
3. Typical work process
3.1 The basic work process of network monitoring involves
several modules and runs as follows:
◆ Protocol analysis: monitor communication packets in real
time, pass the result to the pattern matching module and
store it as required.
◆ Pattern matching: using the output of the protocol analysis
module, match intrusion signatures with an optimized
retrieval algorithm and pass the result to the response
behaviour module.
◆ Response behaviour: on request of the pattern matching
module, carry out the specified action, such as alerting,
anti-detection measures and even counterattack.
◆ Track database: store analysis results and related data.
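The four-module flow above, as an added illustration written for this page (it is not Numen NET's own engine): raw IPv4/TCP packets are decoded (protocol analysis), the payload is searched for intrusion signatures (pattern matching), an action is chosen by severity (response behaviour), and each verdict is appended to a list that plays the role of the track database. The packets, the rule set and the `EXAMPLE-BACKDOOR v1` banner are constructed for the example; the phf request is the classic CGI probe. Note that the backdoor rule has no port constraint, so the banner is caught even though it is sent from a non-standard port.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    content: bytes              # byte pattern searched for in the payload
    severity: str               # "high" -> block, anything else -> alert only
    dport: Optional[int] = None  # optional port constraint; None = any port


def build_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Construct a raw IPv4+TCP packet for the sample stream (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def analyse(raw):
    """Protocol analysis: decode the IPv4 header and, for TCP, the TCP header."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    if proto != 6:
        return Packet(src, dst, proto, 0, 0, raw[ihl:])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    return Packet(src, dst, proto, sport, dport, raw[ihl + doff:])


def match(pkt, signatures):
    """Pattern matching: return the first signature whose content occurs in the payload."""
    for sig in signatures:
        if sig.dport is not None and pkt.dport != sig.dport:
            continue
        if sig.content in pkt.payload:
            return sig
    return None


def respond(pkt, sig):
    """Response behaviour: decide the action from the rule's severity."""
    action = "block" if sig.severity == "high" else "alert"
    return {"action": action, "rule": sig.name, "src": pkt.src, "dst": pkt.dst,
            "sport": pkt.sport, "dport": pkt.dport}


def run_monitor(raw_packets, signatures):
    """Drive the modules over a packet stream; the returned list is the track database."""
    track_db = []
    for raw in raw_packets:
        pkt = analyse(raw)
        sig = match(pkt, signatures)
        if sig is not None:
            track_db.append(respond(pkt, sig))
    return track_db


# Constructed rule set: one content rule bound to port 80, one content rule for any port.
SIGNATURES = [
    Signature("WEB-CGI phf command execution", b"/cgi-bin/phf?Qalias=", "medium", dport=80),
    Signature("BACKDOOR example shell banner", b"EXAMPLE-BACKDOOR v1", "high"),
]

# Constructed traffic: a benign request, a phf probe, and a backdoor banner on port 8080.
SAMPLE_PACKETS = [
    build_tcp("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_tcp("10.0.0.5", "10.0.0.80", 40002, 80,
              b"GET /cgi-bin/phf?Qalias=x%0a/bin/id HTTP/1.0\r\n\r\n"),
    build_tcp("10.0.0.80", "10.0.0.5", 8080, 40003, b"EXAMPLE-BACKDOOR v1 ready\r\n"),
]

if __name__ == "__main__":
    for record in run_monitor(SAMPLE_PACKETS, SIGNATURES):
        print(record)
```

The port-bound phf rule only fires on web traffic, while the content-only backdoor rule fires regardless of port; a real engine would add stream reassembly and many more rules, but the module boundaries stay the same.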
3.2 Protection of the host
Numen NET Host provides real-time protection for critical
servers. It integrates a strong memory- and process-based
analysis engine with local network monitoring. By watching
for attacks from the network, illegal intrusions and abnormal
processes, Numen NET Host can detect an attack in real time
and respond by shutting down the service, restarting the
server process, raising an alert and recording the intrusion.
Deploying Numen NET not only secures critical network
segments but also protects the reliability of the server
system. Network security can only be fully guaranteed by an
effective combination of network-based and host-based IDS.
4. Supported OS platforms
Numen NET Watch can be installed on various operating system
platforms, including Linux, OpenBSD, FreeBSD, NetBSD, Solaris,
HP-UX, AIX, IRIX, Tru64, Windows NT, 2000, 9x and XP, and is
optionally delivered as a black-box appliance on a UNIX
operating system.
Some functions of Numen NET Host are developed specifically
for the Win32 platform; a Win32 version and a comparable UNIX
version are available.
Numen NET Center runs only on Windows NT/2000/XP.
III. Attack types detected by Numen NET
◆ Probing (scanning) attacks - The early steps taken by most
attackers are usually to probe for and locate vulnerabilities
by scanning. Common scanners and scan techniques include ISS,
SATAN, Retina, ping sweeps, TCP/UDP scans, half-open (SYN)
scans and port scans. Numen NET Watch can distinguish nearly a
hundred scanning behaviours.
◆ Denial of service (DoS) and distributed denial of service
(DDoS) attacks - Although a very old attack mode, it drew
little attention until last year's large-scale distributed
attacks on well-known websites such as Yahoo. The attack
achieves its purpose by exhausting the resources of the target
system so that legitimate users cannot use it, or by crashing
the system. Trinoo, TFN, TFN2k, IWD FLOOD, SYN flood, Teardrop,
UDP bomb and Nuke are typical denial-of-service and distributed
denial-of-service attacks. The Bestlink security research
group holds almost all of the relevant malicious programs and
attack details; about 170 of them have been added to the
knowledge base, and further classification work is in
progress.
◆ Buffer overflow attacks - These gain superuser privileges
by exploiting (or inducing) specific errors in the system's
application programs so that attacker-chosen code is executed,
e.g. the DNS overflow and the statd overflow. Numen NET Watch
can presently identify 92 kinds of buffer overflow attack.
◆ CGI attacks - These exploit flaws in the way CGI programs
are written, particularly a number of widespread CGI
vulnerabilities. Numen NET can presently detect 102 kinds of
CGI attack.
◆ Web platform attacks - These exploit common web platforms
such as IIS and Apache: the widespread .htr mapping
vulnerability, the ASP source-code disclosure vulnerability
known as the "nightmare of IIS", and the recent .printer
mapping vulnerability. Numen NET can presently detect 164
kinds of web platform attack.
◆ Worms and viruses: Numen NET is not anti-virus software,
but it can respond to the prevalent worms and viruses that
spread over the network. It was the QAZ worm that let hackers
break into Microsoft. Bestlink has the largest private virus
sample library in China, including 149 of the most prevalent
network worms and hundreds of other viruses spread as e-mail
attachments. Building on long experience in anti-virus
analysis and a sample library that is kept in step with ICSA,
we have made the IDS product capture viruses precisely and in
real time from virus signatures at the application layer.
This is the significant difference from other IDS products,
which detect worms and viruses by matching specific filenames.
◆ Trojan horses and backdoor tools: The public release of the
Back Orifice (BO) source code caused an unprecedented flood of
backdoor tools. We have a complete Trojan horse sample library
of thousands of malicious programs from over 200 Trojan horse
families. Current IDS products detect backdoor tools mainly by
their connection ports, but in most current Trojans the port
is configurable. Numen NET instead filters on connection
content, which gives a more precise verdict.
◆ Network sniffing: Unlike the attacks above, sniffing is a
passive activity for stealing private data. Numen NET can
detect sniffers, which are generally considered impossible to
counter; this is an important technical advance for IDS.
◆ Other attacks: Numen NET also detects attacks against
Telnet, SMTP, X Window and FTP.
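The scanning and flooding categories above cannot be recognised from a single packet, because a port scan or a SYN flood is a property of a stream of packets rather than of any one of them. The following detector is an added example written for this page, not Numen NET's own logic: it keeps a sliding window of connection attempts per source (to spot a port scan) and per target (to spot a SYN flood, counting distinct sources so that a distributed flood is reported as such). The thresholds, window length and the packet stream are constructed for the example.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10  # TCP flag bits


class ScanAndFloodDetector:
    """Sliding-window state per source (port scans) and per target (SYN floods)."""

    def __init__(self, window=5.0, scan_ports=10, flood_syns=100):
        self.window = window          # seconds of history kept per key
        self.scan_ports = scan_ports  # distinct ports from one source => port scan
        self.flood_syns = flood_syns  # bare SYNs to one target => SYN flood
        self.targets_by_src = defaultdict(deque)  # src -> (t, (dst, dport))
        self.syns_by_dst = defaultdict(deque)     # dst -> (t, src)
        self.alerts = []

    def _expire(self, dq, now):
        """Drop entries older than the window."""
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def observe(self, t, src, dst, dport, flags):
        """Feed one TCP packet (time, addresses, destination port, flags)."""
        if not (flags & SYN) or (flags & ACK):
            return  # only new connection attempts (bare SYN) matter here
        scan = self.targets_by_src[src]
        scan.append((t, (dst, dport)))
        self._expire(scan, t)
        ports = {p for _, (_, p) in scan}
        if len(ports) >= self.scan_ports:
            self.alerts.append({"time": t, "type": "port scan", "src": src,
                                "detail": f"{len(ports)} distinct ports probed"})
            scan.clear()  # reset so one scan yields one alert
        flood = self.syns_by_dst[dst]
        flood.append((t, src))
        self._expire(flood, t)
        if len(flood) >= self.flood_syns:
            sources = {s for _, s in flood}
            self.alerts.append({"time": t, "type": "SYN flood", "dst": dst,
                                "detail": f"{len(flood)} SYNs from {len(sources)} sources"})
            flood.clear()


def sample_events():
    """Constructed stream: normal traffic, a 10-port scan, then a 150-source SYN flood."""
    events = [(float(i), "10.0.0.5", "10.0.0.80", 80, SYN) for i in range(3)]
    events += [(10.0 + i / 10, "10.0.0.66", "10.0.0.80", p, SYN)
               for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 143, 443])]
    events += [(20.0 + i / 100, f"192.0.2.{i + 1}", "10.0.0.80", 80, SYN)
               for i in range(150)]
    return events


def run_detector(events):
    """Replay events in time order and return the alerts raised."""
    det = ScanAndFloodDetector()
    for ev in sorted(events, key=lambda e: e[0]):
        det.observe(*ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector(sample_events()):
        print(alert)
```

The per-target counter deliberately ignores the source address, which is what makes the spoofed, distributed flood visible; the per-source counter would see each spoofed address only once and stay silent, which is the correct outcome for that rule.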
IV. Combined applications
Besides its basic task of capturing attackers' behaviour, the
system can also be combined with other applications:
1. Sensitive content control: users can extend the monitoring
of sensitive network content through the interface provided by
the system, to prevent staff from visiting pornographic and
reactionary websites, downloading songs and other content
unrelated to work, and transmitting private data by mistake.
2. Network traffic monitoring: the system can be used as a
small network-diagnostic device.
3. Connection monitoring: observe all connections in the
network, or those of a particular node.
V. Technical features
1. Security of the system itself: the system is protected at
both the system and the information level. Encrypted
communication among Numen NET Watch, Numen NET Host and Numen
NET Center has been designed and implemented for the
distributed architecture, including a communication mode for
managing Numen NET Center that is described as more secure
than SSL. Numen NET Watch and Numen NET Center have their own
set of security mechanisms, and we also provide a repeatedly
tested hardened-OS configuration manual to secure the host on
which Numen NET runs.
2. High-speed rule matching and digital capture technology:
monitoring based on statistics and pattern recognition, a
highly optimized lookup algorithm, fast operation and a low
packet-loss rate. A proprietary, user-definable track analysis
engine can rapidly be attached to a completely new system.
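The page does not say which lookup algorithm Numen NET uses. As an added example of what "high-speed rule matching" means in practice, the following is the standard multi-pattern technique (Aho-Corasick, the algorithm used by open-source IDS engines of the period) written for this page: all content signatures are compiled into one trie with failure links, so a payload is scanned once, byte by byte, and every matching signature is reported in that single pass instead of one search per rule. The rule names and the request are constructed for the example.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the data finds all patterns at once."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> state to fall back to on a mismatch
        self.out = [[]]    # state -> indices of patterns that end at this state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(idx)
        # Breadth-first pass: compute failure links and merge outputs so that a
        # state also reports every pattern that is a suffix of its own path.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return (offset, pattern) for every occurrence of every pattern in data."""
        hits = []
        s = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for idx in self.out[s]:
                pat = self.patterns[idx]
                hits.append((i - len(pat) + 1, pat))
        return hits


def match_signatures(payload, signatures):
    """signatures maps rule name -> byte pattern; returns the names of the rules
    that occur in payload, in order of first hit, after one pass over the data."""
    by_pattern = {bytes(p): name for name, p in signatures.items()}
    matcher = AhoCorasick(by_pattern)
    seen = []
    for _, pat in matcher.search(payload):
        name = by_pattern[pat]
        if name not in seen:
            seen.append(name)
    return seen


# Constructed rule set; overlapping patterns show why failure links are needed.
SIGNATURES = {
    "WEB-CGI phf access": b"/cgi-bin/phf",
    "WEB-IIS .printer access": b".printer",
    "WEB-IIS cmd.exe access": b"cmd.exe",
    "WEB-CGI cgi-bin directory": b"/cgi-bin/",
}

if __name__ == "__main__":
    print(match_signatures(b"GET /cgi-bin/phf?Qalias=x HTTP/1.0", SIGNATURES))
```

The cost of the scan is proportional to the payload length plus the number of hits, independent of how many rules are loaded, which is the property that keeps packet loss low as the rule base grows from tens to hundreds of signatures.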