
Intrusion Detection Systems (IDS)

Ng Vn Cng

IDS (Intrusion Detection System): detects attacks on, and probing of, computer systems. Its roles: prevent, detect, defend against attacks, and assess damage.
Intrusion detection: the process of identifying an intrusion that could happen, is happening, or has already happened.

Terminology
- Intrusion detection: detecting unauthorised access to a computer.
- Anomaly detection: detecting events that are out of the ordinary.

How does an IDS work? Detecting intrusions


In the past: there were log files generated by security systems (firewalls).
Today: the process of reviewing those log files and monitoring resource activity is done by the IDS: CPU usage, disk I/O, memory, user actions, and the number of logins to the system.

IDS
- Maintains a database of signature files and the characteristics of attacks.
- Every attack has characteristics, a pattern and a behaviour -> its signature.
- Detects an attack or intrusion by matching the signs of the attack against the signature files in the database.

(cont.)
A false positive occurs when the IDS treats normal behaviour on the network as an attack by a hacker.
A false negative occurs when the IDS misses an intrusion into the system and treats it as normal activity on the network.

IDS vs Firewall
The functions of an IDS and a firewall are often confused.
A firewall works by blocking everything; the user then programs it to let only certain items through.
A firewall lets internal users reach the outside but blocks outside users from reaching the internal network.
A firewall is not a dynamic system: it cannot judge that an attack is in progress.

IDS vs Firewall (cont.)
An IDS is the more dynamic system; it is able to detect attacks on the network.

Consider an example:
An employee of the company receives an email from another employee saying that he has found a long-lost confidential document. The employee opens the email and clicks the attached executable file. The executable document carries a Trojan; the Trojan opens a connection to the hacker's computer. At this point the firewall does not stop the hacker from carrying out the attack over the common port 80, because the firewall is only configured to block outbound connections to certain ports and treats an HTTP connection to a web server as just another connection. If an IDS is installed, it can raise an alert because this is unusual activity on the network.

Types of IDS by how they detect intrusions
An IDS usually relies on one of two techniques:
- Anomaly-Detection Technique
- Misuse-Detection Technique

Anomaly-Detection Technique
Based on the assumption that any action which does not resemble a set of behaviour patterns is an abnormal action.
The IDS learns a profile of normal activity on the network; any behaviour that does not resemble this profile is treated as abnormal and an alert is raised.
A boundary for normal behaviour is drawn, usually generated from statistics recorded on I/O behaviour, CPU and memory usage, and user activity.
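An added example, not from the slides: a minimal statistical anomaly detector in Python that builds a per-metric profile of normal activity from constructed baseline samples, flags observations outside mean +/- k standard deviations, and counts the false positives and false negatives described earlier against a constructed labelled set. The metric names, the k = 3 threshold and all sample values are assumptions.

```python
import statistics

# Constructed baseline: observations of host activity from a period assumed
# to contain only normal behaviour (metric names and values are invented).
BASELINE = {
    "cpu_pct":    [12, 15, 11, 14, 13, 16, 12, 15, 14, 13],
    "disk_io_mb": [40, 55, 48, 52, 45, 50, 47, 53, 49, 51],
    "logins":     [3, 4, 3, 5, 4, 3, 4, 5, 4, 3],
}

def build_profile(samples, k=3.0):
    """Boundary of normal behaviour per metric: mean +/- k standard deviations."""
    profile = {}
    for metric, values in samples.items():
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        profile[metric] = (mean - k * sd, mean + k * sd)
    return profile

def detect(profile, observation):
    """Metrics of the observation that fall outside the profile; [] means normal."""
    return [m for m, (lo, hi) in profile.items() if not lo <= observation[m] <= hi]

def evaluate(profile, labelled):
    """Count false positives and false negatives over (observation, is_attack) pairs."""
    false_pos = false_neg = 0
    for observation, is_attack in labelled:
        alerted = bool(detect(profile, observation))
        false_pos += alerted and not is_attack
        false_neg += is_attack and not alerted
    return false_pos, false_neg

# Constructed labelled observations: a normal day, a noisy attack, a legitimate
# backup job that looks abnormal (false positive) and a quiet insider whose
# activity stays inside the profile (false negative).
LABELLED = [
    ({"cpu_pct": 14, "disk_io_mb": 50, "logins": 4}, False),
    ({"cpu_pct": 95, "disk_io_mb": 300, "logins": 40}, True),
    ({"cpu_pct": 15, "disk_io_mb": 140, "logins": 4}, False),
    ({"cpu_pct": 13, "disk_io_mb": 48, "logins": 5}, True),
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for observation, _ in LABELLED:
        print(observation, "->", detect(profile, observation) or "normal")
    print("false positives, false negatives:", evaluate(profile, LABELLED))
```

The fourth observation shows the weakness the slides describe: an insider who stays inside the statistical boundary is never flagged, whatever the threshold.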

Misuse-Detection Technique
Treats attacks as patterns and signatures.
Maintains a database of attack signatures.
An alert is raised when some attack matches a pattern in the database.
Works like an antivirus system.
Does not produce false positives, but cannot detect kinds of attack that have not been seen before.

Different kinds of IDS
- Network IDS (Network-based intrusion-detection systems)
- Host IDS (Host-based intrusion-detection systems)
- Hybrid IDS (Hybrid intrusion-detection systems)

Some terms used with IDS
- Command console: the control centre of the IDS, containing the tools for setting policies
- Sensor: looks for packets
- Alert Notification: warns of an attack (a message on screen, an email)
- Response Subsystem: the response actions taken when an attack is detected
- Database: the store for everything the IDS records

Network IDS
Consists of sensors deployed across the whole network that monitor and analyse the packets passing through it, then send the results back to the command console.
Two architectures: Traditional Sensor Architecture and Distributed Network-Node Architecture.
Traditional Sensor: the sensor is attached to the network and captures the network's packets.

Traditional sensor architecture: the steps a packet goes through in a network IDS

1. When a computer wants to exchange data with another computer, the data exchange begins.
2. The packets are listened to on the network by the network sensors.
3. The intrusion-detection component compares the packets with predefined patterns; if they match, an alert is raised and sent to the command console.
4. Through the command console, the security staff are alerted by various means: email, SNMP.
5. A response is generated, either automatically or by the security staff.
6. A record is stored so it can be reviewed and assessed later.
7. A report summarising the hacker's actions is produced.

Network IDS
Distributed Network-Node Architecture
A sensor is attached to each computer on the network.
Each sensor is only concerned with the packets destined for its own machine.
The sensor then communicates with the command console to raise alerts.

(cont.) The steps a packet goes through in the second approach

1. When a computer wants to communicate with another computer, packets are exchanged.
2. The packets are then listened to on the network by the sensor attached to the destination computer.
3. The intrusion-detection component compares these packets with predefined patterns; if they correspond, an alert is raised.
4. Through the command console, the security staff notify the user.
5. A response is generated automatically by the response system.
6. The alert (record) is stored for later review and assessment.
7. A report summarising the characteristics of the activity is produced.

(cont.) How a network IDS operates
- Tip-off: detects an intrusion into the network at the moment it is carried out
- Surveillance: observes the behaviour of a set of components on the network

Benefits of a network IDS
- Deterrence
- Detection
- Automatic notification and response mechanisms: reconfigure the firewall/router, tear down the connection

Host IDS
A host IDS uses information from the host computer itself.
Data sources: system event log, application log.
Effective at detecting intrusions from inside the network.

Attacks detected by a host IDS
- Misuse of privileged rights: occurs when a user has been granted root or admin rights and uses them for illegitimate purposes.
- Misuse of elevated privileges: system administrators often grant users elevated privileges so they can install special applications.

Host IDS architecture
There are two architectures for a host IDS.
Target Agent: a small program that runs on the host. The agent on the host lets the host system carry out locally privileged operations. It runs as a daemon on Unix and as a service on Windows. One or more agents run on the host system.

Centralized Host-Based Architecture

How it operates

1. When an action is performed on the system (a file is accessed or a program is run), an event is generated.
2. The host agent sends the file to the control centre at intervals, over a secured channel.
3. The detection engine compares the behaviour pattern in the file with predefined behaviours.
5. If the behaviour matches a predefined pattern, an alert is generated and passed to the subsystems that notify, respond and store.
6. The security office issues a notification through communication channels (paper, email, ...).
7. A response is issued.
8. The alert is stored in the database.
10. A report is generated summarising the alerts and events.

Advantages of a host IDS
- Detects abuse of resources
- Deters and prevents intrusion
- Assesses the extent of damage
- Prevents harm from inside

Assessments of host IDS
Performance: it is a distributed mechanism that processes data originating on the hosts. Because of the host IDS architecture, the host's performance can suffer. Windows NT workstation: 1 MB, Windows NT server: 8 MB, Unix: 20 MB. Consider a network of 10 Windows NT servers, 5 Unix servers, 200 Windows NT workstations and 50 Unix workstations: the total data generated reaches 800 MB a day.

(cont.) Deployment and maintenance
Difficult, because it is a distributed system; a remote update mechanism is needed.

Vulnerability
The purpose of installing the IDS is defeated if a hacker can break into the host and switch off the agents. The IDS is usually ineffective against the hacker's first intrusion; it is only effective at detecting predefined behaviours.

Tampering with the agent's records
A hacker can break into the agents and alter the information inside them.

Comparison of network IDS and host IDS

Advantage         | Network IDS                                                                         | Host IDS
Deterrence        | Weak deterrence against intrusions from inside                                      | Strong deterrence against intrusions from inside
Detection         | Good detection of intrusions from outside; weak detection of intrusions from inside | Good detection of intrusions from inside; weak detection of intrusions from outside
Response          | Strong real-time response to intrusions from inside                                 | Weak real-time response to intrusions from outside
Damage assessment |                                                                                     |

Honeypot: a complementary tool for the IDS
Another tool used to detect intrusions into the system. It works on the principle of deception: the aim is to lure the hacker by simulating, on the network, a computer that can be broken into. The IDS uses the honeypot to discover the different ways the system can be compromised.
When the hacker attacks, their activity is recorded in the log file. The IDS uses this log file to detect similar kinds of attack.

Kinds of honeypot
- Production honeypot: helps detect intrusions that the IDS does not detect.
- Research honeypot: used for research; deployed to analyse hackers' attack activity.

Using honeypots
Port monitor: a decoy program that sets traps for the hacker by letting them establish a connection to it.

Deception system
Simulates an environment the hacker can interact with.

Multi-protocol deception system
A system that provides a mechanism for emulating other systems; a honeypot running on Windows NT can emulate a Unix operating-system environment.

Full system: the IDS works together with the honeypot

Snort

Basics
Rule header:
alert tcp any any -> 192.112.12.0/24 111
Rule options:
(content:"foobar"; msg:"example";)

In theory
Signatures ensure that an alert is raised only when there is a real attack. Writing signatures is very easy. Multi-pattern matching: allows many patterns to be compared at the same time.

In practice
There are many different reasons that can lead to false alerts. Writing good signatures -> very hard. This is not only Snort: most other products are no better than Snort, and some are weaker.

Content
The content keyword searches for a string in the data portion of the packet. Issue: its argument can be ASCII or binary data.

Depth, Offset
The depth keyword lets the rule writer specify how far into the packet Snort searches for a given pattern. The offset keyword lets the rule writer specify where in the packet the search for the pattern begins. Both reduce search time.

Options
Besides the content keyword, there are several other options taken from the packet header that can be used to filter the signals further. However, these options are only checked after the content check. A few options:
- dsize: checks the size of the data portion (payload size)
- flags: checks for the presence of certain TCP flag bits
- flow: applies the rule to traffic on established connections

Rules
alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
A great many rules already exist.
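An added example, not Snort's own code and not from the slides: a toy Python matcher for the rule subset this page discusses (header fields, content with |hex| binary patterns, depth and offset, dsize, ttl), which is also the signature-database matching of the misuse-detection technique described earlier. It loads the three rules above and runs them over constructed packets; the $out/$in variables are assumed to resolve to "any", and unsupported options such as flags and flow are ignored.

```python
import ipaddress
import re

# Toy parser for the Snort rule subset discussed on this page (not Snort's own code)
HEADER = re.compile(r"(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)")
def content_bytes(val):
    # Snort content: ASCII text with optional |hex| sections for binary patterns
    parts = val.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(text):
    action, proto, src, sport, dst, dport, opts = HEADER.match(text).groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": "", "content": None, "offset": 0, "depth": None, "dsize": None, "ttl": None}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = (s.strip().strip('"') for s in opt.partition(":"))
        if key in rule:  # options this toy engine does not know (flags, flow, ...) are ignored
            rule[key] = val if key == "msg" else content_bytes(val) if key == "content" else int(val)
    return rule

def field_ok(pattern, value):
    if pattern == "any" or pattern.startswith("$"):  # $variables treated as 'any' (assumption)
        return True
    if "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == str(value)

def match(rule, pkt):
    """pkt keys: proto, src, sport, dst, dport, ttl, payload (bytes)."""
    if rule["proto"] != pkt["proto"] or not all(
            field_ok(rule[f], pkt[f]) for f in ("src", "sport", "dst", "dport")):
        return False
    data = pkt["payload"]
    if rule["content"] is not None:
        # depth counts from offset, so the search window is payload[offset:offset+depth]
        end = None if rule["depth"] is None else rule["offset"] + rule["depth"]
        if rule["content"] not in data[rule["offset"]:end]:
            return False
    # header-derived options (dsize, ttl) are checked only after the content test
    if rule["dsize"] is not None and len(data) != rule["dsize"]:
        return False
    return rule["ttl"] is None or pkt["ttl"] == rule["ttl"]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.112.12.0/24 111 (content:"foobar"; msg:"example";)',
    'alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
)]
def alerts(pkt):
    return [r["msg"] for r in RULES if match(r, pkt)]  # messages of every rule the packet triggers
```

A payload of two bytes followed by sixteen "A"s does not trigger the cybercop rule, because depth:16 limits the search to the first sixteen bytes; that is the search-time trade-off the slides describe.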

