CN1578227A - Dynamic IP data packet filtering method - Google Patents

Publication number: CN1578227A
Authority: CN (China)
Application number: CN 03141917
Legal status: Pending
Original language: Chinese (zh)
Inventor: 欧单尔
Original and current assignee: SHANGHAI JUYOU WIDE BAND NETWORK INVENTURE CO Ltd

Abstract

The dynamic IP packet filtering method has four functional modules, a detector, an analysis and statistics unit, a decision processor and a filter, and its implementation has four corresponding steps: detection and classification, intelligent analysis and lookup, decision processing, and filter execution. The detector performs the initial analysis and classification of each packet's IP header; the analysis and statistics unit further analyzes the classified information and reaches a verdict; the decision processor performs a detailed, comprehensive analysis to decide the final handling of the traffic; and the filter carries out the corresponding filtering operation, so that IP packets are filtered dynamically. The invention combines the two technologies of NIDS and firewall into a new defence mode that controls harmful and invalid traffic and effectively protects network bandwidth and router resources.

Description

A dynamic IP packet filtering method
Technical field:
The present invention relates to Internet technology, in particular to a network security method, and specifically to a dynamic IP packet filtering method.
Background technology:
On today's Internet there is a great deal of useless, harmful or reactionary traffic: network attacks of various types, network intrusions, computer viruses, reactionary speech and so on. This traffic is a disaster both for Internet users and for Internet access providers. With such traffic beginning to spread unchecked, classifying and filtering packets has become a headache for access providers; classifying packets accurately is a particularly difficult technique, and controlling and tracing harmful traffic has become a serious test for small access providers. In the prior art, traffic filtering at the network access layer is usually done with a NIDS (Network Intrusion Detection System) or a firewall. A NIDS only detects: it inspects the data on the network and, when it finds a packet with intrusion intent, raises an alarm and writes a log, but it usually cannot stop the harm done by that data flow. A firewall is statically configured, so it usually achieves only three functions: static access control, scan prevention and DoS prevention.
Summary of the invention:
The technical problem solved by the invention is the following. On today's Internet there is a great deal of useless, harmful or reactionary traffic: network attacks of various types, network intrusions, computer viruses, reactionary speech and so on. This traffic is a disaster both for Internet users and for Internet access providers. In the prior art, traffic filtering at the network access layer is usually done with a NIDS (Network Intrusion Detection System) or a firewall. A NIDS only detects: it inspects the data on the network and, when it finds a packet with intrusion intent, raises an alarm and writes a log, but it usually cannot stop the harm done by that data flow. A firewall is statically configured, so it usually achieves only three functions: static access control, scan prevention and DoS prevention.
To solve this problem of the prior art, the invention provides a dynamic IP packet filtering method whose functional modules are a detector, an analysis and statistics unit, a decision processor and a filter, and whose implementation is correspondingly divided into four steps: detection and classification, intelligent analysis and lookup, decision processing, and filter execution. Its characteristic features are as follows. The detector, the analysis and statistics unit, the decision processor and the filter are mutually independent, each performs its own function, and they communicate through standard interfaces. In the detection and classification step, the detector is placed on a backbone link of the network and monitors the link through port mirroring and traffic monitoring; it performs a preliminary analysis and classification of the packet's IP header. The detector uses a CRC check to judge whether the packet is correct; once the packet is judged correct, the detector matches and classifies it on the IP header fields: the 32-bit source IP, the 32-bit destination IP, the 4-bit header length, the 16-bit identification, the 3-bit flags, the 16-bit total length, the 16-bit IP checksum, the 3-bit flag bits, the 13-bit fragment offset, the 8-bit TTL, the 8-bit protocol field and the variable-length options field. According to the matching feature, it copies the packet header and content, stamps a matching label on the copy and sends it to the analysis and statistics unit. The detector further comprises a matching and classification submodule, a counter submodule and a rate-meter submodule: the counter submodule counts the packets that hit a rule, and the rate-meter submodule, besides working by rule, can compute the packet rate per source IP, destination IP, source port or destination port. In the intelligent analysis and lookup step, the analysis and statistics unit produces a verdict on the data it receives: for network intrusions and attacks it uses feature matching; for viruses spreading through network and system vulnerabilities, DoS and network scanning it uses anomaly handling, where the content of packets judged to be of the virus, DoS or scan type is automatically extracted by the system as a feature and placed in the feature database, so that subsequent judgements use the feature and become markedly faster and more accurate. At the same time, the network engine of the invention analyzes packets using protocol analysis combined with pattern matching. The verdict is passed by the analysis and statistics unit to the decision processor, which refines it and performs a comprehensive analysis to decide finally how the uploaded information is handled. In the filter execution step, the filter performs the corresponding filtering operation on the uploaded data according to the handling decided by the decision processor, thereby achieving dynamic filtering of IP packets. Concretely, the detector, analysis and statistics unit, decision processor and filter may be installed on the same device, or each may be a separate device, forming a distributed system.
Compared with the prior art, the effect of the invention is positive and obvious. The dynamic IP packet filtering method of the invention combines the characteristics of the two technologies, NIDS and firewall, to form a new defence mechanism, similar to the NIPS (network intrusion protection system) that is currently still at the discussion stage. The focus of the invention, however, is on controlling invalid and harmful traffic; the objects it protects are bandwidth and router resources.
The purpose, features and advantages of the invention are described in detail below through an embodiment, with reference to the accompanying drawing.
Description of drawings:
Fig. 1 is a logical function diagram of a preferred embodiment of the dynamic IP packet filtering method of the invention.
Embodiment:
As shown in Fig. 1, the functional modules of the dynamic IP packet filtering method of the invention consist of four parts, a detector, an analysis and statistics unit, a decision processor and a filter, and its implementation is correspondingly divided into four steps: detection and classification, intelligent analysis and lookup, decision processing, and filter execution. Its characteristic feature is that the detector, analysis and statistics unit, decision processor and filter are mutually independent, each performs its own function, and they communicate through standard interfaces.
In the detection and classification step, the detector is placed on a backbone link of the network and monitors the link through port mirroring and traffic monitoring. In a complex or high-traffic network the number of detectors is increased accordingly and the monitoring policy is adjusted, the principle being to balance the load as far as possible and never to process the same data twice. For example, in a high-traffic network three detectors may jointly monitor one egress: detector A monitors only the source network segment 10.1.1.0, detector B only the source segment 10.2.2.0, and detector C the two lower-traffic source segments 10.3.3.0 and 10.4.4.0. The main purpose of detection and classification is a simple analysis and classification of the packet's IP header; it is the first, coarse classification of traffic and data. The content analyzed comprises the IP header fields: the 32-bit source IP, 32-bit destination IP, 4-bit header length, 16-bit identification, 3-bit flags, 16-bit total length, 16-bit IP checksum, 3-bit flag bits, 13-bit fragment offset, 8-bit TTL, 8-bit protocol field and the variable-length options. A preliminary judgement is made here. First the CRC is checked to see whether the packet is free of checksum errors; if it is a bad packet, the bad-packet record is incremented and the source IP that sent it is recorded. Then the packet length is verified. Once the packet is judged correct, it is classified by source IP, destination IP, source port, destination port, protocol type, length and so on; if the packet is fragmented, the fragments are reassembled before matching and classification. According to the matching feature, the packet header and content are copied, stamped with a matching label and sent to one or more intelligent analysis and lookup units. Because labels are used, the intelligent analyzer can map the packet directly to a rule and an analyzer without repeating the rule-matching computation, which greatly reduces the load on the intelligent analyzer. Besides matching and classification, the detector also contains a counter and a rate meter. The counter counts the packets that hit a rule; the rate meter, besides working by specific rule, can compute the packet rate per source IP, destination IP, source port or destination port. The counter serves network traffic and situation analysis, and the rate meter also collects normal network data in preparation for countering DoS or DDoS. For rule matching the detector uses the first-match-wins principle (similar to IPTABLES) rather than the exhaustive matching principle of IPFILTER: a packet whose IP header matches a rule immediately proceeds to the next stage of processing instead of being tested against every remaining rule. This choice is made for efficiency, and on the assumption that such rules are configured carefully by the network administrator, so that packet headers which match repeatedly should not occur; if the rule base contains a rule for every field, every packet has to be matched again. For the matching algorithm a simple HASH is used: IP matching uses the low 16 bits of the address as the match key, whose collision probability is quite low, about 5 under harsh conditions in actual use. After a collision the hash is applied again, this time on bits 12 to 16; since collisions should be rare, a further collision falls back to a sequential search for the match, guaranteeing a hit within 3 to 4 HASH probes. This method, however, uses more memory. Port matching uses a BTREE, since port numbers are few compared with IP addresses and a BTREE is sufficient.
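The detector stage described above, as an added illustration that is not the patent's code: the header fields are parsed, the packet is validated (the page's "CRC check" is implemented as the standard IPv4 header checksum, followed by the length check), classified on a first-match-wins rule base, counted per label and rate-metered per source IP. The rule base, the sample packets and the one-second rate window are constructed here.

```python
"""Detector stage: header check, first-match classification, hit counter, per-source rate meter."""
import struct
import ipaddress
from collections import defaultdict


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over 16-bit header words. Over a header whose checksum field is
    already correct the result is 0, which is how validity is tested below."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields the detector classifies on; raise ValueError for a bad packet."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_header_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    if total_len != len(packet):            # length verification (no link-layer padding assumed)
        raise ValueError("total length disagrees with packet size")
    fields = {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ihl": ihl, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "options": packet[20:ihl],
        "sport": None, "dport": None,
    }
    # Ports exist only in the first fragment of TCP (6) or UDP (17) traffic.
    if proto in (6, 17) and fields["frag_offset"] == 0 and len(packet) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


# Constructed rule base: each rule lists the header values it requires plus the label to stamp.
RULES = [
    {"label": "tcp-to-web", "proto": 6, "dport": 80},
    {"label": "any-udp", "proto": 17},
]


def classify(fields: dict, rules=RULES):
    """First-match-wins (the iptables-style principle the page chooses): stop at the first hit."""
    for rule in rules:
        if all(fields.get(k) == v for k, v in rule.items() if k != "label"):
            return rule["label"]
    return None


class Detector:
    def __init__(self, rules=RULES, window: float = 1.0):
        self.rules = rules
        self.window = window                    # rate-meter window in seconds
        self.hits = defaultdict(int)            # counter submodule: label -> packets that hit it
        self.bad = defaultdict(int)             # bad-packet record keyed by the claimed source IP
        self.times = defaultdict(list)          # rate-meter submodule: source IP -> arrival times

    def rate(self, src: str, now: float) -> float:
        """Packets per second from src over the trailing window."""
        recent = [t for t in self.times[src] if now - t < self.window]
        self.times[src] = recent
        return len(recent) / self.window

    def process(self, packet: bytes, now: float):
        """Return the labelled copy handed on to the analyzer, or None when nothing is forwarded."""
        try:
            fields = parse_ipv4(packet)
        except ValueError:
            if len(packet) >= 16:               # record which source IP sent the bad packet
                self.bad[str(ipaddress.IPv4Address(packet[12:16]))] += 1
            return None
        self.times[fields["src"]].append(now)
        label = classify(fields, self.rules)
        if label is None:
            return None
        self.hits[label] += 1
        return {"label": label, "header": fields, "copy": packet,
                "rate": self.rate(fields["src"], now)}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed sample packet with a valid header checksum (test input, not captured traffic)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_header_checksum(header)) + header[12:]
    return header + payload
```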
In the intelligent analysis and lookup step, the analysis and statistics unit performs a deeper analysis and judgement on the classified information brought by the detector. Because it must reach a conclusive judgement on each incoming packet, this part is the most important and most difficult part of the whole system, and it has much in common with the various popular NIDS. In current IDS models, analyzers fall into two broad classes: anomaly (behaviour) based analysis and signature based analysis. Behaviour-based detection judges whether an intrusion has occurred from the user's behaviour or resource usage rather than from any specific action, and so is also called anomaly detection. Behaviour-based detection is relatively independent of the system and more general; it may even detect attack methods that have not appeared before, unlike knowledge-based detection, which is limited to known weaknesses. However, because all user behaviour in a system cannot be described exhaustively, and each user's behaviour often changes, its main defect is a very high false-positive rate, especially where users are numerous or work purposes change frequently. Moreover, because the statistical profile is continually updated, an intruder who knows that a system is under the detector's supervision can slowly train the detection system, so that after a period of training, behaviour initially regarded as anomalous comes to be regarded as normal. There are two main behaviour-based detection methods.
1. Statistical method: behavioural features of the user are extracted and quantified, the quantified information is compared, and the judgement depends on whether it exceeds the normal threshold.
2. Neural network method: the method predicts each successive operation of a typical user, for example a UNIX administrator; experiments show that such behaviour can be predicted. When prediction fails and the threshold is exceeded, the behaviour is judged anomalous.
Signature-based detection uses known attack methods: intrusion patterns are defined in advance, and detection consists of judging whether these patterns appear. Since an intrusion largely exploits a weakness of the system, the signs of intrusion behaviour can be described concretely by analyzing the features, conditions, ordering and inter-event relationships of the attack process. Knowledge-based detection is also called misuse detection. Because it judges against a concrete feature database, its detection accuracy is very high, and since its results have a clear reference they also make it convenient for the system administrator to take corresponding measures. Its main defects are that it depends too strongly on the specific system and so ports badly, that maintenance is heavy, that abstracting specific intrusion means into knowledge is very difficult, and that its detection range is limited by the level of knowledge. In sum, the two methods are complementary: the shortcoming of each is the advantage of the other. Accordingly the analysis module uses different methods for different situations. Since a network attack or intrusion is a series of steps, blocking any one of them terminates the intrusion; and because this system works by blocking (BLOCK), its real-time requirement can be relaxed somewhat and the emphasis is placed on:
1. Network intrusions and attacks: such events usually exploit vulnerabilities of the host system, and since exploitation of a vulnerability usually has a very fixed form, feature matching gives much better accuracy and efficiency here. For example: (msg: "WEB-CGI Hyper Seek hsx.cgi directory traversal attempt"; uricontent: "/hsx.cgi"; content: "../../"; content: "%00"; flow: to_server, established;) -j 192.168.0.10. This configuration means: if an incoming HTTP request contains "hsx.cgi" in its URL, "../../" and "%00" in the packet content, and the TCP state is ESTABLISHED, it is judged to be an intrusion exploiting the hsx.cgi vulnerability, and this information is sent to the decision processor at 192.168.0.10. The key lies in choosing the tagged words.
2. Viruses, DoS and network scans spreading through network and system vulnerabilities: because such behaviour initiates a large number of connections to ports such as 80, 25, 445, 137 and 139, anomaly handling is used to detect these situations. The content of packets judged to be of the virus, DoS or scan type is automatically extracted by the system as a feature and placed in the feature database, so that subsequent judgements use the feature, which markedly improves speed and accuracy. The verdict is sent to the decision unit, and the analysis unit then waits for the decision unit's judgement.
Pattern matching is the attack-signature-based packet analysis technique used by first- and second-generation intrusion detection systems. Its fast analysis and low false-alarm rate are unmatched by other analysis methods. Using simple pattern matching alone, however, has serious drawbacks, so the network engine of the invention analyzes packets with protocol analysis combined with pattern matching.
The simple pattern matching method works as follows:
1) For each packet on the network, analyze whether it carries some attack signature, as follows:
2) Starting from the packet header, compare the packet with the attack signature.
3) If the comparison matches, a possible attack has been detected.
4) If the comparison differs, restart the comparison from the next position in the packet.
5) Matching of one attack signature finishes when an attack is detected or all bytes of the packet have been compared.
6) For each attack signature, repeat the comparison from step 2).
7) Matching of the packet finishes when matching of every attack signature has finished.
The following example illustrates its operating principle.
AF7*Hy289s820800B9v5yt$0611tbhk76500801293ugdB2%00397e39
12345678901234567890123456789012345678901234567890123456
is the packet captured from the network. For the attack pattern "GET/cgi-bin/./phf", comparison begins at the head of the packet:
GET/cgi-bin/./phf---
AF7*Hy289s820800B9v5yt$0611tbhk76500801293ugdB2%00397e39
12345678901234567890123456789012345678901234567890123456
The comparison fails; move one byte and compare again:
-GET/cgi-bin/./phf--
AF7*Hy289s820800B9v5yt$0611tbhk76500801293ugdB2%00397e39
12345678901234567890123456789012345678901234567890123456
Still unsuccessful; move once more:
--GET/cgi-bin/./phf-
AF7*Hy289s820800B9v5yt$0611tbhk76500801293ugdB2%00397e39
12345678901234567890123456789012345678901234567890123456
The comparison is repeated until a match succeeds.
Problems of the traditional pattern matching method:
Large computation: the maximum number of comparisons per second for a given network is: attack signature byte count × packet byte count × packets per second × number of attack signatures. If every attack signature is 20 bytes long, the average packet is 300 bytes, the rate is 30,000 packets per second and the feature database holds 4,000 features, the number of comparisons per second is 20 × 300 × 30,000 × 4,000 = 720,000,000,000.
Detection accuracy: traditional pattern matching can only detect attacks of a specific form; any small variation of the attack signature makes detection fail. For example, for a web server
GET /cgi-bin/phf
HEAD /cgi-bin/phf
GET //cgi-bin/phf
GET /cgi-bin/foobar/../phf
GET /cgi-bin/./phf
GET%00?/cgi-bin/phf
GET /%63%67%69%2d%62%69%6e/phf
are all legal and equivalent requests, but the matching method above cannot detect them.
The problem with the traditional pattern matching method is that it treats the packet as an unordered, random byte stream; it understands nothing of the packet's internal structure and matches an image or audio stream transmitted over the network in exactly the same way. Network protocols are highly structured data streams with definite meanings and values; combining protocol analysis with pattern matching yields better efficiency and more accurate results.
Protocol analysis uses knowledge of the protocol layers and of the protocols concerned to judge quickly whether an attack signature can be present, which greatly reduces the matching computation, so that even on a 100M network every packet can be fully inspected.
The following shows how an intrusion detection system based on protocol analysis handles the packet of the example above:
AF7*Hy289s820800B9v5yt$0611tbhk76500801293ugdB2%00397e39
12345678901234567890123456789012345678901234567890123456
The Ethernet standard specifies that the 13th byte of an Ethernet frame holds the two-byte layer 3 protocol identifier. Using this knowledge, the protocol-analysis intrusion detection system begins its detection:
1) Skip the first 12 bytes and read the 2-byte protocol identifier at byte 13: 0800.
According to the protocol specification, this is an IP packet.
2) The IP protocol specifies that the 1-byte layer 4 protocol identifier is at the 24th byte of an IP packet, so the system skips bytes 15 to 23 and directly reads the layer 4 protocol identifier at byte 24: 06. This packet is TCP.
3) TCP carries the 2-byte application layer protocol identifier (port number) at the 35th byte, so the system skips bytes 25 to 34 and directly reads the port number at byte 35: 80. This packet is HTTP.
HTTP specifies that the URL begins at the 55th byte; the invention wants to detect the attack signature "GET/cgi-bin/./phf", so it inspects this URL carefully.
As can be seen, protocol analysis greatly reduces the computation of pattern matching, improves matching accuracy and lowers the false-alarm rate.
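The layer-by-layer walk and the URL comparison described above, as an added illustration that is not the patent's code. It uses the standard header offsets (ethertype at byte offset 12, IP protocol at offset 23, the port pair at the start of the TCP header, payload after the TCP data offset, which for 20-byte IP and TCP headers is offset 54, the page's 55th byte); note that the TCP header carries the source port first, so for a request to a web server port 80 is the destination port, two bytes later. The sample frame and the signature path are constructed here, and the path is normalized before comparison so that the equivalent request forms listed on the page compare equal.

```python
"""Protocol-analysis walk: Ethernet -> IPv4 -> TCP -> HTTP request line, then one path compare."""
import posixpath
import re
import struct
from urllib.parse import unquote_to_bytes

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
HTTP_PORT = 80


def build_frame(request_line: bytes) -> bytes:
    """Constructed sample frame: Ethernet + 20-byte IPv4 + 20-byte TCP + one HTTP request line.
    Checksums are left zero; this walk does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(request_line), 1, 0, 64, PROTO_TCP, 0,
                     bytes([10, 1, 1, 5]), bytes([192, 0, 2, 10]))
    # src port 40000, dst port 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, HTTP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + request_line


def locate_http_request(frame: bytes):
    """Return (payload offset, request line), or None as soon as a layer shows that the frame
    cannot carry an HTTP request; no byte-by-byte scan of the frame is ever needed."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                                   # step 1: layer-3 identifier
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if len(frame) < ip_off + ihl or frame[ip_off + 9] != PROTO_TCP:
        return None                                   # step 2: layer-4 identifier
    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + 20:
        return None
    _sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    if dport != HTTP_PORT:                            # step 3: application identifier
        return None
    payload_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
    line = frame[payload_off:].split(b"\r\n", 1)[0]
    return payload_off, line


def normalize_path(path: bytes) -> bytes:
    """Canonical form so that the variants listed above (//, /./, dir/../, %xx) compare equal."""
    path = unquote_to_bytes(path)                     # '%63%67%69' -> 'cgi'
    path = re.sub(rb"/+", b"/", path)                 # '//cgi-bin' -> '/cgi-bin'
    return posixpath.normpath(path)                   # drops '/./' and 'foobar/../'


def detect(frame: bytes, signature_path: bytes) -> bool:
    """Protocol-aware check: a single comparison at the place the protocol says the URL lives."""
    found = locate_http_request(frame)
    if found is None:
        return False
    _off, line = found
    parts = line.split(b" ")
    if len(parts) < 2:
        return False
    target = parts[1].split(b"?", 1)[0]              # request target without the query string
    return normalize_path(target) == normalize_path(signature_path)


def naive_comparisons(data: bytes, signature: bytes) -> int:
    """Byte comparisons the simple matcher above performs on the same frame (slide one byte,
    stop each alignment at the first mismatch), for contrast with the single compare in detect()."""
    count = 0
    for start in range(len(data) - len(signature) + 1):
        for j, b in enumerate(signature):
            count += 1
            if data[start + j] != b:
                break
        else:
            return count
    return count
```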
The matching algorithm is the core of the detection engine and directly determines the real-time performance of the system. Searching network data for intrusion features requires an efficient string search algorithm.
Among string search algorithms the invention uses the Boyer-Moore-Horspool algorithm. For example, to search for "search" in "substring searching algorithm", the substring is first aligned flush left with the text:
substring searching algorithm
search^
The first comparison finds a mismatch at the second character, so the substring must be moved to the right. But by how much? This is where the various algorithms each show their strength: the simplest approach moves one character position; KMP uses the information from the matched part; the BM algorithm compares in reverse and determines the shift from the part already matched; the Boyer-Moore-Horspool algorithm decides the shift from the last character of the aligned text window ("r"). The method of the invention obtains the shift from the character immediately following the current substring window ("i" in the figure above). Since the last comparison failed, a move is inevitable, so if the number of positions moved is N then N >= 1. What is the largest N can be? If that character occurs in the pattern string, the shift is determined by its position in the pattern. If it does not occur in the pattern, it needs no comparison itself, so the window can be moved to begin comparison at the character after it. In the example, "i" does not occur in the substring "search", so a whole stretch can be skipped and the next comparison begins at the character after "i":
substring searching algorithm
       search^
The comparison again fails at the first character; the character following the substring window is now "r", which occurs third from last in the substring, so the substring is moved forward three positions to align the two "r"s:
substring searching algorithm
          search
The match now succeeds. Reviewing the whole process, the invention moved the substring only twice to find the match position; with this algorithm the shift at each step is larger than with the BMH algorithm, so it is certainly faster than the BM algorithm.
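The shift rule described above (move by the character just after the current window; it is the rule usually known as Sunday's quick search) beside the Boyer-Moore-Horspool rule it is compared with, as an added illustration that is not the patent's code. Both functions return the match position and the list of shifts taken, so the two-shift walk through "substring searching algorithm" can be checked against the figure.

```python
"""Next-character shift rule (as described on the page) versus Boyer-Moore-Horspool."""


def next_char_shift_table(pattern: str) -> dict:
    """Shift for each character c that can follow the window: pattern length minus the index of
    c's last occurrence, so the window lands with that occurrence under c. A character absent
    from the pattern is handled by the caller with length + 1 (skip past it entirely)."""
    m = len(pattern)
    return {c: m - i for i, c in enumerate(pattern)}     # later occurrences overwrite earlier


def search_next_char(text: str, pattern: str):
    """Return (index of the first match or -1, list of shifts taken)."""
    m, n = len(pattern), len(text)
    table = next_char_shift_table(pattern)
    shifts = []
    pos = 0
    while pos + m <= n:
        if text[pos:pos + m] == pattern:               # compare the window with the pattern
            return pos, shifts
        if pos + m == n:                               # no character after the window
            break
        step = table.get(text[pos + m], m + 1)         # look at the character after the window
        shifts.append(step)
        pos += step
    return -1, shifts


def bmh_shift_table(pattern: str) -> dict:
    """Horspool: distance from a character's last occurrence (final character excluded) to the end."""
    m = len(pattern)
    return {c: m - 1 - i for i, c in enumerate(pattern[:-1])}


def search_bmh(text: str, pattern: str):
    """Boyer-Moore-Horspool, for comparison: shift is decided by the last character of the window."""
    m, n = len(pattern), len(text)
    table = bmh_shift_table(pattern)
    shifts = []
    pos = 0
    while pos + m <= n:
        j = m - 1
        while j >= 0 and text[pos + j] == pattern[j]:   # right-to-left comparison
            j -= 1
        if j < 0:
            return pos, shifts
        step = table.get(text[pos + m - 1], m)
        shifts.append(step)
        pos += step
    return -1, shifts
```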
In the decision processing step, the decision processor refines and comprehensively analyzes the judgement supplied by the analysis and statistics unit and finally decides how the information uploaded by the analyzer is to be handled. Decision processing follows two principles: 1. different situations are handled by classification; 2. all anomaly handling must be confirmed manually before any subsequent operation is carried out.
Filtering is an effective method, but also a relatively risky operation, because the network environment is complex: some resources must keep providing their network services, and access to some hosts must also be guaranteed. Classified handling is therefore a necessary process.
Handling is generally divided into 6 classes:
1. Even when an anomaly or intrusion is found, take no action; just ignore it.
2. When an anomaly or intrusion is found, block its source IP and destination port.
3. When an anomaly or intrusion is found, block its source IP and destination address.
4. When an anomaly or intrusion is found, block its destination IP.
5. When an anomaly or intrusion is found, block its destination port.
6. When an anomaly or intrusion is found, block its source IP.
Where:
1. The first case applies to core servers: even under a definite attack or intrusion, no automatic handling is allowed; the system administrator must handle it personally.
2. This case is used when a widely used user service is attacked or intruded upon, for example a user sending spam outward in bulk (unwelcome behaviour); to stop this behaviour while preserving other normal mail traffic, this handling is required.
3. This case applies when a user attacks or intrudes upon a specific host, or behaves undesirably towards it, for example a user scanning www.i-168.com heavily.
4. This case arises when a large number of users carry out a DDoS attack against a specific host, and is the measure taken to prevent such heavy traffic from exhausting bandwidth and router CPU.
5. This case suits attacks on uncommon, non-essential services, for example a mass-propagating virus scanning TCP port 445 heavily and consuming large bandwidth and CPU; blocking the service completely is then the best choice.
6. The last case is the strictest, equivalent to disconnecting the user: all traffic he sends is blocked. It is designed for malicious users.
The decision unit is the final judging unit, so every operation it performs and all its data must be fully recorded, and every operation must be completely reversible.
Another function of the decision unit is alerting; its alerts include sound, light, e-mail, SMS and so on.
In the filter execution step, the filter is the device that actually performs the filtering in the network; it may be a firewall, router, server, switch or the like. The filter performs the corresponding filtering operation on the uploaded data according to the handling decided by the decision processor, thereby achieving dynamic filtering of IP packets.

Claims (5)

1. A dynamic IP packet filtering method whose functional modules consist of four parts, a detector, an analysis and statistics device, a decision processor and a filter, and whose implementation is correspondingly divided into four steps: detection and classification, intelligent analysis and search, decision processing, and execution of filtering, characterized in that: the detector, the analysis and statistics device, the decision processor and the filter are all independent of one another, each performs its own function, and they communicate with one another through standard interfaces; in the detection and classification step, the detector is placed on a backbone link of the network and monitors the backbone link by port mirroring and traffic monitoring; the detector performs a preliminary analysis and classification of the IP header of each packet; the detector uses a CRC check to judge whether a packet is correct, and once a packet has been judged correct, the detector matches and classifies it according to the leading fields of its IP header: the 32-bit source IP, the 32-bit destination IP, the 4-bit header length, the 16-bit identification, the 3-bit flags, the 16-bit total length, the 16-bit IP header checksum, the 3-bit flag bits, the 13-bit fragment offset, the 8-bit TTL, the 8-bit protocol field and the option bits; according to the different matching characteristics, the header and content of the packet are copied, a matching label is attached, and the copy is sent to the analysis and statistics device; the detector further comprises a match-classification submodule, a counter submodule and a rate submodule, the counter submodule counts the packets that hit a rule, and the rate submodule, besides counting by rule hits, can also compute a rate for the packets of each source IP, destination IP, source port or destination port; in the intelligent analysis and search step, the analysis and statistics device gives a determination result for the data it receives: for network intrusions and attacks it adopts a signature-matching method, and for viruses propagating through the network, system vulnerabilities, DoS and network scanning it adopts an anomaly-handling method, wherein, for packet contents judged to belong to the virus, DoS or scan class, the system automatically extracts their features and places the extracted features in a feature database, and judging by these features markedly increases the speed and accuracy of judgement; at the same time, the method of the invention, combining protocol analysis with pattern matching, is used in the network engine to judge network packets; the determination result is passed by the analysis and statistics device to the decision processor; in the decision processing step, the decision processor refines and comprehensively analyses the judgement supplied by the analysis and statistics device and finally decides the processing mode for the uploaded information; in the execution of filtering step, the filter performs the corresponding filtering operation on the uploaded data signal according to the information processing mode decided by the decision processor, thereby achieving dynamic filtering of IP packets.
2. The dynamic IP packet filtering method as claimed in claim 1, characterized in that: the detector, the analysis and statistics device, the decision processor and the filter are all arranged on the same piece of equipment.
3. The dynamic IP packet filtering method as claimed in claim 1, characterized in that: the detector, the analysis and statistics device, the decision processor and the filter are each independent pieces of equipment, forming a distributed system.
4. The dynamic IP packet filtering method as claimed in claim 1, characterized in that: a plurality of said detectors monitor one port in common, and are divided by network segment so as to monitor separately.
5. The dynamic IP packet filtering method as claimed in claim 1, characterized in that: the decision processor is provided with an alarm module.
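As an added illustration of the detection and classification step in claim 1 (example code, not the patent's own implementation), the Python sketch below verifies the IPv4 header checksum (the claim's "CRC check"), extracts the header fields the claim lists, matches them against rules, attaches a label, counts rule hits, and computes a per-source-IP rate over a sliding window. The rule format, the Detector class and the build_ipv4_packet helper (which constructs sample packets, not captured traffic) are assumptions of this example.

```python
import struct
from collections import Counter, defaultdict, deque
def ipv4_checksum(header: bytes) -> int:
    """One's complement sum of 16-bit words; returns 0 for an intact header with its checksum in place."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes):
    """Extract the header fields claim 1 classifies on; None if malformed or the checksum fails."""
    if len(pkt) < 20: return None
    v_ihl, _tos, total_len, ident, ff, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    if v_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        return None
    return {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "header_len": ihl, "ident": ident, "flags": ff >> 13, "frag_offset": ff & 0x1FFF,
            "total_len": total_len, "ttl": ttl, "protocol": proto, "options": pkt[20:ihl]}

def build_ipv4_packet(src: str, dst: str, proto: int, ttl: int = 64, payload: bytes = b"", ident: int = 1):
    """Constructed sample packet (no options, DF set) with a correct header checksum; not captured traffic."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

class Detector:
    """Hypothetical detector: the match-classification, counter and rate submodules of claim 1."""
    def __init__(self, rules, window: float = 1.0):
        self.rules, self.window = rules, window
        self.hits = Counter()            # counter submodule: packets that hit each rule
        self.seen = defaultdict(deque)   # rate submodule: hit timestamps per (label, src_ip)

    def classify(self, pkt: bytes, now: float):
        hdr = parse_ipv4_header(pkt)
        if hdr is None:
            return None                  # failed the correctness check: nothing is forwarded
        labels = []
        for rule in self.rules:          # a rule is a dict of header fields that must all match
            if all(hdr.get(k) == v for k, v in rule["match"].items()):
                labels.append(rule["label"])
                self.hits[rule["label"]] += 1
                q = self.seen[(rule["label"], hdr["src_ip"])]
                q.append(now)
                while now - q[0] > self.window:   # keep only hits inside the sliding window
                    q.popleft()
        return {"header": hdr, "labels": labels}  # labelled copy handed to the analysis stage
    def rate(self, label: str, src_ip: str) -> float:
        return len(self.seen[(label, src_ip)]) / self.window   # hits per second from src_ip
```

A corrupted header (for example a modified TTL) fails the checksum and is never labelled, while repeated hits from one source raise that source's rate, which is the signal the claim's rate submodule feeds to the analysis stage.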

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03141917 CN1578227A (en) 2003-07-29 2003-07-29 Dynamic IP data packet filtering method

Publications (1)

Publication Number Publication Date
CN1578227A true CN1578227A (en) 2005-02-09

Family

ID=34579297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03141917 Pending CN1578227A (en) 2003-07-29 2003-07-29 Dynamic IP data packet filtering method

Country Status (1)

Country Link
CN (1) CN1578227A (en)

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100431302C (en) * 2005-08-30 2008-11-05 飞塔信息科技(北京)有限公司 Log device, system and method with function of analyzing network traffic
CN100393047C (en) * 2005-12-21 2008-06-04 杭州华三通信技术有限公司 Intrusion detecting system and network apparatus linking system and method
CN1992674B (en) * 2005-12-31 2010-05-12 华为技术有限公司 Method of multi-dimensional packet classification based on muti-bit segmentation
CN1992673B (en) * 2005-12-31 2011-02-16 华为技术有限公司 Method of implementing fast packet flow recognition in high-speed router and firewall
WO2007079677A1 (en) * 2006-01-10 2007-07-19 Lin Dong A metering system and method of data flow direction and quantity of p2p network and the business mode based on this technique
CN100571202C (en) * 2006-01-27 2009-12-16 华为技术有限公司 A kind of transfer approach and transfer system that carries the data of routing iinformation
US7894442B2 (en) 2006-01-27 2011-02-22 Huawei Technologies Co., Ltd. Data transmission method and a system thereof
CN101064597B (en) * 2006-04-25 2010-09-08 Lgcns株式会社 Network security device and method for processing packet data using the same
CN101047509B (en) * 2006-05-31 2010-05-12 华为技术有限公司 Session attack detection system and method
CN1997010B (en) * 2006-06-28 2010-08-18 华为技术有限公司 An implementation method for packet filtering
WO2008003254A1 (en) * 2006-06-28 2008-01-10 Huawei Technologies Co., Ltd. An implementation method, system and apparatus for packet filtering
US8089962B2 (en) 2006-06-28 2012-01-03 Huawei Technologies Co., Ltd Method, system and apparatus for filtering packets
US8060633B2 (en) 2006-11-24 2011-11-15 Hangzhou H3C Technologies Co., Ltd. Method and apparatus for identifying data content
WO2008061483A1 (en) * 2006-11-24 2008-05-29 Hangzhou H3C Technologies Co., Ltd. A method and apparatus for identifying the data content
CN101252467B (en) * 2006-12-18 2013-03-13 Lgcns株式会社 Apparatus and method of securing network
CN101005455B (en) * 2006-12-30 2012-06-27 中国科学院计算技术研究所 Flow control method based on by-path interference
CN101060492B (en) * 2007-05-29 2010-08-11 杭州华三通信技术有限公司 Talk detection method and talk detection system
US8250646B2 (en) 2007-09-27 2012-08-21 Huawei Technologies Co., Ltd. Method, system, and device for filtering packets
CN101981891B (en) * 2008-03-31 2014-09-03 法国电信公司 Defence communication mode for an apparatus able to communicate by means of various communication services
CN101981891A (en) * 2008-03-31 2011-02-23 法国电信公司 Defence communication mode for an apparatus able to communicate by means of various communication services
CN101582833B (en) * 2008-05-15 2011-10-05 成都市华为赛门铁克科技有限公司 Method and device for processing spoofed IP data packet
CN101355567B (en) * 2008-09-03 2012-05-09 中兴通讯股份有限公司 Method for protecting safety of route-exchanging device central processing unit
CN101783786B (en) * 2009-01-19 2013-01-16 中兴通讯股份有限公司 Method and device for filtering data packets
CN101610264B (en) * 2009-07-24 2011-12-07 深圳市永达电子股份有限公司 Firewall system, safety service platform and firewall system management method
CN101635720B (en) * 2009-08-31 2012-09-05 杭州华三通信技术有限公司 Filtering method of unknown flow rate and bandwidth management equipment
CN101702723A (en) * 2009-10-30 2010-05-05 曙光信息产业(北京)有限公司 Method and device for filtering IP message
CN102346825A (en) * 2010-07-21 2012-02-08 三星Sds株式会社 Device and method for providing soc-based anti-malware service
US8973130B2 (en) 2010-07-21 2015-03-03 Samsung Sds Co., Ltd. Device and method for providing SOC-based anti-malware service, and interface method
WO2012167756A1 (en) * 2011-07-11 2012-12-13 华为技术有限公司 P2p traffic charging method and isp charging device
CN105574562A (en) * 2015-12-09 2016-05-11 浪潮电子信息产业股份有限公司 Method for blocking USB port
CN105959255A (en) * 2016-01-08 2016-09-21 杭州迪普科技有限公司 Intrusion message shunting method and device
CN105893462A (en) * 2016-03-20 2016-08-24 百势软件(北京)有限公司 User network behavior analysis method and device
CN109271783A (en) * 2018-09-20 2019-01-25 珠海市君天电子科技有限公司 A kind of virus hold-up interception method, device and electronic equipment
CN110839021A (en) * 2019-10-29 2020-02-25 深圳市高德信通信股份有限公司 Communication transmission system capable of preventing information from being mistransmitted
CN110839021B (en) * 2019-10-29 2021-02-19 深圳市高德信通信股份有限公司 Communication transmission system capable of preventing information from being mistransmitted
CN115529145A (en) * 2021-06-25 2022-12-27 中国移动通信集团广东有限公司 Network security intrusion detection and protection system and method
US20240048506A1 (en) * 2022-08-08 2024-02-08 Bank Of America Corporation System and method for autonomous conversion of a resource format using machine learning

Similar Documents

Publication Publication Date Title
CN1578227A (en) Dynamic IP data packet filtering method
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN107241352B (en) Network security event classification and prediction method and system
US8650646B2 (en) System and method for optimization of security traffic monitoring
CN1655518A (en) Network security system and method
CN111431939B (en) CTI-based SDN malicious flow defense method
JP2020530638A (en) Malware Host NetFlow Analysis System and Method
CN114679338A (en) Network risk assessment method based on network security situation awareness
CN1889573A (en) Active decoy method and system
CN106850647B (en) Malicious domain name detection algorithm based on DNS request period
WO2009135396A1 (en) Network attack processing method, processing device and network analyzing and monitoring center
CN1697404A (en) System and method for detecting network worm in interactive mode
CN104022924A (en) Method for detecting HTTP (hyper text transfer protocol) communication content
KR100684602B1 (en) Corresponding system for invasion on scenario basis using state-transfer of session and method thereof
CN1738257A (en) Network intrusion detection system and method based on application protocol detection engine
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
CN112800424A (en) Botnet malicious traffic monitoring method based on random forest
CN115134250B (en) Network attack tracing evidence obtaining method
CN113904881B (en) Intrusion detection rule false alarm processing method and device
CN101039179A (en) Method and system for warning accurately intrusion detection
CN113079150A (en) Intrusion detection method for power terminal equipment
Gad et al. A distributed intrusion detection system using machine learning for IoT based on ToN-IoT dataset
CN113660267B (en) Botnet detection system, method and storage medium for IoT environment
CN1257632C (en) Firm gateway system and its attack detecting method
CN112104628B (en) Adaptive feature rule matching real-time malicious flow detection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication