CN102223267A - IDS (intrusion detection system) detecting method and IDS detecting equipment - Google Patents

IDS (intrusion detection system) detecting method and IDS detecting equipment

Info

Publication number: CN102223267A
Authority: CN (China)
Prior art keywords: information, ids, characteristic, characteristic information, tested
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201110163258XA
Other languages: Chinese (zh)
Other versions: CN102223267B (en)
Inventors: 李凤华, 史国振, 李冬冬, 李莉, 苏铓, 张晶辉, 胡波
Current assignee: BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Application filed by BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority to CN201110163258.XA
Publication of CN102223267A
Application granted
Publication of CN102223267B
Legal status: Active

Abstract

The invention relates to an IDS (intrusion detection system) detection method and IDS detection equipment. The detection method comprises the following steps: step a: obtaining detection command information and parsing it to obtain detection feature information; step b: extracting the detection feature information and storing it as a feature information linked list; step c: merging the feature information in the linked list according to the attributes of the detection feature information; step d: generating a test packet from the merged feature information and sending it to the IDS under test; step e: obtaining the feedback file of the IDS under test and generating an alert file in a uniform format. The scheme can construct detection packets that carry several features, which improves the rationality and accuracy of the detection; furthermore, the feedback files of different IDS products can be parsed, so the method and the equipment have good generality and practical value.

Description

Detection method and detection equipment for an IDS
Technical field
The present invention relates to the field of network security detection, and specifically to a detection method and detection equipment for an IDS.
Background technology
With the expanding scope of Internet applications, new types of targeted computer viruses have appeared, and network security problems have seriously affected every field in which people use networks, even threatening the security of state secrets. An intrusion detection system (IDS) is a network security technology that monitors network transmissions in real time and raises an alarm or takes active countermeasures when suspicious traffic is found; it has become one of the indispensable means of network protection, so the monitoring performance of the IDS itself has attracted wide attention.
Usually, IDS equipment is tested by assessing the security of the device through its alert behaviour. Because feature-based detection techniques are relatively mature, most IDS products adopt pattern matching against attack signatures. The workflow of such an IDS is essentially: capture a network packet; extract the payload, protocol fields, addresses and ports from it; search the rule base for matching information; and trigger an alert if matching packet information is found. Accordingly, IDS detection methods mainly send attack packets, constructed or simulated according to the rules to be tested, to the device under test, then obtain and parse the IDS alert information in order to assess the security of the IDS device and provide an information security demonstration for it. However, the common rule-based pattern matching detection method generates one network packet per rule, so if it is used to test an IDS, a large number of network packets must be sent to cover all rules, which not only wastes test and assessment time but also risks congesting the network.
Because an IDS needs to update its rule base online regularly, simulated attack packets must be constructed online as well, and the IDS must be tested online efficiently without disturbing the normal operation of the network and the device, so that the actual intrusion detection effect of the updated device is obtained in real time. But when real-time online detection of IDS equipment is carried out, the alert content of different IDS devices differs: the description of an alert event may be too simple or too complex to be practical to work with; alert formats differ, which makes them hard to recognise and understand and hurts generality; and each manufacturer's IDS equipment, built for its own commercial interest, has weak extensibility and poor portability. Hence there has so far been no unified method for assessing and testing IDS equipment.
Summary of the invention
The technical problem solved by the present invention is to provide a detection method and detection equipment for an IDS that can construct detection packets carrying several features and parse the feedback files of different IDS devices into alert files of a uniform format, giving good generality and practical value and improving the rationality and accuracy of the detection.
To solve the above technical problem, the present invention discloses a detection method for an IDS, the method comprising:
Step a: obtain detection command information and parse it to obtain detection feature information;
Step b: extract the detection feature information and store it as a feature information linked list;
Step c: merge the feature information in the linked list according to the attributes of the detection feature information;
Step d: generate a test packet from the merged feature information and send it to the IDS under test;
Step e: obtain the feedback file of the IDS under test and generate an alert file of uniform format.
Further, step c also comprises:
Step c11: select one feature in the feature information linked list as the reference feature;
Step c12: take the next feature as the comparison feature;
Step c13: obtain and parse the attributes of the reference feature and the comparison feature to judge whether they can be merged; if they can, store the merged information in the reference feature and delete the comparison feature from the linked list, otherwise keep the comparison feature;
Step c14: repeat steps c12 to c13 to traverse all features in the linked list; once all features have been traversed, merging is complete.
Further, step d also comprises:
Step d11: generate a test packet from the merged feature information and judge, according to the command information, whether a TCP connection needs to be established;
Step d12: if no TCP connection is needed, send the test packet directly to the IDS under test from network interface A or B as specified by the command information;
Step d13: if a TCP connection is needed, use network interface A or B as the TCP connection requester and the other interface as the responder as instructed by the command information, establish the TCP connection, send the test packet to the IDS under test, and release the connection after sending completes.
Further, step e also comprises:
Step e11: obtain the feedback file of the IDS under test;
Step e12: generate a description document from the feedback file of the IDS under test;
Step e13: parse the description document and the feedback file of the IDS under test to generate an alert file of uniform format.
The invention also discloses detection equipment for an IDS, the equipment comprising a feature information parsing module, a feature extraction module, a feature merging module, a packet generation module and an alert parsing module, wherein:
the feature information parsing module obtains detection command information and parses it to obtain detection feature information;
the feature extraction module extracts the detection feature information and stores it as a feature information linked list;
the feature merging module merges the feature information in the linked list according to the attributes of the detection feature information;
the packet generation module generates a test packet from the merged feature information and sends it to the IDS under test;
the alert parsing module obtains the feedback file of the IDS under test and generates an alert file of uniform format.
The beneficial effects of adopting the technical scheme of the present invention are:
1) The IDS detection method and equipment proposed by the present invention support both connection-oriented and connectionless tests. In a connectionless test, the network interfaces of the test equipment can send test packets in parallel to exercise the detection function of the IDS; in a connection-oriented test, the network interfaces of the test equipment can set up an unlimited number of TCP connections among themselves, so that efficient online testing of the IDS is achieved while the basic functions of the network are preserved;
2) Because the present invention includes a feature merging module, detection packets carrying several features can be constructed by parsing and merging feature information, which improves the rationality and accuracy of the detection;
3) Because the present invention includes an alert parsing module and defines a uniform alert file format, the feedback files produced during detection can be described and parsed uniformly, so that the feedback files produced by different IDS products can all be parsed; this gives good generality and practical value.
Description of drawings
Fig. 1 is a flow chart of the IDS detection method in an embodiment of the invention;
Fig. 2 is a schematic diagram of the test environment architecture of the IDS detection method in an embodiment of the invention;
Fig. 3 is a flow chart of feature information merging in an embodiment of the invention;
Fig. 4 is a flow chart of the merge analysis of feature information in an embodiment of the invention;
Fig. 5 is a flow chart of alert file generation in an embodiment of the invention;
Fig. 6 is a schematic diagram of the logical structure of the IDS detection equipment in an embodiment of the invention.
Embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples given are only intended to explain the invention, not to limit its scope.
One embodiment of the present invention discloses a detection method for an IDS. Fig. 1 is the flow chart of the IDS detection method in this embodiment; as shown in Fig. 1, the method comprises the following steps:
Step 101: obtain detection command information and parse it to obtain detection feature information;
In an embodiment of the invention, the test environment of the IDS detection method is as shown in Fig. 2. The test environment architecture consists of a host computer, the detection equipment with three network interfaces, a LAN, and the IDS under test that monitors the LAN. The host computer and the detection equipment communicate in both directions through network interface C, exchanging the host computer's control command information and the detection equipment's feedback file so that the two work in coordination. The detection equipment sends test packets into the LAN through network interfaces A and B; the IDS under test parses the packets it receives on the LAN and returns a feedback file; from the feedback file the host computer assesses how well the IDS monitors and protects the LAN, which achieves the purpose of testing the IDS. The host computer's control command information includes the feature protocol field, the feature priority field and the feature database file number, together with the core processor used by the TCP connection requester, the core processor used by the responder, the network interface used by the requester and the network interface used by the responder. The feedback file of the detection equipment includes the usage of the core processors, the progress of processing the host computer's commands, and so on.
In this embodiment, when the detection equipment receives command information sent by the host computer, it parses each field of the command information to obtain the relevant detection feature information. The command information is parsed as follows: first, the corresponding detection feature file is resolved from the feature database file number in the command information; then the resolved feature file is filtered according to the feature protocol field and the feature priority field of the command information to obtain the specific feature information.
Step 102: extract the detection feature information and store it as a feature information linked list;
In this embodiment, the extracted detection feature information is stored in the form of a linked list. In a specific embodiment, the detection feature information comprises the following C structure (the types IDS_Struct_TCP_OPT, IDS_Struct_ICMP_OPT and IDS_Struct_Content are defined elsewhere in the patent and are not reproduced here):
    typedef struct IDS_D_RuleInfo {
        unsigned char  uc_IP_Fragbits;        /* IP reserved (fragment) bits field */
        unsigned char  uc_IP_Sameip;          /* flag: whether source IP equals destination IP */
        unsigned int   ui_IP_Dsize;           /* payload size */
        unsigned int   ui_IP_Protocol;        /* IP protocol field */
        unsigned short us_IP_Fragoffset;      /* specific fragment offset value */
        union {
            IDS_Struct_TCP_OPT  st_TCP_Opt;   /* set of TCP feature options */
            IDS_Struct_ICMP_OPT st_ICMP_Opt;  /* set of ICMP feature options */
        } un_Protocol_Opt;
        unsigned char  uc_Flow;               /* data flow state code (TCP stream) */
        IDS_Struct_Content *pst_Content;      /* payload-related information */
        char *pc_MSG;                         /* string written to the feedback file */
        char *pc_ClassType;                   /* feature class */
        unsigned int   ui_SID;                /* unique feature ID number */
        unsigned short us_OS_Status;          /* operating-system classification state of the feature */
        unsigned short us_OS;                 /* applicable OS type */
        unsigned long  ul_Time;               /* time node */
        struct IDS_D_RuleInfo *Next;          /* pointer to the next feature */
    } IDS_Struct_RuleInfo;
Step 103: merge the feature information in the linked list according to the attributes of the detection feature information;
This embodiment defines a feature merge analysis flow that analyses whether the features in the linked list can be merged, laying the foundation for completing the merge. The attributes of the feature information include: packet time-to-live ttl, type of service tos, fragment ID id, IP options ipopts, fragmentation and reserved bits field fragbits, TCP flags flags, TCP sequence number seq, TCP acknowledgement number ack, ICMP type field itype, ICMP code field icode, the field icmp_id that checks whether the ICMP ID in an ICMP ECHO packet is a specified value, the field icmp_seq that checks whether the ICMP sequence number in an ICMP ECHO packet is a specified value, rule direction flow, the field sameip that checks whether the source IP and destination IP are the same, TCP window size window, the field ip_proto that allows the IP protocol header to be checked, rule classification classtype, and the packet payload size dsize; a parameter pmax is also defined to represent the maximum payload limit. Fig. 3 is the feature merging flow chart of this embodiment; the merge possibility analysis of the feature information is described below with reference to Fig. 3 and comprises the following sub-steps:
Sub-step c11: select one feature in the feature information linked list as the reference feature;
Sub-step c12: take the next feature as the comparison feature;
Sub-step c13: obtain and parse the attributes of the reference feature and the comparison feature to judge whether they can be merged; if they can, store the merged information in the reference feature and delete the comparison feature from the linked list, otherwise keep the comparison feature;
In this embodiment, the process of judging whether the reference feature and the comparison feature can be merged is as shown in Fig. 4:
1) Compare the attribute information contained in the two features. If both contain the same attributes, and the parameters of those attributes are identical (or the attribute carries no parameter at all), proceed to the next step; otherwise the two features cannot be merged;
Taking the following two features as an example, they cannot be merged because the parameters of the attribute icmp_id differ:
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (ficken)"; content:"ficken"; itype:0; icmp_id:6667; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:2;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (niggahbitch)"; content:"niggahbitch"; itype:0; icmp_id:9015; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:2;)
2) Carry out the merge analysis of the dsize option. If dsize is not specified, dsize is the actual payload size of the packet and pmax is set to 1460; if dsize is a fixed value, pmax is set to the value of dsize, e.g. for dsize:40, pmax is set to 40; if dsize specifies a range below some bound, pmax is set to that bound minus 1, e.g. for dsize:<40, pmax is set to 39; if dsize specifies a range above some bound, pmax is set to 1460;
3) Sum the dsize of the two compared features and compare the sum with the pmax of the reference rule; if the sum is less than the pmax of the reference rule, the two features can be merged, otherwise they cannot.
Taking the following two features as an example: the attributes they contain are the same; feature ① has a payload size dsize greater than 1445, so its pmax is 1460; feature ② has a dsize of 40; the sum of the two is greater than 1485, which exceeds pmax = 1460, so they cannot be merged:
① alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; reference:arachnids,261; classtype:attempted-dos; sid:282; rev:4;)
② alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful"; flow:established; dsize:40; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; reference:url,www.lurhq.com/phatbot.html; classtype:trojan-activity; sid:2000014; rev:3;)
The following two features illustrate a case that can be merged:
① alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; classtype:attempted-dos; sid:244;)
② alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; classtype:attempted-dos; sid:245;)
The result after merging is:
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; content:"ping"; classtype:attempted-dos; sid:244;)
Sub-step c14: repeat steps c12 to c13 to traverse all features in the linked list; once all features have been traversed, merging is complete.
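The three checks of Fig. 4 and the list walk of sub-steps c11 to c14, implemented as an added example in Python (this is not the patent's code). The rule texts are the ones quoted on the page, except that the second Stacheldraht rule is a constructed stand-in with the same attributes and a neutral content pattern. Two assumptions go beyond the page: two features must share the same rule header to merge (so the arkiea/Agobot pair already fails on its header and flow options before the payload-size check, which the pmax and effective_dsize helpers expose on their own), and a rule without dsize is sized by the number of bytes its content patterns need.

```python
# Added example, not the patent's code: merge analysis of Snort-style features
# following the three checks of Fig. 4 and the list walk of steps c11-c14.
# Assumptions beyond the page: two features must share the same rule header to
# merge, and a rule without dsize is sized by the bytes its content patterns need.
ATTRIBUTE_KEYS = {"ttl", "tos", "id", "ipopts", "fragbits", "flags", "seq", "ack", "itype", "icode",
                  "icmp_id", "icmp_seq", "flow", "sameip", "window", "ip_proto", "classtype"}
PMAX_DEFAULT = 1460  # pmax when dsize is absent or open-ended ('>n')

# Rules quoted on the page; STACHEL_2 is a constructed stand-in for the second
# handler->agent rule (same attributes, icmp_id:9015, neutral content pattern).
MSTREAM_1 = 'alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; classtype:attempted-dos; sid:244;)'
MSTREAM_2 = 'alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; classtype:attempted-dos; sid:245;)'
STACHEL_1 = 'alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (ficken)"; content:"ficken"; itype:0; icmp_id:6667; classtype:attempted-dos; sid:1856; rev:2;)'
STACHEL_2 = 'alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (constructed)"; content:"handler"; itype:0; icmp_id:9015; classtype:attempted-dos; sid:1854; rev:2;)'
ARKIEA = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; classtype:attempted-dos; sid:282; rev:4;)'
AGOBOT = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful"; flow:established; dsize:40; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; classtype:trojan-activity; sid:2000014; rev:3;)'

def split_options(body):
    """Split the option body on ';' characters that are outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in body:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in out + [cur.strip()] if o]

def parse_rule(text):
    """Rule text -> {'header': [7 tokens], 'options': [(key, value), ...]}."""
    head, _, body = text.strip().partition("(")
    header = head.split()
    if len(header) != 7:
        raise ValueError("bad rule header: " + head)
    opts = [tuple(s.strip() for s in o.partition(":")[::2]) for o in split_options(body.rstrip(")"))]
    return {"header": header, "options": opts}

def option(rule, key):
    return next((v for k, v in rule["options"] if k == key), None)

def content_bytes(value):
    """Byte length of a content pattern; segments between '|' are hex bytes."""
    segs = value.strip('"').split("|")
    return sum(len(s.split()) if i % 2 else len(s) for i, s in enumerate(segs))

def pmax(rule):
    """Check 2: maximum payload permitted by the reference rule's dsize."""
    spec = option(rule, "dsize")
    if spec is None or spec.startswith(">"):
        return PMAX_DEFAULT
    return int(spec[1:]) - 1 if spec.startswith("<") else int(spec)

def effective_dsize(rule):
    """Payload size a rule contributes to the check-3 sum (see assumptions above)."""
    spec = option(rule, "dsize")
    if spec is None:
        return sum(content_bytes(v) for k, v in rule["options"] if k == "content")
    return int(spec.lstrip("<>")) - (1 if spec.startswith("<") else 0)

def merge_check(base, other):
    """Fig. 4 decision for a reference feature and a comparison feature."""
    if base["header"] != other["header"]:
        return False, "headers differ"
    a, b = (dict(kv for kv in r["options"] if kv[0] in ATTRIBUTE_KEYS) for r in (base, other))
    if a.keys() != b.keys():
        return False, "attribute sets differ"
    for key in a:  # check 1: every shared attribute must carry the same parameter
        if a[key] != b[key]:
            return False, "parameter of %s differs" % key
    total = effective_dsize(base) + effective_dsize(other)  # check 3
    if total >= pmax(base):
        return False, "dsize sum %d not below pmax %d" % (total, pmax(base))
    return True, "ok"

def merge(base, other):
    """Fold the comparison feature's content patterns into the reference feature."""
    extra = [kv for kv in other["options"] if kv[0] == "content" and kv not in base["options"]]
    opts = list(base["options"])
    last = max([i for i, (k, _) in enumerate(opts) if k == "content"], default=-1)
    pos = last + 1 if last >= 0 else len(opts)
    opts[pos:pos] = extra
    return {"header": base["header"], "options": opts}

def merge_chain(rules):
    """Steps c11-c14: each feature in turn is the reference; later features that merge are folded in and deleted."""
    chain = list(rules)
    i = 0
    while i < len(chain):
        j = i + 1
        while j < len(chain):
            if merge_check(chain[i], chain[j])[0]:
                chain[i] = merge(chain[i], chain[j])
                del chain[j]
            else:
                j += 1
        i += 1
    return chain

def format_rule(rule):
    opts = "; ".join(k if v == "" else "%s:%s" % (k, v) for k, v in rule["options"])
    return "%s (%s;)" % (" ".join(rule["header"]), opts)
```

Running merge_chain over the six rules folds the two mstream rules into one rule with two content options, which is exactly the merged rule shown above, and leaves the other four untouched; a single UDP test packet carrying both patterns then exercises both signatures at once, which is what lets the detection equipment cover several rules per packet.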
Step 104: generate a test packet from the merged feature information and send it to the IDS under test;
In this embodiment, this step comprises the following sub-steps:
Sub-step d11: generate a test packet from the merged feature information and judge, according to the command information, whether a TCP connection needs to be established;
In this embodiment, if the control command information sent by the host computer specifies that no TCP connection is needed, the test packet may be sent to the IDS under test from either network interface A or B as specified, or from both network interfaces simultaneously.
Sub-step d12: if no TCP connection is needed, send the test packet directly to the IDS under test from network interface A or B as specified by the command information;
Sub-step d13: if a TCP connection is needed, use network interface A or B as the TCP connection requester and the other interface as the responder as instructed by the command information, establish the TCP connection, send the test packet to the IDS under test, and release the connection after sending completes.
If the control command information sent by the host computer specifies that a TCP connection is needed, then, as designated by the control command information, network interface A or B acts as the TCP connection requester and network interface B or A acts as the responder; the roles of interfaces A and B may also be exchanged, and an unlimited number of TCP connections may be established concurrently. The test packet is sent to the IDS under test and the connection is released after the packet has been sent.
Step 105: obtain the feedback file of the IDS under test and generate an alert file of uniform format.
Fig. 5 is the flow chart of alert file generation in this embodiment; as shown in Fig. 5, generating the alert file of uniform format comprises the following sub-steps:
Sub-step e11: obtain the feedback file of the IDS under test;
Sub-step e12: generate a description document from the feedback file of the IDS under test;
In this embodiment, because the IDS devices produced by different vendors differ in various ways, such as the format and content of their feedback files, and because the present invention aims at a unified assessment and test of IDS equipment, a feedback file format model is defined in order to produce alert files of uniform format. In a specific embodiment of the invention, the feedback file format model comprises the following tags: initial row AlertStart, end row AlertEnd, alert producer Analyzer, time information Time, attacker information Source, attacked party information Target, packet information Packet, alert classification information Classification, event impact information Assessment, and extended information AdditionalData. Each tag contains one or more sub-tags; for example, the event impact tag Assessment contains the sub-tags Impact (the effect of the intrusion on the target), Action (the response the IDS took to the intrusion) and Priority (the threat level of the intrusion).
In an embodiment of the invention, in order to describe and locate every item of feedback information in the feedback file completely, the feedback file of the IDS under test is obtained, the items of feedback information are read one by one, and a description document is generated with reference to the feedback file format model. In a specific embodiment of the invention, the description document entry for each item of feedback information is as follows:
<feedback information type name; Line=''; Keyword=''; KeywordLoc=''; SectionLoc=''; MarkStart=''; MarkEnd=''></feedback information type name>
where Line is the line number of this item in its feedback file (counting the initial row as the first line);
Keyword is the tag in the feedback file format model to which this item corresponds; if there is no corresponding tag, it is replaced by NULL in this item;
KeywordLoc is the positional relation between the content of this item and the tag: 0 means the content precedes the tag and 1 means the content follows the tag; when the tag is NULL this parameter is absent;
SectionLoc is the position of the segment, used to locate the information when there is no corresponding tag, i.e. in which string after segmentation the information appears; when there is a corresponding tag this parameter is absent;
MarkStart is the start marker string of this item;
MarkEnd is the end marker string of this item.
Sub-step e13: parse the description document and the feedback file of the IDS under test to generate an alert file of uniform format.
In this embodiment, the description document generated by the above method and the feedback file of the IDS under test are parsed to finally produce the alert file of uniform format. In a specific embodiment of the invention, the alert file is generated as follows: first the position of the initial row of the feedback file is determined; then the feedback information is read line by line according to the tags in the description document, and the feedback content corresponding to each tag is extracted; the above steps are repeated until the feedback content corresponding to every tag in the description document has been obtained, and the content obtained is output as an alert file in the uniform format. In an embodiment of the invention, the alert file format is defined as follows:
Alert sequence number: ***                 // the alert's sequence number
Alert generation time: ***                 // omitted when not available; the same applies below
Alert trigger event: ***
Time on the IDS when the alert was raised: ***
Source IP address: ***
Source MAC address: ***
Source port number: ***
Destination IP address: ***
Destination MAC address: ***
Destination port number: ***
Alert classification: ***                  // the category
Priority level: ***
Total packet length: ***
IP field values: TTL:*** TOS:*** ID:***    // field values of the IP header
TCP field values: Seq:*** Ack:***          // field values of the TCP header
ICMP field values: Type:*** Code:***       // field values of the ICMP header
Alert description: ***
External links: ***                        // related additional website links
Other information: ***
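The description document and the alert generation of sub-steps e12 and e13, as an added example in Python (this is not the patent's code). The feedback file, its tag names and the description entries are constructed for a hypothetical IDS; the page does not spell out how a NULL-keyword item is segmented, so whitespace splitting is assumed here, and an item whose keyword is not found in its line is simply left out of the alert, as the uniform format allows.

```python
# Added example, not the patent's code: locating every item of an IDS feedback
# file through a description document and emitting the uniform alert file.
# The feedback file and description entries are constructed for a hypothetical
# IDS; segmentation for NULL-keyword items is assumed to be whitespace splitting.
FEEDBACK = """\
demo-ids vendor log v1
AlertStart 17
Analyzer: demo-ids
Time: 2011-06-16 10:21:05
Source: 192.0.2.10 port 40000
Target: 198.51.100.5 port 10498
2 [Priority]
udp 51 bytes
Message: DDOS mstream handler to agent; sid 244
AlertEnd
""".splitlines()

# One entry per item of feedback information, with the patent's fields. Line
# counts from the initial row (AlertStart) as line 1.
DESCRIPTION = [
    {"type": "Alert sequence number", "Line": 1, "Keyword": "AlertStart", "KeywordLoc": 1},
    {"type": "Alert generation time", "Line": 3, "Keyword": "Time", "KeywordLoc": 1, "MarkStart": ": "},
    {"type": "Source IP address", "Line": 4, "Keyword": "Source", "KeywordLoc": 1, "MarkStart": ": ", "MarkEnd": " port"},
    {"type": "Source MAC address", "Line": 4, "Keyword": "MAC", "KeywordLoc": 1},  # not present in this file
    {"type": "Source port number", "Line": 4, "Keyword": "Source", "KeywordLoc": 1, "MarkStart": "port "},
    {"type": "Destination IP address", "Line": 5, "Keyword": "Target", "KeywordLoc": 1, "MarkStart": ": ", "MarkEnd": " port"},
    {"type": "Destination port number", "Line": 5, "Keyword": "Target", "KeywordLoc": 1, "MarkStart": "port "},
    {"type": "Priority level", "Line": 6, "Keyword": "[Priority]", "KeywordLoc": 0},
    {"type": "Total packet length", "Line": 7, "Keyword": "NULL", "SectionLoc": 1},
    {"type": "Alert description", "Line": 8, "Keyword": "Message", "KeywordLoc": 1, "MarkStart": ": ", "MarkEnd": ";"},
    {"type": "Other information", "Line": 8, "Keyword": "Message", "KeywordLoc": 1, "MarkStart": "; "},
]
FIELDS = ("Line", "Keyword", "KeywordLoc", "SectionLoc", "MarkStart", "MarkEnd")

def render_entry(entry):
    """Write one entry in the tag form the patent uses for the description document."""
    attrs = "; ".join("%s='%s'" % (f, entry.get(f, "")) for f in FIELDS)
    return "<%s; %s></%s>" % (entry["type"], attrs, entry["type"])

def alert_record(feedback_lines):
    """Return the lines from the initial row AlertStart through the end row AlertEnd."""
    start = next((i for i, l in enumerate(feedback_lines) if l.startswith("AlertStart")), None)
    if start is None:
        raise ValueError("feedback file has no AlertStart row")
    end = next((i for i in range(start, len(feedback_lines)) if feedback_lines[i].startswith("AlertEnd")),
               len(feedback_lines) - 1)
    return feedback_lines[start:end + 1]

def extract(record, entry):
    """Locate one item by its description entry; None when the item is absent."""
    if not 1 <= entry["Line"] <= len(record):
        return None
    line = record[entry["Line"] - 1]
    if entry["Keyword"] == "NULL":  # no tag: take the SectionLoc-th whitespace segment
        segs = line.split()
        return segs[entry["SectionLoc"]] if entry["SectionLoc"] < len(segs) else None
    pos = line.find(entry["Keyword"])
    if pos < 0:
        return None
    text = line[pos + len(entry["Keyword"]):] if entry["KeywordLoc"] == 1 else line[:pos]
    start = entry.get("MarkStart", "")
    if start:
        if start not in text:
            return None
        text = text[text.index(start) + len(start):]
    end = entry.get("MarkEnd", "")
    if end and end in text:
        text = text[:text.index(end)]
    return text.strip() or None

def unified_alert(feedback_lines, description):
    """Sub-step e13: the items found, in the order of the uniform alert file."""
    record = alert_record(feedback_lines)
    fields = {}
    for entry in description:
        value = extract(record, entry)
        if value is not None:  # absent items are omitted, as the format allows
            fields[entry["type"]] = value
    return fields

def format_alert(fields):
    return "\n".join("%s: %s" % (k, v) for k, v in fields.items())

if __name__ == "__main__":
    print(format_alert(unified_alert(FEEDBACK, DESCRIPTION)))
```

The same description entries, re-pointed at another vendor's line layout, are all that has to change to parse a different IDS's feedback file; the alert format and the extraction code stay the same, which is the generality the alert parsing module is meant to provide.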
Another embodiment of the present invention discloses detection equipment for an IDS, characterised in that the equipment comprises a feature information parsing module, a feature extraction module, a feature merging module, a packet generation module and an alert parsing module.
Fig. 6 is a schematic diagram of the logical structure of the IDS detection equipment in an embodiment of the invention; the structure of the IDS detection equipment of the present invention is described in detail below with reference to Fig. 6. As shown in Fig. 6, the IDS detection equipment comprises:
Feature information parsing module 601, which obtains detection command information and parses it to obtain detection feature information;
Feature extraction module 602, which extracts the detection feature information and stores it as a feature information linked list;
Feature merging module 603, which merges the feature information in the linked list according to the attributes of the detection feature information;
Packet generation module 604, which generates a test packet from the merged feature information and sends it to the IDS under test;
Alert parsing module 605, which obtains the feedback file of the IDS under test and generates an alert file of uniform format.
Those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can be made into separate integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (5)

1. An IDS testing method, characterised in that the method comprises the steps of:
step a: obtaining test command information and parsing it to obtain test characteristic information;
step b: extracting the test characteristic information and storing it as a characteristic information linked list;
step c: merging the characteristic information in the linked list according to the attributes of the test characteristic information;
step d: generating a test packet from the merged characteristic information and sending it to the IDS under test;
step e: obtaining the feedback file of the IDS under test and generating an alert file in a unified format.
2. The method according to claim 1, characterised in that step c comprises:
step c11: selecting one item of characteristic information in the linked list as the reference characteristic;
step c12: obtaining the next item of characteristic information as the comparison characteristic;
step c13: obtaining and parsing the attributes of the reference characteristic and the comparison characteristic to judge whether they can be merged; if so, storing the merged information in the reference characteristic and deleting the comparison characteristic from the linked list, otherwise retaining the comparison characteristic;
step c14: repeating steps c12 to c13 to traverse all characteristic information in the linked list; once all of it has been traversed, merging ends.
3. The method according to claim 1, characterised in that step d comprises:
step d11: generating a test packet from the merged characteristic information, and judging from the command information whether a TCP connection needs to be established;
step d12: if no TCP connection is needed, sending the test packet directly to the IDS under test from network interface A or B as specified in the command information;
step d13: if a TCP connection is needed, using network interface A or B as the TCP connection requester, as instructed by the command information, and the other network interface as the TCP connection responder, establishing the TCP connection, sending the test packet to the IDS under test, and releasing the connection after transmission completes.
4. The method according to claim 1, characterised in that step e comprises:
step e11: obtaining the feedback file of the IDS under test;
step e12: generating a description document according to the feedback file of the IDS under test;
step e13: parsing the description document and the feedback file of the IDS under test to generate an alert file in a unified format.
5. An IDS testing device, characterised in that the device comprises a characteristic information parsing module, a characteristic extraction module, a characteristic merging module, a packet generation module and an alert parsing module, wherein:
said characteristic information parsing module obtains the test command information and parses it to obtain the test characteristic information;
said characteristic extraction module extracts the test characteristic information and stores it as a characteristic information linked list;
said characteristic merging module merges the characteristic information in the linked list according to the attributes of the test characteristic information;
said packet generation module generates test packets from the merged characteristic information and sends them to the IDS under test;
said alert parsing module obtains the feedback file of the IDS under test and generates an alert file in a unified format.
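Claim 4 (steps e11 to e13) is the part that gives the device its claimed generality across IDS products: a description document tells the alert parser how to read a particular product's feedback file, and the output is one alert file of uniform layout. The Python below is an added example written for this page, not the patent's code; it assumes a description document is either a named-group regular expression or a delimiter plus column list, and it assumes a unified record of eight fields. Both feedback files are constructed: file A imitates a Snort-style one-line "fast" alert, file B is a delimited export from a hypothetical second IDS. Lines the description fails to match are returned rather than dropped, because an unparsed line may be the very detection the test is scoring.

```python
"""Step e (e11-e13): turn the feedback files of different IDS products into one
alert file of uniform format, driven by a per-IDS description document.
Both feedback formats, the description-document schema and the unified record
layout are constructed for this example; the patent fixes none of them."""
import json
import re

UNIFIED_FIELDS = ("time", "proto", "src", "sport", "dst", "dport", "sig", "msg")

# Constructed feedback file A: Snort-style one-line "fast" alerts (format assumed).
FEEDBACK_A = """\
06/17-10:15:32.123456  [**] [1:1000001:1] TEST directory traversal [**] [Priority: 2] {TCP} 192.0.2.1:40000 -> 192.0.2.10:80
06/17-10:15:33.000001  [**] [1:1000002:1] TEST port 8080 probe [**] [Priority: 3] {TCP} 192.0.2.1:40000 -> 192.0.2.10:8080
"""

# Constructed feedback file B: a delimited export from a second, hypothetical IDS.
FEEDBACK_B = """\
2011-06-17 10:15:32|TCP|192.0.2.1|40000|192.0.2.10|80|2001|TEST directory traversal
"""

# Step e12: description documents, one per IDS, saying how to pull the unified fields out.
DESCRIPTION_A = {
    "type": "regex",
    "pattern": (r"^(?P<time>\S+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
                r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                r"(?P<dst>[\d.]+):(?P<dport>\d+)"),
}
DESCRIPTION_B = {
    "type": "delimited",
    "sep": "|",
    "columns": ["time", "proto", "src", "sport", "dst", "dport", "sig", "msg"],
}

def parse_feedback(text, desc):
    """Step e13: apply a description document to a feedback file. Returns the unified
    alert records plus every line the description did not match, so a format drift
    in the IDS under test shows up as unparsed lines instead of as silent misses."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if desc["type"] == "regex":
            m = re.match(desc["pattern"], line)
            rec = m.groupdict() if m else None
        elif desc["type"] == "delimited":
            parts = line.split(desc["sep"], len(desc["columns"]) - 1)
            rec = dict(zip(desc["columns"], parts)) if len(parts) == len(desc["columns"]) else None
        else:
            raise ValueError("unknown description type %r" % desc["type"])
        if rec is None:
            unparsed.append(line)
            continue
        rec = {k: rec.get(k, "") for k in UNIFIED_FIELDS}
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["proto"] = rec["proto"].upper()
        alerts.append(rec)
    return alerts, unparsed

def unified_alert_file(alerts):
    """Serialise unified records as JSON Lines, one alert per line."""
    return "".join(json.dumps(a, sort_keys=True) + "\n" for a in alerts)

def detected(alerts, sent):
    """Which sent test packets, keyed as (dst, dport, proto), appear in the alerts?
    The same scoring runs unchanged against any IDS once its feedback is unified."""
    seen = {(a["dst"], a["dport"], a["proto"]) for a in alerts}
    return {key: key in seen for key in sent}

if __name__ == "__main__":
    sent = [("192.0.2.10", 80, "TCP"), ("192.0.2.10", 8080, "TCP")]
    for name, fb, desc in (("A", FEEDBACK_A, DESCRIPTION_A), ("B", FEEDBACK_B, DESCRIPTION_B)):
        alerts, unparsed = parse_feedback(fb, desc)
        print("IDS", name, detected(alerts, sent), "unparsed:", len(unparsed))
        print(unified_alert_file(alerts), end="")
```

With these constructed inputs, IDS A reports both test packets and IDS B only the first, which is the comparison the unified alert file is meant to make possible. Matching on destination address, port and protocol is deliberately loose; a tighter harness would also carry a per-packet marker (a payload token or a specific source port) so that a coincidental alert is not counted as a hit.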
CN201110163258.XA 2011-06-17 2011-06-17 IDS (intrusion detection system) detecting method and IDS detecting equipment Active CN102223267B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110163258.XA CN102223267B (en) 2011-06-17 2011-06-17 IDS (intrusion detection system) detecting method and IDS detecting equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110163258.XA CN102223267B (en) 2011-06-17 2011-06-17 IDS (intrusion detection system) detecting method and IDS detecting equipment

Publications (2)

Publication Number Publication Date
CN102223267A true CN102223267A (en) 2011-10-19
CN102223267B CN102223267B (en) 2014-04-09

Family

ID=44779700

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110163258.XA Active CN102223267B (en) 2011-06-17 2011-06-17 IDS (intrusion detection system) detecting method and IDS detecting equipment

Country Status (1)

Country Link
CN (1) CN102223267B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103440227A (en) * 2013-08-30 2013-12-11 广州天宁信息技术有限公司 Data processing method and device supporting parallel running algorithms
CN103780602A (en) * 2012-10-17 2014-05-07 北京力控华康科技有限公司 Method for preventing Stuxnet attacks
CN106022129A (en) * 2016-05-17 2016-10-12 北京江民新科技术有限公司 File data characteristic extraction method and device and virus characteristic detection system
CN110022319A (en) * 2019-04-03 2019-07-16 北京奇安信科技有限公司 Attack security isolation method, device, computer equipment and the storage equipment of data
CN111698160A (en) * 2019-12-27 2020-09-22 国网上海市电力公司 Ring network system, and data processing method and device of nodes in network system
CN111753304A (en) * 2019-03-29 2020-10-09 卡巴斯基实验室股份制公司 System and method for performing tasks on a computing device based on access rights
CN112202763A (en) * 2020-09-28 2021-01-08 杭州安恒信息技术股份有限公司 IDS strategy generation method, device, equipment and medium
CN112953953A (en) * 2021-03-02 2021-06-11 招商银行股份有限公司 Communication protocol design method, terminal and computer storage medium
CN114301672A (en) * 2021-12-28 2022-04-08 南京中孚信息技术有限公司 Network risk detection method and device and electronic equipment
CN114500665A (en) * 2021-12-28 2022-05-13 炫彩互动网络科技有限公司 File fragmentation downloading method, equipment and storage medium adaptive to network environment
CN115051873A (en) * 2022-07-27 2022-09-13 深信服科技股份有限公司 Network attack result detection method and device and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1694411A (en) * 2004-07-16 2005-11-09 北京航空航天大学 Network invading detection system with two-level decision structure and its alarm optimization method
CN101022343A (en) * 2007-03-19 2007-08-22 杭州华为三康技术有限公司 Network invading detecting/resisting system and method
CN101447991A (en) * 2008-11-19 2009-06-03 中国人民解放军信息安全测评认证中心 Test device used for testing intrusion detection system and test method thereof

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780602A (en) * 2012-10-17 2014-05-07 北京力控华康科技有限公司 Method for preventing Stuxnet attacks
CN103440227B (en) * 2013-08-30 2016-06-22 广州天宁信息技术有限公司 A kind of data processing method supporting running algorithms in parallel and device
CN103440227A (en) * 2013-08-30 2013-12-11 广州天宁信息技术有限公司 Data processing method and device supporting parallel running algorithms
CN106022129A (en) * 2016-05-17 2016-10-12 北京江民新科技术有限公司 File data characteristic extraction method and device and virus characteristic detection system
CN106022129B (en) * 2016-05-17 2019-02-15 北京江民新科技术有限公司 Data characteristics extracting method, device and the virus characteristic detection system of file
CN111753304A (en) * 2019-03-29 2020-10-09 卡巴斯基实验室股份制公司 System and method for performing tasks on a computing device based on access rights
CN110022319B (en) * 2019-04-03 2020-10-30 奇安信科技集团股份有限公司 Attack data security isolation method and device, computer equipment and storage equipment
CN110022319A (en) * 2019-04-03 2019-07-16 北京奇安信科技有限公司 Attack security isolation method, device, computer equipment and the storage equipment of data
CN111698160A (en) * 2019-12-27 2020-09-22 国网上海市电力公司 Ring network system, and data processing method and device of nodes in network system
CN112202763A (en) * 2020-09-28 2021-01-08 杭州安恒信息技术股份有限公司 IDS strategy generation method, device, equipment and medium
CN112202763B (en) * 2020-09-28 2022-04-22 杭州安恒信息技术股份有限公司 IDS strategy generation method, device, equipment and medium
CN112953953A (en) * 2021-03-02 2021-06-11 招商银行股份有限公司 Communication protocol design method, terminal and computer storage medium
CN114301672A (en) * 2021-12-28 2022-04-08 南京中孚信息技术有限公司 Network risk detection method and device and electronic equipment
CN114500665A (en) * 2021-12-28 2022-05-13 炫彩互动网络科技有限公司 File fragmentation downloading method, equipment and storage medium adaptive to network environment
CN114301672B (en) * 2021-12-28 2024-01-26 南京中孚信息技术有限公司 Network risk detection method and device and electronic equipment
CN115051873A (en) * 2022-07-27 2022-09-13 深信服科技股份有限公司 Network attack result detection method and device and computer readable storage medium
CN115051873B (en) * 2022-07-27 2024-02-23 深信服科技股份有限公司 Network attack result detection method, device and computer readable storage medium

Also Published As

Publication number Publication date
CN102223267B (en) 2014-04-09

Similar Documents

Publication Publication Date Title
CN102223267B (en) IDS (intrusion detection system) detecting method and IDS detecting equipment
CN106230800B (en) A kind of method of pair of assets active probe and loophole early warning
EP3855692A1 (en) Network security monitoring method, network security monitoring device, and system
CN101447898B (en) Test system used for network safety product and test method thereof
Wuu et al. Building intrusion pattern miner for Snort network intrusion detection system
CN100531073C (en) Condition detection based protocol abnormity detecting method and system
US20150156214A1 (en) Detection and prevention of online user interface manipulation via remote control
CN107070929A (en) A kind of industry control network honey pot system
CN106909847A (en) A kind of method of Malicious Code Detection, apparatus and system
CN104734916B (en) A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol
CN108111482A (en) A kind of intelligent grid industrial control network safety test system and test method
CN103763695B (en) Method for evaluating safety of internet of things
CN105592044B (en) Message aggression detection method and device
CN102045220A (en) Wooden horse monitoring and auditing method and system thereof
Cao et al. Dipot: A distributed industrial honeypot system
Liao et al. A comprehensive detection approach of nmap: Principles, rules and experiments
CN112866051B (en) Vulnerability processing method, vulnerability processing device, server and medium
Ding et al. Research and implementation on snort-based hybrid intrusion detection system
EP3340097A1 (en) Analysis device, analysis method, and analysis program
Luo et al. BLEEM: packet sequence oriented fuzzing for protocol implementations
CN101888296A (en) Method, device, equipment and system for detecting shadow user
CN112153081A (en) Method for detecting abnormal state of industrial network
CN104135403B (en) A kind of distributed environment Monitoring Data transfer check method
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
US7653742B1 (en) Defining and detecting network application business activities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant