KR100439174B1 - Method for managing alert database and policy propagation in ladon-security gateway system - Google Patents

Abstract

The present invention relates to a method of managing DB for policy delivery and alarm of Radon (SGS), and if it is not packet data by judging whether it is packet data to be blocked by referring to the blocking information in the alarm DB from the policy and system administrator. Condenses the data into events and provides the condensed events to the analyzer. The analyzer then stores the event in the cache and analyzes it using the type-specific analysis function where the stored event is multi-threaded and reads the pattern class in which the event is started according to the type-specific analysis function. If the start state does not exist, it is determined whether the state is FINAL. If the end state exists, the intrusion is detected and the action corresponding to the intrusion is defined as defined by the intrusion pattern. Therefore, the conventional intrusion detection system can solve the problem of spending a lot of time processing the monitoring data, and also through the configuration of the pattern schema using multi-threaded to improve the intrusion detection through a fast speed, new policy is If required, operations such as rebooting or stopping the intrusion detection and response system do not stop the function of harmful packet detection, and there is an effect that can be applied to the detection policy or the blocking policy.

Description

METHODO FOR MANAGING ALERT DATABASE AND POLICY PROPAGATION IN LADON-SECURITY GATEWAY SYSTEM}

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method of managing a database (DB) for delivering and alerting a policy of a radon-security gateway system (SGS). In particular, the radon-cyber In case of cyber terror in the network between patrol control system (CPCS) and multiple radon-SGS, terror occurrence is detected in real time, and the response policy according to the terror type is reflected in the alarm DB in radon-SGS, The present invention relates to a method of updating a cache linked to an analyzer in radon-SGS so that an updated policy can be applied to future cyber terrorism.

Typically, an intrusion detection system is intended to detect intrusions from the outside, and the operation must be performed correctly so that correct detection according to the type of attack used for the intrusion should be made.

In this way, it is classified into an anomaly method and a miss use method according to the intrusion pattern used in the intrusion detection system.

Among them, the Anomaly method is an intrusion detection system based on a very small number of research levels, which is rarely implemented in current commercial systems. In the case of the Misuse method, when an intrusion occurs without an intrusion pattern, such an intrusion is not detected. In order to apply the intrusion pattern for the new intrusion to the intrusion detection and response system, there is a problem that the system operation is stopped, the intrusion pattern is newly added, and then driven again.

In addition, in order to apply the intrusion detection system to a high speed network, the processing speed of the packet capture sensor and analyzer of the intrusion detection system is most important.

On the other hand, as described above, the intrusion detection system, "Design of an efficient integrated intrusion detection system" announced at the 1998 Spring Conference of the Korean Information Science Society, and "Dynamic Signature Inspection-Based Network" registered in August 2001 IntrusionDetection "and the" Method and System for Adaptive Network Security using Network Vulnerability Assessment, "registered in October 2001.

That is, in detail describing the disclosed prior art, "Design of an efficient integrated intrusion detection system" announced at the spring meeting of the Korean Information Science Society in 1998, the intrusion pattern by internal and external users is advanced, diversified and advanced. However, since the information security system failed to perform its function again, the type and scale of damages are diversified and enlarged, which necessitates the need for an intrusion detection system.

Therefore, the intrusion detection system research started from the audit data analysis for the illegal use of the system in the mid-1960s is actively conducted based on various theories such as expert system, statistical technique, pattern matching, artificial intelligence, model-based. These intrusion detection systems are largely performed by a misuse intrusion detection system that detects intrusions using well-known vulnerabilities of systems, networks, and applications, and abnormally that detects intrusions through illegal use of system resources. It is classified as Anomaly Intrusion Detection System.

This journal is designed to improve the shortcomings of NIDES, design an intrusion detection system that can efficiently use system resources by segmenting abnormal intrusion detection, introducing the concept of unit agent, conducting differentiated misuse detection, and adjusting detection priority using supervision data. It is to present a plan.

In addition, "Dynamic Signature Inspection-Based Network Intrusion Detection", registered in August 2001, is a signature-based dynamic network intrusion detection system (NIDS) intrusion that characterizes known network security violations. Include signature profiles. These intrusion signature profiles consist of a collection of intrusion signature profiles according to the security requirements of network objects on the network.

Each network object is assigned to a set of intrusion signature profiles stored in signature profile memory along with the associated data for monitoring the network traffic associated with the network object.

As described above, the network objects corresponding to the signature are given and stored as addresses, and the network traffic is monitored in order to process such data.

During the detection of the data packets stored among the network objects, the packet's information is extracted from the data packets, and the extracted information detects the corresponding intrusion from the set of intrusion signature profiles corresponding to the associated data on a network basis.

If the packet is associated with a known security breach, the virtual processor uses the intrusion signature profile to determine whether it is an intrusion and generates an intrusion signature profile that is configured to be processed by the virtual processor in the absence of a corresponding intrusion signature by the virtual processor. Used by intrusion signature profile generator. It has a structure that can operate independantly on the intrusion signature generated in the intrusion signature profile, and the virtual processor used here is automatically possible by software or hardware.

Finally, in October 2001, "Method and System for Adaptive Network Security using Network Vulnerability Assessment," network security products, such as intrusion detection systems and firewalls, used passive filtering methods to detect policy violations, or Misuse patterns. Detection of security violations This passive filtering technique is performed by monitoring network packet data.

In order to properly detect these security rules, contests must be extracted through the association of items such as space, time, and events. Space means information such as source and destination at the port level, time is defined by the amount of consecutive packets between source-destination, and event is the type of connection defined by misuse or policy that is caused by each packet. Is defined as In the present invention, the network Vulnerability Assessment tool (tool) to find a system or method for network security.

This method is directly reflected in the demands on the network. The response to the requirements constitutes all the network information, which is then used to analyze the network security conventions.

That is, if detected for each, it is determined whether to perform a repeated scan (SCAN) through repeated system monitoring. It installs vulnerability analysis tools on each host, investigates each system's operating system, services, and potential vulnerabilities in advance, determines whether incoming packets are vulnerable and decides whether to perform repetitive tasks throughout the network. After each priority, it aims to provide network security through information such as protocol analysis, intrusion pattern detection, system service, memory usage, processor usage, and system bandwidth.

As described above, when looking at the technologies disclosed in the preceding papers and registered patents, existing known technologies include a security policy for detecting cyber terrorism in real time and executing appropriate countermeasures when a cyber terror occurs in a host or network. The host that caused the cyber terrorism is updated in the pattern table of the intrusion detection and response radon-SGS and updated in the policy cache used by the analyzer. There remains a problem that falls short of the need to perform policy-based network security controls that apply established policies.

Accordingly, the present invention has been made to solve the above-described problems, the object of which is to prevent terrorism when cyber terrorism occurs in a radon-cyber patrol control system (CPCS) and a plurality of radon-SGS networks. It detects in real time and reflects the response policy according to the terror type in the alarm DB in radon-SGS, updates it in the cache linked to the analyzer in radon-SGS, and applies the updated policy for cyber terrors that occur afterwards. Radon-SGS provides a database management method for policy delivery and alerting.

In the present invention for achieving the above object in the radon (SG) response method for intrusion detection and intrusion detection, the policy and system administrator to determine whether the packet data to block by referring to the blocking information in the DB for alarm If it is not packet data, shortening the packet data into an event and providing the abbreviated event to the analyzer; Storing the event in a cache by using an analyzer, and analyzing the stored event using a type-specific analysis function that operates in a multithreaded manner; According to the type-specific analysis function, if the start state does not exist by reading a pattern class in which an event starts (START), it is determined whether the state is FINAL. And performing an action corresponding to the intrusion as defined in the intrusion pattern.

In addition, in the present invention for achieving the above object, in the method of updating the intrusion pattern used for intrusion detection of Radon (SGS), steps of requesting the intrusion pattern update to the DB for policy and system administrator; Determining whether the intrusion pattern update is an intrusion pattern addition requirement in the DB for alerting, and when the intrusion pattern addition requirement is included, adding the intrusion pattern using the P_ID of the intrusion pattern related table as a key. do.

1 is an overall block diagram for performing a policy management and alarm database management method of a radon-security gateway system (SGS) according to the present invention,

FIG. 2 is a detailed block diagram of the radon-security gateway system (SGS) shown in FIG. 1.

3 is a flowchart illustrating in detail the intrusion detection and the countermeasures against intrusion detection according to the present invention;

4 is a flowchart illustrating a method for updating an intrusion pattern used for intrusion detection according to the present invention in detail.

FIG. 5 is a diagram illustrating a schema of a pattern table in detection information illustrated in FIG. 2 according to the present invention.

FIG. 6 is a diagram illustrating a pattern_port table in detection information shown in FIG. 2 according to the present invention.

FIG. 7 is a diagram illustrating a pattern_signal table in detection information illustrated in FIG. 2 according to the present invention.

8 is a diagram illustrating a schema of an ALERT table in alarm information shown in FIG. 2 according to the present invention.

9 is a diagram illustrating a schema of a block table in blocking information illustrated in FIG. 2 according to the present invention.

<Description of the symbols for the main parts of the drawings>

100: radon-CPCS 200-200-n: radon-SGS

211: Policy and System Administrator 213: Analyzer

215: Breaker 217: Application Program Interface

220: alarm DB 221: detection information

223: blocking information 225: alarm information

A: Network S1: Cache

S2: message queue

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating a method of managing a database for policy delivery and alerting of a Radon-security gateway system (SGS) according to the present invention, which includes a Radon-CPCS 100 and A number of radon-SGS (200-200-n).

Radon-CPCS 100 is a security control server that provides intrusion detection and corresponding packet data to radon-SGS 200 via network A, and also provides intrusion detection through network A. Radon-SGS 200 is requested to update the intrusion pattern according to the update of the intrusion pattern used.

Any of the plurality of radon-SGSs 200-200-n is a secure gateway system, as shown in FIG. 2, with a policy and system administrator 211, an analyzer 213, The breaker 215 is provided, the application program interface 217, and the alarm DB 220 are provided.

The policy and system manager 211 receives the packet data from the radon-CPCS 100 via the network A, and then refers to the blocking information 223 in the DB 220 for alerting through the application program interface 217. If the packet data in the blocking information 223 is determined, the packet data is provided to the blocker 215 through the message queue S2. On the other hand, if the packet data is not in the blocking information 223, the packet data is abbreviated as an event, and the abbreviated event is provided to the analyzer 213 through the message queue S2.

The analyzer 213 stores the events provided from the policy and system manager 211 in the cache S1, and then analyzes the type-specific analysis function that operates as a multithreaded state in which the events are stored in the cache S1, that is, the domain name system (domain). name system (DNS) check, file transfer protocol (FTP) check, transmission control protocol (TCP) backdoor check, user data_gram protocol (UDP) backdoor check The stack class is read sequentially by using the FTP check and the simple mail transfer protocol (SMTP) check analysis function. The pattern class in which the event is started is read and the START state is started. Checks whether there is a

When the START state exists, the analyzer 213 inserts the pattern class into the stack class, whereas when the START state does not exist, the analyzer 213 determines whether the state is FINAL.

Then, when the end state exists, the analyzer is in a state of detecting an intrusion and performs an action corresponding to the intrusion according to the definition of the intrusion pattern, whereas when the end state does not exist, a constant time stamp is performed. If it exceeds the predetermined time stamp, it is determined that the incoming packet data is not harmful and deletes the pattern class.

On the other hand, if the analyzer 213 does not exceed a certain time stamp, it distinguishes whether all patterns belonging to the thread are checked, and if all patterns are checked by checking all patterns, the process of analyzing using the analysis function for each type. If you do not check all patterns by checking all patterns, it repeats from the process of checking whether the START status exists by reading the pattern class.

The blocker 215 blocks the packet data provided through the message queue S2 from the policy and system manager 211.

The application program interface 217 is a block that acts as an interface between the policy and system manager 211 and the alert DB 220. The application program interface 217 transmits / intrudes pattern updates according to packet data and intrusion patterns used for intrusion detection. Interface to receive.

The alert DB 220 internally includes detection information 221, blocking information 223, and alert information 225.

As shown in FIGS. 5 to 7, the detection information 221 is applied according to the pattern using P_ID as KEY in using a field existing in the schema of the table, and the detection of the actual harmful packet is a pattern signal. By using the contents of the (pattern_sig) table, among the detailed fields of the pattern table of FIG. 5, PRIORITY indicates the priority for intrusion, and the intrusion effect is applied in the IMPACT field, and the intrusion detection for each pattern is performed. Whether or not to apply is determined by the value of the ADOPT table.

The CONDI_TYPE indicates a case where an intrusion is determined in one packet and a state of a linear packet is determined when it is determined that the state of a repeated packet is used. In the case of the PATTERN_PORT table, it is used to detect based on the service number of the target host.

The detection information 221 indicates that the SEQ field of FIG. 6 is a PATTERN_CONDITION number corresponding to the CONDI_TYPE of the pattern table, and indicates whether the TYPE specifies a destination port or a source port.

Subsequently, the detection information 221 loads the detector in the schema of the pattern signal table of FIG. 7 in the cache area referring to the data of the Pattern related tables, and then performs intrusion detection on all incoming packets.

The blocking information 223 corresponds to the block list registration of FIG. 9, and the like, and the alert information 225 includes the transmission of the schema of the ALERT table of FIG. 8, the blocking of the session, and the like.

With reference to the flowchart of FIG. 3, the intrusion detection and the countermeasure for intrusion detection according to the present invention having the above-described configuration will be described in detail.

First, the policy and system manager 211 in any of the radon-SGS 200-200-n of the radon-SGS 200-200-n is obtained from the radon-cyber patrol control system (CPCS) 100. After receiving the packet data via the network A (step 301), the schema of the ALERT table in the blocking information 223 shown in FIG. The block information 223 in the alert DB 220 existing in the list is referred to to determine whether the packet data is present (step 302).

If the determination step 302 is packet data in the blocking information 223, the packet data is provided to the blocker 215 through the message queue S2 (step 303), and the blocker 215 is a policy and system manager 211. Block the packet data provided (step 304).

On the other hand, if it is not the packet data in the blocking information 223 in the determination step 302, the packet data is abbreviated as an event, and the abbreviated event is provided to the analyzer 213 through the message queue S2 (step 305). ).

The analyzer 213 stores the events provided from the policy and the system manager 211 in the cache S1 (step 306), and then analyzes the type-specific analysis function, that is, DNS, which operates in a multi-threaded state while the events are stored in the cache S1. Analysis is performed using the check, FTP check, TCP backdoor check, UDP backdoor check, FTP check, and SMTP check analysis functions (step 307).

That is, the analyzer 213 sequentially reads the stack class of the cache S1. The analyzer 213 reads the pattern class in which the event becomes the START state and checks whether the START state exists (step 308).

If there is a START state in the check step 308, a pattern class is inserted into the stack class (step 309). On the other hand, if the START state does not exist in the check step 309, it is determined whether the state (FINAL) state (step 310).

In the determination step 310, if there is a termination state, the intrusion is detected and the action corresponding to the intrusion is defined as defined in the intrusion pattern (step 311). In this case, detecting an intrusion and performing an action corresponding to the intrusion may be performed according to the pattern using P_ID as KEY in using a field present in the schema of the table, as shown in FIGS. 5 to 7. For detection of the actual harmful packet, the content of the pattern signature (pattern_sig) table is used.

That is, FIG. 5 is a diagram showing a schema of a pattern table in the detection information 221 shown in FIG. 2 according to the present invention. Among the detailed fields of the pattern table, PRIORITY is a priority against intrusion. Intrusion effect is applied in IMPACT field, and whether to apply to intrusion detection by pattern is determined by the value of ADOPT table.

The CONDI_TYPE indicates a case where an intrusion is determined in one packet and a state of a linear packet is determined when it is determined that the state of a repeated packet is used. In the case of the PATTERN_PORT table, it is used to detect based on the service number of the target host.

FIG. 6 is a diagram illustrating a pattern_port table in the detection information 221 shown in FIG. 2 according to the present invention. The SEQ field is a PATTERN_CONDITION number corresponding to a CONDI_TYPE of a pattern table. Indicates whether you specify a destination port or a source port.

Subsequently, FIG. 7 is a diagram illustrating a pattern_signal table in the detection information 221 shown in FIG. 2 according to the present invention, wherein a detector in a schema of a pattern signal table refers to caches referring to data of such Pattern related tables. After loading into the area, intrusion detection is performed on all incoming packets. As shown in FIG. 8, the schema transmission or session blocking of the ALERT table in the alert information 225 shown in FIG. As shown in Fig. 9, the schema of the block table in the block information 223 shown in Fig. 2 is a diagram, in which the corresponding action such as block list registration is performed.

If the end state does not exist in the determination step 310, it is checked whether a predetermined time stamp has been exceeded (step 312).

If the predetermined time stamp is exceeded in the check step 312, it is determined that the incoming packet data is not harmful (step 313). Here, deleting the pattern class means that the incoming packet data is not harmful.

On the other hand, if the check step 312 does not exceed a certain time stamp, it is determined whether all patterns belonging to the thread have been checked (step 314).

If all the patterns are checked in the dividing step 314 and all the patterns are checked, the process is repeated from step 307. If all the patterns are not checked in the dividing step 314, all the patterns are not checked. 308) is repeated. Here, iteration is to iterate until all the contents of the stack class are retrieved.

On the other hand, with reference to the flow chart of Figure 4, it will be described in detail the updating method of the intrusion pattern used for intrusion detection according to the present invention.

First, when the Radon-SGS 200 is provided with the intrusion detection and policy change through the network A from the Radon-CPCS 100, the policy and system administrator in the Radon-SGS 200. 211 requests the intrusion pattern update to the alert DB 220 via the application program interface 217 (step 401).

The alert DB 220 determines whether an intrusion pattern update required through the application program interface 217 from the policy and system manager 211 is an intrusion pattern addition requirement (step 402).

If the intrusion pattern addition requirement is determined in the determination step 402, an intrusion pattern is added using the P_ID of the intrusion pattern related table as a key (step 403). On the other hand, if it is not an intrusion pattern addition requirement in the determination step 402, it is checked whether it is an intrusion pattern change requirement (step 404).

If the intrusion pattern change request is made in the check step 404, the intrusion pattern is changed using the P_ID of the intrusion pattern related table as a key (step 405). On the other hand, if it is not the intrusion pattern change requirement in the check step 404, it is determined whether the intrusion pattern deletion requirement (step 406).

If the intrusion pattern deletion request is made in the determination step 406, the intrusion pattern is deleted using the P_ID of the intrusion pattern related table as a key (step 407). On the other hand, if it is not a requirement to delete the intrusion pattern in the determination step 406, a message indicating a wrong command is provided to the policy and system manager 211 through the application program interface 217 (step 408). Here, the updated patterns are loaded into the cache S1 used by the analyzer 213, and do not need to stop or restart the system, and operate the intrusion detection and response functions using the new patterns.

Therefore, the present invention detects a terror occurrence in real time when a cyber terror occurs in the network between radon-CPCS and radon-SGS, and reflects the response policy according to the terror type in the radon-SGS alarm DB, and the analyzer in radon-SGS By updating the cache linked to the network and applying an updated policy for future cyber terrorism, it is possible to solve the problem that conventional intrusion detection systems spend a lot of time processing the surveillance data. Through the configuration of the pattern schema, the intrusion detection can be improved at a high speed. When a new policy is required, operations such as rebooting or stopping the intrusion detection and response system will not stop the harmful packet detection function. It can be applied to a policy or a blocking policy.

Claims (15)

In response to intrusion detection and intrusion detection of a Radon-security gateway system (SGS) having a policy and system administrator, an analyzer, a breaker, and an alarm database (DB), Determining, by the policy and system administrator, whether the packet data is to be blocked by referring to the blocking information in the DB for alarming, if it is not packet data, shortening the packet data into an event and providing the abbreviated event to the analyzer; Storing the event in the cache by using the analyzer, and analyzing the stored event using a type-specific analysis function that operates in a multithreaded manner; According to the type-specific analysis function, if the start state does not exist by reading a pattern class in which the event is in the start state (START), it is determined whether it is in the end state (FINAL), and when the end state exists, the intrusion is detected. A method of managing a database for policy delivery and alerting of Radon-SGS, comprising the step of: entering a state and performing an action corresponding to the intrusion according to the definition of the intrusion pattern. The method of claim 1, wherein the determining of the packet data comprises: Radon-SGS policy management and alarm database management method, characterized in that for the packet data in the blocking information, providing the packet data to the blocker to block. The method of claim 1, wherein the type-specific analysis function is Domain name system check, file transfer protocol (FTP) check, transmission control protocol backdoor check, user data_gram protocol backdoor check, Method of managing database for policy delivery and alerting of Radon-SGS, characterized by FTP check, simple mail transfer protocol check analysis function. The method of claim 1, wherein when the START state exists, Radon-SGS database management method for the policy delivery and alerts, characterized in that for inserting the pattern class to the stack class. The method of claim 1, wherein detecting the intrusion and performing an action corresponding to the intrusion is performed by: In using the field present in the detection information in the alert DB, P_ID is applied as a KEY according to a corresponding pattern, and the detection of the packet data uses the contents of a pattern signature (pattern_sig) table. (Ladon) -SGS database management for policy delivery and alerts. The method of claim 4, wherein Among the detailed fields of the pattern table in the detection information, PRIORITY indicates the priority of intrusion, the intrusion effect is applied in the IMPACT field, and whether to apply to intrusion detection by pattern is determined by the value of the ADOPT table. The CONDI_TYPE is a radon characterized in that it is determined using a linear packet state when it is determined that an intrusion is determined as one packet and when the state of a repeated packet is used. (Ladon) -SGS database management for policy delivery and alerts. The method of claim 4, wherein In the case of the PATTERN_PORT table in the detection information, the PATTERN_CONDITION number corresponding to the CONDI_TYPE is detected based on the service number of the target host, and the TYPE indicates whether to specify a destination port or a source port. Radon-SGS policy management and database management method characterized by. The method of claim 1, wherein if there is no end state in the determining step, Radon-SGS policy forwarding and alerting characterized in that if the time stamp is exceeded by checking whether the time stamp is exceeded and the incoming packet data is not harmful, the pattern class is deleted. Database management methods. The method of claim 8, wherein when the check step does not exceed a certain time stamp, In the case of checking all patterns by checking whether all patterns belonging to the thread are checked and checking all patterns, the policy delivery of Radon-SGS, which is repeated from the analysis process using the analysis function by type, and How to manage alarm database. 10. The method of claim 9, wherein in the dividing step, if all the patterns are checked and not all the patterns are checked, radon is repeated from the step of checking whether the START state exists by reading the pattern class. ) -SGS database management for policy delivery and alerts. The method of claim 10, The iteration is repeated until it retrieves all the contents of the stack class Radon (SG) -SGS policy management and database management method for alerting. A method of updating an intrusion pattern used for intrusion detection of a Radon-security gateway system (SGS) having a policy and a system administrator, an analyzer, a breaker, and an alarm database (DB), Requesting an intrusion pattern update from the policy and system administrator to an alarm DB; Determining whether the intrusion pattern update is an intrusion pattern addition requirement in the alarm DB, and if the intrusion pattern addition requirement is included, adding the intrusion pattern using P_ID of the intrusion pattern related table as a key. Radon-SGS policy management and database management method characterized by. The method according to claim 12, wherein if the incidence step is not an additional requirement for intrusion pattern, Checking whether or not it is a change pattern of intrusion pattern, if it is a change pattern of intrusion pattern, Radon-SGS policy delivery and alarm characterized by changing the intrusion pattern by using P_ID of the intrusion pattern related table as a key. Database management methods. The method of claim 13, wherein if it is not a requirement to change the intrusion pattern in the checking step, Determination of the intrusion pattern deletion requirement, if the intrusion pattern deletion requirements, Radon-SGS policy delivery and alarm characterized in that the intrusion pattern is deleted using the P_ID of the intrusion pattern related table as a key (KEY) Database management methods. 15. The method of claim 14, wherein if the intrusion pattern deletion requirement is not determined at the determining step, Radon-SGS database management method for the policy delivery and alerts, characterized in that to provide a message that the wrong command to the policy and system administrator.