US20140223558A1 - Method and device for integrating multiple threat security services - Google Patents
Method and device for integrating multiple threat security services Download PDFInfo
- Publication number
- US20140223558A1 US20140223558A1 US14/249,349 US201414249349A US2014223558A1 US 20140223558 A1 US20140223558 A1 US 20140223558A1 US 201414249349 A US201414249349 A US 201414249349A US 2014223558 A1 US2014223558 A1 US 2014223558A1
- Authority
- US
- United States
- Prior art keywords
- layer
- security services
- multiple threat
- packet data
- patterns
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Definitions
- the various embodiments described herein generally relate to network threat security services and, more particularly, to a method and device for integrating multiple threat security services.
- IPS Intrusion Detection/Protection System
- CF content filter
- WF worm filter
- a single threat security service in a single device is not an effective solution because of the uncontrolled expenses of on-site administration and troubleshooting.
- Many platforms offer a multitude of security services in one Unified Threat Management (UTM) device, which is a combination of the above security services with a firewall and which is used by enterprises and service providers to increase their security while reducing total operating costs.
- UTM Unified Threat Management
- a common characteristic among the aforementioned security threat security services is that they all need to scan the entire packet data to obtain corresponding application data. That is to say, each threat security service has its own protocol stack, and each always parses the packet data to obtain corresponding application data. Illustration will be provided in the context of an example according to the prior art, as shown in FIG. 2 .
- an IP packet enters a gateway, it first enters a firewall threat security service, which performs parsing to determine whether to apply a corresponding threat security service to the packet.
- the packet enters an Intrusion Detection/Protection threat security service, at which parsing processing is again performed on the packet in order to obtain application data required by the Intrusion Detection/Protection threat security service so that it may be determined whether the Intrusion Detection/Protection threat security service should be applied to this incoming packet. Similar steps are performed until for the rest of the preset multiple threat security services (e.g., the Content Filter, Worm Filter, and Anti Virus Anti Spam threat security services as shown in FIG. 2 ).
- protocol parsing has been one of the most computation-intensive operations. This situation is a significant obstacle against UTM's popularity.
- the various embodiments described herein provide a method for integrating multiple threat security services that can filter incoming data packets with respect to multiple threat security services.
- a method for integrating multiple threat security services.
- the method may parse an incoming packet at a current layer and may analyze the packet with respect to multiple threat security services so that one or more threat security services needed by the packet may be determined.
- a device for integrating multiple threat security services.
- the device may comprise a plurality of parsers, wherein each parser of the plurality of parsers is configured for parsing an incoming packet at a current layer.
- the device may comprise an analyzer configured for analyzing the packet with respect to the multiple threat security services so that one or more threat security services needed by the packet may be determined.
- integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity.
- the method and device may involve a protocol stack constructed based on multiple threat security services. Accordingly, the efficiency of filtering application data may be improved, and computation overhead may be reduced.
- FIG. 1 provides an arrangement of multiple threat security services in a network according to the prior art.
- FIG. 2 provides a procedure of processing multiple threat security services according to the prior art.
- FIG. 3 provides a schematic view of a network security service environment in which an exemplary embodiment may be implemented.
- FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment.
- FIG. 5 provides a flowchart showing an operation of integrating multiple threat security services according to an exemplary embodiment.
- FIG. 6 provides an architectural view of an integrated security service stack according to an exemplary embodiment.
- FIG. 7 is a schematic view illustrating an operation performed by an event analyzer according to an exemplary embodiment.
- FIG. 8 provides a flowchart of an operating procedure of an event analyzer management module according to an exemplary embodiment.
- FIG. 9 provides an illustration of an operating procedure of an event analyzer scheduling module according to an exemplary embodiment.
- FIG. 3 provides a typical network security service environment 30 in which an exemplary embodiment may be implemented.
- an integrated threat security service device 31 on which multiple threat security services may be integrated may be connected on a link between a local area network 32 and the Internet 33 in a serial pattern or in a routing pattern. That is to say, all incoming/outgoing local area network data (e.g., SMTP, POP3, HTTP, etc.) may pass through the device 31 .
- SMTP Short SMTP
- POP3 HyperText Transfer Protocol
- HTTP HyperText Transfer Protocol
- the device 31 may connect the two networks at the data link layer and may forward data frames according to a network card physical address.
- a network bridge including the device 31 may form a transparent pathway between the local area network 32 and the Internet 33 and may enable the device 31 to monitor and filter the communication between a client and a server without changing the network configuration or informing the client.
- the device 31 If the device 31 is connected among networks in a routing pattern, then it may be regarded as a node in the network configuration and may be passed through by appropriately configuring a route. Data messages passing through the device 31 may be monitored and filtered.
- the device 31 needs to secure the pathways to the Internet 33 .
- the device 31 may support the connection between the local area network 32 and the Internet 33 , thereby guaranteeing the network service.
- the device 31 may be interconnected with a database 34 and a control node 35 via a network (can be via a link or by multiplexing).
- the database 34 may have multiple functions. One function may be to store information of a system on which multiple threat security services are integrated, such as configuration and matching patterns, in order to provide the information to be used by the device 31 during initialization and running. Another function may be to store illegal behavior patterns found by the device 31 during operation thereof.
- the control node 35 may add keywords to the database 34 , may control integration information of the integrated multiple threat security services, and/or may view detection results.
- FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment.
- multiple threat security services in the form of a histogram are shown in conjunction with a protocol hierarchical structure and various corresponding parsers (described in further detail herein), each shown by a dotted line.
- the firewall security service may use an Internet Protocol (IP) parser
- the content/worm filter security service may use an IP parser, a Transmission Control Protocol (TCP) parser, or an application layer protocol parser.
- IP Internet Protocol
- TCP Transmission Control Protocol
- the right portion of FIG. 4 shows an integrated security service stack 401 according to an exemplary embodiment.
- Each parser in the integrated security service stack 401 may send parsed packet data to an event analyzer 400 after the completion of corresponding parsing, and the event analyzer 400 may process the data with respect to multiple threat security services, thereby determining the one or more threat security services to be executed.
- FIG. 5 is a flowchart showing the operation of integrating multiple threat security services according to an exemplary embodiment.
- a packet entering a network may be parsed at each layer in accordance with the hierarchical structure of the integrated security service stack 401 .
- the packet being parsed at a current layer may be analyzed with respect to multiple threat security services.
- the one or more threat security services required by the packet may be determined via matching algorithms. With reference to FIGS. 6-9 , a detailed description will be provided for the steps shown in FIG. 5 .
- FIG. 6 provides an architecture view of the integrated security service stack according to an exemplary embodiment.
- parsers are distributed according to the layers in the histogram of FIG. 4 .
- the parsers illustrated in FIG. 6 include a TCP/IP parser 610 , an application layer protocol parser 611 , and a file parser 612 .
- the device 31 after receiving a data message, the device 31 first may send the data message to the TCP/IP parser 610 .
- the TCP/IP parser 610 may restore data packets entering the transport layer by invoking corresponding plug-ins based on different classifications of protocols.
- the TCP/IP parser 610 upon capturing a TCP message, the TCP/IP parser 610 first may establish information on a connection and may submit the established information on the connection to the corresponding TCP protocol processing plug-in. Then, in step 602 the corresponding TCP protocol processing plug-in may send the restored information (e.g., an IP source address, source port number, destination address, destination port number, message length, etc.) to the event analyzer 400 for further analysis and filtering (a detailed description will be provided herein regarding the operation of the event analyzer 400 ).
- the restored information e.g., an IP source address, source port number, destination address, destination port number, message length, etc.
- the TCP/IP parser 610 may send generated packets from the transport layer to the appropriate application layer protocol parser 611 (e.g., HTTP protocol parser, SMTP protocol parser, POP3 protocol parser, FTP protocol parser, or Telnet protocol parser).
- This step may entail identifying the appropriate application layer protocol type.
- a general method of identifying a protocol type is to determine the type of a protocol using the protocol default port specified by the Request for Comments (RFC). However, the accuracy of such method is not high.
- RRC Request for Comments
- a few protocols e.g., the DNS and SMTP protocols
- all protocols can change a connected port.
- the HTTP protocol uses the port 80 in a default situation under the RFC
- a large amount of HTTP services use other ports, such as 1080, 8080, etc., in practical applications.
- the protocol type may be identified intelligently by intensifying analysis of the content of a data message.
- the application layer protocol parser 611 may restore the uploaded content and may send the restored information to the event analyzer 400 for analysis and filtering.
- the application layer protocol parser 611 may send the data to the file parser 612 in step 605 .
- the file parser 612 may parse the received file, may restore the data, and may send it to the event analyzer 400 for filtering.
- parsers of the various embodiments described herein are not limited to the described TCP/IP parser 610 , application layer protocol parser 611 , and file parser 612 . Accordingly, other types of parsers may be constructed for hierarchical structures of various security service protocol stacks without departing from the spirit and scope of the disclosure.
- FIG. 7 provides the event analyzer 400 and pattern databases (i.e., pattern DBs) DB1 through DBn.
- Pattern database DB1 may be a virus pattern database
- pattern database DB2 may be an IPS pattern database
- pattern database DB3 may be a WF pattern database
- pattern database DBn may be a CF pattern database.
- the event analyzer 400 may comprise a management module 701 , a string matching algorithm pool 704 comprising string matching algorithms 702 , and a scheduling module 703 .
- the pattern databases DB1 through DBn may store patterns corresponding to all threat security services.
- the pattern database of each threat security service may comprise patterns for the various layers in the integrated security service stack 401 .
- the management module 701 of the event analyzer 400 may be responsible for initializing all of the string matching algorithms 702 , which comprise the core of the event analyzer 400 .
- the event analyzer 400 may carry out a matching procedure that may be divided primarily into three phases: a pattern input phase, a compiling phase, and a string matching phase.
- the management module 701 may extract patterns from the pattern databases DB1 through DBn and may arrange them into a pattern set.
- the patterns may be tagged so that the threat security service corresponding to each pattern may be identified.
- tag 1 may be assigned to patterns from the pattern database DB1
- tag 2 may be assigned to patterns from the pattern database DB2, and so forth. Such tagging will be further described herein with reference to FIG. 8 .
- the second phase (compiling phase) may be executed after all patterns have been prepared; in this phase, string matching algorithms 702 may be compiled using the patterns.
- This phase may be fulfilled by the management module 701 , as is further described herein with reference to FIG. 8 .
- the third phase (string matching phase) may occur when the system service is running. After data from a parser in the integrated security service stack 401 (i.e., the TCP/IP parser 610 , the application layer protocol parser 611 , or the file parser 612 as described herein and shown in FIG. 6 ) is sent to the event analyzer 400 , the scheduling module 703 may select a corresponding string matching algorithm 702 based on the type of inputted data (i.e., based on the stack layer at which the data is sent).
- a parser in the integrated security service stack 401 i.e., the TCP/IP parser 610 , the application layer protocol parser 611 , or the file parser 612 as described herein and shown in FIG. 6
- the scheduling module 703 may select a corresponding string matching algorithm 702 based on the type of inputted data
- FIG. 8 provides a flowchart of the operating procedure of the management module 701 of the event analyzer 400 according to an exemplary embodiment.
- the management module 701 may read patterns for multiple threat security services at a respective layer from various pattern databases.
- the management module 701 may read patterns from pattern databases DB1 through DBn for all security services at the TCP/IP layer (e.g., pattern 1.1.1.1, pattern 10.10.10.10:80, etc.).
- the multiple security service patterns as read may be tagged in order to identify the threat security service that corresponds to each pattern. As shown in FIG.
- tag 1 may be assigned to each of multiple patterns from the virus pattern database DB1
- tag 2 may be assigned to each of multiple patterns from the IPS pattern database DB2
- tag 3 may be assigned to each of multiple patterns from the WF pattern database DB3
- tag n may be assigned to each of multiple patterns from the CF pattern database DBn.
- the management module 701 may generate (i.e., compile) a string matching algorithm 702 for the respective layer by using the tagged patterns, wherein all patterns focusing on the layer in the integrated security service stack 401 may be merged into a pattern set used for initializing such string matching algorithm 702 . This procedure may be followed for multiple threat security services at all layers in the integrated security service stack 401 .
- a TCP/IP string matching algorithm, an application layer string matching algorithm, and the like may be generated via the operation procedure of the management module 701 .
- the string matching algorithms 702 for the various layers may be placed into the string matching algorithm pool 704 , as indicated by the grouping of spring matching algorithms 702 in FIG. 7 .
- one or more state machines may be generated so that a lookup for a certain section of inputted text can be performed via such state machines. Such procedure is named “string search”.
- Highly efficient string matching algorithms 702 may improve the performance of a program.
- a finite state machine algorithm is that each of all possible inputs for a matching character string has a state value in each step, and if this state value is equal to the length of the matching character string, a successful match is proven.
- matching algorithms may be divided into software pattern matching, TCAM pattern matching, and ASCI pattern matching.
- an algorithm matching one character string is called a single-pattern matching algorithm, and an algorithm for simultaneously matching multiple character strings is called a multi-pattern matching algorithm.
- TCAM pattern matching involves a dedicated chip used for table lookup operations and is characterized by scoring a hit only once (i.e., an inspection is made all at one time). Moreover, the lookup speed is irrelevant to the size of a table.
- TCAM pattern matching requires the location of a matching character string to be relatively fixed.
- ASCI pattern matching requires a character string that is to be detected to be first complied with a regular expression and then loaded to a chip. Afterwards, matching is performed.
- the string matching algorithms described herein are merely illustrative. Accordingly, any suitable string matching algorithm may be selected to implement the various embodiments by those skilled in the art without departing from the spirit and scope of the disclosure.
- FIG. 9 shows the operating procedure of the scheduling module 703 of the event analyzer 400 according to an exemplary embodiment.
- the scheduling module 703 may select a corresponding string matching algorithm 702 from the string matching algorithm pool 704 to filter (i.e., match) the data and then may return one or more results with tag i (with i being one of tag 1, tag 2 . . . tag n). Due to the tag i, a receiver of the filtering result (not shown) may know to which one of multiple pattern databases the pattern identified by tag i belongs, and accordingly the receiver may determine threat security services corresponding to the incoming packet based on such knowledge.
- the threat security services may detect whether the packet contains one or more threats and may perform appropriate response processing such as alarming, blocking, and the like (e.g., via event responders) in order to address any such threats.
- the procedure for integrating multiple threat security services will be provided in the context of an exemplary incoming message.
- the IP address of a user is 1.1.1.1 and that the user accesses the port 80 of a remote Web server 10.10.10.10 through the local port 25467 (i.e., sends a HTTP request).
- the content of the first message ‘P’ sent by the user generally includes a request command and request content, such as “GET http://news.zzz.com/20071205/12345.shtml”.
- the event analyzer 400 may perform the following operations.
- the scheduling module 703 of the event analyzer 400 invokes the string matching algorithm 702 for the TCP/IP layer.
- the scheduling module 703 filters the sent information and finds that the information matches the pattern 1.1.1.1 assigned with tag 3 and corresponding to the WF threat security service and that the information also matches the pattern 10.10.10.10:80 assigned with tag 2 and corresponding to the IPS threat security service.
- the scheduling module 703 may provide tags 3 and 2 indicating corresponding threat security services WF and IPS (respectively) to a receiver, and the receiver may determine from the tags 3 and 2 that the threat security services WF and IPS (respectively) need to be provided. Once provided, if one or both of the WF and IPS threat security services detect that the message contains one or more threats, then one or both may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.
- the scheduling module 703 invokes the string matching algorithm 702 for the application layer. As a result, the scheduling module 703 filters the sent information and finds that the information matches the pattern news.zzz.com assigned with tag 2 and corresponding to the IPS threat security service. Accordingly, the scheduling module 703 may provide tag 2 indicating corresponding threat security service IPS to a receiver, and the receiver may determine from the tag 2 that the threat security service IPS needs to be provided. Once provided, if the IPS threat security service detects that the message contains one or more threats, then it may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like.
Abstract
Description
- The present application is a continuation application of U.S. patent application Ser. No. 12/331,912, filed Dec. 10, 2008. The present application claims priority under 35 U.S.C. §120 to U.S. patent application Ser. No. 12/331,912, which claims priority under 35 U.S.C. §119 to Chinese Patent Application No. 200710199827.X filed Dec. 13, 2007, the contents of which are incorporated herein by reference.
- The various embodiments described herein generally relate to network threat security services and, more particularly, to a method and device for integrating multiple threat security services.
- With the growing application of communication networks, individuals attach increasing importance to security and prevention of threats within communication networks. To this end, a range of security services can be activated on a gateway, such as Intrusion Detection/Protection System (IPS), anti virus, anti spam, content filter (CF) (i.e., firewall), and worm filter (WF), as shown in
FIG. 1 according to the prior art. However, a single threat security service in a single device is not an effective solution because of the uncontrolled expenses of on-site administration and troubleshooting. Many platforms offer a multitude of security services in one Unified Threat Management (UTM) device, which is a combination of the above security services with a firewall and which is used by enterprises and service providers to increase their security while reducing total operating costs. - A common characteristic among the aforementioned security threat security services is that they all need to scan the entire packet data to obtain corresponding application data. That is to say, each threat security service has its own protocol stack, and each always parses the packet data to obtain corresponding application data. Illustration will be provided in the context of an example according to the prior art, as shown in
FIG. 2 . When an IP packet enters a gateway, it first enters a firewall threat security service, which performs parsing to determine whether to apply a corresponding threat security service to the packet. If the firewall threat security service does not need to be provided, then the packet enters an Intrusion Detection/Protection threat security service, at which parsing processing is again performed on the packet in order to obtain application data required by the Intrusion Detection/Protection threat security service so that it may be determined whether the Intrusion Detection/Protection threat security service should be applied to this incoming packet. Similar steps are performed until for the rest of the preset multiple threat security services (e.g., the Content Filter, Worm Filter, and Anti Virus Anti Spam threat security services as shown inFIG. 2 ). Along with an increasing number of integrated threat security services and growth of computation complicacy, protocol parsing has been one of the most computation-intensive operations. This situation is a significant obstacle against UTM's popularity. - In view of this situation, current mechanisms focus on hardware acceleration to improve UTM performance, such as Fortinet's FortiGate, which is an ASIC-accelerated multi-threat security system. However, only some security services can be integrated into Fortinet's UTM device.
- Therefore, there is currently a need for a more complete solution for integrating multiple threat security services that can reduce computation overhead.
- In order to overcome the deficiencies in the prior art, the various embodiments described herein provide a method for integrating multiple threat security services that can filter incoming data packets with respect to multiple threat security services.
- According to one aspect of the various embodiments, a method is provided for integrating multiple threat security services. The method may parse an incoming packet at a current layer and may analyze the packet with respect to multiple threat security services so that one or more threat security services needed by the packet may be determined.
- According to another aspect of the various embodiments, a device is provided for integrating multiple threat security services. The device may comprise a plurality of parsers, wherein each parser of the plurality of parsers is configured for parsing an incoming packet at a current layer. Moreover, the device may comprise an analyzer configured for analyzing the packet with respect to the multiple threat security services so that one or more threat security services needed by the packet may be determined.
- According to the method and device of an exemplary embodiment, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity. Specifically, the method and device may involve a protocol stack constructed based on multiple threat security services. Accordingly, the efficiency of filtering application data may be improved, and computation overhead may be reduced.
- The various embodiments described herein will be described in detail with reference to the following figures.
-
FIG. 1 provides an arrangement of multiple threat security services in a network according to the prior art. -
FIG. 2 provides a procedure of processing multiple threat security services according to the prior art. -
FIG. 3 provides a schematic view of a network security service environment in which an exemplary embodiment may be implemented. -
FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment. -
FIG. 5 provides a flowchart showing an operation of integrating multiple threat security services according to an exemplary embodiment. -
FIG. 6 provides an architectural view of an integrated security service stack according to an exemplary embodiment. -
FIG. 7 is a schematic view illustrating an operation performed by an event analyzer according to an exemplary embodiment. -
FIG. 8 provides a flowchart of an operating procedure of an event analyzer management module according to an exemplary embodiment. -
FIG. 9 provides an illustration of an operating procedure of an event analyzer scheduling module according to an exemplary embodiment. - Description will be provided below with respect to various exemplary embodiments with reference to the accompanying drawings.
-
FIG. 3 provides a typical networksecurity service environment 30 in which an exemplary embodiment may be implemented. In theenvironment 30, an integrated threatsecurity service device 31 on which multiple threat security services may be integrated may be connected on a link between alocal area network 32 and the Internet 33 in a serial pattern or in a routing pattern. That is to say, all incoming/outgoing local area network data (e.g., SMTP, POP3, HTTP, etc.) may pass through thedevice 31. - If the
device 31 is connected between networks in a serial pattern, it may connect the two networks at the data link layer and may forward data frames according to a network card physical address. A network bridge including thedevice 31 may form a transparent pathway between thelocal area network 32 and the Internet 33 and may enable thedevice 31 to monitor and filter the communication between a client and a server without changing the network configuration or informing the client. - If the
device 31 is connected among networks in a routing pattern, then it may be regarded as a node in the network configuration and may be passed through by appropriately configuring a route. Data messages passing through thedevice 31 may be monitored and filtered. - The
device 31 needs to secure the pathways to the Internet 33. In the event of a system failure, thedevice 31 may support the connection between thelocal area network 32 and the Internet 33, thereby guaranteeing the network service. Thedevice 31 may be interconnected with adatabase 34 and acontrol node 35 via a network (can be via a link or by multiplexing). - The
database 34 may have multiple functions. One function may be to store information of a system on which multiple threat security services are integrated, such as configuration and matching patterns, in order to provide the information to be used by thedevice 31 during initialization and running. Another function may be to store illegal behavior patterns found by thedevice 31 during operation thereof. Thecontrol node 35 may add keywords to thedatabase 34, may control integration information of the integrated multiple threat security services, and/or may view detection results. -
FIG. 4 is a simplified schematic view illustrating the principles of an exemplary embodiment. In the left portion ofFIG. 4 , multiple threat security services in the form of a histogram are shown in conjunction with a protocol hierarchical structure and various corresponding parsers (described in further detail herein), each shown by a dotted line. For example, as indicated by the histogram, the firewall security service may use an Internet Protocol (IP) parser, and the content/worm filter security service may use an IP parser, a Transmission Control Protocol (TCP) parser, or an application layer protocol parser. The right portion ofFIG. 4 shows an integratedsecurity service stack 401 according to an exemplary embodiment. Each parser in the integratedsecurity service stack 401 may send parsed packet data to anevent analyzer 400 after the completion of corresponding parsing, and theevent analyzer 400 may process the data with respect to multiple threat security services, thereby determining the one or more threat security services to be executed. -
FIG. 5 is a flowchart showing the operation of integrating multiple threat security services according to an exemplary embodiment. Instep 501, a packet entering a network may be parsed at each layer in accordance with the hierarchical structure of the integratedsecurity service stack 401. Instep 502, the packet being parsed at a current layer may be analyzed with respect to multiple threat security services. Instep 503, the one or more threat security services required by the packet may be determined via matching algorithms. With reference toFIGS. 6-9 , a detailed description will be provided for the steps shown inFIG. 5 . -
FIG. 6 provides an architecture view of the integrated security service stack according to an exemplary embodiment. InFIG. 6 , parsers are distributed according to the layers in the histogram ofFIG. 4 . The parsers illustrated inFIG. 6 include a TCP/IP parser 610, an applicationlayer protocol parser 611, and afile parser 612. As shown inFIG. 6 , after receiving a data message, thedevice 31 first may send the data message to the TCP/IP parser 610. In step 601, the TCP/IP parser 610 may restore data packets entering the transport layer by invoking corresponding plug-ins based on different classifications of protocols. For example, upon capturing a TCP message, the TCP/IP parser 610 first may establish information on a connection and may submit the established information on the connection to the corresponding TCP protocol processing plug-in. Then, instep 602 the corresponding TCP protocol processing plug-in may send the restored information (e.g., an IP source address, source port number, destination address, destination port number, message length, etc.) to theevent analyzer 400 for further analysis and filtering (a detailed description will be provided herein regarding the operation of the event analyzer 400). - In
step 603, the TCP/IP parser 610 may send generated packets from the transport layer to the appropriate application layer protocol parser 611 (e.g., HTTP protocol parser, SMTP protocol parser, POP3 protocol parser, FTP protocol parser, or Telnet protocol parser). This step may entail identifying the appropriate application layer protocol type. A general method of identifying a protocol type is to determine the type of a protocol using the protocol default port specified by the Request for Comments (RFC). However, the accuracy of such method is not high. At present, while a few protocols (e.g., the DNS and SMTP protocols) can make a determination based on the destination port of a TCP connection, all protocols can change a connected port. For example, while the HTTP protocol uses the port 80 in a default situation under the RFC, a large amount of HTTP services use other ports, such as 1080, 8080, etc., in practical applications. In addition to or in lieu of using a protocol default port specified by the RFC, the protocol type may be identified intelligently by intensifying analysis of the content of a data message. - After invoking a corresponding application layer protocol analysis plug-in, in
step 604 the applicationlayer protocol parser 611 may restore the uploaded content and may send the restored information to theevent analyzer 400 for analysis and filtering. - If a file from the application data stream (e.g., a mail attachment) needs to be reverted, the application
layer protocol parser 611 may send the data to thefile parser 612 instep 605. Instep 606, thefile parser 612 may parse the received file, may restore the data, and may send it to theevent analyzer 400 for filtering. - It should be noted that the parsers of the various embodiments described herein are not limited to the described TCP/
IP parser 610, applicationlayer protocol parser 611, andfile parser 612. Accordingly, other types of parsers may be constructed for hierarchical structures of various security service protocol stacks without departing from the spirit and scope of the disclosure. - Referring to
FIG. 7 , a detailed description will be provided regarding the operation procedure of theevent analyzer 400 according to an exemplary embodiment.FIG. 7 provides theevent analyzer 400 and pattern databases (i.e., pattern DBs) DB1 through DBn. Pattern database DB1 may be a virus pattern database, pattern database DB2 may be an IPS pattern database, pattern database DB3 may be a WF pattern database, and pattern database DBn may be a CF pattern database. Theevent analyzer 400 may comprise amanagement module 701, a stringmatching algorithm pool 704 comprisingstring matching algorithms 702, and ascheduling module 703. The pattern databases DB1 through DBn may store patterns corresponding to all threat security services. The pattern database of each threat security service may comprise patterns for the various layers in the integratedsecurity service stack 401. Themanagement module 701 of theevent analyzer 400 may be responsible for initializing all of thestring matching algorithms 702, which comprise the core of theevent analyzer 400. - The
event analyzer 400 may carry out a matching procedure that may be divided primarily into three phases: a pattern input phase, a compiling phase, and a string matching phase. In the first phase (pattern input phase), themanagement module 701 may extract patterns from the pattern databases DB1 through DBn and may arrange them into a pattern set. The patterns may be tagged so that the threat security service corresponding to each pattern may be identified. For example,tag 1 may be assigned to patterns from the pattern database DB1,tag 2 may be assigned to patterns from the pattern database DB2, and so forth. Such tagging will be further described herein with reference toFIG. 8 . The second phase (compiling phase) may be executed after all patterns have been prepared; in this phase,string matching algorithms 702 may be compiled using the patterns. Different compiling methods may be used based on different matching algorithms. This phase may be fulfilled by themanagement module 701, as is further described herein with reference toFIG. 8 . The third phase (string matching phase) may occur when the system service is running. After data from a parser in the integrated security service stack 401 (i.e., the TCP/IP parser 610, the applicationlayer protocol parser 611, or thefile parser 612 as described herein and shown inFIG. 6 ) is sent to theevent analyzer 400, thescheduling module 703 may select a correspondingstring matching algorithm 702 based on the type of inputted data (i.e., based on the stack layer at which the data is sent). -
FIG. 8 provides a flowchart of the operating procedure of themanagement module 701 of theevent analyzer 400 according to an exemplary embodiment. First, in step 801 themanagement module 701 may read patterns for multiple threat security services at a respective layer from various pattern databases. For example, themanagement module 701 may read patterns from pattern databases DB1 through DBn for all security services at the TCP/IP layer (e.g., pattern 1.1.1.1, pattern 10.10.10.10:80, etc.). Next, instep 802 the multiple security service patterns as read may be tagged in order to identify the threat security service that corresponds to each pattern. As shown inFIG. 7 ,tag 1 may be assigned to each of multiple patterns from the virus pattern database DB1,tag 2 may be assigned to each of multiple patterns from the IPS pattern database DB2, tag 3 may be assigned to each of multiple patterns from the WF pattern database DB3, and tag n may be assigned to each of multiple patterns from the CF pattern database DBn. Subsequently, in step 803 themanagement module 701 may generate (i.e., compile) astring matching algorithm 702 for the respective layer by using the tagged patterns, wherein all patterns focusing on the layer in the integratedsecurity service stack 401 may be merged into a pattern set used for initializing suchstring matching algorithm 702. This procedure may be followed for multiple threat security services at all layers in the integratedsecurity service stack 401. - According to an exemplary embodiment, a TCP/IP string matching algorithm, an application layer string matching algorithm, and the like may be generated via the operation procedure of the
management module 701. Thestring matching algorithms 702 for the various layers may be placed into the stringmatching algorithm pool 704, as indicated by the grouping ofspring matching algorithms 702 inFIG. 7 . According to existing patterns, one or more state machines may be generated so that a lookup for a certain section of inputted text can be performed via such state machines. Such procedure is named “string search”. Highly efficientstring matching algorithms 702 may improve the performance of a program. - A brief illustration will be provided of a
string matching algorithm 702 that may be employed according to an exemplary embodiment. Suchstring matching algorithm 702 may be used for determining whether a text such as Text=t1 . . . tn contains a method for one or more character strings P=p1 . . . pm. For example, the principle of a finite state machine algorithm is that each of all possible inputs for a matching character string has a state value in each step, and if this state value is equal to the length of the matching character string, a successful match is proven. - According to an implementation manner, matching algorithms may be divided into software pattern matching, TCAM pattern matching, and ASCI pattern matching. Among string matching algorithms, an algorithm matching one character string is called a single-pattern matching algorithm, and an algorithm for simultaneously matching multiple character strings is called a multi-pattern matching algorithm. TCAM pattern matching involves a dedicated chip used for table lookup operations and is characterized by scoring a hit only once (i.e., an inspection is made all at one time). Moreover, the lookup speed is irrelevant to the size of a table. TCAM pattern matching requires the location of a matching character string to be relatively fixed. ASCI pattern matching requires a character string that is to be detected to be first complied with a regular expression and then loaded to a chip. Afterwards, matching is performed. It should be noted that the string matching algorithms described herein are merely illustrative. Accordingly, any suitable string matching algorithm may be selected to implement the various embodiments by those skilled in the art without departing from the spirit and scope of the disclosure.
-
FIG. 9 shows the operating procedure of thescheduling module 703 of theevent analyzer 400 according to an exemplary embodiment. After data from a parser in the integratedsecurity service stack 401 is sent to theevent analyzer 400, thescheduling module 703 may select a correspondingstring matching algorithm 702 from the stringmatching algorithm pool 704 to filter (i.e., match) the data and then may return one or more results with tag i (with i being one oftag 1,tag 2 . . . tag n). Due to the tag i, a receiver of the filtering result (not shown) may know to which one of multiple pattern databases the pattern identified by tag i belongs, and accordingly the receiver may determine threat security services corresponding to the incoming packet based on such knowledge. The threat security services may detect whether the packet contains one or more threats and may perform appropriate response processing such as alarming, blocking, and the like (e.g., via event responders) in order to address any such threats. - For illustrative purposes, a detailed description will be provided of the procedure for integrating multiple threat security services according to an exemplary embodiment in the context of an exemplary incoming message. Assume that the IP address of a user is 1.1.1.1 and that the user accesses the port 80 of a remote Web server 10.10.10.10 through the local port 25467 (i.e., sends a HTTP request). In this case, the content of the first message ‘P’ sent by the user generally includes a request command and request content, such as “GET http://news.zzz.com/20071205/12345.shtml”.
- Suppose that there is a pattern 1.1.1.1 assigned with tag 3 at the TCP/IP layer in the WF pattern database DB3 (
FIG. 7 ), there is a pattern 10.10.10.10:80 assigned withtag 2 at the TCP/IP layer in the IPS pattern database DB2 (FIG. 7 ), and there is a pattern news.zzz.com assigned withtag 2 at the application layer in the IPS pattern database DB2 (FIG. 7 ). After the parser at each layer in the integratedsecurity service stack 401 sends the parsed content to theevent analyzer 400, theevent analyzer 400 may perform the following operations. - When the TCP/
IP parser 610 sends information (e.g., IP source address 1.1.1.1, source port number 25467, destination address 10.10.10.10, destination port number 80, the length of a message, etc.) to theevent analyzer 400, thescheduling module 703 of theevent analyzer 400 invokes thestring matching algorithm 702 for the TCP/IP layer. As a result, thescheduling module 703 filters the sent information and finds that the information matches the pattern 1.1.1.1 assigned with tag 3 and corresponding to the WF threat security service and that the information also matches the pattern 10.10.10.10:80 assigned withtag 2 and corresponding to the IPS threat security service. Accordingly, thescheduling module 703 may providetags 3 and 2 indicating corresponding threat security services WF and IPS (respectively) to a receiver, and the receiver may determine from thetags 3 and 2 that the threat security services WF and IPS (respectively) need to be provided. Once provided, if one or both of the WF and IPS threat security services detect that the message contains one or more threats, then one or both may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like. - Similarly, when the
application protocol parser 611 sends the information “GET http://news.zzz.com/20071205/12345.shtml” to theevent analyzer 400, thescheduling module 703 invokes thestring matching algorithm 702 for the application layer. As a result, thescheduling module 703 filters the sent information and finds that the information matches the pattern news.zzz.com assigned withtag 2 and corresponding to the IPS threat security service. Accordingly, thescheduling module 703 may providetag 2 indicating corresponding threat security service IPS to a receiver, and the receiver may determine from thetag 2 that the threat security service IPS needs to be provided. Once provided, if the IPS threat security service detects that the message contains one or more threats, then it may drive one or more corresponding event responders in order to perform appropriate processing such as alarming, blocking, and the like. - It should be noted that in order to facilitate easier understanding of the various embodiments described herein, the foregoing description omits various technical details that are well known to those skilled in the art.
- The various embodiments have been presented for purposes of illustration and description and are not intended to be exhaustive or limited to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. Accordingly, the various embodiments have been chosen and described in order to best explain key principles and to enable others of ordinary skill in the art to understand that all modifications and alterations made without departing from the spirit of disclosure fall within the scope as defined in the appended claims.
Claims (24)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/249,349 US20140223558A1 (en) | 2007-12-13 | 2014-04-09 | Method and device for integrating multiple threat security services |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA200710199827XA CN101459660A (en) | 2007-12-13 | 2007-12-13 | Method for integrating multi-threat security service |
CN200710199827.X | 2007-12-13 | ||
US12/331,912 US8751787B2 (en) | 2007-12-13 | 2008-12-10 | Method and device for integrating multiple threat security services |
US14/249,349 US20140223558A1 (en) | 2007-12-13 | 2014-04-09 | Method and device for integrating multiple threat security services |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/331,912 Continuation US8751787B2 (en) | 2007-12-13 | 2008-12-10 | Method and device for integrating multiple threat security services |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140223558A1 true US20140223558A1 (en) | 2014-08-07 |
Family
ID=40755123
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/331,912 Active 2030-08-21 US8751787B2 (en) | 2007-12-13 | 2008-12-10 | Method and device for integrating multiple threat security services |
US14/249,349 Abandoned US20140223558A1 (en) | 2007-12-13 | 2014-04-09 | Method and device for integrating multiple threat security services |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/331,912 Active 2030-08-21 US8751787B2 (en) | 2007-12-13 | 2008-12-10 | Method and device for integrating multiple threat security services |
Country Status (2)
Country | Link |
---|---|
US (2) | US8751787B2 (en) |
CN (1) | CN101459660A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332784A (en) * | 2017-06-19 | 2017-11-07 | 上海高顿教育培训有限公司 | A kind of security protection system for server interface |
CN107579960A (en) * | 2017-08-22 | 2018-01-12 | 深圳市盛路物联通讯技术有限公司 | A kind of data filtering method and device |
CN111262812A (en) * | 2018-11-30 | 2020-06-09 | 比亚迪股份有限公司 | Data packet screening method and device |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7606225B2 (en) | 2006-02-06 | 2009-10-20 | Fortinet, Inc. | Integrated security switch |
US9065799B2 (en) | 2011-04-15 | 2015-06-23 | Lockheed Martin Corporation | Method and apparatus for cyber security |
CN102546606B (en) * | 2011-12-23 | 2014-12-31 | 华为数字技术(成都)有限公司 | Telnet command filter method, network safety device and network safety system |
CN102594623B (en) | 2011-12-31 | 2015-07-29 | 华为数字技术(成都)有限公司 | The data detection method of fire compartment wall and device |
CN102891855B (en) * | 2012-10-16 | 2015-06-03 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for securely processing network data streams |
CN103346980B (en) * | 2013-07-02 | 2016-08-10 | 华为技术有限公司 | A kind of business scheduling method, device and the network equipment |
CN103607313B (en) * | 2013-12-09 | 2017-04-19 | 深圳市双赢伟业科技股份有限公司 | TCP (transmission control protocol) message matching method on Regular expression |
CN103825888A (en) * | 2014-02-17 | 2014-05-28 | 北京奇虎科技有限公司 | Network threat processing method and apparatus |
WO2019136282A1 (en) * | 2018-01-04 | 2019-07-11 | Opaq Networks, Inc. | Control maturity assessment in security operations environments |
CN108462707B (en) * | 2018-03-13 | 2020-08-28 | 中山大学 | Mobile application identification method based on deep learning sequence analysis |
US10333898B1 (en) | 2018-07-09 | 2019-06-25 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US11646995B2 (en) | 2019-12-11 | 2023-05-09 | Cisco Technology, Inc. | Partitioned intrusion detection |
FR3114212B1 (en) * | 2020-09-14 | 2023-02-10 | Mbda France | Method and firewall configured to control messages transiting between two communication elements. |
CN113608741B (en) * | 2021-07-07 | 2023-08-29 | 中国电子科技集团公司第三十研究所 | Network security service integration method and device |
US20230224275A1 (en) * | 2022-01-12 | 2023-07-13 | Bank Of America Corporation | Preemptive threat detection for an information system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030145226A1 (en) * | 2002-01-28 | 2003-07-31 | International Business Machines Corporation | Integrated intrusion detection services |
US20030154399A1 (en) * | 2002-02-08 | 2003-08-14 | Nir Zuk | Multi-method gateway-based network security systems and methods |
US20060123481A1 (en) * | 2004-12-07 | 2006-06-08 | Nortel Networks Limited | Method and apparatus for network immunization |
US20090003317A1 (en) * | 2007-06-29 | 2009-01-01 | Kasralikar Rahul S | Method and mechanism for port redirects in a network switch |
US7891001B1 (en) * | 2005-08-26 | 2011-02-15 | Perimeter Internetworking Corporation | Methods and apparatus providing security within a network |
US8166554B2 (en) * | 2004-02-26 | 2012-04-24 | Vmware, Inc. | Secure enterprise network |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6625650B2 (en) * | 1998-06-27 | 2003-09-23 | Intel Corporation | System for multi-layer broadband provisioning in computer networks |
US7765313B2 (en) | 2001-10-09 | 2010-07-27 | Alcatel Lucent | Hierarchical protocol classification engine |
EP1563393A4 (en) | 2002-10-22 | 2010-12-22 | Unho Choi | Integrated emergency response system in information infrastructure and operating method therefor |
US20040088425A1 (en) | 2002-10-31 | 2004-05-06 | Comverse, Ltd. | Application level gateway based on universal parser |
CA2442799A1 (en) | 2003-09-26 | 2005-03-26 | Ibm Canada Limited - Ibm Canada Limitee | Generalized credential and protocol management of infrastructure |
US7421737B1 (en) * | 2004-05-04 | 2008-09-02 | Symantec Corporation | Evasion detection |
US7460476B1 (en) * | 2004-10-18 | 2008-12-02 | Ubicom, Inc. | Automatic adaptive network traffic prioritization and shaping |
US8656488B2 (en) * | 2005-03-11 | 2014-02-18 | Trend Micro Incorporated | Method and apparatus for securing a computer network by multi-layer protocol scanning |
CN1905555B (en) * | 2005-07-30 | 2010-07-07 | 华为技术有限公司 | Fire wall controlling system and method based on NGN service |
-
2007
- 2007-12-13 CN CNA200710199827XA patent/CN101459660A/en active Pending
-
2008
- 2008-12-10 US US12/331,912 patent/US8751787B2/en active Active
-
2014
- 2014-04-09 US US14/249,349 patent/US20140223558A1/en not_active Abandoned
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030145226A1 (en) * | 2002-01-28 | 2003-07-31 | International Business Machines Corporation | Integrated intrusion detection services |
US20030154399A1 (en) * | 2002-02-08 | 2003-08-14 | Nir Zuk | Multi-method gateway-based network security systems and methods |
US8166554B2 (en) * | 2004-02-26 | 2012-04-24 | Vmware, Inc. | Secure enterprise network |
US20060123481A1 (en) * | 2004-12-07 | 2006-06-08 | Nortel Networks Limited | Method and apparatus for network immunization |
US7891001B1 (en) * | 2005-08-26 | 2011-02-15 | Perimeter Internetworking Corporation | Methods and apparatus providing security within a network |
US20090003317A1 (en) * | 2007-06-29 | 2009-01-01 | Kasralikar Rahul S | Method and mechanism for port redirects in a network switch |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332784A (en) * | 2017-06-19 | 2017-11-07 | 上海高顿教育培训有限公司 | A kind of security protection system for server interface |
CN107579960A (en) * | 2017-08-22 | 2018-01-12 | 深圳市盛路物联通讯技术有限公司 | A kind of data filtering method and device |
CN111262812A (en) * | 2018-11-30 | 2020-06-09 | 比亚迪股份有限公司 | Data packet screening method and device |
Also Published As
Publication number | Publication date |
---|---|
CN101459660A (en) | 2009-06-17 |
US20090158428A1 (en) | 2009-06-18 |
US8751787B2 (en) | 2014-06-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8751787B2 (en) | Method and device for integrating multiple threat security services | |
US7706378B2 (en) | Method and apparatus for processing network packets | |
EP1873992B1 (en) | Packet classification in a network security device | |
CN101213811B (en) | Multi-pattern packet content inspection mechanisms employing tagged values | |
CA2892471C (en) | Systems and methods for detecting and mitigating threats to a structured data storage system | |
US9769276B2 (en) | Real-time network monitoring and security | |
US7548848B1 (en) | Method and apparatus for semantic processing engine | |
US7954151B1 (en) | Partial document content matching using sectional analysis | |
US8522348B2 (en) | Matching with a large vulnerability signature ruleset for high performance network defense | |
US7302480B2 (en) | Monitoring the flow of a data stream | |
US6609205B1 (en) | Network intrusion detection signature analysis using decision graphs | |
US20030084326A1 (en) | Method, node and computer readable medium for identifying data in a network exploit | |
Li et al. | Netshield: massive semantics-based vulnerability signature matching for high-speed networks | |
CN108701187A (en) | Mixed hardware software distribution threat analysis | |
US20050091537A1 (en) | Inferring content sensitivity from partial content matching | |
KR20070087198A (en) | Network interface and firewall device | |
US20030084330A1 (en) | Node, method and computer readable medium for optimizing performance of signature rule matching in a network | |
Zhuang et al. | Applying data fusion in collaborative alerts correlation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WANG, BAI LING;REEL/FRAME:032639/0807 Effective date: 20140319 |
|
AS | Assignment |
Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD., SINGAPORE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111 Effective date: 20140926 Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD., Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111 Effective date: 20140926 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |