CN1719780A - Invasion detecting system and method based on mobile agency - Google Patents


Info

Publication number: CN1719780A
Authority: CN (China)
Prior art keywords: host, network, event, controller, agent
Legal status: Granted (Expired - Fee Related)
Application number: CN 200510027781 (CNB2005100277814A)
Other languages: Chinese (zh)
Other versions: CN100450012C (en)
Inventors: 郑记, 王新
Current assignee: Fudan University
Original assignee: Fudan University
Application filed by Fudan University; published as CN1719780A, granted as CN100450012C

Abstract

This invention relates to an intrusion detection system and method based on mobile agents. The detection system, referred to as PIDS, is composed of a monitor, an executor, a controller, a coordinator, a vote agent, a result agent and a response agent. When a host running PIDS discovers suspicious behaviour, it initiates a voting process in which multiple peer hosts jointly decide whether the event is malicious; if it is, all hosts in the network are informed so that they can apply suitable measures and avoid loss. The system is characterised by the fact that a host that finds a virus informs the other hosts at once, that the network load is light, and that it can address the problem of distributed intrusion.

Description

An intrusion detection system and method based on mobile agents
Technical field
The invention belongs to the field of network security technology and specifically relates to a peer-to-peer intrusion detection system and method with self-learning capability.
Background
With the rapid development of the Internet and the expansion of network information, people depend more and more on networks, but networks have also made it easier for viruses to spread. Both the propagation speed of viruses and the extent of the damage they cause have increased greatly, and detecting them has become more difficult. How to effectively protect important information resources from theft and destruction has become a significant problem. The ideal approach is to prevent virus infection and hacker attacks and to upgrade systems in time. Neither antivirus software nor firewall technology addresses this well: antivirus software can only detect whether files are infected and repair damaged files, while a firewall can only block port connections and cannot distinguish legitimate connections from illegal intrusions. Traditional intrusion detection systems adopt a client/server (C/S) structure, in which the server load is heavy, the server is an easy target for attack, and once the server is compromised the whole system is paralysed. The peer-to-peer intrusion detection system and method based on mobile agent technology that we propose addresses these problems better.
Summary of the invention
The objective of the invention is to propose a detection system and method that can actively discover virus infections and network intrusions, so that the other hosts in the network can be informed in time and take measures to prevent data from being destroyed or stolen.
The detection system proposed by the present invention, which can actively discover viruses and network intrusions, consists of a monitor, an executor, a controller, a coordinator, a vote agent, a result agent and a response agent. It is a peer-to-peer intrusion detection system based on mobile agent technology, abbreviated PIDS. The monitor, executor, controller, coordinator, vote agent, result agent and response agent are all program components implemented with mobile agent technology; the monitor, executor, controller and coordinator are static, while the vote agent, result agent and response agent are dynamic and can move around the network. A mobile agent is a program that simulates human behaviour and relationships, has a degree of intelligence, and can move autonomously between homogeneous or heterogeneous network hosts to provide a corresponding service. The parts of the system are described below:
(1) The monitor is the basic unit of the system and is mainly responsible for detecting the security events that occur on the host. The system has several kinds of monitor, each responsible for one kind of security event, including monitoring system logs, file changes, port connections, system logins, searching for virus signatures, and so on. When a monitor finds that a security event has occurred, it immediately collects the event's characteristic information and reports it to the controller.
(2) The executor is also a basic unit of the system and is mainly responsible for carrying out the security-event handling tasks assigned by the controller. Likewise, each kind of executor is responsible for one kind of task, including removing viruses, repairing files, refusing connections, disconnecting from the network, and so on. Like the monitor, executors can be added and upgraded dynamically to adapt to the constant change of viruses and intrusions.
(3) The controller is the intermediate layer between the monitor, the executor and the coordinator. The controller analyses the security event information reported by the monitor against the local security knowledge base. If the controller can recognise the event, it sends an order directly to the executor, which carries out the handling procedure according to the controller's order. Otherwise the controller extracts the key information of the event from the security message, reports it to the coordinator, and requests that a voting process be initiated, so that several network nodes jointly monitor this type of event, reach a judgement, and take further action.
(4) The coordinator is the system's coordinating party. After receiving a request from the controller it is responsible for initiating the voting process, asking the other nodes in the network to decide jointly by vote whether the security event is malicious behaviour. If it is, all hosts are notified to take the necessary measures to avoid virus infection or network intrusion.
(5) The vote agent is a dynamic mobile agent. The coordinator achieves coordinated decision-making among several hosts by sending the vote agent to the other nodes in the network. The vote agent carries information about the suspicious event such as its features, source address and voting deadline; each host in the network votes on the suspicious event according to the situation on its own machine, and the coordinator counts the voting results and makes the final decision.
(6) The result agent is the mobile agent used to carry each host's voting result. After a host fills in its ballot in the result agent, it sends the result agent to the coordinator of the event-source host. For security reasons the voting results are encrypted.
(7) The response agent is the mobile agent that informs all hosts in the network of the final voting result. The coordinator of the event-source host counts the voting results; if more than half of the valid votes confirm the event, it is regarded as malicious behaviour and all hosts are notified to prepare a response.
The intrusion detection method based on mobile agents proposed by the present invention first requires all hosts to join a multicast group; the hosts in the group constitute a peer-to-peer network. The PIDS system recognises virus infections and network intrusions according to the knowledge base on each host, then removes the virus or resists the intrusion. If a host finds a suspicious event (possibly a new virus or a new intrusion pattern), it initiates a voting process in the network, and several hosts jointly judge whether the event is malicious behaviour. The concrete steps of the voting process are: first extract the relevant information, select a number of hosts at random within the group to formulate a migration route map, then send a mobile agent carrying the suspicious event information. The mobile agent moves to each host according to the route map; each host checks whether this type of event has been observed on its own machine and how often it has occurred, makes a judgement within a given time, and sends an agent carrying its voting result back to the event-source host. The PIDS system sets a safety coefficient for each security-related event. The coefficient changes dynamically with the frequency of the event; if the safety coefficient exceeds the threshold, the event is regarded as malicious behaviour, and PIDS votes according to the change of the event's safety coefficient within a certain period. The host that initiated the vote counts the voting results; if the number of votes exceeds half, the event is regarded as malicious behaviour. If it is regarded as malicious behaviour, all hosts in the network are informed to take suitable safety measures.
In the present invention, all hosts join a multicast group. A newly added host notifies the other hosts by a multicast message, and the hosts that receive the message reply, thereby announcing their own existence and discovering all hosts in the group.
The characteristics of the present invention are: fast response, since a host that finds a virus immediately notifies the other hosts in the network, avoiding losses such as destroyed files or stolen data; the voting process is initiated only when suspicious behaviour is discovered, so the network load is very small, while the distributed intrusion problem can still be solved; and the delay and network load grow only slightly with network size, so the system is suitable for large-scale networks.
Description of drawings
Fig. 1 is the PIDS working-principle diagram.
Fig. 2 is the PIDS workflow diagram.
Fig. 3 is the working principle of the "autonomous LAN virus-killing system".
Reference numbers in the figures: 1 is the monitor, 2 the executor, 3 the controller, 4 the coordinator, 5 the vote agent, 6 the result agent and 7 the response agent.
Embodiments
In the present invention, the components monitor, executor, controller, coordinator, vote agent, result agent and response agent are interrelated and interdependent and form a complete, layered system. Monitor 1 and executor 2 are the most basic units of the PIDS system: the monitor watches the activities on the node and catches abnormal events, the executor is the component that carries out operations such as removing viruses, repairing files and disconnecting network connections, and both are bottom-layer units under the controller.
As shown in Fig. 1, if controller 3 on host A reports to coordinator 4 that a suspicious event has occurred, coordinator 4 selects a number of hosts in the network at random (for example B and C), formulates a route map, and sends into the network a vote agent 5 carrying the information about the suspicious event. Vote agent 5 moves through the network according to the route map and asks the other hosts (B, C) to monitor the activity of this type of event on their own machines; each host dynamically updates the event's safety coefficient according to how often the event occurs, and when the safety coefficient exceeds the threshold the event is judged to be malicious behaviour. The safety coefficient does not change in proportion to the event frequency; instead it grows faster and faster as the frequency increases, so that the system responds more promptly. For example, the safety coefficient of a certain event may change as {1/10, 1/8, 1/6, 1/4, 1/2, 1}: when this type of event occurs for the first time within a given period the coefficient is 1/10; it becomes 1/8 the second time, 1/6 the third time, 1/4 the fourth time, 1/2 the fifth time, and 1 the sixth time, which meets the system's safety threshold, and the malicious behaviour is confirmed. Conversely, if the event frequency gradually decreases, the safety coefficient decreases with it, quickly at first and then in smaller and smaller steps. Within a given time range (decided by the requirement carried in the vote agent), the other hosts (B, C) send result agents 6 carrying their vote information to host A. Host A, which initiated the vote, counts the voting results; if more than half of the valid votes confirm the event, it is regarded as malicious behaviour and response agent 7 is sent to notify all hosts in the network to take appropriate action.
Based on the mobile-agent intrusion detection method we designed an "autonomous LAN virus-killing system". In this case (see Fig. 3) several hosts (S, A, B, C, D) form a simple LAN, each host has a copy of the "autonomous LAN virus-killing system" software installed, and the software adopts the basic framework of Fig. 1. Its working mechanism is introduced below through the autonomous detection of a Code Red virus variant by this system:
(1) The "Code Red virus monitor" of the system on host S detects a suspicious event whose signature information resembles that of the Code Red virus. The monitor collects the characteristic information of the suspected virus and passes it to the controller in the upper layer of the local system. The controller cannot confirm it from the knowledge base on this machine, so after simple extraction and processing of the collected information it passes the information on to the coordinator, which immediately sends a "vote agent" to hosts A, B, C and D in the network requesting assistance, thereby initiating the voting process.
(2) The systems on A, B, C and D that receive the "vote agent" monitor the activity of this type of event on their own machines and, within a given time (the voting time limit is set in the vote agent by the system that initiated the voting process), vote on the safety of the event. The system sets the initial safety coefficient of this suspicious event as {1/10 (1 occurrence), 1/8 (2), 1/6 (3), 1/4 (4), 1/2 (5), 1 (6)}: if the suspicious event occurs once within a certain period (one minute here) the safety coefficient is 1/10, twice 1/8, and when it occurs six times the coefficient becomes 1, which is exactly the threshold, and the system casts a confirming vote. The vote information is placed in the result agent, and the result agent passes it to the suspicious event's source host.
(3) The source host system counts the voting results; if more than half of the valid votes confirm the event, it is regarded as malicious behaviour, and a response agent is sent to inform each host in the network to take the corresponding safety measures. In addition, each host can notify the others and transmit system upgrade patches to them, completing the system upgrade as fast as possible and preventing the virus from infecting the whole network.
(4) Tests show that the system's virus detection rate is above 98%. Compared with traditional systems it has the advantages of being intelligent, reacting quickly, having a small network load and being suitable for large-scale networks.
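The voting round described in the summary and in the embodiment above, written out as an added Python simulation (this is not code from the patent): the coefficient ladder {1/10, 1/8, 1/6, 1/4, 1/2, 1} over a one-minute window, a random migration route, the deadline carried by the vote agent, and the more-than-half-of-valid-votes rule. The host names, the `latency` field, the signature label and the `demo` scenario are constructed assumptions; the encryption of result agents that the patent mentions is left out.

```python
"""Simulation of one PIDS voting round: safety-coefficient ladder, random
migration route of peer hosts, vote agent with deadline, majority decision."""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Coefficient ladder from the embodiment: each occurrence of the same event
# type inside the time window moves one rung up; rung six (1.0) is the threshold.
LADDER = [1 / 10, 1 / 8, 1 / 6, 1 / 4, 1 / 2, 1.0]
THRESHOLD = 1.0
WINDOW = 60.0  # seconds; the embodiment uses one minute


@dataclass
class EventTracker:
    """Occurrence times of one event signature on one host."""
    times: List[float] = field(default_factory=list)

    def observe(self, now: float) -> float:
        self.times.append(now)
        return self.coefficient(now)

    def coefficient(self, now: float) -> float:
        # Only occurrences inside the window count, so the coefficient falls
        # back down the ladder as the event rate decays.
        self.times = [t for t in self.times if now - t <= WINDOW]
        n = len(self.times)
        return LADDER[min(n, len(LADDER)) - 1] if n else 0.0


@dataclass
class VoteAgent:
    """Payload of the mobile vote agent: event feature, source, deadline, route."""
    signature: str
    source: str
    deadline: float
    route: List[str]


@dataclass
class Host:
    name: str
    latency: float = 0.0  # assumed seconds until its result agent reaches the source
    trackers: Dict[str, EventTracker] = field(default_factory=dict)

    def observe(self, signature: str, now: float) -> float:
        return self.trackers.setdefault(signature, EventTracker()).observe(now)

    def vote(self, agent: VoteAgent, now: float) -> Optional[bool]:
        """Fill the result agent: True confirms malicious behaviour, False
        rejects, None means the reply misses the deadline (not a valid vote)."""
        if now + self.latency > agent.deadline:
            return None
        tracker = self.trackers.get(agent.signature)
        return tracker is not None and tracker.coefficient(now) >= THRESHOLD


def initiate_vote(source: Host, hosts: Dict[str, Host], signature: str,
                  now: float, sample: int, rng: random.Random) -> Tuple[bool, int, int]:
    """Coordinator on `source`: pick `sample` peers at random as the route,
    collect result agents, decide by more than half of the valid votes.
    Returns (malicious, confirm_votes, valid_votes)."""
    peers = [n for n in hosts if n != source.name]
    agent = VoteAgent(signature, source.name, now + WINDOW, rng.sample(peers, sample))
    ballots = [hosts[hop].vote(agent, now) for hop in agent.route]
    valid = [b for b in ballots if b is not None]
    confirms = sum(valid)
    return confirms > len(valid) / 2, confirms, len(valid)


def demo() -> Tuple[bool, int, int]:
    """Constructed scenario: S sees a Code Red-like signature six times in a
    minute; A, B and D see it as often, C only twice, D replies too late."""
    hosts = {n: Host(n) for n in "SABC"}
    hosts["D"] = Host("D", latency=120.0)
    sig = "codered-variant"  # constructed signature label, not a real indicator
    for t in range(6):
        for name in ("S", "A", "B", "D"):
            hosts[name].observe(sig, 10.0 * t)
    for t in (0.0, 10.0):
        hosts["C"].observe(sig, t)
    return initiate_vote(hosts["S"], hosts, sig, 50.0, 4, random.Random(1))
```

In `demo`, A and B confirm, C rejects (its coefficient is only 1/8) and D's reply arrives after the deadline, so the decision is 2 of 3 valid votes and the event is declared malicious.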

Claims (2)

1. An intrusion detection system based on mobile agents, designated the PIDS system, characterised in that it is composed of the program components monitor, executor, controller, coordinator, vote agent, result agent and response agent, wherein the monitor, executor, controller and coordinator are static, and the vote agent, result agent and response agent are dynamic and can move around the network, as follows:
(1) the monitor is the basic unit of the system and is mainly responsible for detecting the security events that occur on the host; the system has several kinds of monitor, each responsible for one kind of security event, including monitoring system logs, file changes, port connections, system logins, searching for virus signatures, and so on; when a monitor finds that a security event has occurred, it immediately collects the event's characteristic information and reports it to the controller;
(2) the executor is also a basic unit of the system and is mainly responsible for carrying out the security-event handling tasks assigned by the controller; each kind of executor is responsible for one kind of task, including removing viruses, repairing files, refusing connections, disconnecting from the network, and so on; executors can be added and upgraded dynamically to adapt to the constant change of viruses and intrusions;
(3) the controller is the intermediate layer between the monitor, the executor and the coordinator; the controller analyses the security event information reported by the monitor against the local security knowledge base; if the controller can recognise the event, it sends an order directly to the executor, which carries out the handling procedure according to the controller's order; otherwise the controller extracts the key information of the event from the security message, reports it to the coordinator, and requests that a voting process be initiated, so that several network nodes jointly monitor this type of event, reach a judgement, and take further action;
(4) the coordinator is the system's coordinating party, responsible for initiating the voting process after receiving a request from the controller and asking the other nodes in the network to decide jointly by vote whether the security event is malicious behaviour; if it is, all hosts are notified to take the necessary measures to avoid virus infection or network intrusion;
(5) the vote agent is a dynamic mobile agent; the coordinator achieves coordinated decision-making among several hosts by sending the vote agent to the other nodes in the network; the vote agent carries information about the suspicious event such as its features, source address and voting deadline; each host in the network votes on the suspicious event according to the situation on its own machine, and the coordinator counts the voting results and makes the final decision;
(6) the result agent is the mobile agent used to carry each host's voting result; after a host fills in its ballot in the result agent, it sends the result agent to the coordinator of the event-source host;
(7) the response agent is the mobile agent that informs all hosts in the network of the final voting result; the coordinator of the event-source host counts the voting results, and if more than half of the valid votes confirm the event, it is regarded as malicious behaviour and all hosts are notified to prepare a response.
2. An intrusion detection method based on mobile agents, characterised in that all hosts are first required to join a multicast group, the hosts in the group constituting a peer-to-peer network; the PIDS system recognises virus infections and network intrusions according to the knowledge base on each host, then removes the virus or resists the intrusion; if a host finds a suspicious event, the host initiates a voting process in the network and several hosts jointly judge whether the event is malicious behaviour; the concrete steps of the voting process are: first extract the relevant information, select a number of hosts at random within the group to formulate a migration route map, then send a mobile agent carrying the suspicious event information; the mobile agent moves to each host according to the route map, each host checks whether this type of event has been observed on its own machine and how often it has occurred, makes a judgement within a given time, and sends an agent carrying its voting result to the event-source host; the PIDS system sets a safety coefficient for each security-related event, the coefficient changing dynamically with the event frequency, and if the safety coefficient exceeds the threshold the event is regarded as malicious behaviour, PIDS voting according to the change of the event's safety coefficient within a certain period; the host that initiated the vote counts the voting results and, if the number of votes exceeds half, regards the event as malicious behaviour; if it is regarded as malicious behaviour, all hosts in the network are informed to take suitable safety measures.
Priority Applications (1)

Application Number: CNB2005100277814A
Priority Date: 2005-07-15
Filing Date: 2005-07-15
Title: Invasion detecting system and method based on mobile agency
Status: Expired - Fee Related
Granted as: CN100450012C (en)

Publications (2)

Publication Number Publication Date
CN1719780A true CN1719780A (en) 2006-01-11
CN100450012C CN100450012C (en) 2009-01-07

Family

Family ID: 35931512
Country status: CN (1), CN100450012C (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231682B (en) * 2007-01-26 2011-01-26 李贵林 Computer information safe method
CN101127580B (en) * 2006-08-18 2011-06-22 富士通株式会社 Node device, control device, and control method
CN101685483B (en) * 2008-09-22 2011-07-20 成都市华为赛门铁克科技有限公司 Method and device for extracting virus feature code
CN101621427B (en) * 2008-07-04 2011-12-28 阿尔卡特朗讯 Anti-intrusion method and system for a communication network
CN101674324B (en) * 2009-09-23 2012-05-23 南京邮电大学 Multiple-mobile-agent credible interaction method for information acquisition system in open network
WO2014132157A1 (en) * 2013-02-26 2014-09-04 International Business Machines Corporation Trust-based computing resource authorization in a networked computing environment
CN109729084A (en) * 2018-12-28 2019-05-07 福建工程学院 A kind of network safety event detection method based on block chain technology
CN111052005A (en) * 2017-11-24 2020-04-21 欧姆龙株式会社 Control device and control system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1160899C (en) * 2002-06-11 2004-08-04 华中科技大学 Distributed dynamic network security protecting system
CN100414868C (en) * 2003-06-24 2008-08-27 北京邮电大学 Data merging mechanism for large distributive intrusion inspecting system
JP4201263B2 (en) * 2003-10-27 2008-12-24 日本電信電話株式会社 Intrusion detection system and recording medium
CN1300982C (en) * 2003-12-05 2007-02-14 中国科学技术大学 Hierarchical cooperated network virus and malice code recognition method



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20110715