1. Field of Invention
The present invention relates to an intrusion detection system, and more particularly to an intrusion detection system having a network card capable of executing a packet decode procedure and a packet pre-process procedure.
2. Related Art
In most network security solutions, antivirus software and firewalls are used to provide basic network security and protection: antivirus software protects computer systems against viruses, and firewalls protect private data from being stolen. Although firewalls and antivirus software keep most malicious intrusions out of the computer systems, some attackers are still able to penetrate the firewall and gain access to the computer systems. Network intrusion detection system (NIDS) technology was therefore developed and has become an important technology for protecting the data in computer systems from theft and for preventing malicious damage to the computers. The intrusion detection system (IDS) works together with the firewall to efficiently prevent malicious intrusion from the extranet or the intranet. The IDS mainly monitors and analyzes the network activity of a computer system, discovers unauthorized or abnormal network packet activity by analyzing all received network packets, raises an alert about the abnormal access actions once the computer is intruded upon, and records the results of its statistical analysis in a report. Generally speaking, the network intrusion detection system may be a computer/server placed at an important Internet node, e.g. behind the boundary router of an intranet or in front of an important (protected) server, and it sends alert signals once it detects a malicious attack or suspicious connection activity, so that the attack carried by the malicious connection can be blocked or filtered and the intranet protected against data theft and data damage. The main detection methods of network intrusion detection are signature-based detection, behavioral anomaly detection, and protocol anomaly detection.
The server of the network intrusion detection system inspects the network connection states and the contents of the packets flowing through it, and when it discovers a network attack event or an abnormal event matching a definition configured by the administrator of the network intrusion detection system, it sends an alert so that the administrator can respond, and further records the abnormal event in a program or a log file.
Current network intrusion detection technology may be classified into two types: the network-based intrusion detection system and the host-based intrusion detection system. In the network-based system, the intrusion detection host is placed at an important point in a network segment and performs characteristic analysis on each data packet, or on suspicious packet types, flowing through it. The host-based system mainly analyzes and evaluates the log files of a host or a system. Whichever type is used, the intrusion detection consumes a certain amount of system resources, because the network intrusion detection system analyzes the types of the packets and may even parse their contents. Therefore, in a high-speed network or a network with heavy traffic, such as Gigabit Ethernet, where intrusion attacks may be more complex and viruses may spread quickly, the network intrusion detection system cannot detect the intrusion attacks in real time because its processing capacity cannot keep up with the traffic.
In view of the problem that the response capability of the network intrusion detection system cannot keep up with a network environment with heavy traffic, the present invention provides a network intrusion detection system in which a microprocessor capable of executing a packet decode procedure and a packet pre-process procedure is added to the network card, so as to take over part of the workload of the system core processor of the network intrusion detection system.
In order to achieve the aforementioned objectives, in the present invention the network intrusion detection system is built at an important network node to detect and monitor network packets. The network intrusion detection system includes a network card and a system core processor. The network card receives multiple network packets. A memory and a microprocessor are disposed on the network card. The memory stores a packet decode procedure and a packet pre-process procedure, and temporarily stores the received network packets. The microprocessor executes the packet decode procedure to parse the received network packets, and then executes the packet pre-process procedure to analyze the parsing results, so as to generate multiple IDS format packets. The system core processor reads the IDS format packets and determines, based on an IDS rule table, whether the format and contents of each IDS format packet are normal, thereby determining whether the network shows abnormal phenomena. If it does, an anomaly alert report is sent to inform that the network is under intrusion.
In the network intrusion detection system according to the preferred embodiment of the present invention, the packet decode procedure includes the following steps. First, a netfilter is called to capture the packets flowing through the network card. The source addresses, destination addresses, and network communication protocol types of the packets are parsed. Afterwards, the parsing results of the packets are recorded in a network-flow info table. The packet decode procedure may parse the different network communication protocols in parallel, using a separate thread for each protocol.
In the network intrusion detection system according to the preferred embodiment of the present invention, the packet pre-process procedure includes the following steps. First, multiple pre-processors are loaded. The network-flow info table is read, and the IDS format packets are generated based on the IDS rule table and the network-flow info table. An IDS rule may be added to or deleted from the IDS rule table through a user interface. In addition, through the same user interface, a new pre-processor may be added or one of the loaded pre-processors may be removed.
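The two procedures above, as an added example that is not part of the patent: Python code modeling the network-card side, with a packet decode procedure that parses constructed IPv4/TCP and IPv4/UDP packets in one worker thread per protocol and records the results in a network-flow info table, followed by a packet pre-process procedure that runs a loaded pre-processor over that table to produce IDS format packets. The packet layouts, the HTTP pre-processor, the IDS format packet fields, the function names and the sample traffic are assumptions of the example; netfilter capture is replaced by an in-memory list of packets so that it runs offline.

```python
import queue
import struct
import threading
from typing import Callable, Dict, List, NamedTuple, Optional

# Added example (not the patent's code): the network-card side of the described system.
IPPROTO_TCP, IPPROTO_UDP = 6, 17


class FlowInfo(NamedTuple):           # one row of the network-flow info table
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4(raw: bytes) -> FlowInfo:
    """Decode addresses, protocol, ports and transport payload of one IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4                       # IP header length in bytes
    proto = raw[9]
    src, dst = [".".join(map(str, raw[i:i + 4])) for i in (12, 16)]
    l4 = raw[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4                # TCP data offset, in 32-bit words
        return FlowInfo(src, dst, "TCP", sport, dport, l4[data_off:])
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return FlowInfo(src, dst, "UDP", sport, dport, l4[8:])
    return FlowInfo(src, dst, "IP%d" % proto, 0, 0, l4)


def decode_packets(packets: List[bytes]) -> List[FlowInfo]:
    """Packet decode procedure: one worker thread per protocol number, shared table."""
    results: Dict[int, FlowInfo] = {}               # keyed by capture index to keep order
    lock = threading.Lock()
    queues: Dict[int, queue.Queue] = {}
    threads: List[threading.Thread] = []

    def worker(q: queue.Queue) -> None:
        for idx, raw in iter(q.get, None):          # runs until the None sentinel
            info = parse_ipv4(raw)
            with lock:
                results[idx] = info

    for idx, raw in enumerate(packets):
        proto = raw[9]
        if proto not in queues:                     # first packet of a protocol starts its thread
            queues[proto] = queue.Queue()
            threads.append(threading.Thread(target=worker, args=(queues[proto],)))
            threads[-1].start()
        queues[proto].put((idx, raw))
    for q in queues.values():
        q.put(None)
    for t in threads:
        t.join()
    return [results[i] for i in range(len(packets))]


def http_preprocessor(flow: FlowInfo) -> Optional[str]:
    """A loaded pre-processor: the request URI of an HTTP request is the special data."""
    if flow.proto != "TCP" or flow.dport != 80:
        return None
    parts = flow.payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    return parts[1] if len(parts) == 3 and parts[0] in ("GET", "POST", "HEAD") else None


def preprocess(table: List[FlowInfo],
               preprocessors: List[Callable[[FlowInfo], Optional[str]]]) -> List[dict]:
    """Packet pre-process procedure: one IDS format packet per flow-table row."""
    ids_packets = []
    for flow in table:
        special = [s for s in (pp(flow) for pp in preprocessors) if s is not None]
        ids_packets.append({"src": flow.src, "dst": flow.dst, "proto": flow.proto,
                            "dport": flow.dport, "special_data": special})
    return ids_packets


def build_ipv4(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP or IPv4/UDP packet as sample input (checksums left 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    if proto == IPPROTO_TCP:                        # 20-byte TCP header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                                           # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_b, dst_b) + l4


SAMPLE_PACKETS = [  # constructed sample traffic; the first request mimics the showcode.asp attack
    build_ipv4("203.0.113.7", "192.0.2.10", IPPROTO_TCP, 51234, 80,
               b"GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini HTTP/1.0\r\n\r\n"),
    build_ipv4("192.0.2.20", "192.0.2.53", IPPROTO_UDP, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_ipv4("192.0.2.21", "192.0.2.10", IPPROTO_TCP, 51235, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run_card(packets: Optional[List[bytes]] = None) -> List[dict]:
    """The whole network-card pipeline: decode, then pre-process."""
    return preprocess(decode_packets(SAMPLE_PACKETS if packets is None else packets), [http_preprocessor])
```

Rows are keyed by capture index so that the per-protocol threads, which finish in no particular order, still yield a flow info table in arrival order; the IDS format packet carries only the fields the core processor needs (addresses, protocol, destination port, extracted special data), which is the point of moving the parsing onto the card.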
In the network intrusion detection system according to the preferred embodiment of the present invention, when an anomaly alert report is generated it may be delivered as an intrusion detection record file, an intrusion detection voice prompt, or an intrusion detection text prompt.
Based on the above, in the present invention a microprocessor capable of executing a packet decode procedure and a packet pre-process procedure is added to take over part of the workload of the system core processor. The microprocessor of the network card performs the pre-processing of the network packets, and the system core processor only determines whether a packet is abnormal. Since parsing the packets and determining whether a packet is abnormal may then be performed concurrently, with the network card parsing the next packets while the core processor evaluates those already pre-processed, the network intrusion detection system may process packets at a higher speed, so as to meet the processing requirements of a heavy packet flow in a high-speed network environment and avoid the packet loss that reduces the accuracy of network intrusion detection.
The present invention will become more fully understood from the detailed description given herein below, which is provided for illustration only and is thus not limitative of the present invention, and wherein:
The objectives of the present invention and the provided network intrusion detection system will be illustrated in detail in the following preferred embodiments. However, the concept of the present invention may also be applied in other fields. The following embodiments merely illustrate the objectives and implementation methods of the present invention, and are not intended to limit its scope.
The architecture of the network intrusion detection system of the present invention is now described.
The packet decode procedure includes the following steps. First, a netfilter is called to capture the packets flowing through the network card 210. Subsequently, header information such as the source addresses, destination addresses, and network communication protocol types of the packets is parsed, and the contents of the packets are inspected to determine whether they carry particular patterns or are deemed malicious data such as viruses or Trojan horses. After the network packets have been parsed, the parsing results are recorded in a network-flow info table, which is temporarily stored in the memory 214 of the network card 210. In addition, when the microprocessor 212 of the network card 210 executes the packet decode procedure, it processes the data of the different communication protocols in separate threads, thereby increasing the speed at which packets are parsed. The packet pre-process procedure is used to set up the network intrusion detection system; it includes loading multiple pre-processors in advance, reading the network-flow info table stored in the memory 214 of the network card 210, and generating the corresponding IDS format packets based on the IDS rule table and the network-flow info table.
Each intrusion action has its own characteristic pattern. For example, in a Denial of Service (DoS) attack, an attacker directs a large amount of packets at a server within a specific time period (often from servers the attacker has previously compromised), thereby attempting to prevent the server from providing normal connection services. Such intrusion action patterns are defined as intrusion rules and collected into an IDS rule table. If the information carried by a received packet satisfies the conditions listed in the IDS rule table, the intrusion action is considered confirmed: the connection established from the packets' source address, or to the service or port being accessed, is determined to be abnormal, and an alert report is sent to inform the network administrator to make an appropriate response to the intrusion action.
In order to clarify the intrusion detection system (IDS) provided by the present invention, an attack named “NT IIS Showcode ASP” will be illustrated, which obtains unauthorized access through the web site's directory structure. This attack is a kind of network intrusion that sends a URL request to a web server in order to read files on the server illegally (without permission), for example the URL “http://attack.host/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/ . . . / . . . / . . . / . . . / . . . /boot.ini.” When a network packet of this attack is received, the microprocessor on the network card first parses the source address of the packet and the port being accessed, and parses the control code “/selector/showcode.asp” contained in the data segment of the packet. After the packet is parsed, an IDS format packet is generated that includes the source address, the destination address, the port, and the carried special data segment content of the packet (the specific control code carried by the packet is recorded in the special data segment content field). The system core processor reads that the packet type is TCP and that it includes a specific control code, and further determines whether the control code is showcode.asp. If it is, the core processor determines whether the connection was sent from a trusted segment (i.e., a default network address segment). If it was not, the connection is determined to be abnormal, an anomaly alert report is sent to inform the network administrator to make further confirmation, and the relevant information about the abnormal connection is recorded in the alert log file “syslog.txt.”
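The core-processor side of the showcode.asp case above, together with the rule-table matching described in the preceding paragraph, as an added example that is not part of the patent: Python code that checks IDS format packets (in the shape the network card would hand over) against an IDS rule table, treats a hit whose source lies in the trusted segment as normal, and writes each remaining hit as an anomaly alert line in a syslog.txt-style log. The rule fields, the trusted segment 192.0.2.0/24, the log line layout, the function names and the sample IDS format packets are assumptions of the example; the add_rule and delete_rule helpers stand in for the user interface mentioned earlier.

```python
import ipaddress
from datetime import datetime, timezone
from typing import List, Optional

# Added example (not the patent's code): the system-core-processor side, i.e. rule-table
# evaluation of IDS format packets and the anomaly alert report for the showcode.asp case.
IDS_RULE_TABLE = [  # rule fields and the trusted segment are assumptions of this example
    {"name": "NT IIS Showcode ASP", "proto": "TCP", "dport": 80,
     "control_code": "showcode.asp", "trusted_segment": "192.0.2.0/24"},
]


def add_rule(table: List[dict], rule: dict) -> None:
    """Stands in for the user interface: the administrator adds an IDS rule."""
    table.append(rule)


def delete_rule(table: List[dict], name: str) -> None:
    """Stands in for the user interface: the administrator removes an IDS rule by name."""
    table[:] = [r for r in table if r["name"] != name]


def from_trusted_segment(src: str, segment: str) -> bool:
    """True when the source address lies inside the default (trusted) address segment."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(segment)


def match_rule(pkt: dict, rule: dict) -> bool:
    """Rule conditions: protocol, destination port, and the control code present in the
    special data segment content (compared case-folded, as IIS paths are case-insensitive)."""
    if pkt["proto"] != rule["proto"] or pkt["dport"] != rule["dport"]:
        return False
    code = rule["control_code"].lower()
    return any(code in s.lower() for s in pkt["special_data"])


def inspect(pkt: dict, rules: List[dict]) -> Optional[dict]:
    """Core-processor decision for one IDS format packet: an alert record, or None."""
    for rule in rules:
        if not match_rule(pkt, rule):
            continue
        if from_trusted_segment(pkt["src"], rule["trusted_segment"]):
            continue                    # same request from the trusted segment is normal
        return {"rule": rule["name"], "src": pkt["src"], "dst": pkt["dst"],
                "dport": pkt["dport"], "special_data": list(pkt["special_data"])}
    return None


def format_alert(alert: dict) -> str:
    """One line of the alert log, in a syslog-like layout (the layout is an assumption)."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return "%s nids[core]: ALERT %s src=%s dst=%s:%d data=%s" % (
        ts, alert["rule"], alert["src"], alert["dst"], alert["dport"],
        "|".join(alert["special_data"]))


def detect(ids_packets: List[dict], rules: List[dict] = IDS_RULE_TABLE,
           log_path: Optional[str] = None) -> List[dict]:
    """Run every IDS format packet through the rule table; append alerts to log_path if given."""
    alerts = [a for a in (inspect(p, rules) for p in ids_packets) if a is not None]
    if log_path is not None:
        with open(log_path, "a") as fh:
            fh.writelines(format_alert(a) + "\n" for a in alerts)
    return alerts


SAMPLE_IDS_PACKETS = [  # constructed; the shape the network card would hand over
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "TCP", "dport": 80,
     "special_data": ["/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini"]},
    {"src": "192.0.2.21", "dst": "192.0.2.10", "proto": "TCP", "dport": 80,
     "special_data": ["/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp"]},
    {"src": "203.0.113.8", "dst": "192.0.2.10", "proto": "TCP", "dport": 80,
     "special_data": ["/index.html"]},
    {"src": "203.0.113.9", "dst": "192.0.2.53", "proto": "UDP", "dport": 53, "special_data": []},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_IDS_PACKETS, log_path="syslog.txt"):
        print(format_alert(alert))
```

Only the first sample packet produces an alert: the second carries the same control code but comes from the trusted segment, the third has no matching control code, and the fourth is not TCP port 80 traffic. Note that the trusted-segment exception is a whitelist on source address, so a spoofed or internal source would suppress the report; a deployment should keep that segment as narrow as the environment allows.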