KR101416618B1 - An Intrusion Prevention System Using Enhanced Security Linux kernel - Google Patents

Abstract

The present invention relates to an intrusion prevention system based on a Linux kernel security, which detects an intrusion into a Linux system and limits an access authority of the access detected as an intrusion. The system includes: an IP table on which IP addresses which have to be blocked are recorded; a database which records the IP addresses which have to be blocked; a detecting engine which determines whether a packet which was not blocked by the IP table is an attack or not; a blocking engine which stores an IP address of the packet determined as an attack (hereinafter, an attack IP address) in the database, and orders to store the attack IP address in the IP table; and a resource monitoring module which shows the IP addresses stored in the database. The intrusion prevention system based on the Linux kernel security efficiently detects and prevents attacks such as unauthorized accesses to the system and illegally authorized acquisition, and reduces authority over the system when an intruder attempts to intrude, thereby preventing later intrusion attempts.

Description

An Intrusion Prevention System Using Enhanced Security Linux kernel,

The present invention relates to a Linux kernel security system for blocking an IP address that has previously attempted an attack through an IP table (Iptables) and for blocking an IP address of a blocking engine in the case where another IP is determined to be an attack through a detection engine Based intrusion prevention system.

Because Linux has the advantage that all related sources are available, many application systems ranging from systems used in Internet environments such as Web servers to information appliances are gradually being developed based on Linux. Along with the increasing use of Linux, Linux security has become a very important research and development task. Because the source of almost everything, including the kernel and general programs, is open, and hacking on many Linux systems is taking place.

Although the public awareness of the need for computer and network security has increased rapidly, it is pointed out that the current effort to provide security measures will not be successful. The reason is that most of the current security efforts are based on the misunderstood assumption of using the existing mainstream operating system, that is, the security functions of the unsecured operating system, to provide security at the application level, It is pointed out that it will result in "casting on the sand." Firewalls, and IDS are examples of providing security at the application level, and these have not been addressed in recent security issues, as are seen in many hacking cases and documents.

On the other hand, the United States developed and evaluated many security operating systems based on the Trusted Computer System Evaluation Criteria (TCSEC), which became the standard of the Defense Department in 1985, and are used by the military, the government, and so on. Most of the security operating systems implemented in TCSEC B1 level or higher computer systems employ security kernels. For computer systems rated B2 or above, they are prohibited from exporting to overseas. Therefore, in order to establish the sovereignty of information security in Korea, research and development of a security operating system, which is treated like a weapon system, is an essential and urgent task.

Next, a more detailed description of the conventional research on the security operating system and the security kernel of Linux will be described.

The security operating system is a reliable computing environment implemented by porting a security kernel and adding security services such as authentication and encryption to solve problems inherent in the existing operating system. Through the implementation of the reference monitor, the security operating system can control access to the kernel level through the identification and authentication of the user, access control, and intrusion detection, and can perform functions such as defense against the unknown attack, detection and response have. It also includes a function to prevent illegal intruders from removing traces of intrusions by protecting logs and audit records in strictly separated areas.

The study of operating system security has been mainly focused on the confidentiality and integrity of access control. In the United States, the TCSEC draft "Orange Book" was established in 1983 as a result of ongoing research into the construction and evaluation of safe computer systems centering on the Ministry of National Defense, NIST, and MITER. In 1985, 28-STD). TCSEC is classified into seven grades (D, C1, C2, B1, B2, B3, A1) in order to supply safe and reliable computer systems to the US Department of Defense and government agencies. · It is recommended to operate.

The TCSEC defines the requirements that each computer system should provide for each level of security policy, accountability, and warranty and documentation, and most of the functionality and assurance requirements are currently supported by ISO (International Organization for Standardization) Common Criteria v2.1) and Protection Profile, and the evaluation level of TCSEC is also mutually recognized with CC. In particular, the security operating system of class B1 or higher is required to perform mandatory access control according to the security label of user identification, authentication, subject, user, process and object in terms of security policy and accountability, It should have at least functions such as attaching labels when transmitting to external media, outputting security labels at printing, preventing object reuse, complete mediation with reference monitor, audit, and reliability path.

On the other hand, the security kernel does not target operating system only. All elements of the computing environment such as hardware, firmware, and software applications are subject to security and consist of various security mechanisms such as reference monitors, audit modules, identification and authentication modules.

Because the secure kernel must be complete, there are various requirements. The following three key requirements for the secure kernel are: First, it should be separate from the process of performing the reference monitor concept. And they must not be tampered with. Second, the reference monitor must control access to all activities that occur between the subject and the object. It should be impossible to circumvent the reference monitor by avoiding it. That is, the secure kernel must be implemented in a way that is complete and can not be erroneous. Finally, it should be small enough to be proven and tested in a complete and comprehensive way.

The Linux operating system can be installed free or at a low cost, and is rapidly gaining popularity due to its advantages of supporting various platforms, structured design, and offering various open software. The application area is relatively successful as the Internet server (web server, mail server, DB server, file server, etc.). However, in proportion to this, a hacking accident aiming at the Linux system is also increasing rapidly. However, security features implemented in existing Linux and security at application level are limited in solving security problems.

On the other hand, recent Linux OS security researches at the kernel level are insufficient compared with the necessity or vulnerability. Multi-level security research at the Linux kernel level was conducted as a project at the Naval Postgraduate School in the United States and is an example of implementing multi-level security features for computer security education by modifying the Linux operating system.

Most of the other Linux operating system security researches are add-on methods, mainly network application programs and utility-level security patches. On the other hand, US TIS developed the "DTMach (Distributed Trusted Mach)" security kernel for B3 grade using the "Mach" micro kernel developed by Carnegie Mellon University and discontinued B3 grade evaluation. Synergy project, DTOS (Distributed Trusted OS) and Flask project. The security kernel design concept of this Flask project was reflected in the "Secure Linux (seLinux)" project conducted by NSA, SCC and NAI Lab from September, 1999 to December, 2000, It is public. In Korea, research on the development of Unix and Linux security kernels is being conducted in a small number of universities, venture companies and research institutes.

That is, it is the security operating system (Sevure OS) that security function is added to the operating system kernel to solve the security flaw of the operating system itself and to enhance security. SElinux, a security operating system developed primarily by the US National Security Agency, uses a Linux Security Modules (LSM) framework to force a traditional Linux kernel that provides discretionary access control (DAC) It is a kernel based server side security system that implements Mandatory Access Control (MAC).

Currently, SELinux supports the following types of access control policies: Type Enforcement (TE), Role Based Access Control (RBAC), and Multi Level Security (MLS) policies. Using this access control policy, the system security administrator can define strict access control policy between the entity that refers to the user or programs and the object that refers to files and devices.

By applying the functions provided by SELinux, it can play a role similar to the Intrusion Detection System (IDS) for actual intrusion. However, detection and logging of intrusions are not sufficient in an environment where prompt response is required when a system intrusion occurs.

Therefore, if the access control policy is dynamically modified so as to eliminate or minimize the system usage right of the intruder in order to protect the system from the intruder at the time of detection, the intrusion prevention system (Intrusion Prevention System , And IPS).

[Non-Patent Document 1] Kim, Jeong-won, Seungwon Son, and Cheol-Hoon Lee, "Security and Performance Testing of Secure OS Access Control Policies", Information Processing Society D D10-D Volume 5 (2003.8). [Non-Patent Document 2] National Security Agency, http://www.nsa.gov/research/selinux/index.shtml [Non-Patent Document 3] http://www.tcpdump.org/ [Non-Patent Document 4] Elizabeth Tswikey et al. Building Internet Firewalls, Hanvit Media, 2003. [Non-Patent Document 5] C. E. Landwehr, A. R. Bull, J. P. McDermott, and W. S. Choi, "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, Vol. 26 (3), pp. 211-254, 1994. [Non-Patent Document 6] M. Bishop and D. Bailey, "A Critical Analysis of Vulnerability Taxonomies," CSE-96-11, Sep. 1996 [Non-Patent Document 7] K. Jiwnani and M. Zelkowitz, "Maintaining Software with a Security Perspective," International Conference on Software Maintenance (ICSM'02), Montreal, Quebec, Cannada, Oct. 03-06, 2002. [Non-Patent Document 8] http://www.securityfocus.com/ [Non-Patent Document 9] I. Arce and E. Leby, " The Rising Threat of Vulnerabilities Due to Integer Errors ", IEEE Security & Privacy, 77-82, Jul./Aug. 2003. [Non-Patent Document 10] Kim, Sun-Young and Oh, Chang-Seok. "Detection of DDoS Attack Using Pattern Matching Technique", Journal of the Korea Contents Association, Vol. 3, No. 2, 2005. pp.189-194. [Non-Patent Document 11] Lee, Young-Moo; "(The Strongest) MySQL 4 Bible", GAME Publisher, 2003.

An object of the present invention is to solve the above-mentioned problems, and it is an object of the present invention to provide a method and system for preventing an IP attack that has attempted an attack through an IP table (Iptables) And to provide a Linux kernel security-based intrusion prevention system that causes the blocking engine to block the IP address.

In order to achieve the above object, the present invention relates to a Linux kernel security-based intrusion prevention system for detecting an intrusion of a Linux system and restricting an access right to an access detected by an intrusion, ; A database for recording IP addresses to be blocked; A detection engine for verifying whether or not an unblocked packet is attacked through the IP table; A blocking engine for storing an IP address (hereinafter referred to as an attack IP address) of a packet determined as an attack in the database and storing the attacking IP address in the IP table; and a resource monitoring And a module.

According to another aspect of the present invention, there is provided an intrusion prevention system based on Linux kernel security, wherein the detection engine detects a MAC, an IP address, a port, a TCP flag (TCP Flag ) And collects the packet to inspect the packet.

According to another aspect of the present invention, there is provided a Linux kernel security-based intrusion prevention system including a denial of service (DOS) detection method, a SYN / ACK (SYN Floating / ACK Storm) detection method, a DDoS , A port scan detection method, a TCP / SYN scan (TCP connect scan / SYN stealth scan) detection method, a hidden FIN / Xmas scan (Stealth FIN scan) Is inspected.

According to another aspect of the present invention, in a Linux kernel security-based intrusion prevention system, the blocking engine blocks a packet through the IP table, extracts information of the Linux system through a shell program, and records the information in a log file .

According to another aspect of the present invention, there is provided an intrusion prevention system for a Linux kernel security system, the interception engine including: a status processor for executing shell programming of a usage rate of a CPU, a memory, and a disk of the Linux system in real time; A CPU information section for extracting CPU utilization through shell programming; A memory information part for extracting a memory usage rate through shell programming; A disk information part for extracting the disk usage rate through Shell programming; An IP table command unit for retrieving an IP address stored in the database and adding the IP address to a table (Iptables); An On / Off state of the Linux system, a user information part for extracting a connection state of users; And a log file for storing the extracted usage rate, status, and status.

As described above, according to the Linux kernel security-based intrusion prevention system according to the present invention, it is possible not only to effectively detect and prevent attacks such as unauthorized access to the system and acquisition of illegal rights, It is possible to prevent the intrusion attempts from occurring in advance.

1 is a block diagram illustrating a structure of a security operating system of Linux according to an embodiment of the present invention;
2 is an example of an intrusion detection log generated by the security operating system of Linux according to the present invention.
3 is a flowchart illustrating an operation of a secure kernel of a secure operating system of Linux according to an embodiment of the present invention.
Figure 4 is an example of an allow clause extended for privilege restriction according to the present invention.
FIG. 5 is a block diagram illustrating a Linux kernel security-based intrusion prevention system according to an embodiment of the present invention; FIG.
FIG. 6 is a flowchart illustrating an operation process of a detection engine of a Linux kernel security-based intrusion prevention system according to the present invention; FIG.
FIG. 7 is a block diagram illustrating a structure of a blocking engine of a Linux kernel security-based intrusion prevention system according to the present invention; FIG.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.

In the description of the present invention, the same parts are denoted by the same reference numerals, and repetitive description thereof will be omitted.

First, a security operating system of Linux according to an embodiment of the present invention will be described in detail with reference to FIG.

As shown in FIG. 1, the security operating system of Linux according to the present invention comprises an object manager and a security server.

The Object Manager provides control operations to the system and, when a security decision is made for a specific security policy at the security server, performs the security decision. It also provides functions such as applying and changing AVC (Active Vector Cache) management policy.

The security server determines the security policy, maintains the mapping between the security ID (SID) and the security context, and assigns the SID to the newly created object. Access to the system's resources on the secure operating system is defined by the 'allow' syntax, as shown below.

allow user_t bin_t: file {read write};

In the above syntax, a process with a type of user_t is an access policy that allows read and write system call requests for files of type bin_t.

Such a security operating system provides the following functions.

First, the security operating system performs various access control on the resource, and access control policies such as Type Enforcement TE, Role Based Access Control (RBAC), and Multi Level Security MLS .

In addition, the security operating system can protect against kernel insertion by inserting modules or direct writing to the kernel to prevent kernel modification by the attacker. To reduce the scope of the attack, the security operating system minimizes the impact on other processes or systems in case of damage by allocating only the minimum privileges required to execute the process. As an audit function, information about violation of security rules occurring in the system can be recorded in a file and used as audit data.

These features were developed as an insertable kernel module using the Linux Security Module (LSM) framework and replace DAC access control functions that were previously provided through module insertion.

For example, an intruder can inject malicious code, such as running a system shell into a process, through memory manipulation, such as a buffer overflow technique. However, the system controlled by the security operating system can not obtain the privilege necessary to execute the inserted malicious code, thereby preventing damage caused by such an attack. In addition, the security operating system can record audit information on this unauthorized access and can be used as audit data.

FIG. 2 shows a buffer overflow attack detection log generated by the security operating system. It can be seen from the log information of FIG. 2 that the shell was attempted to be executed via the ftp daemon (in.ftpd) (shell_exec_t) and that such access was denied (excuted). Generally, this kind of access does not happen with the ftp daemon. Furthermore, these behaviors are abnormal behaviors that occur as an exception to the system. As a result, this is a clear indication that an attacker has attempted a buffer overflow attack using the ftp daemon.

By applying the functions of the security operating system as above, logs of abnormal accesses can be recorded. However, the kernel's log information does not include a log of abnormal accesses that can be evidence of an intrusion and many general system-related logs, and can not determine in the kernel what kind of logs are dangerous. It is therefore necessary to implement a function that allows the kernel to determine what kind of access information is dangerous so that it can respond more effectively to the intrusion.

In the present invention, a "security check" for determining what kind of access information is dangerous by expanding the access control language of the security operating system and a "rights restriction" function for changing the access control list to a restricted access control list in response thereto are added Configure an enhanced secure kernel system.

By adding a security check and an authority restriction process, it is possible to restrict the system privilege to the intruder by modifying the system access control policy for the intruder as well as detecting and blocking the intrusion upon the intrusion attempt. FIG. 3 shows a process in which a limited access control is applied to an intruder by performing a "security check" and a "permission restriction" in order to prevent damage when an abnormal access occurs.

The security check determines which type of access information is dangerous by referring to the intrusion detection database. Add "strict" syntax to the access control language of the security operating system to describe access information that can be considered dangerous to the intrusion detection database. This grammar is similar to the "allow" syntax described above.

For example, you can write a strict grammar as follows:

strict ftpd_t shell_exec_t: file {execute};

The above syntax is a strict statement that defines an attack that invokes the system shell by attacking the ftp daemon in a buffer overflow manner. If access to the "strict" syntax occurs, intruders will be restricted from doing so through "permission restrictions". These security checks can detect unauthorized shell execution and attempts to acquire administrator privileges, tampering or deletion of configuration files or log files, and unauthorized access to resources.

In the previous step, all accesses were checked for access violation through security check. If an access violation is detected in the process, a restricted access control policy is enforced by executing "permission restrictions" to minimize the damage to the attack. This means that depending on the result of the security check, the access policy for the access can be dynamically changed. The privilege restriction function is to reduce the privilege on the system from the intruder when an intrusion occurs.

To define the restricted access control policy, we extend the 'allow' statement in the syntax of the security operating system. At the end of the 'allow' statement, the state option corresponding to the security level is placed so that the policy can be changed according to the corresponding state.

Figure 4 shows the allow syntax extended for permission restrictions.

Before an access violation is detected, the state 1 state is applied to perform write, read, and delete operations on the file. However, when an access violation is detected by the security check, the state value is changed to 3. Therefore, permissions to create, write, and delete files are deleted, and only the minimum permissions such as read are allowed to limit uploading of the ftp daemon.

These state values are added to the extended allow statement for permission restrictions and are modified in the security check. It is used to determine what access control policies should be applied in the authorization constraints. This value is internal to the kernel and can not be modified by user-level applications. Because user level applications can not change the security level, it is possible to prevent tampering by the intruder.

Next, a Linux attack detection system (Snort, Snort), a packet capture module (Libpcap), and an IP table (Iptables) used in the security operating system of the present invention will be described.

Linux IDS Snort is made open source and has the largest number of users worldwide. It handles a lot of information, supports both NIDS and HIDS, and is a great reference for IDS production. Snort itself, however, does not support GUIs, and because it uses textual information, it is difficult for administrators to use it, and it has a weak point in that there is a lot of difference between the time of occurrence and the time of information.

Snort is a network intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging on the network. Snort allows protocol analysis, packet content inspection, pattern matching, and can be used to detect various attacks and detections such as buffer overflows, stealth port scans, CGI attacks, SMB detections, and OS fingerprinting attempts. It also uses a very flexible rule language, such as a detection engine with a modular plugin structure that is useful for capturing traffic. Snort is capable of real-time alerts such as syslog, specific files specified by the user, alerting mechanisms integrated with windows popup messages using UNIX socket or Sambaclient.

Snort has three main functions. First, Snort can be used directly as a packet sniffer, such as tcpdump. There is also a packet logger function useful for network traffic debugging. Finally, it has a complete network intrusion detection system (NIDS) capability. Snort records tcpdump binary format or Snort's ASCII format packet in the logging directory with the ip address of the external host as the name. Snort can be used anywhere libpcap is available.

Snort is a plug-in that allows you to easily change and modify the configuration of your snort, sniffer, preprocessor, detection engine, logging, (Output).

Snort first collects all packets passing through the Snort IDS via the sniffer. The data collected here is not routed through a rule-based detection engine, but rather through a preprocessor to check for a more efficient attack detection by matching some plug-ins such as HTTP encoding plug-ins or port scans first. Of course, the preprocessor is also modular and can be disabled if it is not necessary for your environment. For example, if you do not need to detect RPC traffic, you can comment out the RPC-related preprocessor.

Packets that pass through the preprocessor are checked through a rule-based detection engine, which is the core of Snort IDS, to match predefined detection rules. If the rule is matched, it will remain in the log according to the predefined policy, otherwise it will pass.

Next, the Portable Packet Capturing Library (Libpcap) is a function collection (library) for capturing packets. In addition to the packet capture module (Libpcap), there are tools for packet capture, but in most cases it is dependent on the operating system, so it is inconvenient to rewrite the code for each operating system. Typical tools include SOCK_PACKET, LSF, SNOOP, and SNIT. However, Libpcap provides APIs that can be used universally regardless of operating system, thus helping to make public programs or public libraries. The most popular programs using Libpcap are programs such as tcpdump and SAINT, and many commercial IDS products use Libpcap for packet analysis.

Next, the IP table (Iptables) is a program that can be used to configure the packet filtering function and is a tool for inserting or deleting filtering rules into the kernel packet filtering table. There are two tables, one is a filter table that filters packets and the other is a nat table that can be blocked by specifying a start address and a destination address separately. A lot of nat is used rather than a filter because the start address and the destination address can be set respectively. When you use nat, you need to specify the table to use when converting the network address by using '-t' option. Basic filtering consists of three logical chains named INPUT, OUTPUT, and FORWARD, respectively, which determine the ACCEPT or DROP of a packet according to the policy of the chain.

Next, a Linux kernel security-based intrusion prevention system according to an embodiment of the present invention will be described in detail with reference to FIG.

As shown in FIG. 5, the data coming into the system is primarily blocked by the IP table (Iptables) and the other IPs are attacked through the detection engine. IP. The blocking engine sends a command to the IP table (Iptables) to block the IP and stores the blocking IP in the database (DB). IP that is not problematic in the detection engine beyond the primary IP table (Iptables) can use the service in the system. Resource monitoring (resource monitoring module) shows the system information through DB through GUI.

Next, the detection engine will be described in more detail.

As shown in FIG. 6, the detection engine collects necessary information (mac, IP, Port, TCP Flag, etc.) for each header using Pcap from the attacker, checks the packet through the detection module, And transmits the attack information to the blocking engine.

At this time, the detection engine may include a denial of service (DOS) detection method, a SYN / ACK (SYN Flooding / ACK Storm) detection method, a DDoS (Distribute Denial of Sercice) detection method, a port scan detection method, (TCP connect scan / SYN stealth scan) detection method, and a hidden FIN / Xmas scan (stealth FIN scan) method.

First, a denial of service (DOS) detection method creates a connection list for an IP that is determined to be an attack attempt. If the size of the list is exceeded, delete the last node and insert the newly created node first. If the next attack occurs within 1 second, the count is incremented by 1, and if it exceeds 1 second, the count is reset to 1, and if the attack count reaches 200, the attack is determined.

Next, if the SYN / ACK signal is received from a specific address, the detection method of SYN Flooding / ACK Storm suspends the attack and stores information of the counterpart in the SYN / ACK list, If it is more than a certain number, it is judged as an attack.

Next, the detection method of the DDoS (Distributed Denial of Sercice) is determined to be an intentional DDoS attack if an attack is made to a specific service simultaneously within one second among the information of the IPs determined to be an attack attempt on the list of attackers.

Next, the port scan detection method creates a port table and stores the port to be scanned in a table. If the scanning is completed perfectly and the size of the table becomes more than a certain number of the stored pods, it is judged as a scanning attack. Otherwise, it is judged as a scanning attempt.

Next, the detection method of TCP connect scan / SYN stealth scan suspends SYN scan when SYN comes in. If SYN / ACK is sent, it is determined as stealth scan. If complete connection is made, it is decided as connect scan.

Next, the detection method of the Stealth FIN scan and the Stealth Xmas scan is suspected to be FIN scan when the FIN comes in, and Xmas scan when the FIN, URG, and PUSH comes in. If the scan fails, the RST is sent. If the scan is successful, the packet is ignored. In this case, it is determined as FIN or Xmas scan.

Next, the blocking engine will be described in more detail.

7, the blocking engine includes a status processor (Stat.sh), a CPU information unit (CPU_info.sh), a memory information unit (Memory_info.sh), a disk information unit (Disk_info.sh), an IP table command unit (Iptables command) , A user information section (Userinfo.sh), and a log file (LOG_File).

