Many security mechanisms have been developed, but security problems remain a matter of suspicion and concern. Whether electronic commerce applications can be fully promoted depends largely on people's confidence in the security of information systems in a networked environment. Since it has been proved theoretically that no absolutely secure system exists, audit trails and attack detection systems are generally used as the last line of defence of an information system.

Early medium and large computer systems collected audit information and maintained trail files. The purpose of these audit trails was mainly performance testing or billing, so they provide little information useful for attack detection. A further difficulty lies in the choice of audit information granularity: when the granularity is fine, the volume of data is too large and too detailed, yet an audit trail mechanism is useful only because it provides a great deal of data, and the information actually wanted is buried in it. Manual inspection is therefore meaningless because it is not feasible, and for attempted or successful attacks the detection rate of passive auditing cannot be guaranteed.

A general-purpose audit trail can provide important information for attack detection, such as who ran which programs, when particular files were accessed or modified, and how much memory and disk space was used; however, it may also miss some information that is important for attack detection. For a general-purpose audit trail to serve security purposes such as attack detection, it must be equipped with automated tools that analyse the audit data, so that clues to suspicious behaviour are found as early as possible and alarms raised or countermeasures taken.
(1) Attack detection technology based on audit information
1. Classification of detection technology
In order to extract security-relevant information from a large and sometimes redundant volume of audit trail data, a unified, automated security analysis or detection tool, designed and implemented on the basis of the computer system's audit trail information, is needed to screen out the information that concerns security. Its idea is very similar to the popular data mining technology.

Automated analysis and detection tools based on auditing can work offline, meaning that the analysis tool processes the information provided by the audit trail file in non-real time, determines whether the computer system has been attacked, and provides as much information about the attacker as possible; they can also work online, meaning that the analysis tool processes the information provided by the audit trail file in real time and, when a suspected attack occurs, the system raises a real-time alarm that can give information about the attacker, including what the attack is trying to target.
2. Attack classification
In a security system, at least three types of security threat should usually be considered: external attacks, internal attacks and abuse of authorisation. When the attacker comes from outside the computer system, it is called an external attack. Attackers who have access to the computer but not to certain specific data, programs or resources, and who intend to use system resources beyond their authority, constitute internal attacks; these include masqueraders (people who use the identities and passwords of other legitimate users) and clandestine users (those who deliberately evade the audit mechanism and access control). Privilege abusers are legitimate users of computer system resources who, intentionally or unintentionally, abuse their privileges.

By auditing the failure records of login attempts, the attack attempts of external attackers can be found; by observing the records of failed attempts to access specific files, programs and other resources, the attack attempts of internal attackers can be discovered; a behaviour model can be established separately for each user and compared with specific behaviour to detect masqueraders; but it is usually difficult to find privilege abusers from audit information alone.

Attack detection based on audit information is especially hard to defend against attacks by highly privileged insiders: an attacker can use specific system privileges, or invoke operations at a lower level than the audit itself, to evade auditing. For users with system privileges, every operation that turns off or suspends the audit function, changes the set of audited users or alters other audit parameters needs to be reviewed. The ability to audit lower-level operations, such as system services or kernel system calls, is usually hard to achieve; the work is arduous and needs special tools and procedures. In short, to prevent covert internal attacks, the effectiveness of both technical means and non-technical management means must be ensured. The technical means need to monitor specific indicators in the system (such as CPU, memory and disk activity) and compare them with their history under normal conditions in order to discover abnormal activity.
3. Attack detection methods
(1) Detecting hidden illegal behaviour
Offline attack detection based on audit information and automated analysis tools can be used to report to the system security manager an evaluation of the computer system's activity on the previous day. A real-time attack detection system works by modelling the historical behaviour of users: on the basis of that early evidence or model, and of the probability-statistical model of user behaviour maintained in the system, it monitors users' use of the system in real time; when suspicious user behaviour occurs, it keeps tracking and monitoring, and records the user's behaviour. IDES (Intrusion Detection Expert System), developed by Stanford Research Institute, is a typical real-time detection system of this kind. IDES determines whether a user's current behaviour is legitimate according to that user's previous history. For each user, the system generates a historical behaviour record library from the user's past behaviour. A more powerful function of IDES is to learn adaptively the behaviour habits of each user of the monitored system; when a user changes those habits, the anomaly is detected. At present, the monitoring implemented in IDES covers two aspects: general items, such as CPU usage time, I/O channel usage, frequency of use of common directories, creation, deletion, reading, writing and modification of files, and behaviour originating from the local area network; and specific items, including the editors and compilers the user habitually uses, the most frequently used system calls, the storage of the user ID, and the use of files and directories. IDES can not only monitor abnormal user behaviour in real time but also has the ability to handle adaptive user parameters. In an attack detection system like IDES, every aspect of a user's behaviour can be used as a sign to distinguish normal from abnormal behaviour. For example, a user who usually uses the system during normal working hours and occasionally works overtime on it will be flagged by IDES. Following this logic, the system judges whether behaviour is legitimate or suspicious. Obviously, this logic suffers from the problem of false positives and false negatives, and IDES is ineffective when legitimate users abuse their rights. The method is equally suitable for detecting the behaviour of programs and of data resources, such as access behaviour to files or databases.
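The following is an added example, not code from the original article or from SRI's IDES: it builds a per-user statistical profile from constructed audit records (field names, features and the threshold are assumptions) and scores new sessions by z-score against that profile, reproducing both the "overtime worker" false positive and the undetected privilege abuse the text describes.

```python
"""IDES-style per-user statistical profile over audit records.

Added example, not code from the original article or from SRI's IDES.
The audit records below are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class AuditRecord:
    user: str
    login_hour: int      # hour of day the session started (0-23)
    cpu_seconds: float   # CPU time consumed by the session
    files_touched: int   # distinct files read/written/created/deleted


FEATURES = ("login_hour", "cpu_seconds", "files_touched")

# Constructed history: "alice" works office hours with a modest, steady load.
HISTORY: List[AuditRecord] = [
    AuditRecord("alice", h, c, f)
    for h, c, f in [(9, 120.0, 40), (10, 130.0, 45), (9, 110.0, 38),
                    (11, 140.0, 50), (10, 125.0, 42), (9, 118.0, 41)]
]

Profile = Dict[str, Dict[str, Tuple[float, float]]]


def build_profile(records: List[AuditRecord]) -> Profile:
    """Per-user (mean, stddev) of each feature: the 'historical behaviour record library'."""
    by_user: Dict[str, List[AuditRecord]] = {}
    for r in records:
        by_user.setdefault(r.user, []).append(r)
    profile: Profile = {}
    for user, recs in by_user.items():
        stats = {}
        for feat in FEATURES:
            vals = [float(getattr(r, feat)) for r in recs]
            sd = pstdev(vals)
            # A constant feature has sd == 0; use 1.0 so any deviation is measured in raw units.
            stats[feat] = (mean(vals), sd if sd > 0 else 1.0)
        profile[user] = stats
    return profile


def score(record: AuditRecord, profile: Profile, threshold: float = 3.0) -> List[str]:
    """Return the features whose |z-score| exceeds the threshold; [] means 'normal'.

    A user with no profile is flagged on every feature: there is no baseline to compare with.
    """
    stats = profile.get(record.user)
    if stats is None:
        return list(FEATURES)
    flagged = []
    for feat in FEATURES:
        mu, sd = stats[feat]
        z = abs(float(getattr(record, feat)) - mu) / sd
        if z > threshold:
            flagged.append(feat)
    return flagged


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    # Overtime session: legitimate, but the login hour is far outside the baseline.
    print(score(AuditRecord("alice", 23, 125.0, 43), prof))
    # Privilege abuse with ordinary resource usage looks exactly like normal work.
    print(score(AuditRecord("alice", 10, 126.0, 44), prof))
```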
(2) Attack detection technology based on neural networks
As mentioned above, attack detection systems based on audit statistics, of the IDES (Intrusion Detection Expert System) class, have some inherent weaknesses: because user behaviour can be very complex, it is very difficult to match a user's historical behaviour accurately against present behaviour. False alarms usually come from inaccurate statistical algorithms over the audit data or from inappropriate assumptions. As one improvement strategy, the research group at Stanford Research Institute applied and developed neural network technology for attack detection. Neural networks can be used to address the following problems faced by traditional statistical analysis: ① It is difficult to establish an accurate statistical distribution: statistical methods basically depend on subjective assumptions about user behaviour, such as a Gaussian distribution of deviations, and this assumption often causes false alarms. ② It is difficult to make the method universal: a detection measure suited to some users' behaviour usually cannot be applied to other types of user. ③ The algorithm is relatively expensive to implement: for the reasons above, statistics-based algorithms lack self-adaptability to different types of user behaviour, so the algorithm is complex and large, which makes implementation expensive. Neural network technology does not have this problem. As to tailorability: using statistical methods to protect a computer system with a large number of users requires keeping a great deal of user behaviour information, which makes the system bloated and hard to tailor; technology based on neural networks avoids this shortcoming, responding effectively to the signals detected in real time and judging the likelihood of attack.

At present, the improvement that neural network technology offers over attack detection based on traditional statistical techniques is not very mature, so traditional statistical methods will continue to play a role and can still provide information of considerable reference value for discovering abnormal user behaviour.
(3) Attack detection technology based on expert systems
Another noteworthy research direction in the automation of security inspection is attack detection technology based on expert systems: the experience of security experts in analysing suspicious behaviour is formed into a set of reasoning rules, and on this basis a corresponding expert system is built, which then automatically analyses the attack operations involved.

An expert system, in this sense, is a system of rules predefined on the basis of expert experience. For example, a user who fails to log in more than three times within a few minutes can be considered to be attacking. Statistical systems seem to have similar rules. It should equally be noted that rule-based expert systems, or inference systems, have their own limitations, because the reasoning rules on which such a system rests are usually arranged and planned according to known security vulnerabilities, whereas the most dangerous threats to a system come mainly from unknown security holes. Implementing a rule-based expert system is a knowledge engineering problem; the system should be able to use its self-learning ability to extend and modify its rules as experience accumulates. Of course, this ability requires the guidance and participation of experts, otherwise it may lead to more false positives. On the one hand, the inference mechanism makes it possible for the system to cope with new behavioural phenomena (that is, some new security vulnerabilities may be discovered); on the other hand, an attack may not trigger any rule and so will go undetected. An expert system generally depends less on historical data than an audit system based on statistical techniques, so it is highly adaptable and can be flexibly fitted to a broad spectrum of security policies and detection requirements. But so far there is still a certain distance between the computability problems of reasoning systems and predicate calculus and a mature solution.
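As an added example, not code from the original article or from any product it names, the detector below runs a small rule set over constructed audit log lines: the "more than three failed logins within a few minutes" rule from this section, a threshold rule for repeated failed resource access (the internal-attacker sign from the attack classification above), and an immediate-review rule for changes to audit parameters. The log format, field names, window sizes and rule names are assumptions.

```python
"""Rule-based ('expert system') detector over constructed audit log lines.

Added example, not code from the original article or any named product.
Log format, field names and window sizes are assumptions; only the
'more than three failed logins within a few minutes' rule comes from the text.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed audit trail: ISO timestamp, event type, key=value fields.
AUDIT_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=bob tty=pts/3
2024-03-01T09:00:20 LOGIN_FAIL user=bob tty=pts/3
2024-03-01T09:00:45 LOGIN_FAIL user=bob tty=pts/3
2024-03-01T09:01:10 LOGIN_FAIL user=bob tty=pts/3
2024-03-01T09:02:00 LOGIN_OK user=alice tty=pts/1
2024-03-01T09:03:00 ACCESS_DENIED user=alice path=/etc/shadow
2024-03-01T09:03:05 ACCESS_DENIED user=alice path=/var/payroll.db
2024-03-01T09:30:00 LOGIN_FAIL user=carol tty=pts/2
2024-03-01T10:10:00 LOGIN_FAIL user=carol tty=pts/2
2024-03-01T10:10:30 AUDIT_CONFIG user=root action=disable
"""

# Threshold rules: (event, grouping field, count tolerated, window).
# More than `count` events for the same key inside `window` raises an alert.
THRESHOLD_RULES = [
    ("LOGIN_FAIL", "user", 3, timedelta(minutes=5)),     # external attack attempt
    ("ACCESS_DENIED", "user", 1, timedelta(minutes=10)),  # internal attacker probing resources
]
# Immediate rules: a single occurrence is always reported for review.
IMMEDIATE_RULES = {"AUDIT_CONFIG": "audit parameters changed"}


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line into (timestamp, event, fields)."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), event, fields


def detect(log_text: str) -> List[str]:
    """Apply the rules to the log; return alert strings in order of occurrence."""
    alerts: List[str] = []
    # One sliding window of timestamps per (rule index, key value).
    windows: Dict[Tuple[int, str], Deque[datetime]] = defaultdict(deque)
    fired = set()  # alert once per (rule, key) rather than on every further event
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, fields = parse_line(raw)
        if event in IMMEDIATE_RULES:
            alerts.append(f"{ts.isoformat()} {IMMEDIATE_RULES[event]} by {fields.get('user', '?')}")
        for idx, (rule_event, key_field, count, window) in enumerate(THRESHOLD_RULES):
            if event != rule_event:
                continue
            key = fields.get(key_field, "?")
            win = windows[(idx, key)]
            win.append(ts)
            while win and ts - win[0] > window:  # discard events that fell out of the window
                win.popleft()
            if len(win) > count and (idx, key) not in fired:
                fired.add((idx, key))
                alerts.append(f"{ts.isoformat()} {rule_event} x{len(win)} for "
                              f"{key_field}={key} within {window}")
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Carol's two failures, forty minutes apart, never exceed the window and raise nothing, which is exactly the gap the text notes: behaviour that matches no rule is not detected.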
(4) Attack detection technology based on model reasoning
Attackers usually follow certain behavioural procedures when attacking a system, such as a password-guessing procedure; such a procedure constitutes a model with definite behavioural characteristics. From the behavioural characteristics of the attack intent that this model represents, malicious attack attempts can be detected in real time, although the attacker is not necessarily malicious. Using the model-based approach, specific models can be built for particular behaviours and used for monitoring, relying on specific activities with specific behavioural characteristics. According to hypothesised attack scripts, the system can detect illegal user behaviour. Generally speaking, to reach an accurate judgment, specific attack scripts must be established for different attackers and different systems.

When there is evidence that a specific attack pattern is occurring, the system should collect further evidence to confirm or refute the attack; it must neither understate an attack that causes actual harm to the system nor raise false positives, so both should be avoided as far as possible.

Of course, none of the above methods completely solves the problem of attack detection. To strengthen the security of a computer information system, it is best to combine various means so as to increase the difficulty of a successful attack, and at the same time to adopt attack detection means suited to the characteristics of the system itself.
4. Other related issues
To avoid interference from too much irrelevant information, a detection system used for security-purpose attack detection should, in addition to the audit system, be equipped with an information collector or filter suited to the system security policy. At the same time, besides relying on information from the audit subsystem, it should make full use of information from other sources. In some systems, audit trails can be kept at different levels. For example, some systems use a three-level audit trail in their security mechanisms: auditing operating system kernel calls, auditing behaviour at the interface between the user and the operating system, and auditing the internal behaviour of applications.

Another important issue is where the attack detection system runs. To improve its operating efficiency, the attack detection system can be placed on a computer independent of the monitored system to analyse the audit trail and detect intrusions. This has advantages in efficiency and effectiveness, and also in security, because the response time of the monitoring system then has no negative impact on the operation of the monitored system and is not affected by other security-related factors.

In short, to make effective use of the information provided by the audit system and to counter attack threats through attack detection measures, a computer security system should select the applicable main attack detection method according to the system's specific situation and organically integrate other optional attack detection methods. At the same time, it should be clearly realised that no attack detection measure can settle the matter once and for all; it must be accompanied by effective management and organisational measures.
(2) Testing attack detection systems
To evaluate the attack detection products on the market fairly and effectively, evaluation and testing of attack detection systems is very important. For users, a third-party test report is very instructive in procurement. Some units in China attach great importance to this, have done a great deal of pioneering work and have achieved notable results. The team at the IDG InfoWorld Test Center in the United States developed a test suite that can be regarded as a benchmark, IWSS16. The team collected several typical, publicly available attack methods and combined them to form IWSS16. IWSS16 combines four main attack methods:
(1) Information gathering attacks
Attackers targeting a network usually make exploratory attacks before the formal attack, with the goal of obtaining useful information from the system, so the focus of detection for the first type of attack is on operations such as PING scanning, port scanning, account scanning and DNS zone transfers. Attack tools commonly used by network hackers include Strobe, NS and SATAN (Security Administrator Tool for Analyzing Networks). With these tools one can learn what is on the network, where its loopholes are, and so on.
(2) Access attacks
IWSS16 integrates a series of destructive means for gaining privileged access to the network, including many fault-inducing attacks such as e-mail faults, remote IMAP (Internet mail access protocol) buffer overflows, FTP faults and phf faults. Through the faults these attacks cause, the vulnerabilities of the system are exposed and access rights are obtained.
(3) Denial of service attacks
Denial of service is the hardest kind of attack to catch, because it leaves no trace and it is difficult for security managers to determine the source of the attack. Because its goal is to bring down network node systems, it is a very dangerous attack. Of course, the other side of being hard to defend is being easy to launch; in a word, denial of service is an attack type that is easy to launch and hard to defend against. This kind of attack is characterised by the system collapsing under an overwhelming flood of requests; in addition, denial of service attacks can also exploit weaknesses of the operating system to mount targeted attacks.
(4) Detection evasion attacks
International hackers have entered a stage of organised and planned cyber attacks, and the US government intends to tolerate the activities of hacker organisations so as to keep hacker attacks under a certain degree of control and, through this channel, to gain practical experience in preventing attacks. International hacker organisations have developed many techniques for evading detection. However, as the saying goes, where the devil rises one foot, the Way rises ten; the coexistence and alternating development of spear and shield is a universal law, and one research direction in the development of attack detection systems is overcoming attempts at evasion.
(3) Several typical attack detection systems
(1) NAI is a leading provider of professional network security products; its attack detection offering consists mainly of three independent products: CyberCop Scanner, CyberCop Server and CyberCop Network.

CyberCop Scanner is one of NAI's network security products; its goal is to detect weak links in complex network environments. CyberCop Scanner conducts a comprehensive inspection of network security links such as intranets, Web servers and firewalls, and discovers vulnerabilities in these links, including well-known loopholes as well as many unknown ones. Security vulnerabilities in network products and network systems found by CyberCop Scanner are reported to software vendors and related organisations (if found first) so that the danger they cause can be resolved as soon as possible. CyberCop Scanner is particularly good at solving the security problems of routers and firewall filtering programs, and successful products in this respect are still rare on the market. This is made possible by CAPE (Custom Audit Packet Engine), a tool within the CyberCop Scanner product. CAPE can perform very complex protocol-layer spoofing and attack simulation and can easily produce special tools adapted to various specific networks, without requiring advanced programming skill. For organisations and units that want their own staff to test for and solve security problems, CyberCop Scanner is undoubtedly an ideal choice. For consulting companies dealing with security problems it is also a suitable tool, because CyberCop Scanner provides external detection of the network's running state.

CyberCop Server is one of NAI's network security products; its goal is to provide prevention, detection and response to attacks in complex network environments, and it is a tool that can take automatic countermeasures. CyberCop Server tests the whole network on a client/server basis and establishes a new industry standard: multidimensional security protection. The biggest feature of today's network environment is unpredictability. The first line of defence for a Web server is the firewall, but the Web server provides HTTP, FTP and other Web protocols, which differ from other standard channels, and many hackers bypass the protection of firewalls and other security mechanisms through these Web protocols. CyberCop Server can find the attacker after the hacker has successfully entered the system and report to the system security manager in time.

CyberCop Server provides a real-time detection service. NAI's CyberCop Server adopts patented watchdog box technology, which detects attacks in real time and can handle abnormal interruption of the Web server, illegal users attempting to become superuser, illegal modification of Web server content, illegal network intruders, illegal logins and the like. CyberCop Server can also provide automatic countermeasures: after detecting an attack attempt it can automatically start programmed countermeasures, such as terminating the login process, terminating the offending process, paging or e-mailing the network administrator, restarting the network server and generating SNMP traps. CyberCop Server also reserves a programming interface for users to develop further, which allows cooperation with other security products and further increases the security strength of the system.

CyberCop Network is one of NAI's network security products; its main function is to monitor the network traffic flowing through a complex network environment in order to protect the shared resources on the network segment. CyberCop Network provides uninterrupted real-time network monitoring and real-time alarms of attack attempts. CyberCop Network is an attack detection system based on audit data; it can give accurate and timely alarms for internal attacks, external attacks and abuse of authorisation, and it can also identify the attacked system components, record system activities, capture attack clues, and so on.

The CyberCop Network system consists of intelligent sensors. The sensors are distributed at the sensitive and vulnerable points of the whole network, such as wide-area connections, dial-up connections, centralised servers and specific segments. The product provides monitoring and filtering and can effectively monitor and detect network attack attempts, with functions for timely alarms and e-mail alarms, event logging, paging security management personnel and taking countermeasures. The sensors can be configured as information collectors according to the needs of the organisation or enterprise, so as to suit the system security policy.

CyberCop can generate reports in various forms, including HTML, ASCII text, RTF format and comma-separated format.
(2) RealSecure 2.0 for Windows NT, from ISS (Internet Security Systems), is a leading attack detection solution on the market. RealSecure 2.0 provides a distributed security architecture: multiple detection engines can monitor different network segments and report to a central management console. Communication between the console and the engines can use 128-bit RSA for authentication and encryption.

(3) SessionWall-3, from AbirNet, is a security product with a wide range of functions, including the functions of an attack detection system. SessionWall-3 provides the ability to define rules for monitoring, filtering and blocking network traffic, so its solution is concise and flexible. After detecting an attack, SessionWall-3 sends an alarm to the local console and an e-mail, records the event, and can also page security managers. Its reporting function is also relatively strong.

(4) Anzen's NFR (Network Flight Recorder) provides a network monitoring framework that can effectively perform attack detection tasks. OEM companies can customise special-purpose attack detection systems on the basis of NFR, and some software companies have developed their own NFR-based products.

(5) IBM's IERS (Internet Emergency Response Service) system consists of two parts: the NetRanger detector and the Boulder monitoring center. The NetRanger detector is responsible for monitoring recognisable traffic signatures on the network; once an abnormal situation is found, the alarm at the Boulder monitoring center is activated.