Service identification method and system

A service identification and server-type recognition technology, applied in transmission systems, digital transmission systems, electrical components, etc. It addresses the problem of excessive false alarms in intrusion detection, reducing the false-alarm rate and resolving the associated false-alarm and performance problems.

Inactive Publication Date: 2009-06-10
BEIJING VENUS INFORMATION TECH


Problems solved by technology

However, many existing attacks are carried out against specific server types. For example, some overflow attacks succeed when the http server is apache but cannot be completed against other types of http server. If intrusion detection or blocking is performed with the same detection rules without distinguishing the server type, the result is a large number of false positives.



Examples


Embodiment 1

[0022] This embodiment is the basic mode of a service identification method and system for intrusion detection; its basic structure is shown in figure 1. The system comprises a protocol parser, a service identifier, an attack signature library, an actual detection rule library and an intrusion detector, and its workflow is shown in figure 2:

[0023] A service identification method for intrusion detection, comprising the following steps:

[0024] ① Protocol identification. Protocol identification performs hierarchical analysis of datagrams: based on the actually captured datagrams, it uses port characteristics, static protocol message characteristics and behaviour characteristics to identify the protocol actually in use, and outputs the analysis result as the basis for the service identification step.

[0025] ② Service identification. The service identification step depends on the output of the protocol identification step to identify the type of the actual pro...

Embodiment 2

[0029] This embodiment is a preferred solution for the protocol identification step of Embodiment 1:

[0030] ① Using the hierarchical packet protocol analysis method, obtain the packets captured by the packet-capture function, then perform protocol analysis and protocol restoration as the protocol tree establishment sub-step;

[0031] ② Take the unstructured data stream at the lowest level as the root node, let protocols sharing the same parent node become sibling nodes, and use protocol signatures to identify each protocol as the protocol analysis sub-step.

[0032] The basic idea of this embodiment is: protocol identification includes a protocol tree module and a protocol analysis module. Because of the 7-layer OSI protocol model, protocol data is encapsulated and sent from the top down, so protocol analysis must proceed from the bottom up. First, after the network-layer protocol is identified, the packet is restored, and then the pro...
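As an added illustration of the bottom-up protocol tree described in this embodiment (example code written for this page, not the patent's or Beijing Venus's implementation): a constructed Ethernet/IPv4/TCP frame carrying the start of an HTTP response is parsed from the raw byte stream upward, one node per layer, and the application protocol at the leaf is identified from static message signatures with well-known ports as a fallback. The header field offsets follow the public Ethernet, IPv4 and TCP formats; the signature table, the sample frame and all addresses in it are constructed for the example.

```python
import struct

# Constructed sample frame: Ethernet -> IPv4 -> TCP (source port 80) carrying
# the start of an HTTP response. Addresses and checksums are placeholders.
def build_sample_frame() -> bytes:
    payload = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5 words (no options), flags PSH|ACK,
    # window, checksum (0, constructed), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+fragment, TTL,
    # protocol 6 (TCP), checksum (0, constructed), source and destination address
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    ethernet = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800))
    return ethernet + ipv4 + tcp + payload


# Static message signatures and well-known ports per application protocol
# (assumed table for the example; a real engine carries many more entries).
APP_SIGNATURES = {
    "http": ({80, 8080}, (b"HTTP/", b"GET ", b"POST ", b"HEAD ")),
    "ssh":  ({22}, (b"SSH-",)),
    "smtp": ({25}, (b"220 ", b"EHLO ", b"HELO ")),
}


def parse_ethernet(data: bytes):
    if len(data) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    return {"name": "ethernet", "ethertype": ethertype}, data[14:]


def parse_ipv4(data: bytes):
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4            # header length in bytes
    total_len = struct.unpack("!H", data[2:4])[0]
    return {"name": "ipv4", "protocol": data[9]}, data[ihl:total_len]


def parse_tcp(data: bytes):
    if len(data) < 20:
        raise ValueError("segment too short for a TCP header")
    src_port, dst_port = struct.unpack("!HH", data[:4])
    offset = (data[12] >> 4) * 4          # data offset in bytes, skips options
    return {"name": "tcp", "src_port": src_port, "dst_port": dst_port}, data[offset:]


def identify_application(tcp_node: dict, payload: bytes) -> str:
    """Static message signature first (port characteristics alone are unreliable),
    then fall back to the port only when the segment carries no payload to inspect."""
    for name, (_ports, prefixes) in APP_SIGNATURES.items():
        if payload.startswith(prefixes):
            return name
    if not payload:
        for name, (ports, _prefixes) in APP_SIGNATURES.items():
            if tcp_node["src_port"] in ports or tcp_node["dst_port"] in ports:
                return name
    return "unknown"


def build_protocol_tree(frame: bytes):
    """Walk the layers bottom-up: the root is the unstructured byte stream, each
    decoded header becomes the next node, the leaf is the application protocol."""
    tree = [{"name": "raw", "length": len(frame)}]
    eth, rest = parse_ethernet(frame)
    tree.append(eth)
    if eth["ethertype"] != 0x0800:        # only IPv4 is decoded in this example
        return tree, rest
    ip, rest = parse_ipv4(rest)
    tree.append(ip)
    if ip["protocol"] != 6:               # only TCP is decoded in this example
        return tree, rest
    tcp, payload = parse_tcp(rest)
    tree.append(tcp)
    tree.append({"name": identify_application(tcp, payload), "payload_len": len(payload)})
    return tree, payload


def tree_names(frame: bytes) -> list:
    return [node["name"] for node in build_protocol_tree(frame)[0]]


if __name__ == "__main__":
    tree, payload = build_protocol_tree(build_sample_frame())
    for node in tree:
        print(node)
    print(payload[:20])
```

The tree returned for the sample frame is raw, ethernet, ipv4, tcp, http; the restored payload handed to the next step is the HTTP response itself. Matching the static signature before consulting the port is what keeps a service on a non-standard port, or unrelated traffic on port 80, from being mislabelled.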

Embodiment 3

[0034] This embodiment is a preferred solution for the service identification step of Embodiment 1:

[0035] ① From the captured packet returned by the server, first determine the protocol type in the protocol identification step, then perform keyword matching to obtain the server type;

[0036] ② The service identification module negotiates the server type with the intrusion detection engine and maps it to a numeric id recognized by both parties throughout the process, which facilitates the exchange of data and commands.

[0037] The basic idea of this embodiment is: first, perform the keyword matching appropriate to the specific protocol to obtain the server type, then add the attack patterns that target this type of server to the actual detection rule base. For example, for the http protocol the main package for service extraction is the server's response package, and the matching feature key "server:" is located in the data message and read up to the first line feed and...
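The http case of this embodiment as an added worked example: read the "server:" header of the response up to the first line feed, map the server type to a numeric id shared with the detection engine, and load only the attack signatures that target that server. This is example code written for this page, not the patent's implementation; the keyword table, the ids, the attack-signature entries and the HTTP responses are all constructed for the example.

```python
# Keyword -> server type, matched case-insensitively against the Server header value.
# Constructed table; a real engine would carry many more server products.
SERVER_KEYWORDS = [
    ("apache", "apache"),
    ("nginx", "nginx"),
    ("microsoft-iis", "iis"),
    ("lighttpd", "lighttpd"),
]

# Numeric ids "recognized by both parties": the service identifier and the
# detection engine exchange these instead of free-text server names (constructed values).
SERVICE_IDS = {"unknown": 0, "apache": 1, "nginx": 2, "iis": 3, "lighttpd": 4}

# Attack signature library: each rule names the server type it is meaningful for,
# or "any" for rules that do not depend on the server implementation (constructed).
ATTACK_SIGNATURES = [
    {"sid": 1001, "target": "apache", "desc": "constructed Apache-specific rule"},
    {"sid": 1002, "target": "iis", "desc": "constructed IIS-specific rule"},
    {"sid": 1003, "target": "any", "desc": "constructed server-independent rule"},
    {"sid": 1004, "target": "nginx", "desc": "constructed nginx-specific rule"},
]


def extract_server_header(response: bytes) -> str:
    """Return the Server header value up to the first line feed, '' when absent.
    Only the header block is scanned, never the body, and the header name is
    compared case-insensitively because HTTP header names are."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\n")[1:]:          # skip the status line
        if line[:7].lower() == b"server:":
            return line[7:].strip().decode("ascii", "replace")
    return ""


def identify_server_type(response: bytes) -> str:
    value = extract_server_header(response).lower()
    for keyword, server_type in SERVER_KEYWORDS:
        if keyword in value:
            return server_type
    return "unknown"


def build_detection_rules(server_type: str) -> list:
    """Actual detection rule base for one connection: the rules specific to the
    identified server type plus the server-independent ones. When the type is
    unknown (header absent, masked or unrecognised) fall back to the full library,
    so the rule set is only ever narrowed on a positive identification."""
    if server_type == "unknown":
        return [rule["sid"] for rule in ATTACK_SIGNATURES]
    return [rule["sid"] for rule in ATTACK_SIGNATURES
            if rule["target"] in (server_type, "any")]


def rules_for_response(response: bytes):
    """Service identification step: returns (service id, sids to load)."""
    server_type = identify_server_type(response)
    return SERVICE_IDS[server_type], build_detection_rules(server_type)


# Constructed server response packages, as handed over by the protocol identification step.
APACHE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 01 Jan 2009 00:00:00 GMT\r\n"
                   b"Server: Apache/2.2.3 (CentOS)\r\n"
                   b"Content-Type: text/html\r\n\r\n"
                   b"<html>server: text in the body is not a header</html>")
IIS_RESPONSE = b"HTTP/1.1 404 Not Found\r\nSERVER: Microsoft-IIS/6.0\r\n\r\n"
MASKED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for resp in (APACHE_RESPONSE, IIS_RESPONSE, MASKED_RESPONSE):
        print(extract_server_header(resp) or "<no Server header>", rules_for_response(resp))
```

The Server header is under the operator's control and may be suppressed or altered, so a missing or unrecognised value has to widen the rule set rather than shrink it; otherwise the false-alarm reduction would come at the cost of missed detections. The behaviour characteristics gathered in the protocol identification step can supplement the keyword match where the header alone is inconclusive.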


Abstract

The invention relates to a method and a system for recognizing services. The system comprises a protocol analyzer, a service recognizer, an attack feature base, an actual detection rule base and so on. The method comprises the steps of protocol recognition, service recognition, generation of the actual detection rule base, and deep detection. The method and the system have the advantages of high detection speed, high accuracy and so on when realizing service recognition simultaneously.

Description

Technical field

[0001] The invention relates to a service identification method and system for intrusion detection, which can be used in intrusion detection and defense (IDS / IPS) and audit products, and belongs to the field of network technology.

Background technique

[0002] As an important means of network security protection, an intrusion detection / protection system (Intrusion Detection / Protection System, IDS / IPS) is usually deployed at the entrance to a key internal network or at the network boundary; it captures the packet data flow within, or entering and leaving, the network in real time, performs intelligent comprehensive analysis, discovers possible intrusion behaviour and blocks it in real time.

[0003] Current intrusion detection products and technologies apply the intrusion detection rules of a pre-set event library directly to the results of protocol analysis, and do not identify the service type before detection. However, many exist...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L9/00, H04L29/06
Inventor 孙海波, 王磊, 骆拥政, 李博
Owner BEIJING VENUS INFORMATION TECH