CN108600216A - Network intrusion detection system (Google Patents)

Info

Publication number: CN108600216A
Application number: CN201810364212.6A
Authority: CN (China)
Prior art keywords: module, message, network, intrusion detection, data
Legal status: Pending (Google lists the status, assignees and dates as assumptions, not as legal conclusions)
Original language: Chinese (zh)
Inventors: 季宇哲, 杨云峰, 吴昭霖
Original and current assignee: Nanjing Bingshen Network Technology Co Ltd
Priority date and filing date: 2018-04-19
Publication date: 2018-09-28

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Managing network security; network security policies in general
    • H04L63/205 Negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L63/30 Supporting lawful interception, monitoring or retaining of communications or communication-related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of intrusion detection, and in particular to a network intrusion detection system comprising a message receiving module, a message analysis module, a message sending module and an access module. The access module extracts information from the data messages that enter the system, matches that information against a preset processing policy, and forwards the matched messages to the message analysis module. The system further includes an alarm module and an event storage module: the alarm module issues a warning to the message receiving module based on the analysis result of the message analysis module, and the event storage module keeps statistics on, and analyses, the intrusion events and attacks that occur in the network. The invention can detect network intrusion behaviour effectively, addresses the high overhead and limited performance of prior-art IPS systems, and increases the security of the network.

Description

Network intrusion detection system
Technical Field
The invention relates to the technical field of network intrusion detection, in particular to a network intrusion detection system.
Background
The risk and frequency of network intrusions are rising rapidly, and designing security measures that prevent unauthorised access to a system's resources and data is an important and urgent problem in network security. Completely avoiding security incidents is not realistic at present; what network security staff can do is try to discover and detect intrusions and intrusion attempts, so that effective measures can be taken to close the vulnerabilities and repair the affected systems. This line of research is known as intrusion detection, and the systems built for it are intrusion detection systems.
Intrusion detection is a reasonable complement to a firewall: it helps the system cope with network attacks, extends the administrator's security-management capability, and improves the integrity of the information security infrastructure. It acts as a second security gate behind the firewall and can monitor the network without affecting its performance, giving real-time protection against external attacks, internal attacks and misoperation. Intrusion detection systems detect intrusive activity through network packet capture and protocol analysis: the system acquires the packets relevant to a security event from the network according to given rules and passes them to the analysis engine module, which analyses them against the network security database and passes its verdict to the management/configuration module. The main functions of the management/configuration module are to manage the configuration of the other modules and to present the analysis engine's results in a usable form.
Disclosure of Invention
The invention provides a network intrusion detection system that can improve the security of a network.
To achieve this aim, the technical scheme adopted is as follows. A network intrusion detection system comprises a message receiving module, a message analysis module, a message sending module and an access module. The access module extracts information from the data messages that enter the system, matches the data message information against a preset processing policy, and sends the matched messages to the message analysis module.
As an optimisation of the invention, the network intrusion detection system further comprises an alarm module and an event storage module. The alarm module issues an alarm to the message receiving module according to the analysis result of the message analysis module, and the event storage module counts and analyses the intrusion events and attack behaviour occurring in the network.
As an optimisation of the invention, the access module comprises a protocol decoding unit, which decodes each captured message and matches the decoded message against the preset processing policy.
As an optimisation of the invention, a data message that matches no processing policy is further checked for whether the current network condition is abnormal: if it is, the data message is discarded; otherwise the data message is handled according to a default processing policy, which is one of detect, release (pass through) or discard.
As an optimisation of the invention, the message receiving module captures data at the data link layer.
The beneficial effects of the invention are that it can detect network intrusion behaviour effectively and addresses the high overhead and limited performance of prior-art IDS/IPS systems, increasing the security of the network.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a block diagram of the overall structure of the present invention.
In the figure: 1, message receiving module; 2, message analysis module; 3, message sending module; 4, access module; 5, alarm module; 6, event storage module.
Detailed Description
As shown in Fig. 1, the invention discloses a network intrusion detection system comprising a message receiving module 1, a message analysis module 2, a message sending module 3 and an access module 4. The access module 4 extracts information from the data messages that enter the system, matches the data message information against a preset processing policy, and sends the matched messages to the message analysis module 2.
The network intrusion detection system further comprises an alarm module 5 and an event storage module 6:
the alarm module 5 issues an alarm to the message receiving module 1 according to the analysis result of the message analysis module 2;
the event storage module 6 counts and analyses the intrusion events and attack behaviour occurring in the network.
The access module 4 comprises a protocol decoding unit, which decodes each captured message and matches the decoded message against the preset processing policy.
A data message that matches no processing policy is further checked for whether the current network condition is abnormal: if it is, the data message is discarded; otherwise it is handled according to the default processing policy, which is one of detect, release or discard.
The message receiving module 1 captures data at the data link layer.
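The access-module pipeline of claims 1, 3 and 4 (decode the data-link-layer frame, match the decoded fields against preset policies, and for unmatched messages fall back to an abnormal-condition check and then the default policy) is shown below as an added Python example; it is not the patent's code. Everything the patent leaves open is an assumption here: a policy is a partial match on protocol, destination port and source address, an "abnormal network condition" is taken to be more than `rate_limit` frames inside a sliding time window, and frames the decoder cannot parse are discarded. The sample frames are constructed inline.

```python
"""Access module of the patented NIDS, rendered as an added example.
Assumptions (not in the patent): policies are partial 5-tuple matches,
'abnormal network condition' means a frame-rate threshold was exceeded,
and undecodable frames are discarded.  All sample frames are constructed."""
import struct
from collections import deque
from dataclasses import dataclass
from typing import Optional

DETECT, RELEASE, DISCARD = "detect", "release", "discard"   # the three default actions


@dataclass
class Policy:
    """A preset processing policy; a field left as None is a wildcard."""
    name: str
    action: str
    proto: Optional[int] = None       # 6 = TCP, 17 = UDP
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed test input: Ethernet II + minimal IPv4 (IHL 5) + L4 port pair."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    l4 = struct.pack("!HH", sport, dport) + bytes(4)   # ports are all we decode
    return eth + ip + l4


def decode_frame(frame: bytes) -> Optional[dict]:
    """Protocol-decoding unit: Ethernet II -> IPv4 -> TCP/UDP ports.
    Returns None when the frame is not IPv4 or is truncated."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    fields = {"proto": ip[9],
              "src_ip": ".".join(str(b) for b in ip[12:16]),
              "dst_ip": ".".join(str(b) for b in ip[16:20]),
              "src_port": None, "dst_port": None}
    l4 = ip[ihl:]
    if fields["proto"] in (6, 17) and len(l4) >= 4:
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", l4[:4])
    return fields


def match_policy(fields, policies):
    """First preset policy whose non-wildcard fields all equal the decoded ones."""
    for p in policies:
        checks = (("proto", p.proto), ("dst_port", p.dst_port), ("src_ip", p.src_ip))
        if all(want is None or want == fields[key] for key, want in checks):
            return p
    return None


class AccessModule:
    def __init__(self, policies, default_action=DETECT, rate_limit=5, window=1.0):
        self.policies = policies
        self.default_action = default_action
        self.rate_limit, self.window = rate_limit, window
        self.seen = deque()          # arrival times inside the current window
        self.to_analysis = []        # messages handed to the message analysis module

    def _abnormal(self, now):
        """Assumed 'abnormal network condition': more than rate_limit frames
        arrived within the last `window` seconds (sliding window)."""
        self.seen.append(now)
        while now - self.seen[0] > self.window:
            self.seen.popleft()
        return len(self.seen) > self.rate_limit

    def handle(self, frame, now):
        """Process one captured frame; returns (action, reason)."""
        fields = decode_frame(frame)
        if fields is None:
            return DISCARD, "undecodable"
        abnormal = self._abnormal(now)          # every decodable frame counts toward the rate
        policy = match_policy(fields, self.policies)
        if policy is not None:                  # matched: apply the preset policy
            if policy.action == DETECT:
                self.to_analysis.append(fields)
            return policy.action, policy.name
        if abnormal:                            # unmatched while the network is abnormal
            return DISCARD, "abnormal"
        if self.default_action == DETECT:       # unmatched, network normal: default policy
            self.to_analysis.append(fields)
        return self.default_action, "default"


def demo():
    """Constructed traffic: matched frames, then an unmatched burst, then a quiet period."""
    policies = [Policy("ssh-inspect", DETECT, proto=6, dst_port=22),
                Policy("dns-release", RELEASE, proto=17, dst_port=53),
                Policy("block-bad-host", DISCARD, src_ip="10.0.0.66")]
    am = AccessModule(policies, default_action=DETECT, rate_limit=5, window=1.0)
    ssh = build_frame("10.0.0.5", "10.0.0.1", 6, 40000, 22)
    dns = build_frame("10.0.0.5", "10.0.0.1", 17, 40001, 53)
    bad = build_frame("10.0.0.66", "10.0.0.1", 6, 40002, 8080)
    web = build_frame("10.0.0.7", "10.0.0.1", 6, 40003, 8080)   # matches no policy
    results = [am.handle(ssh, 0.0), am.handle(dns, 0.1), am.handle(bad, 0.2)]
    results += [am.handle(web, 0.3 + 0.1 * i) for i in range(4)]   # t = 0.3 .. 0.6
    results.append(am.handle(web, 2.0))                      # window has drained
    results.append(am.handle(b"\x00" * 14 + b"junk", 2.1))   # not IPv4
    return results, len(am.to_analysis)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Only messages routed to `detect` (by a matched policy or by the default policy) are queued for the analysis module; the two actions that end in `discard` never reach it, which is the point of doing the policy match and the abnormal-condition check in front of the analysis engine.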
The data collector intercepts and captures raw packets on the network and passes the collected information to the analysis engine for a security judgement. The collector can pick out possible intrusions or other sensitive information from what it collects and then hands the packet data to the analysis engine for secondary processing. The event generator is an important component of the data collector: it performs a preliminary analysis and filtering of the collected data, which reduces the volume the system has to process and raises its processing speed. Packets of interest are selected by examining the Ethernet, IP, TCP and UDP headers, then interpreted at the application-protocol level; the raw data is converted into a correspondingly formatted event and passed to the analysis engine through the communication component for further analysis. Fragmented messages encountered during interpretation are handed to a message reassembler.
Data collectors can also exchange information with one another through the communication component. When a collector observes suspicious activity it informs the other collectors; after a subsequent collector has analysed the suspicious activity it can in turn send a suspicious notice to its neighbouring collectors, and once the credibility level exceeds a set threshold an alarm is sent to the master control system and the response system. A collector that receives a suspicious notice raises its suspicion level; one that receives none gradually returns to the normal state.
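The cooperative behaviour just described (a collector that sees suspicious activity notifies its neighbours, a notice raises the recipient's level, a collector that receives no notice decays back to normal, and an alarm goes to the master control and response systems once the level reaches a threshold) is simulated below as an added Python example, not the patent's code. The patent gives only the mechanism; the increments, the decay step, the threshold value and the three-collector line topology are all assumptions of this example.

```python
"""Cooperative suspicion propagation between data collectors (added example).
Assumed, not from the patent: a local finding adds 2, a neighbour's notice
adds 1, one level decays per quiet interval, alarm at level >= 3."""
from dataclasses import dataclass, field


@dataclass
class Collector:
    name: str
    neighbors: list = field(default_factory=list)
    suspicion: int = 0
    notified: bool = False      # received a suspicious notice in this interval


class CollectorNetwork:
    LOCAL_STEP = 2      # weight of the collector's own analysis
    NOTICE_STEP = 1     # weight of a neighbour's suspicious notice
    DECAY = 1           # drop per interval with no notice received

    def __init__(self, names, threshold=3):
        self.collectors = {n: Collector(n) for n in names}
        self.threshold = threshold
        self.pending = []     # (recipient, sender) notices awaiting delivery
        self.alarms = []      # (collector, level) sent to master control / response

    def link(self, a, b):
        self.collectors[a].neighbors.append(b)
        self.collectors[b].neighbors.append(a)

    def _raise(self, c, step):
        c.suspicion += step
        if c.suspicion >= self.threshold:       # credibility passed the set threshold
            self.alarms.append((c.name, c.suspicion))

    def local_suspicion(self, name):
        """The collector's own analysis flagged activity: raise its level and
        send a suspicious notice to every neighbour via the communication component."""
        c = self.collectors[name]
        self._raise(c, self.LOCAL_STEP)
        self.pending.extend((nb, name) for nb in c.neighbors)

    def deliver(self):
        """Deliver queued notices.  A notice only raises the recipient's level;
        it is the recipient's own confirming analysis that propagates further."""
        batch, self.pending = self.pending, []
        for to, _sender in batch:
            c = self.collectors[to]
            c.notified = True
            self._raise(c, self.NOTICE_STEP)

    def end_interval(self):
        """Collectors that received no notice this interval drift back toward normal."""
        for c in self.collectors.values():
            if not c.notified:
                c.suspicion = max(0, c.suspicion - self.DECAY)
            c.notified = False

    def levels(self):
        return {n: c.suspicion for n, c in self.collectors.items()}


def demo():
    """Constructed scenario on a line of collectors A - B - C."""
    net = CollectorNetwork(["A", "B", "C"], threshold=3)
    net.link("A", "B")
    net.link("B", "C")
    # interval 1: A sees something; B is told, C hears nothing
    net.local_suspicion("A")
    net.deliver()
    net.end_interval()
    after1 = net.levels()
    # interval 2: B's own analysis confirms, crosses the threshold, alarms, warns A and C
    net.local_suspicion("B")
    net.deliver()
    net.end_interval()
    after2 = net.levels()
    # intervals 3 and 4: nothing further; all collectors decay back to normal
    for _ in range(2):
        net.deliver()
        net.end_interval()
    return after1, after2, net.levels(), net.alarms


if __name__ == "__main__":
    print(demo())
```

In the scenario only B alarms: A's single sighting never reaches the threshold on its own, and C, which only ever hears second-hand, is back at zero two quiet intervals later. That is the property the text is after: a lone notice raises attention but does not by itself trigger the response system.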
The log store records system events and the events the user is interested in, which helps the user investigate and analyse intrusion events further: on the one hand the intruder's technique can be analysed, on the other hand the intruder's trail can be followed.
The storage component provides the data each component needs. The rule base records a rich set of intrusion signatures and is an important basis for the analysis engine's judgements. Different analysis engines need not use the same detection method, and a single engine may use several methods at once: analysing the same data with different detection methods and then comparing the results improves detection accuracy.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (5)

1. A network intrusion detection system, characterized by: the system comprises a message receiving module (1), a message analyzing module (2), a message sending module (3) and an access module (4), wherein the access module (4) is used for extracting information of accessed data messages, matching the data message information with a preset processing strategy and sending the matched messages to the message analyzing module (2).
2. The network intrusion detection system of claim 1, wherein: the network intrusion detection system also comprises an alarm module (5) and an event storage module (6); wherein,
the alarm module (5) sends out an alarm to the message receiving module (1) according to the analysis result of the message analysis module (2);
the event storage module (6) counts and analyzes intrusion events and attack behaviors occurring in the network.
3. A network intrusion detection system according to claim 2, wherein: the access module (4) comprises a protocol decoding unit which is responsible for decoding the captured message and matching the decoded message with a preset processing strategy.
4. The network intrusion detection system according to claim 3, wherein: a data message that matches no processing policy is further checked for whether the current network condition is abnormal; if it is, the data message is discarded, otherwise the data message is handled according to a default processing policy, which is one of detect, release or discard.
5. A network intrusion detection system according to any one of claims 1 to 4 wherein: the message receiving module (1) captures data of a data link layer.

Application and family

Application CN201810364212.6A, priority and filing date 2018-04-19, published as CN108600216A on 2018-09-28; legal status pending. Family ID 63614467, with this application as the only family member (country: CN).

Citations (5)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN101022343A * | 2007-03-19 | 2007-08-22 | 杭州华为三康技术有限公司 | Network intrusion detection and defence system and method
CN101656634A * | 2008-12-31 | 2010-02-24 | 暨南大学 | Intrusion detection system and method based on an IPv6 network environment
CN104660552A * | 2013-11-20 | 2015-05-27 | 南京理工高新技术发展有限公司 | Wireless local area network (WLAN) intrusion detection system
CN106209902A * | 2016-08-03 | 2016-12-07 | 常熟高新技术创业服务有限公司 | Network security system and detection method applied to an intellectual property operation platform
US20170180319A1 * | 2015-12-18 | 2017-06-22 | Nicira, Inc. | Datapath processing of service rules with qualifiers defined in terms of template identifiers and/or template matching criteria

Legal Events

Code | Title
PB01 | Publication (application publication date: 2018-09-28)
SE01 | Entry into force of request for substantive examination
WD01 | Invention patent application deemed withdrawn after publication