KR20070104761A - Signature graph hybrid intrusion detection system - Google Patents

Abstract

A signature graph hybrid IDS is provided to analyze intrusion by automatically storing information about attack to a log file, classifying contents of the log file into each signature, storing the classified signatures a database, and comparing the signature of the newly inputted attack with the signatures stored in the database. A DCM(Data Collection Module) collects audit data by capturing data in the network. An ADGM(Audit Data Generation Module) generates the audit data capable of determining intrusion by analyzing the collected audit data. An IDSGM(Intrusion Detection Signature Generation Module) generates an intrusion detection signature by separating the audit data into an alert and log event. An ATES(Algorithm Transforming the Existing Signature) generates the intrusion detection signature for similar or mutative intrusion based on the generated intrusion detection signature. An SGGM(Signature Graph Generation Module) makes a signature graph by analyzing correlation between the classified signatures. An information database determines the intrusion if a connection event is not agreed with the audit data stored in the information database by linking with an analysis engine, and issues the alert to a manager through a response module.

Description

Signature Graph Hybrid Intrusion Detection System using Signature Graph

1 is a view showing the type of intrusion detection system,

2 is a basic block diagram of an intrusion detection system;

3 is a conceptual diagram illustrating a classification of an intrusion detection system according to a data source;

4 is a conceptual diagram showing the operation between the information flow and system components of the present invention;

5 is a flow chart of a sensor (analysis engine) module of the present invention;

6 is a conceptual diagram of a packet filtering operation.

7 is a flowchart of a packet filtering operation.

8 is a flowchart of an MP;

9 is an MP configuration diagram for detecting an intrusion on a host;

10 is a flowchart for generating a modified signature in anticipation of intrusion;

11 is a conceptual diagram for generating a new signature through ATES;

12 is a conceptual diagram illustrating a process of generating a new intrusion signature;

13 is a flow chart of the signature graph generation applied to the present invention;

14 is a state diagram of a signature graph;

15A is a step explanatory diagram of the signature detection process according to the stepwise operation;

15B is a step explanatory diagram of the signature detection process according to the step-by-step operation (continued),

16 is a configuration diagram of an information database of SGHIDS;

17 is a network utilization analysis graph,

18 is an analysis graph according to an event type;

19 is an analysis graph using a signature graph,

20 is a graph comparing the success rate and failure rate of SGHIDS signature detection.

The present invention is a hybrid using a signature graph designed by integrating a network-based Signature Graph Network Intrusion Detection System (SGNIDS) and a host-based Signature Graph Intrusion Detection System (SGIDA). Based intrusion detection system "(Signature Graph Hybrid Intrusion Detection System).

Recently, the importance of computer security is increasing due to the spread of e-business. This is especially true in the situation where the rapid spread of the Internet is rapidly increasing not only company-related tasks but also various businesses such as individual businesses and individuals through the Internet. However, the Internet is a collection of unreliable networks, which makes it difficult to control the flow of information. In addition, while maximizing the use of important resources on the Internet, there is a need for a solution for protecting internal critical resources, and the information security market in Korea is moving from the introduction stage to the growth stage. Therefore, the focus of security is shifting from security first generation products and services such as firewalls and antivirus to security second generation products and services such as intrusion detection systems and security consulting. This chapter introduces intrusion detection technology related to existing intrusion detection systems and types of intrusion detection systems.

Intrusion detection system (IDS)

Intrusion detection means either unauthorized use of a system or network, or detection of attacks on the system or network. Intrusion Detection Systems (IDS) are designed to detect and prevent such attacks, or the use of unauthorized persons by the systems, networks, and related resources. Intrusion detection systems can be software-based, or a combination of hardware and software, like a firewall.

There are various types of intrusion detection systems depending on the judgment criteria. Intrusion detection systems are divided into network based, host based, and distributed intrusion detection systems according to their functions. In addition, the classification criteria of the intrusion detection system may be an intrusion detection model that determines the source of the data to be detected and the determination of the attack behavior. 1 shows various kinds of intrusion detection systems.

Intrusion Detection System Structure

2 shows a schematic structure of an intrusion detection system. An event generator collects data on all events, and an event analyzer analyzes the collected data to perform intrusion detection. An event database stores information necessary for intrusion detection, and a response unit performs a response to detected intrusions.

Classification of Intrusion Detection System

1. Types of Intrusion Detection System

 Intrusion Detection System (IDS) is classified into host-based intrusion detection system, network-based intrusion detection system, and hybrid based intrusion detection system combining them according to data source. 3 shows a classification of an intrusion detection system according to a data source.

(1) Host Based Intrusion Detection System

A host-based intrusion detection system is a system installed on a single host to detect intrusions using the audit data of the system. In most cases, this checks the integrity of the files on the system, which detects whether critical files or security-related files on the host have been modified, or whether any user attempts to access files beyond your own security level. It is. Host-based intrusion detection system has the problem of compatibility by system because it is installed in the host and has a disadvantage that can put a load on system resources, but has the advantage that it is not dependent on the network environment.

(2) network-based intrusion detection system

Network-based intrusion detection systems are typically dedicated systems that monitor the entire network segment. In most cases, it is installed in the network segment outside the firewall or in the main network segment inside, which inspects all packets flowing on the network for analysis of known attacks or suspicious behavior. Unlike the host-based intrusion detection system, the network segment is monitored so that an effective intrusion detection environment can be provided and the system can be constructed without interruption or impact of existing services regardless of the compatibility of network servers to be protected. However, since all traffic flowing on the network is inspected, the network traffic capacity is greatly affected. Table 1 compares the advantages and disadvantages of host and network-based intrusion detection systems.

Host-based Network-based Advantages  Block console worker attacks.  It provides cost-effective security at low cost, supports large networks, and detects before host attacks. Disadvantages  It is difficult to manage and maintain, and large network support is difficult. It also affects host performance.  Attacks by console workers are not detected.

2. Classification by Intrusion Detection Model

(1) Misuse

The misuse detection model is also known as the signature-based detection model, which defines signatures for signature-specific means of intrusion methods that exploit vulnerabilities in known systems and detects intrusions by comparing traffic accordingly. That's the way.

(2) Anomaly Detection

The anomaly detection model is also known as a profile-based detection model. This method collects and analyzes the behavior of users on the network and detects anomalous behavior by statistical analysis. Table 2 below compares the advantages and disadvantages of misuse detection and anomaly detection.

Misuse detection Anomaly Detection Advantages  Low system resources and high detection probability.  Universal statistical processing methods are available, and the security human resources share is less than the misuse method. Disadvantages  Every time a new hack appears, a new signature needs to be reflected and a security expert is needed to manage the signature.  The weight of system resources is required, and the statistical criteria are set to make the detection results less certain.

In the existing intrusion detection system, signatures need to be updated at every intrusion, and the function to prevent new intrusions or variants in advance is rather weak. In addition, by generating and storing intrusion signatures in anticipation of intrusions in advance, it is necessary to continuously update signatures for each new intrusion, thereby increasing administrative costs. Existing intrusion detection systems can detect attacks in real time. There was no. In addition, since the attack root detection range of the existing network-based intrusion detection system and the host-based intrusion detection system is limited, the security is somewhat low.

In order to overcome this problem, the present invention, unlike the existing intrusion detection system, the network-based Signature Graph Network Intrusion Detection System (SGNIDS) and host-based signature graph intrusion detection system (SGIDA, Signature A hybrid-based intrusion detection system using a signature graph designed by integrating a Graph Intrusion Detection Agent (hereinafter referred to as "SGHIDS (Signature Graph Hybrid Detection System)") is disclosed.

Therefore, the purpose of the present invention, when an attack from the outside, the information of the attack is automatically stored in the log file inside the computer, the contents of the stored file is classified into a signature and stored in the DB, newly incoming attack It is to provide a hybrid-based intrusion detection system using a signature graph, characterized in that by analyzing for, comparing with the signature stored in the DB to analyze whether or not intrusion.

4 shows a general configuration of the intrusion detection system 100 according to the present invention and the information flow between each component.

Intrusion detection system 100 according to the present invention is largely informed in real time about the sensor that can detect the intrusion, that is, the analysis engine 110, the information database 120 storing the intrusion signature, and the intrusion in real time Consists of a response module 130 for intrusion (see Figure 4).

Intrusion detection sensor (analysis engine) of SGHIDS according to the present invention is "DCM" (Data Collection Module, data collection module), "ADGM" (Audit Data Generation Module, audit data generation module), "IDSGM" (Intrusion Detection Signature Generation) Module, Intrusion Detection Signature Generation Module), "ATES" (Algorithm Transforming the Existing Signature), and "SGGM" (Signature Graph Generation Module) Create a signature graph for.

IDSGM generates intrusion signatures for intrusions on networks and hosts. Intrusion signatures generated through IDSGM automatically generate new intrusion signatures or similar ones using ATES and store them in the SGHIDS information database. This not only improves the intrusion detection ability to detect new intrusions compared to existing intrusion detection systems, but also compensates for the disadvantage of having to update signatures every time intrusion by predicting new intrusion signatures and storing them in the SGHIDS information database. . In addition, the security module is enhanced by enabling intrusion response module to monitor, detect and respond to network packets inside the system in real time.

In the present invention, a signature graph that detects illegal access connected to the network and an intrusion-related activity in the system in an abnormal way in the exchange of information using packets on the network, and also uses the audit data and log files to invade The information provided in this section can be added or deleted using the administrative console independently managed by the log server that stores data and log files. Therefore, the added intrusion information can be detected accordingly. The side is strengthened.

As described above, the hybrid-based intrusion detection system (SGHIDS) using the signature graph according to the present invention is an intrusion detection system combining a network-based signature graph intrusion detection system and a host-based signature graph intrusion detection system. The intrusion detection system according to the present invention comprises a sensor (analysis engine) for detecting intrusion, an information database for recording intrusion signatures and log files, and a response module for intrusion (see Fig. 4).

The analysis engine 110 firstly generates audit data to collect and analyze the audit data to determine an intrusion, and secondly, separates the audit data into alert and log events to generate an intrusion signature. Third, based on this generated intrusion signature, create similar type of intrusion or new type of intrusion signature using ATES, and finally, create a signature graph by analyzing the correlation between signatures classified as alert and log event types. give.

The information database 120 having intrusion information is stored in the information database 120 when it is not a legitimate connection such as a network packet, audit data, or system log by directly interworking with the analysis engine 110 that determines whether an intrusion is performed. If it does not match the audit data, it is determined to be an intrusion, and the response module for the intrusion enables the administrator to make a more reliable intrusion detection by alerting the administrator.

When the sensor configuration of the intrusion detection system according to the present invention is described repeatedly, DCM which captures data on the network to generate only audit data, ADGM for generating only audit data for determining intrusion among collected packets, and alert Analyzes the correlation between IDSGM, which separates the database into log events and log events, ATES generates new intrusion signatures or similar types of signatures based on intrusion signatures generated by the signature generation module, and signatures classified by event type. It consists of a PGGM that creates a signature graph. 5 is a flowchart illustrating a process of each module of the present invention, and the representative operation of each module is shown. It describes each module.

Data Collection Module (DCM)

DCM filters the packet using a packet capture library, and the filtered packet undergoes a process of reducing the packet to generate the audit data required by the present invention.

Packet capture

 Packet capture accepts packets sent to them (no matter where they are intended) and checks the contents of the packets. This is also applicable to statistics on network usage, monitoring for security purposes, network debugging, and sniffer. Table 3 illustrates the packet capture algorithm.

 struct pcap {int snapshot; int linktype; int tzoff; int offset; struct pcap_sf sf; struct pcap_md md; / * Read buffer. * / int bufsize; u_char * buffer; u_char * bp; int cc; / * Place holder for pcap_next (). * / u_char * pkt; / * Placeholder for filter code if bpf not in kernel. * / struct bpf_program fcode; char errbuf [PCAP_ERRBUF_SIZE]; } typedef struct pcap pcap_t;

Packet Filter

1) packet filter

To filter the packet, a packet filter rule consisting of source / destination address, source / destination port number, protocol flag, and action (permit or reject) is defined as shown in Table 3 (example of packet filter rule), and the packet filter rule is Defines an access list, which is a sequential set of accesses to allow or deny conditions that apply to ground Internet addresses. The actions in the access list are sequentially determined whether to allow or deny the packet, and are checked sequentially until the access list corresponding to the packet appears or until the last access list is reached.

2) filter rules

Filter rules are used to select which packets to output. If a large amount of packets are collected, only packets that meet the conditional expression are output. A filter rule consists of one or several primitives and the format is shown in Table 4. Table 5 also illustrates the algorithm for the rules of the packet filter.

Rule Number Source Address Source Port Destination Address Destination port Protocol Action One 130.1.20.1 1024 203.239.46.1 80 TCP PASS 2 130.1.20.5 50 203.239.46.1 80 TCP REJECT

 action [direction] [log] [quick] [on interface] [af] [proto protocol] \ [from src_addr [port src_port]] [to dst_addr [prot dst_port]] \ [flag tcp_flags] [state]

3) Packet Filter Operation

Packet filtering rules should only be defined for ports of packet filter devices. Also, when a packet arrives at the port, the packet header is analyzed. The packet filtering apparatus examines only the areas contained in the IP, TCP, and UDP headers. 6 shows a concept of a packet filtering operation, and FIG. 7 shows a flowchart of a packet filtering operation. Packet filter rules are stored in a specific order. Each rule applies to packets in the order in which the packet filter rules are stored.

Audit Data Generation Module (ADGM)

Since the data collected through DCM are not suitable as audit data for detecting an intrusion, the ADGM is used to extract audit data that can determine the intrusion from the collected packets (see FIG. 5). Since the data collected through DCM receives the Ethernet frame as a whole, the ADGM is used to analyze whether it is an IP or ARP packet at the Ethernet layer, and secondly, whether it is ICMP, TCP and UDP at the IP layer. To generate audit data for detecting intrusion, and the generated audit data is stored in the information database 120.

Table 6 shows the data collected through DCM using the unsigned char. An example of an algorithm for handing a packet of a type to a pointer of an Ethernet header and separating the packet for each protocol by passing it to a pointer of an IP header when the packet passed to the pointer of the Ethernet header is an IP protocol.

 void packet_analysis (unsigned char * user, const struct pacap_pkthdr * h, const unsinged char * p) {unsigned int length = h-> len; struct ether_header * ep; unsinged short ether_type; length-= sizeof (struct ether_header); ep = (struct ether_header *) p; p = + = sizeof (struct ether_header)… … if (ip-> protocol == IPPROTO_TCP) {// TCP protocol tcph = (struct tcphdr *) (P + (iph-> ihl * 4) + (tcph-> doff * 4)); tcpdata = (unsigned char *) (p + (iph-> ihl * 4) + (tcph-> doff * 4)); }… … if (ip-> protocol == IPPROTO_UDP) {/// UDP protocol udph = (struct udphdr *) (p + iph-> ihl *); udpdata = (unsigned char *) (p_iph-> ihl * 4) + 8; }… if (ip-> protocol == IPPROTO_ICMP) {/// ICMP protocol icmp = (struct icmp *) ((+ iph-> ihl * 4); icmpdata = (unsigned char *) (p + iph-> ihl * 4) + 8; … }

Intrusion Detection Signature Generation Module (IDSGM)

In order to detect intrusions, the present invention generates a signature for detecting intrusions through IDSGM based on audit data extracted through ADGM.

Intrusion Detection Signature Generation

Audit data extracted through ADGM generates intrusion detection signature using IDSGM to detect intrusion into packets such as TCP, UDP, ICMP. Rules for generating this are aeui.rule, iava.rule, acva.rule, srac.rule, spi.rule, mpi.rule, fpi.rule, ift.rule, and pmp.rule. This is an intrusion detection rule for generating an intrusion detection signature on a host and an intrusion on a network. Table 7 shows the rules for signature generation and examples of typical attacks.

aeui.rule  buffer overflow iava.rule  Command Line Interface (CLI) acva.rule  Attempts to access FTP or TELNET from a host forbidden by the TCPwrapper. srac.rule  CPU resource depletion via UDP flooding spi.rule  Denial of Service mpi.rule  Distriibuted Denial of Service (DDoS) fpi.rule  Fragmented Packet Attack ift.rule  Password file transfer pmp.rule  sniffit intercepts user ID and password

On the other hand, Table 8 shows the structure for TCP data, and Table 9 shows the signature format.

 struct tcp_data {unsigned short s_port; // source port number unsigned short d_port; // destination port number int flat; // TCP flag char content [200]; // data int c_size; // content length of content int p_size; // size of payload char msg [200]; // message}

alert tcp $ EXTERNAL_NET any-> $ HOME_NET 80 (content: "| 90C8 C0FF FFFF | / bin / sh" msg: "IMAP buffer overflow!";)

The signatures in Table 9 are tcp-based packets flowing from all external network ports to internal network port 80, which contain a hexadecimal array such as content: "~" or contain / bin / sh characters. If there is, it shows alert message and logs to var / log / alert. In the present invention, for this purpose, an analysis engine capable of detecting an intrusion and an information database capable of directly comparing the intrusion information can be used.

MP (Master Process)

When audit data is generated to detect an intrusion through the ADGM, a signature is generated. Intrusion on the network can be determined, but intrusion on the host is difficult to determine, so MP is also able to detect intrusion on the host. The MP manages an intrusion determination related database, retrieves the information database 120 and stores intrusion signatures, where data from the AAP (Audit Analysis Process) and ACP (Agent Controlling Process) are gathered. Compared to the above, it enables intrusion detection. 8 shows a flowchart of the MP.

 master_process (audit_data, agent_info) {Signature = agent_controll (agent_info); check_Signature (Signature); Signature = audit_process (audit_data); check_Signature (Signature); } check_Signature (Signature) {if (search_DB (Signature, D_Signature)) {reject (Signature); } else {save_DB (Signature, D_Signature); } return (); }

Table 10 shows the signature table in the SGHIDS information database after receiving signatures from the Audit Analysis Process (AAP) and Agent Controlling Process (ACP), and deletes the detected signature when the signature is found; otherwise, the signature table in the SGHIDS database. MP algorithm designed to store signatures. 9 also shows a processing flow of the MP for detecting an intrusion on the host. Hereinafter, AAP and ACP are explained in full detail.

1) Audit Analysis Process (AAP)

The AAP is a host-based analysis of the audit data generated by the ADGM. By using audit data that records important information and network communication history while operating system, operating system, etc., it is used to generate signatures for intrusion detection system and transmit the generated signatures to MP. . The audit data of the window collected by AAP is composed as shown in Table 11, and after the intrusion scenario is composed based on the collected data, it is changed into signature graph using SGGM and analyzed.

Configure Event Logging Organization  System log, application log, security log Event record type  Date, time, user, computer name, event_identifier, software, type, category Security logging and audit policy  Logon / Logoff, Object Access, Privilege Use, Account Retention Policy Changes, System Events, Handler Tracking

Table 12 illustrates the processing algorithm of AAP. This changes the audit data into a text file, removes unnecessary events and saves them to the Audit_event table in SGHIDS's database. Create an attack scenario using Audit_event.

 audit_process (audit_data) {text_convert (audit_data, text_file); read (text_file_data); while (! EOF (text_file_data)) {if (check_rule (text_file_data)) {save_DB (text_file_data, audit_event); } read (text_file_data); } create_scenario (audit_event, attack_scenario); Signature = Signature_detection (attack_scenario); return (Signature); }

2) Agent Controlling Process (ACP)

The ACP maintains and manages the information database 120 of the present invention by receiving the agent information containing the signature, which serves to maintain the information of the signature of the information database consistently. Table 13 is an algorithm of ACP, and extracts the signature from each information received from the MP and delivers the extracted signature to the MP.

 agent_controll (agent_info) {Signature = search_Signature (agent_info) retrun (Signature); }

Algorithm Transforming the Existing Signature

Table 14 and FIG. 10 show ATES and show algorithms and flowcharts that can automatically generate new intrusion signatures for new types of intrusions based on signatures generated by IDSGM.

 procedure ATES () initialize (Population); evaluate (Population); while not (terminal condition satisfied) do MatingPool = reproduce (Population); MutationPool = crossover (MatingPool); Population = mutation (MutationPool); evaluate (Population); end while end procedure

Based on the intrusion signature stored in the information database through IDSGM, a new signature or variant signature is newly generated using ATES and stored in the information database in the form of a new intrusion signature so that the intrusion detection rate is higher than that of the existing intrusion detection system. Improved. Table 15 shows the process of calculating condition satisfaction for intrusion signature generation. This repeats the process of generating a new signature until the suitability satisfies the desired level for the modified signature generation that is expected to invade in the calculation process as shown in FIG. 10.

f (H): Average goodness of fit of signatures containing schema (i.e. signature) H

f: average goodness of fit of all signatures

pc: Significance signature probability

pm: variant signature probability

FIG. 11 illustrates a process for generating a new intrusion signature for an intrusion signature in an information database through ATES, and FIG. 12 illustrates a modified signature for which intrusion is expected based on an intrusion signature stored in an information database. This is a simplified procedure for creating a new intrusion signature.

For example, I-Worm.Win32.Bagle.AL spread through e-mail and network file sharing programs can be found at the same time, starting with the .AL version. It has similar proliferation methods and multiplications, except for the name change, including the name registered in the registry. For this variant, the present invention stores the intrusion signature for the first intrusion in the information database, and the stored intrusion signature generates the intrusion signature for the similar type or modified intrusion through the ATES and stores the intrusion signature in the information database. Can be prevented in advance, improving security aspects. In addition, since the signature is stored in advance in anticipation of intrusion, the existing intrusion detection system can compensate for the disadvantage of updating the signature each time an intrusion is found.

Signature Graph Generation Module (SGGM)

The signature graph generation module analyzes the correlations of the signatures stored in the information database by IDSGM to determine the intrusion. By using the generated signature graph, it is possible to prevent accidental intrusion. Table 16 shows the structure of the signature graph.

 struct Signature_graph {char p_name [50] // name of Signature graph unsigned short n_id; // node number unsigned short s_port; // source port number char content [200]; // data char msg [200]; // message}

Signature Detection Algorithm

In the intrusion detection system of the present invention, in order to deal with an attack, ASL (Attack Specification Language) is changed to a signature graph, which is a data structure suitable for the present invention, and the signature graph is a tree form of a scenario development process. If there is no event, it becomes the last node of the signature graph. The description of each node in the signature graph is called a message. Table 17 shows the message format.

form <Node ID, timestamp, attribute value> Node ID  Number of each node in the signature graph timestamp  Event occurrence time     Attribute value  Attribute value of the event

Each node's message is stored in the event pool when the node's event is a transmission, and the remaining events are stored in the pass pool. In this process, constraints are generated on each node during the process of changing to the signature graph. In this case, there are static constraints with fixed constant values and dynamic constraints with variable values.

 Signature_detection (attack_scenario) {if (search_DB (attack_scenario) == FALSE) {// Detect if the attack scenario exists in the SGHIDS information database i = 0; // initialize node number while (! EOF) {read (attack_scenario); // read scenario by event create_constrain (node, i); // create constraints on the node message = create_message (node, i); // create a message for the node if event (send) {save (event_pool, message);} // save the message to the event_pool else {save (pass_pool, message);} // save the message to the pass_pool create_graph (Signature, event_pool , pass_pool, i); // create signature graph for node idp i = i + 1;} // increment node number return (Signature); }

Table 18 shows an algorithm for generating a signature graph. To detect a signature, first, an attack scenario is detected when an intrusion is detected, and a signature is detected. Second, an attack scenario is searched for in the information database. In this case, since the intrusion signature already exists in the information database, it is not necessary to generate the signature graph separately. If not, the operation continues. Third, the node number is initialized. Fourth, the attack scenario is read in event units. Fifth, create constraints on nodes for scenarios read in event units. Sixth, when an event is received, a message is stored in an event pool or a pass pool. Seventh, a signature graph is generated for node i, and nodes are incremented by one until the root node constraint is satisfied. If the root node constraint is satisfied, the signature graph is generated.

The above process refers to the signature graph generation flowchart in FIG. 13 showing the steps from the attack scenario to the step of detecting the signature and generating the signature graph. Table 19 shows an example of the algorithm of the attack scenario.

 ATTACK "sample" [a, b, c, d, f, g, h] a {send (c): e1 [$ p = a0;]} b {e2 [$ q = al;] send (c): e3 [a2 == $ p;]} c {e4 [a2 == $ q;]} d {send (g): e5 [$ r = d0;] f {e6 [$ s = dl;] send (g ): e7 [d2 == $ t;]} g {e8 [d2 == $ s;]} s {send (h): e4 [$ g = a2;]} q {e8 [$ s = cl;] send (h): e9 [d2 == $ g;]} h {e10 [] e11 [c9 == $ s;]}

To deal with the attack, the transformation from ASL to a data structure suitable for the present invention is an attack scenario. By connecting the event occurrence sequence of the attack scenario, a signature graph that can detect the signature is generated. The signature graph depicts the scenario development process in a tree form, with no transmission event being the last node in the tree. Each node in the signature graph is considered the root of the subtree of the complete tree signature. Node constraints are assigned to each node in the graph, and if the node constraints are met, it is an event filled with dynamic constraints of the complete subtree. Each time the node's constraints are met, the message is moved one step closer to the root node. Thus, the signature is detected when the event at the root node satisfies the constraint.

The process of generating the signature graph is shown in FIG. 14. First, when nodes a and b are looked at first, event e1 of node a becomes signature node 0 according to each event occurrence time of a and b. Second, the events e2 and e3 of the node b become nodes 1 and 2, respectively. Messages m0, m1 and m2 are generated for each event occurrence, and the generated messages are delivered to node c. Third, if the delivered message is a send event, it is stored in the event pool. Otherwise, it is stored in the pass pool of the information database and transmitted to the next node for processing. Fourth, since there was an event in node c, the next node is checked. As described in the first step, nodes d and f are prioritized after nodes a and b according to the event occurrence time. Event e5 of node d becomes node 4 of the signature graph over time. Fifth, nodes d and f go through a second process and a third process. Sixth, since the event is not generated in the nodes c and g and the graph is not finished, the nodes c and g go through the second process and the third process again. Seventh, since event e10 of node h has no constraint, it compares m3 and m8 in the event pool and processes the next event e11 when the dynamic condition is satisfied. Finally, e11 of node h refers to the event pool and pass pool. When node e11 and dynamic constraints are satisfied, only the last referenced message and the root node's message remain in the event pool. Therefore, the message remaining in the event pool becomes a signature. In the present invention, the reason for classifying a message into an event pool and a pass pool and delivering the message to a next node is to reduce the amount of data to be transmitted and to reduce a transmission time.

15A and 15B exemplarily illustrate step-by-step operations in which the signature of an attack scenario is detected by the signature detection algorithm.

In step 1, as the event <0,0,2> occurs, the event <0,0,2> of node 0 becomes the signature node 0 and the message <0,0,2> is generated. . The message stored in the event pool is m0. Node 0 does not generate a pass pool.

In step 2, as the event <1,1,1> occurs, the event <1,1,1> of the node 1 becomes the signature node 1 and the message <1,1,1> is generated. . The message stored in the event pool is m1. Node 1 does not generate a pass pool.

In step 3, as the event <2,2,2> occurs, the event <2,2,2> of the node 2 becomes the signature node 2, and the message <1,1,1> <2,2,2 Shows how the> is generated. The messages stored in the event pool are m1 and m2. At Node 2, a Pass Pool m1 is generated.

In step 4, as the event <3,3,3> occurs, the event <3,3,3> of the node 3 becomes the signature node 3, and the message <0,0,2> <2,2,2 > <3,3,3> This shows the process of generating <1,1,1>. The message stored in the event pool is m4. Node 3 does not generate a pass pool.

In step 5, as the event <4,4,4> occurs, the event <4,4,4> of the node 4 becomes the signature node 4 and the message <4,4,4> is generated. . The message stored in the event pool is m5. Node 4 does not generate a pass pool.

In step 6, as the event <5,5,5> occurs, the event <5,5,5> of the node 5 becomes the signature node 5 and the message <5,5,5> is generated. . The message stored in the event pool is m5. Node 5 does not generate a pass pool.

In step 7, as the event <6,6,6> occurs, the event <6,6,6> of the node 6 becomes the signature node 6, and the message <5,5,5> <6,6,6 Shows how the> is generated. The messages stored in the event pool are m5 and m6. Node 6 does not generate a pass pool.

In step 8, as the event <7,7,7> occurs, the event <7,7,7> of the node 7 becomes the signature node 7 and the message <4,4,4> <6,6,6 > <7,7,7> <5,5,5> shows the process of generating. The messages stored in the event pool are m4, m6, and m7. At node 7, a pass pool m5 occurs.

In step 9, as the event <3,3,3> occurs, the event <3,3,3> of the node 3 becomes the signature node 3, and the message <0,0,2> <2,2,2 > <3,3,3> <1,1,1> is shown. The messages stored in the event pool are m4, m6, m7, and m8. At Node 3, a Pass Pool m3 occurs.

In step 10, as the event <7,7,7> occurs, the event <7,7,7> of the node 7 becomes the signature node 7 and the message <4,4,4> <6,6,6 > <7,7,7> <5,5,5> shows the process of generating. The messages stored in the event pool are m4, m6, and m7. In node 7, a pass pool m5 occurs.

In step 11, as event <8,8,8> occurs, event <8,8,8> of node 8 becomes signature node 8 and message <4,4,4> <6,6,6> <7,7,7> <8,8,8> shows the process of generating. The messages stored in the event pool are m4, m6, m7, and m8. The node does not generate a pass pool.

In step 12, as event <9,9,9> occurs, event <9,9,9> of node 9 becomes signature node 9, and message <0,0,2> <2,2,2 > <3,3,3> <8,8,8> <9,9,-> <4,4,4> <6,6,6> <7,7,7> . The messages stored in the event pool are m0, m2, m3, m8, and m9. Pass nodes m4, m6, and m7 occur at node 9.

In step 13, as the event <10,10,1> occurs, the event <10,10,1> of the node 10 becomes the signature node 10, and the message <0,0,2> <2,2,2 > <3,3,3> <8,8,8> <9,9,-> <10,10,1> is shown. The messages stored in the event pool are m0, m2, m3, m8, m9, and m10. The node does not generate a pass pool. At this time, the event <10,10,1> of the node 10 refers to the event pool and the pass pool, and when the event <10,10,1> of the node 10 and the dynamic constraint are satisfied, Only messages remain in the event pool, and the messages remaining in the event pool become signatures.

Information database

The information database 120 of the present invention does not coincide with the audit data stored in the information database when it is not a legitimate connection such as a network packet, audit data, or system log by directly interfacing with the analysis engine 110 that determines whether an invasion occurs. If not, it is determined to be an intrusion, and accordingly the response module 130 for the attack by alerting the administrator to enable a more reliable intrusion detection.

16 shows the structure of an information database. The information database of the present invention stores information of Audit_event, D_Signature, Text_file, Attack_scenario, and log_file. The information database firstly changes the audit data into a text file, and secondly, the changed text file is stored in the text_file table of the information database and the contents of the saved text_file are used as event abbreviation data. Third, the abbreviated event is stored in the Audit_Event table of the information database and the attack scenario is created by using the contents of the Audit_Event table. Fourth, the created attack scenario is stored in the Attack_Scenario table. Finally, log records are stored in the information database by the Log_file table. Table 20 is an algorithm for generating an information database, Table 21 is a table format of Text_file, Table 22 is an Attack_Scenario table format, Table 23 is a D_Signature table format, and Table 24 is a Log_file table format.

CREATE DATABASE [database] [CONTROLFILE REUSE] [LOGFILE [GROUP integer] filespec [, [GROUP integer] FILESPEC] ...] [MAXLOGFILES integer] [MAXLOGMEMBERS integer] [MAXLOGHISTORY integer] [MAXDATAFILES integer] [MAXINSTANCES integer] [ARCHIVELOG | NOARCHIVELOG] [CHARACTER SET charset] [NATIONAL CHARACTER SET charset] [DATAFILE filespec [autoextend_clause] [, filespec [autoextend_clause] ...]] filespec: == 'filename' [SIZE integer] [KIM] [REUSE] autoextend_clause: = = [AUTOEXTEND {OFF | ON [NEXT integer [KIM]] [REUSE] [MAXSIZE UNLIMITED_integer [KIM]}]}]

Field Field type Field size Explanation  Event_No int 4  Event sequence occurred  Occurance_Date varchar 30  Occurred  Occurance_Time varchar 30  Time of day  Event_type int 4  Event type  Event_Category int 4  Event category  Event_ID int 4  Event identifier  Event_Source text 16  Event source  User varchar 30  user  Computer varchar 30  Computer name  Strings text 16  Remarks

Field Field type Field size Explanation  Signature_Name text 16  Signature name  Node_ID varchar 30  Node name  Event varchar 30  event  Target_ID int 4  Target node name  Event_ID int 4  Event identifier  Constraint text 16  Constraints

Field Field type Field size Explanation  Signature_No int 4  Signature number  Signature_Name text 16  Signature name  Constraint text 16  Constraints  Arg1 text 16  Factor 1  Arg2 text 16  Factor 2

Field Field type Field size Explanation  Log_file_ID int 10  Log name  Fid char 32  Fid of the corresponding attachment in the File table  Saved_path varchar 255  Path where attachment is stored  FileName varchar 255  File name  State char One  File deletion  Log_time char 14  Log record time

Simulation of the Invention

A signature graph was generated using all packets on the network and 12 attack scenarios of the intrusion detection system according to the present invention. After detecting the signature using the generated signature graph, if it matches the signature of the SGHIDS information database prepared for the experiment, it is regarded as successful intrusion detection, and if the signature detected in the signature graph does not match the signature of the SGHIDS database, the intrusion detection fails. Was considered. In addition, the designed packet filter enables packet capture under TCP, IP, UDP and ICMP environments, and reduces the time to collect and analyze existing packets by performing real-time network, and responds to immediate abnormal intrusion. I could do it. The signature graph also enables user-defined intrusion detection by circumventing internal users. Table 25 shows the simulation environment of the present invention.

division Hardware  Inter Pentium Ⅳ Operating system  Hancom Linux 4.0 Professional Compiler  gcc Editor  vi Detection target  network packet

Network utilization analysis

Figure 17 shows the average delay time of each event when reporting the information detected by the present invention to the server. In other words, it shows the delay of the transport packet according to the change of network utilization, and it can be seen that the delay increases significantly above 0.8.

-Analysis by Event Type

 Table 26 shows the number of events for each data type processed by the packet filtering rule for 24 hours according to the present invention, and FIG. 18 shows the delay according to the types of alert and log events. The delay for each event can be seen to increase with network utilization.

Event Type 24 hours alert 32,448 log 33,127

-Analysis using signature graph

In the present invention, a signature graph is created using the correlation between each event to detect the intrusion. Each event is used to create a signature graph, store it in a database, and use the signature graph to detect intrusions. 19 is a ratio of detecting an intrusion by the network delay rate using the signature graph between each event.

Signature detection of the present invention

Table 27 shows the depth of signatures used in the simulation. In the present invention, the signature was detected using 16 signature graphs for simulation. As shown in Table 27, when the signature graph is generated according to the attack scenario, the number of nodes of the graph can be seen. The depth of the signature used in the experiment means the number of graph nodes when the signature graph is generated using the attack scenario.

Signature depth One 2 3 4 Count 4 2 4 2 Success rate 75% 71% 68% 62% Failure rate 25% 29% 32% 38%

As shown in FIG. 20, the success rate coinciding with the database of the present invention is 75% when the signature depth is 1, 71% when the signature depth is 2, 68% when the signature depth is 3, and 68% when the signature depth is 4 days. 62% of cases. In other words, as the signature depth increases, the intrusion detection success rate decreases, which indicates that the detection rate decreases as more data are processed through multiple nodes.

Although the preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above, and the present invention is not limited to the specific embodiments of the present invention without departing from the spirit of the present invention as claimed in the claims. Anyone skilled in the art can make various modifications, as well as such modifications are within the scope of the claims.

Signature Graph Hybrid Intrusion Detection System (SGHIDS), which is a hybrid-based intrusion detection system using the signature graph of the present invention, firstly, based on an intrusion signature generated by an intrusion detection signature generation module (IDSGM), unlike a conventional intrusion detection system. By using ATES (Algorithm Transforming the Existing Signature), intrusion signatures similar to the modified intrusion signatures are automatically generated and stored in the SGHIDS information database to prevent new intrusions. In other words, I-Worm.Win32.Bagle.AL, which is spread through e-mail and network file sharing programs, has been found in three consecutive versions, starting with the .AL version, which includes names registered in the registry. Except for the changes, .AM, .AN, and .AO all have similar proliferation methods and multiplications, which can be prevented by using ATES based on intrusion signatures that were first discovered and stored in SGHIDS information databases. This not only improves the efficiency of intrusion detection, but also improves security aspects. Second, by creating and storing intrusion signatures in anticipation of intrusions, the disadvantage of having to continuously update signatures for each new intrusion is not only compensated for, but also minimizes administrative costs. Third, the existing intrusion detection system could not detect an attack in real time, so that SGHIDS can simultaneously operate each agent for a large number of logs, events, and network packets. By doing so, security has been improved. Finally, SGHIDS improves security by integrating the limited range of attack root detection range of the existing network-based intrusion detection system and host-based intrusion detection system.

Claims (5)

The intrusion detection system consists of an analysis engine, a sensor that can detect intrusions, an information database storing intrusion signatures, and a response module for intrusions that informs intrusions in real time. The intrusion detection sensor, that is, the analysis engine, "DCM" (Data Collection Module) which captures data on the network and collects audit data, and an audit that can determine intrusion by analyzing the collected audit data. "ADGM" (Audit Data Generation Module) to generate data, and "IDSGM" (Intrusion Detection Signature Generation Module) to generate intrusion signature by separating audit data into alert and log events. Module), "ATES" (Algorithm Transforming the Existing Signature), which generates intrusion detection signatures for significant intrusions or variant intrusions based on the generated intrusion detection signatures, and classified into alert and log event types. "SGGM" (Signature Graph Generation Module, signature graph) that creates a signature graph by analyzing the interrelationships between signatures Generation module) The information database includes means for converting audit data into a text file, a Text_file table for storing the changed text file Text_file to use the contents of this file as event abbreviation data, and storing the abbreviated event using the contents. It includes an Audit_Event table that allows you to create attack scenarios, an Attack_Scenario table that stores the created attack scenarios, and a Log_file table that stores log records. The information database is linked with the analysis engine, and determines that the intrusion if the access event does not match the audit data stored in the information database, using the signature graph, characterized in that to alert the administrator through the response module Hybrid based intrusion detection system. The method of claim 1, wherein the ADGM is The data collected through the DCM means to analyze whether it is an IP or ARP packet in the Ethernet layer, and ICMP, TCP, and UDP in the IP layer, respectively, to generate and generate audit data for detecting an intrusion. A hybrid-based intrusion detection system using a signature graph, comprising means for storing audit data in an information database. The method of claim 1, wherein the IDSGM comprises means for generating an intrusion detection signature using rules for generating intrusion detection on a network and intrusion detection signature on a host, wherein the means comprises: This function analyzes audit data generated through ADGM based on host and creates signature for use in intrusion detection system by using audit data that records important information and network communication history during operation performed in the system. AAP (Audit Analysis Process), Including the ACP (Agent Controlling Process), which serves to maintain the information of the signature of the information database by maintaining and managing the information database by receiving the agent information containing the signature, The signature graph is characterized by retrieving the signature table of the information database after receiving the signature from the AAP and ACP and deleting the detected signature when the signature is retrieved. Otherwise, the signature graph is stored in the signature table of the information database. Hybrid-based intrusion detection system using. The method of claim 1, wherein the ATES Hybrid signature-based intrusion detection system using a signature graph, characterized in that for repeating the process to generate a new signature until the suitability satisfies the desired level for the modified signature generation expected intrusion in the calculation process. The method of claim 1, wherein the SGGM is Means to search for attack scenarios when intrusions are detected and signatures are detected, search for scenarios present in the information database, stop operations if detected, and continue operations otherwise, and initialize the node number. Means for reading attack scenarios in units of events, creating constraints on nodes for scenarios read in units of events, storing messages when an event is received, and signature graphs for nodes i. And means for generating a signature graph by incrementing the nodes one by one until the constraint of the root node is satisfied, and generating a signature graph if the root node's constraints are satisfied.

Images