GB/T 20275-2021: Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion detection system (excerpt)

GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20275-2013

Information Security Technology - Technical Requirements and Testing and Evaluation Approaches for Network-based Intrusion Detection System

Issued on: October 11, 2021
Implemented on: May 1, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China

Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Network-based Intrusion Detection System
6 Security Technology Requirements
7 Testing and Evaluation Approaches
Bibliography

1 Scope
This document specifies the security technology requirements and the testing and evaluation approaches for network-based intrusion detection systems. It applies to the design, development, testing and evaluation of network-based intrusion detection systems.

2 Normative References
The contents of the following documents constitute indispensable clauses of this document through normative reference in the text. For dated references, only the dated version applies to this document; for undated references, the latest version (including all amendments) applies.
GB/T 25069 Information Security Techniques - Terminology

3 Terms and Definitions
The terms and definitions given in GB/T 25069 and the following apply to this document.
3.1 security incident
An incident that causes harm to networks and information systems, or to the data they contain.
3.2 alert
A message sent by the network-based intrusion detection system to the authorized administrator when an attack or intrusion occurs.
3.3 supporting system
The operating system that supports the operation of the network-based intrusion detection system.

4 Abbreviations
The following abbreviations apply to this document.
FTP: File Transfer Protocol
HTML: Hyper Text Markup Language
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
POP3: Post Office Protocol 3
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
TELNET: Telecommunication Network
UDP: User Datagram Protocol

5 Network-based Intrusion Detection System
A network-based intrusion detection system is a product that takes data packets on the network as its data source, monitors and analyzes all data packets of the protected network nodes, and finds abnormal behaviors.

6 Security Technology Requirements
6.1 Classification and Level Division of Requirements
6.1.1 Classification of requirements
This document classifies the security technology requirements of the network-based intrusion detection system into four categories: security function requirements, self-security protection requirements, environmental adaptability requirements and security guarantee requirements.
Specifically:
The security function requirements specify the security functions the network-based intrusion detection system shall be equipped with, mainly data detection function requirements, intrusion analysis function requirements, intrusion response function requirements, management control function requirements, detection result processing requirements, product flexibility requirements and performance requirements.
The self-security protection requirements specify identity authentication, administrator management, security audit, data security, communication security, upgrade security and operation security of the system.
The environmental adaptability requirements cover support for a pure IPv6 network environment, self-management capability in an IPv6 network environment, dual protocol stack operation, etc.
The security guarantee requirements specify the life-cycle process of the system, including development, guidance documents, life-cycle support, testing and vulnerability assessment.
6.1.2 Security level
This document divides the security level of the network-based intrusion detection system into a basic level and an enhanced level, which shall comply with the requirements of Table 1, Table 2,

6.2 Basic-level Security Requirements
6.2.1 Security function requirements
6.2.1.1 Data detection function requirements
6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall be able to obtain the data packets in the protected network segment in real time.
6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.
6.2.1.1.3 Attack behavior monitoring
The system shall at least monitor the following attack behaviors:
port scanning, brute force attack, malicious code attack, denial of service attack, buffer overflow attack and vulnerability attack, etc.
6.2.1.1.4 Traffic monitoring
The system shall monitor the message traffic and byte traffic of the entire network or of a specific protocol, address or port.
6.2.1.2 Intrusion analysis function requirements
6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and find security incidents.
6.2.1.2.2 Incident merging
The system shall be able to combine alarms for the same security incident when it occurs at high frequency, so as to avoid alarm storms. The high-frequency threshold shall be set by the authorized administrator.
6.2.1.3 Intrusion response function requirements
6.2.1.3.1 Customized response
The system shall allow the administrator to customize different response modes for specific destination hosts in the detected network segment.
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take corresponding action to issue a security alert.
6.2.1.3.3 Alert mode
One or more alert modes, such as real-time screen prompts and e-mail alerts, shall be adopted.
6.2.1.4 Management control function requirements
6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphic interface for administering and configuring the intrusion detection system. The administrative configuration interface shall contain all functions needed to configure and administer the system.
6.2.1.4.2 Security incident library
The system's security incident library shall include the definition and analysis of each incident, a detailed vulnerability repair scheme and the countermeasures that can be taken.
6.2.1.4.3 Incident level division
The system shall classify incidents by severity, so that authorized administrators can pick out hazardous incidents from a large amount of information.
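As an added illustration of the traffic monitoring requirement in 6.2.1.1.4 (and of the flood condition the 7.3.1.1.4 test expects the display to show), the following Python sketch is editor-supplied, not part of the standard or any product: it keeps packet and byte counters per protocol, address and port over constructed packet records and raises a traffic incident when the packet rate towards one port exceeds an assumed threshold.

```python
"""Traffic monitor per GB/T 20275-2021 clause 6.2.1.1.4 (added example).
Keeps message (packet) and byte counters for the whole network and per
protocol, destination address and destination port, and raises a traffic
incident when the packet rate towards one port inside a sliding window
exceeds an operator-set threshold. All packets below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal decoded packet record (constructed for this example)."""
    ts: float     # capture time in seconds
    proto: str    # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int    # destination port, 0 for ICMP
    size: int     # bytes on the wire


class TrafficMonitor:
    def __init__(self, window_s: float = 1.0, flood_pps: int = 100):
        self.window_s = window_s      # sliding window length in seconds
        self.flood_pps = flood_pps    # packets per window that count as a flood
        # every counter is [packets, bytes]
        self.total = [0, 0]
        self.by_proto = defaultdict(lambda: [0, 0])
        self.by_addr = defaultdict(lambda: [0, 0])   # keyed by destination address
        self.by_port = defaultdict(lambda: [0, 0])   # keyed by (dst, dport)
        self._recent = defaultdict(deque)            # (dst, dport) -> timestamps in window
        self._reported = set()                       # ports already flagged once
        self.traffic_incidents = []                  # (ts, dst, dport, packets_in_window)

    def observe(self, p: Packet):
        key = (p.dst, p.dport)
        for counter in (self.total, self.by_proto[p.proto], self.by_addr[p.dst], self.by_port[key]):
            counter[0] += 1
            counter[1] += p.size
        # sliding-window packet rate towards this destination port
        q = self._recent[key]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.flood_pps and key not in self._reported:
            self._reported.add(key)
            self.traffic_incidents.append((p.ts, p.dst, p.dport, len(q)))


def build_sample_monitor() -> TrafficMonitor:
    """Feed constructed traffic: light background load, then a flood on port 80."""
    mon = TrafficMonitor(window_s=1.0, flood_pps=100)
    for i in range(5):    # five HTTP requests spread over ten seconds
        mon.observe(Packet(i * 2.0, "TCP", "10.0.0.2", "10.0.0.5", 80, 600))
    for i in range(3):    # three DNS queries
        mon.observe(Packet(i * 3.0 + 0.5, "UDP", "10.0.0.2", "10.0.0.53", 53, 80))
    for i in range(150):  # 150 small packets to port 80 within half a second
        mon.observe(Packet(20.0 + i * 0.003, "TCP", "10.0.0.99", "10.0.0.5", 80, 60))
    return mon


if __name__ == "__main__":
    m = build_sample_monitor()
    print("total packets/bytes:", m.total, "TCP:", m.by_proto["TCP"])
    print("traffic incidents:", m.traffic_incidents)
```

The background packets never reach the threshold, while the 100th packet of the burst against port 80 produces exactly one traffic incident; a real detector would also expose these counters as the per-protocol curves the test asks to list.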
6.2.1.4.4 Policy configuration
The system shall provide a convenient and fast method and means for configuring the intrusion detection policy, be equipped with policy templates, and support policy import and export.
6.2.1.4.5 Incident library upgrade
The system shall be able to upgrade the incident library.
6.2.1.4.6 System upgrade
The system shall be able to upgrade its system programs.
6.2.1.4.7 Hardware failure handling
For hardware products, when the hardware fails, the administrator shall be notified in time.
6.2.1.4.8 Port separation
The detectors of the system shall be equipped with separate ports for system administration and for network data monitoring.
6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to ensure time consistency between each component of the system and the clock server.

7 Testing and Evaluation Approaches
7.1 Test environment
A typical network topology for the function test of the network-based intrusion detection system is shown in Figure 1.
7.2 Test tools
Available test tools include, but are not limited to: special-purpose network performance analyzers that generate network background traffic; network data packet acquisition software
7.3 Basic Level
7.3.1 Security function test
7.3.1.1 Data detection function test
7.3.1.1.1 Data collection
The testing and evaluation approaches for data collection are as follows.
a) Testing approaches:
1) Open the security policy configuration of the system and configure the protected network segment;
2) Launch an attack on the protected network segment;
3) Check whether the system is able to obtain data packets in the protected network segment in real time.
b) Expected results: the system shall be able to capture adequate network data packets in real time to analyze security incidents.
c) Result determination:
If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.1.2 Protocol analysis
The testing and evaluation approaches for protocol analysis are as follows.
a) Testing approaches:
1) Open the security policy configuration of the system and check whether the description of security incidents has attributes such as protocol type;
2) Check the product instruction manual for a description of the protocol analysis method; in accordance with the protocol analysis types declared for the system, sample them to generate protocol events and form a security incident test set;
3) Configure the detection policy of the system as the maximum policy set;
4) Send all incidents in the security incident test set and record the detection results of the system.
b) Expected results:
1) Record the name and type of attack reported by the system;
2) For protocol events that the product instruction manual claims can be analyzed, no contradiction shall be found in the sampling tests;
3) List all protocol analysis methods supported by the system.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.1.3 Attack behavior monitoring
The testing and evaluation approaches for attack behavior monitoring are as follows.
a) Testing approaches:
1) From the existing incident library, select multiple incidents with different features to form a security incident test set. The selected incidents shall include:
port scanning incidents (including but not limited to TCP port scanning, UDP port scanning and ICMP distributed host scanning), brute force attack incidents (including but not limited to SMTP, HTTP, FTP, MSSQLSERVER, FTP_weak password and POP3_weak password), malicious code incidents (including but not limited to BO, Netbus, Dolly, Code Red, impact wave (Blaster) and oscillation wave (Sasser)), denial of service incidents (including but not limited to SYNFLOOD, UDPFLOOD, ICMPFLOOD and IGMP denial of service), buffer overflow incidents (including but not limited to FTP_command overflow, SMTP_HELO_buffer overflow, POP3_foxmail_5.0_buffer overflow, Telnet_Solaris_telnet_buffer overflow, HTTP_IIS_Unicode_vulnerability and MSSQL2000_remote overflow), vulnerability attack incidents (including but not limited to MS-Office file vulnerability, MS-IE browser vulnerability and application-layer security vulnerability attacks), as well as other representative network security incidents, and use the set to test the system;
2) Configure the detection policy of the system as the maximum policy set;
3) Send all incidents in the security incident test set and record the detection results of the system.
b) Expected results:
1) For the attacks in the security incident test set, the system shall report the corresponding security incidents, including incident name, incident type, attack source address, destination address, time of occurrence and severity level;
2) Record the name and type of attack reported by the system.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.1.4 Traffic monitoring
The testing and evaluation approaches for traffic monitoring are as follows.
a) Testing approaches:
1) Turn on the traffic display function, define traffic incidents, and view the traffic display interface and the displayed traffic changes;
2) Launch a large-traffic attack, for example a ping flood, against a certain server;
3) Launch a denial of service attack against a specific port (for example, port 80).
b) Expected results:
1) Various traffic information can be displayed;
2) The server under attack (for example, by ping flood) can be displayed;
3) The denial of service attack on the network can be displayed;
4) List the traffic monitoring content provided, including but not limited to traffic incidents and traffic display curves for different protocols.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.2 Intrusion analysis function test
7.3.1.2.1 Data analysis
The testing and evaluation approaches for data analysis are as follows.
a) Testing approaches:
1) From the existing incident library, select multiple incidents with different features to form a security incident test set. The selected incidents shall include scanning incidents, denial of service incidents, backdoor incidents, worm incidents, overflow incidents, brute force guessing and weak password incidents, as well as other representative security incidents;
2) Configure the detection policy of the system as the maximum policy set;
3) Send all incidents in the security incident test set and record the detection results of the system.
b) Expected results:
1) For the attacks in the security incident test set, the system shall report the corresponding security incidents, including incident name, attack source address, destination address, time of occurrence and severity level;
2) Record the name and type of attack reported by the system.
c) Result determination:
If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.2.2 Incident merging
The testing and evaluation approaches for incident merging are as follows.
a) Testing approaches:
1) Continuously trigger the same incident until the high-frequency threshold is reached, then check the status of the alarm display and whether the same incident is merged and displayed;
2) Set the incident merging rules to merge part of the content, for example to display only the incident name, the number of occurrences and the source IP of the alarm information (the purpose is to check how many times an incident has occurred from this IP).
b) Expected results:
1) Incidents of the same type can be merged as required;
2) In accordance with the settings, the incident name, the number of occurrences and the source IP of the alarm information can be displayed.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.3 Intrusion response function test
7.3.1.3.1 Customized response
The testing and evaluation approaches for customized response are as follows.
a) Testing approaches:
1) Check that the system allows the administrator to customize different response modes for a specified destination host in the detected network segment, so as to highlight the alerts for specific incidents;
2) Open the menu and check whether the system allows the administrator to set an alert only for the specified destination host in the detected network segment.
b) Expected results: the administrator can customize the system to monitor only the destination hosts that meet the specified conditions.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
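The following Python sketch, added here and not part of the standard or any product, illustrates the incident merging behaviour required by 6.2.1.2.2 and exercised by the 7.3.1.2.2 test: alerts with the same incident name and source IP that exceed an assumed administrator-set high-frequency threshold are folded into one alarm showing name, occurrence count and source IP; the threshold, window and alert stream are constructed values.

```python
"""Alarm merging per GB/T 20275-2021 clauses 6.2.1.2.2 and 7.3.1.2.2 (added example).
Alerts with the same incident name and source IP that recur faster than the
administrator-set high-frequency threshold collapse into one merged alarm that
shows name, occurrence count and source IP. Thresholds and alerts are constructed."""
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float
    name: str       # incident name from the incident library
    src: str        # attack source address
    dst: str        # destination address
    severity: str   # level from incident level division (6.2.1.4.3)


@dataclass
class MergedAlarm:
    name: str
    src: str
    count: int
    last_ts: float

    def display(self) -> str:
        # reduced console line: name, occurrence count, source IP (7.3.1.2.2 step 2)
        return f"{self.name} x{self.count} from {self.src}"


class AlarmMerger:
    def __init__(self, high_freq_threshold: int, window_s: float):
        # administrator-set: this many identical alerts inside window_s seconds
        # counts as "high frequency" and switches the incident to merged display
        self.threshold = high_freq_threshold
        self.window_s = window_s
        self._recent = {}    # (name, src) -> timestamps inside the window
        self.merged = {}     # (name, src) -> MergedAlarm
        self.displayed = []  # alerts still shown one by one

    def submit(self, a: Alert) -> str:
        key = (a.name, a.src)
        if key in self.merged:   # once merged, the incident stays merged
            self.merged[key].count += 1
            self.merged[key].last_ts = a.ts
            return "merged"
        recent = [t for t in self._recent.get(key, []) if a.ts - t <= self.window_s]
        recent.append(a.ts)
        self._recent[key] = recent
        if len(recent) < self.threshold:
            self.displayed.append(a)
            return "displayed"
        # threshold reached: fold the alerts already shown for this key into one entry
        same = [d for d in self.displayed if (d.name, d.src) == key]
        self.displayed = [d for d in self.displayed if (d.name, d.src) != key]
        self.merged[key] = MergedAlarm(a.name, a.src, len(same) + 1, a.ts)
        return "merged"


def run_sample() -> AlarmMerger:
    """Constructed alert stream: one noisy brute-force source and two quiet sources."""
    merger = AlarmMerger(high_freq_threshold=5, window_s=10.0)
    for i in range(20):   # same incident from the same source, once per second
        merger.submit(Alert(float(i), "brute force login", "10.0.0.99", "10.0.0.5", "high"))
    merger.submit(Alert(3.0, "port scan", "10.0.0.7", "10.0.0.5", "medium"))
    for i in range(2):    # same incident name but a different source: not merged
        merger.submit(Alert(30.0 + i, "brute force login", "10.0.0.8", "10.0.0.6", "high"))
    return merger
```

Only the twenty alerts from 10.0.0.99 are merged (into one line reading "brute force login x20 from 10.0.0.99"); the port scan and the two alerts from 10.0.0.8 stay on the console individually because the merge key includes the source IP.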
7.3.1.3.2 Security alert
The testing and evaluation approaches for the security alert are as follows.
a) Testing approaches:
1) Trigger a certain security incident and check whether an alert message appears;
2) Check whether the information on the alarm interface is displayed by level;
3) View the detailed records of the alarm information;
4) View the detailed explanations and recommended solutions for alarm incidents.
b) Expected results:
1) The alert information can be displayed;
2) The alarm information can display the level of the security incident;
3) Detailed parameters are recorded for each alarm message;
4) Detailed explanations and recommended solutions can be provided for each alarm incident.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.3.3 Alert mode
The testing and evaluation approaches for the alert mode are as follows.
a) Testing approaches:
1) Open the menu to view the selection of alert modes;
2) Select each alert mode in turn and test whether the alert can be issued by the specified method.
b) Expected results: one or more alert modes, such as real-time screen prompts and e-mail alerts, can be adopted. Record and list all the alert modes.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
7.3.1.4 Management control function test
7.3.1.4.1 Graphic interface
The testing and evaluation approaches for the graphic interface are as follows.
a) Testing approaches:
1) Log in to the console interface;
2) View the functions of the administrator interface, including the management configuration interface and the alarm display interface;
3) Through the interface, configure the connection between the console and the detector.
b) Expected results:
1) The system has an independent console;
2) The system has a graphical management interface;
3) The system has an alarm display interface with clearly divided functional areas.
c) Result determination: If all the above expected results are satisfied, the result is determined as conforming; otherwise, as non-conforming.
......
Source: the above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.