Difference between revisions of "Intrusion Detection System"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 1: | Line 1: | ||
− | + | Intrution Detection System atau '''IDS''' adalah perangkat (atau aplikasi) yang memonitor jaringan dan / atau sistem untuk kegiatan berbahaya atau pelanggaran kebijakan dan memberikan laporan ke administrator atau station manajemen jaringan. Pencegahan intrusi / pemyusupkan adalah proses melakukan deteksi intrusi dan mencoba untuk menghentikan insiden yang mungkin terdeteksi. Intrusion Detection and Prevention System '''IDPS''' atau Sistem pendeteksi intrusi dan pencegahanterutama difokuskan pada identifikasi kemungkinan insiden, mencatat informasi tentang insiden tersebut, mencoba untuk menghentikan mereka, dan melaporkan mereka ke administrator keamanan. Selain itu, organisasi dapat menggunakan IDPS untuk keperluan lain, seperti mengidentifikasi masalah dengan kebijakan keamanan, mendokumentasikan ancaman yang ada, dan menghalangi orang dari melanggar kebijakan keamanan. IDPS telah menjadi tambahan yang diperlukan untuk infrastruktur keamanan hampir setiap organisasi. | |
IDPS biasanya mencatat informasi yang berkaitan dengan peristiwa yang diamati, memberitahu administrator keamanan penting peristiwa yang diamati, dan menghasilkan laporan. Banyak IDPS juga dapat menanggapi ancaman yang terdeteksi dengan mencoba untuk mencegah berhasil. Mereka menggunakan beberapa teknik respon, yang melibatkan IDPS menghentikan serangan itu sendiri, mengubah lingkungan keamanan (misalnya, konfigurasi ulang firewall), atau mengubah konten serangan ini. | IDPS biasanya mencatat informasi yang berkaitan dengan peristiwa yang diamati, memberitahu administrator keamanan penting peristiwa yang diamati, dan menghasilkan laporan. Banyak IDPS juga dapat menanggapi ancaman yang terdeteksi dengan mencoba untuk mencegah berhasil. Mereka menggunakan beberapa teknik respon, yang melibatkan IDPS menghentikan serangan itu sendiri, mengubah lingkungan keamanan (misalnya, konfigurasi ulang firewall), atau mengubah konten serangan ini. | ||
Line 6: | Line 6: | ||
*'''Alert/Alarm'''- Sebuah kode yang menandakan bahwa sistem sedang atau telah di serang. | *'''Alert/Alarm'''- Sebuah kode yang menandakan bahwa sistem sedang atau telah di serang. | ||
− | *'''True Positive'''- | + | *'''True Positive'''- Serangan sebenarnya yang mentrigger IDS untuk memberikan alarm. |
*'''False Positive'''- Sebuah kejadian yang menyebabkan IDS memberikan alarm saat tidak ada serangan yang terjadi. | *'''False Positive'''- Sebuah kejadian yang menyebabkan IDS memberikan alarm saat tidak ada serangan yang terjadi. | ||
*'''False Negative'''- Kegagalan IDS dalam mendeteksi sebuah serangan yang sesungguhnya. | *'''False Negative'''- Kegagalan IDS dalam mendeteksi sebuah serangan yang sesungguhnya. | ||
*'''True Negative'''- Saat tidak ada serangan yang terjadi dan tidak ada alarm yang di aktifkan. | *'''True Negative'''- Saat tidak ada serangan yang terjadi dan tidak ada alarm yang di aktifkan. | ||
*'''Noise'''- Data atau interferensi yang menyebabkan terjadinya false positive. | *'''Noise'''- Data atau interferensi yang menyebabkan terjadinya false positive. | ||
− | *'''Site policy'''- | + | *'''Site policy'''- Kebijakan dalam sebuah organisassi yang mengatur rules dan konfigurasi dari sebuah IDS. |
− | *'''Site policy awareness'''- | + | *'''Site policy awareness'''- Kemampuan IDS untuk secara dinamik mengubah rules dan konfigurasinya sebagai responds terhadap aktifitas lingkungan yang berubah-ubah. |
− | *'''Confidence value'''- | + | *'''Confidence value'''- Nilai yang diberikan pada IDS berdasarkan pada kinerja dan kemampuan analisa sebelumnya dalam menolong mengidentifikasi sebuah serangan. |
− | *'''Alarm filtering'''- | + | *'''Alarm filtering'''- Proses dalam mengkategorisasi attack alert yang dibuat oleh IDS untuk membedakan antara false positive dan attack yang sesungguhnya. |
− | == | + | == Tipe Intrusion-Detection System == |
− | + | Pada dasarnya ada dua tipe utama IDS, yaitu, | |
− | + | * network-based IDS | |
+ | * host-based IDS | ||
+ | |||
+ | Pada sebuah '''network-based''' intrusion-detection system (NIDS), sensor biasanya diletakan pada titik pintu gerbang jaringan, seperti [[demilitarized zone (computing)|demilitarized zone]] (DMZ) atau pada perbatasan jaringan. Sensor akan menangkap semua traffic jaringan, menganalisa isi masing-masing paket akan adanya traffic yang tidak baik. NIDS, biasanya sebuah platform independent yang mengidentifitasi penyusupan dengan cara menganalisa traffic dan memonitor beberapa host sekaligus. NIDS memperoleh akses ke traffic jaringan dengan menyambungkan diri ke [[network hub|hub]], [[network switch]] yang di konfigurasi untuk [[port mirroring]], atau [[network tap]]. Contoh dari sebuah NIDS adalah [[Snort (software)|Snort]]. | ||
+ | |||
+ | Pada sebuah '''host-based'''intrusion-detection system (HIDS), sensor biasanya terdiri dari [[software agent]], yang akan memonitor semua aktifitas di host dimana dia terinstall biasanya dengan menganalisa system call, modifikasi file system (mondifikasi file binary, password, capability / acl database, log berbagai aplikasi, kernel. Contoh dari HIDS adalah [[OSSEC]], [[tripwire]]. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
'''Intruders:''' Intruders are attackers who try to find the way to hack information by breaking the privacy of a network like LAN or internet. | '''Intruders:''' Intruders are attackers who try to find the way to hack information by breaking the privacy of a network like LAN or internet. | ||
Line 39: | Line 39: | ||
'''Clandstine user:'''A user who acts as a supervisor and tries to use his privileges so as to avoid being captured. | '''Clandstine user:'''A user who acts as a supervisor and tries to use his privileges so as to avoid being captured. | ||
− | Intrusion detection | + | Intrusion detection system dapat juga dibuat secara spesifik untuk system yang kita inginkan menggunakan custom tools dan [[honeypot (computing)|honeypots]]. |
== Passive system vs. reactive system == | == Passive system vs. reactive system == | ||
− | + | Dalam sebuah '''passive system''', sensor Intrusion Detection System (IDS) akan mendeteksi kemungkinan pembobolan security, mencatat informasinya dan memberikan alert ke console dan atau owner. Pada '''reactive system''', also known as an [[intrusion prevention system]] (IPS), the IPS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.in reactive intrusion detection system is one in which if the intruder or attacks is detected it does not alert the user rather responds to the illegant activity for shows a strict reaction. | |
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an [[intrusion prevention system]], and is another form of an [[application layer firewall]]. | Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an [[intrusion prevention system]], and is another form of an [[application layer firewall]]. | ||
Line 121: | Line 121: | ||
* [http://ipsec.pl/intrusion-detection/prevention-systems-classification-tree.html Intrusion Detection/Prevention Systems classification tree] (PDF, SVG, Freemind) | * [http://ipsec.pl/intrusion-detection/prevention-systems-classification-tree.html Intrusion Detection/Prevention Systems classification tree] (PDF, SVG, Freemind) | ||
− | |||
[[Category:Intrusion detection system|*]] | [[Category:Intrusion detection system|*]] |
Revision as of 15:26, 23 March 2017
Intrution Detection System atau IDS adalah perangkat (atau aplikasi) yang memonitor jaringan dan / atau sistem untuk kegiatan berbahaya atau pelanggaran kebijakan dan memberikan laporan ke administrator atau station manajemen jaringan. Pencegahan intrusi / pemyusupkan adalah proses melakukan deteksi intrusi dan mencoba untuk menghentikan insiden yang mungkin terdeteksi. Intrusion Detection and Prevention System IDPS atau Sistem pendeteksi intrusi dan pencegahanterutama difokuskan pada identifikasi kemungkinan insiden, mencatat informasi tentang insiden tersebut, mencoba untuk menghentikan mereka, dan melaporkan mereka ke administrator keamanan. Selain itu, organisasi dapat menggunakan IDPS untuk keperluan lain, seperti mengidentifikasi masalah dengan kebijakan keamanan, mendokumentasikan ancaman yang ada, dan menghalangi orang dari melanggar kebijakan keamanan. IDPS telah menjadi tambahan yang diperlukan untuk infrastruktur keamanan hampir setiap organisasi.
IDPS biasanya mencatat informasi yang berkaitan dengan peristiwa yang diamati, memberitahu administrator keamanan penting peristiwa yang diamati, dan menghasilkan laporan. Banyak IDPS juga dapat menanggapi ancaman yang terdeteksi dengan mencoba untuk mencegah berhasil. Mereka menggunakan beberapa teknik respon, yang melibatkan IDPS menghentikan serangan itu sendiri, mengubah lingkungan keamanan (misalnya, konfigurasi ulang firewall), atau mengubah konten serangan ini.
Istilah Istilah di IDS
- Alert/Alarm- Sebuah kode yang menandakan bahwa sistem sedang atau telah di serang.
- True Positive- Serangan sebenarnya yang mentrigger IDS untuk memberikan alarm.
- False Positive- Sebuah kejadian yang menyebabkan IDS memberikan alarm saat tidak ada serangan yang terjadi.
- False Negative- Kegagalan IDS dalam mendeteksi sebuah serangan yang sesungguhnya.
- True Negative- Saat tidak ada serangan yang terjadi dan tidak ada alarm yang di aktifkan.
- Noise- Data atau interferensi yang menyebabkan terjadinya false positive.
- Site policy- Kebijakan dalam sebuah organisassi yang mengatur rules dan konfigurasi dari sebuah IDS.
- Site policy awareness- Kemampuan IDS untuk secara dinamik mengubah rules dan konfigurasinya sebagai responds terhadap aktifitas lingkungan yang berubah-ubah.
- Confidence value- Nilai yang diberikan pada IDS berdasarkan pada kinerja dan kemampuan analisa sebelumnya dalam menolong mengidentifikasi sebuah serangan.
- Alarm filtering- Proses dalam mengkategorisasi attack alert yang dibuat oleh IDS untuk membedakan antara false positive dan attack yang sesungguhnya.
Tipe Intrusion-Detection System
Pada dasarnya ada dua tipe utama IDS, yaitu,
- network-based IDS
- host-based IDS
Pada sebuah network-based intrusion-detection system (NIDS), sensor biasanya diletakan pada titik pintu gerbang jaringan, seperti demilitarized zone (DMZ) atau pada perbatasan jaringan. Sensor akan menangkap semua traffic jaringan, menganalisa isi masing-masing paket akan adanya traffic yang tidak baik. NIDS, biasanya sebuah platform independent yang mengidentifitasi penyusupan dengan cara menganalisa traffic dan memonitor beberapa host sekaligus. NIDS memperoleh akses ke traffic jaringan dengan menyambungkan diri ke hub, network switch yang di konfigurasi untuk port mirroring, atau network tap. Contoh dari sebuah NIDS adalah Snort.
Pada sebuah host-basedintrusion-detection system (HIDS), sensor biasanya terdiri dari software agent, yang akan memonitor semua aktifitas di host dimana dia terinstall biasanya dengan menganalisa system call, modifikasi file system (mondifikasi file binary, password, capability / acl database, log berbagai aplikasi, kernel. Contoh dari HIDS adalah OSSEC, tripwire.
Intruders: Intruders are attackers who try to find the way to hack information by breaking the privacy of a network like LAN or internet.
Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types: 1.An authorized user with limited permissions. 2.A user with full permissions and who misuse his powers.
Clandstine user:A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
Intrusion detection system dapat juga dibuat secara spesifik untuk system yang kita inginkan menggunakan custom tools dan honeypots.
Passive system vs. reactive system
Dalam sebuah passive system, sensor Intrusion Detection System (IDS) akan mendeteksi kemungkinan pembobolan security, mencatat informasinya dan memberikan alert ke console dan atau owner. Pada reactive system, also known as an intrusion prevention system (IPS), the IPS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.in reactive intrusion detection system is one in which if the intruder or attacks is detected it does not alert the user rather responds to the illegant activity for shows a strict reaction.
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent" for sure.
Statistical anomaly and signature based IDSes
All Intrusion Detection Systems use one of two detection techniques: statistical anomaly based and/or signature based.
Statistical anomaly based IDS- A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered
Signature-based IDS- Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.
Limitations
Noise - Noise can severely limit an Intrusion detection systems effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
Too few attacks- It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored.
Signature updates - Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
IDS evasion techniques
Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
Development
A preliminary concept of an IDS began with James P. Anderson and reviews of audit trails. An example of an audit trail would be a log of user access.
Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today. Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data. IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and LISP, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed this year using statistics to reduce audit trails.
Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory. W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common LISP on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.
Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later, and has since become the world's largest used IDS/IPS system with over 300,000 active users.
The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.
In 2003 Dr. Wenke Lee argues for the importance of IDS in networks with mobile nodes.
See also
- Anomaly-based intrusion detection system
- Application protocol-based intrusion detection system (APIDS)
- Artificial immune system
- Autonomous Agents for Intrusion Detection
- Host-based intrusion detection system (HIDS)
- Inhep Digital Security (IDS)
- Intrusion prevention system (IPS)
- Network intrusion detection system (NIDS)
- Protocol-based intrusion detection system (PIDS)
Free Intrusion Detection Systems
References
External links
- Guide to Intrusion Detection and Prevention Systems (IDPS), NIST CSRC special publication SP 800-94, released 02/2007
- Softpanorama: Intrusion Detection (General Issues)
- Intrusion Detection/Prevention Systems classification tree (PDF, SVG, Freemind)