A Filtering Method for Real-time Intrusion Detection System

An intrusion detection system filtering technology, applied in transmission systems, electrical components, etc., that addresses problems such as the difficulty of ensuring real-time detection and accuracy at the same time, the inability to intercept accurately, and the inability to quickly detect accessing users.

Active Publication Date: 2021-10-26
NANJING UNIV

AI Technical Summary

Problems solved by technology

[0002] In recent years, with the rapid development and application of the Internet, network attacks and fraud have also increased, which greatly raises the risk of intrusion into existing network service systems, especially in high-speed network environments. Some real-time processing systems must decide quickly whether an accessing user has malicious intent, and as a result they usually cannot intercept such users accurately.
For example, the peak traffic of Distributed Denial of Service (DDoS) network attacks is surpassed every year. In this type of attack, the attacker disguises a large number of high-frequency malicious requests as normal requests and sends them to the victim machine. The excessive service load causes the victim's server to crash.
In 2016, five Russian banks were hit by a distributed denial-of-service attack, which directly caused the service to go offline; Dyn DNS, a dynamic DNS resolution service provider in the United States, was once attacked, causing half of the Internet services in the United States to be paralyzed.
In a high-speed network environment, the data to be analyzed is very large, and existing intrusion detection research has difficulty ensuring both real-time operation and detection accuracy, so it is impossible to quickly check each accessing user while reducing system risk and power consumption.
Existing work therefore cannot meet the goals set out in the present invention.

Embodiment Construction

[0048] The present invention is now described in further detail in conjunction with the accompanying drawings.

[0049] It should be noted that terms such as "upper", "lower", "left", "right", "front", and "rear" used in the invention are only for clarity of description and do not limit the practicable scope of the present invention. Changes or adjustments in their relative relationships, without substantial changes in the technical content, shall also be regarded as within the practicable scope of the present invention.

[0050] The present invention provides a filtering method for a real-time intrusion detection system, and the filtering method comprises the following steps:

[0051] S1, construction of whitelist and blacklist: collect the lists of users that are allowed to enter the system and of users that are prohibited from entering the system for the detection system in question, and define them as whitelist users and blacklist users respectively.

[0052] S2, risk loss...


Abstract

The invention discloses a filtering method for a real-time intrusion detection system, including: whitelist and blacklist construction; risk loss assessment; and filter construction and deployment. Whitelist users are assigned an initial hash function set for insertion into a Bloom filter. Taking the blacklist users and their corresponding degree of harm into account, the hash function sets of whitelist users are adaptively adjusted so that blacklist users with a high degree of harm have a higher probability of being blocked. The adjusted hash function sets are stored in a preset hash expressor. Each whitelist user is inserted into the Bloom filter using its hash function set, which, combined with the hash expressor, yields a hash adaptive Bloom filter; the hash adaptive Bloom filter is then deployed to the detection system. The invention offers high space efficiency and fast detection, can effectively reduce system losses caused by blacklisted users, provides an effective theoretical performance guarantee, and can be applied to applications involving real-time intrusion detection.
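The construction summarized in the abstract can be sketched as follows. This is an added example, not code from the patent: the greedy swap search, the use of a plain dict as the hash expressor, the BLAKE2b-based hash pool, and all names, sizes and sample data are assumptions made for illustration.

```python
import hashlib

POOL, K, M = 8, 3, 64        # pool size, functions per user, filter bits (assumed)
DEFAULT = tuple(range(K))    # initial hash function set given to every user

def h(i, key):
    """i-th hash function of the pool, mapped to a bit position."""
    d = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([i])).digest()
    return int.from_bytes(d, "big") % M

def positions(key, fset):
    return {h(i, key) for i in fset}

def build_bits(whitelist, expressor):
    """Insert each whitelist user with its own (possibly adjusted) set."""
    return set().union(*(positions(u, expressor.get(u, DEFAULT)) for u in whitelist))

def allowed(key, bits, expressor):
    """Query: fetch the key's function set from the expressor, test its bits."""
    return positions(key, expressor.get(key, DEFAULT)) <= bits

def loss(whitelist, harm, expressor):
    """Total harm of blacklist users the filter would wrongly admit."""
    bits = build_bits(whitelist, expressor)
    return sum(c for b, c in harm.items() if allowed(b, bits, expressor))

def candidates(whitelist, harm, expressor):
    """Single-function swaps moving a whitelist bit off an admitted blacklist user."""
    bits = build_bits(whitelist, expressor)
    for b in sorted(harm, key=harm.get, reverse=True):   # most harmful first
        if allowed(b, bits, expressor):
            for u in whitelist:
                cur = expressor.get(u, DEFAULT)
                for old in [i for i in cur if h(i, u) in positions(b, DEFAULT)]:
                    for new in sorted(set(range(POOL)) - set(cur)):
                        yield {**expressor, u: tuple(new if i == old else i for i in cur)}

def adapt(whitelist, harm):
    """Greedy search: keep a swap only if the weighted loss strictly drops."""
    expressor, best, improved = {}, loss(whitelist, harm, {}), True
    while improved:
        improved = False
        for trial in candidates(whitelist, harm, expressor):
            if (cost := loss(whitelist, harm, trial)) < best:
                expressor, best, improved = trial, cost, True
                break
    return expressor, best

# Constructed sample data: 20 allowed users, 30 blocked users with harm scores.
WHITELIST = [f"user{i}" for i in range(20)]
HARM = {f"bot{i}": 1 + 10 * (i % 5) for i in range(30)}
```

Comparing `loss(WHITELIST, HARM, {})` with the second value returned by `adapt(WHITELIST, HARM)` shows the harm-weighted false-positive loss before and after adjustment; whitelist users are never rejected, because the bit array is rebuilt from the same function sets used at query time.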

Description

Technical field

[0001] The invention relates to the technical field of network intrusion prevention and detection, in particular to a filtering method for a real-time intrusion detection system.

Background technique

[0002] In recent years, with the rapid development and application of the Internet, network attacks and fraud have also increased, which greatly raises the risk of intrusion into existing network service systems, especially in high-speed network environments. Some real-time processing systems must decide quickly whether an accessing user has malicious intent, and as a result they usually cannot intercept such users accurately. For example, the peak traffic of distributed denial-of-service (DDoS) network attacks is surpassed every year. In such attacks, attackers disguise a large number of high-frequency malicious requests as normal requests and send them to victim machines. Excessive service load Will cause the victim's server to ...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
CPC H04L63/0227, H04L63/101, H04L63/1416
Inventor 郑嘉琦, 戴海鹏, 陈贵海, 谢榕彪, 李猛
Owner NANJING UNIV