Intrusion detection and authority management system based on embedded system

zhaozj2021-02-16  77

Http://91mail.51.net

Abstract: This paper introduces the main functions of an intrusion detection and authority management system based on an embedded system, lists its software and hardware configuration in detail, and describes the advantages the system has over other products.

Keywords: embedded system, intrusion detection, authority management, artificial intelligence

Intrusion detection and authority management are currently two hotspots in network security, but most such products take the form of software whose runtime performance depends on the underlying operating system and server, so in execution efficiency, stability and similar respects they cannot compare with pure hardware products. We implant our intrusion detection and authority management software into an embedded system, which greatly improves the operating speed and stability of the system.

This system mainly has the following functions:

1. Intrusion detection. The system works in a rule-based mode, matching rules against packet content to detect many different intrusion behaviors and probing activities, such as buffer overflows, stealth port scans, CGI attacks and SMB probes. It provides real-time alarms and intrusion prevention: it can write alert information to the system log file and block the intrusion behavior.

2. Permission management. The system can control access to the WAN and access between intranet computers, and grades the access rights of the intranet computers.

3. Encryption of information exchanged between intranet computers.

4. Alarms on abnormal operations by internal personnel. For example, if a computer on the internal network is monitoring the network, the system immediately displays the IP address and computer name of that computer and sounds a warning to prompt the administrator to deal with it.

The main function of this system is intrusion detection. By analysis method, intrusion detection is divided into two models: the anomaly detection model and the misuse detection model. The anomaly detection model summarizes the characteristics of normal operation. Once the model has been built, subsequent operations are monitored, and an alarm is raised as soon as an operation pattern that deviates from the statistical norm is found. This system uses the misuse detection model. The misuse detection model collects the characteristics of abnormal operations and builds a feature library from them, based on artificial-intelligence forward reasoning. In subsequent operation, the collected data is compared against the signatures in the feature library to conclude whether an intrusion has occurred.
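The misuse-detection step described above, as an added example that is not the paper's code: packet payloads are compared against a small feature library of byte signatures, each optionally bound to a destination port. The signature ids, patterns and messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One feature-library entry: a byte pattern, optionally tied to a port. */
struct signature {
    int id;
    unsigned short dst_port;          /* 0 = match on any port */
    const unsigned char *pattern;
    size_t len;
    const char *msg;
};

/* Constructed sample signatures (illustrative, not taken from the paper). */
static const struct signature feature_lib[] = {
    {1001, 80, (const unsigned char *)"/cgi-bin/phf", 12, "CGI probe"},
    {1002, 0, (const unsigned char *)"\x90\x90\x90\x90\x90\x90\x90\x90", 8, "NOP sled"},
};
#define N_SIGS (sizeof feature_lib / sizeof feature_lib[0])

/* Binary-safe search: payloads may contain NUL bytes, so strstr() cannot be used. */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Returns the first matching signature, or NULL when no signature matches. */
const struct signature *match_packet(unsigned short dst_port,
                                     const unsigned char *payload, size_t len)
{
    for (size_t i = 0; i < N_SIGS; i++) {
        const struct signature *s = &feature_lib[i];
        if (s->dst_port != 0 && s->dst_port != dst_port) continue;
        if (contains(payload, len, s->pattern, s->len)) return s;
    }
    return NULL;
}

int main(void)
{
    const char *req = "GET /cgi-bin/phf HTTP/1.0\r\n\r\n";   /* constructed sample */
    const struct signature *hit = match_packet(80, (const unsigned char *)req, strlen(req));
    if (hit) printf("ALERT sid=%d %s\n", hit->id, hit->msg);
    return 0;
}
```

A miss only means no known signature matched, which is the characteristic limitation of the misuse model compared with the anomaly model.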

The intrusion detection module of this system is developed in standard C, a high-level language, and complies with the CIDF standard framework model. It has a good user interface, is portable, and has undergone long-term testing. The structural diagram of the intrusion detection module is shown in Figure 1. The decoding module and the rule processing module are the core of the program. The decoding module mainly uses computer immune technology, neural network technology and genetic algorithms, and the rule processing module integrates various rules for different network applications. In addition to its basic function, the intrusion detection module provides functions such as network sniffing and packet analysis. After it is implanted into the embedded system, the entire program is burned into Flash, so not only is the program's operation greatly improved, but the security of the application is improved as well.

The authority management module of this system is implemented on the basis of the Lightweight Directory Access Protocol (LDAP) and the Address Resolution Protocol (ARP). LDAP is a software protocol that allows anyone to find organizations, individuals, or other resources such as files, whether on the public Internet or on an intranet. As the name suggests, LDAP is a "lightweight" (smaller amount of code) version of DAP (Directory Access Protocol), which is part of the network directory service standard X.500. ARP, the address resolution protocol, is a link-layer protocol. It works in the second layer of Figure 2, at the layer that interfaces with the hardware, and serves the upper layer (the network layer). The computer information of the intranet is stored in the LDAP tree database, and the ARP caches in the intranet are then controlled in real time through the ARP protocol to implement permission management for the entire internal network.

Finally, the hardware and software required by the system are described.

Hardware basic configuration: MPC8245 32-bit processor, 665 Dhrystone 2.1 MIPS @ 350 MHz; two pieces of 16 × 2M bit data width Flash; 256M bytes of SDRAM; four standard 1000M optical ports, etc. The configuration can be changed according to user requirements.

Software configuration: embedded Linux system and source code.
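An added example (not the paper's code) of one check the LDAP plus ARP design above implies: validating the sender binding in an ARP message against the host records kept in the directory. The in-memory `directory` table stands in for an LDAP lookup, and the record layout, access levels and addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum level   { LVL_BLOCKED, LVL_INTRANET, LVL_WAN };
enum verdict { ARP_OK, ARP_MALFORMED, ARP_UNKNOWN_HOST, ARP_MAC_MISMATCH };

/* One intranet computer as the directory might record it (constructed data). */
struct host_record { uint8_t ip[4]; uint8_t mac[6]; enum level level; };
static const struct host_record directory[] = {
    {{192, 168, 1, 10}, {0x02, 0, 0, 0, 0, 0x0a}, LVL_WAN},
    {{192, 168, 1, 11}, {0x02, 0, 0, 0, 0, 0x0b}, LVL_INTRANET},
};
#define N_HOSTS (sizeof directory / sizeof directory[0])

/* Validate the 28-byte Ethernet/IPv4 ARP body that follows the Ethernet header.
 * On ARP_OK, *lvl receives the access level recorded for the sender. */
enum verdict check_arp(const uint8_t *arp, size_t len, enum level *lvl)
{
    /* htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4 */
    static const uint8_t eth_ipv4[6] = {0x00, 0x01, 0x08, 0x00, 6, 4};
    if (len < 28 || memcmp(arp, eth_ipv4, 6) != 0)
        return ARP_MALFORMED;
    const uint8_t *sha = arp + 8;    /* sender hardware (MAC) address */
    const uint8_t *spa = arp + 14;   /* sender protocol (IPv4) address */
    for (size_t i = 0; i < N_HOSTS; i++) {
        if (memcmp(directory[i].ip, spa, 4) != 0)
            continue;
        if (memcmp(directory[i].mac, sha, 6) != 0)
            return ARP_MAC_MISMATCH; /* registered IP claimed by another MAC */
        *lvl = directory[i].level;
        return ARP_OK;
    }
    return ARP_UNKNOWN_HOST;         /* sender is not in the directory */
}

int main(void)
{
    /* Constructed ARP reply: 192.168.1.10 announced by an unregistered MAC. */
    const uint8_t pkt[28] = {0, 1, 8, 0, 6, 4, 0, 2,
                             0x02, 0, 0, 0, 0, 0xff, 192, 168, 1, 10};
    enum level lvl = LVL_BLOCKED;
    printf("verdict=%d\n", check_arp(pkt, sizeof pkt, &lvl));
    return 0;
}
```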

In summary, the system has the following characteristics:

1. Implanting the software into an embedded system improves the execution efficiency, security, and stability of the program.

2. Artificial intelligence technology is used to develop the theory of the misuse detection model, which greatly improves detection efficiency.

3. The decoding module fuses computer immune technology, neural network technology and genetic algorithms, improving the efficiency of understanding.

Implementing the intrusion detection and authority management system in hardware, on the basis of an embedded system, improves the security of the system, saves hardware investment, and simplifies management processes, and it will have broad application prospects in our country's informatization process.

