CN113098844B - Intelligent network intrusion detection system of hardware protocol - Google Patents


Info

Publication number: CN113098844B
Authority: CN (China)
Prior art keywords: module, network, packet, data, decision
Legal status: Active
Application number: CN202110249895.2A
Other languages: Chinese (zh)
Other versions: CN113098844A (en)
Inventors: 杨自恒, 刘群, 靖帅, 杨晓婷, 刘晓东, 冯业冀
Current assignee: Heilongjiang University
Original assignee: Heilongjiang University
Legal events: application filed by Heilongjiang University; priority to CN202110249895.2A; publication of CN113098844A; application granted; publication of CN113098844B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications


Abstract

The invention discloses an intelligent network intrusion detection system of a hardware protocol, which comprises: the system comprises an IP packet capturing module, a network data feature extraction module and a decision classification module, wherein the IP packet capturing module is arranged at the PS end of a ZYNQ platform, is connected with an industrial control network and is used for capturing an IP packet of the industrial control network; the network data feature extraction module is arranged at the PS end of the ZYNQ platform, is connected with the IP packet capturing module and is used for extracting network data features in the IP packet; and the decision classification module is arranged at the PL end of the ZYNQ platform, adopts an FPGA chip, is connected with the network data feature extraction module, and is used for identifying and classifying network behaviors of network data features and intercepting dangerous data. The system realizes IP packet capture and network data feature extraction of the PS end and a hardware classification algorithm of the PL end based on a ZYNQ platform, and meanwhile, the PS and the PL are organically combined, so that decision classification of network data is realized to detect intrusion of the network.

Description

Intelligent network intrusion detection system of hardware protocol
Technical Field
The invention relates to the technical field of network information security transmission and intrusion detection, in particular to an intelligent network intrusion detection system based on a hardware protocol.
Background
In recent years, the fourth industrial revolution, represented by the industrial internet of things, has emerged in countries around the world; intelligent factories and intelligent products receive growing attention, and the industrial internet of things presents a promising picture and a broad market prospect. The industrial internet of things is a new concept, the product of a certain stage in the development of traditional industrial automation and industrial informatization. It breaks through the limits of the traditional local area network, tightly couples links such as factory production, enterprise management and marketing, acquires underlying basic data comprehensively, performs deeper data analysis and mining, brings out the potential of both machines and people across the whole enterprise, and improves production efficiency.
Meanwhile, various hidden dangers in the information security of industrial internet of things technology are gradually being exposed, such as leakage of core industrial data and illegal operation and control of interconnected terminals; there have even been incidents of hackers attacking national strategic infrastructure by intruding into the industrial network systems of the electric power and energy sector, and this problem casts a shadow over the development of the industrial internet of things.
In the face of increasingly complex and highly intelligent network attacks, traditional network protection technology such as firewalls cannot defend against unknown attacks and cannot prevent their transmission and spread. At present, with the growing number of industrial information devices, a great many targeted attacks and novel attack methods are inevitably encountered. Relying only on current traditional defense means and approaches cannot meet the security requirements of China's industrial development, so more advanced technical means are urgently needed to improve information security, and network protection technology needs further breakthroughs.
An intrusion detection system is a security mechanism that monitors in real time and performs prevention and protection. Intrusion detection is an active defense technology that identifies attack behaviors and abnormal data traffic by collecting and analyzing network data flows. An intrusion detection system does not need to bridge any link, nor does network traffic need to flow through it.
Currently, intrusion detection techniques include neural networks, data mining, machine learning, and the like. Data mining can use the collected data, combined with statistics, machine learning and related techniques, to make classification decisions on the data, so that the various behaviors in a network data flow can be detected well. A decision tree classification algorithm constructs a complete decision tree from the probabilities of various events in order to evaluate and predict event risk. It meets the requirements of an intrusion detection system well: it can classify attack behaviors and abnormal behaviors, and can actively detect and prevent risks. The tree-based strategy is more intuitive, the generated rules are simpler in form, and the method can be applied to large training sets as well as to multi-class problems.
Therefore, the present invention proposes a classifier construction that applies decision trees to intrusion detection.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, the invention aims to provide an intelligent network intrusion detection system of a hardware protocol.
In order to achieve the above object, an embodiment of the present invention provides an intelligent network intrusion detection system using a hardware protocol, including: the system comprises an IP packet capturing module, a network data feature extraction module and a decision classification module, wherein the IP packet capturing module is arranged at the PS end of a ZYNQ embedded platform, is connected with an industrial control network and is used for capturing an IP packet of the industrial control network; the network data feature extraction module is arranged at the PS end of the ZYNQ embedded platform, is connected with the IP packet capturing module and is used for extracting network data features in the IP packet; the decision classification module is arranged at the PL end of the ZYNQ embedded platform, adopts an FPGA chip, is connected with the network data feature extraction module, and is used for identifying and classifying network behaviors of the network data features and intercepting dangerous data.
The intelligent network intrusion detection system of the hardware protocol according to the embodiment of the invention designs a hardware network attack classification IP core based on an FPGA; IP packet capture and network data feature extraction are implemented on the PS (processing system) side of a ZYNQ embedded platform; the PS and PL are organically combined on the ZYNQ embedded platform to realize the transmission of network data to the classification algorithm; the PL (programmable logic) side of the ZYNQ embedded platform is used to implement the hardware classification algorithm, identify network behaviors, and achieve the purpose of intrusion detection; meanwhile, the physical and logical problems of the mathematical algorithm and the computer modeling problem are solved during the research, and the ability to run a more complex encryption algorithm on a smaller-scale circuit is obtained by theoretical analysis; in addition, the functions of data packet reception, feature extraction, decision classification and the like are realized, so that the whole device achieves light logic and high speed and meets the requirements.
In addition, the intelligent network intrusion detection system based on the hardware protocol according to the above embodiment of the present invention may further have the following additional technical features:
further, in an embodiment of the present invention, the IP packet capturing module is specifically configured to: acquiring a network equipment interface by using a network data packet capture function library libpcap, and acquiring a network number and a mask of the network equipment interface; and opening the network equipment interface to obtain the IP packet.
Further, in an embodiment of the present invention, the network data feature extraction module is specifically configured to: reading the IP packet, counting various feature information in the IP packet, converting all the feature information into character strings, writing the character strings into a target file to obtain the network data features, wherein when one TCP stream is taken as a unit, the FIN mark is taken as an end, and the feature information in the IP packet is counted; and when one UDP flow is taken as a unit, the preset flowtimeout time is taken as a limit, if the time is exceeded, the end is determined, and all characteristic information in the IP packet is counted.
Further, in an embodiment of the present invention, the decision classification module is specifically configured to: classify the network data features using the decision tree model classification node information stored in the register of the decision classification module to obtain a classification result; and inform the upper-layer system of the network behavior of the IP packet according to the classification result, wherein if the IP packet represents normal network behavior and contains no network attack data, it is forwarded to the trusted network, and if it represents abnormal network behavior and contains network attack data, it is intercepted and an alarm is raised.
Further, in an embodiment of the present invention, a top-down multi-module design method is adopted to decompose a preset integral module to obtain a plurality of sub-modules, a top-level module instantiates each sub-module, then a functional logic design is performed on each sub-module, and each module is instantiated and integrated in the top-level module to build the decision classification model.
Further, in an embodiment of the present invention, the decision classification module adopts a hardware classification algorithm IP core, and the hardware classification algorithm IP core includes a data buffer, a decision logic module, and a control module design, where the data buffer is used to temporarily store the network data features delivered by the network data feature extraction module for the decision classification module to call; the decision logic module is used to construct a decision tree, input test data into the decision tree, output results at leaf nodes, and judge the network behavior of the network data features according to the attributes of the leaf nodes.
Further, in an embodiment of the present invention, a network interface, a USB interface, and a JTAG interface are further extended outside the decision classification module, where the JTAG interface is used to write configuration information into a Flash memory to configure and debug a PL port, complete initialization operation, and also used to access a signal logic state and a chip pin state inside a chip; the USB interface writes configuration information into the control module so as to adjust the working mode and the working state of the subsystem and is also used for data communication of an external host.
Further, in one embodiment of the present invention, the network data feature extraction module sends the network data feature to the decision classification module through an AXI bus.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic diagram of an intelligent network intrusion detection system using hardware protocols according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the external connection of the intelligent network intrusion detection system according to the hardware protocol of the present invention;
FIG. 3 is a flow diagram of a network data feature extraction module according to one embodiment of the invention;
FIG. 4 is a decision classification schematic of one embodiment of the present invention;
FIG. 5 is a decision module hardware logic diagram of one embodiment of the present invention;
FIG. 6 is a block diagram of a ZYNQ development board according to one embodiment of the invention;
FIG. 7 is a block diagram of interface hardware for one embodiment of the invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
An intelligent network intrusion detection system for a hardware protocol according to an embodiment of the present invention will be described with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of an intelligent network intrusion detection system using hardware protocols according to an embodiment of the present invention.
As shown in fig. 1, the system 10 includes: an IP packet capturing module 100, a network data feature extraction module 200 and a decision classification module 300.
As shown in fig. 2, the intelligent network intrusion detection system with hardware protocol has a dual-network-port structure, wherein the upper layer interface is connected to the network data decryption system, and the lower layer interface is connected to the industrial control network control host. The IP packet capturing module 100 is disposed at the PS end of the ZYNQ embedded platform, connected to the industrial control network, and configured to capture an IP packet of the industrial control network. The network data feature extraction module 200 is disposed at the PS end of the ZYNQ embedded platform, connected to the IP packet capture module 100, and configured to extract network data features in an IP packet. The decision classification module 300 is disposed at the PL side of the ZYNQ embedded platform, is connected to the network data feature extraction module 200 through an AXI bus by using an FPGA chip, and is configured to perform recognition classification of network behaviors on network data features and intercept dangerous data.
That is, the IP packet capturing module 100 captures data streams (i.e., IP packets) of the industrial control network, so that the IP packets directly enter the network data feature extracting module 200, network data features can be obtained in the network data feature extracting module 200, and the network data features are sent to the decision classifying module 300 for identifying and classifying network behaviors.
Further, the IP packet capturing module 100 captures data packets using the network packet capture function library libpcap, and performs network traffic capture and network traffic statistics. The specific steps are to use libpcap, which requires including the pcap.h header file: obtain a network device interface; then obtain its network number (IP address) and mask; open the network interface; and acquire the data packets.
Further, in an embodiment of the present invention, the network data feature extraction module 200 is specifically configured to:
reading the IP packet, counting various feature information in the IP packet, converting all the feature information into character strings, writing the character strings into a target file to obtain the network data features, wherein,
when one TCP flow is taken as a unit, the FIN mark is taken as the end, and all characteristic information in the IP packet is counted;
and when one UDP flow is taken as a unit, the preset flowtimeout time is taken as a limit, if the time is exceeded, the end is determined, and all characteristic information in the IP packet is counted.
Specifically, as shown in fig. 3, the network data feature extraction module 200 extracts transport-layer statistics, using one TCP stream or one UDP stream as the unit. A TCP flow ends with the FIN flag; a UDP flow is bounded by the configured flowtimeout, and is judged to have ended when that time is exceeded. A TCP stream contains many packets, beginning with the three-way handshake and ending with the four-way close. The statistics counted over one stream form the extracted data features.
It should be noted that the statistical features are divided into forward and backward directions: the forward direction is from the source address to the destination address, and the backward direction is from the destination address to the source address. A flag called FlowID is constructed for each flow, for example 192.168.31.100-183.232.231.174-46927-443-6, consisting of the source address, the destination address, the source and destination ports, and the protocol number.
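The flow bookkeeping described above, written out as an added example that is not the patent's own code. The page's capture steps (obtain the interface and its network number and mask, open it, fetch packets) are libpcap's pcap_lookupnet / pcap_open_live / pcap_loop sequence; this block starts where a capture callback would hand over a raw IPv4 packet (the bytes after the 14-byte Ethernet header). It keeps one record per flow, builds the FlowID string, separates forward and backward counts, ends a TCP flow on FIN and a UDP flow when the gap between packets exceeds flowtimeout. The flowtimeout value, the chosen counters and the replayed packets are constructed assumptions.

```c
/* Added example (not the patent's code): transport-layer flow bookkeeping as the
 * feature extraction module is described to do it. Input is a raw IPv4 packet, i.e.
 * the bytes a libpcap callback delivers after the 14-byte Ethernet header. The
 * flowtimeout value and the set of per-flow counters are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS    32
#define FLOW_TIMEOUT 120.0          /* assumed UDP flowtimeout, seconds */

typedef struct {
    char     id[64];                /* FlowID "src-dst-sport-dport-proto" */
    uint32_t src, dst;              /* forward direction = src -> dst of the first packet */
    uint16_t sport, dport;
    uint8_t  proto;                 /* 6 = TCP, 17 = UDP */
    int      fwd_pkts, bwd_pkts;    /* per-direction statistics */
    long     fwd_bytes, bwd_bytes;
    double   first_ts, last_ts;
    int      finished;              /* TCP: FIN seen; UDP: flowtimeout exceeded */
} flow_t;

static flow_t flows[MAX_FLOWS];
static int nflows;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void ip_to_str(uint32_t a, char *out) {
    sprintf(out, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)(a >> 16 & 255), (unsigned)(a >> 8 & 255), (unsigned)(a & 255));
}

void reset_flows(void) { nflows = 0; memset(flows, 0, sizeof flows); }

/* Find an unfinished flow matching either direction; *backward = 1 for dst -> src packets. */
static int find_flow(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp, uint8_t pr, int *backward) {
    for (int i = 0; i < nflows; i++) {
        const flow_t *f = &flows[i];
        if (f->finished || f->proto != pr) continue;
        if (f->src == s && f->dst == d && f->sport == sp && f->dport == dp) { *backward = 0; return i; }
        if (f->src == d && f->dst == s && f->sport == dp && f->dport == sp) { *backward = 1; return i; }
    }
    return -1;
}

/* Feed one IPv4 packet with its capture timestamp; returns the flow index, or -1 for
 * anything that is not well-formed TCP/UDP (or when the flow table is full). */
int feed_packet(const uint8_t *pkt, size_t len, double ts) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t  ihl = (pkt[0] & 0x0f) * 4u, total = rd16(pkt + 2);
    uint8_t proto = pkt[9];
    if (proto != 6 && proto != 17) return -1;
    if (ihl < 20 || total > len || total < ihl + (proto == 6 ? 20u : 8u)) return -1;
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    uint16_t sport = rd16(pkt + ihl), dport = rd16(pkt + ihl + 2);
    int backward = 0, i = find_flow(src, dst, sport, dport, proto, &backward);
    /* UDP has no FIN: a gap longer than flowtimeout ends the old flow and opens a new one */
    if (i >= 0 && proto == 17 && ts - flows[i].last_ts > FLOW_TIMEOUT) { flows[i].finished = 1; i = -1; }
    if (i < 0) {
        if (nflows == MAX_FLOWS) return -1;
        flow_t *nf = &flows[i = nflows++];
        char a[16], b[16];
        memset(nf, 0, sizeof *nf);
        nf->src = src; nf->dst = dst; nf->sport = sport; nf->dport = dport; nf->proto = proto; nf->first_ts = ts;
        ip_to_str(src, a); ip_to_str(dst, b);
        snprintf(nf->id, sizeof nf->id, "%s-%s-%u-%u-%u", a, b, sport, dport, proto);
        backward = 0;
    }
    flow_t *f = &flows[i];
    if (backward) { f->bwd_pkts++; f->bwd_bytes += (long)total; } else { f->fwd_pkts++; f->fwd_bytes += (long)total; }
    f->last_ts = ts;
    if (proto == 6 && (pkt[ihl + 13] & 0x01)) f->finished = 1;     /* TCP FIN ends the flow */
    return i;
}

/* Builds a minimal IPv4 + TCP/UDP packet (constructed test input); returns its length. */
size_t make_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                   uint8_t proto, uint8_t tcp_flags, size_t payload) {
    size_t total = 20 + (proto == 6 ? 20 : 8) + payload;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total; buf[8] = 64; buf[9] = proto;
    for (int k = 0; k < 4; k++) { buf[12 + k] = (uint8_t)(src >> (24 - 8 * k)); buf[16 + k] = (uint8_t)(dst >> (24 - 8 * k)); }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport; buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    if (proto == 6) { buf[32] = 5 << 4; buf[33] = tcp_flags; }           /* data offset 5 words, flags */
    else { buf[24] = (uint8_t)((8 + payload) >> 8); buf[25] = (uint8_t)(8 + payload); }
    return total;
}

/* Replays a constructed TCP session and two UDP exchanges; returns the number of flows seen. */
int run_demo(void) {
    uint8_t buf[1600];
    const uint32_t host = 0xC0A81F64u /* 192.168.31.100 */, server = 0xB7E8E7AEu /* 183.232.231.174 */;
    reset_flows();
    feed_packet(buf, make_packet(buf, host, server, 46927, 443, 6, 0x02, 0), 0.00);    /* SYN */
    feed_packet(buf, make_packet(buf, server, host, 443, 46927, 6, 0x12, 0), 0.01);    /* SYN-ACK */
    feed_packet(buf, make_packet(buf, host, server, 46927, 443, 6, 0x10, 0), 0.02);    /* ACK */
    feed_packet(buf, make_packet(buf, host, server, 46927, 443, 6, 0x18, 200), 0.05);  /* PSH-ACK, request */
    feed_packet(buf, make_packet(buf, server, host, 443, 46927, 6, 0x18, 1200), 0.09); /* PSH-ACK, response */
    feed_packet(buf, make_packet(buf, host, server, 46927, 443, 6, 0x11, 0), 0.20);    /* FIN-ACK ends flow 0 */
    feed_packet(buf, make_packet(buf, host, server, 5000, 53, 17, 0, 40), 1.0);        /* UDP query (flow 1) */
    feed_packet(buf, make_packet(buf, server, host, 53, 5000, 17, 0, 90), 1.1);        /* UDP reply (flow 1) */
    feed_packet(buf, make_packet(buf, host, server, 5000, 53, 17, 0, 40), 400.0);      /* > flowtimeout: flow 2 */
    return nflows;
}

const flow_t *get_flow(int i) { return (i >= 0 && i < nflows) ? &flows[i] : NULL; }
```

Two points worth noting for a real extractor: the page says a TCP flow ends at the FIN flag, and this model closes the record at the first FIN, so the peer's FIN/ACK would open a new one-packet record; waiting for a FIN in each direction (or a RST) keeps the four-way close inside the flow. The header checks at the top of feed_packet matter too, because a feature extractor that trusts the IHL and total-length fields of a captured packet reads past the buffer on a truncated or crafted header.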
Further, in an embodiment of the present invention, the decision classification module 300 is specifically configured to: classify the network data features using the decision tree model classification node information stored in the register of the decision classification module to obtain a classification result; and inform the upper-layer system of the network behavior of the IP packet according to the classification result, wherein if the IP packet represents normal network behavior and contains no network attack data, it is forwarded to the trusted network, and if it represents abnormal network behavior and contains network attack data, it is intercepted and an alarm is raised. That is, the decrypted legal IP packet data that has passed through the firewall undergoes data capture and feature extraction, and the resulting feature data stream is sent to the decision classification module 300 for identification and classification, so that dangerous data can be intercepted.
Furthermore, the decision classification module 300 adopts a top-down multi-module design concept as a hardware implementation algorithm, and the method is to perform multi-module decomposition on the whole module, instantiate each sub-module by a top-layer module, perform logic design on each function by the sub-modules, realize the functions of each module one by one, then instantiate and integrate each module in the top-layer module, build a final integral system module, and perform integral comprehensive analysis and test on the whole module;
that is, after the IP packet capturing module receives data through the network port, the IP packet is first transmitted to the feature extraction module, which analyzes the feature information in the IP packet data and stores it in the cache; the decision classification module classifies the feature data using the decision tree model classification node information stored in its register, and informs the upper-layer system which network behavior the IP packet belongs to according to the classification result; if the IP packet represents normal network behavior and contains no network attack, it can be forwarded to the trusted network; if the IP packet contains attack data, it is intercepted and an alarm is raised.
Further, after the whole module is successfully built, the whole function analysis and the time sequence analysis are carried out on each module, and the specific function module comprises a main state machine, a decision logic module, a data buffer area and a control module, wherein,
the main state machine is used for controlling the working process of the whole subsystem;
and the data buffer area is used for temporarily storing the data features extracted by the network data feature extraction module 200 for calling the decision logic module.
The decision logic module adopts a decision tree algorithm, and the mathematical principle of the decision logic module is that all data are regarded as one node and become a root node. And calculating the information gain rate of all the characteristics in the training data, and taking the characteristics with the highest information gain rate as the splitting standard of the current node. And generating a plurality of child nodes from top to bottom in a recursion mode until all the features are used, and generating the decision tree when the condition of stopping splitting is met. And then, carrying out decision classification by using the test data or the actual data, inputting the characteristic values of the test data or the actual data into a decision tree, outputting the result in a leaf node, and judging the network behavior of the IP data packet according to the attribute of the leaf node.
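The split criterion in the paragraph above (the "information gain rate", i.e. the gain ratio used by C4.5-style tree induction) worked through on a small constructed training set, as an added example that is not the patent's own code. It computes the entropy of a node, the information gain and split information of a threshold split on one feature, their ratio, and then picks the feature and threshold with the highest ratio, which is exactly the root-node step the text describes; recursion on the two resulting subsets repeats the same call. The feature values, labels and the choice of observed values as candidate thresholds are assumptions.

```c
/* Added example (not the patent's code): choosing a decision tree split by the
 * information gain ratio. The training set (two flow features and a label) is
 * constructed for illustration; thresholds tried are the observed feature values. */
#include <stddef.h>

#define NS 8            /* samples */
#define NF 2            /* features: 0 = forward packet count, 1 = forward bytes */

static const double X[NS][NF] = { {3, 300}, {5, 500}, {4, 200}, {6, 800},
                                  {900, 100}, {1200, 150}, {2000, 120}, {800, 700} };
static const int Y[NS] = { 0, 0, 0, 0, 1, 1, 1, 1 };    /* 0 = normal, 1 = anomalous */

/* log2 without linking libm: scale x into [1,2), then ln(x) = 2*atanh((x-1)/(x+1)) as a series. */
static double log2_(double x) {
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1) / (x + 1), y2 = y * y, term = y, sum = 0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;
}

/* Entropy of the labels in the subset selected by mask (bit i set = sample i included). */
static double entropy(unsigned mask) {
    int n = 0, pos = 0;
    for (int i = 0; i < NS; i++) if (mask >> i & 1) { n++; pos += Y[i]; }
    if (n == 0 || pos == 0 || pos == n) return 0.0;      /* empty or pure: nothing left to learn */
    double p = (double)pos / n;
    return -(p * log2_(p) + (1 - p) * log2_(1 - p));
}

/* Gain ratio of splitting the subset `mask` on feature f into "x <= t" and "x > t". */
double gain_ratio(unsigned mask, int f, double t) {
    unsigned left = 0, right = 0;
    int n = 0, nl = 0, nr = 0;
    for (int i = 0; i < NS; i++) {
        if (!(mask >> i & 1)) continue;
        n++;
        if (X[i][f] <= t) { left |= 1u << i; nl++; } else { right |= 1u << i; nr++; }
    }
    if (nl == 0 || nr == 0) return 0.0;                   /* degenerate split: split information is 0 */
    double pl = (double)nl / n, pr = (double)nr / n;
    double gain = entropy(mask) - pl * entropy(left) - pr * entropy(right);
    double split_info = -(pl * log2_(pl) + pr * log2_(pr));
    return gain / split_info;
}

/* Evaluates every (feature, threshold) candidate over the subset; returns the best gain
 * ratio and writes the chosen feature and threshold (-1 / 0 if the subset is empty). */
double best_split(unsigned mask, int *best_f, double *best_t) {
    double best = -1.0;
    *best_f = -1; *best_t = 0.0;
    for (int f = 0; f < NF; f++)
        for (int i = 0; i < NS; i++) {
            if (!(mask >> i & 1)) continue;
            double gr = gain_ratio(mask, f, X[i][f]);
            if (gr > best) { best = gr; *best_f = f; *best_t = X[i][f]; }
        }
    return best;
}

/* Root-node choice over the whole constructed set (all eight samples). */
int    root_feature(void)   { int f; double t; best_split(0xFFu, &f, &t); return f; }
double root_threshold(void) { int f; double t; best_split(0xFFu, &f, &t); return t; }
```

On this data the forward packet count separates the two classes perfectly at a threshold of 6, so its gain ratio is 1.0 and it becomes the root split, while the best byte-count split (at 150) scores about 0.575. The degenerate-split guard is the detail that matters in practice: a threshold that sends every sample to one side has zero split information, and dividing by it would crown a useless split.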
As shown in FIG. 4, the control module design implements each level of the tree as one of the stages of FIG. 4, which shows a simple example with network data features and the final output result. Each stage consists of decision logic, a coefficient memory and internal registers. The input address of the coefficient memory is a function of the path taken through the decision tree to reach the particular node. Each coefficient memory entry stores the coefficient value, the attribute index of the incoming data to which the coefficient is compared, the operation to be performed, and a pointer to a storage location in the next stage or an assigned class. The output of the coefficient memory therefore contains all the information needed to perform the operation associated with the addressed tree node.
As shown in FIG. 5, the decision tree classification engine has three main parts: an input buffer, a decision logic area and an output buffer. The decision logic reads the incoming data and retrieves the rules from its associated coefficient memory, processes them, and forwards the data, along with the processed results, to the next stage. The intermediate result decides whether to assign a category to the data or whether further processing is required in the next step. If the data classification is completed, the data can be forwarded to the next stage without further processing, otherwise the processing and comparison is repeated until it is assigned to a class and then stored in the output memory. All these operations are performed in a pipelined manner, wherein in each clock cycle the data will be forwarded to the next stage and new data is fetched.
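A software model of the staged engine described in the two paragraphs above (FIG. 4 and FIG. 5), added here as an example; it is not the patent's HDL. Each stage owns a coefficient memory addressed by the path taken so far; an entry holds the attribute index, the comparison, the coefficient and, for each outcome, either a next-stage address or an assigned class. Records advance one stage per clock cycle while a new record is fetched, and a record that has already reached a leaf is forwarded untouched. The tree, feature layout, thresholds and class labels are constructed for illustration.

```c
/* Added example (not the patent's HDL): software model of the staged decision tree
 * engine of FIG. 4 / FIG. 5. Each stage owns a coefficient memory addressed by the
 * path taken so far; an entry holds the attribute index, the comparison, the
 * coefficient and, per outcome, a next-stage address or an assigned class. The tree,
 * feature layout, thresholds and class labels below are constructed for illustration. */
#include <stdint.h>
#include <string.h>

#define NSTAGES   3    /* pipeline depth = maximum tree depth it can evaluate */
#define NFEATURES 4    /* 0 fwd packets, 1 bwd packets, 2 fwd bytes, 3 IP protocol */
#define MEM_SIZE  2    /* entries in the largest coefficient memory */

enum op  { OP_LT, OP_GE, OP_EQ };
enum cls { CLASS_PENDING = -1, CLASS_NORMAL = 0, CLASS_ANOMALY = 1 };

typedef struct { int8_t leaf; int16_t val; } target_t;   /* leaf ? class : next-stage address */
typedef struct {
    int8_t   attr;            /* attribute index of the incoming data compared here */
    uint8_t  op;              /* operation to perform */
    int32_t  coeff;           /* coefficient the attribute is compared with */
    target_t on_true, on_false;
} node_t;

/* One coefficient memory per stage, addressed by the node reached (constructed tree). */
static const node_t stage_mem[NSTAGES][MEM_SIZE] = {
    { {0, OP_GE, 1000,   {1, CLASS_ANOMALY}, {0, 0}} },                   /* root: fwd_pkts >= 1000 ? */
    { {1, OP_EQ, 0,      {0, 0},             {0, 1}} },                   /* bwd_pkts == 0 ? addr 0 : addr 1 */
    { {3, OP_EQ, 17,     {1, CLASS_ANOMALY}, {1, CLASS_NORMAL}},          /* unanswered flow: UDP ? */
      {2, OP_GE, 100000, {1, CLASS_ANOMALY}, {1, CLASS_NORMAL}} },        /* answered flow: fwd_bytes >= 100000 ? */
};

/* Register between stages: which record, where it is in the tree, and its class if decided. */
typedef struct { int valid, rec, done; int16_t addr; int8_t cls; } reg_t;

static void stage_step(int s, reg_t *r, const int32_t *feat) {
    if (r->done) return;                         /* already classified: forwarded untouched */
    const node_t *n = &stage_mem[s][r->addr];
    int32_t v = feat[n->attr];
    int hit = n->op == OP_LT ? v < n->coeff : n->op == OP_GE ? v >= n->coeff : v == n->coeff;
    target_t t = hit ? n->on_true : n->on_false;
    if (t.leaf) { r->done = 1; r->cls = (int8_t)t.val; } else r->addr = t.val;
}

/* Runs n feature vectors through the pipeline, one record entering per cycle; fills out[]
 * and returns the number of clock cycles (n + NSTAGES - 1). A record that leaves the last
 * stage undecided is reported as CLASS_PENDING: the tree is deeper than the pipeline. */
int classify_pipelined(int32_t feats[][NFEATURES], int n, int8_t out[]) {
    reg_t regs[NSTAGES];
    memset(regs, 0, sizeof regs);
    int cycles = 0;
    for (int c = 0; c < n + NSTAGES - 1; c++, cycles++) {
        if (regs[NSTAGES - 1].valid) out[regs[NSTAGES - 1].rec] = regs[NSTAGES - 1].cls;  /* to output buffer */
        for (int s = NSTAGES - 1; s > 0; s--) regs[s] = regs[s - 1];                       /* advance one stage */
        reg_t fresh = { c < n, c, 0, 0, CLASS_PENDING };                                  /* fetch new data */
        regs[0] = fresh;
        for (int s = 0; s < NSTAGES; s++)
            if (regs[s].valid) stage_step(s, &regs[s], feats[regs[s].rec]);
    }
    if (regs[NSTAGES - 1].valid) out[regs[NSTAGES - 1].rec] = regs[NSTAGES - 1].cls;      /* drain */
    return cycles;
}

/* Classifies a single flow feature vector (convenience wrapper around the pipeline). */
int classify_values(int32_t fwd_pkts, int32_t bwd_pkts, int32_t fwd_bytes, int32_t proto) {
    int32_t feats[1][NFEATURES] = { { fwd_pkts, bwd_pkts, fwd_bytes, proto } };
    int8_t out[1];
    classify_pipelined(feats, 1, out);
    return out[0];
}

/* Constructed batch of five flow feature vectors pushed through the pipeline together. */
static int8_t demo_out[5];
int demo_batch(void) {
    static int32_t batch[5][NFEATURES] = {
        {4, 2, 360, 6}, {1500, 0, 60000, 6}, {1, 0, 68, 17}, {200, 150, 300000, 6}, {1, 0, 40, 6} };
    return classify_pipelined(batch, 5, demo_out);
}
int demo_result(int i) { return demo_out[i]; }
```

Five records take seven cycles, one more per extra record, which is the throughput argument for the pipelined design. The CLASS_PENDING result is the check a practitioner wants: when the node information loaded into the coefficient memories describes a tree deeper than the number of stages, the engine must flag the record rather than silently forward it as normal.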
Further, the decision classification module 300 includes an external extension network interface, a USB interface, and a JTAG interface. The JTAG interface can write the configuration information into the Flash memory, the configuration information can realize the configuration and debugging of the PL end, and the operation of initializing the working mode, the working state and the decision tree node data of the PL end is realized; the JTAG interface also has access to the signal logic state inside the chip and the state of the chip pins. The USB interface can write the configuration information into the control module, and the configuration information can realize the operation of the working mode and the working state of the subsystem; the USB interface can also realize data communication with an external host.
The intelligent network intrusion detection system of the hardware protocol provided by the invention is realized and tested by researching and developing a prototype of the hardware system.
Designing a system schematic diagram and a development board, and realizing a hardware system prototype after development and debugging. And realizing the data communication among the hardware based on a standard communication protocol.
And the development driver is used for debugging the development board by the computer and realizing data communication between the computer and the development board.
The embedded board card is fabricated and its circuit formed: for the design requirements of the circuit board, the PCB layout is done from the standpoint of electrical performance, taking into account the interference from, and suppression of, various interfering signals and equipment elements, the temperature and humidity of the working environment, the mounting method of the components and the basic layout requirements. The circuit board is soldered and tested to form a network data classification card, which is given a basic test according to its test specification. After passing the test, it forms the network data classification card product.
The completion of the whole project is implemented according to the following technical route:
firstly, a project design theoretical algorithm and simulation work are completed, and initial, intermediate and final verification data result data including decision tree node classification information, network data characteristics and the like are obtained through a mathematical simulation tool;
meanwhile, a factory is visited to collect normal IP messages from industrial equipment during operation, Kali Linux is used to generate simulated attack IP messages, and these are stored in a database file for subsequent processing;
performing feature extraction on the data with a mathematical tool to obtain feature values, generating a decision tree model with the decision tree classification algorithm, and sending the node classification information to the PL (programmable logic) side for subsequent decision classification;
then, verifying and realizing the decision classification algorithm in the purchased development board, debugging the performance index of the algorithm, and simultaneously putting a principle prototype of a classification detection system and a hardware device circuit board into a processing plant, welding and testing in an outsourcing mode;
and developing a hardware system prototype, and implementing and testing the designed system.
And installing the IP packet capturing module, the network data feature extraction module and the decision classification module into a prototype to verify whether each module meets the expected functional requirements or not, integrating each module, splicing each module into an integral protection system, and verifying the functional integrity of each part.
The IP packet capturing module is designed at the PS end of the ZYNQ embedded platform, is the initial part of the whole system, is connected with an industrial network through a network port, and is connected with the network data feature extraction module through an operating system;
the network data feature extraction module is the middle part of the whole system and is designed at the PS end of the ZYNQ embedded platform, and feature data obtained by the module is sent to a decision classification module at the PL end of the ZYNQ embedded platform through an AXI bus.
The decision classification module is the core and the final part of the whole system, the hardware implementation algorithm adopts a top-down multi-module design concept, the method is to carry out multi-module decomposition on the whole module, instantiate each sub-module by a top-layer module, carry out logic design on each function by the sub-modules, realize the function of each module one by one, then instantiate and integrate each module in the top-layer module, build a final integral system module, and carry out integral comprehensive analysis and test on the whole module;
as shown in FIG. 6, the ZYNQ development board is mainly divided into two functional parts, the PS side and the PL side. As can be seen from the block diagram, the PS side mainly contains an ARM processor and memory; it can run an embedded operating system, store data, control data exchange, and connect to external interfaces such as a COM port, an RJ45 port and I/O ports. The PL side contains a large number of logic processing units and can implement hardware-accelerated algorithms. The PS side and the PL side communicate via the AXI bus.
As shown in FIG. 7, the dual network port hardware design deploys one network port at the PS side and one at the PL side to facilitate data communication.
The FPGA core control chip adopted by the whole circuit system can be a chip produced by Xilinx. Power supply is the most basic guarantee that the whole system operates normally. Several 5V external power supply interfaces are designed into the system, powered respectively by USB and by a common plug-in power socket. Both modes provide 5V, giving the user two options.
The clock circuit and the reset circuit are indispensable to the operation of the system. In order to generate an integral baud rate and ensure reliable data transmission, the system uses an off-chip high-precision crystal oscillator. Manual reset is selected as the reset mode: pressing the reset key restores the system to its initial state.
The work flow of the whole subsystem is controlled by a main state machine.
The intelligent network intrusion detection system of the hardware protocol provided by the embodiment of the invention takes into account the IP packet capturing problem, the network data feature extraction problem and the network behavior decision classification problem in the information transmission process, thereby not only ensuring the safety, reliability and non-repudiation of information during transmission, but also achieving light overall logic and high device speed. Meanwhile, the invention is aimed at researching and developing high-tech electronic information products, with emphasis on security network products, including network security software, intermediate plug-ins, security network terminal products and the like. In addition, the problem of secure information transmission between network nodes is solved according to the secure transmission requirements of the commercial Internet of Things. An IP core with independent intellectual property rights and related products are researched and developed, with the purpose of establishing a private shared security channel among devices on the Internet. Finally, existing related products are few and single in function, out of proportion to the increasing requirements of information security users; the invention aims to research, develop and produce secure network products and can provide support and service for information security, particularly network security products.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Moreover, the various embodiments or examples described in this specification, and the features of those embodiments or examples, can be combined by one skilled in the art provided they are not mutually inconsistent.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (1)

1. An intelligent network intrusion detection system for hardware protocols, comprising: an IP packet capturing module, a network data feature extraction module and a decision classification module, wherein
the IP packet capturing module is arranged at the PS (processing system) side of the ZYNQ embedded platform, is connected with an industrial control network and is used for capturing the IP packets of the industrial control network, the IP packet capturing module being specifically used for:
acquiring a network device interface by using the network packet capture function library libpcap, and acquiring the network number and mask of the network device interface;
opening the network device interface to acquire the IP packets;
the network data feature extraction module is arranged at the PS side of the ZYNQ embedded platform, is connected with the IP packet capturing module and is used for extracting network data features from the IP packets, the network data feature extraction module being specifically used for:
reading the IP packets, counting the various items of feature information in the IP packets, converting all the feature information into character strings, and writing the character strings into a target file to obtain the network data features, wherein,
when one TCP flow is taken as the unit, the FIN flag is taken as the end of the flow, and all feature information in the IP packets of that flow is counted;
when one UDP flow is taken as the unit, a preset flowtimeout time is taken as the limit; if this time is exceeded the flow is determined to have ended, and all feature information in the IP packets of that flow is counted;
the network data feature extraction module sends the network data features to the decision classification module through an AXI bus;
the decision classification module is arranged at the PL (programmable logic) side of the ZYNQ embedded platform, adopts an FPGA chip, is connected with the network data feature extraction module and is used for identifying and classifying the network behavior of the network data features and intercepting dangerous data, wherein,
a preset integral module is decomposed by a top-down multi-module design method to obtain a plurality of sub-modules; each sub-module is instantiated by a top-layer module, the functional logic of each sub-module is then designed, and the sub-modules are instantiated and integrated in the top-layer module to build the decision classification module;
the decision classification module adopts a hardware classification algorithm IP core, and the hardware classification algorithm IP core comprises a data buffer area, a decision logic module and a control module, wherein the data buffer area is used for temporarily storing the network data features extracted by the network data feature extraction module for the decision classification module to call; the decision logic module is used for constructing a decision tree, inputting test data into the decision tree, outputting results at the leaf nodes, and judging the network behavior of the network data features according to the attributes of the leaf nodes;
further, the decision classification module is specifically configured to: classify the network data features through the classification node information of the decision tree model stored in its registers to obtain a classification result; and inform an upper layer system of the network behavior of the IP packet according to the classification result, wherein if the IP packet is normal network behavior and does not contain network attack data, the IP packet is forwarded to the trusted network, and if the IP packet is abnormal network behavior and contains network attack data, the IP packet is intercepted and an alarm is raised;
the decision classification module is externally expanded with a network interface, a USB interface and a JTAG interface, wherein,
the JTAG interface is used for writing configuration information into a Flash memory so as to configure and debug the PL (programmable logic) side and complete the initialization operation, and is also used for accessing the internal signal logic states and the chip pin states of the chip;
the USB interface is used for writing configuration information into the control module so as to adjust the working mode and working state of the subsystem, and is also used for data communication with an external host.
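The flow-level feature extraction that claim 1 describes (count feature information per flow, close a TCP flow at its FIN flag, close a UDP flow once the preset flowtimeout is exceeded, render each flow as a character string for the target file), as an added example that is not the patent's own code. The patent's PS-side module captures live traffic through libpcap; this Python version instead consumes constructed packet records so that it runs offline, and the record fields, the 10-second timeout value and the bidirectional flow key are the example's own assumptions. One deliberate addition is marked in the code: the timeout is applied to TCP flows as well, because a SYN flood or an RST-terminated connection never carries a FIN and would otherwise never produce a record for exactly the traffic the classifier is meant to see.

```python
"""Per-flow feature aggregation with FIN / flowtimeout termination.

Added example, not from the patent. Packet records below are constructed;
a real deployment would fill them from libpcap callbacks on the PS side.
"""
from dataclasses import dataclass

FLOW_TIMEOUT = 10.0  # seconds; stands in for the patent's preset flowtimeout


@dataclass
class Packet:
    ts: float
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    flags: str = ""   # TCP flag letters, e.g. "S", "SA", "PA", "FA"


@dataclass
class Flow:
    key: tuple
    first_ts: float
    last_ts: float
    pkts: int = 0
    bytes: int = 0
    syn: int = 0
    fin: int = 0

    def update(self, p):
        self.last_ts = p.ts
        self.pkts += 1
        self.bytes += p.length
        self.syn += int("S" in p.flags)
        self.fin += int("F" in p.flags)

    def to_record(self, reason):
        """Render the flow as one comma-separated string, the form the
        patent writes to its target file. Field order is an assumption."""
        proto, a, ap, b, bp = self.key
        duration = self.last_ts - self.first_ts
        return ",".join([proto, a, str(ap), b, str(bp), str(self.pkts),
                         str(self.bytes), f"{duration:.3f}",
                         str(self.syn), str(self.fin), reason])


def flow_key(p):
    """Bidirectional 5-tuple so both directions land in the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a > b:
        a, b = b, a
    return (p.proto, a[0], a[1], b[0], b[1])


class FlowTable:
    def __init__(self, timeout=FLOW_TIMEOUT):
        self.timeout = timeout
        self.active = {}
        self.records = []

    def add(self, p):
        self.expire(p.ts)                 # close idle flows before inserting
        k = flow_key(p)
        f = self.active.get(k)
        if f is None:
            f = Flow(k, p.ts, p.ts)
            self.active[k] = f
        f.update(p)
        if p.proto == "tcp" and "F" in p.flags:
            self._close(k, "fin")         # claim 1: TCP flow ends at FIN

    def expire(self, now):
        # Claim 1 states the timeout rule for UDP. Applying it to TCP too is
        # this example's addition: SYN floods and RST-closed connections
        # never send a FIN and would otherwise never be emitted.
        for k, f in list(self.active.items()):
            if now - f.last_ts > self.timeout:
                self._close(k, "timeout")

    def flush(self):
        for k in list(self.active):
            self._close(k, "eof")

    def _close(self, k, reason):
        self.records.append(self.active.pop(k).to_record(reason))


# Constructed sample: one Modbus/TCP session, then an SNMP UDP exchange
# whose last datagram arrives 27 s later and therefore starts a new flow.
SAMPLE = [
    Packet(0.00, "tcp", "10.0.0.5", 40000, "10.0.0.20", 502, 60, "S"),
    Packet(0.01, "tcp", "10.0.0.20", 502, "10.0.0.5", 40000, 60, "SA"),
    Packet(0.02, "tcp", "10.0.0.5", 40000, "10.0.0.20", 502, 52, "A"),
    Packet(0.10, "tcp", "10.0.0.5", 40000, "10.0.0.20", 502, 120, "PA"),
    Packet(0.11, "tcp", "10.0.0.20", 502, "10.0.0.5", 40000, 90, "PA"),
    Packet(0.50, "tcp", "10.0.0.5", 40000, "10.0.0.20", 502, 52, "FA"),
    Packet(1.00, "udp", "10.0.0.7", 5000, "10.0.0.30", 161, 80),
    Packet(2.00, "udp", "10.0.0.30", 161, "10.0.0.7", 5000, 200),
    Packet(3.00, "udp", "10.0.0.7", 5000, "10.0.0.30", 161, 80),
    Packet(30.0, "udp", "10.0.0.7", 5000, "10.0.0.30", 161, 80),
]


def run(packets, timeout=FLOW_TIMEOUT):
    """Feed time-ordered packets through the table; return the flow records."""
    table = FlowTable(timeout)
    for p in sorted(packets, key=lambda p: p.ts):
        table.add(p)
    table.flush()
    return table.records
```

Each returned string is one line of the target file; the final field records why the flow was closed (fin, timeout, or end of input), which is worth keeping because a classifier trained only on FIN-terminated flows will never have seen the shape of a half-open flood.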
CN202110249895.2A 2021-03-08 2021-03-08 Intelligent network intrusion detection system of hardware protocol Active CN113098844B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110249895.2A CN113098844B (en) 2021-03-08 2021-03-08 Intelligent network intrusion detection system of hardware protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110249895.2A CN113098844B (en) 2021-03-08 2021-03-08 Intelligent network intrusion detection system of hardware protocol

Publications (2)

Publication Number Publication Date
CN113098844A CN113098844A (en) 2021-07-09
CN113098844B true CN113098844B (en) 2023-03-21

Family

ID=76666772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110249895.2A Active CN113098844B (en) 2021-03-08 2021-03-08 Intelligent network intrusion detection system of hardware protocol

Country Status (1)

Country Link
CN (1) CN113098844B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020177544A (en) * 2019-04-19 2020-10-29 株式会社ローラン Linux installation support program

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050114700A1 (en) * 2003-08-13 2005-05-26 Sensory Networks, Inc. Integrated circuit apparatus and method for high throughput signature based network applications
CN101814977B (en) * 2010-04-22 2012-11-21 北京邮电大学 TCP flow on-line identification method and device utilizing head feature of data stream
US20140157405A1 (en) * 2012-12-04 2014-06-05 Bill Joll Cyber Behavior Analysis and Detection Method, System and Architecture
CN103905451B (en) * 2014-04-03 2017-04-12 国网河南省电力公司电力科学研究院 System and method for trapping network attack of embedded device of smart power grid
US10296742B2 (en) * 2015-10-31 2019-05-21 Mcafee, Llc Decision forest compilation

Also Published As

Publication number Publication date
CN113098844A (en) 2021-07-09

Similar Documents

Publication Publication Date Title
Elsayed et al. InSDN: A novel SDN intrusion dataset
Li et al. Deep learning in security of internet of things
Siniosoglou et al. A unified deep learning anomaly detection and classification approach for smart grid environments
US20220353286A1 (en) Artificial intelligence cyber security analyst
Yazdinejad et al. P4-to-blockchain: A secure blockchain-enabled packet parser for software defined networking
CN103905451B (en) System and method for trapping network attack of embedded device of smart power grid
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
Cao et al. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network
CN112383538B (en) Hybrid high-interaction industrial honeypot system and method
Srivastav et al. Novel intrusion detection system integrating layered framework with neural network
CN109936578A (en) The detection method of HTTPS tunnel traffic in a kind of network-oriented
CN111786950A (en) Situation awareness-based network security monitoring method, device, equipment and medium
Yang et al. iFinger: Intrusion detection in industrial control systems via register-based fingerprinting
Mao et al. MIF: A multi-step attack scenario reconstruction and attack chains extraction method based on multi-information fusion
Viegas et al. A reliable and energy-efficient classifier combination scheme for intrusion detection in embedded systems
Tabrizi et al. Formal security analysis of smart embedded systems
Kulik et al. A framework for threat-driven cyber security verification of iot systems
Mubarak et al. Industrial datasets with ICS testbed and attack detection using machine learning techniques
Barbareschi et al. Malicious traffic analysis on mobile devices: a hardware solution
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
Halman et al. MCAD: A Machine learning based cyberattacks detector in Software-Defined Networking (SDN) for healthcare systems
CN113098844B (en) Intelligent network intrusion detection system of hardware protocol
US11297081B2 (en) Methods and systems for eliminating and reducing attack surfaces through evaluating reconfigurations
Meng et al. SeVNoC: Security validation of system-on-chip designs with NoC fabrics
CN106034132A (en) Protection Method and Computer System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant