This application claims the priority of Korean Patent Application No. 2004-56415, filed on Jul. 20, 2004, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
1. Field of the Invention
The present invention relates to a packet intrusion detection method and apparatus, and more particularly, to a method and apparatus for simplifying intrusion detection rules so as to reduce the load of the intrusion detection process and to perform high-speed intrusion detection, and to a packet intrusion detection method and apparatus using the simplified intrusion detection rules.
2. Description of Related Art
An intrusion detection technique is classified into network-based and host (computer)-based techniques. In the network-based technique, intrusion detection is performed using network packets. In the host-based technique, it is performed using the log data of the associated system. Both techniques have conventionally been implemented as application programs rather than as kernel-based techniques within the system.
A conventional real-time kernel-based intrusion detection technique performs packet intrusion detection by modifying the kernel on the basis of the two techniques above, and supplements the kernel-based intrusion detection with an additional daemon program, that is, a monitoring program. However, the conventional kernel-based intrusion detection technique has the following limitations.
1) No effective method of generating intrusion detection rules within the kernel is provided. A large number of intrusion detection rules must be managed in kernel memory, and packet intrusion detection must be performed using these rules. Therefore, there is a need for an effective rule generation method that minimizes the load of the in-kernel intrusion detection process and enables high-speed packet intrusion detection.
2) No intrusion detection method suited to operation within the kernel is provided. In general, the in-kernel intrusion detection process requires a costly test process for every packet, so that a relatively heavy load may be imposed on the kernel. Therefore, there is a need for an in-kernel intrusion detection process that performs packet intrusion detection with a minimal test cost and an inexpensive detection cost.
3) No intrusion detection mode adaptable to network conditions is provided. In network nodes such as routers and switches, it is necessary to perform either simplified intrusion detection or full intrusion detection using the entire set of intrusion detection rules, depending on the network conditions or on an administrator's request. Therefore, there is a need to modify or control the in-kernel intrusion detection process from the user's application program level when necessary.
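The following is an added illustration, not code from the patent application or from any implementation it describes, of the two ideas behind limitations 2) and 3): the per-packet test cost grows with the number of rules evaluated, and a mode flag set from user space can restrict the kernel to a reduced ("essential") subset of the rule table. The rule format, the `essential` flag, the rule contents, the sample packets and the control function `ids_set_mode` (standing in for a sysctl- or ioctl-style interface) are all assumptions made for this example; the patent's own rule simplification method is not shown here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed rule table for this example (not the patent's rule format).
 * 'essential' marks rules that are still evaluated in simplified mode. */
struct rule {
    int         id;
    uint8_t     proto;      /* 6 = TCP, 17 = UDP */
    uint16_t    dport;      /* 0 = any destination port */
    const char *pattern;    /* payload substring to look for */
    int         essential;  /* 1: kept in simplified mode, 0: full mode only */
};

static const struct rule RULES[] = {
    { 1,  6, 80, "cmd.exe",            1 },
    { 2,  6, 80, "/etc/passwd",        1 },
    { 3,  6, 80, "../../",             0 },
    { 4, 17, 53, "version.bind",       0 },
    { 5,  6, 23, "root",               0 },
    { 6,  6,  0, "\x90\x90\x90\x90",   1 },  /* NOP sled on any TCP port */
};
#define NRULES (sizeof RULES / sizeof RULES[0])

enum ids_mode { IDS_MODE_SIMPLIFIED = 0, IDS_MODE_FULL = 1 };

/* Single mode word that user space would set through a control interface
 * (assumed here as a plain setter; a real kernel would expose a sysctl/ioctl). */
static volatile int ids_mode = IDS_MODE_FULL;

int ids_set_mode(int mode)
{
    if (mode != IDS_MODE_SIMPLIFIED && mode != IDS_MODE_FULL)
        return -1;              /* reject unknown modes from user space */
    ids_mode = mode;
    return 0;
}

struct inspect_result {
    int matched_rule;   /* rule id that fired, or 0 if none */
    int rules_tested;   /* number of rules evaluated: the per-packet test cost */
};

/* Naive substring search over a binary payload (the test step whose cost
 * the background section is concerned with). */
static int payload_contains(const uint8_t *p, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || plen > len)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(p + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Evaluate one packet against the rule table under the current mode.
 * In simplified mode non-essential rules are skipped entirely, so they
 * neither cost a test nor can they detect anything. */
struct inspect_result ids_inspect(uint8_t proto, uint16_t dport,
                                  const uint8_t *payload, size_t len)
{
    struct inspect_result r = { 0, 0 };
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *ru = &RULES[i];
        if (ids_mode == IDS_MODE_SIMPLIFIED && !ru->essential)
            continue;
        r.rules_tested++;
        if (ru->proto != proto)
            continue;
        if (ru->dport != 0 && ru->dport != dport)
            continue;
        if (!payload_contains(payload, len, ru->pattern))
            continue;
        r.matched_rule = ru->id;
        break;
    }
    return r;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t http[]   = "GET /../../x HTTP/1.0";
    const uint8_t telnet[] = "login: root";
    struct inspect_result r;

    ids_set_mode(IDS_MODE_FULL);
    r = ids_inspect(6, 80, http, sizeof http - 1);
    printf("full:       http   rule=%d tested=%d\n", r.matched_rule, r.rules_tested);
    r = ids_inspect(6, 23, telnet, sizeof telnet - 1);
    printf("full:       telnet rule=%d tested=%d\n", r.matched_rule, r.rules_tested);

    ids_set_mode(IDS_MODE_SIMPLIFIED);
    r = ids_inspect(6, 80, http, sizeof http - 1);
    printf("simplified: http   rule=%d tested=%d\n", r.matched_rule, r.rules_tested);
    r = ids_inspect(6, 23, telnet, sizeof telnet - 1);
    printf("simplified: telnet rule=%d tested=%d\n", r.matched_rule, r.rules_tested);
    return 0;
}
```

Running it shows the trade-off the background section describes: in full mode the telnet packet is caught by rule 5 after five tests, while in simplified mode the same packet is cleared after only three tests because rule 5 is never consulted. Which rules are "essential" is exactly the decision a rule simplification method has to make; this example only takes the flag as given.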