Requirements for the IDS
It should be noted that an IDS applies both to authorized users of the system who use it improperly (i.e. violate its security policy) and to users who are external to the system.
The IDS should perform the following basic functions:
- monitor and analyze the activity of users and of the computing system;
- record the system configuration and its vulnerabilities;
- assess the integrity of critical system files and data files;
- recognize activity patterns that reflect known attacks;
- perform statistical analysis to reveal abnormal behavior;
- recognize violations of the security policy by users of the system.
Besides the basic functions described above, an ideal IDS should satisfy the following functional characteristics:
1. Run continuously with minimal user intervention.
2. Be fault-tolerant, i.e. not depend on system failures, whether accidental or caused by the intruder's actions.
3. Monitor its own integrity and detect modifications made to itself by an intruder.
4. Have minimal impact on the system whose security it monitors.
5. Be configurable according to the security policy of the monitored system.
6. Adapt over time to changes in the system and in user behavior (new applications, new resources, authorized changes in user activity).
7. Work with data arriving from many users.
8. Support dynamic reconfiguration.
9. Provide the system administrator with data sufficient to restore the system after an attack.
As a consequence of these requirements, it is desirable to build the intrusion detection system on a client-server architecture.
Problems solved by intrusion detection systems. The global problem is distinguishing the intruder from the legitimate user. The subproblems solved along the way are:
1. Data gathering;
2. Data filtering;
3. Classification of behavior, i.e. the actual recognition of the intruder;
4. Reporting;
5. System response.
First experience of building an intrusion detection system.
The structure shown in the figure is to a certain extent "classical", since it reflects the general principles of construction of many IDS.
The intrusion detection process is described in terms of audit records, profiles, anomaly records and action rules.
Subjects and objects
As in most security models, the first step in building the model is to define the set of subjects and the set of objects. In the IDES model, subjects are the active initiators of operations in the system (processes of the computing system). Objects are the data carriers on which subjects perform operations (files and directories of the operating system). The assumptions about subjects and objects must be the same for the audit scheme and for the intrusion detection scheme.
Records of audit
The second component of the IDES model is the audit record. It is assumed that the computing system of interest includes an audit mechanism that stores audit records in a protected log. However, for the intrusion detection scheme to work in practical applications, the detailed characteristics of each audit record must be known in advance. That is, the different types of information that will be placed in each audit record, as well as their relative positions, must be distinguished so that the information is processed correctly by the intrusion detection mechanism.
In the IDES model, audit records are assumed to be six-component structures (i.e. 6-tuples) laid out as follows:
<subject, object, action, error, resource, time>.
In such an IDES audit record, the subject is the initiator of the action on the object named in the record. The error component describes any exception conditions that can result from the action. The resource component gives statistics of all resource usage during the action. The time component gives the time of the action.
Here is an example: if the user john successfully executes the file johnfile at 2 o'clock in the morning and uses 2 seconds of processor time doing so, the audit record of this action can look as follows:
<john, johnfile, execute, no, CPU (00:02), 2:00>
Similarly, sequences of consecutive audit records can be useful for studying the current operation of the system. For example, a sequence of audit records such as:
<john, important_file, read, no, CPU (00:01), 6:00>
<mike, important_file, read, no, CPU (00:01), 6:01>
<leon, important_file, read, no, CPU (00:01), 6:02>
<ted, important_file, read, no, CPU (00:01), 6:03>
would certainly mean that many different users of the system are, for some reason, interested in reading the file important_file.
Although this model defines audit records only in terms of the six components given above, computing systems can undoubtedly produce special audit records for specific applications. This is done by adding or removing audit record fields, depending on the situation.
Profiles.
Profiles in the IDES model are used to characterize the expected activity of the computing system. The activity parameters of the computing system used to build a profile can vary depending on the type of activity being checked. However, in most cases the usual types of information present in profiles are the following:
Login activity. For a given user or system, profiles can characterize the usual number of logins at the given time of day, the expected earliest login time, the expected maximum session duration, etc. Practice has shown that such parameters are the most typical for the majority of computing operational environments. For example, in some operational environments an attempt by users to log in at 4 o'clock in the morning is not normal, whereas in others it can be considered a usual action.
Performance parameters. Profiles can also be established according to the expected type of resource usage that the given computing system must support. Such profiles should, as a rule, include statistics on the use of processor time, memory and other resources. This is another parameter that is usually regular and predictable. In a report-writing environment, for example, an invoked program taking more than 10 minutes of processor time should be considered abnormal, whereas in a scientific operational environment it can be completely normal. Performance parameters in an intrusion detection system provide a means of revealing this type of malicious activity.
File access. Profiles can be created for the frequency of reading and writing certain files, the number of refused read or write requests for certain files, and other file access parameters. This parameter may be less predictable, but some files can be marked as most likely inaccessible to ordinary users. For example, if an ordinary user tries to write something to the password file, this can be considered abnormal behavior. In most operational environments, copying the password file should be considered suspicious activity.
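The following Python block is an added example, not code from the page or from IDES itself. It ties together the two preceding passages: it parses audit records in the six-component layout <subject, object, action, error, resource, time> described above, and then evaluates them against a simple profile covering the three profile types just listed (login activity, performance parameters, file access). The sample records, the Profile fields, the expected-hours window, the 10-minute CPU threshold and the "/etc/passwd" sensitive object are all constructed assumptions for illustration; a real deployment would derive such thresholds from observed activity.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log in the page's six-component layout:
# <subject, object, action, error, resource, time>. The first five lines
# mirror the page's examples; the last two are added (hypothetical) entries.
SAMPLE_RECORDS = """
<john, johnfile, execute, no, CPU (00:02), 2:00>
<john, important_file, read, no, CPU (00:01), 6:00>
<mike, important_file, read, no, CPU (00:01), 6:01>
<leon, important_file, read, no, CPU (00:01), 6:02>
<ted, important_file, read, no, CPU (00:01), 6:03>
<mike, report.tex, execute, no, CPU (12:30), 9:15>
<leon, /etc/passwd, write, permission_denied, CPU (00:00), 4:05>
"""

# Resource is assumed to be "CPU (mm:ss)" and time to be "h:mm" (24-hour clock).
RECORD_RE = re.compile(
    r"^<\s*(?P<subject>[^,]+?)\s*,\s*(?P<object>[^,]+?)\s*,\s*(?P<action>[^,]+?)\s*,"
    r"\s*(?P<error>[^,]+?)\s*,\s*CPU\s*\((?P<cpu>\d+:\d+)\)\s*,\s*(?P<time>\d+:\d+)\s*>$"
)


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    obj: str
    action: str
    error: str        # exception condition, "no" when the action succeeded
    cpu_seconds: int  # resource component converted to seconds
    hour: int         # time component split into hour and minute
    minute: int


def parse_record(line):
    """Parse one audit record line into an AuditRecord; reject malformed input."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit record: {line!r}")
    cpu_min, cpu_sec = map(int, m["cpu"].split(":"))
    hour, minute = map(int, m["time"].split(":"))
    return AuditRecord(m["subject"], m["object"], m["action"], m["error"],
                       cpu_min * 60 + cpu_sec, hour, minute)


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


@dataclass(frozen=True)
class Profile:
    """Expected activity (hypothetical profile shape, not the IDES data structure)."""
    login_hours: tuple        # (earliest, latest) hour of expected activity
    max_cpu_seconds: int      # performance threshold for a single action
    sensitive_objects: frozenset  # objects ordinary users should not modify


# Constructed profile: activity expected 06:00-22:00, 10 minutes of CPU at most,
# and the password file treated as sensitive (the page's own example).
DEFAULT_PROFILE = Profile((6, 22), 10 * 60, frozenset({"/etc/passwd"}))


def evaluate(records, profile):
    """Return anomaly records as (audit_record, reason) pairs."""
    anomalies = []
    lo, hi = profile.login_hours
    for r in records:
        if not lo <= r.hour < hi:
            anomalies.append((r, "activity outside expected hours"))
        if r.cpu_seconds > profile.max_cpu_seconds:
            anomalies.append((r, "CPU time above profile threshold"))
        if r.obj in profile.sensitive_objects and r.action in ("write", "copy"):
            anomalies.append((r, "write/copy attempt on sensitive object"))
    return anomalies


def popular_objects(records, min_subjects=3):
    """Objects read by at least min_subjects distinct subjects (the important_file pattern)."""
    readers = defaultdict(set)
    for r in records:
        if r.action == "read":
            readers[r.obj].add(r.subject)
    return {obj: len(subs) for obj, subs in readers.items() if len(subs) >= min_subjects}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for rec, reason in evaluate(recs, DEFAULT_PROFILE):
        print(f"{rec.subject:5} {rec.action:8} {rec.obj:15} {rec.hour:02}:{rec.minute:02}  {reason}")
    print("widely read objects:", popular_objects(recs))
```

Note that a denied write to the password file still produces an anomaly record: the error component ("permission_denied") records that the operating system refused the action, but the attempt itself is what the file-access profile is meant to surface.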