WO2007115457A1 - Point d'application de politiques et procédé et système de liaison pour système de détection d'intrus - Google Patents
Point d'application de politiques et procédé et système de liaison pour système de détection d'intrus Download PDFInfo
- Publication number
- WO2007115457A1 WO2007115457A1 PCT/CN2006/003793 CN2006003793W WO2007115457A1 WO 2007115457 A1 WO2007115457 A1 WO 2007115457A1 CN 2006003793 W CN2006003793 W CN 2006003793W WO 2007115457 A1 WO2007115457 A1 WO 2007115457A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- detection system
- policy enforcement
- connection
- intrusion detection
- enforcement point
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- the invention belongs to the technical field of information network security, and relates to a linkage method of network security devices, in particular a policy execution point and a method and system thereof linked with an intrusion detection system. Background technique
- the policy enforcement point device is used to separate the intranet and the extranet, which is of great significance to the security of the network.
- a Policy Enforcement Point is a network entity that accepts policy management and is often referred to as a policy client. It is usually located on the network node. It actually performs policy decisions. It can be a router, a switch, a virtual private network (VPN) gateway, and a network device such as a firewall. It is responsible for executing the Policy Decision Point (PDP). The assigned policy, and it also sends information to the policy decision point, so that the policy decision point knows the network changes and the implementation of the policy.
- PDP Policy Decision Point
- the policy enforcement point itself has certain limitations, such as the coarse granularity of the inspection, it is difficult to deeply analyze and check the details of many protocols, and the policy enforcement point has the characteristics of prevention and prevention, which is difficult for internal users. The illegal behavior and the infiltrated attacks are effectively checked. Therefore, the policy enforcement point opens the relevant interface and associates with other security software to build a secure network through a combination of various technologies.
- the policy enforcement point is linked to the Intrusion Detection System (IDS) software, which can fully utilize the functions of the IDS software to perform detailed analysis and inspection of packets flowing through the network to detect various possible abnormal conditions and attack behaviors. Real-time response through policy enforcement points.
- IDS Intrusion Detection System
- the networking mode of the policy execution point PEP and IDS software is as shown in Figure 1:
- the policy enforcement point PEP is located between the internal and external networks, the IDS server and the management server are located on the intranet, and the IDS server confirms the illegal according to the information collected by the IDS detector. Behavior and attacks are generated and reported to the management server and policy enforcement point PEP, and the corresponding action is taken by the policy enforcement point PEP. The source or destination user is blocked or blacklisted.
- the function of the IDS of the intrusion detection system is mainly to analyze the data stream by means of interception and discover the intrusion behavior (such as trying to spy on the internal network structure, attacking the internal server, etc.).
- the policy enforcement point provides a linkage interface with the third-party IDS software.
- the IDS server When the IDS server detects an abnormal or aggressive behavior, it sends information to the policy enforcement point PEP through the interface, and the corresponding restriction measures are taken by the policy enforcement point (for example, the user is listed). Blacklist, etc.).
- PEP and IDS software implementations are linked through the network management system: There is no direct interface between the IDS software and the policy enforcement point, and all operations are completed through the network management.
- the IDS server reports the intrusion behavior to the NMS through the Simple Network Management Protocol (SMP).
- SMP Simple Network Management Protocol
- the administrator sends a message to the policy enforcement point through the network management system, and responds to the intrusion behavior through the policy enforcement point PEP.
- the ACL (Access Control List) rule is blocked, or the attack source or destination user is blacklisted. This kind of linkage requires network management support. In many applications, there is no unified network management to manage policy enforcement points and IDS software. Summary of the invention
- Embodiments of the present invention provide a policy enforcement point and a method and system thereof for linkage with an intrusion detection system, which can implement secure and efficient linkage between the two.
- the embodiment of the invention provides a method for linking a policy execution point with an intrusion detection system, which includes:
- a direct connection between the intrusion detection system and the policy enforcement point is established
- the intrusion detection system detects an attack behavior and sends the detection result to the policy execution.
- the policy execution point performs a corresponding operation according to the detection result.
- An embodiment of the present invention provides a policy enforcement point, including:
- a communication module configured to directly establish a linkage connection with the intrusion detection system and maintain communication; receive the detection result sent by the intrusion detection system and notify the execution module;
- the execution module performs corresponding operations according to the detection result.
- An embodiment of the present invention provides an intrusion detection system, including: a detecting unit, configured to detect an attack behavior;
- the communication unit is configured to directly establish a linkage connection with the policy enforcement point and maintain communication, and send the detection result of the detection unit to the policy execution point.
- the message interaction is established on the TCP connection.
- the message format is private, and IDS software cannot establish connections and linkages with policy enforcement points through other linkage protocols.
- a protocol packet carries only one message. If a packet with a counterfeit protocol packet is attacked, the TCP connection may be broken and the connection will be reconnected.
- the solution provided by the embodiment of the present invention improves the security defense capability of the intrusion detection system, effectively prevents false messages and other various attacks, and achieves high efficiency linkage. Improve the overall protection of safety products.
- FIG. 1 is a schematic diagram of a typical networking structure in which a policy execution point is linked with an intrusion detection system.
- 2 is a schematic diagram of a process in which a policy enforcement point is linked with an intrusion detection system in an embodiment of the present invention.
- FIG. 3 is a flow chart of processing a message between a policy enforcement point and an intrusion detection system in a specific embodiment of the present invention. detailed description
- FIG. 2 is a schematic diagram of a process in which a policy enforcement point is associated with an intrusion detection system in a specific embodiment of the present invention. As shown in FIG. 2, the embodiment provides a method for linking a policy execution point with an intrusion detection system, including the following steps. :
- a direct connection between the intrusion detection system and the policy enforcement point is established
- the intrusion detection system detects an attack behavior and sends the detection result to the policy execution
- the account execution point performs a corresponding operation according to the detection result.
- the policy execution point PEP establishes a linkage connection process with the intrusion detection system to Less include the following steps:
- Step 01 Intrusion Detection System
- the IDS software initiates the establishment of a linkage connection request, and the transmitted linkage connection request carries the relevant information of the IDS software;
- Step 02 The policy execution point checks the related information of the IDS software, and determines whether the linkage connection is allowed. If the connection is not allowed, step 03 is performed; if the linkage connection request is allowed, step 04 is performed;
- Step 03 The policy execution point PEP sends a linkage connection reject message, and closes the Transmission Control Protocol (TCP) connection;
- TCP Transmission Control Protocol
- Step 04 Policy Execution Point PEP sends a Linked Connection Response message.
- Step 11 periodically send a 'keep alive' message between the PEP and the IDS software at the policy execution point to indicate that both ends are in an active state;
- Step 12 After the linkage connection is successfully established, the policy enforcement point receives the linkage data sent by the IDS software.
- Step 13 During the message connection process, if the IDS finds an attack, it sends the linkage data to the policy enforcement point PEP, requesting to block;
- Step 14 Policy execution point PEP performs the corresponding operation according to the linkage data, and responds to the blocking result
- Step 15 Policy enforcement point PEP and IDS close any TCP connection and release the linkage connection.
- the connection request message sent in the step 01 includes an IDS type, an IDS version, an encryption mode, a linkage protocol version number, and data for authentication, and the data for authentication is obtained according to an encryption method.
- an embodiment of the present invention further provides a policy enforcement point, including: a communication module, configured to directly establish a linkage connection with an intrusion detection system and maintain communication; and receive a detection result sent by the intrusion detection system. Notifying the execution module;
- the execution module performs corresponding operations according to the detection result.
- connection module further includes an inspection module, which checks the received connection request message according to the intrusion detection system IDS type, the IDS version, the encryption mode, the linkage protocol version number, and the authentication data, and the check allows the linkage connection. Otherwise, the connection is rejected.
- an inspection module which checks the received connection request message according to the intrusion detection system IDS type, the IDS version, the encryption mode, the linkage protocol version number, and the authentication data, and the check allows the linkage connection. Otherwise, the connection is rejected.
- a TCP connection is first established between the connection module and the intrusion detection system, and related messages of the linkage connection, such as a linkage connection request message, a rejection message, etc., are sent or received through the TCP connection.
- an embodiment of the present invention further provides an intrusion detection system, including: a detecting unit, configured to detect an attack behavior;
- the communication unit is configured to directly establish a linkage connection with the policy enforcement point and maintain communication, and send the detection result of the detection unit to the policy execution point.
- the policy enforcement point and the intrusion detection system associate the protocol processing process, as shown in FIG.
- the intrusion detection system acts as a client, and the policy enforcement point acts as a server to interact through TCP connections.
- the message format is as follows:
- Length length of the message
- IDS type IDS software type
- IDS version IDS software version number
- Encryption mode 0 means no encryption, 1 means MD5 algorithm for encryption; Port: IDS software version of the linkage protocol version number, the value is Oxfffffl ⁇ indicates that it is consistent with the policy execution point side;
- Authentication data Data used for authentication (data obtained according to encryption).
- Connection reject message with a value of 2;
- Length The length of the message, which is 4 (bytes).
- Connection response message the value is 3; Version: Linkage protocol version number, the value is 1.0; Length: Packet length, the value is 8 (bytes);
- Policy Execution Point Type Policy Execution Point Type
- Policy Execution Point Version The version number of the policy enforcement point.
- Block request message (Block req.), as shown in Table 4, 15 31
- Block request message the value is 4; Version: Linkage protocol version number, the value is 1.0; Length: Packet length;
- the serial number is used to indicate the current packet content. It is used to indicate whether the current blocking request is successfully executed when the policy is executed.
- the value is OxfffffffffH ⁇ , indicating that the policy execution point cannot indicate the current message through the serial number, but must carry the message.
- Source IP address Source IP address, 32-bit value
- Source IP address mask Source IP address mask
- Source IP address mask 32-bit value
- Destination IP address Destination IP address, 32-bit value
- Destination IP address mask Destination IP address mask, 32-bit value
- Source port Source port number, when the protocol type is 0 or the ICMP protocol (Internet Control Message Protocol), the value is 0.
- Destination port Destination port number, when the protocol type is 0 or ICMP In the case of a protocol, the value is 0;
- Protocol type When the protocol type is 0, it means all protocols
- Action indication Indicates the specific action of blocking the request (blocking the source IP address, blocking the destination IP address, blocking the source and destination IP addresses, etc.); whether the response is required. ' A value of 0 does not require a policy execution point response. A value of 1 requires a policy enforcement point response;
- Time value The duration of the block. When the value is 0, the block is released (according to the corresponding action indication). The value is OxfffffffffB, indicating that it is blocked all the time. (5). Block response message (Block resp.), as shown in Table 5,
- Protocol type Action indication Reserved Message type: Block response message, value is 5; Version: Linkage protocol version number, value is 1.0; Length: 4 ⁇ text length;
- the serial number '. uses the serial number in the received block req. When the value is not OxffffffffH, only the 1, 2, and 8 fields exist, and the 8th field only has "response" meaning; when the value is Oxffffffff , 1-8 fields exist;
- Source IP address Block req source IP address, 32-bit value
- source IP address mask Block req source IP address in the mask, 32-bit value
- Destination IP address Destination IP address in Block req., 32-bit value; Destination IP address mask:
- Destination IP address mask in block req. 32-bit value
- Source port Source port number in Block req.
- Destination port Destination port number in Block req.
- Protocol type Protocol type in Block req.
- Action indication an action indication in Block req.
- a value of 0 indicates that the policy execution point was executed successfully.
- a value of 1 indicates that the policy execution point failed to execute.
- the 'keep alive' message is used to periodically send between the policy enforcement point and the IDS software to indicate that both ends are active; if the other party's 'keep alive' message cannot be received, the TCP connection should be closed and the corresponding resources should be released.
- the message format is as follows, as shown in Table 6: 15 31 Table 6
- the message interaction is established on the TCP connection.
- the message format is private, and the IDS software cannot establish a connection and linkage with the policy enforcement point through other linkage protocols.
- a protocol packet carries only one message. If there is a counterfeit protocol packet attack, the TCP connection may be broken and the connection will be reconnected. Therefore, the security defense capability of the intrusion detection system is improved, the pseudo message and other various attacks are effectively prevented, and the high efficiency linkage is realized at the same time. Improve the overall protection of security products.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Description
一种策略执行点及其与入侵检测系统联动的方法和系统 本申请要求于 2006 年 04 月 06 日提交中国专利局、 申请号为 200610034927.2,发明名称为 "一种策略执行点及其与入侵检测系统联动 的方法" 的中国专利申请的优先权, 其全部内容通过引用结合在本申请 中。 技术领域
本发明属于信息网絡安全技术领域, 涉及一种网络安全设备的联动 方法, 尤其是策略执行点及其与入侵检测系统联动的方法和系统。 背景技术
策略执行点设备用于分隔内网和外网, 对网络的安全有着重要的意 义。 策略执行点 (PEP, Policy Enforcement Point, )是接受策略管理的网 络实体, 通常也被称作策略客户端。 它一般位于网络节点上, 它实际执 行策略决策,可以是路由器、交换机、虚拟专用网( VPN, Virtual Pr ivate Network ) 网关以及防火墙等网络设备, 负责执行由策略决策点 (PDP, Policy Decision Point )分配来的策略, 同时它还向策略决策点发送信息, 使策略决策点知道网络的变化以及策略的执行情况。 由于策略执行点自 身具有一定的局限性, 如检查的颗粒度较粗, 难以对众多的协议细节进 行深入的分析与检查, 并且策略执行点具有防外不防内的特性, 难以对 内部用户的非法行为和已经渗透的攻击进行有效的检查的防范, 因此, 策略执行点开放相关接口, 与其它安全软件实现联动, 通过多种技术的 组合, 构建一个安全的网络, 成为一种需要。 策略执行点与入侵检测系 统(IDS, Intrude Detection System)软件联动, 可以充分利用 IDS软件的 功能, 对流经网络的报文进行详细的分析与检查, 探测各种可能的异常 情况和攻击行为, 并通过策略执行点进行实时的响应。
策略执行点 PEP与 IDS软件联动的组网方式如图 1所示: 策略执行 点 PEP位于内外网之间, IDS服务器和管理服务器位于内网, IDS服务器 根据 IDS探测器采集到的信息, 确认非法行为和攻击的产生, 并报告给 管理服务器和策略执行点 PEP, 由策略执行点 PEP采取相应的措施对攻
击源或目的用户进行阻断或列入黑名单。 入侵检测系统 IDS的功能主要 是通过监听的方式对数据流进行分析, 发现入侵行为 (如试图刺探内网 结构、 攻击内部服务器等) 。 策略执行点提供与第三方 IDS软件的联动 接口, 当 IDS服务器检测到异常或攻击行为时, 将通过该接口发送信息 到策略执行点 PEP, 由策略执行点采取相应的限制措施(如将用户列入 黑名单等) 。 现在策略执行点 PEP与 IDS软件很多通过网管实现联动: IDS软件 与策略执行点之间并没有直接的接口, 所有的操作通过网管来完成。 IDS 服务器通过简单网络管理协议(S MP, Simple Network Management Protocol ) 向网管报告入侵行为的发生, 由管理员通过网管系统向策略执 行点发送消息, 通过策略执行点 PEP对入侵行为进行响应, 如设置访问 控制列表(ACL, Access Control List )规则进行阻断, 或者将攻击源或目 的用户列入黑名单等。 这种联动方式, 需要网管的支持, 在许多应用场 合, 并没有一个统一的网管来管理策略执行点和 IDS软件。 发明内容
本发明实施例提供一种策略执行点及其与入侵检测系统联动的方法 和系统, 可实现两者间安全高效的联动。
本发明实施例提供一种策略执行点与入侵检测系统联动的方法, 包 括:
入侵检测系统与策略执行点之间直接建立联动连接;
所述策略执行点与所述入侵检测系统之间保持通信;
所述入侵检测系统检测攻击行为,并将检测结果发送给所述策略执行 占,
所述策略执行点根据所述检测结果进行相应的操作。
本发明实施例提供一种策略执行点, 包括:
通信模块,用于与入侵检测系统之间直接建立联动连接并保持通信; 接收所述入侵检测系统发送来的检测结果并通知执行模块;
执行模块, 根据所述检测结果进行相应的操作。
本发明实施例提供一种入侵检测系统, 包括:
检测单元, 用于检测攻击行为;
通信单元, 用于与策略执行点之间直接建立联动连接并保持通信, 将所述检测单元的检测结果发送给所述策略执行点。
本发明实施例提供的方案中, 消息交互建立在 TCP连接之上。 消息 格式是私有的, IDS软件不能通过其它联动协议来与策略执行点建立连接 及联动。 一个协议报文只携带一个消息, 如果有仿冒协议报文的攻击, 可能会造成 TCP连接断掉, 此时将会重新连接。
本发明实施例提供的方案提升了入侵检测系统的安全防御能力, 有 效防止了伪消息和其他各种攻击, 同时实现较高效率的联动。 提高了安 全产品的整体防护能力。 附图说明
图 1是策略执行点与入侵检测系统联动的典型组网结构示意图。 图 2是本发明的一个具体实施例中策略执行点与入侵检测系统实现 联动的过程示意图。
图 3 是本发明的一个具体实施例中策略执行点与入侵检测系统联动 协议消息处理流程图。 具体实施方式
为使本领域技术人员更加清楚地理解本发明的技术原理及特性和优 点, 下面结合具体实施例对本发明予以描述。
图 2是本发明的一个具体实施例中策略执行点与入侵检测系统实现 联动的过程示意图, 如图 2所示, 该实施例提供一种策略执行点与入侵 检测系统联动的方法, 包括以下步骤:
入侵检测系统与策略执行点之间直接建立联动连接;
所述策略执行点与所述入侵检测系统之间保持通信;
所述入侵检测系统检测攻击行为,并将检测结果发送给所述策略执行
.占- 所述策略执行点根据所述检测结果进行相应的操作。
进一步地, 策略执行点 PEP与入侵检测系统建立联动连接的流程至
少包括如下步骤:
步據 01: 入侵检测系统 IDS软件发起建立联动连接请求, 所发送的 联动连接请求中携带 IDS软件的相关信息;
步骤 02: 策略执行点检查上述 IDS软件的相关信息, 判断是否允许 联动连接, 如果连接不允许, 执行步骤 03; 如果联动连接清求被允许, 则执行步驟 04;
步驟 03: 策略执行点 PEP发送联动连接拒绝消息, 并关闭传输控制 协议 ( TCP, Transmission Control Protocol )连接;
步骤 04: 策略执行点 PEP发送联动连接响应消息。
策略执行点与入侵检测系统保持通信的流程至少包括如下步驟: 步骤 11: 在策略执行点 PEP与 IDS软件之间定时发送 '保活' 消息, 以表明两端均处于激活状态;
步骤 12: 联动连接建立成功之后, 策略执行点接收 IDS软件发来的 联动数据。
策略执行点 PEP 与入侵检测系统处理攻击的流程至少包括如下步 驟:
步骤 13: 消息连接过程中, IDS如果发现攻击, 向策略执行点 PEP 发送联动数据, 请求阻断;
步骤 14: 策略执行点 PEP根据联动数据执行相应操作, 响应阻断结 果;
步骤 15: 策略执行点 PEP与 IDS任一方关闭 TCP连接,释放联动连 接。
所述步骤 01发送的连接请求消息中包括 IDS类型、 IDS版本、 加密 方式、 联动协议版本号和用于认证的数据, 所述用于认证的数据根据加 密方式得到。
本发明实施例中的消息交互建立在 TCP连接之上。 消息格式是私有 的, IDS软件不能通过其它联动协议来与策略执行点建立连接及联动。一 个协议报文只携带一个消息, 如果有仿冒协议^ =艮文的攻击, 可能会造成 TCP连接断掉, 此时将会重新连接。
相应地, 本发明的实施例还提供一种策略执行点, 其包括: 通信模块,用于与入侵检测系统之间直接建立联动连接并保持通信; 接收所述入侵检测系统发送来的检测结果并通知执行模块;
执行模块, 根据所述检测结果进行相应的操作。
进一步, 所述的连接模块还包括检查模块, 其对接收到的连接请求 消息中根据入侵检测系统 IDS类型、 IDS版本、 加密方式、 联动协议版 本号、 认证数据进行检查, 检查通过则允许联动连接, 否则拒绝联动连 接。
所述连接模块与入侵检测系统之间首先建立 TCP连接, 联动连接的 相关消息, 如联动连接请求消息、 拒绝消息等, 通过 TCP连接来发送或 接收。
相应地, 本发明的实施例还提供一种入侵检测系统 , 包括: 检测单元, 用于检测攻击行为;
通信单元, 用于与策略执行点之间直接建立联动连接并保持通信, 将所述检测单元的检测结果发送给所述策略执行点。
本发明的一个具体实施例中策略执行点与入侵检测系统联动协议消 息处理流程, 如图 3所示。
入侵检测系统作为客户端, 而策略执行点作为服务器端通过 TCP连 接进行交互。
具体交互过程上文中已描述, 在此不再赘述。
本发明的具体实施方案中, 消息格式如下:
(1). 连接请求消息 ( Connect req. ) , 如表 1所示,
15 31
表 1 消息类型: 连接请求消息, 取值为 1;
版本: 联动协议版本号, 取值为 1.0;
长度: 报文长度;
IDS类型: IDS软件类型; IDS版本: IDS软件的版本号;
加密方式: 取 0表示不加密, 取 1表示采用 MD5算法进行加密; 端口: IDS软件处理的联动协议的版本号,取值为 Oxfffffl†表示与策略 执行点侧的一致;
认证数据: 用于认证的数据(根据加密方式得到的数据) 。
(2). 连接拒绝消息 ( Connect rej. ) , 如表 2所示,
15 31
表 2
消息类型: 连接拒绝消息, 取值为 2;
版本: 联动协议版本号, 取值为 1.0;
长度: 报文长度, 取值为 4 (字节) 。
(3). 连接响应消息 ( Connect resp. ) , 如表 3所示,
表 3
消息类型: 连接响应消息, 取值为 3; 版本: 联动协议版本号, 取值 为 1.0; 长度: 报文长度, 取值为 8 (字节) ;
策略执行点类型: 策略执行点类型; 策略执行点版本: 策略执行点 的版本号。
(4). 阻断请求消息 ( Block req. ) , 如表 4所示,
15 31
消息类型 版本 保留 长度 保留
序列号
源 IP地址
源 IP地址掩码
目的 IP地址
目的 IP地址掩码
源端口 目的端口
协议类型 动作指示 保留
时间值
*:是否需要响应
表 4
消息类型: 阻断请求消息, 取值为 4; 版本: 联动协议版本号, 取 值为 1.0; 长度: 报文长度;
序列号: 标识当前报文内容, 用于策略执行点响应时指示当前阻断 请求是否执行成功, 取值为 OxffffffffH†, 表明策略执行点响应时不能通过 序列号来指示当前消息, 而必须携带消息的内容信息;
源 IP地址: 源 IP地址, 32位值; 源 IP地址掩码:
源 IP地址掩码, 32位值; 目的 IP地址: 目的 IP地址, 32位值; 目的 IP地址掩码: 目的 IP地址掩码, 32位值;
源端口: 源端口号, 当协议类型为 0或为 ICMP协议(Internet Control Message Protocol, 因特网控制报文协议)时, 取值为 0; 目的端口: 目的 端口号, 当协议类型为 0或为 ICMP协议时, 取值为 0;
协议类型: 协议类型为 0时, 表示所有协议;
动作指示: 表明阻断请求的具体动作 (阻断源 IP地址, 阻断目的 IP 地址, 阻断源和目的 IP地址等); 是否需要响应.' 取值为 0时不需要策略 执行点响应, 取值为 1时需要策略执行点响应;
时间值: 阻断的持续时间, 取值为 0时表示解除阻断(根据相应的动 作指示) , 取值为 OxffffffffB†表示一直阻断。
(5). 阻断响应消息 ( Block resp. ) , 如表 5所示,
表 5
15 31
消息类型 版本 保留 长度 保留
序列号
源 IP地址
源 IP地址掩码
目的 IP地址
目的 IP地址掩码
源端口 目的端口
协议类型 动作指示 保留 消息类型: 阻断响应消息, 取值为 5; 版本: 联动协议版本号, 取值 为 1.0; 长度: 4艮文长度;
序列号'. 使用收到的 Block req.中的序列号, 当取值不为 OxffffffffH于, 只有 1、 2、 8字段存在,且第 8字段只有 "响应"有意义; 当取值为 Oxffffffff 时, 1-8字段有存在;
源 IP地址: Block req.中的源 IP地址, 32位值; 源 IP地址掩码: Block req.中的源 IP地址掩码 , 32位值;
目的 IP地址: Block req.中的目的 IP地址, 32位值; 目的 IP地址掩码:
Block req.中的目的 IP地址掩码, 32位值;
源端口: Block req.中的源端口号; 目的端口: Block req.中的目的端 口号; 协议类型: Block req.中的协议类型;
动作指示: Block req.中的动作指示;
响应: 取值为 0时表示策略执行点执行成功, 取值为 1时表示策略执 行点执行失败。
(6). '保活' 消息,
'保活' 消息用于在策略执行点与 IDS软件之间定时发送, 以表明两 端均处于激活状态; 如果不能收到对方的 '保活' 消息, 应该关闭 TCP 连接, 并释放相应资源。 '保活, 消息格式如下, 如表 6所示:
15 31
表 6
从上述本发明实施例提供的方案中可知 , 消息交互建立在 TCP连接 之上。 消息格式是私有的, IDS软件不能通过其它联动协议来与策略执行 点建立连接及联动。 一个协议报文只携带一个消息, 如果有仿冒协议报 文的攻击, 可能会造成 TCP连接断掉, 此时将会重新连接。 因此提升了 入侵检测系统的安全防御能力, 有效防止了伪消息和其他各种攻击, 同 时实现较高效率的联动。 提高了安全产品的整体防护能力。
上述实施例是用于说明和解释本发明的技术方案的。 可以理解, 本 发明的具体实施方式不限于此。 对于本领域技术人员而言, 在不脱离本 发明的实质和范围的前提下进行的各种变更和修改均涵盖在本发明的保 护范围之内。
Claims
1、 一种策略执行点与入侵检测系统联动的方法, 其特征在于, 包 括:
入侵检测系统与策略执行点之间直接建立联动连接;
所述策略执行点与所述入侵检测系统之间保持通信;
所述入侵检测系统检测攻击行为 , 并将检测结果发送给所述策略执 行点,
所述策略执行点根据所述检测结果进行相应的操作。 -
2、 根据权利要求 1所述的方法, 其特征在于, 还包括:
所述入侵检测系统与策略执行点之间首先建立 TCP连接,并通过该
TCP连接直接发送或接收所述联动连接的相关消息。
3、 根据权利要求 1所述的方法, 其特征在于, 所述策略执行点与 入侵检测系统之间直接建立联动连接, 包括:
所述入侵检测系统发起建立联动连接的请求,并在所发送的连接请 求消息中携带入侵检测系统的相关信息;
所述策略执行点检查所述入侵检测系统的相关信息,如果所述连接 请求不被允许, 所述策略执行点发送连接拒绝消息, 并关闭所述 TCP 连接;
如果所述连接请求被允许 , 则所述策略执行点发送连接成功消息。
4、 根据权利要求 3所述的方法, 其特征在于, 所述发送的连接请 求消息中包括:
入侵检测系统软件类型、 软件版本、 加密方式、 联动协议版本号和 用于认证的数据, 所述用于认证的数据采用加密措施。
5、根据权利要求 3所述的方法, 其特征在于, 所述连接请求消息格 式是私有的。
6、 根据权利要求 3所述的方法, 其特征在于, 所述通过该 TCP连 接发送或接收所述联动连接的相关消息时,一个协议报文只携带一个消
7、 根据权利要求 1或 2所述的方法, 其特征在于, 所述策略执行
点与所述入侵检测系统之间保持通信, 包括:
在所述策略执行点与所述入侵检测系统之间定时发送 '保活,消息, 使两端均处于激活状态;
所述联动连接建立成功之后,所述策略执行点接收所述入侵检测系 统发来的联动数据。
8、 根据权利要求 1或 2所述的方法, 其特征在于, 所述入侵检测 系统检测攻击并发送检测结果, 包括:
当所述入侵检测系统发现攻击时, 向所述策略执行点发送阻断请 求;
所述策略执行点进行相应的操作包括:
所述策略执行点根据所述阻断请求阻断所述攻击。
9、 一种策略执行点, 其特征在于, 包括:
通信模块,用于与入侵检测系统之间直接建立联动连接并保持通信; 接收所述入侵检测系统发送来的检测结果并通知执行模块;
执行模块, 根据所述检测结果进行相应的操作。
10、 根据权利要求 9所述的策略执行点, 其特征在于, 所述连接模 块与入侵检测系统之间首先建立 TCP连接, 联动连接的相关消息通过 TCP连接来发送或接收。
11、 根据权利要求 9所述的策略执行点, 其特征在于, 还包括检查 模块, 其对接收到的连接请求消息中根据入侵检测系统软类型、 软件版 本、 加密方式、 联动协议版本号、 认证数据进行检查, 检查通过则允许 联动连接, 否则拒绝联动连接。
12、 一种入侵检测系统, 其特征在于, 包括:
检测单元, 用于检测攻击行为;
通信单元, 用于与策略执行点之间直接建立联动连接并保持通信, 将所述检测单元的检测结果发送给所述策略执行点。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06840823A EP2007066A4 (en) | 2006-04-06 | 2006-12-31 | GUIDELINES AND CONNECTION METHOD AND SYSTEM FOR AN INTRUSION DETECTION SYSTEM |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2006100349272A CN1863093A (zh) | 2006-04-06 | 2006-04-06 | 一种策略执行点及其与入侵检测系统联动的方法 |
CN200610034927.2 | 2006-04-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007115457A1 true WO2007115457A1 (fr) | 2007-10-18 |
Family
ID=37390426
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2006/003793 WO2007115457A1 (fr) | 2006-04-06 | 2006-12-31 | Point d'application de politiques et procédé et système de liaison pour système de détection d'intrus |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2007066A4 (zh) |
CN (1) | CN1863093A (zh) |
WO (1) | WO2007115457A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112422506A (zh) * | 2020-10-16 | 2021-02-26 | 郑州信大捷安信息技术股份有限公司 | 一种基于DoIP协议的入侵检测防御方法及系统 |
US20240048506A1 (en) * | 2022-08-08 | 2024-02-08 | Bank Of America Corporation | System and method for autonomous conversion of a resource format using machine learning |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102171993B (zh) * | 2011-04-14 | 2013-09-11 | 华为技术有限公司 | 联动策略实现方法及装置、开放平台单板和设备 |
CN104252584B (zh) * | 2013-06-28 | 2018-03-09 | 华为数字技术(苏州)有限公司 | 保护网站内容的方法和装置 |
CN110971622A (zh) * | 2020-03-04 | 2020-04-07 | 信联科技(南京)有限公司 | 一种公网应用系统与内网应用系统间双向访问方法及系统 |
JP2022085622A (ja) * | 2020-11-27 | 2022-06-08 | ブラザー工業株式会社 | 通信装置、通信装置のためのコンピュータプログラム、及び、通信装置によって実行される方法 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6408391B1 (en) * | 1998-05-06 | 2002-06-18 | Prc Inc. | Dynamic system defense for information warfare |
CN1435977A (zh) * | 2002-02-01 | 2003-08-13 | 联想(北京)有限公司 | 防火墙入侵检测与响应的方法 |
WO2004095801A1 (en) * | 2003-03-31 | 2004-11-04 | Intel Corporation | Methods and systems for managing security policies |
CN1655526A (zh) * | 2004-02-11 | 2005-08-17 | 上海三零卫士信息安全有限公司 | 计算机网络应急响应之安全策略生成系统 |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7240368B1 (en) * | 1999-04-14 | 2007-07-03 | Verizon Corporate Services Group Inc. | Intrusion and misuse deterrence system employing a virtual network |
US7359962B2 (en) * | 2002-04-30 | 2008-04-15 | 3Com Corporation | Network security system integration |
-
2006
- 2006-04-06 CN CNA2006100349272A patent/CN1863093A/zh active Pending
- 2006-12-31 EP EP06840823A patent/EP2007066A4/en not_active Withdrawn
- 2006-12-31 WO PCT/CN2006/003793 patent/WO2007115457A1/zh active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6408391B1 (en) * | 1998-05-06 | 2002-06-18 | Prc Inc. | Dynamic system defense for information warfare |
CN1435977A (zh) * | 2002-02-01 | 2003-08-13 | 联想(北京)有限公司 | 防火墙入侵检测与响应的方法 |
WO2004095801A1 (en) * | 2003-03-31 | 2004-11-04 | Intel Corporation | Methods and systems for managing security policies |
CN1655526A (zh) * | 2004-02-11 | 2005-08-17 | 上海三零卫士信息安全有限公司 | 计算机网络应急响应之安全策略生成系统 |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112422506A (zh) * | 2020-10-16 | 2021-02-26 | 郑州信大捷安信息技术股份有限公司 | 一种基于DoIP协议的入侵检测防御方法及系统 |
CN112422506B (zh) * | 2020-10-16 | 2022-03-15 | 郑州信大捷安信息技术股份有限公司 | 一种基于DoIP协议的入侵检测防御方法及系统 |
US20240048506A1 (en) * | 2022-08-08 | 2024-02-08 | Bank Of America Corporation | System and method for autonomous conversion of a resource format using machine learning |
US12107774B2 (en) * | 2022-08-08 | 2024-10-01 | Bank Of America Corporation | System and method for autonomous conversion of a resource format using machine learning |
Also Published As
Publication number | Publication date |
---|---|
EP2007066A4 (en) | 2009-07-01 |
EP2007066A2 (en) | 2008-12-24 |
EP2007066A9 (en) | 2009-07-01 |
CN1863093A (zh) | 2006-11-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2555486B1 (en) | Multi-method gateway-based network security systems and methods | |
US7930740B2 (en) | System and method for detection and mitigation of distributed denial of service attacks | |
US7984493B2 (en) | DNS based enforcement for confinement and detection of network malicious activities | |
US8347383B2 (en) | Network monitoring apparatus, network monitoring method, and network monitoring program | |
US8904514B2 (en) | Implementing a host security service by delegating enforcement to a network device | |
JP2006319982A (ja) | 通信ネットワーク内ワーム特定及び不活化方法及び装置 | |
JP2010268483A (ja) | 能動的ネットワーク防衛システム及び方法 | |
CN111988289B (zh) | Epa工业控制网络安全测试系统及方法 | |
WO2015174100A1 (ja) | パケット転送装置、パケット転送システム及びパケット転送方法 | |
CN111641639B (zh) | 一种IPv6网络安全防护系统 | |
WO2007115457A1 (fr) | Point d'application de politiques et procédé et système de liaison pour système de détection d'intrus | |
WO2016177131A1 (zh) | 防止dos攻击方法、装置和系统 | |
GB2583112A (en) | Efficient protection for an IKEv2 device | |
WO2014075485A1 (zh) | 网络地址转换技术的处理方法、nat设备及bng设备 | |
Saad et al. | A study on detecting ICMPv6 flooding attack based on IDS | |
Barham et al. | Techniques for lightweight concealment and authentication in IP networks | |
JP2008306610A (ja) | 不正侵入・不正ソフトウェア調査システム、および通信振分装置 | |
Patel et al. | A Snort-based secure edge router for smart home | |
JP2006099590A (ja) | アクセス制御装置、アクセス制御方法およびアクセス制御プログラム | |
Fowler et al. | Impact of denial of service solutions on network quality of service | |
JP4322179B2 (ja) | サービス拒絶攻撃防御方法およびシステム | |
WO2010133013A1 (zh) | 一种安全能力协商方法和系统 | |
Wang et al. | Analysis of denial-of-service attacks on denial-of-service defensive measures | |
Kumar et al. | An analysis of tcp syn flooding attack and defense mechanism | |
Juyal et al. | A comprehensive study of ddos attacks and defense mechanisms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 06840823 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006840823 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |