CN1317855C - Invasion detecting system and its invasion detecting method - Google Patents
- Publication number
- CN1317855C
- Authority
- CN
- China
- Prior art keywords
- packet
- data
- module
- detection
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention provides an intrusion detection system and an intrusion detection method. The intrusion detection system comprises a packet analysis module, an abnormal data processing module, a packet reassembly module and an application data detection module. The intrusion detection method comprises the following steps: A) performing packet-based detection on the captured packets to be detected and judging whether the packet currently being detected is abnormal; if it is abnormal, proceeding to step B, otherwise proceeding to step C; B) analyzing the packets detected as abnormal in step A and generating a detection result; C) reassembling and restoring the application data encapsulated in the packets detected as normal in step A, and detecting the reassembled application data to generate a detection result. With the present invention, the efficiency of intrusion detection and the accuracy of data detection can be increased, the resource consumption of intrusion detection can be reduced, and the accuracy and reliability of intrusion detection can be improved.
Description
Technical field
The present invention relates to network security technology, and in particular to an intrusion detection system and an intrusion detection method thereof.
Background technology
Intrusion detection is a network security technology that provides real-time protection for computer networks. It mainly inspects the data currently entering the protected network or protected host and determines whether the data under inspection is legitimate or not. Typically, a network intrusion detection system collects network communication information at several key points in the computer network system, such as the state of user activity and behavior, and uses an established intrusion detection rule base to analyze whether any behavior in the network violates the security policy. If such behavior is found, an alarm is raised, thereby providing real-time protection for the computer network system.
The basic detection method of network intrusion detection is packet-based pattern matching. After the intrusion detection system captures a packet, the packet content is string-matched against the system's intrusion detection rule base, and an alarm is raised as soon as matching content is found. Packet-based pattern matching is relatively simple to implement and similar in principle to anti-virus software. However, because detection is performed on individual packets, evasive attacks such as encoding tricks cannot be detected; in addition, it lacks the flexibility to identify many types of attack, and only continual upgrading of the intrusion detection rule base allows newly emerging attack methods to be detected.
At present, intrusion detection systems can also implement detection based on application data. This method is no longer directed at a single packet. After the intrusion detection system captures packets, it uses protocol analysis to reassemble the application data encapsulated in several related packets, for example through common IP fragment reassembly, restoring application data that was split across several packets for transmission, and then interprets and analyzes the reassembled data. Besides string matching, the real application data can be analyzed semantically and syntactically, so this detection mode is more flexible and can detect newly emerging attack methods. However, because it cannot take the current network environment into account, for example information such as the topology of the protected network and the system types and service types of the protected hosts, a large number of false positives is unavoidable. Moreover, because every packet is reassembled and interpreted, in high-traffic network environments CPU consumption rises greatly and system performance falls.
Summary of the invention
In view of this, the main object of the present invention is to provide an intrusion detection system that improves the efficiency of intrusion detection and the accuracy of data detection.
Another object of the present invention is to provide an intrusion detection method that reduces the resource consumption of intrusion detection and improves the accuracy and reliability of intrusion detection.
The intrusion detection system of the present invention comprises:
a packet analysis module, used to detect captured packets and, according to the detection result, send the packet currently being detected to the abnormal data processing module or to the packet reassembly module; an abnormal data processing module, used to receive packets that the packet analysis module has detected as abnormal and generate a detection result; a packet reassembly module, used to receive packets that the packet analysis module has detected as normal, restore the application data encapsulated in the packets and send it to the application data detection module; and an application data detection module, used to detect the application data restored by the packet reassembly module and generate a detection result;
wherein the application data detection module comprises a data analysis module and a behavior audit module; the data analysis module is used to detect intrusion behavior present in the restored application data and generate a data detection result, and the behavior audit module is used to detect unreasonable network behavior present in the restored application data and generate a behavior detection result.
The intrusion detection system may further comprise a network environment monitoring module, used to collect information about the network in which the intrusion detection system is located, convert it into intrusion detection conditions and send these to the packet analysis module.
The intrusion detection system may further comprise a correlation analysis module, used to receive the data detection result generated by the data analysis module, the behavior detection result generated by the behavior audit module and the detection result generated by the abnormal data processing module, and to perform correlation analysis to generate a correlation analysis result.
The system may further comprise a behavior monitoring module, used to monitor the application data restored by the packet reassembly module.
The intrusion detection method of the present invention comprises the following steps:
A. performing packet-based detection on the captured packets to be detected and judging whether the packet currently being detected is abnormal; if it is abnormal, proceeding to step B, otherwise proceeding to step C;
B. analyzing the packets detected as abnormal in step A and generating a detection result;
C. reassembling and restoring the application data encapsulated in the packets detected as normal in step A, and performing intrusion detection and reasonableness detection on the reassembled application data to generate a data detection result and a behavior detection result.
The packet-based detection of captured packets in step A may further comprise analyzing and detecting the packet header and packet content of the captured packets.
The packet-based detection of captured packets in step A may further comprise generating intrusion detection conditions from changes in the current network environment and detecting the packets according to the generated intrusion detection conditions.
The method may further comprise performing correlation analysis on the data detection result and behavior detection result generated for the restored application data and the detection result generated by processing abnormal data in step B, and generating a correlation analysis result.
As can be seen from the above, the intrusion detection system and method provided by the present invention use several detection means in combination, each stage of detection using the detection mode suited to it. The packet analysis module first performs packet-based detection and splits the traffic; the network environment monitoring module guides the packet analysis module to screen packets according to changes in the network system, which reduces the number of packets that subsequent detection has to handle, and subsequent detection reassembles only the packets that passed the screen, thereby improving detection efficiency and reducing resource consumption. Application data is reassembled using protocol decoding and then inspected by detection and behavior audit, which can detect newly emerging attack methods and evasion (spoofing) attacks as well as unreasonable network access; the correlation analysis module combines the results of the abnormal data processing module and the behavior audit module when analyzing the information sent by the data analysis module, improving the accuracy of intrusion detection and reducing the false negative rate.
Description of drawings
Fig. 1 is a schematic diagram of the intrusion detection system of the present invention.
Fig. 2 is a flow chart of the intrusion detection method of the present invention.
Embodiment
To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in more detail below by way of a specific embodiment.
Fig. 1 is a schematic diagram of the intrusion detection system. As shown in the figure, the intrusion detection system mainly comprises the following modules: a network environment monitoring module, a packet analysis module, an abnormal data processing module, a packet reassembly module, a behavior monitoring module, an application data detection module and a correlation analysis module.
The network environment monitoring module scans in real time for changes in the network protected by the intrusion detection system. The network information it collects includes changes in the network topology, the addition and removal of devices in the network, changes in host operating system types and in the applications running in the network, and so on. The network environment monitoring module converts the collected network information into suitable rule conditions and supplies them to the packet analysis module as judgment conditions for intrusion detection.
The packet analysis module receives the packets captured by the intrusion detection system and performs coarse-grained screening on them. It does not inspect the specific application data encapsulated in a packet; it only parses the packet header, packet structure and packet content, and judges by packet anomaly statistics and packet type analysis whether the packet is normal. At the same time, the packet analysis module uses the intrusion detection conditions sent by the network environment monitoring module to judge the packet. Detected abnormal packets are sent to the abnormal data processing module, which handles them; they are not detected further. The normal packets that pass the screen are sent to the packet reassembly module so that the application data they encapsulate can be detected.
The abnormal data processing module receives the abnormal packets sent by the packet analysis module, records them, compiles statistics and generates a detection result, which it sends to the correlation analysis module as a condition for correlation analysis.
The packet reassembly module receives the packets that the packet analysis module has detected as normal and uses protocol analysis to reassemble and restore the application data content encapsulated in several related packets. The restored, complete application data is sent to the application data detection module.
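The reassembly step above is where packet-level evasion is decided, so here is an added example (not the patent's code) of an IPv4-style fragment reassembler in Python that restores application data split across fragments and, as the failure modes a detector must not paper over, rejects fragment sets whose overlapping bytes disagree or whose fragments run past the declared end of the datagram. Offsets are given in bytes; the key tuple, the class and function names and the sample fragments are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Fragments of one datagram are keyed, as in IPv4, by (source, destination, identification,
# protocol). Offsets below are in bytes (the header's fragment-offset field times 8).
FragKey = Tuple[str, str, int, int]


@dataclass
class _Datagram:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> fragment data
    total_len: Optional[int] = None                          # known once the MF=0 fragment arrives


class Reassembler:
    """Restores application data split across IP fragments, rejecting evasive fragment sets.

    Caveat: there is no timeout, so a datagram with a fragment that never arrives stays in
    memory; a production reassembler must expire incomplete buffers.
    """

    def __init__(self) -> None:
        self._pending: Dict[FragKey, _Datagram] = {}

    def add(self, key: FragKey, offset: int, more_fragments: bool, data: bytes) -> Optional[bytes]:
        """Add one fragment. Returns the complete datagram once every byte is covered, else None.

        Raises ValueError for fragment sets a detector must not silently resolve: overlapping
        fragments whose bytes disagree (the IDS and the target host could favour different
        copies) and fragments extending past the declared end of the datagram.
        """
        dg = self._pending.setdefault(key, _Datagram())
        for off, piece in dg.pieces.items():
            lo, hi = max(off, offset), min(off + len(piece), offset + len(data))
            if lo < hi and piece[lo - off:hi - off] != data[lo - offset:hi - offset]:
                del self._pending[key]
                raise ValueError(f"{key}: conflicting overlap in bytes [{lo}, {hi})")
        dg.pieces[offset] = data
        if not more_fragments:
            end = offset + len(data)
            if dg.total_len is not None and dg.total_len != end:
                del self._pending[key]
                raise ValueError(f"{key}: two final fragments declare different lengths")
            dg.total_len = end
        if dg.total_len is None:
            return None
        if any(off + len(p) > dg.total_len for off, p in dg.pieces.items()):
            del self._pending[key]
            raise ValueError(f"{key}: fragment extends past declared datagram end")
        covered = 0
        for off in sorted(dg.pieces):
            if off > covered:
                return None                       # a hole remains; wait for more fragments
            covered = max(covered, off + len(dg.pieces[off]))
        if covered < dg.total_len:
            return None
        out = bytearray(dg.total_len)
        for off, piece in dg.pieces.items():      # overlaps, if any, were verified identical
            out[off:off + len(piece)] = piece
        del self._pending[key]
        return bytes(out)


def reassemble_all(fragments: List[Tuple[FragKey, int, bool, bytes]]):
    """Feed fragments in arrival order; return (completed datagrams, anomaly messages)."""
    r = Reassembler()
    datagrams, anomalies = [], []
    for key, offset, mf, data in fragments:
        try:
            dg = r.add(key, offset, mf, data)
        except ValueError as exc:
            anomalies.append(str(exc))
            continue
        if dg is not None:
            datagrams.append((key, dg))
    return datagrams, anomalies


# Constructed sample: one HTTP request arriving out of order (last fragment first, the middle
# fragment filling the hole), and one fragment set whose overlap carries different bytes.
SAMPLE_FRAGMENTS = [
    (("10.0.0.20", "10.0.0.5", 1, 6), 16, False, b"HTTP/1.0"),
    (("10.0.0.20", "10.0.0.5", 1, 6), 0, True, b"GET /ind"),
    (("10.0.0.20", "10.0.0.5", 1, 6), 8, True, b"ex.html "),
    (("10.0.0.21", "10.0.0.5", 2, 6), 0, True, b"GET /inde"),
    (("10.0.0.21", "10.0.0.5", 2, 6), 4, True, b"XXXX"),
]

if __name__ == "__main__":
    done, bad = reassemble_all(SAMPLE_FRAGMENTS)
    for key, dg in done:
        print("restored", key, dg)
    for msg in bad:
        print("anomaly ", msg)
```

The conflicting-overlap case is the one to notice: a reassembler that quietly keeps either the first or the last copy has chosen a host model, and any target whose stack chooses the other copy sees different application data than the detector inspected. Handing such fragment sets to the abnormal data processing module instead is consistent with the screening design described above.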
In addition, after the data has been restored it can be sent to the behavior monitoring module, which monitors the network behavior embodied in the application data and makes it available to the administrator for monitoring and analysis.
The application data detection module further comprises a data analysis module and a behavior audit module. The data analysis module detects the application data restored by the packet reassembly module; its detection methods include string, semantic and syntactic analysis of the application data content. If the analysis finds the application data to be normal, detection of this data ends; if the analysis finds it to be abnormal, a data detection result is generated and sent to the correlation analysis module.
The behavior audit module receives the restored data from the packet reassembly module and analyzes, according to behavior rules predefined by the administrator, whether unreasonable network behavior is present. It mainly detects operations that are not intrusions but are unreasonable, including unreasonable network access such as logging in from an unexpected location or unauthorized attempts to access critical files. After detecting the data it generates a behavior detection result and sends it to the correlation analysis module as a condition for correlation analysis.
The correlation analysis module receives the results generated by the data analysis module, the abnormal data processing module and the behavior audit module. It interprets the result generated by the data analysis module with reference to the results generated by the abnormal data processing module and the behavior audit module; that is, it combines the currently detected intrusion attack with the unreasonable behavior and further analyzes the specific behavior of the intrusion, improving the accuracy of intrusion detection. The correlation analysis module outputs the detection result in a suitable form to alert the administrator.
The present invention uses bypass (passive, out-of-band) monitoring to copy and capture the raw packets to be detected, and the captured packets are detected by the intrusion detection system. Fig. 2 is a flow chart of the intrusion detection method of the present invention; the method is further described below with reference to Fig. 2.
The detection method used by the packet analysis module is the same as in the prior art. For example, a statistical analysis method can be used to check packet legitimacy, judging the legitimacy of the current packet from attributes such as the times at which the host sending the packet has accessed the network and the number of accesses, as counted by the statistics; or a pattern matching method can be used to check the packet header and structure. In addition, the module detects packets using the intrusion detection conditions passed to it by the network environment monitoring module. For example, if the detection condition sent by the network environment monitoring module is that a certain host is shut down, the packet analysis module uses this as a detection condition: if the header of a detected packet carries a source address identical to that host's address, the packet currently captured is considered abnormal and is sent to the abnormal data processing module.
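The screening described above, as an added example rather than the patent's own code: a Python packet analysis stage that parses the IPv4 header, sanity-checks its length fields, and applies environment conditions of the kind the text describes (the shut-down host from the example, plus the protected network range and the service types a host is known to offer). The EnvironmentConditions fields, the helper names and the sample packets are assumptions constructed for this example; the header checksum is not verified.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

TCP, UDP = 6, 17


# Constructed stand-in for the "intrusion detection conditions" that the network environment
# monitoring module derives from the protected network. Field names are this example's own.
@dataclass
class EnvironmentConditions:
    protected_networks: list                         # ipaddress.IPv4Network objects
    closed_hosts: set = field(default_factory=set)   # hosts the monitor reports as shut down
    services: dict = field(default_factory=dict)     # host -> {(ip_proto, dst_port), ...} it offers


def parse_ipv4_header(raw: bytes) -> dict:
    """Parse the fixed IPv4 header and sanity-check its length fields (ValueError if malformed)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(raw):
        raise ValueError(f"header length {ihl} inconsistent with {len(raw)} captured bytes")
    if total_len < ihl or total_len > len(raw):
        raise ValueError(f"total length {total_len} inconsistent with {len(raw)} captured bytes")
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,
        "ttl": ttl,
        "payload": raw[ihl:total_len],
    }


def screen_packet(raw: bytes, env: EnvironmentConditions) -> tuple:
    """Coarse, header-only screen. Returns ("abnormal", reason) or ("normal", parsed_header)."""
    try:
        hdr = parse_ipv4_header(raw)
    except ValueError as exc:
        return ("abnormal", f"malformed header: {exc}")
    src, dst, proto = hdr["src"], hdr["dst"], hdr["proto"]
    # Environment condition from the patent's own example: a host the monitor reports as shut
    # down cannot legitimately be sending, so a packet claiming its address as source is spoofed.
    if src in env.closed_hosts:
        return ("abnormal", f"source {src} is reported shut down")
    if not any(dst in net for net in env.protected_networks):
        return ("abnormal", f"destination {dst} is outside the protected network")
    # Service-type condition: traffic to a port the host is not known to serve is screened out.
    if dst in env.services and proto in (TCP, UDP):
        if len(hdr["payload"]) < 4:
            return ("abnormal", "transport header truncated")
        _sport, dport = struct.unpack("!HH", hdr["payload"][:4])
        if (proto, dport) not in env.services[dst]:
            return ("abnormal", f"{dst} does not offer proto {proto} port {dport}")
    return ("normal", hdr)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test packet. The header checksum is left zero; this screen does not verify it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp_payload(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal stand-in for a TCP/UDP segment: only the two port fields are used by the screen."""
    return struct.pack("!HH", sport, dport) + data


# Constructed environment: one protected /24, one host reported shut down, one web server.
ENV = EnvironmentConditions(
    protected_networks=[ipaddress.IPv4Network("10.0.0.0/24")],
    closed_hosts={ipaddress.IPv4Address("10.0.0.9")},
    services={ipaddress.IPv4Address("10.0.0.5"): {(TCP, 80)}},
)

if __name__ == "__main__":
    samples = {
        "http_ok": build_ipv4("10.0.0.20", "10.0.0.5", TCP, tcp_payload(40000, 80, b"GET / HTTP/1.1\r\n")),
        "spoofed_closed_host": build_ipv4("10.0.0.9", "10.0.0.5", TCP, tcp_payload(40001, 80, b"")),
        "telnet_to_web_server": build_ipv4("10.0.0.20", "10.0.0.5", TCP, tcp_payload(40002, 23, b"")),
        "truncated": build_ipv4("10.0.0.20", "10.0.0.5", TCP, b"")[:12],
    }
    for name, pkt in samples.items():
        verdict, detail = screen_packet(pkt, ENV)
        print(f"{name:22s} {verdict:8s} {detail if verdict == 'abnormal' else ''}")
```

Only packets that come back "normal" would go on to reassembly; everything else is handed to the abnormal data processing module without further decoding, which is where the resource saving the text claims comes from.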
For example, suppose the application data after reassembly carries a Uniform Resource Locator (URL). The data analysis module analyzes the backslashes, lone dots and strings of dots carried in the URL, detects that it has an illegal form, and generates the data detection result: the intrusion behavior is accessing this URL location by means of URL path deception. It sends this result to the correlation analysis module, and step 206 is executed.
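An added example (not the patent's code) of the URL check the paragraph describes, in Python. It flags the backslashes, lone dot segments and runs of dots the text mentions, and goes a step further than the text by percent-decoding the path first, so that encoded and double-encoded variants of the same forms are caught, and by resolving the path to show where it actually points. The pattern names, function names and sample URLs are this example's own assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns for the forms the patent's data analysis module inspects in a URL: backslashes,
# lone "." path segments and runs of dots. Pattern names are this example's own.
SUSPICIOUS_FORMS = {
    "backslash": re.compile(r"\\"),
    "dot_segment": re.compile(r"(^|/)\.(/|$)"),
    "dot_run": re.compile(r"\.{2,}"),
}


def decode_path(path: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (double encoding such as %252e needs two passes)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical_path(path: str):
    """Resolve '.' and '..' textually, treating '\\' as '/' the way permissive servers do.

    Returns (canonical_path, escaped_root); escaped_root is True when a '..' tried to climb
    above the document root, which a compliant server refuses and a flawed one serves.
    """
    resolved, escaped = [], False
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            else:
                escaped = True
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved), escaped


def detect_url_path_deception(url: str) -> dict:
    """Data detection result for one URL, in the shape the patent's example describes."""
    path = decode_path(urlsplit(url).path)
    findings = [name for name, rx in SUSPICIOUS_FORMS.items() if rx.search(path)]
    canon, escaped = canonical_path(path)
    if escaped:
        findings.append("escapes_document_root")
    return {
        "destination": url,                 # the recorded destination address
        "decoded_path": path,
        "canonical_path": canon,
        "findings": findings,
        "behavior": "path deception" if findings else None,   # the recorded behavior mode
    }


# Constructed sample URLs: two benign requests and several path-deception variants.
SAMPLE_URLS = [
    "http://10.0.0.5/index.html",
    "http://10.0.0.5/static/jquery.min.js?v=1.2",
    "http://10.0.0.5/cgi-bin/../../etc/passwd",
    "http://10.0.0.5/..%5c..%5cwinnt/system.ini",
    "http://10.0.0.5/%252e%252e/secret.txt",
    "http://10.0.0.5/./admin/./login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = detect_url_path_deception(u)
        print(f"{u:45s} -> {r['canonical_path']:22s} {r['findings']}")
```

Decoding before matching is what separates this from the plain string match criticized in the background section: "%2e%2e%5c" contains neither a dot nor a backslash until it is decoded, yet the server will decode it.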
Step 205: the behavior audit module receives the data restored by the packet reassembly module and analyzes, according to the behavior rules predefined by the administrator, whether unreasonable network behavior is present; if so, it generates a behavior detection result and sends it to the correlation analysis module, and step 206 is executed. The main purpose of this step is to detect behavior that is not an intrusion but is unreasonable; if only intrusion behavior is to be detected, this step can be omitted.
For example, the correlation analysis module receives the following results:
Data detection result from the data analysis module in step 204: the intrusion behavior is accessing this URL location by means of URL path deception. The corresponding correlation analysis condition is: recorded behavior mode: path deception; recorded destination address: the URL address accessed.
Detection result from the abnormal data processing module in step 202: this intrusion was not detected.
Behavior detection result from the behavior audit module in step 205: a login to an unexpected URL location on the server, with an unauthorized attempt to access the file at the URL. The corresponding correlation analysis condition is: recorded behavior modes: unusual login, abnormal file access; recorded destination address: the URL address accessed.
By combining the above conclusions the correlation analysis module determines the intrusion behavior and can then generate the detection result according to the correlation analysis conditions; for this example it is: the URL path deception method was used to access an unexpected URL location on the server. The correlation analysis module then outputs the correlation analysis result in a suitable form to alert the administrator.
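The behavior audit of step 205 and the correlation step worked through above, as one added Python example that is not the patent's code. It applies administrator-defined behavior rules to reassembled requests, then merges every module's results by destination address as the example's correlation conditions do, and grades the merged record: a path-deception finding and unreasonable behavior on the same destination becomes a confirmed intrusion. The DetectionResult shape, the rules, the severity labels and the sample requests are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass
class DetectionResult:
    """One module's output, in the form the patent's correlation conditions record it."""
    module: str            # "data_analysis", "abnormal_data" or "behavior_audit"
    behaviors: List[str]   # recorded behavior modes, e.g. ["path deception"]
    destination: str       # recorded destination address (a URL in the patent's example)
    source: str = ""       # client address, when the module knows it


# Administrator-defined behavior rules (constructed for this example; the patent does not fix
# their form). A user is expected to log in only from the listed client addresses, and the
# listed path fragments mark critical files that require prior authorization.
BEHAVIOR_RULES = {
    "expected_login_sources": {"alice": {"10.0.0.20"}, "bob": {"10.0.0.21"}},
    "critical_paths": ("etc/passwd", "/admin/"),
}


def behavior_audit(requests: List[dict], rules: dict = BEHAVIOR_RULES) -> List[DetectionResult]:
    """Flag operations that are not intrusions but are unreasonable under the rules."""
    results = []
    for req in requests:
        behaviors = []
        user = req.get("user")
        if user and req["client"] not in rules["expected_login_sources"].get(user, set()):
            behaviors.append("unusual login")
        if any(c in req["path"] for c in rules["critical_paths"]) and not req.get("authorized", False):
            behaviors.append("abnormal file access")
        if behaviors:
            results.append(DetectionResult("behavior_audit", behaviors, req["url"], req["client"]))
    return results


def correlate(results: List[DetectionResult]) -> List[dict]:
    """Merge all modules' results per destination and grade each merged record."""
    groups = defaultdict(lambda: {"behaviors": set(), "modules": set(), "sources": set()})
    for r in results:
        g = groups[r.destination]
        g["behaviors"].update(r.behaviors)
        g["modules"].add(r.module)
        if r.source:
            g["sources"].add(r.source)
    verdicts = []
    for destination, g in groups.items():
        m = g["modules"]
        if "data_analysis" in m and "behavior_audit" in m:
            severity = "intrusion confirmed"    # attack technique plus unreasonable behavior on one target
        elif "data_analysis" in m:
            severity = "intrusion suspected"
        elif "behavior_audit" in m:
            severity = "policy violation"
        else:
            severity = "packet anomaly"         # only the abnormal data processing module reported
        verdicts.append({
            "destination": destination,
            "severity": severity,
            "behaviors": sorted(g["behaviors"]),
            "modules": sorted(m),
            "sources": sorted(g["sources"]),
        })
    return verdicts


# Constructed reassembled HTTP requests, as the behavior audit module would see them.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.20", "user": "alice", "url": "http://10.0.0.5/index.html",
     "path": "/index.html", "authorized": True},
    {"client": "203.0.113.7", "user": "alice", "url": "http://10.0.0.5/cgi-bin/../../etc/passwd",
     "path": "/cgi-bin/../../etc/passwd", "authorized": False},
    {"client": "10.0.0.21", "user": "bob", "url": "http://10.0.0.5/admin/users",
     "path": "/admin/users", "authorized": True},
    {"client": "10.0.0.21", "user": "bob", "url": "http://10.0.0.5/admin/config",
     "path": "/admin/config", "authorized": False},
]

# Constructed data analysis result for the second request, matching the patent's example;
# the abnormal data processing module reports nothing, as in the example.
DATA_ANALYSIS_RESULTS = [
    DetectionResult("data_analysis", ["path deception"],
                    "http://10.0.0.5/cgi-bin/../../etc/passwd", "203.0.113.7"),
]

if __name__ == "__main__":
    for v in correlate(behavior_audit(SAMPLE_REQUESTS) + DATA_ANALYSIS_RESULTS):
        print(f"{v['severity']:20s} {v['destination']}  {', '.join(v['behaviors'])}")
```

Grouping by destination is the whole correlation: the same URL reported by two independent modules is what turns "a URL with an odd shape" and "a login from the wrong place" into one alert that names both the technique and the target, which is the result the patent's example ends with.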
The above is only a preferred embodiment of the present invention and is not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (8)
1. An intrusion detection system, characterized in that the intrusion detection system comprises:
a packet analysis module, used to detect captured packets and, according to the detection result, send the packet currently being detected to an abnormal data processing module or a packet reassembly module;
the abnormal data processing module, used to receive packets that the packet analysis module has detected as abnormal and to generate a detection result;
the packet reassembly module, used to receive packets that the packet analysis module has detected as normal, restore the application data encapsulated in the packets and send it to an application data detection module;
the application data detection module, used to detect the application data restored by the packet reassembly module and to generate a detection result;
wherein the application data detection module comprises a data analysis module and a behavior audit module,
the data analysis module being used to detect intrusion behavior present in the restored application data and to generate a data detection result, and
the behavior audit module being used to detect unreasonable network behavior present in the restored application data and to generate a behavior detection result.
2. The intrusion detection system according to claim 1, characterized in that the system further comprises a network environment monitoring module, used to collect information about the network in which the intrusion detection system is located, convert it into intrusion detection conditions and send these to the packet analysis module.
3. The intrusion detection system according to claim 1, characterized in that the system further comprises a correlation analysis module, used to receive the data detection result generated by the data analysis module, the behavior detection result generated by the behavior audit module and the detection result generated by the abnormal data processing module, and to perform correlation analysis to generate a correlation analysis result.
4. The intrusion detection system according to claim 1, characterized in that the system further comprises a behavior monitoring module, used to monitor the application data restored by the packet reassembly module.
5. An intrusion detection method, characterized in that the method comprises the following steps:
A. performing packet-based detection on the captured packets to be detected and judging whether the packet currently being detected is abnormal; if it is abnormal, proceeding to step B, otherwise proceeding to step C;
B. analyzing the packets detected as abnormal in step A and generating a detection result;
C. reassembling and restoring the application data encapsulated in the packets detected as normal in step A, and performing intrusion detection and reasonableness detection on the reassembled application data to generate a data detection result and a behavior detection result.
6. The intrusion detection method according to claim 5, characterized in that the packet-based detection of captured packets in step A further comprises: analyzing and detecting the packet header and packet content of the captured packets.
7. The intrusion detection method according to claim 5 or 6, characterized in that the packet-based detection of captured packets in step A further comprises: generating intrusion detection conditions from changes in the current network environment, and detecting the packets according to the generated intrusion detection conditions.
8. The intrusion detection method according to claim 5, characterized in that the method further comprises: performing correlation analysis on the data detection result and behavior detection result generated for the restored application data and the detection result generated by processing abnormal data in step B, and generating a correlation analysis result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB031571433A CN1317855C (en) | 2003-09-16 | 2003-09-16 | Invasion detecting system and its invasion detecting method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1599334A CN1599334A (en) | 2005-03-23 |
CN1317855C true CN1317855C (en) | 2007-05-23 |
Family
ID=34660217
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB031571433A Expired - Lifetime CN1317855C (en) | 2003-09-16 | 2003-09-16 | Invasion detecting system and its invasion detecting method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1317855C (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7461036B2 (en) * | 2006-01-18 | 2008-12-02 | International Business Machines Corporation | Method for controlling risk in a computer security artificial neural network expert system |
CN101282244B (en) * | 2008-05-09 | 2010-12-01 | Zhejiang University | Intrusion Detection Method Based on SPM |
CN102196440A (en) * | 2010-03-01 | 2011-09-21 | Li Qingshan | Method and system for network audit and intrusion detection |
CN102457415B (en) | 2011-12-27 | 2015-08-19 | Huawei Digital Technologies (Chengdu) Co., Ltd. | IPS check processing method, Network Security Device and system |
CN103368979B (en) * | 2013-08-08 | 2015-02-04 | University of Electronic Science and Technology of China | Network security verifying device based on improved K-means algorithm |
CN107979567A (en) * | 2016-10-25 | 2018-05-01 | Beijing Institute of Computer Technology and Application | A kind of abnormality detection system and method based on protocal analysis |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003092603A (en) * | 2001-09-17 | 2003-03-28 | Toshiba Corp | Network intrusion detecting system, apparatus and program |
US20030115486A1 (en) * | 2001-12-14 | 2003-06-19 | Choi Byeong Cheol | Intrusion detection method using adaptive rule estimation in network-based instrusion detection system |
JP2003204358A (en) * | 2002-01-07 | 2003-07-18 | Mitsubishi Electric Corp | Intrusion detector, intrusion detection method, and intrusion detection program |
- 2003-09-16: Application CNB031571433A filed in CN, granted as CN1317855C (status: Expired - Lifetime)
Non-Patent Citations (4)
Title |
---|
Design and Implementation of the Protocol Analysis Subsystem in an Intrusion Detection System. Li Jiajing, Xu Hui, Pan Aimin, Computer Engineering and Applications, no. 12, 2003 * |
Using Protocol Analysis to Improve Intrusion Detection Efficiency. Li Xiaoying, Zeng Qiming, Computer Engineering and Applications, no. 6, 2003 * |
Sensor Components of a Network-Based Intrusion Detection System. Cao Yuanda, Yue Zhiyu, Zhang Haiyong, Journal of Beijing Institute of Technology, vol. 22, no. 5, 2002 * |
Also Published As
Publication number | Publication date |
---|---|
CN1599334A (en) | 2005-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1203641C (en) | Method and system for monitoring network intrusion | |
CN101789931B (en) | Network intrusion detection system and method based on data mining | |
CN101448007B (en) | Attack prevention system based on structured query language (SQL) | |
US7225343B1 (en) | System and methods for adaptive model generation for detecting intrusions in computer systems | |
CN101018121B (en) | Log convergence processing method and convergence processing device | |
CN1269030A (en) | Method and apparatus for automated network surveillance and security breach intervention | |
CN1655518A (en) | Network security system and method | |
CN1697404A (en) | System and method for detecting network worm in interactive mode | |
CN1841397A (en) | Aggregating the knowledge base of computer systems to proactively protect a computer from malware | |
CN1578227A (en) | Dynamic IP data packet filtering method | |
CN1647483A (en) | Detecting and countering malicious code in enterprise networks | |
CN1794661A (en) | Network performance analysis report system based on IPv6 and its implementing method | |
CN1415099A (en) | System and method for blocking harmful information online, and computer readable medium therefor | |
CN101895521A (en) | Network worm detection and characteristic automatic extraction method and system | |
CN1889573A (en) | Active decoy method and system | |
CN1252555C (en) | Cooperative invading testing system based on distributed data dig | |
CN1492336A (en) | Information system auditing method based on data storehouse | |
CN1411209A (en) | Method of detecting and monitoring malicious user host machine attack | |
CN1529248A (en) | Network invasion related event detecting method and system | |
CN1317855C (en) | Invasion detecting system and its invasion detecting method | |
CN1741526A (en) | Method and system for detecting exception flow of network | |
CN1725709A (en) | Method of linking network equipment and invading detection system | |
CN1992595A (en) | Terminal and related method for detecting maliciously attempted data in a computer network | |
CN1507233A (en) | A kind of solid gateway system and its detection attack method | |
Qin et al. | Frequent episode rules for intrusive anomaly detection with internet datamining |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term | | Granted publication date: 20070523 |