Ng Vn Cng
IDS (Intrusion Detection System)
Detects attacks and probes against computers.
Blocks them.
Detects and defends against attacks.
Assesses the damage.
Intrusion detection: the process of identifying an intrusion that may occur, is occurring, or has already occurred.
Terminology
Intrusion detection: detecting unauthorized access to computers.
Anomaly detection: detecting events that are out of the ordinary.
IDS
Maintains a database of signature files describing the characteristics of attacks.
Every attack has characteristics, a pattern and a behaviour, which together form its signature.
An attack or intrusion is detected by matching its signs against the signature files in the database.
(cont.)
A false positive occurs when the IDS treats normal network behaviour as an attack by a hacker.
A false negative occurs when the IDS misses an intrusion into the system and treats it as normal activity on the network.
IDS vs Firewall
The functions of an IDS and a firewall are often confused.
A firewall works by blocking everything; the user then configures it to allow only certain traffic through.
A firewall lets internal users reach the outside but blocks outside users from reaching the internal network.
A firewall is not a dynamic system: it cannot judge that an attack is in progress.
IDS vs Firewall (cont.)
An IDS is more dynamic: it is able to detect attacks on the network.
Consider an example:
An employee receives an email from another employee saying he has found a long-lost confidential document. The employee opens the email and clicks the attached executable; the executable carries a Trojan, and the Trojan opens a connection to the hacker's computer. The firewall does not stop the hacker from carrying out the attack over the common port 80, because the firewall is only configured to block outbound connections on certain ports; it sees an HTTP connection to a web server as just another connection. If an IDS is installed, it can raise an alert that this is unusual activity on the network.
Types of IDS by detection technique
An IDS is usually based on one of two techniques:
Anomaly-detection technique
Misuse-detection technique
Anomaly-Detection Technique
Based on the hypothesis that any action that does not resemble a set of behaviour patterns is an abnormal action.
The IDS learns a profile of normal activity on the network; any behaviour that does not fit this profile is considered abnormal and an alert is raised.
A boundary for normal behaviour is drawn, usually generated from statistics recorded on I/O behaviour, CPU usage, memory usage and user activity.
Misuse-Detection Technique
Treats attacks as patterns and signatures.
Maintains a database of attack signatures.
An alert is raised when an attack matches a pattern in the database.
Works like an antivirus system.
Does not produce false positives, but cannot detect types of attack that have not been seen before.
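The two techniques side by side, as an added example (not part of the lecture): misuse detection matches a constructed signature database, anomaly detection learns a statistical boundary from a constructed baseline of normal measurements. The signature patterns, baseline numbers and records are all assumptions made for illustration.

```python
"""Added example (not from the lecture): misuse detection vs anomaly detection.
Misuse detection matches a signature database (like antivirus); anomaly
detection learns a boundary from measurements taken during normal operation.
Signatures, baseline numbers and records below are constructed for illustration."""
import statistics

# Constructed signature database: attack name -> byte pattern in the payload.
SIGNATURES = {
    "cybercop-os-probe": b"AAAAAAAAAAAAAAAA",
    "example-backdoor": b"foobar",
}

def misuse_detect(payload: bytes) -> list:
    """Names of every signature whose pattern occurs in the payload.
    An attack with no signature yet yields an empty list: a false negative."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

class AnomalyProfile:
    """Profile of one normal-behaviour metric (CPU %, memory, I/O, bytes sent...)."""

    def __init__(self, baseline, threshold: float = 3.0):
        # baseline: measurements recorded while the host was known to be clean
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.pstdev(baseline) or 1e-9  # all-equal baseline guard
        self.threshold = threshold  # boundary width in standard deviations

    def zscore(self, value: float) -> float:
        return (value - self.mean) / self.stdev

    def is_anomalous(self, value: float) -> bool:
        """True when the value lies outside the learned boundary. A legitimate
        but unusual burst (a backup, say) trips this too: a false positive."""
        return abs(self.zscore(value)) > self.threshold

# Constructed baseline: MB sent per hour by a workstation over eight normal hours.
BASELINE_MB_PER_HOUR = [120, 130, 125, 118, 135, 128, 122, 131]

def inspect(record: dict, profile: AnomalyProfile) -> dict:
    """Run both techniques over one record {"payload": bytes, "mb_sent": number}."""
    return {"misuse": misuse_detect(record["payload"]),
            "anomaly": profile.is_anomalous(record["mb_sent"])}

if __name__ == "__main__":
    profile = AnomalyProfile(BASELINE_MB_PER_HOUR)
    # Known probe at normal volume: caught by the signature, not by the profile.
    print(inspect({"payload": b"A" * 16, "mb_sent": 127}, profile))
    # Unknown tool moving a huge volume: missed by the signature, caught by the profile.
    print(inspect({"payload": b"new-unknown-tool", "mb_sent": 900}, profile))
```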
Different kinds of IDS
Network IDS (Network-based intrusion-detection systems)
Host IDS (Host-based intrusion-detection systems)
Hybrid IDS (Hybrid intrusion-detection systems)
Network IDS
Consists of sensors deployed across the whole network that monitor and analyse the packets passing through it, then forward the results to a management console.
Two architectures: traditional sensor architecture; distributed network-node architecture.
Traditional sensor: the sensor is attached to the network and captures the network's packets.
Network IDS
Distributed network-node architecture: a sensor is attached to every computer on the network.
Each sensor is concerned only with the packets arriving at its own machine.
The sensor then communicates with the management console to raise alerts.
(cont.)
How a network IDS operates
Tip-off: detects an intrusion into the network at the moment it is carried out.
Surveillance: observes the behaviour of a set of components on the network.
Host IDS
A host IDS uses information from the host computer itself.
Data sources: system event log; application log.
Effective at detecting intrusions from inside the network.
Attacks detected by a host IDS
Misuse of privileged rights: occurs when a user who has been granted root or admin rights uses them for illegitimate purposes.
Misuse of elevated privileges: system administrators often grant elevated privileges to users so that they can install special applications.
Host IDS architecture
There are two architectures for a host IDS: Target; Agent.
Agent: a small program that runs on the host.
The agent on the host lets the host system perform locally privileged operations.
Runs as a background process (daemon) on Unix and as a service on Windows.
One or more agents run on the host system.
Advantages of a host IDS
Detects abuse of resources.
Hinders and blocks violations.
Assesses the extent of the damage.
Blocks harm originating from inside.
Considerations for a host IDS
Performance: it is a distributed mechanism that processes data originating from the hosts. Because of the host IDS architecture, host performance can suffer: Windows NT workstation 1 MB, Windows NT server 8 MB, Unix 20 MB. Consider a network of 10 Windows NT servers, 5 Unix servers, 200 Windows NT workstations and 50 Unix workstations: the total data generated reaches 800 MB a day.
Vulnerability
The purpose of installing an IDS is defeated if a hacker can break into the host system and shut down the agents. An IDS is usually not effective against a hacker's first intrusion; it is only effective at detecting behaviour that has been defined beforehand.
Network IDS vs host IDS

                    Network IDS                                  Host IDS
Deterrence          Weak against intrusion from inside           Strong against intrusion from inside
Detection           Good for intrusion from outside,             Good for intrusion from inside,
                    weak for intrusion from inside               weak for intrusion from outside
Response            Real time against intrusion from inside      Strong
Damage assessment
Kinds of honeypot
Production honeypot: helps detect intrusions that the IDS fails to detect.
Research honeypot: used for research purposes; deployed to analyse hackers' attack activity.
Deception system
Emulates an environment that hackers can interact with.
Snort
Basics
Rule header:
alert tcp any any -> 192.112.12.0/24 111
Rule options:
(content:"foobar"; msg:"example";)
Theory
Signatures ensure an alert is raised only when a real attack occurs.
Writing signatures is very easy.
Multi-pattern matching: allows many patterns to be compared at the same time.
In practice
There are many different reasons that can lead to false alerts.
Writing good signatures -> very hard.
Not just Snort: most other products are no better than Snort, and a few are weaker.
Content
The content keyword searches for a string in the payload. Its argument can be ASCII text or binary data.
Depth, Offset
The depth keyword lets the rule writer specify how far into the packet Snort searches for a given pattern. The offset keyword lets the rule writer specify where in the packet the search for the pattern begins. Both reduce search time.
Options
Besides the content keyword, a number of other options on the packet header can be used to filter the alerts further. However, these options are only checked after the content check. A few options:
dsize: checks the payload size.
flags: checks for the presence of certain TCP flag bits.
flow: applies the rule only to traffic that belongs to an established connection.
Rules
alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
Many more rules exist.
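How the content, offset, depth, dsize and ttl options narrow a match, as an added example (not part of the lecture and not Snort's own code): a tiny evaluator that parses the two rules above plus one constructed rule using offset, and runs them over constructed packets. The rule variables $out/$in are ignored, only the header's protocol is checked, and the simplified semantics are assumptions, not Snort's full behaviour.

```python
"""Added example (not from the lecture or from Snort): a small evaluator for the
rule options discussed above. Modelled semantics: offset = payload byte where the
search starts; depth = bytes examined from that point; dsize = payload size;
ttl = IP TTL. Only the header's protocol is checked; packets are constructed dicts."""

def parse_rule(text: str) -> dict:
    """Split 'alert tcp $out any -> $in any (k:v; ...)' into header fields and options."""
    header, _, option_text = text.partition("(")
    action, proto = header.split()[:2]
    options = {}
    for item in option_text.rstrip(")").split(";"):  # assumes no ';' inside quoted values
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip().lower()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "options": options}

def _size_ok(spec: str, size: int) -> bool:
    """dsize accepts N, >N or <N."""
    op, n = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return size > n if op == ">" else size < n if op == "<" else size == n

def match_rule(rule: dict, packet: dict) -> bool:
    """True when the packet satisfies the protocol and every option of the rule."""
    opts, payload = rule["options"], packet["payload"]
    if rule["proto"] != packet["proto"]:
        return False
    if "dsize" in opts and not _size_ok(opts["dsize"], len(payload)):
        return False
    if "ttl" in opts and packet.get("ttl") != int(opts["ttl"]):
        return False
    if "content" in opts:
        window = payload[int(opts.get("offset", 0)):]    # offset: where the search begins
        if "depth" in opts:
            window = window[:int(opts["depth"])]         # depth: how far from there to look
        if opts["content"].encode() not in window:
            return False
    return True

def fired(rules, packet) -> list:
    """msg text of every rule that fires on the packet."""
    parsed = [parse_rule(r) for r in rules]
    return [r["options"].get("msg", "") for r in parsed if match_rule(r, packet)]

# Constructed rule set: the two rules from the lecture plus one that uses offset.
RULES = [
    'alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert tcp any any -> any 80 (msg:"foobar after 4-byte header"; content:"foobar"; offset:4; depth:6;)',
]
```

With depth:16 the sixteen A's must sit in the first 16 payload bytes, so a payload that starts with two other bytes does not fire even though it contains the pattern; that is the search-window behaviour the depth keyword buys.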