8.10. Intrusion Detection

8.10.1. IDS and IPS

IDS and IPS are common protection devices. The difference between them is that an IPS usually has the ability to block traffic, whereas an IDS only detects and alerts.

8.10.2. Common Intrusion Points

  • Web hacking

  • High-risk service intrusion

8.10.3. Monitoring Implementation

8.10.3.1. Client Monitoring

  • Monitor sensitive configuration files

  • Integrity monitoring of the ELF binaries of common commands
    • ps
    • lsof

  • rootkit monitoring

  • Resource usage alerts
    • memory usage
    • CPU usage
    • IO usage
    • network usage

  • New process monitoring

  • File monitoring based on inotify
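As an added example (not code from the original notes), the following script shows the baseline-and-compare approach behind the "sensitive configuration files" and "ELF integrity" items above: it hashes a watch list of files once, then re-hashes and reports what changed, disappeared or newly appeared. The watch list paths are assumptions to be adjusted per distribution; in production the baseline would be stored off-host or compared against package manager metadata.

```python
"""Baseline-and-compare integrity check for sensitive files and common ELF tools.

Added example, not part of the original notes. The file paths in the watch
list are assumptions; the check works on any list of paths.
"""
import hashlib
import os
from typing import Dict, Iterable, List

# Assumed watch list: tools a rootkit commonly replaces plus key config files.
DEFAULT_WATCHLIST = [
    "/bin/ps",
    "/usr/bin/lsof",
    "/bin/netstat",
    "/etc/passwd",
    "/etc/ssh/sshd_config",
]


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record the digest of every file in the watch list that currently exists."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def compare_baseline(baseline: Dict[str, str], paths: Iterable[str]) -> Dict[str, List[str]]:
    """Re-hash the watch list and report changed, missing and newly appeared files.

    'changed' is the interesting case for ps/lsof (possible binary replacement);
    'missing' and 'new' cover deleted or dropped-in config files.
    """
    current = build_baseline(paths)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    # Stand-alone run: take a baseline now and immediately re-check it.
    # A real agent would persist the baseline and re-check on a schedule.
    base = build_baseline(DEFAULT_WATCHLIST)
    print(compare_baseline(base, DEFAULT_WATCHLIST))
```

A scheduled run of `compare_baseline` against a stored baseline turns each non-empty list into an alert; pairing it with inotify on the same paths gives near-real-time notice instead of waiting for the next scheduled hash pass.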

8.10.3.2. Network Detection

Detection based on network-level attack traffic and signatures, using tools such as Snort.

8.10.3.3. Log Analysis

Host system security and operation logs, network device traffic logs, Web application access logs, SQL/database access logs and other logs are collected into a unified backend, where the different log sources are analysed together.
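As an added example (not code from the original notes), the script below shows why centralising the logs matters: a Web access log and an SSH auth log are parsed separately, then correlated by source IP, so that a host which is both probing the Web tier and failing SSH logins is flagged even though neither log alone would cross a confident threshold. The sample log lines are constructed and mimic the nginx combined format and sshd syslog lines; the thresholds are assumptions to tune per environment.

```python
"""Centralised log analysis: correlate a Web access log and an SSH auth log by source IP.

Added example, not part of the original notes. All log lines are constructed
samples; thresholds are assumed values.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample data standing in for the centralised log store.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Oct 10 13:57:02 web01 sshd[1123]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 10 13:57:05 web01 sshd[1123]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Oct 10 13:57:09 web01 sshd[1123]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 10 13:58:10 web01 sshd[1140]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
"""

# nginx/Apache combined format: client IP first, request in quotes, then the status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# sshd failure line, with or without the "invalid user" prefix.
AUTH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"
)


def count_web_404s(lines: Iterable[str]) -> Dict[str, int]:
    """Count 404 responses per client IP (a crude indicator of path probing)."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "404":
            counts[m.group("ip")] += 1
    return dict(counts)


def count_ssh_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Count failed password attempts per source IP."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def correlate(web_404: Dict[str, int], ssh_fail: Dict[str, int],
              web_threshold: int = 3, ssh_threshold: int = 3) -> List[str]:
    """IPs that exceed both thresholds: activity across two log sources is the signal."""
    suspects = [
        ip for ip in set(web_404) | set(ssh_fail)
        if web_404.get(ip, 0) >= web_threshold and ssh_fail.get(ip, 0) >= ssh_threshold
    ]
    return sorted(suspects)


if __name__ == "__main__":
    web = count_web_404s(ACCESS_LOG.splitlines())
    ssh = count_ssh_failures(AUTH_LOG.splitlines())
    print("web 404s:", web)
    print("ssh failures:", ssh)
    print("correlated suspects:", correlate(web, ssh))
```

The two counting functions are the per-source parsers a collector would run; `correlate` is the cross-source rule that only becomes possible once both logs land in the same backend. Adding further sources (database access logs, firewall traffic logs) means adding another parser and widening the rule, not changing the architecture.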