TW201141155A - Alliance type distributed network intrusion prevention system and method thereof - Google Patents

Abstract

The present invention relates to an alliance type distributed network intrusion prevention system and its method. At least one alliance network is formed by a distributed intrusion prevention system and includes plural subsystems, a central server for controlling the alliance networks and a firewall. Each subsystem includes a decision-making module, intrusion detection software, and an intrusion detection component for collecting suspicious network activity packets, each alliance network has a group code. Each subsystem of the alliance networks has a different ID code, and the group code of the alliance network and the ID code of the decision-making module must be firstly registered to a central management module and recorded in a database. When the central server determines that a decision-making module is legitimate, the decision-making module can connect with the central server to enable the central server to assist information communication and sharing among decision-making modules. When the intrusion detection software detects an attacking event, it will send an alarm to all decision-making modules. The decision-making modules then issue block commands to the firewall and necessary actions are simultaneously taken according to defensive measures defined in the database.

Description

201141155 VI. Description of the invention: [Technical field to which the invention pertains] The present invention relates to a decentralized network intrusion prevention method of an alliance type, which is focused on designing a wire and a defense alliance system in a distributed silk system. A technology that achieves low-cost, high-security, and high-efficiency network intrusion prevention. [Prior Art] As the popularity and importance of the Internet continue to increase, due to the popularity of the Internet, the number of guests has increased, the number of vulnerabilities has grown rapidly, and the tools of automatic attack programs have become more common. Make the "general enterprise #" or the individual fine (four) of the scales are all concerned that their computer systems have been ruthlessly attacked and destroyed by hackers, so the information security and intrusion prevention response measures have gradually been subject to research and consumption. Our focus on construction - a comprehensive network security system, must be configured with a variety of different functions and performance of the anti-"device, such as the construction of a firewall non-toxic dump. However, for SMEs, in order to maintain the security of the network, it must cost a lot. In addition, all kinds of network security devices are currently bribes, and the lps are all operated by themselves. Therefore, under the attack of advanced hackers, there is no network security at all. For example, the Zhonghuaguan Patent No. 1 "Network Queen System", and the whole system inspection and processing - issued by the user - the user wants the person to be targeted - (10) capital (four) Tongqi, the scale safety The system comprises: a counter system 'inspection board group, the check module receives the user request and checks the user request 疋 no #合-职安全条件 to generate-check result; and a transfer system 3 201141155 system, The transfer button receives the check result of the check, wherein when the check does not require the user to comply with the vertical security bar (4), the miscellaneous Wei_ uses the same format to transfer to the _ department's system, when the check The New Fruit Appreciator wants Lin Furen to fix the safety strip ' _ _ _ _ user request transfer to view (10), the system, the counter system is based on the intended response method according to the user request - shouting, and The axis should be the content and the brief information pure _ the user request - The results of shouting and there -

Another type of patent, such as the Republic of China Patent No. 12 with the "Web Server" patent, can provide - the connection through the network - the web server - the web page and a map access and execution The network dragon service device includes: - an open area processing model storage for 1 state web page _ access, in the job mode _ can not perform the private 'and the limited area of the service group, the system must pass - identity After the identification, and the connection end needs to store the serial number of the first legal connection, you can access the web page and the slot and execute the program. According to the connection, the website repair message is turned over and the message is 'discarded' - the illegal connection. Then, for example, the Patent (1) of the Republic of China Patent Notice No. 40 "Embedded Intrusion Detection System" is gambling on the website security. The protected website can be provided by remote users and workers. Or service, its towel is exposed to the communication protocol definition ^ "the first - agreement" 'the system includes: at least - the ship computer, used to provide a platform for remote users to source or service; at least - monitor the computer, connect the servo Computer for monitoring the operation of the server computer; characterized in that the system further comprises: a secret state collection module, which is stored in the server computer or the monitoring computer, and includes: a • collection form for use in the ship 201141155 The work of collecting monitoring data on the computer; b. The transmitting unit transmits the monitoring data collected by the collecting unit to the monitoring system according to the “first-agreement”; and the monitoring module is stored in the monitoring computer, including: 3. The analysis unit, the ribs and the _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Reading, and b• control unit, for controlling the system-like structure of the above-mentioned system, although having a certain degree of network reliance and anti-virus effect, only such a custom-made test object is a di-buted prevention system. DIPS), therefore, it is impossible to use the alliance type system to achieve alliance formation _ mutual assistance cooperation, information sharing, lion protection network security 2 effect, so that the valley breaks the hacker's breakthrough, and thus can not reach the expected network Road safety protection effect. In addition, if there is any closure of the recording body, in general, the system will not be updated immediately. At this time, people who are interested in making a scanner for the new vulnerability will find out which ones are on the network. The system has not been updated, and the new vulnerabilities have been infiltrated. Therefore, these custom structures cannot find out the new attack and attack methods and Z recorded in the body library for subsequent observation and processing. Because of the fact that it is easy for the minded person to shoulder the shoulders, and to destroy the computer software first, in view of this, the conventional structure does have the necessity of further improvement. [Invention] The main purpose of this book is to provide a decentralized network intrusion prevention system of the 観 型 type to achieve the _ alliance member's _ mutual assistance cooperation and the status of the sub- At the same time, in the decentralized system, the system design and configuration can be provided in a step-by-step manner, because of the network security computer that reduces the cost of the hardware device and reduces the regional network to the Internet 201141155. The system is threatened by the destruction of the network, has a synergistic defense alliance mechanism, high security, and can greatly reduce the number of attacks on the object. In order to achieve the above-mentioned effects, the technology of this confession (four), Bao Tong's control of the ten-central feeding device of the alliance network and an anti-intrusion detection component, each of the burial of the ally has - a group code, each of the system scales has a -_ code, the group code in the female side road and the identification of the decision core group are first recorded in the management pool of the towel - In the database, ♦ The central value n 舣 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ When the person is testing the software detection_attack event, it will transmit a warning to all the decision-making modules, and the decision-making module will issue a blocking command to the firewall, and according to the database, the defense defined by t Take measures to take the relevant actors. [Embodiment] 壹· The technical concept of the present invention is shown in the first to fourth and sixth figures. The present invention mainly constructs a comprehensive network security protection system focusing on the concept of distributed system design. The new product that has not appeared on the market, the present invention combines various system capabilities to achieve the purpose of resisting intrusion attacks, and promotes the security of the entire network environment through a distributed system architecture. In the case of known intrusion attacks, the intrusion detection function of the network intrusion detection system (NIDS) can help the system to resist [S3 201141155 not attack 4 ' and attack the unknown person. In part, you can use the legal probability of a certain amount of stable network data to find out the network packets different from normal traffic, and then record them in the database' and provide a year-round efficient network. Road safety system, and the monthly b large reduction in the cost of constructing a safe network environment, the actual design proves that the road safety protection system can be lying in the actual brewing environment to solve the hacker invasion. The resulting computer system is disrupted and troubled.实施 · 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本 本And connecting to form at least one federated network (11), the basic embodiment of the present invention includes a plurality of subsystems (20) (IPS), a central control network (π) of the central server Root (10) And a firewall (24), each of the subsystems (2) (ips) including a decision module Reaper (21), an intrusion detection software (22), and a collection of suspicious network activity seals Intrusion detection component (23), each alliance network (11) has a group code, as shown in GP1-0~GP2 in the seventh figure, each subsystem in the alliance network (π) (2〇) (off) each has an identification code 'and the group code in the alliance network (11) and the identification code of the decision module Reaper (21) must first be registered with the central server machine (10) and Recorded in a database (27) 'When the central word server R〇〇t (10) determines that the decision-making module knows that hitting (21) is legal, the decision mode Reaper (21) can be connected to the central server R0〇t (i〇), so that the central server Root (10) can assist the communication and sharing of information between the decision modules Reaper (2i). When the intrusion detection software (22) detects an attack event, it transmits a 201141155 s report to all decision makers Reaper (21), and the decision module Reaper (21) issues a command to block the firewall ( 24), and take relevant actions based on the defensive measures defined in the database (27). 2. 2 Central Server Root Please refer to the first, third and seventh to ninth diagrams. The present invention puts the concept of distributed system architecture and group into the design idea together, and the central servo Root(10) is the central manager of a group, which records which decision-making module Reaper(21) Lu is legal. The legal decision-making module Reaper(2i) can be sent to the central server R〇〇t (1). 〇) Request to connect. The central server R〇〇t (10) itself has a more important task, which plays the role of information sharing and communication between the decision modules Reaper (21). In this large analog network, it is divided into A, B, C three network areas, as shown in the seventh figure, the central server Root (l〇) governs the alliance network (1)) Gr〇upID (group code) is fat, and it is brought by itself Some IDs (numbers) are 〇. In this network (11;), there are four subsystems IPS (20) decision-making module Reaper (21) can be connected with the central server R〇〇t 〇〇), requesting information sharing and Communication, because they have the same (^〇1 old 1)), but the premise of achieving these things is that the information about these decision-making modules Reaper (21) must be already in advance to the central server Root (l 〇) Register and record in the database (27) (Database). 2. 3 Intrusion Detection Software See the first, second, and eighth and ninth diagrams. The specific embodiment of the above-mentioned intrusion detection software (10) can be _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Detection software (22) SN0RT, the intrusion detection software SNORT has a large number of attack patterns, and detects and compares the existing malicious behavior and penetration intrusion on the alliance network (11) by 8 201141155. Side soft gamma (4), _ material ((4) ut piugins) to send a warning to rely on her aper (21), and the suspicious network activity packet collected by the invader_ component (23) is carried out by the central servo ride t (10) Analysis to generate new rules and join the intrusion price test software (22) to detect new attack techniques. On the other hand, the 'decision module Reaper®' finds the traffic on the federation network (11) monitored by the intrusion detection component (10), and the paste-conditional legal probability calculation finds the belonging # M(S_ci0us Packets After the package is properly analyzed, it is stored in the database (27). In the above specific embodiment, the intrusion detection software NIDS (22) is a set of network open raw materials (_ s_e) whose mosquito position is "w single light (ca (4) (four) " intrusion price measurement software (lang swollen T' can be light green in Peng. In the secret structure, it exists for two purposes, as shown in the eighth and ninth figures. First: the intrusion of debt testing software (4) itself has a large number of attack templates (Pattern ), it can be used to detect and compare some malicious _ subscriptions and intrusion intrusions already on the network, so when the intrusion detection software NIDS (22) detects an attack, the person who can be rewritten by this spoof The intrusion side (four) plug-in (output-plugins) sends a warning Wlert) to the decision module Reaper (21) on the system. When the decision module Reaper (2i) receives this warning (Alert), it will be based on the database. (27) The defensive measures defined in it (Criteri〇n), take action. Second: the intrusion detection software NIDS (22) itself can use the rules (Rules) to detect the contents of the network packet, and can make The system administrator manually adds and modifies the actions of deleting rules, etc. The invention can be transmitted through the intrusion detection component (23) Scent and can be analyzed by the system administrator to generate new rules and join the intrusion detection software 1VIDS (22) 'can be attacked by the attack method Detecting the comparison. 2.2.4 Intrusion detection component scent 〇月 See the first, seventh to ninth diagram, the intrusion detection component (23) Scent is constructed on FreeBSD, the system is 'developed by its own c++ network The road packet monitoring component ^ (10), in the role of the meaning of the "human intrusion _ component (Nove (10) must listen to all packet traffic on the network, the program must overcome the possibility of not missing any packets in the performance, etc. Calling a π fully independent thread (Thread), and can be combined with a dynamically allocated queue (Queue) to overcome the possibility of missing the package. 2. 5 decision module Reaper / please refer to the -, four As shown in Figures 7 to 9, the decision module r 犷 犷 (8) is a sub-system, and the core component of the charge (20)' thus can directly invade the software (10) without relying on the information provided by the central servo Kay (10) (10). Cooperation shouting - independent operation System IPS (20). And the above-mentioned anti-collection measures can issue a blocking command φ, in the decision module (8). Fire 1 (24: simultaneously send an e-mail to the central feeding device for this payment (10). Architecturally, the core part of the decision-making module Reaper (21) system plays the role of the decision maker of all event-related behaviors. When the decision-making model 叩 er (5) receives the warning issued by the intrusion detection software NIDS (22) (Alert) , will immediately check the database (2)) defined (4) Royal measures (Criteri〇n), the following orders to the firewall (24) (FireWall), send Weizi mail (four) system administrators. Another important task in the design decision-making module Reaper (21) is to use the intrusion detection component (23) Scent to monitor all the packet traffic, _〃 conditional probability rate 201141155 The algorithm is to find out that the packets on the network are Suspicious Packets, and after proper analysis and processing, they are stored in the database (π). In terms of configuration, the decision module [{〇〇江(21 ) itself can exist independently (such as GP2-1 in the seventh picture), without relying on the information provided by the central server Root (1〇), such as Blacklist, can only be used with the intrusion detection software nids (22) In the case of cooperation, establish an independent IPS (such as the GPH of the seventh® towel). Of course, the decision module Reaper (2i) can also set the intrusion detection soft surface DS (22), only through the + and the central servo _〇t〇〇) Call for information sharing to defend (through other people's learning and notification). 2·6 Firewall eye See the first figure, the invention firewall (24) ipfw (ip FIRE WALL) It is a firewall (24) application software initiated by FreeBSD. This firewall (24) should The software is controlled by the decision group Reaper (21), which uses traditional stateless rules and rule writing methods to achieve the desired goals of simple state logic. The internals are composed of seven components. The first is the firewall (24). Filter rule processor (kernel firewaU futer

_ rule processor) 'and its integrated packet counting function, 1〇g record function, and MT function phase, combined with the divert rule' and advanced special purpose function control flow control function, 'fwd rule, turn Features, bridge function (bridge faciuty), and ipstealth functionality. Firewall (24) Firewall control (such as the addition or removal of rules) is unified by the decision module Reaper ( 21). 2. The specific implementation of the 7 subsystem IPS deployment, as shown in the fifth figure, the first embodiment of the present invention lps (10) is deployed in the network backbone between the computer device (10) and the firewall (24) On the firewall 201141155 (24), the junction-route n(10) is connected to the Internet (10), so that the computer device end = 0) is connected with the scale (10), and (10) all the outward and inward networks on the Peng. In the flow, the lone 1'' is analyzed and recorded via the decision module Reaper(2). For the second embodiment of the subsystem ips (10) of the present invention, please refer to the switch (25) on the network between the wireless private 5 (30) and the firewall (24). 'The switch (10) is connected to the subsystem lps (10)), and the fire step (10) is connected to the Internet (10) via a router (26), so that the computer (10) can be connected to the Internet (10). Then, the subsystem ips(10) monitors all outgoing, inward and inbound traffic on the network through a mirror (Mirror), and then analyzes and records through the decision module (2). The hybrid can also pass through the switch (9). Perform the action of closing R;_45璋. Relatively the design and flow of the system is much more complicated than the above. The aggregated material of the alliance is based on the decentralized people and the county riding _ scheme is the second type. In the framework of the decentralized protection system of the alliance, the middle decision module _er(8) will be part of the switch (10). Communicate between, so the architecture_map will add the part of the switch (25). In this case, the decentralized invaders and protective masks are all about how to cooperate with each other in the face of cyber attacks. Taking the type of attack as our starting point, it will be divided into two parts, namely, external attack (〇utside Attad〇 and Inside Attack). As shown in the eighth and ninth figures, there are two different ones. The network (9) is the same as the GP2, so the network environment consisting of the same group in the system distribution is a network of alliances (1 i) A11 i ed Network. 201141155 See Figure 8 The so-called external attack is from the outside of the Alliance network (ll) Allied Network (〇ut of Allied Netw〇rk), not the _ monitored network. The internal attack is the attacker from Amed's internal: external attack In the case of 'the first aunt' attack from the Internet, the target is the computer device (3G) at the top right of the figure (ie, the victim vietim), assuming that the HardwareFirewall located on this trunk does not block its attack source 1? As shown in path 1, the NIDS deployed in this network segment finds this suspicious activity event, and the intrusion detection software Soft It NID S (2 2 ) will compare the network packet according to the monitored network packet. thing The set signature rule (SignatureRules), at this time if the packet itself really has an attack feature, 'will send a UDPAlert packet to Reaper, as shown in path 2. * When the decision module Reaper (21) Ben New to this mine Ert, will go to the series first _ _ shirt belongs to its own management (I domain within the clear, can Xiaoming Gang found that the answer is the pattern, then the decision-making nuclear group Reaper (21) will immediately transfer the police sAlert information The associated central server Root (10), as shown in path 3. When the central server R〇〇t (1〇) receives this a (four) #, it will go to the registry (Register Entry) to find this source attack. Whether ιρ has a regional network managed by any decision-making module Reaper (21) that has been registered, can be clearly found by the wolf, and the central feeding device R〇〇t (1〇) The AW's poor news will be sent to the decision-making module Reaper (21) in the alliance network through the broadcast (actually achieved by unicast), as shown in path 4. When the decision module Reaper (21) received When the Alert broadcast from the central server Root (lO) is broadcast, the rule will be added to the firewall (24) Firewall. 'Requires to block the source from attacking the ip address and protect the security of the entire network. Please refer to the figure in the ninth figure. First, the Internet of the Internet 201141155 (12) Intranet issued a false source ip attack. As shown in path 1, the destination end is the computer device end (30) (ie, the victim terminal Victim), such attacks such as DDoS, ARP Spoofing, and the like. Since the subsystem IPS (2〇) in the lower right corner is not equipped with the intrusion detection software NIDS (22), it cannot be reacted in the first time. At this time, the detection software in the upper right subsystem Ips (2〇) The NIDS (22) detected the attack and reported it to the decision module Reaper (21), the same way as UDP Alert, as shown in path 2. At the same time, the decision module Reaper (21) will find out that this is a "multiple attack from the fake source. The table module ReaPer (21) will first send an SNMP query to the switch (25), asking Each port (Port) in the unit __ transport network packet traffic weaving, can be clearly found / there are different circumstances. The decision module Reaper (21) will send a through the central server R0〇 t(l〇) requires the decision-making module of the whole to call (2)) to check whether there is an abnormality in the flow, as shown in path 3. The central servo Kai (10) (10) receives this poor news and requires all inspections, such as the path. 4^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (10) Qin r (2i) to determine the 砰 _ _ (10) intranet connected (RI_45 p〇rt). The monitoring screen of the central feeding device R〇〇t (10) is shown in Annex 1, and the decision module (8) monitoring The face is shown in Figure 2 of Annex I. The above monitoring face is to assist the manager. Solve the system state of Root Feeder Root(10). If there are any programs and error events in the system, you can find out the message on the secret surface. If you want to query these messages afterwards, you can also use the output. To achieve this, in addition, whether the system currently has any transmission (7) or receiving (8) network packet action and currently 201141155

In the case where the thread is used in the ThreadPool, the information displayed on the screen can be easily managed online or after the event. The direction of detection can be divided into two categories, namely Misuse Detection and Anomaly Detec1 (i〇n). In our system, the NIDS (Snort) used is the misuse side (Misuse Detecti〇n), which features high detection capability, low false alarm (False p〇sitive), and the largest The disadvantage is that there is nothing to do with the emerging attack methods. There is no detectable/definite rate of 6 children. Therefore, in order to compensate for the lack of misuse detection, many systems also use anomaly detection (Anomaiy). Detecti〇n) to enhance the detection capabilities of new attack techniques. The disadvantage is that it requires a clean environment for training (through Statistics or Artificial Neural Network). Measurement. The system architecture of the present invention also employs two types of intrusion detection, Misuse Detection and Anomaly Detection, to improve the overall system call detection capability. In the Misuse Detection section, through the help of the intrusion detection software NIDS (22), Alert is sent to our decision module Reaper (21), and then filtered and analyzed 'Anomaly detection (Anomaly The Detection section is achieved through a conditional probability algorithm. Referring to the operation of the specific implementation of the present invention, reference is made to the first and seventh figures. The present invention can be cut into two large components for explanation. The subsystem (20) (IPS) of the distributed intrusion prevention system (DI p S ) above the split line is the decision module Reaper (21). The other part is the control one. Union [s], 15 201141155 Allied network (ll) (Allied network) central server Ro〇t (10). The llXAllied network refers to the range of networks to be protected. Each federation network (11) will be represented by a GroupID (group code), and the children in the alliance network (丨丨) The system IPS (20) will be assigned to a π). In principle, a central server R〇〇t(10) can simultaneously accept the connection requirements of the twenty decision-making modules Reaper (21) at the same time point, and assist the decision-making module Reaper (2l) to carry out information. The communication and sharing, so the decentralized intrusion prevention system of the alliance type is designed with decentralized ideas and hierarchical control methods. The invention contains five components (Root, NIDS, Reaper, Scent, Firewall) instructions. There are two alliance networks in the picture, which are (3) 丨 and 卬? . In the Gpi Alliance network, there are R〇〇t and four IPS' numbers respectively, i, 2, 3, 4 are represented by GP Bu 0, GP Bu 1, ... GPH.肆· The effectiveness of the experimental example of the present invention and the decentralized intrusion prevention system verified as a test alliance type for intrusion prevention is _he' This invention uses the standard for evaluating intrusion detection systems _Α 2〇〇〇 and generally common Test tools to perform experimental simulations. 4.1 Test Tools fcestok (_ Ethereal) n Network packet analysis software and is a set of open source (0penSource) software. The function of the network packet analysis software is to cover the network packet and display the most detailed network packet data as much as possible. The function of the network packet analysis software can be used to measure the current, light, and resistance of an electrician's electricity meter—just replace the scene with the _ road and the wire. The program can be downloaded from 201141155 http://www.wireshark.org/, the iibcap library must be installed on the Linux platform and the Winpcap library must be installed on the Windows platform.

The full name of Nmap is Network Mapper, developed by Fyodor Vaskovich.

An open source (OpenSource) software that allows system administrators to see which host on the network system and what service (Service) is running on its host. It is also widely used as a scanning tool for the hacker group. Various protocols such as UDP, TCP ConnectO, TCP SYN, ftp proxy (bounce attack), Reverse-ident, ICMP (ping), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null are also provided - Some useful functions such as: detecting the type of operating system through TCP/IP, secret scanning, dynamic delay and retransmission, parallel scanning, detecting subordinate hosts through parallel PING, spoofing scanning, 埠 filtering detection, direct RPC scanning, distributed scanning, flexible target selection and awkward description. It has a powerful scanning function and is therefore called the king of scanners. The program and related teaching files can be downloaded from http://www.insecure.org/. TFN2K is abbreviated as "Tribal Flood Network 2K", and this program is actually recklessly updating an original program TFN. TFN2K is used by German hacker Mixter to issue d〇s attacks against FTP or HTTP servers that exist on the network. The original TFN2K code has been released to public network systems for direct use on Unix* Linux systems. Tfn2k is best designed for hackers to confuse detection tools such as Sinffer and prevent fake source-side IP addresses from being falsified by source IP addresses. For trunk filtering (ex : Firewali) used on network systems, TFN2K can use the fake packets to indicate that they are from the same domain and enter the network for destruction. These attacks can also cause flood attacks (Fl〇〇dingAttack), causing system crashes by sending a large number of malicious or invalid packets to the destination of 17 201141155. Sponsored by the US Department of Defense Advanced Research Projects Agency (DARPAIT0) and the US Air Force Research Laboratory (AFRL/SNHS) by the Massachusetts Institute of Technology Lincoln Laboratory (MIT Lincoln)

Laboratory's IST (Information Systems Technology Group) collects and publishes the first standard to assess network intrusion detection system (丨DS) detection capabilities. These evaluation criteria exist to test the intrusion detection system's probability of detection and the probability of false alarm. DARAP 2000 currently has two sets of test databases, as follows: (l) LLDOS 1.0 - Scenario One: In this database, 'containing multiple network segments and connection tracking records, divided into five time segments (Phase The records are for the attacker to try to find out which hosts and services are available on the network system, and then through the vulnerability of the service itself (s〇laris sadmind) to infiltrate the intrusion 'and then get the system administrator root After the privilege, the Trojan, the final stage of the DDoS attack. • (2) LLD0S 1.0 - Scenario Two: This database is divided into five time segments in the same way as the Scenario One, but there are many more Stealth attacks in the attack. 4. 2 Experimental data As shown in Table 4 in Annex 2, the main reason for using DARPA 2000 is to test the detection capability of the intrusion detection software NIDSC22 on this database, and the decision module Reaper (21), Firewall (24) Firewall cooperation is satisfactory, the following is the experimental results. 201141155 In the attack process, divided into five time segments for a complete DD〇s attack, first observe the figure 'the first time zone is Sweep, the purpose is to search for those hosts on the network segment. Open the 'determine the network address, the second time zone is pr〇be, the purpose is to find out that the services on the host are open to the outside, first make a record action, the second time zone is Breaking Infiltrate the intrusion through the service that has just been opened, the fourth time zone is installing, the DD〇s attack software is installed, and the fifth time zone is to start the DDoS attack. In the eighth figure, in addition to indicating different time segments, the attack techniques and the number of attacks used in different time segments are also marked. In Table 1 t of Annex 2, it can be found that although the intrusion detection software is still not very bright in overall detection performance, there are enough resources for decision making module Reaper in Phase 2 and Phase 3. 21) To make an appropriate response, so during the entire attack, the decision module Reaper (21) can find an abnormal situation in phase 2 to avoid subsequent events. In the Phase 5 towel, if the attack occurs in the control group Reaper (8) controlled by the _ road section, the towel can be bribed and handed over (four) (25) to find the source of the attack ''s own for a v, and If it is outside the Network, the decision module ReaPer (21) can not block the action, marked as a χ. In Table 1 of Annex 2, we can find that although the intrusion detection software NIDS (22) is in the overall detection performance Not very party eyes, but there is enough information in phase 2 and phase 3 for the decision module Reaper (21) to respond appropriately, so the decision module Reaper (21) can be in the phase during the entire attack. 2 I found an abnormal situation and avoided subsequent events. In Phase 5, if the attack occurred in the network segment controlled by the relying group Reaper(2), it can be found through the exchange and exchange 1(25)_ Attack 201141155 Source, marked as a v, and if it can not block ====, · 4.3 Common attack test road I_X NlDaP and TM2 Κ mainly (four) test tools, Wei-k comparison network data is correct. As shown in Table 2 of Annex 2, the corpse j indicates the position of Ke from the _ 臓 (22) field. ...attacks have gamma force, v means side ability and X is no, suspicion (four) fine_shirts and force, sound test force, and X is no. map knowledge, first the first used parameter For -sx, that is Xmas's sweeping field: It can be found that Na has a very good detection rate in the performance of this project. However, in the 2 to 4 scans, the parameters are _sS, _sU and In the case of , the results were disappointing. On the contrary, in the case of the attack of K, the time when the hours were divided into c 5, -C 4 and -c 6 had satisfactory results. In the case of _ falsification of the source (10) address, 'If it is within the same network segment', you can block the action (v), if it is an external attack, block (X) ) . . . 4 ' 4 conditional legal probability for common attack test in this range t, - use Nmap and TF belly as the main test tool, with Wireshark to compare the correctness of the network data. For example, the attached table 1NJI31G49, Yang Calling ^ for a time week _ the collection depends on the package, in the touch part (χ coordinates), the minimum is 〇, the most The value is the Threshold mnNN ratio we just defined in the conditional probability. Then the interval is divided into 100 equal parts. If the conditional probability of the package [S1 20 201141155 falls into the last interval, we will It will be regarded as a suspicious packet. In the database (27), the number of packets is counted in the ordinate (Y coordinate): It is found that in the normal (N_l) network activity, there are about _ packets. Into the last interval, this represents the number of FalsePQsitive conditions for the legal probability. In the case of (4) two tables 2 to 4, the distribution is represented by the addition of _TCP Probe, UDP Probe or ICMP Probe, and network activity in addition to the normal network packet. In Annex 3, Tables 5 to 7 are shown to add tf legs in addition to normal network packets.

The result of TCP DDoS, UDP DDoS, or ICMP DDoS network activity. It is known from Table 3 of Annex II that it is for different projects to record the side as the case

Positive (false positive rate) and False Negative (false negative rate). Conditional legal probability In the normal network traffic, False p〇sitive (false positive rate) is about 2.5 (10) and under Nmap's Probe scan, False p〇sitive and Ν Ν Ν ^ (false negative rate) respectively Tests that fall below 1% and below 3%, under 1? 1 (1) 1) 〇 3 attacks,

False Positive and False Negative are respectively below about 1% and below 3%. • Wu. Conclusion Through the construction of the above technical features, the present invention does have the following characteristics: 1. The invention can achieve mutual cooperation and cooperation between the members of the alliance through the alliance type mechanism. Decentralized system architecture can further provide flexibility in system configuration and configuration. 'Because it has the cost of reducing hardware, reducing the network area to the Internet, and has a synergistic anti-lion alliance mechanism, high security. And high-efficiency network security protection, which can greatly reduce the damage caused by hacking attacks on the computer system. 21 201141155 . In order to reduce the cost of the placement of the 4th, the present invention replaces the hard-won-protection system with a free software-based intrusion prevention system, and operates in an operation system free of f

On FreeBSD, thereby reducing the cost requirements. This month's month adopts a sui-style architecture design (10). In view of the fact that the current hardware devices on the market are all independent operations, there is no cooperation between them. Therefore, the present invention designs a decentralized architecture that makes IPS Information can be communicated and exchanged.

4. The present invention can reduce the threat of the regional network to the Internet. No matter which type of attack method is used, if it is a machine-passing inspection of the side-by-side, the secret must be located within the f-solid area network, if It can be constructed in some sections - (10) system, inside and outside the system and the task of the system is to detect whether there is suspicious activity on the network in the first - time _ discovery _ monitoring and immediately protect against external threats. Into the inside / through the above-mentioned B-point decentralized architecture, to achieve the effect of the domain defense. °, Uesaki is only one of the possible embodiments of the present invention, and is not intended to limit the scope of the present invention, and the ___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _. The invention is not found in the soil of the object, and is not found in the product, and has the secret and the raw: ^ pay 5 rounds and 0 turns. The New Zealand has the domain request, and the rider touches the patent according to law to maintain the applicant. Legal rights. X 予专 [Simple diagram of the diagram] The diagram is a schematic diagram of the architecture of the decentralized intrusion prevention system of the alliance type of the present invention = Figure 4 (4) Schematic diagram of the intrusion of the person. The third figure is a schematic diagram of the system architecture of the central controller of the present invention. ί S] 22 201141155 The fourth picture is a schematic diagram of the Reapem bribe of the present micro-practical group. The fifth picture is a schematic diagram of the first-in-one deployment structure of the Nissin System. The sixth figure is a schematic diagram of the second deployment architecture of the subsystem of the present invention. The seventh figure is a schematic diagram of the operational simulation network of the present invention. The eighth figure is a schematic diagram of the external attack of the simulated network of the present invention. The ninth figure is a schematic diagram of the internal attack of the simulated network of the present invention.

Attachment 1 · Figure 1 is the monitoring screen of the monitoring screen of the central server Root. Figure 2 is the decision module Reaper Annex II Table 1 is the LLDOS u experimental results; Table 2 is the common attack experiment results; Table 3 is the conditional legal probability 戦 attack test wire; Table 4 hunger should be the attack flow schematic table. Annex 3: Table shows the results of the distribution of network packets collected in a time period; Table 2 shows the distribution results of the network packets collected by TCP Probe. Table 3 shows the network collected by adding UDP Probe. The road packet distribution shows the results; Table 4 shows the results of the network packet distribution collected by the ICMP Probe; Table 5 shows the results of the network packet distribution collected by adding the TFN2K TCP DDoS Attack; 2KUDPDD〇s her network collected packet distribution results; Table 7 is the result of the network packet distribution collected by TFN2K ICMpp DD()S Attack. [Main component symbol description] (1) Central server (11) Alliance network (12) Internet (20) subsystem [S], 23 201141155 (21) Decision module (22) Intrusion detection software ( 23) Intrusion Detection Component (24) Firewall (25) Switch (26) Router (27) Database (30) Computer Device Terminal [Si 24

Claims (1)

201141155 VII. The scope of application for patents: 1. - The decentralized scale intrusion prevention of the kind of alliance cranes is _ decentralized intrusion prevention system (DIPS) to form at least one alliance network, which includes multiple subsystems (ips) A central server (R〇〇t) and a firewall that control the network of the alliance, each of the subsystems (IPS) including a decision-making module (Reaper), an intrusion detection software, and a collection of suspicious Intrusion measurement component of the network activity packet, each of the alliance networks has a group code 'the alliance network_each-the secret (IPS) each has an identification code, and the #联盟 network The group code and the identification code of the decision module (Reaper) must first be registered in the middle 2 management group (_) in the - Newcu, and the central server (Root) determines the paper (10) eaper When it is legal, the decision-making _ _ 贞彳 can be connected to the central server gamma (4) 'to enable the central 値雑 (10)) to assist the decision-making module (Reaper) When the intrusion detection software _ to the attack event, a warning will be sent to all the decision makers) Decision Module (Reaper) Miscellaneous speech commands to the hybrid firewall, and take relevant action _ called on defensive measures, as defined in accordance with the material _ ¥ library among. 2. The decentralized network intrusion prevention system of the alliance type described in claim 1, wherein the intrusion detection software is an intrusion side of the network open source code (〇pen s〇urce) The software s_, the invading software τ has a large number of attack patterns to check for the malicious behavior and infiltration of the existing network on the alliance network, when the intrusion software detects the attack event, Then use a plugin (〇utput_plugins) to send the warning to the Reaper, and the suspicious network activity packet that is hacked by the _ component is _ the central ship (this (8) analyzes to generate new The rules are added to [SJ 25 201141155 the intrusion detection software to detect the new attack methods. 3. The decentralized network intrusion prevention system as described in claim 1 When the decision module (Reaper) issues a blocking command to the firewall, it sends an email to the central server (Root). 4. The distributed network intrusion prevention system of the alliance type described in claim 1 Wherein, the decision module (Reaper) uses the intrusion detection All packet traffic on the federation network monitored by the measuring component uses a conditional legal probability algorithm to find packets that are suspicious (Suspici〇us # Packets), and after appropriate analysis processing, is stored in the database. 5. The distributed network intrusion prevention system of the alliance type described in claim 1, wherein the decision module (Reaper) does not depend on the information provided by the central server (R00t), but can directly The intrusion detection software cooperates to establish an independently operating subsystem 1-8. 6. The decentralized network intrusion prevention system of the alliance type described in claim 1, wherein the intrusion detection component is in FreeBSD The network packet listening component Scent 'developed in C++ on the system is used to listen to all packet traffic on the federation network, and is a completely independent Thread Thread ' combined with a dynamically allocated queue (Queue) 7. The decentralized network intrusion prevention system of the alliance type described in claim 1, wherein the firewall is a firewall application software initiated by FreeBSD, and the firewall application software is The decision module (Reaper) is controlled. 8. The decentralized network intrusion prevention system of the alliance type described in claim 1, wherein the subsystem IPS is deployed between a computer device and the firewall. The firewall connects to a router and communicates with an Internet signal, so that the computer device can be connected to the Internet to monitor all outgoing 'inbound network traffic on the network. s] 26 201141155 Analysis and recording through the decision module (Reaper). 9. The decentralized network person, the secret of the alliance county described in claim 1, further comprising: a switch deployed on the computer device side and the firewall, the switch is connected to the subsystem IPS signal The firewall is connected to an internet signal via a router to enable the computer device to connect with the fine network, and to use the subsystem to perform all external, inbound and inbound traffic on the network. It is monitored by mirroring (Mirr〇r) and analyzed and recorded by the decision module (Reaper). • 1Q, a method of decentralized network intrusion prevention, which comprises the following steps: providing a decentralized network intrusion prevention system of the alliance type as described in claim 1; The group code is provided with the identification code in each of the subsystems; and the second time: the scale code and the service material are directed to the towel (10). (8) Recorded in the library after registration, so that the decision module (ReaPer) can request the connection to the central device (Root) to connect the information to facilitate the communication between the decision modules (Reaper). And sharing, Lu II recognizes the domain gamma to the attack event, the person invading the software will send a warning ^ ^ A on all of the decision module (ReaPer), the decision module (Reaper) received. At 3 °, the action is taken according to the defensive measures defined in the database. m 27