At the moment when the blocking engine is started, it receives a list of all blocked IPs from MySql and blocks through IP table (Iptables) command. Blocked IPs are blocked from accessing the server. System information (CPU, Memory, Disk) is recorded in log file through stat.sh, and recorded contents are recorded in DB in MySql. Userinfo, which contains information about the user's connection status and who is in the system, logs through the log file, and the recorded file is sent to the GUI via Soket communication.

Preferably, the status processing unit (Stat.sh), the CPU information unit (CPU_info.sh), the memory information unit (Memory_info.sh), the disk information unit (Disk_info.sh), the IP table command unit (Iptables command) sh) is implemented in each shell script running on the system.

The state processing unit (Stat.sh) executes the shell programming of the usage rates of CPU, Memory, and Disk in real time and updates.

The CPU information part (CPU_info.sh) extracts the CPU usage rate through Shell programming, the memory information part (Memory_info.sh) extracts the memory usage rate through Shell programming, and the disk information part (Disk_info.sh) .

The IP table command (Iptables command) is used to initialize the IP table (Iptables) when the system is first executed. Therefore, the blocked IP stored in the DB is loaded and added to the IP table (Iptables). Also, the user information section (Userinfo.sh) extracts the system On, Off status, and the connection status of the users (the connection time and the maintenance time are also known).

The log file (LOG_File) records all the extracted information of shell programming of the above mentioned components into a log file, and transmits the information through DB / Socket communication through the log file.

In the present invention, an enhanced security system of the Linux kernel is constructed by extending the function of the security operating system. Unlike existing network-based intrusion detection systems, it has little impact on system performance. In addition, the system according to the present invention can effectively detect and prevent attacks such as unauthorized access to the system and unauthorized acquisition of authority, as well as detection methods using existing signatures, By reducing authority, future intrusion attempts can be prevented in advance.

In addition, the system according to the present invention can implement a Linux-based IPS and actively block intrusions detected by real-time resource monitoring and packet analysis using an IP table (Iptables) without an administrator intervention.

The invention made by the present inventors has been described concretely with reference to the embodiments. However, it is needless to say that the present invention is not limited to the embodiments, and that various changes can be made without departing from the gist of the present invention.

Claims (5)

In a Linux kernel security-based intrusion prevention system that detects the intrusion of a Linux system and restricts access to an attack-detected access,
An IP table in which an IP address to be blocked is recorded;
A database for recording IP addresses to be blocked;
A detection engine for verifying whether or not an unblocked packet is attacked through the IP table; And
A blocking engine that stores an IP address (hereinafter, an attack IP address) of a packet determined as an attack in the database and stores the attacking IP address in the IP table;
And a resource monitoring module for displaying an IP address stored in the database,
Wherein the blocking engine blocks packets through the IP table and extracts the information of the Linux system through a shell program and records the information in a log file.
The method according to claim 1,
The detection engine collects at least one of a MAC, an IP address, a port, and a TCP flag (TCP Flag) for each header by using a packet capture module and inspects a packet received in the Linux system. Linux kernel based security intrusion prevention system.
The method according to claim 1,
The detection engine may include a denial of service (DOS) detection method, a SYN / ACK (SYN Flooding / ACK Storm) detection method, a DDoS (Distributed Denial of Sercice) detection method, a port scan detection method, A TCP connect scan / SYN stealth scan detection method, and a stealth FIN scan / stealth Xmas scan detection method.
delete 2. The engine of claim 1,
A status processing unit for executing shell programming of a usage rate of a CPU, a memory, and a disk of the Linux system in real time to update the shell program;
A CPU information section for extracting CPU utilization through shell programming;
A memory information part for extracting a memory usage rate through shell programming;
A disk information part for extracting the disk usage rate through Shell programming;
An IP table command unit for retrieving an IP address stored in the database and adding the IP address to a table (Iptables);
An On / Off state of the Linux system, a user information part for extracting a connection state of users; And
And a log file for storing the extracted usage rate, status, and status of the Linux kernel based intrusion prevention system.

Images