With the IDS (Intrusion Detection System) is speeding the development of the terminology associated with the rapid evolution of the same. This technology to share with you some IDS terminology, some of which are very basic and relatively common, while others are some uncommon. As the rapid development and a number of IDS IDS manufacturer's market power, different manufacturers may use the same terminology that different meanings, leading to the precise meaning of certain terms out of whack. Therefore, the paper will try to include all the terms are entered.
Alerts (alert)
When an intrusion is occurring, or attempts occurred, IDS alert information system will issue a notification system administrator. If the console with the IDS system with one machine, alert information will be displayed on the monitor may also be accompanied by voice prompts. If the remote console, then the alert will be built into the system through the IDS method (usually encrypted), SNMP (Simple Network Management Protocol, is usually not encrypted), email, SMS (short message) or more of several methods of mixed mode delivery to the administrator.
Anomaly (anomaly)
When there is an event with a signal to match known attacks, most IDS will alarm. One based on anomaly (anomaly) of the IDS activity will then construct a rough outline of the host or network, when there is a profile in this time of the incident outside, IDS will alarm, such as it was done he had not done before the When, for example, a user suddenly get the administrator or root directory permissions. Some IDS vendors as heuristic function this way, but a heuristic IDS should judge their reasoning has more intelligence.
Appliance (IDS hardware)
In addition to those existing systems to be installed up the IDS software, the shelves in the market can also buy a number of existing IDS hardware, just that they can access the network application. Some of the available IDS hardware including CaptIO, Cisco Secure IDS, OpenSnort, Dragon and SecureNetPro.
ArachNIDS
ArachNIDS developed by Max Visi an attack signature database, it is updated dynamically, for a variety of network-based intrusion detection system, and its URL address http://www.whitehats.com/ids/.
ARIS: Attack Registry & Intelligence Service (Registration and intelligence service attacks)
SecurityFocus ARIS is provided an additional service that allows users to anonymously connect to the Internet network to the SecurityFocus submitted to the network security incidents, then the data will SecurityFocus and many other participants in the data, which eventually form a detailed network safety statistical analysis and trend forecasting, publishing on the web. It's URL address http://aris.securityfocus.com/.
Attacks (Attack)
Attacks can be interpreted as trying to infiltrate the system or bypass the system security policy, to obtain the information, modify information, and destroy the target network or system functional behavior. The following lists the IDS can detect the most common types of Internet attacks:
鈼?attack type 1-DOS (Denial Of Service attack, denial of service attacks): DOS attack is not a means to destroy a system by hackers, security, it is only paralyze the system, the system refused to provide services to its users. The categories include buffer overflows, by flood (flooding) run out of system resources and so on.
鈼?attack type 2-DDOS (Distributed Denial of Service, Distributed Denial of Service attack): a standard DOS attacks use a lot of data from a host to attack a remote host, but can not send enough packets to achieve the desired The results, thus gave rise to DDOS, or distributed from the host over a target to attack, run out of the remote system's resources, or failure to connect.
鈼?attack type 3-Smurf: This is an old-style attack, but also occur when an attacker use the target's camouflage the source address of broadcast address to the implementation of a smurf amplifier ping operation, then all activities will be to target the host response to interrupt the network connection. Here are 10 smurf amplifier reference URLhttp: / / www.powertech.no/smurf/.
鈼?attack type 4-Trojans (Trojan): Trojan attacks on the term comes from the ancient Greeks used the Trojan Trojans, Trojans, in the possession of the Greek soldiers, when the Trojans arrived in the city, the soldiers on the Trojans to the city and its emission Residents attack. In computer terminology, it refers to those who had the form of legal process, in fact, those who harbor malicious software software. Thus, when the user runs the legal program, in unknowingly, malicious software was installed. However, because the majority of this form of malicious programs are installed remote control tool, Trojan quickly evolved into the term refers specifically to such tools, such as BackOrifice, SubSeven, NetBus, etc..
Automated Response (automated response)
In addition to sound the alarm on the attack, some IDS can automatically defend against these attacks. There are many ways to resist: First of all, you can re-configure the router and firewall, reject that information flow from the same address; secondly, by sending reset packets off the network connection. But these two methods have the problem, an attacker can in turn use to re-configure the device, which is: by posing as a friendly address to attack, then IDS will configure routers and firewalls to reject these addresses, so was actually "own people" refuse service. Send a reset packet method requires an active network interface, so it will be placed under attack, a remedy is: to make activities within the network interface in the firewall, or use special contracting procedures to avoid the standard IP stack needs .
CERT (Computer Emergency Response Team, Computer Emergency Response Team)
The term is reflected by the first computer emergency response team selection, the team at Carnegie Mellon University to establish their computer security incident response, take action. Many organizations now have a CERT, for example CNCERT / CC (Computer Network Emergency Coordinator in China center). Because some lack of clarity in the word emergency, many organizations use the term Incident to replace it, creating new words Computer Incident Response Team (CIRT), the computer incident response team. response handling the word is sometimes used instead, which means that emergency response action, rather than long-term research.
CIDF (Common Intrusion Detection Framework; common intrusion detection framework)
CIDF in a bid to standardize to some extent, the intrusion detection, developed a number of protocols and application program interface, so that intrusion detection research projects to share information and resources between the Nenggou, and intrusion detection components can also be reused in other systems. CIDF the URL address is http://www.isi.edu/gost/cidf/.
CIRT (Computer Incident Response Team, Computer Incident Response Team)
CIRT is evolved from the CERT, CIRT represents a security incident in the philosophy of understanding change. CERT was originally a computer specifically for a particular emergency situation, but in terms CIRT incident indicates that not all incidents are necessarily emergencies, and all emergencies can be seen as incidents.
CISL (Common Intrusion Specification Language, Common Intrusion Specification Language)
CISL is CIDF between the components communicate with each other's language. As the agreement is CIDF and interface standardization attempts, so that intrusion detection CISL research attempts to standardize the language.
CVE (Common Vulnerabilities and Exposures, Common Vulnerabilities and Exposures)
On the vulnerability of an old problem is in the design of scanner or coping strategies, different manufacturers on the vulnerability of the title will be completely different. There are some loopholes in the definition of a Chamber of Commerce produced a variety of features and applications to their IDS systems, thus giving a false impression, as if their products more effective. MITRE created CVE, will be standardized vulnerability names, participating manufacturers also logical development of IDS products in accordance with this standard. CVE's URL address is http://cve.mitre.org/.
Crafting Packets (custom data packets)
Create custom packets, you can avoid the usual requirement of some data packet structure, thereby creating a data packet to deceive, or makes the computer receiving it I do not know how to handle it. Create a custom packet program available Nemesis, its URL address is http://jeff.chi.wwti.com/nemesis/.
Desynchronization (synchronization failure)
desynchronization The term originally refers to the sequence number of ways to evade IDS. Some IDS might expect it would have puzzled the serial number, which will lead to re-construct the data. This technology is very popular in 1998, is now obsolete, and some articles to desynchronization this term to mean other IDS evasion method.
Eleet
When hackers write vulnerability development process, they often leave a signature, one of the most notorious one is the elite. If eleet into digital, it is 31,337, and when it refers to their ability, elite = eleet, said the elite. 31337 is often used as a port number or serial number. Popular word "skillz".
Enumeration (list)
After passive research and social engineering work, the attacker will begin to list on network resources. List is the active exploration of a network attacker to found what is and what can be made use of. As the present action is no longer passive, it is likely to be detected. Of course, in order to avoid being detected, they will quietly as possible.
Evasion (dodge)
Evasion is to launch an attack without being detected by IDS successfully. The trick is to let them see only one aspect of the IDS, but the actual attack is another target, the so-called out at large, stealing a march. Evasion is a form of information packages for different set different TTL (effective time) value, so the information through the IDS looks like a harmless bit of information in the sound than the TTL to reach the target host is TTL needs to be short. Once through the IDS and close, friendly part will be lost, leaving only harmful.
Exploits (exploits)
For each vulnerability, have exploited this vulnerability to attack mechanism. In order to attack the system, the attacker exploits the preparation of a code or textbook.
Will exist for each vulnerability exploit the implementation of the mode of attack, this method is the Exploit. In order to attack systems, hackers will write exploits.
Vulnerability used: Zero Day Exploit (zero-day exploits)
Zero-day exploits is not yet understood and is still running amok exploits, that this type of vulnerability has not been found using the current. Once a vulnerability found in use by the network security community, and soon there will be a patch for it, and write the characteristics of IDS identification information, to make use of this loophole is invalid, and effectively capture it.
False Negatives (omitted)
Omission is not an IDS to detect attacks or analysts considered harmless.
False Positives (false positives)
False positive is the actual sound of the issue has been detected as IDS attacks.
Firewalls (Firewall)
Network security firewall is the first hurdle, although it is not IDS, but the firewall logs can provide valuable information for the IDS. The principle is based on the work firewall rules or standards, such as source address, port, etc., will block out dangerous connection.
FIRST (Forum of Incident Response and Security Teams, Incident Response and Security Team Forum)
FIRST is an international government and private organizations together to exchange information and coordinate response actions Alliance, the annual FIRST be a high priority, and its URL address is http://www.first.org/.
Fragmentation (fragment)
If a packet was too large to load, it had to be divided into pieces. Slice based on the network MTU (Maximum Transmission Units, the maximum transmission unit). For example, the tablets ring (token ring) the MTU is 4464, Ethernet (Ethernet) the MTU is 1500, so if a packet from the tablets were transferred to the Ethernet ring network, it will be split into smaller fragment, and then rebuild at the destination. While this deal will result in reduced efficiency, but the effect of fragmentation is still very good. Hackers will slice as a way to evade IDS, and there are some DOS attacks are also used Segmentation.
Heuristics (inspiration)
Heuristics refers to the use of intrusion detection in AI (artificial intelligence, artificial intelligence) thinking. IDS actually use heuristic theory has emerged about 10 years, but they are not enough "smart", an attacker can train it and make it lose sight malicious information flow. Some IDS uses to detect abnormal pattern of invasion, such IDS must be constantly learning what is normal for the event. Some producers think this is very "smart" IDS, so they will be seen as heuristic IDS. But in fact, the real application of AI technology to the analysis of input data is also very little IDS.
Honeynet Project (Honeynet Project)
Honeynet is a learning tool, is a security flaw in the network contains. When it is under security threat, the invasion of information will be captured and accepted analysis, so that hackers can learn some things. Honeynet is a professional organization of more than 30 security members, dedicated to the understanding of hacker groups using the tools, tactics and motives as well as share their knowledge of the project. They have established a series of honeypots, provides a seemingly vulnerable Honeynet network, observe the intrusion into the hacking of these systems to study the hacker tactics, motivation and behavior.
Honeypot (Honey Pot)
Honeypot is a system that contains the vulnerability, which simulates one or more of vulnerable hosts, to provide an easy hacker targets. Since honeypots have no other tasks to be done, all connection attempts should be regarded as suspicious. Another use of honeypots is their real goal to delay the attacker attacks allow an attacker to waste time on the honeypot. At the same time, the initial targets are protected, the real value of the content will not be violated.
Honey Pot is one of the original purpose of gathering evidence for the prosecution of malicious hackers, it looks like there are "trapped" feeling. However, in some countries can not use honeypots to collect evidence to prosecute hackers.
IDS Categories (IDS category)
There are many different types of IDS, the following breakdown:
鈼?IDS Category 1-Application IDS (Application IDS): IDS application for some special applications found invasion of the signal, these applications usually refers to the more vulnerable applications such as Web servers, databases and so on. There are many original focus on the operating system host-based IDS, although not for the default application, but can also be trained, used in applications. For example, KSE (a host-based IDS) can tell us in the event log is doing, including the event log report on the application's output. An example of an application IDS is Entercept's Web Server Edition.
鈼?IDS Category 2-Consoles IDS (console IDS): In order to apply collaborative environment IDS, distributed IDS agents need to report information to the center console. Now many of the center console can also receive data from other sources, such as other producers of the IDS, firewalls, routers. The integration of these information can be presented a more complete picture of the attack. Some of the console will also add their own signatures to the agency-level console, and provide remote management capabilities. This IDS product has Intellitactics Network Security Monitor and Open Esecurity Platform.
鈼?IDS Category 3-File Integrity Checkers (File Integrity Checker): When a system's threat of attack, it often will change some of the key files to provide continued access and prevent detection. Additional information for the key documents through summaries (encrypted hash), you can periodically check the file to see if they are to be changed, thus providing a guarantee to some extent. Once such a change is detected, the integrity checker will issue a warning. Moreover, when a system already under attack, the system administrator can also use the same method to determine the extent of the system at risk. File Checker before the incident occurred after a long time to come out to intrusion detection is "hindsight", the recent number of products can be accessed in the document, while on inspection, can be seen as a real-time IDS products. Such products are Tripwire and Intact.
鈼?IDS Category 4-Honeypots (honeypots): on the honeypot, as already introduced. Examples of honeypot Mantrap and Sting.
鈼?IDS Category 5-Host-based IDS (host-based IDS): IDS on multiple sources of such systems and event log monitoring, suspicious activity. Host-based IDS, also known as host IDS, the most suitable for detection of internal staff who can be trusted and have to avoid misuse of the traditional testing methods to infiltrate the network activities. In addition to the completion of a similar event log reader function, host IDS is also on the "event / log / time" for signature analysis. Many products also contain heuristic function. Host IDS for almost real-time work, the system errors can be quickly detected, technicians and security people are very like it. Now, host-based IDS is that based on server / workstation all types of host intrusion detection system. Such products include Kane Secure Enterprise and Dragon Squire.
鈼?IDS Category 6-Hybrid IDS (Hybrid IDS): The structure of modern switched network intrusion detection operation to bring some problems. First, the default state in exchange for network card in promiscuous mode does not allow the work, which makes the installation of traditional network IDS is very difficult. Second, the high speed of the network means that many packets will be discarded by NIDS. Hybrid IDS (Hybrid IDS) is a program to solve these problems, it will raise a level of IDS, a combination of network node IDS and Host IDS (host IDS). Although the coverage of this solution greatly, but taking into account the resulting huge amount of data and costs. Many network servers only critical to retain mixed-IDS. Some manufacturers to complete more than one task are called IDS Hybrid IDS, in fact it is only for advertising effects. Hybrid IDS products CentraxICE and RealSecure Server Sensor.
鈼?IDS Category 7-Network IDS (NIDS, Network IDS): NIDS on all flow through the monitoring agent to monitor network traffic for suspicious activities and unusual features include activities to respond to attacks. NIDS was originally mixed with the IDS filter information packet sniffer, but recently they have become more intelligent and can decipher the agreement and to maintain state. There NIDS products based on the application, just install and can be applied to the host. NIDS attack on the characteristics of each information packet analysis, but under high load in the network, or to discard some packets. Network IDS products are SecureNetPro and Snort.
鈼?IDS Category 8-Network Node IDS (NNIDS, network node IDS): Some network IDS is not reliable at high speed, the load will be discarded after the high proportion of their network information packet, and switching network will often hinder the network IDS to see to the mixed packet transmission. NNIDS the NIDS functions entrusted to a separate host, thus alleviating the high speed and exchange issues. Although NNIDS and personal firewall features similar, but there are differences between them. To be classified as NNIDS personal firewall, an attempt should be made of the connection. For example, unlike many personal firewall found in the "trying to connect to port xxx", a NNIDS would have done any of the probe characteristics. In addition, NNIDS will host the event received is sent to a central console.
NNIDS products BlackICE Agent and Tiny CMDS.
鈼?IDS Category 9-Personal Firewall (Personal Firewall): a personal firewall installed on a separate system, preventing unwanted connection, either incoming or out to protect the host system. Be careful not to confuse it with NNIDS. Personal firewalls are ZoneAlarm and Sybergen.
鈼?IDS Category 10-Target-Based IDS (target-based IDS): This is not a clear one IDS terminology, different people have different meaning. One possible definition file integrity checker, while the other is the definition of the network IDS, which is only for those who are looking for and protected as vulnerable to attack by the characteristics of the network. The purpose behind this definition is to improve the speed of IDS, because it does not search for those unnecessary attacks.
IDWG (Intrusion Detection Working Group, Intrusion Detection Working Group)
Intrusion Detection Working Group's goal is to define data format and exchange information on the procedural steps, the information is for intrusion detection systems, response systems, and those who need interaction with their management systems are important. Intrusion Detection Working Group to work with other IETF organizations.
IDWG the URL address is http://www.ietf.org/html.charters/idwg-charter.html.
IETF's URL address is http://www.ietf.org/.
Incident Handling (event processing)
To detect an intrusion is just the beginning. More generally, the situation is, the console operator members will Buduan to receive alerts, with a fundamental Wufa separate the time to personally track every potential incident, the operator will be in the interest of the event Shangzuo Chu Biaozhiyibei future You Response Team to research. After the initial reaction, you need to deal with the incident, that is, such as surveys, debates and issues like the prosecution.
Incident Response (incident response)
On the detection of the initial response of potential events, then these events according to event handling procedures.
Islanding (island)
Island is to the network is completely cut off from the Internet, which is almost a last resort, and no way of approach. An organization only in the large-scale virus outbreaks or security attacks are very obvious when using this tool.
Promiscuous (mixed mode)
By default, IDS can only see out of the host network interface information, which is the so-called non-promiscuous (non-promiscuous mode). If the network interface is a mixed mode, you can see the segment in all of the network traffic, regardless of its source or destination. This is necessary for network IDS, but may be used by packet sniffer to monitor network traffic. Exchange-based HUB can solve this problem, see the place full of traffic, will have a number of cross (span) port.
Routers (router)
Router is used to connect different subnets center, they work in the OSI 7 layer model of the transport layer and network layer. The basic function of the router is a network packet transmitted to their destination. Some routers have access control lists (ACLs), allows packet filtering unwanted information out. Many routers can log information to their injected into the IDS system, providing access to the network blocked attempts to valuable information.
Scanners (Scanner)
Scanner is an automated tool that scans the network and host vulnerability. With intrusion detection systems, they are also divided into many types, the following were described.
鈼?Scanner Type 1-Network Scanners (network scanner): network scanner on the network search to find all the hosts on the network. Traditionally, they use the ICMP ping technology, but this approach can easily be detected. In order to become hidden, there are some new technologies, such as fin ack scan and scan. Use of these scanners is another more subtle advantage: different operating systems on these scans have different reactions, thus providing an attacker with more valuable information. An example of this tool is nmap.
鈼?Scanner Type 2-Network Vulnerability Scanners (network vulnerability scanner): network vulnerabilities scanner network scanner a step forward, it can detect the target host, and highlight all the loopholes for hackers to use. Network vulnerability scanner for attackers and security experts to use, but will allow IDS systems often "tense." Retina of such products and CyberCop.
鈼?Scanner Type 3-Host Vulnerability Scanners (host vulnerability scanners): such tools as a privileged user, from the internal scan host, password strength testing, security policy and file permission and so on. Network IDS, Host IDS particular it can be detected. Such products are SecurityExpressions, it is a remote Windows vulnerability scanners, and can automatically repair vulnerabilities. There are as ISS database scanner, will scan the database vulnerability.
Script Kiddies (script kiddies)
Some are much-vaunted Internet security breaches, such as the February 2000 denial of service attacks against Yahoo, is the number of teenage students dry, they dry the purpose of these bad things seem to fame. Security experts often to these people as script kiddies (Script Kiddies). Script kiddies are usually spontaneous, less skilled cracker, they use the information downloaded from the Internet, software or scripts on the target site for destruction. Hacker organizations or law enforcement authorities have expressed contempt for these script kids, because they are usually unskilled, there are a lot of time to carry out his hand, destroy, their purpose generally is to impress their friends. Script kiddies is like holding a rush of children, they do not understand ballistics, do not have to be able to manufacture firearms, can become a powerful enemy. Therefore, whenever they can not underestimate the strength.
Shunning (hide)
Equipment is configured to avoid the border to reject unwanted packets to all, and some even refuse to escape all the IP addresses from certain countries, the information packets.
Signatures (feature)
IDS is the core of signatures, which allows IDS to trigger when the event occurs. Feature information is too short will always trigger the IDS, leading to false positives or wrongly reported that the work is too long will slow down the rate of IDS. Some features will be supported by the number of IDS IDS as a standard of good or bad, but a feature of some commercial products cover many attacks, and some manufacturers of these features will be listed separately, which would give the impression as if It contains more features, a better IDS. We must be aware of these.
Stealth (hidden)
Hide is the IDS in detecting attacks from outsiders can see, they often use outside in the DMZ, not firewall protection. Some of its shortcomings, such as automatic response.
相关链接:
To expose the fraud: WinRAR to compress 775MB 13.4MBMKV to MOVSimulation of snow-CorelDRAW Versus PhotoshopTeach you from complex background using Photoshop cutout dressMPG To DivXDigital China to enhance profitability yet ready to fight a protracted warCottage IN ChinaHOW to short-term consultants into your teamConvert to 3gp 3Guide Calculators And CONVERTERS3GP to FLVWho is knocking the Door of opportunity?Articles about Web Or Video CamsHow to change your personalized JSP EXTENSION
