Data obtaining method of intrusion detection

A data acquisition technique for intrusion detection, applied in the fields of data exchange networks, digital transmission systems, electrical components, etc. It addresses false alarms in intrusion detection systems, abnormal processing of traffic by intrusion detection, and the intrusion detection system attributing an attack to the wrong host, thereby reducing false positives.

Inactive Publication Date: 2012-03-28
INVENTEC CORP


Problems solved by technology

[0004] (1) Traffic already filtered by the firewall still appears in intrusion detection processing: in Figure 2, the packet acquisition point on the left is located before the firewall's filtering operation, so it also obtains the packets that the firewall drops. These packets are meaningless to the intrusion detection system, but they cause false positives in the intrusion detection system.

[0005] (2) Intrusion detection cannot be carried out normally for traffic when the network address translation (NAT) function is enabled: a firewall with NAT enabled must change the source IP and source port, or the destination IP and destination port. In Figure 2, these operations are completed by the "Destination Network Address Translation before Routing (PRE_ROUTING DNAT)" module and the "Source Network Address Translation after Routing (POST_ROUTING SNAT)" module, while the IP and port information of the packet obtained by the prior art is the information before the NAT operation, so the intrusion detection system locates the wrong attacking host or the wrong attacked host.

[0006] (3) Encrypted Internet Protocol Security (IPsec) packets cannot be restored to plaintext for detection: IPsec-encrypted packets are parsed inside the protocol stack, whereas the packet acquisition point of the prior art is located outside the protocol stack, so what it obtains is an undecrypted packet, and the intrusion detection system cannot process ciphertext packets.



Embodiment Construction

[0027] The technical solutions of the present invention will be further described in more detail in conjunction with the accompanying drawings and specific embodiments.

[0028] Please refer to Figure 3 and Figure 4. Figure 3 is a system functional block diagram of data acquisition by the intrusion detection system of the present invention, and Figure 4 is a block diagram of the data flow obtained by the intrusion detection system 100 of the present invention. As shown in Figure 4, the three main functional modules of the firewall 200 consist of three function points: pre-routing destination network address translation (PRE_ROUTING DNAT) 400, forward chain filtering with intrusion detection data acquisition (FORWARD) 420, and post-routing source network address translation (POST_ROUTING SNAT) 440. The data acquisition point of the present invention is located in the "forward (FORWARD) chain filtering", that is, the forward chain filtering intrusion detection data acquisit...
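As an added illustration (not code from the patent, and a simplified model rather than real netfilter), the following Python simulation represents the three firewall stages named in paragraphs [0004]-[0006] and [0028] as plain functions and compares what a toy IDS reports when its capture point sits before the firewall (the prior art, outside the protocol stack), in the FORWARD chain after filtering (the position described here), or after POST_ROUTING SNAT. Every address, NAT rule, drop policy and the "attack-signature" content match is constructed; appending to a list stands in for the socket or character-device hand-off the abstract mentions, and the `encrypted` flag stands in for an IPsec-protected payload that only the stack can decrypt.

```python
# Added simulation, not the patent's code: models PRE_ROUTING DNAT, FORWARD
# filtering and POST_ROUTING SNAT as functions and shows what an IDS sees
# from each capture point. All addresses, rules and payloads are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str
    encrypted: bool = False   # stands in for an IPsec-protected payload


# Constructed firewall configuration (assumption: a small NAT gateway).
PUBLIC_IP = "203.0.113.10"
DNAT_RULES: Dict[Tuple[str, int], Tuple[str, int]] = {
    (PUBLIC_IP, 80): ("10.0.0.5", 8080),   # publish an internal web server
}
DROP_DST_PORTS = {23}                       # policy: telnet is never forwarded
SIGNATURE = "attack-signature"              # constructed IDS content match


def ipsec_decrypt(pkt: Packet) -> Packet:
    """Inside the protocol stack the IPsec payload becomes plaintext before
    forwarding; a capture point outside the stack only ever sees ciphertext."""
    return replace(pkt, encrypted=False) if pkt.encrypted else pkt


def pre_routing_dnat(pkt: Packet) -> Packet:
    """PRE_ROUTING DNAT: rewrite the public destination to the internal host."""
    target = DNAT_RULES.get((pkt.dst_ip, pkt.dst_port))
    return replace(pkt, dst_ip=target[0], dst_port=target[1]) if target else pkt


def forward_filter(pkt: Packet) -> Optional[Packet]:
    """FORWARD chain filtering: None means the firewall dropped the packet."""
    return None if pkt.dst_port in DROP_DST_PORTS else pkt


def post_routing_snat(pkt: Packet) -> Packet:
    """POST_ROUTING SNAT: hide internal sources behind the public address."""
    return replace(pkt, src_ip=PUBLIC_IP) if pkt.src_ip.startswith("10.") else pkt


def capture(packets: List[Packet], point: str) -> List[Packet]:
    """Run packets through the simulated firewall and record what an IDS
    attached at `point` receives: 'before_firewall' (prior art),
    'forward_chain' (the patent's position) or 'after_snat'."""
    seen: List[Packet] = []
    for pkt in packets:
        if point == "before_firewall":
            seen.append(pkt)                 # raw: pre-NAT, possibly ciphertext
        pkt = pre_routing_dnat(ipsec_decrypt(pkt))
        pkt = forward_filter(pkt)
        if pkt is None:
            continue                         # dropped: never reaches FORWARD acquisition
        if point == "forward_chain":
            seen.append(pkt)                 # post-DNAT, post-filter, plaintext
        pkt = post_routing_snat(pkt)
        if point == "after_snat":
            seen.append(pkt)                 # internal source already rewritten
    return seen


def ids_alerts(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Toy NIDS: report (attacker, victim) as 'ip:port' strings for every
    readable packet whose payload carries the signature."""
    alerts: List[Tuple[str, str]] = []
    for p in packets:
        if p.encrypted:
            continue                         # ciphertext cannot be inspected
        if SIGNATURE in p.payload:
            alerts.append((f"{p.src_ip}:{p.src_port}", f"{p.dst_ip}:{p.dst_port}"))
    return alerts


# Constructed traffic sample.
SAMPLE = [
    Packet("198.51.100.7", 4444, PUBLIC_IP, 80, "GET /?q=attack-signature"),  # hits published server
    Packet("198.51.100.7", 5555, PUBLIC_IP, 23, "attack-signature"),          # firewall drops this
    Packet("198.51.100.9", 6000, "10.0.0.5", 22, "attack-signature", True),   # IPsec peer, encrypted
    Packet("10.0.0.7", 3333, "198.51.100.50", 80, "attack-signature"),        # compromised internal host
    Packet("198.51.100.8", 7000, PUBLIC_IP, 80, "GET /index.html"),           # benign
]


def compare() -> Dict[str, List[Tuple[str, str]]]:
    """Alerts produced from each capture point over the same sample."""
    points = ("before_firewall", "forward_chain", "after_snat")
    return {pt: ids_alerts(capture(SAMPLE, pt)) for pt in points}


if __name__ == "__main__":
    for point, alerts in compare().items():
        print(point, alerts)
```

Running `compare()` shows the three problems and the fix side by side: the pre-firewall capture alerts on the telnet packet the firewall discarded (a false positive), names the public address `203.0.113.10:80` instead of the real victim `10.0.0.5:8080`, and misses the IPsec-carried attack entirely; the post-SNAT capture attributes the internal host's outbound attack to the gateway's public address; the FORWARD-chain capture sees only forwarded, post-DNAT, plaintext packets with the correct internal addresses on both sides.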


Abstract

The invention discloses a data obtaining method for intrusion detection, which obtains data after forwarding chain filtering on a firewall; the modes for obtaining the data comprise a socket communication mode and a character device mode. The data obtaining method of the invention obtains data that has already passed the firewall's filtering, so false reports are reduced. In addition, data after network address translation (NAT) can be obtained, so the attacking party and the attacked party can be correctly located. A decrypted Internet Protocol Security (IPsec) packet can also be obtained, so IPsec data flows can be processed normally.

Description

Technical field

[0001] The invention relates to a data processing method for network security, and in particular to a data acquisition method for intrusion detection.

Background technique

[0002] Intrusion detection is the discovery of intrusion behavior. It collects and analyzes information from several key points in a computer network or computer system and discovers whether there are signs of security policy violations or attacks in the network or system. An intrusion detection system (IDS) is a combination of software and hardware for intrusion detection. In general, intrusion detection systems are divided into host-based and network-based systems. Host-based intrusion detection systems often use system logs, application logs, etc. as data sources; the data source of a network intrusion detection system (NIDS) is the packets on the network.

[0003] Please refer to Figure 1 and Figure 2. Figure 1 is a system functional block diagram of data ac...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L12/26, H04L12/56, H04L29/06
Inventors: 李岩, 刘桂东, 陈玄同
Owner: INVENTEC CORP