KR100351306B1 - Intrusion Detection System using the Multi-Intrusion Detection Model and Method thereof - Google Patents

Abstract

The present invention relates to an intrusion detection system and a method using various intrusion detection models, and more specifically, to add a security policy violation detection function and a reanalysis function to an intrusion detection function consisting only of conventional misuse detection and abnormal behavior detection. The present invention relates to an intrusion detection system and a method using various intrusion detection models to increase the intrusion detection rate, reduce the false positive rate, and provide a quick intrusion detection and response function.

Description

Intrusion detection system using the various intrusion detection model and its method {Intrusion Detection System using the Multi-Intrusion Detection Model and Method}

The present invention relates to an intrusion detection system, and more specifically, to the intrusion detection system, which is composed of only conventional misuse detection and abnormal behavior detection, an access control concept used in an intrusion detection system (Firewall), etc. By incorporating system / network-specific security policies into intrusion detection system, providing the function to detect violations, and configuring multiple intrusion systems by adding re-analysis function to prevent duplicate alarm and complex attack analysis. The present invention relates to an intrusion detection system using a variety of intrusion detection models and methods for shortening the response time and reducing the load on the system and having accurate intrusion analysis capability.

In the early days, computer system administrators had to manually handle daily stored log files to selectively accept and analyze only the information needed to manage security from a large amount of audit record information. Accordingly, the development of an automated audit tool was required to deal with this quickly, and the audit record analysis technology accumulated in the meantime was used to automatically analyze the audit records to find activities that illegally invaded or harmed the system. An attempt was made. However, there was a problem that intrusions discovered after death were not late, and the analysis and discovery of incidents were not easy due to the hackers' attempts to delete audit records.

In addition, in order to protect the system from intrusion techniques taking advanced and distributed attacks as the computing environment is switched to distributed and open environments, a real-time intrusion detection system capable of detecting and responding to intrusions in real time is required.

In the early 1980s, Anderson meant a set of behaviors that compromised the integrity, confidentiality, and availability of the resources that computers use intrusions. Dorothy E. Denning, which defined the general model of the intrusion detection system in 1987, defines the intrusion detection system as software that detects, identifies, and reports on unauthorized or abnormal behavior in the target system.

These intrusion detection systems are divided into two classification criteria.

One is classification method based on data source, and the other is classification method based on intrusion detection model.

Intrusion detection system based on data source can be classified into Host Based and Network Based. The host-based intrusion detection system uses audit data generated and collected from a host to determine intrusion and uses one host as a detection area. The network-based intrusion detection system collects network data and uses it to determine intrusion. The network-based intrusion detection system detects the entire network area where the intrusion detection system is installed.

The classification based on the intrusion detection model is classified into misuse detection and anomaly detection technology. Misuse detection is a method that detects attacking behaviors using known vulnerabilities of the system in advance and has characteristic information on the attack, and is highly dependent on system audit record information and relatively inexpensive to implement, but it is a known attack technique. Because it has only detection capability for the attack, it is necessary to continuously study the latest attack techniques and have difficulty in adding intrusion scenarios. Anomaly detection is a method that detects behaviors that deviate from this profile while maintaining a profile and system state of normal system usage, and thus requires relatively large amounts of existing data to generate a normal profile. This is big.

Intrusion Detection System (IDS) generally refers to a system that detects abnormal use, misuse, abuse, etc. of a computer system in real time if possible. The technical key in these intrusion detection systems depends on where, how accurately and quickly you can find the basis for judging computer system intrusion. In addition, the problem of reducing the false positive rate when determining intrusion is a big problem to be solved through technical continuous performance improvement.

1 is a block diagram for explaining the configuration of a conventional intrusion detection system.

As shown here, the data collection unit 120, data filtering and abbreviation unit 130, intrusion detection unit 140, warning and reporting unit 150, intrusion response unit 160 is composed of.

When a packet is generated from the external or internal network 100 to the network where the monitored server 110 is located, the data collector 120 collects all traffic and transmits it to the data filtering and abbreviation 130.

The data filtering and abbreviation unit 130 filters only traffic from a large amount of packets (Row Data) to the monitored server 110, and converts and condenses into meaningful information so that an intrusion detection can be performed. 140).

The intrusion detection unit 140 is composed of misuse detection unit 141 and abnormal behavior detection unit 142. The misuse detection unit 141 has an intrusion pattern database in which feature information on known attack behaviors of the system is stored. If the event occurs in the same manner as the contents of the intrusion pattern database, it is determined to be intrusion. The abnormal behavior detection unit 142 has a profile database that stores a profile and system state related to normal system use, and determines that the abnormal behavior is abnormal when the event occurs out of a threshold value stored in the profile database.

