CN112532598B - Filtering method for real-time intrusion detection system - Google Patents


Info

Publication number: CN112532598B (granted patent; earlier publication CN112532598A; application number CN202011304350.9A)
Authority: CN (China)
Prior art keywords: hash, user, bloom filter, users, hash function
Legal status: Active
Other languages: Chinese (zh)
Inventors: 郑嘉琦, 戴海鹏, 陈贵海, 谢榕彪, 李猛
Assignee (current and original): Nanjing University
Priority date and filing date: 2020-11-19 (priority to CN202011304350.9A)
Events: application filed by Nanjing University; publication of CN112532598A; application granted; publication of CN112532598B; legal status active

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • H04L63/0227 Filtering policies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/101 Access control lists [ACL] (under H04L63/10, controlling access to devices or network resources)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)

Abstract

The invention discloses a filtering method for a real-time intrusion detection system, comprising the following steps: constructing a whitelist and a blacklist; assessing risk loss; and constructing and deploying the filter. Filter construction allocates an initial hash function set with which whitelist users are inserted into a bloom filter; then, using the blacklist users and their respective hazard degrees, it adaptively adjusts the hash function sets of individual whitelist users so that blacklist users with a high hazard degree have a higher probability of being intercepted; it stores the adjusted hash function sets in a preset hash formulator (also rendered as "hash expression device"); and it inserts each whitelist user into the bloom filter with that user's hash function set. The bloom filter combined with the hash formulator forms the hash-adaptive bloom filter, which is deployed to the detection system. The invention is space-efficient and fast to query, effectively reduces the system loss caused by blacklist users, provides a theoretical performance guarantee, and can be applied to applications involving real-time intrusion detection.

Description

Filtering method for real-time intrusion detection system
Technical Field
The invention relates to the technical field of network intrusion prevention and detection, in particular to a filtering method for a real-time intrusion detection system.
Background
In recent years, with the rapid development and adoption of the internet, network attacks and fraudulent activities have increased, greatly raising the risk that existing network service systems are compromised. In high-speed network environments in particular, real-time processing systems cannot intercept accurately, because whether an accessing user has malicious intent must be decided very quickly. For example, peak distributed denial-of-service (DDoS) attack traffic sets new records every year: an attacker disguises a large number of high-frequency malicious requests as normal requests to the victim's machine, and the excessive service load brings the victim's servers down. In 2016, five Russian banks suffered distributed denial-of-service attacks that took their services offline, and the dynamic DNS provider Dyn DNS in the United States was attacked, taking down half of the internet services in the United States.
Some recent research has focused on real-time intrusion detection, but that work concentrates on two aspects: (1) passive detection, which raises an alarm after the intrusion has occurred and tries to reduce the system loss as much as possible; and (2) large sets of filtering rules that are checked one by one. At present, most network applications establish an intrusion prevention and detection system to keep malicious intruders from entering and damaging the system; usually a whitelist is maintained and the system only admits users on that list. In real-time intrusion detection, the detection system must not only give an accurate result for every accessing user but also decide as fast as possible. In a high-speed network environment the volume of data to be analysed is very large, so existing intrusion detection research finds it difficult to guarantee real-time performance and accuracy at the same time, and cannot reduce system risk and power consumption while still checking every accessing user quickly. No prior work addresses the objective proposed in the present invention.
Therefore, those skilled in the art need to solve the problem of providing a novel, efficient filtering method for a real-time intrusion detection system that reduces the storage space of the filter while preserving the accuracy with which malicious attacks are detected.
Disclosure of Invention
To address the defects in the prior art, the invention provides a filtering method for a real-time intrusion detection system. It first proposes a system model for real-time intrusion detection based on a bloom filter, and then a novel, efficient bloom filter that is optimized using the blacklist and a loss assessment; the core idea is to select adaptively the hash function set used for each user. The novel filter is space-efficient and fast to query, effectively reduces the system loss caused by blacklist users, provides a theoretical performance guarantee, and can be applied to applications involving real-time intrusion detection.
In order to achieve the purpose, the invention adopts the following technical scheme:
A filtering method for a real-time intrusion detection system, comprising the following steps:
S1, constructing a whitelist and a blacklist: collecting the lists of users that the detection system allows to access and forbids from accessing, and defining them as whitelist users and blacklist users respectively;
S2, risk loss assessment: evaluating the degree of damage the system may suffer when a blacklist user is not intercepted;
S3, filter construction and deployment:
S31, assigning whitelist users an initial hash function set for insertion into the bloom filter;
S32, adaptively adjusting the hash function sets of whitelist users using the blacklist users and their corresponding hazard degrees, so that blacklist users with a high hazard degree have a higher probability of being intercepted;
S33, storing the adjusted hash function sets in a preset hash formulator, which is a hash table made up of tuples, each tuple holding an identifier and a hash index, both initialized to 0;
S34, inserting each whitelist user into the bloom filter with its hash function set, combining the bloom filter with the hash formulator to obtain the hash-adaptive bloom filter, and deploying the hash-adaptive bloom filter to the detection system.
In order to optimize the technical scheme, the specific measures adopted further comprise:
further, in step S1, the blacklisted users are set by the administrator and/or collected through log records.
Further, in step S2, the evaluation of the possible damage to the system when the blacklisted user is not intercepted is:
and comprehensively evaluating by combining the blacklist users and the system running state to obtain the hazard degree of each blacklist user.
Further, in step S31, the process of assigning the initial hash function set for inserting the bloom filter to the white list user includes the following steps:
constructing a bloom filter, wherein the bloom filter is a one-dimensional hash table and consists of m bits, and each bit consists of 0 or 1;
for each inserted white list user, k bits are obtained by using k hash functions, and the k bits are set to 1, so that the initialization of the bloom filter is completed.
Further, in step S32, adaptively adjusting the hash function sets of whitelist users using the blacklist users and their corresponding hazard degrees, so that blacklist users with a high hazard degree have a higher probability of being intercepted, comprises the following steps:
S321, using the initialized bloom filter, constructing a collision queue of the blacklist users that are mistaken for whitelist users, sorted in descending order of the assessed hazard degree;
S322, defining a hash distribution as an index structure that records, for each bit of the bloom filter, the users mapped onto that bit; it consists of a number of buckets, each corresponding to the bit at the same position and storing the identifiers of the users hashed to that bit; initializing two hash distributions, one for the whitelist users and one for the blacklist users that did not collide;
S323, for each user e_ck of the blacklist collision queue, mapping it into the whitelist hash distribution with the initial hash function set and, in one of the buckets it lands in, taking a whitelist user e_s whose hash function h_i maps it to that bucket; mapping e_s into the non-collided blacklist hash distribution with the candidate hash function set and performing collision detection on each bucket, that is, checking whether replacing h_i with the candidate hash function that maps e_s to that bucket would cause a previously non-collided blacklist user to collide and thereby escape interception; if there is a bucket without such a collision, h_i is replaced successfully;
S324, storing the adjusted hash function set of e_s in the predefined hash formulator: when inserting e_s together with its hash function set, e_s is mapped to the first tuple by a uniform entry hash function, one hash function of the set is inserted there, the inserted hash function is used to jump to the next tuple where insertion continues, and once the whole hash function set of e_s has been inserted the last tuple is marked with 1 to indicate that e_s was inserted successfully;
S325, when a user in the collision queue has been optimized successfully, inserting that user into the non-collided blacklist hash distribution, and updating the whitelist hash distribution and the bloom filter according to the adjusted hash function sets of the whitelist users;
S326, storing the optimized bloom filter and hash formulator and then deploying them.
Further, the filtering method further comprises the following steps:
S4, calculating, according to the following formulas, the probability P_habf that a blacklist user is successfully intercepted and the probability P'_c that a blacklist user in the collision queue can be successfully optimized, and verifying the optimized bloom filter and hash formulator:
[The formulas for P_habf, P'_c and P_bf are images in the original (BDA0002787863880000031, BDA0002787863880000032, BDA0002787863880000033) and were not extracted.]
where m is the number of bits of the given hash-adaptive bloom filter, n is the number of whitelist users, o is the number of blacklist users, k is the number of hash functions, l is the number of candidate hash function sets, and P_bf is the probability that a blacklist user is successfully intercepted by the initialized bloom filter.
Further, the process by which the detection system uses the hash-adaptive bloom filter to check a user requesting access comprises the following steps:
S51, receiving a user access request;
S52, checking in the bloom filter, with the initial hash function set, whether the user may access the system; if access is allowed, letting the user access the system normally and ending the process, otherwise going to step S53;
S53, obtaining the user's new hash function set from the hash formulator and checking again; if the filter allows entry, letting the user access the system normally, otherwise intercepting the user's access request.
The invention has the beneficial effects that:
1. it is proposed to use bloom filters to speed up intrusion detection and reduce the footprint of the filter.
2. Hash-adaptive bloom filter technology is proposed to reduce the system risk loss brought by blacklist users.
3. The accuracy of detecting white-listed and black-listed users is derived.
4. Experiments on real data sets show that the method of the invention is at least 11 times higher in accuracy than the comparison algorithm and at least 90 times lower in system threat level than the comparison algorithm.
Drawings
Fig. 1 is a schematic architecture diagram of a filtering method for a real-time intrusion detection system according to the present invention.
FIG. 2 is a schematic diagram of the process of entering a bloom filter by a white list user according to the present invention.
FIG. 3 is a schematic diagram of hash adaptive bloom filter optimization according to the present invention.
FIG. 4 is a schematic of the filter deployment of the present invention.
Detailed Description
The present invention will now be described in further detail with reference to the accompanying drawings.
It should be noted that terms such as "upper", "lower", "left", "right", "front" and "back" are used in the present invention only for clarity of description and are not intended to limit its scope; the relative relationships they denote may change without altering the technical content in substance.
The invention provides a filtering method for a real-time intrusion detection system, which comprises the following steps:
S1, constructing a whitelist and a blacklist: collecting the lists of users that the detection system allows to access and forbids from accessing, and defining them as whitelist users and blacklist users respectively.
S2, risk loss assessment: evaluating the degree of damage to the system when a blacklist user is not intercepted.
S3, filter construction and deployment:
S31, assigning whitelist users an initial hash function set for insertion into the bloom filter.
S32, adaptively adjusting the hash function sets of whitelist users using the blacklist users and their corresponding hazard degrees, so that blacklist users with a high hazard degree have a higher probability of being intercepted.
S33, storing the adjusted hash function sets in a preset hash formulator, which is a hash table made up of tuples, each tuple holding an identifier and a hash index, both initialized to 0.
S34, inserting each whitelist user into the bloom filter with its hash function set, combining the bloom filter with the hash formulator to obtain the hash-adaptive bloom filter, and deploying the hash-adaptive bloom filter to the detection system.
The invention aims to provide a novel, efficient filtering method for a real-time intrusion detection system. It designs a system model for real-time intrusion detection based on a bloom filter, uses the bloom filter to raise detection speed and shrink the model's space, and uses a hash-adaptive bloom filter to optimize the system risk loss that the bloom filter may otherwise introduce. Specifically: 1. a system model for overall detection and filtering is designed; 2. a bloom filter is used to accelerate detection and reduce the space occupied by the filter; 3. a hash-adaptive bloom filter is proposed to optimize the system risk loss brought by blacklist users; 4. the whole process is modelled and the accuracy of detecting whitelist and blacklist users is analysed theoretically.
The system architecture of the invention is shown in Fig. 1: when a user accesses the system, the hash-adaptive bloom filter decides whether the user may enter. The invention constructs the hash-adaptive bloom filter in three stages: a whitelist and blacklist construction stage, a risk assessment stage, and a filter construction and deployment stage. The filter construction and deployment stage is subdivided into three steps: filter initialization, filter risk optimization and filter deployment.
Step 1: white list and black list construction stage
In the whitelist and blacklist construction stage, a set of whitelist and blacklist users is maintained for the system. Whitelist users are the system's normal accessing users and are allowed to enter. Blacklist users are accessing users that the system has determined to be malicious and that must be intercepted; they may be set by an administrator or collected from log records.
Step 2: risk assessment phase
After the whitelist and blacklist have been built, the hazard degree of each blacklist user is assessed, that is, the risk loss the whole system would suffer if that blacklist user got in. An administrator can assess this by combining the blacklist user with the system's running state. The higher a blacklist user's hazard degree, the higher the filter's interception success rate for that user should be, and the lower the system's risk.
And step 3: filter build and deployment phase
In the filter construction and deployment stage, the initial hash function set is not used directly; instead the hash function set adjusted according to the overall hazard degree of the system is used, and each query of the bloom filter for a user uses that user's adjusted hash function set.
When the hash function sets of whitelist users are adjusted in this stage, both the overall system hazard brought by blacklist users and the space used by the filter must be reduced; in particular, the storage space is optimized with a greedy selection algorithm.
Step 3.1: filter initialization
After the list construction and risk assessment stages are complete, the whitelist users are inserted into the bloom filter. A bloom filter is essentially a one-dimensional hash table of m bits, each 0 or 1. For each inserted whitelist user, k bit positions are obtained with k hash functions (equivalently, a hash function set of size k) and those bits are set to 1. The insertion process is shown in Fig. 2.
Following this insertion process, the filter initialization phase is complete once all whitelist users have been inserted into the bloom filter. To query a user, the bloom filter obtains k bits with the hash function set and checks whether all of them are 1; if so, the user is treated as a whitelist user, otherwise as a blacklist user. Note that the bloom filter uses the same hash function set for all users and that hash collisions occur, so when a blacklist user is queried, the bits its hash function set maps to may all have been set by inserted whitelist users; the blacklist user is then judged to be a whitelist user and interception fails.
Given a bloom filter of m bits, n whitelist users and k hash functions, the probability that a blacklist user is successfully intercepted is:
[The formula is an image in the original (BDA0002787863880000051) and was not extracted.]
step 3.2: filter risk optimization
In order to increase the probability of successful interception of blacklisted users and reduce the risk loss of the system as much as possible, a hash adaptive bloom filter is proposed. As shown in fig. 3, the specific optimization process is as follows:
(1) Using the initialized bloom filter, construct the collision queue of blacklist users that are mistaken for whitelist users, sorted in descending order of the hazard degree assessed in stage 2.
(2) A hash distribution is defined as an index structure that records, for each bit of the bloom filter, the users mapped onto that bit; it consists of buckets, each corresponding to the bit at the same position and storing the identifiers of the users hashed to that bit. Two hash distributions are initialized, one for whitelist users and one for blacklist users that did not collide.
(3) For each user e_ck of the blacklist collision queue, map it into the whitelist hash distribution with the initial hash function set and, in one of the buckets it lands in, take a whitelist user e_s whose hash function h_i maps it to that bucket. Map e_s into the non-collided blacklist hash distribution with the candidate hash function set and perform collision detection on each bucket, that is, check whether replacing h_i with the candidate hash function that maps e_s to that bucket would cause a previously non-collided blacklist user to collide and escape interception. If there is a bucket without such a collision, h_i is replaced successfully.
(4) Store the adjusted hash function set of e_s in the defined hash formulator, which is essentially a hash table made up of tuples, each holding an identifier and a hash index, all initialized to 0. When inserting e_s with its hash function set, e_s is mapped to the first tuple by a uniform entry hash function, one hash function of the set is inserted there, the inserted hash function is used to jump to the next tuple where insertion continues, and once the whole hash function set of e_s has been inserted the last tuple is marked with 1 to indicate that e_s was inserted successfully.
(5) When a user in the collision queue has been optimized successfully, insert it into the non-collided blacklist hash distribution, and update the whitelist hash distribution and the bloom filter according to the adjusted hash function sets of the whitelist users. Finally, store the optimized bloom filter and hash formulator and deploy them.
FIG. 3 is a schematic diagram of hash adaptive bloom filter optimization.
Because the hash-adaptive bloom filter only re-optimizes the blacklist users that the plain bloom filter failed to intercept, its interception success rate is never lower than that of the bloom filter. The lower bound on the probability that a blacklist user is successfully intercepted by the hash-adaptive bloom filter is given by Equation 3.1.1.
Equation 3.1.1: given a hash-adaptive bloom filter of m bits, n whitelist users, o blacklist users and k hash functions, the probability that a blacklist user is successfully intercepted is:
[The formula is an image in the original (BDA0002787863880000061) and was not extracted.]
where P'_c is given by Equation 3.1.2.
Equation 3.1.2: given a hash-adaptive bloom filter of m bits, n whitelist users, o blacklist users, k hash functions and l candidate hash function sets, the probability that a blacklist user in the collision queue can be successfully optimized is:
[The formula is an image in the original (BDA0002787863880000062) and was not extracted.]
step 3.3: filter deployment
After the filter risk optimization stage, the optimized bloom filter and hash formulator are deployed, as shown by the dashed box in Fig. 4. Because the hash formulator stores only the hash function sets that were adjusted, and most users' hash function sets are not adjusted, an accessing user is first checked on the bloom filter with the initial hash function set; if allowed, the user accesses the system normally. Otherwise the hash formulator supplies the user's new hash function set and the check is repeated: if the filter allows entry, the user still accesses the system normally, otherwise the filter intercepts the user's access request. Fig. 4 is a schematic of the filter deployment.
This deployment ensures that whitelist users can still enter the system normally, while the risk from blacklist users is greatly reduced after the filter risk optimization stage.
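Steps 3.1 to 3.3 above (initialization, risk optimization, deployment query) as an added Python example. This is not the patent's own code and simplifies it in labelled places: the hash functions are a salted SHA-256 family (the patent does not specify its family), the hash formulator is a plain dictionary keyed by user identifier rather than the patent's tuple chain with an entry hash function, a whitelist mapping is only moved when it is the sole mapping onto the bit (so that the bit actually clears), and collision detection re-checks the non-collided blacklist users directly instead of going through a second hash distribution. The user names and hazard scores are constructed.

```python
"""Hash-adaptive bloom filter (HABF) walkthrough: initialize with the whitelist,
optimize per-user hash function sets against a hazard-ranked blacklist, then run
the two-stage deployment query.  Hash family, users and hazards are constructed."""
import hashlib
from collections import defaultdict


def hfun(user, idx, m):
    """Hash function number `idx` of a salted SHA-256 family, mapped to [0, m).
    Stand-in for the patent's unspecified hash functions (assumption)."""
    digest = hashlib.sha256(f"{idx}|{user}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % m


class HABF:
    def __init__(self, m, k, l):
        self.m = m
        self.initial = list(range(k))              # initial hash function set (size k)
        self.candidates = list(range(k, k + l))    # l candidate hash functions
        self.hash_sets = {}     # whitelist user -> hash function set currently in use
        self.formulator = {}    # adjusted sets only; a dict stands in for the patent's
                                # tuple-chain hash formulator (assumption)
        self.bits = [0] * m

    def positions(self, user, hset):
        return [hfun(user, i, self.m) for i in hset]

    def _bits_for(self, hash_sets):
        bits = [0] * self.m
        for user, hset in hash_sets.items():
            for p in self.positions(user, hset):
                bits[p] = 1
        return bits

    def _initial_pass(self, user, bits):
        """Plain bloom filter membership check with the initial hash function set."""
        return all(bits[p] for p in self.positions(user, self.initial))

    # Step 3.1: insert every whitelist user with the initial hash function set.
    def initialize(self, whitelist):
        self.hash_sets = {u: list(self.initial) for u in whitelist}
        self.bits = self._bits_for(self.hash_sets)

    # Step 3.3: deployment query, initial set first, then the formulator's adjusted set.
    def query(self, user):
        if self._initial_pass(user, self.bits):
            return True
        adjusted = self.formulator.get(user)
        return adjusted is not None and all(self.bits[p] for p in self.positions(user, adjusted))

    # Step 3.2: walk the hazard-ranked collision queue and, for each collided blacklist
    # user, move one whitelist mapping off a shared bit onto a candidate hash function.
    def optimize(self, blacklist, hazard):
        queue = [b for b in blacklist if self._initial_pass(b, self.bits)]      # false positives
        queue.sort(key=lambda b: hazard[b], reverse=True)                       # highest hazard first
        safe = [b for b in blacklist if not self._initial_pass(b, self.bits)]   # non-collided
        fixed = []
        for e_ck in queue:
            if self._initial_pass(e_ck, self.bits) and not self._reassign(e_ck, safe):
                continue            # no candidate worked: e_ck stays a false positive
            safe.append(e_ck)       # intercepted now; protect it in later collision checks
            fixed.append(e_ck)
        return fixed

    def _reassign(self, e_ck, safe):
        # whitelist hash distribution: bit -> [(whitelist user, hash index)] for current sets
        white_dist = defaultdict(list)
        for user, hset in self.hash_sets.items():
            for i in hset:
                white_dist[hfun(user, i, self.m)].append((user, i))
        for bit in self.positions(e_ck, self.initial):
            owners = white_dist[bit]
            if len(owners) != 1:    # assumption: only a bit owned by exactly one whitelist
                continue            # mapping is cleared by moving that mapping away
            e_s, h_i = owners[0]
            for h_c in self.candidates:
                if h_c in self.hash_sets[e_s]:
                    continue
                trial = dict(self.hash_sets)
                trial[e_s] = [h_c if i == h_i else i for i in self.hash_sets[e_s]]
                bits = self._bits_for(trial)
                # collision detection: the move must intercept e_ck and must not turn any
                # currently intercepted blacklist user into a new false positive
                if self._initial_pass(e_ck, bits) or any(self._initial_pass(b, bits) for b in safe):
                    continue
                self.hash_sets = trial
                self.formulator[e_s] = list(trial[e_s])
                self.bits = bits
                return True
        return False


def demo(m=64, k=2, l=6):
    """Constructed data: 40 whitelist users, 30 blacklist users with hazard scores 1..10.
    Returns the filter plus the intercepted blacklist sets before and after optimization."""
    whitelist = [f"user{i:03d}" for i in range(40)]
    blacklist = [f"bot{i:03d}" for i in range(30)]
    hazard = {b: (7 * i) % 10 + 1 for i, b in enumerate(blacklist)}
    f = HABF(m, k, l)
    f.initialize(whitelist)
    before = {b for b in blacklist if not f.query(b)}
    fixed = f.optimize(blacklist, hazard)
    after = {b for b in blacklist if not f.query(b)}
    return f, whitelist, blacklist, before, after, fixed


if __name__ == "__main__":
    f, wl, bl, before, after, fixed = demo()
    print(f"whitelist admitted: {sum(f.query(u) for u in wl)}/{len(wl)}")
    print(f"blacklist intercepted: {len(before)}/{len(bl)} before, {len(after)}/{len(bl)} after")
    print(f"users with adjusted hash sets in the formulator: {len(f.formulator)}")
```

Running the file prints the admitted and intercepted counts before and after optimization. Two properties follow from the construction and are what a deployment should assert: every whitelist user still passes (a user whose set was adjusted fails the initial-set check and is then admitted through the formulator), and no blacklist user that the initialized filter already intercepted becomes a false positive, because every candidate move is rejected if it would re-admit one. The order of the collision queue matters: high-hazard users are handled first, so they get first pick of the candidate bits that are still free.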
The above is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above-mentioned embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may be made by those skilled in the art without departing from the principle of the invention.

Claims (5)

1. A filtering method for a real-time intrusion detection system, the filtering method comprising the steps of:
S1, constructing a whitelist and a blacklist: collecting the lists of users that the detection system allows to access and forbids from accessing, and defining them as whitelist users and blacklist users respectively;
S2, risk loss assessment: evaluating the degree of damage the system may suffer when a blacklist user is not intercepted;
S3, filter construction and deployment:
S31, assigning whitelist users an initial hash function set for insertion into the bloom filter;
S32, adaptively adjusting the hash function sets of whitelist users using the blacklist users and their corresponding hazard degrees, so that blacklist users with a high hazard degree have a higher probability of being intercepted;
S33, storing the adjusted hash function sets in a preset hash formulator, which is a hash table made up of tuples, each tuple holding an identifier and a hash index, both initialized to 0;
S34, inserting each whitelist user into the bloom filter with its hash function set, combining the bloom filter with the hash formulator to obtain the hash-adaptive bloom filter, and deploying the hash-adaptive bloom filter to the detection system;
in step S31, the process of assigning an initial set of hash functions for inserting a bloom filter to a white list user includes the following steps:
constructing a bloom filter, wherein the bloom filter is a one-dimensional hash table and consists of m bits, and each bit consists of 0 or 1;
for each inserted white list user, k bits are obtained by using k hash functions, and the k bits are set to be 1, so that the initialization of the bloom filter is completed;
in step S32, adaptively adjusting the hash function sets of whitelist users using the blacklist users and their corresponding hazard degrees, so that blacklist users with a high hazard degree have a higher probability of being intercepted, comprises the following steps:
S321, using the initialized bloom filter, constructing a collision queue of the blacklist users that are mistaken for whitelist users, sorted in descending order of the assessed hazard degree;
S322, defining a hash distribution as an index structure that records, for each bit of the bloom filter, the users mapped onto that bit; it consists of a number of buckets, each corresponding to the bit at the same position and storing the identifiers of the users hashed to that bit; initializing two hash distributions, one for the whitelist users and one for the blacklist users that did not collide;
S323, for each user e_ck of the blacklist collision queue, mapping it into the whitelist hash distribution with the initial hash function set and, in one of the buckets it lands in, taking a whitelist user e_s whose hash function h_i maps it to that bucket; mapping e_s into the non-collided blacklist hash distribution with the candidate hash function set and performing collision detection on each bucket, that is, checking whether replacing h_i with the candidate hash function that maps e_s to that bucket would cause a previously non-collided blacklist user to collide and thereby escape interception; if there is a bucket without such a collision, h_i is replaced successfully;
S324, storing the adjusted hash function set of e_s in the predefined hash formulator: when inserting e_s together with its hash function set, e_s is mapped to the first tuple by a uniform entry hash function, one hash function of the set is inserted there, the inserted hash function is used to jump to the next tuple where insertion continues, and once the whole hash function set of e_s has been inserted the last tuple is marked with 1 to indicate that e_s was inserted successfully;
S325, when a user in the collision queue has been optimized successfully, inserting that user into the non-collided blacklist hash distribution, and updating the whitelist hash distribution and the bloom filter according to the adjusted hash function sets of the whitelist users;
S326, storing the optimized bloom filter and hash formulator and then deploying them.
2. The filtering method for a real-time intrusion detection system according to claim 1, wherein in step S1 the blacklist users are set by an administrator and/or collected through log recording.
3. The filtering method for a real-time intrusion detection system according to claim 1, wherein in step S2 the evaluation of the possible damage to the system if a blacklist user is not intercepted is:
a comprehensive evaluation combining the blacklist users with the system running state, yielding the hazard degree of each blacklist user.
4. The filtering method for a real-time intrusion detection system according to claim 1, wherein the filtering method further comprises the step of:
S4, calculating, according to the following formulas, the probability P_habf of successfully intercepting a blacklist user and the probability P'_c that the blacklist users in the collision queue can be successfully optimized, and verifying the optimized bloom filter and hash expression device:
Figure FDA0003143171510000021
Figure FDA0003143171510000022
Figure FDA0003143171510000023
where m is the number of bits of the given hash adaptive bloom filter, n is the number of whitelist users, o is the number of blacklist users, k is the number of hash functions, l is the number of candidate hash function sets, and P_bf is the probability that a blacklist user is successfully intercepted by the initialized bloom filter.
5. The filtering method for a real-time intrusion detection system according to claim 1, wherein the process by which the detection system checks a user requesting access with the hash adaptive bloom filter comprises the following steps:
S51, receiving a user access request;
S52, judging with the initial hash function set in the bloom filter whether the user may access the system; if access is allowed, allowing the user to access the system normally and ending the process, otherwise going to step S53;
S53, giving the user a new hash function set from the hash expression device and judging again; if the filter allows access, allowing the user to access the system normally, otherwise intercepting the user's access request.
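The build procedure of steps S322 to S326 and the query procedure of claim 5, as an added worked example that is not the patent's own code. It assumes a constructed hash family (SHA-256 with a per-function seed), replaces the tuple-chained hash expression device with a plain per-user dictionary of adjusted hash function ids, and uses constructed user ids w0..w9 (whitelist) and b0..b199 (blacklist). Collision detection is done the conservative way: after a tentative replacement the filter is rebuilt and every already-intercepted blacklist user is re-checked.

```python
"""Added example: simplified hash-adaptive Bloom filter (HABF), not the patent's code.
Whitelist users are inserted with the initial hash set; blacklist users the filter
would admit form the collision queue; for each, one whitelist user sharing a bit has
one hash function swapped for a candidate so the blacklist user is rejected, and the
adjusted hash set is kept per user (stand-in for the hash expression device)."""
import hashlib
from collections import defaultdict


def make_hash(seed: int, m: int):
    """Constructed hash family: h_seed maps a user id to a bit position in [0, m)."""
    def h(user: str) -> int:
        digest = hashlib.sha256(f"{seed}:{user}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % m
    return h


class HashAdaptiveBloomFilter:
    def __init__(self, m: int, k: int, l: int):
        self.m = m
        self.initial = list(range(k))              # initial hash function ids (k of them)
        self.candidates = list(range(k, k + l))    # l candidate hash function ids
        self.funcs = {i: make_hash(i, m) for i in range(k + l)}
        self.bits = [0] * m
        self.expressor = {}      # whitelist user -> adjusted hash id list (S324)
        self.whitelist = []
        self.noncollided = []    # blacklist users the filter already intercepts
        self.white_dist = defaultdict(set)  # bit -> {(whitelist user, hash id)} (S322)

    def hash_set(self, user):
        return self.expressor.get(user, self.initial)

    def positions(self, user, ids):
        return [self.funcs[i](user) for i in ids]

    def passes(self, user, ids):
        return all(self.bits[p] for p in self.positions(user, ids))

    def admitted(self, user):
        """Claim 5 query: S52 with the initial set, then S53 with the per-user set."""
        if self.passes(user, self.initial):
            return True
        ids = self.expressor.get(user)
        return ids is not None and self.passes(user, ids)

    def rebuild(self):
        """Recompute the bit array and whitelist hash distribution (S322 / S325)."""
        self.bits = [0] * self.m
        self.white_dist.clear()
        for u in self.whitelist:
            for i in self.hash_set(u):
                p = self.funcs[i](u)
                self.bits[p] = 1
                self.white_dist[p].add((u, i))

    def build(self, whitelist, blacklist):
        """Returns (collision queue, queue users that could not be optimized)."""
        self.whitelist = list(whitelist)
        self.rebuild()
        queue = [b for b in blacklist if self.passes(b, self.initial)]
        self.noncollided = [b for b in blacklist if b not in queue]
        failed = []
        for ec in queue:
            if self.resolve(ec):
                self.noncollided.append(ec)        # S325
            else:
                failed.append(ec)
        return queue, failed

    def resolve(self, ec):
        """S323 / S324: swap one hash function of a whitelist user sharing a bit with ec."""
        for p in self.positions(ec, self.initial):
            for es, hi in sorted(self.white_dist[p]):
                old = self.hash_set(es)
                for c in self.candidates:
                    if c in old:
                        continue
                    self.expressor[es] = [c if i == hi else i for i in old]
                    self.rebuild()
                    # collision detection: ec must now be intercepted and no
                    # already-intercepted blacklist user may slip through
                    if not self.admitted(ec) and not any(self.admitted(b) for b in self.noncollided):
                        return True
                    if old == self.initial:        # roll back the tentative replacement
                        del self.expressor[es]
                    else:
                        self.expressor[es] = old
                    self.rebuild()
        return False


def demo():
    """Constructed sample data: whitelist w0..w9, blacklist b0..b199."""
    habf = HashAdaptiveBloomFilter(m=64, k=3, l=5)
    whitelist = [f"w{i}" for i in range(10)]
    blacklist = [f"b{i}" for i in range(200)]
    queue, failed = habf.build(whitelist, blacklist)
    return habf, whitelist, blacklist, queue, failed


if __name__ == "__main__":
    habf, wl, bl, queue, failed = demo()
    print(f"collision queue {len(queue)}, unresolved {len(failed)}, adjusted whitelist users {len(habf.expressor)}")
    print("all whitelist admitted:", all(habf.admitted(u) for u in wl))
    print("blacklist intercepted:", sum(not habf.admitted(b) for b in bl), "of", len(bl))
```

Every whitelist user stays admitted (its own bits are set under whichever hash set it now carries), every blacklist user outside the unresolved list is intercepted, and the number of adjusted whitelist users never exceeds the number of resolved queue entries; which blacklist ids land in the queue depends on the constructed hash family.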
CN202011304350.9A 2020-11-19 2020-11-19 Filtering method for real-time intrusion detection system Active CN112532598B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011304350.9A CN112532598B (en) 2020-11-19 2020-11-19 Filtering method for real-time intrusion detection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011304350.9A CN112532598B (en) 2020-11-19 2020-11-19 Filtering method for real-time intrusion detection system

Publications (2)

Publication Number Publication Date
CN112532598A CN112532598A (en) 2021-03-19
CN112532598B true CN112532598B (en) 2021-10-26

Family

ID=74981316

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011304350.9A Active CN112532598B (en) 2020-11-19 2020-11-19 Filtering method for real-time intrusion detection system

Country Status (1)

Country Link
CN (1) CN112532598B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113329036B (en) * 2021-08-02 2021-11-05 南京大数据集团有限公司 Blacklist system working method
CN114547597B (en) * 2021-12-02 2023-03-31 四川大学 Industrial control intrusion detection method based on improved bloom filter
CN114244618B (en) * 2021-12-22 2023-11-10 北京天融信网络安全技术有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN116094748A (en) * 2022-11-23 2023-05-09 紫光云技术有限公司 Message signature interception system based on bloom filter

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101398820A (en) * 2007-09-24 2009-04-01 北京启明星辰信息技术有限公司 Large scale key word matching method
CN102110132A (en) * 2010-12-08 2011-06-29 北京星网锐捷网络技术有限公司 Uniform resource locator matching and searching method, device and network equipment
CN110768946A (en) * 2019-08-13 2020-02-07 中国电力科学研究院有限公司 Industrial control network intrusion detection system and method based on bloom filter
WO2020132854A1 (en) * 2018-12-25 2020-07-02 Paypal, Inc. Bloom filter whitelist and blacklist operations

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN101901248B (en) * 2010-04-07 2012-08-15 北京星网锐捷网络技术有限公司 Method and device for creating and updating Bloom filter and searching elements
CN101923568B (en) * 2010-06-23 2013-06-19 北京星网锐捷网络技术有限公司 Method for increasing and canceling elements of Bloom filter and Bloom filter
CN105187436B (en) * 2015-09-25 2019-03-08 中国航天科工集团第二研究院七〇六所 Packet-filtering host network control method based on hash table
US20170250998A1 (en) * 2016-02-29 2017-08-31 Snoopwall, Inc. Systems and methods of preventing infection or data leakage from contact with a malicious host system
US10275541B2 (en) * 2016-08-05 2019-04-30 Micron Technology, Inc. Proactive corrective actions in memory based on a probabilistic data structure
US10938851B2 (en) * 2018-03-29 2021-03-02 Radware, Ltd. Techniques for defense against domain name system (DNS) cyber-attacks
CN108549716A (en) * 2018-04-23 2018-09-18 广东奥园奥买家电子商务有限公司 Method for processing massive blacklists based on the Bloom algorithm

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
CN101398820A (en) * 2007-09-24 2009-04-01 北京启明星辰信息技术有限公司 Large scale key word matching method
CN102110132A (en) * 2010-12-08 2011-06-29 北京星网锐捷网络技术有限公司 Uniform resource locator matching and searching method, device and network equipment
WO2020132854A1 (en) * 2018-12-25 2020-07-02 Paypal, Inc. Bloom filter whitelist and blacklist operations
CN110768946A (en) * 2019-08-13 2020-02-07 中国电力科学研究院有限公司 Industrial control network intrusion detection system and method based on bloom filter

Non-Patent Citations (4)

Title
BLOOM FILTER BASED INTRUSION DETECTION FOR SMART GRID SCADA; Saranya Parthasarathy, Deepa Kundur; 2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE); 2012-10-22; full text *
Finding Persistent Items in Distributed Datasets; Haipeng Dai, Meng Li, Alex X. Liu, Jiaqi Zheng, Guihai Chen; IEEE/ACM Transactions on Networking; 2020-02-28; Vol. 28, No. 1; pp. 1-14 *
Payload-based multi-level real-time intrusion detection system framework; 刘解放, 赵斌, 周宁; 计算机科学 (Computer Science); 2014-04-30; Vol. 41, No. 4; full text *
Survey of network intrusion detection methods for industrial control systems; 张文安, 洪榛, 朱俊威, 陈博; 控制与决策 (Control and Decision); 2019-11-30; Vol. 34, No. 11; full text *

Also Published As

Publication number Publication date
CN112532598A (en) 2021-03-19

Similar Documents

Publication Publication Date Title
CN112532598B (en) Filtering method for real-time intrusion detection system
CN111818103B (en) Traffic-based tracing attack path method in network target range
US20150264070A1 (en) Method and system for detecting algorithm-generated domains
CN110830490B (en) Malicious domain name detection method and system based on area confrontation training deep network
CN109274632A (en) Website identification method and device
CN106789901A (en) Method and device for preventing malicious submission of web-page requests
CN112235306B (en) E-commerce account verification method based on cloud security
Teng et al. A cooperative intrusion detection model for cloud computing networks
US8612523B1 (en) Methods and apparatus for detecting botnet attacks
CN104426836A (en) Invasion detection method and device
Patil et al. SS-DDoS: Spark-based DDoS attacks classification approach
CN101800752B (en) Method and system for improving safety and performance of domain name system (DNS)
Song et al. A comprehensive approach to detect unknown attacks via intrusion detection alerts
CN115208679B (en) Attacker IP defending method and defending system based on honey array cooperation
CN110650157A (en) Fast-flux domain name detection method based on ensemble learning
CN116707870A (en) Defensive strategy model training method, defensive strategy determining method and equipment
CN103532777A (en) Web Service vulnerability testing method for carrying out worst difference input variation on basis of SOAP (Simple Object Access Protocol) message
CN112422483B (en) Identity protection strategy for ubiquitous power Internet of things
CN111131285B (en) Active protection method for random domain name attack
CN201717899U (en) System for improving safety and performance of domain name system
Honda et al. Detection of novel-type brute force attacks used ephemeral springboard ips as camouflage
Xiuguo A security-aware data replica placement strategy based on fuzzy evaluation in the cloud
EP4036760A1 (en) Method and system for automated and dynamic main domain determination and identification
CN110912936B (en) Media file security situation perception method and firewall
Devassy Detection of Application Layer DDoS Attack Using Logistic Regression

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant