
Research, Script-based Intrusion Prevention System

Posted on: 2009-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: B Liang
Full Text: PDF
GTID: 2208330332476595
Subject: Computer software and theory
Abstract/Summary:
IPS (Intrusion Prevention and Protection System) is a new network security technology that combines a variety of security technologies, such as firewalls, intrusion detection, anti-virus and vulnerability scanning, to provide comprehensive and intensive security at the network border.

Today, commercial IPS products are usually implemented on specific hardware and operating systems, which limits the universality and scalability of the system. As hardware computing power grows and intrusions diversify, the cost is bound to increase because of the dedicated detection equipment. A relatively fixed policy cannot detect every kind of intrusion, so detection accuracy drops.

In this paper, by separating mechanism from policy in the general case, we implement a script interpreter for policies (strategies). We then use the script interpreter to interpret and execute the analysis script. The script can track reassembled messages across the entire session and detect abnormal behavior. In addition, the script can analyze the events generated by the engine. When an attack signature is found, it triggers the corresponding operation, such as raising an alarm, recording, creating a new event, or blocking.

The script-based intrusion prevention system consists of three parts:

(1) Event generation engine: it monitors the network card and uses dynamic protocol detection technology to identify the protocol class of the captured data messages. According to the protocol type, it determines the current state of the connection and provides different events for the script to handle.

(2) Policy script interpreter: it interprets and executes the policy script. The script language can analyze the abstract events. Combining the application-layer protocol analysis of the event generation engine with the analysis ability of the script provides more powerful intrusion detection. Both script interpretation and regular-expression matching operate on the reassembled data of a complete session, which achieves fine-grained detection and improves the accuracy of intrusion detection.

(3) Blocking and linkage technology: according to the events abstracted by the policy script interpreter, the IPS blocking modules construct iptables commands to drive the kernel firewall, or construct command lines through scripts to drive other defense modules, in order to block the intrusion.

We tested the IPS in a real environment, using a general-purpose computer platform and a gigabit network environment. The result is satisfactory.
Keywords/Search Tags: Policy Script, Intrusion Detection, Prevention blocking