Intrusion detection method and device

An intrusion detection technology, applied in digital transmission systems, electrical components, transmission systems, etc., that addresses the problems of network attack events with no attack signature string, low intrusion detection efficiency, and poor unitization of intrusion detection devices, with the effects of reducing maintenance and upgrade costs, improving intrusion detection efficiency, and enhancing detection capabilities.

Inactive Publication Date: 2009-01-21
BEIJING VENUS INFORMATION TECH +1

AI Technical Summary

Problems solved by technology

This intrusion detection mode, based on a single attack signature string expression format and a single pattern matching algorithm, is being severely challenged by the current variety of network attack events, mainly in the following aspects: 1) with the emergence of various network applications, especially Web-based network application systems, the differences between network attack events are becoming larger and larger, and it is becoming more and more difficult to use a single format to describe the attack characteristics of all types of network attack events; 2) some network attack events have no obvious attack signature string, or it is impossible to list all attack signature strings by enumeration, so an attack signature knowledge base built for misuse detection cannot extract attack signature strings for them. For SQL injection attacks and cross-site scripting attacks, for example, the attack signature cannot be defined by enumerating attack signature strings, and a dedicated detection knowledge base must be used instead; 3) traditional pattern matching technology finds it increasingly difficult to match complex attack signature strings.
[0006] In order to support the intrusion detection of complex network attack events such as SQL injection attacks, it is necessary to overcome the shortcomings of using a single attack feature description format and a single attack feature matching technology in traditional intrusion detection devices.
Although some traditional intrusion detection devices support the detection of some complex network attack events through patching, this destroys the architecture of traditional intrusion detection devices and results in two problems: 1) as more detection patches are added, the degree of unitization of the entire intrusion detection device gets worse and worse, which greatly increases the maintenance and upgrading costs of the intrusion detection device; 2) the coupling between the detection patch and the data collection unit in the traditional intrusion detection device is too strong, which seriously affects the execution efficiency of the intrusion detection device.
[0007] At present, some intrusion detection devices use an attack feature description language similar to a high-level language to define the attack features of network attack events, which makes it possible to use a single format to describe all attack features. The open source Bro intrusion detection tool and the commercial NFR intrusion detection tool adopt this method, but these intrusion detection tools have to use virtual machine technology to match network data flow data against attack signature strings, resulting in low intrusion detection efficiency.


Examples

Embodiment Construction

[0054] The intrusion detection method and device of the present invention no longer adopt the traditional intrusion detection approach of using a single attack feature description format and a single attack feature matching algorithm. Instead, they adopt a layered divide-and-conquer strategy that allows different types of network attack events to use different detection knowledge base description formats and to select different attack detection operators, improving the detection accuracy and execution efficiency of the intrusion detection device.

[0055] Some terms used in the present invention are explained first.

[0056] The object to be detected may be an application protocol message or a file stream object, where the application layer protocol message may be an HTTP request message, and the file stream object may be an HTML document object.

[0057] The detection operator is a software program designed to detect a ...

Abstract

The present invention relates to an intrusion detection method and a device thereof. The method assigns one or more detection units to each type of network attack to be detected, and configures each detection unit with the type of the object to be detected for that type of network attack, a detection operator and a detection knowledge base. During intrusion detection, real-time network data packets that contain the object to be detected are acquired; the corresponding detection unit performs detection according to its configured detection operator and detection knowledge base, and generates an alarm when the network attack occurs. The intrusion detection device comprises, in order, a data pre-processing unit, a data distribution unit, a detection network that comprises one or more detection units, and a configuration management that is used for managing the connection of the units. The method supports the precise detection of various complex network attacks and improves the detection efficiency of the whole intrusion detection device.
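The pipeline described in the abstract (pre-processing, distribution by object type, per-attack detection units), sketched as an added example that is not code from the patent or its owner. All class, function and attack-type names are hypothetical, and the knowledge-base rules and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit, parse_qsl

@dataclass
class DetectionUnit:          # hypothetical name for the abstract's "detection unit"
    attack_type: str
    object_type: str          # type of object to be detected
    operator: Callable        # detection operator: (object, knowledge_base) -> bool
    knowledge_base: list      # format depends on the operator that reads it

def preprocess(raw):
    """Data pre-processing: turn raw bytes into a typed object to be detected."""
    text = raw.decode("latin-1")
    first = text.split("\r\n", 1)[0].split(" ")
    if len(first) == 3 and first[2].startswith("HTTP/"):
        # Keep every decoded parameter value, including repeated names.
        return "http_request", [v for _, v in parse_qsl(urlsplit(first[1]).query)]
    if "<html" in text.lower():
        return "html_document", text
    return "unknown", text

def param_regex_operator(values, patterns):
    """For attacks with no enumerable signature string: structural rules on decoded values."""
    return any(p.search(v) for v in values for p in patterns)

def substring_operator(document, signatures):
    """Traditional signature-string matching, used only where it still fits."""
    lowered = document.lower()
    return any(s in lowered for s in signatures)

UNITS = [  # constructed knowledge bases, one format per operator
    DetectionUnit("sql_injection", "http_request", param_regex_operator,
                  [re.compile(r"'\s*(or|and)\b.*=", re.I),
                   re.compile(r"\bunion\b.+\bselect\b", re.I)]),
    DetectionUnit("cross_site_scripting", "http_request", param_regex_operator,
                  [re.compile(r"<\s*script\b", re.I)]),
    DetectionUnit("html_signature", "html_document", substring_operator,
                  ['<iframe src="http://bad.example/']),
]

def detect(raw):
    """Data distribution: only units configured for this object type see the object."""
    object_type, obj = preprocess(raw)
    return [u.attack_type for u in UNITS
            if u.object_type == object_type and u.operator(obj, u.knowledge_base)]

# Constructed sample requests
SQLI = b"GET /item?id=1%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BENIGN = b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
```

Because distribution is by object type, an HTML document is never passed to the HTTP-parameter operators, which keeps each operator small and lets a new attack type be added as one more entry in `UNITS`.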

Description

Technical field

[0001] The invention relates to the field of network attack detection, in particular to an intrusion detection method and device.

Background technique

[0002] The intrusion detection device is a network security device deployed in bypass or in series. It is usually deployed at the entrance of a key network or at the network boundary to comprehensively monitor the network data packets entering and leaving the network. By scanning and inspecting the monitored network data packets, it discovers various possible intrusion behaviors, and security policies or protection methods are adjusted according to attack events. At the same time, the attack event sequence generated by the intrusion detection device can provide a basis for regular security assessment and analysis.

[0003] The intrusion detection technologies adopted by current intrusion detection devices can be divided into two categories: one is misuse detection technology; the other is anomaly detection technology. Misuse de...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L12/24, H04L29/06, H04L29/08
CPC: H04L63/1416, H04L41/0677
Inventor: 周力丹, 李博, 叶润国, 周涛
Owner BEIJING VENUS INFORMATION TECH