CN101309274B - Mixed structure invasion detection system rule base establishing method - Google Patents


Info

Publication number: CN101309274B
Authority: CN (China)
Prior art keywords: rule, ipv6, ipv4, packet, feature
Legal status: Expired - Fee Related
Application number: CN2008101243768A
Other languages: Chinese (zh)
Other versions: CN101309274A (en)
Inventors: 孙知信, 喻勇
Current assignee: Nanjing Post and Telecommunication University (Nanjing University of Posts and Telecommunications)
Original assignee: Nanjing Post and Telecommunication University

Events:
Application filed by Nanjing Post and Telecommunication University
Priority to CN2008101243768A
Publication of CN101309274A
Application granted
Publication of CN101309274B
Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed is a rule base creation method for a hybrid-architecture intrusion detection system. The method proposes a data packet identification mechanism whose purpose is to identify the type of a data packet and start the corresponding rule base (IPv4 or IPv6) for feature identification. The identification method of the mechanism is based on the features of data packets in a hybrid IPv4 and IPv6 environment, and analyzes the features of the corresponding packets under different network communication modes and different situations. The method of constructing the IPv4 feature base and the IPv6 feature base, and the aspects that need to be considered, are basically the same as in the traditional method; the invention gives particular attention to the characteristics of IPv6 packets and to the new behavioral features that IPv6 features bring. As for the organizational form of the rules, the method only provides the process of identifying intrusion features with rules under the IPv6 condition.

Description

Mixed structure invasion detection system rule base establishing method
Technical field
The present invention proposes a rule base establishing method for an intrusion detection system under a mixed architecture of IPv6 (IP protocol version 6) and IPv4 (IP protocol version 4), together with a method and process for carrying out intrusion detection with this rule base. For a long period in the future, IPv6 and IPv4 will coexist; this coexistence is handled by different transition strategies, and correspondingly an intrusion detection system matching such a complex network environment is required. It is therefore necessary to establish an intrusion detection system rule base suited to this kind of environment.
Background technology
IPv6 is the most important upgrade in the history of network technology, and this upgrade will have a far-reaching influence on networks. Present intrusion detection systems (Intrusion Detection System, IDS) based on IPv4 are already widely applied. Although IPv6 represents the direction of network development, objective conditions mean that the coexistence of IPv6 and IPv4 will continue for several years, so the security problems of their coexistence must also be considered. With the rapid development of IPv6 application technology, intrusion techniques under the IPv6 environment are growing correspondingly fast, and intrusion detection research under IPv6 has attracted the common concern of security experts at home and abroad. How to guard against intrusions and ensure the normal operation of the network under IPv6 and IPv4/IPv6 coexistence environments has become a real problem that urgently needs to be resolved. The rule base is an important component of an intrusion detection system, and on this basis this patent proposes the establishment and implementation of the IDS rule base under the new transitional environment.
At present there are four main schemes of transition technology from IPv4 to IPv6: tunneling, dual stack, address and protocol conversion, and MPLS-based transition technology.
1) Tunneling (tunneling). Tunneling is a mechanism often used in the IPv4/IPv6 transition. In the early stage of development there will be many pure IPv6 networks, isolated from each other by the IPv4 backbone network. Tunneling uses the existing IPv4 Internet to connect these isolated IPv6 sites, progressively enlarging the scope of deployment. The working mechanism of tunneling is as follows: at the tunnel entry between the IPv6 network and the IPv4 network, the router encapsulates the IPv6 packet in IPv4, with the source and destination addresses of the IPv4 packet being the IPv4 addresses of the tunnel entry and the tunnel exit respectively; at the tunnel exit, the IPv6 packet is extracted again and forwarded to the destination node. Tunneling cleverly uses the existing IPv4 network to provide an effective means of communication for separated IPv6 subnets. IPv4/IPv6 tunneling mainly includes manually configured tunnels and automatically configured tunnels. Because tunneling can make full use of the existing network investment, it is a simple and convenient choice in the initial stage of the transition.
2) Dual stack (dual stack)
Dual stack means that a network node has both an IPv6 and an IPv4 protocol stack at the same time, so that it can receive, process and send both IPv6 packets and IPv4 packets. For a host, dual stack means that it can apply IPv4 encapsulation or IPv6 encapsulation, as required, to the data produced by the upper-layer protocol. It operates as follows: if the destination address used by the application is an IPv4 address, IPv4 is used for encapsulation; if the destination address used by the application is an IPv4-compatible address within IPv6, IPv4 is likewise used; if the destination address used by the application is an IPv6 address that is not IPv4-compatible, IPv6 is used for encapsulation, and a mechanism such as a tunnel will probably be needed for routing; if the application uses a domain name as the destination, the corresponding IPv4/IPv6 address is first obtained from the DNS server, and the packet is then handled according to the kind of address. For a router, dual stack means maintaining both IPv4 and IPv6 routing protocol stacks in one router device, so that the router can communicate with both IPv4 hosts and IPv6 hosts; it supports independent IPv4 and IPv6 routing protocols, computes IPv4 and IPv6 routing information according to the respective routing protocols, and maintains two different routing tables. IPv6 datagrams are forwarded according to the routing table obtained by the IPv6 routing protocol, and IPv4 datagrams according to the routing table obtained by the IPv4 routing protocol.
3) Network address translation - protocol translation
Network address translation - protocol translation (NAT-PT, network address translation-protocol translation) comprises two parts: network address translation and protocol translation. Address translation means using a NAT gateway to convert the addresses of one kind of IP network into the addresses of another kind, which allows the internal network to use a group of reserved addresses that are not used on the public network. With this technique the IPv6 network can be regarded as an independent, closed local area network, which needs an address translator to carry out address translation. When an internal host sends a packet outward, its internal IP address is translated into an external public address; when the external network replies, the public address is translated back into the address of the internal network. Protocol translation means modifying the packet header according to the differences between IPv6 and IPv4 so that it meets the format requirements of both networks; because the network-layer protocol changes, corresponding modifications must also be made to the upper-layer TCP (transport control protocol), UDP (user datagram protocol) and ICMP (Internet Control Message Protocol) packets. NAT-PT, which combines the network address translation mechanism with the protocol translation mechanism, achieves interworking between IPv6 and IPv4 by converting protocols and addresses.
Summary of the invention
Technical problem: the objective of the invention is to propose a rule base establishing method for a mixed-structure intrusion detection system, solving how to identify particular data packets under different network environments so that the related data information can be extracted, how to construct different rules to meet the needs of different protocols, and how to store the rules.
Technical scheme: the mixed-structure intrusion detection system rule base establishing method of the present invention comprises the following five parts:
A. Analyze the type of protocol used and the method of extracting the protocol data:
For a given packet, the steps for analyzing its protocol type are:
A1. Receive a packet and decide the datagram type from its first four bits, the version field: if the value of the first four bits is 6, the packet is an IPv6 packet; extract the relevant IPv6 protocol data for rule matching, and the judgement ends. If the value of the first four bits is 4, the packet is an IPv4 packet; proceed to the next judgement.
A2. If the "protocol" field of the IPv4 packet is 41, the payload of this datagram is an IPv6 packet; extract the relevant IPv6 protocol data for rule matching, and the judgement ends.
A3. If the "protocol" field of the IPv4 packet is not 41, the packet is an ordinary IPv4 packet; extract the relevant IPv4 protocol data for rule matching, and the judgement ends.
B. Construct rule bases adapted to different features:
B1. IPv4 feature base process:
B11. obtain the IPv4 packet,
B12. extract the IPv4 packet header information,
B13. collect statistics on behavioral features,
B14. look for illegal, abnormal or suspicious information, and check whether this rule already exists in the rule base,
B15. choose a suitable combination of the information obtained in the previous step and build it into a feature,
B16. add the feature to the IPv4 part of the rule base;
B2. IPv6 feature base process:
B21. obtain the packet and collect statistics on its header information,
B22. extract the IPv6 packet header information and check the behavioral features,
B23. look for illegal, abnormal or suspicious information, and check whether it exists in the rule base,
B24. if it does not exist, choose a suitable combination of the information obtained in the previous step and build it into a new feature,
B25. add the new feature to the IPv6 part of the rule base;
C. The organizational form of the rules, and the process of identifying intrusions with the rules:
C1. Organizational form of the rules:
The rules are held in memory in the form of a "Hash two-dimensional linked list";
C2. The process of building the Hash two-dimensional linked list:
C21. initialize the Hash table so that all its entries are set to empty, go to step C22,
C22. judge whether all rules have been read into memory; if so, go to step C27; otherwise go to step C23,
C23. read a rule from the rule base and compute its hash value; if the corresponding hash table entry is empty, insert the rule into that entry as a vertical linked list and go to step C22; otherwise go to step C24,
C24. traverse the corresponding horizontal linked list looking for a head node identical to that of the rule being inserted; if found, go to step C25; otherwise go to step C26,
C25. traverse the corresponding vertical linked list looking for an ordinary node whose priority is lower than that of the rule option being inserted; if found, insert the rule option before it; otherwise insert it after the tail node of the vertical linked list; go to step C22,
C26. traverse the horizontal linked list looking for a head node whose priority is lower than that of the rule being inserted; if found, insert the rule before it as a vertical linked list; otherwise insert it after the tail node of the horizontal linked list; go to step C22,
C27. finish;
D. Matching process
D1. obtain the packet to be matched;
D2. extract the features of the packet to be matched and compute its hash value;
D3. find the Hash table entry and traverse the horizontal rule linked list looking for a matching head node; if found, traverse the corresponding horizontal linked list looking for a head node identical to that of the rule being inserted; otherwise traverse the horizontal linked list looking for a head node whose priority is lower than that of the rule being inserted; if found, insert the rule before it as a vertical linked list; otherwise insert it after the tail node of the horizontal linked list;
D4. traverse the vertical rule linked list looking for a matching rule option; if found, traverse the corresponding vertical linked list looking for an ordinary node whose priority is lower than that of the rule option being inserted, and if one is found insert the rule option before it, otherwise insert it after the tail node of the vertical linked list; if no matching rule option is found, traverse the horizontal linked list looking for a head node whose priority is lower than that of the rule being inserted;
D5. finish this match and continue obtaining other packets to be matched, until all rules have been read into memory and matching finishes;
E. Adding rules and adjusting priority
The real-time priority adjustment process is as follows:
If the priority to be adjusted is that of a head node, delete this head node together with its whole corresponding vertical linked list from the Hash two-dimensional linked list and store it in a temporary variable, raise the priority of the head node, and call the add-rule function to add this vertical linked list back into the Hash two-dimensional linked list.
Beneficial effect: using the method provided by the present invention, a rule base for an intrusion detection system can be established under a network environment in which IPv6 and IPv4 coexist for a long time, so an intrusion detection system rule base can be established effectively in a comparatively complex mixed network environment. The invention provides a packet protocol type identification mechanism based on protocol data features, a rule base construction method for rule bases of different protocol types, the Hash two-dimensional linked list organizational form of the rule base, and a process model expressing how the rule base is used to identify intrusion features.
Description of drawings
Fig. 1: the process of identifying features with rules,
Fig. 2: the method and process of analyzing the protocol type used,
Fig. 3: the process of constructing the IPv4 rule base,
Fig. 4: the process of constructing the IPv6 rule base,
Fig. 5: logic diagram of the Hash two-dimensional linked list rule-chain organizational form,
Fig. 6: the process of building the Hash two-dimensional linked list,
Fig. 7: the process of identifying intrusion features with the rule base.
Embodiment
For a long period in the future IPv6 and IPv4 will coexist, and this coexistence can be handled by different strategies; therefore an intrusion detection system rule base suited to this kind of environment must be established.
1) Establish a packet identification mechanism. The purpose of this mechanism is to identify the packet type so that the corresponding rule base (IPv4 or IPv6) can be started for feature identification. Its identification method is based on the features of packets in a mixed IPv4 and IPv6 architecture, analyzing the features of the corresponding packets case by case under different network communication modes.
2) Establish a complete feature rule base, which includes both traditional IPv4 features and IPv6 features.
The method of constructing the IPv4 feature base and the IPv6 feature base, and the aspects to be considered, are basically the same as the traditional ones; here the emphasis is only on the characteristics of IPv6 packets and the new behavioral features brought by IPv6 features.
3) Organizational form of the rules. Fig. 4 gives the logic diagram of the Hash two-dimensional linked list rule-chain organizational form based on IPv6; the organizational form of the IPv4 rule chain is similar to the IPv6 case, and only the IPv6 case is given here.
The rule base is stored on the hard disk in the form of a file; at system start-up, the rules are read from it and saved in memory. In memory a rule is divided into two parts: the rule head and the rule options. The rule head contains only some general information, such as the source and destination IPv6 addresses, the source and destination port numbers, and the priority; it also contains a horizontal pointer to the next rule head and a vertical pointer to the rule options. A rule option contains more detailed information, such as TCP flags, ICMP code/type, payload content and priority, and also a pointer to the next rule option. The rule head and the rule options have the same priority. The rule head serves as the head node of a vertical linked list, and the rule options as the ordinary (non-head) nodes of that vertical linked list. The rules are held in memory in the form of a "Hash two-dimensional linked list", whose logical structure is shown in Fig. 4.
The building process of the Hash two-dimensional linked list is shown in Fig. 5; adding rules and adjusting priority are similar to the building process. The detection process is as follows:
(1) obtain the packet to be detected, go to (2);
(2) extract the features of the packet to be detected and compute its hash value, go to (3);
(3) find the Hash table entry and traverse the horizontal rule linked list looking for a matching head node; if found, go to (4), otherwise go to (6);
(4) traverse the vertical rule linked list looking for a matching rule option; if found, go to (5), otherwise go to (6);
(5) matched: finish this detection, go to (1);
(6) finish this detection, go to (1).
The building process of the Hash two-dimensional linked list, adding rules and adjusting priority, and the detection process are all described in more detail in the embodiment section.
4) The process of using these rules to identify intrusion features. To briefly explain how rules are used for intrusion rule identification, we establish the following intrusion feature rule base and attack method detection design model.
1. Establishing the packet identification mechanism
Since the first four bits of both IPv6 and IPv4 packets are the version field, it seems easy to identify from them whether a packet uses the IPv4 or the IPv6 protocol. However, because of the restrictions of the current network environment, the implementation techniques of IPv6 make this judgement alone insufficient. For example, when tunneling is used, an end-to-end IPv6 service needs a tunnel across the IPv4 network: the IPv6 packet is encapsulated in the payload of an IPv4 packet, and at the node at the other end of the tunnel the IPv6 packet is stripped out of the IPv4 packet and sent on to the destination node. Therefore we propose a strategy for identifying the type of a received packet, rather than simply labelling a packet as IPv6 or IPv4, using different methods according to the network environment. Each method is described in detail below:
Tunneling: the core idea of tunneling is to encapsulate IPv6 datagrams in IPv4 datagrams, making the existing IPv4 network the carrier for IPv6 communication. When the router encapsulates an IPv6 datagram in IPv4, it sets the "protocol" field of the IPv4 datagram header to 41, indicating that the payload of this packet is an IPv6 packet; on this basis it can be determined whether tunneling is used.
Dual stack: when an IPv6 packet is received, the IPv6 protocol rule base can be used; but when an IPv4 packet is received, it must be considered whether tunneling has been used, and the protocol data extraction method for tunneling proposed above can be applied.
Network address translation - protocol translation: this method is suited to communication between pure IPv4 and IPv6, so the protocol type can be determined from the NAT-PT features and the packet header features.
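The decision of steps A1 to A3 (version field first, then the IPv4 "protocol" field 41 for IPv6-in-IPv4 tunnels) worked through in Python as an added example; this is not code from the patent. The packet builders, the keys of the returned dictionaries and the sample packets are constructed here; NAT-PT traffic is not handled because the text gives no concrete header test for it.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPV6 = 41   # IPv4 "protocol" value that marks an encapsulated IPv6 packet (step A2)


def _reject(reason: str) -> dict:
    """Verdict for a malformed packet: no rule base is started, the reason is kept for logging."""
    return {"rulebase": None, "reason": reason}


def parse_ipv6_header(buf: bytes):
    """Fields the text lists for IPv6 rules; None when buf is not a complete IPv6 header."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    return {"payload_len": struct.unpack("!H", buf[4:6])[0], "next_header": buf[6],
            "hop_limit": buf[7], "src": str(IPv6Address(buf[8:24])), "dst": str(IPv6Address(buf[24:40]))}


def classify_packet(raw: bytes) -> dict:
    """Steps A1-A3: choose the rule base ("ipv6", "ipv4", or None) and extract the data to match on."""
    version = raw[0] >> 4 if raw else None          # A1: the first four bits are the version field
    if version == 6:
        inner = parse_ipv6_header(raw)
        return {"rulebase": "ipv6", "tunnelled": False, **inner} if inner else _reject("truncated IPv6 header")
    if version != 4:
        return _reject(f"unsupported IP version {version}")
    ihl = (raw[0] & 0x0F) * 4                       # header length in bytes; options make it > 20
    if ihl < 20 or len(raw) < ihl:
        return _reject("truncated IPv4 header")
    outer = {"outer_src": str(IPv4Address(raw[12:16])), "outer_dst": str(IPv4Address(raw[16:20]))}
    if raw[9] == IPPROTO_IPV6:                      # A2: protocol 41, the payload is an IPv6 packet
        inner = parse_ipv6_header(raw[ihl:])
        if inner is None:
            return _reject("protocol 41 but the payload is not an IPv6 header")
        return {"rulebase": "ipv6", "tunnelled": True, **outer, **inner}
    return {"rulebase": "ipv4", "tunnelled": False, "proto": raw[9],   # A3: ordinary IPv4 packet
            "src": outer["outer_src"], "dst": outer["outer_dst"], "payload": raw[ihl:]}


# Constructed sample packets (checksums left at zero; the classifier does not verify them).
def build_ipv4(proto: int, src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + options + payload


def build_ipv6(next_header: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      IPv6Address(src).packed, IPv6Address(dst).packed)
    return hdr + payload


INNER_V6 = build_ipv6(58, "2001:db8::1", "2001:db8::2", b"icmpv6")
SAMPLES = {
    "native_v4": build_ipv4(6, "192.0.2.10", "192.0.2.20", b"tcp-segment"),
    "native_v6": build_ipv6(6, "2001:db8::1", "2001:db8::2", b"tcp-segment"),
    "tunnel_6in4": build_ipv4(41, "198.51.100.1", "198.51.100.2", INNER_V6),
    # same tunnel behind a 4-byte NOP option run, so IHL is 6 and the inner header starts at 24
    "tunnel_with_options": build_ipv4(41, "198.51.100.1", "198.51.100.2", INNER_V6, options=b"\x01" * 4),
    # protocol 41 but the payload is not an IPv6 header: must not start the IPv6 rule base
    "bad_tunnel": build_ipv4(41, "198.51.100.1", "198.51.100.2", b"\x45" + b"\x00" * 39),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_packet(pkt))
```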
2. Constructing the feature base
The IPv4 feature base
The process of constructing the feature base can be divided into the following steps:
1). obtain the IPv4 packet
2). extract the IPv4 packet header information
3). collect statistics on behavioral features
4). look for illegal, abnormal or suspicious information, and check whether this rule already exists in the rule base
5). choose a suitable combination of the information obtained in the previous step and build it into a feature (too many or too few are both bad; the criterion is higher efficiency and reasonable resource consumption)
6). add the feature to the rule base (IPv4 part)
The process of constructing the IPv4 feature base is shown in Fig. 4.
Traditional IPv4 feature rules are established mainly on the basis of header values and, on the other hand, on the behavioral features of the data. Because header values are relatively simple in structure and abnormal header information can be identified very clearly, they are the main reference item for features. The rule base is established by collecting the header value features of packets that carry attack signatures and defining rules from them. The process is similar to the construction of the IPv6 feature base below.
The IPv6 feature base
The process of constructing the IPv6 feature base can be divided into the following steps:
1). obtain the packet
2). extract the IPv6 packet header information and check the behavioral features; the header information mainly comprises the following:
Version number (4 bit), priority (4 bit)
Flow identifier (24 bit)
Data length (16 bit)
Next header (8 bit)
Hop limit (8 bit)
Source address (128 bit)
Destination address (128 bit)
3). look for illegal, abnormal or suspicious information, and check whether it exists in the rule base.
4). choose a suitable combination of the information obtained in the previous step and build it into a new feature.
5). add the feature to the rule base (IPv6 part).
3. Organizational form of the rules, and the process of identifying intrusions with the rules
● Organizational form of the rules
The rule base is stored on the hard disk in the form of a file; at system start-up, the rules are read from it and saved in memory. In memory a rule is divided into two parts: the rule head and the rule options. The rule head contains only some general information, such as the source and destination IPv6 addresses, the source and destination port numbers, and the priority; it also contains a horizontal pointer to the next rule head and a vertical pointer to the rule options. A rule option contains more detailed information, such as TCP flags, ICMP code/type, payload content and priority, and also a pointer to the next rule option. The rule head and the rule options have the same priority. The rule head serves as the head node of a vertical linked list, and the rule options as the ordinary (non-head) nodes of that vertical linked list. The rules are held in memory in the form of a "Hash two-dimensional linked list", whose logical structure is shown in Fig. 4.
● The process of building the Hash two-dimensional linked list
(1) Initialize the Hash table so that all its entries are set to empty. Go to (2).
(2) Judge whether all rules have been read into memory; if so, go to (7); otherwise go to (3).
(3) Read a rule from the rule base and compute its hash value (for example, the number of bits equal to 1 in the source IPv6 address can serve as the hash value); if the corresponding hash table entry is empty, insert the rule into that entry as a vertical linked list and go to (2); otherwise go to (4).
(4) Traverse the corresponding horizontal linked list looking for a head node identical to that of the rule being inserted. If found, go to (5); otherwise go to (6).
(5) Traverse the corresponding vertical linked list looking for an ordinary node whose priority is lower than that of the rule option being inserted; if found, insert the rule option before it; otherwise insert it after the tail node of the vertical linked list. Go to (2).
(6) Traverse the horizontal linked list looking for a head node whose priority is lower than that of the rule being inserted. If found, insert the rule before it as a vertical linked list. Otherwise insert it after the tail node of the horizontal linked list. Go to (2).
(7) Finish.
This process can also be represented by Fig. 5.
3) Adding rules and adjusting priority
The process of adding a rule is basically the same as the process above and is not repeated here. The priority of a rule is set or adjusted in real time by the administrator according to the specific situation of recent network operation. For example, if a certain attack has occurred frequently recently, the priority of the rule that detects it is raised, thereby improving detection efficiency.
The real-time priority adjustment process is as follows:
If the priority to be adjusted is that of a head node, delete the head node together with its whole corresponding vertical linked list from the Hash two-dimensional linked list and store it in a temporary variable, raise the priority of the head node, and call the add-rule function to add this vertical linked list back into the Hash two-dimensional linked list.
For a rule option, delete the rule entry to be adjusted from the Hash two-dimensional linked list, copy its corresponding rule head, store the rule option together with the backup of the rule head in a temporary rule, set the priority of the rule option, and call the add-rule function to add it back into the Hash two-dimensional linked list.
4) Matching process
(1) obtain the packet to be matched, go to (2);
(2) extract the features of the packet to be matched and compute its hash value, go to (3);
(3) find the Hash table entry and traverse the horizontal rule linked list looking for a matching head node; if found, go to (4), otherwise go to (6);
(4) traverse the vertical rule linked list looking for a matching rule option; if found, go to (5), otherwise go to (6);
(5) matched: finish this match, go to (1);
(6) finish this match, go to (1).
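The Hash two-dimensional linked list in Python as an added example serving the building steps (1) to (7), the matching steps (1) to (6) above and the head-node priority adjustment; this is not code from the patent. It assumes the number of 1 bits in the source IPv6 address as the hash (the option the text suggests), treats an unset rule field as a wildcard, lets option priorities differ from the head priority so that the ordering of step (5) is visible, and uses constructed rule names and sample rules.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

@dataclass
class RuleOption:
    name: str                                # label reported on a match (assumed field)
    priority: int
    tcp_flags: Optional[str] = None          # e.g. "S" for a bare SYN
    content: Optional[bytes] = None          # payload substring to search for
    next: Optional["RuleOption"] = None      # pointer to the next option (vertical list)

@dataclass
class RuleHead:
    src: str                                 # source IPv6 address, the hashed field
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    priority: int
    next_head: Optional["RuleHead"] = None   # horizontal pointer to the next head
    options: Optional[RuleOption] = None     # vertical pointer to the first option

    def key(self) -> tuple:
        return (self.src, self.dst, self.sport, self.dport)

def rule_hash(src: str) -> int:
    """Step (3): the number of 1 bits in the source IPv6 address, so buckets 0..128."""
    return bin(int(IPv6Address(src))).count("1")

def _fits(rule_val, pkt_val) -> bool:        # None in a rule field is a wildcard (assumption)
    return rule_val is None or rule_val == pkt_val

class HashTwoDimTable:
    def __init__(self) -> None:
        self.buckets = [None] * 129          # step (1): every entry empty

    def add_rule(self, head: RuleHead, option: RuleOption) -> None:
        h, option.next = rule_hash(head.src), None
        cur = self.buckets[h]
        while cur is not None and cur.key() != head.key():   # step (4): identical head present?
            cur = cur.next_head
        if cur is not None:                                   # step (5): option before the first
            prev, node = None, cur.options                    # node of lower priority, else at tail
            while node is not None and node.priority >= option.priority:
                prev, node = node, node.next
            option.next = node
            if prev is None:
                cur.options = option
            else:
                prev.next = option
            return
        head.options = option                                 # steps (3)/(6): head before the first
        prev, node = None, self.buckets[h]                    # head of lower priority, else at tail
        while node is not None and node.priority >= head.priority:
            prev, node = node, node.next_head
        head.next_head = node
        if prev is None:
            self.buckets[h] = head
        else:
            prev.next_head = head

    def match(self, pkt: dict) -> Optional[str]:
        """Matching steps (1)-(6): hash, horizontal search for a head, vertical search for an option."""
        cur = self.buckets[rule_hash(pkt["src"])]             # step (2)
        while cur is not None and not (cur.src == pkt["src"] and _fits(cur.dst, pkt["dst"])
                                       and _fits(cur.sport, pkt["sport"]) and _fits(cur.dport, pkt["dport"])):
            cur = cur.next_head                               # step (3): first matching head
        opt = cur.options if cur is not None else None        # no head matched -> step (6)
        while opt is not None:                                # step (4): first matching option
            if _fits(opt.tcp_flags, pkt.get("flags")) and (opt.content is None or opt.content in pkt.get("payload", b"")):
                return opt.name                               # step (5): matched
            opt = opt.next
        return None                                           # step (6): not matched

    def raise_head_priority(self, key: tuple, new_priority: int) -> "HashTwoDimTable":
        """Adjust a head node: unlink it with its whole vertical list, hold it temporarily, re-add."""
        h = rule_hash(key[0])
        prev, cur = None, self.buckets[h]
        while cur is not None and cur.key() != key:
            prev, cur = cur, cur.next_head
        if cur is None:
            raise KeyError("no rule head with that key")
        if prev is None:
            self.buckets[h] = cur.next_head
        else:
            prev.next_head = cur.next_head
        saved, cur.options, cur.priority = cur.options, None, new_priority   # temporary variable
        while saved is not None:
            nxt = saved.next
            self.add_rule(cur, saved)    # first call re-links the head, later calls add its options
            saved = nxt
        return self

def demo_table() -> HashTwoDimTable:
    """Constructed sample rule base: three rules with the same source address share bucket 10."""
    t = HashTwoDimTable()
    web = ("2001:db8::1", None, None, 80)
    t.add_rule(RuleHead(*web, priority=5), RuleOption("web-admin-probe", 5, content=b"/admin"))
    t.add_rule(RuleHead("2001:db8::1", None, None, 22, priority=9), RuleOption("ssh-syn-scan", 9, tcp_flags="S"))
    t.add_rule(RuleHead(*web, priority=5), RuleOption("web-traversal", 7, content=b"../"))
    return t
```

As in step (3) of the matching process, only the first head node that matches is examined, so a packet whose head matches but whose options do not is reported as unmatched even if a later head in the same bucket would have matched.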
4. The process of using this rule base to identify intrusion features
To briefly explain how rules are used for intrusion rule identification, we establish the following intrusion feature rule base and attack method detection design model.
The intrusion detection system under the IPv4 and IPv6 mixed architecture environment uses a flexible rule language to describe network datagrams, so it can respond quickly to attacks. A series of related rules are organized into an intrusion feature rule base, and with this feature base as the basis, protocol analysis and content search matching are performed on the messages intercepted by the intrusion detection system in order to detect various attacks and probes. The feature detection structure is as shown below and consists of the following five major parts: 1. the feature rule database, used to store and manage intrusion feature rules; 2. rule set processing, used to analyze the messages captured by the system and perform content search matching against the feature rule base, thereby detecting various attack and probe behaviors; 3. the visual management console, which displays intrusion attack alert information in real time, classifies and counts the alerts, and provides the administrator with detailed and intuitive monitoring information; 4. the rule management module, which can design and modify rules and update the database so that new attack behaviors can be detected; 5. the comprehensive attack platform, which integrates multiple attack tools and is used to simulate an attacker attacking a target test machine.
The intrusion detection is carried out by a rule-set-based intrusion detection system. Through visual processing of the rules, the intrusion detection rules can be maintained, updated and modified easily. A Web-based visual console controls the whole visualization process. The back-end management mainly completes the maintenance and management of the rules, such as reading in rules, modifying, deleting and adding rules according to the results of visual processing, and saving the final results; the visual processing completes the various maintenance and processing operations on the rules, such as viewing the rules of a certain type and adding, deleting or changing the rules of a certain type. Intrusion detection is configured visually, setting the options and the paths of the libraries used; the rule configuration of intrusion detection is operated visually, with rules classified, edited, generated, deleted and queried; the operation of intrusion detection is controlled, so that it can be made to load a new rule set or restart; and the output database options of intrusion detection are configured.
The intrusion feature rule base and attack method detection design model are shown in Fig. 6.

Claims (1)

1. A method for establishing the rule base of an intrusion detection system for a mixed architecture, characterized in that the method comprises the following five parts:
A. Analyzing the type of protocol used and the method of extracting protocol data:
For a given packet, the steps for analyzing its protocol type are:
A1. Receive a packet and decide its type from the four-bit version field at the start of the packet: if the first four bits have the value 6, the packet is an IPv6 packet; extract the relevant IPv6 protocol data for rule matching and the decision is complete. If the first four bits have the value 4, the packet is an IPv4 packet; proceed to the next step;
A2. If the "Protocol" field of the IPv4 packet is 41, the payload of this packet is an IPv6 packet; extract the relevant IPv6 protocol data for rule matching and the decision is complete;
A3. If the "Protocol" field of the IPv4 packet is not 41, the packet is an ordinary IPv4 packet; extract the relevant IPv4 protocol data for rule matching and the decision is complete;
B. Constructing rule bases adapted to different features:
IPv4 feature library process:
B1. Obtain an IPv4 packet,
B2. Extract the IPv4 packet header information,
B3. Gather statistics on behavioural features,
B4. Look for illegal, abnormal or suspicious information and check whether the rule base already contains this rule,
B5. Choose a suitable combination of the information obtained in the previous step and build it into a feature,
B6. Add the feature to the IPv4 part of the rule base;
IPv6 feature library process:
B7. Obtain a packet and gather statistics on its header information,
B8. Extract the IPv6 packet header information and examine behavioural features,
B9. Look for illegal, abnormal or suspicious information and check whether it already exists in the rule base,
B10. If it does not exist, choose a suitable combination of the information obtained in the previous step and build it into a new feature,
B11. Add the new feature to the IPv6 part of the rule base;
C. The organizational form of the rules and the process of intrusion identification using the rules:
C1. Organizational form of the rules:
The rules are held in memory in the form of a "Hash two-dimensional linked list";
C2. The process of building the Hash two-dimensional linked list:
C21. Initialize the Hash table, setting all of its entries to empty, and go to step C22,
C22. Judge whether all rules have been read into memory; if so, go to step C27; otherwise go to step C23,
C23. Read one rule from the rule base and compute its hash value; if the corresponding hash table entry is empty, insert the rule into that entry as a vertical linked list and go to step C22; otherwise go to step C24,
C24. Traverse the corresponding horizontal linked list looking for a header node identical to that of the rule being inserted; if found, go to step C25; otherwise go to step C26,
C25. Traverse the corresponding vertical linked list looking for a node whose priority is lower than that of the rule option being inserted; if found, insert the rule option before it; otherwise insert it after the tail node of the vertical linked list; go to step C22,
C26. Traverse the horizontal linked list looking for a header node whose priority is lower than that of the rule being inserted; if found, insert the rule before it as a vertical linked list; otherwise insert it after the tail node of the horizontal linked list; go to step C22,
C27. Finish;
D. Matching process
D1. Obtain the packet to be matched;
D2. Extract the features of the packet to be detected and compute its hash value, then find the Hash table entry and traverse the horizontal rule linked list looking for a matching header node. If none is found, matching ends. If one is found, traverse the vertical rule linked list looking for a matching rule option; if one is found, the match succeeds and matching ends; if none is found, matching ends without a match;
E. Adding rules and adjusting priority
The real-time priority adjustment process is as follows:
If the priority to be adjusted is that of a header node, delete this header node and its entire corresponding vertical linked list from the Hash two-dimensional linked list and store them in a temporary variable, increase the priority of the header node, and call the rule-adding function to add this vertical linked list back into the Hash two-dimensional linked list.
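As an added illustration of part A (not code from the patent), the version-nibble and Protocol-41 decision applied to constructed IPv4, IPv6 and IPv6-in-IPv4 headers; the packet builders, the field set extracted for matching and the sample addresses are assumptions.

```python
# Added example, not the patent's own code: the protocol-type decision of part A
# (version nibble, then the IPv4 "Protocol" field) run over constructed packets.
# Packet builders and the field set extracted for matching are assumptions.
import ipaddress

IPV6_IN_IPV4 = 41   # IPv4 Protocol value for an encapsulated IPv6 packet (RFC 4213)

def classify_packet(raw: bytes):
    """Steps A1-A3: return (family, offset of the header that rule matching uses)."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    version = raw[0] >> 4                 # A1: the first four bits are the version field
    if version == 6:
        if len(raw) < 40:
            raise ValueError("truncated IPv6 header")
        return "ipv6", 0                  # native IPv6: match on the header at offset 0
    if version != 4:
        raise ValueError(f"unsupported IP version {version}")
    ihl = (raw[0] & 0x0F) * 4             # IPv4 header length in bytes
    if raw[9] == IPV6_IN_IPV4:            # A2: Protocol 41 means the payload is an IPv6 packet
        if len(raw) < ihl + 40 or raw[ihl] >> 4 != 6:
            raise ValueError("Protocol 41 but no IPv6 header in the payload")
        return "ipv6", ihl                # tunneled: match on the inner IPv6 header
    return "ipv4", 0                      # A3: ordinary IPv4 packet

def extract_fields(raw: bytes) -> dict:
    """Pull the header fields the matching stage needs, from the header chosen above."""
    family, off = classify_packet(raw)
    h = raw[off:]
    if family == "ipv6":
        return {"family": "ipv6", "next_header": h[6],
                "src": str(ipaddress.IPv6Address(h[8:24])), "dst": str(ipaddress.IPv6Address(h[24:40]))}
    return {"family": "ipv4", "protocol": h[9],
            "src": str(ipaddress.IPv4Address(h[12:16])), "dst": str(ipaddress.IPv4Address(h[16:20]))}

# Constructed sample packets (headers only, no checksums): plain IPv4, native IPv6,
# and IPv6 carried inside IPv4 with Protocol 41.
def ipv4_header(protocol, src, dst, payload_len=0):
    return (bytes([0x45, 0]) + (20 + payload_len).to_bytes(2, "big") + bytes(4)
            + bytes([64, protocol, 0, 0]) + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed)

def ipv6_header(next_header, src, dst, payload_len=0):
    return (bytes([0x60, 0, 0, 0]) + payload_len.to_bytes(2, "big") + bytes([next_header, 64])
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

PLAIN_V4 = ipv4_header(6, "192.0.2.1", "198.51.100.7")
NATIVE_V6 = ipv6_header(6, "2001:db8::1", "2001:db8::2")
TUNNELED = ipv4_header(41, "192.0.2.1", "198.51.100.7", 40) + ipv6_header(58, "2001:db8::1", "2001:db8::2")
```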
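As an added illustration of parts C, D and E (not code from the patent), a small model of the Hash two-dimensional linked list with rule insertion, packet matching and header-priority adjustment; the choice of (protocol, destination port) as the hashed header key and the rule layout are assumptions.

```python
# Added example, not the patent's own code: a model of the "Hash two-dimensional
# linked list" of part C, the matching of part D and the priority adjustment of
# part E. The hash key (protocol, destination port) and the rule layout are
# assumptions; the patent does not fix them.
from dataclasses import dataclass, field
from zlib import crc32

@dataclass
class HeaderNode:            # node of the horizontal list; owns one vertical list
    key: tuple               # (protocol, destination port) shared by all its rules
    priority: int            # header priority: order within the horizontal list
    options: list = field(default_factory=list)   # vertical list: (option_prio, content, rid)

class HashTwoDimList:
    def __init__(self, buckets=64):
        self.table = [[] for _ in range(buckets)]   # C21: every entry empty (a horizontal list each)

    def bucket(self, proto, dport):                 # hash of the rule header (assumed key)
        return crc32(f"{proto}/{dport}".encode()) % len(self.table)

    def _insert_header(self, row, node):            # C23/C26: before the first header of lower priority
        pos = next((i for i, h in enumerate(row) if h.priority < node.priority), len(row))
        row.insert(pos, node)                       # ... or after the tail when none is lower

    def add_rule(self, rid, proto, dport, header_prio, content, option_prio):
        """Insert one rule: header part (proto, dport), option part (content pattern)."""
        row, key = self.table[self.bucket(proto, dport)], (proto, dport)
        for h in row:                               # C24: identical header already present?
            if h.key == key:                        # C25: option goes before the first lower-priority one
                pos = next((i for i, o in enumerate(h.options) if o[0] < option_prio), len(h.options))
                h.options.insert(pos, (option_prio, content, rid))
                return
        self._insert_header(row, HeaderNode(key, header_prio, [(option_prio, content, rid)]))

    def match(self, proto, dport, payload):
        for h in self.table[self.bucket(proto, dport)]:     # D2: traverse the horizontal list
            if h.key == (proto, dport):
                for _, content, rid in h.options:           # then the vertical list, highest priority first
                    if content in payload:
                        return rid
                return None                                 # header matched but no option did
        return None                                         # no header node for this packet

    def raise_header_priority(self, proto, dport, new_prio):
        row = self.table[self.bucket(proto, dport)]
        node = next(h for h in row if h.key == (proto, dport))
        row.remove(node)                # E: detach the header node together with its vertical list
        node.priority = new_prio
        self._insert_header(row, node)  # and re-add it through the normal insertion path
```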

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101243768A CN101309274B (en) 2008-06-27 2008-06-27 Mixed structure invasion detection system rule base establishing method

Publications (2)

Publication Number Publication Date
CN101309274A CN101309274A (en) 2008-11-19
CN101309274B true CN101309274B (en) 2011-02-09

Family

ID=40125492

Country Status (1)

Country Link
CN (1) CN101309274B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656634B (en) * 2008-12-31 2012-06-06 暨南大学 Intrusion detection method based on IPv6 network environment
CN101707601B (en) * 2009-11-23 2012-09-05 成都市华为赛门铁克科技有限公司 Invasion defence detection method and device and gateway equipment
CN103780469B (en) * 2012-10-23 2018-01-23 上海博达数据通信有限公司 The implementation method and message forwarding method in IPv6 tunnels on multi-core platform
CN103269342B (en) * 2013-05-10 2016-03-02 南通大学 The extensive bag matching process of a kind of higher-dimension based on IPV6
CN103581007A (en) * 2013-10-28 2014-02-12 汉柏科技有限公司 Message classifying and looking-up method
US10439875B2 (en) * 2017-05-31 2019-10-08 Cisco Technology, Inc. Identification of conflict rules in a network intent formal equivalence failure
CN109472138B (en) * 2017-12-01 2022-07-01 北京安天网络安全技术有限公司 Method, device and storage medium for detecting snort rule conflict
CN110019325A (en) * 2018-08-15 2019-07-16 北京天地和兴科技有限公司 A kind of fast matching method of industry rule
CN110320890B (en) * 2019-07-08 2021-08-03 北京科技大学 Intrusion detection system for PLC control system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1815997A (en) * 2005-01-31 2006-08-09 国际商业机器公司 Group classifying method based on regular collection division for use in internet
CN101094244A (en) * 2007-07-06 2007-12-26 中国人民解放军国防科学技术大学 Method of high performance distributed Hash table in P2P system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙知信 (Sun Zhixin). Research on a detection model for anomalous network traffic based on traffic state characteristics. 南京邮电大学学报(自然科学版) [Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition)], 2007, vol. 27, no. 2, full text. *
孙知信等 (Sun Zhixin et al.). Research on a hybrid secondary network traffic anomaly state model (混合二次网络流量异常状态模型研究). 计算机技术与发展 [Computer Technology and Development], 2007, vol. 17, no. 3, full text. *

Also Published As

Publication number Publication date
CN101309274A (en) 2008-11-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20081119

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: Nanjing Post & Telecommunication Univ.

Contract record no.: 2016320000207

Denomination of invention: Mixed structure invasion detection system rule base establishing method

Granted publication date: 20110209

License type: Common License

Record date: 20161109

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 Cancellation of recordation of patent licensing contract

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: Nanjing Post & Telecommunication Univ.

Contract record no.: 2016320000207

Date of cancellation: 20180116

EC01 Cancellation of recordation of patent licensing contract
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110209

Termination date: 20180627

CF01 Termination of patent right due to non-payment of annual fee