
CN1949720A - Distributed network invasion detecting system - Google Patents


Info

Publication number
CN1949720A
Authority
CN
China
Prior art keywords
data
information
analysis
analysis engine
responsible
Legal status
Pending
Application number
CN 200610037594
Other languages
Chinese (zh)
Inventor
彭斌斌
罗笑南
Current Assignee
Sun Yat Sen University
Original Assignee
Sun Yat Sen University

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a distributed network intrusion detection system. The system adopts a layered structure divided into four layers: a data acquisition layer, a communication layer, an analysis layer and a control layer. The data acquisition layer consists of data collectors, which are mainly responsible for intercepting the packets on the local network segment and formatting them differently according to packet type. The communication layer consists of communication devices, which are mainly responsible for transmitting control information or data information within an IDS or between IDSs, and act as the bridge for communication between the components. The analysis layer consists mainly of analysis engines, a log set and a store, and is mainly responsible for deciding whether network packets constitute an intrusion and then writing the analysis results to the log set as required. The control layer consists of a control centre, which is responsible for managing and configuring each component of the system and can also start or stop the operation of a component. The system adopts a centralised architecture, can detect large-scale network intrusions, and has good distribution and scalability.


Description

A distributed network intrusion detection system

Technical field

The invention belongs to the technical field of network security protection and specifically relates to a distributed network intrusion detection system.

Background

The wide use of the Internet today greatly facilitates people's work and life, but the security threats facing networks also disturb people's normal lives. Network security defences in the past relied mainly on firewall technology, but a firewall has its own limitations: it cannot detect attacks originating inside the network. Intrusion detection technology therefore forms another network security gate after the firewall.

Existing security mechanisms can use access control to keep protected computers and networks from being attacked and used by unauthorised parties. However, if these access measures are leaked or bypassed, a person abusing their privileges may gain unauthorised access, causing the attacked system to suffer heavy losses. Access control mechanisms therefore cannot be relied on in all cases to guard against intrusions or attacks from the inside; almost all security systems are vulnerable to abuse of privilege by insiders, and the audit trail is almost the only means of detecting abuse by authorised users.

An intrusion detection system analyses information collected at several key nodes of a computer network or computer system, discovers whether there is behaviour violating the security policy or signs of attack in the network or system, and then responds. The core of network intrusion detection is data analysis, which decides whether the system is abnormal or under attack. Earlier intrusion detection systems were based on a centralised data processing mechanism; because networks were small and communication was slow, real-time processing of the information was achievable. With the development of high-speed networks, the widening scope of networks and the development of various distributed network technologies, distributed attack methods are increasing, and existing simple host-based or network-based intrusion detection methods are almost powerless to detect them, so it is necessary to make the detection and analysis process distributed as well. The way a distributed intrusion detection system works is relatively new: the data it examines are packets from the network; it uses distributed detection with centralised management, inspects the traffic of the network segment it sits on, analyses the network data according to the security policy and response rules laid down by the security management centre, and at the same time sends security event information to the security management centre.

Intrusion detection is a reasonable complement to the firewall: it helps the system cope with network attacks, extends the security management capability of the system administrator, and improves the integrity of the information security infrastructure. Intrusion detection is the second security gate after the firewall; it can monitor the network without affecting network performance and so provides real-time protection against external attacks, internal attacks and mis-operation. An intrusion detection system detects intrusion activity from network packets and protocol analysis. The system can capture packets related to security events from the network according to certain rules and pass them to the analysis engine module for security analysis and judgement; the intrusion analysis engine module analyses the received packets together with the network security database and passes the analysis results to the management/configuration module, whose main functions are to manage the configuration of the other modules and to notify the network administrator of the analysis engine's results in an effective way.

The core technology of intrusion detection has so far gone through three generations. The first generation was host log analysis and pattern matching. The second generation appeared in the mid-1990s; its breakthroughs include network packet capture, analysis of host network data and audit data, and a clear division of labour and cooperation between network-based and host-based intrusion detection systems. The third generation appeared around 2000, with protocol analysis and behavioural anomaly analysis as its representative breakthroughs. The arrival of protocol analysis greatly reduced the amount of computation and the false positive rate. Behavioural anomaly analysis gave third-generation intrusion detection systems the ability to recognise unknown attacks.

At present the leading international intrusion detection systems are based mainly on pattern discovery technology. In 1991, researchers at the University of California, Davis proposed the concept of a distributed intrusion detection system and gave an architecture for one. That architecture combined the earlier host-based and network-based intrusion detection systems.

Contents of the invention

The object of the invention is to provide a distributed network intrusion detection system that has a centralised architecture, can detect large-scale network intrusions, and has good distribution and scalability.

The technical solution adopted by the invention is as follows. A distributed network intrusion detection system adopts a layered structure divided into four layers: a data acquisition layer, a communication layer, an analysis layer and a control layer. The data acquisition layer consists of data collectors, which are mainly responsible for intercepting the packets on the local network segment and formatting them differently according to packet type. The communication layer consists of communication devices, which are mainly responsible for transmitting control information or data information within an IDS or between IDSs and act as the bridge for communication between the components. The analysis layer consists mainly of analysis engines, a log set and a store, and is mainly responsible for deciding whether network packets constitute an intrusion and then writing the analysis results to the log set as required. The control layer consists of a control centre, which is responsible for managing and configuring each component of the system and can also start or stop the operation of a component.

The analysis engine is the brain that decides whether an intrusion has occurred. The store holds a signature library of the various intrusion methods, and when performing signature matching the analysis engine calls on the information in the signature library for comparison.

The data collector is responsible for intercepting the raw packets on the network and passing the collected information to the analysis engine for a security judgement. It can extract possible intrusions or other sensitive information from the collected information and then pass the packet data to the analysis engine for secondary processing. By analysing the information in the Ethernet, TCP, UDP and IP headers it selects the packets the user is interested in, performs the corresponding application-layer protocol interpretation, converts the raw data into correspondingly formatted events, and passes them through the communication component to the analysis engine for further analysis. If fragmented packets are found during interpretation, they are handed to the packet reassembler for processing. The data collectors can also exchange information with one another through the communication component: when a collector finds an activity suspicious it notifies the other collectors, and after analysis a subsequent collector may in turn send a suspicion notice to its neighbouring collectors; when the confidence level finally exceeds the set threshold, an alarm is sent to the master control system and the response system. A collector that receives a suspicion notice raises its suspicion level; if it receives none, it gradually returns to the normal state.

The data collector includes an event generator, which performs preliminary analysis and filtering on the collected data, reducing the amount of data the system has to process and increasing its processing speed.

The communication device is responsible for exchanging the information each intrusion detection unit needs between different units, or exchanging relevant information between different IDSs. It exchanges information with the other components through the socket mechanism. At the same time, by exchanging information the communication component shares the task of detecting intrusions sensibly among the detection units, raising the operating efficiency of the whole IDS.

The analysis engine is the brain of the whole intrusion detection system; it performs unified analysis and processing of the captured raw data, system information, and suspicious information supplied by other intrusion detection systems. It has preprocessing, classification and postprocessing functions. The analysis engine is constructed by first collecting event information: after receiving the formatted event information from the data collector, it decides by means of an intrusion detection method whether an intrusion has occurred. Because the analysis engine and the storage system exchange data through a unified interface, one IDS may have several analysis engines, and the detection methods they use need not be the same; even within one analysis engine several detection methods can be used at once. Analysing the same data with different detection methods and then comparing their results can improve detection accuracy.

The log set is responsible for recording what has happened in the system. It records all the events the user is interested in, which helps the user investigate and analyse intrusion events further: on the one hand the intrusion techniques used by the intruder can be analysed, and on the other the intruder's trail of activity can be followed.

The response system is responsible for receiving the intrusion alarm information sent by the analysis engine and then taking corresponding measures to stop the intruder from continuing the intrusion.

The control centre is the interface between the IDS and the user; through it the administrator can manage and configure each component of the system and query the running status of each component of the IDS.

The characteristics of the system of the invention are as follows:

1. It has a unified and complete architecture, which gives the whole system the characteristics of modularity, layered processing and easy integration. Once the system is modularised, components can easily be added to or removed from it and reused, which enhances the system's extensibility and also strengthens overall control of the system. Furthermore, borrowing the layered processing approach of the TCP/IP protocol suite, some intermediate layers are established so that calls between upper and lower layers are transparent. Finally, the modules are made as easy as possible to combine into one project, which places high demands on the independence of each module.

2. A centralised architecture is adopted to facilitate the detection of large-scale network intrusions. The disadvantages a centralised architecture may bring are addressed with a master/slave structure. The control system can control every component precisely; each component is an independent entity in the system. Component management also includes adding and deleting components and starting or stopping a component. The control system gives the user a view of the operating status of the whole system and the ability to control and query the logs. The analysis engine is responsible for analysing intrusion events on the monitored host and sends its messages to its superior control system. The whole intrusion detection system is controlled by one central control system. After all information has been processed and judged by the central control system, different alarm messages are produced according to the situation. If the central control system fails, the slave control system can take over its duties, which not only keeps the whole IDS running normally but also improves the security of the system itself.

3. The openness of the system was fully considered when designing the analysis engine architecture: any analysis method can be added to the system, and several analysis methods can be applied to the system at the same time. Because the analysis engine and the storage system exchange data through a unified interface, an IDS may have several analysis engines, and the detection methods they use need not be the same; even within one analysis engine several detection methods can be used at once. Analysing the same data with different detection methods and then comparing their results can improve detection accuracy. Data analysis capability is added dynamically by adding new data analysis functions. For existing analysis methods, new intrusion signatures can be added to the intrusion signature database to strengthen the detection capability of the existing pattern matching analysis methods.

Description of drawings

Fig. 1 is a structural diagram of the system of the invention;

Fig. 2 is the layer diagram of the system;

Fig. 3 is the operating flowchart of the system;

Fig. 4 is the flowchart of the master/slave control structure.

Detailed description

The invention is further described below with reference to the drawings and embodiments.

As shown in Figs. 1 and 2, for the overall structure of the system this patent refers to the layering mechanism used by the TCP/IP protocol suite and divides the system into the following four layers. A layered structure is easy to manage: whenever the system administrator wants to manage the intrusion detection system, it can be done from a single machine. The layers are:

1) Data acquisition layer: the data acquisition layer consists of data collector 1. It is mainly responsible for intercepting the packets on the local network segment and formatting them differently according to packet type.

2) Communication layer: the communication layer consists of communication device 2. It is mainly responsible for transmitting control information or data information within an IDS or between IDSs and is the bridge for communication between the components.

3) Analysis layer: the analysis layer consists mainly of analysis engine 5, log set 3 and store 4. It is mainly responsible for deciding whether network packets constitute an intrusion and then writing the analysis results to log set 3 as required. Analysis engine 5 is the brain that decides whether an intrusion has occurred; store 4 holds a signature library of the various intrusion methods, and when performing signature matching analysis engine 5 calls on the information in the signature library for comparison.

4) Control layer: the control layer consists of control centre 7. It manages and configures each component of the system and can also start or stop the operation of a component.

Data collector 1 is responsible for intercepting the raw packets on the network and passing the collected information to the analysis engine for a security judgement. Data collector 1 can extract possible intrusions or other sensitive information from the collected information and then pass the packet data to the analysis engine for secondary processing. The event generator is an important component of the data collector; it performs preliminary analysis and filtering on the collected data, reducing the amount of data the system has to process and increasing its processing speed. By analysing the information in the Ethernet, TCP, UDP and IP headers the collector selects the packets the user is interested in, performs the corresponding application-layer protocol interpretation, converts the raw data into correspondingly formatted events, and passes them through the communication component to the analysis engine for further analysis. If fragmented packets are found during interpretation, they are handed to the packet reassembler for processing. The data collectors can also exchange information with one another through the communication component. When a collector finds an activity suspicious it notifies the other collectors, and after analysis a subsequent collector may in turn send a suspicion notice to its neighbouring collectors; when the confidence level finally exceeds the set threshold, an alarm is sent to the master control system and the response system. A collector that receives a suspicion notice raises its suspicion level; if it receives none, it gradually returns to the normal state.
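The collector-to-collector suspicion exchange described here and in the corresponding passage of the summary, as an added simulation that is not code from the patent: the three-collector topology, the step sizes, the relay rule, the hop limit, the decay rate and the alarm threshold are all assumptions chosen to make the behaviour visible.

```python
"""Collector-to-collector suspicion propagation for the data acquisition layer.

A collector that sees a suspicious activity raises its own level and notifies
its neighbours; a collector that receives a notice raises its level and, once
sufficiently suspicious itself, relays the notice to its other neighbours; a
collector that hears nothing in a tick decays back towards normal; a level
above the threshold is reported to the master control system and the response
system.  Added simulation, not code from the patent: the topology and the
numeric parameters below are assumptions.
"""
from collections import deque

LOCAL_STEP = 3       # rise for a locally observed suspicious activity
NOTICE_STEP = 2      # rise for a suspicion notice from a neighbour
RELAY_LEVEL = 4      # a collector this suspicious relays the notice onwards
MAX_HOPS = 1         # a relayed notice travels at most this many extra hops
DECAY_PER_TICK = 1   # fall per quiet tick, down to the normal level 0
ALARM_THRESHOLD = 5  # level above which an alarm is raised


class Collector:
    def __init__(self, name, neighbours):
        self.name = name
        self.neighbours = neighbours  # names of adjacent collectors
        self.level = 0                # 0 is the normal state
        self.active = False           # anything suspicious seen or heard this tick?

    def observe_suspicious(self, net):
        """Local analysis flagged an activity: raise level, notify neighbours."""
        self.level += LOCAL_STEP
        self.active = True
        for n in self.neighbours:
            net.send(n, self.name, MAX_HOPS)

    def receive_notice(self, net, sender, hops):
        self.level += NOTICE_STEP
        self.active = True
        # A sufficiently suspicious collector passes the notice on to its other
        # neighbours; the hop budget keeps notices from circulating forever.
        if hops > 0 and self.level >= RELAY_LEVEL:
            for n in self.neighbours:
                if n != sender:
                    net.send(n, self.name, hops - 1)

    def end_of_tick(self):
        """Decay if the tick was quiet; return True if an alarm is due."""
        if not self.active:
            self.level = max(0, self.level - DECAY_PER_TICK)
        self.active = False
        return self.level > ALARM_THRESHOLD


class CollectorNetwork:
    """The communication component between collectors, plus the alarm sink."""

    def __init__(self, collectors):
        self.collectors = {c.name: c for c in collectors}
        self.queue = deque()
        self.alarms = []  # (tick, collector) sent to master control and responder

    def send(self, to, sender, hops):
        self.queue.append((to, sender, hops))

    def deliver_all(self):
        while self.queue:
            to, sender, hops = self.queue.popleft()
            self.collectors[to].receive_notice(self, sender, hops)

    def run(self, events, ticks):
        """events maps tick -> names of collectors that observed something locally."""
        for tick in range(ticks):
            for name in events.get(tick, ()):
                self.collectors[name].observe_suspicious(self)
            self.deliver_all()
            for c in self.collectors.values():
                if c.end_of_tick():
                    self.alarms.append((tick, c.name))
        return self.alarms

    def levels(self):
        return {name: c.level for name, c in self.collectors.items()}


def line_of_three():
    """Constructed topology: three collectors on adjacent segments, A - B - C."""
    return CollectorNetwork([Collector("A", ["B"]),
                             Collector("B", ["A", "C"]),
                             Collector("C", ["B"])])


def demo():
    """Constructed scenario: A sees two suspicious activities, then B sees one."""
    net = line_of_three()
    alarms = net.run({0: ["A"], 1: ["A"], 2: ["B"]}, ticks=7)
    return alarms, net.levels()


if __name__ == "__main__":
    alarms, levels = demo()
    for tick, name in alarms:
        print(f"tick {tick}: collector {name} alarms master control and responder")
    print("final levels:", levels)
```

Note that B never alarms on its own observations alone; it crosses the threshold only because A's notices had already raised it, which is the cross-collector reinforcement the passage describes.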

Communication device 2 is responsible for exchanging the information each intrusion detection unit needs between different units, or exchanging relevant information between different IDSs. Communication device 2 exchanges information with the other components through the socket mechanism. At the same time, by exchanging information communication device 2 shares the task of detecting intrusions sensibly among the detection units, raising the operating efficiency of the whole IDS. The analysis engine is the brain of the whole intrusion detection system; it performs unified analysis and processing of the captured raw data, system information, and suspicious information supplied by other intrusion detection systems.

Log set 3 is responsible for recording what has happened in the system. It records all the events the user is interested in, which helps the user investigate and analyse intrusion events further: on the one hand the intrusion techniques used by the intruder can be analysed, and on the other the intruder's trail of activity can be followed.

Store 4 provides each component with the data it needs. The rule base it contains records a rich set of intrusion signatures, which is the important basis on which the analysis engine makes its judgements.

Analysis engine 5 has preprocessing, classification and postprocessing functions. Constructing analysis engine 5 begins with collecting event information: after receiving the formatted event information from data collector 1, it decides by means of an intrusion detection method whether an intrusion has occurred. Because analysis engine 5 and store 4 exchange data through a unified interface, one IDS may have several analysis engines, and the detection methods they use need not be the same; even within one analysis engine several detection methods can be used at once. Analysing the same data with different detection methods and then comparing their results can improve detection accuracy.

Responder 6 is responsible for receiving the intrusion alarm information sent by the analysis engine and then taking corresponding measures to stop the intruder from continuing the intrusion.

Control centre 7 is the interface between the IDS and the user; through it the administrator can manage and configure each component of the system and query the running status of each component of the IDS.

The system uses multi-threaded processing. The data collector runs on the main thread in order to speed up the analysis engine, which uses several matching threads to perform different matching operations simultaneously; if control information is produced, an independent control thread is responsible for the control function. The operating flow of the system is shown in Fig. 3. First, the IDS performs the necessary initial configuration and then loads the logical linked list from the rule base into memory. It then checks whether there is control information; if so, it carries out the corresponding control processing, otherwise it captures a network packet. Next it checks whether the header of the captured packet is valid; if not, it returns to the previous check for control information, otherwise it formats the valid packet and matches it against the rules in the rule base. If the packet does not match the rule list, it likewise returns to the control information check; otherwise the matching packet is processed accordingly and the relevant rules are written to the log set.
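The Fig. 3 flow as a single-threaded, deterministic model, added here as an example rather than taken from the patent: the 13-byte packet header layout, the rule fields, the control message names and the sample traffic are constructed assumptions, and the matching threads of the real system are collapsed into one loop so the decision sequence (control information, header check, formatting, rule match, log) can be followed step by step.

```python
"""Single-pass model of the Fig. 3 operating flow: initialise, load the rule
list into memory, then for each arrival handle control information if present,
otherwise capture a packet, drop it if its header is invalid, format the valid
packet, match it against the rule list, and write each matching rule to the log
set.  Added example, not the patent's code; header layout, rule fields and
sample input are constructed assumptions.
"""
import struct
from dataclasses import dataclass, field

# Constructed header: protocol, source, destination, destination port, payload length.
HEADER = struct.Struct("!B4s4sHH")
PROTO_NAMES = {6: "tcp", 17: "udp"}


@dataclass
class Rule:
    rule_id: str
    proto: str
    dst_port: int
    payload_contains: bytes
    message: str


@dataclass
class Event:
    """Formatted event the collector produces from a raw packet."""
    proto: str
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class IdsState:
    rules: list
    log_set: list = field(default_factory=list)
    dropped: int = 0          # packets rejected by the header check
    running: bool = True


def initialise():
    """Initial configuration: load the (constructed) rule base into memory."""
    return IdsState(rules=[
        Rule("R1", "tcp", 80, b"../../", "directory traversal attempt"),
        Rule("R2", "tcp", 21, b"USER anonymous", "anonymous FTP login"),
        Rule("R3", "udp", 53, b"\x00\x00\xfc", "DNS zone transfer request"),
    ])


def format_packet(raw: bytes):
    """Header check and formatting: an Event, or None when the header is invalid."""
    if len(raw) < HEADER.size:
        return None
    proto, src, dst, dport, plen = HEADER.unpack_from(raw)
    if proto not in PROTO_NAMES or plen != len(raw) - HEADER.size:
        return None
    return Event(PROTO_NAMES[proto], ".".join(map(str, src)),
                 ".".join(map(str, dst)), dport, raw[HEADER.size:])


def match_rules(event, rules):
    return [r for r in rules
            if r.proto == event.proto and r.dst_port == event.dst_port
            and r.payload_contains in event.payload]


def handle_control(state, msg):
    if msg[0] == "stop":
        state.running = False
    elif msg[0] == "add_rule":      # feature 3: signatures added at run time
        state.rules.append(msg[1])


def run(state, stream):
    """stream items are ("ctrl", message) or ("pkt", raw_bytes) in arrival order."""
    for kind, item in stream:
        if not state.running:
            break
        if kind == "ctrl":          # control information takes precedence
            handle_control(state, item)
            continue
        event = format_packet(item)
        if event is None:           # invalid header: back to the control check
            state.dropped += 1
            continue
        for rule in match_rules(event, state.rules):
            state.log_set.append((rule.rule_id, rule.message, event.src, event.dst))
    return state


def make_packet(proto, src, dst, dport, payload):
    return HEADER.pack(proto, bytes(src), bytes(dst), dport, len(payload)) + payload


def demo():
    """Constructed traffic: two hits, one miss, two bad headers, a live rule add, a stop."""
    state = initialise()
    stream = [
        ("pkt", make_packet(6, [10, 0, 0, 5], [10, 0, 0, 80], 80, b"GET /../../x HTTP/1.0")),
        ("pkt", make_packet(6, [10, 0, 0, 5], [10, 0, 0, 21], 21, b"USER bob")),
        ("pkt", b"\x06short"),                                        # truncated header
        ("pkt", HEADER.pack(17, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 53]), 53, 99) + b"abc"),
        ("pkt", make_packet(17, [10, 0, 0, 9], [10, 0, 0, 53], 53, b"\x12\x34\x00\x00\xfc")),
        ("ctrl", ("add_rule", Rule("R4", "tcp", 23, b"root", "telnet root login"))),
        ("pkt", make_packet(6, [10, 0, 0, 7], [10, 0, 0, 23], 23, b"login: root")),
        ("ctrl", ("stop",)),
        ("pkt", make_packet(6, [10, 0, 0, 7], [10, 0, 0, 80], 80, b"GET /../../y")),
    ]
    return run(state, stream)


if __name__ == "__main__":
    for entry in demo().log_set:
        print(entry)
```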

Figure 4 shows an application example of the invention; a further feature of this patent is that the control system uses a master/slave structure. The whole IDS is controlled by one central control system. All information is processed and judged by the central control system, which generates different alarm information depending on the situation. If the central control system fails, the slave control system takes over its role, which both keeps the whole IDS running and improves the security of the system itself; the flow is shown in Figure 4. The control system operates as follows. First, the central control system passes the slave control system's information to all subordinate components in its region. The subordinate components then communicate normally with the central control system. When a problem occurs in the central control system, it sends a handover signal to all subordinate components; on receiving it, each component first cuts its connection to the central control system and then establishes a new connection to the slave control system. Once the connection is established, the slave control system takes the place of the central control system and controls the operation of the whole system. While sending the handover signal to all components in the region, the central control system also communicates with the slave control system and passes it some status information. When the central control system resumes work, the process runs in reverse.
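The handover of Figure 4, simulated in memory as an added example; this is not the patent's code. Two things are assumptions of the example rather than the patent text: control messages carry an HMAC under a key shared by the controllers and the components, so a component only follows a handover that comes from its current controller, and a component that stops receiving heartbeats moves to the slave on its own, since a controller that is already down cannot send the handover signal the text describes. Controller names, message types and the shared key are constructed.

```python
"""Master/slave controller handover (Figure 4), simulated in memory.
Added example, not the patent's code. HMAC on control messages and the
heartbeat-timeout fallback are assumptions of this example."""
import hashlib
import hmac
import json

def sign(key, msg):
    """Attach an HMAC so only a holder of the shared key can issue control messages."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, signed):
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])

class Controller:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.components = []        # subordinate components currently connected
        self.state = {}             # status information passed to the peer on handover

    def send(self, comp, msg):
        comp.receive(sign(self.key, dict(msg, sender=self.name)))

    def heartbeat(self):
        for comp in list(self.components):
            self.send(comp, {"type": "heartbeat"})

    def handover(self, peer):
        """Pass state to the peer and send the handover signal to every subordinate.
        Used in both directions: master -> slave on failure, slave -> master on recovery."""
        peer.state = dict(self.state)
        for comp in list(self.components):
            self.send(comp, {"type": "handover", "target": peer.name})

class Component:
    TIMEOUT = 3                     # missed heartbeats before the assumed self-failover

    def __init__(self, name, key, master, slave):
        self.name, self.key = name, key
        self.master, self.slave = master, slave
        self.controller, self.missed = None, 0
        self.connect(master)

    def connect(self, ctrl):
        if self.controller is not None and self in self.controller.components:
            self.controller.components.remove(self)   # cut the old connection first
        self.controller, self.missed = ctrl, 0
        ctrl.components.append(self)                  # then establish the new one

    def receive(self, signed):
        if not verify(self.key, signed):
            return False            # forged control traffic is ignored
        msg = json.loads(signed["body"])
        if msg["sender"] != self.controller.name:
            return False            # only the current controller may redirect us
        if msg["type"] == "heartbeat":
            self.missed = 0
        elif msg["type"] == "handover":
            self.connect(self.slave if msg["target"] == self.slave.name else self.master)
        return True

    def tick(self):
        """Assumed fallback: after TIMEOUT silent periods, move to the slave unasked."""
        self.missed += 1
        if self.missed >= self.TIMEOUT and self.controller is self.master:
            self.connect(self.slave)

def run_scenario():
    """Normal operation, failure handover, a forged handover, then recovery."""
    key = b"shared-control-key"                       # constructed
    master, slave = Controller("central", key), Controller("slave", key)
    comps = [Component("collector-%d" % i, key, master, slave) for i in range(3)]
    master.heartbeat()
    phases = {"normal": [c.controller.name for c in comps]}
    master.state = {"rules_version": 7}
    master.handover(slave)                            # central control has a problem
    phases["after_handover"] = [c.controller.name for c in comps]
    phases["slave_state"] = dict(slave.state)
    forged = sign(b"attacker-key", {"type": "handover", "target": "central", "sender": "slave"})
    phases["forged_accepted"] = comps[0].receive(forged)
    slave.handover(master)                            # central control resumes: reverse process
    phases["after_recovery"] = [c.controller.name for c in comps]
    return phases

def run_timeout_scenario():
    """Master dies silently; the component fails over after TIMEOUT missed heartbeats."""
    master, slave = Controller("central", b"k"), Controller("slave", b"k")
    comp = Component("collector-0", b"k", master, slave)
    for _ in range(Component.TIMEOUT):
        comp.tick()
    return comp.controller.name

if __name__ == "__main__":
    print(run_scenario())
    print(run_timeout_scenario())
```

The text does not say how a component tells a genuine handover signal from an injected one; without the signature check, anyone who can reach the components' control port could redirect every collector to a controller of their choosing, which is why the example refuses unsigned messages and messages from anything other than the current controller.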

Claims (9)

1. A distributed network intrusion detection system with a layered structure, characterized in that the system is divided into four layers: a data collection layer, a communication layer, an analysis layer and a control layer. The data collection layer consists of data collectors, which are mainly responsible for intercepting the packets on their local network segment and formatting them differently according to packet type. The communication layer consists of communication devices, which are mainly responsible for carrying control information or data information within an IDS or between IDSs, and are the bridge over which the components communicate. The analysis layer consists mainly of analysis engines, a log set and storage; it is mainly responsible for deciding whether network packets constitute an intrusion and then writing the analysis results to the log set as required. The control layer consists of a control centre, which manages and configures each component in the system and can also start or stop the operation of a component.
2. The distributed network intrusion detection system of claim 1, characterized in that the analysis engine is the brain that decides whether an intrusion is taking place; the storage holds a feature database of the various intrusion patterns, and when the analysis engine performs feature matching it calls up the information in the feature database for comparison.
3. The distributed network intrusion detection system of claim 1, characterized in that the data collector is responsible for intercepting raw packets on the network and passing the collected information to the analysis engine for a security judgement; possible intrusions or other sensitive information can be mined from the collected information, after which the data in the packets is passed to the analysis engine for post-processing. By analysing the information in the Ethernet, TCP, UDP and IP headers it selects the packets of interest to the user, then performs data interpretation at the level of the corresponding application-layer protocol, converts the raw data into correspondingly formatted events, and passes them through the communication component to the analysis engine for further analysis. If fragmented messages are found during interpretation, they are handed to a message reassembler. The data collectors can also exchange information with one another through the communication component: when a data collector finds an activity suspicious it notifies the other data collectors; after a downstream data collector has analysed the activity it can in turn send a suspicion notice to the adjacent data collectors, and when the confidence level finally exceeds a preset threshold an alert is sent to the master control system and the response system. When a data collector receives a suspicion notice it raises its suspicion level; if it receives none, it gradually returns to the normal state.
4. The distributed network intrusion detection system of claim 3, characterized in that the data collector contains an event generator that performs initial analysis and filtering of the collected data, reducing the volume of data the system has to process and improving its processing speed.
5. The distributed network intrusion detection system of claim 1, characterized in that the communication device is responsible for exchanging the information each of the different intrusion detection units needs, or for exchanging relevant information between different IDSs; the communication device exchanges information with the other components through the socket mechanism, and at the same time, by exchanging information, the communication component distributes the intrusion detection task sensibly across the detection units, improving the operating efficiency of the whole IDS.
6. The distributed network intrusion detection system of claim 1, characterized in that the analysis engine is the brain of the whole intrusion detection system; it analyses and processes in a unified way the captured raw data, system information and the suspicious information supplied by other intrusion detection systems, and has pre-processing, classification and post-processing functions. The analysis engine is built as follows: it first collects event information, and after receiving the formatted event information sent from the data collector it decides by an intrusion detection method whether an intrusion has occurred. Because the analysis engines and the storage system exchange data through a unified interface, an IDS can have several analysis engines, and the detection method each adopts need not be the same; even within one analysis engine several detection methods can be used at once, so that the same data is analysed by different detection methods and the separate results are compared, which improves detection accuracy.
7. The distributed network intrusion detection system of claim 1, characterized in that the log set is responsible for recording what happened in the system; all events of interest to the user are recorded, which helps the user investigate and analyse intrusion events further: on the one hand the intrusion techniques the intruder used can be analysed, and on the other the intruder's behaviour trail can be reconstructed.
8. The distributed network intrusion detection system of claim 1, characterized in that the response system is responsible for receiving the intrusion alarm information sent by the analysis engine and then taking appropriate measures to stop the intruder from continuing the intrusion.
9. The distributed network intrusion detection system of claim 1, characterized in that the control centre is the interface between the IDS and the user; through it the administrator can manage and configure each component of the system and query the running state of each component in the IDS.
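The cooperative suspicion scheme of claim 3, as an added example that is not the patent's code: a collector that sees something suspicious raises its own level and notifies its neighbours, a received notice raises the receiver's level, a quiet round lets the level decay back toward normal, and crossing the preset threshold sends a warning to master control and the response system. The claim gives no numbers, so the integer point values, the halving decay, the threshold and the four-collector chain are assumptions of the example, and the round-by-round scenario is constructed.

```python
"""Suspicion notices between data collectors (claim 3). Added example, not the
patent's code; the point values, decay rule and threshold are assumptions."""

class Collector:
    LOCAL_GAIN = 4      # points for a suspicious local observation (assumed)
    NOTICE_GAIN = 3     # points per notice from a neighbouring collector (assumed)
    THRESHOLD = 10      # confidence at which a warning is sent (assumed)

    def __init__(self, name):
        self.name = name
        self.neighbours = []    # adjacent collectors reachable via the communication component
        self.level = 0          # current suspicion level, 0 = normal
        self.inbox = []         # notices received this round
        self.local_hit = False

    def observe(self, suspicious):
        """Local analysis result for this round; notify neighbours if suspicious."""
        self.local_hit = suspicious
        if suspicious:
            self.level += self.LOCAL_GAIN
            for n in self.neighbours:
                n.inbox.append(self.name)

    def settle(self):
        """Apply this round's notices, or decay toward normal if nothing happened.
        Returns the warning to send, or None."""
        if self.inbox:
            self.level += self.NOTICE_GAIN * len(self.inbox)
            self.inbox.clear()
        elif not self.local_hit:
            self.level //= 2                        # gradual return to the normal state
        self.local_hit = False
        if self.level >= self.THRESHOLD:
            warning = {"collector": self.name, "confidence": self.level}
            self.level = 0                          # warning sent; start over
            return warning
        return None

def link(a, b):
    a.neighbours.append(b)
    b.neighbours.append(a)

def build_chain(names):
    """Collectors on adjacent segments, each notifying only its neighbours."""
    cs = [Collector(n) for n in names]
    for a, b in zip(cs, cs[1:]):
        link(a, b)
    return cs

def run_round(collectors, suspicious_names):
    """Everyone observes first, then everyone settles, so notices sent this
    round are counted this round. Returns the warnings raised."""
    for c in collectors:
        c.observe(c.name in suspicious_names)
    return [w for w in (c.settle() for c in collectors) if w is not None]

def simulate(collectors, rounds):
    """Returns, per round, the warnings raised and every collector's level afterwards."""
    history = []
    for names in rounds:
        warnings = run_round(collectors, names)
        history.append((warnings, [c.level for c in collectors]))
    return history

# Constructed scenario: activity seen on segment A, then spreading to B and C, then silence.
SCENARIO = [{"A"}, {"A", "B"}, {"B", "C"}, set(), set(), set()]

if __name__ == "__main__":
    for i, (warnings, levels) in enumerate(simulate(build_chain("ABCD"), SCENARIO), 1):
        print("round", i, "levels", levels, "warnings", warnings)
```

In the constructed run, A and B cross the threshold in round 2 once each has its own hit plus the other's notice, C follows in round 3, and D, which only ever receives a single notice from C, never warns and decays back to 0 within two quiet rounds. The two-phase round (observe, then settle) matters: if collectors settled as soon as they observed, a notice would land in a neighbour's inbox after that neighbour had already decayed for the round.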
CN 200610037594 2006-09-08 2006-09-08 Distributed network invasion detecting system Pending CN1949720A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610037594 CN1949720A (en) 2006-09-08 2006-09-08 Distributed network invasion detecting system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610037594 CN1949720A (en) 2006-09-08 2006-09-08 Distributed network invasion detecting system

Publications (1)

Publication Number Publication Date
CN1949720A true CN1949720A (en) 2007-04-18

Family

ID=38019111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610037594 Pending CN1949720A (en) 2006-09-08 2006-09-08 Distributed network invasion detecting system

Country Status (1)

Country Link
CN (1) CN1949720A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101115010B (en) * 2007-09-04 2010-06-02 杭州华三通信技术有限公司 Method for extending safety system, safety system and safety processing device
CN103748988B (en) * 2009-06-12 2010-10-06 北京理工大学 A kind of attack detection method based on fuzzy uncertainty reasoning
CN101938460A (en) * 2010-06-22 2011-01-05 北京豪讯美通科技有限公司 Coordinated defense method of full process and full network safety coordinated defense system
CN101534213B (en) * 2009-04-09 2011-02-02 成都市华为赛门铁克科技有限公司 Acquisition method of log and log server
CN101420419B (en) * 2008-10-27 2011-05-18 吉林大学 Adaptive high-speed network flow layered sampling and collecting method
CN101350745B (en) * 2008-08-15 2011-08-03 北京启明星辰信息技术股份有限公司 Intrude detection method and device
CN101562534B (en) * 2009-05-26 2011-12-14 中山大学 Network behavior analytic system
CN103384241A (en) * 2012-12-21 2013-11-06 北京安天电子设备有限公司 Distributed analysis method and system for security event data
CN104333534A (en) * 2014-09-18 2015-02-04 南京邮电大学 DoS detection system of 6LoWPAN sensing network
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device
CN106850645A (en) * 2017-02-18 2017-06-13 许昌学院 A kind of system and method for detecting invalid access to computer network
CN107819837A (en) * 2017-10-31 2018-03-20 南京优速网络科技有限公司 A kind of method and log cache analysis system for lifting buffer service quality
CN107921981A (en) * 2015-06-30 2018-04-17 莱尔德技术股份有限公司 The monitoring and control of distributed machines
CN109067555A (en) * 2018-07-25 2018-12-21 安徽三实信息技术服务有限公司 A kind of WLAN wireless network data encryption system and its encryption method
CN111181914A (en) * 2019-09-29 2020-05-19 腾讯云计算(北京)有限责任公司 Method, device and system for monitoring internal data security of local area network and server

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101115010B (en) * 2007-09-04 2010-06-02 杭州华三通信技术有限公司 Method for extending safety system, safety system and safety processing device
US8713663B2 (en) 2007-09-04 2014-04-29 Hangzhou H3C Technologies Co., Ltd. Method for using extended security system, extended security system and devices
CN101350745B (en) * 2008-08-15 2011-08-03 北京启明星辰信息技术股份有限公司 Intrude detection method and device
CN101420419B (en) * 2008-10-27 2011-05-18 吉林大学 Adaptive high-speed network flow layered sampling and collecting method
CN101534213B (en) * 2009-04-09 2011-02-02 成都市华为赛门铁克科技有限公司 Acquisition method of log and log server
CN101562534B (en) * 2009-05-26 2011-12-14 中山大学 Network behavior analytic system
CN103748988B (en) * 2009-06-12 2010-10-06 北京理工大学 A kind of attack detection method based on fuzzy uncertainty reasoning
CN103748989B (en) * 2009-07-14 2010-10-06 北京理工大学 A kind of many granularities of matrix form network security threats method for situation assessment
CN101938460A (en) * 2010-06-22 2011-01-05 北京豪讯美通科技有限公司 Coordinated defense method of full process and full network safety coordinated defense system
CN101938460B (en) * 2010-06-22 2014-04-09 北京中兴网安科技有限公司 Coordinated defense method of full process and full network safety coordinated defense system
CN103384241B (en) * 2012-12-21 2016-07-13 北京安天电子设备有限公司 A kind of distribution analysis method towards security event data and system
CN103384241A (en) * 2012-12-21 2013-11-06 北京安天电子设备有限公司 Distributed analysis method and system for security event data
CN104333534A (en) * 2014-09-18 2015-02-04 南京邮电大学 DoS detection system of 6LoWPAN sensing network
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device
CN107921981A (en) * 2015-06-30 2018-04-17 莱尔德技术股份有限公司 The monitoring and control of distributed machines
US10516737B2 (en) 2015-06-30 2019-12-24 Control Solutions Enterprises, Inc. Monitoring and controlling of distributed machines
CN107921981B (en) * 2015-06-30 2020-05-01 莱尔德技术股份有限公司 Method and network for managing a plurality of distributed machines
US10805400B2 (en) 2015-06-30 2020-10-13 Cattron North America, Inc. Monitoring and controlling of distributed machines
CN106850645A (en) * 2017-02-18 2017-06-13 许昌学院 A kind of system and method for detecting invalid access to computer network
CN107819837A (en) * 2017-10-31 2018-03-20 南京优速网络科技有限公司 A kind of method and log cache analysis system for lifting buffer service quality
CN109067555A (en) * 2018-07-25 2018-12-21 安徽三实信息技术服务有限公司 A kind of WLAN wireless network data encryption system and its encryption method
CN111181914A (en) * 2019-09-29 2020-05-19 腾讯云计算(北京)有限责任公司 Method, device and system for monitoring internal data security of local area network and server
CN111181914B (en) * 2019-09-29 2022-08-02 腾讯云计算(北京)有限责任公司 Method, device and system for monitoring internal data security of local area network and server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication