Saturday, October 9, 2010

About Distributed IDS

Distributed IDS mainly refers to a variety of IDS interoperability. Topology in a network among, HostBase and networkBased IDS because the different positions, can not replace each other, and because of the attacks are stage, both between the various stages of behavior are linked. so can be based on the synergy between these heterogeneous IDS to detect the role of attack. You can imagine IDS was refined and divided, forming many small data source, each with independent thinking and can command each other IDS, to influence their behavior. simple implementation, that is, no interaction between IDSsensor, but there is a centralized control system, all the correlation in the Central, the Central can change each sensor's behaviour.

EMERALD papers in 97 years, he is only a correlation for the central analyzer, and other rules and profile was the IDS sensor moved from the central to. You can go see, where the home is EMERALD. Have them written 23 papers.
On Correlation, IBM's TEC There is a correlator, to support heterogeneous IDS.
Unfortunately, there can not block, or else give you a look at the interface.
IBM recently released a correlation algorithm (IBM is fierce, security algorithms are great, patternmatch the TERESIAS algorithm is also very good), you can see:
Aggregation and Correlation of Intrusion-Detection Alerts By Herv 'e Debar 1, and Andreas espi 2,

As Agent, center interaction between the standards, FIPA, KAoS, KQML, CIDF.
Academic course like to make automation of the IDS agent, but now the industry is engaged in intensive correlation, correlation need to look at the boeing company you can huang article, he was 97 years advocated attack strategy detection. His weighted strategy tree
Is very intuitive.

There are many examples of collaborative detection, said huang about 4 years a classic example: the detection of the spoof.
ExternalHostA first InternalA denial of service, and then pretend to trust InternalA InternalA server InternalB initiate connections. This time became normal rlogin attack. Single network IDS can not detect.

The basic idea is: When a situation occurs, the original normal network behavior becomes an attack. This requires correlation.
Another example is the detection of DDOS source address, a single network / host IDS is powerless. Such HostA by DDOS, his Anomally Detection function can check out the machine by a DOS attack. Then, the network IDS found one from 1.1. 1.1 ICMP echorequest message, the message is normal in peacetime, but this time sent me, it is likely that an attacker checks whether the survival of the attacked host. by correlation, you can find the real source address DDOS 1.1 .1.1 the.

杩樻湁瀵箂tealthscan鐨勬娴?濡傛灉鏈変汉瀵逛綘鍑犱釜瀛愮綉缂撴參鐨勪綔1433鍙g殑鎵弿,缃戠粶IDS 涓?畾鏃犳硶鎶ヨ,涓绘満IDS鐨刲og閲岄潰鍙兘浼氳杞戒竴浜涜繛鎺?浣嗘槸濡傛灉鏈夐泦涓殑correlation, 灏卞彲浠ユ娴嬪嚭鏉?鍦╡vent stream閲岄潰杩欎簺閮藉彲浠ョ敤瑙勫垯鏉ユ鏌?涓嶇敤鎷呭績鏁堢巼.
鍙﹀涓?釜浼樺娍,灏辨槸,浜嬪疄涓?涓绘満IDS閫氬父閮芥槸anomaly detection鐨?杩欏氨澶уぇ鐨勫Τ琛ヤ簡 鍩轰簬pattern鐨勭綉缁淚DS鐨勪笉瓒?涓よ?閰嶅悎鐨勬娴?灏辨槸鍙俊搴﹀緢楂樼殑.
鐜板湪鐨刢orrelation閮芥槸鍩轰簬瑙勫垯鐨?濡傛灉浣犱簡瑙d簡鏀诲嚮鐨勫熀鏈楠ゅ拰鎵╂暎鐨勬墜娉? 浣犱篃鍙互鍐欏嚭浣犵殑elation鏉?
娉ㄦ剰鍗忓悓妫?祴涓嶆槸璇翠竴瀹氳涓绘満IDS鍜岀綉缁淚DS閮芥湁,涔熷彲鑳藉,姣斿鏈墂ebserver鏃ュ織鎻愬彇, 鍜岄槻鐏鐨勬棩蹇?涔熷彲鑳藉皯,鍙湁缃戠粶IDS涔熸槸涓?牱鐨?閲嶈鐨勬槸鏈?悗鐨刢orrelation鎶?湳.


Advantages of outsourcing and India remain

System Maintenance Expert

Chen Zhou Reflect Years Of Business Success: The Greatest Scar Has Not Come Yet

Audio Recorders Reviews


On The Issue Of AutoCAD Customization In The Linear

Samsung u900 vs nokia 6500 slide

Taiwan 3G competition for business opportunities in the Mainland 300 000 000 000

j2me in the Vector


Reviews Reference Tools

"Fallout 3" The third sense after playing DLC broken steel

How to identify real and can automatically create index index

Interview With B & Q (China) Vice President, Human Resources Director Miss Hu Weiyan


Report Compilers And Interpreters

No comments:

Post a Comment