CN1791021A - Intrusion detecting system and network apparatus linking system and method - Google Patents


Info

Publication number
CN1791021A
Authority
CN
China
Prior art keywords
linkage
packets
ids
network
group
Legal status
Granted
Application number
CNA2005101323307A
Other languages
Chinese (zh)
Other versions
CN100393047C (en)
Inventor
李开银
汪翰林
陈冰
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
Hangzhou Huawei 3Com Technology Co Ltd


Abstract

The invention discloses a system comprising: an IDS, which detects whether a data flow contains attack packets and, when it does, sends linkage packets to the devices below it; and a network device linkage group containing at least one network device, which receives the data flow and mirrors it to the IDS. A corresponding method is also disclosed. The invention makes linkage control much finer-grained, and allows a linkage strategy to be defined for each attack type.

Description

An intrusion detection system and network equipment linkage system and method
Technical field
The present invention relates to the field of network security technology, and more specifically to an intrusion detection system (IDS) and network equipment linkage system and method.
BACKGROUND
With the rapid development of computer technology, networks play an increasingly important role in people's daily life, study and work, and a variety of network services have become popular in both office and home life. While networks bring great convenience, network security problems also attract more and more attention. Currently, network attacks of endless variety cause great harm to network security: they often cause machine failures and network paralysis, and usually bring substantial economic losses as well. Common network attacks today are mainly worm propagation, password theft and virus attacks. ...
An IDS collects and analyses information at a number of key points in a computer network or computer system in order to discover whether the network or system shows behaviour that violates the security policy or signs of being attacked. However, an IDS on its own cannot guarantee good network security. For example, if switches, routers and other network devices are only responsible for transmitting data, then even if the IDS can detect attack packets it cannot block their transmission.
Therefore, if the network devices and the IDS can be linked so as to form a unified network platform, and the propagation paths of various network attacks can then be cut off on that unified platform, network security can clearly be better guaranteed.
Figure 1 is a networking diagram of prior-art IDS and network device linkage. As shown in Figure 1, when an attacker attempts to attack the enterprise data center, the switch mirrors the traffic sent by the attacker to the IDS device through a configured mirror port; the IDS device analyses the data flow and, when it finds attack packets in the data stream, assembles the characteristics of the packets that need to be blocked or rate-limited into Simple Network Management Protocol (SNMP) packets and sends them to the switch; the switch then issues access control list (ACL) rules to its own specific port according to the packet characteristics sent by the IDS, thereby blocking the attack packets. ...
In the existing IDS and network device linkage technique, when attack packets are detected the IDS sends linkage packets to all linkage devices to perform linkage; it cannot select a few of the linkage devices to send linkage packets to. Linkage control is therefore not refined, and the linkage is rather blind. In fact, once attack packets are detected it is not necessarily the case that all linkage devices need to perform linkage; for example, only the linkage devices on a certain network segment, or only linkage devices of a certain type, may need to do so. In addition, the existing linkage technique only implements linkage control at the level of the network device, not at the level of a specific interface. ...
Furthermore, the linkage performed in the prior art only supports blocking data streams, not rate-limiting them. However, in many cases the data stream only needs to be limited, not completely blocked; for example, when the attacking machine transfers files by FTP to a device in the enterprise data center, it may be sufficient to limit the rate of the FTP flow rather than block it.
SUMMARY OF THE INVENTION
In view of this, the main object of the present invention is to provide an IDS and network equipment linkage system that makes the linkage between the IDS and the network equipment more refined.
Another object of the present invention is to provide an IDS and network equipment linkage method that makes the linkage between the IDS and the network equipment more refined.
To achieve the above objects, the technical solution of the present invention is as follows:
An IDS and network equipment linkage system, comprising: an IDS for detecting whether a data flow contains attack packets; and a network equipment linkage group including at least one network device;
wherein the network device receives a data stream and mirrors the data stream to the IDS, and when the IDS detects that the received data stream contains attack packets, it sends linkage packets to each network device in the network equipment linkage group.
The linkage system further includes a management center for receiving alarm information sent by the IDS when it detects attack packets.
The network devices within a network equipment linkage group are configured with the same attributes.
The attributes include: a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and at least one rate-limiting type.
A linkage policy table is set within the IDS; the linkage policy table contains the linkage strategy corresponding to each type of attack packet.
When the IDS detects attack packets, it further queries the linkage policy table for the linkage strategy corresponding to the type of the attack packets, and sends linkage packets containing that linkage strategy.
The network devices in a network equipment linkage group are on the same network segment.
The network devices in a network equipment linkage group are of the same model.
An IDS and network equipment linkage method, in which network devices are assigned in advance to network equipment linkage groups according to a pre-defined rule; the method further comprises:
A. a network device receives a data stream and mirrors the data stream to the IDS;
B. the IDS detects whether the data stream contains attack packets, and when it does, sends linkage packets to each network device in the network equipment linkage group to which the network device that mirrored the data stream belongs;
C. the network devices process the data stream containing the attack packets according to the linkage packets.
Network devices assigned to the same linkage group are configured with the same attributes.
The attributes include: a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and at least one rate-limiting type.
Further, a linkage policy table is pre-configured within the IDS; the table contains the linkage strategy corresponding to each type of attack packet.
In step B, when the IDS detects attack packets, it further queries the linkage policy table for the linkage strategy corresponding to the type of the attack packets and sends linkage packets containing that linkage strategy; in step C, the network devices apply the linkage strategy to process the data stream containing the attack packets.
Step C is as follows: the data stream containing the attack packets is blocked or rate-limited.
Rate-limiting the data stream means: limiting the total traffic of multiple data streams of the same type, or limiting the traffic of each data stream individually.
Further, a linkage group master switch is set in advance; in step B, when the IDS detects attack packets, it further determines the state of the linkage group master switch; when the master switch is on, it sends linkage packets to each network device in the network equipment linkage group to which the mirroring network device belongs; when the master switch is off, no linkage packets are sent.
Further, an enable switch is set in advance for each linkage group; in step B, when the IDS detects attack packets, it further determines the state of the enable switch of the linkage group to which the mirroring network device belongs; when the group's enable switch is on, it sends linkage packets to each network device in the group; when the group's enable switch is off, no linkage packets are sent.
Further, a linkage group whitelist is set in advance; in step B, when the IDS detects attack packets, it further determines whether the source address or destination address of the attack packets is on the whitelist; when it is not, it sends linkage packets to each network device in the linkage group; when it is, no linkage packets are sent.
Further, a linkage group protected interface list is set in advance; in step B, when the IDS detects attack packets, it further determines whether the attack packets came from an interface on the protected interface list; if so, it sends linkage packets to each network device in the linkage group; if not, no linkage packets are sent.
Further, a linkage group protected IP address list is set in advance; in step B, when the IDS detects attack packets, it further determines whether the source or destination address of the attack packets is in the linkage group's protected IP address list; when it is, it sends linkage packets to each network device in the linkage group; when it is not, no linkage packets are sent.
The pre-defined rule is: network devices on the same network segment are assigned to the same network equipment linkage group.
The pre-defined rule may also be: network devices of the same type are assigned to the same network equipment linkage group.
The linkage packets are encapsulated in TLV format.
When step B determines that the data stream contains attack packets, it is further determined whether the attack packets carry a virtual LAN (VLAN) tag; if so, linkage packets are sent to the network devices of that VLAN that have IDS-ACL (access control list) enabled; if not, the process ends.
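As an added illustration (not the patent's own code), the following Python groups devices by the same-segment rule and then applies the master switch, enable switch, whitelist, protected interface list and protected IP address list checks described above to decide which devices receive a linkage packet. The device names, addresses and interface names are constructed; the order of the checks, and treating an unconfigured (empty) list as "check not applied", are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LinkageGroup:
    """Attributes shared by every device in one group, as listed in the summary."""
    name: str
    members: list                                              # network device names
    enable_switch: bool = True                                 # linkage group enable switch
    protected_interfaces: set = field(default_factory=set)     # protected interface list
    protected_ips: list = field(default_factory=list)          # protected IP address list (networks)
    whitelist: list = field(default_factory=list)              # whitelist (trusted networks)


def assign_groups(devices):
    """Pre-defined rule from the patent: devices on the same network segment form one group.
    `devices` maps a device name to its address with prefix length (constructed input)."""
    groups = {}
    for name, addr in devices.items():
        segment = str(ipaddress.ip_interface(addr).network)
        groups.setdefault(segment, LinkageGroup(name=segment, members=[])).members.append(name)
    return groups


def _in_any(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def linkage_targets(groups, master_switch, mirroring_device, attack):
    """Return (devices that receive the linkage packet, reason).

    `attack` carries the source/destination addresses and the ingress interface of the
    attack packets. An empty list/set means that list was not configured (assumption)."""
    if not master_switch:
        return [], "linkage group master switch is off"
    group = next((g for g in groups.values() if mirroring_device in g.members), None)
    if group is None:
        return [], "mirroring device belongs to no linkage group"
    if not group.enable_switch:
        return [], "enable switch of group %s is off" % group.name
    if _in_any(attack["src"], group.whitelist) or _in_any(attack["dst"], group.whitelist):
        return [], "source or destination address is on the whitelist"
    if group.protected_interfaces and attack["ingress_if"] not in group.protected_interfaces:
        return [], "attack packets did not arrive on a protected interface"
    if group.protected_ips and not (_in_any(attack["src"], group.protected_ips)
                                    or _in_any(attack["dst"], group.protected_ips)):
        return [], "neither address is in the protected IP address list"
    return list(group.members), "linkage packets sent to every device in group %s" % group.name


# Constructed topology after Figure 2: two devices share a segment, a third sits elsewhere.
DEVICES = {"dev203": "192.168.1.2/24", "dev204": "192.168.1.3/24", "dev205": "192.168.2.2/24"}
# Constructed attack characteristics as the IDS would extract them from the mirrored stream.
ATTACK = {"src": "203.0.113.7", "dst": "192.168.1.50", "ingress_if": "GE1/0/1"}

if __name__ == "__main__":
    print(linkage_targets(assign_groups(DEVICES), True, "dev203", ATTACK))
```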
It can be seen from the above technical solution that, in the present invention, network devices are divided into linkage groups, and the IDS sends linkage packets only to the network equipment linkage group to which the network device that mirrored the data stream containing the attack packets belongs, rather than to all network devices; this makes the linkage between the IDS and the network devices more refined. Moreover, by opening or closing the linkage group master switch, the user can uniformly control whether all network devices as a whole participate in linkage; by opening or closing a linkage group's enable switch, the user can uniformly control whether each linkage group as a whole participates in linkage; by setting a linkage group's protected IP address list, the user can specify the IP addresses to be protected by linkage; by setting a linkage group's whitelist, the user can exempt packets from fully trusted addresses from linkage; and by setting a linkage group's protected interface list, the user can refine linkage control down to the interface, thus protecting interfaces more precisely. ...
Meanwhile, the present invention encapsulates the linkage packets in TLV format, so the linkage strategy can be configured and new linkage strategies can be added easily.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a networking diagram of prior-art IDS and network device linkage;
Figure 2 is a networking diagram of an exemplary IDS and network device linkage system according to the present invention;
Figure 3 is a flow diagram of an exemplary IDS and network device linkage method according to the present invention;
Figure 4 is a schematic flow diagram of an IDS and network device linkage method according to an embodiment of the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The main idea of the present invention is: network devices are divided into network equipment linkage groups in advance; when a network device receives a data stream, it mirrors the data stream to the IDS; the IDS detects whether the data stream contains attack packets and, when it does, sends linkage packets to each network device in the network equipment linkage group to which the mirroring network device belongs; and the network devices in that linkage group process the data stream according to the linkage packets.
Figure 2 is a schematic diagram of the network structure of an exemplary IDS and network equipment linkage system according to the present invention. The system comprises network device 203, network device 204, network device 205 and IDS 202.
Network device 203, network device 204 and network device 205 each receive data streams and mirror them to IDS 202. Of these, network devices 203 and 204 form network equipment linkage group 200, while network device 205 belongs to no linkage group. IDS 202 analyses the data stream mirrored by each network device to detect whether it contains attack packets. When attack packets are detected, IDS 202 sends linkage packets to each network device in the network equipment linkage group to which the mirroring network device belongs, in response to the attack packets. For example, in Figure 2, when attacker 201 sends a data stream to network device 203, network device 203 first mirrors the data stream to IDS 202 through its mirror port; IDS 202 analyses the data stream mirrored by network device 203, finds that it contains attack packets, and sends linkage packets to the whole of linkage group 200, the linkage packets containing the characteristics of the attack packets and the linkage strategy for them; then all the network devices in linkage group 200, that is, network devices 203 and 204, issue ACL rules to specific ports according to the characteristics of the attack packets and the linkage strategy, thereby blocking or rate-limiting the attack packets. ...
Preferably, after the IDS detects attack packets it further analyses their type and, according to the result of the analysis, sends the network devices linkage packets containing the linkage strategy corresponding to that attack type. In other words, the IDS configures different linkage strategies according to the type of attack packet. For example, for the same linkage device, when a DoS attack is detected IDS 202 may send linkage packets that block the source address for 1000 seconds, whereas when a buffer overflow attack is detected IDS 202 sends linkage packets that block the data stream for 100 seconds. Because IDS 202 sends the network device linkage packets corresponding to the attack type, the network device can perform different response operations on the data stream depending on the type of attack. A network device may block the data stream containing the attack packets completely, or rate-limit it. When rate-limiting, it may limit the total traffic of multiple data streams of the same type, or limit the traffic of each data stream individually. ...
A linkage policy table may also be configured within IDS 202; the linkage policy table contains the linkage strategy corresponding to each type of attack packet. When IDS 202 detects attack packets, it queries the linkage policy table for the linkage strategy corresponding to the type of the attack packets and sends linkage packets containing that linkage strategy. Before sending linkage packets, IDS 202 needs to encapsulate them: the linkage packets encapsulate the characteristics of the attack packets and the linkage strategy, preferably in TLV format. Within the linkage strategy, the various linkage policy options are encapsulated in TLV format; each linkage policy option contains one or more binary TLV fields, issued according to the option number. Here T (type) is 1 byte, L (length) is 1 byte, and the length of V (value) is determined by L. Because the linkage packets are encapsulated in TLV format, new linkage policy options are easy to add: when a new linkage option is needed, it is only necessary to add it to the list of linkage options and define a new TLV. Each TLV field consists of two parts, flow parameters and operating parameters, listed in Table 1. ...
Flow parameters

Seq  Flow parameter                      T   L   Explanation
1    Terminator                          0   0   Identifies the end of the flow parameters
2    Source MAC address                  1   6
3    Destination MAC address             2   6
4    VLAN TAG                            3   2   Network byte order; carries the VLAN information of the linkage message; the switch should issue the ACL rules only to physical interfaces belonging to this VLAN
5    Source IP address (IPv4)            4   4
6    Source IP address mask (IPv4)       5   4   Normal mask; for example 255.255.255.255 denotes a host mask
7    Destination IP address (IPv4)       6   4
8    Destination IP address mask (IPv4)  7   4   Normal mask; for example 255.255.255.255 denotes a host mask
9    Source IP address (IPv6)            8   16
10   Source IP address mask (IPv6)       9   16
11   Destination IP address (IPv6)       10  16
12   Destination IP address mask (IPv6)  11  16
13   Source port                         12  2   Network byte order; layer 4 port number
14   Destination port                    13  2   Network byte order; layer 4 port number
15   ICMP packet TYPE                    14  1   ICMP packet type
16   ICMP packet CODE                    15  1   ICMP message code
17   Protocol type                       16  1   ICMP is 1, IP is 0, TCP is 6, UDP is 17; the layer 3 protocol type (transport-layer protocol), as defined by the standard protocol field of the IP header

Operating parameters

Seq  Operating parameter   T   L   Explanation
1    Terminator            0   0   Identifies the end of the operating parameters
2    Effective time        1   4   Network byte order, in seconds; if this parameter is absent, the block lasts forever
3    Flow control rate     2   4   Network byte order, in kbps, used for flow control; streams with the same class ID share this rate as the total flow of the class
4    Class ID              3   4   Network byte order; flow control identifier. Streams with the same class ID share a common total flow threshold: the same "class ID" represents the same type of flow, and one "class ID" may contain different "stream IDs". In the extreme case each class contains only one stream, and the rate threshold then limits that single stream.

Table 1
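As an added worked example (not code from the patent or its assignee), the following Python builds a linkage packet on the IDS side from a per-attack-type policy table and parses it on the receiving side, using the option numbers and value lengths of Table 1. The packet layout assumed here (flow-parameter TLVs, then operating-parameter TLVs, each section closed by the terminator), the policy table entries and the hypothetical `ftp_abuse` entry are assumptions modelled on the description, not the patent's own definitions.

```python
import ipaddress
import struct

# Option numbers (T) and value lengths (L) from Table 1 of the patent; 0 is the terminator.
FLOW_SRC_IP4, FLOW_SRC_MASK4, FLOW_DST_IP4, FLOW_DST_MASK4 = 4, 5, 6, 7
FLOW_SRC_PORT, FLOW_DST_PORT, FLOW_PROTO = 12, 13, 16
FLOW_LENGTHS = {1: 6, 2: 6, 3: 2, 4: 4, 5: 4, 6: 4, 7: 4, 8: 16, 9: 16,
                10: 16, 11: 16, 12: 2, 13: 2, 14: 1, 15: 1, 16: 1}
OP_EFFECTIVE_TIME, OP_RATE_KBPS, OP_CLASS_ID = 1, 2, 3
OP_LENGTHS = {1: 4, 2: 4, 3: 4}
TERMINATOR = 0
HOST_MASK = ipaddress.IPv4Address("255.255.255.255").packed  # the "host mask" of Table 1


def encode_tlv(t, value):
    """One TLV: T is 1 byte, L is 1 byte, V is L bytes."""
    if not (0 <= t <= 255 and len(value) <= 255):
        raise ValueError("T and L are single bytes")
    return struct.pack("!BB", t, len(value)) + value


def encode_linkage_packet(flow_params, op_params):
    """Assumed layout: flow-parameter TLVs, terminator, operating-parameter TLVs, terminator."""
    out = bytearray()
    for t, v in flow_params:
        out += encode_tlv(t, v)
    out += encode_tlv(TERMINATOR, b"")
    for t, v in op_params:
        out += encode_tlv(t, v)
    out += encode_tlv(TERMINATOR, b"")
    return bytes(out)


def _parse_section(buf, pos, lengths):
    """Parse TLVs up to the terminator; reject unknown options, wrong lengths and truncation."""
    items = {}
    while True:
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!BB", buf, pos)
        pos += 2
        if t == TERMINATOR:
            if length != 0:
                raise ValueError("terminator must carry L=0")
            return items, pos
        if t not in lengths or length != lengths[t]:
            raise ValueError("option %d with L=%d is not a Table 1 option" % (t, length))
        if pos + length > len(buf):
            raise ValueError("truncated TLV value")
        items[t] = bytes(buf[pos:pos + length])
        pos += length


def decode_linkage_packet(buf):
    """Receiving side: what the switch parses before it issues its ACL rules."""
    flow, pos = _parse_section(buf, 0, FLOW_LENGTHS)
    ops, pos = _parse_section(buf, pos, OP_LENGTHS)
    if pos != len(buf):
        raise ValueError("trailing bytes after the operating parameters")
    return flow, ops


def is_well_formed(buf):
    try:
        decode_linkage_packet(buf)
        return True
    except ValueError:
        return False


def linkage_action(ops):
    """A rate option means rate-limit, otherwise block; no effective time means block forever."""
    u32 = lambda key: struct.unpack("!I", ops[key])[0] if key in ops else None
    if OP_RATE_KBPS in ops:
        return ("limit", u32(OP_RATE_KBPS), u32(OP_CLASS_ID), u32(OP_EFFECTIVE_TIME))
    return ("block", u32(OP_EFFECTIVE_TIME))


# Constructed linkage policy table keyed by attack type, after the patent's examples (DoS: block
# the source address for 1000 s; buffer overflow: block the stream for 100 s) plus a hypothetical
# FTP entry that is rate-limited instead of blocked.
POLICY_TABLE = {
    "dos":             {"tuple": "src",  "seconds": 1000},
    "buffer_overflow": {"tuple": "five", "seconds": 100},
    "ftp_abuse":       {"tuple": "five", "seconds": 600, "kbps": 512, "class_id": 1},
}


def build_linkage_packet(attack_type, src_ip, dst_ip, src_port, dst_port, proto):
    """IDS side: look up the strategy for the attack type and encapsulate it as TLVs."""
    policy = POLICY_TABLE[attack_type]
    flow = [(FLOW_SRC_IP4, ipaddress.IPv4Address(src_ip).packed), (FLOW_SRC_MASK4, HOST_MASK)]
    if policy["tuple"] == "five":  # the five-tuple defined in the description
        flow += [(FLOW_DST_IP4, ipaddress.IPv4Address(dst_ip).packed), (FLOW_DST_MASK4, HOST_MASK),
                 (FLOW_SRC_PORT, struct.pack("!H", src_port)),
                 (FLOW_DST_PORT, struct.pack("!H", dst_port)),
                 (FLOW_PROTO, struct.pack("!B", proto))]
    ops = [(OP_EFFECTIVE_TIME, struct.pack("!I", policy["seconds"]))]
    if "kbps" in policy:
        ops += [(OP_RATE_KBPS, struct.pack("!I", policy["kbps"])),
                (OP_CLASS_ID, struct.pack("!I", policy["class_id"]))]
    return encode_linkage_packet(flow, ops)
```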
The user can configure the linkage strategy visually through the Web configuration; once configured, the linkage strategy is written into the linkage policy table, and the linkage policy table is stored in the linkage policy database for convenient query and use. Meanwhile, rate-limiting support is added to the linkage strategy: for a given attack, the user can choose blocking or rate-limiting. Preferably, the linkage strategy can be specified to support the VLAN tag function; if this function is specified, then for packets carrying a VLAN tag the linkage device issues linkage rules only to the IDS-ACL-enabled ports of that VLAN. When configuring the linkage strategy, it can further be decided whether to block the full seven-tuple or the five-tuple; the seven-tuple comprises the source MAC address, destination MAC address, source IP address, destination IP address, source port, destination port and protocol type, and the five-tuple comprises the source IP address, destination IP address, source port, destination port and protocol type. ...
Specifically, the network devices may be switches or routers, each connected to a data center and exchanging data streams with the data center it is connected to. In Figure 2, network device 203 is connected to data center 206, network device 204 to data center 207, and network device 205 to data center 208.
The linkage system may further include a management center 209: when the IDS detects attack packets, it sends alarm information to management center 209, so that management center 209 knows which data center is being attacked by attack packets.
The IDS and network equipment linkage system of the present invention has been described above; the IDS and network equipment linkage method of the present invention is described below.
Figure 3 is a schematic flow diagram of an exemplary IDS and network equipment linkage method according to the present invention. In this method, at least one network device is placed in advance in a network equipment linkage group; preferably, network devices on the same network segment, or network devices of the same type, are placed in the same linkage group. As shown in Figure 3, the method comprises the following steps:
Step 301: a network device receives a data stream and mirrors the data stream to the IDS;
Here, the network device receives the data stream and then mirrors it to the IDS through the mirror port connected to the IDS. Preferably, the network device is a switch or router with a data exchange function. When an attacker sends attack packets, the data stream must pass through a switch or router to reach the data center, and that switch or router forwards a mirror of the data stream to the IDS.
Step 302: the IDS detects whether the data stream contains attack packets, and when it does, sends linkage packets to each network device in the network equipment linkage group to which the mirroring network device belongs;
Here, the IDS analyses the data stream mirrored by the network device and, when the analysis finds that the data stream contains attack packets, sends linkage packets to each network device in the network equipment linkage group to which the mirroring network device belongs, in response to the attack packets. That is, when the analysed data stream contains attack packets, the IDS sends linkage packets to each network device in the linkage group. The linkage packets preferably encapsulate the characteristics of the attack packets and the linkage strategy, so that a network device receiving a linkage packet can parse out the attack packet characteristics and the linkage strategy.
Step 303: the network devices process the data stream containing the attack packets according to the linkage packets.
Here, a network device that receives a linkage packet first parses out the attack packet characteristics and the linkage strategy; from the attack packet characteristics it can identify the data stream containing the attack packets, and according to the linkage strategy it can process that data stream, for example by blocking or rate-limiting it. Rate-limiting the data stream may mean limiting the total traffic of multiple data streams of the same type, or limiting the traffic of each data stream individually. Specifically, a linkage policy table is further pre-configured within the IDS, containing the linkage strategy corresponding to each type of attack packet; when the IDS detects attack packets, it queries the linkage policy table for the linkage strategy corresponding to the type of the attack packets and sends linkage packets containing that linkage strategy, and the network device, on receiving the linkage packet, applies the linkage strategy to process the data stream containing the attack packets. That is, the IDS configures different linkage strategies according to the type of attack packet. In addition, the IDS preferably encapsulates the linkage packets in TLV format, so that when a new option is needed it is only necessary to add it to the list of linkage options and define a TLV for it, which makes the linkage strategy easy to extend. ...
In the above process, it is preferable to further set in advance a linkage group enable switch separately for each linkage group. When the IDS detects attack packets, it further determines the state of the enable switch of the linkage group to which the network device that mirrored the data stream belongs: when the linkage group enable switch is on, it sends linkage packets to each network device in the linkage group; when the linkage group enable switch is off, it does not send linkage packets. Thus, depending on the configured state of its enable switch, each linkage group can be controlled uniformly, as a whole, as to whether it takes part in linkage.
In the above process, preferably, a linkage group whitelist is further pre-set; the whitelist contains the IP addresses of trusted hosts or networks. Upon detecting attack packets, the IDS further determines whether the source address or destination address of the attack packets is in the whitelist: when it is not in the whitelist, the IDS sends linkage packets to each network device in the linkage group; when it is in the whitelist, no linkage packet is sent. In this way, according to the whitelist set for the linkage group, packets from fully trusted addresses can be exempted from linkage.
In the above process, it is preferable to further pre-set a protected interface list for the linkage group. When the IDS detects attack packets, it further determines whether the attack packets come from an interface in the protected interface list: if so, it sends linkage packets to each network device in the linkage group; if not, it does not send linkage packets. Thus, according to the protected interface list set for the linkage group, linkage control can be further refined to the level of individual interfaces, protecting interfaces more precisely.
According to specific needs, the linkage group master switch, the linkage group enable switch, the linkage group whitelist and the linkage group protected interface list can each be configured or left out as appropriate.
Figure 4 is a schematic flow diagram of the linkage method between an IDS and network equipment according to an embodiment of the present invention. As shown in Figure 4, the method comprises:
Step 401: Each network device receives a data stream and mirrors the data stream to the IDS;
Step 402: The IDS analyzes the data flow mirrored by each network device to determine whether it contains attack packets; when it does, perform step 403 and the subsequent steps; when it does not, end the process;
Step 403: The IDS determines whether the linkage group master switch is on; when it is on, perform step 404 and the subsequent steps; when it is off, end the process;
Step 404: The IDS determines whether the enable switch of the linkage group to which the network device that mirrored the data stream containing the attack packets belongs is on; when it is on, perform step 405 and the subsequent steps; when it is off, end the process;
Step 405: The IDS determines whether the attack packets come from a protected interface contained in the protected interface list; if so, perform step 406 and the subsequent steps; if not, end the process;
Step 406: The IDS determines whether the source or destination address of the attack packets is in the whitelist; if not, perform step 407 and the subsequent steps; if so, end the process;
Step 407: The IDS assembles a linkage packet and sends it to each network device in the linkage group to which the network device that mirrored the data stream containing the attack packets belongs.
Here, according to the type of the attack packets, the IDS extracts the source MAC address, destination MAC address, source IP address, destination IP address, source port, destination port, protocol type and VLAN tag, and combines them with the linkage policy to generate an extensible linkage packet in TLV format.
At this point, each network device in the linkage group receives the linkage packet and processes the data stream accordingly, according to the linkage policy contained in the linkage packet.
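The gating sequence of steps 403 to 406 (master switch, linkage group enable switch, protected interface list, whitelist) written out as a decision function, as an added example that is not part of the patent. The group names, device ids, interface names and addresses are constructed, and treating an empty protected interface list as "all interfaces protected" is an assumption the patent does not state.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LinkageGroup:
    name: str
    devices: list                        # network devices assigned to this group
    enabled: bool = True                 # linkage group enable switch (step 404)
    protected_ifaces: set = field(default_factory=set)   # protected interface list (step 405)
    whitelist: list = field(default_factory=list)        # trusted hosts/networks (step 406)


@dataclass
class IDSConfig:
    master_switch: bool                  # linkage group master switch (step 403)
    groups: dict                         # group name -> LinkageGroup
    device_group: dict                   # device id -> name of its linkage group


def linkage_targets(cfg, device_id, ingress_iface, src_ip, dst_ip):
    """Steps 403-406 of Figure 4 for one detected attack.

    Returns (devices_to_notify, reason). An empty device list means the
    process ends without any linkage packet being sent."""
    if not cfg.master_switch:
        return [], "master switch off"
    group = cfg.groups[cfg.device_group[device_id]]
    if not group.enabled:
        return [], f"group {group.name} disabled"
    # Assumption: an empty protected interface list means every interface is
    # protected; the patent leaves the empty-list case unspecified.
    if group.protected_ifaces and ingress_iface not in group.protected_ifaces:
        return [], f"{ingress_iface} not in protected interface list"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in net or dst in net for net in group.whitelist):
        return [], "source or destination address whitelisted"
    return list(group.devices), "send linkage packets"


def process_alerts(cfg, alerts):
    """Run the gating for a batch of (device, interface, src, dst) alerts."""
    return [linkage_targets(cfg, *alert) for alert in alerts]


# constructed configuration: two linkage groups, one of them switched off
SAMPLE_CFG = IDSConfig(
    master_switch=True,
    groups={
        "edge": LinkageGroup("edge", ["sw1", "sw2"],
                             protected_ifaces={"Gi1/0/1", "Gi1/0/2"},
                             whitelist=[ipaddress.ip_network("192.0.2.0/24")]),
        "core": LinkageGroup("core", ["sw3"], enabled=False),
    },
    device_group={"sw1": "edge", "sw2": "edge", "sw3": "core"},
)

# constructed alerts: (mirroring device, ingress interface, source, destination)
SAMPLE_ALERTS = [
    ("sw1", "Gi1/0/1", "198.51.100.7", "10.0.0.9"),   # sent to the whole edge group
    ("sw2", "Gi1/0/5", "198.51.100.7", "10.0.0.9"),   # interface not protected
    ("sw1", "Gi1/0/2", "192.0.2.5", "10.0.0.9"),      # source is whitelisted
    ("sw3", "Gi1/0/1", "198.51.100.7", "10.0.0.9"),   # core group disabled
]
```

Because the linkage packet is sent to every device in the group, not only to the one that saw the attack, the whitelist and protected interface list are the two controls that keep a false positive on one mirrored stream from blocking traffic across the whole group; the reason string returned for each suppressed alert is what an operator would want logged to audit those decisions.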
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention should be included within the scope of the present invention.

Claims (24)

1. An intrusion detection system (IDS) and network equipment linkage system, characterized in that the system includes: an IDS, used to detect whether a data stream contains attack packets; and a network equipment linkage group, including at least one network device;
wherein the network device receives a data stream and mirrors the data stream to the IDS; when the IDS detects that the received data stream contains attack packets, it sends linkage packets to each network device in the network equipment linkage group.
4. The linkage system according to claim 3, characterized in that said attributes include at least one of: a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and a rate-limiting type.
5. The linkage system according to claim 1, characterized in that a linkage policy table is disposed within the IDS, the linkage policy table including the linkage policy corresponding to each type of attack packet.
6. The linkage system according to claim 5, characterized in that, when the IDS detects attack packets, it further queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy.
7. The linkage system according to claim 1, characterized in that the network devices in said network equipment linkage group are in the same network segment.
8. The linkage system according to claim 1, characterized in that the network devices in said network equipment linkage group are of the same model.
9. A linkage method for an IDS and network devices, characterized in that the network devices are divided into network equipment linkage groups according to pre-defined rules; the method further comprises:
A. a network device receives a data stream and mirrors the data stream to the IDS;
B. the IDS detects whether the data stream contains attack packets; when it contains attack packets, the IDS sends linkage packets to each network device in the linkage group to which the network device that mirrored the data stream belongs;
C. the network device processes the data flow containing the attack packets according to the linkage packet.
10. The linkage method according to claim 9, characterized in that network devices assigned to the same linkage group are configured with the same attributes.
11. The linkage method according to claim 10, characterized in that said attributes include at least one of: a linkage group master switch, a linkage group enable switch, a protected interface list, a protected IP address list, a whitelist, and a rate-limiting type.
12. The linkage method according to claim 9, characterized in that a linkage policy table is further pre-configured within the IDS, the linkage policy table including the linkage policy corresponding to each type of attack packet.
13. The linkage method according to claim 12, characterized in that in step B, after the IDS detects the attack packets, it further queries the linkage policy table for the linkage policy corresponding to the type of the attack packets and sends a linkage packet containing that linkage policy; and in step C the network device applies that linkage policy to process the data flow containing the attack packets.
14. The linkage method according to claim 9, characterized in that said step C is: blocking or rate-limiting the data streams containing the attack packets.
15. The linkage method according to claim 14, characterized in that rate-limiting the data streams is: limiting the total traffic of multiple data streams of the same type, or limiting the traffic of each data stream individually.
16. The linkage method according to claim 9, characterized in that a linkage group master switch is further pre-set; in step B, when the IDS detects attack packets, it further determines the state of the linkage group master switch; when the linkage group master switch is on, it sends linkage packets to each network device in the linkage group to which the network device that mirrored the data flow belongs; when the linkage group master switch is off, it does not send linkage packets.
17. The linkage method according to claim 9, characterized in that a linkage group enable switch is further pre-set separately for each linkage group; in step B, when the IDS detects attack packets, it further determines the state of the enable switch of the linkage group to which the network device that mirrored the data stream belongs; when the linkage group enable switch is on, it sends linkage packets to each network device in the linkage group; when the linkage group enable switch is off, it does not send linkage packets.
18. The linkage method according to claim 9, characterized in that a linkage group whitelist is further pre-set; in step B, when the IDS detects attack packets, it further determines whether the source address or destination address of the attack packets is in the whitelist; when not in the whitelist, it sends linkage packets to each network device in the linkage group; when in the whitelist, it does not send linkage packets.
19. The linkage method according to claim 9, characterized in that a linkage group protected interface list is further pre-set; in step B, when the IDS detects attack packets, it further determines whether the attack packets come from an interface in the protected interface list; if so, it sends linkage packets to each network device in the linkage group; if not, it does not send linkage packets.
20. The linkage method according to claim 9, characterized in that a linkage group protected IP address list is further pre-set; in step B, when the IDS detects attack packets, it further determines whether the source address or destination address of the attack packets is in the linkage group protected IP address list; when in the list, it sends linkage packets to each network device in the linkage group; when not in the list, it does not send linkage packets.
21. The linkage method according to claim 9, characterized in that said pre-defined rule is: network devices belonging to the same network segment are placed in the same network equipment linkage group.
22. The linkage method according to claim 9, characterized in that said pre-defined rule is: network devices of the same model are placed in the same network equipment linkage group.
23. The linkage method according to claim 9, characterized in that said linkage packet is encapsulated in TLV format.
24. The linkage method according to claim 9, characterized in that when step B determines that the data flow contains attack packets, it further determines whether the attack packets carry a virtual LAN (VLAN) tag; if so, the IDS sends linkage packets to the network devices in that VLAN on which IDS-ACL (Access Control List) is enabled; if not, it exits the process.
CNB2005101323307A 2005-12-21 2005-12-21 Intrusion detecting system and network apparatus linking system and method Active CN100393047C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101323307A CN100393047C (en) 2005-12-21 2005-12-21 Intrusion detecting system and network apparatus linking system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101323307A CN100393047C (en) 2005-12-21 2005-12-21 Intrusion detecting system and network apparatus linking system and method

Publications (2)

Publication Number Publication Date
CN1791021A true CN1791021A (en) 2006-06-21
CN100393047C CN100393047C (en) 2008-06-04

Family

ID=36788544

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101323307A Active CN100393047C (en) 2005-12-21 2005-12-21 Intrusion detecting system and network apparatus linking system and method

Country Status (1)

Country Link
CN (1) CN100393047C (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127692B (en) * 2006-08-17 2012-06-27 华为技术有限公司 A method and device for identifying and limiting network traffic
CN105939338A (en) * 2016-03-16 2016-09-14 杭州迪普科技有限公司 Protection method and device of intrusion message
CN106656975A (en) * 2016-10-18 2017-05-10 新华三技术有限公司 Attack defense method and attack defense device
WO2018035770A1 (en) * 2016-08-24 2018-03-01 深圳天珑无线科技有限公司 Network anomaly processing method and system
CN109474531A (en) * 2018-12-24 2019-03-15 安徽皖兴通信息技术有限公司 A kind of method that packet access network exchange table entries delete synchronization

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003525000A (en) * 2000-02-22 2003-08-19 トップ レイヤー ネットワークス,インク. Data flow mirror processing system and method in network switch
JP4108486B2 (en) * 2003-01-08 2008-06-25 Necインフロンティア株式会社 IP router, communication system, bandwidth setting method used therefor, and program thereof
CN1578227A (en) * 2003-07-29 2005-02-09 上海聚友宽频网络投资有限公司 Dynamic IP data packet filtering method
CN1300984C (en) * 2004-12-02 2007-02-14 上海交通大学 Method for establishing complex network running environmental analog stimulative platform
CN1309214C (en) * 2004-12-20 2007-04-04 华中科技大学 Cooperative intrusion detection based large-scale network security defense system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127692B (en) * 2006-08-17 2012-06-27 华为技术有限公司 A method and device for identifying and limiting network traffic
CN105939338A (en) * 2016-03-16 2016-09-14 杭州迪普科技有限公司 Protection method and device of intrusion message
CN105939338B (en) * 2016-03-16 2019-05-07 杭州迪普科技股份有限公司 Invade the means of defence and device of message
WO2018035770A1 (en) * 2016-08-24 2018-03-01 深圳天珑无线科技有限公司 Network anomaly processing method and system
CN106656975A (en) * 2016-10-18 2017-05-10 新华三技术有限公司 Attack defense method and attack defense device
CN106656975B (en) * 2016-10-18 2020-01-24 新华三技术有限公司 Attack defense method and device
CN109474531A (en) * 2018-12-24 2019-03-15 安徽皖兴通信息技术有限公司 A kind of method that packet access network exchange table entries delete synchronization
CN109474531B (en) * 2018-12-24 2021-06-25 安徽皖兴通信息技术有限公司 Method for deleting synchronization of packet access network switching table items

Also Published As

Publication number Publication date
CN100393047C (en) 2008-06-04

Similar Documents

Publication Publication Date Title
CN110168499B (en) Executing context-rich attribute-based services on a host
CN111095901B (en) Service operation linking method, device, system, and readable storage medium
CN108701187B (en) Apparatus and method for hybrid hardware-software distributed threat analysis
US9584531B2 (en) Out-of band IP traceback using IP packets
US20070022474A1 (en) Portable firewall
JP5324225B2 (en) How to provide virtual router functionality
US20070022479A1 (en) Network interface and firewall device
US20130305365A1 (en) System and method for optimization of security traffic monitoring
Xue et al. Traffic classification: Issues and challenges
US20150120909A1 (en) Dns-assisted application identification
US7849503B2 (en) Packet processing using distribution algorithms
JP2010268483A (en) Active network defense system and method
US8272056B2 (en) Efficient intrusion detection
US9521154B2 (en) Detecting suspicious network activity using flow sampling
CN1725709A (en) Method of linking network equipment and invading detection system
US10819682B1 (en) Systems and methods for high-efficiency network-packet filtering
EP3885939A1 (en) Information query method, apparatus, device, and storage medium
CN1791021A (en) Intrusion detecting system and network apparatus linking system and method
CN116938507A (en) Electric power internet of things security defense terminal and control system thereof
US7917649B2 (en) Technique for monitoring source addresses through statistical clustering of packets
Shankar et al. Deep packet inspection in residential gateways and routers: Issues and challenges
CN1523851A (en) Security method for operator access control of network management system
US11627110B2 (en) Systems and methods for operating a networking device
WO2024099078A1 (en) Method for detecting attack traffic, and related device
US20240163294A1 (en) System and method for capturing malicious flows and associated context for threat analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20180921

Address after: 230088 the 541 phase of H2 two, two innovation industrial park, No. 2800, innovation Avenue, Hi-tech Zone, Hefei, Anhui.

Patentee after: Xinhua three information Safe Technology Ltd

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: Xinhua three Technology Co., Ltd.

TR01 Transfer of patent right