Background technology
In recent years, with the widespread use of networks, more and more enterprises have made the network an important part of their business, which places higher demands on network security. Traditional network security devices such as firewalls can only detect attacks at the network layer and below, and cannot satisfy these requirements.
An intrusion detection device is a network security device deployed in bypass (out-of-band) mode. It monitors the data traffic on the key paths of the network comprehensively and performs real-time deep analysis of the captured data flows at layers 4 to 7, namely the transport, session, presentation and application layers, in order to discover attack events. Through the intrusion detection device, the operating state of the network and the security-related attack events in it become known, and the security policy and protective measures can be adjusted according to the attack events. At the same time, the records of attack events provide a basis for regular security evaluation and analysis, thereby raising the overall level of network security.
For an intrusion detection device, detecting attack events in the data flow is its most basic function. The detection of attack events depends on the security policy configured for the intrusion detection device, and the basis for setting a reasonable and effective security policy is the analysis and summary of attack events. Therefore, security policy and attack event statistics are the important means of managing intrusion detection.
The most commonly used intrusion detection device is IDS (Intrusion Detection System) equipment. In the prior art, the typical structure of an intrusion detection system using IDS equipment is shown in Figure 1. The IDS device 110 serves only as a single-function detection engine: it detects attacks in the network traffic and sends alarm information to the server 120 when an attack event is detected. The server 120 receives the alarm information, such as attack events and system logs, sent by the IDS device 110 during operation, and performs the security policy configuration management of the IDS device 110 and other equipment management functions. The management client 130 configures the security policy and views the records of attack events through the client software installed on it.
Such an intrusion detection system must use a high-performance server and dedicated client software, so it is costly and complex to install and maintain. At the same time, the client software must be installed on every terminal that participates in management, and the user must learn how to operate the client software.
Some intrusion detection devices in the prior art themselves provide the management functions of security policy configuration and attack event statistics: after logging in to the intrusion detection device, the security policy can be configured and managed through a command line, and some attack event statistics and analysis results can also be obtained through the command line.
Because the command line is text-based, while security policy configuration and attack event statistics are both complex operations, performing them on the command line is not intuitive: the user not only has to learn many tedious commands, but also spends considerable time and effort in actual operation.
Summary of the invention
The problem to be solved by the present invention is that, in the prior art, the security policy configuration and attack event statistics operations of an intrusion detection device are complex and time-consuming, and intrusion detection systems are costly to install and maintain and inconvenient to use.
The intrusion detection device of the present invention comprises a detection module, an attack event storage and statistics module and a World Wide Web (Web) service module, wherein:
the detection module performs attack event detection on the network traffic;
the attack event storage and statistics module stores the attack events detected by the detection module, compiles attack event statistics and returns the statistical results to the Web service module;
the Web service module manages the publishing of Web pages, generates management instructions according to the received Web-based requests, and responds with the execution results of the management instructions.
Preferably, the device also comprises a security policy storage module and a security policy configuration module, wherein:
the security policy storage module holds the currently effective security policy and provides it to the detection module, which performs attack event detection according to it;
the security policy configuration module edits the security policy in the security policy storage module according to the security policy parameters contained in the management instruction from the Web service module, and passes the execution result to the Web service module.
Preferably, the attack event storage and statistics module comprises an attack event database and an attack event statistics unit, wherein:
the attack event database stores the attack events detected by the detection module;
the attack event statistics unit compiles statistics on the attack events stored in the attack event database according to the statistical parameters contained in the management instruction from the Web service module.
Preferably, the requests received by the Web service module and the responses it sends use the Hypertext Transfer Protocol (HTTP) or the Hypertext Transfer Protocol Secure (HTTPS).
Another intrusion detection device of the present invention comprises a detection module, a security policy storage module, a security policy configuration module and a Web service module, wherein:
the detection module performs attack event detection on the network traffic according to the security policy stored in the security policy storage module;
the security policy configuration module edits the security policy in the security policy storage module and returns the execution result to the Web service module;
the Web service module manages the publishing of Web pages, generates management instructions according to the received Web-based requests, and responds with the execution results of the management instructions.
Preferably, editing the security policy comprises at least one of querying, modifying, adding and deleting a security policy.
The present invention also provides an intrusion detection system comprising an intrusion detection device and a browsing device, wherein:
the intrusion detection device performs attack event detection on the network traffic and records the attack events, publishes the management Web page to the browsing device, executes the page-based management requests from the browsing device and returns the execution results to it;
the browsing device displays the management Web page, sends page-based management requests to the intrusion detection device, and receives and displays the execution results.
Preferably, the management request of the browsing device comprises an attack event query request, and the intrusion detection device compiles attack event statistics according to the statistical parameters contained in it and sends the statistical results to the browsing device.
Preferably, the management request of the browsing device comprises a security policy request, and the intrusion detection device edits the security policy used for detecting attack events according to the security policy parameters contained in it and sends the operation result to the browsing device.
Preferably, the browsing device is a device with a Web browser, and the browsing device displays the execution results graphically.
By building a Web (World Wide Web) service module into the intrusion detection device, the present invention provides the management functions of the intrusion detection device in the form of Web pages, so that attack event statistics can be queried and the security policy can be set on a Web page. The user does not need to invest in an expensive server; a standard browser is all that is needed to manage the intrusion detection device graphically, simply and with a saving of time.
Embodiment
To overcome the tedious and inconvenient command-line statements of the prior art, the present invention manages the intrusion detection device with a built-in graphical management tool. Because a graphical management tool has to display information and accept the user's instructions through a terminal, and terminals have different hardware and software platforms, the intrusion detection device should be made independent of the terminal platform by adopting a graphical tool that every platform supports, namely a Web-based management tool for the intrusion detection device: any terminal with a standard Web browser can then manage the intrusion detection device.
As mentioned above, the two most important functions in managing an intrusion detection device are attack event statistics and security policy configuration. Figure 2 shows the structure of the first embodiment of the intrusion detection device of the present invention; the intrusion detection device in this embodiment has a built-in graphical management tool for attack event statistics.
Network traffic is input to the detection module 210; the attack event storage and statistics module 220 is connected to the detection module 210 and to the Web service module 230 respectively, and the Web service module 230 communicates with a Web browser outside the intrusion detection device. The attack event storage and statistics module 220 comprises an attack event database 221 and an attack event statistics unit 222 connected to each other, wherein the attack event database 221 is connected to the detection module 210 and the attack event statistics unit 222 is connected to the Web service module 230.
The detection module 210 performs attack event detection on the input network traffic and writes the detected attack events into the attack event database 221. An attack event is the alarm event generated after the detection module 210 has detected an attack according to the current security policy.
The attack event storage and statistics module 220 stores the various information of the attack events detected by the detection module 210. When the Web service module 230 sends a management instruction to compile attack event statistics, it performs the statistical work according to the statistical parameters in the management instruction and returns the statistical results to the Web service module 230.
The attack event database 221 stores the detected attack events. The information written into the attack event database 221 generally includes the various details of the attack, such as the time the attack occurred, the source address and source port from which the attack was launched, the attacked destination address and destination port, the protocol used by the attack, the content of the attack packet, the type of the attack packet, the severity level, and so on.
After receiving the statistical parameters sent by the Web service module 230 in a management instruction, the attack event statistics unit 222 reads attack event records from the attack event database 221 according to the statistical parameters, performs statistical analysis, generates the statistical results and returns them to the Web service module 230. The statistical parameters contain at least one query condition set on some item of attack event information in the records of the attack event database 221, and may also be a combination of several query conditions. The attack event statistics unit 222 generates standard SQL (Structured Query Language) statements from these query conditions and queries the attack event database 221 with them.
The Web service module 230 publishes graphical management Web pages to the external browser connected to the intrusion detection device; the external browser edits the statistical parameters on the management Web page and sends them to the Web service module 230 in a Web-based request. The Web service module 230 generates a management instruction containing the statistical parameters accordingly and sends it to the attack event statistics unit 222. After receiving the statistical results returned by the attack event statistics unit 222, the Web service module generates a Web-based response from the statistical results and sends it to the external browser.
Figure 3 shows the workflow of the intrusion detection device in the first embodiment, where the Web browser, outside the intrusion detection device, displays the Web pages and provides the user interface. After the detection module 210 detects an attack event, it writes the event into the attack event database 221. After the statistical parameters have been edited graphically in the Web browser, they are delivered in a standard Web-based request to the Web service module 230 in the intrusion detection device. After the Web service module 230 receives this request, it parses the statistical parameters carried in the request into a management instruction for the attack event statistics unit 222; the attack event statistics unit 222 obtains the attack event data from the attack event database 221 according to these statistical parameters, performs the statistical analysis and sends the statistical results to the Web service module 230. The Web service module 230 packages the statistical results into a standard Web-based response and sends it to the Web browser, which displays the statistical results graphically.
All attack event information stored in the attack event database 221 can serve as parameters for editing and combining query conditions on the Web pages published by the Web service module 230. Likewise, the statistics pages published by the Web service module 230 can take various forms as required, such as full-text display, bar charts, pie charts, line charts and so on.
Take querying the five attack types that occurred most often on the current day as an example. The administrator clicks "query the five attack types with the most occurrences today" on the page that the Web service module 230 publishes to the Web browser. The attack event statistics unit 222 obtains this query condition, queries the attack event database 221 with standard SQL statements for all attack events that occurred on the current day, calculates the five attack types with the highest counts and the percentage of the total number of attacks that each of these five types accounts for, and then sends the names of the five attack types, the number of occurrences of each, their percentages and other information to the Web browser through the Web service module 230. The Web browser displays these statistics graphically for the administrator to view.
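The following is an added example, not code from the patent or from any product, of the statistics path described above: the attack event table with the fields the text lists, a few constructed sample events, and the "five most frequent attack types today" query answered with standard SQL, including the per-type percentages. Since the query conditions originate in a browser request, the example whitelists the column names and operators and binds every value as a SQL parameter rather than splicing the request into the statement; the table and column names and the `sqlite3` in-memory database are assumptions made for the example.

```python
"""Attack event statistics over an attack event database (added example;
table and column names are assumptions, sample events are constructed)."""
import sqlite3
from datetime import datetime, timedelta

# Columns follow the per-event details the text says are recorded.
SCHEMA = """
CREATE TABLE attack_event (
    id          INTEGER PRIMARY KEY,
    occurred_at TEXT    NOT NULL,   -- ISO-8601 timestamp, sorts lexically
    src_addr    TEXT    NOT NULL,
    src_port    INTEGER NOT NULL,
    dst_addr    TEXT    NOT NULL,
    dst_port    INTEGER NOT NULL,
    protocol    TEXT    NOT NULL,
    attack_type TEXT    NOT NULL,   -- name of the matched feature rule
    severity    INTEGER NOT NULL,
    payload     BLOB
);
"""

# Only these columns/operators may appear in a query condition from the Web
# page; a browser-supplied column name is never spliced into SQL unchecked.
QUERYABLE_COLUMNS = {"occurred_at", "src_addr", "src_port", "dst_addr",
                     "dst_port", "protocol", "attack_type", "severity"}
OPERATORS = {"=", "<", "<=", ">", ">="}


def open_event_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, occurred_at, src, dst, attack_type, severity=2,
                 protocol="TCP", payload=b""):
    """What the detection module does with a detected attack: write one row."""
    conn.execute(
        "INSERT INTO attack_event (occurred_at, src_addr, src_port, dst_addr,"
        " dst_port, protocol, attack_type, severity, payload)"
        " VALUES (?,?,?,?,?,?,?,?,?)",
        (occurred_at.isoformat(), src[0], src[1], dst[0], dst[1],
         protocol, attack_type, severity, payload))


def build_where(conditions):
    """Turn (column, operator, value) query conditions into a WHERE clause and
    bound parameters; columns and operators are whitelisted, values bound."""
    clauses, params = [], []
    for column, op, value in conditions:
        if column not in QUERYABLE_COLUMNS or op not in OPERATORS:
            raise ValueError(f"illegal query condition: {column} {op}")
        clauses.append(f"{column} {op} ?")
        params.append(value)
    return (" AND ".join(clauses) if clauses else "1=1"), params


def top_attack_types(conn, conditions, limit=5):
    """Attack types with the most events under the conditions, each with its
    share (percent) of all matching events."""
    where, params = build_where(conditions)
    total = conn.execute(
        f"SELECT COUNT(*) FROM attack_event WHERE {where}", params).fetchone()[0]
    if not total:
        return []
    rows = conn.execute(
        f"SELECT attack_type, COUNT(*) AS n FROM attack_event WHERE {where}"
        " GROUP BY attack_type ORDER BY n DESC, attack_type ASC LIMIT ?",
        params + [limit]).fetchall()
    return [(name, n, round(100.0 * n / total, 1)) for name, n in rows]


def same_day_conditions(day):
    """Query condition for 'occurred today': [midnight, next midnight)."""
    start = datetime(day.year, day.month, day.day)
    end = start + timedelta(days=1)
    return [("occurred_at", ">=", start.isoformat()),
            ("occurred_at", "<", end.isoformat())]


def demo():
    """Constructed sample data: ten events today and one yesterday, which the
    same-day condition must exclude."""
    conn = open_event_db()
    today = datetime(2006, 3, 1, 9, 0)
    sample = (["SQL injection attempt"] * 4 + ["Port scan"] * 3
              + ["Buffer overflow"] * 2 + ["Directory traversal"])
    for i, kind in enumerate(sample):
        record_event(conn, today + timedelta(minutes=i),
                     ("192.0.2.10", 40000 + i), ("10.10.2.23", 1308), kind)
    record_event(conn, today - timedelta(days=1),
                 ("192.0.2.11", 41000), ("10.10.3.23", 1308), "Port scan")
    return top_attack_types(conn, same_day_conditions(today))


if __name__ == "__main__":
    for name, count, pct in demo():
        print(f"{name:25s} {count:3d}  {pct:5.1f}%")
```

The Web service module would build the `conditions` list from the form fields of the management page and hand the returned list of (type, count, percent) tuples back to the browser for the pie or bar chart; any field that is not in the whitelist is rejected before any SQL is generated.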
The protocol used for the requests and responses between the Web browser and the Web service module 230 is not limited; for example HTTP (Hypertext Transfer Protocol) may be used, or HTTPS (Hypertext Transfer Protocol Secure) may be used for better security.
Figure 4 shows the structure of the second embodiment of the intrusion detection device of the present invention; the intrusion detection device in this embodiment has a built-in graphical management tool for security policy configuration.
Network traffic is input to the detection module 210; the security policy storage module 240 is connected to the detection module 210 and to the security policy configuration module 250 respectively; the security policy configuration module 250 is connected to the Web service module 230; and the Web service module 230 communicates with a Web browser outside the intrusion detection device.
The detection module 210 performs attack event detection on the input network traffic, and the detection is performed according to the security policy stored in the security policy storage module 240. The most important security policy in an intrusion detection device is the attack detection feature rule, which contains the features that an attack packet has. When a packet on the network fully possesses these attack detection features, an attack event is considered to have occurred.
The security policy storage module 240 stores the currently effective security policy. Each attack detection feature rule is stored in the security policy storage module 240 in binary-coded form, and the feature rules in binary format form a tree-shaped rule structure tree. The detection module 210 detects attack events according to this rule structure tree.
After the security policy configuration module 250 receives a management instruction from the Web service module 230, it takes out the security policy parameters contained in the instruction and edits the security policy in the security policy storage module 240 according to the security policy parameters. The security policy parameters comprise the editing operation to be performed and the security policy it is aimed at; the editing operations include at least one of querying, adding, deleting and modifying a security policy. When adding or modifying a security policy, the security policy configuration module 250 can first check the validity and reasonableness of the new security policy before writing it into the security policy storage module 240, for example whether the IP addresses are legal and whether the security policy conflicts with an existing security policy. After the check, the security policy configuration module 250 converts the security policy into binary code and writes it into the rule structure tree of the security policy storage module 240. After the editing is finished, the security policy configuration module 250 returns the execution result to the Web service module 230. For add, delete and modify operations on a security policy, the result contains only the information that the configuration succeeded or failed.
The Web service module 230 publishes graphical management Web pages to the external browser connected to the intrusion detection device; the external browser edits the security policy on the management Web page and sends it to the Web service module 230 in a Web-based request. The Web service module 230 generates a management instruction containing the security policy parameters accordingly and sends it to the security policy configuration module 250. After receiving the execution result returned by the security policy configuration module 250, the Web service module generates a Web-based response from the execution result and sends it to the external browser.
Figure 5 shows the workflow of the intrusion detection device in the second embodiment; the Web browser has the same function as in the first embodiment and is likewise not included in the intrusion detection device.
After the security policy has been edited graphically in the Web browser, it is delivered in a standard Web-based request to the Web service module 230 in the intrusion detection device. After the Web service module 230 receives this request, it parses the security policy carried in the request into a management instruction for the security policy configuration module 250. The security policy configuration module 250 processes the security policy, which includes judging its validity and reasonableness and converting it into the specific format, and then stores the processed security policy in the security policy storage module 240. The security policy storage module 240 returns the result; after the operation result has reached the Web service module 230 via the security policy configuration module 250, the Web service module 230 packages it into a standard Web-based response and sends it to the Web browser, which displays the operation result graphically.
For example, the administrator has discovered an attack against a specific intranet application and has determined that the attack contains the following content feature: window.open|28 23|helpdoc.eml|27|; in addition, the feature is found in the TCP stream from the attacking client to the destination server after the TCP connection has been established. The administrator can then configure the feature rule graphically on the page that the Web service module 230 publishes to the Web browser. The content of the configured rule is shown in the following table:
Item of the feature matching rule | Content |
Rule number | 20001 |
Protocol type | TCP |
Source address | Any |
Source port | Any |
Destination address (address of the attacked application) | 10.10.2.23, 10.10.3.23 |
Destination port (port of the attacked application) | 1308 |
TCP stream state | Established |
TCP stream direction | Client-to-Server |
Feature | window.open|28 23|helpdoc.eml|27| |
Response mode | Email, SNMP Trap |
After the configuration is finished, a request containing the above feature rule is sent to the Web service module 230. The Web service module 230 generates a management instruction comprising the add operation and this feature rule, and the security policy configuration module 250 adds the feature rule to the security policy storage module 240.
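The following is an added example, not the patent's own code, of the check-then-store step the security policy configuration module performs for the rule in the table above: the rule arrives as the strings a Web form would submit, its fields are validated (legal IP addresses and port, known TCP state and direction, known response modes, no duplicate rule number), the content feature is compiled to raw bytes (in this Snort-style notation, `|28 23|` is a run of hex bytes, so the feature decodes to `window.open(#helpdoc.eml'`), and the stored rule is matched against a constructed TCP segment. The field names, the `{"result": ...}` reply, and the plain dictionary standing in for the binary rule structure tree are assumptions made for the example.

```python
"""Validating, compiling and matching a feature rule submitted from the Web
page (added example; form field names and the reply format are assumptions)."""
import ipaddress
import re
from dataclasses import dataclass, field

TCP_STATES = {"Established", "Any"}
DIRECTIONS = {"Client-to-Server", "Server-to-Client", "Any"}
RESPONSES = {"Email", "SNMP Trap", "Log"}
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\|")


def compile_content(pattern):
    """Snort-style content: literal text with |xx yy| runs of hex bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    tail = pattern[pos:]
    if "|" in tail:
        raise ValueError("unbalanced '|' in content pattern")
    return bytes(out + tail.encode("latin-1"))


@dataclass
class FeatureRule:
    number: int
    protocol: str
    src_addrs: list          # ["Any"] or list of address strings
    src_port: object         # "Any" or int
    dst_addrs: list
    dst_port: object
    tcp_state: str
    direction: str
    content: bytes
    responses: list = field(default_factory=list)


def _parse_addrs(text):
    if text.strip() == "Any":
        return ["Any"]
    # ipaddress raises ValueError for an illegal address, e.g. 10.10.2.300
    return [str(ipaddress.ip_address(a.strip())) for a in text.split(",")]


def _parse_port(text):
    if text.strip() == "Any":
        return "Any"
    port = int(text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validate_rule(form, existing):
    """Validity and conflict checks on a submitted rule; returns a FeatureRule.
    ``form`` maps the table's row names to the submitted strings."""
    number = int(form["Rule number"])
    if number in existing:
        raise ValueError(f"rule {number} conflicts with an existing rule")
    if form["Protocol type"] not in {"TCP", "UDP", "ICMP"}:
        raise ValueError("unknown protocol")
    state, direction = form["TCP stream state"], form["TCP stream direction"]
    if state not in TCP_STATES or direction not in DIRECTIONS:
        raise ValueError("unknown TCP state or direction")
    responses = [r.strip() for r in form["Response mode"].split(",")]
    if not set(responses) <= RESPONSES:
        raise ValueError("unknown response mode")
    return FeatureRule(number, form["Protocol type"],
                       _parse_addrs(form["Source address"]),
                       _parse_port(form["Source port"]),
                       _parse_addrs(form["Destination address"]),
                       _parse_port(form["Destination port"]),
                       state, direction, compile_content(form["Feature"]),
                       responses)


def add_rule(form, policy_store):
    """The add operation: validate, then store; reply is success or failure."""
    try:
        rule = validate_rule(form, policy_store)
    except ValueError as e:
        return {"result": "failure", "reason": str(e)}
    policy_store[rule.number] = rule
    return {"result": "success"}


def match(rule, segment):
    """True only when a TCP segment satisfies every field of the rule."""
    def addr_ok(allowed, a): return allowed == ["Any"] or a in allowed
    def port_ok(allowed, p): return allowed == "Any" or p == allowed
    return (segment["protocol"] == rule.protocol
            and addr_ok(rule.src_addrs, segment["src_addr"])
            and port_ok(rule.src_port, segment["src_port"])
            and addr_ok(rule.dst_addrs, segment["dst_addr"])
            and port_ok(rule.dst_port, segment["dst_port"])
            and rule.tcp_state in ("Any", segment["state"])
            and rule.direction in ("Any", segment["direction"])
            and rule.content in segment["payload"])


# The rule from the table above, as the Web form would submit it.
RULE_20001 = {
    "Rule number": "20001", "Protocol type": "TCP",
    "Source address": "Any", "Source port": "Any",
    "Destination address": "10.10.2.23, 10.10.3.23", "Destination port": "1308",
    "TCP stream state": "Established", "TCP stream direction": "Client-to-Server",
    "Feature": "window.open|28 23|helpdoc.eml|27|", "Response mode": "Email, SNMP Trap",
}
# Constructed client-to-server segment whose payload carries the decoded feature.
ATTACK_SEGMENT = {
    "protocol": "TCP", "src_addr": "192.0.2.7", "src_port": 51234,
    "dst_addr": "10.10.2.23", "dst_port": 1308, "state": "Established",
    "direction": "Client-to-Server",
    "payload": b"<script>window.open(#helpdoc.eml');</script>",
}

if __name__ == "__main__":
    store = {}
    print(add_rule(RULE_20001, store))          # success
    print(add_rule(RULE_20001, store))          # failure: duplicate rule number
    print(match(store[20001], ATTACK_SEGMENT))  # True
```

A second submission of rule 20001, or a destination address such as `10.10.2.300`, is refused before anything is written to the store, which is the "validity and reasonableness" check the text describes; the same segment travelling server-to-client does not match, because every field of the rule must be satisfied.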
As in the first embodiment, the protocol used for the requests and responses between the Web browser and the Web service module 230 in this embodiment is not limited.
For an intrusion detection device, security policy configuration and attack event statistics are equally important. Security policy configuration is the basis for attack event detection, and the statistics of attack events make the security state of the network known and allow the security policy to be further adjusted and improved according to the statistical results. Thus, with the attack event detection of the intrusion detection device as the core, security policy configuration and attack event statistics form a closed loop, whereby the overall level of network security is constantly improved. The intrusion detection device in the third embodiment of the present invention has a built-in graphical management tool for both security policy configuration and attack event statistics; its structure is shown in Figure 6.
It can be seen that the structure of Figure 6 is formed simply by adding the security policy storage module 240 and the security policy configuration module 250 to the structure of the first embodiment, or by adding the attack event storage and statistics module 220, comprising the attack event database 221 and the attack event statistics unit 222, to the structure of the second embodiment. Therefore, the third embodiment can be realised by giving the detection module 210 and the Web service module 230 the functions of both the first and the second embodiment at the same time; the functions of the other modules and the relationships among them are unchanged and are not repeated here.
Likewise, the protocol used for the requests and responses between the Web browser and the Web service module 230 in the third embodiment is not limited; for example HTTP or HTTPS may be used.
A typical structure of an intrusion detection system using the intrusion detection device of the present invention is as follows: the intrusion detection device is connected to a browsing device, and the browsing device has a Web browser capable of displaying Web pages graphically. Network traffic is input to the intrusion detection device, which detects attack events and records the detected attack events. When connected to the browsing device, the intrusion detection device publishes the management Web page to the browsing device, and the browsing device sends the management requests edited on this management Web page to the intrusion detection device. The intrusion detection device executes the received management request and returns the execution result to the browsing device, which displays it graphically.
The management request of the browsing device may be an attack event query request containing the statistical parameters of the attack events. The intrusion detection device compiles attack event statistics according to the statistical parameters and returns the statistical results to the browsing device.
The management request of the browsing device may also be a security policy request containing security policy parameters. The intrusion detection device edits the security policy used for detecting attack events according to the security policy parameters, for example by querying, adding, deleting or modifying it, and returns the result of the editing operation to the browsing device.
With the present invention, managing an intrusion detection device no longer requires remembering complex commands or performing time-consuming operations; the user can perform graphical management conveniently and securely. For the intrusion detection system, an expensive server is no longer needed, which avoids the problems of complex installation and maintenance, inconvenient use and inflexibility; the user only needs a standard browser (such as Internet Explorer) to configure the security policy and compile attack event statistics on the intrusion detection device conveniently, securely, at any time and from anywhere.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the claims of the present invention.