Distributed IDS mainly refers to a variety of IDS interoperability. Topology in a network among, HostBase and networkBased IDS because the different positions, can not replace each other, and because of the attacks are stage, both between the various stages of behavior are linked. so can be based on the synergy between these heterogeneous IDS to detect the role of attack. You can imagine IDS was refined and divided, forming many small data source, each with independent thinking and can command each other IDS, to influence their behavior. simple implementation, that is, no interaction between IDSsensor, but there is a centralized control system, all the correlation in the Central, the Central can change each sensor's behaviour.
EMERALD papers in 97 years, he is only a correlation for the central analyzer, and other rules and profile was the IDS sensor moved from the central to. You can go see sri.com, where the home is EMERALD. Have them written 23 papers.
On Correlation, IBM's TEC There is a correlator, to support heterogeneous IDS.
Unfortunately, there can not block, or else give you a look at the interface.
IBM recently released a correlation algorithm (IBM is fierce, security algorithms are great, patternmatch the TERESIAS algorithm is also very good), you can see:
Aggregation and Correlation of Intrusion-Detection Alerts By Herv 'e Debar 1, and Andreas espi 2,
As Agent, center interaction between the standards, FIPA, KAoS, KQML, CIDF.
Academic course like to make automation of the IDS agent, but now the industry is engaged in intensive correlation, correlation need to look at the boeing company you can huang article, he was 97 years advocated attack strategy detection. His weighted strategy tree
Is very intuitive.
There are many examples of collaborative detection, said huang about 4 years a classic example: the detection of the spoof.
ExternalHostA first InternalA denial of service, and then pretend to trust InternalA InternalA server InternalB initiate connections. This time became normal rlogin attack. Single network IDS can not detect.
The basic idea is: When a situation occurs, the original normal network behavior becomes an attack. This requires correlation.
Another example is the detection of DDOS source address, a single network / host IDS is powerless. Such HostA by DDOS, his Anomally Detection function can check out the machine by a DOS attack. Then, the network IDS found one from 1.1. 1.1 ICMP echorequest message, the message is normal in peacetime, but this time sent me, it is likely that an attacker checks whether the survival of the attacked host. by correlation, you can find the real source address DDOS 1.1 .1.1 the.
杩樻湁瀵箂tealthscan鐨勬娴?濡傛灉鏈変汉瀵逛綘鍑犱釜瀛愮綉缂撴參鐨勪綔1433鍙g殑鎵弿,缃戠粶IDS 涓?畾鏃犳硶鎶ヨ,涓绘満IDS鐨刲og閲岄潰鍙兘浼氳杞戒竴浜涜繛鎺?浣嗘槸濡傛灉鏈夐泦涓殑correlation, 灏卞彲浠ユ娴嬪嚭鏉?鍦╡vent stream閲岄潰杩欎簺閮藉彲浠ョ敤瑙勫垯鏉ユ鏌?涓嶇敤鎷呭績鏁堢巼.
杩欏彧鏄緢绠?崟鐨勪緥瀛?鑰屼笖閮芥湁涓嶇敤correlation鐨勬浛浠f柟妗?浣嗘槸鏁堢巼鍜屽噯纭?灏卞樊涓?簺浜?
鍙﹀涓?釜浼樺娍,灏辨槸,浜嬪疄涓?涓绘満IDS閫氬父閮芥槸anomaly detection鐨?杩欏氨澶уぇ鐨勫Τ琛ヤ簡 鍩轰簬pattern鐨勭綉缁淚DS鐨勪笉瓒?涓よ?閰嶅悎鐨勬娴?灏辨槸鍙俊搴﹀緢楂樼殑.
鐜板湪鐨刢orrelation閮芥槸鍩轰簬瑙勫垯鐨?濡傛灉浣犱簡瑙d簡鏀诲嚮鐨勫熀鏈楠ゅ拰鎵╂暎鐨勬墜娉? 浣犱篃鍙互鍐欏嚭浣犵殑elation鏉?
鍗忓悓妫?祴杩樻湁鏇村姞鏅鸿兘鐨勬ā鍧楀氨鏄皢response鍔犲叆杩涙潵,鍖呮嫭probing鐨剅esponse.
娉ㄦ剰鍗忓悓妫?祴涓嶆槸璇翠竴瀹氳涓绘満IDS鍜岀綉缁淚DS閮芥湁,涔熷彲鑳藉,姣斿鏈墂ebserver鏃ュ織鎻愬彇, 鍜岄槻鐏鐨勬棩蹇?涔熷彲鑳藉皯,鍙湁缃戠粶IDS涔熸槸涓?牱鐨?閲嶈鐨勬槸鏈?悗鐨刢orrelation鎶?湳.
鍙﹀璇翠竴鍙ラ澶栬瘽,correlation鍖呮嫭寰堝涓眰娆$殑,multisensor鐨刢orrelation鍙笉杩囨槸鏈熶腑鐨勪竴涓?聽
相关链接:
Advantages of outsourcing and India remain
System Maintenance Expert
Chen Zhou Reflect Years Of Business Success: The Greatest Scar Has Not Come Yet
Audio Recorders Reviews
OGM TO MP4
On The Issue Of AutoCAD Customization In The Linear
Samsung u900 vs nokia 6500 slide
Taiwan 3G competition for business opportunities in the Mainland 300 000 000 000
j2me in the Vector
TS To MPG
Reviews Reference Tools
"Fallout 3" The third sense after playing DLC broken steel
How to identify real and can automatically create index index
Interview With B & Q (China) Vice President, Human Resources Director Miss Hu Weiyan
AVI To MPEG4
Report Compilers And Interpreters
No comments:
Post a Comment