CN101453320A - Service identification method and system - Google Patents


Info

Publication number: CN101453320A
Authority: CN (China)
Prior art keywords: intrusion detection, server, protocol, identification, type
Legal status: Granted
Application number: CNA2007101788498A
Other languages: Chinese (zh)
Other versions: CN101453320B (en)
Inventors: 孙海波, 王磊, 骆拥政, 李博
Current Assignee: Beijing Venus Information Technology Co Ltd
Original Assignee: Beijing Venus Information Technology Co Ltd
Events: application filed by Beijing Venus Information Technology Co Ltd; priority to CN2007101788498A; publication of CN101453320A; application granted; publication of CN101453320B; current legal status: Expired - Fee Related


  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for recognizing services. The system comprises a protocol analyzer, a service recognizer, an attack feature base and an actual detection rule base. The method comprises the steps of protocol recognition, service recognition, generation of the actual detection rule base, and deep detection. The method and the system perform service recognition while offering high detection speed and high accuracy.

Description

Service identification method and system
Technical field
The present invention relates to a method and system for service identification in intrusion detection. It can be used in intrusion detection/prevention (IDS/IPS) and audit products, and belongs to the field of network technology.
Background technology
An intrusion detection/prevention system (Intrusion Detection/Protection System, IDS/IPS) is an important means of network security protection. It is usually deployed inside a key network or at the entrance of the network boundary, captures in real time the message data streams inside the network or entering and leaving it, performs an intelligent comprehensive analysis, finds possible intrusion behaviour and blocks it in real time.
Present intrusion detection products and techniques make the intrusion detection judgement directly from the result of protocol analysis, according to predefined event-base detection rules, without identifying the service type before detection. However, many existing attacks are aimed at a specific server type: for example, some flooding attacks only work when the HTTP server type is Apache, and cannot be carried out against other types of HTTP server. Because the server type is not distinguished and the same detection rules are applied to every server, intrusion detection or blocking produces many false positives. It is therefore necessary to identify the server type before making the intrusion detection judgement. This greatly narrows the scope of the actual detection rule base, because only the rules in the intrusion feature database that are relevant to this server type are added to the actual detection rule base, which further improves the efficiency and accuracy of intrusion detection. Research shows that in a real network environment the commonly used public protocol standards such as HTTP and FTP all carry information about the server type in the course of their operations or information exchange, so an intrusion detection system based on service identification is feasible.
Summary of the invention
The present invention proposes a method and system for service identification in intrusion detection. The service identification technique for intrusion detection improves the accuracy and efficiency of intrusion detection: the attack target is refined from the protocol to the specific server type, which narrows the attack detection feature database and improves the efficiency of pattern matching. At the same time, distinguishing server types greatly improves the accuracy of detecting and blocking attacks aimed at a particular server and reduces the false alarm rate.
The object of the invention is achieved as follows. A method for service identification in intrusion detection is characterised by comprising the following steps:
the protocol identification step;
the service identification step;
the generation step of the actual detection rule base;
the deep detection step.
A service identification system for intrusion detection comprises:
a protocol parser responsible for parsing and identifying each protocol layer of the actually transmitted data message;
a service identifier that performs keyword matching on the server data message;
an intrusion feature database describing all attacks;
an actual detection rule base of attacks aimed at a particular server type;
an intrusion detector that associates detection rules with processing functions, performs intrusion detection on all acquired data and returns the results.
The protocol parser is connected to the service identifier; the service identifier is connected to the intrusion feature database and the actual detection rule base; and the service identifier and the actual detection rule base are connected to the intrusion detector.
The beneficial effect of the invention is that it solves the false alarm and performance problems caused in conventional IDS/IPS products by not distinguishing service types and using a single event definition. Existing attacks are often aimed at a particular type of server; adding service identification narrows the intrusion feature database, detects efficiently and reduces false alarms, gives high detection speed and high accuracy, and can be widely used in network security products such as IDS/IPS and audit.
Description of drawings
Fig. 1 is the system architecture diagram of the service identification method and system for intrusion detection.
Fig. 2 is the workflow diagram of the service identification system for intrusion detection.
The invention is further described below with reference to the drawings and embodiments.
Embodiment
Embodiment one:
This embodiment is a basic form of the method and system for service identification in intrusion detection. Its basic framework is shown in Fig. 1 and comprises a protocol parser, a service identifier, an intrusion feature database, an actual detection rule base and an intrusion detector. The system workflow is shown in Fig. 2.
The steps of the method for service identification in intrusion detection comprise:
1. The protocol identification step. Protocol identification comprises hierarchical parsing of the datagram: according to the actually captured data message, the protocol actually in use is identified from the port feature, the static message features of the protocol and its behavioural features, and the analysis result is output as the basis for the service identification step.
2. The service identification step. The service identification step relies on the data result output by protocol identification to identify the type of server running the actual protocol. From the packets returned by the captured server, the protocol type is first judged, then keyword matching is performed to obtain the server type; the service identification module and the intrusion detection engine negotiate the resolved server type, and the whole process is mapped to a mutually agreed numeric ID to facilitate the exchange of data and commands.
3. The generation step of the actual detection rule base. The obtained server type is associated with the actual attack behaviour features to generate the matching rules used for actual detection, which are provided to the intrusion detection engine as the basis for the actual detection process.
4. The deep detection step. The intrusion detector queries the actual detection rule base, uses the association established at the rule-base generation stage to map the relevant rules to the appropriate processing functions, detects the received data, processes the data messages that match a rule with the relevant processing function, and returns the detection or processing result.
Embodiment two:
This embodiment is a preferred form of the protocol identification step of embodiment one:
1. After the packet is captured by the packet capture function, protocol analysis is performed with a hierarchical packet protocol analysis method and the protocol assembly work is set up; this is the protocol tree sub-step.
2. The unstructured data stream of the lowest layer is the root node, protocols with the same parent node are sibling nodes, and a protocol is identified by its feature word; this is the protocol parsing sub-step.
The basic idea of this embodiment is as follows. Protocol identification consists of a protocol tree module and a protocol parsing module. In the seven-layer OSI model, protocol data is encapsulated from top to bottom before being sent, so protocol parsing must proceed from bottom to top: after the network layer protocol is identified, the network layer header is stripped and the inner data is handed to the transport layer analysis, and so on up to the application layer. Because there are many kinds of network protocols, the protocol parser uses a protocol tree, which makes the hierarchical relationship between protocols explicit so that the protocols at every level of the data stream can be handled in turn. For example, once the port field of the TCP protocol has been registered, tcp.port=21 is taken to be the FTP protocol. The feature word can be any field defined by the protocol specification; for the IP protocol, for instance, the proto field can be defined as the feature word. Every protocol registered in the protocol parser indicates the features of its parent protocol, its child protocols and its sibling protocols. Taking the FTP protocol as an example: in the generic protocol parsing platform its parent node is the TCP protocol and its feature is that the port field of the TCP protocol is 21, so when a TCP data stream on port 21 arrives it is automatically identified as an FTP data message.
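The protocol tree described above, as an added example that is not the patent's own code: each protocol is registered under its parent together with the feature word (a field of the parent's header) that identifies it, and identification walks the tree upward from the unstructured byte stream at the root. The IPv4 and TCP header layouts handled, the field names (ip.proto, tcp.port) and the sample packets are constructed assumptions for the example.

```python
# Added example (not the patent's own code): a minimal protocol tree of the kind
# described in Embodiment two. Each protocol registers its parent and the feature
# word (a field of the parent's header) that identifies it, and parsing walks the
# tree upward from the unstructured byte stream at the root. The header layouts
# handled, the field names and the sample packets are constructed assumptions.
import struct

# Registry: protocol name -> (parent, feature field of the parent, expected value)
PROTOCOL_TREE = {}

def register(name, parent, feature_field=None, feature_value=None):
    """Register a protocol under its parent, keyed by a field of the parent's header."""
    PROTOCOL_TREE[name] = (parent, feature_field, feature_value)

def children_of(parent):
    """Sibling protocols: all nodes registered under the same parent."""
    return [n for n, (p, _, _) in PROTOCOL_TREE.items() if p == parent]

def matches(fields, feature_field, feature_value):
    """A feature matches a scalar field directly, or a set-valued field by membership."""
    if feature_field is None:
        return True
    value = fields.get(feature_field)
    if isinstance(value, (set, frozenset)):
        return feature_value in value
    return value == feature_value

# Header parsers: each strips its own header and returns (fields, inner payload).
def parse_ipv4(data):
    ihl = (data[0] & 0x0F) * 4
    return {"ip.proto": data[9]}, data[ihl:]

def parse_tcp(data):
    sport, dport = struct.unpack("!HH", data[:4])
    doff = (data[12] >> 4) * 4
    # tcp.port holds both ends, so a server reply (source port 21) is FTP as well
    return {"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": {sport, dport}}, data[doff:]

PARSERS = {"ip": parse_ipv4, "tcp": parse_tcp}   # leaf application protocols have none

# Registration: ip.proto 6 is TCP; tcp.port 21 is FTP and tcp.port 80 is HTTP (as in the text).
register("ip", "raw")
register("tcp", "ip", "ip.proto", 6)
register("ftp", "tcp", "tcp.port", 21)
register("http", "tcp", "tcp.port", 80)

def identify(data):
    """Walk the tree from the raw root. Returns (protocol path, parsed fields, innermost payload)."""
    node, path, fields, payload = "raw", [], {}, data
    while True:
        child = next((c for c in children_of(node)
                      if matches(fields, *PROTOCOL_TREE[c][1:])), None)
        if child is None:
            return path, fields, payload      # no registered child matched: stop here
        path.append(child)
        if child not in PARSERS:              # application protocol: payload is the message
            return path, fields, payload
        new_fields, payload = PARSERS[child](payload)
        fields.update(new_fields)
        node = child

def build_packet(src_port, dst_port, payload):
    """Constructed sample frame: 20-byte IPv4 header (proto 6) + 20-byte TCP header + payload."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0)
    return ip + tcp + payload

# Constructed samples: an FTP greeting from a server, an HTTP reply, and an unregistered port.
FTP_REPLY = build_packet(21, 40000, b"220 Serv-U FTP Server v6.0 for WinSock ready...\r\n")
HTTP_REPLY = build_packet(80, 40001, b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.14\r\n\r\n")
UNKNOWN = build_packet(9999, 40002, b"\x00\x01\x02")

if __name__ == "__main__":
    for pkt in (FTP_REPLY, HTTP_REPLY, UNKNOWN):
        path, fields, payload = identify(pkt)
        print("/".join(path), fields.get("tcp.port"), payload[:24])
```

Identification stops at the deepest registered node whose feature matches, so a TCP stream on an unregistered port is reported as ip/tcp with its payload left unparsed, which is the point at which a real parser would fall back to the static and behavioural message features the text mentions.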
Embodiment three:
This embodiment is a preferred form of the service identification step of embodiment one:
1. From the packets returned by the captured server, the protocol type is first judged in the protocol identification step, then keyword matching is performed to obtain the server type;
2. The service identification module and the intrusion detection engine negotiate the resolved server type, and the whole process is mapped to a mutually agreed numeric ID to facilitate the exchange of data and commands.
The basic idea of this embodiment is as follows. First, keyword matching appropriate to the given protocol is performed to obtain the server type; then the attack patterns aimed at this server type are added to the actual detection rule base. For the HTTP protocol, the service information is mainly extracted from the packets returned by the server: the keyword "Server:" is matched in the data message, and the concrete service information is the text after it up to the first carriage return/line feed (0d0a). For example, visiting the Sina home page gives Server:Apache/2.0.54 (Unix), visiting the Google home page gives Server:nginx/0.5.14, and visiting the Mop (猫扑) home page gives Server:Resin/2.1.13. For the FTP protocol the service information is likewise extracted from the server's return information: the message is first judged to be an FTP message (port 21); in the return information the first three bytes of the FTP payload are 220, i.e. the reply code, and the server information begins at the 5th byte of the FTP payload and is extracted up to the carriage return/line feed (0d0a). In the sample packet this is: 220 Serv-U FTP Server v6.0 for WinSock ready... After the concrete server type has been identified, an ID identifying this server type is generated and provided to the intrusion detection server for the deep detection of subsequent packets.
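The keyword matching just described, as an added example that is not the patent's own code: the HTTP extractor takes the value of the Server header up to the first CRLF (0d0a), and the FTP extractor checks the 220 reply code and takes the banner text from the 5th byte up to CRLF. The sample replies are constructed from the values quoted in the text; the length cap is an added precaution, not something the text specifies, since these bytes are chosen by the remote server (or by whatever is impersonating it).

```python
# Added example (not the patent's own code): keyword matching on server replies as
# described in Embodiment three. For HTTP the value of the "Server:" header is taken
# up to the first CRLF (0d0a); for FTP the "220" reply code is checked and the banner
# text from the 5th byte up to CRLF is taken. The replies are constructed samples and
# the length cap is an added precaution, since the remote end controls these bytes.
CRLF = b"\r\n"
MAX_TYPE_LEN = 128          # bound what is stored from an untrusted banner

def _clean(raw):
    """Decode a banner fragment as text, trimmed and bounded in length."""
    return raw[:MAX_TYPE_LEN].decode("latin-1").strip()

def http_server_type(response):
    """Server type from an HTTP response, or None when there is no Server header."""
    head = response.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    if not lines or not lines[0].startswith(b"HTTP/"):
        return None                       # not an HTTP response
    for line in lines[1:]:                # headers follow the status line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"server":
            return _clean(value)          # "Server:Apache/2.0.54 (Unix)" -> "Apache/2.0.54 (Unix)"
    return None

def ftp_server_type(banner):
    """Server type from an FTP greeting: reply code 220, text from the 5th byte to CRLF."""
    if not banner.startswith(b"220 "):    # only the single-line service-ready reply is handled
        return None
    end = banner.find(CRLF)
    text = banner[4:] if end < 0 else banner[4:end]
    return _clean(text) or None

def identify_service(protocol, payload):
    """Dispatch on the protocol name reported by the protocol identification step."""
    extractors = {"http": http_server_type, "ftp": ftp_server_type}
    extractor = extractors.get(protocol)
    return extractor(payload) if extractor else None

# Constructed sample replies, modelled on the values quoted in the text.
SAMPLES = {
    "sina":   ("http", b"HTTP/1.1 200 OK\r\nServer:Apache/2.0.54 (Unix)\r\nContent-Length: 0\r\n\r\n"),
    "google": ("http", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx/0.5.14\r\n\r\n<html>"),
    "noserv": ("http", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    "servu":  ("ftp",  b"220 Serv-U FTP Server v6.0 for WinSock ready...\r\n"),
    "denied": ("ftp",  b"530 Login incorrect\r\n"),
}

if __name__ == "__main__":
    for name, (proto, payload) in SAMPLES.items():
        print(name, proto, identify_service(proto, payload))
```

A reply without a Server header, a non-220 FTP reply, or a protocol with no extractor all yield None rather than a guessed type, so the rule-base generation step that follows can fall back to the protocol-wide rules instead of narrowing on a type it never actually saw.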
Embodiment four:
This embodiment is a preferred form of the generation step of the actual detection rule base of embodiment one.
The basic idea of this embodiment is as follows. The server type is matched against the intrusion feature database, the rules associated with that server type are added to the actual detection rule base, and the final actual detection rule base is generated. For example, the FTP server type Serv-U FTP Server v6.0 of embodiment three is associated with the attack detection rules under that type, and the combination of the two parts is stored in the actual detection rule base as an actual detection rule.
The algorithm adopted in this embodiment: a hash table is built for the server types using a hash algorithm. When the actual detection rules are generated, the IDS/IPS and the service identifier agree on the hash value (i.e. the ID) of the server type, and the rules relevant to that hash value are extracted directly from the intrusion feature database to form the actual detection rule base.
Embodiment five:
This embodiment is a preferred form of the deep detection step of embodiment one.
In a real network environment, after the service identifier provides the server type of the protocol used by the actually captured network message, the intrusion detection engine queries the actual detection rule base by the ID of that server type. The query result provides the intrusion detection engine with the event rules that need to be detected for this server type; the engine performs deep detection on the related data messages on the basis of these actual detection rules, processes the received data with the processing function corresponding to the detection result, and returns the processing result.
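Embodiments four and five together, as an added example that is not the patent's own code: the server type is hashed to the ID that the identifier and the detector share, only the feature-database rules keyed to the identified types are compiled into a hash table (the actual detection rule base), each rule is bound to its processing function at build time, and deep detection looks up the table by ID and runs only those rules. The feature database, its signatures, the handlers, the CRC32 choice of hash and the sample payloads are all constructed for the example.

```python
# Added example (not the patent's own code): building the actual detection rule base
# from server-type IDs (Embodiment four) and running deep detection with the rule to
# processing-function association made at build time (Embodiment five). The feature
# database, its signatures, the handlers and the sample payloads are constructed; the
# ID is a CRC32 of the normalised type string, standing in for whatever hash the
# service identifier and the IDS/IPS agree on.
import re
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    server_type: str      # server type the rule is keyed to; "*" applies to every type
    pattern: bytes        # regular expression run over the application payload
    action: str           # name of the processing function

def server_type_id(server_type):
    """Numeric ID (hash value) of a server type, shared by identifier and detector."""
    return zlib.crc32(server_type.strip().lower().encode("latin-1")) & 0xFFFFFFFF

# Processing functions: each returns what the detector reports for a match.
HANDLERS = {
    "alert": lambda rule, payload: ("alert", rule.rule_id, len(payload)),
    "block": lambda rule, payload: ("block", rule.rule_id, len(payload)),
}

# Constructed intrusion feature database: sample signatures for several server types.
FEATURE_DB = [
    Rule("R1", "Serv-U FTP Server v6.0", rb"(?i)^[a-z]{3,4} \S{500,}", "alert"),  # oversized FTP command argument
    Rule("R2", "Apache/2.0.54 (Unix)", rb"^(GET|POST) /\S{2000,}", "alert"),        # oversized request URI
    Rule("R3", "nginx/0.5.14", rb"^(GET|POST) /\S*%00", "alert"),                     # encoded NUL in URI
    Rule("R4", "*", rb"\x00", "block"),                                                # raw NUL in any payload
]

def build_rule_base(feature_db, server_types):
    """Hash table: type ID -> [(compiled pattern, rule, handler)] for the identified types only."""
    rule_base = {}
    for server_type in server_types:
        type_id = server_type_id(server_type)
        selected = [r for r in feature_db
                    if r.server_type == "*" or server_type_id(r.server_type) == type_id]
        # the rule-to-handler association is fixed here, at rule-base generation time
        rule_base[type_id] = [(re.compile(r.pattern), r, HANDLERS[r.action]) for r in selected]
    return rule_base

def deep_detect(rule_base, type_id, payload):
    """Run only the rules selected for this server type; return the handlers' results."""
    results = []
    for compiled, rule, handler in rule_base.get(type_id, []):
        if compiled.search(payload):
            results.append(handler(rule, payload))
    return results

# Constructed session: two servers were identified, then traffic to each is inspected.
RULE_BASE = build_rule_base(FEATURE_DB, ["Serv-U FTP Server v6.0", "Apache/2.0.54 (Unix)"])
SERVU_ID = server_type_id("Serv-U FTP Server v6.0")
APACHE_ID = server_type_id("Apache/2.0.54 (Unix)")
LONG_FTP_CMD = b"CWD " + b"A" * 600 + b"\r\n"
NUL_REQUEST = b"GET /\x00index HTTP/1.0\r\n\r\n"
PLAIN_REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(deep_detect(RULE_BASE, SERVU_ID, LONG_FTP_CMD))    # R1 fires only under the Serv-U ID
    print(deep_detect(RULE_BASE, APACHE_ID, LONG_FTP_CMD))   # same bytes, Apache rule base: nothing
    print(deep_detect(RULE_BASE, APACHE_ID, NUL_REQUEST))    # universal rule R4 fires
```

The same bytes produce a hit under one server-type ID and nothing under another, which is exactly the false-positive reduction the text claims; the cost is that a wrongly identified (or spoofed) banner silently drops the type-specific rules, so the universal rules, and a fallback to the protocol-wide set when identification returns nothing, remain important.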
Embodiment six:
This embodiment is the system, in other words the virtual apparatus, that implements the methods described in embodiments one to five; the system is shown in Fig. 1. This embodiment comprises: a protocol parser responsible for parsing and identifying each protocol layer of the actually transmitted data message; a service identifier that performs keyword matching on the server data message; an intrusion feature database describing all attacks; an actual detection rule base of attacks aimed at a particular server type; and an intrusion detector that associates detection rules with processing functions, performs intrusion detection on all acquired data and returns the results.
The protocol parser implements the function, described in embodiment two, of parsing and identifying each protocol layer of the data message captured in the real environment; the service identifier implements the function, described in embodiment three, of identifying the server type of the protocol used in the current message; the actual detection rule base stores the rules, described in embodiment four, that are actually used for intrusion detection or blocking, established by associating the attack database with the actually identified server type; and the intrusion detector implements the function, described in embodiment five, of deep intrusion detection and corresponding processing according to the concrete server type provided by the service identification step and the related detection rules stored in the actual detection rule base.
The service identification system for intrusion detection comprises: a protocol parser, a service identifier, an intrusion feature database, an actual detection rule base and an intrusion detector. The protocol parser is connected to the service identifier; the service identifier is connected to the intrusion feature database and the actual detection rule base; and the service identifier and the actual detection rule base are connected to the intrusion detector.

Claims (6)

1. A method for service identification in intrusion detection, characterised by comprising the following steps:
the protocol identification step;
the service identification step;
the generation step of the actual detection rule base;
the deep detection step.
2. The method for service identification in intrusion detection according to claim 1, characterised in that the protocol identification step comprises the sub-steps of:
after the packet is captured by the packet capture function, performing protocol analysis with a hierarchical packet protocol analysis method and setting up the protocol assembly work, as the protocol tree sub-step;
taking the unstructured data stream of the lowest layer as the root node, treating protocols with the same parent node as sibling nodes, and identifying a protocol by its feature word, as the protocol parsing sub-step.
3. The method for service identification in intrusion detection according to claim 1, characterised in that the service identification step comprises the sub-steps of:
first, from the packets returned by the captured server, judging the protocol type in the protocol identification step and performing keyword matching accordingly to obtain the server type;
the service identification module and the intrusion detection engine negotiating the resolved server type, the whole process being mapped to a mutually agreed numeric ID to facilitate the exchange of data and commands, as the server type identification sub-step.
4. The method for service identification in intrusion detection according to claim 1, characterised in that the generation step of the actual detection rule base has the following feature:
according to the actually identified server type information, the server type and the intrusion feature database are associated to obtain the actual detection rule base.
5. The method for service identification in intrusion detection according to claim 1, characterised in that the deep detection step has the following features:
after the related data is received, the intrusion detector queries the actual detection rule base and finds the rules corresponding to the keyword, as one sub-step;
using the association established at the generation stage of the actual detection rule base, the relevant rules are mapped to the appropriate processing functions, the received data is processed and the processing result is returned, as another sub-step.
6. A system for service identification in intrusion detection, characterised by comprising: a protocol parser responsible for parsing and identifying each protocol layer of the actually transmitted data message; a service identifier that performs keyword matching on the server data message; an intrusion feature database describing all attacks; an actual detection rule base of attacks aimed at a particular server type; and an intrusion detector that associates detection rules with processing functions, performs intrusion detection on all acquired data and returns the results;
the protocol parser being connected to the service identifier; the service identifier being connected to the intrusion feature database and the actual detection rule base; and the service identifier and the actual detection rule base being connected to the intrusion detector.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101788498A CN101453320B (en) 2007-12-06 2007-12-06 Service identification method and system

Publications (2)

Publication Number Publication Date
CN101453320A true CN101453320A (en) 2009-06-10
CN101453320B CN101453320B (en) 2011-06-15

Family

ID=40735360

Country Status (1)

Country Link
CN (1) CN101453320B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931557A (en) * 2010-08-13 2010-12-29 杭州迪普科技有限公司 User behaviour auditing method and system
CN101931557B (en) * 2010-08-13 2013-01-30 杭州迪普科技有限公司 User behaviour auditing method and system
CN102571719A (en) * 2010-12-31 2012-07-11 北京启明星辰信息技术股份有限公司 Invasion detection system and detection method thereof
CN104852894A (en) * 2014-12-10 2015-08-19 北京奇虎科技有限公司 Wireless message monitor detecting method, system and central control server
US10594677B2 (en) 2015-03-23 2020-03-17 Duo Security, Inc. System and method for automatic service discovery and protection
CN105450640A (en) * 2015-11-12 2016-03-30 国家电网公司 Electronic evidence collection method

Also Published As

Publication number Publication date
CN101453320B (en) 2011-06-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110615

Termination date: 20131206