网络信息安全(入侵检测)1

IntrusionDetectionSystemWhatisIDS?IDS=IntrusionDetectionSystem

Intrusiondetectionsystems(IDSs)aresoftwareorhardwaresystemsthatautomatetheprocessofmonitoringtheeventsoccurringinacomputersystemornetwork,analyzingthemforsignsofsecurityproblems.NotfirewallWhyuseIDS?Topreventproblembehaviors2.Todetectattacksandothersecurityviolationsthatarenotpreventedbyothersecuritymeasures3.Todocumenttheexistingthreattoanorganization,

allowingimproveddiagnosis,recovery,andcorrection

ofausativefactors.4.Toactasqualitycontrolforsecuritydesignand

administrationGeneralIDSModelSensorAnalyzerManagerOperatorAdministratorBasicClassificationNIDS-NetworkBasede.g.CiscoSecureIDS,AxentNetpowler,Snort,ISSRealSecureNetworkSensor,NAICybercopMonitorHIDS-HostBasede.g.AxentIntruderAlert,ISSRealSecureOSSensor,TripwireBasedondifferentdataresourceNIDS-NetworkBasedNIDSdetectattacksbycapturingandanalyzing

networkpackets.Listeningonanetworksegmentorswitch,one

network-basedIDScanmonitorthenetworktraffic

affectingmultiplehoststhatareconnectedtothe

networksegment,therebyprotectingthosehosts.monitoralargenetwork.littleimpactuponanexistingnetwork.

·verysecureagainstattackandevenmadeinvisibleto

manyattackers.AdvantagesofNetwork-BasedIDS·Network-basedIDSsmayhavedifficultyprocessinghigh

traffic.·ManyofNIDSsdon’tapplytoswitch-basednetworks.·Network-basedIDSscannotanalyzeencryptedinformation.·NIDSshaveproblemsdealingwithnetworkbased

attacksthatinvolvefragmentingpackets.DisadvantagesofNetwork-BasedIDSs:Host-basedIDSsoperateoninformationcollected

fromwithinanindividualcomputersystem.Host-BasedIDSsHost-basedIDSsnormallyutilizeoperatingsystem

audittrails,andsystemlogsasinformationsourcesHIDScandirectlyaccessandmonitorthedatafilesandsystemprocesses,soanalyzeactivitieswithgreatreliabilityandprecision,Host-basedIDSscanoperateencryptednetworktrafficHost-basedIDSsareunaffectedbyswitchednetworks.·WhenHost-basedIDSsoperateonOSaudittrails,they

canhelpdetectTrojanHorseorotherattacksthat

involvesoftwareintegritybreaches.AdvantagesHIDSarehardertomanage,asinformationmustbe

configuredandmanagedforeveryhostmonitored.TheIDSmaybeattackedanddisabledaspartofthe

attackbecauseofthesourceresidingonhost·Host-basedIDSsarenotwellsuitedfordetecting

networkscansorotherentirenetworkattackDisadvantagesHIDScanbedisabledbycertainDOSattacks.HIDSuseoperatingsystemaudittrailsasinformation

source,thereforerequiringadditionallocalstorageonthe

system.HIDSusethecomputingresourcesofthehosts,therefore

inflictingaperformancecostonthemonitoredsystems.IDSAnalysisTecnologytwoprimaryapproaches:misusedetectionandanomalydetectionMisusedetectorsanalyzesystemactivity,lookingfor

eventsthatmatchapredefinedpatternofeventsthat

describeaknownattack.Asthepatternscorrespondingtoknownattacksare

calledsignatures,misusedetectionissometimes

called“signature-baseddetection.”

ThemostcommonformofmisusedetectionusedincommercialproductsMisuseDetectionLessfalsealarms.Advantages

Quicklyandreliablydiagnosetheuseofattacktoolor

technique.

Misusedetectorscanallowsystemmanagerstotrack

securityproblemsontheirsystems,initiatingincident

handlingprocedures.Misusedetectorscanonlydetectthoseattackstheyknow

about,thereforetheymustbeconstantlyupdatedwith

signaturesofnewattacks.·Manymisusedetectorsaredesignedtousetightly

definedsignaturesthatpreventthemfromdetecting

variantsofcommonattacks.DisadvantagesSnortlibpcapmaliciouspatternslogs,alerts,...Filtered

packet

streamlibpcapTakesthe“raw”packetstreamParsesthepacketsandpresentsthemasaFilteredpacketstreamLibraryforpacketcaptureWebsiteformoredetailsMaliciousPatternExamplealerttcpanyany->/2480(content:“/cgi-bin/phf”; msg:“PHFprobe!”;)

pass:忽略，丢弃log：日志alert：报警并日志activate：报警并激活另一条dynamic规则dynamic：保持空闲直到被激活，然后作为一条log执行protocolsourceaddresssourceportdestinationaddressdestinationport规则头（Header）规则项（Options）;分隔选项关键字（OptionsKeywords）方向操作符：规则所施加的流的方向<>:双向操作符MaliciousPatternsExamplecontent:“/cgi-bin/phf”Matchesanypacketwhosepayloadcontainsthestring“/cgi-bin/phf”Lookatmsg:“PHFprobe!”GeneratethismessageifamatchhappensMoreExamplesalerttcpanyany->/246000:6010(msg:“Xtraffic”;)

alerttcp!/24any->/246000:6010(msg:“Xtraffic”;)24：C类子网16：B类子网32：特定机器地址目标端口号在6000到6010范围内对任何来自子网以外的，发送到子网内的，目标端口号在6000-6010范围内的tcp流，在报警和日志中打印一条消息Howtogeneratenewpatterns?BufferoverrunfoundinInternetMessageAccessProtocol(IMAP)RunexploitinatestnetworkandrecordalltrafficExaminethecontentoftheattackpacketNotional"IMAPbufferoverflow"packet052499-22:27:58.403313:1034->:143TCPTTL:64TOS:0x0DF***PA*Seq:0x5295B44EAck:0x1B4F8970Win:0x7D789090909090909090909090909090EB3B;5E89760831ED31C931C0886E07896E0C^.v.1.1.1..n..n.B00B89F38D6E0889E98D6E0C89EACD80nn31DB89D840CD809090909090909090901...@9090909090909090909090E8C0FFFFFF

2F62696E2F7368909090909090909090/bin/sh

Alertruleforthenewbufferoverflowalerttcpanyany->/24143(content:"|E8C0FFFFFF|/bin/sh";msg:"NewIMAPBufferOverflowdetected!";)CanmixhexformattedbytecodeandtextAdvantagesofSnortLightweightSmallfootprintFocusedmonitoring:highlytunedSnortfortheSMTPserverMaliciouspatternseasytodevelopLargeusercommunityConsidertheIRDPdenial-of-serviceattackRuleforthisattackavailableonthesamedaytheattackwasannouncedDisadvantagesDoesnotperformstreamreassemblyAttackerscanusethatto“fool”SnortBreakoneattackpacketintoastreamPatternmatchingisexpensiveMatchingpatternsinpayloadsisexpensive(avoidit!)Ruledevelopmentmethodologyisadhoc例如，在telnet之类的交互会话中，攻击者企图读取etc/passwd文件。在获得/etc/passwd文件的内容时，我们不直接输入cat/etc/passwd等命令行，而是通过一个命令解释器(例如：perl)来实现我们的目的：

badguy@host$perl–e‘$foo=pack(“C11”,47,101,116,99,47,112,97,115,115,119,100);

@bam=`/bin/cat/$foo`;print”@bam\n”;’

从这个命令中，入侵检测系统根本就不会重组出/etc/passwd这些字符。显然，防御这种攻击就很困难了，因为这要求入侵检测系统必须能够理解这种解释器如何收到的命令。

Anomalydetectorsidentifyabnormalunusualbehavior

(anomalies)onahostornetwork.Assumptionthatattacksaredifferentfrom“normal”

(legitimate)activityandcanthereforebedetectedby

systemsthatidentifythesedifferences.Anomalydetectorsconstructprofilesrepresentingnormalbehaviorofusers,hosts,ornetworkconnections.AnomalyDetectionTechniquesusedinanomalydetection:·Statisticalmeasures

thedistributionoftheprofiledattributesis“learned”froma

setofhistoricalvalues,observedovertime.

IDES，NIDESandEmerald·Rule-basedmeasures

similartostatisticalmeasures,butthosepatternsare

specifiedasrules,notnumericquantities

Example·Othermeasures

includingneuralnetworks,geneticalgorithms,andimmune

systemmodels.Teng和Chen给出一种基于时间的归纳泛化技术，利用基于时间的规则来描述用户的正常行为特征。通过归纳学习产生这些规则集，并能动态地修改系统中的这些规则，即预测准确率较高与较高可信度的被保留下来。如果规则大部分时间是正确的，并能够成功地用于预测所观察到的数据，那么规则就具有较高的可信度。其规则形式如下：其中E1～E5表示安全事件。该规则说明，如果事件发生的顺序是E1，E2，E3，则事件E4发生的概率是95％，事件E5发生的概率是5％。如果观测到的事件序列与规则的左边匹配，而后续的事件显著地背离根据规则预测到的事件，那么系统就可以检测出这种偏离，表明用户操作异常。通过观察主体行为产生的这一套规则就是主体的行为描述。

OnlythefirsttwomeasuresareusedincurrentcommercialIDS.·Detectingunusualbehaviorandsymptomsofattacks

withoutspecificknowledgeofdetails.·Producinginformationthatcaninturnbeusedtodefine

signaturesformisusedetectors.Advantages·Producingalargenumberoffalsealarms·Oftenrequiringextensive“trainingsets”ofsystem

eventrecordsinordertocharacterizenormalbehavior

patterns.Disadvantages使用ROC(ReceiverOperatorCharacteristic)曲线能

够很好地显示不同入侵检测方法在采用不同阈值时的性能。同一ROC曲线上的点代表同一检测方法在阈值

不同时的误报率和漏报率。通常ROC曲线的X轴代表

误报率，Y轴代表检测率。ROC曲线下面积越大，表

明模型的检测性能越好。

ResponseOptionsforIDSOnceIDShaveobtainedeventinformationandanalyzedittofindsymptomsofattacks,theygenerateresponses.ActiveIDSresponsesareautomatedactionstakenTherearethreecategoriesofactiveresponses:Collectadditionalinformation:

Themostinnocuous,butattimesmostproductiveChangetheEnvironment:

re-configurerouter,resetTCPinjectTakeActionAgainsttheIntruder:

thisresponseisilladvised.ActiveResponsesPassiveResponsesProvideinformationtosystemusers,relyingon

humanstotakesubsequentactionbasedonthat

information.ManycommercialIDSsrelysolelyonpassive

responses.DeployingIDSDeploymentTips(1)DualNICNoTCP/IPbindingNetworkPerformanceNICoptimizationsettingsPromiscuousmodeDeploymentTips(2)LocationsDMZInfrontoffirewallBehindfirewallServersegments“Poweruser”segments·Seesattacksthatpenetratethenetwork’sperimeterdefenses.·Findingproblemsexitinginfirewallpolicyorperformance·Seesattacksthatmighttargetthewebserverorftpserver,

whichcommonlyresideinthisDMZ·Eveniftheincomingattackisnotrecognized,theIDScan

sometimesrecognizetheoutgoingtrafficthatresultsfrom

thecompromisedserverLocation1:Behindeachexternalfirewall,inthenetworkDMZLocation2:OutsideanexternalfirewallDocumentsnumberofattacksoriginatingonthe

Internetthattargetthenetwork.DocumentstypesofattacksoriginatingontheInternetthattargetthenetworkMonitorsalargeamountofanetwork’straffic,thus

