Method and Device for Intrusion Detection
First Claim
1. A method for intrusion detection, comprising:
- allocating one or more detection units in an intrusion detection device for each type of network attack event to detect;
- configuring the type of object to detect of this type of network attack event, as well as a detection operator and a detection knowledge base to be used in intrusion detection of this type of object to detect; and
- during the intrusion detection, said intrusion detection device performing the following processing:
  - acquiring network data packets in real time and pre-processing the network data packets to obtain the objects to detect in intrusion detection included in said network data packets; and
  - according to the types of the acquired objects to detect, corresponding detection units performing intrusion detection based on detection operators and detection knowledge bases configured for these types of objects to detect, and generating network attack alarm events.
Abstract
A method and device for intrusion detection are provided. The method comprises: allocating one or more detection units for each type of network attack event to detect and configuring the type of object to detect of this type of network attack event, a detection operator and a detection knowledge base; in intrusion detection, acquiring network data packets in real time and acquiring the objects to detect included therein; then corresponding detection units performing intrusion detection according to the configured detection operators and detection knowledge bases, so as to generate network attack alarm events. The intrusion detection device comprises a data pre-processing unit, a data distribution unit and a detection grid including one or more detection units, connected sequentially, and a configuration management unit connected with them. The present invention supports accurate detection of various complex network attack events while taking into account the execution efficiency of the entire intrusion detection device.
18 Claims
Claim 1 is set out above under First Claim. Dependent claims: 2, 3, 4, 5, 13 and 14.
6. A device for intrusion detection of network attack events, comprising a data pre-processing unit, a data distribution unit and a detection grid which are connected sequentially, and a configuration management unit connecting with the data pre-processing unit, data distribution unit and detection grid, said detection grid comprising one or more detection units, wherein:
- said configuration management unit comprises a customization subunit for allocating one or more detection units for each type of network attack event and configuring a type of object to detect of a type of network attack event to detect for each detection unit, as well as a detection operator and a detection knowledge base to be used in intrusion detection;
- said data pre-processing unit is used to pre-process network data packets acquired in real time according to the types of objects to detect configured, in order to obtain the objects to detect in intrusion detection included in the network data packets and transfer the objects to detect to said data distribution unit;
- said data distribution unit is used to distribute the received objects to detect to corresponding detection units according to the types of objects to detect configured for the detection units; and
- each of the detection units in said detection grid is used to scan and detect the object to detect distributed to that detection unit by using the configured detection operator and detection knowledge base, so as to generate a network attack alarm event.
Dependent claims: 7, 8, 9, 10, 11, 12, 15, 16, 17 and 18.
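As an added illustration (not code from the patent or its assignee), the claimed device in Python: a configuration step allocates detection units per attack type and binds each to an object type, a detection operator and a knowledge base; a pre-processing step turns constructed sample packets into typed objects; a distribution step routes each object to the units configured for its type; and each unit applies its operator to emit alarm events. The packet records, the protocol-to-object-type mapping, the operators and the knowledge-base entries are all assumed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# Constructed sample packets (already decoded) standing in for frames captured in real time.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"proto": "tcp", "dport": 80, "payload": "GET /?q=' OR 1=1 -- HTTP/1.1"},
    {"proto": "udp", "dport": 53, "payload": "aGVsbG8.evil-example.test"},
    {"proto": "tcp", "dport": 22, "payload": "SSH-2.0-OpenSSH"},
]
# Pre-processing rule: which (protocol, port) pairs yield which object type (assumed mapping).
OBJECT_RULES = {("tcp", 80): "http_request", ("udp", 53): "dns_query"}

@dataclass
class DetectionUnit:
    # One unit: attack type it reports, object type it accepts, operator and knowledge base.
    attack_type: str
    object_type: str
    operator: Callable[[str, list], bool]
    knowledge_base: list
    def scan(self, obj: dict) -> Optional[dict]:
        # Run the configured operator over the object; a hit becomes an alarm event.
        if self.operator(obj["data"], self.knowledge_base):
            return {"attack": self.attack_type, "object": obj["type"], "data": obj["data"]}
        return None

def keyword_operator(data: str, kb: list) -> bool:
    # Detection operator: any knowledge-base keyword present (case-insensitive).
    return any(k in data.lower() for k in kb)

def suffix_operator(data: str, kb: list) -> bool:
    # Detection operator: object ends with a domain suffix listed in the knowledge base.
    return any(data.endswith(s) for s in kb)

def build_grid() -> List[DetectionUnit]:
    # Configuration management: allocate units per attack type and bind their settings.
    return [
        DetectionUnit("sql_injection", "http_request", keyword_operator, ["' or 1=1", "union select"]),
        DetectionUnit("dns_tunnel", "dns_query", suffix_operator, [".evil-example.test"]),
    ]

def preprocess(packets: list, object_types: set) -> List[dict]:
    # Data pre-processing unit: derive only the object types some unit is configured for.
    typed = ((OBJECT_RULES.get((p["proto"], p["dport"])), p["payload"]) for p in packets)
    return [{"type": t, "data": d} for t, d in typed if t in object_types]

def run_detection(packets: list, grid: List[DetectionUnit]) -> List[dict]:
    # Data distribution unit: route each object to the units configured for its type.
    by_type: Dict[str, List[DetectionUnit]] = {}
    for unit in grid:
        by_type.setdefault(unit.object_type, []).append(unit)
    objects = preprocess(packets, set(by_type))
    return [e for o in objects for u in by_type.get(o["type"], []) if (e := u.scan(o))]
```

Packets whose (protocol, port) has no configured object type, such as the SSH record above, are dropped at pre-processing and never reach the grid, which is the efficiency point the abstract makes.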