IDS explores new ideas: intrusion monitoring fused with vulnerability scanning

At present, most intrusion detection systems take a network packet detection engine and a host log detection engine as their main event sources. Their event detection capability depends mainly on the completeness of the signature base and on the depth of protocol analysis. These technical routes have serious limitations: false alarms and missed alarms are not effectively controlled or managed, which has undermined the efficiency of intrusion detection products and has led parts of the industry to doubt the value of IDS altogether.

Facing this challenge and the demand for better information security, IDS manufacturers at home and abroad have begun to integrate intrusion detection and vulnerability scanning in a single system, making a major breakthrough in reducing false and missed alarms and in controlling and managing them effectively. At the same time, this improves the detection capability of the intrusion detection system across a very wide target event detection spectrum (from tens of megabytes up to several thousand megabytes) and its ability to verify and discover unknown events. Qiming Xingchen took the lead in launching its own new-generation intrusion detection system in this area, which stays lightweight while maintaining high performance.

First, general commercial intrusion detection systems know nothing about the vulnerabilities of the monitored targets or their business application environment, so the engine's event detection policy is untargeted and produces a large number of useless alarms or even false alarms. Some events are meaningful only when a specific target has a particular vulnerability or runs a particular application service, for example: DoS events against Windows 95; remote overflow events for the third-party application gftpd; IRIX remote overflow events raised in an all-Windows office environment.

The new-generation intrusion detection system launched by Qiming Xingchen combines scanning technology with the CNCVE vulnerability library to scan and check the security state of the target assets in advance and store the results in an environmental assets database. Through policy interaction with that database and filtering of detected events, the system raises only the alarms that apply to the target environment, which greatly reduces the false alarm rate. At the same time, it changes the situation in which a traditional intrusion detection system offers no further analysis or filtering of alarm events once the engine has processed and uploaded them: the console gives security analysts comprehensive event filtering and analysis, plus after-the-fact verification of the target node. This is a big step forward in the effective management and analysis of intrusion events and better meets the application needs of enterprise security managers.
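The filtering step described above, as an added example (this is not code from the page or from Qiming Xingchen): each signature carries the preconditions it needs on the target (OS, exposed service, confirmed vulnerability), and an alert is kept only when the pre-scan record for the target satisfies them. The asset records, signature metadata, vulnerability labels and alert stream are all constructed; the three untargeted events from the previous paragraph (Windows 95 DoS, gftpd overflow, IRIX overflow) are among them.

```python
"""Environment-aware alert filtering against a pre-scanned asset database.

Added example (not code from the page or from Qiming Xingchen): an engine alert
is kept only if the signature's preconditions (target OS, exposed service, or a
specific vulnerability) match what an earlier scan recorded about the target.
The asset records, signature metadata and alerts are all constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed "environmental assets database": one record per scanned host.
ASSETS = {
    "10.0.0.5": {"os": "windows2000", "services": {80: "iis"},    "vulns": {"iis-unicode"}},
    "10.0.0.7": {"os": "linux",       "services": {21: "vsftpd"}, "vulns": set()},
    "10.0.0.9": {"os": "windows2000", "services": {1434: "ssrs"}, "vulns": {"ssrs-overflow"}},
}


@dataclass(frozen=True)
class Signature:
    """What an event presupposes about its target; None means 'any'."""
    name: str
    os: Optional[str] = None       # required OS of the target
    port: Optional[int] = None     # port the event is aimed at
    service: Optional[str] = None  # service expected on that port
    vuln: Optional[str] = None     # vulnerability the scan must have confirmed


# Constructed signature metadata (vulnerability identifiers are illustrative labels).
SIGNATURES = {
    "win95-dos":      Signature("win95-dos", os="windows95"),
    "gftpd-overflow": Signature("gftpd-overflow", port=21, service="gftpd"),
    "irix-overflow":  Signature("irix-overflow", os="irix"),
    "iis-unicode":    Signature("iis-unicode", port=80, service="iis", vuln="iis-unicode"),
    "ssrs-overflow":  Signature("ssrs-overflow", port=1434, service="ssrs", vuln="ssrs-overflow"),
}


def classify(sig_name: str, dst_ip: str) -> str:
    """Return 'actionable', 'suppressed' or 'unscanned' for one engine alert.

    'unscanned' means no asset record exists, so the alert cannot be filtered
    and should be queued for a verification scan rather than dropped.
    """
    sig = SIGNATURES[sig_name]
    asset = ASSETS.get(dst_ip)
    if asset is None:
        return "unscanned"
    if sig.os is not None and asset["os"] != sig.os:
        return "suppressed"          # exploit for a platform the target does not run
    if sig.port is not None and sig.port not in asset["services"]:
        return "suppressed"          # nothing listening on the targeted port
    if sig.service is not None and asset["services"].get(sig.port) != sig.service:
        return "suppressed"          # a different product on that port
    if sig.vuln is not None and sig.vuln not in asset["vulns"]:
        return "suppressed"          # scan found the target not vulnerable
    return "actionable"


def filter_alerts(alerts):
    """Group raw engine alerts (sig_name, dst_ip) by verdict."""
    out = {"actionable": [], "suppressed": [], "unscanned": []}
    for sig_name, dst_ip in alerts:
        out[classify(sig_name, dst_ip)].append((sig_name, dst_ip))
    return out


# Constructed alert stream, as the engine would upload it before any filtering.
RAW_ALERTS = [
    ("irix-overflow", "10.0.0.5"),    # IRIX exploit thrown at a Windows host
    ("win95-dos", "10.0.0.9"),        # Windows 95 DoS against Windows 2000
    ("gftpd-overflow", "10.0.0.7"),   # gftpd overflow, but the host runs vsftpd
    ("iis-unicode", "10.0.0.5"),      # real: IIS with the vulnerability confirmed
    ("ssrs-overflow", "10.0.0.9"),    # real: SSRS exposed and unpatched
    ("iis-unicode", "10.0.0.42"),     # never scanned: keep for verification
]

if __name__ == "__main__":
    for verdict, items in filter_alerts(RAW_ALERTS).items():
        print(verdict, items)
```

The point of the third verdict is that an unscanned target must not be treated like a suppressed one: without a record, the filter has no evidence either way, so the alert goes to the after-the-fact verification scan the console offers rather than being dropped.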

Second, although most commercial intrusion detection systems match events against a signature base, such a base can only express an event approximately, so one research direction in intrusion detection is a multi-information filtering language that can describe every possible misuse condition and form a complete, precise event specification. The core database of Qiming Xingchen's new-generation intrusion detection system introduces multi-dimensional event description technology to describe and analyse both the target environment and the characteristics of intrusion events, which greatly improves the usefulness of alarm events. The system also uses event root-cause analysis (analysis based on the vulnerability mechanism and similar methods) to detect unknown attacks. Root-cause analysis identifies the underlying cause of a vulnerability or misuse; detecting that root-cause marker catches new attacks and variants of known ones, and the remote verification scanner then confirms whether the vulnerability is actually present. Examples: remote detection of the RPC DCOM overflow (MS) before the MSBlast worm broke out; detection of the SQL Server 2000 Resolution Service remote overflow (MS) before the SQL Slammer worm; detection of the IIS Unicode vulnerability (MS) before the Nimda worm; and detection of the MIME header vulnerability (MS) and the IIS CGI filename erroneous decoding vulnerability (MS).
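What "detecting the root-cause marker" buys over plain signature matching, as an added example (not code from the page or from Qiming Xingchen), using the SQL Server 2000 Resolution Service case listed above. That service reads a one-byte request type followed by an instance name, and the overflow that SQL Slammer later used is reached through an over-long name in a type 0x04 request. A signature engine matches one exploit body it has been given; a mechanism engine checks for the condition the bug requires, so a variant with different bytes still fires. Every datagram below is constructed (none is the worm's packet), the "known exploit" prefix merely stands in for a published pattern, and the 64-byte threshold is an assumed safe length rather than the real buffer size.

```python
"""Signature matching versus vulnerability-mechanism detection on UDP/1434.

Added example, not code from the page or from Qiming Xingchen. The SQL Server
2000 Resolution Service reads a one-byte request type followed by an instance
name, and the overflow that SQL Slammer used is reached through an over-long
name in a type 0x04 request. Everything below is constructed for illustration:
the 'known exploit' prefix stands in for a published exploit pattern, and the
64-byte threshold is an assumed safe length, not the real buffer size.
"""

# --- signature engine: matches one exploit body it has been given -------------
KNOWN_EXPLOIT_PREFIX = b"\x04\x01\x01\x01\x01"   # constructed pattern


def signature_match(payload: bytes) -> bool:
    return payload.startswith(KNOWN_EXPLOIT_PREFIX)


# --- mechanism engine: flags the condition the bug needs, whatever the bytes ---
MAX_INSTANCE_NAME = 64   # assumed; set from the vulnerability analysis in practice


def parse_ssrs(payload: bytes):
    """Split an SSRS datagram into (request_type, body); None if empty."""
    if not payload:
        return None
    return payload[0], payload[1:]


def mechanism_match(payload: bytes) -> bool:
    parsed = parse_ssrs(payload)
    if parsed is None:
        return False
    req_type, body = parsed
    # root-cause marker: a 0x04 request whose instance name exceeds the buffer
    return req_type == 0x04 and len(body) > MAX_INSTANCE_NAME


def detect(payload: bytes) -> frozenset:
    """Which engines fire on one datagram."""
    fired = set()
    if signature_match(payload):
        fired.add("signature")
    if mechanism_match(payload):
        fired.add("mechanism")
    return frozenset(fired)


# Constructed datagrams: none is a real worm packet.
SAMPLES = {
    "ping":          b"\x02",                            # benign discovery
    "named":         b"\x04SQLEXPRESS",                  # benign named-instance lookup
    "known-exploit": KNOWN_EXPLOIT_PREFIX + b"A" * 300,  # body the signature was written for
    "variant":       b"\x04" + b"B" * 300,               # same bug, different bytes
    "prefix-only":   KNOWN_EXPLOIT_PREFIX,               # matches the signature, cannot overflow
}


def verdicts() -> dict:
    return {name: detect(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in verdicts().items():
        print(f"{name:14s} {sorted(fired) or '-'}")
```

The "variant" and "prefix-only" rows show the two failure modes of the signature approach: a missed alarm for a rewritten exploit, and a false alarm for bytes that match the pattern but cannot reach the overflow. In the fused system the mechanism alert is then handed to the environment database and the remote verification scanner to confirm the target is actually vulnerable; that step is not repeated here.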

To sum up, the new-generation intrusion detection system not only overcomes the earlier limits on effective alarming but, by integrating vulnerability scanning technology, also improves the detection and protection of target assets; combining vulnerability-mechanism analysis with scan-based verification further improves the detection and discovery of new attack events. (end)

Copyright © 2011 JIN SHI