Suspected network threat information screener and screening and processing method

A technology for screening suspected threat information, applied in the fields of secure communication devices, digital transmission systems, electrical components, etc. It addresses slow protocol analysis and processing, low system performance and missed data packets, with the effects of improved detection efficiency, strong processing capability and savings in hardware resources.

Inactive Publication Date: 2009-12-09
UNIV OF ELECTRONICS SCI & TECH OF CHINA

AI Technical Summary

Problems solved by technology

Although the above-mentioned IDS systems based on hardware equipment can execute relatively high-complexity programs (processing methods), these high-performance gigabit-level IDS devices are often complex in structure and expensive, and are difficult to promote and popularize among the large number of small and medium-sized users.
In addition, in view of the defects of the above-mentioned hardware-based IDS systems, there are currently methods that implement intrusion detection purely in software on platforms such as personal computers, for example the open-source SNORT IDS. Although these software IDS systems have low operating costs and strong intrusion detection capability, the rate of the software packet grabber in this type of IDS is generally tens of megabits per second. If such a system is applied to a gigabit network, first, it will miss a large number of data packets while running; second, pattern matching implemented in software makes protocol analysis extremely slow. Together these lead to fatal defects such as low performance of the entire system.



Embodiment Construction

[0025] This embodiment takes 10 sets of network switching equipment (C1-10) and the corresponding intrusion detection system A as an example:

[0026] The filter B in the present embodiment uses the STRATIX III EP3SL150F FPGA (Field Programmable Gate Array) device produced by ALTERA Company as the filter body, with resources configured as follows: data aggregation module 1 is allocated 1500 logic units and 0.5 megabit of RAM; packet header and payload separation module 2 is allocated 600 logic units; network layer suspected threat data packet screening module 3 is allocated 1500 logic units; transmission layer suspected threat data packet screening module 4 is allocated 1500 logic units; processing output module 5 is allocated 150 logic units; in preprocessing module 6, IP reassembly unit 6.1 is allocated 2000 logic units and 5 Mbit of RAM, and TCP session reassembly unit 6.2 is allocated 20...


Abstract

The invention relates to a screener and a screening method, in the technical field of network security, for screening information about to enter a detection system. The screener is a functional-module architecture built from FPGA logic resources and includes data aggregation, packet header and payload separation, screening of suspected threat data packets at the network layer and the transmission layer, output processing, preprocessing, screening of suspected threat data packets at the application layer, and software and hardware interfaces. The screening method includes aggregation processing, separation processing, screening of suspected threat data packets at the network layer and the transmission layer, output processing, data packet preprocessing and screening of suspected threat data packets at the application layer, and finally sends the data packets containing suspected threat information to an intrusion detection system. The screener has the advantages of compact design and strong processing capability, and the load on the intrusion detection system can be greatly reduced when the screener is paired with it. The invention increases the detection efficiency and utilization ratio of the detection system, expands the range of detection, reduces the running cost, guarantees the safe running of the network, etc.
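A software model of the staged screening flow the abstract describes, added here as an illustration and not taken from the patent: header/payload separation, then network-layer, transmission-layer and application-layer checks, with only flagged packets forwarded to the IDS. The page does not state the screening rules, so every rule, the `SIGNATURES` list and all function names are assumptions, and the IP/TCP reassembly preprocessing step is left out.

```python
import struct

# Assumed application-layer byte patterns (constructed; the page lists none).
SIGNATURES = (b"/etc/passwd", b"<script>")

def separate(pkt):
    """Header/payload separation for IPv4 (+TCP); returns None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        return None
    ip = {"proto": pkt[9], "src": pkt[12:16], "dst": pkt[16:20]}
    seg = pkt[ihl:total]
    if ip["proto"] != 6:               # not TCP: no transport header parsed
        return ip, None, seg
    if len(seg) < 20:
        return None
    doff = (seg[12] >> 4) * 4          # TCP data offset in bytes
    if doff < 20 or doff > len(seg):
        return None
    return ip, {"flags": seg[13]}, seg[doff:]

def screen(pkt):
    """Return the stage that flagged the packet, or None for normal traffic."""
    parts = separate(pkt)
    if parts is None:
        return "network"               # malformed header (assumed rule)
    ip, tcp, payload = parts
    if ip["src"] == ip["dst"]:
        return "network"               # source equals destination (assumed rule)
    if tcp and ((tcp["flags"] & 0x03) == 0x03 or tcp["flags"] == 0):
        return "transport"             # SYN+FIN or no flags at all (assumed rule)
    if any(sig in payload for sig in SIGNATURES):
        return "application"
    return None

def make_packet(src, dst, flags, payload=b""):
    """Build a constructed IPv4+TCP sample packet (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp + payload

def forward_to_ids(packets):
    """Only flagged packets go on to the IDS; normal traffic is screened out."""
    return [(i, s) for i, p in enumerate(packets) if (s := screen(p))]
```

Each stage returns as soon as it flags a packet, so payload matching, the most expensive step, only runs on traffic the header checks let through.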

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular concerns a filter and a screening and processing method for suspected threat information present in the network. Used together with an intrusion detection system (IDS), it first screens the information flow intended to enter the detection system, screens out the normal information flow, and sends only the data packets containing suspected threat information to the IDS for further processing.

Background technique

[0002] With the development of the Internet, people pay more and more attention to network security. The intrusion detection system (IDS), a new network security technology, is considered to be the second security door behind the firewall. An IDS collects information from key points in the computer network and detects the information (such as: protocol analysis, feature detection, anomaly detect...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L9/36
Inventor: 郑宇, 赵文豪, 周亮, 郭志勇, 李广军, 潘经纬, 杨一波, 钱宇平
Owner: UNIV OF ELECTRONICS SCI & TECH OF CHINA