标签： 异常检测， 入侵检测，入侵防御，IDS，IPS

---

异常检测 (Anomaly detection)

异常检测的假设是入侵者活动异常于正常主体的活动[1]。
特别是在检测滥用与网络入侵时，有趣性对象往往不是罕见对象，但却是超出预料的突发活动。这种模式不遵循通常统计定义中把异常点看作是罕见对象，于是许多异常检测方法（特别是无监督的方法）将对此类数据失效，除非进行了合适的聚集。相反，聚类分析算法可能可以检测出这些模式形成的微聚类[2]。

• 无监督异常检测: 通过寻找与其他数据最不匹配的实例来检测出未标记测试数据的异常。
• 监督式异常检测: 需要一个已经被标记“正常”与“异常”的数据集，并涉及到训练分类器（与许多其他的统计分类问题的关键区别是异常检测的内在不均衡性）。
• 半监督式异常检测: 根据一个给定的正常训练数据集创建一个表示正常行为的模型，然后检测由学习模型生成的测试实例的可能性。

入侵检测 (Intrusion-detection)

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms[4].

Simulation tools

OPNET and NetSim are commonly used tools for simulation network intrusion detection systems.

Comparison with firewalls[4]

• Firewall looks outwardly for intrusions to stop them from happening, limits access between networks to prevent intrusion and does not signal an attack from inside the network.
• IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.

Classifications by analyzed activity[4]:

• network intrusion detection systems (NIDS): A system that analyzes incoming network traffic. *NIDS placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. *

  • On-line NIDS deals with the network in real time. It analyses the Ethernet packets and applies some rules, to decide if it is an attack or not [5].
  • Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not [5].

• host-based intrusion detection systems (HIDS) : A system that monitors important operating system files. HIDS runs on individual hosts or devices on the network. These monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. HIDS takes a snapshot of existing system files and matches it to the previous snapshot.

Classifications by detection approach[4]:

• signature-based detection: Recognizing the attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.

• anomaly-based detection: Detecting deviations from a model of "good" traffic, which often relies on machine learning. *Using machine learning to create a model of trustworthy activity, and then compare new behavior against this model. *

入侵预防(Intrusion prevension)[4]

• Intrusion prevention systems (IPS), also known as Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, reporting them and attempting to block or stop them.
• Four different types:
  1. Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
  2. Wireless intrusion prevention systems (WIPS): monitor a wireless network for suspicious traffic by analyzing wireless networking protocols.
  3. Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
  4. Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

IDS与IPS的关系[6]

• 入侵检测系统(IDS)对那些异常的、可能是入侵行为的数据进行检测和报警，告知使用者网络中的实时状况，并提供相应的解决、处理方法，是一种侧重于风险管理的安全产品。
• 入侵防御系统(IPS)对那些被明确判断为攻击行为，会对网络、数据造成危害的恶意行为进行检测和防御，降低或是减免使用者对异常状况的处理资源开销，是一种侧重于风险控制的安全产品。
• IDS and IPS both monitor network traffic and/or system activities for malicious activity.
• IDS和IPS并非取代和互斥，而是相互协作：没有部署IDS的时候，只能是凭感觉判断，应该在什么地方部署什么样的安全产品，通过IDS的广泛部署，了解了网络的当前实时状况，据此状况可进一步判断应该在何处部署何类安全产品（IPS等）。

Reference

[1]. 异常检测-百科
[2]. 异常检测-维基
[3]. 入侵检测系统-维基
[4]. Intrusion detection system
[5] Abdullah A. Mohamed, "Design Intrusion Detection System Based On Image Block Matching", International Journal of Computer and Communication Engineering, IACSIT Press, Vol. 2, No. 5, September 2013
[6]. IPS（入侵防御系统）