Intrusion Detection Method

4.7.2 Intrusion Detection Method

1. Technical classification

Intrusion detection systems can be classified technically into two categories.

(1) Signature-based detection: also called misuse detection, this method assumes that an attack can be represented as a pattern, and the aim of the system is to detect whether observed activities match those patterns. It can detect any known attack pattern, but it cannot deal with new attack patterns. The difficulty with this method is how to design patterns that represent the intrusion phenomena without also matching normal activities.

(2) Anomaly detection: this method assumes that intrusions differ from normal activities. Based on this assumption, an “activity record” (a profile of normal behaviour) is established, and the current activity is compared against it; when the activity violates the statistical laws derived from the record, it is considered an attack. The difficulty with this method is how to establish the “activity record” and how to design the statistical methods so that normal operations are not classed as “intrusion” and true “intrusion” is not neglected.

2. Commonly used detection methods

Commonly used detection methods include signature detection, statistical detection and expert system detection. According to a report from the Ministry of Public Security, 95% of intrusion detection products are signature detection products; the other 5% are statistical detection and expert system products.

(1) Signature detection: signature detection describes known attacks and intrusions precisely to form event models. When the event currently being audited matches a known event, an alarm is triggered. The working principle of this method is the same as that of the expert system, and its detection approach is similar to that of virus detection. Currently, model matching based on packet features is widely used. Although this method has a high rate of correct prediction, it is powerless in the presence of unknown intrusions and attacks.

(2) Statistical detection: statistical models usually perform anomaly detection. Commonly used parameters in a statistical model include the number of audit events, time intervals and resource consumption. The largest advantage of statistical detection is that it can “learn” a user's habits, so that it has a higher detection rate and usability. However, this “learning” ability gives intruders the chance to gradually “train” the system, so that intruding events come to fit the statistical patterns of normal operations. There are five commonly used statistical models for intrusion detection:

① Operation model. This model assumes that anomalies can be found by comparing measured results against some definite indexes, which can be obtained by computing the statistical average over a period of time. For example, many login attempts in a short time may well be an attack.

② Variance model. The variance of the parameters is computed to set a confidence interval; when the measured value falls outside the confidence interval, it may be an anomaly.

③ Multivariate model. An extension of the operation model, which performs detection by analyzing multiple parameters at the same time.

④ Markov process model. Each type of event is defined as a system state, and a state-transition matrix represents the changes of state. When an event occurs for which the probability in the state-transition matrix is small, it may be an anomaly.

⑤ Time sequence analysis. The event counts and resource consumption are arranged by time into a sequence; if the probability of a new event occurring within this time sequence is very small, it may be an attack.
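As an added illustration (not from the textbook), the operation, variance and Markov process models above can be sketched in Python over constructed audit data; the thresholds, event types and sample counts are all assumptions chosen for the example:

```python
"""Toy detectors for three of the statistical models in 4.7.2 (added example)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: failed logins per minute for one user in a quiet period.
BASELINE_FAILED_LOGINS = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0]

# Constructed baseline: the order of audit event types in normal sessions.
BASELINE_SEQUENCE = ["login", "read", "read", "write", "logout",
                     "login", "read", "write", "read", "logout"]


def operation_model(value, threshold):
    """Operation model: flag when a measured value exceeds a fixed index."""
    return value > threshold


def variance_model(value, baseline, k=3.0):
    """Variance model: flag values outside the interval mean +/- k * stddev.

    The interval is derived from the baseline (population std. deviation).
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    return abs(value - mu) > k * sigma


def transition_probabilities(seq):
    """Markov model: estimate P(next | current) from a baseline event sequence."""
    counts = Counter(zip(seq, seq[1:]))      # how often each (a -> b) occurred
    totals = Counter(seq[:-1])               # how often each state was left
    return {pair: c / totals[pair[0]] for pair, c in counts.items()}


def markov_model(seq, probs, min_prob=0.1):
    """Return the transitions in seq that were unseen or rare in the baseline."""
    return [(a, b) for a, b in zip(seq, seq[1:])
            if probs.get((a, b), 0.0) < min_prob]


if __name__ == "__main__":
    # Assumed index for the operation model: more than 5 failures per minute.
    print("operation:", operation_model(6, threshold=5))
    print("variance:", variance_model(3, BASELINE_FAILED_LOGINS))
    probs = transition_probabilities(BASELINE_SEQUENCE)
    print("markov:", markov_model(["login", "write", "write", "logout"], probs))
```

The Markov check reports transitions the baseline never produced (login straight to write, write to write), which is the "small transition probability" case the model describes; the variance check flags 3 failed logins because the baseline mean is 0.5 with a standard deviation of about 0.67.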

(3) Expert system: the expert system usually focuses on intrusions with known features. The so-called rules are knowledge; different systems and settings have different rules, and the rules are not universal. The expert system relies heavily on the integrity of the knowledge base, which in turn relies on the integrity of the real-time audit records. The extraction and representation of intrusion patterns are the key to the expert system. In implementation, knowledge of intrusions is converted into if-then structures, where the if-part describes the features of an intrusion and the then-part specifies the countermeasures the system takes. The effectiveness of an expert system pivots on the integrity of its knowledge base.

Intrusion technology has changed a lot in terms of scale and methods, and the means and techniques of intrusion have progressed as well. The evolution of intrusion technology shows in the following aspects.

Integration and complication of intrusion or attack: the intruder often combines multiple attack means to ensure the success of the intrusion.

Indirectness of the intruder: both the intruder and the attack objects are hidden; the intruder's source address and host location are concealed during the intrusion and attack.

Expansion of the scale of intrusion or attack: intrusions and attacks against networks were originally aimed at a particular company or website, out of curiosity or for commercial purposes. Now that warfare depends more and more on electronic and network technology, war-related intrusion or attack will surely grow in scale.

Distribution of intrusion or attack technology: intrusions and attacks were often launched from a single computer, and this kind of intrusion has been rendered powerless by the development of preventive technology. But a distributed denial of service (DDoS) attack can bring a host down in a very short time, and it can be easily detected at the initial stage.

Shift of attack target: in the past the network itself was usually the target of attack, but recently the target has shifted to the network's protective systems. The attacker makes a detailed analysis of the IDS's audit mode, feature descriptions and communication mode to find its weak points and then launches attacks.
