GB/T 20275-2021 PDF English
GB/T 20275-2021: Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion detection system
Status: Valid
GB/T 20275: Evolution and historical versions
Standard ID | Contents [version] | Name of Chinese Standard | Status
GB/T 20275-2021 | English | Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion detection system | Valid
GB/T 20275-2013 | English | Information security technology - Technical requirements and testing and evaluation approaches for network-based intrusion detection system | Obsolete
GB/T 20275-2006 | English | Technical requirements and testing methods of information security technology intrusion detection system | Obsolete
PDF Preview (excerpt): GB/T 20275-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20275-2013
Information Security Technology - Technical Requirements
and Testing and Evaluation Approaches for Network-based
Intrusion Detection System
Issued on: OCTOBER 11, 2021
Implemented on: MAY 1, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Network-based Intrusion Detection System
6 Security Technology Requirements
7 Testing and Evaluation Approaches
Bibliography
1 Scope
This document specifies the security technology requirements, testing and evaluation
approaches for network-based intrusion detection system.
This document is applicable to the design, development, testing and evaluation of network-
based intrusion detection system.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document
(including all amendments) applies.
GB/T 25069 Information Security Techniques - Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069, together with the following, apply to this
document.
3.1 security incident
Security incident refers to an incident that causes harm to networks and information systems,
or the data contained therein.
3.2 alert
Alert refers to a message sent by the network-based intrusion detection system to the authorized
administrator when an attack or intrusion occurs.
3.3 supporting system
Supporting system refers to an operating system that supports the operation of the network-
based intrusion detection system.
4 Abbreviations
The following abbreviations are applicable to this document.
FTP: File Transfer Protocol
HTML: Hyper Text Markup Language
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Protocol
POP3: Post Office Protocol 3
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transport Control Protocol
TELNET: Telecommunication Network
UDP: User Datagram Protocol
5 Network-based Intrusion Detection System
The network-based intrusion detection system is a product that takes data packets on the
network as the data source, monitors and analyzes all the data packets of the protected network
nodes, and finds abnormal behaviors.
6 Security Technology Requirements
6.1 Classification and Level Division of Requirements
6.1.1 Classification of requirements
This document classifies the security technology requirements of the network-based intrusion
detection system into four categories: security functions, self-security protection,
environmental adaptability and security guarantee requirements. Specifically:
a) The security function requirements specify the security functions that the network-based
intrusion detection system shall be equipped with, mainly including data detection function
requirements, intrusion analysis function requirements, intrusion response function
requirements, management control function requirements, detection result processing
requirements, product flexibility requirements and performance requirements, etc.;
b) The self-security protection requirements specify identity authentication, administrator
management, security audit, data security, communication security, upgrade security and
operation security of the network-based intrusion detection system;
c) The environmental adaptability requirements require support for a pure IPv6 network
environment, self-management capability under an IPv6 network environment and a dual
protocol stack, etc.;
d) The security guarantee requirements specify the life cycle process of the network-based
intrusion detection system, including development, guidance documents, life cycle support,
testing and vulnerability assessment, etc.
6.1.2 Security level
This document divides the security level of the network-based intrusion detection system into
basic level and enhanced level, which shall comply with the requirements of Table 1, Table 2,
6.2 Basic-level Security Requirements
6.2.1 Security function requirements
6.2.1.1 Data detection function requirements
6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall have the capability of obtaining data
packets in the protected network segment in real time.
6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.
6.2.1.1.3 Attack behavior monitoring
The system shall at least monitor the following attack behaviors: port scanning, brute force
attack, malicious code attack, denial of service attack, buffer overflow attack and weak
vulnerability attack, etc.
6.2.1.1.4 Traffic monitoring
The system shall monitor the message traffic and byte traffic of the entire network or a specific
protocol, address or port.
6.2.1.2 Intrusion analysis function requirements
6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and find security incidents.
6.2.1.2.2 Incident merging
The system shall have the capability of combining alarms for the same security incidents that
frequently occur to avoid alarm storms. High frequency thresholds shall be set by authorized
administrators.
6.2.1.3 Intrusion response function requirements
6.2.1.3.1 Customized response
The system shall allow the administrator to customize different response modes for the specific
destination host in the detected network segment.
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take corresponding actions to issue
security warnings.
6.2.1.3.3 Alert mode
One or multiple modes, such as real-time screen prompts and E-mail alerts, shall be adopted
for the alert.
6.2.1.4 Management control function requirements
6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphic interface to administrate and
configure the intrusion detection system. The administrative configuration interface shall
contain all the functions needed to configure and administrate the system.
6.2.1.4.2 Security incident library
The content in the system security incident library shall include the definition and analysis of
incidents, detailed vulnerability repair schemes and countermeasures that can be taken.
6.2.1.4.3 Incident level division
The system shall divide the incidents in accordance with their severity, so that the authorized
administrators can capture hazardous incidents from a large amount of information.
6.2.1.4.4 Policy configuration
The system shall provide a convenient and fast method and means for the policy configuration
of the intrusion detection system, and be equipped with policy templates, and support for policy
import and export.
6.2.1.4.5 Incident library upgrade
The system shall have the capability of upgrading the incident library.
6.2.1.4.6 System upgrade
The system shall have the capability of upgrading system programs.
6.2.1.4.7 Hardware failure handling
For hardware products, when the hardware fails, the administrator shall be notified in time.
6.2.1.4.8 Port separation
The detectors of the system shall be equipped with different ports, which are respectively used
for system administration and network data monitoring.
6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to ensure the time consistency
between each component of the system and the clock server.
7 Testing and Evaluation Approaches
7.1 Test environment
A typical network topology structure of the function test of the network-based intrusion
detection system is shown in Figure 1.
7.2 Test Tools
Available test tools include, but are not limited to, special-purpose network performance
analyzers that generate network background traffic; network data packet acquisition software
7.3 Basic Level
7.3.1 Security function test
7.3.1.1 Data detection function test
7.3.1.1.1 Data collection
The testing and evaluation approaches for data collection are as follows.
a) Testing approaches.
1) Open the security policy configuration of the system and configure the protected
network segment;
2) Launch an attack on the protected network segment;
3) Check whether it has the capability of obtaining data packets in the protected
network segment in real time.
b) Expected results: the system shall be able to capture adequate network data packets
in real time to analyze security incidents.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.1.2 Protocol analysis
The testing and evaluation approaches for protocol analysis are as follows.
a) Testing approaches.
1) Open the security policy configuration of the system and check whether the
description of security incidents has attributes like protocol type;
2) Check the product instruction manual and look for instructions on the protocol
analysis method; in accordance with the protocol analysis type declared by the
system, conduct sampling to generate protocol events and form a security
incident test set;
3) Configure the detection policy of the system as the maximum policy set;
4) Send all incidents in the security incident test set and record the detection results
of the system.
b) Expected results.
1) Record the name and type of attack reported by the system;
2) For protocol events that claim to be analyzable in the product instruction manual,
no contradiction shall be found in sampling tests;
3) List all protocol analysis methods supported by the system.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.1.3 Attack behavior monitoring
The testing and evaluation approaches for attack behavior monitoring are as follows.
a) Testing approaches.
1) From the existing incident library, select multiple incidents with different
features to form a security incident test set. The selected incidents shall include:
port scanning incidents (including but not limited to TCP port scanning, UDP
port scanning and ICMP distributed host scanning, etc.), brute force attack
incidents (including but not limited to SMTP, HTTP, FTP, MSSQLSERVER,
FTP_weak password, POP3_weak password, etc.), malicious code incidents
(including but not limited to BO, Netbus, Dolly, Code Red, impact wave and
oscillation wave, etc.), denial of service incidents (including but not limited to
SYNFLOOD, UDPFLOOD, ICMPFLOOD, IGMP denial of service, etc.), buffer
overflow incidents (including but not limited to FTP_command overflow,
SMTP_HELO_buffer overflow, POP3_foxmail_5.0_buffer overflow,
Telnet_Solaris_telnet_buffer overflow, HTTP_IIS_Unicode_vulnerability,
MSSQL2000_remote overflow, etc.), vulnerability attack incidents (including
but not limited to MS-Office file vulnerability, MS-IE browser vulnerability and
application layer security vulnerability attack, etc.), as well as other
representative network security incidents, test system;
2) Configure the detection policy of the system as the maximum policy set;
3) Send all incidents in the security incident test set and record the detection results
of the system.
b) Expected results.
1) For the attack on the security incident test set, the system shall report the
corresponding security incidents, including incident name, incident type, attack
source address, destination address, incident occurrence time and severity level,
etc.;
2) Record the name and type of attack reported by the system.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.1.4 Traffic monitoring
The testing and evaluation approaches for traffic monitoring are as follows.
a) Testing approaches.
1) Turn on the traffic display function, define traffic incidents, view the traffic
display interface and display traffic changes;
2) Launch a large-traffic attack on a certain server, for example, ping flood;
3) Launch a denial of service attack on a specific port (for example, port 80).
b) Expected results.
1) Various traffic information can be displayed;
2) The server under attack (for example, ping flood) can be displayed;
3) The denial of service attack on the network can be displayed;
4) List the provided traffic monitoring content, including but not limited to traffic
incidents and traffic display curves of different protocols, etc.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
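To make the traffic monitoring requirement (6.2.1.1.4) and its test concrete, the following is an added example, not code from the standard: it computes message and byte traffic per protocol, address or port over a constructed packet summary and flags the destination/protocol/port combinations whose packet rate exceeds a threshold, as happens in the ping-flood and port-80 steps of the test above. The packet record layout and the `pps_threshold` tunable are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Summary of one captured packet (constructed for this example)."""
    ts: float     # seconds since capture start
    proto: str    # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int    # destination port; 0 for ICMP
    size: int     # bytes on the wire


def traffic_counters(packets, key):
    """Message (packet) traffic and byte traffic per key, e.g. per protocol
    (key=lambda p: p.proto), per address or per port. Returns {key: (messages, bytes)}."""
    msgs, byts = defaultdict(int), defaultdict(int)
    for p in packets:
        k = key(p)
        msgs[k] += 1
        byts[k] += p.size
    return {k: (msgs[k], byts[k]) for k in msgs}


def traffic_incidents(packets, pps_threshold, window=1.0):
    """Traffic incidents: (destination, protocol, port) whose packet rate in any fixed
    window of `window` seconds exceeds pps_threshold (the threshold is an assumed tunable)."""
    per_bucket = defaultdict(int)
    for p in packets:
        per_bucket[(int(p.ts // window), p.dst, p.proto, p.dport)] += 1
    return sorted({(dst, proto, port) for (_, dst, proto, port), n in per_bucket.items()
                   if n / window > pps_threshold})


def sample_capture():
    """Constructed capture: a little background traffic, then a ping flood against the
    server and a flood of TCP segments to its port 80, mirroring the test steps above."""
    pkts = [Packet(0.1, "TCP", "10.0.0.5", "10.0.0.80", 80, 512),
            Packet(0.4, "UDP", "10.0.0.5", "10.0.0.53", 53, 64)]
    pkts += [Packet(1.0 + i / 300, "ICMP", "10.0.0.99", "10.0.0.80", 0, 84) for i in range(300)]
    pkts += [Packet(2.0 + i / 500, "TCP", "10.0.0.98", "10.0.0.80", 80, 60) for i in range(500)]
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print(traffic_counters(capture, lambda p: p.proto))
    print(traffic_incidents(capture, pps_threshold=100))
```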
7.3.1.2 Intrusion analysis function test
7.3.1.2.1 Data analysis
The testing and evaluation approaches for the data analysis are as follows.
a) Testing approaches.
1) From the existing incident library, select multiple incidents with different
features to form a security incident test set. The selected incidents shall include
scanning incident, denial of service incident, backdoor incident, worm incident,
overflow incident, brute force guessing and weak password incident, as well as
other representative security incidents;
2) Configure the detection policy of the system as the maximum policy set;
3) Send all incidents in the security incident test set and record the detection results
of the system.
b) Expected results.
1) For the attack on the security incident test set, the system shall report the
corresponding security incidents, including incident name, attack source address,
destination address, incident occurrence time and severity level, etc.;
2) Record the name and type of attack reported by the system.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.2.2 Incident merging
The testing and evaluation approaches for the incident merging are as follows.
a) Testing approaches.
1) Continuously trigger the same incident to reach the high frequency threshold,
check the status of the alarm display and whether the same incident is merged
and displayed;
2) Set the rules for incident merging to merge some contents, for example, only
displaying the incident name, the occurrence times and the source IP (the purpose
is to check how many times an incident has occurred on this IP) of the alarm
information.
b) Expected results.
1) Merging of the same type of incidents can be carried out as required;
2) In accordance with the settings, the incident name, the occurrence times and the
source IP of the alarm information can be displayed.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
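The incident merging requirement (6.2.1.2.2) and its test (7.3.1.2.2) describe an alarm-storm suppression rule: once the same incident repeats up to the administrator-set high-frequency threshold, further alerts are folded into one merged alarm showing the incident name, occurrence count and source IP. The following is an added example of that behaviour, not code from the standard; the choice of "same incident" as incident name plus source address, the time window, and the configurable display fields are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One alert as reported by the detector (constructed for this example)."""
    ts: float       # seconds since the detector started
    name: str       # incident name from the incident library
    src: str        # attack source address
    dst: str        # destination address
    severity: str


@dataclass
class MergedAlarm:
    name: str
    src: str
    dst: str
    count: int
    first_ts: float
    last_ts: float


class AlarmMerger:
    """Folds repeated alerts of the same incident into one merged alarm once they
    reach the administrator-set high-frequency threshold within `window` seconds.
    merge_key: alert fields that define "the same incident" (assumed: name + source IP).
    display_fields: merged-alarm fields the console shows (assumed configurable)."""

    def __init__(self, threshold, window, merge_key=("name", "src"),
                 display_fields=("name", "count", "src")):
        if threshold < 1 or window <= 0:
            raise ValueError("threshold must be >= 1 and window > 0")
        self.threshold, self.window = threshold, window
        self.merge_key, self.display_fields = merge_key, display_fields
        self._recent = defaultdict(list)   # key -> alert timestamps still inside the window
        self._active = {}                  # key -> MergedAlarm currently being folded into

    def _key(self, alert):
        return tuple(getattr(alert, f) for f in self.merge_key)

    def process(self, alert):
        """Return the Alert itself if it is displayed individually, otherwise the
        MergedAlarm it was folded into."""
        key = self._key(alert)
        cutoff = alert.ts - self.window
        recent = [t for t in self._recent[key] if t >= cutoff] + [alert.ts]
        self._recent[key] = recent
        if len(recent) < self.threshold:
            self._active.pop(key, None)    # storm is over: back to individual alarms
            return alert
        merged = self._active.get(key)
        if merged is None:
            # Threshold just reached: the merged alarm covers every occurrence still in the window
            merged = MergedAlarm(alert.name, alert.src, alert.dst, len(recent), recent[0], alert.ts)
            self._active[key] = merged
        else:
            merged.count += 1
            merged.last_ts = alert.ts
        return merged

    def display(self):
        """Console view of active merged alarms, limited to the configured fields."""
        return [tuple(getattr(m, f) for f in self.display_fields) for m in self._active.values()]


def sample_alerts():
    """Constructed stream: one source repeats a port-scan alert every second (a storm)
    while another source triggers two unrelated alerts."""
    storm = [Alert(float(i), "TCP port scan", "10.0.0.99", "10.0.0.80", "high") for i in range(12)]
    other = [Alert(2.5, "FTP weak password", "10.0.0.7", "10.0.0.21", "medium"),
             Alert(6.5, "FTP weak password", "10.0.0.7", "10.0.0.21", "medium")]
    return sorted(storm + other, key=lambda a: a.ts)


def run(threshold=5, window=10.0):
    """Feed the sample stream through the merger; returns (individually shown, merged view)."""
    merger = AlarmMerger(threshold, window)
    shown = [merger.process(a) for a in sample_alerts()]
    return sum(isinstance(x, Alert) for x in shown), merger.display()
```

With the defaults, the first four port-scan alerts and both FTP alerts are shown individually, and the remaining eight port-scan alerts collapse into a single merged alarm counting all twelve occurrences.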
7.3.1.3 Intrusion response function test
7.3.1.3.1 Customized response
The testing and evaluation approaches for the customized response are as follows.
a) Testing approaches.
1) The system shall allow the administrator to customize different response modes
for the specified destination host in the detected network segment, so as to
highlight the alert for specific incidents;
2) Open the menu and check whether the system allows the administrator to set an
alert only for the specified destination host in the detected network segment.
b) Expected results: the administrator can customize the system to monitor only the destination
host that complies with the specified conditions.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.3.2 Security alert
The testing and evaluation approaches for the security alert are as follows.
a) Testing approaches.
1) Trigger a certain security incident and check whether there is an alert message;
2) Check whether the information on the alarm interface is displayed in different
levels;
3) View detailed records of alarm information;
4) View detailed explanations and recommended solutions for alarm incidents.
b) Expected results.
1) The alert information can be displayed;
2) The alarm information can display the level of security incidents;
3) For each alarm message, record detailed parameters;
4) For each alarm incident, detailed explanations and recommended solutions can
be provided.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.3.3 Alert mode
The testing and evaluation approaches for the alert mode are as follows.
a) Testing approaches.
1) Open the menu to view the selection of alert modes;
2) Successively select each alert mode to test whether the alert can be issued in
accordance with the specified method.
b) Expected results: one or multiple alert modes, such as real-time screen prompts and
E-mail alerts, can be adopted. Record and list all the alert modes.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
7.3.1.4 Management control function test
7.3.1.4.1 Graphic interface
The testing and evaluation approaches for the graphic interface are as follows.
a) Testing approaches.
1) Log in to the console interface;
2) View the functions of the administrator interface, including the management
configuration interface and alarm display interface, etc.;
3) Through the interface, configure the connection between the console and the
detector.
b) Expected results.
1) With an independent console;
2) With a graphical management interface;
3) With an alarm display interface with clearly divided functional areas.
c) Result determination.
If the above-mentioned expected results are all satisfied, they shall be determined as
conforming, otherwise, they shall be determined as non-conforming.
Source: the above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.