KR100728446B1 - Hardware based intruding protection device, system and method - Google Patents

Abstract

Provided are a hardware-based intrusion prevention apparatus, system, and method using an intelligent system on chip (SoC). An intrusion prevention device for this purpose includes a session / traffic controller that detects abnormal sessions or harmful traffic from packets input through an input / output interface, a preprocessor that performs a predetermined preprocessing process for pattern matching, and pattern matching on preprocessed packets. And a pattern matching engine for performing the operation, a corresponding engine for performing a predetermined intrusion prevention action on the intrusion-detected packet, and a bandwidth manager for determining once more whether the bandwidth criterion is exceeded even if it is determined to be a normal packet. In particular, the session / traffic controller and the preprocessor are implemented as an intelligent complex chip (SoC). According to the present invention, the intrusion detection process can be implemented in one chip, thereby greatly improving the processing speed, and also performing bandwidth management in addition to pattern matching to maximize the intrusion prevention effect.

Intrusion Prevention System, IPS, IDS, SoC, Pattern Matching, Bandwidth, Session, Traffic

Description

Hardware based intruding protection device, system and method

1 is an internal block diagram of a function of a conventional intrusion prevention system.

Figure 2 is an internal block diagram of the function of the intrusion detection apparatus and system according to the present invention.

3 is a flowchart showing each step of the intrusion detection method according to the present invention.

The present invention relates to a hardware-based intrusion prevention apparatus, system and method using an intelligent system on chip (SoC), in particular, the intrusion prevention apparatus according to the present invention is an abnormal session or harmful from a packet input through the input and output interface A session / traffic controller that detects traffic, a preprocessor that performs a predetermined preprocessing process for pattern matching, a pattern matching engine that performs pattern matching on preprocessed packets, and predetermined intrusion prevention measures for intrusion-detected packets. It may further include a bandwidth manager that is made to include a corresponding engine for performing the operation and determines whether or not it exceeds the bandwidth criteria even if it is determined to be a normal packet.

In recent years, due to the popularization of computers and the steady spread of the Internet, various electronic transactions such as e-commerce and e-mail have been activated, but accordingly, they illegally invade specific systems to steal important data or distribute harmful data such as computer viruses. Side effects such as paralyzing the network are also faced with a situation that cannot be ignored.

In order to solve this problem, a firewall or an intrusion detection system (IDS; Intrusion Protection System) has been proposed, which prevents unauthorized network intrusion from the external network or the internal network. In other words, database of various patterns known as intrusion are made by blocking the same packet.

Herein, the conventional operation method of the intrusion prevention system will be described and the problems thereof will be examined together. For reference, Figure 1 shows an internal block diagram for each function of such a conventional intrusion prevention system.

When a packet is input through the input PHY 110 of the input / output interface, the packet is transmitted to the first security module, and whether the intrusion is primarily detected through the pattern matching engine 120 provided with the predetermined pattern information. If it is determined that the intrusion packet is a predetermined intrusion prevention action is taken through the response engine 130, but if it is determined that the normal packet is transmitted to the second security module connected through the interface 140 such as PCI and stored here. Through the post-processing program included in the unit 160, dynamic attacks such as DoS and DDoS, which could not be detected by pattern matching, are secondarily detected. This post-processing program is driven by the central processing unit 150 of the second security module.

According to the conventional intrusion prevention system, the dynamic attack detection procedure in the second security module is processed by software by a post-processing program, so the processing speed is limited, which is not suitable for a network environment that is getting larger. In addition, there is a time gap that cannot be ignored until the detection request from the first security module to the second security module through PCI is notified and the result value is notified, further reducing the efficiency of the detection process. there was.

In addition, when various evasion techniques that cannot be filtered out by pattern matching appear, there is a limitation in detecting whether or not an invasion is performed using only the pattern matching engine, but there is a problem in that there is no countermeasure.

In addition, even though the traffic should be considered as an element that destabilizes the network and excessively monopolizes the network resources in addition to the aggressive packets, no countermeasures have been taken. Therefore, it was necessary to stay in an incomplete security device.

In addition, intrusion packets or harmful traffic not detected by the first security module and the second security module are bypassed as they are, and there is no way for the administrator to further extend the security policy. There was a problem that it could not actively cope with the attempt.

The present invention has been proposed to solve the above problems, and the object of the present invention is to improve the speed of intrusion detection to the maximum in accordance with a large-capacity network environment by implementing session management and traffic management in hardware in the intrusion detection apparatus.

Another object of the present invention is to maximize the accuracy of pattern matching by undergoing a predetermined pretreatment process prior to pattern matching.

Another object of the present invention is to prevent congestion caused by abnormal traffic by further checking whether the bandwidth criteria according to a predetermined policy is exceeded even when determined to be normal.

Another object of the present invention is to maximize the processing speed by implementing the session / traffic management and pre-processing in SoC.

Another object of the present invention is to extend the security function by auxiliary connection of an external security device having a separate security policy.

Intrusion prevention apparatus of the present invention for achieving the above object, the input and output interface for receiving a packet from the external network or the internal network, and outputs the packet after the intrusion detection procedure to the internal or external network, respectively, the input and output interface A session / traffic controller that determines whether an abnormal session or harmful traffic is input from a packet input to the packet, a preprocessor that performs a predetermined preprocessing process for pattern matching on the packet received from the session / traffic controller, and the preprocessing process A pattern matching engine that determines whether an intrusion is performed by performing pattern matching on the rough packet, and a corresponding engine that performs a predetermined intrusion prevention action on the packet when intrusion detection is notified from the session / traffic controller or the pattern matching engine. It is done by

Here, at least one of the session / traffic controller or the preprocessor may be implemented as an intelligent system on chip (SoC).

The apparatus may further include a bandwidth manager for determining whether a predetermined bandwidth criterion is exceeded for a packet determined to be normal in the pattern matching engine, and requesting a predetermined intrusion prevention measure to the corresponding engine when the criterion is exceeded.

In addition, mirror the packet input through the input and output interface to an external security device, and receives data of the intrusion determination result from the external security device to communicate with the auxiliary detection module and the external security device for notifying the corresponding engine. Communication port for may be further included.

On the other hand, the intrusion prevention system of the present invention for achieving the above object, the intrusion prevention apparatus and the management of the detection policy and log records to be applied to the intrusion prevention apparatus while being connected to the intrusion prevention apparatus and a predetermined interface. It includes a management host to perform the.

Hereinafter, exemplary embodiments will be described in detail with reference to the accompanying drawings. First, in adding reference numerals to the elements of each drawing, it should be noted that the same elements are denoted by the same reference numerals as much as possible even if they are shown in different drawings. In the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

2 is an internal block diagram for each function of the intrusion detection apparatus and system according to the present invention.

While the input / output interface 210 receives a packet coming from an external network or an internal network through an input PHY 211 at a physical level, the packet that has completed various intrusion detection procedures according to the present invention is output through an output PHY 212. Output to internal network or external network.

The session / traffic controller 220 analyzes the packet inputted to the input / output interface 210 to determine whether an abnormal session is formed or whether harmful traffic is introduced.

Here, session control refers to session management of network traffic, particularly TCP (Transfer Control Protocol) traffic. The TCP protocol is a connection-based protocol, which establishes a session by establishing a connection through a 3-way handshaking process before sending and receiving data, and attempts to transmit and receive data without going through such a normal session establishment process. The TCP packets that make up this attempt are determined to be intrusion. In addition, the TCP sessions that occupy a large portion of the network traffic are monitored for the amount of traffic transmitted and received per packet flow, IP address / port number / IDLE time, and the like. It may further be responsible for the function of preparing a predetermined criterion for easily identifying the abnormal session in the future through the database of the packet characteristics and the packet information of the. Of course, basically, the monitored packet information is transmitted to the management host 280 so that the management host 280 maintains a predetermined database and the abnormal session discrimination criteria.

In addition, the traffic control refers to determining whether the traffic is harmful by a predetermined detection rule. In addition, the load of the network is determined by a predetermined speed index (eg, BPS; Bit Per Second, PPS; Packet Per Second). While the above-mentioned harmful traffic occurs, the packet information may be provided in a database, and a function of providing a predetermined criterion for easily determining whether there is harmful traffic thereafter may be further provided. The packet information may include a service port, an IP address list, and the like, which are higher in the distribution of the rate indices, and thus, service level and IP information of a higher level, which currently occupy bandwidth of the network, may be included. By grasping, it is possible to determine whether the traffic is harmful. Of course, in the case of such traffic control, basically, the corresponding packet information is transmitted to the management host 280 so that the management host 280 maintains a predetermined database and the abnormal session discrimination criteria. At this time, the speed index may be identified for the traffic inflow, traffic blocking amount and harmful traffic detection amount according to the direction to the internal network / external network, respectively.

The preprocessor 230 performs a predetermined preprocessing process in preparation for subsequent pattern matching on the packet received from the session / traffic controller 220. The preprocessing process may include preprocessing of IP fragmentation, preprocessing of TCP segmentation, and web bypass attack, but it is apparent to those skilled in the art that various preprocessing processes for efficient pattern matching may be added.

IP Fragmentation preprocessing refers to recombination of incoming packets before performing pattern matching. While the IP packet passes through the intermediate nodes from the source IP to the destination IP, if the transmitted data is larger than the MTU of the network interface, the IP packet is transmitted by dividing it into an appropriate packet size to fit the size of the MTU. At the receiving end, the split packet is reassembled and delivered to the application layer. In view of this, an attacker maliciously divides and transmits intrusion data (harmful traffic) in order to bypass the intrusion detection / prevention system. However, the pattern matching engine that performs packet-by-packet inspection cannot detect an intrusion in such a case. . Therefore, before the packet is delivered to the pattern matching engine, a preprocessing process for reassembling the packet to filter the harmful traffic is performed.

TCP Segmentation preprocessing also refers to recombination of input frames before performing pattern matching. If the size of a frame that is exchanged between sessions is large, TCP transmits it by segmenting it into an appropriate size and transmits it to the application layer by recombining it again to the application layer. The preprocessing process is to reassemble the frame to filter out harmful traffic before delivery.

The pattern matching engine 240 determines whether an intrusion is performed by performing pattern matching on the packet that has undergone the preprocessing process, and when a packet is determined to be invasive, the pattern matching engine 240 notifies the detection engine of the detection to take an appropriate action. Request. Such pattern information is maintained by the management host 280 and is updated from the management host 280 at predetermined intervals or whenever updated with new pattern information.

When the intrusion detection is notified from the session / traffic controller 220 or the pattern matching engine 240, the response engine 260 performs a predetermined intrusion prevention action on the packet, and the intrusion prevention action varies depending on the intrusion type. It may be set, and may include termination of abnormal sessions, blocking of harmful traffic, blocking of intrusion packets, generation of log information about the packets, and the like, and may be changed according to a security policy at the management host 280.

The session / traffic controller 220 and / or the preprocessor 230 may be implemented as an intelligent system on chip (SoC) so that such functions are implemented in software and simply implemented in hardware on the board. It guarantees a relatively improved speed of operation.

Meanwhile, the intrusion detection apparatus including the above configuration may further include a bandwidth manager 250, an auxiliary detection module 290, and a communication port 295 for connecting an external device.

The bandwidth manager 250 receives the packet determined to be normal from the pattern matching engine 240 to determine whether the predefined bandwidth criterion is exceeded, so that even if the data itself is normal, the bandwidth manager 250 enters the excessive traffic and congests the network. To detect the abnormal traffic, and request an intrusion prevention measure from the response engine 260 upon detection of the abnormal traffic. In addition, for the corresponding address registered in advance, the traffic is forwarded according to the guaranteed bandwidth, and even if the address is registered in advance, the bandwidth management criteria applied to each may be different, and thus the address corresponding to the higher priority among those addresses is assigned. May prefer to allow bandwidth usage.

The auxiliary detection module 290 mirrors the packet input through the input / output interface 210 to an external security device having a separate security policy, and receives a determination result of the intrusion from the external security device to the corresponding engine 260. To pass. The communication port 295 for connecting an external security device is a transmission path for exchanging data with the external security device.

Such an intrusion prevention device may be connected to a separate management host 280, thereby configuring an intrusion prevention system.

The management host 280 is connected to a predetermined interface 270 such as an intrusion prevention apparatus and a PCI, and manages detection policies and log records to be applied to the intrusion prevention apparatus. Therefore, the storage unit 282 of the management host 280 records a predetermined management program and a database for maintaining detection policies and log records, and intrudes the management program through the central processing unit 281 to intrude. Manage various data used in the prevention device.

Now, let's take a closer look at each procedure to detect and respond to intrusions through the above intrusion prevention devices and intrusion prevention systems. For reference, Figure 3 is a flow chart showing each step of the intrusion detection method according to the present invention.

When a packet is introduced from an external network or an internal network (S301), first, whether a session is abnormally detected is detected (S303), and if a session is normally formed, then it is detected whether the corresponding packet is harmful traffic (S305). Here, if it is an abnormal session or if it is determined that the traffic is harmful, predetermined intrusion prevention measures such as blocking the packet and recording log information thereof are taken (S317), and then information related to the packet is transmitted to the management host (S317). S319) The analysis is performed so that the security policy to be applied in the future is updated (S321).

Packets that have undergone the session / traffic inspection step as described above are modified and recombined through a predetermined preprocessing process to increase the accuracy of subsequent pattern matching (S307). Pattern matching is performed on the packets that have undergone such preprocessing in a manner that is compared with predetermined pattern information (S309). If it is found that the packet corresponds to the intrusion pattern, steps S317 to S321 are performed.

In this case, even if it is determined that the packet is a normal packet, it is possible to prevent the network from congestion due to abnormal traffic by selectively again determining whether or not the predetermined bandwidth criterion is exceeded (S323). If the bandwidth criteria is exceeded, steps S317 to S321 may be performed in the same manner. If not, the corresponding packet is output on the network as it is and the next packet is received.

On the other hand, a copy of the packet input to the intrusion prevention device is transmitted to an external security device that detects the intrusion in a separate security policy (S311), if it is determined that the intrusion as a result of the inspection in the external security device (S313) The device is notified (S315) c such that the predetermined intrusion prevention measures S317 to S321 are performed.

As described above, in the detailed description of the present invention, specific embodiments have been described. However, various modifications may be made without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be defined not only by the scope of the following claims, but also by those equivalent to the scope of the claims.

According to the present invention having the configuration as described above, the processing speed of the intrusion detection is significantly increased compared to the method previously operated by software in a separate host through the session / traffic controller implemented in hardware in the intrusion detection apparatus.

In addition, it is possible to maximize the accuracy of pattern matching by going through simple pre-processing by packet recombination or the like before the pattern matching.

In addition, even if the packet is determined to be normal, the security can be further enhanced by additionally checking whether or not the predetermined bandwidth criterion is exceeded and identifying the abnormal traffic not found in the pattern matching.

In addition, it is possible to maximize the processing speed by implementing the above session / traffic management and preprocessing process in SoC.

In addition, by providing a communication port for utilizing the detection function of the external security device, the security of the intrusion prevention device can be further enhanced.

Claims (10)

An input / output interface for receiving a packet from an external network or an internal network and outputting a packet that has completed the intrusion detection procedure to the internal or external network, respectively; A session / traffic controller that determines whether an abnormal session or harmful traffic is received from the packet input to the input / output interface; Performing a preprocessing process including pre-processing for IP fragmentation preprocessing, TCP segmentation preprocessing, and web bypass attack against packets received from the session / traffic controller in preparation for pattern matching. Preprocessor; A pattern matching engine that determines whether an intrusion is performed by performing pattern matching on the packet which has passed the preprocessing process; And When intrusion detection is notified from the session / traffic controller or pattern matching engine, intrusion prevention measures including termination of abnormal session, blocking of harmful traffic, blocking of intrusion packet, and generation of log information for the packet are performed on the packet. Corresponding engine; Hardware-based intrusion prevention device comprising a. The method of claim 1, The hardware may further include a bandwidth manager that determines whether a predetermined bandwidth criterion is exceeded for a packet determined to be normal in the pattern matching engine, and requests a predetermined intrusion prevention measure from the corresponding engine when the criterion is exceeded. Based intrusion prevention device. The method of claim 1, At least one of the session / traffic controller or the preprocessor is a hardware-based chip prevention device, characterized in that implemented as an intelligent complex chip (SoC; System on Chip). The method according to any one of claims 1 to 3, An auxiliary detection module for mirroring a packet input through the input / output interface to an external security device and receiving an intrusion determination result from the external security device to notify the corresponding engine; And A communication port for data communication with the external security device; Hardware-based intrusion prevention device characterized in that it further comprises. Intrusion prevention device of claim 1; And A management host connected to the intrusion prevention device through a predetermined interface and performing management of detection policies and log records to be applied to the intrusion prevention device; Hardware-based intrusion prevention system comprising a. Detecting whether an abnormal session is formed through a packet introduced from an external network or an internal network; Detecting whether a packet introduced from an external network is harmful traffic; Performing a preprocessing process including preprocessing for IP fragmentation preprocessing, TCP segmentation preprocessing, and web bypass attack against packets imported from an external network in preparation for pattern matching; Performing pattern matching to determine whether an intrusion is made on packets that have passed through the preprocessing process; And For the packet determined to be intrusion by the abnormal session detection, harmful traffic detection or pattern matching, including the termination of the abnormal session for the packet, blocking the harmful traffic, blocking the intrusion packet, and generating log information for the packet. Performing an intrusion prevention measure; Hardware-based intrusion prevention method comprising a. The method of claim 6, Determining whether a predetermined bandwidth criterion is exceeded for a packet determined to be normal in the pattern matching step; And Performing a predetermined intrusion prevention measure accordingly when the criterion is exceeded; Hardware-based intrusion prevention method characterized in that it further comprises. The method of claim 6, Any one or more of the abnormal session detection step, harmful traffic detection step or preprocessing step is performed by an intelligent complex chip (SoC; System on Chip) that implements the function. The method according to any one of claims 6 to 8, Mirroring packets introduced to an external security device; And Performing a predetermined intrusion prevention measure according to the notification that the mirrored packet is determined to be intrusion; Hardware-based intrusion prevention method characterized in that it further comprises. The method of claim 9, If it is determined that the intrusion is detected in the abnormal session detection step, the harmful traffic detection step, or the pattern matching step, transmitting corresponding packet information to a management host; And Managing detection policies and log records to be applied in a corresponding step based on the received packet information in a management host; Hardware-based intrusion prevention method characterized in that it further comprises.

Images