
CN102594620A - Linkable distributed network intrusion detection method based on behavior description - Google Patents


Info

Publication number: CN102594620A
Authority: CN (China)
Prior art keywords: data, behavior, network, detection, rule
Legal status: Granted
Application number: CN2012100391612A
Other languages: Chinese (zh)
Other versions: CN102594620B (en)
Inventors: 王汝传, 李伟, 李鹏, 张伟, 孙力娟, 黄海平, 肖甫
Current Assignee: Nanjing University of Posts and Telecommunications
Original Assignee: Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University
Priority to CN201210039161.2A
Publication of CN102594620A
Application granted
Publication of CN102594620B
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a linkable distributed network intrusion detection method based on behavior description. By applying network behavior description and feature extraction in a distributed detection system, and by linking that system with a firewall, it detects abnormal traffic in the network in real time and responds promptly. The method comprises (a) the operation process of a detection unit and (b) the operation process of the master control platform. Applying a detection strategy based on behavior description on the distributed detection units organizes them into an efficient organic whole, avoiding the low efficiency and dispersion of existing system designs. The aim is to overcome the inefficiency of abnormal traffic detection on large networks in practical use and to improve the overall detection ability and protective effect of the detection system for the network.

Description

A linkable distributed network intrusion detection method based on behavior description
Technical field
The present invention proposes a linkable distributed network intrusion detection scheme based on behavior description. Network behavior is described and abstracted into features, the scheme is applied on a distributed detection system linked with a firewall, and abnormal traffic in the network is detected in real time and responded to promptly. The invention belongs to the field of computer security technology.
Background technology
With the continuous increase in the variety of network applications and the growth of network scale, network security problems have become increasingly prominent and have attracted great attention. The main threats networks currently face are denial-of-service attacks, network intrusions and malicious code. To counter these threats effectively, a network needs real-time detection and protective measures that keep security problems within a certain scope and minimize losses of money and interests. Existing network detection and protection schemes mainly consist of deploying firewalls and intrusion detection systems.
A firewall is a system used to control communication between networks. It is deployed where the internal network connects to external networks and, like a filter, processes the network data or connections passing through it according to a given security policy: illegal data and connections are intercepted outside the network, giving the internal network the greatest possible protection. Firewall functions include filtering malicious traffic, enforcing network security policy, and auditing network access. A firewall is one technical means of protection and cannot solve every security problem; for instance, it cannot stop attacks carefully crafted to conform to the firewall's security policy, so it needs to be used together with other security techniques.
Intrusion detection works by collecting data from the current network and system, monitoring the operation of the network and system according to a certain strategy or model, finding as far as possible attack attempts, attacks and violations of the security policy, and reporting them to the administrator or management station, in order to guarantee the confidentiality, integrity and availability of network system resources. Intrusion detection systems are usually divided into three classes: network-based, host-based and distributed. A network-based intrusion detection system is generally deployed at a chokepoint of the network so that it can monitor the whole network, or more precisely all of the network's traffic. A host-based intrusion detection system can only monitor the operating system and applications on the machine where it resides.
The deployment positions of network intrusion detection and host intrusion detection give them inherent limitations. When the network is large and the number of hosts high, an isolated detection unit faced with massive data, many attack types and dispersed data sources becomes inefficient and single-purpose, and lacks the ability to analyze traffic and monitor the network from a global view; distributed network intrusion detection was proposed to address this. The essential characteristic of a distributed network intrusion detection system is that it consists of two major parts: detectors distributed throughout the network and a central management console. The detectors may be network intrusion detection systems or host intrusion detection systems, deployed according to the network's security needs; each does its own work and periodically reports to the central management console, or notifies the administrator in various ways. Current distributed intrusion detection is mostly still at the research stage and lacks practical, effective applications. Although many architectures and schemes have appeared, they still emphasize the performance and detection method of a single detection unit, without considering that the distributed detection units sit in different network environments and detect different targets. The data sources submitted to the central management console are also diverse and inconsistent, which makes analysis and storage at the central manager inconvenient. No conclusion has been reached on how to deploy such a distributed system in practice, or on what detection method can realize global analysis and supervision of the network, so it is necessary to study how to deploy and what strategy to adopt in order to unite distributed detection more effectively and comprehensively.
Summary of the invention
Technical problem: the purpose of this invention is to provide a linkable distributed network intrusion detection method based on behavior description. By applying a detection strategy based on behavior description on distributed detection units, the distributed units are effectively organized into an efficient organic whole, avoiding the inefficiency and dispersion of existing system designs. The objective is to solve the low efficiency of abnormal traffic detection on medium and large networks in practical use and to improve the overall detection ability and protective effect of the detection system for the network.
Technical scheme: the linkable distributed network abnormal traffic detection method based on behavior description emphasizes the deployment of the distributed system, finds known and unknown attack traffic through behavior description, produces consistent data to improve the management and analysis efficiency of the central console, and combines this with linkage technology to improve detection and protection. First, the detection system must be deployed sensibly so that useful data can be collected and the system can process and analyze it; selecting suitable positions in the network structure to deploy the system is therefore very important. Deployment is generally considered at the key nodes of the network where traffic is forwarded, because all data in the network must pass through such nodes; in such positions all packets can most likely be collected, guaranteeing that the detection system can detect all traffic in the network. A large network generally has a main ingress/egress point connected to the external network, and the internal network is further divided into several subnets by geographical location. Each subnet has its own ingress/egress point, the subnets are connected through the network's internal backbone, and each subnet is a relatively independent subsystem, so deploying the detection system at these ingress/egress points captures all traffic as far as possible.
In the linkable distributed network intrusion detection method based on behavior description of the present invention, detection units deployed at the ingress/egress point of each subnet perform real-time detection of the microscopic behavior of network connections, while the master control platform performs anomaly detection of the macroscopic behavior of network connections. The relative autonomy and customizability of each detection unit effectively improve the detection efficiency for abnormal network traffic; describing connection behavior in a uniform data format improves the global management and analysis ability of the central console; and linkage with the firewall further improves the initiative and protective effect of the system.
System configuration
The system consists of the master control platform and distributed detection units. One detection unit is deployed at the ingress/egress point of each subnet; these detection units perform the task of detecting the microscopic behavior of network connections. The master control platform is the control center that manages these detection units and provides the operating interface to the administrator; it scans the microscopic behavior description data submitted by the detection units, extracts the macroscopic behavior of connections, and then detects anomalies in these macroscopic behaviors.
System components
Each detection unit comprises six parts: data collector, processor, analyzer, controller, local database and firewall.
Data collector: collects packets on the network and hands them to the processor.
Processor: the processor performs detection on each collected packet and each network connection and generates the corresponding behavior description data structure. The processor comprises four modules: the header check module, the description generation module, the connection check module and the content inspection module. The header check module checks the format of packets and eliminates invalid packets; the description generation module scans each valid packet and generates a basic description data structure; the connection check module performs multiple checks on connection behavior based on the detection rules and completes the information in the behavior description data structure; the content inspection module searches and inspects the content of the payload portion of packets.
Analyzer: according to the hazard index field in the behavior description structure, the analyzer decides whether the structure generated by the processor needs a further simple behavior check. For structures whose behavior character can already be judged it performs no further analysis, stores them in the local database, and notifies the controller of any behavior at or above the warning level.
Controller: the controller is the message exchange center of the detection unit. It periodically submits information to the master control platform, receives information from the analyzer and from the master control platform, and, when the hazard level is high-risk, sends control commands to the firewall to block the network connection in time.
Local database: stores five types of data customized for the local network, including the trust rules, misuse rules, sensitive feature library and local behavior description data.
Firewall: the firewall receives the security policy set by the controller and performs the network access control function, blocking illegal network connections; when harmful behavior is detected it can block the network connection in time to achieve effective protection.
Master control platform: the master control platform is the administrative center of the entire network and provides the administration interface to the administrator. The administrator can view the current state of the whole network, formulate new detection rules and add them to the data center, notify the detection units of updated information, and send various control commands to the detection units, such as changing firewall rules or requiring a detection unit to submit its latest behavior description data immediately. Another important function of the master control platform is analyzing the behavior description data submitted by the detection units, producing more detailed statistics over longer periods, and providing administrators with data on which to base decisions.
The behavior description method
Network traffic is produced by network communication behavior. By collecting the various attributes of traffic and associating them with network connections, and by introducing statistical analysis methods, behavior can be described at both the macroscopic and the microscopic level. In the present invention, behavior characteristics are described with a behavior description data structure: the microscopic behavior description is generated in the detection unit, and the macroscopic behavior description is obtained at the master control platform by statistically analyzing the microscopic data over a period of time.
The general structure of the microscopic behavior description data comprises a five-tuple information field, a timestamp, a hazard index, a header anomaly pointer, a trust check pointer, a hazard check pointer, essential information and a details pointer. The five-tuple (source IP address, destination IP address, source port, destination port and transport protocol) is the essential information associated with a packet or network connection; it identifies the logical data segment formed by IP packets and therefore serves as an identification field. The timestamp records the time at which the description structure was generated, in Date-Time format; in statistical analysis the master control platform can combine it with the five-tuple as a global identifier that distinguishes the structure from all other description structures. The hazard index represents the danger level of the connection behavior described by the current data structure; in the present invention it has five levels: high-risk, warning, suspicious, normal and trust. Next come three check-type pointers, namely header anomaly, trust check and hazard check, which are initially empty. As the description structure passes through the modules of the processor, in order to speed up detection, as soon as a module reaches a decision according to its detection rules no further checks are performed: the hazard index field is filled in immediately, the corresponding check summary information is generated, and the corresponding pointer field is set to point to it. The check information pointer consists of the check information table name and row number. In the present invention the check summary information comprises three fields: check type, matched rule number and check message. The check type indicates which module made the final decision, the matched rule number indicates which rule the decision was based on, and the check message records the basis for the judgment; for example, for a connection decided on the basis of a trust rule, this field holds the trust information of the connection. The essential information stores the basic information of each connection, i.e. its microscopic information, and is filled in by the description generation module. It comprises the following fields: upper-layer protocol, inbound data length, outbound data length, connection start time, connection end time, inbound IP packet count, outbound IP packet count, connection originator and connection terminator. The upper-layer protocol is the protocol type of the layer above the transport layer. The inbound data length is the total length of data sent from outside to the local network during the whole connection, and the inbound packet count is the number of IP packets sent from outside to the local network during the whole connection; the outbound data length is the total length of data sent from the local network to the outside during the whole connection, and the outbound packet count is the number of IP packets sent from the local network to the outside during the whole connection. The connection start time is the time the first IP packet of the connection was captured, and the end time is the time the last IP packet of the connection was captured. The connection originator is the end that initiated the connection and the connection terminator is the end that ended it; in the present invention the corresponding IP addresses are stored. The connection check module keeps updating these fields until the connection behavior ends, at which point it places the structure in the ready queue and hands it to the analyzer. The details are the data transmitted in the payload during the whole connection, divided into inbound data and outbound data. To improve efficiency and storage utilization, the present invention stores these data only for connection behavior identified as suspicious, so that the administrator or the master control platform can carry out a more in-depth data check.
The macroscopic behavior description is the pattern of network behavior of a given internal machine over a period of time. It comprises five identification fields: home address, external address, application layer type, internal port and external port; and eight statistical fields: connection frequency (per day, per week, per month), connection setup time, connection duration, connection interval, outbound data volume, inbound data volume, outbound packet count and inbound packet count. Connection frequency is the number of times a connection occurs within a certain period, comprising three indicators: the number per day, per week and per month. Connection setup time records the time range in which connections are established and characterizes the distribution of connection setup times. Connection duration records the range of time a connection lasts from establishment to termination and characterizes the distribution of connection durations. Connection interval records the range of time between two adjacent connections and characterizes the distribution of connection intervals. Outbound data volume is the total traffic flowing from the internal network to the external network in a certain time, and inbound data volume is the total traffic flowing from the external network to the internal network in a certain time. Outbound packet count is the total number of packets flowing from the internal network to the external network in a certain time, and inbound packet count is the total number of packets flowing from the external network to the internal network in a certain time.
System operation process
A) Detection unit operation:
1.) The packet collector first collects packets on the network and puts them into the memory pool for the processor.
2.) The header check module checks the packet header format, determines whether the packet is valid and eliminates invalid packets; for abnormal packets it generates a behavior description structure, the header anomaly information and the hazard index.
3.) The description generation module scans the valid packets, generates the behavior description structure and fills in its essential information.
4.) The connection check module preprocesses the packets, associating the information of individual packets with network connections.
5.) The connection check module checks the behavior description data structure against the trust rules (note: the trust rules are the list of rules corresponding to legal network connections). If the connection is legal, it directly generates the behavior description structure and hazard index, places the data structure at the back of the ready queue for the analyzer, and proceeds to the next data structure.
6.) The connection check module checks the connection data structures that did not match a trust rule against the misuse rules (note: the misuse rules collect the behavioral characteristics of abnormal operations into a feature library; when a monitored user or system action matches a record in the library, the system regards the behavior as an intrusion). If a rule matches, it directly generates the behavior description structure and hazard index, places the data structure at the back of the ready queue for the analyzer, and proceeds to the next packet.
7.) Connection data structures that match no misuse rule are marked suspicious and handed to the content inspection module, which fills in the details of the behavior description structure and performs a more detailed content inspection, mainly a keyword scan of the packet payload based on the sensitive feature library.
8.) The analyzer takes each behavior description data structure from the ready queue in turn, reads its hazard index and decides the operation accordingly. If the hazard index is suspicious, further analysis is needed, namely a simple analysis based on the local behavior detection rules. If the behavior does not deviate much, the hazard index is left unchanged as suspicious, and not only the behavior description data structure but also the detailed message information is saved for further analysis by the information center; otherwise the hazard index is reset to warning.
9.) If the hazard index is trust, normal, warning or high-risk, the analyzer only saves the behavior description data to the local database; for warning or high-risk it also immediately sends an event notice to the controller.
10.) The controller periodically submits the latest behavior description data to the master control platform. On receiving an event notice from the analyzer it forwards the notice to the master control platform immediately, and if the hazard index is high-risk it immediately sends a control command to the firewall, taking measures to prevent the harmful behavior from continuing. The controller also accepts commands from the master control platform, such as local database update commands, firewall control commands or information submission commands.
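As an added illustration (not code from the patent or its authors), the detection unit process above, steps 2 to 10, and the microscopic behavior description structure from the behavior description section are modelled in Python on constructed packets. The rule predicates, the hazard level assigned to header anomalies and misuse hits, the port-to-protocol table and the keyword handling are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# The five hazard index levels named in the patent, ordered from most to least dangerous.
HIGH_RISK, WARNING, SUSPICIOUS, NORMAL, TRUST = "high-risk", "warning", "suspicious", "normal", "trust"

@dataclass
class CheckSummary:          # the check summary a check pointer refers to
    check_type: str          # module that made the final decision
    rule_no: int             # matched rule number (0 when no numbered rule applies)
    message: str             # basis for the judgment

@dataclass
class BehaviorDescription:   # microscopic behavior description data structure
    five_tuple: tuple        # (src_ip, dst_ip, src_port, dst_port, proto): identification field
    timestamp: str           # generation time, Date-Time
    hazard: str = SUSPICIOUS
    header_anomaly: Optional[CheckSummary] = None
    trust_check: Optional[CheckSummary] = None
    hazard_check: Optional[CheckSummary] = None
    basic: dict = field(default_factory=dict)     # essential information fields
    details: dict = field(default_factory=dict)   # payload, kept only for suspicious connections

# Constructed stand-ins for the local database; the predicates are assumptions, not patent rules.
TRUST_RULES = [(1, lambda ft: ft[0].startswith("10.0.0.") and ft[3] == 53, "internal resolver traffic")]
MISUSE_RULES = [(7, lambda ft: ft[3] == 4444, "destination port listed in misuse library")]
SENSITIVE_KEYWORDS = [b"/etc/passwd", b"cmd.exe"]
LOCAL_BEHAVIOR_RULES = [(3, lambda bd: bd.basic["outbound_bytes"] > 1000, "outbound volume above local baseline")]
APP_BY_PORT = {53: "dns", 80: "http"}             # upper-layer protocol guessed from destination port (assumed)

def _key(p):
    """Step 4: associate a packet with its connection; the five-tuple is oriented from the originator."""
    if p["dir"] == "out":
        return (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
    return (p["dst"], p["src"], p["dport"], p["sport"], p["proto"])

def _decide(bd):
    """Steps 5-7: trust rules, then misuse rules, then content scan; the first decision ends checking."""
    for no, pred, msg in TRUST_RULES:
        if pred(bd.five_tuple):
            bd.hazard, bd.trust_check, bd.details = TRUST, CheckSummary("trust", no, msg), {}
            return
    for no, pred, msg in MISUSE_RULES:
        if pred(bd.five_tuple):                   # hazard level for a misuse hit is assumed to be high-risk
            bd.hazard, bd.hazard_check, bd.details = HIGH_RISK, CheckSummary("misuse", no, msg), {}
            return
    hits = [kw for kw in SENSITIVE_KEYWORDS if kw in bd.details["inbound"] + bd.details["outbound"]]
    bd.hazard_check = CheckSummary("content", 0, "keywords: %r" % hits)   # stays suspicious, details kept

def _analyze(bd):
    """Step 8: a suspicious record gets a simple check against the local behavior rules."""
    if bd.hazard == SUSPICIOUS:
        for no, pred, msg in LOCAL_BEHAVIOR_RULES:
            if pred(bd):                          # clear deviation: reset to warning, drop the payload
                bd.hazard, bd.hazard_check, bd.details = WARNING, CheckSummary("analyzer", no, msg), {}
                break
    return bd

def process_packets(packets):
    """Detection unit pipeline. Returns (local_db, notices sent to the controller, firewall commands)."""
    conns, ready_queue, local_db, notices, fw_cmds = {}, [], [], [], []
    for p in packets:
        if p["header"] == "invalid":              # step 2: invalid packets are discarded
            continue
        if p["header"] == "anomalous":            # step 2: anomaly described and flagged (level assumed)
            ready_queue.append(BehaviorDescription(_key(p), p["ts"], WARNING, CheckSummary("header", 0, p["note"])))
            continue
        key = _key(p)                             # step 3: description with essential information
        bd = conns.setdefault(key, BehaviorDescription(key, p["ts"], basic={
            "upper_protocol": APP_BY_PORT.get(key[3], "unknown"), "inbound_bytes": 0, "outbound_bytes": 0,
            "start_time": p["ts"], "end_time": p["ts"], "inbound_packets": 0, "outbound_packets": 0,
            "originator": key[0], "terminator": None}, details={"inbound": b"", "outbound": b""}))
        side = "inbound" if p["dir"] == "in" else "outbound"
        bd.basic[side + "_bytes"] += len(p["payload"])
        bd.basic[side + "_packets"] += 1
        bd.basic["end_time"] = p["ts"]
        bd.details[side] += p["payload"]
        if p["fin"]:                              # connection ended: decide and queue for the analyzer
            bd.basic["terminator"] = p["src"]
            _decide(bd)
            ready_queue.append(conns.pop(key))
    for bd in ready_queue:                        # steps 8-10
        local_db.append(_analyze(bd))
        if bd.hazard in (WARNING, HIGH_RISK):     # step 9: event notice to the controller
            notices.append((bd.five_tuple, bd.hazard))
            if bd.hazard == HIGH_RISK:            # step 10: controller orders the firewall to block
                fw_cmds.append(("block", bd.five_tuple))
    return local_db, notices, fw_cmds

# Constructed sample packets, not captured traffic.
def _pkt(ts, dir_, src, dst, sport, dport, proto, payload, fin, header="ok", note=""):
    return dict(ts=ts, dir=dir_, src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                payload=payload, fin=fin, header=header, note=note)

SAMPLE = [
    {"header": "invalid", "note": "truncated IP header"},
    _pkt("2012-02-21T09:00:00", "out", "10.0.0.9", "192.0.2.1", 41000, 80, "tcp", b"", False, "anomalous", "bad IP total length"),
    _pkt("2012-02-21T09:00:01", "out", "10.0.0.5", "10.0.0.2", 5353, 53, "udp", b"\x00" * 40, False),
    _pkt("2012-02-21T09:00:01", "in", "10.0.0.2", "10.0.0.5", 53, 5353, "udp", b"\x00" * 100, True),
    _pkt("2012-02-21T09:00:02", "out", "10.0.0.7", "203.0.113.9", 40000, 4444, "tcp", b"beacon", True),
    _pkt("2012-02-21T09:00:03", "out", "10.0.0.8", "198.51.100.4", 50000, 80, "tcp", b"GET /etc/passwd HTTP/1.1\r\n", True),
    _pkt("2012-02-21T09:00:04", "out", "10.0.0.8", "198.51.100.4", 50001, 80, "tcp", b"POST /upload HTTP/1.1\r\n" + b"A" * 2000, True),
]
```

Running `process_packets(SAMPLE)` yields one record per connection: the header anomaly at warning, the resolver lookup trusted, the port 4444 connection high-risk with a firewall block command, the keyword hit left suspicious with its payload retained, and the large upload reset to warning by the local behavior rule.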
B) Master control platform operation:
The data submitted by the local detection units to the master control platform comprise warning notice messages and local behavior description data. When the master control platform receives a warning notice message, it immediately issues a warning message on the administration interface or notifies the administrator by e-mail, and logs the event. When the master control platform receives behavior description data, it processes them differently in different phases. The operation of the master control platform is divided into a learning phase and a decision phase: the learning phase observes a training data set to build a behavior classifier, and the decision phase uses the classifier built in the learning phase to classify new data sets collected from the network, i.e. to detect whether they are normal or abnormal.
In the learning phase:
B1.) The master control platform stores each microscopic behavior description submitted by the detection units and, after a certain time interval, extracts the macroscopic behavior information of connections from these data.
B2.) It analyzes each field of the macroscopic behavior description structure and generates the corresponding macroscopic feature vector.
B3.) It scans the generated macroscopic feature vectors, uses them as the training data set for the classifier's learning phase, and obtains the decision function.
In the decision phase:
B4.) The master control platform scans the microscopic behavior description data submitted by the detection units and uses the same algorithm as in the learning phase to generate the corresponding macroscopic behavior feature vectors.
B5.) The macroscopic behavior feature vector of a connection is used as the input of the decision function.
B6.) The output of the decision function is read as the judgment result. If an anomaly is found, a misuse detection rule is generated automatically and the detection units are required to update immediately; at the same time an alarm is issued on the administration interface or the administrator is notified by e-mail, the event is logged, and the system waits for the administrator to analyze further and make a decision. If no anomaly is found, the information is logged.
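As an added example (not the patent's own code), steps B1 to B6 above are modelled in Python: microscopic records are grouped by the five identification fields into the macroscopic statistics of the behavior description section, flattened into feature vectors, and fed to a decision function. The patent does not name the classifier; a per-feature z-score threshold learned from the training vectors is assumed here, and all records, hosts and the beaconing pattern are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def micro(home, ext, app, iport, eport, start, dur_s, out_b, in_b, out_p, in_p):
    """One microscopic record as the master platform receives it (constructed subset of fields)."""
    s = datetime.fromisoformat(start)
    return {"home": home, "ext": ext, "app": app, "iport": iport, "eport": eport,
            "start": s, "end": s + timedelta(seconds=dur_s),
            "out_bytes": out_b, "in_bytes": in_b, "out_pkts": out_p, "in_pkts": in_p}

def macro_descriptions(records, window_days):
    """B1/B4: group records by the five identification fields and compute the eight
    macroscopic statistics over a window of window_days days."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["home"], r["ext"], r["app"], r["iport"], r["eport"])].append(r)
    out = {}
    for ident, rs in groups.items():
        rs.sort(key=lambda r: r["start"])
        n = len(rs)
        durs = [(r["end"] - r["start"]).total_seconds() for r in rs]
        gaps = [(b["start"] - a["end"]).total_seconds() for a, b in zip(rs, rs[1:])]
        hours = [r["start"].hour for r in rs]
        out[ident] = {
            "freq": {"day": n / window_days, "week": 7 * n / window_days, "month": 30 * n / window_days},
            "setup_time": (min(hours), max(hours)),            # range of setup hours
            "duration": (min(durs), max(durs)),                # range of durations, seconds
            "interval": (min(gaps), max(gaps)) if gaps else (0.0, 0.0),   # gap between adjacent connections
            "out_bytes": sum(r["out_bytes"] for r in rs), "in_bytes": sum(r["in_bytes"] for r in rs),
            "out_pkts": sum(r["out_pkts"] for r in rs), "in_pkts": sum(r["in_pkts"] for r in rs)}
    return out

def feature_vector(m):
    """B2: flatten one macroscopic description into a numeric vector."""
    return [m["freq"]["day"], m["setup_time"][0], m["setup_time"][1], m["duration"][1],
            m["interval"][0], m["out_bytes"], m["in_bytes"], m["out_pkts"], m["in_pkts"]]

def learn(vectors, k=3.0):
    """B3: build the decision function. Assumed classifier: a vector is abnormal when any
    feature lies more than k population standard deviations from the training mean."""
    cols = list(zip(*vectors))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]      # constant feature: fall back to unit scale
    return lambda v: any(abs(x - m) / s > k for x, m, s in zip(v, mu, sd))

def decision_phase(decide, records, window_days):
    """B4-B6: vectors for the new window go through the decision function; each anomaly
    yields a misuse rule for the detection units and an alarm, everything else is logged."""
    rules, alarms, log = [], [], []
    for ident, m in macro_descriptions(records, window_days).items():
        if decide(feature_vector(m)):
            rules.append({"home": ident[0], "ext": ident[1], "eport": ident[4], "action": "misuse"})
            alarms.append(("alarm", ident))
        else:
            log.append(("normal", ident))
    return rules, alarms, log

def build_training():
    """Constructed training records: five internal hosts reaching one web server one to three
    times a day between 09:00 and 12:00 for ten days."""
    recs = []
    for i in range(5):
        for day in range(1, 11):
            for c in range((day + i) % 3 + 1):
                recs.append(micro(f"10.0.0.{5 + i}", "198.51.100.4", "http", 0, 80,
                                  f"2012-02-{day:02d}T{9 + c + i % 2:02d}:15:00",
                                  5 + 3 * c + i, 1500 + 100 * c, 40000 + 1000 * i, 12 + c, 40 + i))
    return recs

# Decision-phase window: host 10.0.0.5 behaving as in training, plus a constructed pattern of
# short connections to an external host every 30 minutes, day and night, for the same ten days.
NEW_RECORDS = [r for r in build_training() if r["home"] == "10.0.0.5"] + [
    micro("10.0.0.5", "203.0.113.9", "unknown", 0, 4444, f"2012-02-{d:02d}T{h:02d}:{mi:02d}:00", 2, 3000, 200, 4, 2)
    for d in range(1, 11) for h in range(24) for mi in (0, 30)]

def run_master_platform():
    """Learning phase on the training set, then decision phase on NEW_RECORDS."""
    train = [feature_vector(m) for m in macro_descriptions(build_training(), 10).values()]
    return decision_phase(learn(train), NEW_RECORDS, 10)
```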
Beneficial effects:
1. Independent of system platform and application
The detection scheme based on behavior description targets only network connection behavior and does not involve the system platforms at the source and destination of the traffic, so it detects the network behavior of any machine in the network equally well. In addition, it is not limited to detecting particular network applications and can detect most of them.
2. Easy to maintain and manage
Each detection unit distributed in the network in the present invention is relatively independent, and the units do not affect each other. When the network grows, only the corresponding detection units need to be added and no adjustment is needed elsewhere in the detection system. Deploying the system in a network only requires deployment at each key node and does not affect the existing network topology. Furthermore, the system adopts a uniform data format, analyzes data and produces detection rules automatically, and the master control platform and each detection unit can interact in real time, all of which make it convenient for the administrator to administer and maintain the whole network from the master control platform.
3. Multi-functional
The detection task at the master control platform is the further, detailed analysis of suspicious network connection behavior, aimed mainly at unknown abnormal network behavior. The detection units mainly target known malicious network behavior; detection rules can also be customized per subnet according to how the subnet is used, so each subnet's operation can be monitored flexibly with a variety of detection rules.
4. Efficiency and accuracy
The task of detecting known malicious behavior for the local subnet is performed in each distributed detection unit, while the task of analyzing and detecting unknown abnormal behavior is performed at the master control platform; this avoids the performance bottleneck of centralized processing and improves detection efficiency. Network behavior undergoes multiple checks in different modules based on different detection rules, and more detailed analytical detection at the master control platform, which improves detection accuracy and reduces the chance of misses.
5. Real-time and effective
A firewall control module is added to the distributed detection units; when harmful behavior is detected, a control command can be sent to the firewall in time to cut off the network connection. This overcomes to some extent the passivity of detection systems and the lag of offline detection, minimizes the danger of malicious behavior, and strengthens the real-time response and protective effect of the detection system.
Description of drawings
Fig. 1 is the system architecture diagram of the detection scheme,
Fig. 2 is the detection flow in the detection system,
Fig. 3 is the data flow diagram of the detection system.
Embodiment
System construction scheme:
The present invention deploys one monitoring device at the main ingress/egress of the network. This device only performs simple network-condition statistics and reports the overall traffic status of the network to the central control platform; it performs no other detection. A detection unit is then deployed at the ingress/egress of each sub-network, and these detection units carry out the normal network detection tasks. Each detection unit works independently and can be specialized in function according to the characteristics of the network range it protects. The detection task of the whole network is thus shared among the detection units, which avoids a performance bottleneck on any single unit, improves detection efficiency, and lets the units operate without interfering with each other. Each detection unit comprises a data collector, a processor, an analyzer, a controller and a local database. The local database stores five types of data customized for the local network: local detection rules, trust rules, misuse rules, a sensitive-feature library and the local connection description data. The task of a detection unit is only to passively copy the data flowing through the network and to analyze and process it; when an emergency occurs it cannot take protective measures by itself and can only issue a warning and wait for the administrator to handle it. To remedy this passivity, a firewall module is added under each detection unit, whose main function is network access control: when the detection system discovers an emergency, the control module can promptly block the network connection and so achieve effective protection.
The core of the detection unit is the processor and the analyzer. The processor examines each collected packet and each network connection and generates the corresponding behavior description data structure. The behavior description data structure comprises a uniquely identifying identification field, a hazard index and other related features, where the hazard index is an aggregate description of all the features. The processor comprises four modules: a packet header detection module, a description data generation module, a network connection detection module and a content detection module. The packet header detection module, the description data generation module and the network connection detection module always run, while the content detection module is invoked by the network connection detection module as circumstances require. The result of running these four modules is that a behavior description data structure and its corresponding hazard index are generated for each abnormal packet or network connection, and these structures are then analyzed by the analyzer. Based on the hazard index, the analyzer decides whether further feature analysis is needed to obtain a more accurate hazard index. The analyzer stores the abnormal behavior description data structures in the local database and decides, according to the hazard index, whether to notify the controller. The controller, as the message exchange center of the local detection unit, periodically submits information to the central control platform; it can also accept notifications from the analyzer and from the central control platform, and can send control commands to the firewall. On accepting a notification from the analyzer, the controller determines the warning level from the hazard index: if the level is low it only sends a general warning notification to the central control platform; if the level is high it also sends a control command to the firewall so that appropriate protective measures are taken. In addition it can accept information sent by the central control platform, which may be a data update or a control command.
The central control platform serves as the inspection center of the whole network. It provides an administration interface to the administrator, who can check the current state of the whole network, formulate new detection rules and add them to the data center, notify the detection units to update their information, and send various control commands to the detection units, such as changing firewall rules or requiring a detection unit to submit its latest behavior description data immediately. Another important function of the central control platform is to analyze the behavior description data submitted by the detection units, producing more detailed statistics over longer periods and so giving administrators a basis for their decisions.
Behavior description scheme:
Among the various packets transmitted through the network, some abnormal packets can be found by general matching methods, but this approach is inadequate against malicious operations carried out through high-level application protocols. Malicious operations implemented by protocol tunnelling are hard to detect through any abnormal feature in the packets. Moreover, applications based on one protocol (such as HTTP, the Hypertext Transfer Protocol) come in many different kinds; it is very hard to tell from the packets alone which kind of application is legitimate and which is illegitimate, so analysis from a higher vantage point is needed. Usually one kind of communication behavior corresponds to one set of behavioral features, and different kinds of behavior manifest as different features. On this basis, the present invention describes communication behavior and compares the acquired behavioral features with normal behavioral features to discover abnormal network behavior. Network traffic is produced by network communication behavior; by collecting the various attributes of the traffic, associating them with network connections, and introducing statistical analysis, behavior can be described at both the macroscopic and the microscopic level. In the present invention a behavior description data structure is used to describe behavioral features: the microscopic behavior description of a behavior is generated in the detection unit, and the macroscopic behavior description is obtained at the central control platform by statistical analysis of the microscopic data over a period of time.
General structure of the microscopic behavior description data:
[Figure: layout of the microscopic behavior description data structure; its fields are described below.]
The five-tuple information, namely source IP address, destination IP address, source port, destination port and transport protocol, is the essential information associated with a packet or a network connection; it identifies the logical data segment made up of IP packets and can therefore serve as an identification field. The timestamp records the time at which this description data structure was generated, in Date-Time format. In statistical analysis the central control platform can combine it with the five-tuple as a global identifier to distinguish this structure from other description data structures. The hazard index represents the danger class of the connection behavior described by the current data structure; in the present invention it has five levels: high-risk, warning, suspicious, normal and trust. Next come three inspection-type pointers, which in the present invention are header anomaly, trust inspection and hazard inspection respectively; they are initially empty. As the description data structure passes through the modules of the processor, in order to speed up detection, as soon as a decision is made in some module according to the detection rules no further checks are performed: the hazard index field is filled in immediately, the corresponding inspection summary is generated and the corresponding pointer field is set to point to it; the inspection information pointer consists of an inspection information table name and a row. In the present invention the inspection summary comprises three fields: inspection type, matched rule number and inspection information. The inspection type indicates which module made the final decision, the matched rule number indicates which rule the decision was based on, and the inspection information records the basis of the judgement; for example, for a connection judged by a trust rule, this field holds the trust information for that connection.
The basic information stores the microscopic information of each connection, i.e. the essential information of the connection. It is filled in by the description data generation module and comprises the fields upper-layer protocol, inbound data length, outbound data length, connection start time, connection end time, inbound IP message count, outbound IP message count, connection originating end and connection terminating end. The upper-layer protocol is the protocol type of the layer above the transport layer; the inbound data length is the total length of data from the outside to the local network over the whole connection, and the inbound message count is the number of IP messages from the outside to the local network over the whole connection; the outbound data length is the total length of data from the local network to the outside over the whole connection, and the outbound message count is the number of IP messages from the local network to the outside over the whole connection; the connection start time is the time at which the first IP message on this connection was captured, and the end time is the time at which the last IP message on this connection was captured; the connection originating end is the end that initiated the connection and the connection terminating end is the end that ended it, both stored in the present invention as the corresponding IP address. The network connection inspection module keeps updating these fields until the connection behavior ends, at which point it puts the structure into the ready queue and hands it to the analyzer. The details are the payload data transmitted over the whole connection, divided into inbound data and outbound data. To improve efficiency and storage utilization, in the present invention these data are stored only for connection behavior identified as suspicious, for deeper data inspection by the administrator or the central control platform.
The macroscopic behavior description is the network behavior pattern of a given internal machine over a period of time. It comprises five identification fields: internal address, external address, application layer type, internal port and external port; and eight statistical fields: connection occurrence frequency (daily, weekly, monthly), connection setup time, connection duration, connection interval, outbound data volume, inbound data volume, outbound packet count and inbound packet count. Connection occurrence frequency is the number of times a connection occurs within a given period and comprises three indices: daily count, weekly count and monthly count. Connection setup time records the time range in which connections are established and characterizes the distribution of connection setup times. Connection duration records the range of time spans from establishment to termination and characterizes the distribution of connection durations. Connection interval records the range of time lengths between two adjacent connections and characterizes the distribution of connection intervals. The outbound data volume is the total traffic from the internal network to the external network within a given time, and the inbound data volume is the total traffic from the external network to the internal network within a given time. The outbound packet count is the total number of packets from the internal network to the external network within a given time, and the inbound packet count is the total number of packets from the external network to the internal network within a given time.
Once these macroscopic feature attributes are quantified, mathematical methods can be used to analyze whether a behavior is normal. If an anomaly is found, the administrator is notified and a corresponding detection rule is generated automatically. The administrator makes a decision after further analysis: if the behavior is abnormal, a more accurate detection rule is formulated to replace the automatically generated one; otherwise the automatically generated detection rule is cancelled, a new trust rule is added to prevent similar warning notifications from being produced again, and the microscopic data of that behavior are added to the training sample database.
Behavior detection scheme:
When detecting whether a behavior is legitimate, it must be processed according to detection rules, i.e. the characteristic features of the behavior are expressed in a fixed format, and the detection modules judge the warning level of the connection behavior according to these detection rules. Three types of detection rules are stored in the database of the local detection unit: trust rules, misuse rules and behavior detection rules. Trust rules describe the behavioral features of trusted applications; for example, if every web service access to a certain address range is legitimate, this trust rule can be described as (external address: address value) (port: 80) (application protocol: HTTP), and more details can be added when the rule is actually formulated. Misuse rules describe known hostile network behaviors; from the behavioral features a kind of network attack actually exhibits, a unique identification of that attack is established, and the misuse rule is built from such things as attack packet length, port number, time and special strings. Behavior detection rules are a description of the statistical features of daily network behavior; among them, rules describing normal behavior are added to the trust rule set and rules describing malicious behavior are added to the misuse rule set. The detection unit performs simple analysis and detection of the collected network behavior based on these rules, while the central control platform performs detailed analysis and detection based on them, and abnormal behavior is discovered by comparing the differences between the two.
There are two ways of establishing detection rules: the static method and the dynamic method. In the static method the administrator manually builds detection rules from experience combined with the actual usage situation. The rules generated this way are more accurate, but the demands on the administrator are high, and as time goes on the amount of data to be checked grows and the administrator's workload keeps increasing. In the dynamic method the system, during operation, computes the relevant feature quantities according to some algorithm to obtain data with certain regularities, and builds detection rules from them. This method does not require much participation from the administrator, but it is limited by the rule-generation algorithm: the automatically generated rules may not be efficient or complete and need manual adjustment according to the detection effect and the system's warning log.
The present invention combines the two methods. The initial establishment of the detection library requires the administrator to formulate trust rules according to the network application situation, specifically according to the external network ranges the network may access and the service types, protocol types and access time periods the network may use; these rules can be further customized for different sub-network environments, finally forming the microscopic behavior description data structures and macroscopic behavior description data structures that correspond to the rules. The misuse rules are established in the present invention by expressing the behavioral features of known common attacks as microscopic and macroscopic behavior description data structures, for query by the detection units and the central control platform. Mature misuse detection rules already exist in intrusion detection systems in practical use; the Snort (an intrusion detection system) rule base may be consulted. In the initial operating stage of the system the above two kinds of rules are built by the administrator in advance, while the behavior detection rules are almost blank at that stage; the administrator can only set up the most basic behavior descriptions according to the network application situation, such as which subnet may access which service at what time. After the system has been deployed and running for a period, it can automatically generate the statistical features of daily network behavior, i.e. the macroscopic behavior description data structures, from the behavior description data uploaded by the detection units and the statistics of the central control platform; these data serve as behavior detection rules for query by the detection units and the central control platform, and the system keeps adjusting these behavior detection rules automatically as new macroscopic behavior description data are continually generated. As time goes on, the administrator can adjust the trust rules, misuse rules and behavior detection rules in good time according to the system's operational warning log and the updates of the system's daily behavior patterns and statistical analysis, progressively establishing a complete set of detection rules so that the detection system operates at its best.
The central control platform, as the center of the detection system, integrates control, management and analysis. It is divided into a foreground administration interface and background processing. The foreground interface provides the administrator with query information and an operation interface: the administrator can check the state of the whole network or the operating condition of a particular detection unit at any time, can inspect the details of every behavior description data structure, and can send various control commands to the detection units. Background processing has two tasks. One is the analysis module, which mainly scans the latest behavior description data uploaded by the detection units and performs a more comprehensive check, producing a warning or danger report if an anomaly is found; otherwise the data are stored in the database, and the administrator decides whether to additionally add them to the statistical sample library as new samples from which new behavior statistics rules are produced.
When comparing macroscopic behavior to judge connection behavior according to the behavior detection rules, the central control platform specifically uses the support vector machine (SVM) method to analyze the data uploaded by the detection units and discover abnormal behavior. Because what the detection units upload is microscopic information about connection behavior, to perform macroscopic behavior detection the central control center first needs to extract the macroscopic behavior feature attributes from these data, then convert these feature attributes into feature vector values, and then process these feature vectors with the support vector machine method.
The macroscopic behavior features are represented here by numerical values, in the following form:
Macroscopic behavior features: attribute 1 = value 1, attribute 2 = value 2, attribute 3 = value 3, ...
These values fluctuate within certain ranges and must be normalized into feature vector values before they can serve as input to the support vector machine. The normalization method is as follows:
First compute the mean and the standard deviation of each statistical attribute:
Formula (1), mean: $\mathrm{Average}(x_j) = \frac{1}{n}\sum_{i=1}^{n} x_i^j$
Formula (2), standard deviation: $\mathrm{Standard}(x_j) = \sqrt{\frac{1}{n-1}\sum_{i=1}^{n}\left(x_i^j - \mathrm{Average}(x_j)\right)^2}$
where $x_i^j$ denotes the $j$-th attribute of sample $i$ and $n$ is the sample size.
Then compute the corresponding feature vector values from the following formula:
Formula (3), feature vector value: $\mathrm{Vector}(x_i^j) = \dfrac{x_i^j - \mathrm{Average}(x_j)}{\mathrm{Standard}(x_j)}$
This yields feature vector values of the following form:
Macroscopic behavior features: $\{x_1, x_2, x_3, \ldots\}$
where $x_1$ is the feature vector value corresponding to attribute 1, $x_2$ the feature vector value corresponding to attribute 2, and $x_3$ the feature vector value corresponding to attribute 3.
These feature vectors can now be processed with the mathematical tool of the support vector machine. Building the support vector machine classifier is divided into two stages, learning and detection. In the learning stage, the administrator first confirms which data among the behavior description data structures submitted by the detection units were produced by normal behavior, and these are taken as learning samples; the central control platform then extracts the macroscopic behavior feature attributes from this set of behavior description data structures and computes the corresponding feature attribute values, and a decision function is obtained by learning from these training samples based on a radial basis function (RBF) kernel.
Formula (4): $k_r(\|x - x_i\|) = \exp\{-r\,\|x - x_i\|^2\}$
Formula (5): $f(x) = \mathrm{sgn}\left(\sum_{i=1}^{N} a_i\, k_r(\|x - x_i\|) + b\right)$
Formula (4) is the radial basis function, where $N$ is the number of support vectors, $a_i$ are the expansion coefficients, $x_i$ are the support vectors and $r$ is the width parameter of the kernel function. The RBF maps the linearly inseparable feature vector space to a linearly separable vector space. Formula (5) is the decision function: it classifies the input and expresses the class through its output. In the learning stage the SVM observes the training data set to obtain an output, compares it with the data set again, and continually adjusts its own parameters so that its output approaches the training set data as closely as possible, finally determining the parameters $N$, $a_i$, $x_i$ and $r$. In this process the parameters $R$ and $w_0$ need to be controlled through formula (6) to minimize the bound on the error probability.
Formula (6): $\|w_0\|^2 = \sum_{i,j=1}^{l} a_i^0 a_j^0\, k(x_i, x_j)\, y_i y_j = \sum_{i=1}^{l} a_i^0, \qquad \Phi(R, w_0, l) = \frac{R^2\,\|w_0\|^2}{l}$
where $R$ is the radius of the smallest hypersphere containing all the vectors, $l$ is the number of samples in the training set, and $w_0$ is the vector of the optimal hyperplane.
In the detection stage, the central control platform uses the decision function obtained in the learning stage to check the data submitted by the detection units one by one. If the detection result is dangerous behavior, the hazard index field in the corresponding description data structure is set to dangerous, a behavior detection rule is generated automatically and the detection unit is notified to update its local rule base, and at the same time a report is made to the administrator in expectation of a more precise setting by the administrator; otherwise the hazard index is set to normal and a report is made to the administrator, who decides whether to add these new data to the training set.
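As an added worked example of formulas (1) to (5), written for this page and not the patent's own implementation, the following Python code normalizes constructed macroscopic feature records with the mean and sample standard deviation of the training set, evaluates the RBF kernel and a decision function of the form in formula (5), and fits the expansion coefficients $a_i$ and the bias $b$ with a kernel perceptron as a deliberately simple stand-in for the SVM's quadratic-programming solver (no SVM library is used). The attribute set, the training rows and the kernel width $r$ are constructed assumptions.

```python
"""Added example (not the patent's code): normalization (formulas 1-3), RBF kernel (4)
and decision function (5) for macroscopic behavior features. Training rows are constructed."""
import math

# Constructed macroscopic records: [connections per day, mean duration (s), outbound bytes, inbound bytes]
TRAIN_SAMPLES = [
    [12, 30, 2000, 50000], [10, 25, 1800, 45000], [15, 40, 2500, 60000], [9, 20, 1500, 40000],
    [300, 2, 500000, 3000], [250, 3, 400000, 2500],
]
TRAIN_LABELS = [1, 1, 1, 1, -1, -1]  # +1 = administrator-confirmed normal, -1 = abnormal


def average(col):
    """Formula (1): mean of one attribute over the sample set."""
    return sum(col) / len(col)


def standard(col):
    """Formula (2): sample standard deviation (divisor n - 1) of one attribute."""
    m = average(col)
    return math.sqrt(sum((x - m) ** 2 for x in col) / (len(col) - 1))


def fit_stats(samples):
    """Per-attribute (mean, standard deviation), fitted once on the training set."""
    return [(average(col), standard(col)) for col in zip(*samples)]


def vectorize(sample, stats):
    """Formula (3): feature vector value for each attribute of one record."""
    return [(x - m) / sd if sd > 0 else 0.0 for x, (m, sd) in zip(sample, stats)]


def rbf(x, xi, r):
    """Formula (4): k_r(||x - x_i||) = exp(-r ||x - x_i||^2)."""
    return math.exp(-r * sum((a - b) ** 2 for a, b in zip(x, xi)))


def decide(x, support, coeffs, b, r):
    """Formula (5): sgn(sum_i a_i k_r(||x - x_i||) + b); +1 normal, -1 abnormal."""
    s = sum(a * rbf(x, xi, r) for a, xi in zip(coeffs, support)) + b
    return 1 if s > 0 else -1


def learn(vectors, labels, r, max_passes=100):
    """Learning phase: fit expansion coefficients a_i and bias b. A kernel perceptron
    is used here as a simple stand-in for the SVM solver; the decision has the same
    form as formula (5), but the coefficients are not the max-margin solution."""
    a, b = [0.0] * len(vectors), 0.0
    for _ in range(max_passes):
        mistakes = 0
        for i, (v, y) in enumerate(zip(vectors, labels)):
            if decide(v, vectors, a, b, r) != y:
                a[i] += y
                b += y
                mistakes += 1
        if mistakes == 0:
            break
    support = [v for v, ai in zip(vectors, a) if ai != 0]  # the N vectors with a_i != 0
    return support, [ai for ai in a if ai != 0], b


class BehaviorClassifier:
    """Central-platform view: statistics and decision function fitted in the learning
    phase and reused unchanged in the decision phase."""

    def __init__(self, samples, labels, r=0.5):
        self.r = r
        self.stats = fit_stats(samples)
        vectors = [vectorize(s, self.stats) for s in samples]
        self.support, self.coeffs, self.b = learn(vectors, labels, r)

    def classify(self, sample):
        return decide(vectorize(sample, self.stats), self.support, self.coeffs, self.b, self.r)
```

The normalization statistics fitted on the training set are stored in the classifier and reused for new records in the decision phase; without that, the feature vectors of new data would not be comparable with the training vectors. A deployment would fit $a_i$ and $b$ with a proper SVM solver and choose $r$ and the learning period as the text says the administrator does.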
The distributed network intrusion detection system based on behavior description mainly consists of two major parts: the detection units distributed throughout the network and the central control platform at the center. The detection units perform misuse and anomaly detection on the microscopic manifestation of connection behavior, while the central control platform performs anomaly detection on its macroscopic manifestation. The embodiment is as follows:
Detection unit operation:
1) First the packet collector captures packets on the network and puts these data into the memory pool to be handed to the processor.
2) The processor fetches the collected packets from the memory pool. The packet header detection module performs the header anomaly check and determines whether the packet is valid. If the packet itself is abnormal, the module directly generates the behavior description structure, the header anomaly information and the hazard index, places the behavior description data structure at the back of the ready queue for the analyzer, and processes the next packet; if the header check is normal, the packet is handed to the description generation module.
3) The description generation module accepts the valid packets from the header detection module, scans them, generates the behavior description structure and fills in the corresponding feature information, hands it to the network connection inspection module, and processes the next packet.
4) Before inspection, the network connection inspection module has a preprocessing step that turns individual packet information into network connection information. In the present invention different processing is applied according to the transport protocol: for description data structures whose transport protocol is UDP, each UDP datagram is treated as one network connection; for description data structures whose transport protocol is TCP, the description structures of the multiple IP packets belonging to the same connection must be merged into one description data structure.
5) The network connection inspection module checks the connection against the trust rules; if it is legitimate, the module directly generates the behavior description structure and hazard index, places the data structure at the back of the ready queue for the analyzer, and processes the next data structure.
6) For connection data structures that do not match the trust rules, the network connection inspection module checks them against the misuse rules; if a misuse rule matches, it directly generates the behavior description structure and hazard index, places the data structure at the back of the ready queue for the analyzer, and processes the next packet.
7) Connection data structures that match no misuse rule are marked suspicious and handed to the content inspection module, which fills in the details of the behavior description structure and performs more detailed content inspection, mainly scanning the packet payload for keywords based on the sensitive-feature library, since known hostile network behaviors each have their own special features, such as a particular string at a fixed offset position. When inspection finishes, the behavior description structure is put into the ready queue and the content inspection module processes the next data structure.
8) The analyzer fetches each behavior description data structure in turn from the ready queue, first checks the hazard index in it, and decides what to do according to the hazard index. To improve analysis speed, further analysis is performed only on behavior data whose hazard index is suspicious. Here a simple analysis is performed according to the local behavior detection rules, for example analyzing the connection setup time: if it deviates greatly, the traffic is regarded as abnormal and its hazard index is changed to warning. If the analyzed behavior does not differ much, the hazard index remains suspicious, and then not only the behavior description data structure but also the detailed message information must be preserved for further analysis by the information center.
9) If the hazard index is trust, normal, warning or dangerous, the analyzer only saves the behavior description data to the local database. Because the processor keeps the relevant information in the behavior description scheme, describing the message or the basic information of the connection as abnormal according to the header inspection module or as normal according to the trust rule inspection, this information satisfies the statistical needs of the central control platform; for warning or dangerous, an event notification must also be sent to the controller immediately.
10) The controller periodically submits the latest behavior description data to the central control platform and deletes these data from the local database to save local space, reduce the local data volume and improve local query speed. After receiving an event notification from the analyzer, the controller immediately forwards it to the central control platform; if the hazard index is dangerous, it immediately sends a control command to the firewall and takes measures to stop the dangerous behavior from continuing. The controller also accepts commands from the central control platform, such as local database update commands, firewall control commands or information submission commands.
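As an added illustration of steps 1) to 7) and 10) above, of the basic-information fields of the microscopic behavior description, and of the trust, misuse and sensitive-feature rule types described under the behavior detection scheme, the following Python code is example code written for this page, not code from the patent. It assembles constructed packet records into connection records (each UDP datagram its own connection, both directions of a TCP flow merged, with inbound and outbound lengths and message counts and start and end times), applies hypothetical trust rules, misuse rules and a sensitive-feature library in the order the detection unit uses them, fills the hazard index and inspection-type fields, and derives the firewall block commands the controller would issue for dangerous connections. The protected sub-network range, the rules and the sample packets are all constructed assumptions.

```python
"""Added example (not the patent's code): model of the detection unit pipeline.
Sub-network range, rules and packets are constructed assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")  # assumed protected sub-network
# Hypothetical rules, in the shape the page describes:
TRUST_RULES = [("T1", ip_network("203.0.113.0/24"), 80, "TCP")]  # (id, ext range, ext port, proto)
MISUSE_RULES = [("M1", 4444, "TCP")]                              # (id, ext port, proto)
SENSITIVE_LIBRARY = [(0, b"KEYWORD-X")]                          # (fixed payload offset, string)

Packet = namedtuple("Packet", "ts src dst sport dport proto length payload", defaults=(b"",))


@dataclass
class Connection:
    """Microscopic behavior description: five-tuple identification plus basic information."""
    key: tuple                   # (local ip, external ip, local port, external port, proto)
    start: float                 # time of the first captured message
    end: float                   # time of the last captured message
    inbound_len: int = 0
    outbound_len: int = 0
    inbound_pkts: int = 0
    outbound_pkts: int = 0
    hazard: str = "suspicious"   # trust / normal / suspicious / warning / danger
    check_type: str = ""         # module that made the final decision
    rule_id: str = ""            # matched rule number
    details: list = field(default_factory=list)  # payloads, kept only while suspicious


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def header_check(p):
    """Step 2): packet header anomaly check (assumed validity rules)."""
    return p.length > 0 and p.proto in ("TCP", "UDP") and 0 < p.sport < 65536 and 0 < p.dport < 65536


def connection_key(p):
    """Orient the five-tuple as (local, external) so both directions share one key."""
    if is_local(p.src):
        return (p.src, p.dst, p.sport, p.dport, p.proto)
    return (p.dst, p.src, p.dport, p.sport, p.proto)


def build_connections(packets):
    """Steps 2) to 4): header check, then merge packets into connection records.
    Each UDP datagram is its own connection; TCP packets of one flow are merged."""
    conns = {}
    for p in packets:
        key = connection_key(p)
        if not header_check(p):  # decided immediately, no further checks
            conns[key + ("hdr", p.ts)] = Connection(key, p.ts, p.ts, hazard="warning", check_type="header")
            continue
        full_key = key + (p.ts,) if p.proto == "UDP" else key
        c = conns.setdefault(full_key, Connection(key, p.ts, p.ts))
        c.end = max(c.end, p.ts)
        if is_local(p.src):
            c.outbound_len, c.outbound_pkts = c.outbound_len + p.length, c.outbound_pkts + 1
        else:
            c.inbound_len, c.inbound_pkts = c.inbound_len + p.length, c.inbound_pkts + 1
        if p.payload:
            c.details.append(p.payload)
    return list(conns.values())


def classify(c):
    """Steps 5) to 7): trust rules, then misuse rules, then content inspection."""
    if c.check_type:  # already decided by the header check
        return c
    ext_ip, ext_port, proto = ip_address(c.key[1]), c.key[3], c.key[4]
    for rid, net, port, rproto in TRUST_RULES:
        if ext_ip in net and ext_port == port and proto == rproto:
            c.hazard, c.check_type, c.rule_id = "trust", "trust", rid
            c.details.clear()  # payload is stored only for suspicious connections
            return c
    for rid, port, rproto in MISUSE_RULES:
        if ext_port == port and proto == rproto:
            c.hazard, c.check_type, c.rule_id = "danger", "misuse", rid
            return c
    for payload in c.details:  # still suspicious: keyword scan at fixed offsets
        for offset, marker in SENSITIVE_LIBRARY:
            if payload[offset:offset + len(marker)] == marker:
                c.hazard, c.check_type = "warning", "content"
                return c
    return c


def run_detection(packets):
    return [classify(c) for c in build_connections(packets)]


def firewall_commands(conns):
    """Step 10): block commands the controller would send for dangerous connections."""
    return sorted({("block", c.key[1]) for c in conns if c.hazard == "danger"})


SAMPLE_PACKETS = [  # constructed traffic, not captured data
    Packet(1.0, "10.0.0.2", "203.0.113.5", 40000, 80, "TCP", 120, b"GET / HTTP/1.1"),
    Packet(1.2, "203.0.113.5", "10.0.0.2", 80, 40000, "TCP", 800, b"HTTP/1.1 200 OK"),
    Packet(2.0, "10.0.0.3", "198.51.100.7", 5000, 53, "UDP", 60),
    Packet(3.0, "10.0.0.4", "198.51.100.9", 50000, 4444, "TCP", 90),
    Packet(4.0, "10.0.0.5", "198.51.100.10", 50001, 8080, "TCP", 70, b"KEYWORD-X data"),
    Packet(5.0, "10.0.0.6", "198.51.100.11", 50002, 25, "TCP", 0),
]
```

Running `run_detection(SAMPLE_PACKETS)` yields five connection records: the HTTP flow is merged into one record judged by trust rule T1, the UDP datagram stays suspicious (its payload would be retained for the analyzer), the port-4444 connection is judged by misuse rule M1 and appears in `firewall_commands`, the keyword hit is raised to warning by the content check, and the zero-length packet is decided by the header check before any rule is consulted, which is the early-exit ordering the page describes.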
Central control platform operation:
The data submitted by the local detection units comprise warning notification messages and local behavior description data. When the central control platform receives a warning notification message, it immediately issues a warning message on the administration interface or notifies the administrator by e-mail, and logs it. When the central control platform receives behavior description data, it processes them differently at different stages. The operation of the central control platform is divided into a learning phase and a decision phase: the learning phase observes the training data set to build the support vector machine classifier, and the decision phase uses the classifier built in the learning phase to classify new data sets collected from the network, i.e. to detect whether they are normal or abnormal.
In the learning phase:
1) The central control platform stores every microscopic behavior description record submitted by the detection units and, after a certain time interval, extracts the macroscopic behavior information of the connections from these data.
2) It computes the mean and standard deviation of each field in the macroscopic behavior description structure, computes the corresponding feature vector values, and generates the macroscopic feature vectors of the connection behavior.
3) It scans the generated macroscopic feature vectors, takes them as the training data set of the support vector machine, learns from them based on the radial basis function while continually adjusting the parameters, and obtains the decision function.
In the decision phase:
1) The central control platform scans the microscopic behavior description data submitted by the detection units and uses the same algorithm as in the learning phase to generate the corresponding macroscopic behavior feature vectors.
2) The macroscopic behavior feature vector of a connection is used as the input to the support vector machine.
3) The output of the support vector machine is read and the result is judged. If there is an anomaly, a misuse detection rule is generated automatically and the detection units are requested to update their detection rule bases immediately to prevent similar warning notifications from being produced again; at the same time an alarm notification is issued on the administration interface or the administrator is notified by e-mail, the event is logged, and the system waits for the administrator to make further analysis and a decision. If there is no anomaly, the information is only logged. If the administrator confirms abnormal behavior, a more accurate detection rule is formulated to replace the automatically generated one; otherwise the automatically generated detection rule is cancelled.
The duration of the learning phase for building the support vector machine classifier is configured by the administrator according to actual conditions.

Claims (1)

1. the linkage distributed network intrusion detection method based on behavior description is characterized in that
A) detecting unit running:
1.) the packet on the packet collector collection network at first, and these data are put into give processor in the memory pool,
2.) The packet header detection module checks the header format and decides whether the packet is valid. Invalid packets are discarded; for packets that parse but are abnormal it generates a behavior description structure, the header anomaly information and a hazard index.
3.) The description generation module scans each valid packet, generates its behavior description structure and fills in the basic information.
4.) The network connection inspection module preprocesses the packet and associates the information of the individual packet with a network connection.
5.) The network connection inspection module checks the behavior description structure against the trust rules. If the connection is legitimate, it directly generates the behavior description structure and hazard index, places the data structure on the analyzer's queue and goes on to the next data structure.
6.) Connection data structures that matched no trust rule are checked by the network connection inspection module against the misuse rules. If a misuse rule matches, it directly generates the behavior description structure and hazard index, places the data structure on the analyzer's queue and goes on to the next packet.
7.) Connection data structures that match no misuse rule are tagged as suspicious and handed to the content inspection module, which fills in the detailed fields of the behavior description structure and performs a deeper content inspection, mainly scanning the packet payload for keywords from the sensitive-keyword library.
8.) The analyzer takes each behavior description data structure from the queue in turn, reads its hazard index and decides what to do from it. If the hazard index is suspicious, further analysis is needed: a simple analysis based on the local behavior detection rules. If that analysis finds that the behavior does not deviate much, the hazard index is left at suspicious, and both the behavior description data structure and the detailed packet information are saved so that the information centre can analyze them further; otherwise the hazard index is reset to warning.
9.) If the hazard index is trust, normal, warning or dangerous, the analyzer only saves the behavior description data to the local database; for warning or dangerous it additionally sends an event notification to the controller at once.
10.) The controller periodically submits the latest behavior description data to the master control console. When it receives an event notification from the analyzer it forwards the notification to the master control console immediately, and if the hazard index is dangerous it immediately sends a control command to the firewall so that the harmful behavior cannot continue. The controller also accepts commands from the master control console, such as local database update commands, firewall control commands or information submission commands.
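The local detection unit pipeline of steps 2) to 10) above, as an added example in Python; this is not code from the patent or its authors. It assumes concrete contents for things the text only names: a trust rule keyed on source prefix and destination port, a misuse rule keyed on protocol and destination port, a three-entry sensitive-keyword library, a distinct-port count standing in for the "local behavior detection rules" of step 8, five named hazard index levels, and a SYN+FIN flag check as the step 2 header anomaly. All class, field and function names are invented for the example, and the packets in run_unit_demo are constructed, not captured traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hazard index levels named in the text (order assumed, least to most severe);
# the rule contents below are assumptions, the patent names only the rule kinds.
TRUST, NORMAL, SUSPICIOUS, WARNING, DANGEROUS = "trust", "normal", "suspicious", "warning", "dangerous"
TRUST_RULES = [("10.0.0.", 22)]            # (source prefix, destination port) trusted outright
MISUSE_RULES = [("tcp", 23)]               # (protocol, destination port) known misuse
SENSITIVE_KEYWORDS = [b"/etc/passwd", b"cmd.exe", b"' OR 1=1"]
SCAN_PORT_THRESHOLD = 5                    # local behaviour rule: distinct ports per source

@dataclass
class Packet:                              # constructed input, not captured traffic
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = "S"
    payload: bytes = b""
    version: int = 4

@dataclass
class BehaviorDescription:                 # the behaviour description structure
    src: str
    dst: str
    dport: int
    proto: str
    hazard: str = NORMAL
    header_anomaly: str = ""
    conn_id: tuple = ()
    detail: dict = field(default_factory=dict)

class LocalDetectionUnit:
    def __init__(self):
        self.queue = deque()                  # analyzer input queue (steps 5-7)
        self.ports_by_src = defaultdict(set)  # connection state feeding the step-8 rule
        self.local_db = []                    # descriptions kept locally (step 9)
        self.for_centre = []                  # still-suspicious items kept in full (step 8)
        self.firewall_commands = []           # controller -> firewall (step 10)
        self.console_uplink = []              # controller -> master control console (step 10)

    def check_header(self, pkt):           # step 2: drop malformed, flag abnormal headers
        if pkt.version != 4:
            return None
        desc = BehaviorDescription(pkt.src, pkt.dst, pkt.dport, pkt.proto)   # step 3
        if pkt.proto == "tcp" and "S" in pkt.flags and "F" in pkt.flags:
            desc.header_anomaly = "SYN and FIN set together"
            desc.hazard = WARNING
        return desc

    def classify(self, pkt, desc):         # steps 5-7: trust, misuse, then content inspection
        if desc.header_anomaly:
            return desc                        # hazard index already set in step 2
        if any(pkt.src.startswith(p) and pkt.dport == d for p, d in TRUST_RULES):
            desc.hazard = TRUST                # step 5
        elif any(pkt.proto == pr and pkt.dport == d for pr, d in MISUSE_RULES):
            desc.hazard = DANGEROUS            # step 6
        else:                                  # step 7: tag suspicious, scan payload
            desc.hazard = SUSPICIOUS
            hits = [k.decode() for k in SENSITIVE_KEYWORDS if k in pkt.payload]
            desc.detail = {"keywords": hits, "payload_len": len(pkt.payload)}
        return desc

    def ingest(self, pkt):                 # steps 2-7; returns the description or None
        desc = self.check_header(pkt)
        if desc is None:
            return None
        desc.conn_id = (pkt.src, pkt.dst, pkt.proto, pkt.dport)   # step 4
        self.ports_by_src[pkt.src].add(pkt.dport)
        self.queue.append((self.classify(pkt, desc), pkt))
        return desc

    def analyze(self):                     # steps 8-10: analyzer, then controller actions
        while self.queue:
            desc, pkt = self.queue.popleft()
            if desc.hazard == SUSPICIOUS:      # step 8: simple local behaviour rule
                scanning = len(self.ports_by_src[desc.src]) > SCAN_PORT_THRESHOLD
                if scanning or desc.detail.get("keywords"):
                    desc.hazard = WARNING      # clear deviation: reset to warning
                else:                          # keep full packet for the information centre
                    self.for_centre.append((desc, pkt))
            self.local_db.append(desc)         # step 9
            if desc.hazard in (WARNING, DANGEROUS):   # step 9: event to controller
                self.console_uplink.append(("event", desc))      # step 10: forward at once
                if desc.hazard == DANGEROUS:
                    self.firewall_commands.append(("block", desc.src))

    def periodic_submit(self):             # step 10: periodic upload of latest descriptions
        self.console_uplink.append(("batch", list(self.local_db)))
        return len(self.local_db)

def run_unit_demo():
    """Runs constructed traffic through the unit; returns (unit, descriptions)."""
    unit = LocalDetectionUnit()
    pkts = [Packet("1.2.3.4", "10.0.0.5", 80, version=6),          # malformed: dropped
            Packet("10.0.0.7", "10.0.0.5", 22),                     # trust rule
            Packet("203.0.113.9", "10.0.0.5", 23),                  # misuse rule
            Packet("198.51.100.4", "10.0.0.5", 80, payload=b"GET /../../etc/passwd"),
            Packet("198.51.100.8", "10.0.0.5", 8080, payload=b"hello"),
            Packet("192.0.2.1", "10.0.0.5", 1000, flags="SF")]      # header anomaly
    pkts += [Packet("192.0.2.2", "10.0.0.5", p) for p in range(2000, 2006)]  # 6-port scan
    results = [unit.ingest(p) for p in pkts]
    unit.analyze()
    return unit, results
```

Running run_unit_demo() shows the three exits from the connection inspection module: the trusted and misuse-matched packets never reach content inspection, the packet carrying /etc/passwd is tagged suspicious, gets the keyword hit recorded in its detail field and is then raised to warning by the analyzer, while the benign suspicious packet stays suspicious and is kept together with its full payload for the information centre. Only the dangerous packet produces a firewall block command; warnings are forwarded to the console but not blocked.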
B) Operation of the master control console:
The data that a local detection unit submits to the master control console consists of alert notification messages and local behavior description data. When the master control console receives an alert notification message it immediately raises a warning on the administration interface or notifies the administrator by e-mail, and writes a log entry. When it receives behavior description data, the handling depends on the phase: operation of the master control console is divided into a learning phase and a decision phase. In the learning phase it observes a training data set to build the behavior classifier; in the decision phase it uses the classifier built in the learning phase to classify newly collected data from the network, that is, to detect whether it is normal or abnormal.
In the learning phase:
B1.) The master control console stores every micro behavior description record submitted by the detection units; after a certain time interval it extracts the macro behavior information of each connection from these records.
B2.) It analyzes each field of the macro behavior description structure and generates the corresponding macro feature vector.
B3.) It scans the generated macro feature vectors, uses them as the training data set of the classifier's learning phase, and obtains the decision function.
In the decision phase:
B4.) The master control console scans the micro behavior description data submitted by the detection units and generates the corresponding macro behavior feature vectors with the same algorithm as in the learning phase.
B5.) The macro behavior feature vector of a connection is used as the input of the decision function.
B6.) It reads the output of the decision function. If the result is abnormal, it automatically generates a misuse detection rule and requires the detection units to update immediately; at the same time it raises an alarm on the administration interface or notifies the administrator by e-mail, writes a log entry, and waits for the administrator to analyze further and decide. If no abnormality is found, only a log entry is written.
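The learning and decision phases B1) to B6) of the master control console, as an added example in Python; this is not the patent's own code. Micro behavior records are grouped per (source, destination) pair and summarised into a four-field macro feature vector, and the decision function is a per-feature z-score test against the mean and standard deviation of the training vectors. That classifier, the MicroRecord fields, the feature list, the hazard weights, the threshold k and the training traffic built by training_records are all assumptions for the example; the patent fixes neither the macro fields nor the classifier algorithm.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Weight of each hazard index level when summarised per connection (assumed).
HAZARD_WEIGHT = {"trust": 0, "normal": 0, "suspicious": 1, "warning": 2, "dangerous": 3}
FEATURES = ["packets", "distinct_ports", "mean_payload", "mean_hazard"]   # macro fields (assumed)

@dataclass(frozen=True)
class MicroRecord:          # one micro behaviour description as a detection unit submits it
    src: str
    dst: str
    dport: int
    payload_len: int
    hazard: str

def macro_vectors(records):
    """B1/B2 and B4: group micro records per (src, dst) connection pair and turn each
    group's macro behaviour fields into a feature vector (same code in both phases)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.src, r.dst)].append(r)
    vectors = {}
    for key, rs in groups.items():
        n = len(rs)
        vectors[key] = [float(n),
                        float(len({r.dport for r in rs})),
                        sum(r.payload_len for r in rs) / n,
                        sum(HAZARD_WEIGHT[r.hazard] for r in rs) / n]
    return vectors

class DecisionFunction:
    """B3: learn per-feature mean and standard deviation from the training vectors;
    B5/B6: a vector is abnormal when any feature's z-score exceeds k. This simple
    statistical classifier is an assumption; the patent does not fix the algorithm."""
    def __init__(self, k=3.0):
        self.k, self.mean, self.std = k, [], []

    def fit(self, vectors):
        cols = list(zip(*vectors))
        self.mean = [sum(c) / len(c) for c in cols]
        # Floor the deviation so a feature that is constant in training cannot divide by zero.
        self.std = [max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 1e-9)
                    for c, m in zip(cols, self.mean)]
        return self

    def __call__(self, vector):
        z = [(x - m) / s for x, m, s in zip(vector, self.mean, self.std)]
        worst = max(range(len(z)), key=lambda i: abs(z[i]))
        return abs(z[worst]) > self.k, FEATURES[worst], z[worst]

class MasterConsole:
    def __init__(self, k=3.0):
        self.decision = DecisionFunction(k)
        self.rules, self.alerts, self.log = [], [], []

    def learn(self, training):                             # B1-B3
        self.decision.fit(list(macro_vectors(training).values()))

    def decide(self, new_records):                         # B4-B6
        verdicts = {}
        for key, vector in macro_vectors(new_records).items():
            abnormal, feature, z = self.decision(vector)
            if abnormal:
                # Auto-generated misuse rule, standing in for the update sent to detection units.
                self.rules.append({"src": key[0], "dst": key[1], "trigger": feature})
                self.alerts.append(f"anomaly {key[0]}->{key[1]}: {feature} z={z:.1f}")
            self.log.append((key, abnormal, feature, round(z, 2)))
            verdicts[key] = abnormal
        return verdicts

def training_records():
    """Constructed 'normal' traffic for the learning phase: 20 connections with some
    spread in size, port mix and payload length, and a rare suspicious packet."""
    recs = []
    for i in range(20):
        ports = [80, 443] if i % 2 == 0 else [80]
        for j in range(5 + i % 8):
            hazard = "suspicious" if i % 7 == 0 and j == 0 else "normal"
            recs.append(MicroRecord(f"10.0.1.{i}", "10.0.0.5", ports[j % len(ports)],
                                    200 + 20 * (i % 10), hazard))
    return recs

def run_console_demo():
    """Learn on the constructed set, then judge one ordinary connection and one port scan."""
    console = MasterConsole()
    console.learn(training_records())
    fresh = [MicroRecord("10.0.2.1", "10.0.0.5", 80, 300, "normal") for _ in range(8)]
    fresh += [MicroRecord("198.51.100.9", "10.0.0.5", 1000 + j, 0, "suspicious") for j in range(40)]
    return console, console.decide(fresh)
```

run_console_demo() learns from twenty constructed ordinary connections, then judges a similar connection (kept as normal) and a 40-port scan (abnormal, with distinct_ports as the deciding feature), for which decide appends an auto-generated rule to console.rules, the list standing in for the update pushed to the detection units. Because such a rule is derived from a single anomalous aggregate, a practitioner would gate its distribution on the administrator's decision that B6 waits for rather than on the classifier alone.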
CN201210039161.2A 2012-02-20 2012-02-20 Linkable distributed network intrusion detection method based on behavior description Expired - Fee Related CN102594620B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210039161.2A CN102594620B (en) 2012-02-20 2012-02-20 Linkable distributed network intrusion detection method based on behavior description

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210039161.2A CN102594620B (en) 2012-02-20 2012-02-20 Linkable distributed network intrusion detection method based on behavior description

Publications (2)

Publication Number Publication Date
CN102594620A true CN102594620A (en) 2012-07-18
CN102594620B CN102594620B (en) 2014-06-04

Family

ID=46482840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210039161.2A Expired - Fee Related CN102594620B (en) 2012-02-20 2012-02-20 Linkable distributed network intrusion detection method based on behavior description

Country Status (1)

Country Link
CN (1) CN102594620B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980506A (en) * 2010-10-29 2011-02-23 北京航空航天大学 Flow characteristic analysis-based distributed intrusion detection method
US20110173699A1 (en) * 2010-01-13 2011-07-14 Igal Figlin Network intrusion detection with distributed correlation
CN102148691A (en) * 2010-02-08 2011-08-10 北京启明星辰信息技术股份有限公司 Distributed intrusion detection system and connecting method of centralized management in same

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
叶振新 (Ye Zhenxin): "Research on a Linkage Model for Firewall and Intrusion Detection System", Wanfang dissertation database (万方学位论文) *
谭伟 (Tan Wei): "Research on a Linkage Architecture for Firewall and Intrusion Detection System", Wanfang dissertation database (万方学位论文) *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103338183A (en) * 2013-05-22 2013-10-02 蓝盾信息安全技术股份有限公司 Linkage method of intrusion detection system and firewall
CN104252482A (en) * 2013-06-28 2014-12-31 宁夏新航信息科技有限公司 Automatic data detection system
CN103746992B (en) * 2014-01-06 2016-07-13 武汉虹旭信息技术有限责任公司 Based on reverse intruding detection system and method thereof
CN104579823A (en) * 2014-12-12 2015-04-29 国家电网公司 Large-data-flow-based network traffic abnormality detection system and method
CN104579823B (en) * 2014-12-12 2016-08-24 国家电网公司 A kind of exception of network traffic detecting system based on high amount of traffic and method
CN105262768A (en) * 2015-11-04 2016-01-20 上海科技网络通信有限公司 Behavior detection system based on mixed models in cloud computing platform and method
CN106789863A (en) * 2016-04-25 2017-05-31 新华三技术有限公司 A kind of matched rule upgrade method and device
CN106789863B (en) * 2016-04-25 2020-06-26 新华三技术有限公司 Matching rule upgrading method and device
CN110100433A (en) * 2016-12-27 2019-08-06 尚飞运营有限公司 There are control method and monitoring systems
CN110100433B (en) * 2016-12-27 2021-06-15 尚飞运营有限公司 Presence control method and monitoring system
CN106936812B (en) * 2017-01-10 2019-12-20 南京邮电大学 File privacy disclosure detection method based on Petri network in cloud environment
CN106936812A (en) * 2017-01-10 2017-07-07 南京邮电大学 File privacy leakage detection method based on Petri network under a kind of cloud environment
CN106790292A (en) * 2017-03-13 2017-05-31 摩贝(上海)生物科技有限公司 The web application layer attacks detection and defence method of Behavior-based control characteristic matching and analysis
CN107864128A (en) * 2017-10-30 2018-03-30 深信服科技股份有限公司 Scanning detection method, device, readable storage medium storing program for executing based on network behavior
CN107864128B (en) * 2017-10-30 2020-11-13 深信服科技股份有限公司 Network behavior based scanning detection method and device and readable storage medium
CN109167794A (en) * 2018-09-25 2019-01-08 北京计算机技术及应用研究所 A kind of attack detection method of network-oriented system security measure
CN109167794B (en) * 2018-09-25 2021-05-14 北京计算机技术及应用研究所 Attack detection method for network system security measurement
CN110891059A (en) * 2019-11-26 2020-03-17 武汉卓云智方科技有限公司 Internet safety management platform
CN111314300B (en) * 2020-01-17 2022-03-22 广州华多网络科技有限公司 Malicious scanning IP detection method, system, device, equipment and storage medium
CN111314300A (en) * 2020-01-17 2020-06-19 广州华多网络科技有限公司 Malicious scanning IP detection method, system, device, equipment and storage medium
CN112528300A (en) * 2020-12-09 2021-03-19 深圳市天彦通信股份有限公司 Visitor credit scoring method, electronic equipment and related products
CN112528300B (en) * 2020-12-09 2024-05-17 深圳市天彦通信股份有限公司 Visitor credit scoring method, electronic equipment and related products
CN113783889A (en) * 2021-09-22 2021-12-10 南方电网数字电网研究院有限公司 Firewall control method for linkage access of network layer and application layer and firewall thereof
CN115361189A (en) * 2022-08-12 2022-11-18 华能澜沧江水电股份有限公司 Method and system for intelligent management based on distributed firewall security policy
CN117640258A (en) * 2024-01-25 2024-03-01 远江盛邦(北京)网络安全科技股份有限公司 Protection method, device, equipment and storage medium for network asset mapping
CN117640258B (en) * 2024-01-25 2024-04-26 远江盛邦(北京)网络安全科技股份有限公司 Protection method, device, equipment and storage medium for network asset mapping

Also Published As

Publication number Publication date
CN102594620B (en) 2014-06-04

Similar Documents

Publication Publication Date Title
CN102594620B (en) Linkable distributed network intrusion detection method based on behavior description
CN114584405B (en) Electric power terminal safety protection method and system
CN112651006B (en) Power grid security situation sensing system
US11997113B2 (en) Treating data flows differently based on level of interest
EP3528462B1 (en) A method for sharing cybersecurity threat analysis and defensive measures amongst a community
US20230012220A1 (en) Method for determining likely malicious behavior based on abnormal behavior pattern comparison
CN110620759B (en) Multi-dimensional association-based network security event hazard index evaluation method and system
US20210360027A1 (en) Cyber Security for Instant Messaging Across Platforms
CN113486351A (en) Civil aviation air traffic control network safety detection early warning platform
CN104509034B (en) Pattern merges to identify malicious act
CN108833397A (en) A kind of big data safety analysis plateform system based on network security
KR20040035572A (en) Integrated Emergency Response System in Information Infrastructure and Operating Method therefor
CN105681298A (en) Data security abnormity monitoring method and system in public information platform
CN116662989A (en) Security data analysis method and system
CN108965349A (en) A kind of method and system monitoring advanced duration network attack
CN112039862A (en) Multi-dimensional stereo network-oriented security event early warning method
CN113794276A (en) Power distribution network terminal safety behavior monitoring system and method based on artificial intelligence
CN115001934A (en) Industrial control safety risk analysis system and method
CN114125083A (en) Industrial network distributed data acquisition method and device, electronic equipment and medium
CN116859804A (en) Safety situation monitoring and early warning system for ship manufacturing workshop
KR102260272B1 (en) Apparatus for visualizling security information, method thereof, and storage medium storing a program visualizing security information
Yang et al. [Retracted] Computer User Behavior Anomaly Detection Based on K‐Means Algorithm
Arfaoui et al. “SOCaaS-IoT” A Security Operations Center as a Service Approach for IoT Applications Using Open-Source SIEM
KR102251528B1 (en) Apparatus for visualizling cyber security information, method thereof, and storage medium storing a program visualizing cyber security information
Shen Application of Improved Differentiation Algorithm in Public Management Network Security Detection System

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20120718

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: Nanjing Post & Telecommunication Univ.

Contract record no.: 2016320000220

Denomination of invention: Linkable distributed network intrusion detection method based on behavior description

Granted publication date: 20140604

License type: Common License

Record date: 20161121

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 Cancellation of recordation of patent licensing contract

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: Nanjing Post & Telecommunication Univ.

Contract record no.: 2016320000220

Date of cancellation: 20180116

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140604

Termination date: 20180220