CN115603985A - Intrusion detection method, electronic device and storage medium - Google Patents


Info

Publication number
CN115603985A
Authority
CN
China
Prior art keywords
xdp
program
intrusion detection
data packet
detection module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211216784.2A
Other languages
Chinese (zh)
Inventor
崔圳
纪建芳
范雪俭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211216784.2A
Publication of CN115603985A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application provides an intrusion detection method, an electronic device and a storage medium. The method comprises the following steps: the network card driver receives the data packet, calls an XDP program on an XDP network hook, and submits the data packet to an intrusion detection module through the XDP program; the intrusion detection module detects the data packet to obtain a processing action corresponding to the detection result; and the XDP program acquires the processing action returned by the intrusion detection module and processes the data packet according to the processing action. In this scheme the intrusion detection module is deployed in the application layer and only the key fields need to be parsed for detection, so the detection rate of the data packet is greatly improved. Compared with the related art, the data packet is detected by the application-layer intrusion detection system before it enters the protocol stack, and intrusion detection is realized with low deployment difficulty.

Description

Intrusion detection method, electronic device and storage medium
Technical Field
The present disclosure relates to the field of communication security technologies, and in particular, to an intrusion detection method, an electronic device, and a computer-readable storage medium.
Background
Network security is particularly important today, when internet communications are ubiquitous. An enterprise providing an internet service may recognize malicious traffic through an Intrusion Prevention System (IPS) and stop such malicious traffic from entering the enterprise network. Generally, the IPS function is deployed on the traffic entering the protocol stack to monitor and check whether that traffic contains vulnerabilities and exploits; if a threat is detected, appropriate measures are taken according to the security defense policy, such as blocking the access, quarantining the host, or blocking access to external websites so that potential threats are not introduced. Fig. 1 is a schematic diagram of an intrusion detection method in the related art. As shown in fig. 1, in the related art the intrusion detection system is deployed in the network protocol stack of the kernel layer of a security host; the network card of the security device receives a message and passes it to the network protocol stack. The network protocol stack sends the parsed message to the application in the application layer, so the intrusion detection system deployed in the network protocol stack can perform security detection on the message.
However, the network protocol stack is feature-rich and complex to implement, and the intrusion detection system needs to perform security detection on the message's information at the link layer, the network layer, the transport layer and the application layer, so it must be deployed at multiple positions in the protocol stack, which is complex to implement.
Disclosure of Invention
An object of the embodiments of the present application is to provide an intrusion detection method, an electronic device, and a computer-readable storage medium, which implement intrusion detection with low deployment difficulty.
In one aspect, the present application provides an intrusion detection method, including:
the network card driver receives the data packet, calls an XDP program on the XDP network hook, and submits the data packet to an intrusion detection module through the XDP program;
the intrusion detection module detects the data packet to obtain a processing action corresponding to a detection result;
and the XDP program acquires the processing action returned by the intrusion detection module and processes the data packet according to the processing action.
By the measures, the detection rate of the data packet is greatly improved. Compared with the related art, the data packet is detected before entering the protocol stack through the intrusion detection system of the application layer, and intrusion detection is realized under the condition of low deployment difficulty.
In an embodiment, the XDP program includes an XDP filter program and an XDP message processing program, the XDP filter program is used for filtering a data packet to be detected, and the XDP message processing program is used for submitting the data packet and processing the data packet;
calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling an XDP filter program on the XDP network hook, and filtering the data packet through the XDP filter program to obtain a data packet to be detected;
calling an XDP message processing program on the XDP network hook, and submitting the data packet to be detected to an intrusion detection module through the XDP message processing program.
By the measures, the data packet with larger threat can be subjected to targeted detection, so that the calculated amount of an intrusion detection module is reduced, and the overall detection efficiency is improved.
In an embodiment, before the calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program, the method further includes:
the intrusion detection module analyzes a preset filtering rule file to obtain a filtering rule; the filtering rule is used for filtering out a data packet to be detected;
and the intrusion detection module generates the XDP filter program for the filter rule and writes the XDP filter program carrying the filter rule into the XDP network hook.
By the measures, the data packet to be detected can be filtered out through the XDP filter program on the XDP network hook subsequently, and therefore the calculated amount of the intrusion detection module is reduced.
In one embodiment, the XDP program includes an XDP white list program and an XDP message processing program, the XDP white list program is used for passing through a data packet of trusted traffic, and the XDP message processing program is used for submitting the data packet and processing the data packet;
calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling an XDP white list program on the XDP network hook, checking a data packet hitting a white list through the XDP white list program, and submitting the data packet hitting the white list to a protocol stack;
calling an XDP message processing program on the XDP network hook, and submitting the data packet which does not hit the white list to an intrusion detection module through the XDP message processing program.
Through these measures, a white list can be set so that trusted traffic passes without inspection, which reduces the calculation amount of the intrusion detection module and improves the overall processing efficiency of the data packet.
In an embodiment, before the calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program, the method further includes:
the intrusion detection module analyzes a preset white list file to obtain a white list;
and the intrusion detection module generates the XDP white list program for the white list and writes the XDP white list program carrying the white list into the XDP network hook.
By these measures, the XDP white list program on the XDP network hook can directly pass the data packets of trusted traffic, so that the calculation amount of the intrusion detection module is reduced.
In one embodiment, the XDP program includes an XDP blacklist program and an XDP message handling program, the XDP blacklist program is used for blocking a data packet of abnormal traffic, and the XDP message handling program is used for submitting the data packet and handling the data packet;
calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling an XDP blacklist program on the XDP network hook, checking a data packet hitting a blacklist through the XDP blacklist program, and discarding the data packet hitting the blacklist;
calling an XDP message processing program on the XDP network hook, and submitting the data packet which does not hit the blacklist to an intrusion detection module through the XDP message processing program.
Through these measures, a blacklist can be set to block abnormal traffic at the network card driver layer, so that the calculation amount of the intrusion detection module is reduced and the overall processing efficiency of the data packet is improved.
In an embodiment, before the calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program, the method further includes:
the intrusion detection module analyzes a preset blacklist file to obtain a blacklist;
and the intrusion detection module generates the XDP blacklist program for the blacklist and writes the XDP blacklist program carrying the blacklist into the XDP network hook.
By the measures, the data packets with abnormal flow can be directly discarded by an XDP blacklist program on the XDP network hook subsequently, so that the calculated amount of an intrusion detection module is reduced.
In an embodiment, after writing the XDP blacklist program carrying the blacklist into the XDP network hook, the method further includes:
the intrusion detection module determines a plurality of abnormal flows according to historical detection results of a specified time period and generates a blacklist for the plurality of abnormal flows;
and the intrusion detection module issues the generated blacklist to the XDP blacklist program.
By the measures, the blacklist of the XDP blacklist program can be dynamically updated, so that the XDP blacklist program can discard the data packets with abnormal flow according to the latest blacklist.
In another aspect, the present application provides an electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the intrusion detection method described above.
Furthermore, the present application provides a computer-readable storage medium having stored thereon a computer program executable by a processor to perform the above intrusion detection method.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below.
FIG. 1 is a schematic diagram of an intrusion detection method in the related art;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 3 is a schematic flowchart of an intrusion detection method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an intrusion detection method according to an embodiment of the present application;
fig. 5 is a flowchart illustrating an intrusion detection method according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
As shown in fig. 2, the present embodiment provides an electronic device 1 including at least one processor 11 and a memory 12; one processor 11 is shown in fig. 2 by way of example. The processor 11 and the memory 12 are connected by a bus 10, and the memory 12 stores instructions executable by the processor 11; when the processor 11 executes these instructions, the electronic device 1 can execute all or part of the flow of the method in the embodiments described below. In an embodiment, the electronic device 1 may be a security device (e.g. a firewall), a server, or a vehicle gateway that performs the intrusion detection method. For convenience of description, the electronic device is hereinafter taken as the execution subject.
The memory 12 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
The present application also provides a computer-readable storage medium, which stores a computer program executable by the processor 11 to perform the intrusion detection method provided by the present application.
Referring to fig. 3, a flowchart of an intrusion detection method according to an embodiment of the present application is shown, and as shown in fig. 3, the method may include the following steps 310 to 330.
Step 310: and the network card driver receives the data packet, calls an XDP program on the XDP network hook, and submits the data packet to the intrusion detection module through the XDP program.
After the network card of the electronic device receives the data packet sent by the external network, the data packet can be submitted to the network card driver. An XDP (eXpress Data Path) network hook (hook) is set on the network card driver, and an XDP program is set on the XDP network hook.
After the network card driver receives the data packet, the XDP program can be called to process it. The XDP program can forward the data packet to the intrusion detection module in the application layer through the XDP_REDIRECT mechanism.
Referring to fig. 4, a schematic structural diagram of an intrusion detection method according to an embodiment of the present application, the intrusion detection module is located in the application layer, not in the protocol stack. The intrusion detection module listens on an AF_XDP socket bound to the XDP program so as to receive the data packets forwarded by the XDP program.
Step 320: and the intrusion detection module detects the data packet and obtains a processing action corresponding to the detection result.
After receiving the data packet, the intrusion detection module may perform protocol analysis on it and extract various key fields from it, such as the Media Access Control (MAC) address of the link layer; the IP (Internet Protocol) address, flags, fragment information and the like of the network layer; the port and flag bit information of the transport layer; and the message data of the application layer.
The intrusion detection module can perform security detection for various abnormal types according to the extracted key fields and the context information of the data packet. Exemplary abnormal types include ARP (Address Resolution Protocol) spoofing, packet fragmentation attacks, flooding attacks, and the like. After detection, it can be determined whether the data packet belongs to abnormal traffic. If the packet belongs to abnormal traffic, the processing action may be determined to be drop (XDP_DROP); if the packet belongs to normal traffic, the processing action may be determined to be forwarding (XDP_PASS).
The intrusion detection module, after obtaining the processing action, may return the processing action to the XDP program.
Step 330: and the XDP program acquires the processing action returned by the intrusion detection module and processes the data packet according to the processing action.
The XDP program obtains the processing action and processes the data packet accordingly. If the processing action is discard, the packet is discarded. If the processing action is forwarding, the data packet is submitted to the protocol stack, which passes it on to other applications of the application layer for processing.
Because the protocol stack handles every detail of the data packet, its parsing is complex, and an intrusion detection module deployed in the protocol stack needs more time to detect a packet. In this scheme the intrusion detection module is deployed in the application layer and only the key fields need to be parsed for detection, so the detection rate of the data packet is greatly improved. Compared with the related art, the data packet is detected by the application-layer intrusion detection system before it enters the protocol stack, and intrusion detection is realized with low deployment difficulty. In addition, because the intrusion detection module does not need to be customized for different systems or different kernel versions, it is more portable, and the intrusion detection function can be obtained on a target device with only simple configuration when porting.
Referring to fig. 5, a schematic flow chart of an intrusion detection method according to another embodiment of the present application, after a network data packet enters the network card, the XDP program in the network card driver submits the data packet to the intrusion detection module (intrusion process engine). The intrusion detection module determines whether the data packet is abnormal and returns the processing action corresponding to the detection result to the XDP program. The XDP program determines whether to discard the data packet according to the processing action and processes the data packet according to that determination.
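The three-step exchange above, modelled as an added example in plain C (this is not code from the patent or from its assignee): the key-field extraction an XDP program must do with explicit bounds checks, a small application-layer detection module that returns the verdict, and the hook applying it. The SYN/FIN and SYN-count checks, the threshold of 3 and the constructed test frame are assumptions of the example; the real XDP_REDIRECT to an AF_XDP socket is replaced by a direct function call so the code runs stand-alone in user space.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts with the meaning of the XDP return codes named in the text. */
enum action { ACT_PASS = 0, ACT_DROP = 1, ACT_REDIRECT = 2 };

/* Key fields of the link, network and transport layers. */
struct key_fields {
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;                       /* host byte order */
    uint8_t  proto, tcp_flags;
    uint16_t src_port, dst_port, frag_off;         /* frag_off in 8-byte units */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse Ethernet/IPv4/TCP. Every read is bounds-checked against the end of the
 * packet, as an XDP program must do to pass the kernel verifier. 0 = ok, -1 = truncated/not IPv4. */
int extract_key_fields(const uint8_t *pkt, size_t len, struct key_fields *kf)
{
    const uint8_t *end = pkt + len, *p = pkt;
    memset(kf, 0, sizeof *kf);
    if (p + 14 > end) return -1;                   /* Ethernet header */
    memcpy(kf->dst_mac, p, 6); memcpy(kf->src_mac, p + 6, 6);
    if (rd16(p + 12) != 0x0800) return -1;         /* only IPv4 handled here */
    p += 14;
    if (p + 20 > end) return -1;                   /* minimal IPv4 header */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || p + ihl > end) return -1;
    kf->proto = p[9]; kf->frag_off = rd16(p + 6) & 0x1fff;
    kf->src_ip = rd32(p + 12); kf->dst_ip = rd32(p + 16);
    p += ihl;
    if (kf->frag_off != 0) return 0;               /* later fragments carry no L4 header */
    if (kf->proto == 6) {                          /* TCP */
        if (p + 20 > end) return -1;
        kf->src_port = rd16(p); kf->dst_port = rd16(p + 2);
        kf->tcp_flags = p[13];
    }
    return 0;
}

/* Per-source context of the detection module (constructed, fixed-size); the threshold is an assumption. */
#define CTX_SLOTS 64
#define SYN_FLOOD_THRESHOLD 3
static struct { uint32_t ip; unsigned syns; } ctx[CTX_SLOTS];

static unsigned count_syn(uint32_t ip)
{
    for (size_t i = 0; i < CTX_SLOTS; i++) {
        if (ctx[i].syns && ctx[i].ip == ip) return ++ctx[i].syns;
        if (ctx[i].syns == 0) { ctx[i].ip = ip; return ctx[i].syns = 1; }
    }
    return 0;                                      /* table full: not counted */
}

/* Application-layer detection over key fields plus per-source context: SYN and FIN set
 * together, or more than SYN_FLOOD_THRESHOLD bare SYNs from one source, count as abnormal. */
enum action detect(const struct key_fields *kf)
{
    if (kf->proto == 6) {
        if ((kf->tcp_flags & 0x03) == 0x03) return ACT_DROP;
        if ((kf->tcp_flags & 0x12) == 0x02 && count_syn(kf->src_ip) > SYN_FLOOD_THRESHOLD)
            return ACT_DROP;
    }
    return ACT_PASS;
}

/* Models the hook side: in the real pipeline the frame is XDP_REDIRECTed to the
 * AF_XDP socket and the verdict comes back; here the module is a direct call. */
enum action xdp_handle(const uint8_t *pkt, size_t len)
{
    struct key_fields kf;
    if (extract_key_fields(pkt, len, &kf) != 0) return ACT_PASS; /* non-IPv4 goes to the stack */
    return detect(&kf);
}

/* Build a constructed 54-byte Ethernet/IPv4/TCP frame (checksums left zero). */
size_t build_tcp(uint8_t *buf, uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport, uint8_t flags)
{
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    memset(buf, 0, 54);
    buf[12] = 0x08;                                /* EtherType 0x0800 */
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6; /* IHL 5, length 40, TTL 64, TCP */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(sip >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dip >> (24 - 8 * i)); }
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = flags;               /* data offset 5, flags */
    return 54;
}

int main(void)
{
    uint8_t frame[64];
    size_t n = build_tcp(frame, 0x0a000001, 0x0a000002, 40000, 80, 0x03); /* SYN+FIN */
    printf("SYN+FIN verdict: %s\n", xdp_handle(frame, n) == ACT_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

The bounds checks before every header read are the part worth copying into a real XDP program: the verifier rejects any access that is not provably inside `[data, data_end)`, and the same checks are what keep the user-space parser from reading past a truncated frame delivered over the AF_XDP socket.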
In one embodiment, the XDP program includes an XDP filter program and an XDP message handler program. The XDP message processing program is used for submitting the data packets and processing the data packets.
When calling the XDP program and submitting the data packet to the intrusion detection module through the XDP program, the network card driver can call the XDP filter program and the XDP message processing program.
The XDP filter program filters the data packet according to the filtering rule to obtain the data packet to be detected. Here the filtering rule is used to select the data packets that may present a threat, and it may be a rule determined by one or more fields such as IP, MAC, protocol and port.
After the data packet to be detected has been filtered out, the XDP message processing program submits it to the intrusion detection module. Packets not selected by the filtering rule can be regarded as threat-free, and the XDP message processing program submits them to the protocol stack.
In this embodiment, the subsequent XDP message handler may receive the processing action from the intrusion detection module, and further process the data packet.
By the aid of the measures, the data packet with large threat can be subjected to targeted detection, so that the calculated amount of the intrusion detection module is reduced, and the overall detection efficiency is improved.
In an embodiment, before submitting the data packet to the intrusion detection module through the XDP program, the intrusion detection module may write an XDP message processing program on the XDP network hook, so that the data packet received by the subsequent network card driver may be submitted to the intrusion detection module through the XDP message processing program.
In an embodiment, before submitting the data packet to the intrusion detection module through the XDP program, the intrusion detection module may parse the preset filter rule file to obtain the filter rule. Wherein, the filtering rule file records at least one filtering rule configured by a user; the filtering rules are used for filtering the data packets to be detected.
The intrusion detection module may generate an XDP filter for the filter rules, the XDP filter being used to execute the filter rules. The intrusion detection module can write the XDP filter program carrying the filter rules into the XDP network hook. The processing sequence of the XDP filter program written to the XDP network hook is earlier than that of the XDP message processing program.
By the measures, the data packet to be detected can be filtered out through the XDP filter program on the XDP network hook subsequently, and therefore the calculated amount of the intrusion detection module is reduced.
In one embodiment, the XDP programs include an XDP white list program and an XDP message handling program. The XDP white list program is used for passing through a data packet of trusted flow, and the trusted flow is flow which does not need to be detected. The XDP message handler is used to submit packets and process packets.
When calling the XDP program and submitting the data packet to the intrusion detection module through the XDP program, the network card driver can call an XDP white list program and an XDP message processing program.
The XDP white list program checks whether the packet hits the white list, which records trusted traffic. It may extract information from one or more fields such as IP, MAC, protocol and port of the data packet and determine whether the extracted information hits the white list. If the packet hits the white list, the XDP white list program submits it directly to the protocol stack. If the packet misses the white list, the XDP message processing program submits it to the intrusion detection module.
Through these measures, a white list can be set so that trusted traffic passes without inspection, which reduces the calculation amount of the intrusion detection module and improves the overall processing efficiency of the data packet.
In an embodiment, before submitting the data packet to the intrusion detection module through the XDP program, the intrusion detection module may parse the preset white list file to obtain the white list. Wherein, the white list file records at least one white list configured by the user. The white list indicates trusted traffic through information in one or more fields of IP, MAC, protocol, port, etc.
The intrusion detection module may generate an XDP white list program for the white list, the XDP white list program being configured to filter out data packets of the trusted traffic. The intrusion detection module can write the XDP white list program carrying the white list into the XDP network hook. The processing sequence of the XDP white list program written into the XDP network hook is earlier than that of the XDP message processing program.
By these measures, the XDP white list program on the XDP network hook can directly pass the data packets of trusted traffic, so that the calculation amount of the intrusion detection module is reduced.
In one embodiment, the XDP programs include an XDP blacklist program and an XDP message handling program. The XDP blacklist program is used for blocking data packets of abnormal traffic. The XDP message handler is used to submit packets and process packets.
When calling the XDP program and submitting the data packet to the intrusion detection module through the XDP program, the network card driver can call the XDP blacklist program and the XDP message processing program.
The XDP blacklist program checks whether the data packet hits the blacklist, which records abnormal traffic. It may extract information from one or more fields such as IP, MAC, protocol and port of the data packet and determine whether the extracted information hits the blacklist. If the packet hits the blacklist, the XDP blacklist program discards it directly. If the packet misses the blacklist, the XDP message processing program submits it to the intrusion detection module.
Through these measures, a blacklist can be set to block abnormal traffic at the network card driver layer, so that the calculation amount of the intrusion detection module is reduced and the overall processing efficiency of the data packet is improved.
In an embodiment, before submitting the data packet to the intrusion detection module through the XDP program, the intrusion detection module may parse the preset blacklist file to obtain a blacklist. Wherein, the blacklist file records at least one blacklist configured by the user. The blacklist indicates abnormal traffic by information of one or more fields of IP, MAC, protocol, port, etc.
The intrusion detection module may generate an XDP blacklist program for the blacklist, the XDP blacklist program being used to filter out data packets of abnormal traffic. The intrusion detection module writes the XDP blacklist program carrying the blacklist into the XDP network hook. The XDP blacklist program written into the XDP network hook is processed earlier than the XDP message processing program.
By the measures, the data packets with abnormal flow can be directly discarded by an XDP blacklist program on the XDP network hook subsequently, so that the calculated amount of an intrusion detection module is reduced.
In an embodiment, the intrusion detection module may dynamically update the blacklist in the XDP blacklist program after the XDP network hook writes in the XDP blacklist program.
The intrusion detection module can determine a plurality of abnormal traffic flows from the historical detection results of a specified time period. The specified time period may be configured as needed; for example, it may be the month before the blacklist is generated. The intrusion detection module can determine frequently occurring abnormal traffic from the historical detection results, for example according to evaluation indexes such as the number of occurrences and the occurrence frequency, and generate a blacklist for the abnormal traffic thus screened out.
Furthermore, the intrusion detection module can issue the dynamically generated blacklist to the XDP blacklist program, so that the XDP blacklist program filters data packets of abnormal traffic according to the updated blacklist. The intrusion detection module can update the blacklist of the XDP blacklist program at regular intervals, so that the XDP blacklist program discards data packets of abnormal traffic according to the latest blacklist.
In an embodiment, the XDP program may include an XDP message processing program together with one or more of an XDP white list program, an XDP blacklist program and an XDP filter program, so that before the data packet is submitted to the intrusion detection module, the data packets to be detected are screened out more finely, the calculation amount of the intrusion detection module is reduced, and the overall working efficiency of the electronic device is improved.
Deployment of the scheme is simple: XDP is enabled on the network card with the ip link command on the electronic device, and the intrusion detection module is deployed in the application layer. The intrusion detection module is started from the command line, specifying the storage paths of the preset filtering rule file, the preset white list file and the preset blacklist file. The intrusion detection module reads the corresponding files, parses them, generates the XDP programs and writes them into the XDP network hook, and subsequently receives the data packets submitted by the XDP program for detection.
The method and device are also highly flexible: since the intrusion detection module is deployed in the application layer, rule updates, software updates and the like only require replacing the corresponding files or installing a new version of the application program, with no need to modify and recompile kernel code.
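The list programs of the preceding embodiments and the dynamic blacklist update, as one added example in plain C (this is not the patent's code): rules over source IP, protocol and destination port with zero as a wildcard, a dispatcher that runs the blacklist, white list and filter rules before the message handler, and a routine that rebuilds the blacklist from a window of historical detection results by occurrence count. Fixed-size arrays stand in for BPF maps; the zero-wildcard convention, the blacklist-before-whitelist order, the time window and the hit threshold are all assumptions of the example, and the preset lists and history records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum action { ACT_PASS = 0, ACT_DROP = 1, ACT_REDIRECT = 2 };

/* Fields the lists match on; MAC is left out to keep the example short. */
struct flow { uint32_t src_ip; uint8_t proto; uint16_t dst_port; };

/* One list entry. A zero field is a wildcard (an assumption of this example). */
struct rule { uint32_t src_ip; uint8_t proto; uint16_t dst_port; };

static int rule_match(const struct rule *r, const struct flow *f)
{
    return (r->src_ip == 0 || r->src_ip == f->src_ip)
        && (r->proto == 0 || r->proto == f->proto)
        && (r->dst_port == 0 || r->dst_port == f->dst_port);
}

static int list_hit(const struct rule *list, size_t n, const struct flow *f)
{
    for (size_t i = 0; i < n; i++)
        if (rule_match(&list[i], f)) return 1;
    return 0;
}

/* The three lists as the XDP hook would hold them, loaded from the preset
 * files by the detection module. Fixed-size arrays stand in for BPF maps. */
#define MAX_RULES 16
static struct rule blacklist[MAX_RULES], whitelist[MAX_RULES], filter[MAX_RULES];
static size_t n_black, n_white, n_filter;

/* Combined hook: blacklist, then white list, then filter rules, then the message
 * handler. The text only fixes that each list runs before the message handler;
 * blacklist-before-whitelist is this example's choice. */
enum action xdp_dispatch(const struct flow *f)
{
    if (list_hit(blacklist, n_black, f)) return ACT_DROP;      /* XDP_DROP at the driver */
    if (list_hit(whitelist, n_white, f)) return ACT_PASS;      /* trusted: straight to the stack */
    if (list_hit(filter, n_filter, f))   return ACT_REDIRECT;  /* to the detection module */
    return ACT_PASS;                 /* not selected for detection: treated as threat-free */
}

/* One historical detection result recorded by the detection module. */
struct detection { uint32_t ts; uint32_t src_ip; int abnormal; };

/* Rebuild the blacklist from results within [now - window, now]: a source flagged
 * abnormal at least min_hits times in that period is listed with wildcard protocol
 * and port. Returns the new blacklist size. Window and threshold are assumptions. */
size_t regenerate_blacklist(const struct detection *hist, size_t n,
                            uint32_t now, uint32_t window, unsigned min_hits)
{
    uint32_t ips[MAX_RULES]; unsigned hits[MAX_RULES]; size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!hist[i].abnormal || hist[i].ts > now || now - hist[i].ts > window) continue;
        size_t j = 0;
        while (j < k && ips[j] != hist[i].src_ip) j++;
        if (j == k) { if (k == MAX_RULES) continue; ips[k] = hist[i].src_ip; hits[k++] = 0; }
        hits[j]++;
    }
    n_black = 0;
    for (size_t j = 0; j < k; j++)
        if (hits[j] >= min_hits) blacklist[n_black++] = (struct rule){ ips[j], 0, 0 };
    return n_black;
}

/* Constructed preset lists: trust 10.0.0.5 entirely; send TCP/22 and TCP/80 to detection. */
void load_example_lists(void)
{
    whitelist[0] = (struct rule){ 0x0a000005, 0, 0 };  n_white = 1;
    filter[0]    = (struct rule){ 0, 6, 22 };
    filter[1]    = (struct rule){ 0, 6, 80 };          n_filter = 2;
    n_black = 0;
}

int main(void)
{
    load_example_lists();
    struct detection hist[] = {                /* constructed history, ts in seconds */
        {100, 0xc0000207, 1}, {110, 0xc0000207, 1}, {120, 0xc0000207, 0},
        {125, 0xc0000207, 1}, {130, 0xc0000208, 1}, {10, 0xc0000209, 1} };
    size_t listed = regenerate_blacklist(hist, 6, 150, 100, 2);
    struct flow f = { 0xc0000207, 6, 22 };
    printf("%zu source(s) blacklisted; 192.0.2.7 -> %s\n", listed,
           xdp_dispatch(&f) == ACT_DROP ? "XDP_DROP" : "other");
    return 0;
}
```

In a real deployment `regenerate_blacklist` would run in the application-layer module on a timer and push its result into the BPF map the XDP blacklist program reads, which is the "issue the generated blacklist" step; the ordering in `xdp_dispatch` is what makes a listed source cost nothing beyond the driver-level lookup.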

Claims (10)

1. An intrusion detection method, comprising:
the network card driver receives the data packet, calls an XDP program on an XDP network hook, and submits the data packet to an intrusion detection module through the XDP program;
the intrusion detection module detects the data packet to obtain a processing action corresponding to a detection result;
and the XDP program acquires the processing action returned by the intrusion detection module and processes the data packet according to the processing action.
2. The method according to claim 1, wherein the XDP program comprises an XDP filter program and an XDP message processing program, the XDP filter program being used for filtering out data packets to be detected, and the XDP message processing program being used for submitting and processing data packets;
wherein calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling the XDP filter program on the XDP network hook, and filtering the data packet through the XDP filter program to obtain a data packet to be detected;
calling the XDP message processing program on the XDP network hook, and submitting the data packet to be detected to the intrusion detection module through the XDP message processing program.
3. The method according to claim 2, wherein before the XDP program on the XDP network hook is called to submit the data packet to the intrusion detection module through the XDP program, the method further comprises:
the intrusion detection module parses a preset filtering rule file to obtain a filtering rule, the filtering rule being used for filtering out data packets to be detected;
and the intrusion detection module generates the XDP filter program for the filtering rule and writes the XDP filter program carrying the filtering rule into the XDP network hook.
4. The method according to claim 1, wherein the XDP program comprises an XDP whitelist program and an XDP message processing program, the XDP whitelist program being used for passing data packets of trusted traffic, and the XDP message processing program being used for submitting and processing data packets;
wherein calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling the XDP whitelist program on the XDP network hook, checking for data packets hitting the whitelist through the XDP whitelist program, and submitting the data packets hitting the whitelist to the protocol stack;
calling the XDP message processing program on the XDP network hook, and submitting the data packets that do not hit the whitelist to the intrusion detection module through the XDP message processing program.
5. The method according to claim 4, wherein before the XDP program on the XDP network hook is called to submit the data packet to the intrusion detection module through the XDP program, the method further comprises:
the intrusion detection module parses a preset whitelist file to obtain a whitelist;
and the intrusion detection module generates the XDP whitelist program for the whitelist and writes the XDP whitelist program carrying the whitelist into the XDP network hook.
6. The method according to claim 1, wherein the XDP program comprises an XDP blacklist program and an XDP message processing program, the XDP blacklist program being used for blocking data packets of abnormal traffic, and the XDP message processing program being used for submitting and processing data packets;
wherein calling the XDP program on the XDP network hook and submitting the data packet to the intrusion detection module through the XDP program comprises the following steps:
calling the XDP blacklist program on the XDP network hook, checking for data packets hitting the blacklist through the XDP blacklist program, and discarding the data packets hitting the blacklist;
calling the XDP message processing program on the XDP network hook, and submitting the data packets that do not hit the blacklist to the intrusion detection module through the XDP message processing program.
7. The method according to claim 6, wherein before the XDP program on the XDP network hook is called to submit the data packet to the intrusion detection module through the XDP program, the method further comprises:
the intrusion detection module parses a preset blacklist file to obtain a blacklist;
and the intrusion detection module generates the XDP blacklist program for the blacklist and writes the XDP blacklist program carrying the blacklist into the XDP network hook.
8. The method according to claim 7, wherein after the XDP blacklist program carrying the blacklist is written into the XDP network hook, the method further comprises:
the intrusion detection module determines a plurality of abnormal traffic items according to the historical detection results of a specified time period and generates a blacklist for the plurality of abnormal traffic items;
and the intrusion detection module issues the generated blacklist to the XDP blacklist program.
9. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the intrusion detection method of any one of claims 1-8.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program executable by a processor to perform the intrusion detection method according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211216784.2A CN115603985A (en) 2022-09-30 2022-09-30 Intrusion detection method, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN115603985A true CN115603985A (en) 2023-01-13

Family

ID=84844477

Country Status (1)

Country Link
CN (1) CN115603985A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115883255A (en) * 2023-02-02 2023-03-31 CITIC Securities Co., Ltd. Data filtering method, device and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination