網(wǎng)絡(luò)信息安全(入侵檢測)1

IntrusionDetectionSystemWhatisIDS?IDS=IntrusionDetectionSystem

Intrusiondetectionsystems(IDSs)aresoftwareorhardwaresystemsthatautomatetheprocessofmonitoringtheeventsoccurringinacomputersystemornetwork,analyzingthemforsignsofsecurityproblems.NotfirewallWhyuseIDS?Topreventproblembehaviors2.Todetectattacksandothersecurityviolationsthatarenotpreventedbyothersecuritymeasures3.Todocumenttheexistingthreattoanorganization,

allowingimproveddiagnosis,recovery,andcorrection

ofausativefactors.4.Toactasqualitycontrolforsecuritydesignand

administrationGeneralIDSModelSensorAnalyzerManagerOperatorAdministratorBasicClassificationNIDS-NetworkBasede.g.CiscoSecureIDS,AxentNetpowler,Snort,ISSRealSecureNetworkSensor,NAICybercopMonitorHIDS-HostBasede.g.AxentIntruderAlert,ISSRealSecureOSSensor,TripwireBasedondifferentdataresourceNIDS-NetworkBasedNIDSdetectattacksbycapturingandanalyzing

networkpackets.Listeningonanetworksegmentorswitch,one

network-basedIDScanmonitorthenetworktraffic

affectingmultiplehoststhatareconnectedtothe

networksegment,therebyprotectingthosehosts.monitoralargenetwork.littleimpactuponanexistingnetwork.

·verysecureagainstattackandevenmadeinvisibleto

manyattackers.AdvantagesofNetwork-BasedIDS·Network-basedIDSsmayhavedifficultyprocessinghigh

traffic.·ManyofNIDSsdon’tapplytoswitch-basednetworks.·Network-basedIDSscannotanalyzeencryptedinformation.·NIDSshaveproblemsdealingwithnetworkbased

attacksthatinvolvefragmentingpackets.DisadvantagesofNetwork-BasedIDSs:Host-basedIDSsoperateoninformationcollected

fromwithinanindividualcomputersystem.Host-BasedIDSsHost-basedIDSsnormallyutilizeoperatingsystem

audittrails,andsystemlogsasinformationsourcesHIDScandirectlyaccessandmonitorthedatafilesandsystemprocesses,soanalyzeactivitieswithgreatreliabilityandprecision,Host-basedIDSscanoperateencryptednetworktrafficHost-basedIDSsareunaffectedbyswitchednetworks.·WhenHost-basedIDSsoperateonOSaudittrails,they

canhelpdetectTrojanHorseorotherattacksthat

involvesoftwareintegritybreaches.AdvantagesHIDSarehardertomanage,asinformationmustbe

configuredandmanagedforeveryhostmonitored.TheIDSmaybeattackedanddisabledaspartofthe

attackbecauseofthesourceresidingonhost·Host-basedIDSsarenotwellsuitedfordetecting

networkscansorotherentirenetworkattackDisadvantagesHIDScanbedisabledbycertainDOSattacks.HIDSuseoperatingsystemaudittrailsasinformation

source,thereforerequiringadditionallocalstorageonthe

system.HIDSusethecomputingresourcesofthehosts,therefore

inflictingaperformancecostonthemonitoredsystems.IDSAnalysisTecnologytwoprimaryapproaches:misusedetectionandanomalydetectionMisusedetectorsanalyzesystemactivity,lookingfor

eventsthatmatchapredefinedpatternofeventsthat

describeaknownattack.Asthepatternscorrespondingtoknownattacksare

calledsignatures,misusedetectionissometimes

called“signature-baseddetection.”

ThemostcommonformofmisusedetectionusedincommercialproductsMisuseDetectionLessfalsealarms.Advantages

Quicklyandreliablydiagnosetheuseofattacktoolor

technique.

Misusedetectorscanallowsystemmanagerstotrack

securityproblemsontheirsystems,initiatingincident

handlingprocedures.Misusedetectorscanonlydetectthoseattackstheyknow

about,thereforetheymustbeconstantlyupdatedwith

signaturesofnewattacks.·Manymisusedetectorsaredesignedtousetightly

definedsignaturesthatpreventthemfromdetecting

variantsofcommonattacks.DisadvantagesSnortlibpcapmaliciouspatternslogs,alerts,...Filtered

packet

streamlibpcapTakesthe“raw”packetstreamParsesthepacketsandpresentsthemasaFilteredpacketstreamLibraryforpacketcaptureWebsiteformoredetailsMaliciousPatternExamplealerttcpanyany->/2480(content:“/cgi-bin/phf”; msg:“PHFprobe!”;)

pass:忽略，丟棄log：日志alert：報警并日志activate：報警并激活另一條dynamic規(guī)則dynamic：保持空閑直到被激活，然后作為一條log執(zhí)行protocolsourceaddresssourceportdestinationaddressdestinationport規(guī)則頭（Header）規(guī)則項（Options）;分隔選項關(guān)鍵字（OptionsKeywords）方向操作符：規(guī)則所施加的流的方向<>:雙向操作符MaliciousPatternsExamplecontent:“/cgi-bin/phf”Matchesanypacketwhosepayloadcontainsthestring“/cgi-bin/phf”Lookatmsg:“PHFprobe!”GeneratethismessageifamatchhappensMoreExamplesalerttcpanyany->/246000:6010(msg:“Xtraffic”;)

alerttcp!/24any->/246000:6010(msg:“Xtraffic”;)24：C類子網(wǎng)16：B類子網(wǎng)32：特定機器地址目標端口號在6000到6010范圍內(nèi)對任何來自子網(wǎng)以外的，發(fā)送到子網(wǎng)內(nèi)的，目標端口號在6000-6010范圍內(nèi)的tcp流，在報警和日志中打印一條消息Howtogeneratenewpatterns?BufferoverrunfoundinInternetMessageAccessProtocol(IMAP)RunexploitinatestnetworkandrecordalltrafficExaminethecontentoftheattackpacketNotional"IMAPbufferoverflow"packet052499-22:27:58.403313:1034->:143TCPTTL:64TOS:0x0DF***PA*Seq:0x5295B44EAck:0x1B4F8970Win:0x7D789090909090909090909090909090EB3B;5E89760831ED31C931C0886E07896E0C^.v.1.1.1..n..n.B00B89F38D6E0889E98D6E0C89EACD80nn31DB89D840CD809090909090909090901...@9090909090909090909090E8C0FFFFFF

2F62696E2F7368909090909090909090/bin/sh

Alertruleforthenewbufferoverflowalerttcpanyany->/24143(content:"|E8C0FFFFFF|/bin/sh";msg:"NewIMAPBufferOverflowdetected!";)CanmixhexformattedbytecodeandtextAdvantagesofSnortLightweightSmallfootprintFocusedmonitoring:highlytunedSnortfortheSMTPserverMaliciouspatternseasytodevelopLargeusercommunityConsidertheIRDPdenial-of-serviceattackRuleforthisattackavailableonthesamedaytheattackwasannouncedDisadvantagesDoesnotperformstreamreassemblyAttackerscanusethatto“fool”SnortBreakoneattackpacketintoastreamPatternmatchingisexpensiveMatchingpatternsinpayloadsisexpensive(avoidit!)Ruledevelopmentmethodologyisadhoc例如，在telnet之類的交互會話中，攻擊者企圖讀取etc/passwd文件。在獲得/etc/passwd文件的內(nèi)容時，我們不直接輸入cat/etc/passwd等命令行，而是通過一個命令解釋器(例如：perl)來實現(xiàn)我們的目的：

badguy@host$perl–e‘$foo=pack(“C11”,47,101,116,99,47,112,97,115,115,119,100);

@bam=`/bin/cat/$foo`;print”@bam\n”;’

從這個命令中，入侵檢測系統(tǒng)根本就不會重組出/etc/passwd這些字符。顯然，防御這種攻擊就很困難了，因為這要求入侵檢測系統(tǒng)必須能夠理解這種解釋器如何收到的命令。

Anomalydetectorsidentifyabnormalunusualbehavior

(anomalies)onahostornetwork.Assumptionthatattacksaredifferentfrom“normal”

(legitimate)activityandcanthereforebedetectedby

systemsthatidentifythesedifferences.Anomalydetectorsconstructprofilesrepresentingnormalbehaviorofusers,hosts,ornetworkconnections.AnomalyDetectionTechniquesusedinanomalydetection:·Statisticalmeasures

thedistributionoftheprofiledattributesis“l(fā)earned”froma

setofhistoricalvalues,observedovertime.

IDES，NIDESandEmerald·Rule-basedmeasures

similartostatisticalmeasures,butthosepatternsare

specifiedasrules,notnumericquantities

Example·Othermeasures

includingneuralnetworks,geneticalgorithms,andimmune

systemmodels.Teng和Chen給出一種基于時間的歸納泛化技術(shù)，利用基于時間的規(guī)則來描述用戶的正常行為特征。通過歸納學習產(chǎn)生這些規(guī)則集，并能動態(tài)地修改系統(tǒng)中的這些規(guī)則，即預(yù)測準確率較高與較高可信度的被保留下來。如果規(guī)則大部分時間是正確的，并能夠成功地用于預(yù)測所觀察到的數(shù)據(jù)，那么規(guī)則就具有較高的可信度。其規(guī)則形式如下：其中E1～E5表示安全事件。該規(guī)則說明，如果事件發(fā)生的順序是E1，E2，E3，則事件E4發(fā)生的概率是95％，事件E5發(fā)生的概率是5％。如果觀測到的事件序列與規(guī)則的左邊匹配，而后續(xù)的事件顯著地背離根據(jù)規(guī)則預(yù)測到的事件，那么系統(tǒng)就可以檢測出這種偏離，表明用戶操作異常。通過觀察主體行為產(chǎn)生的這一套規(guī)則就是主體的行為描述。

OnlythefirsttwomeasuresareusedincurrentcommercialIDS.·Detectingunusualbehaviorandsymptomsofattacks

withoutspecificknowledgeofdetails.·Producinginformationthatcaninturnbeusedtodefine

signaturesformisusedetectors.Advantages·Producingalargenumberoffalsealarms·Oftenrequiringextensive“trainingsets”ofsystem

eventrecordsinordertocharacterizenormalbehavior

patterns.Disadvantages使用ROC(ReceiverOperatorCharacteristic)曲線能

夠很好地顯示不同入侵檢測方法在采用不同閾值時的性能。同一ROC曲線上的點代表同一檢測方法在閾值

不同時的誤報率和漏報率。通常ROC曲線的X軸代表

誤報率，Y軸代表檢測率。ROC曲線下面積越大，表

明模型的檢測性能越好。

ResponseOptionsforIDSOnceIDShaveobtainedeventinformationandanalyzedittofindsymptomsofattacks,theygenerateresponses.ActiveIDSresponsesareautomatedactionstakenTherearethreecategoriesofactiveresponses:Collectadditionalinformation:

Themostinnocuous,butattimesmostproductiveChangetheEnvironment:

re-configurerouter,resetTCPinjectTakeActionAgainsttheIntruder:

thisresponseisilladvised.ActiveResponsesPassiveResponsesProvideinformationtosystemusers,relyingon

humanstotakesubsequentactionbasedonthat

information.ManycommercialIDSsrelysolelyonpassive

responses.DeployingIDSDeploymentTips(1)DualNICNoTCP/IPbindingNetworkPerformanceNICoptimizationsettingsPromiscuousmodeDeploymentTips(2)LocationsDMZInfrontoffirewallBehindfirewallServersegments“Poweruser”segments·Seesattacksthatpenetratethenetwork’sperimeterdefenses.·Findingproblemsexitinginfirewallpolicyorperformance·Seesattacksthatmighttargetthewebserverorftpserver,

whichcommonlyresideinthisDMZ·Eveniftheincomingattackisnotrecognized,theIDScan

sometimesrecognizetheoutgoingtrafficthatresultsfrom

thecompromisedserverLocation1:Behindeachexternalfirewall,inthenetworkDMZLocation2:OutsideanexternalfirewallDocumentsnumberofattacksoriginatingonthe

Internetthattargetthenetwork.DocumentstypesofattacksoriginatingontheInternetthattargetthenetworkMonitorsalargeamountofanetwork’straffic,thus

increasingthepossibilityofspottingattacks.Detectsunauthorizedactivitybyauthorizeduserswithintheorganization’ssecurityperimeter.Location3:Onmajornetworkbackbones(Serversegments)Detectsattackstargetingcriticalsystemsandresources.Focusinglimitedresourcestothenetworkconsideredofgreatestvalue.Location4:Oncriticalsubnets(Powerusersegments)ProblemScenarios(1)SignaturequalityFalsePOSITIVESFalseNEGATIVESThresholdvaluesDuplicateseliminationEncryptedtrafficSSL,IPSEC&PPTPtunnels,PGPattachmentProblemScenarios(2)SwitchinsteadofHubCollisiondomainPortSpanning/Mirroring/MonitoringPerformancedegradeHighspeednetworkPacketdropDoSHowtochooseanIDS(1)AttackSignatureQualityUpdatefrequencyUpdatemechanismHowtochooseanIDS(2)ScalabilityTraffichandlingcapacityShutdownmechanismSupportedplatforms(HIDS)HowtochooseanIDS(3)ManageabilityExamininglogCrossreferenceArchivingCentralizedconsoleHowtochooseanIDS(4)HardwareplatformIntelbasedSPARCbasedResponseActions(1)LogHeader,significantapplicationdataRawpacketAlertConsoleIncreaseloglevelModemtoPagerEmailtoSMSRedirecttoHoneyPotResponseActions(2)Third-partyIntegrationFirewallRouterHoneyPotHoneypotsaredecoysystemsthataredesignedtolureapotentialattackerawayfromcriticalsystems.Honeypotsaredesignedto:·divertanattackerfromaccessingcriticalsystems,·collectinformationabouttheattacker’sactivity,and·encouragetheattackertostayonthesystemlongenoughforadministratorstorespond.Thesesystemsarefilledwithfabricatedinformationdesignedtoappearvaluablebutthatalegitimateuserofthesystemwouldn't’taccess.Thus,anyaccesstothehoneypotissuspect.Thesystemisinstrumentedwithsensitivemonitorsandeventloggersthatdetecttheseaccessesandcollectinformationabouttheattacker’sactivities.Today…HardwareIDSASICbasedIDSNP(NetworkProcessor)DistributedIDS(DIDS)IDSEvaluationSystemintelligentIDSGeneticAlgorithmSVMNeuralNetwork

StandardsCVE(CommonVulnerabilitiesandExposures)IDWG(IntrusionDetectionWorkingGroup)CVE的英文全稱是“CommonVulnerabilities&Exposures”公共漏洞和暴露。CVE就好像是一個字典表，為廣泛認同的信息安全漏洞或者已經(jīng)暴露出來的弱點給出一個公共的名稱。使用一個共同的名字，可以幫助用戶在各自獨立的各種漏洞數(shù)據(jù)庫中和漏洞評估工具中共享數(shù)據(jù)。如果在一個漏洞報告中指明的一個漏洞，如果有CVE名稱，你就可以快速地在任何其它CVE兼容的數(shù)據(jù)庫中找到相應(yīng)修補的信息，解決安全問題。

CVE(1)CVE的特點：

-為每個漏洞和暴露確定了唯一的名稱

-給每個漏洞和暴露一個標準化的描述

-不是一個數(shù)據(jù)庫，而是一個字典

-任何完全迥異的漏洞庫都可以用同一個語言表述

-由于語言統(tǒng)一，可以使得安全事件報告更好地被理解，實現(xiàn)更好的協(xié)同工作

-可以成為評價相應(yīng)工具和數(shù)據(jù)庫的基準

-非常容易從互聯(lián)網(wǎng)查詢和下載，://

-通過“CVE編輯部”體現(xiàn)業(yè)界的認可

CVE(2)為了提高IDS產(chǎn)品、組件及與其他安全產(chǎn)品之間的互操作性，美國國防高級研究計劃署（DARPA）和互聯(lián)網(wǎng)工程任務(wù)組（IETF）的入侵檢測工作組（IDWG）發(fā)起制訂了一系列建議草案，從體系結(jié)構(gòu)、API、通信機制、語言格式等方面規(guī)范IDS的標準。IDWGIntrusionDetectionWorkingGroup公共入侵檢測框架（CIDF）

CIDF，即公共入侵檢測框架（TheCommonIntrusionDetectionFramework）,是構(gòu)建分布式IDS的基礎(chǔ)。它要求各種IDS必須遵循相同的信息表達方式和相應(yīng)的通信機制，也就是必須遵循一個公共的IDS的框架結(jié)構(gòu)。CIDF的主要作用在于集成各種IDS使之協(xié)同工作，實現(xiàn)各IDS之間的組件重用,各系統(tǒng)之間可以配合實施統(tǒng)一的配置響應(yīng)和恢復(fù)策略。

CIDF所做的工作主要包括四部分：IDS的體系結(jié)構(gòu)、通信機制、描述語言和應(yīng)用編程接口API。CIDF在IDES和NIDES的基礎(chǔ)上提出了一個通用模型，將入侵檢測系統(tǒng)分為四個基本組件：事件產(chǎn)生器、事件分析器、響應(yīng)單元和事件數(shù)據(jù)庫。結(jié)構(gòu)如圖所示。響應(yīng)單元（R-boxes）事件數(shù)據(jù)庫（D-boxes）事件分析器（A-boxes）事件產(chǎn)生器（E-boxes）原事件來源CIDF的通信機制

為了保證各個組件之間安全、高效的通信，CIDF將通信機制構(gòu)造成一個三層模型：GIDO層、消息層和協(xié)商傳輸層。

GIDO層的任務(wù)就是提高組件之間的互操作性，所以GIDO就如何表示各種各樣的事件做了詳細的定義。

消息層確保被加密認證消息在防火墻或NAT等設(shè)備之間傳輸過程中的可靠性。消息層只負責將數(shù)據(jù)從發(fā)送方傳遞到接收方，而不攜帶任何有語義的信息；

單一的傳輸協(xié)議無法滿足CIDF各種各樣的應(yīng)用需求，只有當兩個特定的組件對信道使用達成一致認識時，才能進行通信。協(xié)商傳輸層規(guī)定GIDO在各個組件之間的傳輸機制。三、CIDF語言

CIDF的總體目標是實現(xiàn)軟件的復(fù)用和IDR（入侵檢測與響應(yīng)）組件之間的互操作性。CIDF的工作重點是定義了一種應(yīng)用層的語言CISL（公共入侵規(guī)范語言），用來描述IDR組件之間傳送的信息，以及制定一套對這些信息進行編碼的協(xié)議。CISL可以表示CIDF中的各種信息，如原始事件信息（審計蹤跡記錄和網(wǎng)絡(luò)數(shù)據(jù)流信息）、分析結(jié)果（系統(tǒng)異常和攻擊特征描述）、響應(yīng)提示（停止某些特定的活動或修改組件的安全參數(shù)）等。

CIDFAPICIDF的API負責GIDO的編碼、解碼和傳遞，它提供的調(diào)用功能使得程序員可以在不了解編碼和傳遞過程具體細節(jié)的情況下，以一種很簡單的方式構(gòu)建和傳遞GIDO。

GIDO的生成分為兩個步驟：第一，構(gòu)造表示GIDO的樹型結(jié)構(gòu)；第二，將此結(jié)構(gòu)編成字節(jié)碼。

SummaryIDSClassificationIDSDeploymentConsiderationsHowtochooseanIDSIndustrystandardsEndCVE的英文全稱是“CommonVulnerabilities&Exposures”公共漏洞和暴露。CVE就好像是一個字典表，為廣泛認同的信息安全漏洞或者已經(jīng)暴露出來的弱點給出一個公共的名稱。使用一個共同的名字，可以幫助用戶在各自獨立的各種漏洞數(shù)據(jù)庫中和漏洞評估工具中共享數(shù)據(jù)。如果在一個漏洞報告中指明的一個漏洞，如果有CVE名稱，你就可以快速地在任何其它CVE兼容的數(shù)據(jù)庫中找到相應(yīng)修補的信息，解決安全問題。

CVE(1)CVE的特點：

-為每個漏洞和暴露確定了唯一的名稱

-給每個漏洞和暴露一個標準化的描述

-不是一個數(shù)據(jù)庫，而是一個字典

-任何完全迥異的漏洞庫都可以用同一個語言表述

-由于語言統(tǒng)一，可以使得安全事件報告更好地被理解，實現(xiàn)更好的協(xié)同工作

-可以成為評價相應(yīng)工具和數(shù)據(jù)庫的基準

-非常容易從互聯(lián)網(wǎng)查詢和下載，://

-通過“CVE編輯部”體現(xiàn)業(yè)界的認可

CVE(2)StandardsCVE(CommonVulnerabilitiesandExposures)IDMEF(IntrusionDetectionMessageExchangeFormat)IDWGIntrusionDetectionWorkingGroupAimsDefinedataformatDefineexchangeprocedureOutputsRequirementdocumentCommonintrusionlanguagespecificationFrameworkdocumentIDMEF

（IntrusionDetectionMessageExchangeFormat）Standarddataformat(usingXML)InteroperabilityTypicaldeployments:SensortoManagerDatabaseEventcorrelationsystemCentralizedconsoleIDMEFAddressedProblemsInherentlyheterogeneousinformationDifferentsensortypesDifferentanalyzercapabilitiesDifferentoperationsystemsDifferentobjectivesofcommercialvendorsMessageClasses(1)IDMEF-MessageClassAlertClassToolAlertCorrelationAlertOverflowAlertHeartbeatClassMessageClasses(2)CoreClassesAnalyzerSourceTargetClassificationAdditionalDataMessageClasses(3)TimeClassCreatTimeDetectTimeAnalyzerTimeMessageClasses(4)SupportClassNodeUserProcessServiceExample<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPEIDMEF-MessagePUBLIC"-//IETF//DTDRFCxxxxIDMEFv0.3//EN""idmef-message.dtd"><IDMEF-Messageversion="0.3"><Alertident="abc123456789"impact="successful-dos"><Analyzeranalyzerid="hq-dmz-analyzer01"><Nodecategory="dns"><location>HeadquartersDMZNetwork</location><name></name></Node></Analyzer><CreateTimentpstamp="0x12345678.0x98765432">2000-03-09T10:01:25.93464-05:00</CreateTime><Sourceident="a1b2c3d4"><Nodeident="a1b2c3d4-001"category="dns"><name></name><Addressident="a1b2c3d4-002"category="ipv4-net-mask"><address>21</address><netmask>55</netmask></Address></Node></Source><Targetident="d1c2b3a4"><Nodeident="d1c2b3a4-001"category="dns"><Addresscategory="ipv4-add