Intrusion detection is the detection of intrusive behavior. By collecting and analyzing information from a number of key points in a network or computer system (network behavior, security logs, audit data and other network and system data), it checks whether the network or system shows signs of security policy violations or of attacks. As a proactive security protection technology, intrusion detection provides real-time protection against internal attacks, external attacks and misuse, and aims to intercept and respond to an intrusion before the network system is harmed. It is therefore regarded as the second security gate after the firewall, and it can monitor the network without affecting network performance. Intrusion detection accomplishes this by performing the following tasks: monitoring and analyzing user and system activity; auditing the system's configuration and weaknesses; recognizing activity that matches known attack patterns and alerting the responsible personnel; statistical analysis of abnormal behavior patterns; assessing the integrity of critical system and data files; and managing the operating system's audit trail and identifying user violations of the security policy. Intrusion detection is a reasonable complement to the firewall: it helps the system cope with network attacks, extends the system administrator's security management capabilities (including security auditing, monitoring, attack recognition and response), and increases the integrity of the information security infrastructure. In short, it collects information from a number of key points in a computer network system and analyzes that information for any sign of security policy violations or attacks in the network.
According to the object being monitored, the host or the network, intrusion detection systems are divided into host-based and network-based intrusion detection systems:
(1) Host-based intrusion detection system: detects intrusions by monitoring and analyzing the host's audit records. Whether the audit records can be collected in time is one of the weaknesses of these systems; an intruder may target the host's audit subsystem itself in order to evade the intrusion detection system.
(2) Network-based intrusion detection system: collects data by intercepting communications on a shared network segment and analyzes it for suspicious activity. Such systems do not require the host to provide a rigorous audit, consume fewer host resources, and can provide universal protection for the network without having to account for the different architectures of heterogeneous hosts.
(3) Distributed intrusion detection system: at present this technology has been applied in ISS products. The data it examines also comes from network packets; the difference is that it uses distributed detection with centralized management. A "black box" is placed on each network segment; the black box is equivalent to a network-based intrusion detection system but has no user interface. Each black box monitors the data flow on its own segment, analyzes it according to the security policy and response rules defined by the centralized security management center, and at the same time sends security event information to that center. The centralized security management center is the user-facing interface of the distributed intrusion detection system. This approach is characterized by a relatively large scope of data protection, but it has a certain impact on network traffic.
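As an added illustration (not code from the original page), the following toy host-based detector performs three of the tasks listed above over constructed audit records: matching known attack patterns, statistical analysis of abnormal behavior, and integrity checking of critical files. The signatures, audit records, baselines and file paths are all constructed for the example.

```python
"""Toy host-based IDS over constructed audit records (added example, not from the page).
Covers three tasks the text names: known-pattern matching, statistical detection of
abnormal behavior, and integrity checks of critical files. All data is constructed."""
import hashlib
import re
import statistics

# Known attack patterns expressed as regexes over audit records (constructed).
SIGNATURES = {
    "shell-from-web-server": re.compile(r"uid=www-data .*exec=/bin/(sh|bash)"),
    "sudoers-modified": re.compile(r"write path=/etc/sudoers"),
}
# Constructed audit records and baselines that a sensor would collect on one host.
AUDIT = ["uid=1001 login_failed user=bob src=10.0.0.7"] * 4 + [
    "uid=www-data pid=4242 exec=/bin/sh"]
FAILED_LOGIN_BASELINE = {"bob": [0, 1, 0, 1], "alice": [1, 1, 2, 1]}  # per-day history
KNOWN_HASHES = {"/etc/passwd": hashlib.sha256(b"root:x:0:0\n").hexdigest()}

def match_signatures(records):
    """Return (signature, record) pairs for records matching a known attack pattern."""
    return [(name, rec) for rec in records
            for name, rx in SIGNATURES.items() if rx.search(rec)]

def anomalous_failed_logins(records, baseline, threshold=3.0):
    """Flag users whose failed-login count exceeds their historical mean by more
    than `threshold` standard deviations (the statistical-analysis task)."""
    counts = {}
    for rec in records:
        m = re.search(r"login_failed user=(\w+)", rec)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    flagged = []
    for user, n in counts.items():
        hist = baseline.get(user, [])
        if len(hist) < 2:
            continue  # no usable history for this user
        sd = statistics.pstdev(hist) or 1.0  # avoid division by zero on a flat history
        if (n - statistics.mean(hist)) / sd > threshold:
            flagged.append(user)
    return sorted(flagged)

def integrity_violations(current_contents, known_hashes):
    """Return critical files whose SHA-256 no longer matches the recorded value."""
    return sorted(p for p, data in current_contents.items()
                  if hashlib.sha256(data).hexdigest() != known_hashes.get(p))

def run(records=AUDIT, files=None):
    """Run all three checks and return the findings a management console would receive."""
    files = files if files is not None else {"/etc/passwd": b"root:x:0:0\nevil:x:0:0\n"}
    return {"signatures": [n for n, _ in match_signatures(records)],
            "anomalies": anomalous_failed_logins(records, FAILED_LOGIN_BASELINE),
            "integrity": integrity_violations(files, KNOWN_HASHES)}
```

In a distributed deployment of the kind described in (3), `run()` would execute on each segment's sensor and the returned findings would be forwarded to the central management center.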