TWM563582U - Network intrusion detection system - Google Patents

Publication number: TWM563582U
Authority: TW (Taiwan)
Application number: TW106218718U
Other languages: Chinese (zh)
Inventors: 黃國誠, 趙英傑, 楊琮華
Original assignee: 泓格科技股份有限公司
Prior art keywords: packets, network, module, intrusion detection, network intrusion

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A network intrusion detection system comprises a network intrusion detection device, a hub, a firewall module, a switch, a plurality of terminal devices and a control terminal. The network intrusion detection device comprises a network packet parsing module, a scanning module, a response detection module, a command detection module and a denial-of-service detection module. The network packet parsing module is connected to each of the scanning module, the response detection module, the command detection module and the denial-of-service detection module. The network intrusion detection device is connected to the hub and receives the network packets transmitted to the hub; it uses these modules to scan and analyse whether packets arriving from the Internet carry malicious attack content, and reports any attack to the control terminal, which raises an alert.

Description

Network Intrusion Detection System

The present utility model relates to a network intrusion detection system, and in particular to a system having a network intrusion detection device that can scan for different kinds of network attack behaviour.

In today's networked era much communication takes place over networks, and once a device is connected to a network the probability that it is maliciously attacked or has its information stolen increases. How to reduce the loss suffered after an attack is therefore an important problem.

Existing network protection uses a firewall as one line of defence against external attacks. The firewall can be configured for specific packets: when the firewall receives these specific packets they are allowed through to the device, while packets not covered by the configuration are blocked. For ordinary network attacks a firewall can block the attack effectively, protect the devices and software, and ensure that data is not stolen.

However, a firewall can only block packets that the device does not accept. More advanced attacks, such as attacks on vulnerabilities in the system or its applications, buffer overflow attacks, or Trojan horse attacks, cannot be detected or intercepted by it. These advanced attacks disguise themselves as packets the system already allows, enter the system without being blocked by the firewall, and then paralyse the device or steal confidential data, creating an information security problem.

To address the inability of a firewall to detect advanced network attacks effectively, the present utility model proposes a network intrusion detection system in which several analysis modules detect network attack behaviour and analyse each kind of attack individually, thereby achieving effective network monitoring.

To achieve this, the network intrusion detection system of the present utility model comprises: a hub having a first port and a plurality of second ports; a network intrusion detection device connected to one of the second ports of the hub and having a network packet parsing module, a scanning module, a response detection module, a command detection module and a denial-of-service detection module; a firewall module connected to the first port of the hub; a switch connected to one of the second ports of the hub; a plurality of terminal devices connected to the switch; and a control terminal connected to the switch.

The network intrusion detection device comprises: a network packet parsing module, which captures the packets received from the external network and analyses their format; a scanning module, connected to the network packet parsing module, which receives the packets analysed by the parsing module and analyses their content; a response detection module, connected to the network packet parsing module, which receives the packets and analyses the codes they contain; a command detection module, connected to the network packet parsing module, which receives the packets and checks the correctness of the commands or parameter settings they carry; and a denial-of-service detection module, connected to the network packet parsing module, which receives the packets and detects network paralysis and attacks on services.

The network intrusion detection device is connected to the hub, so that every packet that passes through the firewall module into the network intrusion detection system also passes through the hub and is received by the network intrusion detection device. The device analyses these packets for attack commands according to the different attack patterns and compares the features of any attack command against a signature database held in the device; this signature database stores the features of the various attack behaviours as well as the features of the packets the network intrusion detection system may accept. By having the modules of the network intrusion detection device analyse the attack behaviour, combined with comparison against the signature database, the control terminal is notified that an attack has occurred and a response is taken at the control terminal, thereby achieving network monitoring and protection.

10‧‧‧network intrusion detection device
11‧‧‧network packet parsing module
12‧‧‧scanning module
14‧‧‧response detection module
16‧‧‧command detection module
18‧‧‧denial-of-service detection module
19‧‧‧memory device
191‧‧‧signature database
20‧‧‧hub
21‧‧‧first port
22‧‧‧second port
30‧‧‧firewall module
40‧‧‧switch
41a~41c‧‧‧terminal devices
50‧‧‧control terminal

FIG. 1: Schematic diagram of the network intrusion detection system of the present utility model.

FIG. 2: Schematic diagram of the network intrusion detection device of the present utility model.

Referring to FIG. 1, the network intrusion detection system of the present utility model comprises a network intrusion detection device 10, which is used in a MODBUS TCP/IP network architecture and is installed on a hub (HUB) 20. The hub 20 has a first port 21 and a plurality of second ports 22; the first port 21 is connected to a firewall module 30, and the second ports 22 are connected to a switch 40 and to the network intrusion detection device 10 respectively. The firewall module 30 filters the packets arriving from the Internet and forwards the filtered packets to the hub 20. The hub 20 receives the filtered packets and forwards every packet to both the switch 40 and the network intrusion detection device 10; the switch 40 is in turn connected to a plurality of terminal devices 41a~41c. In this embodiment there is further a control terminal 50, connected to the switch 40. The network intrusion detection device 10, the hub 20, the firewall module 30, the switch 40, the terminal devices 41a~41c and the control terminal 50 together form the network intrusion detection system, and the control terminal 50 is where the system administrator operates and monitors it.

Referring further to FIG. 2, the network intrusion detection device 10 comprises a network packet parsing module 11, a scanning module 12, a response detection module 14, a command detection module 16, a denial-of-service detection module 18 and a memory device 19. The network packet parsing module 11 is connected to each of the scanning module 12, the response detection module 14, the command detection module 16 and the denial-of-service detection module 18; the memory device 19 is connected to each of the network packet parsing module 11, the scanning module 12, the response detection module 14, the command detection module 16 and the denial-of-service detection module 18. The network intrusion detection device 10 works as a sniffer: the network packets that are to be forwarded through the hub 20 to the switch 40 are simultaneously delivered to the network intrusion detection device 10, which monitors their security.

The memory device 19 contains a signature database 191 holding a normal list and an abnormal list. The items stored in the normal list may include, but are not limited to, the IP address and MAC address of each device in the network intrusion detection system, each device's own identification data, the normal function codes, and the normal header format and normal data content of the packets the network intrusion detection system may accept. The abnormal list stores the patterns and features of the different network attacks, including malicious function codes and command attacks.

In one embodiment, before the network intrusion detection device 10 is put into service, it may first be deployed in a secure intranet to build the default entries of the abnormal list and the normal list. The secure intranet contains only the terminal devices and the communication packets exchanged among them and receives no packets from the outside Internet; this differs from the network intrusion detection system, which carries both the communication packets among the terminal devices 41a~41c and packets from the outside Internet. Once deployed in the secure intranet, the network intrusion detection device 10 begins by collecting the header format and normal data content of these communication packets and the IP and MAC address of each terminal device, and records them in the normal list as its default entries. The system administrator may additionally add known network attack patterns to the abnormal list in advance.

When the network intrusion detection device 10 is in actual use it is deployed in the network intrusion detection system and analyses the network packets. If a packet is judged to be a malicious attack packet whose pattern is not yet stored in the signature database 191, the system administrator can enter the features of that attack into the signature database 191 manually through the control terminal 50. Likewise, when terminal devices 41a~41c are added or removed, their IP addresses and identification data can be added to or removed from the signature database 191 manually through the control terminal 50.

The network packet parsing module 11 is an industrial-control network analysis framework. It receives packets from the Internet and decodes them to obtain each packet's header and data content, compares these against the normal list and the abnormal list in the signature database 191, and confirms whether the header and data content of the packet are acceptable to the system. This serves as the first stage of filtering.

When the network packet parsing module 11 judges that the packets pass this filtering, it passes them separately and simultaneously to the scanning module 12, the response detection module 14, the command detection module 16 and the denial-of-service detection module 18, which perform the second stage of analysis.

The scanning module 12 scans the IP address and MAC address of each node device in the network intrusion detection system. Each node device in the system, such as the hub 20, the switch 40 and the terminal devices 41a~41c, has its own IP address and MAC address, and these are stored in the signature database 191 in advance. If any node device is maliciously replaced, or a new device is maliciously inserted into the network intrusion detection system, the replaced or inserted device will have a new IP address and a new MAC address; when the scanning module 12 compares against the signature database 191 and finds that this new IP address and MAC address are not among those originally in the system, it reports the event to the control terminal 50.

The scanning module 12 can also detect network packets carrying malicious function codes. In the network intrusion detection system, the hub 20, the switch 40 and the terminal devices 41a~41c each have an identification unit that stores data identifying the device, such as its manufacturer, model, protocol in use and function codes. When an attack from the Internet occurs, for example, an unknown packet may carry a malicious function code intended to replace a normal function code so that the terminal devices 41a~41c of the system behave abnormally. When the scanning module 12 compares the packets against the lists in the signature database 191 and detects a malicious function code, it returns a message to the control terminal 50.

The response detection module 14 checks whether the network packets carry another kind of malicious function code. Such a malicious function code may consist solely of zeros, ones or random values, may change the length of a packet the network intrusion detection system normally uses, or may append arbitrary random digits or symbols to such a packet. When the response detection module 14 detects that the network intrusion detection system is being intruded upon by such a function-code attack packet, it returns a message to the control terminal 50.
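The following Python is an added illustration of the two-stage check described for the parsing, scanning and response detection modules; it is not code from the patent or from the assignee. It targets Modbus TCP, the protocol the device operates under: the MBAP header is decoded and its length field verified (first-stage filter), the sender's IP/MAC pair and function code are compared against a normal list and an abnormal list (scanning module), and the PDU length and register data are checked for the "wrong length" and "constant fill" patterns (response detection module). All host addresses, function-code lists and sample frames are constructed assumptions; the patent names the categories but gives no concrete values.

```python
import struct
from dataclasses import dataclass

# Constructed "normal list" (hypothetical values): IP -> MAC of each known node
NORMAL_HOSTS = {
    "192.168.10.5": "00:0c:29:aa:bb:01",
    "192.168.10.6": "00:0c:29:aa:bb:02",
}
NORMAL_FUNCTION_CODES = {0x01, 0x03, 0x05, 0x06, 0x10}
# Fixed request PDU sizes (function code byte + data) for the simple functions
EXPECTED_PDU_LEN = {0x01: 5, 0x03: 5, 0x05: 5, 0x06: 5}
# Constructed "abnormal list": function codes this network never uses
ABNORMAL_FUNCTION_CODES = {0x08, 0x2B}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes):
    """Stage 1 (packet parsing module): decode the MBAP header and the PDU.

    Returns (ModbusFrame, None) on success or (None, reason) when the header
    does not match the Modbus TCP format.
    """
    if len(frame) < 8:
        return None, "frame shorter than MBAP header plus function code"
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        return None, f"protocol id {pid} is not Modbus (0)"
    # The length field counts the unit id plus the PDU, i.e. all bytes after byte 6
    if length != len(frame) - 6:
        return None, f"length field {length} does not match frame ({len(frame) - 6})"
    return ModbusFrame(tid, pid, length, uid, frame[7], frame[8:]), None


def inspect(frame: bytes, src_ip: str, src_mac: str) -> list:
    """Run the first-stage filter, then the scanning and response checks.

    Returns a list of alert strings; an empty list means the packet is accepted.
    """
    parsed, err = parse_modbus_tcp(frame)
    if err:
        return [f"parser: {err}"]
    alerts = []

    # Scanning module: is the sender a node from the inventory, with its known MAC?
    known_mac = NORMAL_HOSTS.get(src_ip)
    if known_mac is None:
        alerts.append(f"scan: unknown device {src_ip}")
    elif known_mac != src_mac:
        alerts.append(f"scan: {src_ip} now has MAC {src_mac}, expected {known_mac}")

    # Scanning module: function code against the abnormal list, then the normal list
    fc = parsed.function_code
    if fc in ABNORMAL_FUNCTION_CODES:
        alerts.append(f"scan: abnormal-list function code 0x{fc:02x}")
    elif fc not in NORMAL_FUNCTION_CODES:
        alerts.append(f"scan: function code 0x{fc:02x} not on normal list")

    # Response detection module: PDU length and content sanity
    expected = EXPECTED_PDU_LEN.get(fc)
    pdu_len = 1 + len(parsed.data)
    if expected is not None and pdu_len != expected:
        alerts.append(f"response: PDU length {pdu_len}, expected {expected} for 0x{fc:02x}")
    if fc == 0x10:  # Write Multiple Registers: addr(2) qty(2) byte_count(1) values
        if len(parsed.data) < 5:
            alerts.append("response: write-multiple request truncated")
        else:
            qty, byte_count = struct.unpack("!xxHB", parsed.data[:5])
            values = parsed.data[5:]
            if byte_count != len(values) or byte_count != 2 * qty:
                alerts.append(f"response: byte count {byte_count} inconsistent with "
                              f"quantity {qty} and {len(values)} value bytes")
            elif len(values) >= 4 and len(set(values)) == 1:
                alerts.append("response: register data is a constant fill")
    return alerts


# Constructed sample frames (not captured traffic)
GOOD_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")       # read 10 holding registers
BAD_LENGTH = bytes.fromhex("0001 0000 0009 01 03 0000 000a")      # length field disagrees
DIAG_CODE = bytes.fromhex("0001 0000 0006 01 08 0000 0000")       # diagnostics function code
TAMPERED_WRITE = bytes.fromhex("0002 0000 000b 01 10 0010 0003 04 0001 0002")  # qty 3, 4 bytes
FILL_WRITE = bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0000 0000")      # all-zero data

if __name__ == "__main__":
    for name, frame in [("good", GOOD_READ), ("bad-length", BAD_LENGTH), ("diag", DIAG_CODE),
                        ("tampered", TAMPERED_WRITE), ("fill", FILL_WRITE)]:
        print(name, inspect(frame, "192.168.10.5", "00:0c:29:aa:bb:01"))
```

The parser refuses a frame whose length field disagrees with the bytes actually received before any content check runs, which is the first-stage/second-stage split the description draws. The constant-fill heuristic is applied only to the register data of a write-multiple request, since legitimate single-coil or single-register writes at address 0 would otherwise trip it.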

The command detection module 16 detects attacks such as abnormal control commands or abnormal parameter settings. When a network packet carries a command attack, the attack enters the network intrusion detection system and targets the control commands of the terminal devices 41a~41c, causing them to issue erroneous commands that derail the control process and disrupt the messaging among the terminal devices 41a~41c, or corrupting the parameter settings inside the terminal devices 41a~41c so that they can no longer operate normally. When the command detection module 16 detects that the network packets carry such a command attack, it returns the attack message to the control terminal 50 to notify the user to take countermeasures.

The denial-of-service detection module 18 detects whether the network intrusion detection system has received a large number of network packets within a given period. A denial-of-service attack is a form of network attack that sends a very large number of packets to the network intrusion detection system in a short time, so that the system receives a flood of packets and its network communication is paralysed. The denial-of-service detection module 18 is configured in advance with an upper limit on the number of packets that may be received within a specified time interval; when the network intrusion detection system receives a large number of checksum (CRC) errors or a large number of packets within that interval, the module 18 returns the attack message to the control terminal 50. When the control terminal 50 receives any of the attack messages described above, it issues a warning to notify the user to take countermeasures, such as cutting the connection to the external network or halting a particular terminal device. The attack can then be analysed afterwards and its features added to the abnormal list.
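The command detection and denial-of-service checks above both reduce to counting events within a sliding time window against a preset upper limit. The Python below is an added example, not the patent's or the assignee's code: it counts packets and CRC errors per window, counts how often a single coil is toggled (the "frequent switching" attack the claims name), and checks a written set point against an engineering range. The limits, addresses and traffic are constructed assumptions; the `coil_write` and `register_write` arguments stand in for fields a Modbus decoder would supply.

```python
from collections import defaultdict, deque


class WindowCounter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts: float) -> int:
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q)


# Constructed set-point limits per (unit id, register address); hypothetical values
SETPOINT_LIMITS = {(1, 0x0010): (0, 1000)}


class FloodAndCommandDetector:
    def __init__(self, window=1.0, packet_limit=200, crc_error_limit=20, toggle_limit=5):
        self.window = window
        self.packet_limit = packet_limit
        self.crc_error_limit = crc_error_limit
        self.toggle_limit = toggle_limit
        self.packets = WindowCounter(window)
        self.crc_errors = WindowCounter(window)
        self.toggles = WindowCounter(window)
        self.last_coil = {}   # (unit, coil address) -> last value written

    def observe(self, ts, src_ip, crc_ok=True, coil_write=None, register_write=None):
        """Feed one observed packet; returns the alerts it triggers (possibly none).

        coil_write / register_write are optional (unit_id, address, value) tuples
        taken from a Write Single Coil / Write Single Register request.
        """
        alerts = []
        # Denial-of-service module: packet volume per window
        if self.packets.add("all", ts) > self.packet_limit:
            alerts.append(f"dos: more than {self.packet_limit} packets in {self.window}s")
        # Denial-of-service module: checksum error volume per window
        if not crc_ok and self.crc_errors.add("all", ts) > self.crc_error_limit:
            alerts.append(f"dos: more than {self.crc_error_limit} CRC errors in {self.window}s")
        # Command module: frequent switching of one coil
        if coil_write is not None:
            unit, addr, value = coil_write
            prev = self.last_coil.get((unit, addr))
            self.last_coil[(unit, addr)] = value
            if prev is not None and prev != value and \
                    self.toggles.add((unit, addr), ts) > self.toggle_limit:
                alerts.append(f"command: coil {addr} on unit {unit} toggled more than "
                              f"{self.toggle_limit} times in {self.window}s")
        # Command module: set point written outside its engineering range
        if register_write is not None:
            unit, addr, value = register_write
            limits = SETPOINT_LIMITS.get((unit, addr))
            if limits is not None and not limits[0] <= value <= limits[1]:
                alerts.append(f"command: register 0x{addr:04x} on unit {unit} set to {value}, "
                              f"outside {limits[0]}..{limits[1]}")
        return alerts


def replay(detector, events):
    """Feed a list of (ts, src_ip, kwargs) events; return the alert lists in order."""
    return [detector.observe(ts, ip, **kw) for ts, ip, kw in events]


if __name__ == "__main__":
    # constructed burst: six packets within half a second from one source
    burst = [(0.1 * i, "10.0.0.9", {}) for i in range(6)]
    print(replay(FloodAndCommandDetector(window=1.0, packet_limit=5), burst))
    # constructed coil flapping: five alternating writes to coil 7 of unit 1
    flap = [(2.0 + 0.1 * i, "10.0.0.9", {"coil_write": (1, 7, i % 2)}) for i in range(5)]
    print(replay(FloodAndCommandDetector(window=1.0, toggle_limit=3), flap))
```

Each counter keeps only timestamps inside the window, so a burst that stops is forgotten once the window slides past it; an alert is raised on every packet beyond the limit, which a deployment would normally rate-limit before forwarding to the control terminal.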

Because the hub 20 operates by broadcasting, when network packets enter the hub 20 it forwards them to every device connected to it. The network intrusion detection device 10 is connected to the hub 20, so through the hub it receives every network packet that enters the network intrusion detection system, and it sends the notification of a network attack through the hub 20 and the switch 40 to the control terminal 50, where the user judges the severity of the attack. This protects the network intrusion detection system and reduces the damage when it is attacked.

Claims (7)

1. A network intrusion detection system, comprising: a hub having a first port and a plurality of second ports; a network intrusion detection device connected to one of the second ports of the hub and having a network packet parsing module, a scanning module, a response detection module, a command detection module and a denial-of-service detection module; a firewall module connected to the first port of the hub; a switch connected to one of the second ports of the hub; a plurality of terminal devices connected to the switch; and a control terminal connected to the switch.

2. The network intrusion detection system of claim 1, wherein: the network packet parsing module captures the packets received from the external network and analyses their format; the scanning module is connected to the network packet parsing module, receives the packets analysed by it and analyses their content; the response detection module is connected to the network packet parsing module, receives the packets and analyses the codes they contain; the command detection module is connected to the network packet parsing module, receives the packets and checks the correctness of the commands or parameter settings they carry; and the denial-of-service detection module is connected to the network packet parsing module, receives the packets and detects network paralysis and attacks on services.

3. The network intrusion detection system of claim 2, wherein the network intrusion detection device is installed on a second port of the hub, a second port of the hub is further connected to the switch, and the switch is connected to a plurality of terminal devices, each terminal device carrying identification information such as its manufacturer, model, communication protocol in use, network (IP) address and MAC address.

4. The network intrusion detection system of claim 3, wherein the network intrusion detection device comprises a memory device storing a signature database, the signature database recording the features of malicious attacks and the packet formats that conform to the normal specification.

5. The network intrusion detection system of claim 4, wherein: after receiving the packets, the network packet parsing module analyses their header and body to confirm whether the header and body formats conform to the standard; the scanning module analyses the information in the packets, including the source of the packet, the device identity data of the terminal devices and the function codes in the packet, and confirms whether the packets contain a first malicious function code, which would replace the code of a normal function and make the terminal devices in the network intrusion detection system operate abnormally; the response detection module analyses whether the packets carry a second malicious function code, whose encoding may be random values, an incorrect length, or a malicious alteration of the command codes used in the network intrusion detection system; the command detection module scans the packets for malicious commands that arbitrarily change the process control state, switch devices on and off frequently, change operating set points, or shut down or start up a device; and the denial-of-service detection module is configured in advance with an upper limit on the number of packets received within a period and an upper limit on the number of packet errors received within that period.

6. The network intrusion detection system of claim 5, wherein the network intrusion detection device comprises a memory device storing a signature database, the signature database recording the features of malicious attacks and the packet formats that conform to the normal specification.

7. The network intrusion detection system of claim 6, wherein: when the network packet parsing module finds that the format of the packets does not conform to the standard, it sends a signal to the control terminal; when the scanning module finds that the information in the packets differs from the device information stored in the signature database, or that the packets carry the first malicious function code, it sends a signal to the control terminal; when the response detection module finds that the packets carry the second malicious function code, being random values, an incorrect length, or a command code that would alter the original system, it sends a signal to the control terminal; when the command detection module detects that the packets contain commands that maliciously alter the original system's process and state, it sends a signal to the control terminal; and when the denial-of-service detection module receives, within a period, more packets than the configured upper limit or more packet errors than the configured upper limit, it sends a signal to the control terminal.
Application TW106218718U, filed 2017-12-18 (priority date 2017-12-18), published as TWM563582U (en) on 2018-07-11. Family ID: 63642014. Country status: TW (1) TWM563582U.
