Summary of the invention
In view of this, the invention provides an intrusion detection method in which the intrusion detection system is embedded in the system kernel, so that the overhead of intrusion detection is minimized and the packet-capturing process, with its frequent context switches and CPU data copies, is no longer needed.
The present invention is an intrusion detection method in which packets sent by an external network are passed by the network interface card driver to the protocol stack at the kernel layer and from there to the application layer, and in which an intrusion detection system inspects the packets transmitted by the external network. The method is characterised in that, when the network interface card driver uploads a received packet to the protocol stack, the packet currently being uploaded is first subjected to intrusion detection by the intrusion detection system embedded in the system kernel layer, and only then is the inspected packet delivered to the protocol stack.
The method further comprises: the intrusion detection system judges, according to predefined detection rules, whether the currently inspected packet is an intrusion packet; if so, the packet is discarded directly and the current intrusion detection flow exits; otherwise, the inspected packet is uploaded to the protocol stack.
The method further comprises: hook code is set in advance in the packet processing function that the network interface card driver calls when uploading packets to the protocol stack.
The method further comprises: when the network interface card driver uploads a packet, it executes the hook code in the packet processing function it calls; through the pointer function set in the hook code that points to the intrusion detection system, control enters the intrusion detection system, which inspects the packet currently being uploaded.
From the above method it can be seen that the intrusion detection system of the present invention is embedded in the system kernel and does not rely on a packet capture software package to obtain packets. It therefore need not copy packets to the application layer and need not perform frequent context switches, which reduces CPU overhead, saves memory access bandwidth, and improves detection efficiency and performance. On the other hand, because the intrusion detection system is embedded in the system kernel rather than located outside the kernel layer, it is safer than one running in the application layer. In addition, because every packet entering the protocol stack must first pass the inspection of the intrusion detection system, only packets that do not constitute an intrusion can be delivered to the protocol stack; if the intrusion detection system judges that a packet constitutes an intrusion, the packet is discarded before it is delivered to the protocol stack. Applications above the protocol stack are thus unaffected, and complete intrusion prevention is achieved, which is particularly applicable to protecting Web servers.
Embodiment
Fig. 1 is a schematic diagram of the intrusion detection system combined with the system kernel. As shown in Fig. 1, the present invention embeds the intrusion detection system in the system kernel. For example, on a Linux system the intrusion detection system can be implemented as a Linux loadable kernel module (LKM) and embedded in the system kernel with the insmod tool provided by Linux. At the same time, the intrusion detection system is mounted between the data link layer and the network layer, that is, between the NIC driver and the protocol stack, so that when the network interface card driver uploads a packet, the packet is first delivered to the intrusion detection system and is forwarded to the protocol stack only after inspection. In addition, the intrusion detection system also comprises a management module, used to control intrusion detection and its related functions and to complete the relevant data configuration; because the management module does not itself inspect packets, it can be implemented in the application layer.
The intrusion detection system is mounted between the NIC driver and the protocol stack as follows: at the point where the network interface card driver submits a packet and prepares to upload it to the protocol stack, a hook is inserted into the packet processing function it calls, such as the net_bh function, and the intrusion detection system is attached to this hook. The hook directs the system to execute the function specified by the hook, after which the system continues its original processing. In this example, the hook code comprises a pointer function that points to the intrusion detection system, so that a packet passed to the protocol stack can first be inspected by the intrusion detection system according to this pointer in the hook code.
The intrusion detection implementation method of the present invention is further described below, with reference to Fig. 1, taking as an example the process in which the protected host receives an external network packet and uploads it to the protocol stack.
Step 1: the network interface card receives a packet sent by the external network; the received packet is submitted upward by the NIC driver, which calls the net_bh function to prepare to upload the packet to the protocol stack.
Step 2: when the net_bh function executes, the hook in it is triggered. Because the hook code has been added to the net_bh function, execution of this hook is necessarily triggered during the upload of every packet to the protocol stack.
First, whether the intrusion detection system is enabled is judged from the value of the pointer function in the hook code that points to the intrusion detection system. If the pointer function value indicates that it is not enabled, this flow exits, the original net_bh code following the hook code continues to execute, and the packet is uploaded to the protocol stack. If the pointer function value indicates that the intrusion detection system has been enabled, the intrusion detection system inspects the packet according to the detection rules; the detection process itself is the same as in the prior art. It can be seen from the above that any packet uploaded by the network interface card to the protocol stack must first pass through the intrusion detection process.
Step 3: if the intrusion prevention function has been started by the management module of the intrusion detection system, the intrusion detection system discards a packet once it detects that the packet is suspicious, and the packet is no longer uploaded.
Intrusion prevention here means the following: in the intrusion detection system, its management module can be used to set whether intrusion packets are to be prevented. According to the value of this setting, the intrusion detection system, after inspecting a packet, returns a value to the hook code according to its detection result, and this return value indicates the next processing step for the packet. For example:
If intrusion packets are not prevented, that is, packets are only subjected to intrusion detection, then after the intrusion detection system has inspected the packet it returns the execution code 0; after the hook code inserted in the net_bh function receives 0, it continues to execute the original net_bh code following the hook code, and the packet continues to be uploaded to the protocol stack.
If intrusion packets are prevented, then after the intrusion detection system detects a suspicious packet it discards the packet directly and returns the exit code -1 to the hook code. When the hook code inserted in the net_bh function receives -1, it exits directly, ends the processing flow for this packet, and terminates the upload of this packet. Suspicious packets are therefore blocked and discarded at the data link layer and cannot be uploaded to the protocol stack, which guarantees the safety of the protected equipment. If after inspection the packet is considered legitimate, the execution code 0 is returned and the packet continues to be uploaded to the protocol stack.
Step 4: after the intrusion detection system has finished processing the packet, it records the outcome and responds according to a predefined response policy.
Outcome recording comprises writing a log or sending the detection result to a database for recording; the log can be written by calling the kernel function that implements the syslog facility, or with the printk instruction.
Here, a response policy means a pre-set action to be performed when a suspicious packet is detected. If, for example, the response policy is to raise an alarm when a suspicious packet is detected, then when the intrusion detection system detects a suspicious packet the event is sent to the console as an alarm: it can be sent through a Unix domain socket to the local alarm agent, which then forwards the alarm to the console.
The method of the present invention is implemented on Linux as follows, by way of example: by patching the Linux kernel, hook code (a hook) is set at the place in the system kernel where the network interface card driver submits packets to the protocol stack, that is, the hook code is added to the net_bh function, and the kernel is recompiled. The intrusion detection system is then inserted into the kernel with the insmod command and is attached to the hook through the pointer function in the hook code. Next, the management module of the intrusion detection system is used to import the intrusion detection rule file into the system kernel. Afterwards, the intrusion detection system is started, the management module is used to bring the hook into effect, and intrusion detection can be carried out. If the intrusion detection rule file of the intrusion detection system needs to be upgraded, the hook is first disabled, the new rules are imported, and then the hook is brought into effect again.
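The flow of Steps 1 to 4 and the Linux attachment procedure above, modelled as an added user-space C example (not the patent's kernel code): the net_bh function, the pointer function used as the hook, and the return codes 0 and -1 follow the text; the rule signature, the prevent switch and the helper functions are constructed for illustration.

```c
/* User-space model of the hook in net_bh. Not kernel code: the pointer
 * function and the 0 / -1 return codes follow the text above; the rule,
 * the prevent switch and all helpers are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct packet { const unsigned char *data; size_t len; };

/* Pointer function in the hook code: NULL means the IDS is not enabled. */
static int (*ids_hook)(const struct packet *) = NULL;

/* Constructed state that the management module would configure. */
static const char *rule_signature = "ATTACK";   /* one detection rule */
static int prevent_enabled = 1;                 /* intrusion prevention on/off */
static int alerts = 0;                          /* outcome record counter */

static int contains(const struct packet *p, const char *sig) {
    size_t n = strlen(sig);
    for (size_t i = 0; n && i + n <= p->len; i++)
        if (memcmp(p->data + i, sig, n) == 0) return 1;
    return 0;
}

/* Intrusion detection: returns 0 (continue upload) or -1 (drop packet). */
static int ids_detect(const struct packet *p) {
    if (!contains(p, rule_signature)) return 0;
    alerts++;                                   /* kernel would printk/syslog here */
    printf("alert: suspicious packet, %zu bytes\n", p->len);
    return prevent_enabled ? -1 : 0;
}

/* Model of net_bh with the hook inserted: 1 = delivered to stack, 0 = dropped. */
int net_bh(const struct packet *p) {
    if (ids_hook != NULL && ids_hook(p) == -1)
        return 0;                               /* exit code -1 ends the upload */
    return 1;                                   /* original net_bh code continues */
}

/* Upload a packet built from a constructed payload string. */
int upload(const char *payload) {
    struct packet p = { (const unsigned char *)payload, strlen(payload) };
    return net_bh(&p);
}

/* Management module actions: attach (insmod) or detach the IDS from the hook. */
void ids_enable(int prevent) { prevent_enabled = prevent; ids_hook = ids_detect; }
void ids_disable(void) { ids_hook = NULL; }
int ids_alert_count(void) { return alerts; }
```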
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.