Network intrusion cooperative detection method based on security cloud

A network intrusion and collaborative detection technology, applied in electrical components, transmission systems, etc., can solve problems such as lack of big data storage and in-depth analysis capabilities, communication delays, communication forwarding performance bottlenecks, etc.

Active Publication Date: 2016-11-16
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

Since the life cycle of some phishing websites is only a few hours, the current upgrade method basically cannot guarantee that the feature rule library takes effect within the life cycle of the phishing website.
[0010] 2. There are many false positives and false negatives. NIDS is mainly based on misuse detection technology, which requires collecting the behavior characteristics of abnormal network traffic or attacks in advance and establishing the corresponding intrusion feature rule base. When the characteristics match, the system considers the behavior an intrusion.
However, because the definition of feature rules is often not accurate or comprehensive enough, and there is no analysis and judgment mechanism for suspected events, many false positives and false negatives result.
[0011] 3. The management node has performance bottlenecks and is a single point of failure, so large-scale deployment cannot be achieved.
NIDS under the centralized management mode often runs into the following problems: as enterprises keep growing, NIDS deployment has developed from a single point to global deployment across regions, and the product architecture is required to support hundreds or thousands of IDS detection nodes and management nodes; it must also be able to handle the alarm events generated by all detection nodes; in addition, the establishment, configuration and upgrade of the feature rule base must be solved.
However, management nodes are generally deployed on a single piece of hardware. Because hardware resources are limited, they basically cannot store big data or analyze it in depth, let alone display the overall security situation, and they even have performance bottlenecks in communication forwarding, so it is difficult to meet users' needs for large-scale deployment. A single point of failure also remains: once the upper management node has a hardware or software failure, the normal operation of the entire system is affected.
[0012] 4. Cross-regional access is slow and unstable.
If the management node and the detection node are in different regions or in different operator networks, access from the detection node to the management node suffers communication delay and instability because it crosses networks and regions.



Embodiment Construction

[0030] To further explain the technical means adopted by the present invention to achieve its intended purpose, and their effects, the specific implementation, features and efficacy of the security cloud-based network intrusion collaborative detection method proposed according to the present invention are described in detail below with reference to preferred embodiments.

[0031] The security cloud-based network intrusion collaborative detection method of the present invention includes the following steps:

[0032] S1: NIDS initiates an authorization application to the security cloud, and the authorization subsystem of the security cloud completes authorization management.

[0033] Here, NIDS refers to the top-level node of the NIDS deployment in different regions; the top-level node is either a management node or a detection node.

[0034] The role of authorization is:

[0035] a) Only authorized devices can actively access the secure cloud for dynamic registration, reducing n...


Abstract

The invention discloses a network intrusion cooperative detection method based on a security cloud. The method comprises the following steps: S1, an NIDS initiates an authorization application to the security cloud; S2, the authorized NIDS is dynamically registered, and the dynamically registered NIDS obtains a unique identifier ID from the security cloud; S3, to meet the adversarial requirements of intrusion detection, the NIDS obtains a feature rule library from the security cloud in real time; and S4, the NIDS performs comprehensive detection using network security detection technology: the NIDS detects all generated network security threat events and uploads them to the security cloud as required; the events are stored, analyzed, filtered and judged on the security cloud side; and the security cloud then returns the security threat events to the NIDS in a targeted manner.
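The S1 to S4 exchange in the abstract, modelled as an added example that is not code from the patent or its authors. The class and method names, the one-time token, the ID format and the sample rule are assumptions, and the "judging" step is shown as a simple corroboration quorum across sensors because the page does not say how judgement is made.

```python
import secrets
from collections import defaultdict

class SecurityCloud:
    """Cloud side of S1-S4. Method names and the quorum rule are assumptions."""
    def __init__(self, authorized_serials, quorum=2):
        self.authorized = set(authorized_serials)  # devices allowed to apply (S1)
        self.tokens, self.sensors = {}, {}         # token -> serial, sensor ID -> serial
        self.rules = {"version": 1, "signatures": {"phish.example"}}  # constructed
        self.events = []                           # stored uploads
        self.sightings = defaultdict(set)          # indicator -> reporting sensor IDs
        self.quorum = quorum                       # assumed corroboration threshold

    def authorize(self, serial):                   # S1: authorization application
        if serial not in self.authorized:
            raise PermissionError(f"{serial} is not authorized")
        token = secrets.token_hex(16)
        self.tokens[token] = serial
        return token

    def register(self, token):                     # S2: dynamic registration
        if token not in self.tokens:
            raise PermissionError("unknown or already used token")
        sensor_id = f"nids-{len(self.sensors) + 1:04d}"
        self.sensors[sensor_id] = self.tokens.pop(token)
        return sensor_id

    def fetch_rules(self, sensor_id, have_version):  # S3: pull rules when newer
        self._require(sensor_id)
        return self.rules if self.rules["version"] > have_version else None

    def upload(self, sensor_id, indicator):        # S4: store, analyze, judge, return
        self._require(sensor_id)
        self.events.append((sensor_id, indicator))
        self.sightings[indicator].add(sensor_id)
        confirmed = len(self.sightings[indicator]) >= self.quorum
        verdict = "confirmed" if confirmed else "suspected"
        return {"to": sensor_id, "indicator": indicator, "verdict": verdict}

    def _require(self, sensor_id):
        if sensor_id not in self.sensors:
            raise PermissionError("sensor is not registered")

def run_demo():
    cloud = SecurityCloud(authorized_serials={"SN-A", "SN-B"})
    a = cloud.register(cloud.authorize("SN-A"))
    b = cloud.register(cloud.authorize("SN-B"))
    rules = cloud.fetch_rules(a, have_version=0)
    first = cloud.upload(a, "phish.example")
    second = cloud.upload(b, "phish.example")
    return a, b, rules["version"], first["verdict"], second["verdict"]
```

A single sensor's report stays "suspected" until a second registered sensor reports the same indicator, which is one way a cloud-side judgement step can cut the false positives the background section attributes to single-point detection.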

Description

Technical field

[0001] The invention relates to a network intrusion detection method, in particular to a network intrusion collaborative detection method based on a security cloud.

Background technique

[0002] The Network-based Intrusion Detection System (NIDS) is a useful supplement to the firewall and is considered the second security gate after the firewall. NIDS monitors network traffic in bypass mode and, without affecting network performance, provides real-time monitoring of internal attacks, external attacks and misoperations, thereby improving the security of the network.

[0003] The existing NIDS is generally composed of a detection unit and a management unit, which we call detection nodes and management nodes respectively. The working mode of NIDS can be summarized as: single-point detection and multi-level management.

[0004] Single point detection: The detection node is generally a single software and hardware system. The bypass i...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1433, H04L63/145, H04L63/1483, H04L2463/144
Inventor 张腾李佳李志辉张帅高胜张洪刘丙双严寒冰丁丽何世平赵慧姚力朱芸茜郭晶朱天胡俊王小群陈阳何能强李挺李世淙王适文刘婧饶毓贾子骁肖崇蕙吕志泉韩志辉
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT