TWO-STAGE INTRUSION DETECTION SYSTEM FOR HIGH-SPEED PACKET PROCESSING USING NETWORK PROCESSOR AND METHOD THEREOF

US 20130160122A1
Filed: 04/22/2012
Published: 06/20/2013
Est. Priority Date: 12/15/2011
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system, comprising:

a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field, among information included in a packet header of packets transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and

a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment.

240 Citations

16 Claims

1. An intrusion detection system, comprising:
- a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field, among information included in a packet header of packets transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and
  
  a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The intrusion detection system of claim 1, wherein the first intrusion detector drops the transmitted packets so as not to perform the deep packet inspection of the second intrusion detector when an intrusion is detected in a protocol field of layer 3 and layer 4 of the packet header.
  - 3. The intrusion detection system of claim 1, further comprising:
    - a plurality of second intrusion detectors connected in parallel, wherein the first intrusion detector transmits the packets to different second intrusion detectors in correspondence with classification of the packets according to stream so as to perform the deep packet inspection in parallel.
  - 4. The intrusion detection system of claim 3, wherein the plurality of second intrusion detectors each comprise a second network processor for performing the intrusion detection through the deep packet inspection.
  - 5. The intrusion detection system of claim 1, wherein the first intrusion detector generates the streams according to a 5-tuple based on packet header information of the packets to again perform the intrusion detection on each of the generated streams when the intrusion detector for the packet header is completed, and again generates the streams according to the 2-tuple based on the packet header information of the packets to perform the classification according to stream when no intrusion is detected in each of the generated streams.
  - 6. The intrusion detection system of claim 1, wherein the first network processor comprises a network processor performing high-speed processing on the packet header through a micro code, andthe second network processor comprises a network processor applying deep packet inspection for a packet payload.
  - 7. The intrusion detection system of claim 5, wherein the first intrusion detector detects layer 4 DDoS and layer 7 DDoS for a source IP of the stream generated according to the 5-tuple to again perform the intrusion detection.
  - 8. The intrusion detection system of claim 5, wherein the first intrusion detector adds a final position of the source IP address of the streams generated according to the 2-tuple to a final position of the destination IP, and then performs a modular operation thereon to perform the classification according to stream and transmit classified packets to the second intrusion detector.

9. An intrusion detection method of an intrusion detection system including a first intrusion detector and a second intrusion detector, the intrusion detection method comprising:
- performing intrusion detection on layer 3 and layer 4 of a protocol field, among information included in a packet header of a packet transmitted to the intrusion detection system, by allowing the first intrusion detector to use a first network processor;
  
  classifying the packets according to stream by the first intrusion detector and transmitting the classified packets to the second intrusion detector when no intrusion is detected as a result of performing the intrusion detection; and
  
  performing intrusion detection through deep packet inspection (DPI) for a packet payload of the packet transmitted from the first intrusion detector by allowing the second intrusion detector to use a second network processor.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The intrusion detection method of claim 9, wherein the transmitting the packets to the second intrusion detector comprises dropping the transmitted packets so as not to perform the deep packet inspection of the second intrusion detector, when an intrusion is detected in a protocol field of layer 3 and layer 4 of the packet header.
  - 11. The intrusion detection method of claim 9, wherein the transmitting the packets to the second intrusion detector comprises transmitting, by the first intrusion detector, the packets to any one of the plurality of second intrusion detectors included in the intrusion detection system in correspondence with the classification of the packets according to stream, andthe performing of the intrusion detection through the deep packet inspection comprises performing, by the plurality of second intrusion detectors, intrusion detection in parallel through deep packet inspection.
  - 12. The intrusion detection method of claim 9, wherein the performing the intrusion detection through the deep packet inspection comprises using, by the plurality of second intrusion detectors, a second network processor included in each of the second intrusion detectors to perform the intrusion detection in parallel through the deep packet inspection.
  - 13. The intrusion detection method of claim 9, wherein the transmitting the packets to the second intrusion detector comprises:
    - generating, by the first intrusion detector, the streams according to a 5-tuple based on packet header information of the packets and again performing the intrusion detection on each of the generated streams generated according to the 5-tuple, when the intrusion detection for the packet header is completed;
      
      again generating, by the first intrusion detector, the streams according to the 2-tuple based on the packet header information of the packets, when no intrusion for each of the generated streams is detected; and
      
      classifying, by the first intrusion detector, the packets according to each of the generated streams according to the 2-tuple to transmit the classified packets to the second intrusion detector.
  - 14. The intrusion detection method of claim 9, wherein the performing the intrusion detection on the protocol field comprises:
    - performing the intrusion detection on the protocol field of layer 3 and layer 4 among information included in the packet header of the packet transmitted to the intrusion detection system by using the first network processor performing a high-speed processing through a micro code; and
      
      the performing the intrusion detection through the deep packet inspection comprises;
      
      using, by the second intrusion detector, the second network processor applying the deep packet inspection to perform the intrusion detection through the deep packet inspection on the packet payload of the packets transmitted from the first intrusion detector.
  - 15. The intrusion detection method of claim 13, wherein the again performing the intrusion detection on each of the generated streams generated according to 5-tuple comprises again performing the intrusion detection by detecting layer 4 DDoS and layer 7 DDoS for a source IP of the streams generated according to the 5-tuple.
  - 16. The intrusion detection method of claim 13, wherein the transmitting the packets to the second intrusion detector comprises adding a final position of a source IP address of the streams generated according to the 2-tuple to a final position of a destination IP, and then performing a modular operation thereon to perform the classification according to stream and transmit the classified packets to the second intrusion detector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
KIM, Deok-Jin, BAE, Byung-Chul, PARK, Sang-Woo, YOON, E-Joong, CHOI, Young-Han, LEE, Sung-Ryoul, LEE, Man-Hee

Granted Patent

US 8,732,833 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

TWO-STAGE INTRUSION DETECTION SYSTEM FOR HIGH-SPEED PACKET PROCESSING USING NETWORK PROCESSOR AND METHOD THEREOF

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

240 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

TWO-STAGE INTRUSION DETECTION SYSTEM FOR HIGH-SPEED PACKET PROCESSING USING NETWORK PROCESSOR AND METHOD THEREOF

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

240 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links