CN107181738B - Software intrusion detection system and method - Google Patents

Info

Publication number
CN107181738B
Authority
CN (China)
Prior art keywords
core, detection, data packet, information, message
Legal status
Active
Application number
CN201710279176.9A
Other languages
Chinese (zh)
Other versions
CN107181738A
Inventors
杨慧然, 刘超玲, 张棪, 于光喜, 韩言妮, 陈鑫, 崔华俊
Current assignee
Institute of Information Engineering of CAS
Original assignee
Institute of Information Engineering of CAS
Events
Application filed by Institute of Information Engineering of CAS
Priority to CN201710279176.9A
Publication of CN107181738A
Application granted
Publication of CN107181738B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a software intrusion detection system and method. The system comprises a control core, a detection core and an output core. The control core interacts with an upper-layer controller and manages the information generated by the detection core and the output core; the detection core collects and parses data packets based on DPDK and traverses the rule base to detect and match the parsed data packets; and the output core periodically records the detection matching results obtained by the detection core to a system log, encapsulates the illegal data packet information derived from those results, and reports it to the control core. The software intrusion detection system and method provided by the invention are flexible to deploy, scale well, reduce packet copying and inter-core packet transfer, can noticeably improve packet processing capacity, are controllable through an open control interface to the upper layer, and are well compatible with virtualization and cloud computing platforms.

Description

Software intrusion detection system and method
Technical Field
The invention relates to the technical field of security monitoring, in particular to a software intrusion detection system and a software intrusion detection method.
Background
An Intrusion Detection System (IDS) is a software application or hardware device that monitors a network or computer for malicious events. It continuously monitors network traffic, discovers abnormal behaviour that violates security policy and signs of attack during system activity, and reports to a management unit through system logs, so that intrusions or attacks can be responded to and handled in time.
Conventional intrusion detection systems include hardware intrusion detection systems and software-based intrusion detection systems. A hardware intrusion detection system is usually composed of hardware manufactured and developed by a professional equipment manufacturer and depends on several devices and software packages operating cooperatively. IDS hardware products are currently classified mainly into Host-based IDS (HIDS) and Network-based IDS (NIDS) according to the source of the input data.
A host-based intrusion detection system mainly performs intelligent analysis and judgement on the host's real-time network connections and system audit logs; the main products include ISS RealSecure OS Sensor, Emerald expert-BSM and the like. A network-based intrusion detection system is deployed on the more important network segments and performs feature analysis on every data packet or on suspicious data packets; the main products include ISS RealSecure Internet Sensor, Cisco Secure IDS, the Union 'eyes-on-ice' intrusion detection system, Jinnuoan KiDS, the Haixin 'cobra' intrusion detection system and the Zhongkoenewei 'eyes-on-eye' network intrusion detection system.
Besides hardware intrusion detection systems, a number of intrusion detection software packages exist. Common intrusion detection software includes iptables, Snort, Suricata and pfSense. Among them, Snort is the most widely used open-source intrusion detection system. Snort is a packet sniffer based on libpcap and is also a lightweight Network Intrusion Detection System (NIDS). It performs rule-based content pattern matching and logging, detecting attacks and probes such as buffer overflows, stealth port scans, CGI attacks and SMB probes.
The prior art has the following problems. A traditional hardware intrusion detection system is usually developed by a specialist company, needs dedicated hardware, requires different hardware and software to cooperate, and does not scale well; in addition the equipment is expensive, deployment is inflexible, and a large investment of manpower and material resources is needed. Common open-source intrusion detection software overcomes these defects of hardware systems but has pronounced performance problems. Taking the Snort NIDS as an example, it collects packets through libpcap, which has low processing efficiency and cannot meet the high-throughput network requirements of current cloud computing platforms. In addition, the Snort NIDS detects and processes packets in a single thread, which further limits its packet-processing performance. Moreover, conventional intrusion detection systems lack controllability: taking the Snort NIDS as an example again, detection and protection are driven by a static rule file, so suspicious traffic cannot be monitored, nor the rule file modified, in real time. Existing intrusion detection systems therefore cannot keep up with the development of switching technology and high-speed networks, and under heavy traffic they suffer serious packet loss or even collapse.
Disclosure of Invention
The invention provides a software intrusion detection system and method that solve the problems of conventional intrusion detection systems: poor scalability, inflexible deployment, poor performance, poor controllability, and inability to keep up with the development of switching technology and high-speed networks.
First, two terms are explained:
DPDK: Data Plane Development Kit;
RSS: Receive-Side Scaling.
According to one aspect of the present invention, a software-based intrusion detection system is provided, comprising three layers: a control core, a detection core and an output core, wherein
the control core is used for interacting with the upper layer controller and managing information generated by the detection core and the output core;
the detection core is used for collecting and analyzing the data packet based on DPDK, and traversing the rule base to detect and match the analyzed data packet;
and the output core is used for recording the detection matching result obtained by the detection core to a system log at regular time, and reporting the illegal data packet information obtained according to the detection matching result to the control core after encapsulating the illegal data packet information.
The detection core further comprises a data acquisition module and a detection matching module, wherein:
the data acquisition module binds multiple network cards and multiple queues to capture data packets cooperatively, based on the DPDK zero-copy packet receiving mechanism, and parses the data packets;
the detection matching module traverses the preprocessing plug-ins to preprocess the parsed data packet; traverses the rule base, based on the DPDK multi-core mechanism, to scan and match the preprocessed data packet and obtain its detection matching result; and packs the detection matching result into a message of a fixed format and stores the message in the buffer to be processed, for the output core to handle; wherein the detection matching result comprises data packet information, matching information, alarm information and action information.
The output core further comprises a log recording module and a matching information reporting module, wherein:
the log recording module periodically traverses the buffer to be processed and records the detection matching results of the data packets stored there to the system log;
the matching information reporting module encapsulates the message information and action information of each illegal data packet identified from the detection matching results according to the OpenSecurity protocol, and uploads the encapsulated illegal data packet to the control core;
wherein the content recorded to the system log comprises: timestamp, message information, matching information and processing action.
The control core further comprises an Agent module, a detection core management module, a rule base management module, a log management module and an output core management module, wherein:
the Agent module interacts with the controller through a socket and a well-defined message protocol, the interaction comprising: registering information, receiving rules and uploading suspicious information;
the detection core management module initializes and manages the detection core;
the rule base management module receives the rules issued through the Agent module, manages the rule base and cooperates with the detection matching module of the detection core;
the log management module manages the log information generated by the log recording module of the output core;
the output core management module initializes and manages the output core.
According to another aspect of the present invention, a software intrusion detection method based on the above software intrusion detection system is provided, comprising the following steps:
S1, initializing the control core, the detection core and the output core respectively;
S2, the detection core collecting and parsing data packets based on DPDK, and detecting and matching the parsed data packets by traversing the rule base;
S3, the output core periodically recording the detection matching results obtained by the detection core to a system log, and encapsulating the illegal packet information derived from the detection matching results and reporting it to the control core.
Wherein the initializing the control core in step S1 further includes:
S111, parsing the command line parameters and the DPDK configuration file;
S112, initializing the Agent module;
S113, packing the number of detection cores, the number of output cores, the number of network cards, the number of buffers to be processed and the IP information of the data plane, and sending a registration request to the controller;
S114, receiving and parsing the rule configuration file issued by the controller;
S115, initializing the DPDK environment abstraction layer;
S116, initializing the ring buffers, which comprise an instruction buffer, a statistics buffer and a buffer to be processed;
S117, configuring RSS (Receive-Side Scaling) so that different messages belonging to the same data stream are delivered to the same core;
S118, configuring the sending and receiving queues, wherein each network card is configured with one sending queue and the number of receiving queues equals the number of cores;
S119, registering a first timer with which the control core periodically checks the statistics buffer and determines whether the statistics in it need to be updated.
Wherein the initializing the detection core in step S1 further includes:
S121, copying the rule base, and registering, loading and configuring the preprocessing plug-ins;
S122, registering a second timer with which the detection core periodically checks the instruction buffer and determines whether an instruction sent by the controller has been received.
Wherein the initializing the output core in step S1 further includes:
S131, initializing the output plug-ins;
S132, registering a third timer with which the output core periodically checks the instruction buffer and determines whether an instruction sent by the controller has been received.
Wherein, the step S2 further includes:
the following steps are executed in a loop:
S21, if the signal to synchronize statistics is received, synchronizing the statistics;
S22, if the second timer has expired, extracting the instruction sent by the controller from the instruction buffer, parsing it and executing the corresponding handler;
S23, traversing the bound receiving queues, extracting the data packets from each receiving queue, and performing the following operations on each data packet:
S231, decoding and parsing the data packet;
S232, traversing the preprocessing plug-ins and preprocessing the decoded and parsed data packet;
S233, traversing the rule base and performing detection matching on the preprocessed data packet to obtain its detection matching result;
S234, packing the detection matching result into a message of a fixed format and storing the message in the buffer to be processed, for the output core to handle; wherein the detection matching result comprises data packet information, matching information, alarm information and action information.
Wherein, the step S3 further includes:
the following steps are executed on each iteration of the loop:
S31, if the third timer has expired, extracting the instruction from the instruction buffer, parsing it and executing the corresponding handler;
S32, traversing every message in the buffer to be processed and performing the following operations on each message:
S321, parsing the message and passing its content to the log management module, which periodically records it to the system log; the recorded content comprises: timestamp, message information, matching information and processing action;
S322, if the data packet is found to be illegal according to the detection matching result, encapsulating the message information and action information of the illegal data packet according to the OpenSecurity protocol, passing the encapsulated illegal data packet to the output core management module, and having the Agent module transmit it to the controller.
Compared with the prior art, the software intrusion detection system and method provided by the invention have the following beneficial effects: the system is lightweight, purely software, flexible to deploy and easy to scale; based on the DPDK zero-copy packet receiving mechanism, network data packets are received cooperatively by multiple network cards and multiple queues, which effectively improves packet capture efficiency; using the DPDK multi-core mechanism, the received data streams are decoded, classified and pattern-matched, which effectively improves intrusion detection efficiency and suits high-throughput network environments; and a control interface is opened to the upper layer, which provides controllability and better compatibility with virtualization and cloud computing platforms.
Drawings
FIG. 1 is a block diagram of a software intrusion detection system according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a software intrusion detection method according to another embodiment of the present invention;
FIG. 3 is a diagram illustrating an initialization process of a software intrusion detection system according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of the packet processing procedure of a software intrusion detection method according to another embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
As shown in FIG. 1, the architecture of a software intrusion detection system according to an embodiment of the present invention comprises a control core 1, a detection core 2 and an output core 3, wherein
the control core 1 interacts with the upper-layer controller and manages the information generated by the detection core 2 and the output core 3;
the detection core 2 acquires and parses data packets based on DPDK and traverses the rule base to detect and match the parsed data packets;
the output core 3 periodically records the detection matching results obtained by the detection core 2 to a system log, encapsulates the illegal data packet information derived from the detection matching results, and reports the encapsulated information to the control core 1.
The software intrusion detection system provided by the embodiment of the invention takes the Snort NIDS as its starting point and redesigns and re-implements it on top of DPDK. DPDK is an open-source data plane development toolkit provided by Intel; it supplies library functions and drivers for efficient user-space packet processing on the IA (Intel Architecture) processor family. Specifically, the system provided by the embodiment of the invention comprises three layers:
the control core 1 is responsible for interacting with an upper-layer controller and managing a detection core 2 and an output core 3, wherein the content of interacting with the controller comprises: and receiving user configuration, sending configuration parameters to the detection core 2 and the output core 3, reporting suspicious information to the controller, uploading registration information to the controller and the like. Managing the information generated by the detection core 2 and the output core 3 includes: the initialization process of the detection core 2 and the output core 3 is managed, a rule base in the detection core 2 is configured, and information output by the output core 3 is recorded into a system log or stored into a database and the like.
The detection core 2 binds multiple network cards and multiple queues to collect network data packets based on the DPDK zero-copy packet receiving mechanism, and decodes and parses the received data packets with a packet decoder; it then preprocesses the decoded data packets by traversing the preprocessing plug-ins; and, based on the DPDK multi-core mechanism, it extracts the features present in each preprocessed data packet and matches them one by one against the rules in the rule base. If the features match a rule in the rule base, the data packet is known to contain intrusion behaviour and is illegal. The rule base is a set of detection rules written according to the Snort rule specification. The detection core 2 packs the detection matching result of every data packet into a message of a fixed format and stores it in a cache for the output core 3 to process. The detection matching result records whether a matching rule item was found while traversing the rule base: if one was, the data packet is illegal, and the matched rule item, the action information and alarm information it carries, and the packet's message information are packed and stored in the cache; if none was, the matching flag is set to 0 and the alarm information and action information fields are both left empty.
The output core 3 periodically records the detection matching results of the data packets obtained by the detection core 2 to a system log, encapsulates each illegal data packet identified from the detection matching results, and reports it to the control core 1, which in turn uploads it to the controller. The output core 3 records the detection matching results of all collected data packets to the system log; the recorded content is determined by the detection matching result and comprises: timestamp, message information, matching information and processing action. The output core 3 also encapsulates the illegal data packets identified by detection matching and uploads them to the control core 1.
The software intrusion detection system provided by the embodiment of the invention is flexible to deploy, scales well, reduces packet copying and inter-core packet transfer, provides high-performance packet acquisition and detection, opens a control interface to the upper layer for controllability, and is well compatible with virtualization and cloud computing platforms.
In another embodiment of the present invention, based on the above embodiment, the detection core 2 comprises a data acquisition module 21 and a detection matching module 22, wherein:
the data acquisition module 21 binds multiple network cards and multiple queues to capture data packets cooperatively, based on the DPDK zero-copy packet receiving mechanism, and parses the data packets;
the detection matching module 22 traverses the preprocessing plug-ins to preprocess the parsed data packet; traverses the rule base, based on the DPDK multi-core mechanism, to scan and match the preprocessed data packet and obtain its detection matching result; and packs the detection matching result into a message of a fixed format and stores the message in the buffer to be processed, for the output core 3 to handle;
wherein the detection matching result comprises data packet information, matching information, alarm information and action information.
Specifically, the Snort NIDS filters, buffers and copies packets through the libpcap sniffer and passes them to the various application buffers; in this process each packet is copied twice, from the network into kernel space and from kernel space into user space. In the embodiment of the present invention, zero copy of the data packet is achieved by the DPDK zero-copy packet receiving mechanism, which means the following: the DPDK environment abstraction layer shields the I/O operations of the operating system kernel and the underlying network card, i.e. I/O bypasses the kernel and the protocol stack, the data packet is stored directly from the network into the cache, and the decoding and parsing of the data packet is done in the kernel state, which avoids frequent context switching and the performance loss caused by repeatedly copying the packet in memory. Binding multiple network cards and multiple queues to capture packets cooperatively means that each queue on each network card is bound to a different processor core; every core independently processes the packets arriving at its queue, so the overhead of passing packets between cores is reduced, processing capacity scales with the number of cores, and packet capture under heavy traffic is satisfied. The network card driver assigns an interrupt number to each receiving queue, and the queues are bound to different cores through interrupt balancing or interrupt affinity settings. Parsing the data packet means decoding and analysing it into the message structure defined by Snort for subsequent analysis.
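Step S117 above requires RSS to deliver both directions of a flow to the same core. The following C program, added here as an illustration and not taken from the patent or from DPDK, computes in software the Toeplitz hash that RSS uses, with the widely used symmetric key (0x6D 0x5A repeated); because that key has a 16-bit period, swapping source and destination addresses and ports leaves the hash, and therefore the receive queue and its bound core, unchanged. The two sample flows are constructed, and `rss_queue_for_flow4` is a hypothetical helper name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symmetric RSS key: 0x6D 0x5A repeated to 40 bytes (constructed here, not
 * taken from the patent). Because the key repeats every 16 bits, the 32-bit
 * key window an input bit sees at offset i equals the window at i+32 (the two
 * IPv4 addresses) and at i+16 (the two ports), so swapping source and
 * destination leaves the Toeplitz hash unchanged. */
static const uint8_t SYMMETRIC_RSS_KEY[40] = {
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
};

/* Bit b of the key (b = 0 is the MSB of byte 0), or 0 past the end of the key. */
static int key_bit(const uint8_t *key, size_t keylen, size_t b)
{
    if (b / 8 >= keylen)
        return 0;
    return (key[b / 8] >> (7 - (b % 8))) & 1;
}

/* Generic Toeplitz hash: for every set input bit i, XOR in key bits [i, i+32). */
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen,
                       const uint8_t *in, size_t inlen)
{
    uint32_t hash = 0, window = 0;
    size_t i;
    for (i = 0; i < 32; i++)                    /* window = key bits [0, 32) */
        window = (window << 1) | (uint32_t)key_bit(key, keylen, i);
    for (i = 0; i < inlen * 8; i++) {
        if ((in[i / 8] >> (7 - (i % 8))) & 1)
            hash ^= window;
        /* slide the window one bit: now key bits [i+1, i+33) */
        window = (window << 1) | (uint32_t)key_bit(key, keylen, i + 32);
    }
    return hash;
}

struct flow4 {
    uint8_t src[4], dst[4];
    uint16_t sport, dport;
};

/* RSS input for IPv4 + TCP/UDP: src addr, dst addr, src port, dst port, network byte order. */
uint32_t rss_hash_flow4(const struct flow4 *f)
{
    uint8_t in[12];
    memcpy(in, f->src, 4);
    memcpy(in + 4, f->dst, 4);
    in[8]  = (uint8_t)(f->sport >> 8); in[9]  = (uint8_t)f->sport;
    in[10] = (uint8_t)(f->dport >> 8); in[11] = (uint8_t)f->dport;
    return toeplitz_hash(SYMMETRIC_RSS_KEY, sizeof SYMMETRIC_RSS_KEY, in, sizeof in);
}

/* Hypothetical helper: the receive queue (and so the bound core) a flow lands
 * on when the hash is reduced modulo the number of configured queues. */
unsigned rss_queue_for_flow4(const struct flow4 *f, unsigned nqueues)
{
    return rss_hash_flow4(f) % nqueues;
}

/* Constructed sample: the two directions of one TCP connection. */
const struct flow4 SAMPLE_FWD = { {10, 0, 0, 5}, {10, 0, 0, 9}, 44321, 80 };
const struct flow4 SAMPLE_REV = { {10, 0, 0, 9}, {10, 0, 0, 5}, 80, 44321 };

int main(void)
{
    printf("client->server hash %08x queue %u of 8\n",
           (unsigned)rss_hash_flow4(&SAMPLE_FWD), rss_queue_for_flow4(&SAMPLE_FWD, 8));
    printf("server->client hash %08x queue %u of 8\n",
           (unsigned)rss_hash_flow4(&SAMPLE_REV), rss_queue_for_flow4(&SAMPLE_REV, 8));
    return 0;
}
```

In a DPDK application the same 40-byte key is handed to the NIC through the `rss_key` and `rss_key_len` members of `struct rte_eth_rss_conf`; the software hash above lets a detection core confirm, or a test reproduce, which receive queue a given 5-tuple will land on, and why stream reassembly never has to gather segments from two cores.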
Specifically, traversing the preprocessing plug-ins to preprocess the parsed data packet means checking the parsed data packet with each preprocessing plug-in in turn to find suspicious 'behaviour' of the packet, so that the packet is preprocessed before rule-matching detection. By function, the preprocessing plug-ins mainly comprise: plug-ins that simulate TCP/IP stack functions, such as the IP fragment reassembly and TCP stream reassembly plug-ins; and decoding plug-ins, such as the HTTP, Unicode, RPC and Telnet decoding plug-ins. The preprocessing plug-ins can be configured flexibly according to actual needs.
Traversing the rule base based on the DPDK multi-core mechanism to scan and match the preprocessed data packet means that each core independently processes the packets that reach it, extracts the features present in the preprocessed packet, traverses the rule base and matches the extracted features against its rules one by one; when the features match some rule in the rule base, the packet can be judged to contain intrusion behaviour, i.e. the packet is illegal.
The rules in the rule base conform to the Snort rule specification. A Snort rule is divided into two logical parts: the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses with network masks, source and destination port information, and the direction operator; the rule options section contains the alarm message content and which parts of the packet are to be inspected, and consists of option keywords and their parameters.
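As an added worked example of the two-part rule structure just described (written for this page, not code from the patent or from Snort), the following C parser splits a Snort-style rule line into its seven header fields and its keyword:value options, treating a semicolon inside a quoted option value as literal and rejecting a header with a missing field or an unknown direction operator. The sample rule is constructed for this example and its sid is a placeholder; `parse_snort_rule` and `rule_option` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 16
#define FIELD_LEN 64

struct snort_option { char key[FIELD_LEN]; char value[FIELD_LEN]; };

/* Rule header (seven fields) plus the option list; the names are hypothetical. */
struct snort_rule {
    char action[FIELD_LEN], protocol[FIELD_LEN];
    char src_addr[FIELD_LEN], src_port[FIELD_LEN];
    char direction[FIELD_LEN];
    char dst_addr[FIELD_LEN], dst_port[FIELD_LEN];
    int nopts;
    struct snort_option opts[MAX_OPTS];
};

/* Copy [start, end) into dst, trimming surrounding whitespace and bounding the length. */
static void copy_trim(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n;
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    n = (size_t)(end - start);
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse one rule line. Returns 0 on success, -1 if the header or the parentheses are malformed. */
int parse_snort_rule(const char *line, struct snort_rule *r)
{
    const char *paren, *close, *p;
    char *fields[7];
    int i;

    memset(r, 0, sizeof *r);
    paren = strchr(line, '(');
    close = strrchr(line, ')');
    if (!paren || !close || close < paren)
        return -1;

    /* Header: action protocol src_addr src_port direction dst_addr dst_port */
    fields[0] = r->action;   fields[1] = r->protocol;  fields[2] = r->src_addr;
    fields[3] = r->src_port; fields[4] = r->direction; fields[5] = r->dst_addr;
    fields[6] = r->dst_port;
    p = line;
    for (i = 0; i < 7; i++) {
        const char *tok;
        while (p < paren && isspace((unsigned char)*p)) p++;
        tok = p;
        while (p < paren && !isspace((unsigned char)*p)) p++;
        if (tok == p)
            return -1;                          /* fewer than seven header fields */
        copy_trim(fields[i], FIELD_LEN, tok, p);
    }
    if (strcmp(r->direction, "->") != 0 && strcmp(r->direction, "<>") != 0)
        return -1;

    /* Options: keyword:value items separated by ';', where ';' inside "..." is literal. */
    p = paren + 1;
    while (p < close) {
        const char *start = p, *s, *colon;
        int in_quotes = 0;
        while (p < close && (in_quotes || *p != ';')) {
            if (*p == '"') in_quotes = !in_quotes;
            p++;
        }
        s = start;
        while (s < p && isspace((unsigned char)*s)) s++;
        if (s < p) {                            /* skip empty items, e.g. after the last ';' */
            struct snort_option *o;
            if (r->nopts >= MAX_OPTS)
                return -1;
            o = &r->opts[r->nopts++];
            colon = memchr(s, ':', (size_t)(p - s));
            copy_trim(o->key, FIELD_LEN, s, colon ? colon : p);
            if (colon)
                copy_trim(o->value, FIELD_LEN, colon + 1, p);
        }
        if (p < close) p++;                     /* step over ';' */
    }
    return 0;
}

/* Look up an option value by keyword; NULL when the rule has no such option. */
const char *rule_option(const struct snort_rule *r, const char *key)
{
    int i;
    for (i = 0; i < r->nopts; i++)
        if (strcmp(r->opts[i].key, key) == 0)
            return r->opts[i].value;
    return NULL;
}

/* Constructed sample rule; the sid is a placeholder, not a published signature. */
const char *SAMPLE_RULE =
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 "
    "(msg:\"constructed sample; not a real signature\"; content:\"/etc/passwd\"; sid:1000001; rev:1;)";

int main(void)
{
    struct snort_rule r;
    int i;
    if (parse_snort_rule(SAMPLE_RULE, &r) != 0)
        return 1;
    printf("header: %s %s %s %s %s %s %s\n", r.action, r.protocol, r.src_addr,
           r.src_port, r.direction, r.dst_addr, r.dst_port);
    for (i = 0; i < r.nopts; i++)
        printf("option %s = %s\n", r.opts[i].key, r.opts[i].value);
    return 0;
}
```

The header fields are kept as strings on purpose: `$HOME_NET`-style variables, CIDR masks and port ranges are resolved by the rule base manager when rules are loaded, which is also the place to reject a rule whose header fails to parse rather than letting it silently match nothing.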
The detection matching result is packed into a message of a fixed format and stored in the buffer to be processed (ToBeProcessed_RingBuffer). ToBeProcessed_RingBuffer is a ring buffer that stores the detection matching results of all data packets, i.e. each packet's message information, the matched rule information, and the rule's alarm information and processing action. Using a ring buffer for these messages means memory is allocated less often, the buffer can be accessed quickly, and high-performance data access is provided.
The software intrusion detection system provided by the embodiment of the invention is based on the DPDK zero-copy packet receiving mechanism and, by receiving network data packets cooperatively through multiple network cards and multiple queues, effectively improves packet capture efficiency; by using the DPDK multi-core mechanism to decode, classify and pattern-match the received data streams, it effectively improves intrusion detection efficiency and suits high-throughput network environments.
In another embodiment of the present invention, on the basis of the above embodiment, the output core 3 comprises a log recording module 31 and a matching information reporting module 32, wherein:
the log recording module 31 periodically traverses the buffer to be processed and records the detection matching results of the data packets stored there to the system log;
the matching information reporting module 32 encapsulates the message information and action information of each illegal packet identified from the detection matching results according to the Open Security protocol, and uploads the encapsulated illegal packet to the control core;
wherein the content recorded to the system log comprises: timestamp, message information, matching information and processing action.
Specifically, so that system administrators can trace back and analyze data traffic, get a complete picture of the historical network environment, and adjust and update the rule base in time, an intrusion detection system must store detection information for every data packet that passes through it; this data is usually stored in a log file designated by the user or in a specific database.
The log recording module 31 traverses the buffer to be processed, ToBeProcessed_RingBuffer, at regular intervals, reads each message in it, parses the message, and records the resulting detection matching result of the data packet to the system log. The recorded content includes: timestamp, message information, matching information, and processing action. The processing action is the action to be executed on the data packet once a rule has matched, and is one of alert, log, pass, activate and dynamic.
If the detection matching result shows that the data packet is illegal, the matching information reporting module 32 encapsulates the message information and action information of the illegal data packet according to the OpenSecurity protocol and passes the encapsulated illegal data packet to the output core management module, which then reports it to the controller through the Agent module.
The software intrusion detection system provided by the embodiment of the invention adopts the annular buffer area to realize the receiving and sending of the intrusion detection related information, and can provide high-performance intrusion detection alarm information output.
In another embodiment of the present invention, based on the above embodiment, the control core 1 includes an Agent module 11, a detection core management module 12, a rule library management module 13, a log management module 14 and an output core management module 15, wherein:
the Agent module 11 is used for interacting with the controller through a socket and a predefined message protocol, wherein the interacted content includes: registering information, receiving rules and uploading suspicious information;
Specifically, the Agent is an autonomous software component that can be added to or removed from the system independently without affecting the system as a whole; the more complete the Agent entity's functions, the better the extensibility of the system. Opening an interface to the upper layer through the Agent improves the controllability of the system.
The detection core management module 12 is configured to initialize and manage a detection core;
the rule base management module 13 is used for receiving the rule issued by the Agent module 11, managing the rule base and cooperating with the detection matching module 22 of the detection core 2;
in particular, the rule base management module 13 may continually update the rule base, adding or deleting rules.
The log management module 14 is configured to manage log information generated by the log recording module 31 of the output core 3;
the output core management module 15 is configured to initialize and manage the output core 3.
Specifically, the output core management module 15 transmits the message reported by the matching information reporting module to the Agent module 11.
In the software intrusion detection system provided by this embodiment of the invention, an interface is opened to the upper layer through the Agent module, so that the rule base can be adjusted as required and the controllability of the system is improved, while the lower layer is managed through the several management modules.
Another embodiment of the present invention provides a software intrusion detection method, based on the software intrusion detection system according to the above embodiments, as shown in fig. 2, including the following steps:
S1, initializing the control core, the detection core and the output core respectively;
S2, the detection core collects and analyzes data packets based on DPDK, and detects and matches the analyzed data packets by traversing the rule base;
S3, the output core records the detection matching results obtained by the detection core to the system log at regular intervals, encapsulates the illegal packet information obtained from the detection matching results and reports it to the control core.
Specifically, the control core, the detection core and the output core are first initialized respectively, as shown in fig. 3, which is a schematic diagram of the initialization process of a software intrusion detection system according to an embodiment of the present invention. Initializing the control core comprises: completing parameter configuration and parsing of the DPDK configuration file, establishing the communication connection between the Agent module and the controller, receiving the rules issued by the controller, initializing the environment abstraction layer of DPDK, initializing the ring buffers, configuring the data packet receiving and sending queues, registering a timer, and so on. Initializing the detection core comprises: configuring the preprocessing plug-ins, copying the rules issued by the controller, and registering a timer so that the detection core can monitor and match data packets. Initializing the output core comprises: initializing the routing table, initializing the output plug-ins and registering a timer so that the output core can send out detection results.
Specifically, in step S2, multiple network cards and multiple queues are bound to capture data packets cooperatively, based on the DPDK zero-copy packet receiving mechanism, and the data packets are analyzed; the preprocessing plug-ins are then traversed to preprocess the analyzed data packets; the rule base is traversed using the DPDK multi-core mechanism, and the preprocessed data packets are scanned and matched to obtain their detection matching results; finally, each detection matching result is packaged into a message in a fixed format and stored in the buffer to be processed, ToBeProcessed_RingBuffer, for processing by the output core.
In step S3, ToBeProcessed_RingBuffer is first traversed at regular intervals and the detection matching results of all data packets are recorded to the system log; then, if the detection matching result shows that a data packet is illegal, the message information and action information of the illegal data packet are encapsulated according to the OpenSecurity protocol and uploaded to the control core, and the control core reports the encapsulated suspicious message to the controller.
The software intrusion detection method provided by this embodiment of the invention is based on the DPDK zero-copy packet receiving mechanism and multi-core mechanism; it reduces message copying and keeps processing core-affine, so it can provide high-performance data packet capture and detection and is better compatible with the security protection of virtualization and cloud computing platforms.
In another embodiment of the present invention, based on the above embodiment, initializing the control core further includes:
S111, parsing the command line parameters and the DPDK configuration file;
S112, initializing the Agent module;
S113, packaging the number of detection cores, the number of output cores, the number of network cards, the number of buffers to be processed and the data plane IP information, and initiating a registration request to the controller;
S114, receiving and parsing the rule configuration file issued by the controller;
S115, initializing the environment abstraction layer of DPDK;
S116, initializing the ring buffers, which include: an instruction buffer, a statistical information buffer and a buffer to be processed;
S117, configuring RSS (receive side scaling) to ensure that different messages belonging to the same data stream are sent to the same core;
S118, configuring sending queues and receiving queues, wherein each network card is configured with one sending queue and the number of receiving queues equals the number of cores;
S119, registering a first timer for the control core to periodically check the statistical information buffer and confirm whether the statistical information in it needs to be updated.
Specifically, the command line parameters parsed in S111 are the parameters required to start Snort, and the DPDK configuration file specifies the number of detection cores, output cores and buffers to be processed, the CPU mask, the data plane IP, and the IP and port of the controller.
In S112, the Agent module is initialized: it establishes communication with the controller by creating a socket, receives and parses the instructions sent by the controller, collects local statistical information, and packages the local statistical information and sends it to the controller.
In S113, information such as the number of detection cores, the number of output cores, the number of network cards, the number of buffers to be processed and the data plane IP information is packaged and a registration request is initiated to the controller; after receiving the registration request, the controller records the information and responds to the request. At the same time, the controller sends a uniform rule configuration file to the protection node. The data plane IP information comprises the data plane IP type and the data plane IP address.
Receiving and parsing the rule configuration file issued by the controller in S114 means that the controller sends a Snort rule configuration file; when the system initializes it parses this file, reads each rule in turn, parses it, expresses it in the corresponding rule syntax, organizes the rules in memory and builds a rule syntax tree. Data packets are matched against the rule syntax tree, and if some rule matches a data packet, an attack has been detected.
In S115, the environment abstraction layer of DPDK is initialized; the environment abstraction layer provides the DPDK APIs, and this step initializes them.
In S116, the ring buffers are initialized. They include an instruction buffer (Policy_RingBuffer), a statistical information buffer (Info_RingBuffer) and a buffer to be processed (ToBeProcessed_RingBuffer): the instruction buffer stores controller instructions, the statistical information buffer stores statistical information, and the buffer to be processed stores the detection information of illegal data packets.
In S117, RSS is used to distribute data packets across multiple cores in a load-balanced way: RSS places the data packets into different queues, which ensures that different messages belonging to the same data flow are delivered to the same core.
In S118, sending queues and receiving queues are configured, wherein each network card is configured with one sending queue and the number of receiving queues equals the number of cores.
In S119, a first timer is registered so that the control core periodically checks whether the statistical information in the statistical information buffer needs to be updated; if it does, the control core sends a signal to each detection core and each output core.
In the software intrusion detection method provided by this embodiment of the invention, the management of memory, buffers and queues is optimized through the kernel-bypass protocol stack of the environment abstraction layer, and a load balancing technique based on network card multi-queue and flow identification is provided, so that the method can achieve high-performance data packet acquisition and detection.
In another embodiment of the present invention, based on the above embodiment, initializing the detection core further includes:
S121, copying the rule base, and registering, loading and configuring the preprocessing plug-ins;
S122, registering a second timer for the detection core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
Specifically, in step S121, copying the rule base means that after the control core has parsed the rule configuration file it holds a Snort_Config structure; when a detection core is started, a pointer to this structure is passed as a parameter, and the detection core copies the Snort_Config structure into a local variable. The preprocessing plug-ins that are registered, loaded and configured include: ARPspoof, Normalizer, SessionManager, Stream6, RpcDecode, Bo, HttpInspect, PerfMonitor and SfPortScan, among others.
Step S122 registers a second timer, which the detection core uses to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
According to the software intrusion detection method provided by the embodiment of the invention, the rules issued by the controller are copied when the detection core is initialized, so that the dynamic modification of the rules can be realized, and the real-time monitoring of suspicious data is realized.
In another embodiment of the present invention, based on the above embodiment, initializing the output core further includes:
S131, initializing the output plug-ins;
S132, registering a third timer for the output core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
Specifically, step S131 initializes an output plug-in including SYN Cookie and SYN Proxy, and records the related information of the illegal packet into a system log or uploads the related information to the controller through the output plug-in.
Step S132 registers a third timer, where the third timer is used for the output core to periodically check the instruction buffer to determine whether an instruction sent by the controller is received.
According to the software intrusion detection method provided by the embodiment of the invention, the output core is initialized, and the relevant information of intrusion detection is output in a plug-in mode, so that system management personnel can conveniently backtrack and analyze data flow.
In another embodiment of the present invention, on the basis of the above embodiment, the step S2 further includes:
the following steps are executed cyclically:
S21, if the signal to synchronize statistical information is received, the statistical information is synchronized;
S22, if the second timer has expired, the instruction sent by the controller is extracted from the instruction buffer, parsed, and the corresponding handler is executed;
S23, the bound receiving queues are traversed, the data packets in each receiving queue are extracted, and the following operations are performed for each data packet:
S231, decoding and analyzing the data packet;
S232, traversing the preprocessing plug-ins and preprocessing the decoded and analyzed data packet;
S233, traversing the rule base and performing detection matching on the preprocessed data packet to obtain its detection matching result;
S234, packaging the detection matching result into a message in a fixed format and storing the message in the buffer to be processed for processing by the output core, wherein the detection matching result comprises: data packet information, matching information, alarm information and action information.
Specifically, fig. 4 is a schematic diagram of the packet processing flow of a software intrusion detection method according to another embodiment of the present invention. Step S2, in which the detection core collects and analyzes data packets based on DPDK and traverses the rule base to perform detection and matching on the analyzed packets, further includes:
the following steps are executed cyclically:
If the detection core receives the signal to synchronize statistical information, it synchronizes the statistical information; if the second timer has expired, it extracts the instruction issued by the controller from the instruction buffer of the ring buffers, and then captures and detects data packets. The detection core traverses the bound receiving queues, extracts the data packets from each receiving queue, and performs the following operations for each data packet: the data acquisition module decodes and analyzes the data packet; the detection matching module traverses the preprocessing plug-ins to preprocess the decoded and analyzed data packet, traverses the rule base and performs detection matching on the preprocessed data packet to obtain its detection matching result; and the detection matching result is packaged into a message in a fixed format and stored in the buffer to be processed, ToBeProcessed_RingBuffer, for processing by the output core.
According to the software intrusion detection method provided by the embodiment of the invention, based on a DPDK zero-copy packet receiving mechanism, a network data packet is cooperatively received by multiple network cards and multiple queues, so that the capture efficiency of the data packet can be effectively improved; by adopting a DPDK multi-core mechanism, the received data packet is decoded and pattern matched, so that the intrusion detection efficiency can be effectively improved, and the method can be better suitable for a high-throughput network environment.
In another embodiment of the present invention, on the basis of the above embodiment, the step S3 further includes:
each iteration of the while loop performs the following operations:
S31, if the third timer has expired, the instruction is extracted from the instruction buffer, parsed, and the corresponding handler is executed;
S32, each message in ToBeProcessed_RingBuffer is traversed and the following operations are performed on each message:
S321, the message is parsed and its content is passed to the log management module, which records the content to the system log at regular intervals; the recorded content comprises: timestamp, message information, matching information and processing action;
S322, if the detection matching result shows that the data packet is illegal, the message information and action information of the illegal data packet are encapsulated according to the OpenSecurity protocol, the encapsulated illegal data packet is passed to the output core management module, and the Agent module transmits it to the controller.
Specifically, referring to fig. 4, the step S3 of the outputting core periodically recording the detection matching result of the data packet obtained by the detecting core to the system log, and encapsulating and reporting the illegal data packet further includes:
each iteration of the while loop performs the following operations:
If the third timer has expired, the output core extracts the instruction issued by the controller from the instruction buffer of the ring buffers and starts to output the intrusion detection results obtained by the detection core. The output core traverses each message in the buffer to be processed and performs the following operations on each message:
The log recording module of the output core parses the message to obtain the detection matching result of the data packet and passes it to the log management module of the control core, which records the detection matching result to the system log at regular intervals; the recorded content comprises: timestamp, message information, matching information, and processing action.
When the matching information reporting module of the output core determines from the detection matching result that the data packet is illegal, it encapsulates the message information and action information of the illegal data packet according to the OpenSecurity protocol and passes the encapsulated illegal data packet to the output core management module of the control core; the Agent module then transmits it to the controller, and the controller stores it in the user database.
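As an added example that is not part of the patent, the hand-off described in steps S234 and S32/S321: one detection core enqueues its detection matching results into a ring buffer, and the output core drains it, writes a log record with timestamp, message information, matching information and processing action, and counts the packets that would be reported. The message layout, the ring size, the C11-atomics ring (standing in for DPDK's rte_ring) and the rule for what counts as illegal are assumptions; the sample batch is constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Processing actions the page lists for a matched rule. */
enum rule_action { ACT_ALERT, ACT_LOG, ACT_PASS, ACT_ACTIVATE, ACT_DYNAMIC };
static const char *const action_names[] = { "alert", "log", "pass", "activate", "dynamic" };

/* One ToBeProcessed_RingBuffer entry: packet (message) information, matched
 * rule, alarm and processing action. The field layout is an assumption. */
struct detect_msg {
    uint64_t ts_ns;                  /* capture timestamp, ns since the epoch */
    uint32_t src_ip, dst_ip;         /* host byte order */
    uint16_t src_port, dst_port;
    uint32_t sid;                    /* matched rule id, 0 = no rule matched */
    char     alarm[64];              /* alarm text of the matched rule */
    enum rule_action action;
};

#define RING_SIZE 1024U              /* power of two: slot = sequence & (RING_SIZE - 1) */

/* Single producer (one detection core), single consumer (output core); head
 * and tail are free-running sequence numbers, so a zeroed ring is empty. */
struct tbp_ring {
    struct detect_msg slot[RING_SIZE];
    _Atomic uint32_t head;           /* advanced only by the producer */
    _Atomic uint32_t tail;           /* advanced only by the consumer */
};

/* Step S234 on the detection core. Never blocks: a full ring is reported so
 * the caller can count the drop instead of stalling the data path. */
static bool ring_push(struct tbp_ring *r, const struct detect_msg *m)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SIZE)
        return false;
    r->slot[head & (RING_SIZE - 1)] = *m;
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}

/* Step S32 on the output core. */
static bool ring_pop(struct tbp_ring *r, struct detect_msg *out)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return false;
    *out = r->slot[tail & (RING_SIZE - 1)];
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return true;
}

/* Assumed reporting policy: illegal means a rule matched and its action flags
 * the traffic; pass and log results are recorded but not reported. */
static bool is_illegal(const struct detect_msg *m)
{
    return m->sid != 0 && m->action != ACT_PASS && m->action != ACT_LOG;
}

/* System-log record (step S321): timestamp, message information, matching
 * information, processing action. Addresses are printed in hex for brevity. */
static int format_log_record(const struct detect_msg *m, char *buf, size_t len)
{
    const char *act = (unsigned)m->action < 5 ? action_names[m->action] : "unknown";
    return snprintf(buf, len, "%llu.%09llu src=%08x:%u dst=%08x:%u sid=%u alarm=\"%s\" action=%s",
                    (unsigned long long)(m->ts_ns / 1000000000ULL), (unsigned long long)(m->ts_ns % 1000000000ULL),
                    m->src_ip, m->src_port, m->dst_ip, m->dst_port, m->sid, m->alarm, act);
}

struct drain_stats { unsigned logged, reported; };

/* One output-core pass: every message is logged; illegal ones are also counted
 * as reported (OpenSecurity encapsulation and the Agent upload are out of scope). */
static struct drain_stats output_core_drain(struct tbp_ring *r, FILE *log)
{
    struct drain_stats st = { 0, 0 };
    struct detect_msg m;
    char line[256];
    while (ring_pop(r, &m)) {
        format_log_record(&m, line, sizeof line);
        if (log) fprintf(log, "%s\n", line);
        st.logged++;
        if (is_illegal(&m)) st.reported++;
    }
    return st;
}

static struct tbp_ring g_ring;       /* zero-initialized, therefore empty */

/* Pushes a constructed sample batch, as one detection-core pass would, then
 * runs the output-core pass over it; call run_demo(stdout) from a main(). */
static struct drain_stats run_demo(FILE *log)
{
    const struct detect_msg batch[] = {
        { 1700000000123456789ULL, 0x0A000005, 0xC0A80101, 41234, 80, 0, "", ACT_PASS },
        { 1700000000123500000ULL, 0x0A000005, 0xC0A80101, 41234, 80, 1000001, "constructed: suspicious URI", ACT_ALERT },
        { 1700000000123600000ULL, 0xC0A80101, 0x0A000005, 80, 41234, 1000002, "constructed: flow logged", ACT_LOG },
    };
    for (size_t i = 0; i < sizeof batch / sizeof batch[0]; i++)
        ring_push(&g_ring, &batch[i]);
    return output_core_drain(&g_ring, log);
}
```

Of the three constructed results only the alert is counted as reported; the pass and log results still produce log records, matching the page's rule that every packet's detection information is stored.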
The software intrusion detection system provided by the embodiment of the invention adopts the annular buffer area to realize the receiving and sending of the intrusion detection related information, and can provide high-performance intrusion detection alarm information output.
The software intrusion detection system and the software intrusion detection method provided by the embodiments of the invention have the advantages of light weight, pure software, flexible deployment and good expansibility; based on a DPDK zero-copy packet receiving mechanism, a network data packet is cooperatively received by multiple network cards and multiple queues, so that the capture efficiency of the data packet can be effectively improved; by adopting a DPDK multi-core mechanism, the received data stream is subjected to decoding classification and pattern matching, so that the intrusion detection efficiency can be effectively improved, and the method can be better suitable for a high-throughput network environment; and a control interface is opened to the upper layer, so that the controllability is realized, and the virtualization and cloud computing platform can be better compatible.
Finally, the above is only a preferred embodiment of the present application and is not intended to limit the scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall be included in its protection scope.

Claims (6)

1. A software intrusion detection system, comprising three layers: a control core, a detection core and an output core, wherein
the control core is used for interacting with the upper layer controller and managing information generated by the detection core and the output core;
the detection core is used for collecting and analyzing the data packet based on DPDK, and traversing the rule base to detect and match the analyzed data packet;
the output core is used for recording the detection matching result obtained by the detection core to a system log at regular time, and reporting the illegal data packet information obtained according to the detection matching result to the control core after encapsulating the illegal data packet information;
wherein the detection core further comprises: a data acquisition module and a detection matching module; wherein:
the data acquisition module is used for binding multiple network cards and multiple queues to capture data packets cooperatively based on the DPDK zero-copy packet receiving mechanism, and for analyzing the data packets;
the detection matching module is used for traversing a preprocessing plug-in unit and preprocessing the analyzed data packet; traversing a rule base based on a DPDK multi-core mechanism, and scanning and matching the preprocessed data packet to obtain a detection matching result of the data packet; packaging the detection matching result into a message according to a certain format, and storing the message into a buffer area to be processed for processing by an output core;
wherein the detecting the matching result comprises: data packet information, matching information, alarm information and action information;
wherein the control core further comprises: an Agent module, a detection core management module, a rule library management module, a log management module and an output core management module; wherein:
the Agent module is used for interacting with the controller through a socket and a well-defined message protocol, wherein the interacted content comprises the following contents: registering information, receiving rules and uploading suspicious information;
the detection core management module is used for initializing and managing the detection core;
the rule base management module is used for receiving the rules issued by the Agent module, managing the rule base and cooperating with the detection matching module of the detection core;
the log management module is used for managing log information generated by the log recording module of the output core;
the output core management module is used for initializing and managing an output core;
wherein the output core further comprises: a log recording module and a matching information reporting module; wherein:
the log recording module is used for traversing the buffer area to be processed at regular time and recording the detection matching result of the data packet stored in the buffer area to be processed to a system log;
the matching information reporting module is used for packaging message information and action information of an illegal data packet obtained based on the detection matching result according to an OpenSecurity protocol, and uploading the packaged illegal data packet to a control core;
wherein, the content recorded to the system log comprises: timestamp, message information, matching information, and processing action.
2. A software intrusion detection method based on the system of claim 1, comprising the steps of:
S1, initializing the control core, the detection core and the output core respectively;
S2, the detection core collects and analyzes the data packet based on DPDK, and detects and matches the analyzed data packet by traversing the rule base;
S3, the output core records the detection matching result obtained by the detection core to the system log at regular intervals, and encapsulates the illegal data packet information obtained from the detection matching result and reports it to the control core;
step S3 further includes:
the following steps are executed in each iteration of the while loop:
S31, if the third timer has expired, the instruction is extracted from the instruction buffer, parsed, and the corresponding handler is executed;
S32, each message in the buffer to be processed is traversed and the following operations are performed on each message:
S321, the message is parsed and its content is passed to the log management module, which records the content to the system log at regular intervals; the recorded content comprises: timestamp, message information, matching information and processing action;
S322, if the detection matching result shows that the data packet is illegal, the message information and action information of the illegal data packet are encapsulated according to the OpenSecurity protocol, the encapsulated illegal data packet is passed to the output core management module, and the Agent module transmits it to the controller.
3. The method of claim 2, wherein the initializing the control core in step S1 further comprises:
S111, parsing the command line parameters and the DPDK configuration file;
S112, initializing the Agent module;
S113, packaging the number of detection cores, the number of output cores, the number of network cards, the number of buffers to be processed and the data plane IP information, and initiating a registration request to the controller;
S114, receiving and parsing the rule configuration file issued by the controller;
S115, initializing the environment abstraction layer of DPDK;
S116, initializing the ring buffers, which include: an instruction buffer, a statistical information buffer and a buffer to be processed;
S117, configuring RSS (receive side scaling) to ensure that different messages belonging to the same data stream are sent to the same core;
S118, configuring sending queues and receiving queues, wherein each network card is configured with one sending queue and the number of receiving queues equals the number of cores;
S119, registering a first timer for the control core to periodically check the statistical information buffer and confirm whether the statistical information in it needs to be updated.
4. The method of claim 2, wherein the initializing the detection core in step S1 further comprises:
S121, copying the rule base, and registering, loading and configuring the preprocessing plug-ins;
S122, registering a second timer for the detection core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
5. The method of claim 2, wherein the initializing the output core in step S1 further comprises:
S131, initializing the output plug-ins;
S132, registering a third timer for the output core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
6. The method of claim 2, wherein step S2 further comprises:
the following steps are executed cyclically:
S21, if the signal to synchronize statistical information is received, the statistical information is synchronized;
S22, if the second timer has expired, the instruction sent by the controller is extracted from the instruction buffer, parsed, and the corresponding handler is executed;
S23, the bound receiving queues are traversed, the data packets in each receiving queue are extracted, and the following operations are performed for each data packet:
S231, decoding and analyzing the data packet;
S232, traversing the preprocessing plug-ins and preprocessing the decoded and analyzed data packet;
S233, traversing the rule base and performing detection matching on the preprocessed data packet to obtain its detection matching result;
S234, packaging the detection matching result into a message in a fixed format and storing the message in the buffer to be processed for processing by the output core; wherein the detection matching result comprises: data packet information, matching information, alarm information and action information.
Application CN201710279176.9A, priority and filing date 2017-04-25, "Software intrusion detection system and method", legal status Active.

Publications:
CN107181738A, published 2017-09-19
CN107181738B (granted), published 2020-09-11


Citations (4)

Publication number Priority date Publication date Assignee Title
CN101409623A (en) * 2008-11-26 2009-04-15 湖南大学 Mode matching method facing to high speed network
CN101841470A (en) * 2010-03-29 2010-09-22 东南大学 High-speed capturing method of bottom-layer data packet based on Linux
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
CN105577567A (en) * 2016-01-29 2016-05-11 国家电网公司 Network data packet parallel processing method based on Intel DPDK

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN1309214C (en) * 2004-12-20 2007-04-04 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
US8683590B2 (en) * 2008-10-31 2014-03-25 Alcatel Lucent Method and apparatus for pattern matching for intrusion detection/prevention systems

Non-Patent Citations (1)

Title
"Research on a Snort intrusion detection system based on data mining"; 刘峰飞; China Masters' Theses Full-text Database, Information Science and Technology Series, 2008, No. 06; 20080615; Chapter 2 *

Also Published As

Publication number Publication date
CN107181738A (en) 2017-09-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant