
Thesis: Building an intrusion detection system with the Snort software

LIST OF ABBREVIATIONS
Abbreviation: Full name
KPDL: Khai phá dữ liệu (data mining)
BTTM: Bất thường trong mạng (network anomaly)
PTTB: Phần tử tách biệt (outlier)
SOM: Self Organizing Map
HIDS: Host-based Intrusion Detection System
NIDS: Network-based Intrusion Detection System
IDS: Intrusion Detection System
DoS: Denial of Service
SNMP: Simple Network Management Protocol
HTTPS: Hypertext Transfer Protocol
CSDL: Cơ sở dữ liệu (database)
ICMP: Internet Control Message Protocol
TTL: Time To Live
MIB: Management Information Base

LIST OF FIGURES
Figure 1.1 The number of attacked machines keeps increasing
Figure 1.2 The time to infect 10,000 machines is very short
Figure 1.3 Defence in depth
Figure 1.4 Components of an IDS
Figure 1.5 Operation of an IDS
Figure 1.6 Operation of a HIDS
Figure 1.7 Operation of a NIDS
Figure 1.8 Knowledge-based IDS
Figure 1.9 Operating principle of an IDS
Figure 1.10 IDS sends a TCP Reset
Figure 1.11 IDS asks the Firewall to suspend a service
Figure 2.1 Anomaly-based IDS
Figure 2.2 Operation of an anomaly-based IDS
Figure 2.3 SOM-based IDS
Figure 2.4 Anomaly detection system using data mining (KPDL) techniques
Figure 2.5 Example of rule aggregation
Figure 2.6 Operation of the Aggregation module
Figure 2.7 Collection of attack knowledge
Figure 3.1 Relationships between the components of Snort
Figure 3.2 Packet decoding diagram

TABLE OF CONTENTS
Page

INTRODUCTION
1. Research background
According to the Vietnamese Security Network (VSEC), 70% of websites in Vietnam can be broken into and over 80% of network systems can be taken over by hackers. This shows that the security policies of Vietnamese information systems have not received adequate attention and investment. When an information system is taken over by a hacker the consequences are unpredictable; in particular, if the system is one of the country's critical systems (government, banking, telecommunications, e-commerce), the damage to reputation and to the economy is very large. In this context, the development and use of intrusion detection systems (IDS) is becoming ever more widespread, and an IDS plays an indispensable role in the security and information-safety policy of any information system. The task of an IDS is to collect network data, analyse and evaluate it, and thereby determine whether there are signs of an attack. The IDS warns the expert before the perpetrator can steal or destroy information, and so reduces the risk to the security of the system. Intrusion detection systems follow two main approaches: the anomaly-detection approach and the signature-based approach. In the signature-based approach, the system uses previously defined attack patterns and compares them with the data under examination to decide whether it is abnormal. This approach is widely used today, but its weakness is that it can only detect attacks whose signatures are known in advance. The anomaly-detection technique overcomes this by building profiles that describe the normal state. A behaviour of the system is considered abnormal if the measured parameters differ significantly from the normal level, from which one can infer that these anomalies are signs of attack behaviour. Clearly the approach based on abnormal behaviour is more intelligent and is fully able to recognize new attacks for which no specific signature exists yet.

2. Research content
While carrying out the topic, the author studied the following problems:
- Analysing the role and functions of an intrusion detection system, and studying its components, classification and operation.
- Proposing criteria for evaluating an IDS.
- Studying anomaly-based IDS, and analysing the advantages and disadvantages of this approach.
- Studying the techniques used for anomaly detection: statistical probability, finite state machines, data mining, neural networks and expert systems, and evaluating their effectiveness.
- Building an anomaly detection system using the Snort intrusion detection software.

3. Structure of the thesis
Chapter 1: An overview of intrusion detection systems. This chapter outlines the role of an IDS in an information system, the ways of classifying IDS, and the structure and operating principle of an IDS.
Chapter 2: Describes the principle of detecting attacks by watching for abnormal signs in the system, and compares and evaluates the advantages and disadvantages of anomaly-based intrusion detection systems. The chapter also assesses several research directions currently being pursued.
Chapter 3: Building an intrusion detection system with Snort for an information system, showing how to build a rule set and apply it to detect intrusions.
Finally, the conclusions and directions for further research are given.

CHAPTER 1 OVERVIEW OF INTRUSION DETECTION SYSTEMS


1.1 Information system security
Information only has high value when it is accurate and timely, and a system can only provide truly valuable information when its functions are guaranteed to operate correctly. The goal of securing an information system is to devise solutions and apply them to the system so as to eliminate or reduce the dangers. Attacks today are increasingly sophisticated and threaten the safety of information. They can come from many directions and in different ways, so the necessary policies and precautions must be put in place. The ultimate purpose of securing an information system and its resources is to meet the following requirements:
- Confidentiality: information cannot be accessed by unauthorized persons.
- Integrity: information cannot be modified or forged by unauthorized persons.
- Availability: information is always ready for use by authorized persons.
- Non-repudiation: the information is legally committed to by its provider.
It must be stressed that no system is absolutely secure. However modern and robust a protection system is, it will at some point be defeated by a highly skilled attacker with enough time. Moreover, the security of an information system also depends heavily on how people use it. Network security is therefore in practice a never-ending relay race, and no one can say whether there is a finish line.

1.1.1 Threats
Many threats affect the security of an information system. They may originate from unauthorized attacks from outside or from vulnerabilities inside the system itself; every system carries vulnerabilities or weaknesses. Broadly, the main kinds of weakness are:
- Software: programming itself introduces vulnerabilities. It is estimated that every 1000 lines of code contain on average 5-15 bugs, while operating systems are built from millions of lines of code (Windows: 50 million lines).
- Hardware: faults in hardware devices such as firewalls, routers, etc.
- Policy: inappropriate or insecure regulations, for example authentication policy, or the rules on the duties and responsibilities of the system's users.
- Usage: however modern the system's equipment, it is used and managed by people, and users' mistakes and carelessness can cause serious vulnerabilities.
Attacks from outside can be divided into two kinds: passive and active. Passive and active here refer to whether or not the attacker interferes with the content and with the flow of the information exchanged. A passive attack aims only at capturing information; even without knowing the content, the attacker can work out the sender and receiver from the protocol control information in the packet headers, and can also examine the number, length and frequency of exchanges to learn the characteristics of the data exchange. Some typical forms of attack follow.
a) Scanning and probing: Every intrusion into a network environment begins with reconnaissance to gather information about users, the internal structure of the system and its security weaknesses. Reconnaissance proceeds in passive steps (collecting publicly available information) and active steps (using tools to search for information on the victim's machines). Scanning tools are designed by professional hackers and published widely on the Internet; commonly used tools are Nmap and Essential Network Tools, which perform ping sweeps, packet sniffing and DNS zone transfers.
b) Denial of Service attacks: This is the hardest kind of attack to defend against, and no complete defence exists anywhere in the world. The general principle is that the hacker continuously sends many service requests to the victim machine, which must answer all of them. When too many requests arrive, the victim cannot serve them in time, so the requests of legitimate machines are delayed or stop being served altogether, or the hacker may even gain control. Details of some denial-of-service attacks are given in the Appendix.
c) Exploitation of security vulnerabilities: Operating systems, databases and applications always have new weaknesses appearing every week, even every day, and these are regularly published on many security websites. System weaknesses are therefore the main cause of attacks; one statistic shows that over 90% of attacks rely on published vulnerabilities. For a network with many servers and workstations, applying security patches is time-consuming and hard to do completely, so the presence of vulnerabilities at some points on the network is a certainty. A Zero-Day attack is defined as an attack that takes place as soon as a flaw is published and before a patch exists. Such attacks are very dangerous because ordinary security systems cannot detect them.
d) Application-level attacks: These are attacks on application software at the service level. If successful, they usually give the intruder control of the services and even of the attacked server. The number of attacks keeps rising while attacks based on human weakness (so-called sophistication attacks) are decreasing. Attacks on computer systems are clearly becoming more diverse and complex and highly technical, and the attack process is increasingly automated with small tools spread everywhere on the network.

Figure 1.1 The number of attacked machines keeps increasing (source: IDC 2002). [Bar chart of devices infected: Code Red 2,777; Nimda 6,250; Goner 12,500; Slammer 100,000; Lovasan 120,000]

Figure 1.2 The time to infect 10,000 machines is very short (source: McAfee 2005)

1.1.2 Principles of information protection
Some principles for protecting information systems are as follows. The most basic principle of a security function is the mechanism of least privilege: essentially, any subject (user, operator, program, etc.) should have only the privileges it needs to carry out its tasks, and no more. This principle is important for limiting the system's exposure to attackers and limiting the damage when an attack succeeds. Next, defence must be in depth. The idea of this strategy is that the security system consists of several levels; behind one level of security there is another, and the levels support one another. One should never depend on a single safety mechanism, however strong it may be.

Next, choke points must be created for information flows. A choke point forces attackers on the system to pass through a narrow channel that the administrator can control; there the administrator can install mechanisms to monitor, inspect and control (permit or deny) access to the system. In network security the IDS sits between the internal system and the Internet, in front of the Firewall, as a choke point (assuming there is a single connection between the internal system and the Internet). All attackers coming from the Internet then pass through this choke point, where the administrator can watch them and react in time. The weakness of this method is that attacks which bypass that point cannot be controlled or blocked. Finally, to be highly effective, security systems need diverse solutions and the joint cooperation of all components of the system (users, security hardware, security software, safety mechanisms, etc.), forming a security system whose parts monitor and support one another. The defence system consists of several modules providing different forms of defence, so that each module covers the gaps of the others. Besides firewalls, a LAN or a local machine also uses the protection modules of the application, the operating system, the hardware devices, etc.

1.1.3 Protection measures
Network Firewall: A firewall is a device (hardware plus software) placed between the network of an organization, company or country (the Intranet) and the external Internet. Its main role is to protect information by blocking unwanted access from outside (the Internet) and forbidding access from inside (the Intranet) to certain addresses on the Internet. Being a protective device, the firewall must itself be highly secure. In general all information entering and leaving the internal network passes through the firewall, which is responsible for discarding illegitimate information. To decide whether information passing through it is legitimate, the firewall relies on the set of rules it has been given. Firewalls are often combined with NAT address translation and routing functions, so their ability to block attacks usually covers layers 2 to 4 of the OSI model. The weakness of a firewall is its passivity: it works from rule sets, and the administrator must configure those rules to permit or deny each packet. The firewall itself cannot recognize threats from the network; the network administrator has to point them out by setting up rules on it.
IDS: Intrusion Detection is the process of monitoring the events occurring in different areas of a computer network and analysing them for signs of intrusion, in order to preserve the confidentiality, integrity and availability of the system. Intrusions are usually caused by attackers accessing the system from the Internet, or by legitimate users trying to reach resources outside their authority or misusing the privileges they were granted. An IDS usually blocks highly sophisticated attacks or attacks on the application layer, and so compensates for the passive weakness of the firewall.
Other measures: These must be combined with other security measures such as encryption (of files or links), authentication, authorization and identification, antivirus, content filtering, etc., to form a defence-in-depth system with several complementary layers of protection.

Figure 1.3 Defence in depth (layers of security around the protected assets, with attacks arriving from outside)

1.2 Intrusion detection techniques
If the Firewall is understood as a lock on the door of the network, then the IDS can be seen as monitoring sensors placed throughout the network to warn of attacks that have slipped past the Firewall or that originate inside the network. An IDS analyses the packets the Firewall lets through, looking for signs of attack either from known signatures or by analysing abnormal events, and thereby stops attacks before they can harm the organization. An IDS is built from three main components: the Sensor, the Console and the analysis Engine. By function, IDS fall into two main types, Network-based IDS (NIDS) and Host-based IDS (HIDS). A NIDS is usually placed at the network gateway to monitor the traffic of a network segment, while a HIDS is installed on each workstation to analyse the behaviour and data reaching that workstation. In terms of operation, an IDS works in five main stages: Monitoring, Analysis, Communication, Alerting and Response. Recently viruses and worms targeting operating systems have been rampant; many of them scan ports across address ranges to find vulnerabilities and only then spread in. Against such attacks, a network with an IDS installed has a much greater chance of defending itself.

1.2.1 Components
An IDS consists of three basic components:
- Sensor: the part that detects events which may threaten the security of the network. The Sensor scans the content of packets on the network, compares the content with patterns and detects signs of attack, also called events.
- Console: the part that interacts with the administrator, receives commands controlling the operation of the Sensors and the Engine, and issues attack alerts.
- Engine: records all reports of events detected by the Sensors in a database, and uses a system of rules to issue alerts on the received security events to the system or to the administrator.

Figure 1.4 Components of an IDS (network traffic, Sensor, Engine, Console, alerts)

The IDS thus works by detection and alerting. The Sensors are placed on the system at the points that need to be controlled; they capture packets on the network and analyse them for signs of attack. If a packet carries signs of attack, the Sensor immediately marks it as an event and reports the result to the Engine. The Engine records all reports from all Sensors, stores them in its database and decides what alert level to assign to the received event. The Console monitors, alerts and at the same time controls the operation of the Sensors. In traditional IDS, the Sensors work by pattern matching: they capture packets on the network, read their content and compare the strings in it against a set of patterns that identify attacks or malicious code harmful to the system. If a string in the packet content matches a pattern, the Sensor marks it as an event, or sign of attack, and generates an alert. The signals that identify attacks are collected and compiled into a set called signatures. These signatures are usually formed from experience in defending against attacks; specialized research centres produce them and supply them to IDS around the world.

Figure 1.5 Operation of an IDS (data source, activity, Sensor, Analyzer, Alert, Manager, Notification, Operator, security policy, trending and reporting)

1.2.2 Classification

IDS can be classified in several ways according to different criteria. Classified by the behaviour of the IDS there are two types: signature-based detection (Misuse-based IDS) and detection based on abnormal signs (Anomaly-based IDS, see Chapter 2). Classified by the object monitored, the two most basic types are Host-based IDS and Network-based IDS. Each type takes a different approach to monitoring and detecting intrusions, with its own advantages and disadvantages. In short, a Host-based IDS monitors data on individual computers, while a Network-based IDS monitors the traffic of a network.

1.2.2.1 Host-based IDS (HIDS)
Host-based systems were the first kind of IDS to be researched and deployed. By installing IDS software on the workstations (called Agents), a HIDS can monitor all of the system's activity, the log files and the network traffic arriving at each workstation. A HIDS inspects the network traffic being delivered to the workstation and protects it by blocking suspicious packets. It can check login activity on the workstation and look for abnormal activity such as password guessing or privilege escalation. A HIDS can also monitor deep inside the workstation's operating system to check the integrity of the kernel, the files stored on the system, and so on. A HIDS is highly effective at detecting users misusing resources on the network: if a user attempts illegitimate actions, a typical HIDS detects this and gathers the most relevant information fastest. The weakness of a HIDS is its bulk. With a few thousand workstations on a large network, collecting and aggregating machine-specific information separately for every single machine is inefficient. Moreover, if the perpetrator disables data collection on a machine, the HIDS on that machine becomes meaningless.


Figure 1.6 Operation of a HIDS

1.2.2.2 Network-based IDS (NIDS)
A NIDS identifies unauthorized access by inspecting the information flows on the network and monitoring many workstations. It reaches the network traffic by connecting to hubs and switches to capture packets, analyses the packet contents and generates alerts from them. In a NIDS, the Sensors are placed at the points of the network that need inspection, usually in front of the DMZ or at the network perimeter; they capture all packets travelling on the network and analyse the content of each one to detect signs of attack. The weakness of a NIDS is that it affects network bandwidth, since it taps directly into the network traffic; if the NIDS is not sized correctly, its processing capacity becomes a bottleneck that congests the network. A NIDS also has difficulty with transport-protocol issues such as analysing fragmented packets (IP fragmentation) or the manipulation of the TTL field in IP packets.

Figure 1.7 Operation of a NIDS

HIDS | NIDS
Low manageability; easy to install. | Centralized management; hard to install.
Low coverage: each workstation only sees its own traffic, so there is no overall view of an attack. | High coverage, thanks to a complete view of the network traffic.
Operating-system dependent: because the HIDS is installed on the workstation, it depends on that workstation's operating system. | Independent of the workstations' operating systems.
Does not affect network bandwidth. | Affects network bandwidth, since the NIDS analyses the main data flow.
No protocol problems. | Transport-protocol problems: packet fragmentation, TTL. Encryption problem: an IDS placed in an encrypted channel cannot analyse the packets.

This thesis studies mainly NIDS, so the term IDS is to be understood here as Network-based IDS.

1.2.2.3 Classification by signature
Misuse-based IDS can be divided into two types according to the database and kind of attack: Knowledge-based and Signature-based.

1.2.2.3.1 Knowledge-based IDS
A Misuse-based IDS with a knowledge-based database stores information about the forms of attack. Audit data collected by the IDS is compared with the content of the database, and if a match is found an alert is generated; events that do not resemble any attack form are regarded as legitimate actions. The advantage of this model is that it rarely produces false alerts, since it relies on a detailed description of the attack type. It has weaknesses, however: first, as the variety of attack types and vulnerabilities grows over time, the database becomes very large and hard to analyse; second, it can only detect attack types known in advance, so it must be updated regularly as new attack types and vulnerabilities are discovered.

Figure 1.8 Knowledge-based IDS

1.2.2.3.2 Signature-based IDS
A Signature-based IDS uses an abstract definition describing an attack, called a signature. A signature consists of the group of information needed to describe the attack type; for example, a network IDS may store in its database the contents of packets associated with a known attack type. The signature is usually stored in a form that allows direct comparison with the information in the event stream. During processing, events are compared with the entries in the signature file, and if a match is found the system generates an alert. Signature-based IDS are very common today because they are easy to develop, give accurate alert feedback and usually require few computing resources. They have the following weaknesses, however:
- The description of an attack is usually low-level and hard to understand.
- Every attack, and every variant of it, needs an additional signature in the database, so the database becomes very large.
- The more specific a signature is, the fewer false alerts it produces, but the harder it becomes to detect variants of the attack.
Familiar examples of signature-based IDS are EMERALD and many commercial products.

1.2.3 Operating principle
The operation of an intrusion prevention system is divided into five main stages: network Monitoring, traffic Analysis, Communication between components, Alerting on intrusive behaviour and, finally, a possible Response, depending on the functions of the particular IDS.
Figure 1.9 Operating principle of an IDS (cycle: 1. Monitoring, 2. Analysis, 3. Communication, 4. Alerting, 5. Response)

Network monitoring (Monitoring): Network monitoring is the process of collecting information about the traffic on the network, normally carried out by the Sensors. This stage must obtain complete and intact information about the state of the network, which is a difficult problem: monitoring all traffic consumes a great deal of resources and risks congesting the network, so care is needed not to affect the whole system. One option is to collect continuously over a long period or to collect periodically, but then the behaviours captured are only those within the monitoring interval. Alternatively, TCP traffic can be traced per packet or per connection, which shows the permitted data flows in and out. If only successful connections are tracked, however, valuable information about unsuccessful connections may be lost, and these are often exactly what an IDS is interested in, for example port scanning.
Traffic analysis (Analyzing): Once the necessary information has been collected from points on the network, the IDS analyses the collected data. Each system needs a different analysis, since no two environments are alike. Usually at this stage the IDS searches the traffic stream for suspicious signs, using pattern matching or analysis of abnormal behaviour. If signs of attack are found, the Sensors send alerts to the central collector.
Communication: This stage plays an important role in an IDS. Communication takes place when a Sensor detects signs of attack or when the Engine changes configuration or controls a Sensor. IDS usually use special protocol suites to exchange information between components; these protocols must guarantee reliability, confidentiality and good fault tolerance, for example SSH, HTTPS, SNMPv3, etc. Cisco's IDS, for instance, commonly uses the PostOffice protocol, which defines a set of messages for communication between components.
Alert: After analysing the data, the IDS must produce alerts, for example:
+ An alert on an invalid address.

19

+ An alert when a machine uses or tries to use invalid services.
+ An alert when a machine tries to connect to machines on a watch list inside or outside the network.
+ ...
Response: In some advanced IDS today, once the preceding stages have detected signs of attack, the system not only alerts the administrator but also takes defensive actions to stop the attack. This strengthens the network's self-defence, because if the administrator is merely alerted the attack may continue and cause damage. An IDS able to react to attacks must be configured with the authority to intervene in the operation of the Firewall, switches and routers. Actions an IDS can take include:
+ Cutting off a service.
+ Interrupting a session.
+ Banning the attacking IP address.
+ Creating a log.

Figure 1.10 IDS sends a TCP Reset (to the Client)

Figure 1.11 IDS asks the Firewall to suspend a service: the IDS asks the Firewall to block port 80 for 60 s to counter attacks on a web server running IIS

1.3 Chapter summary
This chapter has given an overview of intrusion detection systems. The growing insecurity of networks demands that computer systems adopt a multi-layered defence-in-depth strategy. The IDS is a necessary complement to Firewall devices: it detects and warns of signs of attack on the network, letting the administrator take the initiative in stopping intrusions. IDS fall into two main types, NIDS and HIDS, according to what they monitor. A typical IDS has three components, Sensor, Engine and Console, and detects attacks in five main stages: Monitoring, Analysis, Communication, Alerting and Response. Active response to attacks can take the form of interrupting a session, cutting off a service or blocking the attacking IP. Today most IDS detect intrusions with signature-based techniques, which compare current signs with the attack patterns held in the database to judge whether an attack is under way. The advantages of this method are that it works immediately, its alerts are accurate, and experts can easily manage and edit the signature set. Its biggest problem, however, is keeping the state of a signature when an intrusion is spread over many separate events, for instance a long attack carried out over a great many packets. In addition, signature-based intrusion detection cannot see new attacks, or old attacks that have been modified, because no corresponding signature exists in the database. It also depends heavily on experts, who must constantly update the patterns; this is hard for a large network with many services while attacks grow ever more diverse. To overcome this weakness, a new intrusion detection technique is used: the anomaly-based technique.
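The two weaknesses of signature matching described above (an exact signature misses a variant; a per-packet matcher loses the state of an attack spread over several packets) can be made concrete with a small Python sensor. This is an added example, not code from the thesis or from Snort: the signatures, the made-up scanner User-Agent string and the hand-built TCP segments are all constructed.

```python
"""Signature matching per packet versus over the reassembled TCP stream.

Added example, not from the thesis. The signatures and TCP segments below
are constructed: the "scanner" User-Agent string is made up, and the
addresses are from the documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int          # destination port the signature applies to
    content: bytes      # stored so it can be compared directly with packet data
    nocase: bool = False


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes


def matches(sig, dport, data):
    """Direct comparison of the signature content with the event data."""
    if dport != sig.dport:
        return False
    if sig.nocase:
        return sig.content.lower() in data.lower()
    return sig.content in data


def match_per_packet(sigs, segments):
    """Stateless sensor: each segment is compared with every signature.
    Returns sorted (signature name, segment seq) pairs."""
    return sorted({(s.name, seg.seq) for seg in segments for s in sigs
                   if matches(s, seg.dport, seg.payload)})


def match_stream(sigs, segments):
    """Stateful sensor: reassemble each (src, dst, dport) stream in sequence
    order, then compare the signatures with the whole stream.
    Returns sorted (signature name, source address) pairs."""
    streams = defaultdict(list)
    for seg in segments:
        streams[(seg.src, seg.dst, seg.dport)].append(seg)
    hits = set()
    for (src, dst, dport), segs in streams.items():
        data = b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
        hits.update((s.name, src) for s in sigs if matches(s, dport, data))
    return sorted(hits)


SIGNATURES = [
    # Very specific: exact case and version, so few false alerts...
    Signature("scanner-ua-exact", 80, b"User-Agent: ConstructedScanner/1.0"),
    # ...and a looser one that tolerates case and version differences.
    Signature("scanner-ua-nocase", 80, b"user-agent: constructedscanner",
              nocase=True),
]

HEAD_A = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Constru"
SEGMENTS = [
    # Stream A: the request is split in the middle of the User-Agent value,
    # and the second segment is observed first (out of order).
    Segment("192.0.2.10", "198.51.100.80", 80, 1000 + len(HEAD_A),
            b"ctedScanner/1.0\r\n\r\n"),
    Segment("192.0.2.10", "198.51.100.80", 80, 1000, HEAD_A),
    # Stream B: a variant of the scanner string (case and version differ).
    Segment("192.0.2.11", "198.51.100.80", 80, 3000,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"user-agent: constructedscanner/2.0\r\n\r\n"),
    # Stream C: an ordinary browser request, must not alert.
    Segment("192.0.2.12", "198.51.100.80", 80, 5000,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\n\r\n"),
]


def demo_per_packet():
    return match_per_packet(SIGNATURES, SEGMENTS)


def demo_stream():
    return match_stream(SIGNATURES, SEGMENTS)


if __name__ == "__main__":
    print("per packet:", demo_per_packet())   # misses the split request
    print("per stream:", demo_stream())       # catches it once reassembled
```

Per packet only the loose signature fires, and only on stream B; after reassembly both signatures fire on stream A as well, while the browser request in stream C stays silent in both modes.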


CHAPTER 2 ANOMALY-BASED INTRUSION DETECTION SYSTEMS


An anomaly detection system resembles a traditional IDS in that it too aims to control and detect early the signs and behaviours of attacks in the network, and to alert the administrator to phenomena that need attention. In its method of operation, however, it differs from the older IDS. Where a traditional IDS uses patterns and watches for defined misuse behaviours, the anomaly-detection method builds a profile of the network's activity in its normal state, and then compares against it, detects and alerts when unusual signs occur.

Figure 2.1 Anomaly-based IDS (Firewall, Manager, IDS and Network History Database; 1. Attack, 2. Analysis using artificial intelligence and network history, 3. Notification)

Figure 2.2 Operation of an anomaly-based IDS (audit data feeds the system profile; the profile is updated; if the data is statistically deviant the system enters the attack state)


2.1 Definition of a network anomaly
A network anomaly (BTTM) is the term for a state in which the network operates outside its normal condition. Anomalies can arise from many causes: one or more devices in the network may have failed, the network bandwidth may be overloaded, but most commonly the information system is being intruded upon or attacked. To distinguish the normal from the abnormal state of the network, the concept of an activity profile is used. In general, an activity profile describes the behaviour of some object in certain specific aspects, usually aspects that are measurable parameters. These parameters are observed over a given time in some unit such as minutes, hours, days or weeks; alternatively, the time between two successive events can be measured, for example the time between system log-in and log-out, or between launching and closing applications. To detect that a profile is abnormal, a set of profiles describing the system's activity in the normal state must first be built; the anomaly is then detected from the difference in a set of the profile's parameters. Network anomalies are usually divided into two main kinds.
Anomalies due to faults: abnormal phenomena arise in the network because one or more of its components has failed, for example a server crash, a switch or router failure, a broadcast storm, network paging, etc. In general these faults do not affect the other components of the network; mainly they reduce performance and limit the system's ability to deliver services. For example, when the number of requests to a file server or web server is too large, the server fails. Network paging occurs when an application runs out of memory and pages memory to a file server. Anomalies also arise from faulty software, for example an incorrect protocol implementation that makes a workstation continuously send minimum-size packets and congest the network.

Anomalies related to security incidents: these anomalies arise from threats to the information system. A typical example is the denial-of-service (DoS) attack, which can be described as depriving legitimate users of the ability to reach and use some service. DoS attacks are carried out by flooding the network, breaking connections to the service, and so on, with the final aim that the server can no longer answer service requests from workstations. Anomalies also appear when malicious or dangerous code such as viruses or spyware spreads and erupts in the network. Sometimes the scanning that precedes an attack also produces an abnormal number of packets. Also, when basic network functions such as DHCP or DNS are taken out of service, a large number of unanswered requests is created, which reduces bandwidth. One of the first studies of anomaly-based IDS is Anderson's. In his report, Anderson classified three main threats:
- External penetrations: the system is attacked from unauthenticated computers or systems.
- Internal penetrations: authenticated computers access data they are not authorized for.
- Misfeasance: misuse of the privileges granted for access to the system and its data.

2.2 Anomaly detection techniques
To detect anomalies in the network, several specific techniques are used, separately or in combination. There are three basic detection techniques.
Threshold Detection: This technique emphasizes counting. Thresholds for normal activity are set, and an anomaly is raised when they are exceeded, for example more login attempts than allowed, too many processes active on the CPU, or more packets of a certain type sent than the limit.


Self-learning Detection: This technique has two steps. When the detection system is set up, it runs in learning mode and builds a profile of the network's normal activity. After the initialization period, it runs in sensor mode, watching for network activity that deviates from the established profile. Learning mode may run in parallel with sensor mode to keep the profile updated, but if signs of an attack are detected, learning must stop until the attack is over.
Anomaly protocol detection: This technique relies on the behaviour of the system's protocols and services to find invalid packets and abnormal activity that indicate intrusion or attack. It is very effective at stopping the network and port scans hackers use to gather information.

2.3 Advantages and disadvantages of anomaly detection
The anomaly-detection method is very effective at detecting attacks such as denial of service. Its advantage is that it can detect new kinds of attack and provides useful information that complements misuse detection; its disadvantage is that it usually generates a large number of false alerts, which reduces the network's operating efficiency. Its role is nevertheless very important, because even an attacker who knows the system well cannot work out which behaviours the system considers normal. It will therefore be the direction that receives more research and refinement so that the system becomes ever more accurate. In addition, an anomaly-based IDS can detect attacks from inside: for example, if someone steals another person's account and behaves unlike the account's owner usually does, the IDS can notice those anomalies.

Misuse-based IDS | Behaviour-analysis (anomaly-based) IDS
Traditional method; uses a set of patterns describing attack forms. | Advanced method; needs no pattern set, works from anomalies.
Cannot detect unknown attack forms, such as zero-day attacks. | Able to detect new attacks.
Variants of an attack are not detected. | Not affected by this weakness, since no pattern set is used.
Lower false positive rate. | Usually a higher false positive rate.
Usually a higher false negative rate. | Lower false negative rate.
Overloaded when the data set becomes large. | Not overloaded, thanks to data-modelling methods and heuristic algorithms.

From the table above, an anomaly-based IDS is more intelligent and has more advantages than a traditional IDS. To improve the accuracy of alerts, however, the anomaly-based IDS should be combined with the traditional kind. How an anomaly-based IDS recognizes the kinds of attack:

No. | Attack type | Detection method
1 | Intrusion with privilege escalation | Anomalous profiles or violations of the security policy
2 | Masquerade and control attacks | Anomalous profiles or violations of the security policies
3 | Information leakage | Monitoring certain special behaviours
4 | Denial of service | Monitoring abnormal resource usage
5 | Malicious code | Monitoring abnormal resource usage
6 | System penetration | Abnormal behaviour, security policy violations, abnormal use of privileges

2.4 Data for anomaly detection
The data source plays an important role in the anomaly-detection method. Accurate figures on the network's operating state decide whether anomalies are detected at all. Since the essence of anomaly detection is to model and profile the normal state and then compare against it when an incident occurs, the more complete and accurate the data supplied for analysis, the more effective the anomaly-detection algorithms. Some commonly used data sources are listed below.
Network Probes: Network probes are specialized tools for measuring network parameters. A simple example is the two commands ping and traceroute, which measure end-to-end delay, packet loss, hop count, etc. Probes can supply instantaneous figures and need no cooperation from the service provider. They may not work, however, if the Firewall has rules blocking this kind of traffic. Moreover, network devices often treat the packets these protocols use differently from ordinary packets, so probe figures need further adjustment.
Packet filtering: One technique used to supply data to anomaly-detection algorithms is packet filtering for flow-based statistics. The traffic is passed through a sampling filter, and the IP headers of packets at different times and different places in the network are recorded. Aggregating the IP headers gives detailed information on the network's operating state. The flows are monitored, a flow being identified by its source and destination addresses and its source and destination ports. Packet filtering yields accurate statistics on the transactions in the network.
a. Data from routing protocols

Routing protocols are another data source for network anomaly-detection algorithms. During routing, routers exchange information about link state, for example bandwidth, delay and whether a link is congested. With OSPF (Open Shortest Path First), for instance, every router holds tables of parameters describing the network topology and the state of its links.

b. Data from network management protocols
Network management protocols provide statistics on network traffic. They carry parameters that allow the activity of network devices to be monitored effectively. These parameters do not directly measure traffic, but they can be used to recognise behaviour on the network, which suits the anomaly-detection approach.

SNMP is a client-server protocol for managing, monitoring and controlling network devices remotely. It runs over UDP. The SNMP server collects the information sent by agents; it does not process that information itself but stores it in a database called the MIB (Management Information Base). The values in this database record what network devices observe while performing their various functions. Each network device has a set of MIB values matching its function, determined by the device type and the network protocols running on it. A switch, for example, has MIB values measuring link-level traffic, while a router has network-level parameters giving information about the network layer of the OSI model. The advantage of SNMP is standardisation: it is accepted and widely deployed on many different devices. Because its data is complete and selective, SNMP is a very important input source for network anomaly-detection algorithms.
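The flow-based statistics described under "Packet filtering" above, as an added example (not code from the thesis): sampled IP/transport headers are keyed into flows by source and destination address and port, counted inside a time window, and then rolled up per source address. The packet records, addresses and the 60-second window are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of sampled IP/transport headers, as a packet filter for
# flow-based statistics would record them (not data from the thesis):
# (timestamp_s, src, dst, proto, sport, dport, ip_length)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", "tcp", 40000, 80, 60),
    (0.4, "10.0.0.20", "10.0.0.5", "tcp", 80, 40000, 60),
    (1.1, "10.0.0.5", "10.0.0.20", "tcp", 40000, 80, 1500),
    (1.2, "10.0.0.5", "10.0.0.20", "tcp", 40000, 80, 1500),
    (1.5, "10.0.0.20", "10.0.0.5", "tcp", 80, 40000, 60),
    (2.0, "10.0.0.7", "10.0.0.20", "udp", 53211, 53, 80),
    (3.0, "10.0.0.9", "10.0.0.20", "tcp", 51000, 21, 60),
    (3.1, "10.0.0.9", "10.0.0.20", "tcp", 51001, 22, 60),
    (3.2, "10.0.0.9", "10.0.0.20", "tcp", 51002, 23, 60),
    (3.3, "10.0.0.9", "10.0.0.20", "tcp", 51003, 25, 60),
    (70.0, "10.0.0.5", "10.0.0.20", "tcp", 40001, 80, 60),  # falls outside a 60 s window at 0
]

def flow_key(pkt):
    """A flow is identified by source/destination address and port (plus protocol)."""
    _, src, dst, proto, sport, dport, _ = pkt
    return (src, dst, proto, sport, dport)

def aggregate_flows(packets, window_start=0.0, window_len=60.0):
    """Aggregate the headers inside [window_start, window_start + window_len)
    into per-flow counters: packet count, byte count, first and last timestamp."""
    flows = {}
    for pkt in packets:
        ts = pkt[0]
        if not (window_start <= ts < window_start + window_len):
            continue
        stat = flows.setdefault(flow_key(pkt),
                                {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        stat["packets"] += 1
        stat["bytes"] += pkt[6]
        stat["first"] = min(stat["first"], ts)
        stat["last"] = max(stat["last"], ts)
    return flows

def per_source_fanout(flows):
    """Derived statistic per source address: number of flows, distinct destination
    hosts and distinct destination ports touched in the window. A source opening
    many single-packet flows to many ports is the kind of profile an anomaly
    detector compares against its normal baseline."""
    acc = defaultdict(lambda: {"flows": 0, "dst_hosts": set(), "dst_ports": set(), "packets": 0})
    for (src, dst, proto, _sport, dport), stat in flows.items():
        s = acc[src]
        s["flows"] += 1
        s["dst_hosts"].add(dst)
        s["dst_ports"].add((proto, dport))
        s["packets"] += stat["packets"]
    return {src: {"flows": s["flows"], "dst_hosts": len(s["dst_hosts"]),
                  "dst_ports": len(s["dst_ports"]), "packets": s["packets"]}
            for src, s in acc.items()}

if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for key, stat in flows.items():
        print(key, stat)
    print(per_source_fanout(flows))
```

Flows are unidirectional here, exactly as the text defines them; a reply from the server therefore appears as a second flow with the addresses and ports swapped.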

2.5 Anomaly-detection methods

This section presents the research directions in anomaly detection and analyses how they work, with their advantages and disadvantages.

2.5.1 Anomaly detection with neural networks
IDS that use neural networks are usually host-based, focusing on detecting changes in program behaviour as a sign of anomaly. In this approach the neural network learns and predicts the behaviour of users and of the corresponding programs. The strength of neural networks is that they adapt easily to incomplete data and to data with low certainty, and they can draw conclusions without needing frequent updates to their knowledge. Their weakness is processing speed, since the system must collect data, analyse it and adjust each neuron to obtain accurate results. Typical systems include the IDS using a back-propagation network in Ghosh's research and the recurrent network in Elman's research.

Another way to address the anomaly problem is the Self Organizing Map (SOM), as in Ramadas' research. SOM is used both to train on and to detect abnormal behaviour. SOM, also known as SOFM (Self Organizing Feature Map), is one of the variants of neural networks. It was developed by Kohonen in the early 1980s and is therefore often called the Kohonen network. SOM is typically used for unsupervised learning, and unsupervised learning with SOM offers a simple and effective way to classify data sets. SOM is also considered a good approach for classifying data in real time, because of the algorithm's high processing speed and fast convergence compared with other learning techniques. In an anomaly-detection system using SOM, maps are set up to classify behaviours and thereby detect suspicious ones. The block diagram of the algorithm is as follows:

[Figure 2.3: SOM-based IDS. Block diagram: data collection -> data normalisation -> SOMs -> behaviour classes -> alert, with a learning phase and an analysis phase.]
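The steps of the diagram above (normalise the feature vectors, train a SOM on normal behaviour, then alert when a new vector's distance to the map exceeds a threshold), as an added example in Python; this is not code from the thesis or from any of the cited systems. The per-host behaviour records, the three features (connections per minute, average bytes per packet, distinct destination ports), the one-dimensional map with four neurons and the threshold margin of 1.5 are all assumptions of the example.

```python
import math

# Constructed per-host behaviour records used as the "normal" training set
# (connections per minute, average bytes per packet, distinct destination ports).
# These values are made up for the example, not measurements from the thesis.
NORMAL = [
    (30, 820, 4), (28, 790, 3), (35, 860, 5), (31, 810, 4),
    (26, 775, 3), (33, 845, 4), (29, 800, 5), (34, 830, 4),
]

def make_scaler(rows):
    """Normalisation step: min-max scale every column to [0,1] using the ranges
    seen in the normal data, so that no single feature dominates the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    def scale(row):
        return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(row, lo, hi)]
    return scale

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train_som(vectors, n_neurons=4, epochs=50, lr0=0.5, radius0=1.0):
    """One-dimensional SOM. Neuron weights start from the first n_neurons
    training vectors (deterministic, no random init). In every epoch each
    vector pulls its best-matching unit (BMU) and, through a Gaussian
    neighbourhood that shrinks over time, the BMU's neighbours towards itself."""
    w = [list(v) for v in vectors[:n_neurons]]
    for epoch in range(epochs):
        decay = 1.0 - epoch / epochs          # linear decay of rate and radius
        lr, radius = lr0 * decay, radius0 * decay
        for v in vectors:
            bmu = min(range(n_neurons), key=lambda i: dist(v, w[i]))
            for i in range(n_neurons):
                h = math.exp(-((i - bmu) ** 2) / (2 * radius * radius))
                w[i] = [wi + lr * h * (vi - wi) for wi, vi in zip(w[i], v)]
    return w

def quantization_error(v, weights):
    """Distance from a vector to its closest neuron: how far the observed
    behaviour lies from the learnt normal behaviour."""
    return min(dist(v, wt) for wt in weights)

def build_detector(normal_rows, factor=1.5):
    """Learning phase: scale, train the map, and derive the alert threshold from
    the largest quantization error seen on normal data (factor is an assumed
    safety margin). Returns (check, threshold) where check(row) -> (error, is_anomalous)."""
    scale = make_scaler(normal_rows)
    train = [scale(r) for r in normal_rows]
    weights = train_som(train)
    threshold = factor * max(quantization_error(v, weights) for v in train)
    def check(row):
        err = quantization_error(scale(row), weights)
        return err, err > threshold
    return check, threshold

if __name__ == "__main__":
    check, threshold = build_detector(NORMAL)
    print("threshold", round(threshold, 4))
    print("normal host  ", check((30, 820, 4)))
    print("scanning host", check((400, 60, 180)))   # many short connections, many ports
```

Because the neurons only ever move towards training vectors, they stay inside the region of normal behaviour; a host with a scan-like profile (hundreds of short connections to many ports) lands far from every neuron and crosses the threshold, while a profile seen during training does not.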

First, the network data to be analysed must be represented as vectors of characteristic parameters. These vectors are then stored in an input vector and classification is carried out; the classification is repeated until it converges. With the resulting SOMs, analysis can then determine the distance between the behaviour under examination and normal behaviour. If that distance falls outside the allowed threshold, an alert is raised.

2.5.2 Anomaly detection with data-mining techniques
Compared with other techniques such as statistics and state machines, data mining (KPDL) has some clear advantages: it can work with databases containing a lot of noise, with incomplete or continually changing data, and it does not require frequent involvement of an expert. Because of these advantages, researchers have recently applied data mining to intrusion detection systems. The outstanding advantage of this approach is its ability to handle large volumes of data, which makes it suitable for real-time systems. Data-mining IDS are also divided into the two main directions of misuse detection and anomaly detection. In misuse detection, the samples in the data set are labelled normal or abnormal, a learning algorithm is trained on the labelled set, and the technique is then applied automatically to the various inputs to detect attacks.

Research in this direction relies mainly on classifying behaviour with various data-mining algorithms such as clustering and association-rule analysis. Its advantage is that it detects known attacks and their variants with high accuracy; its disadvantage is that it cannot detect new attacks for which no sample or variant has been observed. For the anomaly direction, the data-mining field has recently been concerned with the Outlier Detection problem (phần tử tách biệt, PTTB: outlying or isolated elements). The goal is to find the outliers, where the data is the set of observations of network activity and the outliers correspond to attacks. Outlier-detection algorithms inherit the advantages of data mining: they operate stably on noisy, incomplete, large and distributed data sets.

[Figure 2.4: Anomaly-detection system using data-mining techniques. Blocks: Network -> packet capture -> filtering -> extraction -> known-attack filter (fed by the known-attack data and updated with new signatures) -> outlier (PTTB) detection -> summariser -> condensed new attacks / known attacks.]

The data-mining anomaly-detection system takes as its guiding idea the use of outlier-detection algorithms. In addition, the system has some refinements: a filter for attack types with known signatures (signatures the system learns by itself), and a summariser that condenses the alerts sent to the expert. The summariser also has the job of building condensed rules that add knowledge to the system. The summarisation module is built on another data-mining technique, summarization. The system also has components similar to those of other IDS, such as the filtering module and the information-extraction module.

2.5.2.1 The notion of an outlier
Hawkins' definition from 1980 holds that an outlier is an observation that deviates so much from the other observations as to arouse suspicion that it was generated by a different mechanism.

2.5.2.3 Filtering module
Data is collected from many sources: sensors, network devices, SNMP MIBs or system log files. Because the volume of data is very large, the system cannot store all of it; it observes through a time window, for example keeping only the information of the last hour. The length of the observation window is another factor the administrator must choose to suit the network. If the window is too short, the system may miss slow attacks; if it is too long, the system may not keep up and will be unsuitable for a real-time environment. Data sets are usually stored in files as records, which the system reads to obtain the information. The filtering module removes redundant information and traffic that the system is sure contains no attack. The information useful to the system makes up only about 20% of what the packet-capture tools bring in.

2.5.2.4 Data-extraction module
After passing through the filter, the data is processed to extract the observed features. Each anomaly-detection algorithm has its own set of observed parameters. For network packets, the important information is usually in the packet header. Some parameters the extraction module can use:

Header | Extracted information
Ethernet header | Packet size; Source address; Destination address; Protocol
IP header | Source address; Destination address; Header length; TOS; Packet size; IP Fragment ID; IP Flag & Pointer; TTL; Checksum
TCP header | Source port, Destination port; Sequence & ACK number; Header length; Window size; Checksum
UDP header | Source port, Destination port; Checksum; Length
ICMP | Type & Code; Checksum

2.5.2.5 Outlier-detection module
This module usually runs an outlier-detection algorithm. Depending on the distribution of the input data set, one algorithm or another gives better results. Experimental results show that for the distribution characteristics of network data,

2.5.2.6 Summarisation module
In a large network with many nodes, the number of connections to be monitored is very large. In 10 minutes, for example, millions of connections may be formed. If 0.1% of all connections are judged to show signs of anomaly, hundreds of alerts are raised every 10 minutes, which makes monitoring and assessment hard for the administrator. A measure is therefore needed to aggregate the connections flagged as abnormal and condense the output while still reflecting the anomalous state accurately. Moreover, once new attack types are detected, their patterns must be added to the signature-based intrusion detection system. These patterns must be rule sets in condensed form that still describe the new attacks correctly and are convenient to compare against in future. To meet these requirements, the summarization technique from data mining is used to condense the alerts and the pattern sets. Here is an example of alert summarisation: a table of 10 broadly similar alerts is condensed into a single alert.

[Figure 2.5: Example of rule summarisation. Ten alerts with SrcIP X.Y.Z.95, start times 11.07.20, 11.13.56, 11.14.29, 11.14.30, 11.14.32, 11.14.35, 11.14.36, 11.14.38, 11.14.41 and 11.14.44, Dest IPs A.B.C.223, A.B.C.217, A.B.C.255, A.B.C.254, A.B.C.253, A.B.C.252, A.B.C.251, A.B.C.250 and A.B.C.249 (the tenth Dest IP is not legible in the source), all on Dest port 139, with byte counts 192, 195, 180, 199, 186, 177, 172, 192, 195 and 163, are summarised into the single line: SrcIP=X.Y.Z.95, DestPort=139.]

The idea behind this module is similar to text summarisation, and text-summarisation algorithms can be used to implement it. Here we present a summarisation algorithm based on two factors: the compression ratio and the information-loss ratio. The compression ratio emphasises how much the data is condensed; the information-loss ratio emphasises how much information is lost after the summarisation is applied. Within one algorithm, raising the compression ratio also raises the information-loss ratio, so a sensible balance between the two is needed. This is done with the scoring function

S = k * (compression ratio) - (information-loss ratio)

where k is a constant chosen by the user; it adjusts how much weight is given to the compression ratio relative to the information-loss ratio.

The input of the summarisation module is the set of connections given an anomaly score by the outlier-detection (PTTB) module; its output is the condensed patterns describing the attack.

[Figure 2.6: Operation of the summarisation module. Connections classified by the anomaly-detection system (attack / normal) feed the summariser, which updates a knowledge base used to learn attack/normal variants, to produce rules describing attacks and to understand attack mechanisms. Example rules: R1: TCP, DstPort=1863 -> attack ... R100: TCP, DstPort=80 -> attack.]

The summarisation module uses heuristic algorithms to choose a suitable way of condensing the alert set. A heuristic for this problem typically goes through the following steps:

Step 1: From the alert set produced by the outlier-detection module, compute the frequencies of the sets of observed features.
Step 2: Produce a list of candidate condensations.
Step 3: Evaluate each case by computing the scoring function S = k * (compression ratio) - (information-loss ratio).
Step 4: Select the candidate with the largest S and condense according to it, removing the alerts absorbed by this condensation. Continue with the next candidate until the whole alert list has been condensed.

For example, suppose we have the following alerts:

    | src IP        | sPort | dst IP      | DPort | pro | flags | packets | bytes
T1  | 12.190.84.122 | 32178 | 100.10.20.4 | 80    | tcp | APRS- | [2,20]  | [504,1200]
T2  | 88.34.224.2   | 51989 | 100.10.20.4 | 80    | tcp | APRS- | [2,20]  | [220,500]
T3  | 12.190.19.23  | 2234  | 100.10.20.4 | 80    | tcp | APRS- | [2,20]  | [220,500]
T4  | 98.198.66.23  | 27643 | 100.10.20.4 | 80    | tcp | APRS- | [2,20]  | [42,200]
T5  | 192.168.22.4  | 5002  | 100.10.20.3 | 21    | tcp | A-RSF | [2,20]  | [42,200]
T6  | 192.168.22.4  | 5001  | 100.10.20.3 | 21    | tcp | A-RSF | [40,68] | [220,500]
T7  | 67.118.25.23  | 44532 | 100.10.20.3 | 21    | tcp | A-RSF | [40,68] | [42,200]
T8  | 192.168.22.4  | 2765  | 100.10.20.4 | 113   | tcp | APRS- | [2,20]  | [504,1200]

The candidate set can be observed features or groups of observed features with high frequency, such as: {[srcIP=192.168.22.4], [dstIP=100.10.20.4; pro=tcp; flags=APRS-; packets=[2,20]], [dPort=80], [srcIP=192.168.22.4; dstIP=100.10.20.3], [dstIP=100.10.20.4; dPort=80], ...}. Applying the condensation algorithm in turn, the alerts above reduce to just 3 lines:

    | Src IP       | sPort | dst IP      | DPort | pro | flags | packets | bytes
S1  | *.*.*.*      | ***   | 100.10.20.4 | 80    | tcp | APRS- | [2,20]  | ***
S2  | *.*.*.*      | ***   | 100.10.20.3 | 21    | tcp | A-RSF | ***     | ***
S3  | 192.168.22.4 | 2765  | 100.10.20.4 | 113   | tcp | APRS- | [2,20]  | [504,1200]
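The four-step heuristic above, together with the scoring function S = k * (compression ratio) - (information-loss ratio) of section 2.5.2.6, as an added example in Python that is not code from the thesis. The eight alerts T1..T8 are taken from the example table. How the two ratios are measured is an assumption of this example: the compression ratio of a candidate is the share of the alerts it covers that disappear when they are merged into one line, (n-1)/n, and the information-loss ratio is the weight of the fields the merged line has to wildcard divided by the total field weight, with the per-field weights (destination address, port, protocol and flags counting double) also assumed. Candidates are generated by brute force as every subset of fields of every alert, and k = 1.

```python
from itertools import combinations

FIELDS = ("src", "sport", "dst", "dport", "proto", "flags", "packets", "bytes")

# Assumed importance weight of each field when measuring information loss:
# hiding the attacked service (dst, dport, proto) or the TCP flags costs more
# than hiding a client address, a client port or a size bucket.
WEIGHT = {"src": 1, "sport": 1, "dst": 2, "dport": 2,
          "proto": 2, "flags": 2, "packets": 1, "bytes": 1}
TOTAL_WEIGHT = sum(WEIGHT.values())

def alert(*values):
    return dict(zip(FIELDS, values))

# The eight alerts T1..T8 of the example table, as input to the module.
ALERTS = [
    alert("12.190.84.122", "32178", "100.10.20.4", "80", "tcp", "APRS-", "[2,20]", "[504,1200]"),
    alert("88.34.224.2", "51989", "100.10.20.4", "80", "tcp", "APRS-", "[2,20]", "[220,500]"),
    alert("12.190.19.23", "2234", "100.10.20.4", "80", "tcp", "APRS-", "[2,20]", "[220,500]"),
    alert("98.198.66.23", "27643", "100.10.20.4", "80", "tcp", "APRS-", "[2,20]", "[42,200]"),
    alert("192.168.22.4", "5002", "100.10.20.3", "21", "tcp", "A-RSF", "[2,20]", "[42,200]"),
    alert("192.168.22.4", "5001", "100.10.20.3", "21", "tcp", "A-RSF", "[40,68]", "[220,500]"),
    alert("67.118.25.23", "44532", "100.10.20.3", "21", "tcp", "A-RSF", "[40,68]", "[42,200]"),
    alert("192.168.22.4", "2765", "100.10.20.4", "113", "tcp", "APRS-", "[2,20]", "[504,1200]"),
]

def candidates(alerts):
    """Steps 1-2: every set of (field, value) pairs observed in the alerts, i.e.
    each alert projected onto every non-empty subset of fields. A candidate's
    frequency is the number of alerts it covers, computed in score()."""
    seen = set()
    for a in alerts:
        for r in range(1, len(FIELDS) + 1):
            for fields in combinations(FIELDS, r):
                seen.add(tuple((f, a[f]) for f in fields))
    return seen

def covers(candidate, a):
    return all(a[f] == v for f, v in candidate)

def score(candidate, alerts, k=1.0):
    """Step 3: S = k * compression - loss.
    compression = share of the covered alerts that disappear when they are
    merged into one summary line, (n-1)/n;
    loss = weight of the fields the summary must wildcard, as a share of the
    total field weight. Returns (S, covered alerts); S is None when the
    candidate covers fewer than two alerts and so condenses nothing."""
    covered = [a for a in alerts if covers(candidate, a)]
    n = len(covered)
    if n < 2:
        return None, covered
    kept = {f for f, _ in candidate}
    hidden = sum(WEIGHT[f] for f in FIELDS if f not in kept)
    return k * (n - 1) / n - hidden / TOTAL_WEIGHT, covered

def summarize(alerts, k=1.0):
    """Step 4: greedily take the candidate with the largest positive S, replace
    the alerts it covers by one line with '*' in the wildcarded fields, and
    repeat on the rest. Alerts nothing can absorb are returned unchanged."""
    remaining = list(alerts)
    summaries = []
    while remaining:
        best = None
        for cand in candidates(remaining):
            s, covered = score(cand, remaining, k)
            if s is None or s <= 0:
                continue
            if best is None or (s, len(covered)) > best[0]:
                best = ((s, len(covered)), cand, covered)
        if best is None:
            break
        _, cand, covered = best
        kept = dict(cand)
        summaries.append({f: kept.get(f, "*") for f in FIELDS})
        remaining = [a for a in remaining if a not in covered]
    return summaries + remaining

if __name__ == "__main__":
    for line in summarize(ALERTS):
        print("  ".join(line[f] for f in FIELDS))
```

With these assumptions the first pass picks {dstIP=100.10.20.4; dPort=80; tcp; APRS-; [2,20]} (S = 0.75 - 0.25 = 0.5), beating the broader candidate that would also absorb T8 at the price of wildcarding the destination port; the second pass merges T5..T7 on {dstIP=100.10.20.3; dPort=21; tcp; A-RSF}, and T8 is left as it is, reproducing the three lines S1..S3 above. Raising k makes the module accept lossier condensations; lowering it keeps more of the original alerts.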

A limitation of many earlier anomaly-detection systems is that there is no process for learning from expert feedback, meaning that false alerts keep being raised the next time around [30]. In the data-mining system, once the condensed alerts are formed, the summarisation module passes them to the experts, who review them and decide which alerts are correct and correspond to real attacks. This knowledge is updated into the system's database so that these now-known attacks are detected next time. Using expert feedback is a new direction that keeps the system continuously updated and makes its attack detection more stable.

IDS are placed in different network zones and monitor the traffic entering and leaving those zones. Each system operates and learns its knowledge independently, for the attacks on its own zone. To improve cooperation between the IDS, there should be a shared body of knowledge and coordination between them.

[Figure 2.7: Pooling attack knowledge. Knowledge about attack signatures shared between the IDS of ZONE A, ZONE B and ZONE C.]

2.5.3 Anomaly detection with expert systems
This method is called Rule-based Detection. It is one of the first approaches to the problem of network anomaly detection. The rule-based method relies on an expert system and needs a database of rules describing abnormal behaviour in order to detect faults in the system. In practice rule-based systems are not used much, because they run too slowly to meet real-time requirements and because prior knowledge of the symptoms of attacks is needed. Some such symptoms are: network overload, an abnormally high number of TCP connections, device throughput at its maximum, and so on. The rule-based method depends heavily on the administrator's experience, and when the network grows or its topology changes, the rule set must change with it. The rule-based method consists of the following steps:

Step 1: Assume that events do not occur in a random order but follow given patterns.
Step 2: Use rules induced over time to describe the normal behaviour of users.
Step 3: The rules are refined, and only rules with low entropy are kept in the rule set.
Step 4: If a sequence of events matches the left-hand side of a rule, the next event is compared with the rule, and an anomaly is determined if that event is not among those on the right-hand side. For example, the rule E1 -> E2 -> E3 (E4=95%, E5=5%) means that if the events E1, E2, E3 are seen in succession, the probability that event E4 occurs next is 95% and that E5 occurs next is 5%.

2.6 Chapter summary

This chapter presented the anomaly-based IDS in some detail. Unlike traditional signature-based IDS, anomaly-based IDS have a training phase that collects information about the normal state, and then use that information to identify anomalies that may lead to the risk of an attack. The chapter introduced the concepts of anomaly techniques, compared them and clarified the strengths and weaknesses of this approach. Many anomaly-detection methods are in use, such as statistics, finite state machines, neural networks, data mining, expert systems and so on; each has its own strengths and weaknesses when implemented and deployed in practice. In the next chapter we build a rule-based anomaly-detection system (Rule-based Detection) with the intrusion-detection software Snort.
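Before moving on to Snort, the sequence rules of section 2.5.3 (steps 2 to 4: induce rules from an event history, keep only low-entropy rules, and flag a next event that the matched rule does not predict) as an added example in Python; this is not code from the thesis. The event history, the prefix length of 3, the entropy cut-off of 0.5 bits and the minimum probability of 1% are assumptions of the example; the history is built so that the induced rule is exactly the E1 -> E2 -> E3 (E4=95%, E5=5%) of the text.

```python
import math
from collections import Counter, defaultdict

# Constructed event history standing in for audited user behaviour: 19 normal
# sessions E1 E2 E3 E4 and one rarer session E1 E2 E3 E5 (not data from the thesis).
HISTORY = (["E1", "E2", "E3", "E4"] * 12
           + ["E1", "E2", "E3", "E5"]
           + ["E1", "E2", "E3", "E4"] * 7)

def induce_rules(history, n=3, max_entropy=0.5):
    """Steps 2 and 3: for every n-event prefix count which event followed it,
    turn the counts into probabilities, and keep only prefixes whose next-event
    distribution has entropy at or below max_entropy (an assumed cut-off)."""
    following = defaultdict(Counter)
    for i in range(len(history) - n):
        following[tuple(history[i:i + n])][history[i + n]] += 1
    rules = {}
    for prefix, counts in following.items():
        total = sum(counts.values())
        probs = {ev: c / total for ev, c in counts.items()}
        entropy = -sum(p * math.log2(p) for p in probs.values())
        if entropy <= max_entropy:
            rules[prefix] = probs
    return rules

def check_sequence(events, rules, min_prob=0.01):
    """Step 4: slide over the observed events; wherever a rule's left-hand side
    matches, the following event is checked against the right-hand side.
    Returns (index, event, verdict) for every position a rule applied to."""
    findings = []
    for i in range(len(events)):
        for prefix, probs in rules.items():
            n = len(prefix)
            if i + n < len(events) and tuple(events[i:i + n]) == prefix:
                nxt = events[i + n]
                verdict = "expected" if probs.get(nxt, 0.0) >= min_prob else "anomalous"
                findings.append((i + n, nxt, verdict))
    return findings

def format_rule(prefix, probs):
    """Render a rule in the thesis' notation, e.g. E1 -> E2 -> E3 (E4=95%, E5=5%)."""
    rhs = ", ".join(f"{ev}={p * 100:g}%"
                    for ev, p in sorted(probs.items(), key=lambda kv: -kv[1]))
    return " -> ".join(prefix) + f" ({rhs})"

if __name__ == "__main__":
    rules = induce_rules(HISTORY)
    for prefix, probs in rules.items():
        print(format_rule(prefix, probs))
    print(check_sequence(["E1", "E2", "E3", "E7", "E1", "E2", "E3", "E4"], rules))
```

The rare E5 survives as a 5% right-hand side rather than being flagged, which is the point of step 3: the entropy filter discards prefixes whose continuation is unpredictable, not continuations that are merely uncommon. An event such as E7 that no kept rule predicts is what the method reports as anomalous.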

CHAPTER 3: BUILDING AN ANOMALY INTRUSION DETECTION SYSTEM WITH THE Snort SOFTWARE


3.1 Overview of Snort
Snort is a security application with 3 main functions: packet sniffing, packet logging and use as a NIDS. In addition there are many add-on programs that provide various ways to record and manage Snort's log files, to add and maintain rule sets, and to notify the system administrator when harmful traffic is recognised. There are many ways to use Snort in a company's security design. Snort normally handles only TCP/IP, but add-ons can extend it to other protocol families such as Novell IPX. Snort has 5 main components:

1. Packet Decoder
2. Preprocessors
3. Detection Engine
4. Logging and Alerting System
5. Output Modules

The diagram below shows the relationships between Snort's components. Data packets arriving from the Internet into the system pass through the Packet Decoder. In each component the packets are processed and the result is passed on to the next component. The output modules discard packets, write logs or generate alerts.

Figure 3.1 Relationships between the components of Snort

Snort has 4 modes of operation:
1. Sniffer mode: Snort listens to and reads the packets on the network and then displays the results on the screen.
2. Packet Logger mode: stores the packets in log files.
3. Network Intrusion Detection System (NIDS) mode: the most powerful and most widely used mode. In NIDS mode Snort analyses the packets travelling on the network, compares them with user-defined information and then takes corresponding actions, such as notifying the network administrator when a scan by a hacker/attacker occurs or warning of a virus.
4. Inline mode: when Snort is deployed on Linux it can be configured to analyse packets from iptables instead of libpcap, so that iptables can drop or pass packets according to the Snort rules.

3.1.1 Packet decoder
Through the network card and cable, the packet decoder determines which protocol is in use and links the data according to the permitted behaviour of the packets. It decodes packets from many kinds of network (Ethernet, SLIP, PPP, ...) to prepare them for the preprocessing stage. The Packet Decoder can raise alerts when it detects unusual protocols, over-long packets, unusual TCP options or other such behaviour.

Figure 3.2 Packet decoding

3.1.2 Preprocessors
This part plays a fairly important role: it lets packets be analysed in the ways most useful to us, according to the chosen options. Without it we would only receive the packets as they were transmitted, as separate packets, which could cause many attacks to be missed.

Data reaches the preprocessors after passing through the decoder. Snort 2.4.4 provides many preprocessing options, such as configuring port-scan detection, reassembling TCP fragments, detecting abnormal activity through the data stream, and several others. Preprocessors are built-in tools or add-ons that arrange or format packets before the Detection Engine performs its tasks of finding intrusions. Each Snort preprocessor does broadly similar work: it takes data from the decoded packets and applies its own rules to find abnormal behaviour and raise alerts. Specifically, it can reassemble fragmented packets, decode URIs, reassemble TCP streams, and so on. (When a packet has been fragmented, the preprocessing stage is needed to join the pieces so they can be worked with. And when a hacker evades detection by scrambling or inserting characters that the web server can understand but that fool the IDS, the preprocessing stage is needed to rearrange them so the IDS can detect the attack.)

3.1.3 Detection engine
This is the most important part of Snort. It is responsible for detecting intrusions in the packets. The rules are taken from internal data structures or linked chains, and the packets are compared with the predefined rules to generate the corresponding actions. The Detection Engine is the most time-consuming process, depending on: the number of rules, the power of the machine Snort runs on, the bus speed and the transmission speed of the network. The analysis methods are based on different parts of the packet: the IP header, the transport-layer header (TCP, UDP, ICMP), the application-layer header (it can lock an offset or take data from different application layers), and the packet payload (searching for data strings in the packets). Snort generates only 1 notification, on the first successful match, whereas an IDS generates all the alerts corresponding to every match it makes. Since Snort 2.1.3 there is an option to choose the full notification style of an IDS. If several matches occur on the same event, Snort has a two-phase mechanism that lets the system take the chosen option. In general, alert rules are generated before pass rules, and their order of precedence is also effective in some cases. The PCRE keyword of the rule language is a powerful feature of recent versions of Snort, allowing Perl-style pattern matching to be combined on the payloads of packets.

3.1.4 Logging and alerting system
Depending on the Detection Engine, an alert or a log is created; the logs are stored under ../var/log/snort. Logs are stored as text, tcpdump files or similar formats. Snort's logging mechanism is started and tracks a packet when that packet trips some rule. Like the preprocessors, these functions are called from the snort.conf file. Depending on the information we want to record there are many suitable options, for example via Windows SMB, saving to or following log files, connecting through sockets, and so on. Alerts can be stored in MySQL or PostgreSQL, and a few third-party applications can send SMS messages. Effective add-ons include ACID, SGUIL, Oinkmaster and IDS Policy Manager.

3.1.5 Output modules
Alerts and logs can be output in the following ways:
3.1.5.1 Output plug-ins
These are add-on programs written against Snort's API; the output plug-in appropriate to the working environment should be chosen, for example on a large, continuously running network SMB pop-ups can be used.
3.1.5.2 Unified Output
These are formats designed for optimal performance, compatible with Barnyard (the fast output system for Snort developed by Andrew R. Baker).

The header is the first part of a rule; it defines what the packet contains. It can be seen as the description of a network connection: the 4 parameters that define a unique connection are source IP, source port, destination IP and destination port. The header also includes the direction of the packet, given by -> or <>.

3.2 Installation and usage guide
After downloading Snort and its rule set from www.Snort.org and WinPcap from www.iltiloi.com (for capturing packets), we install as follows (here we use the Windows build):

3.2.1 Installing Snort
Snort uses a network card in promiscuous mode to capture packets before analysing them, so the machines running Snort are best placed in the collision domains or on hosts that concentrate the network's traffic, such as routers or gateways, or connected to a switch's SPAN port; Snort can be placed in front of or behind a firewall depending on the organisation's security requirements. If the network has several segments, each subnet must have its own Snort host, unlike commercial products which, apart from their high licence costs, usually require specific network hardware. Snort works as a network sniffer that listens to and captures the packets on the network and then compares their payload or headers with a set of defined rules, the Snort rules; when a rule and a packet match, the rule's actions are carried out as defined. A convenient point is that these rules are always updated quickly by the development community, so Snort's ability to respond to modern attack types is very high. Snort uses three components, the packet decoder, the detection engine and the logging and alert system, to do its work.

Step 1: Click the Snort_Installer program file to start the installation. On the Installation Options screen there are mechanisms for storing the log file in a SQL or Oracle database; here we store the logs in the Event Log, so we choose the first option, "I do not plan to log to a database, or I am planning to log to one of the databases listed above".

After installing Snort we must set important parameters such as HOME_NET and RULE_PATH before Snort can be started and the next steps carried out. This is the step that most often makes the installation and use of Snort fail, because of incorrect declarations. For example, suppose we deploy Snort on a class C network with the address range 192.168.1.0/24; we then open the file snort.conf in the folder C:\Snort\etc\, find the HOME_NET variable and set it as follows:

Next, declare the path to the folder holding the Snort rules by setting RULE_PATH to C:\Snort\rules.

Declare the include lines for classification.config and reference.config as in the figure below (change them to include C:\Snort\etc\classification.config and include C:\Snort\etc\reference.config).

Next, we can copy the ready-made rules into the rules folder of the Snort installation directory C:\Snort. At this point the preparation is complete; before starting Snort to sniff or listen for suspicious signals, we specify the folder that holds the Snort IDS log files. Run the following command:

C:\Snort\bin\snort -l C:\Snort\log -c C:\Snort\etc\snort.conf -A console

The result of running the command line is as follows:

3.2.2 Using Snort
3.2.2.1 Using Snort as a packet sniffer
To sniff, we must select the network card Snort puts into promiscuous mode; if the machine has several cards, use the command snort -W to determine the card's index number:

Next we can run snort -h, and then run snort -v -ix (where x is the index number of the card) to start sniffing packets.

Command-line syntax for snort and its options: C:\Snort\bin\snort -v -i2
With the -v option Snort displays only the IP and TCP/UDP/ICMP headers; to see the application traffic as well, use the -vd option: C:\Snort\bin\snort -vd -i2
To display the Data Link layer headers of the packets as well, use the command: C:\Snort\bin\snort -vde -i2

After running the command above, open a new window and try ping www.dantri.vn, then watch the Snort screen; we will see the signals as in the following figure:

Packet headers displayed when running snort -v

To stop the sniffing process press Ctrl-C; Snort will show a summary of the captured packets per protocol such as UDP and ICMP.

3.2.2.2 Using Snort in Packet Logger mode
Besides viewing the packets on the network, we can also store them in the folder C:\Snort\log with the -l option. For example, the following command logs the data-link and TCP/IP header information of the internal network 192.168.1.0/24:

C:/Snort/bin/snort -dev -l C:/Snort/log -h 192.168.1.0/24

So far we have installed and configured Snort to capture packets and view their contents, but we have not yet turned Snort into a real IDS that finds intrusions. Such a system needs rules, together with actions that warn the administrator when those rules match. In the next part we configure and build a network IDS with Snort.

3.2.2.3 Using Snort in Network IDS mode
All the actions of the Snort IDS operate through rules, so we must create new rules or edit the ready-made ones; here we look at both cases. First, consider the following command line to run Snort as a NIDS:

C:\Snort\bin\snort -dev -l \snort\log -c snort.conf

This command has a new option, -c, with the value snort.conf. As we know, snort.conf is stored in the folder C:\Snort\etc and contains the parameters that control and configure Snort, such as the HOME_NET variable that defines the network and the RULE_PATH variable that defines the path to the Snort rules to apply. In this case the -c option tells Snort to apply the rules declared in the configuration file snort.conf when processing the packets captured on the network. Before studying Snort and its rules in more depth, let us look at the components of a Snort rule:

Rule header: holds the action, the protocol, the source IP address and destination IP address with their subnet masks, and the port numbers of the source and destination addresses.
Rule option: declares the specifics of how packets are matched against the rule, together with the alert message, as in the following example:

alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)

In this line, alert tcp any any -> any 80 is the rule header and (content: "adult"; msg: "Adult Site Access";) is the rule option. Although rule options are not mandatory in every Snort rule, they give us the necessary information about why the rule was created and the corresponding actions. The result of this rule is to generate an alert whenever TCP traffic from any IP address and port is sent to any IP address on port 80 with a payload containing the keyword adult. If this happens, meaning some user on the LAN visits a site containing the word adult, a record Adult Site Access is written to the log file.

3.2.2.3.1 Rule Header
Next we look more closely at the rule header. In the example above it is alert tcp any any -> any 80, where the first element, alert, is the rule action, which defines what Snort does when a packet matches the rule we created. There are 5 rule actions:

Rule action | Description
alert | Generate an alert and log the packet
log | Log the packet
pass | Ignore the packet
activate | Generate an alert and switch on a dynamic rule
dynamic | Stays idle until activated by another rule

Once the action is defined, we must specify the protocol, TCP in the example above; Snort supports the protocols TCP, UDP, ICMP and IP. Then we add the IP addresses to our Snort rule: any means any IP address; otherwise Snort uses netmask notation for network masks, /8 for class A, /16 for class B and /24 for class C. To declare a single host, use /32. We can also give a list of networks, as follows:

alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg: "Password Transfer Possible!";)

Note: where a rule like the one above is shown split over 2 lines, it must still be entered on 1 line when used. To split one rule over several lines, use the \ character, but a single line is preferable where possible. After the action, protocol and IP addresses are defined, we specify the port number of the service, such as 80 for web access, or ports 21, 23 and so on. The keyword any applies to all ports, and a colon (:) specifies a range of ports. To log any traffic from all IP addresses and all ports to port 23 of the network 10.0.10.0/24, use:

log tcp any any -> 10.0.10.0/24 23

To log all traffic from any IP address to ports in the range 1 to 1024 on the hosts of the network 10.0.10.0/24, use:

log tcp any any -> 10.0.10.0/24 1:1024

To log all traffic from IP addresses with a source port less than or equal to 1024 to the hosts of the network 10.0.10.0/24 with a destination port greater than or equal to 1024, use the following syntax:

log tcp any :1024 -> 10.0.10.0/24 1024:

In addition, we can use the negation parameter !, as when logging TCP traffic from all hosts except 172.16.40.50, on all ports, to any host on 10.0.10.0/24 on all ports:

log tcp ! 172.16.40.50/32 any -> 10.0.10.0/24 any

Or when logging all traffic to the hosts of the network 10.0.10.0/24 except port 23:

log tcp any any -> 10.0.10.0/24 !23

Looking through the Snort rules so far, every rule has a direction operator ->, which defines the direction of the traffic from left to right. To apply a Snort rule to traffic in both directions, use <> instead of ->, as when logging both directions of a telnet session:

log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23

3.2.2.3.2 Rule Option
A Snort rule can have several options separated by semicolons (;), and these rule options make the rule more flexible and powerful. The following list presents the rule options commonly used in Snort rules:

Rule option | Description
msg | Displays a message in the alert and the packet log file
ttl | Compares the Time To Live value of the IP header
id | Compares the fragment ID value of the IP header
flags | Compares the TCP flags with the defined values
ack | Compares the TCP ACK value with a defined value
content | Compares the packet contents with the defined values

When the msg keyword is used in a rule, it asks Snort's logging and alerting to insert a defined message into the log file or the alert, for example msg: "text here";. When ttl is used in a rule it asks Snort to compare against a Time To Live value; this is often used to detect traceroutes. A simple example of declaring ttl is ttl: "time-value";. When a rule uses the id keyword it asks Snort to compare against an IP header fragment ID, as in id: "id-value";. For the flags option there are several situations depending on which flag is to be compared; the flag options are declared as follows:

F: for the FIN flag
S: for the SYN flag
R: for the RST flag
P: for the PSH flag
A: for the ACK flag
U: for the URG flag
2: for Reserved bit 2
1: for Reserved bit 1
0: for no TCP flags set

Logical operators can be applied to the flags option: + matches when all the listed flags are set, * matches when any of the listed flags is set, and ! matches when none of the listed flags is set. The reserved bits are used to detect scans or IP-stack fingerprinting. Here is an example of the flags option in a Snort rule used to detect SYN/FIN scans:

alert tcp any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN Scan Possible";)

The ack option is used to match an ACK value in the packet's TCP header; the Nmap tool, for example, uses ACK flags to determine whether a host exists. Among the keywords, content is the most important: when content is used, Snort examines the packet contents and compares them with the value declared in content, and if they match the corresponding actions are taken. Note that the values used with content are case sensitive (upper and lower case are distinguished), and to make the comparison more efficient Snort uses a pattern-matching mechanism called Boyer-Moore, which makes matching more efficient on machines with a weak configuration. The simple syntax of the content keyword is: content: "content value";

3.2.2.3.3 Building rules in Snort
From the above it is fairly clear that a Snort rule consists of 2 parts, the header and the rule options, so to build a rule in Snort we build these 2 parts step by step. We will now build a rule that alerts the expert whenever the ping command is used, and also raises an alert if anyone uses the password "password". Proceed as follows: using the Notepad editor, enter the contents:

log tcp any any -> any any (msg: "TCP Traffic Logged";)

alert icmp any any -> any any (msg: "ICMP Traffic Alerted";)
alert tcp any any -> any any (content: "password"; msg: "Possible Password Transmitted";)

Save the file as c:\Snort\rules\security365.rule, taking care to choose "All files" in Notepad so that no extension is appended.

To test the rules just created, delete the files in the folder C:\Snort\log, open 2 command windows and run the following command in the first:

C:\Snort\bin\snort -c \Snort\rules\security365.rule -l \Snort\log

Then run the following commands in the other window:

C:\> ping www.dantri.vn
C:\> net send [ip_address] Here is my password

Press Ctrl-C in the Snort window to see the captured packets, and look at the log file to see the alerts that appeared.
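The rule syntax of sections 3.2.2.3.1 to 3.2.2.3.3 (header with action, protocol, addresses, ports and direction; port ranges such as 1:1024; the ! negation; the <> direction; address lists in brackets; and the flags and content options), as an added example in Python that parses such rules and evaluates them against packets. This is not Snort's own code, and it is a deliberately small subset of Snort's grammar: option values may not contain a semicolon, only the single-letter flags syntax with an optional trailing +, * or ! is understood, and $HOME_NET is resolved from an assumed VARS table that stands in for the declaration in snort.conf. The packets used are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed variable values, playing the role of the HOME_NET declaration in snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24"}
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

def parse_rule(text):
    """Split a rule into its seven header fields and an option dict.
    Toy parser: option values must not contain ';'."""
    head, has_opts, rest = text.strip().partition("(")
    # tolerate spaces inside address lists such as [10.0.10.0/24, 10.10.10.0/24]
    head = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace(" ", ""), head)
    parts = head.split()
    if len(parts) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in ("->", "<>"):
        raise ValueError("bad action, protocol or direction in: " + head)
    options = {}
    if has_opts:
        for opt in rest.rstrip().rstrip(")").split(";"):
            if opt.strip():
                key, _, val = opt.partition(":")
                options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def match_port(spec, port):
    """'any', '80', '1:1024', ':1024', '1024:', each optionally prefixed by '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(spec)
    return (lo <= port <= hi) != negate

def match_addr(spec, ip):
    """'any', a network or host (no mask = /32), a '[net,net]' list or '$VAR',
    each optionally prefixed by '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        hit = True
    else:
        nets = [ip_network(x, strict=False) for x in spec.strip("[]").split(",")]
        hit = any(ip_address(ip) in n for n in nets)
    return hit != negate

def match_flags(spec, pkt_flags):
    """Plain list = exactly these flags; '+' = at least these; '*' = any of
    these; '!' = none of these; '0' = no flags set at all."""
    mode = spec[-1] if spec and spec[-1] in "+*!" else ""
    wanted, have = set(spec.rstrip("+*!")), set(pkt_flags)
    if wanted == {"0"}:
        return not have
    if mode == "+":
        return wanted <= have
    if mode == "*":
        return bool(wanted & have)
    if mode == "!":
        return not (wanted & have)
    return wanted == have

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and optional flags/payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    def one_way(a, ap, b, bp):
        return (match_addr(a, pkt["src"]) and match_port(ap, pkt["sport"])
                and match_addr(b, pkt["dst"]) and match_port(bp, pkt["dport"]))
    hit = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not hit and rule["direction"] == "<>":      # bidirectional rule: try the reverse
        hit = one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not hit:
        return False
    opts = rule["options"]
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False                                # content matching is case sensitive
    if "flags" in opts and not match_flags(opts["flags"], pkt.get("flags", "")):
        return False
    return True

if __name__ == "__main__":
    rule = parse_rule('alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)')
    probe = {"proto": "tcp", "src": "1.2.3.4", "sport": 40000, "dst": "10.0.10.7", "dport": 22, "flags": "SF"}
    print(rule["action"], rule["options"]["msg"], rule_matches(rule, probe))
```

Tracing a rule through parse_rule and rule_matches is a quick way to confirm what a header such as log tcp any :1024 -> 10.0.10.0/24 1024: actually selects before loading it into snort.conf; the real engine adds the preprocessors, PCRE and the many other options that this subset leaves out.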

Besides creating our own Snort rules, we can apply the ready-made rules. The following figure shows the contents of a pre-defined rule file, scan.rules, in the folder C:\Snort\rules, and how the rule for detecting FIN/SYN scans is set up.

To apply pre-defined rules, proceed as for the rules we created ourselves. If the system has several network cards, clearly specify their index numbers for Snort to use. Also, when setting rules for the ICMP protocol, set the port part to any.

3.2.2.3.4 Examples of Snort rules
Below are some basic Snort rules with their descriptions. They can be used as templates when creating your own Snort rules.

Log all traffic connecting to port 23 of the telnet service:
log tcp any any -> 10.0.10.0/24 23
Log ICMP traffic to the network 10.0.10.0:
log icmp any any -> 10.0.10.0/24 any
Allow all web browsing without logging:
pass tcp any 80 -> any 80
Generate an alert with an attached message:
alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)
Detect SYN/FIN network scans:
alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)
Detect TCP NULL scans:
alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)
Detect OS fingerprinting:
alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)
Content filtering:
alert tcp any $HOME_NET -> !$HOME_NET any (content: "Hello"; msg: "Hello Packet";)

3.3 Chapter summary


This chapter gave an overview of the Snort software: its basic components, its operating modes, and how to write rules and bring them into use. There are five basic components: the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules. The operating modes are packet sniffer, packet logger and network IDS. Finally, rule construction was covered with its two basic parts, the header and the rule options.

CONCLUSIONS AND FUTURE WORK


1. Conclusions

During this project the author studied security systems, and intrusion detection systems in particular. An IDS is an important component of the defence-in-depth strategy of an information system: it detects and gives early warning of attack indicators, letting analysts respond proactively to intrusion risks. The thesis gave an overview of the operating principles, classifications and detection methods of IDS, and of how to use Snort to build one. An IDS operates with three main components: the sensors, the console (interface) and the analyzer. By function, IDS fall into two main types, NIDS and HIDS: a NIDS is usually placed at the network gateway to monitor traffic on the whole network, while a HIDS is installed on each host to analyze the behaviour and data reaching that host. By operation, an IDS can be divided into five main stages: monitoring, analysis, communication, alerting and response.

An IDS detects attacks either by signatures or by anomalies. The main idea of anomaly detection rests on the observation that attacks usually leave unusual traces in the system: a sudden surge of one kind of packet may come from a denial-of-service attack, and the appearance of an unfamiliar connection may mean an attacker is probing for weaknesses. To warn of an attack, the system therefore classifies and detects anomalous indicators in the set of observed parameters. The advantage of this approach is the ability to detect new kinds of attack for which no signature exists, or variants of a known attack that other IDS would not recognize. Anomaly detection is also put forward as a way to address the computational overload and the automation of operation of an intrusion detection system. Anomaly-based IDS can use various techniques; the thesis introduced systems based on statistical probability, finite state machines, data mining, neural networks and expert systems. Each technique has its own mechanism, with different strengths and weaknesses. The thesis also presented some new research directions in this field and assessed them. In chapter 3 the author built an intrusion detection system with Snort for an information system, presenting the parts that make up Snort, their operating principles and how they work together, and going into detail on how rule sets are written, managed, executed and updated.

2. Future work

Anomaly detection is a young research field that has received, and will continue to receive, growing attention because of its role in information systems. The author intends to develop the work further in the following directions:

Build an anomaly detection program based on an expert system.

Study other anomaly detection techniques to raise the defensive capability of the system.



APPENDIX
Denial of service attacks

A denial of service (DoS) attack can be described as any action that prevents legitimate users from reaching and using a service. It includes flooding the network, breaking the connection to the service and so on, with the end result that the server can no longer answer service requests from clients. DoS can halt a single computer, a local network, or even a very large network. In essence, the attacker consumes a large share of a network resource such as bandwidth or memory, and the target loses the ability to process service requests from other clients.

DoS attack techniques

1. SYN flood
Exploiting the way a TCP/IP connection is established, the attacker begins a TCP handshake with the target but never returns the final ACK, so the target is left waiting (for the ACK from the party that asked to connect) and keeps retransmitting its SYN-ACK. Another variant forges the source IP address of the SYN; the target again waits, and its SYN-ACKs can never arrive because the source address is not real. Attackers use SYN floods against systems with more bandwidth than their own.

[Figure: the abused handshake. The client sends a SYN segment to the server; the server returns an ACK together with its own SYN; the client then sends another SYN instead of the expected ACK.]

2. Land attack
A Land attack is similar to a SYN flood, but the attacker uses the target's own IP address as the source address of the packet, pushing the target into an endless loop as it tries to establish a connection with itself.

3. UDP flood
The attacker sends UDP echo packets whose source address is the target's own loopback address or that of another computer on the same network. Since the target uses the UDP echo port (port 7) to send and receive echo packets between the two hosts (or between the target and itself, if the loopback is configured), the two hosts gradually consume all of their bandwidth and hinder resource sharing by the other hosts on the network.

4. DDoS (Distributed Denial of Service)
This is a very dangerous form of attack. The attacker compromises many computers, installs remote-control programs on them, and triggers them all at the same moment to attack a single target. With DDoS the attacker can mobilize hundreds or even thousands of computers at once (depending on the preparation done) and can exhaust the target's bandwidth in an instant.

5. Smurf attack
The attacker exploits resources the victim depends on. By altering and endlessly replicating data the victim has to process, the attacker overloads the CPU and stalls processing. This attack needs one essential element, an amplification network: the attacker sends ICMP echo requests to the broadcast address of that network with the target's address forged as the source, and every host on the network replies at once with an ICMP echo reply to the target. The target cannot process such a volume of replies in time and hangs.

6. Teardrop
In a packet-switched network, data is split into many small packets, each carrying its own offset value, and they may travel different paths to the destination, where the offset values are used to reassemble the original data. Exploiting this, the attacker sends the target many fragments whose offsets overlap. The target cannot reassemble these fragments, exhausts its processing capacity and hangs.
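As an added example (not code from the thesis), the following shows two of the indicators a monitor can compute for the attacks described above: half-open TCP handshakes per destination for the SYN flood (counted per destination rather than per source, because the source addresses are usually forged), and overlapping fragment offsets for Teardrop. The traffic records and fragment lists are constructed for the demonstration; the threshold of 20 half-open connections is an arbitrary illustrative value.

```python
"""Two indicators for the DoS techniques in this appendix, as an added example
(not from the thesis): half-open TCP handshakes per destination for the SYN
flood, and overlapping fragment offsets for Teardrop.  All input below is
constructed, not captured traffic."""
from collections import defaultdict

SYN, ACK = 0x02, 0x10     # TCP flag bits as on the wire


def half_open_by_dest(segments, threshold):
    """segments: (src, dst, sport, dport, flags) tuples in arrival order.
    A connection that saw a SYN (and possibly the SYN-ACK) but never the
    client's ACK is half-open.  Counting per destination rather than per
    source is what makes this work when the SYN source addresses are forged."""
    state = {}
    for src, dst, sport, dport, flags in segments:
        if flags == SYN:                              # client's opening SYN
            state[(src, sport, dst, dport)] = "syn"
        elif flags == SYN | ACK:                      # server's reply, key reversed
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags & ACK and (src, sport, dst, dport) in state:
            state[(src, sport, dst, dport)] = "open"  # handshake completed
    counts = defaultdict(int)
    for (_, _, dst, _), st in state.items():
        if st != "open":
            counts[dst] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


def overlapping_fragments(frags):
    """frags: (offset_in_bytes, payload_length) of one datagram's fragments.
    Returns the fragments that start inside data already covered by an
    earlier fragment, which a well-formed sender never produces."""
    covered_to, bad = 0, []
    for off, length in sorted(frags):
        if off < covered_to:
            bad.append((off, length))
        covered_to = max(covered_to, off + length)
    return bad


# Constructed traffic: one complete handshake, then 50 SYNs from forged
# sources against 10.0.10.7:80 that the server answers but that never complete.
GOOD = [("10.0.10.3", "10.0.10.7", 1025, 80, SYN),
        ("10.0.10.7", "10.0.10.3", 80, 1025, SYN | ACK),
        ("10.0.10.3", "10.0.10.7", 1025, 80, ACK)]
FLOOD = [("198.51.100.%d" % i, "10.0.10.7", 40000 + i, 80, SYN) for i in range(50)]
FLOOD += [("10.0.10.7", "198.51.100.%d" % i, 80, 40000 + i, SYN | ACK) for i in range(50)]

# Fragment lists: a normal 3480-byte datagram and a Teardrop-style one whose
# third fragment restarts inside the second.
NORMAL = [(0, 1480), (1480, 1480), (2960, 520)]
TEARDROP = [(0, 24), (24, 24), (36, 24)]

if __name__ == "__main__":
    print("half-open per destination:", half_open_by_dest(GOOD + FLOOD, threshold=20))
    print("overlapping fragments:", overlapping_fragments(TEARDROP), overlapping_fragments(NORMAL))
```

The completed handshake from 10.0.10.3 is not counted, while the fifty answered but never completed SYNs are attributed to the victim 10.0.10.7 regardless of their forged sources; the overlap check reports only the fragment at offset 36, which begins inside the 24..48 range already covered.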