When the generated event is determined to be an intrusion in the intrusion detection unit 140, an alarm or the like is generated in the warning and reporting unit 150 to inform the administrator and store the related audit record. In addition, in response to the event determined to be intrusion, the intrusion response unit 160 performs an intrusion response function such as disconnection and resetting the environment of the access control system according to the response set by the administrator.

In the conventional intrusion detection system configured as described above, the misuse detection unit 141 is highly dependent on the system audit record information and has a relatively low implementation cost, but has only the ability to detect known attack techniques. Ongoing research is required and there is a difficulty in adding intrusion scenarios. Several methods have been studied for misuse detection, such as conditional probabilities, expert systems, state transition analysis, pattern matching, and colored petri-net (CPN) analysis, and how to express complex and diverse intrusions easily. To increase the intrusion detection rate. Most commercial intrusion detection systems use a method that converts audit events into information that can be directly found in audit trails, data patterns, etc. in audit trails and compares them with hacking databases. Also called signature analysis.

In addition, since the abnormal behavior detection unit 142 must analyze a lot of existing data in generating a normal profile, the implementation cost is relatively high. Several methods have been studied for the detection of abnormal behaviors, such as statistical techniques, expert systems, data mining, hidden markov models, computer immunology, and neural networks. Emphasis is placed on how to express and infer how the current events differ from normal behavior. Such anomaly detection technology has become the subject of much research today, but it is not used commercially because the implementation cost is too high and the error rate is high. Anomaly detection techniques used in commercial products maintain statistical profiles such as frequencies, covariances, and means, and determine intrusions when current events exceed these limits.

Until now, many studies have been conducted to improve the intrusion detection method or the abnormal behavior method to increase the intrusion detection rate and reduce the misjudgment rate. The combined use of misuse detection techniques and anomaly detection techniques means that misuse detection does not detect intrusions that are not in the hacking database of known attacks, and because anomalies represent only anomalies outside normal behavior, they do not pinpoint intrusions. In order to make up for the shortcomings between the two methods, they are used in parallel, but the method of analyzing the different intrusions by using the two methods is not studied.

As such, detection methods have been researched mainly on misuse detection and abnormal behavior detection technologies in intrusion detection systems. However, the introduction of other concepts or the use of various intrusion detection methods in addition to misuse and abnormal behavior detection increases the detection rate and reduces the false positive rate. Attempts are rarely made. This conventional intrusion detection system has the following problems.

First, the existing intrusion detection system is composed of only misuse detection and abnormal behavior detection, so it is difficult to reflect the security policy of the institution. Most intrusion detection systems warn that an event is an intrusion when the event occurs is equal to the specific contents of the hacking database of the misuse detection unit or exceeds the limit defined by the abnormal behavior detection unit. The administrator can only decide whether to check the security incident database for consistency or not, and re-establish the threshold. Conventional intrusion detection system can be applied uniformly regardless of the institution's security policy, so it has the same type of operation regardless of the characteristics of the organization or organization.

Second, the conventional intrusion detection system is determined to be an intrusion only if it matches the signature (Signature) defined in the security violation event database. If an intrusion is expressed in a sequence of signatures, the intrusion is not determined until a certain time has elapsed. As a result, despite the intrusion, the intrusion detection system only observes the event and delays response by noticing the intrusion only after a certain time has elapsed.

Third, the conventional intrusion detection system filters only the traffic to the monitoring target among the traffic, and is transmitted to the misuse detection unit and the abnormal behavior detection unit. The forwarded packet is analyzed if there is a corresponding analysis module in the misuse detection unit and the abnormal behavior detection unit. In order to prevent the search of all hacking databases, separate the hacking database by system characteristics or hacking database by service and distribute it. Some systems try to reduce the system load by installing only the database required for intrusion detection system installation. However, it is difficult to design a hacking database in consideration of the characteristics of both the system and the service. If the unnecessary database is removed, the service of the system needs to be reinstalled according to the change.

Fourth, the conventional intrusion detection system warns each of them when it is determined that they are different attacks. In the determination of an attack, the various signatures are related to each other and the specific attacks are analyzed. However, the association between the determined attacks is not defined as a new attack, and thus many alarms are generated when similar attacks occur.

The present invention has been made to solve the above problems, and the object of the present invention is to introduce an access control technology, which is a traditional concept of system security, into an intrusion detection system to violate the security policy set by the institution, although it is not a hacking behavior or abnormal behavior. It is to provide an intrusion detection system that can detect this case.

It is another object of the present invention to filter the audit data transmitted to the misuse detection unit and the abnormal behavior detection unit in the security policy by the structure of shipping and distributed after attack detection of the security policy, thereby reducing the load on the system and filtering results based on the security policy. It is to provide an intrusion detection system that can efficiently and fast intrusion detection by configuring only the optimal intrusion detection module for each monitoring target.

It is still another object of the present invention to provide an intrusion detection method that can perform rapid intrusion detection and response and accurate intrusion analysis by performing the first detection function and the immediate response function based on the security policy and analyzing the detailed intrusion information through the reanalysis function. To provide.

Another object of the present invention is to re-analyze intrusion data determined as an intrusion in the misuse analysis unit and abnormal behavior detection unit to prevent duplicate alarms for the same attack type and to express related attacks in one attack form, unnecessary alarm It is to provide an intrusion detection method that prevents.

1 is a block diagram for explaining the configuration of a conventional intrusion detection system,

Figure 2 is a block diagram for explaining the configuration of the intrusion detection system according to the present invention,

3 is an interaction diagram for explaining the interaction of the intrusion detection system according to the present invention,

4 is a flowchart illustrating a data filtering and abbreviation unit and a security policy violation detection unit according to the present invention;

5 is a flowchart illustrating a misuse detection unit according to the present invention;

6 is a flowchart illustrating an abnormal behavior detection unit according to the present invention;

7 is a flowchart illustrating a result adjustment and audit data generation unit according to the present invention;

8 is a flowchart illustrating a reanalysis unit according to the present invention;

9 is an interaction diagram for explaining the interaction of the intrusion detection system according to another embodiment of the present invention.

Explanation of symbols on the main parts of the drawings

200: internal / external network 210: monitoring target server

220: data collection unit 230: data filtering and abbreviation

240: intrusion detection unit 241: security policy violation detection unit

242: misuse detection 243: abnormal behavior detection

244: reanalysis unit 250: warning and reporting unit

260: intrusion counterpart

In order to achieve the above object, the present invention provides a data collection unit for collecting all traffic when a network packet with a server to be monitored in the external or internal network; A data filtering and abbreviation unit for filtering the data collected by the data collection unit only data necessary for intrusion detection and converting and condensing into meaningful information to enable intrusion detection; An intrusion detection unit for detecting and analyzing a violation of the data filtered by the data filtering and abbreviation unit; A warning and reporting unit for leaving a warning and an associated audit record when the intrusion detection unit is analyzed as an intrusion; In addition, when the intrusion detection unit is analyzed as an intrusion, characterized in that it comprises a chip-in response unit for performing a defined response action, such as disconnection, resetting the environment of the access control system.

The intrusion detection unit may further include a security policy violation detection unit that detects a violation of data collected by the data filtering and abbreviation unit based on an IP address and a service port, based on an allowable policy and a non-permissive policy database for each monitored server; A misuse detection unit that has a feature database of known attack behavior of the system and notifies an intrusion when an event such as a hacking database occurs; An abnormal behavior detection unit which maintains a profile regarding the normal system usage and system state and detects behaviors which deviate from this profile; And a re-analyzer configured to re-analyze the packet violated by the security policy violation detection unit and the data determined as the intrusion by the misuse detection unit and the abnormal behavior detection unit.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is a block diagram illustrating a configuration of a multiple intrusion detection system based on a security policy according to the present invention.

As shown here, the intrusion detection system according to the present invention is a data collection unit 220, data filtering and abbreviation unit 230, intrusion detection unit 240, warning and reporting unit 250, intrusion counterpart ( 260).

The data collector 220 collects all traffic from the external or internal network 200 to the network in which the monitored server 210 is located, and transmits the traffic to the data filtering and abbreviation 230.

The data filtering and contracting unit 230 filters and converts only traffic to a surveillance system, extracts only data necessary for intrusion detection, and converts and converts into meaningful information so that intrusion detection can be performed.

The intrusion detection unit 240 is composed of a security policy violation detection unit 241, misuse detection unit 242, abnormal behavior detection unit 243, re-analysis unit 244. The security policy violation detection unit 241 detects violations with an allow policy and a deny policy for each monitoring target server 210 based on the access control policy. The violated packet performs the post-analysis function in the reanalysis unit 244, and the permitted packet is analyzed in the misuse detection unit 242 and the abnormal behavior detection unit 243. The misuse detection unit 242 has an intrusion pattern database in which feature information on known attack behavior of the system is stored. If the event occurs is the same as the contents of the intrusion pattern database, the misuse detection unit 242 determines that the intrusion is invasive. The abnormal behavior detection unit 243 has a profile database that stores a profile of the normal system usage and a system state, and determines that the abnormal behavior is an abnormal behavior when the event that deviates from the state stored in the profile database exceeds a threshold. The reanalysis unit 244 re-analyzes the data determined to be intrusion to prevent duplicate alarms for the same attack type and to express related attacks in one attack type, thereby preventing unnecessary alarms.

If it is determined that the intrusion detection unit 240 is an intrusion, the warning and reporting unit 250 leaves a warning and the related audit record, and the intrusion response unit 260 defines a response such as disconnecting and resetting the environment of the access control system. Perform the action.

As shown in FIG. 3, when the packet is generated from the external or internal network 300 to the network where the monitored server 301 is located, the data collection unit 302 is configured to handle all traffic. Collect it and pass it to the data filtering and abbreviation 303.

The data filtering and abbreviation unit 303 filters the traffic based on the surveillance target list of the surveillance target list storage unit 312 from a large amount of packets (Row Data) and provides meaningful information to enable intrusion detection. Transition and abbreviation of and passes to the security policy violation detection unit 304.

The security policy violation detection unit 304 determines whether the security policy of the organization has been violated based on the security policy list for each monitoring target of the security policy storage unit 313 for each monitoring target. The allowed packet is delivered to the misuse detection unit 305 and the abnormal behavior detection unit 306, and the violated packet is analyzed by the reanalysis unit 307 through the result adjustment and audit data generation unit 308, and the immediate response and report. In order to be transmitted to the intrusion response unit 309 and the warning and reporting unit 310.

The misuse detection unit 305 analyzes only packets allowed by the security policy violation detection unit 304 and compares them with the intrusion pattern database of the intrusion pattern storage unit 314 to determine that there is a match. The data determined as the intrusion is analyzed by the reanalysis unit 307 through the result adjustment and audit data generation unit 308 and transmitted to the intrusion response unit 309 and the warning and reporting unit 310 for immediate response and reporting.

The abnormal behavior detection unit 306 analyzes only packets allowed by the security policy violation detection unit 304 and compares the profile database with the profile database of the profile storage unit 315 to determine abnormal behavior. The data determined as intrusion is analyzed by the reanalysis unit 307 through the result adjustment and audit data generation unit 308, and is transmitted to the intrusion response unit 309 and the warning and reporting unit 310 for immediate response and reporting. .

The result adjustment and audit data generation unit 308 receives the intrusion detection result from the security policy violation detection unit 304, the misuse detection unit 305, the abnormal behavior detection unit 306, the reanalysis unit 307, the intrusion response Intrusion response unit 309, warning and reporting for transforming the data into a form suitable for processing in the unit 309, warning and reporting unit 310, and generates abbreviated audit data, and for quick response to the first detected attack The unit 310 is first transmitted to the reanalysis unit 307 for successive attacks and the like, and delivers the results back to the intrusion counterpart 309 and the warning and report unit 310.

The reanalyzer 306 analyzes detailed intrusion information with respect to the event determined to be rejected by the security policy violation detector 304 in comparison with a reanalysis pattern database, and analyzes the misuse detector 305 and the abnormal behavior detector 306. In the case of the same attack for the event determined to be an intrusion in the) is recognized as a duplicate alarm, and provides information such as a predetermined time interval or the end time and the number of times, the misuse detection unit 305 and abnormal behavior detection unit 306 When several events are determined to be intrusions and different information, the related attacks are expressed in a single attack form or compared to the reanalysis pattern database, or multiple attacks are detected.

When the intrusion response unit 309 receives the intrusion action from the result adjustment and audit data generation unit 308, the intrusion response unit 309 performs the corresponding action based on the intrusion response rule of the intrusion response rule storage unit 317.

When the warning and report unit 310 receives the intrusion activity from the result adjustment and audit data generation unit 308, it generates an alarm to notify the administrator and reports to the security management unit 311.

The security management unit 311 manages all data used in the intrusion detection system.

4 is a flowchart illustrating a data filtering and contracting unit and a security policy violation detecting unit according to the present invention.

As shown here, the packet collected by the data collecting unit S400 is compared with the monitoring target traffic by referring to the monitoring target list S413 in the data filtering and abbreviation S410 (S412). If it is not the traffic to be monitored, the packet is dropped (S411). Otherwise, if the traffic is to be monitored, the packet is transmitted to the security policy violation detection unit S420.

