TW201141155A - Alliance type distributed network intrusion prevention system and method thereof - Google Patents

Info

Publication number: TW201141155A
Authority: TW (Taiwan)
Prior art keywords: network, alliance, reaper, decision, firewall
Application number: TW99115571A
Other languages: Chinese (zh)
Inventors: Rui-Mao Chen, Guo-Da Xie, Zun-Mu Wang
Original assignee: Nat Univ Chin Yi Technology

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The present invention relates to an alliance type distributed network intrusion prevention system and its method. At least one alliance network is formed by a distributed intrusion prevention system and includes plural subsystems, a central server for controlling the alliance network, and a firewall. Each subsystem includes a decision-making module, intrusion detection software, and an intrusion detection component for collecting suspicious network activity packets; each alliance network has a group code, and each subsystem within it has a different ID code. The group code of the alliance network and the ID code of the decision-making module must first be registered with a central management module and recorded in a database. When the central server determines that a decision-making module is legitimate, the decision-making module can connect to the central server, which then assists the communication and sharing of information among decision-making modules. When the intrusion detection software detects an attack event, it sends an alarm to all decision-making modules; the decision-making modules then issue block commands to the firewall, and the necessary actions are simultaneously taken according to the defensive measures defined in the database.

Description

VI. Description of the invention

[Technical field to which the invention pertains]

The present invention relates to an alliance-type distributed network intrusion prevention system and its method. It focuses on a distributed-system design concept and on designing a cooperative defence alliance system, so as to achieve low-cost, high-security and high-efficiency network intrusion prevention.

[Prior art]

As the penetration and importance of the Internet keep rising, the growing number of attackers, the rapidly increasing number of vulnerabilities and the packaging of automated attack programs into tools have made ordinary enterprises and individual users alike worry that their computer systems will be attacked and damaged. Information security and intrusion prevention measures have therefore gradually attracted the attention of research institutions and the consuming public.

To build a comprehensive network security system, protective equipment of various functions and performance levels must be deployed, such as firewalls and anti-virus systems. For small and medium enterprises, however, maintaining network security in this way costs a great deal. Moreover, the network security devices in use today (firewall, IDS and IPS) each operate on their own, so that under attack by a determined attacker with advanced tools there is little real network security to speak of.

Among the related prior patents, a Republic of China patent titled "Network security system" discloses a network security system that inspects and handles a user request issued by a user, the request being directed at an internal information system. The network security system comprises: a countermeasure system; an inspection module, which receives the user request and checks whether it satisfies a predetermined security condition so as to produce an inspection result; and a relay system, which receives the inspection result from the inspection module, wherein when the inspection result shows that the user request satisfies the predetermined security condition, the relay system forwards the user request in the same format to the internal information system, and when the inspection result shows that the user request does not satisfy the predetermined security condition, the relay system forwards the user request to the countermeasure system, which provides a response content in a predetermined response manner according to the user request, and that response content, compared with the response the internal information system would have made to the user request, has

Another prior patent, a Republic of China patent titled "Web server device", provides a connection end with access over a network to a web page and an image on the web server device and with execution of a program. The web server device comprises: an open-area processing module, which provides access to static web pages and images and in which the program cannot be executed; and a restricted-area processing module, which requires identity authentication, and the connection end must hold a connection verification code issued at its first legitimate connection before it may access the web page and the image and execute the program; otherwise the restricted-area processing module sends the connection end a website-maintenance message or a page-redirection message and treats it as an illegal connection end.

A further prior patent, a Republic of China patent publication titled "Embedded intrusion detection system", is used for website security. The protected website may be accessed by remote users over a network for the resources or services it provides, and the communication protocol that connects them is defined as the "first protocol". The system includes: at least one server computer, providing a platform for the resources or services offered to remote users; and at least one monitoring computer, connected to the server computer, for monitoring the operating state of the server computer. It is characterised in that the system further includes a system-state collection module, stored in the server computer or the monitoring computer, comprising a. a collection unit, which collects monitoring data on the server computer, and b. a transmission unit, which transmits the monitoring data collected by the collection unit to the monitoring module in accordance with the "first protocol"; and a monitoring module, stored in the monitoring computer, comprising a. an analysis unit, which analyses and classifies the monitoring data collected by the system-state collection module on the server computer, and b. a control unit, which controls the execution of the system-state collection module.

Although these conventional structures do offer a certain degree of network protection and anti-virus effect, none of them is a distributed intrusion prevention system (DIPS). They therefore cannot use an alliance-type mechanism to achieve mutual cooperation and information sharing among alliance members for stronger network security, so an attacker can break through each of them individually and the expected protection is not achieved. Furthermore, when a vulnerability in a software product becomes known after release, systems are generally not updated at once; an attacker can then build a scanner for the new vulnerability, find the systems on the network that have not yet been updated, and penetrate them. The conventional structures have no way to use the concept of conditional legitimacy probability to identify such new attack methods and record them in a database for later observation and handling, so they are readily compromised over the network and computer software is extensively damaged. In view of this, the conventional structures are indeed in need of improvement.

[Summary of the invention]

The main purpose of the present invention is to provide an alliance-type distributed network intrusion prevention system which, through an alliance-type mechanism, achieves mutual cooperation and information sharing among alliance members, while the distributed system architecture further provides flexibility in system design and deployment. Its advantages include lower hardware cost, a reduced threat from the Internet to local area networks, a cooperative defence alliance mechanism, and high security and efficiency, so that it can greatly reduce the damage done to computer systems by attackers.

To achieve these effects, the technical means of the present invention comprise at least one alliance network formed by a distributed intrusion prevention system, which includes plural subsystems, a central server that controls the alliance network, and a firewall. Each subsystem includes a decision module, intrusion detection software, and an intrusion detection component for collecting suspicious network activity packets. Each alliance network has a group code, and each subsystem within it has a different identification code; the group code of the alliance network and the identification code of the decision module must first be registered with the central management module and recorded in a database. When the central server determines that a decision module is legitimate, that decision module may connect to the central server, which then assists the communication and sharing of information among the decision modules. When the intrusion detection software detects an attack event, it sends an alert to all decision modules; each decision module then issues a block command to the firewall and at the same time takes the related actions according to the defensive measures defined in the database.

[Embodiments]

1. Technical concept of the invention

Referring to Figures 1 to 4 and 6, the present invention constructs a comprehensive network security protection system built on the design concept of distributed systems, a new product not yet on the market. It combines various system capabilities to resist intrusion attacks and, through a distributed alliance-type system architecture, raises the security of the whole network environment. Against known intrusion attacks, the intrusion detection function of a network intrusion detection system (NIDS) helps the system resist them; against unknown intrusion attacks, conditional legitimacy probability, trained on a sufficiently stable volume of network data, can pick out network packets that differ from normal traffic and record them in the database. The result is an efficient network security system that operates all year round and greatly lowers the cost of building a secure network environment. Experiments have confirmed that the network security protection system designed by the invention can be applied in real operating environments to address the damage and disruption that intrusions cause to computer systems.

2. Embodiments of the invention

2.1 Basic embodiment

Referring to Figures 1 and 7 to 9, the basic embodiment is a distributed intrusion prevention system (DIPS) whose elements are linked to form at least one alliance network (11). It includes plural subsystems (20) (IPS), a central server Root (10) controlling the alliance network (11), and a firewall (24). Each subsystem (20) (IPS) includes a decision module Reaper (21), intrusion detection software (22), and an intrusion detection component (23) for collecting suspicious network activity packets. Each alliance network (11) has a group code, as shown by GP1-0 to GP2 in Figure 7, and each subsystem (20) (IPS) within an alliance network (11) has its own identification code. The group code of the alliance network (11) and the identification code of the decision module Reaper (21) must first be registered with the central server Root (10) and recorded in a database (27). When Root (10) determines that a Reaper (21) is legitimate, that Reaper (21) may connect to Root (10), so that Root (10) can assist the communication and sharing of information among the Reapers (21). When the intrusion detection software (22) detects an attack event, it sends an alert to all Reapers (21); each Reaper (21) then issues a block command to the firewall (24) and takes the related actions according to the defensive measures defined in the database (27).

2.2 Central server Root

Referring to Figures 1, 3 and 7 to 9, the invention brings the concept of a distributed system architecture and the concept of a Group together in one design. The central server Root (10) is the central manager of a group: it records which decision modules Reaper (21) are legitimate, and a legitimate Reaper (21) may request a connection to Root (10). Root (10) also has a more important task, namely the role of sharing and relaying information among the Reapers (21). The large simulated network is divided into three network areas A, B and C, as shown in Figure 7; the alliance network (11) governed by Root (10) has GroupID (group code) GP1, and Root itself carries ID (number) 0. Within this alliance network (11) the Reapers (21) of four subsystems IPS (20) can connect to Root (10) and request information sharing and communication, because they carry the same GroupID. The precondition for all of this is that the relevant information of these Reapers (21) has been registered with Root (10) beforehand and recorded in the database (27) (Database).

2.3 Intrusion detection software

Referring to Figures 1, 2, 8 and 9, a specific embodiment of the intrusion detection software (22) is the open-source network intrusion detection software SNORT. SNORT holds a large number of attack patterns with which it detects and matches known malicious behaviour and penetration attempts on the alliance network (11). When the intrusion detection software (22) detects an attack event, it sends an alert to the decision module Reaper (21) through its output plugins, while the suspicious network activity packets collected by the intrusion detection component (23) are analysed by the central server Root (10) to produce new rules, which are added to the intrusion detection software (22) so that new attack methods can also be detected. In addition, the decision module Reaper (21) applies a conditional legitimacy probability algorithm to all packet traffic on the alliance network (11) observed by the intrusion detection component (23), identifies the packets that are suspicious (Suspicious Packets), and after suitable analysis stores them in the database (27).

In this embodiment the intrusion detection software NIDS (22) is SNORT, an open-source (Open Source) intrusion detection software that describes itself as "lightweight" and is readily obtainable on the Internet. It serves two purposes in this architecture, as shown in Figures 8 and 9. First, NIDS (22) itself contains a large number of attack patterns (Pattern) for detecting and matching known malicious behaviour and penetration attempts on the network; when NIDS (22) detects an attack event, it sends an alert (Alert) to the decision module Reaper (21) on the system through the output plugins (Output-plugins) that the invention has rewritten. When Reaper (21) receives this Alert, it acts according to the defensive measure (Criterion) defined in the database (27). Second, NIDS (22) can use rules (Rules) to inspect and match the contents of network packets, and the system administrator can manually add, modify and delete rules. The invention can therefore take the suspicious network activity packets collected by the intrusion detection component (23) Scent, have the system administrator analyse them to produce new rules, and add those rules to NIDS (22), so that new attack methods can be detected and matched.

2.4 Intrusion detection component Scent

Referring to Figures 1 and 7 to 9, the intrusion detection component (23) Scent is a network packet capture component developed in C++ by the inventors and built on the FreeBSD system. In its role the intrusion detection component (23) must observe all packet traffic on the network, so the program must overcome the performance problem of not being allowed to miss any packet. It therefore runs as a fully independent thread (Thread) and is combined with a dynamically allocated queue (Queue) to avoid dropped packets.

2.5 Decision module Reaper

Referring to Figures 1, 4 and 7 to 9, the decision module Reaper (21) is the core component of the subsystem (20); it can cooperate directly with the intrusion detection software (22), without relying on information supplied by the central server Root (10), to form an independently operating subsystem IPS (20). The defensive measures may include Reaper (21) issuing a block command to the firewall (24) and at the same time sending an e-mail to the central server Root (10).

In the system architecture, the core of the decision module Reaper (21) plays the role of decision maker for the actions that correspond to every event. When Reaper (21) receives an alert (Alert) from the intrusion detection software NIDS (22), it immediately consults the defensive measures (Criterion) defined in the database (27), such as issuing a block command to the firewall (24) (FireWall) or sending an e-mail to the system administrator. By design Reaper (21) also has another important task: it applies the "conditional legitimacy probability algorithm" to all packet traffic observed by the intrusion detection component (23) Scent to find out which active packets on the network are suspicious (Suspicious Packets) and, after suitable analysis, stores them in the database (27).

In terms of deployment, Reaper (21) can exist on its own (such as GP2-1 in Figure 7), without relying on information supplied by Root (10) such as a blacklist (Blacklist); cooperating only with the intrusion detection software NIDS (22), it forms an independently running IPS (such as GP1-4 in Figure 7). Reaper (21) may also be deployed without the intrusion detection software NIDS (22) and defend purely through the information shared with Root (10), that is, through what others have learned and reported.

2.6 Firewall

Referring to Figure 1, the firewall (24) ipfw (IP FIREWALL) is a firewall application originating from FreeBSD, and it is controlled by the decision module Reaper (21). It uses traditional stateless rules and rule-writing conventions to achieve what simple stateful logic is expected to achieve. ipfw is internally composed of seven components: the kernel firewall filter rule processor with its integrated packet accounting function; the logging function; the divert rule, combined with the NAT function; and the advanced special-purpose functions, namely the traffic control function, the fwd rule forwarding function, the bridge facility and the ipstealth function. Control of the firewall (24) (Firewall), such as adding or removing rules (Rules), is performed centrally by Reaper (21).

2.7 Specific deployments of the subsystem IPS

Referring to Figure 5, in a first specific embodiment the subsystem IPS (20) is deployed on the network backbone between the computer equipment (30) and the firewall (24); the firewall (24) is connected through a router (26) to the Internet (12), so that the computer equipment (30) can reach the Internet (12). The subsystem IPS (20) observes all outbound and inbound network traffic, which the decision module Reaper (21) then analyses and records.

Referring to Figure 6, a second specific embodiment of the subsystem IPS (20) further includes a switch (25) on the network between the computer equipment (30) and the firewall (24). The switch (25) is in signal communication with the subsystem IPS (20), and the firewall (24) is connected through a router (26) to the Internet (12), so that the computer equipment (30) can reach the Internet (12). The subsystem IPS (20) observes all outbound, inbound and internal traffic on the network through port mirroring (Mirror), the decision module Reaper (21) analyses and records it, and the switch (25) can in addition be used to shut down an RJ-45 port. The design and workflow of this system are considerably more complex than the first scheme. The alliance-type distributed intrusion prevention system adopts this second scheme; in its architecture diagram the decision module Reaper (21) in the middle must be able to communicate with the switch (25), so the diagram includes the switch (25).

How the alliance-type distributed intrusion prevention system cooperates against network attacks is explained below in two parts, according to the type of attack: outside attacks (Outside Attack) and inside attacks (Inside Attack).

As shown in Figures 8 and 9, there are two different alliance networks (11), GP1 and GP2; the network environment made up of the systems that share one group is an allied network (11) (Allied Network).

Referring to Figure 8, an outside attack is one whose attacker comes from outside the allied network (11) (Out of Allied Network), that is, not from the alliance network that is being monitored; an inside attack is one whose attacker comes from inside the allied network. In the outside-attack case, an attack first arrives from the Internet aimed at the computer equipment (30) at the upper right of the figure (the victim, Victim); it is assumed that the hardware firewall (Hardware Firewall) on this backbone has not blocked the attack source IP, as in path 1. The NIDS deployed in this network segment notices the suspicious activity: the intrusion detection software NIDS (22) compares the observed network packets against the signature rules (Signature Rules) configured in advance by the system administrator, and if a packet really carries an attack signature it sends a UDP Alert packet to Reaper, as in path 2. When the decision module Reaper (21) receives the Alert, it first checks whether the source belongs to the network area it manages; clearly it does not, so Reaper (21) immediately forwards the Alert to its central server Root (10), as in path 3. When Root (10) receives the Alert, it searches its registry (Register Entry) to see whether the attack source IP belongs to any local network managed by a connected, registered Reaper (21); clearly it does not, so Root (10) broadcasts the Alert (implemented as unicast) to the Reapers (21) within the alliance network, as in path 4. When the Reapers (21) receive the Alert broadcast from Root (10), each adds a rule to its firewall (24) (Firewall) requiring the attack source IP address to be blocked, protecting the whole alliance network.

Referring to Figure 9, an attack with a forged source IP is first launched from the Intranet (12) at the lower right of the figure, as in path 1, aimed at the computer equipment (30) (the victim, Victim); attacks of this kind include DDoS and ARP Spoofing. Because the subsystem IPS (20) at the lower right is not equipped with the intrusion detection software NIDS (22), it cannot react at once; the NIDS (22) inside the subsystem IPS (20) at the upper right detects the attack and reports it to its decision module Reaper (21), again by UDP Alert, as in path 2. At the same time, Reaper (21) finds on analysis that this is a "multiple attack with forged sources", so Reaper (21) first sends an SNMP query to the switch (25) asking for the volume of network packets transmitted by each port (Port) per unit of time, and can clearly see that nothing abnormal has occurred there. Reaper (21) then sends, through the central server Root (10), a request that all decision modules Reaper (21) check whether their traffic shows anything abnormal, as in path 3. Root (10) receives the request and asks all of them to check, as in path 4. The Reapers (21) that receive this request each examine the switch (25) of their own area and fully check the transmitted packet volumes, as in path 5, after which the responsible Reaper (21) decides whether to shut down the RJ-45 port connected to that Intranet.

The monitoring screen of the central server Root (10) is shown in Figure 1 of Annex 1, and that of the decision module Reaper (21) in Figure 2 of Annex 1. These monitoring screens help the administrator understand the system state of Root (10), such as which processes are running and which error events have occurred, which can be read from the messages shown on screen; if these messages need to be looked up afterwards, the written log file serves that purpose. Whether the system is currently transmitting (TX) or receiving (RX) network packets, how the threads in the ThreadPool are being used, and so on, can likewise be read from the messages on screen, which makes both online management and after-the-fact queries convenient.

Intrusion detection can broadly be divided into two classes: misuse detection (Misuse Detection) and anomaly detection (Anomaly Detection). The NIDS used in our system (Snort) belongs to misuse detection, whose characteristics are a high detection capability and a low false positive (False Positive) rate; its greatest weakness is that it is powerless against newly emerging attack methods, for which its detection rate is essentially zero. To make up for this shortcoming of misuse detection, many systems also adopt anomaly detection to strengthen the detection of new attack methods; its drawback is that it needs a clean environment for training (by statistics (Statistics) or an artificial neural network (Artificial Neural Network)) before it can detect anything.

The system architecture of the present invention likewise combines the two kinds of intrusion detection, misuse detection and anomaly detection, to raise the detection capability of the whole system. The misuse-detection part is carried out with the help of the intrusion detection software NIDS (22), which sends Alerts to our decision module Reaper (21) for filtering and analysis; the anomaly-detection part is achieved through the conditional legitimacy probability algorithm.

3. Operation of the specific implementation

Referring to Figures 1 and 7, the invention can be described as two large components. Above the dividing line is the subsystem (20) (IPS) of the alliance-type distributed intrusion prevention system (DIPS), whose core is the decision module Reaper (21); the other part is the central server Root (10), which controls one alliance network (11) (Allied network). The alliance network (11) (Allied network) is the range of network to be protected; each alliance network (11) is represented by a GroupID (group code), and each subsystem IPS (20) within it is assigned an ID. In principle one central server Root (10) can accept connection requests from twenty decision module Reaper (21) systems at the same time and assist the Reapers (21) in communicating and sharing information; the alliance-type distributed intrusion prevention system is thus designed on a distributed idea with hierarchical control.

The invention comprises five components (Root, NIDS, Reaper, Scent, Firewall). The figure shows two alliance networks, GP1 and GP2. The GP1 alliance network contains Root and four IPS, numbered 0, 1, 2, 3 and 4 and denoted GP1-0, GP1-1, ... GP1-4.

4. Experimental examples and verification

To test the effectiveness of the alliance-type distributed intrusion prevention system for intrusion prevention, the invention used the DARPA 2000 standard for evaluating intrusion detection systems together with commonly used test tools to carry out experimental simulations.

4.1 Test tools

Wireshark (formerly Ethereal) is network packet analysis software and is open-source (Open Source) software. The function of network packet analysis software is to capture network packets and display the packet data in as much detail as possible. Its function can be likened to the electrician's meter used to measure current, voltage and resistance, with the scene moved onto the network and the wires replaced by network cables. The program can be downloaded from http://www.wireshark.org/; on Linux the libpcap library must be installed first, and on Windows the WinPcap library.
In our system, the NIDS (Snort) used is the misuse side (Misuse Detecti〇n), which features high detection capability, low false alarm (False p〇sitive), and the largest The disadvantage is that there is nothing to do with the emerging attack methods. There is no detectable/definite rate of 6 children. Therefore, in order to compensate for the lack of misuse detection, many systems also use anomaly detection (Anomaiy). Detecti〇n) to enhance the detection capabilities of new attack techniques. The disadvantage is that it requires a clean environment for training (through Statistics or Artificial Neural Network). Measurement. The system architecture of the present invention also employs two types of intrusion detection, Misuse Detection and Anomaly Detection, to improve the overall system call detection capability. In the Misuse Detection section, through the help of the intrusion detection software NIDS (22), Alert is sent to our decision module Reaper (21), and then filtered and analyzed 'Anomaly detection (Anomaly The Detection section is achieved through a conditional probability algorithm. Referring to the operation of the specific implementation of the present invention, reference is made to the first and seventh figures. The present invention can be cut into two large components for explanation. The subsystem (20) (IPS) of the distributed intrusion prevention system (DI p S ) above the split line is the decision module Reaper (21). The other part is the control one. Union [s], 15 201141155 Allied network (ll) (Allied network) central server Ro〇t (10). The llXAllied network refers to the range of networks to be protected. Each federation network (11) will be represented by a GroupID (group code), and the children in the alliance network (丨丨) The system IPS (20) will be assigned to a π). 
In principle, a central server R〇〇t(10) can simultaneously accept the connection requirements of the twenty decision-making modules Reaper (21) at the same time point, and assist the decision-making module Reaper (2l) to carry out information. The communication and sharing, so the decentralized intrusion prevention system of the alliance type is designed with decentralized ideas and hierarchical control methods. The invention contains five components (Root, NIDS, Reaper, Scent, Firewall) instructions. There are two alliance networks in the picture, which are (3) 丨 and 卬? . In the Gpi Alliance network, there are R〇〇t and four IPS' numbers respectively, i, 2, 3, 4 are represented by GP Bu 0, GP Bu 1, ... GPH.肆· The effectiveness of the experimental example of the present invention and the decentralized intrusion prevention system verified as a test alliance type for intrusion prevention is _he' This invention uses the standard for evaluating intrusion detection systems _Α 2〇〇〇 and generally common Test tools to perform experimental simulations. 4.1 Test Tools fcestok (_ Ethereal) n Network packet analysis software and is a set of open source (0penSource) software. The function of the network packet analysis software is to cover the network packet and display the most detailed network packet data as much as possible. The function of the network packet analysis software can be used to measure the current, light, and resistance of an electrician's electricity meter—just replace the scene with the _ road and the wire. The program can be downloaded from 201141155 http://www.wireshark.org/, the iibcap library must be installed on the Linux platform and the Winpcap library must be installed on the Windows platform.
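The registration and alert flow described above (Root registry of group code and ID, Reaper checking its own domain, Root dispatching the block to every registered Reaper, and the per-port switch check for the spoofed-source case), as an added example that is not the patent's own code. The alert fields, the RFC 5737 address ranges, the ipfw rule syntax, the port-counter threshold and the handling of a source that belongs to another registered Reaper are all assumptions made for the example; the twenty-Reaper limit is the figure the page gives.

```python
"""Added example (not the patent's code): a stand-alone simulation of the
alliance alert flow.  Root keeps the registry of (group code, ID, managed
range) for each Reaper; the external path is alert -> Reaper -> Root ->
every registered Reaper -> firewall rule; the internal path inspects
per-port switch counters to pick the port to shut down."""
import ipaddress
from statistics import median


class Alert:
    """A constructed NIDS alert (the patent only says it is a UDP packet)."""
    def __init__(self, src, dst, signature):
        self.src, self.dst, self.signature = src, dst, signature


class Reaper:
    def __init__(self, group, ident, managed_cidr):
        self.group, self.ident = group, ident
        self.managed = ipaddress.ip_network(managed_cidr)   # assumed: one range per Reaper
        self.rules = []

    def node(self):
        return f"{self.group}-{self.ident}"            # e.g. GP1-1, as in the figures

    def is_local(self, ip):
        return ipaddress.ip_address(ip) in self.managed

    def block(self, ip):
        # Assumed firewall syntax: a FreeBSD ipfw deny rule for the source.
        rule = f"ipfw add deny ip from {ip} to any"
        if rule not in self.rules:                   # repeated alerts add one rule only
            self.rules.append(rule)
        return rule


class Root:
    MAX_REAPERS = 20   # the page says Root serves twenty Reapers at once

    def __init__(self):
        self.registry = {}

    def register(self, reaper):
        if len(self.registry) >= self.MAX_REAPERS:
            raise RuntimeError("Root connection limit reached")
        self.registry[(reaper.group, reaper.ident)] = reaper

    def is_legitimate(self, group, ident):
        return (group, ident) in self.registry

    def owner_of(self, ip):
        """Registry lookup: which registered Reaper manages this source IP."""
        return next((r for r in self.registry.values() if r.is_local(ip)), None)

    def broadcast_block(self, alert):
        # "Broadcast" to all registered Reapers; the page notes it is really unicast.
        return {r.node(): r.block(alert.src) for r in self.registry.values()}


def handle_alert(reaper, root, alert):
    """Paths 2 to 4 of Figure 8.  Returns {node: rule} for every Reaper that
    added a firewall rule."""
    if not root.is_legitimate(reaper.group, reaper.ident):
        raise PermissionError(f"{reaper.node()} is not registered with Root")
    if reaper.is_local(alert.src):
        return {reaper.node(): reaper.block(alert.src)}   # own domain: handle alone
    owner = root.owner_of(alert.src)                       # path 3: escalate to Root
    if owner is None:                                      # outside every allied network
        return root.broadcast_block(alert)                 # path 4: alliance-wide block
    return {owner.node(): owner.block(alert.src)}          # assumed: owning Reaper handles it


def find_anomalous_ports(port_octets, ratio=5.0):
    """Figure 9: given per-port byte counters for one interval (what SNMP
    ifInOctets deltas would provide), return the ports sending more than
    `ratio` times the median; the ratio is an assumed threshold."""
    base = median(port_octets.values()) or 1
    return sorted(p for p, n in port_octets.items() if n > ratio * base)


if __name__ == "__main__":
    root = Root()
    gp1_1 = Reaper("GP1", 1, "192.0.2.0/24")
    gp1_2 = Reaper("GP1", 2, "198.51.100.0/24")
    root.register(gp1_1)
    root.register(gp1_2)
    # Constructed alert from an Internet host against the victim in GP1-1.
    print(handle_alert(gp1_1, root, Alert("203.0.113.9", "192.0.2.30", "NMAP XMAS")))
    # Constructed counters: port 7 carries a spoofed-source flood.
    print(find_anomalous_ports({1: 1200, 2: 900, 3: 1100, 7: 480000, 8: 1000}))
```

Two details worth keeping when turning this into a real Reaper: the registry check runs before any alert is acted on, so an unregistered node cannot trigger alliance-wide blocks, and a repeated alert for the same source is idempotent, so a flood of alerts does not flood the firewall rule set.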

Nmap, whose full name is Network Mapper, is open source (Open Source) software developed by Fyodor Vaskovich. It lets system administrators see which hosts are on a network and which services (Service) those hosts run, and it is also widely used by hackers as a scanning tool. It supports scans over many protocols, such as UDP, TCP Connect(), TCP SYN, ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep and Null, and also offers practical features such as detecting the operating system type through TCP/IP, stealth scanning, dynamic delay and retransmission, parallel scanning, detecting live hosts with parallel pings, decoy scanning, port filter probing, direct RPC scanning, distributed scanning, flexible target selection and port descriptions. Its powerful scanning functions have earned it the title "king of scanners"; the program and related tutorials can be downloaded from http://www.insecure.org/.

TFN2K is short for "Tribal Flood Network 2K"; the program is in fact an update of the original program TFN. TFN2K was written by the German hacker Mixter to launch DoS attacks against FTP or HTTP servers on the network. Its source code has been released publicly and can be used directly on Unix and Linux systems. The design feature of TFN2K most useful to an attacker is that it confuses probing tools such as sniffers by forging the source IP address, which prevents the real source IP address from being identified. Against the trunk filtering used on a network (for example a firewall), TFN2K can use forged packets that appear to come from the same domain to get into the network and do damage. These attacks can also cause flooding attacks (Flooding Attack): sending a large number of malicious or invalid packets to the destination paralyzes the system.

DARPA 2000 is an evaluation standard for the detection capability of network intrusion detection systems (IDS), sponsored by the US Defense Advanced Research Projects Agency (DARPA ITO) and the US Air Force Research Laboratory (AFRL/SNHS) and collected and published by the Information Systems Technology Group (IST) of MIT Lincoln Laboratory. Such evaluation standards exist to test the probability of detection and the probability of false alarm of each intrusion detection system. DARPA 2000 currently has two sets of test data, as follows:

(1) LLDOS 1.0 - Scenario One: this data set contains multiple network segments and connection tracking records, divided into five time phases (Phase): the attacker first tries to find which hosts and services are open on the network system, then penetrates through a vulnerability in the service itself (Solaris sadmind), obtains system administrator (root) privileges, installs a Trojan horse (Trojan), and in the final phase launches a DDoS attack.

(2) LLDOS 1.0 - Scenario Two: like Scenario One this data set is divided into five time phases, but the attack uses many more stealth (Stealth) techniques.

4.2 Experimental data

As shown in Annex 2, Table 4, the main reason for using DARPA 2000 is to test the detection capability shown by the intrusion detection software NIDS (22) on this data set, and whether its cooperation with the decision module Reaper (21) and the firewall (24) (Firewall) is satisfactory. The experimental results follow.

A complete DDoS attack is divided into five time phases. The first phase is Sweep, whose purpose is to search the network segment for live hosts and determine their network addresses. The second phase is Probe, whose purpose is to find which services on those hosts are open to the outside and record them. The third phase is Breaking, penetrating through the services just found to be open. The fourth phase is Installing, installing the DDoS attack software. The fifth phase is the start of the DDoS attack itself. Besides marking the different time phases, the table also marks the attack techniques used and the number of attacks in each phase.

From Annex 2, Table 1, it can be seen that although the overall detection performance of the intrusion detection software NIDS (22) is not outstanding, in Phase 2 and Phase 3 there is already enough information for the decision module Reaper (21) to react appropriately, so over the whole attack Reaper (21) can discover the abnormal situation in Phase 2 and prevent the subsequent events. In Phase 5, if the attack takes place in a network segment controlled by the decision module Reaper (21), the attack source can be found through communication with the switch (25), marked V; if it comes from outside the Allied Network, Reaper (21) cannot block it, marked X.

4.3 Common attack tests

Nmap and TFN2K are the main test tools, with Wireshark used to verify the correctness of the network data. In Annex 2, Table 2, the column for the intrusion detection software NIDS (22) shows whether the attack can be detected, V for yes and X for no, and the column for the decision module Reaper (21) shows whether it can be blocked, V for yes and X for no.

For the Nmap scans, the first parameter used is -sX, the Xmas scan, and Snort shows a very good detection rate on this item. For scans 2 to 4, with parameters -sS, -sU and a third scan option, the results are disappointing. In the TFN2K DDoS attacks, on the other hand, with parameters -c 5, -c 4 and -c 6 (the SYN, UDP and ICMP flood commands respectively), the results are more satisfactory. Likewise, when facing a forged source IP address Reaper can block and avoid the attack (V) if the source is in the same network segment, but cannot block it (X) if it is an external attack.

4.4 Conditional legal probability in the common attack tests

Here Nmap and TFN2K are again the main test tools, with Wireshark used to verify the correctness of the network data. Annex 3, Table 1 shows the distribution of the network packets collected during one time period. On the horizontal axis (X) the minimum is 0 and the maximum is the threshold (Threshold) just defined for the conditional legal probability; this interval is divided into 100 equal parts, and if a packet's conditional legal probability falls into the last part it is regarded as a suspicious packet and stored in the database (27). The vertical axis (Y) is the packet count. It can be seen that in normal (N-1) network activity some packets fall into the last interval; these are the false positives (False Positive) of the conditional legal probability. Annex 3, Tables 2 to 4 show the distributions that result when TCP Probe, UDP Probe or ICMP Probe activity is added to the normal network packets. Annex 3, Tables 5 to 7 show the distributions that result when TFN2K TCP DDoS, UDP DDoS or ICMP DDoS activity is added to the normal network packets.
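The binning and error-rate bookkeeping behind the Annex 3 distributions and the false positive and false negative figures in Annex 2, Table 3, as an added example that is not the patent's own code. The patent does not give the conditional legal probability formula itself, so per-packet scores are taken as inputs here; the threshold value and the SAMPLE records are constructed for the example, not measured.

```python
"""Added example, not from the patent: divide [0, threshold] into 100 equal
intervals, flag packets landing in the last one as suspicious, and compute
the false positive and false negative rates over a labelled sample."""
from collections import Counter

N_BINS = 100   # the page divides [0, threshold] into 100 equal intervals


def bin_index(score, threshold):
    """Map a score to one of the 100 intervals; scores at or above the
    threshold are clamped into the last interval (index 99)."""
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if score < 0:
        raise ValueError("score must be non-negative")
    return min(int(score / threshold * N_BINS), N_BINS - 1)


def is_suspicious(score, threshold):
    """A packet is suspicious (and would be stored in the database) when its
    score falls into the last interval."""
    return bin_index(score, threshold) == N_BINS - 1


def histogram(scores, threshold):
    """Packet count per interval, i.e. the Y axis of the Annex 3 tables."""
    return Counter(bin_index(s, threshold) for s in scores)


def error_rates(labelled, threshold):
    """labelled: iterable of (score, is_attack).  Returns (false positive
    rate, false negative rate): normal packets flagged / all normal packets,
    and attack packets not flagged / all attack packets."""
    fp = fn = normal = attack = 0
    for score, is_attack in labelled:
        flagged = is_suspicious(score, threshold)
        if is_attack:
            attack += 1
            fn += not flagged
        else:
            normal += 1
            fp += flagged
    return (fp / normal if normal else 0.0, fn / attack if attack else 0.0)


THRESHOLD = 1.0   # assumed threshold for the example
# Constructed sample: 97 normal packets (two of them scoring in the last
# interval) and 20 attack packets (one of them scoring well below it).
SAMPLE = (
    [(i / 100, False) for i in range(95)]
    + [(0.995, False), (0.999, False)]
    + [(0.995 + 0.0001 * i, True) for i in range(19)]
    + [(0.5, True)]
)

if __name__ == "__main__":
    fpr, fnr = error_rates(SAMPLE, THRESHOLD)
    last = histogram([s for s, _ in SAMPLE], THRESHOLD)[N_BINS - 1]
    print(f"last interval holds {last} packets")
    print(f"false positive rate {fpr:.3f}, false negative rate {fnr:.3f}")
```

Clamping scores at or above the threshold into the last interval matters: without it a score exactly at the threshold would compute bin 100, fall outside the 100 intervals, and silently escape the suspicious check.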

Annex 2, Table 3 records, for each test item, the false positive rate (False Positive) and the false negative rate (False Negative). Under ordinary normal network traffic the conditional legal probability has a false positive rate of about 2.5%; under Nmap probe scans the false positive and false negative rates fall roughly below 1% and 3% respectively; and in the tests under TFN2K DDoS attacks the false positive and false negative rates fall roughly below 10% and 3% respectively.

5. Conclusion

With the technical features described above, the invention has the following characteristics:

1. Through the alliance mechanism the invention achieves mutual cooperation and information sharing among the members of the alliance, and the distributed system architecture further provides flexibility in system design and configuration. Because it lowers the cost of hardware installation, reduces the threat a local network poses to the Internet, provides a cooperative defense alliance mechanism, and offers high-security, high-efficiency network protection, it can greatly reduce the damage done to computer systems by hacker attacks.

2. To lower the cost of hardware installation, the invention replaces hardware appliances with an intrusion prevention system built on free software, running on the free operating system FreeBSD, which reduces the cost requirement.

3. The invention uses a distributed architecture. Since the hardware appliances currently on the market all work independently and have no cooperative relationship with one another, the invention is designed as a distributed architecture in which the IPSs can communicate and exchange information.

4. The invention reduces the threat a local network poses to the Internet. Whatever the type of attack technique, if the attack is carried out over the network the attacker is necessarily located inside some local network. If this system is built on some of those segments, then looking from the inside out, its main task is to discover at the first moment whether suspicious activity is occurring in the monitored network and to protect against it immediately, reducing the threat to the outside; looking from the outside in, the distributed architecture described above achieves the effect of regional joint defense.

The above is only one feasible embodiment of the invention and is not intended to limit its scope; any change in shape, construction, features and spirit carried out according to the following claims shall be included in the scope of the invention. The invention has the features described above, which are not found in similar products, and has utility and inventiveness, meeting the requirements for an invention patent; the application is therefore filed according to law, and the Office is respectfully requested to grant the patent in order to protect the applicant's legal rights.

Brief description of the drawings

Figure 1 is a schematic of the architecture of the alliance-type distributed intrusion prevention system of the invention.
Figure 2 is a schematic of the system architecture of the intrusion detection part of the invention.
Figure 3 is a schematic of the system architecture of the central server Root of the invention.
Figure 4 is a schematic of the architecture of the decision module Reaper of the invention.
Figure 5 is a schematic of the first deployment architecture of the subsystem of the invention.
Figure 6 is a schematic of the second deployment architecture of the subsystem of the invention.
Figure 7 is a schematic of the simulated network used to operate the invention.
Figure 8 is a schematic of a simulated external attack on the network of the invention.
Figure 9 is a schematic of a simulated internal attack on the network of the invention.

Annex 1: Figure 1 is the monitoring screen of the central server Root; Figure 2 is the monitoring screen of the decision module Reaper.

Annex 2: Table 1 is the LLDOS 1.0 experimental results; Table 2 is the common attack experimental results; Table 3 is the common attack experimental results for the conditional legal probability; Table 4 is a schematic table of the attack flow.

Annex 3: Table 1 shows the distribution of the network packets collected during one time period; Table 2 the distribution with TCP Probe added; Table 3 with UDP Probe added; Table 4 with ICMP Probe added; Table 5 with TFN2K TCP DDoS Attack added; Table 6 with TFN2K UDP DDoS Attack added; Table 7 with TFN2K ICMP DDoS Attack added.

Description of the main reference numerals

(10) central server
(11) allied network
(12) Internet
(20) subsystem
(21) decision module
(22) intrusion detection software
(23) intrusion detection component
(24) firewall
(25) switch
(26) router
(27) database
(30) computer device

Claims (1)

VII. Claims

1. An alliance-type distributed network intrusion prevention system, in which at least one allied network is formed by a distributed intrusion prevention system (DIPS), comprising a plurality of subsystems (IPS), a central server (Root) controlling the allied network, and a firewall; each subsystem (IPS) comprises a decision module (Reaper), an intrusion detection software and an intrusion detection component for collecting suspicious network activity packets; each allied network has a group code and each subsystem (IPS) in the allied network has its own identification code; the group code of the allied network and the identification code of the decision module (Reaper) must first be registered with the central management module (Root) and recorded in a database; when the central server (Root) determines that the decision module (Reaper) is legitimate, the decision module (Reaper) may connect to the central server (Root), so that the central server (Root) assists the decision modules (Reaper) in communicating and sharing information among themselves; when the intrusion detection software detects an attack event it sends a warning to all the decision modules (Reaper), and the decision module (Reaper) issues a blocking command to the firewall and takes the related actions according to the defensive measures defined in the database.

2. The alliance-type distributed network intrusion prevention system of claim 1, wherein the intrusion detection software is the open source (Open Source) intrusion detection software Snort, which has a large number of attack patterns (pattern) for detecting and comparing known malicious behaviour and penetration on the allied network; when the intrusion detection software detects an attack event it sends the warning to the decision module (Reaper) through one of its plug-ins (output_plugins), while the suspicious network activity packets collected by the intrusion detection component are analyzed by the central server (Root) to produce new rules, which are added to the intrusion detection software so that new attack techniques can be detected and compared.

3. The alliance-type distributed network intrusion prevention system of claim 1, wherein when the decision module (Reaper) issues a blocking command to the firewall it sends an e-mail to the central server (Root).

4. The alliance-type distributed network intrusion prevention system of claim 1, wherein the decision module (Reaper) applies a conditional legal probability algorithm to all the packet traffic on the allied network captured by the intrusion detection component in order to find suspicious packets (Suspicious Packets), and after appropriate analysis stores them in the database.

5. The alliance-type distributed network intrusion prevention system of claim 1, wherein the decision module (Reaper), without depending on the information provided by the central server (Root), can cooperate directly with the intrusion detection software to form an independently operating subsystem IPS.

6. The alliance-type distributed network intrusion prevention system of claim 1, wherein the intrusion detection component is the network packet sniffing component Scent, developed in C++ on the FreeBSD system, which listens to all packet traffic on the allied network as a completely independent thread (Thread) combined with a dynamically allocated queue (Queue).

7. The alliance-type distributed network intrusion prevention system of claim 1, wherein the firewall is the firewall application software that comes with FreeBSD, controlled by the decision module (Reaper).

8. The alliance-type distributed network intrusion prevention system of claim 1, wherein the subsystem IPS is deployed on the network backbone between a computer device and the firewall, the firewall is connected to a router that connects to the Internet so that the computer device can reach the Internet, and all outbound and inbound network traffic on the network is monitored and then analyzed and recorded by the decision module (Reaper).

9. The alliance-type distributed network intrusion prevention system of claim 1, further comprising a switch deployed on the network between a computer device and the firewall, the switch being connected to the subsystem IPS and the firewall being connected through a router to the Internet so that the computer device can reach the Internet, and the subsystem IPS monitors all outbound, inbound and internal traffic on the network through mirroring (Mirror), which is then analyzed and recorded by the decision module (Reaper).

10. An alliance-type distributed network intrusion prevention method, comprising the following steps: providing an alliance-type distributed network intrusion prevention system as in claim 1; assigning the group code to the allied network and the identification code to each subsystem; and registering the group code and the identification code with the central server (Root) and recording them in the database, so that the decision module (Reaper) can request a connection to the central server (Root) to assist communication and sharing of information among the decision modules (Reaper); when the intrusion detection software detects an attack event it sends a warning to all the decision modules (Reaper) on the allied network, and on receiving the warning a decision module (Reaper) takes the related actions according to the defensive measures defined in the database.
TW99115571A 2010-05-14 2010-05-14 Alliance type distributed network intrusion prevention system and method thereof TW201141155A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW99115571A TW201141155A (en) 2010-05-14 2010-05-14 Alliance type distributed network intrusion prevention system and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW99115571A TW201141155A (en) 2010-05-14 2010-05-14 Alliance type distributed network intrusion prevention system and method thereof

Publications (1)

Publication Number Publication Date
TW201141155A true TW201141155A (en) 2011-11-16

Family

ID=46760472

Family Applications (1)

Application Number Title Priority Date Filing Date
TW99115571A TW201141155A (en) 2010-05-14 2010-05-14 Alliance type distributed network intrusion prevention system and method thereof

Country Status (1)

Country Link
TW (1) TW201141155A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI489826B (en) * 2013-01-14 2015-06-21 Univ Nat Taiwan Science Tech Method for ddos detection based on flow motion model
US9141777B2 (en) 2012-08-24 2015-09-22 Industrial Technology Research Institute Authentication method and code setting method and authentication system for electronic apparatus
TWI667589B (en) * 2017-09-05 2019-08-01 關貿網路股份有限公司 Guardian security methods, systems, computer program products and computer readable recording media
US11328056B2 (en) 2018-08-22 2022-05-10 CyCarrier Technology Co., Ltd. Suspicious event analysis device and related computer program product for generating suspicious event sequence diagram
