CN100372296C - Network invading detection system with two-level decision structure and its alarm optimization method - Google Patents

Info

Publication number: CN100372296C
Authority: CN (China)
Prior art keywords: knowledge base, decision, alarm, warning, data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CNB2004100093515A
Other languages: Chinese (zh)
Other versions: CN1694411A (en)
Inventors: 怀进鹏, 刘利军, 刘旭东, 刘庆云, 杨超锋
Current assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Beihang University (Beijing University of Aeronautics and Astronautics)
Original assignee: Beihang University
Events: application filed by Beihang University; priority to CNB2004100093515A; publication of CN1694411A; application granted; publication of CN100372296C; legal status Expired - Fee Related; anticipated expiration.

Abstract

The present invention discloses a network intrusion detection system with a two-level decision kernel and an alarm optimization method for it; the alarm optimization technique is realized in combination with the two-level decision kernel. The alarm optimization mechanism has two main steps: in step one, an alarm filtering algorithm based on an alarm buffer pool filters the original alert data, removing repeated alarms and excessive (flood) alarms; in step two, the filtered alert data is correlated with a network system knowledge base and analysed, so that false alarms produced by intrusions in a mismatched context are removed, and the network system knowledge base is maintained and updated in time by vulnerability scanning so that the correlation stays effective. The alarm optimization technique realized with the two-level decision structure effectively reduces false alarms and excessive alarms, improves detection results, and is highly practical.

Description

Network intrusion detection system with a two-level decision kernel and its alarm optimization method
Technical field
The present invention relates to a network intrusion detection system, in particular a network intrusion detection system with a two-level decision kernel, and to the alarm optimization method adopted by that system; it belongs to the field of network security technology.
Background technology
As Internet use becomes universal, people pay more and more attention to network security. As an effective means of dealing with network intrusions, intrusion detection systems (IDS) play an important role in a network security defence system.
Existing intrusion detection systems are mainly network-based (Network-based IDS, NIDS) and host-based (Host-based IDS, HIDS). A NIDS detects intrusions from the contents of packets on the monitored network, while a HIDS detects intrusions by analysing information inside the host, such as system audit logs and operating-system processes. In terms of detection technique, intrusion detection divides into anomaly detection and misuse detection. Anomaly detection identifies an intrusion as any behaviour that violates the normal state; it can detect unknown attacks but tends to produce a high false-positive rate. Misuse detection explicitly defines the features of attacks and detects intrusions by matching the observed data against attack signatures; it has higher accuracy but can only detect the known attacks its rules define.
Although existing intrusion detection systems play an important role in network security defence, some serious technical problems remain and limit their practical effect. Inaccurate alarms (false positives and false negatives) and inappropriate alarm volume (excessive alarms) are particularly prominent. In addition, in recent years many detection-evasion techniques and special software tools that mount DoS attacks against the IDS itself, such as Stick and Snot, have appeared, making these problems even more prominent. How to reduce false positives, false negatives and excessive alarms and improve the effectiveness of IDS has therefore become one of the core research topics in the intrusion detection field.
Existing research has proposed many detection techniques and methods to improve the effectiveness of IDS and detect intrusions accurately. The main ones fall into the following classes: (1) special processing of Internet protocol data to avoid detection errors. The Snort system, for example, adopts IP fragment reassembly and TCP session reconstruction so as to detect attacks spread over several consecutive fragments or messages; the RealSecure and BlackICE systems integrate protocol analysis, which, by further analysing the semantic information of the application protocol, avoids many of the false positives and false negatives caused by the defects of pattern matching. (2) Stronger description of intrusions to improve detection accuracy, typified by NFR's N-Code rule description language. N-Code offers rich language features such as variables, operators, statements, functions and exception handling, so that the features and handling of an intrusion can be described more precisely, avoiding detection errors caused by inaccurate intrusion descriptions;
(3) special detection algorithms. The GrIDS system developed at UC Davis performs intrusion detection in large networks by building network activity graphs; SRI's EMERALD system combines an expert system based on an attack knowledge base with a probabilistic-statistical anomaly detection algorithm; the MINDS project at the University of Minnesota combines data-mining-based anomaly detection with signature detection; Chinese invention patent application 03137094.2 discloses a component, consisting of a correlated-feature analyser, a data reassembler and a class profile analyser, that performs correlated feature analysis, extraction and reassembly of the initial data stream and replaces the original attack profile analyser in the event analysis module, forming a new hierarchical intrusion detection system. Other research projects study anomaly detection algorithms using neural networks, immune algorithms and similar techniques. Although these works have the advantage of detecting unknown intrusions, they still suffer from relatively high false-positive rates.
The inventors have analysed in depth the features of existing IDS systems and find that they basically all have a single-level decision kernel: the intrusion analysis result passes through only one decision kernel. Although different IDS systems differ in form, each logically has one clearly defined decision kernel that analyses the source data with a specific detection algorithm and decides whether to raise an intrusion alarm. The accuracy of the alarm therefore depends entirely on the logical capability of the analysis algorithm in that decision kernel; although researchers have taken various technical measures to improve that algorithm's accuracy, low alarm accuracy remains a serious problem.
Summary of the invention
The objective of the invention is to propose a new network intrusion detection system with a two-level decision kernel, in which the decision kernels at each level use different analysis algorithms, thereby effectively avoiding the defects of a single analysis algorithm, reducing false positives and excessive alarms, and improving the detection effect.
Another object of the invention is to provide the alarm optimization method adopted by this network intrusion detection system.
To achieve the above objects, the invention adopts the following technical scheme:
A network intrusion detection system comprising a data source, an alert database and a management console, characterized in that:
the network intrusion detection system has a two-level decision kernel, in which the first-level decision kernel is connected to the data source and its result flows to the second-level decision kernel, and the second-level decision kernel is connected to the alert database;
the first-level decision kernel is a decision kernel that filters the original alert data from the data source by an alarm filtering algorithm based on an alarm buffer pool;
the second-level decision kernel is a decision kernel that correlates and analyses the filtered alert data against a knowledge base using corresponding techniques, rejects false alarm data on this basis, and maintains and updates the knowledge base in time using vulnerability scanning.
In one arrangement, the first-level and second-level decision kernels are distributed on different hosts and communicate with each other through alarm agents.
The alarm agent of the first-level decision kernel is implemented as a separate process, and alarm information is passed between this process and the network intrusion detection process on the same host through shared memory.
The second-level decision kernel is divided into a communication module, a main control module, a decision module and an output module, and the decision module is divided into a filter, an analyser, a correlator and a knowledge base. The detection system also has a detection engine and a vulnerability scanner; the detection engine connects to the communication module, the communication module sends data through the filter and analyser to the correlator, the vulnerability scanner also sends data to the correlator through the knowledge base, the correlator sends the optimized alert data to the output module, and the output module sends data to the management console and the alert database.
The alarm optimization method adopted by the above network intrusion detection system is characterized by comprising the steps:
a) filtering the original alert data by an alarm filtering algorithm based on an alarm buffer pool, filtering out repeated alarms and excessive alarm data;
b) correlating and analysing the filtered alert data against a knowledge base using corresponding techniques, rejecting on this basis the false alarm data caused by a mismatched intrusion context, and maintaining and updating the knowledge base in time using vulnerability scanning.
Step a) comprises the following substeps:
(1) start;
(2) acquire the mutex lock;
(3) check whether the system is in the special handling state;
(4) if so, remain in the special handling state for mass alarms, release the mutex lock and end; if not, match the alarm information against the information in the alarm pool and go to step (5);
(5) check whether there is a repeated alarm;
(6) if so, perform repeated-alarm handling and go to step (7); if not, go directly to step (7);
(7) write the alert data into the alarm pool;
(8) check whether there are mass alarms;
(9) if so, send a report to the console, reset the timeout timer and go to step (10); if not, go directly to step (11);
(10) enter the special handling state for mass alarms;
(11) release the mutex lock;
(12) end.
Step b) further comprises the following substeps:
(1) look up the intrusion rule base according to the alarm information and find the Common Vulnerabilities and Exposures (CVE) value corresponding to the alarm;
(2) look up the vulnerability scanning plugin library according to the CVE value and find the corresponding scanner plugin identifier;
(3) look up the knowledge base and match the associated scanner plugin identifier;
(4) check whether the match succeeds and the entry has not expired;
(5) if the match succeeds and the knowledge base entry has not expired, the association succeeds: output the alarm and end; if the match succeeds but the knowledge base entry has expired, or the match fails, go to step (6);
(6) launch a scan of the target machine with the associated scanner plugin identifier;
(7) refresh the knowledge base with the scanner result;
(8) go to step (3) and match the scanner plugin identifier again; if the match succeeds, the association succeeds, otherwise the association fails.
In step b), the knowledge base update process comprises the steps:
(1) define a knowledge expiry interval value;
(2) at system start-up, first empty the knowledge base, then run a vulnerability scan of the target machines already known to the knowledge base, and initialize the knowledge base with the scan results;
(3) whenever a correlation finds no matching entry in the knowledge base, or finds a match whose timestamp is older than the expiry interval, launch a new scan and refresh the knowledge base with its result.
The network intrusion detection system based on a two-level decision kernel and its alarm optimization method have the following advantages:
● measures to improve the detection effect can be taken in both levels of the decision kernel at the same time, so the structure is more flexible and easier to extend;
● the filtering and analysis algorithm of the second-level kernel can be designed around the problems present in the first-level kernel's analysis algorithm, improving detection and alarm quality in a targeted way;
● in a distributed intrusion detection scenario, the second-level kernel can analyse the results of several detection engines globally, and can use knowledge unavailable to any single detection engine, such as network topology and application deployment information, to re-analyse and filter the alarm information and improve alarm quality;
● because there is a logical entity, the alarm agent, dedicated to handling alarm information, processing such as format conversion and encryption/decryption of alarm information is very easy to implement, and the system architecture is clearer.
Description of drawings
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a structural diagram of an existing intrusion detection system.
Fig. 2 is a structural diagram of the network intrusion detection system with a two-level decision kernel of the invention.
Fig. 3 is the system architecture diagram of a network intrusion detection system developed on the basic principle of the above two-level decision kernel.
Fig. 4 is a structural diagram of the distributed two-level decision kernel.
Fig. 5 is an embodiment of the deployment of the distributed two-level decision kernel structure in a distributed detection environment.
Fig. 6 is a schematic diagram of the alarm buffer pool.
Fig. 7 is the implementation flowchart of the alarm filtering algorithm.
Fig. 8 is the physical structure diagram of the knowledge base.
Fig. 9 is a schematic diagram of the alarm correlation and knowledge base update mechanism.
Fig. 10 is a flowchart of the alarm correlation and knowledge base update process.
Embodiment
As shown in Fig. 1, any intrusion detection system has at least a data source, a decision kernel, an alert database and a management console. Whatever analysis algorithm the IDS executes, its intrusion detection flow is always the same: collect data from the source, analyse it in the decision kernel, output alarms and respond. The above structure diagram therefore applies to all existing intrusion detection systems.
Fig. 2 is the structural diagram of the network intrusion detection system with a two-level decision kernel of the invention. It introduces a second-level decision kernel on the basis of the system shown in Fig. 1, so the system has two decision kernels, A and B in sequence: A performs the traditional detection function, and B further analyses and filters, from a different angle, the alarm information produced by A in order to raise the accuracy with which the system detects intrusions. We call this system structure the two-level decision kernel structure.
The network intrusion detection system of the invention does not merely add one more decision kernel to the system. For it to genuinely improve detection accuracy, the decision analysis logic in decision kernel B must work from a different angle than kernel A.
That is, on the one hand, kernel B should analyse and decide on alarm information from a higher-level, more comprehensive angle. In most misuse-detection IDSs, the decision algorithm of kernel A checks and analyses data with pattern matching or protocol analysis according to the attack signature information in the intrusion rule base, and raises an alarm whenever data matching an attack signature is found. In decision kernel B there is no need to repeat the matching against intrusion rules; the analysis algorithm should instead perform a global analysis and synthesis from aspects such as the frequency and repetitiveness of alarm information, network topology and application deployment information, filter out wrong alarm information or merge redundant alarm information, raise alarm accuracy and reduce excessive alarms, and so provide the system administrator with comprehensive, more valuable information rather than scattered, isolated alert events.
On the other hand, the second-level decision kernel can also obtain relevant information from other security techniques to assist the decision. For example, according to the security vulnerability information associated with an alarm produced by the first-level kernel, it can call a vulnerability scanning system in real time to verify the vulnerability status of the attacked target system and check whether the target host is sensitive to the attack; in this way many false alarms for intrusions occurring in the wrong context can be eliminated. At the same time, relevant system logs, firewall logs and similar information can be obtained immediately to support a more accurate decision.
Fig. 3 shows the system architecture diagram of the network intrusion detection system developed by the inventors on the basic principle of the above two-level decision kernel. In Fig. 3, hollow arrows represent the flow of data, thin black arrows represent control operations, and thick black arrows specifically represent the flow of optimized alert data. The detection engine, management console and alert database are common to general intrusion detection systems. The second-level decision kernel and the vulnerability scanner are newly added for alarm optimization; the second-level decision kernel system is logically divided into four parts: a communication module, a main control module, a decision module and an output module. The communication module communicates with the detection engine and receives the original alert data; the decision module filters, correlates and otherwise optimizes the original alert data; the main control module is responsible for start-up, configuration and management of the second-level decision kernel; the output module outputs the final alert data. The vulnerability scanner creates, maintains and updates the knowledge base from the vulnerability information collected on target hosts, providing the basis for alarm correlation. The above system realizes the two-level decision kernel structure proposed above and implements the alarm optimization technique in combination with it.
It must be pointed out that although the two-level decision kernel structure brings great flexibility for improving alarm quality, introducing a second-level decision kernel increases the processing load and may affect the operating efficiency of the whole system. To overcome this drawback we further provide the distributed two-level decision kernel structure shown in Fig. 4.
This structure adds two alarm agent components to the architecture of Fig. 2 and deploys the parts inside the two dashed boxes on different machines, so that the processing work of decision kernel B is carried by another host, eliminating the performance loss the second-level kernel imposes on the system. To prevent decision kernel A from waiting on network communication delay when raising an alarm, the alarm agent responsible for network communication in the left dashed box can be implemented as a separate process, and alarm information can be passed between this process and the network intrusion detection process of kernel A through shared memory, improving operating efficiency. Because decision kernel B only handles alarm information, which is far smaller in volume than the source data kernel A processes, there is no performance problem. The structure shown in Fig. 4, in which the two levels of decision kernel are distributed on different hosts and alarm agents complete the communication between the two levels over the network, is what we call the distributed two-level decision kernel structure.
Further, the above structure can be easily extended for large-scale distributed network intrusion detection; Fig. 5 is an embodiment of the deployment of the distributed two-level decision kernel structure in a distributed detection environment. In this embodiment, the decision kernels distributed across several detection engines are each connected through their own alarm agent, and all connect to one second-level decision kernel. By comprehensively analysing and correlating the alert data of several detection engines after their first-level decisions, the system both reduces false alarms and is better placed to discover intrusions across the whole network that no single detection engine could find.
The invention provides not only the above network intrusion detection system based on a two-level decision kernel but also the particular alarm optimization method the system adopts, which is described in detail below.
During development of the system we found that the signature detection technique adopted by existing intrusion detection systems produces false positives or excessive alarms in two typical situations, described in turn below:
When an attack tool aimed specifically at NIDS, such as Stick or Snot, sends messages carrying different attack signatures into the network monitored by the IDS, the IDS produces a large number of alarms in a short time (these alarm messages are generally different and do not repeat), causing alarm congestion or even stopping the system. In this case, although the packets carry attack signatures, the attack scenarios they represent have not really occurred and cannot cause any actual attack effect on the network; the IDS cannot tell this and believes the attacks have really happened, so these alarms are false alarms. We call this situation local alarm flooding.
When a network scan or certain kinds of DoS attack (such as Ping flood or smurf) occur, large numbers of data messages with identical intrusion features appear repeatedly. Because the IDS can only judge these situations by the simple features of the monitored messages, it produces a large number of repeated alarm messages in a short time that drown out other alarms, so the administrator cannot make an objective judgement and analysis, seriously reducing the practicality of the system. Although the alarm information is correct in this case and not a false positive, the mass of repeated alarms in a short time severely affects the practical performance of the system; it is a case of excessive alarms. We call this situation local repeated alarms.
To solve the above problems of signature detection, the invention proposes an alarm optimization method suited to the network intrusion detection system with a two-level decision kernel. The method has two steps: the first step filters the original alert data with an alarm filtering algorithm based on an alarm buffer pool, filtering out repeated and excessive alarm data; the second step correlates and analyses the filtered alert data against a knowledge base using corresponding techniques, rejects on this basis the false alarm data caused by a mismatched intrusion context, and maintains and updates the knowledge base in time using vulnerability scanning to guarantee the correlation effect.
The implementation of these two steps is described in turn below.
As shown in Fig. 6, to recognize local alarm flooding and local repeated alarms and apply the corresponding filtering, we designed an alarm buffer pool, Alert Pool; all filtering operations are completed in the buffer pool, and only the alarm information left after filtering is actually reported. In the figure, each node in the buffer pool represents the information about one alarm. To improve efficiency, the nodes are organized into separate alarm queues keyed by the source address of the alarm information, so that all the alarms represented by the nodes in any one queue come from the same source host. An AlertNode node contains the alarm information and the details of the attack packet that caused the alarm; the AlertQueue structure contains information about the queue as a whole, such as the queue length and the last update time.
In the above method, the main processing of the alarm buffer pool can be abstracted into two classes: one adds new nodes to the buffer pool according to certain rules, and the other filters nodes and then removes them from the pool accordingly. In the implementation we adopted the following key techniques:
(1) multithreading to implement the filtering of local repeated alarms and local alarm flooding and the clean-up of the buffer pool, so as to improve the efficiency of handling alarm information that arrives at random;
(2) a shared-memory mechanism for the alarm information communication between the first-level decision kernel and the alarm agent process, to improve alarm efficiency;
(3) treating the alarm buffer pool as a resource shared between threads, with a mutex lock to synchronize the threads' operations on the shared resource and avoid conflicts;
(4) a timer to periodically start the operations that clean up the alarm pool and manage its state.
Multithreading, shared memory, mutex locks and timers are all common means in existing computer technology and are not explained one by one here.
The implementation flow of the above alarm filtering algorithm, shown in Fig. 7, comprises the following substeps:
(1) start;
(2) acquire the mutex lock alert_lock;
(3) is the system in the special handling state?
(4) if so, remain in the special handling state for mass alarms, release the mutex lock alert_lock and end; if not, match the alarm information against the information in the alarm pool and go to step (5);
(5) is there a repeated alarm?
(6) if so, perform repeated-alarm handling and go to step (7); if not, go directly to step (7);
(7) write the alert data into the alarm pool;
(8) are there mass alarms?
(9) if so, send a report to the console, reset the timeout timer and go to step (10); if not, go directly to step (11);
(10) enter the special handling state for mass alarms;
(11) release the mutex lock alert_lock;
(12) end.
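The alarm buffer pool and the twelve-step filtering flow above (and the identical substeps of step a) in the summary) can be expressed directly in code. The following is an added example written for this page, not code from the patent or from the Beihang University system: the AlertNode/AlertQueue/alert_lock names follow the description, but the numeric thresholds, the decision to count a flood per source queue while the special handling state is global, and the discarding of a flooding source's queued nodes are assumptions chosen for the example. Repeated alarms are merged into one node with a count, which is how this example realizes "repeated-alarm handling"; the timer-driven clean-up that the patent assigns to a separate thread is the cleanup() method.

```python
import threading
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Tuning values are assumptions for this example; the patent names the
# mechanisms (repeat check, mass-alarm check, timeout timer) but gives no numbers.
REPEAT_WINDOW = 5.0      # seconds: same (src, signature, dst) again within this window is a repeat
FLOOD_THRESHOLD = 50     # distinct new alarms from one source within FLOOD_WINDOW = "mass alarms"
FLOOD_WINDOW = 2.0       # seconds
SPECIAL_TIMEOUT = 10.0   # seconds the special handling state lasts after the last flood report


@dataclass
class AlertNode:
    """One alarm in the pool: the alarm plus details of the packet that raised it."""
    signature: str
    dst: str
    packet_info: str
    first_seen: float
    last_seen: float
    count: int = 1          # how many times this alarm was repeated (merged in step 6)


@dataclass
class AlertQueue:
    """Per-source queue plus whole-queue information (length, last update time)."""
    nodes: list = field(default_factory=list)
    last_update: float = 0.0
    arrivals: list = field(default_factory=list)   # timestamps of new (non-repeat) nodes

    @property
    def length(self):
        return len(self.nodes)


class AlertPool:
    def __init__(self):
        self.alert_lock = threading.Lock()   # the pool is shared between threads
        self.queues = defaultdict(AlertQueue)  # keyed by alarm source address
        self.special_until = 0.0             # timeout timer of the special handling state
        self.console_reports = []            # what step (9) sent to the console

    def in_special_state(self, now):
        return now < self.special_until

    def submit(self, src, signature, dst, packet_info="", now=None):
        """Run one alarm through the Fig. 7 flow; returns 'dropped', 'repeat', 'new' or 'flood'."""
        now = time.time() if now is None else now
        with self.alert_lock:                                 # step (2); released on exit, step (11)
            if self.in_special_state(now):                    # steps (3)/(4): stay in special state
                return "dropped"
            q = self.queues[src]
            for node in q.nodes:                              # steps (5)/(6): repeat handling = merge
                if (node.signature == signature and node.dst == dst
                        and now - node.last_seen <= REPEAT_WINDOW):
                    node.count += 1
                    node.last_seen = now
                    q.last_update = now
                    return "repeat"
            q.nodes.append(AlertNode(signature, dst, packet_info, now, now))   # step (7)
            q.last_update = now
            q.arrivals = [t for t in q.arrivals if now - t <= FLOOD_WINDOW] + [now]
            if len(q.arrivals) >= FLOOD_THRESHOLD:            # step (8): mass alarms?
                self.console_reports.append(                  # step (9): one report to the console
                    f"alarm flood from {src}: {len(q.arrivals)} distinct alarms in {FLOOD_WINDOW}s")
                q.nodes.clear()                               # assumption: flood alarms are false, drop them
                self.special_until = now + SPECIAL_TIMEOUT    # reset timeout timer; step (10)
                return "flood"
            return "new"

    def cleanup(self, now=None):
        """Timer-driven clean-up: nodes idle longer than REPEAT_WINDOW leave the pool and are
        returned as the filtered alarms to report, each with its repeat count."""
        now = time.time() if now is None else now
        reported = []
        with self.alert_lock:
            for src, q in self.queues.items():
                keep = []
                for node in q.nodes:
                    if now - node.last_seen > REPEAT_WINDOW:
                        reported.append((src, node.signature, node.dst, node.count))
                    else:
                        keep.append(node)
                q.nodes = keep
        return reported


if __name__ == "__main__":
    # Constructed traffic: one repeated alarm, then a Stick-style burst of distinct alarms.
    pool, t = AlertPool(), 1000.0
    for i in range(3):
        print(pool.submit("10.0.0.1", "sig-A", "10.0.0.9", now=t + i))
    print(pool.cleanup(now=t + 30))
    burst = [pool.submit("10.0.0.2", f"sig-{i}", "10.0.0.9", now=t + i * 0.01)
             for i in range(FLOOD_THRESHOLD)]
    print(burst[-1], pool.console_reports)
```

The lock is held for the whole of submit(), matching steps (2) and (11); in a real deployment the clean-up would run from the timer thread the patent describes, calling cleanup() on a fixed interval.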
In addition, in the practical application of intrusion detection systems, an important source of false alarms is network traffic with attack signatures appearing in an incorrect context. To eliminate this class of false alarm, we correlate alarm information with a knowledge base containing the network system's service and vulnerability information. If the association succeeds, i.e. the system vulnerability targeted by the attack really exists, the attack activity will damage the system and an alarm should be raised immediately; otherwise the vulnerability targeted by the attack does not exist, the attack cannot really damage the system, the alarm information is a false alarm and should be filtered out. To guarantee the accuracy and objectivity of the knowledge base, we use a vulnerability scanner to create, maintain and update it dynamically.
Knowledge base information is crucial to alarm correlation, because the content the correlation algorithm associates against comes from the knowledge base; the content, creation and update mechanism of the knowledge base are therefore the key issues in its design. The knowledge base is stored in the system in the form of database tables; its logical structure, shown in Fig. 8, comprises two parts, host information and service information.
The knowledge base stores security vulnerability information about target machines. Vulnerability information reflects software configuration, state and the like, and because software can be upgraded at any time, the knowledge base must be updated accordingly so that it accurately reflects the state of the target machines. The knowledge base update process is as follows:
A) define a knowledge expiry interval value T, which can be edited on the command line;
B) at system start-up, first empty the knowledge base, then run a vulnerability scan of the target machines already known to the knowledge base, and initialize the knowledge base with the scan results;
C) whenever a correlation finds no matching entry in the knowledge base, or finds a match whose timestamp is older than the expiry interval, launch a new scan and refresh the knowledge base with its result.
Through the above update process, the timeliness and accuracy of alarm correlation results can be fully guaranteed.
Taken together, the mechanism of alert correlation and knowledge base update is shown in Figure 9, and its concrete implementation, shown in Figure 10, comprises the following steps:
(1) look up the intrusion rule base by the alert message and find the CVE (Common Vulnerabilities and Exposures) value corresponding to the alert;
(2) look up the vulnerability-scanning plugin library by the CVE value and find the corresponding scanner plugin identifier;
(3) search the knowledge base and match the associated scanner plugin identifier;
(4) does it match, and is the entry not expired?
(5) if it matches and the knowledge base entry is not expired, the correlation succeeds: output the alert and end; if it matches but the entry is expired, or it does not match, go to step (6);
(6) initiate a scan of the target machine with the associated scanner plugin identifier;
(7) refresh the knowledge base with the scan result;
(8) go to step (3) and match the scanner plugin identifier again; if it matches, the correlation succeeds, otherwise the correlation fails.
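The eight correlation steps above together with the knowledge base update process A) to C), as an added Python example that is not the patent's implementation. The rule base, plugin library, CVE identifiers ("CVE-0000-0001" and the like are constructed placeholders), host addresses and the scanner callable are all constructed stand-ins; the expiry interval T is passed in seconds. One design choice here goes beyond the text: a scan result is recorded for the (host, plugin) pair whether the vulnerability was found or not, so a fresh negative result answers later alerts from the knowledge base instead of triggering a new scan per alert. Alerts whose signature has no CVE mapping are returned as "unverified" (also an assumption) so that they are not silently dropped.

```python
from dataclasses import dataclass


@dataclass
class KBEntry:
    """Knowledge base record: one scanner plugin result for one host, with its timestamp."""
    present: bool
    stamp: float


class Correlator:
    def __init__(self, rule_base, plugin_library, scanner, expiry_T):
        self.rule_base = rule_base            # intrusion rule base: signature id -> CVE id
        self.plugin_library = plugin_library  # scanner plugin library: CVE id -> plugin id
        self.scanner = scanner                # scanner(host, plugin_id) -> True if the vuln is present
        self.T = expiry_T                     # knowledge expiry interval T, in seconds
        self.kb = {}                          # (host, plugin_id) -> KBEntry
        self.scans = 0                        # scans launched so far (exposed for checking)

    def initialize(self, hosts, now):
        """Start-up step B): empty the knowledge base, then scan every known target host."""
        self.kb.clear()
        for host in hosts:
            for plugin_id in sorted(set(self.plugin_library.values())):
                self._scan(host, plugin_id, now)

    def _scan(self, host, plugin_id, now):
        """Steps (6)/(7): run the plugin against the host and refresh the knowledge base.
        Negative results are stored too (assumption, see lead-in)."""
        self.scans += 1
        self.kb[(host, plugin_id)] = KBEntry(self.scanner(host, plugin_id), now)

    def _lookup(self, host, plugin_id, now):
        """Steps (3)/(4): a match only counts if the record is younger than T."""
        entry = self.kb.get((host, plugin_id))
        if entry is None or now - entry.stamp > self.T:
            return None
        return entry

    def correlate(self, alert, now):
        """Returns 'alert' (correlation succeeded), 'false_alarm' (failed) or 'unverified'."""
        cve = self.rule_base.get(alert["sig_id"])          # step (1)
        if cve is None:
            return "unverified"                             # no CVE for this signature (assumption)
        plugin_id = self.plugin_library.get(cve)            # step (2)
        if plugin_id is None:
            return "unverified"                             # no scanner plugin for this CVE (assumption)
        host = alert["dst"]
        entry = self._lookup(host, plugin_id, now)          # steps (3)/(4)
        if entry is None:                                   # no match or expired: steps (6)/(7)
            self._scan(host, plugin_id, now)
            entry = self._lookup(host, plugin_id, now)      # step (8): match again
        return "alert" if entry.present else "false_alarm"  # step (5) / step (8) outcome


def make_demo_correlator():
    """Constructed rule base, plugin library and scanner ground truth for a demonstration."""
    rule_base = {1001: "CVE-0000-0001", 1002: "CVE-0000-0002"}       # placeholder CVE ids
    plugin_library = {"CVE-0000-0001": "plugin_unix_ftp",
                      "CVE-0000-0002": "plugin_win_iis"}
    # constructed ground truth standing in for the scanner: one Unix host, one Windows host
    truth = {("10.0.0.20", "plugin_unix_ftp"): True,
             ("10.0.0.30", "plugin_win_iis"): True}
    scanner = lambda host, plugin_id: truth.get((host, plugin_id), False)
    return Correlator(rule_base, plugin_library, scanner, expiry_T=3600.0)


if __name__ == "__main__":
    c = make_demo_correlator()
    c.initialize(["10.0.0.20", "10.0.0.30"], now=0.0)
    # a Unix-only signature seen against the Windows host is the Table 2 false-alarm case
    print(c.correlate({"sig_id": 1001, "dst": "10.0.0.20"}, now=1.0),
          c.correlate({"sig_id": 1001, "dst": "10.0.0.30"}, now=1.0), "scans:", c.scans)
```

A practical caveat the flow implies: every unmatched or expired entry launches a scan of the target host, so an attacker who can generate alerts can also drive scanning; keeping negative results for T, as above, bounds that to one scan per (host, plugin) per interval.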
The network intrusion detection system with a second-level decision kernel and its alert optimization method of the present invention are not only feasible in theory; experimental verification has also given satisfactory results, briefly described below.
Experimental environment: a 100M shared local area network (LAN), with the experimental tasks carried by 5 hosts: two hosts each run one detection engine (first-level decision kernel), one host runs the management console, one host runs the second-level decision kernel and doubles as the alert database server, and one runs the test tool software. The detailed configuration is as follows:
■ the detection engines run on the hosts 192.168.1.175 and 192.168.1.217, RedHat Linux 7.2 operating system, Pentium IV 1G CPU, 512M memory;
■ the second-level decision kernel and the alert database server run on the host 192.168.1.136, RedHat Linux 9.0 operating system, Pentium IV 1G CPU, 512M memory;
■ the attack test software (Nmap, Packet Sender, snot, etc.) runs on the host 192.168.1.219, RedHat Linux 7.2 operating system, Pentium III 700 CPU, 512M memory;
■ the management console runs on the host 192.168.1.124, Windows 2000 Professional operating system, Pentium III 700 CPU, 512M memory.
Experiment 1:
To test the actual processing effect of the filter algorithm in the second-level decision kernel, we simulated local repeated alerts and local flooding alerts respectively in the following ways:
1) use the NMAP scanner to run a scan of a particular type against a host, producing a large number of packets of the same type in a short time and causing the detection engine to emit local repeated alerts;
2) use the self-developed packet-sending tool Packet Sender to send a specified number of packets carrying an attack signature to a host, simulating the local repeated alert situation;
3) use snot as the attack tool to launch a DoS attack against the detection engine, sending a large number of packets with different attack signatures in a short time and causing the detection engine to emit a local alert flood.
Using the attack simulation methods above, we tested the network intrusion detection engine before and after the introduction of the second-level decision kernel and examined the alert state, to verify the filtering effect of the second-level decision kernel on the two situations above.
The experimental results are shown in Table 1:
Test scene | Alert state before the introduction | Alert state after the introduction
UDP scan of host 192.168.1.124 with Nmap (the -sU option) | 344 "port unreachable" alerts produced within 7 seconds, severely affecting the console | Only one alert message, indicating that local repeated alerts have occurred; the ICMP notification messages that caused the alert can be inspected in detail
200 land-attack packets sent with Packet Sender, each with identical source and destination address and port | 168 land-attack alert messages produced; the alert view of the management console fills the whole screen with repeated alerts | Only 1 consolidated alert message, indicating that local repeated alerts have occurred; the details of all packets that caused the alert can be inspected further
200 packets with different attack signatures sent back to back by snot, using the snort 1.8.6 rule file as its input | 176 different alert messages appear within 1 second; the alert view of the management console fills the whole screen at once | 10 alert messages in total, the last of which indicates that a local alert flood has occurred; the details of all packets that caused the alerts can be inspected further
Table 1 Comparison before and after the introduction of the second-level decision kernel
Because the attack packets in the different test scenes were all sent within a short, concentrated period (under 30 seconds), which also reflects the common real-world conditions under which local repeated and local flooding alerts arise, the filtering effect of the filter algorithm in the second-level decision kernel is excellent: without omitting the detection of any attack information, it condenses and merges local repeated alerts, local flooding alerts and the associated processing information, which greatly improves the robustness of the detection engine itself and its friendliness and ease of use for the system administrator; the detection effect is markedly improved.
Experiment 2:
Using the Nessus scanner, a series of attack patterns aimed at Unix systems was selected and used to launch scanning attacks against a host running a Windows system, and a series aimed at Windows systems was selected and used to launch scanning attacks against a host running a Unix system, to check the false alarm filtering effect of the correlation technique.
For the two different test scenes, the experimental results are shown in Table 2:
Scene | Attacks launched | Target platform | Before: alerts | Before: false alarms | After: alerts | After: false alarms
Test 1 | 8 Unix attacks | Windows 2000 | 8 | 8 | 0 | 0
Test 2 | 8 Windows attacks | Red Hat Linux 7.2 | 8 | 8 | 0 | 0
As can be seen, for intrusion alerts that appear in incorrect contextual information, the correlation technique deployed in the second-level decision kernel filters very well and avoids a considerable number of false alarms.
Experiment 3:
To measure the alert delay introduced by the second-level decision kernel, we first synchronized the system clocks of the detection engine and the second-level decision kernel with a clock synchronization tool; the detection engine then records the start time when it sends the original alert, the end time is recorded when the second-level decision kernel sends the real alert notification, and the difference between the two is the delay. The experiment was run under both normal network load and full load; Packet Sender was used to send packets to simulate the fully loaded network.
Ten groups of data were measured for each scene and the mean computed; the experimental results are shown in Table 3:
Experiment no. | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Mean (seconds)
Normal load (seconds) | 1 | 0.5 | 1 | 1 | 1 | 0.5 | 1 | 1 | 0.5 | 1 | 0.85
Full load (seconds) | 1 | 1 | 1 | 0.5 | 1 | 1 | 1 | 1 | 1 | 0.5 | 0.9
Table 3 Alert delay
The mean alert delay under both network load states is below 1 second, which essentially causes no real-time problem for system alerting.
The experimental results above show that the network intrusion detection system with a second-level decision kernel that we propose, and its alert optimization method, can effectively reduce false alarms and alert floods, greatly improving the practicality of network intrusion detection systems.
The present invention has been described above in conjunction with embodiments, but its specific implementation forms are obviously not limited to these. For those skilled in the art, the various obvious changes made to it without departing from the spirit of the method of the invention and the scope of the claims all fall within the protection scope of the present invention.

Claims (8)

1. A network intrusion detection system comprising a data source, an alert database and a management console, characterized in that:
the network intrusion detection system has a two-level decision kernel, wherein the first-level decision kernel is connected to the data source and its results flow to the second-level decision kernel, and the second-level decision kernel is connected to the alert database;
the first-level decision kernel is the decision kernel that filters the original alert data in the data source with the alert filter algorithm based on the alert buffer pool;
the second-level decision kernel is the decision kernel that uses the correlation technique and the knowledge base to correlate and analyse the filtered alert data, thereby rejecting false alarm data, and that uses the vulnerability scanning technique to maintain and update the knowledge base in time.
2. The network intrusion detection system of claim 1, characterized in that:
the first-level and second-level decision kernels are distributed on different hosts and communicate with each other through alert agents.
3. The network intrusion detection system of claim 2, characterized in that:
the alert agent of the first-level decision kernel is implemented as an independent process, and alert messages are passed between this process and the network intrusion detection process on the host of that decision kernel by means of shared memory.
4. The network intrusion detection system of claim 1, characterized in that:
the second-level decision kernel is divided into a communication module, a main control module, a decision module and an output module, and the decision module is divided into a filter, an analyser, a correlator and a knowledge base; the detection system further has a detection engine and a vulnerability scanner; the detection engine connects to the communication module; the communication module sends data through the filter and the analyser to the correlator; the vulnerability scanner also sends data to the correlator by way of the knowledge base; the correlator sends the optimized alert data to the output module; and the output module sends data to the management console and the alert database.
5. An alert optimization method, implemented on the network intrusion detection system of claim 1, characterized in that it comprises the steps of:
a) filtering the original alert data with the alert filter algorithm based on the alert buffer pool, filtering out repeated and flooding alert data;
b) correlating and analysing the filtered alert data with the knowledge base using the correlation technique, thereby rejecting the false alarm data caused by a mismatch between the intrusion and its context, and maintaining and updating the knowledge base in time with the vulnerability scanning technique.
6. The alert optimization method of claim 5, characterized in that:
step a) comprises the following substeps:
(1) start;
(2) acquire the mutex;
(3) whether in the special processing state;
(4) if so, having entered the special processing state for alert floods, release the mutex and end; if not, match the alert message against the information in the alert pool and go to step (5);
(5) whether there is a repeated alert;
(6) if so, perform repeated-alert handling and go to step (7); if not, go directly to step (7);
(7) write the alert data into the alert pool;
(8) whether there is an alert flood;
(9) if so, send a report to the console, reset the timeout timer and go to step (10); if not, go directly to step (11);
(10) enter the special processing state for alert floods;
(11) release the mutex;
(12) end.
7. The alert optimization method of claim 5, characterized in that:
step b) comprises the following substeps:
(1) look up the intrusion rule base by the alert message and find the Common Vulnerabilities and Exposures value corresponding to the alert;
(2) look up the vulnerability-scanning plugin library by the Common Vulnerabilities and Exposures value and find the corresponding scanner plugin identifier;
(3) search the knowledge base and match the associated scanner plugin identifier;
(4) whether it matches and is not expired;
(5) if it matches and the knowledge base entry is not expired, the correlation succeeds: output the alert and end; if it matches but the entry is expired, or it does not match, go to step (6);
(6) initiate a scan of the target machine with the associated scanner plugin identifier;
(7) refresh the knowledge base with the scan result;
(8) go to step (3) and match the scanner plugin identifier again; if it matches, the correlation succeeds, otherwise the correlation fails.
8. The alert optimization method of claim 5, characterized in that:
in step b), the update process of the knowledge base comprises the steps of:
(1) defining a knowledge expiry interval;
(2) at system start-up, first emptying the knowledge base, then performing one vulnerability scan of the target machines already recorded in the knowledge base and initializing the knowledge base with the scan results;
(3) when, during a correlation, no matching entry can be found in the knowledge base, or a match is found but the timestamp of the entry exceeds the expiry interval, initiating a new scan and refreshing the knowledge base with the scan results.
CNB2004100093515A 2004-07-16 2004-07-16 Network invading detection system with two-level decision structure and its alarm optimization method Expired - Fee Related CN100372296C (en)

Publications (2)

Publication Number Publication Date
CN1694411A CN1694411A (en) 2005-11-09
CN100372296C true CN100372296C (en) 2008-02-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080227

Termination date: 20120716