The security policy violation detection unit S420 first searches a security policy search database for a monitoring target (S421) and compares whether the security policy is an allow policy or a reject policy (S422). The security policy for each monitoring target includes an allow list (S425) and a deny list (S426).

If, in the case of the allow policy, it is checked whether the service is allowed by referring to the allow list (S425) (S423). If the service is allowed, delivers the packet to the misuse detection unit (S440) and abnormal behavior detection unit (S450), otherwise the service is not allowed, intrusion response unit (S432) through the result adjustment and audit data generation unit (S430). ) And the reanalysis unit (S434).

If the rejection policy, the service is checked with reference to the deny list (S426) (S424). If the service is not denied, the packet is transmitted to the misuse detection unit S440 and the abnormal behavior detection unit S450. If the service is denied, the intrusion response unit S432 is transmitted through the result adjustment and audit data generation unit S430. It is transmitted to the reanalysis unit (S434).

5 is a flowchart illustrating the misuse detection unit according to the present invention.

As shown here, only the data allowed by the security policy violation detection unit S420 is transferred to the misuse detection unit S510. In the misuse detection unit S510, first, a network protocol related signature is generated. Extraction (S511). Next, it is determined whether the network protocol attack is compared with the intrusion pattern database (S518) (S512). If it is a network protocol attack, it is transmitted to the intrusion counterpart S432 and the reanalyzer S434 through the result adjustment and audit data generator S430. Otherwise, if it is not a network protocol attack, the application service is identified and the data is transmitted to the corresponding detection module (S513). The individual application service detection module first extracts a signature for each application service (S514) and sets an intrusion detection range (S515). It is determined whether the application service attack is compared with the intrusion pattern database (S518) (S516). If it is an application service attack, it is transmitted to the intrusion counterpart S432 and the reanalysis unit S434 through the result adjustment and audit data generation unit S430. Otherwise, the application service attack is terminated (S517).

6 is a flowchart illustrating an abnormal behavior detection unit according to the present invention.

As shown here, only the data allowed by the security policy violation detection unit S420 is transferred to the abnormal behavior detection unit S450. In the abnormal behavior detection unit S450, first, a state value required from the packet data is provided. Is extracted (S611), and the state value for the entire network is calculated (S612). The status value of the entire network is compared with the profile database S617 to determine whether it is abnormal (S613). If abnormal traffic is transmitted to the intrusion response unit S432 and the reanalysis unit S434 through the result adjustment and audit data generation unit S430, and in the case of normal traffic, the network status value for each monitoring target / service is displayed. Calculate (S614). The network state value for each monitoring target / service is compared with the profile database S617 to compare whether it is abnormal (S615). In case of abnormal traffic, the result is adjusted and transmitted to the intrusion counterpart S432 and the reanalysis unit S434 through the audit data generation unit S430, and when it is normal, the process ends (S616).

7 is a flowchart illustrating a result adjustment and audit data generation unit according to the present invention.

As shown here, the data determined as intrusion in the security policy violation detection unit (S420), the misuse detection unit (S440), the abnormal behavior detection unit (S450) or the result of the re-analysis in the re-analysis unit (S740) is a result adjustment and The audit data generating unit S630 is transmitted. The result adjustment and audit data generating unit S630 generates audit data by configuring the necessary information in the reanalysis unit S740, the warning and reporting unit S650, and the intrusion response unit S432 from the data determined as the intrusion (S630). S631). Next, the attack type and the detection unit are identified (S632), and it is determined whether it is a result of reanalysis or a result determined as an intrusion by another intrusion detection unit (S633). If the result of the re-analysis, it is identified whether the intrusion response is necessary (S635), if no response is sent to the warning and reporting unit (S650), if necessary, the warning and reporting unit (S650) and intrusion response unit (S432). Is delivered.

Otherwise, if it is not the result of reanalysis, it is determined whether it is the first detected attack (S634). If it is the first detected attack, it is transmitted to the step of identifying whether the intrusion response is necessary (S635), and also passed to the reanalysis unit (S740) for reanalysis. If the subject and object information of the attack is similar and not the first attack, it is transmitted to the reanalysis unit S740 to analyze the duplicate alarm prevention, similar attack, and multiple attacks.

8 is a flowchart illustrating a reanalysis unit according to the present invention.

As shown here, the data determined as intrusion in the security policy violation detection unit (S420), misuse detection unit (S44) and abnormal behavior detection unit (S450) is re-analyzed through the result adjustment and audit data generation unit (S630). It is transmitted to the unit (S740). The reanalysis unit S740 extracts attack information (S711), and compares the similarity between the subject and the object (S712). If there is no similar subject or object information, it is recognized as the first attack and stored in the detection information temporary storage (S716). Otherwise, if there is similar subject and object information, it is compared whether or not the same attack (S713). If the same attack, the relevant information is corrected in the detection information temporary storage (S716). If it is not the same attack, it is compared with the reanalysis pattern database (S717) to compare whether a new attack type, such as a similar attack and multiple attacks (S714). If the attack can not be newly defined, the result is sent to the adjustment and audit data generation unit (S630), if there is a pattern, such as the reanalysis pattern database (S717) to report a new type of attack (S715), the result adjustment and audit data Transfer to the generation unit (S630). The detection information temporary storage S716 periodically inspects and manages detection information in order to accept new information and delete old information that is not used (S718). A timeout or a time interval defined by an administrator is checked (S719), and the modified data is transmitted to the result adjustment and audit data generation unit (S630).

9 is another embodiment according to the present invention, which shows that the security policy violation detection unit, misuse detection unit, abnormal behavior detection unit, and reanalysis unit partially perform this function without using result adjustment and audit data generation unit. Drawing.

As shown here, when a packet occurs from the external or internal network 900 to the network where the server 901 is monitored, the data collector 902 collects all traffic to the data filtering and abbreviation 903. Convey it.

The data filtering and abbreviation unit 903 filters the traffic based on the watch list of the watch list storage unit 911 from a huge amount of packets (Row Data) and converts it into meaningful information to enable intrusion detection. Conversion and abbreviation are passed to the security policy detection unit 904.

The security policy violation detection unit 904 determines whether the security policy of the organization has been violated based on the list of security policies for each monitoring target of the security policy storage unit 312 for each monitoring target. Allowed packets are forwarded to the misuse detection unit 905 and abnormal behavior detection unit 906, and the violated packets are forwarded to the intrusion response unit 908 and warning and reporting unit 909 for immediate response and reporting. In order to analyze the intrusion information is passed to the re-analysis unit 907.

The misuse detection unit 905 analyzes only the packets allowed by the security policy violation detection unit 904 and compares them with the intrusion pattern database of the intrusion pattern storage unit 913 and determines that there is a match. It is transmitted to the intrusion response unit 908 and the warning and report unit 909 for the immediate response and report determined as the intrusion, and to the re-analysis unit 907 to analyze the duplicate alarm prevention, similar attacks and multiple attacks.

The abnormal behavior detection unit 906 analyzes only the packets allowed by the security policy violation detection unit 304 and compares the packet with the profile database of the profile storage unit 914 to determine an abnormal behavior. Data determined as an intrusion is transmitted to the intrusion response unit 908 and the warning and reporting unit 909 for immediate response and reporting, and to the re-analysis unit 907 to analyze duplicate alarm prevention, similar attacks, and multiple attacks. do.

The re-analysis unit 907 analyzes detailed intrusion information with respect to the event determined to be rejected by the security policy violation detection unit 904 in comparison with the re-analysis pattern database, and misuse detection unit 905 and abnormal behavior detection unit 906. In the case of the same attack for the event determined to be an intrusion at the same time, it is recognized as a duplicate alarm and provides information such as a predetermined time interval or the time and number of times, and misuse detection unit 905 and abnormal behavior detection unit 906 If it is determined to be an intrusion and the information is different, it can be expressed as a single attack type or detected multiple attacks compared to the reanalysis pattern database for related attacks.

When the intrusion response unit 908 receives an intrusion action from each intrusion detection unit, the intrusion response unit 908 performs a corresponding response action based on the intrusion response rule of the intrusion response rule storage unit 916.

The warning and reporting unit 909 generates an alarm and reports the result to the security management unit 910 when the intrusion activity is received from each intrusion detection unit.

The security management unit 910 manages all data used in the intrusion detection system.

As another example, there may be a case where the re-analysis unit is not used and a security policy violation detection unit is not used as follows.

First of all, the misuse detection unit and the abnormal behavior detection unit are combined with the security policy violation detection unit without using the re-examination unit. The independent use of the security policy violation detection unit, that is, the security policy violation detection unit, the misuse detection unit, and the abnormal behavior detection unit are used in parallel. It may be.

In addition, without using the security policy violation detection unit, the misuse detection unit and abnormal behavior detection unit may be used in combination with the reanalysis unit.

