CN101599963B - Suspected network threat information screener and screening and processing method - Google Patents


Info

Publication number
CN101599963B
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN2009100595514A
Other languages
Chinese (zh)
Other versions
CN101599963A (en)
Inventor
郑宇�
赵文豪
周亮
郭志勇
李广军
潘经纬
杨一波
钱宇平
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Events
Application filed by University of Electronic Science and Technology of China, with priority to CN2009100595514A
Publication of CN101599963A
Application granted
Publication of CN101599963B
Current legal status: Expired - Fee Related


Abstract

The invention belongs to the technical field of network security and concerns a screener and a screening method for screening information that is about to enter a detection system. The screener is a functional-module architecture device formed by configuring the logic resources of an FPGA; it comprises data aggregation, packet header and payload separation, screening of suspected threat packets at the network layer and the transport layer, output processing, preprocessing, screening of suspected threat packets at the application layer, and a software/hardware interface. The screening method comprises aggregation, separation, screening of suspected threat packets at the network and transport layers, output processing, packet preprocessing and screening of suspected threat packets at the application layer, and finally sends the packets containing suspected threat information to an intrusion detection system. The screener is compact in design and strong in processing capability; used together with an intrusion detection system it greatly reduces the load on the IDS, increases detection efficiency and the utilization of the detection system, expands the range of detection, reduces running cost and guarantees the safe running of the network.

Description

Suspected network threat information screener and screening and processing method
Technical field
The invention belongs to the field of network security technology, and in particular relates to a screener and screening method used together with an intrusion detection system (IDS: Intrusion Detection System) to screen suspected threat information present in the network. The screener and its screening method first screen the information stream that is about to enter the detection system, filter out normal traffic, and forward only packets that contain suspected threat information to the intrusion detection system (IDS) for further processing.
Background technology
With the development of the Internet, network security receives more and more attention. The intrusion detection system (IDS), a newer network security technology, is regarded as the second line of defense after the firewall. An IDS collects information from key points in a computer network and analyzes it (protocol analysis, signature detection, anomaly detection, etc.) to discover whether behavior, viruses and the like that endanger the security of the network or system are present, so that targeted handling can keep the network running safely. The conventional IDS workflow is:
1. collect information from different key points of the network;
2. compare this information against a behavior signature library and analyze whether it contains malicious attack behavior;
3. respond to the detected behavior;
4. record and report the detection results.
At present, with the rapid growth of network capacity, gigabit-class intrusion detection systems (IDS) have become the mainstream. Among the many gigabit IDS designs, the popular architectures combine a high-performance CPU, a network processor (NP) and a hardware accelerator. The high-performance CPU mainly handles control of the whole system, the network processor (NP) is used for protocol processing, firewalling, QoS and so on, and the hardware accelerator is generally an ASIC (application-specific integrated circuit) or FPGA (field programmable gate array) device. Although such hardware-based IDS systems can run relatively complex programs (processing methods) well, these high-performance gigabit IDS devices are often complex in structure and expensive, and are hard to popularize among the large number of small and medium users. In addition, to address the defects of the hardware-based IDS systems above, there are also pure-software intrusion detection implementations on platforms such as PCs, for example the open-source SNORT IDS. Although these software IDS systems have low operating cost and very strong intrusion detection capability, the software packet capture in such systems generally runs at only tens of megabits per second, so applying them in a gigabit network has two fatal defects: first, a large number of packets is simply missed in operation; second, pattern matching, protocol analysis and similar functions implemented in software are extremely slow, so the performance of the whole system ends up low.
Summary of the invention
The object of the invention is to address the defects of the background art by researching and designing a suspected network threat information screener and screening and processing method that can be used together with an intrusion detection system (IDS), in order to effectively reduce the burden on the intrusion detection system, improve its detection efficiency and the resource utilization of the detection system, expand the coverage and scope of detection over the network system, reduce operating cost and guarantee safe network operation.
The solution of the invention is to configure the internal logic resources of an FPGA (field programmable gate array) into a screener composed of functional modules, and to apply a corresponding screening method (flow): the information streams output by each switching device in the network and intended for the detection system are screened first, the large number of normal packets is filtered out, and only packets containing suspected threat information are passed to the intrusion detection system (IDS) for further targeted processing. The screener consists of a data aggregation module; a packet header and payload separation module; an output processing module; a preprocessing module; three levels of suspected threat packet screening modules, at the network layer, the transport layer and the application layer; and a software/hardware interface that is either attached to or built into the device. Its screening method identifies and screens packets one by one in the network-layer, transport-layer and application-layer modules by protocol characteristics and content, and then sends the packets found to contain suspected threat information to the intrusion detection system, thereby achieving its purpose. Thus the screener of the invention comprises a field programmable gate array (FPGA) device with a software/hardware interface, and is characterized in that the following are provided in the field programmable gate array device: a data aggregation module that receives the output of the network switching devices; a packet header and payload separation module; a network-layer suspected threat packet screening module; a transport-layer suspected threat packet screening module; an output processing module; a preprocessing module containing an IP reassembly unit (module), a TCP (transmission control protocol) session reassembly unit (module) and an application layer protocol normalization unit (module); and an application-layer suspected threat packet screening module containing a rule header matching unit, a content matching unit and a suspected threat packet output unit. Among these (functional) modules, the data aggregation module and the packet header and payload separation module, the output processing module and the preprocessing module, and the preprocessing module and the application-layer suspected threat packet screening module are connected in sequence through their respective outputs and inputs, while the network-layer and transport-layer suspected threat packet screening modules sit in parallel between the packet header and payload separation module and the output processing module; the output processing module, the preprocessing module (through the TCP session reassembly unit) and the application-layer suspected threat packet screening module (through the suspected threat packet output unit) are each connected to the software/hardware interface.
The network-layer suspected threat packet screening module comprises an IP suspected threat information screening unit, an ICMP suspected threat information screening unit and an output unit. The transport-layer suspected threat packet screening module comprises a TCP suspected threat information screening unit and an output unit.
The suspected network threat information screening and processing method of the invention comprises:
Step 1. Aggregation: the data (information) input from each switching device in the network to the data aggregation module (1) is aggregated;
Step 2. Separation: the data input after the aggregation of step 1 to the packet header and payload separation module (2) is separated into IP header, IP payload and transport protocol header; the IP header and IP payload are fed to the network-layer suspected threat packet screening module (3) and the transport protocol header to the transport-layer suspected threat packet screening module (4), so that screening for non-rule-based attacks is completed in parallel at the network layer and the transport layer;
Step 3. Network-layer suspected threat packet screening: the IP header and IP payload that enter the network-layer suspected threat packet screening module (3) after the separation of step 2 are screened for packets containing suspected threat information according to the rules of the network layer protocol, and the screening result is passed to the output processing module (5) together with the IP header and IP payload;
Step 4. Transport-layer suspected threat packet screening: the transport protocol header that enters the transport-layer suspected threat packet screening module (4) after the separation of step 2 is screened, according to the rules of the transport layer protocol, for headers containing non-rule-based suspected attack information, and the screening result is likewise passed to the output processing module (5) together with the transport layer protocol header;
Step 5. Output processing: for the screening results and their headers and payload received after steps 3 and 4, if any one result concludes that suspected threat information is present, the packet is treated as a packet containing non-rule-based suspected threat information and sent through the software/hardware interface (8) to the intrusion detection system (A); if all results are normal (no suspected threat information), the packet is passed to the preprocessing module (6) as a normal packet;
Step 6. Packet preprocessing: the normal packet input from step 5 has its IP fragments reassembled by the IP reassembly unit (6.1); after the TCP connection information table has been fetched from the intrusion detection system through the software/hardware interface (8), TCP session reassembly is performed by the TCP session reassembly unit (6.2); the data is then normalized by the application layer data normalization unit (6.3), and the processed IP header and transport protocol header and the application layer data are input respectively to the rule header matching unit and the content matching unit of the application-layer suspected threat packet screening module;
Step 7. Application-layer suspected threat packet screening: the IP header and transport protocol header input from step 6 are matched against rule headers by the rule header matching unit (7.1), and the input application layer data is matched against plain strings and regular expressions by the content matching unit (7.2); packets found to contain suspected threat information after matching are sent by the suspected threat packet output unit (7.3) through the software/hardware interface (8) to the intrusion detection system; otherwise the packet is discarded.
In the above, the network layer protocols whose rules are used in step 3 to screen packets containing suspected threat information comprise ICMP (Internet Control Message Protocol) and the IP protocol; the transport layer protocol whose rules are used in step 4 to screen headers containing non-rule-based suspected attack information comprises TCP (transmission control protocol). The normalization of application layer data in step 6 comprises the normalized expression of URLs (uniform resource locators) and a unified encoding for the HTTP (hypertext transfer protocol) protocol, and the deletion of the negotiation data of the Telnet (Terminal Network) protocol.
Because the invention uses an FPGA (field programmable gate array) device, configures its internal logic resources into a screener composed of functional modules, and applies the screening method of the invention, the information output by each network switching device and intended for the detection system is screened first: the large number of normal packets containing no suspected threat information is filtered out, and only packets containing suspected threat information are passed to the intrusion detection system (IDS) for further targeted processing. This greatly reduces the flow of information to be examined that enters the detection system and effectively reduces the burden on the intrusion detection system. The TCP session reassembly unit fetches the TCP connection information table directly from the intrusion detection system through the software/hardware interface during screening, which both lowers the difficulty of hardware processing and saves hardware resources. In addition, since the method of the invention screens packet by packet, for information streams characterized by flooding attacks, where no individual packet in the attack stream contains suspected threat information, the packets are all filtered out during screening as packets containing no suspected threat information and do not enter the intrusion detection system. The invention therefore has the characteristics that the screener is compact in design and strong in processing capability; used together with an intrusion detection system it can greatly reduce the burden on the intrusion detection system, improve its detection efficiency and the resource utilization of the detection system, expand the coverage and scope of detection over the network system, reduce operating cost and guarantee safe network operation.
Description of drawings
Fig. 1 is a schematic (block diagram) of the functional module architecture of the screener of the invention;
Fig. 2 is a flow diagram (block diagram) of the screening and processing method of the invention;
Fig. 3 is a schematic of the connections when the screener of the invention is used together with the network devices and the intrusion detection system (IDS).
In the figures: 1. data aggregation (functional) module; 2. IP packet header and payload separation module; 3. network-layer suspected threat packet screening module; 4. transport-layer suspected threat packet screening module; 5. output processing module; 6. preprocessing module; 6.1. IP reassembly unit (module); 6.2. TCP session reassembly unit (module); 6.3. application layer protocol normalization unit (module); 7. application-layer suspected threat packet screening module; 7.1. rule header matching unit; 7.2. content matching unit; 7.3. suspected threat packet output unit; 8. software/hardware interface; A. intrusion detection system; B. screener; C1~Cn: network switching devices.
Embodiment
This embodiment takes as its example 10 network switching devices (C1-10) used together with an intrusion detection system A:
The screener B of this embodiment uses a STRATIX III EP3SL150F FPGA (field programmable gate array) device produced by ALTERA as the screener body, with resources allocated as follows: data aggregation module 1, 1500 logic blocks and 0.5 Mbit of RAM; packet header and payload separation module 2, 600 logic blocks; network-layer suspected threat packet screening module 3, 1500 logic blocks; transport-layer suspected threat packet screening module 4, 1500 logic blocks; output processing module 5, 150 logic blocks; within preprocessing module 6, IP reassembly unit 6.1, 2000 logic blocks and 5 Mbit of RAM, TCP session reassembly unit 6.2, 2000 logic blocks and 2.5 Mbit of RAM, and application layer normalization unit 6.3, 2500 logic blocks; within application-layer suspected threat packet screening module 7, rule header matching unit 7.1, 5000 logic blocks, content matching unit 7.2, 25000 logic blocks, and suspected threat packet output unit 7.3, 150 logic blocks; in this embodiment the software/hardware interface 8 is located inside the FPGA device, with 1500 logic blocks allocated. Among these (functional) modules: data aggregation module 1 and packet header and payload separation module 2, output processing module 5 and preprocessing module 6, and preprocessing module 6 and application-layer suspected threat packet screening module 7 are connected in sequence by data lines between their outputs and inputs; network-layer suspected threat packet screening module 3 and transport-layer suspected threat packet screening module 4 sit in parallel between packet header and payload separation module 2 and output processing module 5; output processing module 5, preprocessing module 6 (through TCP session reassembly unit 6.2) and application-layer suspected threat packet screening module 7 (through suspected threat packet output unit 7.3) are each connected to the software/hardware interface.
The screening method (flow) of the screener in this embodiment:
Step 1. Aggregation: the data (information) input from each switching device in the network is first aggregated by data aggregation module 1, and the aggregated packets are then sent to packet header and payload separation module 2;
Step 2. Separation: after packet header and payload separation module 2 receives the aggregated packets, it first extracts the protocol type field from each received packet and checks whether the Ethernet frame encapsulates an IP packet; if not, the packet is discarded; if it does, the IP header, IP payload and transport layer header are separated out of the IP packet according to the relevant rules of the IP protocol and the transport layer protocol, the IP header and IP payload are sent to network-layer suspected threat packet screening module 3 and the IP header and transport layer header to transport-layer suspected threat packet screening module 4, and screening for non-rule-based attack packets at the network layer and the transport layer proceeds in parallel;
Step 3. Network-layer suspected threat packet screening: after network-layer suspected threat packet screening module 3 receives the IP header and payload separated by packet header and payload separation module 2, it first extracts, according to the IP protocol, the protocol type field, total length field, fragment attribute fields and option field from the IP header, and feeds the extracted data to the ICMP suspected threat information screening unit and the IP suspected threat information screening unit respectively; the two units run in parallel. The ICMP suspected threat information screening unit screens for packets suspected of carrying ICMP flood attack information, oversized ICMP packet attack information or ICMP packet fragment attack information and gives its result; the concrete screening rule of this embodiment is: if any one of three conditions occurs, namely the ICMP message is an echo request or echo reply, the IP total length of the packet encapsulating the ICMP message exceeds a preset threshold, or the IP fragment flag of the packet encapsulating the ICMP message is set, then the packet is one containing suspected threat information. Meanwhile the IP suspected threat information screening unit screens for suspicious abnormal packets by the option field and gives its result; its concrete rule is: if the option field of the IP header is not empty, the packet contains suspected threat information. After both units have finished, the results are combined by logical OR and sent, together with the IP header and payload input from the packet header and payload separation module, to the output processing module;
Step 4. Transport-layer suspected threat packet screening: after transport-layer suspected threat packet screening module 4 receives the IP header and transport layer header sent from packet header and payload separation module 2, it checks whether the transport layer protocol is TCP; if so, it first extracts the control field of the TCP header according to the TCP protocol and screens the transport layer header for information suspected of SYN (synchronize sequence number) flood attacks, port scan attacks and operating system fingerprinting attacks, giving its result. The concrete rule is: if the SYN/FIN/RST flags of the TCP control field (synchronize sequence number / terminate connection / reset connection) are set together, or no TCP control flag is set at all, the header is one containing suspected threat information. After screening, the result is sent through the output unit, together with the transport layer header, to output processing module 5;
Step 5. Output processing: the screening results and their headers and payload sent into output processing module 5 after the screening of steps 3 and 4 are evaluated together; if any one result concludes that suspected threat information is present, the packet is treated as a packet containing non-rule-based suspected threat information and sent through software/hardware interface 8 to intrusion detection system A; if all results are normal (no suspected threat information), the packet is passed to preprocessing module 6 as a normal packet;
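Steps 2 to 5 above, written out as an added software example (Python; this is not code from the patent, which implements these modules in FPGA logic): `separate` splits a constructed Ethernet frame into IP header fields, transport header and IP payload, `screen_network_layer` applies the ICMP conditions (echo request or reply, total length over a threshold, fragment flag or offset set) together with the IP option check, `screen_transport_layer` applies the TCP control-field check (SYN together with FIN or RST, or no flag set), and `output_stage` ORs the two verdicts. The threshold `ICMP_MAX_TOTAL_LEN` is an assumed value, since the patent states none, and the sample frames are constructed, not captured traffic.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04
ICMP_MAX_TOTAL_LEN = 1024   # assumed "preset threshold" for oversized ICMP; the patent gives no value


def separate(frame: bytes):
    """Step 2: split an Ethernet frame into (IP header fields, transport header,
    IP payload); returns None when the frame does not carry an IPv4 packet."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip_start = 14
    vihl, _tos, total_len, _ident, frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", frame[ip_start:ip_start + 10])
    ihl = (vihl & 0x0F) * 4
    ip = {
        "total_len": total_len,
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF,
        "proto": proto,
        "options": frame[ip_start + 20:ip_start + ihl],   # empty for a 20-byte header
    }
    payload = frame[ip_start + ihl:]
    transport_hdr = payload[:20] if proto == PROTO_TCP else payload[:8]
    return ip, transport_hdr, payload


def screen_network_layer(ip, payload) -> bool:
    """Step 3: the ICMP unit and the IP unit run side by side; results are OR-ed."""
    icmp_suspect = False
    if ip["proto"] == PROTO_ICMP and payload:
        icmp_suspect = (
            payload[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)   # echo request / reply
            or ip["total_len"] > ICMP_MAX_TOTAL_LEN              # oversized ICMP packet
            or ip["more_fragments"] or ip["frag_offset"] != 0    # fragmented ICMP
        )
    ip_suspect = len(ip["options"]) > 0                          # IP option field not empty
    return icmp_suspect or ip_suspect


def screen_transport_layer(ip, transport_hdr) -> bool:
    """Step 4: SYN set together with FIN or RST, or no TCP flag set at all."""
    if ip["proto"] != PROTO_TCP or len(transport_hdr) < 14:
        return False
    flags = transport_hdr[13] & 0x3F
    syn_with_fin_or_rst = bool(flags & TCP_SYN) and bool(flags & (TCP_FIN | TCP_RST))
    return syn_with_fin_or_rst or flags == 0


def output_stage(frame: bytes) -> str:
    """Step 5: 'IDS' if either unit flags the packet, 'PREPROCESS' if both find it
    normal, 'DROP' for frames that do not carry IP (discarded in step 2)."""
    parts = separate(frame)
    if parts is None:
        return "DROP"
    ip, transport_hdr, payload = parts
    if screen_network_layer(ip, payload) or screen_transport_layer(ip, transport_hdr):
        return "IDS"
    return "PREPROCESS"


# --- constructed sample frames (not captured traffic) ----------------------------
def build_frame(proto, transport_hdr, data=b"", options=b"", frag=0):
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(transport_hdr) + len(data)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, frag, 64,
                         proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + transport_hdr + data


def tcp_hdr(flags):
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_hdr(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


SAMPLE_FRAMES = {
    "tcp_syn": build_frame(PROTO_TCP, tcp_hdr(TCP_SYN)),
    "tcp_syn_fin": build_frame(PROTO_TCP, tcp_hdr(TCP_SYN | TCP_FIN)),
    "tcp_null": build_frame(PROTO_TCP, tcp_hdr(0)),
    "tcp_ip_options": build_frame(PROTO_TCP, tcp_hdr(TCP_SYN), options=b"\x01\x01\x01\x00"),
    "icmp_unreachable": build_frame(PROTO_ICMP, icmp_hdr(3)),
    "icmp_echo_request": build_frame(PROTO_ICMP, icmp_hdr(ICMP_ECHO_REQUEST)),
    "icmp_fragment": build_frame(PROTO_ICMP, icmp_hdr(3), frag=0x2000),   # MF flag set
    "not_ip": b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,
}


def run_samples():
    return {name: output_stage(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict}")
```

Note that under the rule of step 3 every echo request and reply goes to the IDS, so on a network with ordinary ping traffic that condition alone forwards most ICMP; the length threshold and the fragment condition are where the filtering value of the ICMP unit lies.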
Step 6. Packet preprocessing: the whole preprocessing flow is carried out by IP fragment reassembly unit 6.1, TCP session reassembly unit 6.2 and application layer normalization unit 6.3 in preprocessing module 6. Step 6.1. IP fragment reassembly: IP fragment reassembly unit 6.1 extracts the fragment attribute fields from the IP header of the normal packet input from step 5; if the fragment attribute is not set, the packet is sent directly to TCP session reassembly unit 6.2; if it is set, the unit checks whether the fragment reassembly table already holds an entry for reassembling this packet's IP payload; if no entry exists, a new entry is created and the IP header and IP payload are stored in it, otherwise the IP payload is loaded into the designated position of the existing entry according to the offset field of the IP header; it then checks whether this packet's IP payload is the last fragment; if so, reassembly is complete and the IP payload and IP header are sent to the TCP session reassembly module; otherwise the entry's timer is checked, and if the timer has expired the partially reassembled IP payload and IP header in the entry are sent directly to TCP session reassembly unit 6.2;
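The fragment table of step 6.1 as an added example (Python; not the patent's hardware design): entries are keyed by source address, destination address, identification and protocol, each fragment is stored at the position given by its offset, and on timer expiry the partially reassembled payload is forwarded as the patent describes. Two details are the example's own choices and not stated in the patent: reassembly is considered complete only when the last fragment has arrived and there are no holes (so fragments arriving out of order are handled), and holes in a partial payload are zero-filled. `FRAGMENT_TIMEOUT` is an assumed value; the fragments in `demo` are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FRAGMENT_TIMEOUT = 30.0   # seconds; an assumed value, the patent does not state one


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int            # IP identification field
    proto: int
    offset: int           # fragment offset in 8-byte units, as carried in the IP header
    more_fragments: bool  # the MF flag
    payload: bytes


@dataclass
class Entry:
    created: float
    chunks: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> data
    total_len: Optional[int] = None                          # known once the last fragment arrives


class FragmentReassembler:
    def __init__(self, timeout: float = FRAGMENT_TIMEOUT):
        self.timeout = timeout
        self.table: Dict[Tuple[str, str, int, int], Entry] = {}

    def process(self, frag: Fragment, now: float) -> Optional[Tuple[bytes, bool]]:
        """Returns (payload, complete) when data is to be forwarded to TCP session
        reassembly, or None while the datagram is still being collected."""
        if not frag.more_fragments and frag.offset == 0:
            return frag.payload, True                  # unfragmented: forward as-is
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        entry = self.table.get(key)
        if entry is None:                              # first fragment seen: new table entry
            entry = self.table[key] = Entry(created=now)
        entry.chunks[frag.offset * 8] = frag.payload   # store at the position given by the offset
        if not frag.more_fragments:
            entry.total_len = frag.offset * 8 + len(frag.payload)
        payload, complete = self._assemble(entry)
        if complete:                                   # last fragment seen and no holes
            del self.table[key]
            return payload, True
        if now - entry.created > self.timeout:         # timer expired: forward what we have
            del self.table[key]
            return payload, False
        return None

    @staticmethod
    def _assemble(entry: Entry) -> Tuple[bytes, bool]:
        end = entry.total_len
        if end is None:
            end = max(off + len(c) for off, c in entry.chunks.items())
        buf = bytearray(end)                           # holes stay zero-filled
        pos, contiguous = 0, True
        for off in sorted(entry.chunks):
            if off >= end:
                continue                               # fragment beyond the last one: ignore
            chunk = entry.chunks[off][:end - off]      # clip anything past the last fragment
            if off > pos:
                contiguous = False                     # a hole precedes this chunk
            buf[off:off + len(chunk)] = chunk
            pos = max(pos, off + len(chunk))
        return bytes(buf), entry.total_len is not None and contiguous and pos >= end


# --- constructed sample: a 24-byte datagram split into three 8-byte fragments ----
def demo() -> dict:
    results = {}
    r = FragmentReassembler()
    mk = lambda off, mf, data: Fragment("10.0.0.1", "10.0.0.2", 0x1234, 6, off, mf, data)
    # fragments arrive out of order (3rd, 1st, 2nd); the 2nd completes the datagram
    results["out_of_order"] = [r.process(mk(2, False, b"QRSTUVWX"), 0.0),
                               r.process(mk(0, True, b"ABCDEFGH"), 0.1),
                               r.process(mk(1, True, b"IJKLMNOP"), 0.2)]
    # second datagram: the middle fragment never arrives; a late duplicate of the
    # first fragment lands after the timeout, so the partial payload is forwarded
    r2 = FragmentReassembler()
    mk2 = lambda off, mf, data: Fragment("10.0.0.1", "10.0.0.2", 0x5678, 6, off, mf, data)
    results["timeout"] = [r2.process(mk2(0, True, b"ABCDEFGH"), 0.0),
                          r2.process(mk2(2, False, b"QRSTUVWX"), 1.0),
                          r2.process(mk2(0, True, b"ABCDEFGH"), 40.0)]
    results["table_empty"] = (len(r.table), len(r2.table))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Forwarding a partial datagram on timeout, as the patent specifies, means the content matcher downstream sees zero-filled holes; a deployment that prefers to discard incomplete datagrams instead would return None on expiry and simply delete the entry.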
Step 6.2. TCP session reassembly: after TCP session reassembly unit 6.2 receives the IP header and the IP payload reassembled by IP fragment reassembly unit 6.1, it checks whether the transport layer protocol is TCP; if not, the data is sent directly to application layer normalization unit 6.3; otherwise it checks, by the source and destination IP addresses in the IP header and the source and destination port numbers in the reassembled IP payload, whether the session reassembly table already holds an entry for reassembling this TCP payload; the session reassembly table of this embodiment is built from the TCP connection information fetched from the intrusion detection system through the software/hardware interface and is updated in real time; if no entry exists, the IP header, TCP header and TCP payload (the TCP header and TCP payload being the reassembled IP payload) are sent directly to the application layer normalization module, otherwise the TCP payload is stored at the designated position of the existing entry; it then checks whether the reassembled TCP payload has reached the prescribed length (or reassembly has completed), and if so the IP header, TCP header and reassembled TCP payload are sent to application layer normalization unit 6.3;
Step 6.3. Application layer data normalization: after application layer normalization unit 6.3 receives the IP header, transport layer header and reassembled payload from TCP session reassembly, it first checks whether the application layer protocol includes HTTP and/or Telnet; if HTTP is included, the encoding of the URL address in the HTTP protocol is unified to ASCII encoding; if Telnet is included, the redundant negotiation information in the Telnet session stream is deleted; after normalization, the IP header and transport layer header, and the application layer data, are sent separately to application-layer suspected threat packet screening module 7;
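Step 6.3 as an added example (Python; the patent gives no code and names the protocols only as HTTP and Telnet): the HTTP normalization decodes %XX escapes in the request line to plain ASCII so that rule content sees the same bytes whatever hex case or escaping the sender used, and the Telnet normalization deletes the option negotiation sequences (IAC WILL/WONT/DO/DONT, subnegotiation blocks and two-byte commands) from the session stream. Identifying the protocol by destination port (80 and 23) is an assumption of the example, as are the sample messages.

```python
import re

# Telnet command bytes (RFC 854); the patent names none of these constants
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
HTTP_PORT, TELNET_PORT = 80, 23           # assumed: protocol identified by destination port

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)\r?\n")


def normalise_http(data: bytes) -> bytes:
    """Unify the URL encoding of an HTTP request line to plain ASCII: %XX escapes
    in the request-target are decoded once; other lines are left as they are."""
    m = _REQUEST_LINE.match(data)
    if not m:
        return data
    decoded = _PCT.sub(lambda g: bytes([int(g.group(1), 16)]), m.group(2))
    return data[:m.start(2)] + decoded + data[m.end(2):]


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Delete option negotiation (IAC WILL/WONT/DO/DONT x, IAC SB ... IAC SE and
    two-byte IAC commands) from a Telnet stream, keeping only user data; an
    escaped IAC IAC is a literal 0xFF data byte and is kept."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                 # truncated command at end of buffer: drop it
            break
        cmd = stream[i + 1]
        if cmd == IAC:                 # escaped data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                     # IAC <cmd> <option>
        elif cmd == SB:                # subnegotiation runs up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                     # any other two-byte command (NOP, AYT, ...)
    return bytes(out)


def normalise(dst_port: int, app_data: bytes) -> bytes:
    """Step 6.3 dispatch: apply the HTTP or Telnet normalization, pass others through."""
    if dst_port == HTTP_PORT:
        return normalise_http(app_data)
    if dst_port == TELNET_PORT:
        return strip_telnet_negotiation(app_data)
    return app_data


# constructed samples
SAMPLE_HTTP = b"GET /%63%67%69-bin/%74est.pl?id=%31 HTTP/1.0\r\nHost: example.test\r\n\r\n"
SAMPLE_TELNET = b"\xff\xfd\x18\xff\xfa\x18\x00ANSI\xff\xf0\xff\xfb\x01login\r\n"

if __name__ == "__main__":
    print(normalise(HTTP_PORT, SAMPLE_HTTP))
    print(normalise(TELNET_PORT, SAMPLE_TELNET))
```

The HTTP decoder runs once; a request-target that was percent-encoded twice still reaches the matcher with one layer of escapes, which is the usual reason an IDS offers a separate double-decoding option.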
Step 7. Application-layer suspected threat packet screening: application-layer screening is carried out by rule header matching unit 7.1, content matching unit 7.2 and suspected threat packet output unit 7.3, and the concrete flow is:
Step 7.1. Rule header matching: rule header matching unit 7.1 matches the source and destination IP addresses in the IP header, the source and destination port numbers in the transport layer protocol header, and the transport layer and network layer protocol types against the rule headers of the rules in the rule base. Because the source and destination IP addresses in a rule header are expressed as prefixes, matching against the source and destination IP addresses in the IP header is done directly by means of a ternary content addressable memory; and because the port numbers in a rule header are generally expressed as ranges (e.g. 60-80), a binary decision tree method is used to complete that match. After rule header matching completes, the matching result is sent together with the headers to suspected threat packet output unit 7.3;
Step 7.2. Content matching: the application layer data fed into content matching unit 7.2 is matched against plain strings and regular expressions. Matching of the plain strings in the rule base against the application layer data is done with a non-deterministic finite automaton; matching of regular expressions is completed in three steps: first, identical prefixes, infixes and suffixes of all the regular expressions are shared; second, from the shared prefix, infix and suffix structure obtained in the first step, the matching circuit is generated in the form of a non-deterministic finite automaton; third, the plain strings and complex operators within the regular expressions are further optimized. When matching completes, the matching result is input, together with the application layer data, to suspected threat packet output unit 7.3; if either matching result indicates a packet containing suspected threat information, suspected threat packet output unit 7.3 sends the packet through software/hardware interface 8 to intrusion detection system A; otherwise the packet is discarded directly.
In a trial run of this embodiment: the network switching equipment (C1-10) consists of S2403TP-EA switches and SRW208 switches, 10 in total; the mirror port speed of each switch is 1 Gbps (gigabit per second); intrusion detection system A is Snort IDS (Snort is an open-source intrusion detection system).
In this embodiment, the connections between screener B and each piece of network switching equipment (C1-10) and intrusion detection system A use the 88E1111 network interface chip produced by Marvell, which supports gigabit network connections; one chip per link, 11 in total.
In operation, if the traffic that each set of network switching equipment C is planned to feed into intrusion detection system A is 1 Gbps, the combined traffic of the 10 sets is 10 Gbps. The screener of this embodiment filters out 95 to 98% of the normal packets that contain no suspected threat information, so that only 5% or less of the traffic (i.e. at most 500 Mbps of packets containing suspected threat information) enters intrusion detection system A, which greatly reduces its load.

Claims (7)

1. A suspected network threat information screener, comprising an FPGA with a software/hardware interface, characterized in that the following are provided in the field programmable gate array device: a data aggregation module that receives the output of the network switching equipment, a packet header and payload separation module, a network-layer suspected threat packet screening module, a transport-layer suspected threat packet screening module, an output processing module, a preprocessing module containing an IP reassembly unit, a TCP session reassembly unit and an application-layer protocol normalization unit, and an application-layer suspected threat packet screening module containing a rule header matching unit, a content matching unit and a suspected threat packet output unit; among these modules: the data aggregation module and the packet header and payload separation module, the output processing module and the preprocessing module, and the preprocessing module and the application-layer suspected threat packet screening module are connected in series through their corresponding outputs and inputs, while the network-layer suspected threat packet screening module and the transport-layer suspected threat packet screening module are connected in parallel between the packet header and payload separation module and the output processing module; the output processing module, the preprocessing module (through the TCP session reassembly unit) and the application-layer suspected threat packet screening module (through the suspected threat packet output unit) are each connected to the software/hardware interface.
2. The suspected network threat information screener of claim 1, characterized in that the network-layer suspected threat packet screening module comprises an IP suspected threat information screening unit, an ICMP suspected threat information screening unit and an output unit.
3. The suspected network threat information screener of claim 1, characterized in that the transport-layer suspected threat packet screening module comprises a TCP suspected threat information screening unit and an output unit.
4. A screening and processing method adopted by the suspected network threat information screener of claim 1, comprising:
Step 1. Aggregation: the data input from each switching device in the network to data aggregation module (1) is aggregated;
Step 2. Separation: the data entering packet header and payload separation module (2) after the aggregation of step 1 is separated into IP header, IP payload and transport protocol header; the IP header together with the IP payload is fed into network-layer suspected threat packet screening module (3), and the transport protocol header into transport-layer suspected threat packet screening module (4), so that screening for non-rule-based attacks is completed in parallel at the network layer and the transport layer;
Step 3. Network-layer suspected threat packet screening: the IP header and IP payload entering network-layer suspected threat packet screening module (3) after the separation of step 2 are screened for packets containing suspected threat information according to the provisions of the network-layer protocols, and the screening result is input to output processing module (5) together with the IP header and IP payload;
Step 4. Transport-layer suspected threat packet screening: the transport protocol header entering transport-layer suspected threat packet screening module (4) after the separation of step 2 is screened for headers containing non-rule-based attack suspected threat information according to the provisions of the transport-layer protocol, and the screening result is likewise input to output processing module (5) together with the transport-layer protocol header;
Step 5. Output processing: for the screening results and the headers and payload input after the screening of steps 3 and 4, if any one of the results concludes that suspected threat information is present, the packet is sent as a packet containing non-rule-based suspected threat information to intrusion detection system (A) through software/hardware interface (8); if all conclusions are normal, the packet is input to preprocessing module (6) as a normal packet;
Step 6. Packet preprocessing: the IP fragments of the normal packets input from step 5 are reassembled by IP reassembly unit (6.1); after the TCP connection information table has been requested from the intrusion detection system through software/hardware interface (8), TCP session reassembly is performed by TCP session reassembly unit (6.2); the data is then normalized by application-layer data normalization unit (6.3); the processed IP header and transport protocol header are input to the rule header matching unit, and the application-layer data to the content matching unit, of the application-layer suspected threat packet screening module;
Step 7. Application-layer suspected threat packet screening: the IP header and transport protocol header input from step 6 undergo rule header matching in rule header matching unit (7.1), and the application-layer data undergoes plain-string and regular-expression matching in content matching unit (7.2); packets found after matching to contain suspected threat information are sent by suspected threat packet output unit (7.3) through software/hardware interface (8) to the intrusion detection system; otherwise they are discarded.
5. The screening and processing method of claim 4, characterized in that, in the screening in step 3 of packets containing suspected threat information according to the provisions of the network-layer protocols, the network-layer protocols comprise ICMP and IP.
6. The screening and processing method of claim 4, characterized in that, in the screening in step 4 of headers containing non-rule-based attack suspected threat information according to the provisions of the transport-layer protocol, the transport-layer protocol comprises TCP.
7. The screening and processing method of claim 4, characterized in that the normalization of application-layer data in step 6 comprises normalizing the URL representation and unifying the encoding for the HTTP protocol, and deleting the negotiation data in the Telnet protocol.
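The normalization of step 6 and claim 7, as an added software model (example code, not the patent's hardware): HTTP request targets are reduced to one canonical form so that a single rule string matches every encoding of the same path, and Telnet option negotiation is removed so that the content matcher sees only session text. Claim 7 names URL normalization, a unified encoding and Telnet negotiation removal without saying which transformations that covers, so the ones below (percent decoding with a second pass for double encoding, backslash to slash, dot-segment removal, RFC 854 IAC stripping) are assumptions, and the inputs are constructed.

```python
"""HTTP URL normalization and Telnet negotiation stripping (added example)."""
from typing import Set, Tuple

HEXDIGITS = b"0123456789abcdefABCDEF"

def percent_decode(s: bytes) -> bytes:
    """Decode %XX escapes once; malformed escapes are left as they are."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == 0x25 and i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return bytes(out)

def normalize_url(target: bytes, max_decode: int = 2) -> Tuple[bytes, Set[str]]:
    """Canonical request path (+ decoded query) and the evasions seen on the way."""
    flags: Set[str] = set()
    path, sep, query = target.partition(b"?")
    for n in range(max_decode):                  # second pass catches %25XX double encoding
        decoded = percent_decode(path)
        if decoded == path:
            break
        if n:
            flags.add("double-encoding")
        path = decoded
    if b"\\" in path:
        flags.add("backslash")
        path = path.replace(b"\\", b"/")
    segs = []
    for seg in path.split(b"/"):
        if seg in (b"", b"."):                   # empty (//) and self (.) segments
            continue
        if seg == b"..":
            flags.add("traversal")
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    norm = b"/" + b"/".join(segs)
    if sep:
        norm += b"?" + percent_decode(query)
    return norm, flags

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove Telnet option negotiation (RFC 854 IAC sequences) so that only
    session text reaches the content matcher; IAC IAC is an escaped 0xFF."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                           # lone IAC at the end: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):      # three bytes: IAC cmd option
            i += 3
        elif cmd == SB:                          # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                    # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)

if __name__ == "__main__":
    print(normalize_url(b"/cgi-bin/..%2f..%2f..%2fetc%2fpasswd"))
    print(strip_telnet_negotiation(b"\xff\xfd\x18\xff\xfa\x18\x00ANSI\xff\xf0cat /etc/passwd\r\n"))
```

The normalizer returns the evasions it undid alongside the canonical path: resolving `..` is necessary so that a rule for `/etc/passwd` fires, but the fact that traversal or double encoding was present is itself worth passing to the IDS, since the screener would otherwise hide the evidence of the evasion it removed.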
CN2009100595514A 2009-06-10 2009-06-10 Suspected network threat information screener and screening and processing method Expired - Fee Related CN101599963B (en)

Publications (2)

Publication Number Publication Date
CN101599963A CN101599963A (en) 2009-12-09
CN101599963B true CN101599963B (en) 2012-07-04

Family

ID=41421210

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109753518A (en) * 2018-12-28 2019-05-14 成都九洲电子信息系统股份有限公司 The data depth threat detection system and method for rule-based data

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011149773A2 (en) * 2010-05-25 2011-12-01 Hewlett-Packard Development Company, L.P. Security threat detection associated with security events and an actor category model
CN101964751B (en) * 2010-09-30 2013-01-16 华为技术有限公司 Transmission method and device of data packets
CN102098289B (en) * 2010-12-17 2014-08-27 曙光信息产业股份有限公司 Network security accessing and sealing method based on FPGA (field programmable gate array)
US20130346985A1 (en) * 2012-06-20 2013-12-26 Microsoft Corporation Managing use of a field programmable gate array by multiple processes in an operating system
MX2015010770A (en) * 2013-03-14 2016-06-17 Fidelis Cybersecurity Inc System and method for extracting and preserving metadata for analyzing network communications.
CN103647708A (en) * 2013-11-29 2014-03-19 曙光信息产业(北京)有限公司 ATCA-based data message processing board
CN104219242A (en) * 2014-09-09 2014-12-17 天津大学 Hardware-based network data packet filtering structure
CN106301992B (en) * 2015-06-12 2019-09-03 阿里巴巴集团控股有限公司 A kind of attack message detection method and equipment
CN106961414B (en) * 2016-01-12 2020-12-25 阿里巴巴集团控股有限公司 Honeypot-based data processing method, device and system
CN106789695B (en) * 2016-11-24 2020-04-03 杭州迪普科技股份有限公司 Message processing method and device
CN108206826B (en) * 2017-11-29 2020-07-14 华东师范大学 Lightweight intrusion detection method for integrated electronic system
CN108650274B (en) * 2018-05-21 2021-07-27 中国科学院计算机网络信息中心 Network intrusion detection method and system
CN111414402A (en) * 2020-03-19 2020-07-14 北京神州绿盟信息安全科技股份有限公司 Log threat analysis rule generation method and device
CN117118717A (en) * 2023-09-01 2023-11-24 湖北顺安伟业科技有限公司 User information threat analysis method and system
CN117009961B (en) * 2023-09-28 2023-12-08 北京安天网络安全技术有限公司 Method, device, equipment and medium for determining behavior detection rule

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1435977A (en) * 2002-02-01 2003-08-13 联想(北京)有限公司 Method for detecting and responding of fire wall invasion
CN101252467A (en) * 2006-12-18 2008-08-27 Lgcns株式会社 Apparatus and method of securing network
CN101401090A (en) * 2004-04-19 2009-04-01 加利福尼亚大学董事会 Programmable hardware for deep packet filtering

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20150610

EXPY Termination of patent right or utility model