CN1450758A - High performance network intrusion detecting system and detecting method - Google Patents

Publication number: CN1450758A
Application number: CN03116970A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 金波, 周晴杰, 谭明, 吴咏炜, 吴国江
Assignee (original and current): JINNUO NETWORK SECURITY TECHNICAL DEVELOPMENT Co Ltd SHANGHAI
Priority and filing date: 2003-05-16
Publication date: 2003-10-22
Legal status: Pending at publication; the application was later deemed withdrawn (see Legal Events)
Prior art keywords: packet, forwarder (rendered "transponder" by the machine translation), switch, address, detection

Abstract

The detection system consists of a forwarder ("transponder" in the machine translation), at least one switch and a number of detection engines connected by data links, with a traffic-splitting system installed in the forwarder. For each packet, the detection method comprises capturing the packet, rewriting its destination MAC address, forwarding it to the switch, having the switch distribute it, and performing intrusion detection. Because the system and method split the traffic across several engines, intrusion detection performance is raised.

Description

High performance network intrusion detection system and detection method
Technical field
The present invention relates to computer application technology, and in particular to a high performance network intrusion detection system and detection method that uses multiple computers and a network switch to perform network intrusion detection.
Background technology
In computer application systems, the network intrusion detection system (NIDS) has become an important tool for implementing intrusion detection. However, as network technology advances and network applications in every industry grow in breadth and depth, the performance of the NIDS plays an ever more important role in the detection process: only when the detection performance of the NIDS is assured can its other technical elements, such as the parser and the completeness of the rule set, work efficiently.
Existing high performance NIDS are implemented mainly in the following ways:
Method one: detection on a single computer. The block diagram of this method is shown in Fig. 1. Its techniques include using a faster processor, using dedicated detection hardware, using a high performance parser, reducing the size of the detection rule set, and so on. On the surface this approach relieves the pressure of high-volume detection, but the hardware performance of a single computer is ultimately limited; as network speeds keep rising, handling the concurrent traffic of thousands of Internet hosts on a single computer is becoming an impossible task.
Method two: splitting the traffic with a dedicated hardware device to achieve multi-machine detection. The network traffic is first split by a hardware splitting device, which divides one high-volume stream into several lower-volume streams; these are then examined by multiple NIDS. The block diagram of this method is shown in Fig. 2. Because this method solves the hardware bottleneck of method one, it is used by some high-end products. However, the technology of some splitting hardware on the market is still immature, and using such splitters easily makes product performance unstable; mature high-performance splitting hardware is very expensive, which greatly increases deployment cost.
Summary of the invention
The purpose of the present invention is to provide a high performance network intrusion detection system and detection method that uses a traffic-splitting technique to achieve multi-machine detection.
The object of the invention is achieved as follows. A high performance network intrusion detection system is connected to a high-speed network and comprises detection engines that perform intrusion detection; it is characterised in that it further comprises a forwarder and at least one switch, and that there are multiple detection engines. The input of the forwarder is connected to the high-speed network, and its output is connected to one switch or to several switches respectively; each switch is in turn connected to multiple detection engines. The forwarder captures packets from the high-speed network, rewrites the destination MAC address of each packet and forwards it to the switch; the switch receives the packets from the forwarder and sends each one to the appropriate detection engine according to its destination address.
A splitting system is installed in the forwarder. It consists of a packet capture module, a packet processing module and a packet sending module: the packet capture module captures network packets, the packet processing module rewrites the destination MAC address of each packet, and the packet sending module sends the modified packets to the switch.
A high performance network intrusion detection method is carried out by the high performance network intrusion detection system and processes a packet in the following steps:
The first step, packet capture
The packet capture module in the forwarder captures a packet from the high-speed network;
The second step, rewriting the destination MAC address
The packet processing module in the forwarder rewrites the destination MAC address of the packet captured in the first step to the address corresponding to one of the detection engines, according to a predefined policy;
The third step, packet forwarding
The packet sending module in the forwarder forwards the packet with the rewritten destination MAC address to the high-performance switch;
The fourth step, packet splitting
After receiving the packet forwarded by the forwarder, the high-performance switch identifies the destination MAC address and sends the packet to the appropriate detection engine, thereby splitting the traffic;
The fifth step, intrusion detection
Each detection engine works independently after receiving packets, and each performs intrusion detection on its own share of the packets coming from the switch.
While one packet is being processed, other packets are processed concurrently in a pipelined manner.
Owing to the above technical scheme, the high performance network intrusion detection system and detection method of the present invention have the following obvious features and advantages compared with the prior art:
1. Traffic is split, improving detection performance
Because a forwarder is used with a splitting system installed in it, the heavy traffic from the high-speed network can be split across multiple detection engines, each of which independently concentrates on a portion of the traffic. This significantly reduces missed and false alerts and improves detection performance.
2. Good scalability
Because a switch rather than a computer performs the splitting, and a switch has many slots and is easy to expand, the limit that the number of slots in an ordinary computer places on the number of detection engines is overcome, and the number of detection engines can be chosen within a wide range.
3. Convenient deployment, safe and easy to use
The computers, switches and other equipment used in the present invention are all common equipment that administrators are familiar with, so the technical requirements on the operating staff are relatively low. At the same time, because such equipment has been in use for a long time and over a wide scope, its technology is more mature and its use safer than that of dedicated splitting devices.
4. Easy to maintain, saving operating cost
The switch used in the present invention is a mature technology and generally does not fail. Maintenance work only needs to ensure that the forwarder works correctly. Because the workflow of the forwarder is fairly simple, requiring only that a packet be obtained from one network interface, its destination MAC address rewritten, and the packet sent out through another network card, maintaining the forwarder is also easy.
5. High cost-effectiveness
The computers and switches used in the present invention are common equipment; compared with dedicated splitting devices they are cheaper, so the cost-effectiveness is higher.
Description of drawings
The purpose, specific structural features and advantages of the present invention can be further understood from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is the block diagram of a prior-art high performance network intrusion detection system;
Fig. 2 is the block diagram of another prior-art high performance network intrusion detection system;
Fig. 3 is the block diagram of the high performance network intrusion detection system of the present invention;
Fig. 4 is the logical block diagram of the forwarder;
Fig. 5 is a schematic diagram of the structure of a standard Ethernet packet;
Fig. 6 is a schematic diagram of the forwarder rewriting the MAC address of a packet;
Fig. 7 is a flow chart of the steps by which the high performance network intrusion detection method of the present invention processes a packet.
Embodiments
Referring to Fig. 3, the high performance network intrusion detection system of the present invention is formed by a forwarder, at least one switch and multiple detection engines connected by data links. The input of the forwarder is connected to the high-speed network, its output is connected to one switch or to several switches respectively, and the outputs of each switch are connected to multiple detection engines. A splitting system is installed in the forwarder; it consists of a packet capture module, a packet processing module and a packet sending module, whose logical structure is shown in Fig. 4. After the packet capture module captures a network packet, the packet processing module rewrites the packet's destination MAC address according to a predefined policy, and the packet sending module then forwards the modified packet to the high-performance switch. The switch receives the packets from the forwarder and sends each packet to the appropriate detection engine according to its destination address. Each detection engine performs intrusion detection independently.
The main function of the forwarder is to rewrite the destination MAC address of packets. An Ethernet packet consists mainly of a destination MAC address, a source MAC address, a type field and other parts; its basic structure is shown in Fig. 5. The packet processing module is responsible for rewriting the destination MAC address part: according to the predefined policy it rewrites the destination MAC address to the address corresponding to one of the detection engines. The aim is to share the processing load among the detection engines and to give the switch a basis for its splitting operation. The rewriting of the destination MAC address is shown in Fig. 6.
Referring to Fig. 7, the high performance network intrusion detection method of the present invention is carried out by the high performance network intrusion detection system of the present invention. After the system starts, it processes each packet in the following steps. The first three steps are performed by the forwarder:
The first step, packet capture
The packet capture module in the forwarder captures a packet from the high-speed network;
The second step, rewriting the destination MAC address
The packet processing module in the forwarder rewrites the destination MAC address of the packet captured in the first step to the address corresponding to one of the detection engines, according to a predefined policy;
The third step, packet forwarding
The packet sending module in the forwarder forwards the packet with the rewritten destination MAC address to the high-performance switch;
The fourth step is then performed by the high-performance switch: packet splitting
After receiving the packet forwarded by the forwarder, the high-performance switch identifies the destination MAC address and sends the packet to the appropriate detection engine, thereby splitting the traffic;
Finally, the fifth step is performed by each detection engine: intrusion detection
Each detection engine works independently after receiving packets, and each performs intrusion detection on its own share of the packets coming from the switch.
While one packet is being processed, other packets are processed concurrently in a pipelined manner.
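The description leaves the forwarder's "predefined policy" unspecified. The following Python program is an added illustration, not code from the patent or its applicant: it simulates the five steps above (and the same steps in the summary) on constructed Ethernet frames, parsing the destination MAC, source MAC and type field of Fig. 5, choosing an engine, rewriting the destination MAC, and letting a static-table switch deliver each frame to the engine's queue. The policy used here, hashing a direction-independent 5-tuple so that both halves of a TCP connection reach the same engine, is my design choice for the example, not the patent's; the engine MAC addresses, hosts and sample frames are constructed placeholders.

```python
import hashlib
import struct

# Constructed engine MAC addresses (placeholders; the patent names none).
ENGINE_MACS = [
    bytes.fromhex("02000000aa01"),
    bytes.fromhex("02000000aa02"),
    bytes.fromhex("02000000aa03"),
]
ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + type (2), as in Fig. 5
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, src_ip, dst_ip, sport, dport, proto=6):
    """Build a minimal Ethernet/IPv4/TCP(6)-or-UDP(17) frame (constructed sample)."""
    l4 = struct.pack("!HH", sport, dport) + b"x" * 8      # ports + dummy payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def flow_key(frame):
    """Direction-independent (proto, endpoint, endpoint) key, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip, dst_ip = ip[12:16], ip[16:20]
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = (src_ip, sport), (dst_ip, dport)
    lo, hi = (a, b) if a <= b else (b, a)   # sort endpoints: both directions hash alike
    return proto, lo, hi


def choose_engine(frame, engine_macs):
    """Step 2 policy (my assumption): hash the flow key onto one engine's MAC."""
    key = flow_key(frame)
    if key is None:
        return engine_macs[0]      # non-IPv4 / runt traffic goes to a fixed engine
    proto, lo, hi = key
    material = bytes([proto]) + lo[0] + struct.pack("!H", lo[1]) + hi[0] + struct.pack("!H", hi[1])
    idx = int.from_bytes(hashlib.sha256(material).digest()[:4], "big") % len(engine_macs)
    return engine_macs[idx]


def rewrite_dst_mac(frame, new_dst):
    """Step 2: replace the 6-byte destination MAC; the rest of the frame is untouched."""
    return new_dst + frame[6:]


def forwarder(frames, engine_macs):
    """Steps 1-3: capture (here: iterate), rewrite destination MAC, emit to the switch."""
    out = []
    for f in frames:
        if len(f) < ETH_HDR_LEN:
            continue               # runt frame: drop instead of forwarding garbage
        out.append(rewrite_dst_mac(f, choose_engine(f, engine_macs)))
    return out


def switch(frames, engine_macs):
    """Step 4: deliver each frame by destination MAC; the MAC table is static here."""
    table = {mac: i for i, mac in enumerate(engine_macs)}
    queues = {i: [] for i in range(len(engine_macs))}
    for f in frames:
        queues[table[f[:6]]].append(f)
    return queues


def run_pipeline(frames, engine_macs=ENGINE_MACS):
    """Returns {engine index: [frames]}; step 5 would run a detector over each queue."""
    return switch(forwarder(frames, engine_macs), engine_macs)


# Constructed sample traffic: upstream MAC GW, two hosts, one ARP frame, one runt.
GW = bytes.fromhex("0200000000ff")
H1 = bytes.fromhex("020000000001")
H2 = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(GW, H1, "10.0.0.1", "192.0.2.10", 40000, 80),   # client -> server
    build_frame(H1, GW, "192.0.2.10", "10.0.0.1", 80, 40000),   # server -> client, same flow
    build_frame(GW, H2, "10.0.0.2", "192.0.2.10", 40001, 80),
    build_frame(GW, H2, "10.0.0.2", "192.0.2.10", 40002, 80),
    H1 + GW + b"\x08\x06" + b"\x00" * 28,                      # ARP: not IPv4
    b"\x00" * 10,                                              # runt: dropped
]

if __name__ == "__main__":
    for idx, queue in run_pipeline(SAMPLE_FRAMES).items():
        print(f"engine {idx} ({ENGINE_MACS[idx].hex(':')}): {len(queue)} frame(s)")
```

A real forwarder would read frames from one NIC with a raw socket or libpcap and write them on the NIC facing the switch, as the description says. The point of hashing a sorted endpoint pair rather than distributing packets round-robin is that a per-packet policy would scatter one connection over several engines, and an engine that reassembles TCP streams would then see only fragments of each session and miss what it is meant to detect.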

Claims (4)

1. A high performance network intrusion detection system connected to a high-speed network and comprising detection engines that perform intrusion detection, characterised in that:
it further comprises a forwarder and at least one switch;
there are multiple detection engines; the input of the forwarder is connected to the high-speed network, its output is connected to one switch or to several switches respectively, and each switch is connected to multiple detection engines;
the forwarder captures packets from the high-speed network, rewrites the destination MAC address of each packet and forwards it to the switch, and the switch receives the packets from the forwarder and sends each one to the appropriate detection engine according to its destination address.
2. The high performance network intrusion detection system according to claim 1, characterised in that a splitting system is installed in the forwarder, the splitting system consisting of a packet capture module, a packet processing module and a packet sending module; the packet capture module captures network packets, the packet processing module rewrites the destination MAC address of each packet, and the packet sending module sends the modified packets to the switch.
3. A high performance network intrusion detection method carried out by the high performance network intrusion detection system, characterised in that the method processes a packet in the following steps:
The first step, packet capture
The packet capture module in the forwarder captures a packet from the high-speed network;
The second step, rewriting the destination MAC address
The packet processing module in the forwarder rewrites the destination MAC address of the packet captured in the first step to the address corresponding to one of the detection engines, according to a predefined policy;
The third step, packet forwarding
The packet sending module in the forwarder forwards the packet with the rewritten destination MAC address to the high-performance switch;
The fourth step, packet splitting
After receiving the packet forwarded by the forwarder, the high-performance switch identifies the destination MAC address and sends the packet to the appropriate detection engine, thereby splitting the traffic;
The fifth step, intrusion detection
Each detection engine works independently after receiving packets, and each performs intrusion detection on its own share of the packets coming from the switch.
4. The high performance network intrusion detection method according to claim 3, characterised in that while one packet is being processed, other packets are processed concurrently in a pipelined manner.
Application and publication data

Priority application: CN03116970A, priority date 2003-05-16, filing date 2003-05-16, title "High performance network intrusion detecting system and detecting method", status Pending
Publication: CN1450758A, published 2003-10-22
Family ID: 28684308 (one family application, country CN only)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100407754C * | 2004-03-19 | 2008-07-30 | 华为技术有限公司 | Fax quality test method
CN1321516C * | 2004-11-25 | 2007-06-13 | 上海复旦光华信息科技股份有限公司 | Safety filtering current shunt of exchange structure based on network processor and CPU array
CN100342692C * | 2005-09-02 | 2007-10-10 | 杭州华三通信技术有限公司 | Invasion detecting device and invasion detecting system
CN101390369B * | 2006-02-28 | 2012-11-14 | 国际商业机器公司 | Detection and control of peer-to-peer communication
CN100461765C * | 2006-11-24 | 2009-02-11 | 南京大学 | A method for kilomega NIDS parallel processing based on NP and BS
CN104539549A * | 2014-12-30 | 2015-04-22 | 天津市锦标科技有限公司 | Data message processing method based on high-density network flow
CN104539549B * | 2014-12-30 | 2018-01-02 | 天津市锦标科技有限公司 | A kind of data message processing method based on high density network flow

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication