
A. Objectives of the study of IDS/IPS

o The study improves the ability to learn, explore and carry out research independently.
o Study the intrusion prevention and detection systems IDS/IPS.
o Deploying a system that detects and blocks the traffic entering and leaving the network is a necessity for enterprises that need their systems to be safe against unauthorized intrusion. With the development of the internet and people's ever-deeper understanding of it, unauthorized access to and sabotage of the network of an enterprise or company has also increased greatly along with the growth of the internet.
o This study serves the field of system security and safety.

B. Structure of the thesis

This thesis is divided into 4 parts:

I. Chapter 1: General introduction to the intrusion prevention and detection systems IDS/IPS
1. Brief introduction to methods of intruding into a system
2. Intrusion detection and prevention methods
3. The diversity of IDS/IPS
4. Comparison of IPS and IDS

II. Chapter 2: IDS overview
1. Definition of IDS
2. Functions of IDS
3. Architecture of IDS
4. Classification of IDS
5. Tools supporting IDS
6. Processing techniques in IDS
7. Classification of signatures

III. Chapter 3: IPS overview
1. Definition of IPS
2. Functions of IPS
3. Architecture of IPS
4. Classification of IPS
5. Tools supporting IPS
6. Signatures and processing techniques in IPS

IV. Chapter 4: Simulation
1. Objectives of the simulation
2. Simulation model
3. Tools needed to carry out the simulation
4. Simulation steps
5. Results achieved
6. Limitations

I. Chapter 1: General introduction to intrusion prevention and detection systems

Today, the need to exchange data over computer networks has become extremely important in every activity of society. Ensuring the security and safety of information on the network is increasingly the top concern of companies, organizations and service providers. Over time, attack techniques have become more sophisticated, rendering network security systems ineffective. Traditional network security systems rely purely on firewalls, which control the flow of information in and out of the network rigidly, on the basis of fixed protection rules. With this type of defense, security systems are powerless against new attack techniques, especially attacks aimed at the weak points of the system. Faced with the risk of intrusion by attackers seeking the confidential data of a company, enterprise, organization or nation, the IDS (Intrusion Detection System) was created to detect unauthorized intrusion by attackers through monitoring the traffic of the network. An IDS only inspects and notifies when the system shows an anomaly or something contrary to a definition the user has set for the system; an IDS cannot carry out blocking as soon as it detects that an intrusion is taking place. To enforce security for the network, the IPS was created. An intrusion prevention system (IPS) is a security technique that combines the advantages of firewall technology with the intrusion detection system IDS; it is able to detect attacks and automatically block them.

1. Brief introduction to methods of intruding into a system

The possible ways of intruding into a network are:
- Reconnaissance attack
- Access control attack
- Denial of service (DoS) attack

- Reconnaissance: to launch some types of attack effectively, an attacker usually needs to understand the network topology and the hardware in use. The technique of gathering this kind of information is called reconnaissance. Reconnaissance of a target in an environment is not a threat in itself, but its results are usually used later to attack a system or network. Therefore the threat of a reconnaissance attack is mainly an indirect one: after the network has been scanned, the information is then used for the attacks. Reconnaissance attacks usually go undetected and are usually harmless to the network. The best way to detect them is to look in the log files, but often they cannot be seen in those logs either. Reconnaissance is considered a feasible option, arguably the best way for a prospective attacker to gather information. Methods used for reconnaissance attacks:
- Command-line or administrative utilities: nslookup, ping, telnet, finger...
- Hacking tools such as NMAP, Nessus, custom scripts

Carrying out reconnaissance requires knowing how to use command-line or administrative utilities, for example using the nslookup utility to look up the IP address of a website. An attacker can easily determine the IP address space assigned to a company or organization. The ping command lets the attacker know that an IP address is alive on the network. Attack tools are used to perform reconnaissance; these tools let an attacker with little knowledge perform reconnaissance by automating the process through a friendly interface that anyone can use.

- Access control attack: an attack occurs when an individual or a group of individuals attempts to access, modify or damage the environment and system resources. An access attack is an attempt to access information that the attackers are not authorized for:
  Physical access method: dumpster diving
  Access attacks over the network: eavesdropping, snooping, interception.

- Denial of service (DoS) attacks: a DoS attack differs from most other attacks in that it does not aim to gain access or find any information in the system. Attacking this way targets the availability of the system; the purpose is to prevent the system's normal operation, especially for systems that serve many people such as web servers and mail servers. DoS attack methods:
  Resource overload: hard-disk capacity, bandwidth and buffers
  Flooding with ping or SYN packets, or continuous UDP bombardment
  Unsolicited Commercial E-mail (UCE)
  Spreading ICMP packets to cause congestion
  IP fragment overlay
  Same source and destination IP packet
  Fragmentation or impossible packets

2. Intrusion detection and prevention methods

Intrusion prevention solutions aim to protect resources, data and the network. They reduce the threat of attack by removing harmful or malicious network traffic while still allowing legitimate activity to continue. The goal here is a perfect system: no false alarms that reduce end-user productivity, and no false negatives that create excessive risk inside the environment. Perhaps a more essential role is the need to be trusted to behave as desired under any conditions. This means intrusion prevention solutions are placed in the right position and are capable of the following:

Network reconnaissance cannot be blocked completely. Network-level and host-level IDS can notify the administrator when a reconnaissance-gathering attack occurs (for example ping sweeps and port scans). If ICMP echo request and echo reply are turned off on the edge router, congestion is limited. A network-level IDS and the management host will inform the administrator that a reconnaissance attack is in progress. This helps the administrator prepare better for the coming attack, or notify the ISP responsible for the party that launched the reconnaissance attack.

The threat of DoS attacks can be reduced through the following three methods:
- Antispoof features: correct antispoof configuration on the system's routers and firewalls.
- Anti-DoS features: correct anti-DoS configuration on routers and firewalls.
- Rate limiting of network traffic.

3. The diversity of IDS

IDS have developed in many forms, both software and hardware. The common purpose of an IDS is to observe events on the network and notify the administrator about the security of the events that the sensor considers worth alerting on. Some IDS compare the network conversations they overhear against a list of known attack strings, or signatures. When the network traffic under examination is deemed to match a signature, they raise an alert; such a system is called a signature-based IDS. An IDS that observes the traffic of the system over time and raises an alert on situations that do not fit the normal pattern is called an anomaly-based IDS. Actively protecting network resources is the newest trend in security. Most intrusion detection systems (IDS) passively monitor the system for signs of intrusive activity. When intrusive activity is detected, the IDS provides the ability to block future intrusive activity from the suspected hosts. This reactive approach does not block the attack traffic against the system from start to finish. An IPS, however, can actively stop the attack traffic against the system right at the beginning.

3.1 Software intrusion detection system (Snort)
To install Snort, first consider the scale of the network. The specific requirements for installing Snort are: hard-disk space to store the log files that record Snort's alerts; a fairly powerful server; and the choice of an operating system, which is no less important. Usually administrators choose the operating system they use most proficiently. Snort can run on operating systems such as Windows and Linux.

3.2 Hardware intrusion detection system (Cisco)
Cisco offers many types of intrusion detection device, with several sensor platforms that let you decide the best position to monitor intrusive activity for the system. Cisco provides the following sensor platforms:
* Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP SSM): the Cisco ASA AIP SSM uses advanced inspection and prevention technology to provide high-performance security services, such as intrusion prevention services and advanced anti-X services, defined as anti-virus and anti-spyware. The Cisco ASA AIP SSM product line includes a Cisco ASA AIP SSM-10 module with 1 GB of memory, a Cisco ASA AIP SSM-20 module with 2 GB of memory, and a Cisco ASA AIP SSM-40 module.
* Cisco IPS 4200 Series sensors: Cisco IPS 4200 Series sensors protect your network by helping to detect, classify and stop threats, including worms, spyware and adware, network viruses, and application abuse. Using Cisco IPS Sensor Software Version 5.1, the Cisco IPS solution combines inline intrusion prevention services with advanced technologies that improve accuracy. As a result, more threats can be stopped without the risk of dropping legitimate network traffic. Cisco IPS Sensor Software includes enhanced detection capabilities, improved scalability and resiliency, and so on.
* Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2): the Catalyst 6500 Series IDSM-2 is part of the Cisco IPS solution. It works in combination with the other components to protect your data infrastructure effectively. With the increasing complexity of security threats, achieving effective network intrusion security solutions is critical to maintaining a high level of protection. Vigilant protection ensures business continuity and minimizes costly intrusion-detection operations.
* Cisco IPS Advanced Integration Module (AIM): Cisco offers a range of IPS solutions; the Cisco IPS AIM for the Cisco 1841 Integrated Services Router and the Cisco 2800 and 3800 Series Integrated Services Routers is made for small and medium-sized business (SMB) and branch-office environments. The Cisco IPS Sensor Software running on the Cisco IPS AIM provides advanced, enterprise-class IPS functionality and meets the growing security needs of branch offices. The Cisco IPS AIM is sized to suit branch offices with today's and tomorrow's WAN bandwidth requirements, because the IPS function runs on its own dedicated CPU and therefore does not consume the router's CPU. At the same time, integrating IPS into a Cisco Integrated Services Router keeps the cost low and gives an effective solution for businesses of all sizes.
4. Comparison of IPS and IDS

Today, IDS technology is being replaced by IPS solutions. Put simply, an IDS can be seen as just a bell that warns the administrator of the risks of a possible attack. Clearly it is only a passive monitoring solution: it can only alert, and actually blocking attacks on the system depends entirely on the administrator. This places very high demands on the administrator in identifying which traffic is needed and which suspicious traffic is the sign of an attack, and of course this work is extremely difficult. With an IPS, the administrator can not only identify suspicious traffic when there are signs of attack but also reduce the chance of misidentifying traffic. With an IPS, attacks are eliminated as soon as there are signs of them, and it operates according to rules predefined by the administrator. Current IDS use only one or two detection mechanisms. Since each attack has its own different mechanisms, different mechanisms are needed to distinguish them. With an IDS, because the number of mechanisms is small, attacks with mechanisms that were not defined in advance may go undetected, so the attacks may succeed and affect the system. In addition, because IDS mechanisms are generic, they lead to false reports and false alerts, wasting the administrator's time and effort. An IPS, on the other hand, is built on many attack mechanisms and can create new mechanisms suited to new forms of attack, so it reduces the possibility of attacks on the network; moreover, the accuracy of an IPS is higher than that of an IDS. Note that with an IDS, the response to an attack can only occur after the attack packet has reached its destination; at that point, countering the attack simply means sending requests to the system's machines to tear down the connections between the attacking machine and the server, or sending a notification to the firewall so that the firewall performs its function; however, this sometimes causes side effects on the system. For example, if an attacker spoofs the address of a partner, ISP or customer to create a denial-of-service attack, then although the IDS can block the denial-of-service attack, it will also block the IP of the customer, ISP or partner, so the damage remains and amounts to a side effect of a successful DoS even though the denial-of-service attack itself failed. With an IPS it is different: it detects the signs of the attack right at the beginning and then immediately blocks that network traffic, which is the only way to really reduce attacks.

II. Chapter 2: IDS overview

1.1 Definition of IDS
An IDS (Intrusion Detection System) is a hardware or software system whose function is to monitor and analyze network traffic and suspicious activity and alert the system and the administrator. An IDS can also distinguish between attacks on the system from inside (by people within the company) and attacks from outside (by hackers). An IDS detects on the basis of specific signatures of known risks (just as anti-virus software relies on specific signatures to detect and remove viruses), or by comparing the current network traffic with a baseline (the standard measured parameters of the system) to find abnormal signs.

1.2 Distinguishing systems that are not IDS
Taken separately, the following security devices are not IDS:
- Network logging systems used to detect vulnerability to denial-of-service (DoS) attacks on a network; these have a system that inspects network traffic.
- Vulnerability assessment tools that check for bugs and holes in the operating system and network services (security scanners).
- Anti-virus products designed to detect malicious software such as viruses, Trojan horses, worms and so on, although their default features can closely resemble an intrusion detection system and often provide an effective tool for detecting security holes.
- Firewalls.
- Security/cryptographic systems, e.g. VPN, SSL, S/MIME, Kerberos, Radius.

2. Functions of IDS
Intrusion detection systems allow organizations to protect their systems from the threats that come with the increase in network connectivity and reliance on information systems. Threats to network security have become so pressing that network security professionals must ask whether to use an intrusion detection system unless its characteristics are useful to them, supplementing the weak points of other systems. Whether an IDS has been accepted as an additional component of every security system is still a question for many system administrators. Many documents describe the functions an IDS can perform, but a few reasons for using an IDS can be given:
- Protecting the integrity of data, ensuring the consistency of the data in the system. The measures taken prevent unauthorized modification or destruction of data.
- Protecting confidentiality, keeping information from being disclosed outside.
- Protecting availability, i.e. the system is always ready to carry out the information access requests of legitimate users.
- Protecting privacy, i.e. ensuring that users exploit system resources according to their assigned functions and duties, preventing unauthorized access to information.
- Providing information about the intrusion, and giving response, recovery and repair policies.
In short, an IDS can be summarized as follows:
- The most important functions are: monitor, alert, protect.
  Monitor: network traffic and suspicious activity.
  Alert: report the state of the network to the system and the administrator.
  Protect: use the default settings and the configuration from the administrator to take practical action against intruders and saboteurs.
- Extended functions:
  Distinguish: "the enemy inside and the enemy outside", internal attacks and external attacks.
  Detect: abnormal signs based on what is known, or by comparing the current network traffic with the baseline.

[Figure: general model of an IDS. Blocks: Event information, Event configuration, Analysis system, Response system, Information collection policy, Information system, Detection policy, Response policy; stages: Information collection, Detection, Response]

In addition, the intrusion detection system IDS has the functions of:
- Preventing the increase of attacks
- Supplementing the weak points that other systems have not covered
- Assessing the quality of the system design
When an IDS has run for some time, it will naturally reveal weak points. Pointing out the weak points serves to assess the quality of the network design as well as the way the network administrators have arranged their protection and defense.

3. Architecture of the IDS
Today, different IDS are distinguished through the different analysis and inspection the systems perform. Each system has its own advantages and drawbacks, but the systems can be described under the following general model:

3.1 Tasks performed
The main task of intrusion detection systems is to protect a computer system by detecting signs of attack. Detecting attacks depends on the number and type of appropriate actions (Figure 3.1.a). To prevent intrusion well, there must be a good combination of baiting and traps, equipped for studying threats. Diverting the intruder's attention away from the protected resources is another important task. The whole system needs to be inspected continuously. The data generated by the intrusion detection systems is examined carefully (this is the main task of every IDS) to detect signs of attack (intrusion).

[Figure 3.1a: The IDS process. Stages: Prevention, Simulation, Intrusion Monitoring, Intrusion Detection, Analysis, Notification, Response]

[Figure 3.1b: Description of the security policy. Blocks: IDS task, Protected System, Additional IDS Infrastructure, Monitoring, Response]

When an intrusive action is detected, the IDS issues alerts to the system administrators about the event. The next step is taken by the administrators, or possibly by the IDS itself, making use of additional countermeasures (functions to block or limit sessions, back up the system, route connections to system traps, legal infrastructure, ...) according to the organization's security policies (Figure 3.1b). An IDS is one component of the security policy. Among the various IDS tasks, identifying the intruder is one of the fundamental ones. It is also useful for the forensic investigation of incidents and for installing suitable patches that allow the detection of future attacks aimed at specific individuals or system resources. Intrusion detection can sometimes produce false alarms, for example those caused by a malfunctioning network interface, or by attack descriptions or signatures sent by mail.

3.2 Architecture of the intrusion detection system
The architecture of an IDS comprises the main components: the packet collection component (information collection), the packet analysis component (detection), and the response component, used if a packet is detected as a hacker attack. Of these three components, the packet analysis component is the most important, and within it the sensor plays the decisive role, so we will analyze the sensor to better understand what the architecture of the intrusion detection system looks like.
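The three components just named, collection, detection and response, together with the two detection methods the IDS functions in section 2 rely on (known signatures and comparison against a baseline), as an added Python example that is not code from the thesis: a sensor holds a signature database matched against packet payloads and an anomaly threshold (mean plus three standard deviations of per-source packet counts) learned from clean traffic, and a response module that only notifies in IDS mode but also emits block actions in IPS mode. All packets, addresses, signatures and the sigma multiplier are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Packet:
    """One captured packet reduced to the fields the detectors look at (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature database: name -> byte pattern the payload must contain.
SIGNATURES = {
    "path-traversal": b"../../",
    "passwd-read": b"/etc/passwd",
    "sql-tautology": b"' OR 1=1",
}


class Sensor:
    """Detection policy database of the sensor: signatures, normal profile, threshold."""

    def __init__(self, signatures, sigma_mult=3.0):
        self.signatures = signatures
        self.sigma_mult = sigma_mult      # assumed: alert beyond mean + 3 standard deviations
        self.threshold = None             # packets per source per window; set by train()

    def train(self, windows):
        """Anomaly baseline: mean and stdev of per-source packet counts over clean windows."""
        counts = [n for w in windows for n in Counter(p.src for p in w).values()]
        self.threshold = statistics.mean(counts) + self.sigma_mult * statistics.pstdev(counts)
        return self.threshold

    def signature_matches(self, window):
        """Signature-based detection: a payload contains a known attack string."""
        alerts = []
        for p in window:
            for name, pattern in self.signatures.items():
                if pattern in p.payload:
                    alerts.append(("signature", p.src, name))
        return alerts

    def anomalies(self, window):
        """Anomaly detection: a source sends far more packets than the learned baseline."""
        if self.threshold is None:
            raise RuntimeError("call train() before analysing live traffic")
        per_src = Counter(p.src for p in window)
        return [("anomaly", src, f"{n} packets > threshold {self.threshold:.1f}")
                for src, n in per_src.items() if n > self.threshold]


def respond(alerts, mode="ids"):
    """Response module: an IDS only notifies the administrator; an IPS also blocks."""
    actions = [f"notify admin: {kind} from {src} ({detail})" for kind, src, detail in alerts]
    if mode == "ips":
        actions += [f"block {src}" for src in sorted({src for _, src, _ in alerts})]
    return actions


def analyse_window(sensor, window, mode="ids"):
    """Collection (the window) -> detection (both methods) -> response."""
    alerts = sensor.signature_matches(window) + sensor.anomalies(window)
    return alerts, respond(alerts, mode)


def demo():
    """Constructed traffic: three clean training windows, then one window with attacks."""
    def web(src, n, body=b"GET /index.html HTTP/1.1"):
        return [Packet(src, "10.0.0.5", 80, body) for _ in range(n)]

    training = [
        web("192.168.1.10", 4) + web("192.168.1.11", 5),
        web("192.168.1.10", 5) + web("192.168.1.12", 4),
        web("192.168.1.11", 6) + web("192.168.1.12", 3),
    ]
    sensor = Sensor(SIGNATURES)
    sensor.train(training)
    live = (web("192.168.1.10", 5)
            + web("203.0.113.7", 1, b"GET /../../etc/passwd HTTP/1.1")  # matches two signatures
            + web("198.51.100.9", 40))                                   # flood far above baseline
    return analyse_window(sensor, live, mode="ids"), analyse_window(sensor, live, mode="ips")


if __name__ == "__main__":
    for alerts, actions in demo():
        print(alerts)
        print("\n".join(actions))
```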

The sensor is integrated with the data collection component, an event generator. The way of collecting is determined by the event generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) provides a suitable set of policies for the events, which may be a log of system events or network packets. This set of policies, together with the policy information, may be stored in the protected system or outside it. In some cases, for example when the event data stream is passed directly to the analyzer, no data storage is performed at all. This also applies to some extent to network packets.

The role of the sensor is to filter information and discard irrelevant data obtained from the set of events related to the protected system, so that suspicious actions can be detected. The analyzer uses the detection policy database for this purpose. In addition there are the components: attack signatures, normal behavior profiles, and the necessary parameters (for example thresholds). Furthermore, the database holds the configuration parameters, including the communication modes with the response module. The sensor also has its own database, holding stored data about potential complex intrusions (built up from many different actions).

An IDS may be arranged centrally (for example integrated into a firewall) or distributed. A distributed IDS consists of many different IDS over a large network, all of which communicate with each other. Many sophisticated systems follow the agent structure principle, in which small modules are organized on each host in the protected network. The role of the agent is to inspect and filter all actions inside the protected area and, depending on the method adopted, to perform a preliminary analysis and even take responsibility for the response action. The network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use more sophisticated analysis tools, especially equipped to detect distributed attacks. Other roles of the agent relate to its mobility and its roaming across physical locations. In addition, agents may be dedicated to detecting a certain known attack signature. This is a decisive factor when it comes to the means of protection against new types of attack. The multi-agent architecture solution proposed in 1994 is AAFID (autonomous agents for intrusion detection). It uses agents to inspect a certain aspect of system behavior at a certain time. For example, an agent can report an abnormal number of telnet sessions inside the system it inspects. An agent is able to raise an alert when it detects a suspicious event. Agents can be cloned and moved into other systems (the autonomy feature). Apart from the agents, the system may have transceivers that inspect all the actions controlled by the agents on a particular host. The transceivers always send the results of their activity to a single monitor. The monitors receive information from the networks (not just from one host), which means they can correlate distributed information. In addition, some filters may be introduced to select and collect data. There are also some points to note:
- The architecture and placement of the IDS: depends on the scale of the enterprise's organization as well as the enterprise's purpose in using the IDS.
- Control strategy: a clear description, for each IDS, of how the input and output information is controlled and inspected:
  + Centralized strategy: direct control of the inspection, detection, analysis, response and reporting operations from a central location.
  + Partially distributed: detection and inspection at the component locations, then reporting back to the central location.
  + Distributed: each region has a center representing the main center, which directly controls the monitoring, inspection and reporting operations.

4. Classification of IDS

There are two different methods of analyzing events to detect attacks: signature-based detection and anomaly detection. IDS products may use one of the two, or a combination of both.
- Signature-based detection: this method identifies events or sets of events that match a pattern of events defined as an attack.
- Anomaly detection: this tool establishes a baseline of normal activity and then maintains a current state for a system. When these two differ, an intrusion is indicated.
The different IDS all rely on detecting unauthorized intrusion and anomalous actions. The detection process can be described by three fundamental elements:
- Information collection (information source): inspect all packets on the network.
- Analysis: analyze all the collected packets to tell which actions are attacks.
- Response: the alerting action for the attack identified in the analysis above.

4.1 Network Based IDS (NIDS)
A network-based IDS uses probes and sensors installed throughout the network. These probes monitor the network looking for traffic that matches the defined profiles or signatures. The sensors collect and analyze traffic in real time. When a traffic pattern or signature is recognized, the sensor sends an alert to the management station and may be configured to find measures to block further intrusion. A NIDS is a set of many sensors placed throughout the network to monitor the packets on the network, comparing them with defined patterns to detect whether they are an attack or not. It is placed between the internal network and the external network to monitor all inbound and outbound traffic. It may be a dedicated, pre-configured hardware device or software installed on a computer. It is mainly used to measure the network traffic in use. However, a bottleneck may occur when network traffic is at a high level.

4.1.1 Advantages of Network-Based IDSs:
- Can manage a whole network segment (comprising many hosts)
- "Transparent" to both users and attackers
- Simple to install and maintain, does not affect the network
- Avoids a DoS affecting a particular host
- Able to identify errors at the Network layer (of the OSI model)
- Independent of the OS

4.1.2 Limitations of Network-Based IDSs:
- False positives may occur, i.e. the NIDS reports an intrusion when there is none.
- Cannot analyze encrypted traffic (e.g. SSL, SSH, IPSec)
- A NIDS requires the latest signature updates to be really secure
- There is a delay between the time of the attack and the time the alarm is raised. By the time the alarm is raised, the system may already be damaged.
- Does not tell whether the attack succeeded or not.
One of the limitations is bandwidth. Network probes must receive all the network traffic, reassemble that traffic and analyze it. As network speeds increase, so must the capacity of the probes. One solution is to make sure the network is designed precisely to allow the placement of multiple probes. As the network grows, more probes are added to ensure the best communication and security. One way intruders try to hide their activity from a network-based IDS is to fragment their packets. Each protocol has a maximum packet size; if the data sent over the network is larger than this size, the packet is fragmented. Fragmentation is simply the process of splitting the data into smaller pieces. The order of reassembly is not a problem as long as no overlap occurs. If overlapping fragmentation occurs, the sensor must know how to reassemble correctly. Many hackers try to prevent detection by sending many overlapping fragmented packets. A sensor will not detect the intrusive activity if it cannot reassemble the packets correctly.

4.2 Host Based IDS (HIDS)
By installing software on all the host computers, a host-based IDS observes all system activity, such as the log files and the network traffic it collects. Host-based systems also monitor the OS, system calls, audit logs and error messages on the host. While network probes can detect an attack, only host-based systems can determine whether the attack succeeded. Furthermore, host-based systems can record what the attacker did on the compromised host. Not all attacks are carried out over the network. By gaining physical access to a computer system, an intruder can attack a system or its data without creating any network traffic at all. Host-based systems can detect attacks that do not pass through a public or monitored network, or that are carried out from the console, although an intruder who knows the IDS can quickly turn off all the detection software once he has physical access. Another advantage of host-based IDS is that it can block attacks that use fragmentation or TTL tricks. Because a host must receive and reassemble the fragments when processing traffic, a host-based IDS can monitor this. A HIDS is usually installed on a particular computer. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on one computer. HIDS are usually placed on the organization's critical hosts and on the servers in the DMZ, which are usually the first targets of attack. The main task of a HIDS is to monitor changes on the system, including (not all):

- Processes.
- Registry entries.
- CPU usage.
- Checking integrity and access on the file system.
- A few other parameters.
When these parameters exceed a predefined threshold, or when suspicious changes occur on the file system, an alarm is raised.

4.2.1 Advantages of HIDS:
- Able to identify the user associated with an event.
- A HIDS can detect attacks taking place on one machine; a NIDS cannot.
- Can analyze encrypted data.
- Provides information about the host while the attack is taking place on it.

4.2.2 Limitations of HIDS:
- Information from a HIDS is no longer trustworthy once an attack on the host has succeeded.
- When the OS is "taken down" by an attack, the HIDS goes down with it.
- A HIDS must be set up on every host to be monitored.
- A HIDS cannot detect network probing (Nmap, Netcat).
- A HIDS needs resources on the host to operate.
- A HIDS may be ineffective under DoS.
- Most run on Windows; however, some also run on UNIX and other operating systems.
Because a host-based IDS requires the IDS software to be installed on all hosts, this can be a burden for administrators: upgrading versions, maintaining and configuring the software become time-consuming and complex jobs. Because host-based systems only analyze the traffic received by the host, they cannot detect the common probing attacks carried out against a host or a group of hosts. A host-based IDS will not detect ping sweeps and port scans across many hosts. If the host is compromised, the intruder can simply turn off the IDS software or disconnect the host. Once this happens, the host can no longer generate any alert. The IDS software must be installed on every system on the network to provide the full alerting capability of the network. In a heterogeneous environment this can be a problem, because the IDS software must suit many different operating systems. Therefore, before choosing an IDS, we must make sure it is suitable and runs on all the operating systems.

5. Tools supporting IDS
There are a number of tools that support the intrusion detection system IDS; this section covers four supporting tools: vulnerability analysis systems, data integrity checkers, honeypots and padded cells. How these components can strengthen, support and be organized together with the IDS is clarified in the sections below.

5.1 Vulnerability analysis and assessment systems
Vulnerability analysis and assessment (also known as vulnerability assessment) is a tool that checks whether a network or host may be vulnerable to known attacks. Vulnerability assessment represents a special case of the intrusion detection process. Information including the state of the system and the consequences of attacks is analyzed and assessed. This information is aggregated and analyzed at the sensor. Vulnerability analysis and assessment is a very powerful security management technique and a suitable complement to the use of IDS, not a replacement. A trusted organization is needed to manage the vulnerability analysis tools and monitor these systems.
a. The vulnerability analysis and assessment process
The vulnerability analysis and assessment process consists of the following steps:

- Take a sample consisting of a set of attributes of the system.
- The result of the sampling is stored in a secure place.
- This result is compared with at least one previous sample or with an ideal sample.
- Any difference between the two sets is aggregated and reported.
b. Types of vulnerability analysis and assessment
There are two types of vulnerability analysis and assessment, network-based and host-based:
- Host-based: vulnerability analysis and assessment is the assessment of the system's data, such as its data, its configuration, and the state of other information.
- Network-based: vulnerability analysis and assessment requires a remote connection to the target system. The assessment includes recording the system's responses, or simply probing to learn the system's weak points.

5.2. Data integrity checking
Data integrity checkers are security tools that complement IDSs. They compute message digests or checksums for critical data and objects, compare them with reference values, and flag any difference or change. Checksum verification shows whether the content of the data has been altered by a hacker. There are many techniques for altering content, but the hacker's aim is to attach components to the content that form a bridge for exchanging information between the system and the hacker's machine, or simply to cause damage. Although checking for altered components in the content of data, also called worms, is regularly supported by updates from anti-virus, anti-spyware and anti-trojan vendors, the updates still lag far behind the development of these components.

5.3. Honey Pot and Padded Cell Systems
A honeypot is a decoy system designed to trap the hackers who attack. A honeypot is designed with the following purposes:
- Divert the hacker away from the system to be protected.
- Gather information about the hacker and the hacker's actions.

- Keep the hacker on the system long enough for the administrator to respond.
Padded Cell: unlike a honeypot, which steers the hacker according to its own plan, a padded cell is designed to track the hacker's data-changing actions, marking the changes in order to learn the hacker's purpose.

6. Data processing techniques used in intrusion detection systems
Depending on the type of method used to detect intrusion, different processing mechanisms (techniques) are also used for the data of an IDS. Some systems are briefly described below.

6.1 Expert system
This system works on a set of predefined rules describing attacks. All security-related events are incorporated into the audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).

6.2 Rule-Based Intrusion Detection
Like the expert-system method, this method is based on knowledge of attacks. It transforms the description of each attack into a suitable audit format. Thus attack signatures can be found in the records. An attack scenario can be described, for example, as a sequence of audit events for the attacks, or as patterns of data that can be searched for in the audit. This method uses abstract equivalents of the audit data. Detection is performed by matching generic text strings against the mechanisms. Typically it is a very powerful technique and is often used in commercial systems (for example Cisco Secure IDS, Emerald eXpert-BSM (Solaris)).

6.3 User intention identification
This technique models the normal behavior of users by a set of high-level tasks they can perform on the system (related to the user's functions). The tasks usually require a number of activities adjusted to match the appropriate audit data. The analyzer keeps a set of acceptable tasks for each user. Whenever an inconsistency is detected, an alert is generated.

6.4 State-transition analysis
An attack is described by a set of goals and transitions that must be performed by an intruder to compromise the system. The transitions are presented in state-transition diagrams. If a set of transitions that violates the rules is detected, an alert or response is carried out according to predefined actions.

6.5 Colored Petri Nets
This method is often used to generalize attacks from basic knowledge and to represent attacks graphically. The IDIOT system of Purdue University uses Colored Petri Nets. With this technique, administrators find it easier to add new signatures. However, matching a complex signature against the audit data is a time-consuming problem. This technique is not used in commercial systems.

6.6 Statistical analysis approach
User or system behavior (a set of attributes) is computed over a number of variables over time. Examples of such variables are: user logins, logouts, the number of files accessed in a period of time, and the usage of disk space, memory and CPU. The update period can vary from a few minutes to a month. The system stores the mean value for each variable, used to detect the exceeding of a predefined threshold. Even this simple method cannot match a typical model of user behavior. Methods relying on correlating the information about individual users with group variables have also proved ineffective. Therefore a more sophisticated model of user behavior was developed using short-term or long-term user information. This information is regularly updated to keep up with changes in user behavior. Statistical methods are often used to supplement IDS based on information about normal user behavior.

6.7 Neural Networks
This method uses learning algorithms to learn the relationship between input and output vectors and to generalize them to derive new input/output relationships. The neural network method is used for intrusion detection, where the main purpose is to learn the behavior of the participants in the network (users or intruders). In fact, statistical methods can partly be regarded as neural networks. Using neural networks on top of existing statistics either concentrates on simple representations of the non-linear relationships between variables or on learning the relationships automatically. Experiments have been conducted with neural-network prediction of user behavior. The results show that the behavior of the UNIX superuser (root) is predictable. With a few exceptions, the behavior of most other users is also predictable. Neural networks remain a computationally intensive technique and are not widely used in the intrusion detection community.

6.8 Computer immunology analogies
Research into immunology has been directed at developing techniques built from models of normal behavior in UNIX network services rather than of individual users. This model consists of short sequences of system calls made by processes. Attacks exploiting vulnerabilities in application code are very likely to cause abnormal execution paths. First, a reference audit data set is collected representing the legitimate behavior of the services; then the knowledge base is supplemented with all the well-known sequences of system calls. The patterns are then used for continuous checking of the system calls, to see whether the generated sequence is listed in the knowledge base; if not, an alert is generated. This technique has a very low false-alarm rate. Its drawback is its inability to detect errors in the configuration of the network services.

6.9 Machine learning (research on mechanisms)

y l mt k thut thng minh nhn to, n lu lung lnh u ra ngi dng vo cc biu mu vector v s dng nh mt tham chiu ca profile hnh vi ngi dng thng thng. Cc profile sau c nhm vo trong mt th vin lnh ngi dng c cc thnh phn chung no . Vic ti thiu ha d liu thng phi dng n mt s k thut s dng qu trnh trch d liu cha bit nhng c kh nng hu dng trc t nhng v tr d liu c lu tr vi s lng ln. Phng php ti thiu d liu ny vt tri hn i vi vic x l bn ghi h thng ln (d liu kim nh). Mc d vy, chng km hu dng i vi vic phn tch lung lu lng mng. Mt trong nhng k thut ti thiu ha d liu c bn c s dng trong pht hin xm nhp c kt hp vi cc cy phn quyt. Cc m hnh cy phn quyt cho php ai c th pht hin cc s bt thng trong mt c s d liu ln. K thut khc phi dng n cc on, cho php trch mu ca cc tn cng cha bit. iu c thc hin bng vic hp l ha cc mu c trch t mt tp kim nh n gin vi cc mu khc c cung cp cho tn cng cha bit ct gi. Mt k thut ti thiu ha d liu in hnh c kt hp vi vic tm kim cc nguyn tc kt hp. N cho php ai c th trch kin thc cha hiu trc v cc tn cng mi hoc xy dng trn mu hnh vi thng thng. S pht hin bt thng thng gy ra cc bo cnh sai. Vi vic ti thiu ha d liu, n d dng tng quan d liu lin quan n cc bo cnh vi d liu kim nh ti thiu, do gim ng k xc sut bo sai. 7. Phn loi cc du hiu 7.1. Pht hin du hiu khng bnh thng H thng pht hin xm phm phi c kh nng phn bit gia cc hot ng thng thng ca ngi dng v hot ng bt thng tm ra c cc tn cng nguy him kp thi. Mc d vy, vic dch cc hnh vi ngi dng (hoc session h thng ngi dng hon chnh) trong mt quyt nh lin quan n bo mt ph hp thng khng n gin nhiu hnh vi khng c d nh trc v khng r rng (Hnh 2). phn loi cc hnh ng, IDS phi li dng phng php pht hin d thng, i khi l hnh vi c bn hoc cc du hiu tn cng, mt thit b m t

hnh vi bt thng bit (pht hin du hiu) cng c gi l kin thc c bn. 7.2 Cc mu hnh vi thng thng- pht hin bt thng Cc mu hnh vi thng thng rt hu ch trong vic d on ngi dng v hnh vi h thng. Do cc b pht hin bt thng xy dng profile th hin vic s dng thng thng v sau s dng d liu hnh vi thng thng pht hin s khng hp l gia cc profile v nhn ra tn cng c th. hp l vi cc profile s kin, h thng b yu cu phi to ra profile ngi dng ban u o to h thng quan tm n s hp php ha hnh vi ngi dng. C mt vn lin quan n vic lm profile y l: khi h thng c php hc trn chnh n, th nhng k xm nhp cng c th o to h thng im ny, ni m cc hnh vi xm phm trc tr thnh hnh vi thng thng. Mt profile khng tng thch s c th c pht hin tt c cc hot ng xm nhp c th. Ngoi ra, cn c mt s cn thit na l nng cp profile v o to h thng, mt nhim v kh khn v tn thi gian. Cho mt tp cc profile hnh vi thng thng, mi th khng hp vi profile c lu s c coi nh l mt hot ng nghi ng. Do , cc h thng ny c c trng bi hiu qu pht hin rt cao (chng c th nhn ra nhiu tn cng mc d tn cng l mi c trong h thng), tuy nhin chng li c hin tng l to cc cnh bo sai v mt s vn . u im ca phng php pht hin bt thng ny l: c kh nng pht hin cc tn cng mi khi c s xm nhp; cc vn khng bnh thng c nhn ra khng cn nguyn nhn bn trong ca chng v cc tnh cch; t ph thuc vo IDS i vi mi trng hot ng (khi so snh vi cc h thng da vo du hiu); kh nng pht hin s lm dng quyn ca ngi dng. Nhc im ln nht ca phng php ny l: Xc sut cnh bo sai nhiu. Hiu sut h thng khng c kim tra trong sut qu trnh xy dng profile v giai on o to. Do , tt c cc hot ng ngi dng b b qua trong sut giai on ny s khng hp l. Cc hnh vi ngi dng c th thay i theo thi gian, do cn phi c mt s nng cp lin tc i vi c s d liu profile hnh vi thng

thng. S cn thit v o to h thng khi thay i hnh vi s lm h thng khng c c pht hin bt thng trong giai on o to (li tiu cc). 7.3 Cc du hiu c hnh vi xu pht hin du hiu Thng tin x l h thng trong cc hnh vi bt thng v khng an ton (du hiu tn cng da vo cc h thng) thng c s dng trong cc h thng pht hin xm nhp thi gian thc (v s phc tp trong tnh ton ca chng khng cao). Cc du hiu hnh vi xu c chia thnh hai loi: Cc du hiu tn cng chng miu t cc mu hot ng c th gy ra mi e da v bo mt. in hnh, chng c th hin khi mi quan h ph thuc thi gian gia mt lot cc hot ng c th kt hp li vi cc hot ng trung tnh. Cc chui vn bn c chn cc du hiu hp vi cc chui vn bn ang tm kim cc hot ng nghi ng. Bt k hot ng no khng r rng u c th b xem xt v ngn cn. Do , chnh xc ca chng rt cao (s bo cnh sai thp). Tuy nhin chng khng thc hin mt cch hon ton v khng ngn cn hon ton cc tn cng mi. C hai phng php chnh kt hp s pht hin du hiu ny: Vic kim tra vn cc gi lp thp hn nhiu loi tn cng khai thc l hng trong cc gi IP, TCP, UDP hoc ICMP. Vi kim tra n gin v tp cc c trn gi c trng hon ton c th pht hin ra gi no hp l, gi no khng. Kh khn y c th l phi m gi v lp rp chng li. Tng t, mt s vn khc c th lin quan vi lp TCP/IP ca h thng ang c bo v. Thng th k tn cng hay s dng cch m cc gi bng qua c nhiu cng c IDS. Kim tra giao thc lp ng dng nhiu loi tn cng (WinNuke) khai thc cc l hng chng trnh, v d d liu c bit gi n mt kt ni mng c thnh lp. pht hin c hiu qu cc tn cng nh vy, IDS phi c b sung nhiu giao thc lp ng dng. Cc phng php pht hin du hiu c mt s u im di y: t l cnh bo sai thp, thut ton n gin, d dng to c s d liu du hiu tn cng, d dng b

sung v tiu ph hiu sut ti nguyn h thng ti thiu. Mt s nhc im: Kh khn trong vic nng cp cc kiu tn cng mi. Chng khng th k tha pht hin cc tn cng mi v cha bit. Phi nng cp mt c s d liu du hiu tn cng tng quan vi n. S qun l v duy tr mt IDS cn thit phi kt hp vi vic phn tch v v cc l hng bo mt, l mt qu trnh tn km thi gian. Kin thc v tn cng li ph thuc vo mi trng hot ng v vy, IDS da trn du hiu nhng hnh vi xu phi c cu hnh tun th nhng nguyn tc nghim ngt ca n vi h iu hnh (phin bn, nn tng, cc ng dng c s dng) Chng dng nh kh qun l cc tn cng bn trong. in hnh, s lm dng quyn ngi dng xc thc khng th pht hin khi c hot ng m nguy him (v chng thiu thng tin v quyn ngi dng v cu trc du hiu tn cng). Cc sn phm IDS thng mi thng s dng phng php pht hin du hiu cho hai l do. Trc tin, n d dng hn trong vic cung cp du hiu lin quan n tn cng bit v gn tn i vi mt tn cng. Th hai, c s d liu du hiu tn cng c nng cp thng xuyn (bng cch thm cc du hiu tn cng mi pht hin). 7.4 Tng quan cc mu tham s Phng php th ba v pht hin xm nhp kh khn ngoan hn hai phng php trc. N c sinh ra do nhu cu thc t rng, cc qun tr vin kim tra cc h thng khc nhau v cc thuc tnh mng (khng cn nhm n cc vn bo mt). Thng tin t c trong cch ny c mt mi trng c th khng thay i. Phng php ny lin quan n s dng kinh nghim hot ng hng ngy ca cc qun tr vin nh cc vn c bn cho vic pht hin du hiu bt thng. N c th c xem nh trng hp c bit ca phng php Profile thng thng. S khc nhau y nm ch trong thc t, mt profile l mt phn hiu bit ca con ngi.

y l mt k thut mnh, bi v n cho php xm nhp da trn cc kiu tn cng khng bit. Hot ng h thng c th pht hin cc thay i tinh vi khng r rng i vi chnh hot ng . N k tha nhng nhc im trong thc t l con ngi ch hiu mt phn gii hn thng tin ti mt thi im, iu c ngha l cc tn cng no c th vt qua m khng b pht hin.
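The following is an added example, not code from the original document: it implements the "computer immunology" technique of section 6.8 (a database of short system-call sequences built from normal traces, with alerts for traces dominated by sequences the database has never seen). The traces, the window length and the alert threshold are all constructed for illustration and are not taken from the page.

```python
"""Short-sequence system-call profile, the "computer immunology" technique of section 6.8.

Added example, not code from the original document. Training records every
window of SEQ_LEN consecutive system calls made by a service while it behaves
normally; monitoring flags a trace whose windows are largely absent from that
database. All traces below are constructed for illustration.
"""

SEQ_LEN = 4  # window length; the published work used 6, shorter here so the tables stay small

# Constructed normal traces of a small request handler: accept, read the
# request (possibly a file), write the reply, close.
NORMAL_TRACES = [
    ["accept", "read", "write", "close"],
    ["accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close"],
]

# Constructed trace of the same handler after a code-execution exploit: the
# request is read and then a shell is spawned instead of a reply being written.
EXPLOIT_TRACE = ["accept", "read", "setuid", "execve", "dup2", "socket"]

# Constructed legitimate path that was not in the training set.
UNSEEN_NORMAL_TRACE = ["accept", "read", "read", "write", "write", "close"]


def windows(trace, k=SEQ_LEN):
    """All contiguous windows of k calls in a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces, k=SEQ_LEN):
    """Training phase: the knowledge base is the set of every window seen in normal traces."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def mismatches(trace, profile, k=SEQ_LEN):
    """Monitoring phase: the windows of a trace that do not appear in the profile."""
    return [w for w in windows(trace, k) if w not in profile]


def anomaly_score(trace, profile, k=SEQ_LEN):
    """Share of the trace's windows that are unknown (0.0 = entirely normal, 1.0 = nothing recognised)."""
    seen = windows(trace, k)
    if not seen:
        return 0.0
    return len(mismatches(trace, profile, k)) / len(seen)


def classify(trace, profile, threshold=0.5, k=SEQ_LEN):
    """Alert only when unknown windows dominate the trace; an isolated unseen window is tolerated.

    The threshold trades false alarms (legitimate paths missing from training)
    against misses; it is a constructed value, not one from the page.
    """
    return "ALERT" if anomaly_score(trace, profile, k) > threshold else "ok"


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print(f"profile has {len(profile)} known sequences of length {SEQ_LEN}")
    for name, trace in [("exploit", EXPLOIT_TRACE), ("unseen-normal", UNSEEN_NORMAL_TRACE)]:
        print(f"{name}: score={anomaly_score(trace, profile):.2f} -> {classify(trace, profile)}")
```

The exploit trace scores 1.0 because every window after the `read` is foreign to the service, while the legitimate-but-unseen trace has only one unknown window out of three and stays below the threshold. This is the property the text describes: a low false-alarm rate against ordinary variation, but no ability to notice a misconfigured service whose "normal" traces were simply recorded as such during training.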

III. Chapter 3: Intrusion prevention systems (IPS)

1. Definition of IPS

An intrusion prevention system (IPS) is a newer security technology that combines the advantages of a firewall with those of an intrusion detection system (IDS): it can detect intrusions and attacks and block them automatically. An IPS does not simply detect attacks; it can stop or disrupt them, letting the organisation prioritise and take steps to block the intrusion. Most IPSs are placed at the network perimeter, where they can protect every device on the network.

2. Functions of an IPS

The functions of an IPS are described as packet inspection, stateful analysis, fragment reassembly, TCP-segment reassembly, deep packet inspection, protocol validation and signature matching. An IPS works like a security guard at the gate of a residential area, allowing or denying access on the basis of credentials and a set of house rules. Intrusion-prevention solutions aim to protect resources, data and the network: they reduce the threat of attacks by removing harmful or malicious network traffic while letting legitimate activity continue. The goal is a perfect system, with no false positives that reduce end-user productivity and no false negatives that create excessive risk inside the environment. Perhaps an even more essential role is the need to be trusted to behave as intended under any conditions. This means intrusion-prevention solutions are put in place to deal with:

- Unwanted applications and Trojan-horse attacks aimed at networks and individual applications, through defined rules and access control lists.
- Attack packets such as those from LAND and WinNuke, through high-speed packet filters.
- Protocol abuse and evasive manipulation of network protocols, such as Fragroute and TCP overlap exploits, through intelligent reassembly.
- Denial-of-service attacks (DoS/DDoS) such as SYN and ICMP floods, through threshold-based filtering algorithms.
- Application abuse and protocol manipulation, both known and unknown attacks against HTTP, FTP, DNS, SMTP and so on, through application-protocol rules and signatures.
- Application-overload or abuse attacks, through threshold-based limits on resource consumption.

All of these attacks, and the vulnerable conditions that allow them to occur, are well documented. Moreover, anomalies in the communication protocols from the network layer to the application layer serve no purpose for any kind of legitimate traffic, which makes such errors a selective indicator in the given context.

3. General architecture of IPS systems

An IPS is considered successful if it brings together these qualities: fast and accurate operation, sensible alerts, the ability to analyse the entire traffic volume, maximum sensing coverage, successful blocking and flexible management policy. An IPS consists of three main modules: the traffic-analysis module, the attack-detection module and the response module.

3.1 Traffic-analysis module

This module captures every packet arriving at the network for analysis. Normally a network card discards packets not addressed to it, but the IPS's network card is set to receive everything (promiscuous mode). Every packet passing through is copied, processed and analysed field by field. The analyser reads each field of the packet and determines what type of packet it is, which service it belongs to, and so on; this information is passed on to the attack-detection module.

3.2 Attack-detection module

This is the most important module in the system; its job is to detect attacks. There are two methods of detecting attacks and intrusions: misuse detection and anomaly detection.

Misuse detection: this method analyses the system's activity, looking for events that match known attack patterns. The known attack patterns are called attack signatures, so this method is also called signature detection. Its advantages are that it detects attacks quickly and accurately, produces few false alarms that would degrade the network, and helps administrators identify the security holes in their systems. Its disadvantage is that it cannot detect attacks that are not in its database, that is, new kinds of attack, so the system must constantly be updated with new attack patterns.

Anomaly detection: this is a more intelligent detection technique that recognises abnormal behaviour on the network. It assumes that attacks look different from normal activity. It starts by storing profiles of the system's normal activity; attacks involve actions that differ from normal, which this method can then recognise. Several techniques support anomaly detection:

- Threshold detection: this technique relies on counting normal activity on the network. Thresholds for normal activity are set; if something exceeds them, such as more login attempts than allowed, the number of processes running on the CPU, or the number of packets of a certain type sent, the system shows signs of being attacked.
- Self-learning detection: this technique has two steps. When first set up, the detection system runs in learning mode and builds a profile of how the network behaves under normal activity. After the initialisation period it switches to working mode, monitoring the network and detecting abnormal activity by comparing it with the established profile. Learning mode can run in parallel with working mode to update the profile, but if an attack is detected, learning must stop until the attack is over.
- Protocol anomaly detection: this technique uses the behaviour of the system's protocols and services to find invalid packets and abnormal activity that indicate intrusion or attack. It is very effective at stopping the network and port scans that intruders use to gather information.

Anomaly detection is very effective at detecting denial-of-service attacks. Its advantages are that it can detect new kinds of attack and provides useful information that supplements misuse detection; its disadvantage is that it usually produces a number of false alarms that reduce the network's performance. This method is the direction for further research, to overcome its remaining weaknesses and reduce the number of false alarms so that the system runs more accurately.

3.3 Response module

When there are signs of an attack or intrusion, the attack-detection module signals the response module. The response module then activates the firewall to block the attack, or alerts the administrator. If this module only alerts the administrator and stops there, the system is called a passive defence system. Depending on the system, the response module has different functions and blocking methods. Some blocking techniques:

- Session termination (TCP reset): the IPS sends reset packets to tear down the suspected session. This method has several weaknesses: the reset packets arrive later than the moment the intruder started the attack, so the attack may already be complete when the intervention begins; it does not work for protocols running over UDP, such as DNS; and the injected packets must carry the correct sequence numbers of the attacking session. If the attack happens quickly, this method is very hard to apply.
- Dropping the attack: this technique uses the firewall to drop a packet or block an incoming packet, session or flow of attack traffic. It is the safest kind of response, but it can easily be applied by mistake to legitimate packets.
- Changing firewall policy: this technique lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access-control policy for the particular user while the administrator is alerted.
- Real-time alerts: real-time alerts are sent to the administrator so that they know the details, characteristics and other information about the attacks.
- Logging to file: packet data is stored in log files, so that administrators can follow the traffic and so that the attack-detection module has a source of information to work from.

4. Classification of IPS systems

There are two main IPS architectures: out-of-band and in-line.

4.1 Out-of-band IPS (promiscuous-mode IPS)

An out-of-band IPS does not intervene directly in the data flow. Traffic entering the network passes through both the firewall and the IPS; the IPS can monitor the incoming traffic, analyse it and detect signs of intrusion or attack. In this position the IPS can manage the firewall, directing it to block suspicious actions, without affecting the network's throughput.

4.2 In-line IPS

The IPS sits in front of the firewall, and traffic must pass through the IPS before it reaches the firewall. The main difference from an out-of-band IPS is the additional traffic-blocking function, which lets the IPS stop dangerous traffic faster than a promiscuous-mode IPS. However, this position slows the traffic entering and leaving the network. Since the goal is to block attacks, an IPS must operate in real time, and the speed of the system is a very important factor: the detection process must be fast enough to block attacks immediately. If it cannot, the attack completes and the IPS is meaningless.

5. IPS support tools (the same as section 5 of the IDS chapter)

6. IPS processing techniques

The purpose of an IPS is to detect and stop attackers from intruding into the system. An IPS cannot detect and block every kind of attack, only those that have been defined in advance; the techniques applied in intrusion detection systems are:

- Anomaly detection
- Misuse detection (signature-based detection)
- Policy-based detection
- Protocol analysis

6.1 Anomaly detection

Anomaly-based (or profile-based) detection analyses the activity of the computers on the network and the network traffic, looking for anomalies. When an anomaly is found, an alert is raised. An anomaly is any deviation from the usual order, form or rules. Because this kind of detection looks for anomalies, the security administrator must define what constitutes anomalous activity and traffic. The administrator can define normal activity by creating user-group profiles. A user-group profile sets the boundaries of the activity and network traffic of a given group of users. The user groups are defined by the security engineer and are used to represent common job functions. Typically, groups should be divided by the activities they perform and the resources they use. A web server should have a profile based on web traffic, and likewise a mail server. You certainly do not expect telnet traffic to your web server, nor do you want SSH traffic to your mail server; for this reason you should have a different profile for each kind of service on your network.

Many techniques are used to build user profiles, and many IPSs can be configured to build their own. Typical methods for building user-group profiles are statistical sampling, rule-based approaches and neural networks. Each profile serves as the definition of normal user and network activity; if a user deviates too far from what is defined in the profile, the IPS raises an alert.

6.1.1 Benefits of anomaly-based IPS

With this method, an intruder never knows what will and will not generate an alert, because the intruder does not have access to the profiles used to detect attacks. User-group profiles are like a dynamic signature database that changes whenever your network changes. With a signature-based method, an intruder can test on their own IPS what generates an alert: the signature file is supplied with the IPS, so an intruder can use an IPS to run the test. Once the intruder understands what produces an alert, they can change their attack method and tools to defeat the IPS. Because anomaly detection does not use a preconfigured signature database, an intruder cannot know exactly what will cause an alert.

Anomaly detection can quickly detect an insider attack that uses a compromised user account. If the account belongs to an administrative assistant and is being used to perform system administration, an anomaly-based IPS raises an alert, provided that the account is not normally used for system administration. The greatest advantage of profile-based or anomaly detection is that it does not rely on a preconfigured set of signatures or known attack patterns; profiles can be dynamic and can use artificial intelligence to determine normal activity. Because profile-based detection does not rely on known signatures, it is well suited to detecting previously unknown attacks, as long as they deviate from the normal profile. Profile-based detection is used to detect new attack methods that signature-based detection cannot.

6.1.2 Limitations of anomaly-based IPS

Many of the limitations of anomaly detection have to do with creating the user-group profiles and with the quality of those profiles:

- High initial preparation time.
- No protection during the initial training period.
- Profiles must be updated frequently as user habits change.
- Difficulty defining normal behaviour: the IPS is only as good as its definition of normal activity. Defining normal activity is even more challenging in environments where users' jobs and responsibilities change often.
- False alarms: anomaly-based systems tend to produce many false positives, because they look for anything unusual.
- Hard to understand: the final limitation of anomaly detection is its complexity. Statistical sampling, rule-based approaches and neural networks are ways of building profiles that are difficult to understand and explain.

6.2 Misuse detection

Misuse detection, also known as signature-based detection, looks for intrusive activity that matches specific signatures. These signatures are based on a set of rules that capture the typical patterns and exploits used by attackers to gain access to a network. Highly skilled network engineers research known attacks and vulnerabilities to develop the rules for each signature. Building clear signatures reduces the chance of false positives while keeping the chance of false negatives low; a fully configured misuse-detection IDS produces the lowest level of false negatives, whereas a misuse-based IDS that continually generates false positives loses overall effectiveness.

A signature-based IPS creates a rule tied to a typical intrusive activity. Creating signatures requires the administrator to understand attacks and threats thoroughly and to know how to develop signatures that detect attacks and threats against their own network. A signature-based IPS monitors all traffic and compares it against the existing signature data; if there is a match, it alerts the administrator that an attack is taking place. To identify an attack signature, which requires knowing what the attack looks like, a signature-based IPS examines packet headers or data payloads. For example, a signature may be a sequence of events or a sequence of bytes in a certain context. A signature-based IPS is thus a set of rules used to identify typical intrusive activity; research goes into the techniques for finding attacks and their patterns and into the methods of writing signature files.

As more attack and exploitation methods are discovered, IPS vendors must supply signature-file updates, just as anti-virus vendors supply updates for their software. Once the signature file is updated, the IPS can analyse all traffic, and an alert is generated whenever traffic matches a signature. Typical IPSs ship with a signature database.

6.2.1 Benefits of signature-based IPS

Signature files are built from known attack activities and methods, so when there is a match the probability that an attack is taking place is very high. Misuse detection produces fewer false-positive reports than anomaly detection. Signature-based detection does not track traffic patterns or look for anomalies; instead it simply monitors activity for a match against any configured signature. Because misuse detection relies on signatures, not traffic patterns, the IPS can be configured and can start protecting the network immediately. The signatures in the database contain known intrusive activity and descriptions of those signatures. Each signature in the database can be enabled or disabled, and different alarm levels and preventive actions can be configured for individual signatures. Misuse detection is easier to understand and configure than anomaly-detection systems: the administrator can easily view the signature file and understand which action must correspond to an alert. The security administrator can enable the signatures, run a test across the whole network and check whether any alerts are raised. Because misuse detection is easy to understand, extend and test, administrators have great control over, and confidence in, their IPS.
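The following is an added example, not code from the original document, covering the threshold and self-learning detection of section 3.2 and the profile-based anomaly detection of section 6.1: per-user profiles are built from constructed audit records, a session is checked against the profile with a standard-deviation threshold, and a self-learning update is then shown being abused the way section 6.1.2 and the IDS chapter warn about (an intruder who stays just under the threshold trains the profile until the volume that used to alarm no longer does). The record format and the threshold are assumptions made for this example.

```python
"""Per-user statistical profiles with threshold alarms and self-learning.

Added example, not code from the original document. It implements the
threshold and self-learning detection described in section 3.2 and the
profile-based anomaly detection of section 6.1 on constructed audit records,
and then shows the "intruder trains the system" problem that the text warns
about. The record format (user=... files=... bytes_out=...) is an assumption
made for this example.
"""
import copy
import re
import statistics

# Constructed training records: one line per user session.
TRAINING_LOG = """\
user=alice files=12 bytes_out=20480
user=alice files=15 bytes_out=18200
user=alice files=11 bytes_out=25000
user=alice files=14 bytes_out=22100
user=alice files=13 bytes_out=19900
user=bob files=40 bytes_out=5000
user=bob files=45 bytes_out=6100
user=bob files=38 bytes_out=4900
user=bob files=42 bytes_out=5600
user=bob files=41 bytes_out=5200
"""

LINE_RE = re.compile(r"user=(\w+) files=(\d+) bytes_out=(\d+)")


def parse(log):
    """Turn log lines into (user, {variable: value}) records; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            records.append((m.group(1), {"files": int(m.group(2)), "bytes_out": int(m.group(3))}))
    return records


def build_profiles(records):
    """Training phase: keep the observed samples of each variable per user."""
    profiles = {}
    for user, values in records:
        per_user = profiles.setdefault(user, {})
        for var, v in values.items():
            per_user.setdefault(var, []).append(v)
    return profiles


def zscore(samples, value):
    """Distance of a value from the profile mean, in standard deviations."""
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def check(profiles, user, values, threshold=3.0):
    """Threshold detection: (variable, z) for every variable beyond the threshold.

    An unknown user, or a variable with no samples, has no profile and is reported.
    """
    if user not in profiles:
        return [(var, float("inf")) for var in values]
    alerts = []
    for var, v in values.items():
        samples = profiles[user].get(var)
        if not samples:
            alerts.append((var, float("inf")))
            continue
        z = zscore(samples, v)
        if abs(z) > threshold:
            alerts.append((var, round(z, 2)))
    return alerts


def learn(profiles, user, values, window=5):
    """Self-learning mode: fold a session that raised no alert into the profile,
    keeping only the most recent `window` samples so the profile follows the user."""
    for var, v in values.items():
        samples = profiles[user].setdefault(var, [])
        samples.append(v)
        del samples[:-window]


def drift_demo(profiles):
    """Show how an attacker can train the detector: sessions that each stay just
    under the threshold are learned, until a volume that used to alarm no longer does."""
    p = copy.deepcopy(profiles)
    before = check(p, "alice", {"bytes_out": 30000})
    for session in ({"bytes_out": 26000}, {"bytes_out": 28000}):
        if not check(p, "alice", session):   # no alert, so the session is learned
            learn(p, "alice", session)
    after = check(p, "alice", {"bytes_out": 30000})
    return before, after


if __name__ == "__main__":
    profiles = build_profiles(parse(TRAINING_LOG))
    print("exfiltration:", check(profiles, "alice", {"files": 13, "bytes_out": 200000}))
    print("unknown user:", check(profiles, "mallory", {"files": 1, "bytes_out": 10}))
    print("before/after drift:", drift_demo(profiles))
```

The mitigation the text implies (stop learning while an alert is open) is not enough against this drift, because none of the attacker's sessions raises an alert; a practitioner would also pin the baseline to a long-term profile, as section 6.6 of the IDS chapter suggests, and compare the short-term window against it.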

6.2.2 Limitations of signature-based IPS

Alongside the advantages of misuse detection there are also many limitations. Misuse detection is easier to configure and understand, but this simplicity comes at the price of lost functionality and overhead. The limitations are:

- Inability to detect new or unknown attacks: an IPS using misuse detection must know about an attack in advance in order to recognise it. New kinds of attack that have never been seen or discovered before usually go undetected.
- Inability to detect variations of known attacks: signature files are static, that is, they do not adapt the way some anomaly-based systems do. By changing the way an attack is carried out, an intruder can intrude without being detected (a false negative).
- Managing the signature database: it is the security administrator's responsibility to make sure the database file is always current and up to date, which is time-consuming and difficult.
- Sensors must maintain state information: like a firewall, a sensor must maintain state data. Most sensors keep state information in memory for speed, but memory is limited.

6.3 Policy-based IPS

A policy-based IPS reacts or takes action when a violation of a configured policy occurs; it therefore provides one or more preventive methods with a common aim. Benefits of a policy-based IPS: a policy can be applied to each individual device on the network. One of the important features of the policy-based approach is accuracy and fast reaction, with very few false alarms; these benefits are obtained because the administrator pushes the security policies to the IPS precisely. Limitations of a policy-based IPS: the administrator's workload is extremely heavy, every new device added to the network has to be configured, and remote administration is difficult.

6.4 Protocol-analysis-based IPS

The protocol-analysis approach to intrusion prevention is similar to signature-based IPS, but it goes deeper into analysing the protocols inside packets. For example, a hacker starts running an attack program against a server. First the hacker must send an IP packet of a certain protocol type which, according to its RFC, must not carry data in its payload. A protocol-analysis-based IPS detects this basic kind of attack on a number of protocols. It examines the protocol to determine whether a packet is legitimate or not, inspects the payload content (pattern matching), and raises alerts for the anomalies.

7. Signatures and processing techniques

A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity, such as DoS attacks. Signatures can easily be installed using IDS/IPS management software such as Cisco IDM or SDM, and can easily be edited or created from scratch. Just as a sensor scans packets, Cisco IOS IPS uses signatures to detect known attacks and responds with a predefined action. A malicious packet flow has a specific type of activity and signature, and an IDS or IPS sensor examines the data flow using a range of signatures. When the sensor matches a signature against the data flow, it takes action, such as logging the event or sending an alarm to the IDS/IPS management software, for example Cisco SDM.

Signature-based intrusion detection can produce false alarms, because some normal network activity may be misinterpreted as malicious. For example, some network applications or operating systems send many Internet Control Message Protocol (ICMP) messages, which a signature-based detection system may interpret as an attempt by an attacker to map a network segment. False positives can be minimised by adjusting the parameters built into a signature (signature tuning) so that they match the actual behaviour of the system.

7.1 Signature micro-engines

A signature micro-engine (SME) is a component of an IDS or IPS sensor that supports a group of signatures belonging to a common category. Each engine is customised for the protocol and fields it is designed to inspect, and defines a set of legal parameters that have allowable ranges or sets of values. SMEs look for malicious activity in a specific protocol. Signatures can be defined for any SME using the parameters that the engine supports. Packets are scanned by the micro-engines that understand the protocols the packet contains. Cisco signature micro-engines perform parallel scanning: all the signatures in a given SME are scanned in parallel rather than serially. Each SME extracts values from the packet and passes portions of the packet to the regular-expression engine, which can search for multiple patterns at the same time; this increases efficiency and results in higher throughput.

When IDS (promiscuous mode) or IPS (inline mode) is enabled, a signature micro-engine is loaded (or built) on the router. When an SME is built, the router may need to compile the regular expressions found in the signatures. Compiling a regular expression requires more memory than the final storage of the compiled expression, so be sure to determine the final memory requirements of the finished signatures before loading and merging them.

Note: a regular expression is a systematic way of specifying a search for a pattern in a series of bytes. For example, the following regular expression could be used to block data containing .exe, .com or .bat through a firewall:

".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt])"

Note: for the list of currently supported signature micro-engines, refer to the "Supported Signature Engines" list on the Cisco website.

Summary of the signature engine types available in Cisco IOS:

Signature engine   Description
Atomic             Signatures that examine simple packets, such as ICMP and UDP
Service            Signatures that examine the many services that are attacked
String             Signatures that use regular-expression-based patterns to detect intrusions
Multi-string       Supports flexible pattern matching and Trend signatures
Other              Internal engine that handles miscellaneous signatures

Table: detailed description of the signature engines

Signature engine   Description
ATOMIC.IP          Simple Layer 3 IP alarms
ATOMIC.ICMP        Simple ICMP alarms based on type, code, sequence and ID
ATOMIC.IPOPTIONS   Simple alarms based on the decoding of Layer 3 options
ATOMIC.UDP         Simple UDP packet alarms based on port, direction and data length
ATOMIC.TCP         Simple TCP packet alarms based on port, destination and flags
SERVICE.DNS        Analyses the DNS service
SERVICE.RPC        Analyses the remote procedure call (RPC) service
SERVICE.SMTP       Inspects the SMTP mail protocol
SERVICE.HTTP       HTTP protocol decode-based string engine; includes anti-evasive URL de-obfuscation
SERVICE.FTP        FTP service special decode alarms
STRING.TCP         Regular-expression-based pattern inspection engine for TCP
STRING.UDP         Regular-expression-based pattern inspection engine for UDP
STRING.ICMP        Regular-expression-based pattern inspection engine for ICMP
MULTI-STRING       Supports flexible pattern matching and Trend signatures
OTHER              Internal engine that handles miscellaneous signatures

Ch : Cisco IOS IPS v Cisco IPS AIM khng th c s dng cng nhau. Cisco IOS IPS phi c v hiu ha khi IPS AIM c ci t. Cisco IOS IPS l mt ng dng cung cp kh nng kim tra cho lu lng chy qua router. Mc d n c bao gm trong IOS Cisco nng cao tnh nng bo mt thit, n s dng CPU router v b b nh chia s thc hin vic kim tra. Cisco IOS IPS cng chy mt tp con ca ch k IPS. Cisco AIM IPS, tho lun trc trong chng ny, chy vi mt CPU v b nh chuyn dng, gim ti x l tt c cc ch k IPS t CPU router. N c th ti mt ch k y cc thit lp v cung cp cc tnh nng nng cao IPS khng c sn trn Cisco IOS IPS. 7.2 Ch k cnh bo(Signature Alarms) Nng lc ca IDS v IPS cm bin pht hin chnh xc mt cuc tn cng hoc vi phm mt chnh sch v to ra mt bo ng l quan trng i vi cc chc nng ca cc b cm ng. Cuc tn cng c th to ra cc loi sau y ca cc bo ng: * Sai tch cc: Mt sai tch cc l mt bo ng c kch hot bi giao thng bnh thng hoc mt hnh ng bnh thng. Hy xem xt kch bn ny: ch k to ra cc bo ng nu mt khu ca bt k thit b mng c nhp khng chnh xc. Mt vin qun tr mng c gng ng nhp vo mt router Cisco nhng nhp mt khu sai. Cc IDS khng th phn bit gia mt ngi s dng quy ph hay l mt qun tr mng, v n to ra mt bo ng. * Sai ph nh: Mt tiu cc sai xy ra khi mt ch k khng c to ra khi vi phm lu lng c pht hin. Phm vi vi phm giao thng t ai gi ti liu b mt bn ngoi mng cng ty chng li cc cuc tn cng cc my ch web ca cng ty. Sai m l li trong phn mm IDS v IPS v cn c bo co. Mt m tnh gi nn c coi l mt li phn mm ch khi IDS v IPS c mt ch k c thit k pht hin cc vi phm giao thng. * ng tch cc: Mt tch cc thc s xy ra khi mt ch k IDS hay IPS ng b vi phm, v mt bo ng c to ra, khi vi phm lu lng c pht hin. V d, hy xem xt mt cuc tn cng Unicode. Cisco IPS cm bin c ch k m pht

hin cc cuc tn cng chng li Unicode Microsoft Internet Information Services (IIS) cc my ch web. Nu mt cuc tn cng Unicode l a ra i vi cc my ch web Microsoft IIS, cc cm bin pht hin cc cuc tn cng v to ra mt bo ng. * ng ph nh: Mt tiu cc thc s xy ra khi mt ch k khng ng khi khng vi phm lu lng b bt v phn tch. Ni cch khc, cm bin khng kch hot, mt bo ng khi n bt v phn tch "mng li giao thng bnh thng". bng-cung cp mt tm tt cc loi bo ng. Loi cnh bo Cnh bo c kch hot Cnh bo khng c kch hot Xm nhp xy ra/pht hin ng tch cc Sai ph nh Xm nhp khng xy ra/khng pht hin Sai tch cc ng ph dnh

An alarm fires when traffic matches the condition a signature defines. The alarm volume has to be balanced: if too many alarms are raised they become unmanageable, and bandwidth is consumed by the capture and analysis of the packets that produce them; if too few are raised, bandwidth is saved but it becomes hard to tell whether the system has been compromised. An IPS whose alarms are not tuned will produce false positives. The level at which an alarm should fire therefore has to be considered; IPS signatures are assigned one of the following alert severity levels:

* Informational: the activity that triggers the signature is not considered an immediate threat, but the information it provides is useful.
* Low: abnormal network activity is detected that could be perceived as malicious, but an immediate threat is unlikely.
* Medium: abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
* High: attacks used to gain access or to cause a DoS are detected, and an immediate threat is extremely likely.

Beyond the default levels, severities can be edited to suit the network. To reduce false positives, first profile the traffic that actually exists on the network (the baseline), then tune signatures so that they fire on traffic that is atypical for that network in the specific situations that matter. Do not rewrite signatures against patterns that deviate from that baseline; keep the predefined signatures, compare them against the observed traffic, and use the baseline as the reference point for deciding which traffic patterns should raise an alarm.
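As an added example, not code from the original thesis, the following Python script replays the failed-password scenario above against a constructed set of labelled login events: it scores the untuned signature with the four alarm types from the table, derives a threshold from the benign baseline as the previous paragraph recommends, and re-scores the tuned signature. The events, their addresses, the 60-second window and the resulting threshold are all assumptions made for the example.

```python
"""Added example: scoring an IDS signature by alarm type (true/false
positive/negative) and tuning it from a baseline of normal traffic.
Not code from the original document; the events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since the start of the capture
    src: str         # source address of the login attempt
    ok: bool         # True if the password was accepted
    malicious: bool  # ground-truth label, assigned by hand for this example


# Constructed sample: an administrator who mistypes twice and then logs in,
# a second administrator who succeeds at once, a brute-force source on the
# untrusted side, and one more administrator typo an hour later.
EVENTS = [
    LoginEvent(10, "192.168.12.10", False, False),
    LoginEvent(14, "192.168.12.10", False, False),
    LoginEvent(19, "192.168.12.10", True, False),
    LoginEvent(40, "192.168.12.11", True, False),
    LoginEvent(100, "192.168.23.1", False, True),
    LoginEvent(101, "192.168.23.1", False, True),
    LoginEvent(102, "192.168.23.1", False, True),
    LoginEvent(103, "192.168.23.1", False, True),
    LoginEvent(104, "192.168.23.1", False, True),
    LoginEvent(3600, "192.168.12.10", False, False),
]


def naive_signature(events):
    """The signature from the text: alarm on every incorrect password."""
    return {i for i, e in enumerate(events) if not e.ok}


def threshold_signature(events, max_failures, window):
    """Tuned signature: alarm only once a source exceeds `max_failures`
    failed logins inside a sliding `window` of seconds."""
    flagged = set()
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    for i, e in enumerate(events):
        if e.ok:
            continue
        recent[e.src] = [t for t in recent[e.src] if e.ts - t <= window] + [e.ts]
        if len(recent[e.src]) > max_failures:
            flagged.add(i)
    return flagged


def score(events, flagged):
    """Count the four alarm types defined in the text for one signature run."""
    counts = {"true_positive": 0, "false_positive": 0,
              "false_negative": 0, "true_negative": 0}
    for i, e in enumerate(events):
        fired = i in flagged
        if e.malicious:
            counts["true_positive" if fired else "false_negative"] += 1
        else:
            counts["false_positive" if fired else "true_negative"] += 1
    return counts


def baseline_max_failures(events, window):
    """Baseline from benign traffic: the largest burst of failed logins any
    non-malicious source produced within `window` seconds. Using this value
    as the threshold keeps the tuned signature silent on normal typos."""
    per_src = defaultdict(list)
    for e in events:
        if not e.ok and not e.malicious:
            per_src[e.src].append(e.ts)
    worst = 0
    for stamps in per_src.values():
        stamps.sort()
        for j, start in enumerate(stamps):
            burst = sum(1 for t in stamps[j:] if t - start <= window)
            worst = max(worst, burst)
    return worst


if __name__ == "__main__":
    window = 60
    print("untuned:", score(EVENTS, naive_signature(EVENTS)))
    limit = baseline_max_failures(EVENTS, window)
    print("tuned (limit=%d):" % limit,
          score(EVENTS, threshold_signature(EVENTS, limit, window)))
```

Running it shows the trade-off the text describes: the untuned signature raises three false positives on the administrator's typos, while the threshold derived from the baseline raises none, at the price of staying silent on the first two brute-force attempts (two false negatives); the attack continues and fires on the third attempt, which is the compromise an operator usually accepts when tuning for manageable alarm volume.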

IV. Chapter 4: Simulation
1. Objective of the simulation

The simulation shows the features and operation of IDS/IPS on a router, together with the configuration steps. It exercises the feature that raises an alarm when a signature violation occurs.
2. Simulation topology

Topology diagram: ROUTER TRUST (192.168.12.1) -- ROUTER IPS (192.168.12.2 / 192.168.23.2) -- ROUTER UNTRUST (192.168.23.1)

3. Tools required for the simulation

* Windows 7 operating system
* GNS3 network emulator
* Cisco SDM (Security Device Manager)
* The Java package installed on the PC, which SDM requires
4. Simulation steps

Build the topology in GNS3 as shown in the diagram and assign the IP addresses to the devices as shown. On the IPS router, configure the IP addresses and advertise the directly connected networks with RIP as follows:

Router-ips(config)#int f0/0
Router-ips(config-if)#ip add 192.168.12.2 255.255.255.0
Router-ips(config-if)#no shut
Router-ips(config-if)#exit
Router-ips(config)#int s1/0
Router-ips(config-if)#ip add 192.168.23.2 255.255.255.0
Router-ips(config-if)#no shut
Router-ips(config-if)#clock rate 64000
Router-ips(config-if)#exit
Router-ips(config)#router rip
Router-ips(config-router)#net 192.168.12.0
Router-ips(config-router)#net 192.168.23.0

On the trusted and untrusted routers, configure the IP address and a default route pointing at the IPS router:

Trusted-router(config)#int f0/0
Trusted-router(config-if)#ip add 192.168.12.1 255.255.255.0
Trusted-router(config-if)#no shut
Trusted-router(config-if)#exit
Trusted-router(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

Untrusted-router(config)#int s0/0
Untrusted-router(config-if)#ip add 192.168.23.1 255.255.255.0
Untrusted-router(config-if)#no shut
Untrusted-router(config-if)#clock rate 64000
Untrusted-router(config-if)#exit
Untrusted-router(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

Enable SDM access on the IPS router (HTTP/HTTPS server with local authentication and a privilege-15 local user). Note that `password 0` stores the password in clear text in the configuration and that telnet sends the credentials unencrypted; SSH is enabled alongside it on the vty lines:

Router-ips(config)#ip http server
Router-ips(config)#ip http secure-server
Router-ips(config)#ip http authentication local
Router-ips(config)#username cisco privilege 15 password 0 cisco
Router-ips(config)#line vty 0 4
Router-ips(config-line)#privilege level 15
Router-ips(config-line)#login local
Router-ips(config-line)#transport input telnet ssh

On the PC, set the IP address and the default gateway to the IPS router (Figure 1).

Figure 1: setting the IP address and default gateway. On the PC, install the Java package and the SDM tool for the computer, then run Cisco SDM. In the SDM Launcher, enter the IP address of the IPS router: 192.168.12.2

Figure 2: IP address of the router that SDM connects to. After clicking Launch in the previous step, an Internet Explorer window appears; right-click and choose Allow blocked content.

Figure 3: allowing the pop-up. A warning appears; choose Yes.

Figure 4: warning. The authentication screen appears; log in with the level 15 username and password.

Figure 5: username and password authentication. A new Internet Explorer window appears; choose Allow blocked content.

Figure 6: IE security warning. The browser warning appears again; choose Yes to continue.

Figure 7: warning. After clicking Yes, the page that loads SDM from the router onto the PC appears.

Figure 8: SDM loading. The login screen appears; log in again with the level 15 username and password.

Figure 9: username and password prompt

SDM loads onto the PC and, on the first login, requires the username and password to be changed; afterwards, log in again with the new user.

Figure 10: loading the configuration from the router into SDM. On the first screen of the GUI configuration mode, choose Configure to configure the IPS router.

Figure 11: features available on the router. Click the Intrusion Prevention feature to configure IPS, then click Launch IPS Rule Wizard to start creating a new IPS rule.

Figure 12: the IPS feature on the router

Cisco SDM requires IPS event notification via SDEE in order to configure Cisco IOS IPS; by default, SDEE notification is not enabled. Cisco SDM prompts the user to enable IPS event notification via SDEE; choose OK.

Figure 14: prompt when launching IPS. Click Next at the bottom of the window to move to the next page of the IPS Wizard. Select the interfaces from the list and tick the inbound and/or outbound boxes for each interface on which IPS is to be enabled. Cisco recommends enabling both the inbound and the outbound direction when enabling IPS on an interface. Click Next when the selection is complete.

Figure 15: configuration steps in the wizard

The next screen of the IPS Wizard shows the SDF (signature definition file) location. To configure an SDF location, click the Add... button to the right of the list.

Figure 16: adding a signature file. The Add a Signature Location window appears; choose Specify SDF using URL and select tftp (the PC must run a TFTP server for the .sdf file to be copied), or skip this step and add the .SDF file from the PC instead.

Figure 17: choosing the signature location. Next, the summary screen of the rule configuration and signature loading appears; click Finish to complete the steps above.

Figure 18: completing the configuration. To check which signatures are loaded on the router, open the screen shown at SDM UI path: Configure -> Intrusion Prevention -> Edit IPS -> Signatures. From this screen, additional signatures can be defined after the default SDF has been activated, using the Import function.

To import new signatures, choose the default SDFs or an IOS-Sxxx.zip update file to import additional signatures (Figure 19). SDM UI path: Configure -> Intrusion Prevention -> Edit IPS -> Signatures -> Import. Click the Import button in the toolbar above the signature list table, then choose From PC and point to the file containing the signatures. On this screen the action of a signature can also be changed by selecting the signature -> Action and choosing the desired action; here, choose Alarm (Figure 19).

Figure 19: loaded signatures and signature configuration. Note: while additional signatures are being loaded, CPU usage is high; do not perform other actions during loading, since they slow the signature loading down. After the signatures are loaded, some of them may not be enabled; enable those the system requires. After configuring and editing the IPS feature in SDM, open the router command line and verify the configuration with the following commands:

Router-ips#show ip inspect all

Figure 20: command showing the default threshold values
Router-ips#show running-config | include ip ips sdf

Figure 21: command showing the location of the *.sdf file
Command to list the disabled signatures:
Router-ips#show running-config | include ip ips signature .* disable
Router-ips#show ip ips interfaces

Figure 22: command showing which interfaces IPS is applied to. Ping from the untrusted network into the trusted network to check whether an alarm is raised.

Figure 23: ping test. The result on the IPS router is an alarm stating which signature was violated, for which packet, and the source and destination addresses.

5. Results obtained from the simulation

Intrusion detection and prevention systems are very effective for securing the networks of enterprises, organizations and companies with high security requirements. The simulation shows how to install and use the IPS feature on a router: the system raises an alarm, or drops the connection, when traffic violates a signature defined on the IOS router.

6. Limitations

Because of the short time and limited manpower, a complete and realistic system could not be built. The study stops at the router; it was not carried out on dedicated sensors or on a firewall router.
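As an added example, not code from the original thesis, the following Python script performs the verification step above programmatically: it parses a constructed `show running-config` excerpt of the kind the SDM IPS wizard leaves behind (rule name, SDF location, SDEE notification, disabled signatures, and the interfaces and directions the rule is applied to) and decodes a constructed `%IPS-4-SIGNATURE` syslog line of the kind the ping test produces. The rule name `sdm_ips_rule`, the SDF path, the disabled signature numbers and the alarm line are assumptions; signature 2004 is the ICMP echo request signature, and the untrusted-facing serial interface without IPS is a deliberate gap for the audit to find.

```python
"""Added example: audit the IPS router from the CLI output used in the
verification step, instead of reading it by eye. Not code from the original
document; the configuration excerpt and alarm line are constructed."""
import re

# Constructed `show running-config` excerpt in the form SDM's IPS wizard
# leaves on an IOS 12.4 router (rule name, SDF path and the disabled
# signature numbers are assumptions made for the example).
RUNNING_CONFIG = """\
ip ips sdf location flash://attack-drop.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
ip ips signature 2001 0 disable
ip ips signature 3050 0 disable
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
!
"""

# Constructed alarm line in the style IOS IPS writes to syslog when a
# signature fires; 2004 is the ICMP Echo Request signature hit by the ping test.
ALARM_LINE = ("*Mar  1 00:15:25.951: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
              "ICMP Echo Request [192.168.23.1:0 -> 192.168.12.1:0]")

ALARM_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)
DISABLE_RE = re.compile(r"ip ips signature (\d+) (\d+) disable")


def parse_running_config(text):
    """Pull the IPS rule, SDF locations, SDEE state, disabled signatures and
    per-interface IPS directions out of a running-config dump."""
    cfg = {"rule": None, "sdf": [], "sdee": False, "disabled": set(), "interfaces": {}}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            cfg["interfaces"][iface] = set()
        elif line.startswith("!"):
            iface = None
        elif iface is not None and line.startswith(" ip ips "):
            cfg["interfaces"][iface].add(line.split()[-1])  # "in" or "out"
        elif line.startswith("ip ips name "):
            cfg["rule"] = line.split()[3]
        elif line.startswith("ip ips sdf location "):
            cfg["sdf"].append(line.split()[4])
        elif line.strip() == "ip ips notify SDEE":
            cfg["sdee"] = True
        else:
            m = DISABLE_RE.match(line)
            if m:
                cfg["disabled"].add((int(m.group(1)), int(m.group(2))))
    return cfg


def unprotected_interfaces(cfg):
    """Interfaces the wizard did not apply the IPS rule to, in any direction."""
    return sorted(name for name, dirs in cfg["interfaces"].items() if not dirs)


def parse_alarm(line):
    """Decode one %IPS-4-SIGNATURE syslog line; returns None if it is not one."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sig", "subsig", "sev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def signature_enabled(cfg, alarm):
    """True if the signature that fired is not on the disabled list; an alarm
    from a disabled signature means the log line predates the current config."""
    return (alarm["sig"], alarm["subsig"]) not in cfg["disabled"]


if __name__ == "__main__":
    cfg = parse_running_config(RUNNING_CONFIG)
    print("rule:", cfg["rule"], "SDEE:", cfg["sdee"], "SDF:", cfg["sdf"])
    print("disabled signatures:", sorted(cfg["disabled"]))
    print("interfaces without IPS:", unprotected_interfaces(cfg))
    alarm = parse_alarm(ALARM_LINE)
    print("alarm:", alarm, "enabled:", signature_enabled(cfg, alarm))
```

The same functions work on the real output of `show running-config` and on lines pulled from `show logging` or a syslog collector; the interface check is the one worth keeping, since the wizard only protects the interfaces that were ticked, and an interface with an empty direction set is traffic the router is not inspecting.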

