搜索

此内容没有您所选择的语言版本。

Chapter 9. Intrusion Detection

download PDF
Valuable property needs to be protected from the prospect of theft and destruction. Some homes are equipped with alarm systems that can deter burglars, notify authorities when a break-in has occurred, and even warn owners when their home is on fire. Such measures are necessary to ensure the integrity of homes and the safety of homeowners.
The same assurance of integrity and safety should also be applied to computer systems and data. The Internet has facilitated the flow of information, from personal to financial. At the same time, it has fostered just as many dangers. Malicious users and crackers seek vulnerable targets such as unpatched systems, systems infected with trojans, and networks running insecure services. Alarms are needed to notify administrators and security team members that a breach has taken place so that they can respond in real-time to the threat. Intrusion detection systems have been designed as such a warning system.

9.1. Defining Intrusion Detection Systems

An intrusion detection system (IDS) is an active process or device that analyzes system and network activity for unauthorized entry and/or malicious activity. The way that an IDS detects anomalies can vary widely; however, the ultimate aim of any IDS is to catch perpetrators in the act before they do real damage to resources.
An IDS protects a system from attack, misuse, and compromise. It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods you choose to deploy, there are several direct and incidental benefits to using an IDS.

9.1.1. IDS Types

Understanding what an IDS is, and the functions it provides, is key in determining what type is appropriate to include in a computer security policy. This section discusses the concepts behind IDSes, the functionalities of each type of IDS, and the emergence of hybrid IDSes that employ several detection techniques and tools in one package.
Some IDSes are knowledge-based, which preemptively alert security administrators before an intrusion occurs using a database of common attacks. Alternatively, there are behavioral-based IDSes that track all resource usage for anomalies, which is usually a positive sign of malicious activity. Some IDSes are standalone services that work in the background and passively listen for activity, logging any suspicious packets from the outside. Others combine standard system tools, modified configurations, and verbose logging, with administrator intuition and experience to create a powerful intrusion detection kit. Evaluating the many intrusion detection techniques can assist in finding one that is right for your organization.
The most common types of IDSes referred to in the security field are known as host-based and network-based IDSes. A host-based IDS is the most comprehensive of the two, which involves implementing a detection system on each individual host. Regardless of which network environment the host resides on, it is still protected. A network-based IDS funnels packets through a single device before being sent to specific hosts. Network-based IDSes are often regarded as less comprehensive since many hosts in a mobile environment make it unavailable for reliable network packet screening and protection.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.