ISO/IEC 18043:2006
Information technology - Security techniques - Selection, deployment and operations of intrusion detection systems
ISO/IEC 18043:2006 provides guidance for an organization that decides to include an intrusion detection capability within its IT infrastructure. It is a "how to" for managers and users who want to: understand the benefits and limitations of IDS; develop a strategy and implementation plan for IDS; effectively manage the outputs of an IDS; integrate intrusion detection into the organization's security practices; and understand the legal and privacy issues involved in the deployment of IDS. ISO/IEC 18043:2006 provides information that will facilitate collaboration among organizations using IDS. The common framework it provides will help make it easier for organizations to exchange information about intrusions that cut across organizational boundaries. ISO/IEC 18043:2006 provides a brief overview of the intrusion detection process; discusses what an IDS can and cannot do; provides a checklist that helps identify the best IDS features for a specific IT environment; describes various deployment strategies; provides guidance on managing alerts from IDSs; and discusses management and legal considerations.
Technologies de l'information - Techniques de sécurité - Sélection, déploiement et opérations des systèmes de détection d'intrusion
General Information
Relations
Frequently Asked Questions
ISO/IEC 18043:2006 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Selection, deployment and operations of intrusion detection systems".
ISO/IEC 18043:2006 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 18043:2006 has the following relationship with other standards: it was revised by, and is superseded by, ISO/IEC 27039:2015 (Information technology - Security techniques - Selection, deployment and operations of intrusion detection and prevention systems (IDPS)). Understanding this relationship helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 18043:2006 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 18043
First edition
2006-06-15
Information technology - Security techniques - Selection, deployment and operations of intrusion detection systems
Technologies de l'information - Techniques de sécurité - Sélection, déploiement et opérations des systèmes de détection d'intrusion
Reference number
© ISO/IEC 2006
© ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Background
4 General
5 Selection
5.1 Information Security Risk Assessment
5.2 Host or Network IDS
5.3 Considerations
5.4 Tools that complement IDS
5.5 Scalability
5.6 Technical support
5.7 Training
6 Deployment
6.1 Staged Deployment
7 Operations
7.1 IDS Tuning
7.2 IDS Vulnerabilities
7.3 Handling IDS Alerts
7.4 Response Options
7.5 Legal Considerations
Annex A (informative) Intrusion Detection System (IDS): Framework and Issues to be Considered
A.1 Introduction to Intrusion Detection
A.2 Types of intrusions and attacks
A.3 Generic Model of Intrusion Detection Process
A.4 Types of IDS
A.5 Architecture
A.6 Management of an IDS
A.7 Implementation and Deployment Issues
A.8 Intrusion Detection Issues
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18043 was prepared by Joint Technical Committee ISO/IEC JTC 1 Information technology,
Subcommittee SC 27, IT Security techniques.
Legal notice
The National Institute of Standards and Technology (NIST) hereby grants a non-exclusive license to ISO/IEC to use the NIST Special Publication on Intrusion Detection Systems (SP800-31) in the development of the ISO/IEC 18043 International Standard. However, NIST retains the right to use, copy, distribute, or modify SP800-31 as it sees fit.
Introduction
Organizations should not only know when, if, and how an intrusion of their network, system or application
occurs, they also should know what vulnerability was exploited and what safeguards or appropriate risk
treatment options (i.e. risk transfer, risk acceptance, risk avoidance) should be implemented to prevent similar
intrusions in the future. Organizations should also recognize and deflect cyber-based intrusions. This requires
an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually
indicate malicious or suspicious intent. In the mid-1990s, organizations began to use Intrusion Detection
Systems (IDS) to fulfil these needs. The general use of IDS continues to expand with a wider range of IDS
products being made available to satisfy an increasing level of organizational demands for advanced intrusion
detection capability.
In order for an organization to derive the maximum benefit from IDS, the process of IDS selection, deployment and operations should be carefully planned and implemented by properly trained and experienced personnel. Where this is done, IDS products can assist an organization in obtaining intrusion information and can serve as an important security device within the overall information and communications technology (ICT) infrastructure.
This International Standard provides guidelines for effective IDS selection, deployment and operation, as well
as fundamental knowledge about IDS. It is also applicable to those organizations that are considering
outsourcing their intrusion detection capabilities. Information about outsourcing service level agreements can
be found in the IT Service Management (ITSM) processes based on ISO/IEC 20000.
INTERNATIONAL STANDARD ISO/IEC 18043:2006(E)
Information technology - Security techniques - Selection, deployment and operations of intrusion detection systems
1 Scope
This International Standard provides guidelines to assist organizations in preparing to deploy an Intrusion Detection System (IDS). In particular, it addresses the selection, deployment and operations of IDS. It also provides background information from which these guidelines are derived.
This International Standard is intended to be helpful to
a) an organization in satisfying the following requirements of ISO/IEC 27001:
- The organization shall implement procedures and other controls capable of enabling prompt detection of and response to security incidents.
- The organization shall execute monitoring and review procedures and other controls to properly identify attempted and successful security breaches and incidents.
b) an organization in implementing controls that meet the following security objectives of ISO/IEC 17799:
- To detect unauthorized information processing activities.
- Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified.
- An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.
- System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.
An organization should recognize that deploying IDS is not a sole and/or exhaustive solution to satisfy or meet
the above-cited requirements. Furthermore, this International Standard is not intended as criteria for any kind
of conformity assessments, e.g., Information Security Management System (ISMS) certification, IDS services
or products certification.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
attack
attempts to destroy, expose, alter, or disable an Information System and/or information within it or otherwise
breach the security policy
2.2
attack signature
sequence of computer activities or alterations that are used to execute an attack and which are also used by
an IDS to discover that an attack has occurred and often is determined by the examination of network traffic or
host logs
NOTE This may also be referred to as an attack pattern.
2.3
attestation
use of public-key cryptography that lets IDS software programs and devices prove their identity to remote parties
NOTE See 2.21, remote attestation.
2.4
bridge
network equipment that transparently connects a local area network (LAN) at OSI layer 2 to another LAN that
uses the same protocol
2.5
cryptographic hash value
mathematical value that is computed over a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously changed
2.6
DoS (Denial-of-Service) attack
prevention of authorized access to a system resource or the delaying of system operations and functions
[ISO/IEC 18028-1]
2.7
Demilitarized Zone
DMZ
logical and physical network space between the perimeter router and the exterior firewall
NOTE 1 The DMZ may be between networks and under close observation but does not have to be so.
NOTE 2 They are generally unsecured areas containing bastion hosts that provide public services.
2.8
exploit
defined way to breach the security of an Information System through vulnerability
2.9
firewall
type of security gateway or barrier placed between network environments, consisting of a dedicated device or a composite of several components and techniques, through which all traffic from one network environment to another, and vice versa, traverses and only authorized traffic is allowed to pass
[ISO/IEC 18028-1]
2.10
false positive
IDS alert when there is no attack
2.11
false negative
no IDS alert when there is an attack
2.12
host
addressable system or computer in TCP/IP based networks like the Internet
2.13
intruder
individual who is conducting, or has conducted, an intrusion or attack against a victim's host, site, network, or organization
2.14
intrusion
unauthorized access to a network or a network-connected system, i.e. deliberate or accidental unauthorized
access to an information system, to include malicious activity against an information system, or unauthorized
use of resources within an information system
2.15
intrusion detection
formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns and about which vulnerability has been exploited, how it was exploited, and when the intrusion occurred
2.16
intrusion detection system
IDS
information system used to identify that an intrusion has been attempted, is occurring, or has occurred and
possibly respond to intrusions in Information Systems and networks
2.17
intrusion prevention system
IPS
variant of an intrusion detection system that is specifically designed to provide an active response capability
2.18
honeypot
generic term for a decoy system used to deceive, distract, divert and to encourage the attacker to spend time
on information that appears to be very valuable, but actually is fabricated and would not be of interest to a
legitimate user
2.19
penetration
unauthorized act of bypassing the security mechanisms of an Information System
2.20
provisioning
process of remotely searching for new software updates from a vendor's website and downloading
authenticated updates
2.21
remote attestation
process of using digital certificates to establish the identity as well as the hardware and software configuration of an IDS and to securely transmit this information to a trusted operations center
2.22
response (incident response or intrusion response)
actions taken to protect and restore the normal operational conditions of an Information System and the
information stored in them when an attack or intrusion occurs
2.23
router
network device that is used to establish and control the flow of data between different networks, which themselves can be based on different network protocols, by selecting paths or routes based upon routing protocol mechanisms and algorithms
NOTE The routing information is kept in a routing table.
[ISO/IEC 18028-1]
2.24
server
computer system or program that provides services to other computers
2.25
Service Level Agreement
contract that defines the technical support or business performance objectives, including measures of performance and consequences for failure, that the provider of a service commits to provide its clients
2.26
sensor
component/agent of IDS, which collects event data from an Information System or network under observation
NOTE Also referred to as a monitor.
2.27
subnet
portion of a network that shares a common address component
2.28
switch
device which provides connectivity between networked devices by means of internal switching mechanisms
NOTE Switches are distinct from other local area network interconnection devices (e.g. a hub) as the technology used in switches sets up connections on a point-to-point basis. This ensures that network traffic is only seen by the addressed network devices and enables several connections to exist simultaneously.
[ISO/IEC 18028-1]
2.29
Test Access Points
TAP
typically passive device that adds no overhead to the packets it copies; it also increases security because it makes the data collection interface invisible to the network, whereas a switch still maintains layer 2 information about the monitoring port. A TAP also provides multiple output ports, so network issues can be debugged without losing the IDS capability.
2.30
trojan horse
malicious program that masquerades as a benign application
3 Background
The purpose of an Intrusion Detection System (IDS) is to passively monitor, detect and log inappropriate, incorrect, suspicious or anomalous activity that may represent an intrusion, and to provide an alert when such activity is detected. It is the responsibility of the appointed IT security personnel to actively review IDS logs and to decide on the follow-up actions to be taken for any inappropriate access attempts.
When an organization needs to promptly detect intrusions into its information system and respond appropriately to them, it should consider deploying IDS. An organization can deploy IDS by acquiring IDS software and/or hardware products or by outsourcing IDS capabilities to an IDS service provider.
There are many commercially available or open-source IDS products and services that are based on different technologies and approaches. In addition, IDS is not "plug and play" technology. Thus, when an organization is preparing to deploy IDS, it should, as a minimum, be familiar with the guidelines and information provided by this standard.
Fundamental knowledge about IDS is mainly presented in Annex A. This Annex explains the different
characteristics of two basic types of IDS: Host-based IDS (HIDS) and Network-based IDS (NIDS), as well as
two basic approaches for detection analysis i.e. Misuse-based approach and Anomaly-based approach.
An HIDS derives the information it analyses from a single host, while a NIDS derives it from traffic on a segment of a network. The misuse-based approach models attacks on information systems as specific attack signatures and then systematically scans the system for occurrences of these attack signatures. This involves a specific encoding of previous behaviours and actions that were deemed intrusive or malicious. The anomaly-based approach attempts to detect intrusions by noting significant departures from normal behaviour. It functions on the assumption that attacks differ from normal/legitimate activity and can therefore be detected by systems that identify these differences.
An organization should understand that the source of information and the different analysis approaches may
result in both advantages and disadvantages or limitations, which can impact the ability or inability to detect
specific attacks and influence the degree of difficulty associated with installing and maintaining the IDS.
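The two analysis approaches described above, as an added example that is not part of ISO/IEC 18043: a misuse (signature) detector and an anomaly detector run over a few constructed HTTP access-log lines. The simplified log format, the three signatures, the "normal" baseline traffic and the error-rate feature with its mean-plus-three-sigma threshold are all assumptions made for illustration. The point it shows is the trade-off the clause mentions: the signature detector names the two classic web attacks but is blind to the directory enumeration that has no signature, while the anomaly detector flags that scanning source without being able to say what attack it is.

```python
"""Misuse (signature) detection beside anomaly detection over constructed
HTTP access-log lines. Added example; not code from ISO/IEC 18043."""
import re
import statistics
from collections import Counter

# Constructed "normal" traffic used to build the anomaly baseline (assumption:
# per-source share of 4xx/5xx responses is a useful behavioural feature).
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.5 GET /old.html 404
10.0.0.6 GET /index.html 200
10.0.0.6 GET /products 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.7 GET /favicon.ico 404
10.0.0.8 GET /news 200
"""

# Constructed traffic to analyse: ordinary users plus one external source that
# probes for well-known files and tries two classic web attacks.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.9 GET /index.html 200
203.0.113.4 GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd 404
203.0.113.4 GET /../../etc/passwd 400
203.0.113.4 GET /admin 404
203.0.113.4 GET /wp-login.php 404
203.0.113.4 GET /phpmyadmin 404
203.0.113.4 GET /backup.zip 404
"""

# Simplified log format "<source-ip> <method> <path> <status>" (assumption).
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(log_text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


# Misuse-based approach: each signature encodes a previously observed attack
# pattern (see 2.2). These three are illustrative, not a real rule set.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE),
    "unix-passwd-access": re.compile(r"/etc/passwd", re.IGNORECASE),
    "command-injection": re.compile(r"[?&]\w+=[^&]*(;|%3b)", re.IGNORECASE),
}


def misuse_detect(events):
    """Return (source, signature-name, path) for every signature hit."""
    alerts = []
    for ev in events:
        for name, rx in SIGNATURES.items():
            if rx.search(ev["path"]):
                alerts.append((ev["src"], name, ev["path"]))
    return alerts


# Anomaly-based approach: profile normal behaviour, then flag sources whose
# behaviour departs significantly from that profile.
def error_fraction_by_source(events):
    """Map source -> (fraction of responses with status >= 400, request count)."""
    totals, errors = Counter(), Counter()
    for ev in events:
        totals[ev["src"]] += 1
        if ev["status"] >= 400:
            errors[ev["src"]] += 1
    return {src: (errors[src] / totals[src], totals[src]) for src in totals}


def build_threshold(baseline_events, k=3.0, stdev_floor=0.05):
    """Threshold = mean + k * stdev of per-source error fractions in normal
    traffic; the floor stops a tiny baseline from producing a zero-width band."""
    fractions = [f for f, _ in error_fraction_by_source(baseline_events).values()]
    return statistics.fmean(fractions) + k * max(statistics.pstdev(fractions), stdev_floor)


def anomaly_detect(events, threshold, min_requests=3):
    """Flag sources above the threshold; min_requests avoids alerting on a
    single stray 404 (a cheap false-positive control, see 2.10)."""
    alerts = []
    for src, (fraction, count) in error_fraction_by_source(events).items():
        if count >= min_requests and fraction > threshold:
            alerts.append((src, "error-rate-anomaly", round(fraction, 2)))
    return alerts


if __name__ == "__main__":
    events, threshold = parse(SAMPLE_LOG), build_threshold(parse(BASELINE_LOG))
    print("misuse alerts:", misuse_detect(events))
    print("anomaly alerts (threshold %.2f):" % threshold, anomaly_detect(events, threshold))
```

Run as a script, it lists four signature hits, all from 203.0.113.4, and one error-rate anomaly for the same source; the four probes for /admin, /wp-login.php, /phpmyadmin and /backup.zip produce no signature alert at all, which is the false-negative side of pure misuse detection that the clause warns about.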
4 General
IDS functions and limitation, presented in Annex A, indicate that an organization should combine host-based
(including application monitoring) and network-based approaches to achieve reasonably complete coverage of
potential intrusions. Each type of IDS has its strengths and limitations; together they can provide better
security event coverage and alert analysis.
Combining the IDS technologies depends on the availability of a correlation engine on the alert management
system. Manual association of HIDS and NIDS alerts may result in IDS operator overload without any
additional benefit and the result may be worse than choosing the most appropriate output from one type of
IDS.
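An added example, not from the standard or any product, of the correlation step the paragraph above says an alert management system needs before combining HIDS and NIDS output is worthwhile: NIDS alerts keyed by destination IP are joined to HIDS alerts on the same host that fire within a short window afterwards, so the operator sees one prioritized incident instead of several raw alerts. The alert fields, the asset table that maps IP addresses to host names, the timestamps and the five-minute window are all constructed assumptions.

```python
"""Correlating NIDS and HIDS alerts into prioritized incidents. Added example;
not code from ISO/IEC 18043 or from any particular IDS product."""
from datetime import datetime, timedelta

# Constructed asset table: NIDS alerts identify targets by IP and HIDS alerts
# by host name, so the correlation engine needs a mapping between the two.
ASSETS = {"10.0.0.21": "web01", "10.0.0.22": "web02", "10.0.0.30": "db01"}

# Constructed alerts with ISO 8601 timestamps; not real data.
NIDS_ALERTS = [
    {"ts": "2024-05-01T10:00:05", "dst": "10.0.0.21", "sig": "SQL injection attempt"},
    {"ts": "2024-05-01T10:00:40", "dst": "10.0.0.22", "sig": "SQL injection attempt"},
    {"ts": "2024-05-01T10:20:00", "dst": "10.0.0.30", "sig": "TCP port scan"},
]
HIDS_ALERTS = [
    {"ts": "2024-05-01T10:01:10", "host": "web01", "event": "www-data opened outbound connection"},
    {"ts": "2024-05-01T10:01:30", "host": "web01", "event": "www-data read /etc/passwd"},
    {"ts": "2024-05-01T10:05:00", "host": "db01", "event": "failed sudo by backup"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def correlate(nids_alerts, hids_alerts, assets, window_seconds=300):
    """Pair each NIDS alert with HIDS alerts on the targeted host that fire
    within window_seconds after it. Network evidence of an attack plus host
    evidence of its effect is escalated; anything else is left for review.
    Returns (incidents, unmatched_hids_alerts)."""
    window = timedelta(seconds=window_seconds)
    consumed = set()
    incidents = []
    for n in sorted(nids_alerts, key=_ts):
        host = assets.get(n["dst"])
        start = _ts(n)
        matched = []
        for i, h in enumerate(hids_alerts):
            if host is not None and h["host"] == host and start <= _ts(h) <= start + window:
                matched.append(h)
                consumed.add(i)
        incidents.append({
            # Unknown destinations still produce an incident, keyed by IP.
            "host": host if host is not None else n["dst"],
            "nids_sig": n["sig"],
            "hids_events": [h["event"] for h in sorted(matched, key=_ts)],
            "priority": "high" if matched else "review",
        })
    # HIDS alerts with no network-side context are reported, not dropped.
    unmatched = [h for i, h in enumerate(hids_alerts) if i not in consumed]
    return incidents, unmatched


if __name__ == "__main__":
    incidents, leftover = correlate(NIDS_ALERTS, HIDS_ALERTS, ASSETS)
    for inc in incidents:
        print(inc["priority"], inc["host"], inc["nids_sig"], inc["hids_events"])
    print("HIDS alerts with no network context:", [h["event"] for h in leftover])
```

With the constructed data, web01 is the only host where the network alert is followed by host-side symptoms and so the only high-priority incident; web02 saw the same network signature with no host effect, and the db01 sudo failure precedes the port scan rather than following it, so neither is escalated. The window direction and length are policy choices an operator must tune, which is the manual-association overload point the clause makes.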
The process of selecting, deploying and operating IDS within an organization is shown in Figure 1 along with
the clause that addresses the key steps in this process.
Figure 1 - Selection, deployment and operations of IDS
5 Selection
There are many IDS products and families of products available. They range from extremely capable freeware
offerings that can be deployed on a low-cost host to very expensive commercial systems requiring the latest
hardware available. As there are so many different IDS products to choose from, the process of selecting IDS
that represents the best fit for an organization's needs is difficult. Furthermore, there may be limited
compatibility between various IDS products offered in the market place. Additionally, because of mergers and
the potentially wide geographical distribution of an organization, organizations may be forced to use different
IDS and the integration of these diverse IDS can be very challenging.
Vendor brochures may not describe how well an IDS can detect intrusions and how difficult it is to deploy,
operate and maintain in an operational network with significant amounts of traffic. Vendors may indicate which
attacks can be detected, but without access to an organizationβs network traffic, it is very difficult to describe
how well the IDS can perform and avoid false positives and negatives. Consequently, relying on vendor
provided information about IDS capabilities is neither sufficient nor recommended.
ISO/IEC 15408 (all parts) may be used in the evaluation of an IDS. In such a case, a document called a "Security Target" may contain a more accurate and reliable description of IDS performance than vendor brochures. An organization should use this document in its selection process.
The following clauses provide the major factors that should be used by an organization in the IDS selection
process.
5.1 Information Security Risk Assessment
Prior to the selection of an IDS, an organization should perform an information security risk assessment aimed at identifying the attacks and intrusions (threats) to which the organization's specific information systems might be vulnerable, taking into account factors such as the nature of the information used by the system and how it needs to be protected, the types of communication systems used, and other operational and environmental factors. By considering these potential threats in the context of their specific information security objectives, the organization can identify controls that provide cost-effective mitigation of the risks. The identified controls then provide the basis for the requirements on the functions provided by the IDS.
NOTE Information security risk management will be the subject of a future International Standard (ISO/IEC 13335-2).
Once the IDS is installed and operational, an ongoing process of risk management should be implemented to periodically review the effectiveness of the controls in light of changes to the system's operations and the threat environment.
5.2 Host or Network IDS
IDS deployment should be based on an organizational Risk Assessment and asset protection priorities. When
selecting IDS, the most effective method to monitor events should be investigated. Both host-based IDS
(HIDS) and Network-based (NIDS) can be deployed in tandem. Where such an IDS monitoring method is
selected, an organization should implement it in stages starting with a NIDS, as they are usually the simplest
to install and maintain, then HIDS should be deployed on critical servers.
Each option has its own advantages and disadvantages. For example, in the case where an IDS is deployed
outside an external firewall, an IDS can generate a large number of alerts that do not require careful analysis
because a large amount of the alerting events can indicate scans that are already being effectively prevented
by the external firewall.
5.2.1 Host Based IDS (HIDS)
The choice of a HIDS demands the identification of target hosts. The expensive nature of full-scale
deployment on every host in an organization normally results in the deployment of HIDS on critical hosts only.
Therefore the deployment of HIDS should be prioritized according to risk analysis results and cost-benefit
considerations. An organization should deploy an IDS capable of centralized management and reporting
functions when HIDS is deployed on all or a significant number of hosts.
5.2.2 Network Based IDS (NIDS)
The main factor to consider when deploying a NIDS is where to locate the system sensors. Options include:
• Inside external firewalls;
• Outside external firewalls;
• On major network backbones;
• On critical subnets.
5.3 Considerations
5.3.1 System Environment
Based on a security risk assessment, an organization should first determine, in order of priority, what assets
should be protected and then tailor the IDS to that environment. At a minimum, the following system
environment information needs to be collected to accomplish this objective:
• Network diagrams and maps specifying the number and locations of hosts, entry points to networks and connections to external networks;
• Description of the enterprise network management system;
• Operating systems for each host;
• Number and types of network devices such as routers, bridges, and switches;
• Number and types of servers and dialup connections;
• Descriptors of any network servers, including types, configurations, application software and versions running on each;
• Connections to external networks, including nominal bandwidth and supported protocols;
• Documented return paths that are not the same as the incoming connection path, i.e. asymmetric data flow.
5.3.2 Security
After the technical attributes of the systemβs environment have been documented, the security protection
mechanisms presently installed should be identified. At a minimum, the following information is needed:
• Demilitarized Zone (DMZ);
• Numbers, types, and locations of firewalls and filtering routers;
• Identification of authentication servers;
• Data and link encryption;
• Anti-malware/anti-virus packages;
• Access control products;
• Specialized security hardware such as cryptographic hardware;
• Virtual private networks;
• Any other installed security mechanisms.
5.3.3 IDS Security Policy
After the system and general security environments have been identified, the security policy for the IDS
should be defined. At a minimum, the policy needs to answer the following key questions:
• What information assets are to be monitored?
• What type of IDS is needed?
• Where can the IDS be placed?
• What types of attacks should be detected?
• What type of information should be logged?
• What type of response or alert can be provided when an attack is detected?
The IDS security policy represents the goals the organization has for the IDS investment. This is the initial
step in attempting to gain the maximum value from the IDS asset.
In order to specify IDS security policy goals and objectives, an organization should first identify the organization's risks from internal and external sources. An organization should be aware that some IDS vendors use the term "IDS security policy" for the set of rules the IDS uses to generate alerts.
A review of the existing organization security policy should provide a template against which the requirements
of the IDS can be determined and stated in terms of standard security goals of confidentiality, integrity,
availability, and non-repudiation as well as more generic management goals such as privacy, protection from
liability, manageability.
An organization should determine how it would react when an IDS detects that a security policy has been
violated. Specifically, in the case that an organization wishes to respond actively to certain kinds of violations,
the IDS should be configured to do so and the operational staff should be informed of the organization's
response policy so that they can deal with alarms in an appropriate manner. For example, a law enforcement
investigation may be required to assist in the effective resolution of a security incident. Relevant information,
including IDS logs, may be required to be handed over to the law enforcement body for evidentiary purposes.
Additional information concerning security incident management can be found in ISO/IEC TR 18044.
5.3.4 Performance
Performance is another factor to consider when selecting IDS. At a minimum, the following questions should
be answered:
• What bandwidth needs to be processed by the IDS?
• What level of false alarms can be tolerated when operating at that bandwidth?
• Can the cost of a high speed IDS be justified or can a moderate or slow IDS suffice?
• What are the consequences of missing a potential intrusion because of IDS performance limitations?
Sustainable performance can be defined as the ability to consistently detect attacks within a given bandwidth
utilization. In most environments, there is little tolerance for an IDS missing or dropping packets in traffic that
could be part of an attack. At some point, as the bandwidth and/or network traffic increases, many IDS will no
longer be able to effectively and consistently detect intrusions.
A combination of load balancing and tuning can increase efficiency and performance. For example:
• Knowledge of the organization's network and its vulnerabilities is required: every network is different, and an organization should determine what network assets need protection and what attack signature tuning is likely to be associated with those assets. This is generally accomplished through a risk assessment process.
• The performance of most IDS can be much better where they are configured to handle a limited amount of network traffic and services. For example, an organization that does a lot of e-commerce may need to monitor all Hypertext Transfer Protocol (HTTP) traffic and tune one or more IDS to look only for attack signatures associated with web traffic.
• Proper load balancing configuration can allow a signature-based IDS to work much faster and more thoroughly, because it then needs to process only an optimized, smaller attack signature database rather than a database of all possible attack signatures.
Load balancing is used to split the available bandwidth across an IDS deployment. However, bandwidth splitting is likely
to introduce problems such as additional cost, management overhead, traffic de-synchronization, alert
duplication, and false negatives. Furthermore, current IDS technology is reaching gigabit speeds, and as a
result the benefit of load balancing relative to its cost may be minimal.
© ISO/IEC 2006 - All rights reserved 9
5.3.5 Verification of Capabilities
Reliance on vendor provided information about the capabilities of IDS is generally not sufficient. An
organization should request additional information and perhaps a demonstration of the suitability of a
particular IDS to the organization's environment and security goals. Most IDS vendors have experience in
adapting their products as target networks grow and some are committed to support new protocol standards,
platform types, and changes in the threat environment. At a minimum, an organization should ask the IDS
vendor the following questions:
• What assumptions were made regarding the applicability of the IDS to specific environments?
• What are the details of the tests that were performed to verify the assertions about the IDS
capabilities?
• What assumptions were made regarding IDS operators?
• What IDS interfaces are provided (e.g. physical interfaces, communication protocols, and reporting
formats for interfacing with correlation engines are all important types of interface)?
• What are the alert export mechanisms or formats, and are they properly documented (e.g. the format of
syslog messages or the MIB for SNMP messages)?
• Can the IDS interface be configured with shortcut keys, customizable alarm features, and custom
attack signatures on the fly?
• Where the IDS can be configured on the fly, are the features that provide this capability
documented and supported?
• Can the product adapt to growth and change of the organization's systems infrastructure?
• Can the IDS product adapt to an expanding and increasingly diverse network?
• Does the IDS provide fail-safe and fail-over capabilities, and how do these capabilities integrate with
the same capabilities at the network link layer?
• Does the IDS use a dedicated network for the alarms, or are they transmitted on the same network that
it monitors?
• What is the vendor's reputation and the product's performance record?
5.3.6 Cost
The acquisition of an IDS is not its total cost of ownership. Additional costs include: acquisition of a system to
run the IDS software, specialized assistance in installing and configuring the IDS, personnel training, and
maintenance costs. The personnel needed to manage the system and to analyze the results are the largest cost. A useful
technique for measuring the IDS cost is return on investment (ROI) or cost versus benefit analysis. In this
case, ROI is computed based on the savings realized by the organization when managing intrusions. The cost
of IDS acquisition and operation needs to be balanced against the cost of the personnel required to help
resolve the alerts and the overhead caused by false alerts and inappropriate responses, such as reinstalling an
Information System because of the inability to determine what has been compromised.
Operational IDS benefits include:
• Identification of defective or mis-configured equipment;
• Verification of configurations on the fly;
• Providing early system usage statistics.
In order to make financial decisions about IDS, questions about the total cost of IDS ownership should be
answered. To do this, the expense of deploying IDS across an organization should be analyzed. As a
minimum, the IDS cost analysis needs to be based on answers to the following questions:
• What is the budget for the initial capital expenditure to purchase the IDS?
• What is the required time period for IDS operations, e.g. 24/7 or less?
• What infrastructure is needed to process, analyze and report the IDS outputs, and what will it cost?
• Does the organization have the human and other resources required to configure the IDS to the
organization's security policy, to operate, maintain, update and monitor the outputs of the IDS, and to
respond to alerts? If not, how can these functions be accomplished?
• Are funds available for IDS training?
• What is the scale of deployment and, if HIDS are used, how many hosts will be protected?
The costs to an individual organization may be lessened by sharing overhead costs through outsourcing the
IDS monitoring and maintenance functions to a remotely managed intrusion detection services provider.
The most expensive part of an IDS deployment is the response. Figuring out what the response should be,
building the response teams, developing and deploying a response policy, and training and rehearsing are
significant costs that should be included in the cost analysis.
5.3.7 Updates
The majority of IDS are attack signature based and the value of the IDS is only as good as the attack
signature database against which events are analyzed. New vulnerabilities and attacks are being discovered
frequently. Consequently, the IDS attack signature database should be updated frequently. Therefore, at a
minimum an organization should consider the following factors:
• Timeliness of updates;
• Effectiveness of internal distribution;
• Implementation;
• System impact.
5.3.7.1 Timeliness of updates for signature-based IDS
Maintaining current attack signatures is essential to the detection of known attacks. At a minimum, the
following questions should be addressed in order to ensure that attack signatures are updated in a timely
manner:
• How fast does the IDS vendor issue attack signature updates when an exploit or a specific
vulnerability is discovered?
• Is the notification process reliable?
• Are the authenticity and integrity of the attack signature updates guaranteed?
• Are there sufficient skills available in case the attack signatures need to be customized within the
organization?
• Is it possible to write or receive customized attack signatures in order to respond immediately
to a high-risk vulnerability or ongoing attack?
5.3.7.2 Effectiveness of internal distribution and implementation
Is the organization capable of quickly distributing and implementing site-specific updates within an appropriate
timeframe to all relevant systems? In many cases, attack signature updates should be modified to include
site-specific IP addresses, ports, etc. More specifically, at a minimum the following questions should be
answered:
• Where manual distribution processes are in place, do administrators or users implement the
attack signatures within an acceptable timeframe?
• Can the effectiveness of automatic distribution and installation processes be measured?
• Is there a mechanism to effectively track changes to the attack signature updates?
5.3.7.3 System Impact
In order to minimize the impact of attack signature updates on system performance, at a minimum the
following questions should be answered:
• Does an attack signature update impact the performance of important services or applications?
• Is it possible to be selective concerning the attack signature updates? This may be necessary to avoid
conflicts or performance impacts on services or applications.
5.3.8 Alert Strategies
The IDS configuration and operation should be based on an organization's monitoring policy. At a minimum,
an organization should ensure that IDS can support specific methods of alerting used by an organization's
existing infrastructure. Alert features that may be supported include e-mail, paging, Short Message System
(SMS), Simple Network Management Protocol (SNMP) event, and even automated blocking of attack sources.
Where IDS data is used for forensic purposes, including prosecutions and evidence for internal
discipline, IDS data should at a minimum be handled and managed in compliance with the legal and
regulatory requirements of the local jurisdictions in which it is likely to be applied or submitted.
5.3.9 Identity Management
Identity management is a critical foundation for realizing IDS remote attestation and provisioning without
human intervention. Each of these capabilities requires the creation and use of trusted third parties as the
authority, which, despite some differences, is similar to the authority often assumed as part of a public key
infrastructure. These capabilities are also important for seamless, secure, controlled IDS data and IDS identity
exchange across enterprise network trust boundaries.
5.3.9.1 Remote Attestation
IDS may contain millions of lines of code. Intentional insertion of malicious software in this large code base is
difficult to discover and can allow an attacker to control the IDS output. Consequently, strict authenticated
access-control over the IDS hardware and software is extremely important and should be based in part on the
identity of the entity making the access request. Remote attestation can provide this access control capability
without humans in the loop.
Remote attestation generates, in hardware, a cryptographic certificate or hash value attesting to the identity of
a device or of the software running on the device, with no user involvement. In the simplest form, identity is
represented by a cryptographic hash, which allows different software programs or devices to be distinguished
from one another, or changes in software to be discovered. This certificate may, at the IDS user's request, be
provided to any remote party, and in principle has the effect of proving to that party that the IDS is using the
expected and unaltered software. If the software on the IDS has been altered, the certificate generated will
reflect that the IDS code base has changed.
In the case of IDS, the aim of remote attestation is to detect unauthorized changes to IDS software. For
example, if an attacker has replaced or modified one of the IDS applications, or a part of the IDS operating system,
with a maliciously altered version, the hash value will not be recognized by the remote service or other
software. As a result, the corruption of IDS software by a virus or Trojan can be detected by a remote party
(e.g. a Network Operations Center), which can then act on this information. Because the attestation is "remote",
others with whom the IDS interacts should also be able to tell that a particular IDS has been compromised.
Thus, they can avoid sending information to it until it has been fixed.
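The mechanism described above, as an added illustration that is not part of the standard's text or of any IDS product: the IDS hashes each of its software components, binds the measurements to a nonce issued by the NOC, and the NOC compares them with reference values it holds, so an altered component (or a replayed or forged report) is rejected. The hardware that would generate the certificate is stood in for by an HMAC under a constructed per-device key, and the component contents are constructed sample bytes (both assumptions).

```python
import hashlib
import hmac
import json
import os

# Constructed sample: the IDS software components as shipped (name -> contents).
GOOD_COMPONENTS = {
    "ids-engine": b"detect(packet) { match_signatures(packet); }",
    "signature-db": b"sig:1 web-pattern-A\nsig:2 scan-pattern-B\n",
    "ids-kernel-module": b"capture(iface) { raw_socket(iface); }",
}
# Constructed per-device key; stands in for a key held in attestation hardware.
DEVICE_KEY = b"constructed-device-key-0001"


def measure(components):
    """Per-component SHA-256 digests: the identity hashes of 5.3.9.1."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(components.items())}


def attest(components, nonce, device_key=DEVICE_KEY):
    """IDS side: build an attestation report bound to the NOC's nonce.

    The nonce stops a compromised IDS from replaying an old, good report."""
    body = {"nonce": nonce.hex(), "measurements": measure(components)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def noc_verify(report, expected_nonce, reference, device_key=DEVICE_KEY):
    """NOC side: check authenticity and freshness, then compare every
    measurement with the known-good reference values.

    Returns (trusted, changed): trusted is False when the report is forged,
    replayed, or any component no longer matches; changed names the
    components that differ (or a marker for a rejected report)."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_tag = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return False, ["<report not authentic>"]
    if report["body"]["nonce"] != expected_nonce.hex():
        return False, ["<stale or replayed report>"]
    measured = report["body"]["measurements"]
    # Components added, removed or modified all show up as a mismatch.
    changed = sorted(name for name in set(reference) | set(measured)
                     if reference.get(name) != measured.get(name))
    return (not changed), changed


def attestation_round(components, reference, device_key=DEVICE_KEY):
    """One NOC-initiated round: nonce challenge, IDS report, NOC decision.

    A False result is the signal for peers to stop sending data to this IDS
    until it has been repaired."""
    nonce = os.urandom(16)
    report = attest(components, nonce, device_key)
    return noc_verify(report, nonce, reference, device_key)


if __name__ == "__main__":
    reference = measure(GOOD_COMPONENTS)        # golden values held at the NOC
    print(attestation_round(GOOD_COMPONENTS, reference))    # (True, [])
    altered = dict(GOOD_COMPONENTS)
    altered["ids-engine"] = b"detect(packet) { /* altered */ }"
    print(attestation_round(altered, reference))            # (False, ['ids-engine'])
```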
For the above reasons, an IDS should remotely attest and report its status, configuration, and other important
information to the Network Operations Center (NOC). This attestation capability, or IDS authentication, is critical to the
ability to assess the health of the IDS and to perform numerous IDS configuration and update operations. More
specifically, attestation is the ability to remotely test the integrity of the IDS. When aggregated, these IDS
attestation reports provide situational awareness about the defensive posture of the network and are a critical
part of
...
INTERNATIONAL STANDARD ISO/IEC
First edition
2006-06-15
Information technology - Security techniques - Selection, deployment
and operations of intrusion detection systems
Responsibility for the preparation of the Russian version lies with GOST R
(Russian Federation) in accordance with Article 18.1 of the ISO Statutes
Reference number
© ISO/IEC 2006
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be
printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed
on the computer performing the editing. In downloading this file, parties accept therein the responsibility of
not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the
file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the
file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found,
please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in
any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission
in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword iv
Introduction v
1 Scope 1
2 Terms and definitions 1
3 Background 5
4 General 6
5 Selection 7
5.1 Information security risk assessment 8
5.2 Host and network based IDS 8
5.3 Considerations 9
5.4 Tools that complement IDS 15
5.5 Scalability 19
5.6 Technical support 20
5.7 Training 20
6 Deployment 20
6.1 Staged deployment 21
7 Operations 25
7.1 IDS tuning 25
7.2 IDS vulnerabilities 25
7.3 Handling IDS alerts 25
7.4 Response options 28
7.5 Legal considerations 29
Annex A (informative) Intrusion Detection System (IDS): Framework and issues to be considered 31
A.1 Introduction to intrusion detection 31
A.2 Types of intrusions and attacks 32
A.3 Generic model of the intrusion detection process 33
A.4 Types of IDS 40
A.5 Architecture 44
A.6 Management of IDS 46
A.7 Implementation and deployment issues 48
A.8 Intrusion detection issues 51
Bibliography 54
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC1.
Draft International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18043 was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology,
Subcommittee SC 27, IT Security techniques.
Official notice
The National Institute of Standards and Technology (NIST) hereby grants ISO/IEC a non-exclusive licence to
use the NIST Special Publication on Intrusion Detection Systems (SP800-31) in the development of the
International Standard ISO/IEC 18043. However, NIST retains the right to use, copy, distribute or modify
SP800-31 as it sees fit.
Introduction
Organizations should not only know when, where and how an intrusion into their network, system or
application occurred; they should also know which vulnerability was exploited and which safeguards or
appropriate risk treatment options (i.e. risk transfer, risk acceptance, risk avoidance) should be implemented
to prevent a similar intrusion in the future. Organizations should also recognize and deflect cyber intrusions.
This requires analysis of host and network traffic and/or audit trails for attack signatures or specific
patterns that usually indicate malicious or suspicious intent.
In the mid-1990s organizations began to use Intrusion Detection Systems (IDS) to meet these needs. The
general use of IDS continues to expand, with a wider range of IDS products becoming available to satisfy the
growing level of demand from organizations for advanced intrusion detection capability.
In order for an organization to derive maximum benefit from IDS, the process of IDS selection, deployment
and operations should be carefully planned and implemented by properly trained and experienced
personnel. When this process is carried out successfully, IDS products can help an organization obtain
information about intrusions and can be used as an important safeguard within the overall information and
communications technology (ICT) infrastructure.
This International Standard provides guidelines for effective IDS selection, deployment and operations, as
well as fundamental knowledge about IDS. It is also applicable to organizations that are considering
outsourcing their intrusion detection capability. Information on outsourcing service level agreements can be
found in the Information Technology Service Management (ITSM) processes based on ISO/IEC 20000.
INTERNATIONAL STANDARD ISO/IEC 18043:2006(R)
Information technology. Security techniques. Selection, deployment and operations of intrusion detection
systems
1 Scope
This International Standard provides guidelines to assist organizations in using Intrusion Detection Systems
(IDS). In particular, it addresses the selection, deployment and operations of IDS. It also provides background
information from which these guidelines have been derived.
This International Standard may be of use to:
a) an organization in satisfying the following requirements of ISO/IEC 27001:
- The organization shall implement procedures and other controls capable of enabling prompt detection
of and response to security incidents.
- The organization shall execute monitoring and review procedures and other controls to properly identify
attempted and successful security breaches and incidents.
b) an organization in implementing controls that meet the following security objectives of ISO/IEC 17799:
- To detect unauthorized information processing activities.
- Systems should be monitored and information security events should be recorded. Operator logs and
fault logging should be used to identify information system problems.
- An organization should comply with all relevant legal requirements applicable to its monitoring and
logging activities.
- System monitoring should be used to check the effectiveness of controls adopted and to verify conformity
to an access policy model.
An organization should recognize that the use of IDS is not a sole and/or exhaustive solution for satisfying
and meeting the above-named requirements. Furthermore, this International Standard is not intended as a
criterion for conformity assessments of any kind, e.g. for certification of an Information Security Management
System (ISMS) or certification of IDS products and services.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
attack
attempts to destroy, expose, alter or disable an Information System and/or the information within it, or
other breaches of the security policy
2.2
attack signature
sequence of computer activities or alterations that were used in an attack and that are also used by an IDS to
detect the attack, often determined by examining network traffic or host logs
NOTE It may also be regarded as an attack pattern.
2.3
attestation
variant of public key encryption that allows IDS software and devices to authenticate their identity to remote
participating parties
NOTE See 2.21, remote attestation.
2.4
bridge
network equipment that transparently connects a local area network (LAN) at OSI layer 2 to another local
area network that uses the same protocol
2.5
cryptographic hash value
mathematical value that is assigned to a file and used for subsequent "testing" of that file in order to verify
whether the data contained in the file has been deliberately altered
2.6
denial-of-service (DoS) attack
prevention of authorized access to system resources or the delaying of system operations or functions
[ISO/IEC 18028-1]
2.7
demilitarized zone (DMZ)
logical and physical network space between the perimeter router and the external firewall
NOTE 1 A DMZ may lie between networks and be closely monitored without being one of them.
NOTE 2 These are usually unprotected areas containing protected hosts that provide public services.
2.8
exploit
defined way of breaching the security of an Information System through a vulnerability
2.9
firewall
type of security gateway or barrier placed between network environments, consisting of a dedicated device or
a composite of several components and techniques, through which all traffic from one network environment
to another passes, and which allows only authorized traffic to pass
[ISO/IEC 18028-1]
2.10
false positive
IDS alert when there is no attack
2.11
false negative
absence of an IDS alert when an attack is occurring
2.12
host
addressable system or computer in TCP/IP based networks such as the Internet
2.13
intruder
entity that conducts or has conducted an intrusion or attack on a host, network, site or organization
2.14
intrusion
unauthorized access to a network or to a system connected to a network, i.e. deliberate or accidental
unauthorized access to an information system, including malicious activity against the system or the
unauthorized use of resources within the information system
2.15
intrusion detection
formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage
patterns as well as what, how and which vulnerability was exploited, including how and when it occurred
2.16
intrusion detection system
IDS
information system used to determine whether an intrusion has been attempted, is occurring or has occurred,
and to respond to it within Information Systems and networks
2.17
intrusion prevention system
IPS
variant of intrusion detection systems specifically designed to provide an active response capability
2.18
honeypot
generic term for a decoy system used to deceive, distract, divert and encourage an attacker to spend time on information that appears valuable but is in fact fabricated and of no interest to a legitimate user
2.19
penetration
unauthorized act of bypassing the security mechanisms of an information system
2.20
provisioning
process of remotely checking a vendor's website for new software updates and downloading those updates in an orderly manner
2.21
remote attestation
process of using digital certificates to establish the identity, and the hardware and software configuration, of an IDS and of securely transmitting that information to a trusted operations centre
2.22
response (incident response or intrusion response)
actions taken to protect and restore the normal operating conditions of an information system and of the information stored in it when an attack or intrusion occurs
2.23
router
network device used to establish and control the flow of data between different networks, which may themselves be based on different network protocols, by selecting paths or routes on the basis of routing protocol mechanisms or algorithms
NOTE Routing information is held in a routing table.
[ISO/IEC 18028-1]
2.24
server
computer system or program that provides services to other computers
2.25
Service Level Agreement
contract that defines the technical support or the required business performance characteristics, including operation and the consequences in case of failure, that a provider can deliver to its customers
2.26
sensor
IDS component/agent that collects event data from the information system or network under observation
NOTE Also referred to as a monitor.
2.27
subnet
part of a network that shares a common address component
2.28
switch
device that provides connectivity between networked devices by means of internal switching mechanisms
NOTE Switches differ from other local-area network interconnection devices (e.g. hubs) in that the technology used in switches establishes connections on a point-to-point basis. This ensures that network traffic is seen only by the addressed network devices and allows several connections to be switched simultaneously.
[ISO/IEC 18028-1]
2.29
Test Access Points
TAP
usually passive devices that add no overhead to packets; they also improve security because they make the capture interface invisible on the network, whereas a switch may still hold layer 2 information about the port. TAPs also provide multi-port capability, so that network problems can be debugged without loss of IDS capability
2.30
trojan horse
malicious program that masquerades as a benign application
3 Background
The purpose of an Intrusion Detection System (IDS) is to passively monitor, detect and log inappropriate, incorrect, suspicious or anomalous activity that may constitute an intrusion, and to raise an alert when such activity is detected. Information system security staff are responsible for actively reviewing the IDS logs and deciding what follow-up action to take on any attempt at inappropriate access.
When an organization needs to detect intrusions into its information systems quickly and to respond to them quickly, it should consider deploying an IDS. An organization can deploy an IDS by purchasing software and/or hardware products, or by obtaining an IDS capability from an IDS service provider.
There are many commercially available or open-source IDS products and services, based on a variety of technologies and approaches. Moreover, an IDS is not a "plug and play" technology. Therefore, when an organization prepares to use an IDS, it should at a minimum be familiar with the guidance and information given in this standard.
Background information on IDS is given mainly in Annex A. That annex explains the different characteristics of the two main types of IDS, host-based IDS (HIDS) and network-based IDS (NIDS), and of the two main analysis approaches used in detection, the misuse-based approach and the anomaly-based approach.
For a HIDS the source of information for detection is a single host, whereas a NIDS extracts it from the traffic on a network segment. In the misuse-based approach, attacks on information systems are modelled as characteristic attack signatures, and the system is systematically scanned for the appearance of those attack signatures. This involves explicitly encoding past behaviour and actions that were judged to be intrusive or malicious. The anomaly-based approach attempts to detect intrusions by flagging significant deviations from normal behaviour. It works on the assumption that attacks differ from normal/legitimate activity and can therefore be detected by systems that identify those differences.
An organization should understand that the information source and the different analysis approaches each have advantages as well as disadvantages or limitations, which may affect the ability or inability to detect attacks and the degree of difficulty involved in installing and maintaining the IDS.
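The two analysis approaches described above, as an added illustration that is not part of ISO/IEC 18043: a signature matcher (misuse-based) and a simple volume-based profile detector (anomaly-based) are run over the same constructed web-server access log. The two signatures, the baseline request counts and the log lines are all made up for this example; a real IDS uses far richer signatures and profiles. The code makes the point of the paragraph: the signature approach catches only what was encoded in advance (the directory-traversal and SQL-injection requests), while the anomaly approach flags the client whose behaviour departs from the baseline (a scanner pulling 60 pages) but says nothing about the single malicious requests.

```python
"""Misuse-based (signature) versus anomaly-based detection on one sample log.

Added example, not part of ISO/IEC 18043. The two signatures, the baseline
request counts and the access-log lines are constructed for illustration.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed web-server access log: (client address, request line).
SAMPLE_LOG = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "GET /about.html HTTP/1.1"),
    ("10.0.0.7", "GET /products?id=42 HTTP/1.1"),
    ("10.0.0.9", "GET /cgi-bin/../../etc/passwd HTTP/1.1"),   # known attack pattern
    ("10.0.0.7", "GET /products?id=42%20OR%201=1 HTTP/1.1"),  # known attack pattern
    ("10.0.0.11", "GET /login HTTP/1.1"),
] + [
    # A scanner pulling 60 distinct pages: matches no signature, but is far
    # outside the normal per-client request volume.
    ("10.0.0.13", f"GET /page{i}.html HTTP/1.1") for i in range(60)
]

# Misuse-based approach: attacks are encoded in advance as characteristic
# patterns and the traffic is scanned for them.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(%20|\+|\s)or(%20|\+|\s)1=1"),
}


def misuse_detect(log):
    """Return (client, signature name) for every request matching a signature."""
    hits = []
    for client, request in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((client, name))
    return hits


# Anomaly-based approach: a profile of normal behaviour, here simply the number
# of requests per client observed during a (constructed) quiet period.
BASELINE_REQUESTS_PER_CLIENT = [3, 4, 2, 5, 3, 4, 6, 2, 3, 4]


def anomaly_detect(log, baseline=BASELINE_REQUESTS_PER_CLIENT, k=3.0):
    """Return (client, request count) for clients more than k standard
    deviations above the baseline mean."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter(client for client, _ in log)
    return [(client, n) for client, n in counts.items() if n > threshold]


def compare(log):
    """Which clients each approach flags that the other does not."""
    by_signature = {client for client, _ in misuse_detect(log)}
    by_anomaly = {client for client, _ in anomaly_detect(log)}
    return {
        "signature_only": sorted(by_signature - by_anomaly),
        "anomaly_only": sorted(by_anomaly - by_signature),
        "both": sorted(by_signature & by_anomaly),
    }


if __name__ == "__main__":
    print("misuse-based :", misuse_detect(SAMPLE_LOG))
    print("anomaly-based:", anomaly_detect(SAMPLE_LOG))
    print("comparison   :", compare(SAMPLE_LOG))
```

Running the module shows that neither approach subsumes the other on this log: the two single malicious requests are invisible to the profile, and the scanner is invisible to the signatures. Swapping the baseline for a noisier one (or lowering `k`) also shows the usual cost of the anomaly approach, legitimate clients crossing the threshold.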
4 General
The IDS functions and limitations presented in Annex A indicate that an organization should combine host-based (including application monitoring) and network-based approaches to achieve sufficiently complete coverage of possible intrusions. Each type of IDS has its own strengths and limitations; together they can provide better coverage of security events and better analysis of alerts.
Combining IDS technologies depends on the availability of a correlation mechanism in the alert management system. Routinely merging HIDS and NIDS alerts can overload the IDS operator without any additional benefit, and the result may be worse than selecting the most relevant output of a single type of IDS.
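An added illustration of the correlation point above (example code, not from the standard): a handful of constructed NIDS and HIDS alert records are first merged naively, then grouped into incidents by target host within a time window and ranked so that incidents confirmed by both sensor types come first. The alert record layout, the alerts themselves, the five-minute window and the ranking rule are assumptions made for this example.

```python
"""Correlating HIDS and NIDS alerts into incidents instead of merging them.

Added example, not part of ISO/IEC 18043. The Alert record layout, the
constructed alerts below, the five-minute correlation window and the ranking
rule are all assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    source: str        # "nids" or "hids"
    time: datetime
    host: str          # target host: destination IP for NIDS, monitored host for HIDS
    message: str


@dataclass
class Incident:
    host: str
    first: datetime
    last: datetime
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        """Sensor types that contributed to this incident."""
        return sorted({a.source for a in self.alerts})


T0 = datetime(2006, 1, 1, 10, 0, 0)

# Constructed NIDS alerts: a port scan against one host produces one alert per
# probe, plus a single exploit attempt against another host.
NIDS_ALERTS = [
    Alert("nids", T0 + timedelta(seconds=5 * i), "192.0.2.20", "TCP port scan")
    for i in range(20)
] + [Alert("nids", T0 + timedelta(minutes=2), "192.0.2.10", "HTTP exploit attempt")]

# Constructed HIDS alerts: the exploited host reports a new setuid binary a
# minute later; a third host reports two unrelated failed logins 19 minutes apart.
HIDS_ALERTS = [
    Alert("hids", T0 + timedelta(minutes=3), "192.0.2.10", "new setuid binary /tmp/.x"),
    Alert("hids", T0 + timedelta(minutes=1), "192.0.2.30", "failed login for root"),
    Alert("hids", T0 + timedelta(minutes=20), "192.0.2.30", "failed login for root"),
]


def naive_merge(nids, hids):
    """Routine merging: every alert from both sensors in time order, no reduction."""
    return sorted(nids + hids, key=lambda a: a.time)


def correlate(alerts, window=timedelta(minutes=5)):
    """Group alerts on the same host that arrive within `window` of the previous
    alert for that host into a single incident."""
    incidents = []
    open_by_host = {}
    for a in sorted(alerts, key=lambda a: a.time):
        inc = open_by_host.get(a.host)
        if inc is None or a.time - inc.last > window:
            inc = Incident(host=a.host, first=a.time, last=a.time)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
        inc.last = a.time
    return incidents


def prioritize(incidents):
    """Rank incidents: seen by both sensor types first (the network saw the attack
    and the host saw its effect), then by alert count, then by time."""
    return sorted(incidents, key=lambda i: (-len(i.sources), -len(i.alerts), i.first))


if __name__ == "__main__":
    merged = naive_merge(NIDS_ALERTS, HIDS_ALERTS)
    print(f"naive merge: {len(merged)} alerts for the operator to read")
    for inc in prioritize(correlate(NIDS_ALERTS + HIDS_ALERTS)):
        print(f"{inc.host:12} {'+'.join(inc.sources):10} {len(inc.alerts):3} alerts "
              f"{inc.first.time()} .. {inc.last.time()}")
```

The naive merge hands the operator 24 lines in which the one event that matters (an exploit attempt seen on the wire followed by a new setuid binary on the same host) is buried among twenty port-scan alerts; the correlated view is four incidents with that one at the top. The grouping key and window are deliberately crude; production correlation would also use source address, signature class and asset criticality from the risk assessment.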
The process of selecting, deploying and operating an IDS within an organization is shown in Figure 1, together with the clause in which each main step of the process is described.
Figure 1 - Selection, deployment and operation of an IDS
5 Selection
There are many IDS products and product families available. They range from freeware offerings that can run on inexpensive hosts to very expensive commercial systems that require the latest hardware. Because there are so many different IDS products to choose from, selecting the IDS that best fits an organization's needs is quite difficult. Moreover, there may be limited compatibility between the different IDS products on the market. In addition, as a result of mergers and a possibly wide geographical spread, organizations may be forced to use different IDSs and may need to integrate them.
A vendor's brochure may not describe how well the IDS detects intrusions, or how difficult it is to deploy, operate and maintain in a production network carrying a significant volume of traffic. Vendors may state which attacks can be detected, but without access to the organization's network traffic it is very hard to describe how well an IDS performs and how well it avoids false positives and false negatives. Consequently, relying on vendor-supplied information about IDS capabilities is insufficient and not recommended.
ISO/IEC 15408 (all parts) can be used to evaluate an IDS. In that case the document called the "Security Target" may contain a more precise and reliable description of the IDS characteristics than the vendor's brochures. An organization should use this document in the selection process.
The following subclauses describe the main factors to be considered in the IDS selection process.
5.1 Information security risk assessment
Before selecting an IDS, an organization should carry out an information security risk assessment to identify the attacks and intrusions (threats) to which its particular information systems may be vulnerable, taking into account factors such as the nature of the information handled by the system and how it needs to be protected, the types of communication systems used, and other operational and environmental factors. By considering these potential threats in the context of its specific information security objectives, the organization can identify the controls that provide cost-effective risk reduction. The identified controls would then form the basis of the requirements on the functions to be provided by the IDS.
NOTE Information security risk management will be the subject of a future International Standard (ISO/IEC 13335-2).
After the IDS has been installed, effective ongoing risk management should be established so that the effectiveness of the controls is periodically reassessed as system operations and the actual threats change.
5.2 Host-based and network-based IDS
IDS deployment should be based on the organization's risk assessment and on its priorities for protecting resources. When selecting an IDS, the most effective method of monitoring events should be examined. Host-based IDS (HIDS) and network-based IDS (NIDS) can be deployed in tandem. If this IDS monitoring method is chosen, the organization should implement it in stages, starting with NIDS, since they are usually easier to install and maintain, and then deploying HIDS on critical servers.
Each option has its advantages and disadvantages. For example, when an IDS is deployed outside the external firewall, it may generate a large number of alerts that do not warrant detailed analysis, because scanning can produce a large number of alert events that are effectively blocked by the external firewall.
5.2.1 Host-based IDS
Selecting a HIDS requires identifying the target hosts. Since full-scale deployment of HIDS on every host is quite expensive, an organization usually uses HIDS only on critical hosts. HIDS deployment should therefore be prioritized according to the results of risk analysis and cost-benefit considerations. If HIDS is used on all or a significant number of hosts, the organization should deploy an IDS capable of centralized management with logging functions.
5.2.2 Network-based IDS
When NIDS is used, the main question is where to place the system's sensors. The options are:
• inside the external firewall;
• outside the external firewall;
• on the main network backbone;
• in critical subnets.
5.3 Discussion
5.3.1 System environment
On the basis of its security risk assessment, the organization should first determine, in order of priority, which resources need to be protected, and then tailor the IDS to that environment. At a minimum, the following information about the system environment should be collected for this purpose:
• network diagrams and maps identifying the number and location of hosts, network entry points and connections to external networks;
• a description of the enterprise network management system;
• the operating system of each host;
• the number and types of network devices such as routers, bridges and switches;
• the number and types of servers and dial-up connections;
• descriptions of any network servers, including type, configuration, application software and version level of each;
• connections to external networks, including nominal bandwidth and supported protocols;
• return paths for data that differ from the inbound connection path, i.e. asymmetric data flows.
5.3.2 Security protection
Once the technical characteristics of the system environment have been documented, the security mechanisms currently in place should be identified. At a minimum, the following information is needed:
• demilitarized zones (DMZ);
• the number, types and placement of firewalls and filtering routers;
• identification of authentication servers;
• encryption of data and communications;
• anti-malware/anti-virus packages;
• access control tools;
• specialized security hardware such as encryption devices;
• virtual private networks;
• any other security mechanisms in place.
5.3.3 IDS security policy
Once the system and the general security conditions have been identified, a security policy for the IDS should be defined. Defining the policy requires, at a minimum, answering the following basic questions:
• Which information resources should be monitored?
• What type of IDS is needed?
• Where should the IDS be located?
• What types of attack should be detected?
• What type of information should be logged?
• What type of response or alert can be provided when an attack is detected?
The IDS security policy represents the objectives the organization sets for its investment in an IDS. It is the first step towards obtaining the maximum benefit from an IDS deployment.
To define the required metrics and objectives of the IDS security policy, the organization should first identify its risks from internal and external sources. The organization should be aware that some IDS vendors define an "IDS security policy" as the set of rules that the IDS uses to generate alerts.
An analysis of the existing security policy should provide a template against which IDS requirements can be defined and established in terms of the standard security objectives of confidentiality, integrity, availability and non-repudiation, as well as more general management objectives such as privacy, protection from external interference and manageability.
The organization should decide how it will respond when the IDS detects that the security policy has been violated. In particular, where the organization wants to respond actively to certain categories of violation, the IDS should be configured to do so, and operations staff should be informed of the organization's response policy so that they can handle alerts appropriately. For example, a legal investigation may be required to help resolve a security incident effectively. Relevant information, including IDS logs, may have to be handed over to a law-enforcement agency for evidentiary purposes. Further information on security incident management can be found in ISO/IEC TR 18044.
5.3.4 Performance
Performance is another factor to consider when selecting an IDS. At a minimum, the following questions need to be answered:
• What processing throughput does the IDS require?
• What false-alarm rate can be tolerated when operating at that throughput?
• Can a high-speed IDS be justified, or can a moderate- or low-speed IDS be justified instead?
• What are the consequences of missing a potential intrusion because of throughput limitations?
Sustained performance can be defined as the ability to detect attacks consistently at a given throughput. In most environments there is little tolerance for packets that the IDS misses or drops from the traffic, since they may be part of an attack. At some point, as bandwidth and/or traffic volume increases, many IDSs can no longer detect intrusions effectively.
A combination of load balancing and tuning can improve effectiveness and performance. For example:
• Knowledge of the organization's network and its vulnerabilities is required: no two networks are alike; the organization should determine which network resources require protection and which tuning of attack signatures suits those resources. This is generally done through the risk assessment process.
• The performance of most IDSs can be improved when they are configured to handle a limited set of traffic and network services. For example, an organization that makes heavy use of electronic commerce may need to monitor all Hypertext Transfer Protocol (HTTP) traffic and tune one or more IDSs to look for the attack signatures associated with web traffic.
• Proper configuration with load balancing can allow a signature-based IDS to work much faster and more thoroughly, because the signature-based IDS then only has to process an optimized, small database of attack signatures rather than a database of all possible signatures.
Load balancing is used to divide the available bandwidth among IDSs. However, increasing throughput can bring difficulties, for example additional costs, management overhead, traffic desynchronization, duplicated alerts and false positives. Moreover, since current IDS technology operates at gigabit speeds, the benefit relative to the cost may be minimal.
5.3.5 Verification of capabilities
Trust in vendor-supplied information about IDS capabilities is generally not sufficient. The organization should request additional information and, possibly, a demonstration of the suitability of the particular IDS for the organization's environment and security objectives. Most vendors have experience in adapting their IDS products as target networks grow, and some commit to supporting new protocol standards, platform types and changes in the threat environment. At a minimum, the organization should put the following questions to the IDS vendor:
• What assumptions have been made about the applicability of the IDS to specific environments?
• What are the details of the tests performed to verify the claims made about the IDS capabilities?
• What assumptions have been made about the IDS operators?
• What IDS interfaces are provided (e.g. are physical interfaces, communication protocols and message formats for interaction with attached devices supported for all important types of interface)?
• What are the mechanisms for exporting alerts or messages, and are they properly documented (e.g. message formats, syslog messages, or a MIB for SNMP messages)?
• Can the IDS interface be configured with hot keys, customizable alerting functions and user-defined attack signatures while in operation?
• Where the IDS can be configured while in operation, how are the functions that provide this capability documented and supported?
• Can the product adapt to growth and change in the organization's system infrastructure?
• Can the IDS product adapt to an expanding and increasingly heterogeneous network?
• Does the IDS provide fail-safe and fail-over capabilities, and how are these integrated with the corresponding capabilities at the network link layer?
• Does the IDS use a dedicated network for alerts, or are alerts sent over the same network that is being monitored?
• What are the vendor's reputation and the product's record of effectiveness?
5.3.6 Cost
The purchase price of an IDS is not its true cost. Additional costs include: the system on which the IDS software runs, specialist help with installing and configuring the IDS, staff training, and maintenance. The staff who manage the IDS and analyse its output are very expensive. A useful way to measure the cost of an IDS is a return on investment (ROI) or cost/benefit analysis, in which the ROI is computed from the savings the organization realizes in handling intrusions. The purchase price of the IDS and its operating requirements must be balanced against the cost of the staff needed to help resolve alerts, and against the unproductive costs caused by false alerts and by inappropriate responses, such as rebuilding an information system because it was impossible to determine what had been compromised.
Operational benefits of an IDS include:
• identifying faulty or misconfigured equipment;
• verifying configurations during operation;
• providing timely statistics on system usage.
To make financial decisions about an IDS, the organization must answer questions about its total cost. This requires analysing the cost of deploying the IDS across the whole organization. At a minimum, an IDS cost analysis should answer the following questions:
• What is the budget for the initial capital expenditure on purchasing the IDS?
• What hours of operation are required for the IDS, e.g. 24/7 or less?
• What infrastructure is required to process, analyse and log the IDS output, and what does it cost?
• Does the organization have the human and other resources needed to configure the IDS in accordance with organizational policy, and to operate, maintain and update it, monitor its output and respond to alerts? If not, how will these functions be performed?
• Are funds available for professional training on the IDS?
• What is the scale of the deployment and, if a HIDS is used, how many hosts will be protected?
An individual organization's costs can be reduced by sharing overheads, i.e. by outsourcing the IDS monitoring and maintenance functions to a service provider offering remotely managed intrusion detection.
The most expensive part of an IDS deployment is the response. Once a response capability has been decided on, further significant costs that must be taken into account include setting up an incident response team, developing and implementing a response policy, and training and exercising staff.
5.3.7 Updates
Most IDSs are based on attack signatures, and the value of such an IDS depends on the attack-signature database against which events are analysed. New vulnerabilities and attacks are discovered frequently, so the attack-signature database must be updated frequently. At a minimum, therefore, the organization should consider the following factors:
• timeliness of updates;
• effectiveness of internal distribution;
• implementation;
• impact on the system.
5.3.7.1 Timeliness of updates for signature-based IDS
Keeping attack signatures current is essential for detecting known attacks. To ensure timely attack-signature updates, at least the following questions should be considered:
• How quickly does the IDS vendor release signature updates when specific vulnerabilities are exploited or discovered?
• Is the notification process reliable?
• Are the authenticity and integrity of attack-signature updates guaranteed (e.g. are updates digitally signed, and is the signature verified before installation)?
• Is sufficient expertise available where attack signatures are tuned within the organization?
• Can custom attack signatures be written or obtained so as to respond immediately to critical vulnerabilities or to an attack in progress?
5.3.7.2 Effectiveness of internal distribution and implementation
Is the organization able to distribute and implement locally adapted updates quickly, within the allotted time, on all the systems that need them? In many cases an attack-signature update has to be modified to include specific IP addresses, ports and similar site-specific values. More specifically, at least the following questions should be answered:
• Where manual distribution processes are carried out on site, does the administrator or user implement the attack signature within an acceptable interval?
• Can the effectiveness of automated distribution and installation processes be measured?
• Is there a mechanism for effectively tracking the changes made by attack-signature updates?
5.3.7.3 Impact on the system
To minimize the impact of attack-signature updates on system performance, at least the following questions should be answered:
• Does an attack-signature update affect the operation of critical functions or applications?
• Can attack-signature updates be applied selectively? This may be necessary to avoid conflicts with, or effects on, the operation of functions or applications.
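The questions in 5.3.7.1 to 5.3.7.3 about update authenticity and integrity, tracking the changes an update makes, adapting it to local addresses, and applying it selectively can all be exercised in a small update-handling routine. The block below is an added example and is not text or code from ISO/IEC 18043 or from any IDS product: the rule lines are constructed samples in Snort-style syntax, the HMAC tag with a hypothetical shared key stands in for the detached public-key signature a real vendor feed would carry, and the 192.0.2.0/24 value substituted for $HOME_NET is invented.

```python
"""Added example: verifying, tracking, selectively applying and localizing an IDS
signature update. Rule text is constructed in Snort-style syntax; the HMAC tag with
a hypothetical shared key stands in for a vendor's detached public-key signature."""
import hashlib
import hmac
import re

# Constructed sample: the rule set currently deployed on a sensor.
CURRENT_RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"WEB path traversal attempt"; content:"../"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH version probe"; content:"SSH-1.99"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS oversized query"; dsize:>512; sid:1000003; rev:2;)
"""

# Constructed sample: the vendor's update bundle as received (sid 1000002 retired,
# 1000001 revised, 1000004 new).
UPDATE_RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"WEB path traversal attempt"; content:"../"; nocase; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"DNS oversized query"; dsize:>512; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"SMB null session setup"; content:"|00 00 00 00|"; sid:1000004; rev:1;)
"""

# Hypothetical key agreed with the vendor out of band (an assumption for this example).
UPDATE_KEY = b"example-vendor-update-key"

RULE_RE = re.compile(r"sid:(\d+);\s*rev:(\d+);")


def sign_update(bundle: bytes, key: bytes = UPDATE_KEY) -> str:
    """Tag shipped alongside the bundle (HMAC-SHA256 over the exact bytes)."""
    return hmac.new(key, bundle, hashlib.sha256).hexdigest()


def verify_update(bundle: bytes, tag: str, key: bytes = UPDATE_KEY) -> bool:
    """Authenticity/integrity check, done before anything is parsed or installed.
    compare_digest avoids timing leaks; any altered byte or wrong key fails."""
    return hmac.compare_digest(sign_update(bundle, key), tag)


def parse_rules(text: str) -> dict:
    """Index rules by sid -> (rev, rule line); blank lines and comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m is None:
            raise ValueError(f"rule without sid/rev: {line}")
        rules[int(m.group(1))] = (int(m.group(2)), line)
    return rules


def diff_rules(current: dict, update: dict) -> dict:
    """Change summary (added / removed / modified sids) for review and change tracking."""
    added = sorted(set(update) - set(current))
    removed = sorted(set(current) - set(update))
    modified = sorted(sid for sid in set(current) & set(update)
                      if update[sid] != current[sid])
    return {"added": added, "removed": removed, "modified": modified}


def apply_update(current: dict, update: dict, pinned=frozenset()) -> dict:
    """Selective merge: vendor rules replace local ones, except pinned sids, which keep
    the locally tuned version (e.g. a rule that conflicts with a critical application)."""
    merged = dict(update)
    for sid in pinned:
        if sid in current:
            merged[sid] = current[sid]
    return merged


def localize(rules: dict, variables: dict) -> dict:
    """Substitute site-specific values (addresses, ports) into the merged rules."""
    out = {}
    for sid, (rev, line) in rules.items():
        for name, value in variables.items():
            line = line.replace(name, value)
        out[sid] = (rev, line)
    return out


def install_update(current_text: str, bundle: bytes, tag: str,
                   variables: dict, pinned=frozenset()) -> tuple:
    """Whole path: verify -> parse -> diff -> selective merge -> localize.
    Returns (merged rules, change summary); an unverified bundle is rejected."""
    if not verify_update(bundle, tag):
        raise ValueError("update rejected: authenticity/integrity check failed")
    current = parse_rules(current_text)
    update = parse_rules(bundle.decode())
    summary = diff_rules(current, update)
    merged = localize(apply_update(current, update, pinned), variables)
    return merged, summary


if __name__ == "__main__":
    tag = sign_update(UPDATE_RULES.encode())
    merged, summary = install_update(CURRENT_RULES, UPDATE_RULES.encode(), tag,
                                     {"$HOME_NET": "192.0.2.0/24"}, pinned={1000001})
    print(summary)
    for sid in sorted(merged):
        print(sid, merged[sid][1])
```

The order of steps is the point: verification happens on the raw bytes before the parser sees them, the diff is computed on the vendor's unmodified rules so that the change record reflects what the vendor shipped, pinning implements the "can updates be applied selectively" question from 5.3.7.3, and localization runs last so site values never leak into the change record.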
5.3.8 Alert strategies
The configuration and operation of the IDS should be based on the organization's monitoring policy. At a minimum, the organization should ensure that the IDS can support the specific alerting methods used in its existing infrastructure. Alerting functions that may be supported include e-mail, paging, Short Message Service (SMS), Simple Network Management Protocol (SNMP) events, and even automatic blocking of attack sources (the last should be used with care, since a spoofed source address can turn it into a denial of service against legitimate hosts).
Where IDS data are used for legal purposes, including litigation and evidence for internal disciplinary action, the IDS data should, at a minimum, be handled and organized in accordance with the admissibility and legal requirements of the local jurisdiction in which they are used and presented
...