Detection method and system for protocol format exception

A protocol format anomaly detection technology, applied in transmission systems, digital transmission systems, instruments, etc. It addresses the lack of complete and flexible protocol format anomaly detection in existing products and makes the detection system convenient to extend.

Inactive Publication Date: 2009-04-01
BEIJING VENUS INFORMATION TECH

AI Technical Summary

Problems solved by technology

Most protocol anomaly attacks found so far target the format of the protocol, yet very few products offer complete and flexible protocol format anomaly detection.


Examples


Embodiment 1

[0020] This embodiment is the basic mode of the protocol format anomaly detection method; the system used is shown in Figure 1. It comprises a detection key field library, an actual detection rule library, a syntax analyzer, a protocol parser and a protocol format anomaly detector. The operating process is shown in Figure 2:

[0021] ① The step of establishing the detection key field library. This comprises formulating the initial rule grammar, verifying the grammar (the syntax check), and extracting and storing key fields. For a protocol field targeted by some attacks, the common pattern of the attack is identified, and the combination of the attacked protocol field and the attack pattern is input as the initial rule; the detection rules set up in this way are the initial rules. The lexical analyzer is then called to analyse the initial rule and perform lexical segmentation on the input s...

Embodiment 2

[0026] This embodiment is a preferred scheme for formulating the initial input rule grammar in the step of establishing the detection key field library in Embodiment 1. The process is shown in Figure 3.

[0027] ① For a protocol field targeted by some attacks, find the common pattern of the attack and combine the attacked protocol field with the attack pattern as the rule input; this is the initial rule sub-step.

[0028] ② Invoke the lexical analyzer to analyse the initial detection rules and segment the input rule sentences into tokens; this is the lexical segmentation sub-step.

[0029] ③ Use the result of the lexical analysis as the input to the syntax analysis, in order to judge whether the input rule conforms to the preset grammar rules; this is the grammar check sub-step.

[0030] ④ If the grammar check passes, the rule conforms to the preset grammar rules and is used as the basis for generating the actual detection rule in the nex...

Embodiment 3

[0034] This embodiment is a preferred scheme for the step of establishing the actual detection rule library in Embodiment 1. The process is shown in Figure 4.

[0035] ① Generate the actual detection rules from the syntax-checked input rule statements, combined with the actual protocol analysis tool in use.

[0036] ② Extract the keywords (key fields) needed for the data interaction in the next step.

[0037] ③ Put the generated actual detection rules into the actual detection rule library and associate each actual detection rule with the processing function that handles it.

[0038] The keyword extraction method relies on the formulation of the initial rule input grammar: it can automatically locate the key field within a detection rule and accurately extract the key field whose format is to be checked for anomalies.

[0039] After obtaining the output of the yacc syntax check, it is necessary to combine a specific...
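Embodiments 1 to 3 describe one pipeline: lex and parse an initial rule against a preset grammar, extract the key field it names, bind the rule to a processing function, and at detection time check only that field of the parsed protocol message instead of pattern matching over every payload. The following Python sketch is an added example that is not code from the patent or from Beijing Venus. It assumes a small rule syntax of its own (the patent does not disclose its grammar), uses a hand-written tokenizer and grammar check in place of lex/yacc, and uses a minimal HTTP request parser as the protocol parser. The rule strings, HTTP messages and field names are constructed for the example.

```python
import operator
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed rule grammar (an illustrative choice, not the patent's own syntax).
# Each rule names one protocol field plus one attack pattern on that field:
#   <proto>.<field> length <cmp> <int>     e.g.  http.uri length > 1024
#   <proto>.<field> matches "<regex>"      e.g.  http.host matches "[^ -~]"
TOKEN_RE = re.compile(
    r'\s*(?:(?P<field>[a-z]+\.[a-z_]+)|(?P<kw>length|matches)'
    r'|(?P<cmp>>=|<=|==|>|<)|(?P<num>\d+)|"(?P<str>[^"]*)")'
)
CMP = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
       "<=": operator.le, "==": operator.eq}


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Lexical analysis: split a rule sentence into (kind, value) tokens."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


@dataclass
class Rule:
    text: str
    proto: str
    field: str                        # key field extracted from the rule
    check: Callable[[bytes], bool]    # processing function bound to the rule


def parse_rule(text: str) -> Rule:
    """Syntax analysis: accept only token streams that match the grammar,
    then extract the key field and bind the matching processing function."""
    toks = tokenize(text)
    if not toks or toks[0][0] != "field":
        raise SyntaxError("rule must start with <proto>.<field>")
    proto, field = toks[0][1].split(".", 1)
    kinds = [k for k, _ in toks[1:]]
    if kinds == ["kw", "cmp", "num"] and toks[1][1] == "length":
        op, limit = CMP[toks[2][1]], int(toks[3][1])
        check = lambda v: op(len(v), limit)
    elif kinds == ["kw", "str"] and toks[1][1] == "matches":
        pat = re.compile(toks[2][1].encode("latin-1"))
        check = lambda v: pat.search(v) is not None
    else:
        raise SyntaxError(f"rule does not conform to the grammar: {text!r}")
    return Rule(text, proto, field, check)


def validate_rule(text: str) -> bool:
    """Grammar check only: True if the rule parses, False otherwise."""
    try:
        parse_rule(text)
        return True
    except SyntaxError:
        return False


def build_rule_base(rule_texts: List[str]) -> Dict[str, Dict[str, List[Rule]]]:
    """Actual detection rule library, indexed proto -> key field -> rules."""
    base: Dict[str, Dict[str, List[Rule]]] = {}
    for t in rule_texts:
        r = parse_rule(t)
        base.setdefault(r.proto, {}).setdefault(r.field, []).append(r)
    return base


def parse_http_request(raw: bytes) -> Dict[str, bytes]:
    """Minimal protocol parser: pulls out request-line and header fields."""
    line, _, rest = raw.partition(b"\r\n")
    parts = line.split(b" ")
    fields = {"method": parts[0], "uri": parts[1] if len(parts) > 1 else b""}
    for hdr in rest.split(b"\r\n"):
        name, sep, value = hdr.partition(b":")
        if sep:
            fields[name.strip().lower().decode("latin-1")] = value.strip()
    return fields


def detect(base: Dict[str, Dict[str, List[Rule]]], proto: str,
           fields: Dict[str, bytes]) -> List[str]:
    """Deep detection: only the key fields named by rules are checked, so no
    pattern matching runs over the rest of the payload."""
    hits = []
    for field, rules in base.get(proto, {}).items():
        value = fields.get(field)
        if value is not None:
            hits.extend(r.text for r in rules if r.check(value))
    return hits


# Constructed sample rules and messages (not from the patent).
RULES = [
    'http.uri length > 1024',          # overlong request URI
    'http.host matches "[^ -~]"',      # non-printable bytes in Host header
    'http.method matches "[^A-Z]"',    # method token outside upper-case letters
]
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "overlong_uri": b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "binary_host": b"GET / HTTP/1.1\r\nHost: \x90\x90\xcc\r\n\r\n",
}


def run_samples() -> Dict[str, List[str]]:
    """Build the rule library once, then run deep detection on each sample."""
    base = build_rule_base(RULES)
    return {name: detect(base, "http", parse_http_request(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no anomaly'}")
```

A rule that fails the grammar check is rejected before it reaches the rule library, which is the point of the yacc step in the patent: a malformed rule must not silently become a detection rule that never fires. The field-indexed library is what keeps detection cost proportional to the number of rules for fields actually present in the message rather than to the payload size.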


Abstract

The invention relates to a method for detecting protocol format anomalies and a system for it. The system comprises a detection key field library, an actual detection rule library, a syntax analyzer, a protocol parser and a protocol format anomaly detector. The method comprises the steps of establishing the detection key field library, establishing the actual detection rule library, data extraction and deep detection. The method and system address the performance problem of the prior art, in which only misuse detection is used and pattern matching is performed over the payload of every packet. By adopting a powerful syntax analyzer the system is extremely convenient to extend; it can automatically generate the actual detection rules and associate them with their corresponding processing functions; and it offers fast detection of protocol format anomalies with high accuracy, giving it wide application prospects.

Description

Technical field

[0001] The present invention relates to a protocol format anomaly detection method and system: a detection method applied to electrical digital data processing in a network system, and a protocol format anomaly detection method and system usable in intrusion detection and prevention (IDS / IPS) and audit products.

Background

[0002] As an important means of network security protection, an intrusion detection / prevention system (IDS / IPS) is usually deployed inside key networks or at the network boundary. It captures the packet flow within, or passing into and out of, the network in real time, performs intelligent comprehensive analysis to discover possible intrusion behaviour, and blocks it in real time. Current intrusion detection methods are mainly divided into misuse detection and anomaly detection. Anomaly detection can detect known and unknown attack methods and...


Application Information

Patent Type & Authority Applications(China)
IPC (8): H04L12/26, H04L29/06, H04L1/00, G06F17/30
Inventor 孙海波王磊骆拥政李博叶润国
Owner BEIJING VENUS INFORMATION TECH