Intrusion detection system and method adopting unified detection framework

Abstract

The invention relates to an intrusion detection method and system adopting a unified detection framework. The method comprises the following steps: mount points are embedded in a selected message handling unit and configured for each detecting unit; the required message characteristic information is obtained before the message handling process of each mount point; all the active detecting units are registered to the corresponding mount points; when the message passes through one mount point with the detecting unit, the detecting unit on the mount point performs intrusion detection to the message; and after the detection, for one mount point which is not the last level of mount point, the message enters the message handling unit after the mount point or the mount point for continuous handling. The system of the invention comprises a plurality of message handling units, a plurality of detecting units, a configuration unit, an initialization unit and a detection control unit on each protocol layer. The method and system can fast add or delete the detecting unit without changing the software architecture, thus saving time and system resources.

Description

technical field [0001] The invention relates to an intrusion detection system (Intrusion Detection System, IDS for short) system and an intrusion detection method. Background technique [0002] The IDS system is composed of hardware and software. It is used to detect systems or networks to find possible intrusions or attacks. At present, mainstream commercial IDS systems use feature detection as the core, which is to combine the collected information with known network information. Intrusion and system misuse pattern databases are compared to discover behaviors that violate security policies, and the timely update of signature databases becomes the key to system detection capabilities. [0003] Such as figure 1 As shown, the traditional IDS processing flow is to first capture network packets, and then pre-process the captured packets, including fragment processing, flow reassembly and protocol identification, and then send the data to the attack signature detection unit for...

AI Technical Summary

Problems solved by technology

[0004] With the diversification of intrusion methods, some attacks such as slow scanning, SQL injection, XSS and other attack methods can no longer be described by simple features. When new attack methods appear, the IDS system needs to make more modifications to the software to add new detection methods. When some detection methods are no longer needed due to some reasons, more modifications are required before deletion.

Images