increasingthepossibilityofspottingattacks.Detectsunauthorizedactivitybyauthorizeduserswithintheorganization’ssecurityperimeter.Location3:Onmajornetworkbackbones(Serversegments)Detectsattackstargetingcriticalsystemsandresources.Focusinglimitedresourcestothenetworkconsideredofgreatestvalue.Location4:Oncriticalsubnets(Powerusersegments)ProblemScenarios(1)SignaturequalityFalsePOSITIVESFalseNEGATIVESThresholdvaluesDuplicateseliminationEncryptedtrafficSSL,IPSEC&PPTPtunnels,PGPattachmentProblemScenarios(2)SwitchinsteadofHubCollisiondomainPortSpanning/Mirroring/MonitoringPerformancedegradeHighspeednetworkPacketdropDoSHowtochooseanIDS(1)AttackSignatureQualityUpdatefrequencyUpdatemechanismHowtochooseanIDS(2)ScalabilityTraffichandlingcapacityShutdownmechanismSupportedplatforms(HIDS)HowtochooseanIDS(3)ManageabilityExamininglogCrossreferenceArchivingCentralizedconsoleHowtochooseanIDS(4)HardwareplatformIntelbasedSPARCbasedResponseActions(1)LogHeader,significantapplicationdataRawpacketAlertConsoleIncreaseloglevelModemtoPagerEmailtoSMSRedirecttoHoneyPotResponseActions(2)Third-partyIntegrationFirewallRouterHoneyPotHoneypotsaredecoysystemsthataredesignedtolureapotentialattackerawayfromcriticalsystems.Honeypotsaredesignedto:·divertanattackerfromaccessingcriticalsystems,·collectinformationabouttheattacker’sactivity,and·encouragetheattackertostayonthesystemlongenoughforadministratorstorespond.Thesesystemsarefilledwithfabricatedinformationdesignedtoappearvaluablebutthatalegitimateuserofthesystemwouldn't’taccess.Thus,anyaccesstothehoneypotissuspect.Thesystemisinstrumentedwithsensitivemonitorsandeventloggersthatdetecttheseaccessesandcollectinformationabouttheattacker’sactivities.Today…HardwareIDSASICbasedIDSNP(NetworkProcessor)DistributedIDS(DIDS)IDSEvaluationSystemintelligentIDSGeneticAlgorithmSVMNeuralNetwork

StandardsCVE(CommonVulnerabilitiesandExposures)IDWG(IntrusionDetectionWorkingGroup)CVE的英文全称是“CommonVulnerabilities&Exposures”公共漏洞和暴露。CVE就好像是一个字典表，为广泛认同的信息安全漏洞或者已经暴露出来的弱点给出一个公共的名称。使用一个共同的名字，可以帮助用户在各自独立的各种漏洞数据库中和漏洞评估工具中共享数据。如果在一个漏洞报告中指明的一个漏洞，如果有CVE名称，你就可以快速地在任何其它CVE兼容的数据库中找到相应修补的信息，解决安全问题。

CVE(1)CVE的特点：

-为每个漏洞和暴露确定了唯一的名称

-给每个漏洞和暴露一个标准化的描述

-不是一个数据库，而是一个字典

-任何完全迥异的漏洞库都可以用同一个语言表述

-由于语言统一，可以使得安全事件报告更好地被理解，实现更好的协同工作

-可以成为评价相应工具和数据库的基准

-非常容易从互联网查询和下载，://

-通过“CVE编辑部”体现业界的认可

CVE(2)为了提高IDS产品、组件及与其他安全产品之间的互操作性，美国国防高级研究计划署（DARPA）和互联网工程任务组（IETF）的入侵检测工作组（IDWG）发起制订了一系列建议草案，从体系结构、API、通信机制、语言格式等方面规范IDS的标准。IDWGIntrusionDetectionWorkingGroup公共入侵检测框架（CIDF）

CIDF，即公共入侵检测框架（TheCommonIntrusionDetectionFramework）,是构建分布式IDS的基础。它要求各种IDS必须遵循相同的信息表达方式和相应的通信机制，也就是必须遵循一个公共的IDS的框架结构。CIDF的主要作用在于集成各种IDS使之协同工作，实现各IDS之间的组件重用,各系统之间可以配合实施统一的配置响应和恢复策略。

CIDF所做的工作主要包括四部分：IDS的体系结构、通信机制、描述语言和应用编程接口API。CIDF在IDES和NIDES的基础上提出了一个通用模型，将入侵检测系统分为四个基本组件：事件产生器、事件分析器、响应单元和事件数据库。结构如图所示。响应单元（R-boxes）事件数据库（D-boxes）事件分析器（A-boxes）事件产生器（E-boxes）原事件来源CIDF的通信机制

为了保证各个组件之间安全、高效的通信，CIDF将通信机制构造成一个三层模型：GIDO层、消息层和协商传输层。

GIDO层的任务就是提高组件之间的互操作性，所以GIDO就如何表示各种各样的事件做了详细的定义。

消息层确保被加密认证消息在防火墙或NAT等设备之间传输过程中的可靠性。消息层只负责将数据从发送方传递到接收方，而不携带任何有语义的信息；

单一的传输协议无法满足CIDF各种各样的应用需求，只有当两个特定的组件对信道使用达成一致认识时，才能进行通信。协商传输层规定GIDO在各个组件之间的传输机制。三、CIDF语言

CIDF的总体目标是实现软件的复用和IDR（入侵检测与响应）组件之间的互操作性。CIDF的工作重点是定义了一种应用层的语言CISL（公共入侵规范语言），用来描述IDR组件之间传送的信息，以及制定一套对这些信息进行编码的协议。CISL可以表示CIDF中的各种信息，如原始事件信息（审计踪迹记录和网络数据流信息）、分析结果（系统异常和攻击特征描述）、响应提示（停止某些特定的活动或修改组件的安全参数）等。

CIDFAPICIDF的API负责GIDO的编码、解码和传递，它提供的调用功能使得程序员可以在不了解编码和传递过程具体细节的情况下，以一种很简单的方式构建和传递GIDO。

GIDO的生成分为两个步骤：第一，构造表示GIDO的树型结构；第二，将此结构编成字节码。

SummaryIDSClassificationIDSDeploymentConsiderationsHowtochooseanIDSIndustrystandardsEndCVE的英文全称是“CommonVulnerabilities&Exposures”公共漏洞和暴露。CVE就好像是一个字典表，为广泛认同的信息安全漏洞或者已经暴露出来的弱点给出一个公共的名称。使用一个共同的名字，可以帮助用户在各自独立的各种漏洞数据库中和漏洞评估工具中共享数据。如果在一个漏洞报告中指明的一个漏洞，如果有CVE名称，你就可以快速地在任何其它CVE兼容的数据库中找到相应修补的信息，解决安全问题。

CVE(1)CVE的特点：

-为每个漏洞和暴露确定了唯一的名称

-给每个漏洞和暴露一个标准化的描述

-不是一个数据库，而是一个字典

-任何完全迥异的漏洞库都可以用同一个语言表述

-由于语言统一，可以使得安全事件报告更好地被理解，实现更好的协同工作

-可以成为评价相应工具和数据库的基准

-非常容易从互联网查询和下载，://

-通过“CVE编辑部”体现业界的认可

CVE(2)StandardsCVE(CommonVulnerabilitiesandExposures)IDMEF(IntrusionDetectionMessageExchangeFormat)IDWGIntrusionDetectionWorkingGroupAimsDefinedataformatDefineexchangeprocedureOutputsRequirementdocumentCommonintrusionlanguagespecificationFrameworkdocumentIDMEF

（IntrusionDetectionMessageExchangeFormat）Standarddataformat(usingXML)InteroperabilityTypicaldeployments:SensortoManagerDatabaseEventcorrelationsystemCentralizedconsoleIDMEFAddressedProblemsInherentlyheterogeneousinformationDifferentsensortypesDifferentanalyzercapabilitiesDifferentoperationsystemsDifferentobjectivesofcommercialvendorsMessageClasses(1)IDMEF-MessageClassAlertClassToolAlertCorrelationAlertOverflowAlertHeartbeatClassMessageClasses(2)CoreClassesAnalyzerSourceTargetClassificationAdditionalDataMessageClasses(3)TimeClassCreatTimeDetectTimeAnalyzerTimeMessageClasses(4)SupportClassNodeUserProcessServiceExample<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPEIDMEF-MessagePUBLIC"-//IETF//DTDRFCxxxxIDMEFv0.3//EN""idmef-message.dtd"><IDMEF-Messageversion="0.3"><Alertident="abc123456789"impact="successful-dos"><Analyzeranalyzerid="hq-dmz-analyzer01"><Nodecategory="dns"><location>HeadquartersDMZNetwork</location><name></name></Node></Analyzer><CreateTimentpstamp="0x12345678.0x98765432">2000-03-09T10:01:25.93464-05:00</CreateTime><Sourceident="a1b2c3d4"><Nodeident="a1b2c3d4-001"category="dns"><name></name><Addressident="a1b2c3d4-002"category="ipv4-net-mask"><address>21</address><netmask>55</netmask></Address></Node></Source><Targetident="d1c2b3a4"><Nodeident="d1c2b3a4-001"category="dns"><Addresscategory="ipv4-add