
TABLE OF CONTENTS

TABLE OF CONTENTS ... 1
FOREWORD ... 3
CHAPTER 1: OVERVIEW OF NETWORK SECURITY ... 4
1.1 Objectives to be protected ... 4
1.2 Types of network attack ... 4
1.3 Protection methods ... 6
CHAPTER 2: NETWORK INTRUSION DETECTION SYSTEMS (NIDS) ... 8
2.1 Intrusion ... 8
2.1.1 Ways of intruding into a system ... 8
2.1.2 Security holes that allow intrusion ... 9
2.1.3 Common signs of intrusion ... 12
2.1.4 A typical intrusion scenario ... 13
2.2 Intrusion Detection Systems (IDS) ... 14
2.2.1 Definition, function and working principle ... 14
2.2.2 Placement ... 17
2.2.3 Classification ... 17
2.3 NIDS (Network-based IDS) ... 28
2.3.1 Reasons for choosing NIDS ... 28
2.3.2 Architecture and operation ... 29
2.3.3 NIDS system model ... 31
2.3.4 Deploying and tuning a NIDS ... 33
2.3.5 Evaluating a NIDS (value of NIDS) ... 39
2.3.6 Optimising the value of a NIDS ... 40
2.3.7 NIDS and firewalls ... 42
2.3.8 Summary ... 43
CHAPTER 3: DESIGN OF A NIDS ... 44
3.1 Purpose ... 44
3.2 Analysis and design of the program ... 44
REFERENCES ... 45

FOREWORD
Today, information technology is developing vigorously, bringing enormous benefits and applications to people. Computer networks were born, expanded and developed continuously, creating the global Internet. More and more people recognise the benefits of networking (sharing resources, exchanging and searching for information effectively and quickly, saving time and cost, ...); the Internet has truly become an indispensable part of human life, and communication over the Internet is now familiar to almost everyone. However, transmission over a network passes through many intermediate stations and many nodes with many different users, and nobody can be sure that information has not been altered or copied by the time it reaches the recipient. We have heard a great deal about information being stolen, causing serious damage, about people who regularly steal others' messages, and even about stolen passwords being used to impersonate others and sabotage transactions. Reality also shows that the number of attacks on networks keeps rising and that attack techniques are ever newer and more diverse. That is why security is placed first when speaking of communication over networks. There are many ways to achieve security on a network: access control methods that prevent unauthorised intrusion into the system and control all information sent out of it, encrypting data before transmission, signing it before transmission, and so on. In this report we study in depth the network intrusion detection system (NIDS).

Topic: Building a network intrusion detection system (NIDS - Network Intrusion Detection System)

CHAPTER 1: OVERVIEW OF NETWORK SECURITY

1.1 Objectives to be protected
The birth and development of the Internet is a major turning point in human history. The enormous body of information on the Internet is shared across the whole world. However, alongside its great benefits, the Internet and its related technologies also show an inevitable limitation: insecurity, and susceptibility to compromise and attack. The consequences of an attack may be only minor annoyances, but they may also completely cripple a system: important data and information may be deleted, privacy may be violated, and so on. Our task is therefore to minimise insecurity, in other words to protect the safety of the system, and our thinking must keep pace with the development of the technology. The objects whose security must be ensured include:
Data: data transmitted over the network must meet the following requirements:
- Confidentiality: ensuring that information cannot be accessed illegitimately by people without authorisation.
- Integrity: ensuring that information is not altered during transmission.
- Availability: ensuring that data is always available when access is requested.
Resources: resources include the hardware and software components of the system. An attacker can exploit security holes such as holes in the operating system, the network or the applications. Even if a computer holds no important data it still very much needs protection, because an attacker can break into it and use it as a stepping stone for other attacks.
Reputation: as noted above, an attacker can use one user's machine to attack somewhere else, damaging the reputation of that user.

1.2 Types of network attack
There are many known and as yet unknown ways to attack, but at present they can be divided into four main types:
- Interruption
- Interception
- Modification
- Fabrication
Below we look at each of these types of attack in overview:
Interruption attack

The typical example of this type is the denial-of-service attack, DoS. This is an action in which the attacker exploits a feature or a security flaw of a service system in order to stall the service or prevent users from accessing it. The attack does not steal information from the system; it usually only causes the program or the system to crash or hang, paralysed partly or completely, forcing the service administrator to suspend the service and restart the system. The downtime of a service system over a certain period causes significant damage. There are two kinds of denial-of-service attack, according to the characteristics of the attacked system: the first overloads the system so that it loses the ability to serve genuine users; the second relies on a security flaw of the system to make the system itself hang or become paralysed. In the first kind, the overload is produced by sending very many fake service requests. To handle one service request the system must spend a certain amount of resources (CPU, memory, bandwidth). Resources are limited: when too many fake requests arrive, the system uses all of its resources to answer them and has none left for the genuine requests of users, who are then unable to reach the service. In the second kind of denial-of-service attack, the attacker exploits a security weakness of the system by deliberately sending invalid requests or packets that damage the system when it receives them. Processing them incorrectly, or out of the designed sequence, leads to the collapse of the system itself. Most of these weaknesses originate in software bugs. When an attacker sends something outside the anticipated range of possibilities, the software easily fails and brings the system down. The typical example of this flaw is the Ping of Death attack in 1995, which hung or crashed a great many systems. In addition, a small number of weaknesses originate in the operating principles of the system itself, in particular those of the TCP/IP protocol suite. The typical example of this kind of attack is SYN flooding, which leaves the service system unable to accept TCP connections. At present there is no fully effective measure against denial-of-service attacks, especially the overload kind. A service provider can only limit them; it can hardly keep its service available against every denial-of-service attack.
The best measure available today against denial-of-service attacks, especially those that rely on security flaws in the system, is for service providers to continually apply the latest software fixes to their systems. At the same time, service providers must build and administer their systems so that they are unlikely to be exploited to launch denial-of-service attacks. A DoS attack carried out simultaneously from many different addresses is called a DDoS (Distributed DoS) attack.
Interception attack

This type of attack uses sniffers to capture passwords and other sensitive information passing back and forth over the network. By sniffing passwords the attacker obtains a user's password and then logs into the system through the regular channel. To limit this type of attack we segment the network and use switching hubs.
Modification attack
This type of attack alters information or programs, for example by using malicious code, viruses or Trojans attached to e-mail or to web sites. The protective measures in this case are to use anti-virus software, to filter at the mail server and to check data integrity.
Fabrication attack
In IP spoofing the attacker sets its own IP address to match an address on the internal network. It is then treated as an internal machine, that is, it is allowed to do everything, so it can attack, steal and destroy information.

1.3 Protection methods
Against the diverse types of attack presented above, network security protection methods are continually being created, modified and developed to suit each system. They may be software integrated into the system, hardware tools or a combination of the two (hardware and software), or they may be security policies. The usual methods today include:
- Firewall
- Intrusion Detection System
- Policy
We look at each method in overview:
Firewall
A firewall is a product that provides secure connectivity between the internal network and external networks. A firewall is like a fence around the network, with a few chosen gates. The fence is not able to detect someone who is trying to break into the system (for instance by digging a hole underneath it), nor to detect someone who comes in through a permitted gate. It simply restricts access to the points it stands in front of.

Intrusion Detection System (IDS)

An IDS (intrusion detection system) is built from hardware and software components that work together to find unwanted events, from which an attack that is about to happen, is happening or has already happened can be identified.
Policy
A policy sets out privacy, the rules that govern control, and what must be done if an attack occurs.

CHAPTER 2: NETWORK INTRUSION DETECTION SYSTEMS (NIDS)

2.1 Intrusion
This section presents the related concepts of intrusion and intrusion scenario, and looks at the nature, the causes and the signs of intrusion into a system, before going on to study and deploy an intrusion detection system. An intrusion is somebody (a hacker or cracker) attempting to break into or misuse a system. Hacker and cracker are two words for intruders. Intruders fall into two classes:
Outsiders: intruders from outside the system (defacing web servers, relaying spam through e-mail servers). They may get past the firewall to attack machines inside the network. Intruders may come from the Internet, over telephone lines, by physical break-in, or from partner networks linked to the organisation's network (manufacturers, customers, ...).
Insiders: intruders who have legitimate access to the inside of the system (authorised users, or people impersonating a user with higher authorisation). This class accounts for 80% of intrusions.

2.1.1 Ways of intruding into a system
The main ways in which intruders can get into a system are:
Physical intrusion: if an intruder has physical access to a machine (for instance they can use the keyboard), they will be able to get into the system.
System intrusion: this is a form of hacking. Suppose the intruder has a low-privilege user account on the system. If the system does not have the latest security patches, the intruder has a good opportunity to exploit it to gain higher privilege (administrator rights).
Remote intrusion: this is the form of hacking in which the intruder tries to penetrate a system remotely over the network. The intruder initially has no special privilege at all. There are several variants of this form of hacking. The NIDS studied in this report is chiefly concerned with remote intrusion.

2.1.2 Security holes that allow intrusion
Software always has bugs. System administrators and programmers can never track down and remove every possible hole. Intruders only need to find one hole to get into the system. The system flaws that intruders can exploit for their purposes are detailed below:
Software bugs: software bugs are exploited in server daemons, in client applications, in operating systems and in network stacks. They can be divided into the following kinds:
Buffer overflows: most of the known security holes are due to this bug. In the typical example, a programmer sets aside 256 characters to store a login username. The programmer thinks nobody could have a longer name, but a hacker thinks: what happens if I type a username longer than that, where do the extra characters go? If the hacker tries it and enters 300 characters including code that the server then executes, the hacker has broken into the system. Hackers find these bugs in several ways. First, the source code of many network services is available, and hackers read it to find routines with overflow bugs. Second, a hacker can look at the program itself to see whether the bug exists, although reading the resulting assembly code is very hard. Third, a hacker examines every place where the program takes input and tries to overflow it with random data; if the program crashes, that is a good opportunity for the hacker to break in. Note that this problem is common in programs written in C/C++ but rare in programs written in Java.
Unexpected combinations: programs are usually built from many layers of code, with the operating system as the bottom layer. An intruder can often send input that is meaningless to one layer but meaningful to another. The most common language for handling user input is Perl. Programs written in Perl frequently pass this input on to other programs for evaluation. A common hacker technique is to enter something like "| mail < /etc/passwd". This works because Perl asks the operating system to start an additional program with that input; the operating system, however, interprets the pipe character | and starts the mail program, which can result in the password file being sent to the intruder.
Unhandled input: most programs are written to handle valid input. Most programmers do not consider what will happen when the input does not conform to the specification.
Race conditions: most systems today are multitasking/multithreaded, meaning they can run more than one program at a time. It is dangerous if two programs must access the same database at the same moment. Suppose programs A and B both want to modify the same file. To modify a file, a program first reads the file into memory, changes the contents in memory, and then copies them from memory back to the file. A race condition occurs when program A reads the file into memory and changes it, and before A writes back to the file, program B intervenes and performs a complete read/modify/write of the file. Now program A writes its copy back out to the file. Because A started from a copy made before B changed the file, all of B's changes to the file are lost. Since a chain of events must occur in exactly a certain order, race conditions are rare; intruders often have to try thousands of times before they succeed in hacking into the system.
System configuration bugs: system configuration bugs can be divided into the following kinds:
Default configurations: most systems are shipped to customers in a default, easy-to-use configuration. Unfortunately, easy-to-use also means easy-to-break-in. Most UNIX or Windows NT machines as delivered to you can be hacked easily.
Lazy administrators: a surprising number of machines are configured with an empty root/administrator password. This is because the administrator was too lazy to configure one and wanted to get the machine up and running as quickly as possible with the least trouble. Unfortunately they never come back and fill in the password later, so an intruder gains easy access to the system. One of the first things an intruder does on a network is to probe for all machines with empty passwords.
Hole creation: most programs can be configured to run in an insecure mode. Sometimes administrators inadvertently open a hole. Most administration guides suggest that administrators turn off everything that does not absolutely need to run on the machine, to avoid unexpected holes.
Trust relationships: intruders often exploit trust relationships on the network. A network of machines that trust one another is only as secure as its weakest link.
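The race condition described above (programs A and B each reading, modifying and writing back the same file) can be reproduced deterministically. The following Python program is an added example written for this page, not code from the report: the file contents, the lines "change by A" and "change by B", and the use of a threading.Lock standing in for a file lock are assumptions of the example. Two threads are forced into exactly the interleaving the text describes, once without any lock (B's edit is lost) and once with each program's whole read/modify/write serialised:

```python
import os
import tempfile
import threading


def read_lines(path):
    with open(path) as f:
        return f.read().splitlines()


def write_lines(path, lines):
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")


def simulate(use_lock):
    """Run programs A and B against one shared file (a constructed temporary
    file). Without a lock, the interleaving from the text is forced: A reads,
    B does a complete read/modify/write, then A writes its stale copy back.
    With a lock, each program's read/modify/write runs as a unit."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    write_lines(path, ["original"])
    lock = threading.Lock() if use_lock else None
    b_may_start = threading.Event()
    b_done = threading.Event()

    def program_a():
        if lock:
            lock.acquire()
        try:
            lines = read_lines(path)        # A reads the file into memory
            lines.append("change by A")     # A changes its in-memory copy
            b_may_start.set()               # B gets scheduled in the meantime
            if not use_lock:
                b_done.wait()               # B completes its own edit before A writes
            write_lines(path, lines)        # A writes its copy back out
        finally:
            if lock:
                lock.release()

    def program_b():
        b_may_start.wait()
        if lock:
            lock.acquire()                  # blocks until A has finished writing
        try:
            lines = read_lines(path)
            lines.append("change by B")
            write_lines(path, lines)
        finally:
            if lock:
                lock.release()
        b_done.set()

    threads = [threading.Thread(target=program_a), threading.Thread(target=program_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    result = read_lines(path)
    os.remove(path)
    return result


if __name__ == "__main__":
    print("without lock:", simulate(False))   # B's change is lost
    print("with lock:   ", simulate(True))    # both changes survive
```

Real programs would use an operating-system file lock rather than an in-process Lock, but the point is the same: the read, the modification and the write must be one indivisible step, or the window between them is exactly what the text says an intruder keeps retrying until they hit it.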

Password cracking:

Really weak passwords: most people use their own name, their children's names, a pet, or the make of their car as a password. Some people use no password at all. This gives a list of fewer than 30 possibilities that an intruder can simply type in by hand.
Dictionary attacks: when the above does not work, the intruder's next step is a dictionary attack. In this attack the intruder uses a program that tries every possible word in a dictionary, repeatedly logging into the system, or comparing against the set of encrypted passwords, until a match is found. Attackers keep copies of English dictionaries as their database (including names and lists of common passwords).
Brute force attacks: like a dictionary attack, but the intruder tries every possible combination of characters. A short password of 4 lowercase letters can easily be cracked in a few minutes; a 7-character password that mixes upper and lower case takes months to crack.
Intruders can obtain passwords in the following ways:
Clear-text sniffing: some protocols (Telnet, FTP, HTTP) use clear-text passwords, meaning they are not encrypted as they travel over the wire between client and server. An intruder with a protocol analyser watches the wire and looks for such passwords. With no further effort, the intruder can immediately use the passwords to log into the system.
Sniffing encrypted passwords: most protocols apply some kind of encryption to passwords; in this case the intruder must run a dictionary attack against the password to decrypt it. Note that you still have no idea the intruder is present, because they act entirely on their own and transmit nothing on the wire: cracking the password requires no signal to be sent while the intruder's own machine is being used to verify your password.
Replay attack: in some cases the attacker does not need to decrypt the password at all; they can use the encrypted form to attack the system. This requires them to re-program the client software to allow the encrypted password to be used.
Stealing the password file: the whole user database is stored in a file on disk. Once the intruder obtains this file, they can run cracking programs against it to find the weak passwords in it.
Observation: one of the traditional problems of password security is that passwords must be long and hard to guess (so that a dictionary attack is hard to carry out). However, such passwords are hard to remember, and users may write them down somewhere. Intruders often search a user's desk for passwords, or stand behind the user and watch them type the password.
Social engineering: a common technique is to call a user and say "Hello, this is Bob from MIS. We are trying to track down some problems on the network and they seem to be coming from your machine. What password are you using?". Many users will hand over their password in this situation.
Sniffing unsecured traffic:

Shared medium: on traditional Ethernet, all you have to do is put a sniffer on the wire to see all the traffic on a segment. This is now becoming harder because organisations are moving to switched Ethernet.
Server sniffing: on a switched network, however, if you can install a sniffing program on a server (especially one acting as a router), you can use the information obtained to break into client machines. For example, you may not know a user's password, but sniffing a Telnet session as they log in will give you that password.
Remote sniffing: a large number of boxes ship with RMON and its community strings. The bandwidth is very low (you cannot sniff all of the network traffic).
Design flaws: even if a piece of software is implemented entirely according to its design, there are still flaws in the design itself that an intruder can exploit.
TCP/IP protocol flaws: the TCP/IP protocols were designed before we had the extensive experience of hacking that we have today, and as a result some design flaws lead to insecurity.

2.1.3 Common signs of intrusion
There are three main ways in which intrusive behaviour is carried out:
Reconnaissance: this includes scanning addresses and DNS, scanning TCP and UDP ports, and scanning web servers to find CGI holes.
Exploits: exploiting hidden features or bugs to gain access to the system.
Denial of service (DoS): the intruder tries to crash a service, overload the network connection, overload the CPU, or fill up the disk. They do not obtain information; they simply act as vandals, preventing you from using your own machine.

Exploits:
- CGI scripts
- Web server attacks
- Web browser attacks
- SMTP (Sendmail) attacks
- IMAP access
- IP spoofing
- Buffer overflows
- DNS attacks

Reconnaissance:

- Ping sweeps
- TCP scans
- UDP scans
- OS identification
- Account scans

DoS attacks:
- Ping of Death
- SYN flood
- Land/Latierra
- WinNuke
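Two of the reconnaissance signs listed above, ping sweeps and port scans, are what a network sensor can recognise purely from the pattern of connection attempts. The following Python detector is an added example written for this page, not code from the report or from any IDS product: the event format (time, source, destination, protocol, destination port), the sample traffic, the 10-second window and the thresholds of 15 distinct ports and 10 distinct hosts are assumptions of the example. It runs over a constructed stream that mixes a fast port scan, a ping sweep, ordinary web clients and a very slow probe, and shows why a time window matters:

```python
from collections import defaultdict, deque


def detect_reconnaissance(events, window=10.0, port_threshold=15, host_threshold=10):
    """Flag port scans (one source touching many distinct ports on one host)
    and ping sweeps (one source pinging many distinct hosts) within `window`
    seconds. `events` are (time, src, dst, proto, dport) tuples sorted by time.
    Each (type, source) pair is reported once."""
    port_history = defaultdict(deque)   # (src, dst) -> recent (time, dport)
    host_history = defaultdict(deque)   # src -> recent (time, dst) for ICMP
    alerted = set()
    alerts = []
    for t, src, dst, proto, dport in events:
        if proto in ("tcp", "udp"):
            hist = port_history[(src, dst)]
            hist.append((t, dport))
            while hist and t - hist[0][0] > window:   # forget probes outside the window
                hist.popleft()
            ports = {p for _, p in hist}
            key = ("port_scan", src, dst)
            if len(ports) >= port_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "distinct_ports": len(ports), "time": t})
        elif proto == "icmp":
            hist = host_history[src]
            hist.append((t, dst))
            while hist and t - hist[0][0] > window:
                hist.popleft()
            hosts = {h for _, h in hist}
            key = ("ping_sweep", src)
            if len(hosts) >= host_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "ping_sweep", "src": src,
                               "hosts": len(hosts), "time": t})
    return alerts


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_EVENTS = sorted(
    # one source hitting 25 ports of one host within about a second
    [(0.05 * i, "10.0.0.5", "192.168.1.10", "tcp", 20 + i) for i in range(25)]
    # one source pinging 20 different hosts within two seconds
    + [(1.0 + 0.1 * i, "10.0.0.7", "192.168.1.%d" % i, "icmp", None) for i in range(1, 21)]
    # ordinary clients: many connections, but always to port 80
    + [(0.3 * i, "10.0.0.9", "192.168.1.10", "tcp", 80) for i in range(30)]
    # a slow probe, one port every 30 s: never 15 ports inside a 10 s window
    + [(50.0 + 30.0 * i, "10.0.0.9", "192.168.1.10", "tcp", 20 + i) for i in range(25)],
    key=lambda e: e[0],
)


if __name__ == "__main__":
    for alert in detect_reconnaissance(SAMPLE_EVENTS):
        print(alert)
```

The slow probe from 10.0.0.9 is deliberately left undetected: a sliding window trades sensitivity to patient scanning for a low false-alarm rate on busy hosts, which is the tuning decision every NIDS deployment has to make explicitly.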

2.1.4 A typical intrusion scenario
We use the term intrusion scenario for a precise, explicit description of a known type of intrusion. It is defined as a sequence of actions which, when carried out, results in an intrusion unless something intervenes to prevent the sequence from being completed. The model or description of the intrusion scenario determines how well the system can be monitored. A typical scenario might be:
Step 1: outside reconnaissance.
Step 2: inside reconnaissance.
Step 3: exploiting the holes (exploit).
Step 4: establishing a foothold.
Step 5: exploiting the gained access (profit).

2.2 Intrusion detection systems (IDS)

2.2.1 Definition, function and working principle
Definition: an intrusion detection system is a system whose task is to monitor, record and (possibly) prevent intrusions and illegitimate exploitation of the resources of the protected system, which could harm the confidentiality, integrity and availability of that system.
Function of the system: to protect the confidentiality, integrity and availability of information. The IDS collects information from many sources within the protected system and then analyses that information in different ways to detect unauthorised intrusions. There are two basic approaches to intrusion detection: anomaly detection and misuse detection. These two approaches are also the working principles of every IDS to date, so studying them in depth is the same as studying how IDSs operate.
Working principle
Anomaly detection: this is based on defining and characterising the desired fixed forms and/or the acceptable dynamic behaviour of the system, and then distinguishing them from unwanted or abnormal behaviour in order to find changes or illegitimate actions. An anomaly detector must therefore be able to distinguish between normal and abnormal phenomena. The boundary between the acceptable form and the abnormal form of code and stored data is clearly defined (a single differing bit is enough), whereas the boundary between legitimate behaviour and abnormal behaviour is harder to determine. Anomaly detection is divided into two kinds, static and dynamic.
o Static detection:

This rests on the initial assumption that the monitored part of the system must never change. Here we are concerned only with the software of that part of the system (assuming the hardware need not be checked). The static part of a system consists of two sub-parts: the system code and the data of that part of the system. Both can be represented as a binary bit string or as a set of strings (files). If this representation differs from the original form, then either an error has occurred or some intruder has changed it. The static detector is then notified to check data integrity. Concretely: the static detector takes one or several fixed bit strings that define the desired state of the system, obtains a representation of that state, possibly in compressed form, and then compares it with the same representation computed from the current state of the same fixed bit strings. Any difference indicates an error such as a hardware fault, or an intrusion. The static state representation could be the actual bit strings chosen to define the system state, but that is quite expensive both in storage and in comparison operations. Since what matters is finding that there is a difference, so as to raise an intrusion alert, rather than pointing out where the difference is, we can use a compressed representation to reduce the cost, called a signature. It is a summary value computed from a base bit string, and the computation must ensure that values computed from different base strings are different. Checksums, message digests and hash functions can be used. Some intrusion detectors also incorporate meta-data (data describing the data objects) or information about the structure of the object being checked. For example, the meta-data of a log file includes its size; if the size of the log file grows, that may be a sign of intrusion.
o Dynamic detection:

First we introduce the concept of system behaviour. The behaviour of a system is defined as a sequence of distinct events; for example, many intrusion detection systems use the audit records generated by the operating system to define the relevant events, in which case only behaviour that results in the creation of operating-system audit records is considered. Events may occur in strict order or not, and the information must be accumulated. Thresholds are defined to draw the boundary between reasonable and abnormal use of resources. If it is uncertain whether behaviour is abnormal, the system can rely on parameters set during initialisation that relate to the behaviour. In this case the boundary is not clear-cut, so it can lead to false alarms. The most common way to determine the boundary is to use statistical classifications and standard deviations. Once a classification is established, the boundary can be drawn using some number of standard deviations; if behaviour falls outside it, an intrusion is reported. Concretely: dynamic detection systems usually create a baseline profile that characterises normal, acceptable behaviour. A profile consists of a set of measurements considered about the behaviour, and each measurement has several dimensions:
+ Related to choices: login time, login location, ...
+ Resources used over the whole process or per unit of time: session length, number of messages sent to the network per unit of time, ...
+ The sequence representing the actions
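The statistical boundary just described (a baseline profile of measurements, with a threshold expressed as a number of standard deviations) can be written down directly. The following Python program is an added example for this page, not code from the report or from any IDS product: the three measurements, the ten constructed baseline sessions and the default threshold of 3 standard deviations are assumptions of the example. It builds the baseline profile, scores a new session against it, and shows how lowering the threshold turns ordinary sessions into false alarms:

```python
import statistics

# Constructed baseline: ten sessions of one user during a period taken as normal.
BASELINE_SESSIONS = [
    {"session_minutes": 25, "msgs_per_minute": 3.0, "login_hour": 9},
    {"session_minutes": 30, "msgs_per_minute": 4.0, "login_hour": 9},
    {"session_minutes": 35, "msgs_per_minute": 3.5, "login_hour": 10},
    {"session_minutes": 28, "msgs_per_minute": 4.5, "login_hour": 8},
    {"session_minutes": 32, "msgs_per_minute": 3.8, "login_hour": 9},
    {"session_minutes": 30, "msgs_per_minute": 4.2, "login_hour": 10},
    {"session_minutes": 27, "msgs_per_minute": 3.6, "login_hour": 9},
    {"session_minutes": 33, "msgs_per_minute": 4.1, "login_hour": 8},
    {"session_minutes": 29, "msgs_per_minute": 3.9, "login_hour": 9},
    {"session_minutes": 31, "msgs_per_minute": 3.4, "login_hour": 10},
]


def build_profile(observations):
    """Baseline profile: mean and sample standard deviation of each
    measurement over the training observations."""
    measures = list(observations[0])
    return {
        m: {"mean": statistics.mean([o[m] for o in observations]),
            "stdev": statistics.stdev([o[m] for o in observations])}
        for m in measures
    }


def deviations(profile, observation):
    """Distance of each measurement from the baseline, in standard deviations."""
    z = {}
    for m, stats in profile.items():
        if stats["stdev"] == 0:   # a measure that never varied in training
            z[m] = 0.0 if observation[m] == stats["mean"] else float("inf")
        else:
            z[m] = (observation[m] - stats["mean"]) / stats["stdev"]
    return z


def is_anomalous(profile, observation, k=3.0):
    """The boundary: any measurement more than k standard deviations away."""
    return any(abs(z) > k for z in deviations(profile, observation).values())


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for m, stats in profile.items():
        print("%-16s mean=%6.2f stdev=%5.2f" % (m, stats["mean"], stats["stdev"]))
    night_login = {"session_minutes": 30, "msgs_per_minute": 3.8, "login_hour": 3}
    print("night login anomalous:", is_anomalous(profile, night_login))
    print("deviations:", deviations(profile, night_login))
```

Only the login hour of the night-time session is unusual, yet that single dimension is enough to cross the boundary; conversely, with k set to 0.5 a perfectly ordinary 32-minute session is flagged. The threshold, not the arithmetic, is what decides the false-alarm rate the text warns about.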

Once the baseline profile has been initialised, intrusion detection can begin. Dynamic detection is now like static detection in that it monitors behaviour by comparing the current characterisation of behaviour with the original description of expected behaviour (the baseline profile) to find differences. While the intrusion detection system runs, it examines the events relating to an entity, or the actions that are attributes of that entity, and builds up a current profile. Earlier generations of intrusion detection systems depended on audit records to capture the relevant events or actions; later systems record a database specifically for intrusion detection. Some systems operate in real time, or near real time, observing events directly as they happen rather than waiting for the operating system to produce a record describing the event. The main difficulty for dynamic detection systems is that they must build the baseline profiles accurately and then recognise improper behaviour from those profiles. Baseline profiles can be built by running the system in a trial mode or by observing normal user behaviour over a long period.
Misuse detection: in real systems users gradually change their actions, so profiles that contain misuse become almost impossible for the anomaly detectors above to recognise; misuse detection was introduced for this reason. Misuse detection means detecting intruders who are trying to break into the system using some known technique. It involves characterising the known ways of breaking into the system, each of which is described as a pattern. A misuse detection system only monitors for explicit patterns. A pattern may be a fixed bit string (for example a virus, specified by the string it inserts), or may describe a set or a sequence of suspicious actions; here we use the term intrusion scenario. A typical misuse detection system continuously compares the current actions of the system with a set of intrusion scenarios, trying to detect a scenario in progress. It may examine the current actions of the protected system in real time, or the audit records recorded by the operating system. Misuse detection techniques differ in how they describe (model) the behaviour that indicates an intrusion.
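The contrast the text draws, between flat rules that fire on individual patterns and a detector that follows an intrusion scenario step by step, is worth seeing in code. The following Python program is an added example for this page, not code from the report or from any IDS product: the event names, the five-step scenario (taken from the steps in section 2.1.4) and the sample event stream with documentation-range addresses are all constructed assumptions. The scenario tracker keeps one state per source, only advances when the expected step appears, reports which step it expects next (the prediction the text mentions), and raises a single alert carrying the whole trail when the scenario completes:

```python
# Ordered intrusion scenario: (step name, event types that satisfy the step).
SCENARIO = [
    ("outside reconnaissance", {"ping_sweep", "port_scan"}),
    ("inside reconnaissance", {"banner_grab", "account_scan"}),
    ("exploit", {"buffer_overflow_signature", "cgi_exploit_signature"}),
    ("foothold", {"new_privileged_account", "rootkit_file_written"}),
    ("profit", {"outbound_bulk_transfer"}),
]
ALL_SIGNATURES = set().union(*(triggers for _, triggers in SCENARIO))


def flat_rule_alerts(events):
    """First-generation style: every event matching any rule is its own alert,
    with no notion of the scenario it belongs to."""
    return [e for e in events if e["type"] in ALL_SIGNATURES]


class ScenarioTracker:
    """Second-generation style: a state machine per source host that walks
    the scenario in order and alerts once, with the full trail."""

    def __init__(self, scenario=SCENARIO):
        self.scenario = scenario
        self.progress = {}   # src -> (index of the next expected step, matched trail)
        self.alerts = []

    def feed(self, event):
        """Consume one event; return the name of the step now expected next."""
        src = event["src"]
        idx, trail = self.progress.get(src, (0, []))
        step_name, triggers = self.scenario[idx]
        if event["type"] in triggers:        # only the *expected* step advances the state
            idx += 1
            trail = trail + [(event["time"], step_name, event["type"])]
        if idx == len(self.scenario):        # scenario completed: alert and reset
            self.alerts.append({"src": src, "trail": trail, "completed_at": event["time"]})
            idx, trail = 0, []
        self.progress[src] = (idx, trail)
        return self.scenario[idx][0]


# Constructed event stream: one host runs the whole scenario; another host
# (an administrator's audit tool) produces a lone account scan.
SAMPLE_EVENTS = [
    {"time": 1, "src": "203.0.113.8", "type": "ping_sweep"},
    {"time": 2, "src": "203.0.113.8", "type": "port_scan"},
    {"time": 3, "src": "198.51.100.4", "type": "account_scan"},
    {"time": 4, "src": "203.0.113.8", "type": "banner_grab"},
    {"time": 5, "src": "203.0.113.8", "type": "buffer_overflow_signature"},
    {"time": 6, "src": "203.0.113.8", "type": "new_privileged_account"},
    {"time": 7, "src": "203.0.113.8", "type": "outbound_bulk_transfer"},
]


def run(events):
    tracker = ScenarioTracker()
    for e in events:
        expected = tracker.feed(e)
        print("t=%d %-13s %-26s -> next expected: %s" % (e["time"], e["src"], e["type"], expected))
    return tracker.alerts


if __name__ == "__main__":
    print("flat rules: %d separate alerts" % len(flat_rule_alerts(SAMPLE_EVENTS)))
    for alert in run(SAMPLE_EVENTS):
        print("scenario alert:", alert)
```

The flat rule set produces seven unrelated alerts, including one for the administrator's audit tool; the tracker produces one alert, ignores the lone account scan because no reconnaissance preceded it, and after the exploit step is already naming "foothold" as the next thing to look for, which is the point at which the text says a detector can intervene.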
First-generation misuse detection systems used rules to describe what security administrators look for in the system. As large rule sets accumulated they became hard to understand and modify, because the rules were not grouped logically into intrusion scenarios.

To resolve this difficulty, second-generation systems introduced alternative scenario representations, including model-based rule organisations and state-transition representations. These are more effective for system users who need a clear representation and understanding of the scenarios. The system must be maintained and updated regularly to keep up with newly discovered intrusion scenarios. Because intrusion scenarios can be specified precisely, misuse detection systems can follow the trail of an intrusion in progress: within a sequence of actions, the detector can anticipate the intruder's next step, analyse system information to check for that step, and possibly intervene to limit the damage that might be done.

2.2.2 Placement
As we know, an IDS is a system that detects intrusions. IDSs can be placed on the network at the positions shown in the figure:

IDS #1: some IDSs work at this position. Here the firewall does not supply information to the intrusion detectors effectively.
IDS #2: this placement of the IDS successfully detects intrusions that have made it through the firewall.
IDS #3: detects intrusions attempting to pass through the firewall.
IDS #4: by spreading IDSs across the organisation's network, attacks from inside the system are detected.

2.2.3 Classification
The purpose of an IDS is to give an indication of a potential or an actual attack. An attack or intrusion is a transient event, whereas the vulnerabilities of a system are fixed (carrying the potential for attacks and intrusions). The difference between an attack and a vulnerability is that an attack exists only at a particular moment, while a vulnerability exists regardless of when it is observed. In other words, an attack attempts to exploit a vulnerability. For this reason we need to classify intrusion detection systems. Figure 1 shows the difference between vulnerability scanners and intrusion detection systems. Vulnerability scanning is less time-critical than intrusion detection, and the deployment of each technology may vary within organisations. Figure 2 maps the types of IDS onto the landscape of Figure 1. Five different types of IDS are discussed in this document. Not all of them represent classic detection, but they all play an important role in the overall aim of detecting and preventing intrusion across a whole network:
- Network-based intrusion detection systems (NIDS).
- Host-based intrusion detection systems (HIDS).
- File integrity checkers.
- Network vulnerability scanners.
- Host vulnerability scanners.

Figure 1: Technology Landscape
Figure 1 above shows that IDS products can be classified as preventive or as reactive (responding after an intrusion). They can also be classified by their emphasis on scanning the network or the host system.

The IDS tools discussed in this section fall into one of two classes: intrusion detection systems and vulnerability scanners. We further divide them into network-based and host-based systems. As Figure 2 shows, vulnerability scanners can be run at any time, since we assume a vulnerability persists until it is fixed. An intrusion, on the other hand, exploits a vulnerability and must be detected as soon as possible after it begins. For this reason intrusion detection tools need to run far more frequently than a vulnerability scanner, which is why most IDS vendors try to make their tools capable of operating in real time.

Figure 2: Technology Landscape
Intrusion detection systems in detail
An intrusion detection system examines network or system activity to find possible attacks or intrusions. Intrusion detection systems may be network-based or host-based, and vendors are only beginning to integrate the two technologies. Network-based intrusion detection is the more common; it inspects network traffic to find signs of intrusion. Host-based systems examine users and processes on the local machine to identify signs of intrusion. Each type has its own strengths, and we consider all of them. IDSs typically use three valuable kinds of analysis tool:
- Signature- or event-based analysis.
- Statistical analysis.

- Adaptive systems.
Signature- or event-based systems work much like the anti-virus software most people are familiar with. The vendor supplies a list of patterns that it considers suspicious or indicative of an attack; the IDS simply scans the environment looking for a match against the known patterns. The IDS then responds by performing a user-defined action, sending an alert or performing additional logging. This is the most common form of intrusion detection system. A statistical analysis system builds statistical models of the environment, such as the average length of a telnet session, and then looks for deviations from the usual values. Adaptive systems start with rules generalised for the environment and then learn, or adapt to, local conditions that might otherwise be uncommon. Once the learning process begins, the system understands how people interact with the environment and then warns the operator about abnormal activity. You must still bear in mind, however, that an IDS will not produce suspicious actions and warning signs when nothing wrong is happening; that is why organisations always keep a human process interacting with the IDS to weigh up the operating environment. We now consider the overview, advantages and disadvantages of each type of IDS listed above:
Network-based IDS (NIDS)
A NIDS usually has two logical components: a sensor and a management station. The sensor sits on a network segment and monitors suspicious traffic on that segment. The management station receives alert signals from the sensor and presents them to an operator. Sensors are usually dedicated systems that exist only to monitor network activity. The display is usually an interface to a network management tool such as HP OpenView, but in some cases it is a guide designed to help the operator analyse the problem.

Figure 3: Diagram of the layout of a traditional network-based IDS, with two sensors on different network segments both communicating with one monitoring station on an internal network.
Advantages
Intrusion detection systems can detect a number of kinds of network-based attack. They are very good at detecting unauthorised access, or some kinds of access that exceed what is permitted. A network-based IDS requires no changes to production servers or hosts. This is a real advantage, because production servers usually have tight operating tolerances for CPU, I/O devices and disk capacity, and installing additional software can push the system over its capacity. The IDS is not tied to any particular production service or process, and a network-based IDS does not act as a router or other critical device, so a failure of the IDS has no significant effect on the business. One aspect of this benefit is that you may meet less resistance from other people in the organisation. The risk of introducing critical failure modes with a network-based system is lower than with a host-based system. Network-based IDSs tend to be more self-contained than host-based systems. They run on a dedicated system that is easy to install: simply unbox the device, make a few configuration changes and plug it into your network at a position that lets it monitor the sensitive traffic.

Disadvantages
A network-based IDS, on the other hand, also has its limitations. It only inspects the network segment it is directly connected to; it cannot detect an attack taking place on other segments. This means the organisation has to buy a number of sensors to cover the whole network, which is a major drawback in terms of cost, since each sensor is very expensive. Network intrusion detection systems tend to use signature analysis to meet performance requirements. They will detect attacks on common programs from external sources, but they are not adequate for detecting more complex information flows, which would require more processing power to examine the environment. An intrusion detection system may need to transmit a large volume of data back to the central analysis system; sometimes this means that one monitored packet generates a larger amount of analysis traffic. Many such systems use flexible data-reduction processes to cut down the amount of traffic transmitted, and they often add decision-making logic to the sensors and use the central station as a status display or communications hub rather than for the actual analysis. The big disadvantage is that this provides very little coordination between sensors: no sensor knows that another sensor has detected an attack, so such a system cannot detect coordinated or complex attacks. A network-based IDS can have difficulty handling attacks inside an encrypted session. Fortunately very few attacks take place inside encrypted sessions, except attacks on weak web servers.
Host IDS
A host-based IDS looks for signs of intrusion on the local host. It usually uses the host's auditing and logging mechanisms as its source of information for analysis. It looks for abnormal activity confined to the local host, such as logins, inappropriate file access, unapproved privilege escalation, and so on. This IDS architecture usually uses rule-based mechanisms to analyse operations; one example of such a rule is that superuser privilege can only be obtained through the su command, so repeated attempts to log directly into the root account can be treated as an attack.
Advantages
A host-based IDS can be an extremely powerful tool for analysing attacks that may have occurred.
A host-based IDS can, for example, sometimes tell exactly what the attacker did: which commands were executed, which files were opened and which system calls were made. A host-based system usually provides more detailed and more accurate information than a network-based one. Host-based IDS can be used in environments where network intrusion detection is clearly unnecessary, or where the bandwidth is too wide for sensors to analyse the traffic usefully. Host-based systems can be entirely self-contained. In some cases this also lets a host-based system run from read-only media, which stops the attacker from disabling the IDS. Finally, a host-based IDS is less risky to configure with an active response such as terminating a service or logging off an offending user, because it is harder to trick a host-based IDS into cutting off access from legitimate sources.

Disadvantages

Host-based systems have to be installed on the specific machines you want to protect. If you have a resource server you want to protect, for example, you have to install the IDS on that server. As noted above, this raises capacity problems, and in some cases security problems as well. Another problem with host-based systems is that they tend to rely on the server's default logging and auditing capabilities. If the server is not configured to do adequate logging and auditing, you have to change its configuration, and on a machine that is under change control that is a problem in itself. Host-based systems are relatively expensive. Many organisations that lack the budget to protect all of their network segments use host-based systems, but those organisations have to be very careful about which systems they choose to protect; it is easy to leave large holes in the intrusion-detection coverage. An attacker on an unprotected neighbouring system, for example, can sniff authentication credentials or other sensitive material off the network. Finally, a host-based system knows almost nothing about its network environment, so the time needed to analyse and estimate the damage from a potential compromise grows linearly with the number of hosts to protect: if one system takes time t to investigate, two systems take 2t, and so on.

File Integrity Checker

A file integrity checker examines the files on a computer to determine whether they have changed since the last time the tool was run.
The integrity checker keeps a database holding a hash value for every file. Each time it runs it recomputes the hash values and compares them with the stored ones. If the two values differ the file has changed; if they are the same the file has not. A hash function is a mathematical procedure that reduces the sequence of bytes in a file to a number of a fixed, convenient size. Identical files always produce identical hash values, and any change to a file, however small, produces a different hash value. Unlike encryption, a hash function is one-way: you cannot recover the original file from its hash value. Some hash functions are more secure than others. The very secure ones that meet particular mathematical requirements are called cryptographic hash functions. One of those requirements is that finding a collision, two different inputs that hash to the same value, is extremely hard (the technical term is computationally infeasible). This means that if an attacker changes a file, there is no way for him to fool the checker into believing the file is unchanged.

Advantages

Computational infeasibility is what the integrity checker's strength rests on, and it makes the checker a very powerful tool for detecting changes to the files on a computer. It is so powerful that it is in fact one of the most important tools you can use to detect misuse of a computer system. An integrity checker can be configured to watch everything on the system or only the important files, so it is very flexible. Once an attacker has compromised a system there are two things he wants to do. First, he wants to erase his tracks, which means altering binaries, libraries and log files to hide the fact that he is, or was, on the system. Second, he wants to make changes that ensure he can keep getting back in. A properly configured file integrity checker detects both.

Disadvantages

Integrity checkers rely on data held on the local machine. Like log files, that data (the database of hash values) is vulnerable to modification on a compromised system. Suppose an attacker gains superuser privilege on your system: he can find the integrity checker, make his changes, and run the tool again to rebuild the hash database. When the administrator next runs the tool, no change is reported.
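The checker described above, as an added example that is not part of the original report, together with the attack it is weak against (an attacker with root silently re-baselining it) and one mitigation alongside the read-only media the text suggests: keying the baseline with HMAC-SHA-256 so that it cannot be regenerated without a key that is kept off the monitored host. The directory layout, file contents and key handling are constructed assumptions.

```python
"""File integrity checker with a plain and a keyed (HMAC) baseline (added example)."""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, key=None):
    """SHA-256 of the file, or HMAC-SHA-256 under `key` when one is given."""
    h = hmac.new(key, digestmod="sha256") if key is not None else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, key=None):
    """Map of relative path -> digest for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, key)
    return baseline


def compare(root, baseline, key=None):
    """Recompute digests and report modified, added and removed files."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario; returns the four comparison reports described in the comments."""
    key = os.urandom(32)   # assumption: kept on the analysis station or read-only media, not on the host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        plain = build_baseline(root)          # unkeyed database, as stored on the host
        keyed = build_baseline(root, key)     # keyed database; the key never touches the host
        # The attacker trojans a binary and drops a backdoor (constructed contents).
        _write(root, "bin/ls", b"#!/bin/sh\n/tmp/.x &\nexec /usr/bin/ls \"$@\"\n")
        _write(root, "bin/.backdoor", b"\x7fELF...constructed...")
        detected = compare(root, plain)
        # With root, the attacker reruns the unkeyed checker: the new database blesses his changes.
        regenerated = build_baseline(root)
        after_regen = compare(root, regenerated)
        # The keyed baseline cannot be regenerated without the key, so the changes still show.
        still_detected = compare(root, keyed, key)
        # A database rebuilt without the key mismatches on every file, which is itself a loud signal.
        forged = compare(root, regenerated, key)
        return detected, after_regen, still_detected, forged


if __name__ == "__main__":
    for label, report in zip(("detected", "after re-baseline", "keyed", "forged"), demo()):
        print(label, report)
```

The keyed baseline only helps if the key is unavailable to the attacker; keeping the key and the database on the host being checked reduces it to the unkeyed case. Storing both on read-only media, as the text goes on to suggest, or on a separate analysis station, is what makes the comparison trustworthy.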
One way to solve this problem is to make the data read-only, for example by burning it to a CD (not a rewritable one). That is reasonable for most workstations and for systems that do not change, but for most production servers it is an unbelievable nuisance. The checker has to be configured for each system individually, which is usually a complex and time-consuming job, and if the operating system is not good at maintaining system integrity the installation becomes much harder still. Once configured, the checker has to be run regularly. Depending on the operating system, simple changes or routine operations can produce reports of anywhere from tens to thousands of changes; an integrity checker run just before an upgrade of MS Outlook on a Windows NT system, for instance, reported more than 1,800 changes after the installation. Finally, integrity checkers consume a significant amount of system resources. Many administrators do not want to run them frequently, and that limits their usefulness: if the tool is run once a month it reports so many changes that a real attack has a good chance of going unnoticed among them.

Vulnerability Scanners

A vulnerability scanner differs from an intrusion detection system in that, as mentioned above, a vulnerability scanner looks for static configuration problems, whereas an IDS looks for transient misuse or abnormal activity. A vulnerability scanner can find an exploitable NFS configuration, for example, by examining the services available and the configuration of a remote system. An IDS dealing with the same vulnerability only reports the existence of the weakness when an attacker actually tries to exploit it. Vulnerability scanners, whether network scanners or host scanners, give organisations a chance to fix problems before they arise, rather than reacting to a compromise or abuse in progress. An intrusion detection system detects intrusions as they happen; a vulnerability scanner lets the organisation prevent them. Vulnerability scanners are particularly useful in organisations that are not good at responding to unexpected events.

Network Vulnerability Scanner

A network vulnerability scanner works remotely, by probing the network interface of a remote system. It looks for vulnerable services running on the remote machine and reports the possible vulnerability.
For example, rexd is known to be a weak service, so a network vulnerability scanner will attempt to connect to the rexd service on the target system; if the connection succeeds, the scanner reports an exploitable rexd. Because a network vulnerability scanner can run from a single machine on the network, it can be installed without touching the administrative configuration of other machines. These scanners are usually used by auditors and security teams, because they give an outsider's view of the security holes in a computer or a network.

Advantages

Network vulnerability scanners can report on many different target architectures. Some work with routers, some with Unix systems, some with NT or Windows systems, others with further platforms. Network vulnerability scanners are generally very easy to install and start using. Unlike host-based systems, which often require installing software or reconfiguring the host, a network-based system can be dropped in anywhere on the network: plug the interface into a switch and boot the machine.

Disadvantages

Network vulnerability scanners are almost exclusively signature-based systems. Like a signature-based IDS, a signature-based vulnerability scanner can only detect the vulnerabilities it has been programmed to recognise. When a new vulnerability appears, as they regularly do, there is a window of opportunity for the attacker before the vendor can update its signatures (and the customer downloads and installs the new ones). If customers are slow to update their scanner signatures, many organisations can be compromised even though they run their vulnerability scanners regularly. One analysis from the period found that 90% of web servers running IIS remained exposed to vulnerabilities that had already been publicly documented and could be seriously exploited; this is what drives vendors to produce patches and security advisories. A network vulnerability scanner can only point out possible problems; the organisation still has to fix them. Another potential problem with a network vulnerability scanner is that its output requires experienced interpretation. Every environment has different operational requirements and a different exposure to vulnerabilities. When a network scanner reports a particular vulnerability, the organisation's network or operations staff must weigh the report in the context of the system's operating environment. Vulnerability scanners are also known to crash end systems: some IP implementations are not robust enough to handle many concurrent connections, and the traffic generated by unsafe port probes will sometimes crash a machine. Finally, a network vulnerability scanner tends to hold a large amount of vulnerability data.
If anyone breaks into the scanning system, compromising the other machines on the network is child's play. Protect the scanners to prevent unauthorised use of the scan data.

Host Vulnerability Scanner

A host vulnerability scanner differs from a network vulnerability scanner in that it is confined entirely to the local operating system. A network vulnerability scanner needs the target to be reachable over the network in order to work; a host vulnerability scanner does not. Host vulnerability scanners are software packages installed on a specific operating system. Once the software is installed it can be configured to run at any time, day or night; the scans performed by this kind of tool are usually scheduled at low priority to reduce contention.

Advantages

A host vulnerability scanner tends to be tailored to, and precise for, the particular operating system it is installed on. It can often tell the user which patch should be applied to fix an identified vulnerability, where a network vulnerability scanner sometimes gives only general guidance. When choosing a product to buy, look at sample reports for your operating system to determine how much information they contain; the depth and accuracy of the reports is one of the selection criteria. Host vulnerability scanners consume no network bandwidth when you run them: all processing is confined to the local host. Unlike network scanners, host vulnerability scanners do not hammer the IP stack of the target system. Some operating systems have weak IP stack implementations, poorly integrated with their network interfaces, and sending them a heavy load or unusual TCP flags can hang the interface until the system is rebooted. Host vulnerability scanners are also less useful to an intruder who wants to turn them against you. When an attacker breaks into a system and finds a network vulnerability scanner, or the reports from one, he typically uses the tool or the reports to attack other systems in your organisation; a host-based tool yields very little information that helps to extend the attack.

Disadvantages

Host vulnerability scanners are again signature-based systems. They look for specific, known-dangerous system configurations and report on them, assessing each host individually. Local operating and procedural requirements may demand flexibility in how a fix for any reported vulnerability is found and applied.

Installing a host vulnerability scanner requires the cooperation of the system administrators. Because the software runs regularly with privileges, the administrator of every machine has to agree with the tool's purpose and configuration, and in many organisations that is a hard task. As with any host-based system, an attacker can modify the vulnerability scanner so that it no longer reports the vulnerabilities he intends to exploit. The inevitable consequence is that a vulnerability scanner cannot protect a system from compromise once the attacker already controls the system the scanner is installed on.

2.3 NIDS (Network-based IDS)

2.3.1 Reasons for choosing NIDS

Of the kinds of IDS available (NIDS, the network-based IDS; HIDS, the IDS on an individual host; and hybrid IDS, a combination of the two), NIDS is the solution chosen here, for the following reasons:

+ Broadest coverage: sensors can be placed at the key junction points of the network, so instead of putting a host-based or hybrid agent on every server in the DMZ you can put a single network sensor in the DMZ.
+ Easy to deploy: the sensors are standalone computers, and many NIDS today are sold as appliances, which further reduces both deployment time and cost. Host IDS and hybrid IDS require agents to be installed on every machine to be protected, and every machine with an agent must be updated regularly.
+ More detail about network traffic, which helps in deciding on and adjusting the appropriate policy. HIDS and hybrid IDS only provide information about one machine or server, and HIDS provides no traffic information at all.
+ A mature NIDS market that has produced some of the most sophisticated security technologies in the industry. HIDS is clearly still a simple technology, with most of the improvements going into agent deployment and management problems, and hybrid technology is still very new and still investing in deployment and administration strategies.
+ Many network intrusion detection systems can block an attack to stop the attacker from gaining access. These blocking methods vary in effectiveness, but they can react to the attacker immediately (they meet real-time requirements) and so limit the damage the attacker can do. Because HIDS relies on analysing log files it is not always real-time; hybrid systems can respond in real time but protect only individual hosts.

+ NIDS can interact with other perimeter technologies to strengthen the enterprise perimeter. NIDS leverages the blocking already present in routing and firewall technologies by automatically updating the various perimeter policies in response to real-time threats. A host-based system is confined to a single device and cannot support the protection already present in the perimeter security technologies.

2.3.2 NIDS architecture and operation

Every IDS is built on a multi-tier architecture of detection technology: the data analysis tier, the configuration management tier and the graphical user interface (GUI). Within an organisation, or when developing managed services, each tier of the IDS is developed independently, which keeps operations convenient, preserves performance and supports organised workflows. The detection technology differs between the kinds of IDS:

Sensors: software (appliance-based) that lets a NIDS monitor the load on high-speed networks. Sensors are placed at specific points on the network perimeter or inside the network fabric. They are dedicated processing devices that must operate precisely: a sensor analyses all network traffic looking for signs of intrusion, then reports to a central manager according to the parameters defined in the NIDS.

Agents: software installed on individual PCs in a HIDS. Agent software uses very few system resources. Its function is to monitor specific files or logins on the host and report to the central manager when those files are accessed, modified, deleted or copied, according to the host's security policy. Agents are regarded as intelligent software, since they decide which actions are legitimate and report the ones that violate the security policy.

Hybrid agents: combine the features of a host-based agent with network-sensor technology restricted to analysing the traffic addressed to the particular host on which the hybrid agent is installed. A hybrid agent uses more processor time than a host-based agent because it continuously processes the network traffic arriving at the host.

Collectors: like agents, but smaller applications, also focused on the host. The main difference is that collectors are regarded as sensors because they make no decisions at the host level. A collector's function is to gather login, registry and file information from the host and forward all of it to the central manager as soon as it is available; the central manager performs all the analysis and makes the decisions.

Diagram of a NIDS system:

The NIDS device connects to a network hub or switch, which in turn connects to the network router or the firewall. Every traffic flow to or from the clients is inspected by the NIDS. The NIDS is offered as a managed intrusion-detection service comprising the sensor, the application software and the management service software; for security reasons the customer cannot buy individual components but must purchase the complete central software package.

o Operation:

In the section on IDS we examined how an intrusion detection system goes about detecting intrusions: the two approaches are anomaly detection and misuse detection. Both have been in practical use since 1980, first for a single operating system and later extended to distributed systems and networks. Intrusion detection in a NIDS is therefore based on the same techniques described for the general IDS above. The intrusion scenarios still consist of intrusive actions performed by entities. However, several users on a network can work together as part of a cooperative intrusion, in which many entities collaborate to carry out the intrusion. Experience also shows that cooperative intrusions appear more often on a network and offer more opportunities for intrusive behaviour. Intruders may use several nodes in an attempt to hide their actions, taking advantage of the fact that different operating systems may not recognise the same states. To detect intrusions on a network, the detector must be able to correlate the actions from the several nodes involved in a cooperative intrusion. The anomaly-detection and misuse-detection processes are extended to suit intrusions in a network environment. Audit data, system calls and system state information are collected and then analysed in the same way as described in the IDS section, still in terms of normal and abnormal behaviour and intrusion scenarios. The difference in a network environment is that the intrusion detection system has to gather and correlate information from all the hosts. To do this, the detector can take a centralised approach, in which all information is collected on one machine and then analysed, or a decentralised (hierarchical) approach, in which local information is analysed and filtered locally and only the important information is shared between the intrusion-detection components across the nodes.

+ Centralised analysis: A centralised network intrusion detection system is characterised by distributed collection of audit data and centralised analysis. In most such systems, audit data is collected at the individual nodes and then reported to one or a few central locations, where the intrusion-detection analysis is carried out. This approach suits small networks but does not scale to large ones.

+ Hierarchical analysis: A hierarchical NIDS is characterised by distributed collection of audit data followed by distributed intrusion-detection analysis. These systems can be modelled as a hierarchy. Unlike a centralised NIDS, a hierarchical NIDS copes well as the network grows, because the analysis components are distributed and little audit information has to be shared between them. With the decentralised approach there are several ways to divide the whole system into smaller zones, depending on the purpose of communication. A domain is a subset of the hierarchy containing one node responsible for collecting and analysing data from all the other nodes in that domain; that analysing node represents the domain to the nodes higher in the hierarchy. Domains are created by partitioning the system according to:
+ geography
+ administrative control
+ groups of similar software platforms
+ the kinds of intrusion expected

2.3.3 NIDS model

Having examined the principles and operation of a NIDS in theory, we turn to its concrete tasks when applied to a real network:
+ Detecting intrusions
+ Responding to intrusions

Detecting intrusions: this covers the functions of data collection, data analysis and data storage.

+ Data collection: gathers information about events in the protected system and supplies it to the analysis components for processing. Collection includes discarding information that is not needed. In a network environment the traffic consists of IP datagrams travelling along the network, and the NIDS captures the packets as they pass on the wire. The NIDS contains a special TCP/IP stack that reassembles IP datagrams and TCP streams.

+ Data analysis: analyses the information received from the collection component. Its purpose is to further refine the security-relevant information and to assess the likelihood that an intrusion is occurring, has occurred or is about to occur. It uses several analysis techniques:

Protocol stack verification: some intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", attack a computer by violating the basic IP, TCP, UDP and ICMP protocols. A simple checker can flag the invalid packets.

Application protocol verification: some intrusions run a protocol in an invalid way, such as WinNuke (NetBIOS with out-of-band data) or DNS cache poisoning, which carries a valid signature but unusual behaviour. To detect these intrusions effectively the NIDS has to re-implement a large number of application-layer protocols in order to spot invalid or suspicious usage.

Creating new loggable events: a NIDS can be used to extend the auditing capabilities of your network management software. For instance, the NIDS can simply log every application-layer protocol used on a machine, after which the event-logging systems (Windows NT event log, Unix syslog, SNMP traps, and so on) can correlate these extended events with the other events on the network.

+ Data storage: the collection and analysis components can produce a very large amount of information, which is then recorded by the storage component so that it remains available for analysis. If storage is not handled properly, the performance of the whole system suffers.

The collected data comes from many different sources, for example web server log files, firewall log files, CPU usage information and access to operating-system resources. Whether the system can detect an intrusion at all depends first of all on data collection.
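The protocol stack verification described above, as an added example that is not part of the original report. It parses raw IPv4 packets and flags the two violations the text names, invalid TCP flag combinations ("stealth" NULL/FIN/Xmas scans) and fragments that would reassemble beyond the 65535-byte IPv4 limit (Ping-of-Death), and also a TCP header split across fragments, which a sensor that does not track fragments misses entirely. The packets and addresses are constructed with the builders in the block; real captures would come from a packet socket or pcap.

```python
"""Protocol-stack verification on raw IPv4 packets (added example)."""
import struct
from collections import defaultdict

IPV4_MAX_LEN = 65535                       # largest datagram the IPv4 length field can express
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_ICMP, PROTO_TCP = 1, 6


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(src, dst, proto, payload, ident=1, frag_off=0, mf=False):
    """Constructed packet: minimal 20-byte IPv4 header (no options, checksum 0) + payload."""
    assert frag_off % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header (data offset 5), no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    v_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if v_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (v_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000), "frag_off": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def tcp_flag_anomaly(segment, fragmented=False):
    """Flag combinations no real stack sends; these are what NULL/FIN/Xmas scans use."""
    if len(segment) < 20:
        return "TCP header split across fragments" if fragmented else "truncated TCP header"
    flags = segment[13] & 0x3F
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    return None


class StackVerifier:
    """Tracks the extent of each fragmented datagram and flags protocol violations."""
    def __init__(self):
        self.extent = defaultdict(int)     # (src, dst, ident, proto) -> highest byte seen so far
        self.alerts = []                   # (datagram key, reason)

    def feed(self, pkt):
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        end = ip["frag_off"] + len(ip["payload"])
        if end > IPV4_MAX_LEN:             # would reassemble past 64 KiB: Ping-of-Death class
            self.alerts.append((key, "oversized reassembly (%d bytes): Ping-of-Death style" % end))
        self.extent[key] = max(self.extent[key], end)
        if ip["proto"] == PROTO_TCP and ip["frag_off"] == 0:   # TCP header lives in the first fragment
            reason = tcp_flag_anomaly(ip["payload"], fragmented=ip["mf"])
            if reason:
                self.alerts.append((key, reason))
        if not ip["mf"]:                   # last (or only) fragment: datagram complete
            self.extent.pop(key, None)
        return self.alerts


def demo():
    """Feed five constructed packets; returns the alerts raised."""
    v = StackVerifier()
    a, b = "10.0.0.5", "10.0.0.80"
    v.feed(build_ipv4(a, b, PROTO_TCP, build_tcp(SYN), ident=1))                 # normal SYN: quiet
    v.feed(build_ipv4(a, b, PROTO_TCP, build_tcp(FIN | PSH | URG), ident=2))     # Xmas probe
    v.feed(build_ipv4(a, b, PROTO_TCP, build_tcp(SYN)[:8], ident=3, mf=True))    # tiny first fragment
    v.feed(build_ipv4(a, b, PROTO_ICMP, bytes(8), ident=7, mf=True))             # echo: first fragment
    v.feed(build_ipv4(a, b, PROTO_ICMP, bytes(16), ident=7, frag_off=65528))    # ends past 65535
    return v.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The oversized-reassembly check deliberately fires on the offending fragment itself rather than waiting for the datagram to complete: an attacker need never send the final fragment, and a sensor that only judges finished datagrams would stay silent.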
If data collection is slow or lossy, the intruder's trail is easily lost. To take a concrete example, a program that monitors activity on the network must be able to capture every packet transmitted on it, and when the network is fast and the link throughput is high, keeping up with the network is very hard.

Responding to intrusions:

This includes the ability to raise an alert, or to act against the attacker by terminating the connection or modifying the router's access control table to block further attacks from the same source. A NIDS typically offers the following response actions:

Reconfigure firewall: reconfigure the firewall to filter the intruder's IP address. This still lets the intruder attack from other addresses. Check Point firewalls support SAMP (Suspicious Activity Monitoring Protocol) for reconfiguring firewalls, and Check Point also has its OPSEC standard for reconfiguring firewalls to block dangerous IP addresses.

Chime: emit a beep or play a .WAV file; you might hear the warning "You are under attack", for example.

SNMP Trap: send an SNMP trap datagram to a management console such as HP OpenView, Tivoli or Cabletron Spectrum.

NT Event: send an event to the Windows NT event log.

syslog: send an event to the Unix syslog facility.

Send e-mail: e-mail the administrator about the attack.

Page: page the system administrator (using ordinary pagers).

Log the attack: record the details of the attack (timestamp, intruder's IP address, victim's IP address and port, protocol information).

Save evidence: save a packet trace file for later analysis.

Launch program: run a separate program to handle the event.

Terminate the TCP session: forge a TCP packet to tear down the connection. (The original names a FIN; in practice products send a RST, since a FIN only half-closes the connection.)

2.3.4 Deploying and tuning the NIDS system

Deploying the NIDS

In the past, NIDS were expensive, complex and came in a one-size-fits-all configuration. As a result NIDS deployment was difficult and was confined to the position between the border router and the firewall, where they tried to monitor most of the traffic. A new technology suited to the new networks was therefore very welcome: single-speed 10 Mb/s Ethernet dominated the market then, whereas today there are several Ethernet models, Ethernet, Fast Ethernet and Gigabit Ethernet. The success of each plays its own role in meeting changing financial requirements, but they do not all carry the same cost for network security.
Intrusion.com offers a family of network IDS systems suited to the different speeds and deployment requirements of modern networks. By replacing the one-size-fits-all model with a scalable one, large-scale deployment of IDS devices lets security professionals extend network protection beyond what was possible before, creating more effective controls and making the business more secure. In addition, the reach of today's networks is far greater than before. These huge networks are partitioned by firewall technology and connected by VPN technology. Both firewalls and VPNs protect network segments and close the visible holes. But when a subnet is isolated behind a firewall, the security specialist has no visibility into the kind and nature of the traffic on that isolated segment, and when the network traffic is encrypted (VPN) the security specialist likewise cannot see the nature of the traffic. Placing a NIDS behind the firewall and the VPN, especially in isolated and widely distributed networks, gives the security specialist the visibility needed to keep the network secure.

Deployment in a simple network

o Priority one: behind the perimeter firewalls

If you can only afford one NIDS sensor, this is the best place to put it. It is the central choke point for all traffic entering or leaving a private network (of a company or other business). This position lets the NIDS sensor give a general warning about anything unusual, or anything that has made it through the firewall into the private network. It gives no visibility into suspicious activity going on within a subnet, nor does it monitor the external traffic to the DMZ. The threshold at this level of deployment allows signatures to be enabled from suspicious activity up to intrusion attempts.

o Priority two: in the DMZ

This is where the enterprise's externally accessible services live: the web servers, FTP servers and e-mail servers. This position lets the NIDS sensor report on the network traffic and the abnormal activity directed at the externally facing servers, which are the targets of most denial-of-service attacks, web exploits and e-mail attacks. This level of deployment allows signatures to be enabled from protocol anomalies up to intrusion attempts.

o Priority three: between the border router and the perimeter firewalls

This level of deployment gives visibility into reconnaissance and direct exploitation attempts against the firewall. Some network administrators want the added visibility into the patterns of outside attackers, for example as part of national defence; intelligence agencies and security agencies generally require it. This level of deployment allows signatures to be enabled from suspicious activity up to intrusion attempts. Deploying outside the firewall exposes some risks that may deter some administrators from choosing it, usually the exposure of intelligence about the site, or possibly the opening of holes through the firewall. If the risk is worth the visibility gained, six final recommendations apply:
+ The monitoring interface should have no IP address.
+ Change the communication port used by SecureNet Pro (the default is 975) to disguise the identity of the NIDS.
+ Use a non-routable address (RFC 1918, such as 10.x.x.x) for the management interface on this sensor.
+ Use an alias interface outside your firewall, or
+ add a firewall rule specifically for the IDS.
+ Create a separate VLAN for intrusion-detection management. This lets traffic return to the console without making the sensor visible outside your network.

o Priority four: behind firewalled subnets or a main LAN

This level of deployment is characterised by the protection of mission-critical servers such as ERP, CRM, PDM and computing systems. As well as placing these servers behind firewalls, it is becoming more common for the critical departments in an organisation to have network segments separated from the ordinary traffic. Firewalls are used internally to isolate departments such as:
+ Executive management
+ Finance
+ Human resources
+ Research and development
+ Engineering
+ Patent organisations
+ Legal

This level of deployment can also cover e-commerce links to partners. The firewall does not only protect these segments; it also lets other IDS systems monitor the traffic behind the firewall. No department is immune to back-door attacks that open holes in the network perimeter and put information assets at risk. This level of deployment allows all signatures to be enabled, from network events up to attacks. In addition, because of the extra restrictions imposed by the inter-departmental firewalls, these areas tend to harbour misconfigured computers or users trying to reach other departments or the Internet. Detecting protocol anomalies and network-event signatures here makes it possible to spot suspicious events on the basis of security policy or behaviour rather than signatures.

o Priority five: behind the firewall of a branch or remote office

The business today is an organisation spread over many branches and remote offices, all of which need to connect to headquarters to reach the organisation's information assets. As in the previous deployment scenario, the firewall forms the perimeter for the branch and remote offices; it not only protects them but also lets the enterprise IDS monitor the traffic at those locations. No office is immune to back-door attacks that open holes in the network perimeter and put information assets at risk. Moreover, because of their distance from headquarters, remote offices tend to harbour more misconfigured computers or users trying to reach other offices or the Internet. Detecting protocol anomalies and network-event signatures here makes it possible to spot suspicious events on the basis of security policy or behaviour rather than signatures. This level of deployment allows all signatures to be enabled, from network events up to intrusion attempts.

Tuning the intrusion detection system

There are two main weaknesses in an intrusion detection system that an attacker can exploit to attack the network without being seen:
+ Blinding the sensor
+ Blinding the operator

Blinding the sensor

Hackers try to blind the sensor, making it hard or even impossible for the NIDS to detect a real attack, by flooding the network with bogus traffic to drown out the real attack, or by using oddly formed traffic to evade the detection system. The recently published "stick" attack can completely blind the leading NIDS products, allowing other attacks to be sent through entirely undetected. In addition, some NIDS sensors do not reassemble fragmented packets, or use simplistic approximations, winning market share without really delivering a solution. Some NIDS claim to reassemble packets but in fact only partially do so, leaving the user exposed to a skilled attacker. By implementing improved intrusion-detection technology, such as multi-path reassembly and high-speed packet analysis, some second-generation detection systems have more advantages, adapt better and are effective at preventing blinding and evasion attacks.

Blinding the operator

In contrast to blinding the sensor, blinding the operator is essentially a consequence of how the NIDS is deployed and tuned, which is entirely under the security administrator's control. The operator can be blinded quite simply by generating large amounts of spurious information to the network intrusion-detection console. Too much data makes it hard or impossible for the security administrator to recognise immediately the threat buried in the data presented. To control the possibility of blinding the operator, the sensors must be tuned. Tuning the sensors is the process of determining which signatures, under which parameters (together called the policy), should be deployed, and how the NIDS can be configured to bring the number of event reports down to a suitable level and percentage of network events.

Discussion of tuning

To minimise the chance of the sensors or the console being blinded, Intrusion.com SecureNet Pro provides several levels of tuning that let the security specialist pick out the events relevant to their own network. The tuning process has four phases:
+ Limit the number of signatures searched for. You have to decide which protocol elements you regard as a threat to your network or network segment.
+ Use the SecureNet Pro global filters. The global filters let you limit the amount of data the sensor puts onto the network. They let the security specialist use a single signature policy across the whole organisation and then tailor the policy enforced at each sensor by Ethernet, IP and protocol before signature processing takes place.
+ Filter events at the console. To limit the amount of data presented to the security specialist, the console filter keeps most of the data in the analysis database but limits the blinding-the-operator effect by displaying only the relevant events.
+ Tune the signatures themselves. Signatures can be tuned so that reported network events are not mistaken for others, so that higher-threat event types stand out, and so that less threatening event types merely warn.

Signature tuning

With SecureNet Pro, the parameters of the signatures can be changed to suit each individual network, including editing the description and other text fields to add site-specific information and other items. The first priority in editing signatures is changing the priority of events to match their importance on the network. As noted above, on some networks the suspicious activity of a given event may deserve medium priority, while on others the same event may deserve high priority. To increase the chance that the security specialist sees the information they are looking for, signature priorities are reviewed to match the specialist's own priorities. The security specialist can also choose to review the classification of the signatures. Each signature is classified into one of the attack types: intrusion attempt, DDoS, DoS, suspicious activity, protocol anomaly and network event. In general this classification of events is common to all organisations, but each enterprise's security specialist should review the classification in the context of the enterprise's own network. For example, an event classified as a network event by Intrusion.com may be reclassified as suspicious activity to fit a given enterprise's network policy. When open-source or user-created string-matching signatures are used, the search strings and the parameters of those signatures can be altered to make the signatures more accurate. Open-source string-matching signatures can also be duplicated and renamed to create additional verification capabilities. Open-source signatures can be created in the SecureNet Pro Linux console or with a text editor. String-matching signatures can be parameterised like the other signatures, with different priorities, classifications, descriptions, IP and MAC addresses, and so on.
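The four tuning phases described above, and the operator-blinding problem they address, as an added example that is not part of the original report and not SecureNet Pro's code. Signature IDs and names, the filter policy, the site overrides, the addresses and the event feed (a 500-alert flood of one signature from one source, in the style of the "stick" attack, followed by four single events) are all constructed. The order of the phases in the code is the order the text gives them on the wire: signature selection and global filtering at the sensor, site reclassification on the way out, priority filtering and flood collapsing at the console.

```python
"""Sensor-side and console-side tuning pipeline for NIDS events (added example)."""
import ipaddress
from collections import OrderedDict

PRIORITY = {"low": 1, "medium": 2, "high": 3}

# Phase 1: only the signatures judged relevant to this segment are enabled (constructed IDs).
ENABLED_SIGS = {1001, 1002, 1003, 1007}

# Phase 2: global filters applied at the sensor, before signature processing.
# Here our own NMS polling from the management subnet never counts as an SNMP event.
GLOBAL_FILTERS = [{"proto": "snmp", "src": ipaddress.ip_network("10.9.0.0/24")}]

# Phase 4: site-specific reclassification of the vendor's default category and priority.
SITE_OVERRIDES = {
    1007: {"category": "suspicious activity", "priority": "high"},  # vendor default: network event, low
    1002: {"priority": "low"},                                      # too noisy on this segment
}


def sensor_stage(events):
    """What leaves the sensor: enabled signatures only, minus globally filtered traffic, re-tagged."""
    out = []
    for ev in events:
        if ev["sig"] not in ENABLED_SIGS:
            continue
        src = ipaddress.ip_address(ev["src"])
        if any(ev["proto"] == f["proto"] and src in f["src"] for f in GLOBAL_FILTERS):
            continue
        out.append({**ev, **SITE_OVERRIDES.get(ev["sig"], {})})
    return out


def console_stage(events, min_priority="medium", flood_window_s=60):
    """Phase 3: priority threshold, plus collapsing repeats of one signature from one source."""
    shown = OrderedDict()
    for ev in events:
        if PRIORITY[ev["priority"]] < PRIORITY[min_priority]:
            continue
        key = (ev["sig"], ev["src"])
        bucket = shown.get(key)
        if bucket is not None and ev["ts"] - bucket["first_ts"] <= flood_window_s:
            bucket["count"] += 1              # one console line with a counter, not 500 lines
            bucket["last_ts"] = ev["ts"]
        else:
            shown[key] = {**ev, "first_ts": ev["ts"], "last_ts": ev["ts"], "count": 1}
    return list(shown.values())


def make_event(sig, name, category, priority, proto, src, dst, ts):
    return dict(sig=sig, name=name, category=category, priority=priority,
                proto=proto, src=src, dst=dst, ts=ts)


def sample_events():
    """Constructed feed: a 500-alert flood (stick-style), then four single events."""
    evs = [make_event(1001, "WEB-IIS cmd.exe access", "intrusion attempt", "high",
                      "http", "198.51.100.7", "10.0.1.10", i * 0.1) for i in range(500)]
    evs += [
        make_event(1007, "ICMP echo from unexpected host", "network event", "low",
                   "icmp", "10.0.5.23", "10.0.1.10", 60.0),        # reclassified high by site policy
        make_event(1002, "FTP anonymous login", "network event", "medium",
                   "ftp", "203.0.113.4", "10.0.1.21", 61.0),       # downgraded to low: hidden at console
        make_event(1003, "SNMP public community", "suspicious activity", "high",
                   "snmp", "10.9.0.2", "10.0.1.10", 62.0),         # our NMS: removed by global filter
        make_event(2001, "Disabled signature", "intrusion attempt", "high",
                   "http", "203.0.113.4", "10.0.1.10", 63.0),      # not in the enabled set
    ]
    return evs


def demo():
    """Run the constructed feed through both stages; returns what the operator sees."""
    return console_stage(sensor_stage(sample_events()))


if __name__ == "__main__":
    for row in demo():
        print(row["sig"], row["name"], row["priority"], "x%d" % row["count"])
```

The console stage keeps every event that passed the sensor in its input list (the analysis database in the text's terms); only the display is thinned. Collapsing by (signature, source) turns a stick-style flood into a single line with a count, so the one reclassified ICMP event is still visible beneath it instead of 500 lines below it.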

2.3.5 nh gi mt h thng NIDS Mt h thng NIDS ni chung c c cc u im: + t nh hng n c s h tng hin ang tn ti. + Qun tr tp trung. + Phm vi bo v rng. + Linh hot v chc nng. Bn cnh , n cng tn ti nhng nhc im c bn: + T l xc nh sai l cao. + D b lm cho qu ti. + Thng d b ph hoc lm mt hiu lc. Gi thuyt ca chng ta l: c c chnh xc cc i, cc thut ton d tm trong mt h thng NIDS ch nn chn d liu u vo c tnh r rng, d hiu, tin cy cao v thao tc trn d liu bi cc hm bin i c th c m hnh vi chnh xc cao v tnh trng khng an ton l t. Tng ng ta c cc yu cu v lung d liu u vo v cc hm bin i nh sau: Cc c im cn thit v lung ti: + Tnh r rng (Visibility): lung ti c th i trn mng m NIDS khng pht hin ra? + Tnh d hiu (Understandability): NIDS c th hiu c giao thc?. D liu ca qu trnh d tm xm nhp c c m ha khng? + tin cy (Realiability): Thng tin c chnh xc nh th no?. C b gi mo hay khng? Cc hm bin i: + Bin i lung ti mng mt cch logic, theo thi gian v/hoc khng gian. + Bin i cc ngun d liu nguy him sau khi NIDS pht hin ra n. + C th yu cu m hnh theo trng thi m phng + Phi c m phng ngn chn xm nhp Nh vy, cn nghin cu cc NIDS bng cch ng dng m hnh ca n vo cc h thng thc t ang tn ti. Nh ta c th: + Pht hin cc mt hn ch ca m hnh. + Ch ra cch thc thay i cc thut ton hoc mi trng thao tc nng cao chnh xc ca h thng. + c lng c tnh kh thi ca cc mc ch d tm. + Cung cp y cc yu cu ca h thng tng ng vi nhng mc ch d tm c a ra.

+ Even estimate the accuracy of the NIDS detection system.

2.3.6 Optimising the value of a NIDS
Performance metrics
The most commonly quoted metric for a NIDS is the number of packets it drops, or how many packets it is unable to analyse. But that is not the reason a NIDS is chosen. Routers and firewalls are inline devices that drop packets to stop traffic, and for those devices that metric is entirely appropriate. Intrusion detection systems cannot be ranked alongside routers and firewalls, because of these fundamental differences: a NIDS is a passive device attached to the network through a tap (a T-connection), so it cannot block traffic; and a NIDS is not an access control device, so the packets it drops never cause the link to be blocked. The key to using the right metric for a NIDS is the reason you chose the system in the first place: the purpose of a NIDS is to identify an attack accurately however saturated the network is. The correct metric for an intrusion detection system is therefore attack detection: detecting attacks at different levels of network saturation on 10 Mbps, 100 Mbps and Gigabit segments.

The value of flexibility
In the mid-1990s many analysts tried to find a sound way of calculating whether one product delivers more value than another over a period of time. The first metric was Total Cost of Ownership (TCO), which tries to capture the cost of management, administration and the various costs borne by end users. TCO was soon followed by the Total Economic Impact (TEI) model. In security, flexibility matters a great deal. Networks keep growing and changing at an astonishing pace, and at every step new threats are discovered and exploited, adding to the problems of the network and of protecting information assets. To remain effective, a NIDS has to adapt to every change in the enterprise's network environment. Flexibility in a NIDS can be measured in three main areas: customisation, deployment and management. Customisation lets the security analyst adjust the system to the IDS policy of the enterprise network. The ability to customise increases the value of the information produced by the IDS, providing higher-value information about how the network is used. Deployment flexibility lets uniform data be gathered from very different network segments: Fast Ethernet and Gigabit segments, software deployed on existing hardware, and appliance-based solutions let IT and security staff spend appropriately for the demands of their network. Management flexibility makes it possible to get the most out of the security investment: network intelligence improves when normalised information from many segments is collected at a single site or in a hierarchical architecture. Long-term value depends heavily on the longevity of the solution, and flexibility is the assurance that the technology you choose will fit both the current system and the future one.

Policy first, solutions second
Security policy is the purpose behind a company's security investment, and it is the first step towards getting optimal value from any investment in security technology. Optimising the value of network intrusion detection begins with a security policy that defines the measure of success. An intrusion detection security policy needs to be defined around three points:
o The purpose of buying a NIDS: a simple but very important starting point. Without a clear statement of what you want the NIDS to do, there is no way to tell whether the deployment has succeeded.
o The threats to face when deploying a NIDS: every time a sensor is deployed there is a defined set of threats it will look for. Reducing the number of items the NIDS looks for increases performance. When a sensor is deployed outside the firewall, analysis of outbound traffic can be set anywhere from no analysis at all to analysing everything.
o How long the sensor will run: some NIDS sensors become a permanent part of the system once deployed, while others may be moved repeatedly as needed. The time a sensor will stay in place should be decided in advance so that the most sensible deployment policy can be drawn up.

Speeding up deployment
One of the main benefits of a NIDS is that it is deployed at a single point and protects whole network segments.

Reducing the time and effort needed to protect these single points increases the perceived value of the NIDS investment. To optimise the value of intrusion detection, a common strategy is to use appliances that cut deployment time.

2.3.7 NIDS and firewalls
Despite their limitations, firewalls are an essential part of any network security system. A firewall blocks certain fixed types of attack and controls what kinds of traffic (Web, FTP, Telnet or IRC) pass between your internal network and the Internet. However, there are attacks that a firewall will neither block nor detect, such as an attack on port 80 of the web server. A firewall protects the communication between networks but offers little or no protection against attacks inside the local network. If the outer perimeter defence is breached, or if the abuse originates inside your organisation, the firewall offers no help; the NIDS is what captures, analyses, identifies and responds to those attacks.

With a firewall in place, a NIDS is still needed. People commonly assume that firewalls recognise attacks and block them. That is not true. A firewall is simply a device that turns everything off (blocks it) and then turns back on only a few selected items that are considered complete (free of flaws). In a perfect world systems would already be locked down and secure, and firewalls would be unnecessary; in reality security holes keep being discovered, so we still need firewalls. When a firewall is installed, the first thing it does is block all traffic. The firewall administrator then very carefully adds rules that allow particular kinds of traffic through. For example, a typical firewall permitting Internet access blocks all UDP and ICMP datagrams, blocks incoming TCP connections, but allows outgoing TCP connections (meaning it blocks connections from attackers on the Internet but still lets internal users connect directly to the outside). In general, a firewall is not the dynamic protection system users imagine it to be; that role belongs to the IDS. The IDS identifies attacks on the network that the firewall cannot see. For example, in April 1999 many sites were attacked through a bug in ColdFusion.
All of those sites had firewalls, but the firewall only restricted access to the web server to port 80, and it was precisely the web server that was attacked, so in this case the firewall no longer gave any protection. An IDS, on the other hand, would have detected the attack, because it matches the signatures configured on the system. Another problem with firewalls is that they sit only on the boundary of your network, while 80% of the financial damage done by attackers originates inside the network. A perimeter firewall cannot see what happens inside; it only sees traffic between the internal network and the Internet. Some reasons for adding an IDS to a firewall:
+ Double-check misconfigured firewalls.
+ Catch attacks that the firewall legitimately allows through.
+ Catch attacks that fail.
+ Catch attacks from inside.

With a NIDS in place, a firewall is still needed. There are large numbers of script kiddies running automated tools (such as SATAN) across the network to search for vulnerabilities. Without a firewall, those automated tools would find and exploit the holes.

2.3.8 Summary
Earlier security systems were built on the mechanism of blocking attacks coming from outside the system being protected. Current experience shows that no blocking system can guarantee to stop attacks. Moreover, surveys show that most attacks originate from inside the very system that the defences protect. An IDS is not merely a supplement to the firewall; it is the combination of IDS and firewall that establishes the most complete security system.
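An added example illustrating section 2.3.7 (not from this report or from any firewall product): a stateless, default-deny perimeter filter with the rule set described above (block UDP and ICMP, block inbound TCP, allow outbound TCP, allow TCP to the web server on port 80) run beside a payload-inspecting sensor on the internal segment. The internal address range, the web server address, the attack string and the packets are constructed; the string is a placeholder, not the actual 1999 ColdFusion request.

```python
# Added example (not from the original report): a default-deny packet filter
# of the kind described in 2.3.7, run next to a simple NIDS, to show which
# attacks each one sees. Addresses, rules, the signature and the packets are
# all constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal range
WEB_SERVER = ip_address("10.0.0.80")       # assumed public web server
ATTACK_STRING = b"/cgi-bin/vulnerable-script"   # placeholder signature

@dataclass
class Packet:
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int
    syn: bool      # True for a connection-opening TCP packet
    payload: bytes = b""

def firewall(pkt: Packet) -> str:
    """Perimeter filter. Returns "unseen" for traffic that never crosses the
    boundary; otherwise the verdict of the first matching rule, with
    default deny when no rule matches. Stateless on purpose: it looks at
    headers only, never at the payload."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    outbound = src in INTERNAL and dst not in INTERNAL
    inbound = src not in INTERNAL and dst in INTERNAL
    if not (outbound or inbound):
        return "unseen"                     # internal-to-internal: invisible
    rules = [
        (pkt.proto in ("udp", "icmp"), "deny"),                     # block UDP/ICMP
        (pkt.proto == "tcp" and outbound, "allow"),                 # allow outgoing TCP
        (pkt.proto == "tcp" and inbound and dst == WEB_SERVER
         and pkt.dport == 80, "allow"),                             # allow web
        (pkt.proto == "tcp" and inbound and pkt.syn, "deny"),       # block other inbound
    ]
    for cond, verdict in rules:
        if cond:
            return verdict
    return "deny"

def nids(pkt: Packet) -> bool:
    """Passive sensor on the internal segment: sees traffic the firewall
    never does, and inspects the payload rather than just headers."""
    return ATTACK_STRING in pkt.payload

def classify(pkt: Packet) -> dict:
    return {"firewall": firewall(pkt), "nids_alerts": nids(pkt)}

SAMPLE = {   # constructed packets
    "inbound web attack": Packet("203.0.113.9", "10.0.0.80", "tcp", 80, False,
                                 b"GET /cgi-bin/vulnerable-script?x=1 HTTP/1.0\r\n"),
    "inbound telnet": Packet("203.0.113.9", "10.0.0.23", "tcp", 23, True),
    "outbound http": Packet("10.0.0.5", "198.51.100.7", "tcp", 80, True),
    "inbound udp": Packet("203.0.113.9", "10.0.0.53", "udp", 53, False),
    "insider web attack": Packet("10.0.0.5", "10.0.0.80", "tcp", 80, False,
                                 b"GET /cgi-bin/vulnerable-script?x=1 HTTP/1.0\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:20s} {classify(pkt)}")
```

The two cases the section argues about are the first and the last: the attack on port 80 is exactly what the rule set permits, so only the signature catches it, and the insider's copy of the same request never reaches the perimeter at all.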

CHAPTER 3: DESIGNING A NIDS
3.1 Purpose
Design a program able to "monitor" the activity on a LAN, based on the principle of collecting the packets travelling on the medium and analysing them.
3.2 Analysis and design of the program
The system is divided into the following main functions:

The system must collect the packets transmitted on the network; this is mandatory. The collected packets must then be decoded: the data initially received is purely a byte stream, and decoding means reading that stream and telling the individual packet types apart by recognising the packets' header fields. Attack detection analysis is based on the analysis techniques presented earlier. Finally, detecting an attack must be accompanied by countermeasures (raising an alarm, recording information about the attack). The processing modules to be built are:
+ A module that captures packets from the medium.
+ A packet decoding module.
+ An analysis module that searches for attack signatures.
+ Storage and response.
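The four modules above in one runnable form, as an added example and not the report's program, which also shows why section 2.3.5 lists "transformation in space and time" and the "easily evaded" weakness: frames are constructed in memory to stand in for a capture from the wire, decoded header by header (Ethernet II, IPv4 with a header checksum check, TCP), reassembled per flow by sequence number, searched for string signatures, and turned into log lines. A request split across four out-of-order segments is missed by per-packet matching and found only after reassembly. Addresses, ports, sequence numbers and search strings are all constructed.

```python
# Added example (not the report's program): the four modules of the design
# above, with the per-flow stream reassembly that section 2.3.5's
# "transformations in space and time" calls for. Frames are constructed in
# memory in place of a capture; addresses, ports, sequence numbers and search
# strings are constructed for the demo.
import struct
from typing import Dict, List, Optional, Tuple

SIGNATURES = {"phf-probe": b"/cgi-bin/phf", "bin-sh": b"/bin/sh"}   # constructed
Flow = Tuple[str, str, int, int]     # (src, dst, sport, dport)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that already carries its
    checksum it returns 0, which is how corrupted headers are rejected."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xffff)
    s += s >> 16
    return (~s) & 0xffff

def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct an Ethernet II / IPv4 / TCP frame (capture stand-in)."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp

def decode(frame: bytes) -> Optional[dict]:
    """Module 2: walk the byte stream header by header. Anything that is not
    well-formed IPv4-over-Ethernet carrying TCP is rejected, not guessed."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total or checksum(ip[:ihl]) != 0 or proto != 6:
        return None
    tcp = ip[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": tcp[(off_res >> 4) * 4:]}

def reassemble(pkts: List[dict]) -> Dict[Flow, bytes]:
    """Order each flow's segments by sequence number and join contiguous data;
    a gap stops the stream instead of guessing what the host would see."""
    flows: Dict[Flow, List[Tuple[int, bytes]]] = {}
    for p in pkts:
        flows.setdefault((p["src"], p["dst"], p["sport"], p["dport"]), []).append((p["seq"], p["payload"]))
    streams = {}
    for key, parts in flows.items():
        parts.sort(key=lambda x: x[0])
        buf, expected = b"", parts[0][0]
        for seq, data in parts:
            if seq != expected:
                break
            buf += data
            expected += len(data)
        streams[key] = buf
    return streams

def analyse(streams: Dict[Flow, bytes]) -> List[Tuple[Flow, str]]:
    """Module 3: string matching over reassembled streams, not single packets."""
    return [(key, name) for key, buf in streams.items()
            for name, pat in SIGNATURES.items() if pat in buf]

def run(frames: List[bytes]) -> List[str]:
    """Modules 1 and 4: take frames from the 'capture', decode, analyse, log."""
    pkts = [p for p in map(decode, frames) if p is not None]
    return [f"ALERT {name} {k[0]}:{k[2]} -> {k[1]}:{k[3]}" for k, name in analyse(reassemble(pkts))]

def per_packet_alerts(frames: List[bytes]) -> int:
    """The naive alternative: match each packet on its own (what the split evades)."""
    return sum(1 for p in map(decode, frames) if p
               for pat in SIGNATURES.values() if pat in p["payload"])

# Constructed capture: one request cut into four segments so that both search
# strings straddle a boundary, sent out of order; one harmless request; garbage.
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0a/bin/sh HTTP/1.0\r\n"
PIECES = [(1000, REQUEST[:6]), (1006, REQUEST[6:12]), (1012, REQUEST[12:30]), (1030, REQUEST[30:])]
CAPTURE = [build_frame("10.0.0.5", "10.0.0.80", 40000, 80, s, d)
           for s, d in (PIECES[2], PIECES[0], PIECES[3], PIECES[1])]
CAPTURE += [build_frame("10.0.0.6", "10.0.0.80", 40001, 80, 500, b"GET /index.html HTTP/1.0\r\n"),
            b"\x00" * 30]

if __name__ == "__main__":
    print("per-packet matches:", per_packet_alerts(CAPTURE))
    for line in run(CAPTURE):
        print(line)
```

On a real sensor the capture module would hand frames from the wire to decode() in the same way; the point of keeping reassembly between decoding and analysis is that the detector then searches the same byte sequence the destination host reconstructs, which is what the visibility and understandability requirements in 2.3.5 demand.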

