CN111031073B - Network intrusion detection system and method - Google Patents


Info

Publication number
CN111031073B
Authority
CN
China
Prior art keywords
matching
packet
detection
module
nfa
Legal status
Active
Application number
CN202010005839.XA
Other languages
Chinese (zh)
Other versions
CN111031073A (en)
Inventor
曾智勇
林丹生
高雅
伍晓泉
黄晶晶
Current Assignee
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN202010005839.XA
Publication of CN111031073A
Application granted
Publication of CN111031073B
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The application discloses a network intrusion detection system and a method, wherein the system comprises: the packet header matching module is used for extracting packet header fields to combine into an N-tuple, performing packet header matching detection according to the N-tuple and a preset rule base, and triggering the packet load matching module if matching is successful; the packet load compiling module is used for compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value, compiling the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to the threshold value, and sending the DFA matching library and the NFA matching library to the packet load matching module; and the packet load matching module is used for performing DFA matching detection according to the DFA matching library when packet load detection is performed on the data packet, directly skipping NFA matching detection if matching is successful, and otherwise, performing NFA matching detection according to the NFA matching library. The method and the device solve the technical problem that the efficiency and the throughput of the existing SDN-based intrusion detection are low.

Description

Network intrusion detection system and method
Technical Field
The present application relates to the field of network intrusion detection technologies, and in particular, to a network intrusion detection system and method.
Background
Deep packet inspection and multi-field matching are important technical means of intrusion detection, and Software Defined Network (SDN) equipment separates the control plane from the data plane, achieving flexible control together with efficient forwarding. Implementing deep packet inspection and multi-field matching on SDN equipment therefore yields high-performance network intrusion detection while keeping flexible control of the network.
Existing SDN-based intrusion detection is held back by the performance of the SDN controller: rules for packets that occupy a large amount of memory readily cause state-space explosion at compile time, full-packet intrusion detection is inefficient, and high throughput cannot be obtained on the data plane.
Disclosure of Invention
The application provides a network intrusion detection system and a network intrusion detection method, which are used for solving the technical problems that the efficiency and the throughput of intrusion detection are low because the performance of equipment is limited and intrusion data packets are not detected efficiently and pertinently in the existing SDN-based intrusion detection.
In view of the above, a first aspect of the present application provides a network intrusion detection system, including: the device comprises a packet header matching module, a packet load compiling module and a packet load matching module;
the packet header matching module is used for extracting packet header fields of the data packets to combine into an N-tuple, performing packet header matching detection according to the N-tuple and a preset rule base, and triggering the packet load matching module if matching is successful;
the packet load compiling module is used for compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value, sending the DFA matching library to the packet load matching module, compiling the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to the threshold value, and sending the NFA matching library to the packet load matching module;
and the packet load matching module is used for performing DFA matching detection according to the DFA matching library when detecting the packet load of the data packet, directly skipping NFA matching detection if the matching is successful, and performing NFA matching detection according to the NFA matching library if the matching is not successful.
Preferably, the method further comprises the following steps: a preprocessing module;
the preprocessing module is used for separating the packet head and the packet load of the data packet.
Preferably, the packet header includes: source address, destination address, and operation action.
Preferably, the packet header further includes: source port, destination port, and protocol number.
Preferably, the N-tuple is a 2-tuple, a 4-tuple or a 5-tuple.
Preferably, the packet header matching module is specifically configured to:
extracting packet header fields of the data packets to combine into an N-tuple;
dividing the N-tuple by fields;
and carrying out packet head matching detection on the divided fields and the fields corresponding to the preset rule base, and triggering the packet load matching module if matching is successful.
Preferably, the method further comprises the following steps:
a result processing module;
and the result processing module is used for responding to the packet head matching module and the packet load matching module and carrying out corresponding strategy processing on the data packet according to a preset strategy library when matching is completed.
Preferably, the result processing module includes: a miss module;
and the miss module is used for reporting a miss if neither the DFA matching detection nor the NFA matching detection matches successfully, and triggering the result processing module to perform the processing action that the preset policy library associates with a miss.
Preferably, the method further comprises the following steps:
an invasion situation statistic module;
and the intrusion situation statistics module is used for collecting intrusion detection situation data during intrusion detection and sending it to the SDN control plane, wherein the intrusion detection situation data comprise the intrusion matching success rate and intrusion traffic characteristics.
The present application provides a network intrusion detection method from a second aspect, including:
extracting packet head fields of the data packets to combine into an N-tuple, performing packet head matching detection according to the N-tuple and a preset rule base, and performing packet load detection if matching is successful;
compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value;
compiling the packet payload into an NFA matching repository when a complexity of a data packet is greater than or equal to the threshold;
and when detecting the packet load of the data packet, carrying out DFA matching detection according to the DFA matching library, if the matching is successful, directly skipping NFA matching detection, and otherwise, carrying out NFA matching detection according to the NFA matching library.
According to the technical scheme, the embodiment of the application has the following advantages:
in this application, a network intrusion detection system is provided, including: the packet header matching module is used for extracting packet header fields of the data packets to combine into an N-tuple, performing packet header matching detection according to the N-tuple and a preset rule base, and triggering the packet load matching module if matching is successful; the packet load compiling module is used for compiling the packet load into a DFA (deterministic finite automaton) matching library when the complexity of the data packet is lower than a threshold value, sending the DFA matching library to the packet load matching module, compiling the packet load into an NFA (nondeterministic finite automaton) matching library when the complexity of the data packet is higher than or equal to the threshold value, and sending the NFA matching library to the packet load matching module; and the packet load matching module is used for performing DFA matching detection according to the DFA matching library when packet load detection is performed on the data packet, directly skipping NFA matching detection if matching is successful, and otherwise performing NFA matching detection according to the NFA matching library.
According to the network intrusion detection system, the packet header of a data packet to be detected is checked with an N-tuple matching technique, and the payload part of the data packet is detected only after that check passes. Payload detection first separates payloads according to a preset complexity threshold, compiling payload rules of higher complexity into an NFA matching library with low space consumption and those of lower complexity into a DFA matching library with higher matching performance; it then matches the incoming payload, trying DFA matching detection first and stopping as soon as a match succeeds, and falling back to NFA matching detection only if DFA matching fails. Handling payloads according to their complexity speeds up detection when payload complexity is low, raises data-plane throughput, and avoids the space explosion that compiling a high-complexity payload into a DFA would cause. The network intrusion detection system provided by the application therefore solves the technical problem that existing SDN-based intrusion detection is limited by equipment performance and does not detect intrusion packets efficiently and specifically, which leaves intrusion detection efficiency and throughput low.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of a network intrusion detection system provided in the present application;
fig. 2 is a schematic structural diagram of another embodiment of a network intrusion detection system provided in the present application;
fig. 3 is a flowchart illustrating a network intrusion detection method according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For easy understanding, referring to fig. 1, a first embodiment of a network intrusion detection system provided in the present application includes: a packet header matching module 101, a packet load compiling module 102 and a packet load matching module 103;
the packet header matching module 101 is used for extracting packet header fields of the data packets to combine into an N-tuple, performing packet header matching detection according to the N-tuple and a preset rule base, and triggering the packet load matching module if matching is successful;
the packet load compiling module 102 is configured to compile a packet load into a DFA matching library when the complexity of the data packet is lower than a threshold, send the DFA matching library to the packet load matching module, compile the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to the threshold, and send the NFA matching library to the packet load matching module;
and the packet load matching module 103 is configured to perform DFA matching detection according to the DFA matching library when detecting the packet load of the data packet, directly skip the NFA matching detection if the matching is successful, and perform the NFA matching detection according to the NFA matching library if the matching is not successful.
It should be noted that packet intrusion detection is divided, by packet component, into packet header detection and packet payload detection, and payload detection is further divided by complexity into DFA matching detection and NFA matching detection. Before intrusion detection, the preset rule base, the DFA matching library and the NFA matching library must be built in advance. The preset rule base consists of fields and operation actions: the fields include source address, destination address, source port, destination port and protocol number, and the operation actions may include issuing, deleting, forwarding and other actions. The rule base is organised according to the components of the packet header and is used for header detection.
The DFA matching library and the NFA matching library are obtained by compiling the payload rules. They are split into two libraries because the complexity of the data carried in payloads varies, so the memory consumed during matching differs greatly, and payloads of differing complexity need to be handled separately with different matching detection. A DFA offers high matching performance; an NFA offers low space consumption. Payloads are separated by a configured complexity threshold: payloads of low complexity are compiled directly into the DFA matching library, giving fast matching with high accuracy and raising data-plane throughput; payloads of high complexity are compiled into the NFA matching library, which consumes little memory and does not cause space explosion. Because intrusion payload matching is handled adaptively in this way, the method suits data packets of varied complexity and preserves matching accuracy while saving memory.
The N-tuple is determined mainly by the composition of the packet header: a pair of addresses plus an operation action gives a 2-tuple; a pair of addresses, a pair of ports and an operation action gives a 4-tuple; a pair of addresses, a pair of ports, a protocol number and an operation action gives a 5-tuple; and so on.
In the network intrusion detection system provided by this embodiment, the packet header of the data packet to be detected is detected by using an N-tuple matching technique, and the packet load part of the data packet can be detected after the detection is passed; the detection method of the packet load comprises the steps of firstly distinguishing the packet load according to a preset complexity threshold, compiling the packet load with higher complexity into an NFA matching library with low space consumption, and compiling the packet load with lower complexity into a DFA with higher matching performance; secondly, matching detection is carried out on the input packet load, DFA matching detection is preferentially carried out, and the detection action is stopped if matching is successful; if the matching fails, further NFA matching detection is needed. The packet load is subjected to targeted detection according to the complexity, the detection speed can be increased when the complexity of the packet load is low, the throughput rate of a data plane can be increased, and the situation that the packet load is compiled into a DFA to cause space explosion when the complexity of the packet load is high can be avoided. Therefore, the network intrusion detection system provided by the embodiment solves the technical problems that the existing SDN-based intrusion detection system is limited in equipment performance, does not detect intrusion data packets efficiently and specifically, and therefore the intrusion detection efficiency and throughput are low.
For easy understanding, referring to fig. 2, a second embodiment of a network intrusion detection system provided in the embodiment of the present application includes: the system comprises a preprocessing module 201, a packet header matching module 202, a packet load compiling module 203 and a packet load matching module 204;
a pre-processing module 201, configured to separate a packet header and a packet payload of a data packet.
And the packet header matching module 202 is used for extracting packet header fields of the data packets to combine into an N-tuple, performing packet header matching detection according to the N-tuple and a preset rule base, and triggering the packet load matching module if matching is successful.
It should be noted that the packet header matching module 202 is specifically configured to extract packet header fields of the data packets to combine into an N-tuple; dividing the N-tuple by fields; and carrying out packet head matching detection on the divided fields and the fields corresponding to the preset rule base, and triggering a packet load matching module if matching is successful.
It should be noted that the packet header consists of a number of fields plus an explicit operation action; the fields include the source address, destination address, source port, destination port, protocol number and so on. Different numbers of header fields give different tuples, mainly 2-tuples, 4-tuples and 5-tuples. The preset rule base is built first. For example, with N = 2 the header fields are the source address SrcIP and the destination address DstIP, the 2-tuple is (SrcIP, DstIP) and a rule has the form (SrcIP, DstIP; operation action). Suppose the preset rule base is: rule one (A, B; discard); rule two (C, D; forward). The rule base is likewise split by field into two groups: the first group (the SrcIP values) is (A, C) and the second group (the DstIP values) is (B, D). When an intrusion packet is to be header-checked and its 2-tuple is (A, B), field segmentation gives SrcIP = A and DstIP = B. SrcIP = A is matched against the first group of the rule base, giving M1 = (1, 0); DstIP = B is matched against the second group, giving M2 = (1, 0), where 1 marks a rule hit and 0 a miss. M1 & M2 = (1, 0), so the packet matches both A and B, that is, rule one is hit, and packet payload matching can proceed. If the bitwise AND were all zeros, header matching would have failed and the payload matching detection stage would not be entered.
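The per-field bit-vector matching walked through above, as an added example that is not the patent's own code: the rule base is split into one group per header field, each group yields a hit vector for the packet's value of that field, and the bitwise AND of the vectors identifies the rule. The example generalises the 2-tuple case to a 5-tuple with wildcards and CIDR prefixes; the rule base, addresses and the `HeaderMatcher` / `vector_as_tuple` names are constructed for illustration and do not come from the patent.

```python
"""Added example, not the patent's code: N-tuple packet header matching with
per-field bit vectors, as in the 2-tuple walk-through above, extended to a
5-tuple (src, dst, sport, dport, proto). Rules, addresses and actions are
constructed for illustration."""
import ipaddress

FIELDS = ("src", "dst", "sport", "dport", "proto")

# Constructed rule base; list position is the rule's priority (rule 0 wins ties).
# "*" (or an absent field) is a wildcard; addresses may be hosts or CIDR prefixes.
RULES = [
    ({"src": "10.0.0.1", "dst": "10.0.0.2"}, "discard"),      # rule one (A, B; discard)
    ({"src": "10.0.1.0/24", "dst": "10.0.0.2"}, "forward"),   # rule two (C, D; forward)
    ({"dport": 22, "proto": 6}, "forward"),                   # any TCP flow to port 22
]


def _compile(field, value):
    """Normalise one rule field: None for wildcard, ip_network for addresses, int otherwise."""
    if value == "*":
        return None
    if field in ("src", "dst"):
        return ipaddress.ip_network(value, strict=False)
    return int(value)


def _field_hit(field, spec, value):
    if spec is None:
        return True
    if field in ("src", "dst"):
        return ipaddress.ip_address(value) in spec
    return spec == value


class HeaderMatcher:
    """Splits the rule base by field (the 'groups' of the text) and matches a packet
    header field by field, AND-ing the per-field hit vectors."""

    def __init__(self, rules):
        self.rules = rules
        self.groups = {f: [_compile(f, spec.get(f, "*")) for spec, _ in rules] for f in FIELDS}

    def field_vector(self, field, value):
        """Bit i set <=> rule i accepts this value for this field (M1, M2, ... in the text)."""
        bits = 0
        for i, spec in enumerate(self.groups[field]):
            if _field_hit(field, spec, value):
                bits |= 1 << i
        return bits

    def match(self, header):
        """Return (rule index, action) of the highest-priority rule hit on all fields, or None."""
        hits = (1 << len(self.rules)) - 1
        for f in FIELDS:
            hits &= self.field_vector(f, header[f])
            if not hits:                               # intersection already empty: header miss
                return None
        first = (hits & -hits).bit_length() - 1        # lowest set bit = first rule in priority order
        return first, self.rules[first][1]


def vector_as_tuple(bits, n_rules):
    """Render a bit vector the way the text writes it, e.g. 0b01 -> (1, 0) for two rules."""
    return tuple((bits >> i) & 1 for i in range(n_rules))


if __name__ == "__main__":
    m = HeaderMatcher(RULES)
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 80, "proto": 6}
    print("M_src =", vector_as_tuple(m.field_vector("src", pkt["src"]), len(RULES)))
    hit = m.match(pkt)
    # A header hit decides only whether payload inspection runs; a matched 'discard'
    # action short-circuits it, as the result processing module of the text does.
    proceed = hit is not None and hit[1] != "discard"
    print("hit:", hit, "-> payload stage" if proceed else "-> no payload stage")
```

Early exit on an empty intersection matters on the data plane: most packets miss on the first one or two fields, so the remaining groups are never scanned.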
The packet load compiling module 203 is configured to compile the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold, send the DFA matching library to the packet load matching module, compile the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to the threshold, and send the NFA matching library to the packet load matching module.
And the packet load matching module 204 is configured to perform DFA matching detection according to the DFA matching library when detecting the packet load of the data packet, directly skip the NFA matching detection if the matching is successful, and perform the NFA matching detection according to the NFA matching library if the matching is not successful.
It should be noted that the matching libraries must be built before payload matching is performed. In this embodiment two matching libraries are built, using the complexity of the payload rule as the criterion: a payload rule of lower complexity is compiled into a DFA so that matching is fast, while a payload rule of higher complexity must be compiled into an NFA, avoiding the space explosion that consuming a large amount of memory would cause. Both matching libraries are in use during payload matching.
It should be noted that in the matching detection process both the DFA matching library and the NFA matching library are used. The DFA matching library is tried first; if it matches directly, NFA matching detection is not needed; if it does not match, NFA matching detection is performed. For example, suppose intrusion rule one is (CDE) and its complexity is above the threshold: compiled into a DFA it would cause space explosion and consume a large amount of memory, so it is compiled into an NFA. Intrusion rule two, (abc), has complexity below the threshold and is therefore compiled into a DFA. Now suppose two payloads are to be checked: packet 1, whose payload matches (abc), and packet 2, whose payload (ABC) matches neither rule. Packet 1 is first matched against the DFA matching library; the match succeeds, and the detected packet 1 is sent to the result processing module. Packet 2 is then matched against the DFA matching library and fails, so packet 2 is further matched against the NFA matching library, which also reports no hit; once matching detection is complete the payload is sent to the result processing module. This ends the payload matching detection process.
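The DFA/NFA trade-off described above (a DFA is fast but can blow up in state count, an NFA stays small) and the two-library matching order of the example, as an added example that is not the patent's own code. Here "complexity" is taken to mean the number of DFA states subset construction produces, and a rule is kept as an NFA as soon as that count would pass the threshold; that measure, the small pattern syntax (literal characters, `.` for any character, postfix `*`), the rule strings and the names `NFA`, `compile_dfa`, `dfa_search` and `PayloadLibrary` are all assumptions made for this example.

```python
"""Added example, not the patent's code: payload rules compiled to a DFA when the
determinised automaton stays under a state budget, otherwise kept as an NFA, then
matched DFA-first with NFA fallback. Pattern syntax (literal chars, '.' for any
char, postfix '*') and the two rules below are assumptions for this example."""
from collections import deque

OTHER = "<other>"   # sentinel for any char that is not a literal of the pattern


def tokenize(pattern):
    """Split a pattern into (symbol, starred) pairs; symbol is a char or '.'."""
    toks, i = [], 0
    while i < len(pattern):
        starred = i + 1 < len(pattern) and pattern[i + 1] == "*"
        toks.append((pattern[i], starred))
        i += 2 if starred else 1
    return toks


class NFA:
    """Position-based Thompson NFA for one rule; the NFA state is a set of positions.
    Position 0 is always live, so the rule may start at any payload offset."""

    def __init__(self, pattern):
        self.toks = tokenize(pattern)
        self.n = len(self.toks)                      # position n = accept
        self.literals = {s for s, _ in self.toks if s != "."}

    def closure(self, positions):
        live = set(positions) | {0}
        stack = list(live)
        while stack:                                 # a starred token may be skipped (epsilon)
            i = stack.pop()
            if i < self.n and self.toks[i][1] and i + 1 not in live:
                live.add(i + 1)
                stack.append(i + 1)
        return frozenset(live)

    def step(self, live, c):
        nxt = set()
        for i in live:
            if i == self.n:
                continue
            sym, starred = self.toks[i]
            if sym == "." or sym == c:
                nxt.add(i if starred else i + 1)     # starred: consume and stay
        return self.closure(nxt)

    def accepting(self, live):
        return self.n in live

    def search(self, payload):
        live = self.closure(set())
        for c in payload:
            live = self.step(live, c)
            if self.accepting(live):
                return True
        return self.accepting(live)


def compile_dfa(nfa, max_states):
    """Subset construction over the pattern's literals plus OTHER. Returns None as soon
    as the DFA would exceed max_states: that is the 'space explosion' the text avoids."""
    symbols = sorted(nfa.literals) + [OTHER]
    start = nfa.closure(set())
    ids, trans, accept = {start: 0}, {}, set()
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if nfa.accepting(s):
            accept.add(ids[s])
        for sym in symbols:
            t = nfa.step(s, sym)
            if t not in ids:
                if len(ids) >= max_states:
                    return None
                ids[t] = len(ids)
                queue.append(t)
            trans[(ids[s], sym)] = ids[t]
    return {"trans": trans, "accept": accept, "literals": nfa.literals, "states": len(ids)}


def dfa_search(dfa, payload):
    state = 0
    if state in dfa["accept"]:
        return True
    for c in payload:
        state = dfa["trans"][(state, c if c in dfa["literals"] else OTHER)]
        if state in dfa["accept"]:
            return True
    return False


class PayloadLibrary:
    """The payload compiling and payload matching modules of the text, in one place."""

    def __init__(self, rules, threshold):
        self.dfa_rules, self.nfa_rules = [], []
        for name, pattern in rules:
            nfa = NFA(pattern)
            dfa = compile_dfa(nfa, threshold)
            if dfa is None:
                self.nfa_rules.append((name, nfa))   # complexity >= threshold: keep the NFA
            else:
                self.dfa_rules.append((name, dfa))   # complexity < threshold: fast DFA

    def match(self, payload):
        """DFA library first; on a hit the NFA library is skipped entirely."""
        for name, dfa in self.dfa_rules:
            if dfa_search(dfa, payload):
                return ("dfa", name)
        for name, nfa in self.nfa_rules:
            if nfa.search(payload):
                return ("nfa", name)
        return ("miss", None)


# Constructed rules: rule one has five wildcards between C and E, so its unanchored
# DFA needs at least 2^6 states (one bit per in-flight offset); rule two needs four.
RULES = [("rule_one", "C.....E"), ("rule_two", "abc")]

if __name__ == "__main__":
    lib = PayloadLibrary(RULES, threshold=32)
    print("DFA:", [n for n, _ in lib.dfa_rules], "NFA:", [n for n, _ in lib.nfa_rules])
    for payload in ("xxabcxx", "ABC", "..C12345E"):
        print(repr(payload), "->", lib.match(payload))
```

Because subset construction is aborted at the budget rather than completed and measured afterwards, a pathological rule never consumes the memory it would take to discover that it is pathological; the NFA fallback costs one set-of-positions update per payload byte instead.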
It should be noted that detection of the packet header or the packet payload involves only matching and detection operations and neither modifies the data packet nor acts on it in any other way; after matching or detection is complete, the data packet is passed on to the other processing modules for analysis or processing.
Further, a result processing module 205 is included, configured to respond to the packet header matching module and the packet payload matching module, and perform corresponding policy processing on the data packet according to a preset policy library when matching is completed.
The result processing module 205 includes a miss module 2051, configured to prompt "miss" if the DFA match detection is not successfully matched and the NFA match detection is also not successfully matched, and trigger the result processing module to perform a corresponding processing action according to a policy corresponding to the "miss" in the preset policy repository.
It should be noted that the result processing module responds to the packet header matching module and the packet payload matching module. After the packet header is matched successfully, if the operation action attached to the matched rule is discard, the result processing module discards the data packet directly without proceeding further; for any other operation action, payload matching detection is then required. After the payload is matched successfully, the result processing module arbitrates on the match result, makes a decision, and finally handles the data packet according to the policy configured in the policy library, which may be discarding, forwarding or other processing.
Further, the system further includes an intrusion situation statistics module 206, configured to count intrusion detection situation data during intrusion detection, and send the intrusion detection situation data to the SDN control plane, where the intrusion detection situation data includes an intrusion matching success rate and intrusion traffic characteristics.
It should be noted that situation data is collected while intrusion detection runs; the SDN control plane receives this information and can then dynamically load and validate an intrusion detection engine according to the application-layer control policy, which makes intrusion detection easier to deploy. The situation data comprise the intrusion matching success rate and intrusion traffic characteristics; the collected statistics drive updates of the intrusion engine and determine which group of rules in the preset rule base is used for header matching, which improves header matching efficiency.
To facilitate understanding, the present application provides a network intrusion detection method, including:
301. extracting packet head fields of the data packets to combine into an N-tuple, performing packet head matching detection according to the N-tuple and a preset rule base, and performing packet load detection if matching is successful;
302. compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value;
303. compiling the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to a threshold;
304. and when detecting the packet load of the data packet, carrying out DFA matching detection according to the DFA matching library, if the matching is successful, directly skipping NFA matching detection, and otherwise, carrying out NFA matching detection according to the NFA matching library.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for executing all or part of the steps of the method described in the embodiments of the present application through a computer device (which may be a personal computer, a server, or a network device). And the aforementioned storage medium includes: a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (6)

1. A network intrusion detection system, comprising: a packet header matching module, a packet load compiling module, a packet load matching module, a result processing module and an intrusion situation statistics module;
the packet header matching module is used for extracting packet header fields of the data packets to combine into N-tuple, dividing the N-tuple according to the fields, performing packet header matching detection on the divided fields and the corresponding fields of the preset rule base, and triggering the packet load matching module if matching is successful;
the packet load compiling module is used for compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value, sending the DFA matching library to the packet load matching module, compiling the packet load into an NFA matching library when the complexity of the data packet is higher than or equal to the threshold value, and sending the NFA matching library to the packet load matching module;
the packet load matching module is used for performing DFA matching detection according to the DFA matching library when packet load detection is performed on a data packet, directly skipping NFA matching detection if matching is successful, and performing NFA matching detection according to the NFA matching library if matching is not successful;
the result processing module is used for responding to the packet header matching module and the packet load matching module, performing corresponding policy processing on the data packet according to a preset policy library when matching is completed, reporting a 'miss' when neither DFA matching detection nor NFA matching detection succeeds, and performing the processing action that the preset policy library assigns to a 'miss';
and the intrusion situation counting module is used for counting intrusion detection situation data during intrusion detection and sending the data to an SDN control plane, wherein the intrusion detection situation data comprise an intrusion matching success rate and intrusion flow characteristics.
2. The network intrusion detection system of claim 1, further comprising: a preprocessing module;
the preprocessing module is used for separating the packet head and the packet load of the data packet.
3. The network intrusion detection system of claim 1, wherein the packet header includes: source address, destination address, and operation action.
4. The network intrusion detection system of claim 3, wherein the packet header further includes: source port, destination port, and protocol number.
5. The network intrusion detection system of claim 4, wherein the N-tuple is a 2-tuple, a 4-tuple or a 5-tuple.
6. A method for network intrusion detection, comprising:
extracting packet header fields of the data packets to combine into an N-tuple, dividing the N-tuple according to the fields, performing packet header matching detection on the divided fields and the fields corresponding to the preset rule base, and performing packet load detection if matching is successful;
compiling the packet load into a DFA matching library when the complexity of the data packet is lower than a threshold value;
compiling the packet load into an NFA matching library when the complexity of the data packet is greater than or equal to the threshold value;
when detecting the packet load of a data packet, carrying out DFA matching detection according to the DFA matching library, if the matching is successful, directly skipping NFA matching detection, otherwise, carrying out NFA matching detection according to the NFA matching library;
when matching is completed, performing corresponding policy processing on the data packet according to a preset policy library, and if neither DFA matching detection nor NFA matching detection succeeds, reporting a 'miss' and performing the processing action that the preset policy library assigns to a 'miss';
and when carrying out intrusion detection, counting intrusion detection situation data and sending the data to an SDN control plane, wherein the intrusion detection situation data comprise an intrusion matching success rate and intrusion flow characteristics.
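The pipeline of claims 1 and 6 (header N-tuple match, DFA-first payload match with NFA fallback, 'miss' policy, situation statistics) as an added worked example in Python; this is not the patent's code. The rule base, policy library, sample packets and the 5-tuple field names are constructed; the complexity measure (count of regex metacharacters) is applied to the rule patterns, which is one reading of the claim's "complexity of the data packet"; the DFA library is an Aho-Corasick automaton over literal patterns, Python's backtracking `re` engine stands in for the NFA library, and the report the statistics module would send to the SDN control plane is simply returned.

```python
"""Two-stage matcher in the shape of claims 1 and 6 (added illustration, not the patent's
code): header N-tuple match against a rule base, then payload matching with a DFA library
(literal patterns, Aho-Corasick automaton) first and an NFA library (regexes) on a DFA miss."""
from collections import Counter, deque
import re

HEADER_FIELDS = ("src", "dst", "sport", "dport", "proto")   # the 5-tuple of claim 4
META = set(".^$*+?{}[]\\|()")
COMPLEXITY_THRESHOLD = 1   # assumption: a pattern with any regex metacharacter goes to the NFA library

RULES = [   # constructed rule base: header constraints (absent field = wildcard) plus payload patterns
    {"id": "R1", "header": {"dport": 80, "proto": 6}, "payload": [b"/etc/passwd", b"UNION SELECT"]},
    {"id": "R2", "header": {"dport": 80, "proto": 6}, "payload": [rb"(?i)<script[^>]*>"]},
    {"id": "R3", "header": {"dport": 53, "proto": 17}, "payload": [rb"[a-z0-9]{40,}\."]},
]
POLICY = {"R1": "drop", "R2": "alert", "R3": "alert", "miss": "log"}   # constructed policy library

def complexity(pat):   # assumed measure: number of regex metacharacters in the pattern
    return sum(ch in META for ch in pat.decode("latin-1"))

class DFALibrary:
    """Aho-Corasick automaton: deterministic multi-pattern matcher for literal byte patterns."""
    def __init__(self, patterns):
        self.trans, self.out, self.fail = [{}], [set()], [0]   # per state: {byte: next}, outputs, failure link
        for pat in patterns:                                   # build the keyword trie
            s = 0
            for b in pat:
                if b not in self.trans[s]:
                    self.trans.append({}); self.out.append(set()); self.fail.append(0)
                    self.trans[s][b] = len(self.trans) - 1
                s = self.trans[s][b]
            self.out[s].add(pat)
        q = deque(self.trans[0].values())
        while q:                                               # breadth-first: failure links, merged outputs
            r = q.popleft()
            for b, s in self.trans[r].items():
                f = self.fail[r]
                while f and b not in self.trans[f]:
                    f = self.fail[f]
                self.fail[s] = self.trans[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                q.append(s)

    def scan(self, payload):
        s, hits = 0, set()
        for b in payload:                                      # one deterministic step per payload byte
            while s and b not in self.trans[s]:
                s = self.fail[s]
            s = self.trans[s].get(b, 0)
            hits |= self.out[s]
        return hits

def compile_rules(rules, threshold=COMPLEXITY_THRESHOLD):
    """Packet load compiling step: route each pattern to the DFA or the NFA library by complexity."""
    owners = {}                                                # pattern -> ids of the rules carrying it
    for r in rules:
        for pat in r["payload"]:
            owners.setdefault(pat, set()).add(r["id"])
    dfa = DFALibrary([p for p in owners if complexity(p) < threshold])
    nfa = [(p, re.compile(p)) for p in owners if complexity(p) >= threshold]  # re stands in for the NFA (assumption)
    return dfa, nfa, owners

def header_match(pkt, rules):
    """Packet header matching step: compare the N-tuple field by field with each rule."""
    ntuple = {f: pkt[f] for f in HEADER_FIELDS}
    return {r["id"] for r in rules if all(ntuple[k] == v for k, v in r["header"].items())}

class Engine:
    def __init__(self, rules=RULES, policy=POLICY):
        self.rules, self.policy = rules, policy
        self.dfa, self.nfa, self.owners = compile_rules(rules)
        self.stats, self.flows = Counter(), Counter()          # intrusion situation counters

    def inspect(self, pkt):
        self.stats["packets"] += 1
        cands = header_match(pkt, self.rules)
        if not cands:                                          # header miss: payload detection is not triggered
            return {"rule": None, "stage": "header", "action": "pass"}
        payload, owned = pkt["payload"], lambda pats: {rid for p in pats for rid in self.owners[p]}
        hits, stage = owned(self.dfa.scan(payload)) & cands, "dfa"
        if not hits:                                           # DFA miss: fall back to the NFA library
            hits, stage = owned(p for p, rx in self.nfa if rx.search(payload)) & cands, "nfa"
        if not hits:                                           # both libraries miss: apply the 'miss' policy
            return {"rule": None, "stage": "miss", "action": self.policy["miss"]}
        rule = min(hits)
        self.stats["matches"] += 1
        self.flows[(pkt["src"], pkt["dst"], pkt["proto"])] += 1
        return {"rule": rule, "stage": stage, "action": self.policy[rule]}

    def situation_report(self):                                # what the statistics module would send to the SDN control plane
        pkts = self.stats["packets"]
        return {"match_rate": self.stats["matches"] / pkts if pkts else 0.0,
                "top_flows": self.flows.most_common(3)}

SAMPLE_PACKETS = [   # constructed sample packets (RFC 5737 documentation addresses)
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40001, "dport": 80, "proto": 6, "payload": b"GET /etc/passwd HTTP/1.1\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "sport": 40002, "dport": 80, "proto": 6, "payload": b"POST /search q=<SCRIPT src=x>"},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "sport": 5353, "dport": 53, "proto": 17, "payload": b"\x00\x01" + b"q" * 50 + b".example.test"},
    {"src": "192.0.2.13", "dst": "198.51.100.5", "sport": 40003, "dport": 80, "proto": 6, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "192.0.2.14", "dst": "198.51.100.5", "sport": 40004, "dport": 22, "proto": 6, "payload": b"SSH-2.0-client\r\n"},
]

def run_samples():
    eng = Engine()
    return [eng.inspect(p) for p in SAMPLE_PACKETS], eng.situation_report()
```

Running `run_samples()` exercises every branch of the claims: the first packet is settled by the DFA library alone (NFA skipped), the second and third need the NFA fallback, the fourth misses both libraries and receives the 'miss' policy, and the fifth never reaches payload detection because its header matches no rule. The 5-tuple is built once per packet and compared field by field, which is why the header stage is cheap enough to gate the more expensive payload stage, and the failure-link automaton gives the DFA stage a fixed cost per payload byte regardless of how many literal patterns the rule base holds.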
CN202010005839.XA 2020-01-03 2020-01-03 Network intrusion detection system and method Active CN111031073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010005839.XA CN111031073B (en) 2020-01-03 2020-01-03 Network intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010005839.XA CN111031073B (en) 2020-01-03 2020-01-03 Network intrusion detection system and method

Publications (2)

Publication Number Publication Date
CN111031073A CN111031073A (en) 2020-04-17
CN111031073B true CN111031073B (en) 2021-10-19

Family

ID=70198396

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010005839.XA Active CN111031073B (en) 2020-01-03 2020-01-03 Network intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN111031073B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351002B (en) * 2020-10-21 2022-04-26 新华三信息安全技术有限公司 Message detection method, device and equipment
CN112464047B (en) * 2020-11-06 2021-07-02 广州竞远安全技术股份有限公司 Optimization system and method for NIDS device adopting hybrid matching engine
CN112565271B (en) * 2020-12-07 2022-09-02 瑞数信息技术(上海)有限公司 Web attack detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360088A (en) * 2007-07-30 2009-02-04 华为技术有限公司 Regular expression compiling, matching system and compiling, matching method
CN101645069A (en) * 2008-08-04 2010-02-10 中国科学院计算机网络信息中心 Regular expression storage compacting method in multi-mode matching
CN101841546A (en) * 2010-05-17 2010-09-22 华为技术有限公司 Rule matching method, device and system
CN105791045A (en) * 2014-12-26 2016-07-20 中国科学院声学研究所 Depth packet detection method and system for parallel data flows
CN108200086A (en) * 2018-01-31 2018-06-22 四川九洲电器集团有限责任公司 A kind of express network Packet Filtering device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685254B2 (en) * 2003-06-10 2010-03-23 Pandya Ashish A Runtime adaptable search processor
CN102075511B (en) * 2010-11-01 2014-05-14 北京神州绿盟信息安全科技股份有限公司 Data matching equipment and method as well as network intrusion detection equipment and method
US9398033B2 (en) * 2011-02-25 2016-07-19 Cavium, Inc. Regular expression processing automaton
CN102201948B (en) * 2011-05-27 2013-09-18 北方工业大学 Quick matching method for network intrusion detection system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360088A (en) * 2007-07-30 2009-02-04 华为技术有限公司 Regular expression compiling, matching system and compiling, matching method
CN101645069A (en) * 2008-08-04 2010-02-10 中国科学院计算机网络信息中心 Regular expression storage compacting method in multi-mode matching
CN101841546A (en) * 2010-05-17 2010-09-22 华为技术有限公司 Rule matching method, device and system
CN105791045A (en) * 2014-12-26 2016-07-20 中国科学院声学研究所 Depth packet detection method and system for parallel data flows
CN108200086A (en) * 2018-01-31 2018-06-22 四川九洲电器集团有限责任公司 A kind of express network Packet Filtering device

Also Published As

Publication number Publication date
CN111031073A (en) 2020-04-17

Similar Documents

Publication Publication Date Title
CN111031073B (en) Network intrusion detection system and method
US8510830B2 (en) Method and apparatus for efficient netflow data analysis
US20220368703A1 (en) Method and device for detecting security based on machine learning in combination with rule matching
CN108701187B (en) Apparatus and method for hybrid hardware-software distributed threat analysis
US8079083B1 (en) Method and system for recording network traffic and predicting potential security events
CN109617931B (en) DDoS attack defense method and system of SDN controller
US8638793B1 (en) Enhanced parsing and classification in a packet processor
US9825841B2 (en) Method of and network server for detecting data patterns in an input data stream
US9589073B2 (en) Systems and methods for keyword spotting using adaptive management of multiple pattern matching algorithms
US10104043B2 (en) Method and system for analyzing a data flow
US10567426B2 (en) Methods and apparatus for detecting and/or dealing with denial of service attacks
EP2434689A1 (en) Method and apparatus for detecting message
KR20120071122A (en) Apparatus for analizing traffic
CN107608852A (en) A kind of process monitoring method and device
CN106534068B (en) Method and device for cleaning counterfeit source IP in DDOS defense system
WO2020103574A1 (en) Message processing method and device, and storage medium
Celesova et al. Enhancing security of SDN focusing on control plane and data plane
US20220295283A1 (en) Apparatus and method for traffic security processing in 5g mobile edge computing slicing service
CN113630420A (en) SDN-based DDoS attack detection method
CN116915450A (en) Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
CN114297010A (en) Service board card detection method and device
CN112104628B (en) Adaptive feature rule matching real-time malicious flow detection method
CN113645188A (en) Data packet fast forwarding method based on security association
KR102285661B1 (en) Appatus and method of load balancing in intrusion dectection system
CN115987684B (en) Distributed denial of service DDoS defense system, method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant