Utilisateur:Crashdown59/BrouillonArchitectureDetection


The architecture of an intrusion detection system (IDS) describes the main components of an IDS and the different design choices that can be made when building one.


Components

The majority of existing IDS split their functionality into components (or modules), each of which implements a small part of the IDS's functionality. [1] An IDS contains a Monitoring module, which can be separated into director monitoring and host monitoring, a Probe module and a Countermeasures module.

Probe

The probe is in charge of recording every action performed on the system or the network. [2] Each action is recorded separately as an audit record. These audit records are then sent to the Host Monitoring module to be scanned.

Monitoring

Director monitoring

The director consists of three major components that are all located on the same dedicated workstation. [3] Because the components are logically independent processes, they could be distributed as well. The communications manager is responsible for the transfer of data between the director and each of the host and LAN monitors. It accepts the notable-event records from each of the host monitors and sends them to the expert system. On behalf of the expert system or the user interface, it can also send requests to the host and LAN monitors for more information about a particular subject. The expert system is responsible for evaluating and reporting on the security state of the monitored system. It receives the reports from the host and LAN monitors and, based on these reports, makes inferences about the security of each individual host as well as of the system as a whole.


Host monitoring

Clearly, not all of the audit data can be forwarded to a single IDS for analysis; some analysis must be done locally. [4] The host monitor receives audit records from the probe. These records are then scanned for notable events. In a HIDS, notable events can be:

  • user authentication
  • access to /etc/passwd
  • other events [5]

In a NIDS, notable events can be:

  • rlogin
  • telnet connections [6]

When a notable event is found, a report is sent independently and asynchronously from the host to the director through a communications infrastructure.

Counter-measure module

If the monitor decides that a packet is harmful to the system, the counter-measure module can take one of two decisions:

  • the first is to alert the administrator that someone has invaded the system, so that the problem can be investigated in more depth
  • the second is to drop the packets that would damage the system, in order to stop the intrusion [7]
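The component pipeline described in the sections above (probe, host monitor, communications manager, expert system and counter-measure module) as one runnable Python example. This is an added illustration written for this page, not code from any of the cited systems; the notable-event rules, the host-state thresholds, the drop/alert policy and the audit records are all constructed assumptions.

```python
from __future__ import annotations
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    host: str
    kind: str      # "host" for HIDS-style events, "net" for NIDS-style events
    subject: str   # user name or source address
    action: str    # "auth", "open", "read", "write", "connect", ...
    target: str    # file path, or "address:port" for network events
    outcome: str = "success"


@dataclass(frozen=True)
class NotableEvent:
    host: str
    reason: str
    record: AuditRecord


class Probe:
    """Registers every action on its host as a separate audit record."""
    def __init__(self, host: str) -> None:
        self.host = host
        self.records: list[AuditRecord] = []

    def register(self, kind, subject, action, target, outcome="success") -> AuditRecord:
        rec = AuditRecord(self.host, kind, subject, action, target, outcome)
        self.records.append(rec)
        return rec


# Hypothetical notable-event rules following the examples given in the text.
NOTABLE_PORTS = {23: "telnet connection", 513: "rlogin connection"}


class HostMonitor:
    """Scans audit records locally; only notable events leave the host."""
    def __init__(self, host: str, outbox: deque[NotableEvent]) -> None:
        self.host = host
        self.outbox = outbox   # asynchronous channel towards the director

    def classify(self, rec: AuditRecord) -> str | None:
        if rec.kind == "host" and rec.action == "auth":
            return "user authentication"
        if rec.kind == "host" and rec.target == "/etc/passwd":
            return "access to /etc/passwd"
        if rec.kind == "net" and rec.action == "connect":
            port = int(rec.target.rsplit(":", 1)[1])
            return NOTABLE_PORTS.get(port)
        return None

    def scan(self, records) -> list[NotableEvent]:
        events = []
        for rec in records:
            reason = self.classify(rec)
            if reason is not None:
                ev = NotableEvent(self.host, reason, rec)
                events.append(ev)
                self.outbox.append(ev)   # report sent independently of the scan
        return events


class ExpertSystem:
    """Infers a per-host security state from the reports it receives (constructed thresholds)."""
    def __init__(self) -> None:
        self.events: dict[str, list[NotableEvent]] = defaultdict(list)

    def ingest(self, ev: NotableEvent) -> None:
        self.events[ev.host].append(ev)

    def host_state(self, host: str) -> str:
        evs = self.events.get(host, [])
        failed_auth = sum(1 for e in evs if e.record.action == "auth" and e.record.outcome == "failure")
        passwd_writes = sum(1 for e in evs if e.record.target == "/etc/passwd" and e.record.action == "write")
        if passwd_writes:
            return "compromised"
        if failed_auth >= 3:
            return "under attack"
        return "notable" if evs else "normal"


class CommunicationsManager:
    """Moves reports from the host monitors' channel into the expert system."""
    def __init__(self, inbox: deque[NotableEvent], expert: ExpertSystem) -> None:
        self.inbox, self.expert = inbox, expert

    def pump(self) -> int:
        delivered = 0
        while self.inbox:
            self.expert.ingest(self.inbox.popleft())
            delivered += 1
        return delivered


def counter_measure(ev: NotableEvent, host_state: str) -> str:
    """Drop network packets aimed at a host already under attack; otherwise alert the administrator."""
    if ev.record.kind == "net" and host_state in ("under attack", "compromised"):
        return "drop"
    return "alert"


def run_demo() -> dict:
    # Constructed audit trail for one workstation: one good login, three failed
    # logins, two connections (telnet and HTTPS) and a read of /etc/passwd.
    probe = Probe("ws1")
    probe.register("host", "alice", "auth", "/dev/pts/0")
    probe.register("host", "alice", "open", "/var/log/syslog")
    for _ in range(3):
        probe.register("host", "bob", "auth", "/dev/pts/1", outcome="failure")
    probe.register("net", "10.0.0.5", "connect", "10.0.0.9:23")
    probe.register("net", "10.0.0.5", "connect", "10.0.0.9:443")
    probe.register("host", "bob", "read", "/etc/passwd")

    channel: deque[NotableEvent] = deque()
    expert = ExpertSystem()
    events = HostMonitor("ws1", channel).scan(probe.records)
    delivered = CommunicationsManager(channel, expert).pump()
    state = expert.host_state("ws1")
    decisions = Counter(counter_measure(ev, state) for ev in events)
    return {"records": len(probe.records), "events": len(events), "delivered": delivered,
            "state": state, "decisions": dict(decisions)}


if __name__ == "__main__":
    print(run_demo())
```

Of the eight audit records only six are notable, and only those cross the channel to the director; the expert system then rates the host "under attack" from the three failed logins, so the telnet connection is dropped while the remaining events are raised as alerts.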

Data analysis

Means of detection

In general, there are three main techniques for intrusion detection:

  • misuse (signature-based) detection
  • anomaly (behavior-based) detection [8]
  • AI-based detection [9]

Misuse and anomaly detection can be used simultaneously in the same IDS. [10]

Anomaly detection

Anomaly detection uses models of the intended behavior of users and applications, interpreting deviations from this "normal" behavior as a problem. [11] An anomaly-based IDS tries to find suspicious activity on the system. To this end, in an initial phase the IDS must be trained in order to learn what is considered "normal" and "legitimate". After that, the system reports any suspicious activity. [12]

Signature-based detection

Misuse detection systems try to match computer activity to stored signatures of known attacks. [13] In other words, misuse detection systems use a priori knowledge of attacks to look for attack traces. This method employs sequential rules that characterize a user's behavior over time. [14] A rule base stores patterns of user activity; for example, a rule can characterize the sequential relationship between security-relevant audit records. The rules can be static (based on security policy) or dynamic (based on time-based inductive learning techniques).
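The two detection techniques described above, anomaly detection (a profile of "normal" behavior trained first, deviations reported afterwards) and misuse detection (sequential rules over audit records), combined into the hybrid arrangement the "Means of detection" section mentions. This is an added Python example written for this page, not code from any cited work: the anomaly part is a from-scratch sketch of the system-call sequence model of Warrender, Forrest and Pearlmutter, the signature names and patterns are hypothetical, and the traces are constructed.

```python
from __future__ import annotations
from typing import Iterable

# Audit records are constructed strings of the form "syscall:argument".
def syscall(record: str) -> str:
    return record.split(":", 1)[0]


# --- Anomaly (behavior-based) detection --------------------------------
# "Normal" behavior is the set of short system-call sequences (n-grams) seen
# during training; a trace is scored by the fraction of its windows that were
# never seen. The profile abstracts records to the syscall name only.
class SequenceProfile:
    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.known: set[tuple[str, ...]] = set()

    def _windows(self, trace: list[str]) -> list[tuple[str, ...]]:
        names = [syscall(r) for r in trace]
        return [tuple(names[i:i + self.n]) for i in range(len(names) - self.n + 1)]

    def train(self, traces: Iterable[list[str]]) -> None:
        for trace in traces:
            self.known.update(self._windows(trace))

    def anomaly_score(self, trace: list[str]) -> float:
        """Fraction of unseen windows; a trace shorter than n yields no window and scores 0.0."""
        windows = self._windows(trace)
        if not windows:
            return 0.0
        unseen = sum(1 for w in windows if w not in self.known)
        return unseen / len(windows)


# --- Misuse (signature-based) detection --------------------------------
# A rule base of sequential rules: a signature fires when its records appear
# in the given order in the audit trail, not necessarily adjacent.
# Hypothetical signatures constructed for this example.
SIGNATURES = {
    "password-file-tamper": ["open:/etc/passwd", "write:/etc/passwd"],
    "privileged-shell-spawn": ["setuid:0", "execve:/bin/sh"],
}


def matches_signature(records: list[str], pattern: list[str]) -> bool:
    if not pattern:
        return False
    idx = 0
    for rec in records:
        if rec == pattern[idx]:
            idx += 1
            if idx == len(pattern):
                return True
    return False


def misuse_detect(records: list[str], signatures=SIGNATURES) -> list[str]:
    return [name for name, pat in signatures.items() if matches_signature(records, pat)]


# --- Hybrid: both detectors over the same audit trail -------------------
def hybrid_detect(profile: SequenceProfile, records: list[str],
                  signatures=SIGNATURES, threshold: float = 0.2) -> dict:
    hits = misuse_detect(records, signatures)
    score = profile.anomaly_score(records)
    return {"signatures": hits, "anomaly_score": score,
            "suspicious": bool(hits) or score >= threshold}


# Constructed traces of a hypothetical login program (not real audit data).
NORMAL_TRACES = [
    ["execve:/bin/login", "open:/etc/passwd", "read:/etc/passwd", "close:/etc/passwd",
     "setuid:1000", "execve:/bin/sh", "exit:0"],
    ["execve:/bin/login", "open:/etc/passwd", "read:/etc/passwd", "close:/etc/passwd",
     "write:/dev/tty", "exit:1"],
]
ATTACK_TRACE = ["execve:/bin/login", "open:/etc/passwd", "write:/etc/passwd",
                "close:/etc/passwd", "setuid:0", "execve:/bin/sh", "exit:0"]


def trained_profile(n: int = 3) -> SequenceProfile:
    """Initial training phase on the normal traces only."""
    profile = SequenceProfile(n)
    profile.train(NORMAL_TRACES)
    return profile


if __name__ == "__main__":
    p = trained_profile()
    for name, trace in (("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)):
        print(name, hybrid_detect(p, trace))
```

The attack trace is caught twice: three of its five 3-gram windows were never seen in training (score 0.6), and both sequential rules match it, whereas the normal traces score 0.0 and match no rule. Note that the anomaly detector reads only the syscall names, so a tampering trace that reused a known sequence with different arguments would be missed by it and caught only by the signature rules; that is the reason for running both.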

AI-based detection

Some researchers use neural networks to try to detect intrusions into the system. [15] In this approach, a component that translates the data coming from the probe into the input of the neural network, and translates its output back at the end, must be added in order to use the neural network.

Differences between IDS architectures

Agent architecture

History

Quotes

References

Bibliography

  • Vigna and Kemmerer, "NetSTAT: A Network-based Intrusion Detection System", Journal of Computer Security, vol. 7, no. 1, p. 3-7
  • Sundaram and Aurobindo, "An Introduction to Intrusion Detection", Crossroads, vol. 2, no. 4, p. 3-7 (ISSN 1528-4972, DOI 10.1145/332159.332161)
  • Mukherjee, Aurobindo and Levitt, "Network intrusion detection", IEEE Network, vol. 8, no. 3, p. 26-41 (ISSN 0890-8044, DOI 10.1109/65.283931)
  • Warrender, Forrest and Pearlmutter, "Detecting intrusions using system calls: alternative data models", IEEE Xplore, p. 133-145 (DOI 10.1109/SECPRI.1999.766910)
  • Zhang, Wang, Sun, Green and Alam, "Distributed Intrusion Detection System in a Multi-Layer Network Architecture of Smart Grids", IEEE Transactions on Smart Grid, vol. 2, no. 4, p. 796-808 (ISSN 1949-3053, DOI 10.1109/TSG.2011.2159818)
  • Roschke, Cheng and Meinel, "Intrusion Detection in the Cloud", IEEE Xplore, p. 729-734 (DOI 10.1109/DASC.2009.94)
  • Depren, Topallar, Anarim and Ciliz, "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks", Expert Systems with Applications, vol. 29, no. 4, p. 713-722 (ISSN 0957-4174, DOI 10.1016/j.eswa.2005.05.002)
  • Rashida and Seyedeh, "Hybrid architecture for distributed intrusion detection system in wireless network", International Journal of Network Security & Its Applications, vol. 5, no. 3, p. 45 (DOI 10.5121/ijnsa.2013.5305)
  • Steven R. Snapp, James Brentano, Gihan V. Dias, Terrance L. Goan, L. Todd Heberlein, Che-Lin Ho, Karl N. Levitt, Biswanath Mukherjee, Stephen E. Smaha, Tim Grance, Daniel M. Teal and Doug Mansur, "DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype", in Internet Besieged, ACM Press/Addison-Wesley Publishing Co., New York, NY, USA, p. 211-227 (ISBN 978-0-201-30820-4)
  • J. Gómez, C. Gil, N. Padilla, R. Baños and C. Jiménez, "Design of a Snort-Based Hybrid Intrusion Detection System", in Distributed Computing, Artificial Intelligence, Bioinformatics, Soft Computing, and Ambient Assisted Living, Lecture Notes in Computer Science, Springer Berlin Heidelberg, p. 515-522 (ISBN 978-3-642-02481-8, DOI 10.1007/978-3-642-02481-8_75)
  • M. Ali Aydın, A. Halim Zaim and K. Gökhan Ceylan, "A hybrid intrusion detection system design for computer network security", Computers & Electrical Engineering, vol. 35, no. 3, p. 517-526 (ISSN 0045-7906, DOI 10.1016/j.compeleceng.2008.12.005)
  • J.S. Balasubramaniyan, J.O. Garcia-Fernandez, D. Isacoff, E. Spafford and D. Zamboni, "An architecture for intrusion detection using autonomous agents", Proceedings of the 14th Annual Computer Security Applications Conference, p. 13-24 (DOI 10.1109/CSAC.1998.738563)
  • H. Debar, M. Becker and D. Siboni, "A neural network component for an intrusion detection system", Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, p. 240-250 (DOI 10.1109/RISP.1992.213257)
  • Chirag Modi, Dhiren Patel, Bhavesh Borisaniya, Hiren Patel, Avi Patel and Muttukrishnan Rajarajan, "A survey of intrusion detection techniques in Cloud", Journal of Network and Computer Applications, vol. 36, no. 1, p. 42-57 (ISSN 1084-8045, DOI 10.1016/j.jnca.2012.05.003)
  • Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin and Kuang-Yuan Tung, "Intrusion detection system: A comprehensive review", Journal of Network and Computer Applications, vol. 36, no. 1, p. 16-24 (ISSN 1084-8045, DOI 10.1016/j.jnca.2012.09.004)