Method and Device for Intrusion Detection

US 20110016528A1
Filed: 08/21/2008
Published: 01/20/2011
Est. Priority Date: 08/15/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for intrusion detection, comprising:

allocating one or more detection units in an intrusion detection device for each type of network attack event to detect;

configuring the type of object to detect of this type of network attack event, as well as a detection operator and a detection knowledge base to be used in intrusion detection of this type of object to detect; and

during the intrusion detection, said intrusion detection device performing the following processing;

acquiring network data packets in real time and pre-processing the network data packets to obtain the objects to detect in intrusion detection included in said network data packets; and

according to the types of the acquired objects to detect, corresponding detection units performing intrusion detection based on detection operators and detection knowledge bases configured for these types of objects to detect, and generating network attack alarm events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for intrusion detection are provided. The method comprises: allocating one or more detection units for each type of network attack event to detect and configuring the type of object to detect of this type of network attack event, a detection operator and a detection knowledge base; in intrusion detection, acquiring network data packets in real time and acquiring the objects to detect included therein; then corresponding detection units performing intrusion detection according to the detection operators and detection knowledge bases configured, so as to generate network attack alarm events. The intrusion detection device comprises sequentially connected data pre-processing unit, data distribution unit and detection grid including one or more detection units, and a configuration management unit connected with them. The present invention supports accurate detection of various complex network attack events and considers the execution efficiency of the entire intrusion detection device.

Citations

18 Claims

1. A method for intrusion detection, comprising:
- allocating one or more detection units in an intrusion detection device for each type of network attack event to detect;
  
  configuring the type of object to detect of this type of network attack event, as well as a detection operator and a detection knowledge base to be used in intrusion detection of this type of object to detect; and
  
  during the intrusion detection, said intrusion detection device performing the following processing;
  
  acquiring network data packets in real time and pre-processing the network data packets to obtain the objects to detect in intrusion detection included in said network data packets; and
  
  according to the types of the acquired objects to detect, corresponding detection units performing intrusion detection based on detection operators and detection knowledge bases configured for these types of objects to detect, and generating network attack alarm events.
- View Dependent Claims (2, 3, 4, 5, 13, 14)
- - 2. The method as claimed in claim 1, further comprising:
    - before the intrusion detection, generating a process tree of objects to detect according to the types of objects to detect configured, with leaf nodes of the process tree of objects to detect being objects to detect configured, and other nodes being intermediate objects required to be obtained during processing of the network data packets for obtaining the objects to detect corresponding to the lower layer leaf nodes; and
      
      during the intrusion detection, said intrusion detection device only processing the intermediate objects in said process tree of objects to detect layer by layer to finally obtain the objects to detect in detection.
  - 3. The method as claimed in claim 1, wherein,in said intrusion detection device, a multi-core hardware platform is employed for achieving parallel running of at least part of the detection units in intrusion detection.
  - 4. The method as claimed in claim 1, further comprising:
    - after generating the network attack alarm events, said intrusion detection device comprehensively analyzing the network attack alarm events to generate higher level network intrusion attack events.
  - 5. The method as claimed in claim 4, further comprising:
    - when pre-processing the acquired network data packets, said intrusion detection device collecting environmental information data of a monitored network, including a fingerprint of an operating system and/or a fingerprint of an application system; and
      
      after generating the network attack alarm events, said intrusion detection device comprehensively analyzing the generated network attack alarm events by using said environmental information data to verify the validity of the attack events.
  - 13. The method as claimed in claim 2, wherein,in said intrusion detection device, a multi-core hardware platform is employed for achieving parallel running of at least part of the detection units in intrusion detection.
  - 14. The method as claimed in claim 2, further comprising:
    - after generating the network attack alarm events, said intrusion detection device comprehensively analyzing the network attack alarm events to generate higher level network intrusion attack events.

6. A device for intrusion detection of network attack events, comprising a data pre-processing unit, a data distribution unit and a detection grid which are connected sequentially, and a configuration management unit connecting with the data pre-processing unit, data distribution unit and detection grid, said detection grid comprising one or more detection units, wherein:
- said configuration management unit comprises a customization subunit for allocating one or more detection units for each type of network attack event and configuring a type of object to detect of a type of network attack event to detect for each detection unit as well as a detection operator and a detection knowledge base to be used in intrusion detection;
  
  said data pre-processing unit is used to pre-process network data packets acquired in real time according to the types of objects to detect configured, in order to obtain the objects to detect in intrusion detection included in the network data packets and transfer the objects to detect to said data distribution unit;
  
  said data distribution unit is used to distribute the received objects to detect to corresponding detection units according to the types of objects to detect configured for the detection units; and
  
  each of the detection unit in said detection grid is used to scan and detect the object to detect distributed to the detection unit by using the configured detection operator and detection knowledge base, so as to generate a network attack alarm event.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 15, 16, 17, 18)
- - 7. The intrusion detection device as claimed in claim 6, wherein,said configuration management unit further comprises a process tree generation subunit for generating a process tree of objects to detect according to the types of objects to detect configured, with leaf nodes of the process tree of objects to detect being the objects to detect configured, and other nodes being intermediate objects required to be obtained during processing of the network data packets for obtaining the objects to detect corresponding to the lower layer leaf nodes;
    - andwhen pre-processing the network data, said data pre-processing unit only processes the intermediate objects in said process tree of objects to detect layer by layer to obtain the objects to detect in detection.
  - 8. The device as claimed in claim 6, wherein,said detection grid is realized based on a multi-core hardware platform, and at least part of the detection units can run in parallel during intrusion detection.
  - 9. The device as claimed in claim 6, further comprising a comprehensive analysis verification unit, wherein,each of the detection units is further used to report the generated network attack alarm event to said comprehensive analysis verification unit;
    - andsaid comprehensive analysis verification unit is used to comprehensively analyze a network attack event sequence reported by, the detection units to generate higher level network intrusion attack events.
  - 10. The device as claimed in claim 9, wherein,when pre-processing the network data packets, said data pre-processing unit further collects environmental information data of a monitored network from the network data packets, the environmental information data including a fingerprint of an operating system and/or a fingerprint of an application system, and sends these environmental information data to said comprehensive analysis verification unit;
    - andwhen comprehensively analyzing said network attack alarm event sequence, said comprehensive analysis verification unit uses said environmental information data to comprehensively analyze the generated network attack alarm events, so as to verify the validity of the attack events.
  - 11. The device as claimed in claim 6, wherein,said customization subunit is further used to reconfigure the detection units in the detection grid, including updating the detection operator and detection knowledge base of a detection unit, allocating a detection unit for a new type of network attack event and configuring the type of object to detect, the detection operator and the detection knowledge base, and releasing an allocated detection unit and deleting corresponding configuration information.
  - 12. The device as claimed in claim 6, wherein,said customization subunit allocates one or more detection units for each type of network attack event according to the occurrence frequency of each type of network attack event, and configures the type of object to detect of this type of network attack event for these detection units;
    - andwhen a type of object to detect corresponds to a group of detection units with the same configuration, said data distribution unit distributes the object to detect to an idle detection unit in the detection units.
  - 15. The device as claimed in claim 7, wherein,said detection grid is realized based on a multi-core hardware platform, and at least part of the detection units can run in parallel during intrusion detection.
  - 16. The device as claimed in claim 7, further comprising a comprehensive analysis verification unit, wherein,each of the detection units is further used to report the generated network attack alarm event to said comprehensive analysis verification unit;
    - andsaid comprehensive analysis verification unit is used to comprehensively analyze a network attack event sequence reported by the detection units to generate higher level network intrusion attack events.
  - 17. The device as claimed in claim 7, wherein,said customization subunit is further used to reconfigure the detection units in the detection grid, including updating the detection operator and detection knowledge base of a detection unit, allocating a detection unit for a new type of network attack event and configuring the type of object to detect, the detection operator and the detection knowledge base, and releasing an allocated detection unit and deleting corresponding configuration information.
  - 18. The device as claimed in claim 7, wherein,said customization subunit allocates one or more detection units for each type of network attack event according to the occurrence frequency of each type of network attack event, and configures the type of object to detect of this type of network attack event for these detection units;
    - andwhen a type of object to detect corresponds to a group of detection units with the same configuration, said data distribution unit distributes the object to detect to an idle detection unit in the detection units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venus Info Tech Incorporated, Beijing Venus Information Security Technology Co. Ltd. (Venustech Group Inc.)
Original Assignee
Beijing Venus Information Security Technology Comp Any Limited, Venus Info Tech Incorporated
Inventors
Zhou, Tao, Ye, Runguo, Zhou, Lidan, Li, Bo

Application Number

US12/920,462
Publication Number

US 20110016528A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 41/0677 Localisation of faults

H04L 63/1416 Event detection, e.g. attac...

Method and Device for Intrusion Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Device for Intrusion Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links