CN1581768A - Invasion detecting method - Google Patents

Invasion detecting method

Info

Publication number
CN1581768A
Authority
CN
China
Prior art keywords
packet
protocol stack
detection system
data packet
intruding detection
Prior art date
Legal status
Pending
Application number
CN 03149743
Other languages
Chinese (zh)
Inventor
杨燚
李俊
郑理
Current Assignee
Lenovo Wangyu Technology Beijing Co Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date
2003-08-04
Filing date
2003-08-04
Publication date
2005-02-16

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A data packet from the external network is passed by the network card driver to the protocol stack in the kernel layer and then up to the application layer. In this method, hook code pointing to the intrusion detection system (IDS) is set up in advance in the packet-handling function that the network card driver calls to pass packets to the protocol stack. While a packet is being passed to the protocol stack, the IDS embedded in the system kernel layer inspects it to determine whether it is an intrusion packet. If it is, the packet is discarded or passed on to the upper-layer protocol stack according to a preset setting; otherwise the inspected packet is passed up to the protocol stack. Advantages: reduced CPU overhead for intrusion detection, and no need for a packet-capture process with frequent context switches and data copying.

Description

An intrusion detection method
Technical field
The present invention relates to the field of computer network security technology, and in particular to an intrusion detection method.
Background
At present, most intrusion detection systems (IDS) used in the field of computer network security are implemented in the application layer of the computer system: the IDS runs as a program in the application layer. When performing intrusion detection, the IDS uses a built-in packet-capture library to copy packets by bypass monitoring: it duplicates the packets that the network card driver passes from the external network to the protocol stack, and the IDS then inspects each obtained packet against preset detection rules. For example, the packet is checked against a pre-written rule set; if it matches a rule, it is an intrusion. After an intrusion packet is detected, a response is made according to the configured response policy, such as logging or raising an alarm.
Because the IDS runs in user space, it must use the packet-capture library to obtain each packet from the system kernel layer. For every captured packet, the packet-capture library must enter the kernel layer, copy the packet that the network card driver is passing to the protocol stack, and return to the application layer, where the IDS inspects the copy. This frequent context switching between the kernel layer and the application layer, together with the data copying, adds considerable CPU overhead and degrades the performance of the IDS. From another point of view, an IDS running as an application program may itself be attacked, so the IDS that is meant to guard against intrusion is itself not very secure.
Summary of the invention
In view of this, the invention provides an intrusion detection method in which the IDS is embedded in the system kernel, so that the overhead of intrusion detection is reduced and no packet-capture process with frequent context switches and data copying is needed.
The present invention is an intrusion detection method in which a packet sent by the external network is passed by the network card driver up to the protocol stack of the kernel layer and then delivered to the application layer, and an IDS inspects the packets transmitted by the external network. The method is characterized in that, when the network card driver passes a received packet up to the protocol stack, the IDS embedded in the system kernel layer first performs intrusion detection on the packet currently being passed up, and only then is the inspected packet sent to the protocol stack.
The method further comprises: the IDS judges, according to predefined detection rules, whether the currently inspected packet is an intrusion packet; if so, the packet is discarded directly and the current intrusion detection flow exits; otherwise the inspected packet is passed up to the protocol stack.
The method further comprises: hook code is set up in advance in the packet-processing function that the network card driver calls when passing packets up to the protocol stack.
The method further comprises: when the network card driver passes a packet up, the hook code in the packet-processing function it calls is executed, the IDS is entered through the function pointer to the IDS that is set in the hook code, and the packet currently being passed up is inspected.
As can be seen from the above, the IDS of the present invention is embedded in the system kernel and does not rely on a packet-capture library to obtain packets. It therefore does not need to copy packets to the application layer or switch context frequently, which reduces CPU overhead, saves memory access bandwidth, and improves detection efficiency and performance. On the other hand, the IDS is embedded in the system kernel rather than located outside the kernel layer, and is therefore safer than one running in the application layer. In addition, because every packet entering the protocol stack must first pass inspection by the IDS, only packets that do not constitute an intrusion are sent to the protocol stack; if the IDS determines that a packet constitutes an intrusion, the packet is discarded before it is sent to the protocol stack, so applications above the protocol stack are unaffected and complete intrusion prevention is achieved, which is particularly applicable to protecting Web servers.
Description of drawings
Fig. 1 is a schematic diagram of the IDS combined with the system kernel.
Embodiment
Fig. 1 is a schematic diagram of the IDS combined with the system kernel. As shown in Fig. 1, the present invention embeds the IDS in the system kernel; for example, on a Linux system the IDS can be implemented as a Linux loadable kernel module (LKM) and inserted into the kernel with the insmod tool provided by Linux. At the same time, the IDS is attached between the data link layer and the network layer, that is, between the network card driver and the protocol stack. When the network card driver passes a packet up, the packet is first sent to the IDS and only after inspection is it forwarded to the protocol stack. In addition, the IDS includes a management module used to control intrusion detection and its related functions and to carry out the relevant data configuration; because the management module does not itself inspect packets, it can be implemented in the application layer.
The IDS is attached between the network card driver and the protocol stack as follows: at the point where the network card driver submits a packet and prepares to pass it up to the protocol stack, a hook is inserted into the packet-processing function it calls, such as the net_bh function, and the IDS is attached to this hook. The hook directs the system to execute the function specified by the hook, and after that function finishes the system continues its original processing. In this example, the hook code contains a function pointer that points to the IDS, so a packet being passed to the protocol stack is first inspected by the IDS through this pointer in the hook code.
The intrusion detection implementation of the present invention is further described below, with reference to Fig. 1, taking as an example the process in which the protected host receives an external network packet and passes it up to the protocol stack.
Step 1: the network card receives a packet sent by the external network; the network card driver submits the received packet upward and calls the net_bh function, preparing to pass the packet up to the protocol stack.
Step 2: when the net_bh function executes, the hook in net_bh is triggered. Because the hook code is added inside the net_bh function, the hook is necessarily executed each time a packet is passed up to the protocol stack.
First, the value of the function pointer to the IDS in the hook code is checked to decide whether the IDS is enabled. If the pointer value indicates that it is not, the flow exits, execution continues with the original net_bh code after the hook code, and the packet is passed up to the protocol stack. If the pointer value indicates that the IDS is enabled, the IDS inspects the packet according to the detection rules; the detection process itself is the same as in the prior art. It can be seen that any packet passed by the network card up to the protocol stack must first go through the intrusion detection process.
Step 3: if the intrusion prevention function has been enabled through the management module of the IDS, the IDS discards a packet after detecting it as suspicious and does not pass it up further.
Intrusion prevention here means the following: whether intrusion packets are to be prevented can be set through the management module of the IDS. According to this setting, after the IDS inspects a packet it returns a value to the hook code based on its detection result, and this return value indicates the next processing step for the packet. Examples:
If intrusion packets are not to be prevented, that is, packets are only subjected to intrusion detection, then after the IDS has inspected the packet it returns the execution code 0. When the hook code inserted in net_bh receives 0, execution continues with the original net_bh code after the hook code, and the packet continues up to the protocol stack.
If intrusion packets are to be prevented, then after the IDS detects a suspicious packet it discards the packet directly and returns the exit code -1 to the hook code. When the hook code inserted in net_bh receives -1, it exits directly and ends the processing flow for this packet, terminating the packet's upward delivery. Thus a suspicious packet is blocked and discarded at the data link layer and never reaches the protocol stack, which guarantees the security of the protected device. If the packet is judged legitimate after inspection, the execution code 0 is returned and the packet continues up to the protocol stack.
Step 4: after the IDS has finished processing the packet, it records the result and responds according to the predefined response policy.
Result recording includes writing a log or sending the detection result to a database; logging can be implemented by calling the kernel function that implements the syslog facility, or with the printk instruction.
Here, the response policy refers to the action, set in advance, to be carried out when a suspicious packet is detected. For example, if the response policy is to raise an alarm when a suspicious packet is detected, then when the IDS detects a suspicious packet it sends the event to the console as an alarm; this can be done by sending it over a Unix domain socket to the alarm agent on the local machine, which then forwards the alarm to the console.
An example of implementing the present invention on Linux is as follows: by patching the Linux kernel, hook code (a hook) is placed at the point in the system kernel where the network card driver submits packets to the protocol stack, that is, the hook code is added to the net_bh function, and the kernel is recompiled. The IDS is then inserted into the kernel with the insmod command and attached to the hook through the hook code's function pointer. Next, the IDS management module is used to import the intrusion detection rule file into the system kernel. Afterwards the IDS is started and the management module is used to activate the hook, after which intrusion detection can be performed. If the IDS's intrusion detection rule file needs to be upgraded, the hook is first deactivated, the new rules are imported, and the hook is activated again.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
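The hook-and-return-code flow of Steps 2 to 4 and the management-module controls of the Linux example, modelled as an added user-space C example (not the patent's kernel code): a function pointer that is NULL when the IDS is not attached, an IDS entry point that returns 0 to continue or -1 to drop, and a prevention flag that decides between detect-only and drop. The names ids_hook, ids_detect, net_bh_hook, the sample rule and the test packets are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the net_bh hook described above, not the
 * patent's kernel code. The names ids_hook, ids_detect, net_bh_hook and the
 * sample rule are assumptions chosen for this example. */

struct packet { const unsigned char *data; size_t len; };

/* Values the IDS returns to the hook, as the text describes them:
 * 0 = continue the original net_bh code, -1 = end processing and drop. */
enum { IDS_CONTINUE = 0, IDS_DROP = -1 };

/* A detection rule here is simply a byte pattern searched for in the packet. */
struct rule { const char *name; const unsigned char *pattern; size_t plen; };

/* Constructed sample rule set, standing in for the imported rule file. */
static const unsigned char pat_marker[] = "BADPAYLOAD";
static const struct rule rules[] = {
    { "constructed-marker", pat_marker, sizeof(pat_marker) - 1 },
};

/* State the management module controls. A NULL hook pointer means the IDS
 * is not enabled, so the hook falls through to the original net_bh code. */
static int prevention_enabled = 0;
static int (*ids_hook)(const struct packet *) = NULL;
static int alert_count = 0;   /* stands in for the printk/syslog outcome record */

/* Rule matching: naive byte-pattern search over the whole packet. */
static const struct rule *match_rules(const struct packet *p)
{
    size_t r, i;
    for (r = 0; r < sizeof(rules) / sizeof(rules[0]); r++) {
        const struct rule *rl = &rules[r];
        if (rl->plen == 0 || p->len < rl->plen)
            continue;
        for (i = 0; i + rl->plen <= p->len; i++)
            if (memcmp(p->data + i, rl->pattern, rl->plen) == 0)
                return rl;
    }
    return NULL;
}

/* IDS entry point reached through the hook's function pointer. */
static int ids_detect(const struct packet *p)
{
    if (match_rules(p) == NULL)
        return IDS_CONTINUE;                /* legitimate: pass up to the stack */
    alert_count++;                          /* record result, apply response policy */
    return prevention_enabled ? IDS_DROP : IDS_CONTINUE;  /* detect-only keeps 0 */
}

/* Model of the hook inserted into net_bh. Returns 1 if the packet continued
 * to the protocol stack, 0 if the hook received -1 and dropped it. */
int net_bh_hook(const struct packet *p)
{
    if (ids_hook != NULL && ids_hook(p) == IDS_DROP)
        return 0;
    return 1;                               /* original net_bh code continues */
}

/* Management module operations: attach or detach the IDS, set prevention. */
void ids_enable(int prevent) { prevention_enabled = prevent; ids_hook = ids_detect; }
void ids_disable(void) { ids_hook = NULL; }
int ids_alert_count(void) { return alert_count; }
```

With the hook detached every packet passes untouched; attached in detect-only mode a matching packet is recorded but still passes; with prevention on it is dropped before the stack sees it.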

Claims (4)

1. An intrusion detection method, in which a packet sent by the external network is passed by the network card driver up to the protocol stack of the kernel layer and then delivered to the application layer, characterized in that the method comprises: when the network card driver passes a received packet up to the protocol stack, the intrusion detection system embedded in the system kernel layer first performs intrusion detection on the packet currently being passed up, and only then is the inspected packet sent to the protocol stack.
2. The method according to claim 1, characterized in that the method further comprises: the intrusion detection system judges, according to predefined detection rules, whether the currently inspected packet is an intrusion packet; if so, the packet is discarded directly and the current intrusion detection flow exits; otherwise the inspected packet is passed up to the protocol stack.
3. The method according to claim 1, characterized in that the method further comprises: hook code is set up in advance in the packet-processing function that the network card driver calls when passing packets up to the protocol stack.
4. The method according to claim 3, characterized in that the method further comprises: when the network card driver passes a packet up, the hook code in the packet-processing function it calls is executed, the intrusion detection system is entered through the function pointer to the intrusion detection system set in the hook code, and the packet currently being passed up is inspected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03149743 CN1581768A (en) 2003-08-04 2003-08-04 Invasion detecting method

Publications (1)

Publication Number Publication Date
CN1581768A true CN1581768A (en) 2005-02-16

Family

ID=34579651

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03149743 Pending CN1581768A (en) 2003-08-04 2003-08-04 Invasion detecting method

Country Status (1)

Country Link
CN (1) CN1581768A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282244B (en) * 2008-05-09 2010-12-01 浙江大学 Method for detecting instruction based on SPM
CN101335752B (en) * 2008-06-03 2011-07-27 电子科技大学 Network intrusion detection method based on frequent fragment rule
CN101442518B (en) * 2007-11-22 2011-12-28 北京启明星辰信息技术股份有限公司 Protocol analysis method and system for abnormal detection
CN102968578A (en) * 2012-10-30 2013-03-13 山东中创软件商用中间件股份有限公司 Injection prevention method and system
CN101060411B (en) * 2007-05-23 2013-04-03 西安交大捷普网络科技有限公司 A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system
CN105119912A (en) * 2015-08-06 2015-12-02 上海斐讯数据通信技术有限公司 Port anti-scanning method, system and electronic device
CN109672681A (en) * 2018-12-25 2019-04-23 上海点融信息科技有限责任公司 Intrusion detection method and invasion detecting device
CN114900347A (en) * 2022-04-28 2022-08-12 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method

Similar Documents

Publication Publication Date Title
CN108848067B (en) OPC protocol safety protection method for intelligently learning and presetting read-only white list rule
US7752662B2 (en) Method and apparatus for high-speed detection and blocking of zero day worm attacks
EP1654608B1 (en) Method and system for detecting unauthorised use of a communication network
US7334264B2 (en) Computer virus generation detection apparatus and method
KR20040101490A (en) Detecting and countering malicious code in enterprise networks
DE10249888A1 (en) Node, method and computer readable medium for introducing a burglary prevention system into a network stack
CN103065092A (en) Method for intercepting operating of suspicious programs
CN103034807A (en) Method and device for detecting malicious program
CN1581768A (en) Invasion detecting method
CN111212035A (en) Host computer defect confirming and automatic repairing method and system based on same
CN115840938A (en) File monitoring method and device
CN101587521A (en) Method and device for acquiring remote computer information
CN1175351C (en) Automatic SOLARIS process protecting system
JP2006268687A (en) Computer virus monitoring program and computer terminal employing the same
CN117040931A (en) Network attack detection method and system with low false alarm rate and related equipment
CN115086081B (en) Escape prevention method and system for honeypots
WO2019240054A1 (en) Communication device, packet processing method, and program
CN1574729A (en) Intrusion detection method and system
CN112887303B (en) Series threat access control system and method
KR100503772B1 (en) A monitoring system and method of auditing performanced work connected to database server by utility method
KR102182397B1 (en) Web Service Protection and Automatic Recovery Method and System Thereof
Carbone et al. A mechanism for automatic digital evidence collection on high-interaction honeypots
Kim et al. Design and implementation of the honeypot system with focusing on the session redirection
KR100398044B1 (en) Method for detecting a malicious java applet in a proxy server
CN112214757B (en) Terminal registry security protection method and system based on windows driving technology

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
ASS Succession or assignment of patent right

Owner name: LEGEND WANGYU TECHNOLOGY (BEIJING) LTD.

Free format text: FORMER OWNER: LIANXIANG (BEIJING) CO. LTD.

Effective date: 20050311

C10 Entry into substantive examination
C41 Transfer of patent application or patent right or utility model
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20050311

Address after: 100086 Beijing City, Haidian District Zhongguancun South Street No. 6 in the information building 801810 room

Applicant after: Lenovo Leadsec (Beijing) Co., Ltd

Address before: 100086 Beijing City, Haidian District Zhongguancun South Street No. 6 in the information building 801810 room

Applicant before: Lenovo (Beijing) Co., Ltd.

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication