CN109413114B - Network intrusion prevention system - Google Patents


Info

Publication number: CN109413114B
Authority: CN (China)
Prior art keywords: strategy, client, analysis, response, layer
Legal status: Active
Application number: CN201811626023.8A
Other languages: Chinese (zh)
Other versions: CN109413114A
Inventor: 廉明
Current Assignee: Anhui Changtai Technology Co.,Ltd.
Original Assignee: Anhui Changtai Information Security Service Co ltd
Priority date: 2018-12-28
Filing date: 2018-12-28
Publication date: 2019-03-01 (CN109413114A, application); 2021-08-10 (CN109413114B, granted patent)

Application filed by Anhui Changtai Information Security Service Co ltd
Priority to CN201811626023.8A
Publication of CN109413114A
Application granted
Publication of CN109413114B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a network intrusion prevention system and belongs to the technical field of computers. The defense system comprises an analysis and response layer, which provides the interface through which the whole defense system analyzes the Http message request sent by a client and encapsulates the Http message when the server responds; when a client accesses the server, it notifies the policy engine to schedule the policies that inspect the client's access information, and it provides the response implementation for the policy engine; the analysis and response layer is realized by wrapping the interfaces provided by the server. The policy engine layer schedules the policies: within a policy it obtains the client's information through the interface provided by the analysis and response layer, and it hands the concrete response back to the analysis and response layer to complete the scheduling of the policy; the policy engine also schedules a data management layer to complete policy loading and logging. The invention has a simple structure, is convenient to use and highly practical, and is suitable for popularization and use.

Description

Network intrusion prevention system
Technical Field
The invention relates to the technical field of computers, in particular to a network intrusion prevention system.
Background
Intrusion detection is the detection of intrusion behavior. It checks a network or system for security policy violations and signs of attack by collecting and analyzing network behavior, security logs, audit data, other information available on the network, and information at several key points in the computer system. As an active security technique, intrusion detection provides real-time protection against internal attacks, external attacks and misoperation, intercepting and responding to intrusions before the network system is compromised.
Most conventional network intrusion prevention systems analyze and monitor attacks that are already occurring by analyzing the logs of security equipment. They essentially follow a passive defense approach, lack network security situation awareness and linked early-warning capability, and take emergency measures only after a network attack event has been detected, by which time loss has already occurred; such systems are also unhelpful for privacy protection. Therefore, a network intrusion prevention system is proposed to solve the above problems.
Disclosure of Invention
The invention aims to provide a network intrusion prevention system that solves the problems of complex structure and low intrusion prevention effectiveness in existing network intrusion prevention systems, and that has the advantage of comprehensive monitoring.
To achieve this purpose, the invention adopts the following technical scheme:
A network intrusion prevention system comprises:
An analysis and response layer, a server and a client side. The analysis and response layer provides the interface through which the whole defense system analyzes the Http message request sent by the client side and encapsulates the Http message when the server responds; when a client accesses the server, it notifies the policy engine to schedule the policies that inspect the client's access information, and it provides the response implementation for the policy engine. The analysis and response layer is implemented by wrapping the interfaces provided by the server.
A policy engine layer, which schedules the policies. Within a policy it obtains the client's information through the interface provided by the analysis and response layer and hands the concrete response back to the analysis and response layer to complete the scheduling of the policy; the policy engine also schedules the data management layer to complete policy loading and logging.
A data management layer, which provides log recording, configuration management and policy script parsing.
The analysis and response layer, the policy engine layer and the data management layer each perform relatively independent functions; when the implementation of one layer changes, the other layers are unaffected as long as the interface it provides is unchanged.
In a further aspect, the analysis and response layer comprises an IPS management module that manages and connects the modules, manages the data streams, completes initialization of the whole system after reading the configuration files, and manages the state of the whole system (running, stopping and reloading). When the Http message analysis module reports a client access, the IPS management module calls the policy engine to inspect the client's behavior and information, and notifies the Http response module of the result returned by the policy engine so that it can respond.
The policy engine layer comprises a configuration file module that reads and stores the configuration file and provides a uniform interface; the configuration file module can be modified as required.
The policy engine layer comprises a log module that records logs generated during system operation or by intrusion prevention actions, writing the log information to a text file in a uniform format.
The analysis and response layer comprises an Http message analysis module, which generates an object for each client; the object implements an interface through which the client's relevant information can be inspected. The module parses the raw data submitted when the client accesses the Web server, informs the IPS management module that a client access request has been received, and requests the policy engine to inspect the client's access behavior.
The policy engine layer comprises an Http response module for assembling data messages.
Advantageous effects
Compared with the prior art, the invention has the following notable advantages:
1. The network intrusion prevention system can effectively monitor the operating systems in a computer network, prevent intrusion by illegal programs and improve network security; it adopts a layered architecture, is readily extensible and is suitable for different server platforms.
2. The invention has a simple structure, is convenient to operate and highly practical, and is suitable for popularization and use.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention.
FIG. 2 is a schematic processing diagram of the system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIGS. 1-2, a network intrusion prevention system includes:
An analysis and response layer, a server and a client side. The analysis and response layer provides the interface through which the whole defense system analyzes the Http message request sent by the client side and encapsulates the Http message when the server responds; when a client accesses the server, it notifies the policy engine to schedule the policies that inspect the client's access information, and it provides the response implementation for the policy engine. The analysis and response layer is implemented by wrapping the interfaces provided by the server.
A policy engine layer, which schedules the policies. Within a policy it obtains the client's information through the interface provided by the analysis and response layer and hands the concrete response back to the analysis and response layer to complete the scheduling of the policy; the policy engine also schedules the data management layer to complete policy loading and logging.
A data management layer, which provides log recording, configuration management and policy script parsing.
Each layer performs relatively independent functions; when the implementation of one layer changes, the other layers are unaffected as long as the interface it provides is unchanged.
The analysis and response layer comprises an IPS management module that manages and connects the modules, manages the data streams, completes initialization of the whole system after reading the configuration files, and manages the state of the whole system (running, stopping and reloading). When the Http message analysis module reports a client access, the IPS management module calls the policy engine to inspect the client's behavior and information, and notifies the Http response module of the result returned by the policy engine so that it can respond.
The policy engine layer comprises a configuration file module that reads and stores the configuration file and provides a uniform interface; the configuration file module can be modified as required.
The policy engine layer comprises a log module that records logs generated during system operation or by intrusion prevention actions, writing the log information to a text file in a uniform format.
The analysis and response layer comprises an Http message analysis module, which generates an object for each client; the object implements an interface through which the client's relevant information can be inspected. The module parses the raw data submitted when the client accesses the Web server, informs the IPS management module that a client access request has been received, and requests the policy engine to inspect the client's access behavior.
The policy engine layer comprises an Http response module for assembling data messages.
In operation, the policy engine first parses the policy script and assembles a policy chain according to the attributes and priority of each policy. When the IPS management module notifies the policy engine to inspect a particular client, the policy engine obtains the required client information through the interface provided by the Http message analysis module, analyzes the client's behavior, and controls the client's access by scheduling the policies in sequence. Within a policy, each field of the client's request can be inspected, the client's behavior can be analyzed or recorded, and different client behaviors can be responded to through defined rules. When a policy makes no response to the client's behavior, the policy engine calls the next policy in the chain, until the chain is exhausted. If a policy returns a response, the Http response module is notified to complete the response to the client, and the policies later in the chain are not invoked; if no policy responds to the client's behavior, the policy engine returns a response accepting the request. The policy engine wraps the Http message analysis and response module and the log recording module so that they can be called from within a policy.
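The policy-chain scheduling described above, written out as an added Python example (not code from the patent): the script format, the field names, and the deny/log actions are assumptions made for illustration. The engine orders the chain by priority, lets a record-only policy fall through to the next one, stops at the first policy that returns a response, and accepts the request when no policy responds.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

OPS: Dict[str, Callable[[str, str], bool]] = {   # operators of the assumed script syntax
    "equals": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
}

@dataclass
class ClientRequest:
    """Per-client object the Http message analysis module would expose to policies."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    def get(self, name: str) -> str:    # field names as written in the policy script
        if name.startswith("header:"):
            return self.headers.get(name[len("header:"):], "")
        return getattr(self, name, "")

@dataclass(order=True)
class Policy:
    priority: int                       # lower number runs earlier in the chain
    name: str = field(compare=False)
    fld: str = field(compare=False)
    op: str = field(compare=False)
    pattern: str = field(compare=False)
    action: str = field(compare=False)  # "deny" responds; "log" only records

@dataclass
class HttpResponse:
    status: int
    body: str
    def assemble(self) -> str:          # message the Http response module hands back
        reason = {200: "OK", 403: "Forbidden"}[self.status]
        return f"HTTP/1.1 {self.status} {reason}\r\nContent-Length: {len(self.body)}\r\n\r\n{self.body}"

def load_policy_script(text: str) -> List[Policy]:
    """Parse one policy per line and assemble the chain ordered by priority."""
    chain = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prio, name, fld, op, pattern, action = line.split()
        if op not in OPS or action not in ("deny", "log"):
            raise ValueError(f"bad policy line: {line!r}")
        chain.append(Policy(int(prio), name, fld, op, pattern, action))
    return sorted(chain)

def detect(chain: List[Policy], req: ClientRequest, log: List[str]) -> HttpResponse:
    """Schedule the chain in order; the first policy that responds ends scheduling."""
    for p in chain:
        if not OPS[p.op](req.get(p.fld), p.pattern):
            continue
        if p.action == "log":
            log.append(f"{p.name}: {req.method} {req.path}")
            continue                    # recorded only, so the next policy is called
        log.append(f"{p.name}: deny {req.method} {req.path}")
        return HttpResponse(403, f"blocked by {p.name}")   # rest of the chain is skipped
    return HttpResponse(200, "accept")  # no policy responded: accept the request

# Constructed sample script; columns: priority name field op pattern action
POLICY_SCRIPT = """\
20 block-bad-agent      header:User-Agent equals   bad-bot deny
10 block-path-traversal path              contains ../     deny
30 record-posts         method            equals   POST    log
"""

def run_sample():
    log: List[str] = []
    chain = load_policy_script(POLICY_SCRIPT)
    hostile = detect(chain, ClientRequest("GET", "/static/../config", {"User-Agent": "bad-bot"}), log)
    benign = detect(chain, ClientRequest("POST", "/login", {"User-Agent": "browser"}, "u=a"), log)
    return hostile, benign, log
```

The first request matches two deny policies, but only the one with the lower priority number runs and is logged; the second request only triggers the record-only policy and is accepted.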
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment may contain only a single embodiment, and such description is for clarity only, and those skilled in the art should integrate the description, and the embodiments may be combined as appropriate to form other embodiments understood by those skilled in the art.

Claims (1)

1. A network intrusion prevention system, comprising: an analysis and response layer, which provides the interface through which the whole defense system analyzes the Http message request sent by a client and encapsulates the Http message when the server responds; when a client accesses the server, it notifies the policy engine to schedule the policies that inspect the client's access information, and it provides the response implementation for the policy engine; the analysis and response layer is realized by wrapping the interfaces provided by the server;
a policy engine layer, which schedules the policies; within a policy the client's information is obtained through the interface provided by the analysis and response layer, and the concrete response is handed back to the analysis and response layer to be completed; the policy engine also schedules a data management layer to complete policy loading and log recording;
a data management layer, which provides log recording, configuration management and policy script parsing; each layer performs relatively independent functions, and when the implementation of one layer changes, the other layers are unaffected as long as the interface it provides is unchanged;
the analysis and response layer comprises an IPS management module that manages and connects the modules, manages the data streams, completes initialization of the whole system after reading the configuration files, and manages the state of the whole system (running, stopping and reloading); when the Http message analysis module reports a client access, the policy engine is called to inspect the client's behavior and information, and the result returned by the policy engine is passed to the Http response module so that it can respond;
the policy engine layer comprises a configuration file module that reads and stores the configuration file and provides a uniform interface, the configuration file module being modifiable as required;
the policy engine layer comprises a log module that records logs generated during system operation or by intrusion prevention actions, writing the log information to a text file in a uniform format;
the analysis and response layer comprises an Http message analysis module that generates an object for each client, the object implementing an interface through which client-related information can be inspected; the module parses the raw data submitted when the client accesses the Web server, informs the IPS management module that a client access request has been received, and requests the policy engine to inspect the client's access behavior;
the policy engine layer comprises an Http response module for assembling the data message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811626023.8A CN109413114B (en) 2018-12-28 2018-12-28 Network intrusion prevention system


Publications (2)

Publication Number Publication Date
CN109413114A (en) 2019-03-01
CN109413114B (en) 2021-08-10

Family

ID=65462457

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811626023.8A Active CN109413114B (en) 2018-12-28 2018-12-28 Network intrusion prevention system

Country Status (1)

Country Link
CN (1) CN109413114B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286850A (en) * 2007-04-10 2008-10-15 深圳职业技术学院 Defensive installation for security of router, defense system and method
CN102292708A (en) * 2008-11-25 2011-12-21 思杰系统有限公司 Systems and Methods for HTTP Callouts for Policies
CN102523296A (en) * 2011-12-21 2012-06-27 华为技术有限公司 Method, device and system for optimizing wireless webpage browsing resources
CN103916398A (en) * 2014-04-15 2014-07-09 浪潮电子信息产业股份有限公司 System for form field detection based on Web
CN107181769A (en) * 2017-07-28 2017-09-19 山东超越数控电子有限公司 A kind of network intrusion prevention system and method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9461876B2 (en) * 2012-08-29 2016-10-04 Loci System and method for fuzzy concept mapping, voting ontology crowd sourcing, and technology prediction
CN102882703B (en) * 2012-08-31 2015-08-19 赛尔网络有限公司 A kind of system and method for the URL automatic classification classification based on HTTP analysis


Also Published As

Publication number Publication date
CN109413114A (en) 2019-03-01


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 230000 floors 4-5, building A1, Zhongguancun collaborative innovation Zhihui Park, the intersection of Nanfeihe road and Lanzhou Road, Baohe Economic Development Zone, Hefei, Anhui Province

Patentee after: Anhui Changtai Technology Co.,Ltd.

Address before: 210-d16, building A3, Hefei Innovation Industrial Park, No. 800, Wangjiang West Road, high tech Zone, Hefei City, Anhui Province 230000

Patentee before: ANHUI CHANGTAI INFORMATION SECURITY SERVICE Co.,Ltd.