Therefore, as described above, the present invention applies the access control technology used in the intrusion prevention system to the intrusion detection system, and establishes the security policy of the organization for the system or the network and reflects it to the intrusion detection system. Various security violations that can not be detected by the detection unit can be detected. Recently, hacking tools encrypt packets, while existing intrusion detection systems cannot analyze encrypted packets. However, since most backdoors use services that are not allowed by the organization, they have the advantage of detecting unauthorized packets without analyzing the packets.

In addition, the present invention has the advantage that by performing a re-analysis function for the event detected as a violation in the security policy violation detection unit, enabling pre-detection, response, and post-analysis and reduce the false positive rate ?? In case of port scan, the existing intrusion detection system detects a port scan when the connection request is over the limit port and performs the corresponding action. However, if a legitimate system administrator checks several ports to check the network, this is also determined to be an intrusion. In the present invention, when an authorized administrator checks an authorized port, it is not determined to be an intrusion and is regarded as an intrusion when an unauthorized user attempts to use the service. When an unauthorized user accesses a service port, it detects a security policy violation and performs countermeasures. Therefore, it has a faster operation structure than an existing intrusion detection system that only observes during multiple ports. Like the existing intrusion detection system, in order to provide administrators with more detailed intrusion-related information, the reanalysis unit analyzes packets during response actions and informs them of port scan.

In addition, in the present invention, since only the packets allowed in the security policy violation detection unit are delivered to the misuse detection unit and the abnormal behavior detection unit, many packets are filtered and only the analysis module allowed in the security policy operates in the misuse detection unit and the abnormal behavior detection unit. This reduces the load on the intrusion detection system. Therefore, there is an advantage that the misuse detection unit and abnormal behavior detection unit can operate faster than the existing intrusion detection system.

In addition, the present invention by re-analyzing the data determined to be intrusion in the misuse analysis unit and abnormal behavior detection unit, to prevent duplicate alarms for the same attack type and to express unnecessary alarms by expressing a new attack type for other related attack types There is an advantage that can be prevented.

Claims (8)

In the intrusion detection system that detects intrusions and analyzes traffic between networks that are monitored in an external or internal network, A data collection unit for collecting data such as network packets from the system usage history provided by the monitored server or the monitored server; A data filtering and contracting unit for filtering only data necessary for intrusion detection and converting and condensing into meaningful information to enable intrusion detection; Based on the IP address and service port for detecting and analyzing the violations of the data collected by the data filtering and abbreviation unit, the data collected by the data collection and abbreviation unit has a policy of allowing and disallowing policy for each monitored server. Security policy violation detection unit that detects violations, database of characteristic information about known attack behavior of the system, misuse detection unit that informs intrusion when an event such as hacking database occurs, and profile of normal system usage An abnormality detection unit that detects activities that are out of this profile while maintaining the system state, and a packet violated by the security policy violation detection unit, and data determined as an intrusion by the misuse detection unit and an abnormality detection unit Configured to include reanalyses to reanalyze An intrusion detection unit; A warning and reporting unit for leaving a warning and an associated audit record when the intrusion detection unit is analyzed as an intrusion; Intrusion detection system using a variety of intrusion detection model characterized in that the intrusion detection unit comprises a chip intrusion response unit for performing a defined response action, such as disconnection, resetting the environment of the access control system. According to claim 1, Intrusion detection results are received from the security policy violation detection unit, misuse detection unit, abnormal behavior detection unit, and transforms the data into a form suitable for processing in the re-analysis unit, intrusion response unit, warning and reporting unit, etc. Intrusion detection system using a variety of intrusion detection model, characterized in that further comprises a result adjustment and audit data generation unit for generating the abbreviated audit data. In the intrusion detection method for analyzing the traffic between the network to be monitored in the external or internal network and intrusion detection, The packet collected by the data collection unit is a first determination step of comparing whether or not the traffic to be monitored by referring to the monitoring target list in the data filtering and contraction unit, If the traffic is not to be monitored in the first determination step, dropping a packet; A search step of searching a security policy search database for the monitored object, if the monitored traffic is detected in the first determination step; A second judgment step of comparing whether the data retrieved in the search step is a permission policy or a reject policy; A third judgment step of checking whether the service is allowed by referring to the allow list in the case of the allowable policy in the second decision step; If the service is permitted in the third determination step, forwarding the packet to the misuse detection unit and the abnormal behavior detection unit; If the service is not allowed in the third determination step, the result of the adjustment and audit data generation unit is passed to the intrusion response unit and the re-analysis unit, A fourth decision step of checking whether the service is denied by referring to the deny list in the case of the denial policy in the second decision step; Delivering the packet to the misuse detection unit and the abnormal behavior detection unit, if the service is not rejected in the fourth determination step; If the service is rejected in the fourth determination step, intrusion detection method using a variety of intrusion detection model comprising the step of passing to the intrusion response unit and the re-analysis unit through the result adjustment and audit data generation unit. The method of claim 3, wherein the misuse detection unit firstly extracts a network protocol related signature; A fifth determination step of comparing the signature extracted in the first extraction step with the intrusion pattern database to determine whether the attack is a network protocol attack; If the network protocol attack in the fifth determination step, the result of the coordination and audit data generation unit is transmitted to the intrusion response unit and the re-analysis unit, A distribution step of identifying an application service and distributing data to a corresponding detection module if the network protocol attack is not performed in the fifth determination step; A second extraction step of extracting a signature for each application service from the data distributed in the distribution step; A setting step of setting an intrusion detection range using the data extracted in the second extraction step; A sixth judging step of determining whether an application service attack is compared with the data set in the setting step and the intrusion pattern database; If the application service attack in the sixth judging step, the result adjustment and the audit data generation unit is passed to the intrusion response unit and the re-analysis unit, Intrusion detection method using a variety of intrusion detection model comprising the step of terminating, if not the application service attack in the sixth determination step. The method of claim 3, wherein the abnormal behavior detection unit first comprises: a conversion step of extracting a required state value from packet data; A first calculation step of calculating a state value for the entire network with the data converted in the conversion step; A seventh judging step of comparing the status value and the profile database for the entire network to determine whether it is abnormal; In the case of abnormal traffic in the seventh judging step, the result adjustment and the audit data generation unit is passed to the intrusion response unit and the re-analysis unit, A second calculation step of calculating a network state value for each monitoring target / service in case of normal traffic in the seventh determination step; An eighth judging step of comparing the network state value for each monitoring target / service and the profile database for abnormality; In the case of abnormal traffic in the eighth judgment step, the result is delivered to the intrusion response unit and the re-analysis unit through the result adjustment and audit data generation unit, Intrusion detection method using a variety of intrusion detection model comprising the step of terminating, if the normal traffic in the eighth determination step. 4. The method of claim 3, wherein the result adjustment and audit data generation unit comprises: a generation step of generating audit data by configuring information required by the re-analysis unit, warning and report unit, and intrusion response unit from the data determined as the intrusion; An identification step of identifying the audit data generated in the generation step as an attack type and a detection unit; A ninth judgment step of determining whether the data identified in the identification step is a result of reanalysis or a result determined by the other intrusion detection unit as an intrusion; A tenth judging step of determining whether the first detected attack is not the result of reanalysis in the ninth judging step; An eleventh step of identifying whether an intrusion response is required if the attack is detected first in the tenth judgment step; If the intrusion response is necessary in the eleventh judgment step, the step of being delivered to the warning and reporting unit and the intrusion response unit, If the intrusion response is not necessary in the eleventh judging step, and delivered to the warning and reporting unit, If it is not the first detected attack in the tenth judgment step, and delivered to the re-analysis unit to analyze the duplicate alarm prevention, similar attacks and multiple attacks, If the result of the re-analysis in the ninth determination step, the intrusion detection method using a variety of intrusion detection model comprising the step of moving to the eleventh determination step to identify whether intrusion response is necessary. The method of claim 3, wherein the re-analyzing unit comprises a third extraction step of extracting attack information, A twelfth judgment step of comparing the similarity between the subject and the object of the data extracted in the third extraction step; If there is no similar subject or object information in the twelfth judgment step, recognizing it as the first attack and storing it in a detection information temporary repository; In a twelfth judgment step, if there is similar subject and object information, the thirteenth judgment step of comparing the same attack, Modifying the relevant information in the detection information temporary storage in case of the same attack in the thirteenth judgment step; In the thirteenth judgment step, if the same attack is not the same, comparing with the reanalysis pattern database, a fourteenth judgment step of comparing whether a new attack type such as a similar attack or a multiple attack can be specified; If the attack cannot be newly defined in the fourteenth judging step, the result is passed to a result adjustment and audit data generation unit; In the case of the 14th determination step, if there is a pattern such as a reanalysis pattern database, an intrusion using various intrusion detection models comprising reporting a new type of attack, and transmitting the result to the result adjustment and audit data generation unit. Detection method. 8. The method of claim 7, wherein the temporary storage of detection information includes a management step of periodically inspecting and managing detection information to receive new information and delete old information that is not in use; Intrusion using a variety of intrusion detection model comprising the step of checking the data checked in the management step timeout or a predetermined time interval defined by the administrator and deliver the modified data to the result adjustment and audit data generation unit Detection method.