CN101505302A - Dynamic regulating method and system for security policy - Google Patents


Publication number
CN101505302A
Authority
CN
China
Legal status
Pending
Application number
CNA2009100783797A
Other languages
Chinese (zh)
Inventor
常铮
夏俊杰
Current Assignee
China United Network Communications Group Co Ltd
Beijing Telecom Planning and Designing Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Beijing Telecom Planning and Designing Institute Co Ltd
Application filed by China United Network Communications Group Co Ltd and Beijing Telecom Planning and Designing Institute Co Ltd
Priority to CNA2009100783797A
Publication of CN101505302A

Abstract

The invention discloses a dynamic adjustment method and system for a security policy. The method comprises: detecting any one or a combination of network link traffic, actual device processing capability and service type to obtain a detection result; and dynamically adjusting the current security policy according to the detection result. The system comprises a detection module and an adjustment module, wherein the detection module detects any one or a combination of network link traffic, actual device processing capability and service type to obtain the detection result, and the adjustment module dynamically adjusts the current security policy according to the detection result obtained by the detection module. The method and system achieve dynamic adjustment of the security policy of an intrusion prevention system and a dynamic balance between processing efficiency and security protection.

Description

Dynamic adjustment method and system for a security policy
Technical field
The present invention relates to network security technology, and in particular to a dynamic adjustment method and system for a security policy.
Background technology
With the continuous progress of network technology, network attack methods have become increasingly complex and diverse, and network security faces great challenges. Traditional information security protection systems use firewall technology and/or intrusion detection technology. A firewall deployed in-line can block attacks on the lower layers but cannot stop attacks on deeper layers such as the application layer. An intrusion detection system deployed in bypass mode can detect attacks on the deeper layers in time and so serves as an effective supplement to firewall technology, but it cannot block attacks in real time, that is, it cannot handle the growing number of "instantaneous" attacks. The intrusion prevention system emerged to ensure effective network security.
An intrusion prevention system is deployed in-line at the network egress, so all data from outside must pass through it serially before being delivered to the internal system. The intrusion prevention system uses active protection: it holds a large number of filters, and when a new attack method is discovered it creates a corresponding new filter. It inspects packets byte by byte and can detect and block attacks from the data link layer up to the application layer, which effectively protects the network. However, in the prior art the security policy of an intrusion prevention system is configured manually by the user in advance and remains fixed after configuration, whereas the actual traffic on the protected link changes in real time. If the configured security policy has a low security level, processing efficiency is guaranteed, but system resources sit idle when link traffic is low. If the configured security policy has a high security level, network security is guaranteed, but link bandwidth is restricted when link traffic is high, which affects users' normal use of services. In addition, different services used by the user place different requirements on network bandwidth and security. Because the security policy of a prior-art intrusion prevention system is a fixed configuration, it cannot be adjusted in real time according to network state and service information, and network security and network processing efficiency cannot both be accommodated.
Summary of the invention
The object of the present invention is to provide a dynamic adjustment method and system for a security policy that dynamically adjust the security policy of an intrusion prevention system and achieve a dynamic balance between processing efficiency and security protection.
To achieve this object, the invention provides a dynamic adjustment method for a security policy, comprising:
detecting any one or a combination of network link traffic, actual device processing capability and service type to obtain a detection result;
dynamically adjusting the current security policy according to the detection result.
The invention also provides a dynamic adjustment system for a security policy, comprising:
a detection module, configured to detect any one or a combination of network link traffic, actual device processing capability and service type to obtain a detection result;
an adjustment module, configured to dynamically adjust the current security policy according to the detection result obtained by the detection module.
The dynamic adjustment method and system for a security policy provided by the invention adjust the current security policy according to the detected network link traffic, actual device processing capability and service type, thereby dynamically adjusting the security policy of an intrusion prevention system and achieving a dynamic balance between processing efficiency and security protection.
Description of drawings
Fig. 1 is a flow chart of an embodiment of the dynamic adjustment method for a security policy of the present invention;
Fig. 2 is a structure diagram of one embodiment of the dynamic adjustment system for a security policy of the present invention;
Fig. 3 is a structure diagram of another embodiment of the dynamic adjustment system for a security policy of the present invention.
Embodiment
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
An intrusion prevention system is a security protection system that effectively prevents attacks. Using techniques such as traffic feature analysis and deep packet inspection, it detects and intercepts intrusion behaviour such as viruses, attacks and spam, and so implements a defence-in-depth security policy. The intrusion prevention system receives network data from the external system on one network port of the device and inspects it; once it has confirmed that the data contains no abnormal activity or suspicious content, it forwards the data to the internal system through another network port. If it finds an attack, it blocks it immediately, so that attack data from outside cannot enter the network across the network boundary. An intrusion prevention system is oriented towards active protection: it intercepts intrusion activity and offensive network traffic in advance, before damage is done, rather than simply raising an alarm while or after malicious traffic is delivered. The packet processing engine of the intrusion prevention system is a purpose-built custom integrated circuit that can inspect, byte by byte, the content of packets from the data link layer up to the application layer. An intrusion prevention system has several advantages, such as in-line (embedded) operation, in-depth analysis and control capability, a high-quality signature database and efficient processing capability. These characteristics allow it to inspect network data in real time and to block attacks effectively while protecting the network.
The security policy is the core of an intrusion prevention system, which provides effective and timely protection by deploying a reasonable security policy. In the prior art, however, the security policy of an intrusion prevention system is configured manually by the user, and the security level of the policy is fixed for a period of time. An intrusion prevention system with a fixed security level has many drawbacks: it cannot satisfy the user's particular needs, and the capability of the device and system cannot be fully used. To address this defect of existing intrusion prevention systems, the present invention provides a dynamic adjustment method for a security policy, so that the security policy in an intrusion prevention system can be adjusted dynamically according to the actual situation.
Fig. 1 is a flow chart of an embodiment of the dynamic adjustment method for a security policy of the present invention. As shown in Fig. 1, the dynamic adjustment method provided by the invention comprises the following steps:
Step 101: detect any one or a combination of network link traffic, actual device processing capability and service type to obtain a detection result.
Because users use the network with different frequency in different periods, and use it for different service types, the network state necessarily differs from period to period; for example, central processing unit (CPU) usage, memory usage, link bandwidth and the service types in use all differ from one point in time to another. Because the security policy of a prior-art intrusion prevention system is fixed once the user has configured it manually, and is therefore independent of changes in network state, the security policy and the network state will inevitably become mismatched: either the security level of the policy is too high for the network state, or the security level is so low that network resources sit idle for long periods. The present invention therefore detects the network state in each period, obtains a detection result, and adjusts the current security policy according to the detection result. The detected information includes, but is not limited to, network link traffic, actual device processing capability and service type. Network link traffic may include the peak link traffic and the mean link traffic; that is, the link traffic over a period is fully measured to reflect the actual state of the current link traffic. When link traffic is relatively low or relatively high, the security policy can be adjusted so that network resources are used fully and reasonably. Actual device processing capability may include CPU usage and memory usage; the overall capability level of the device is detected to reflect its current overall usage. When the actual device processing capability is relatively low or relatively high, the security policy can be adjusted to achieve the best device utilization. Service type is the type of the main service the user is currently using, such as mail service or audio/video service. Different service types place different requirements on network security, network bandwidth and so on, so detection determines whether the service has a high delay requirement, a strong security requirement, and so on. For example, mail service has a high security requirement: the user would rather sacrifice bandwidth than network security. Audio/video service has a high delay requirement: the user wants the current network bandwidth to be wide enough to keep the audio/video playing smoothly.
Step 102: dynamically adjust the current security policy according to the detection result.
After the detection result for the current state has been obtained, the current security policy is adjusted according to it, that is, according to the obtained peak link traffic, mean link traffic, CPU usage, memory usage and the service type currently in use. Before the security policy is adjusted, all the obtained information must be analysed and judged together so that the adjustment is reasonable for the current network state. If current link traffic is low, actual device processing capability is high and the delay requirement of the main service is low, the security policy of the intrusion prevention system can be adjusted to raise its security level and give the network higher-level protection. If current link traffic is high, actual device processing capability is low and the delay requirement of the main service is high, the security policy can be adjusted to lower its security level and improve the processing efficiency of the device. There are other cases as well; for example, when current link traffic is low but the delay requirement of the service is high, the overall state must be analysed comprehensively before deciding whether to adjust the current security policy and how.
The dynamic adjustment method for a security policy provided by the invention adjusts the current security policy according to the detected network link traffic, actual device processing capability and service type, thereby dynamically adjusting the security policy of an intrusion prevention system and achieving a dynamic balance between processing efficiency and security protection.
Specifically, step 101 may be: periodically detecting, according to a preset detection period, any one or a combination of network link traffic, actual device processing capability and service type. While the device is running, the current state is detected at a certain detection period. The user sets this period according to the conditions of the network itself: if the network state changes frequently, a shorter detection period is set; otherwise a longer one is set. The current state is monitored according to the configured detection period, that is, the peak link traffic, mean link traffic, CPU usage, memory usage and service type in use within the detection period are monitored. The state information for the detection period is obtained from the monitoring results.
Step 102 may be: according to the detection result, adjusting the enhanced security policies in the current security policy while keeping the basic security policy in the current security policy. In the embodiments of the invention, the security policy in the intrusion prevention system comprises a basic security policy and enhanced security policies. The basic security policy is deployed under all circumstances, and the enhanced security policies are adjusted dynamically according to the detection result, so that the security policy follows the actual state of the network while the basic protection function of the intrusion prevention system is guaranteed.
Further, the following steps are performed before step 101:
First, the basic security policy is set. The user sets the basic security policy of the intrusion prevention system according to the conditions of the network itself. The basic security policy may be a combination of one or more security policies with the lowest security level in the system. The intrusion prevention system stores all the security policies for the device; the basic security policy is one or more policies selected from them, and the remaining policies are enhanced security policies. In this embodiment, to ensure network security, the intrusion prevention system deploys the basic security policy under all circumstances.
Second, the security levels of the enhanced security policies are divided according to their protection capability and resource occupancy information. The protection an intrusion prevention system gives the network is determined by the security policies configured in it: different security policies correspond to different protection capabilities, and different security policies are distinguished by their security level. The user formulates all the security policies in the intrusion prevention system according to the characteristics of the user's own network. In this embodiment, the user divides the security levels of the enhanced security policies, that is, of the security policies other than the basic security policy, according to the protection capability and resource occupancy information of each policy; in other words, all enhanced security policies are ranked by security level according to their protection capability, resource occupancy and so on. When the security level of a policy is divided, its resource occupancy after deployment is considered in addition to its protection capability. A policy with very strong protection capability may occupy a large amount of resources, in which case adding it offers poor cost-performance. The resource occupancy information is therefore taken into account when dividing the security levels, to support the later adjustment of the security policy.
At initial configuration of the network device, the above process completes the configuration of the security levels of all security policies in the intrusion prevention system. In addition, when a new attack behaviour is found, the intrusion prevention system can create a new filter, that is, a new security policy. When a new security policy is created, the intrusion prevention system must update the current security policies to include it. Therefore, when the security policies in the intrusion prevention system are updated, the security level of the new policy must also be divided, using a method similar to the one above.
Further, adjusting the security policy in this embodiment may mean adding security policies or removing security policies. The step of adjusting the enhanced security policies in the current security policy according to the detection result, while keeping the basic security policy, may then be: if the obtained detection result is any one or a combination of the following situations, add enhanced security policies to the current security policy: the network link traffic is below a preset first link traffic threshold; the actual device processing capability is above a preset first device processing threshold; the security requirement of the service type is above a preset security requirement threshold. The first link traffic threshold, the first device processing threshold and the security requirement threshold are each a preset specific value or a preset specific range, which the user can set according to actual conditions. The obtained detection result is analysed and judged. If the network link traffic, including the mean link traffic and the peak link traffic within the detection period, is below the preset first link traffic threshold, that is, link traffic is low, this indicates that the security level of the current security policy is not high, and security policies can be added to raise the security level and improve the protection capability of the intrusion prevention system. Or, if the detected actual device processing capability, including CPU usage and memory usage, is above the preset first device processing threshold, that is, the actual processing capability is high (for example, CPU usage stays below 30% during the detection period), security policies can be added to raise the security level. Or, if detection finds that the security requirement of the main service the user is currently using is above the preset security requirement threshold, that is, the security requirement of the main service is high (for example, mail service is in use and the user wants stronger protection to ensure sufficient security), security policies are added to raise the security level and meet the user's security needs. Note that the step of adding security policies is performed whenever one of the above situations, or a combination of several, is detected; this is not repeated below.
Alternatively, if the obtained detection result is any one or a combination of the following situations, remove enhanced security policies from the current security policy: the network link traffic is above a preset second link traffic threshold; the actual device processing capability is below a preset second device processing threshold; the delay requirement of the service type is above a preset delay requirement threshold. The second link traffic threshold, the second device processing threshold and the security requirement threshold are each a preset specific value or a preset specific range, which the user can set according to actual conditions; the second link traffic threshold is greater than the first link traffic threshold, and the second device processing threshold is less than the first device processing threshold. The obtained detection result is analysed and judged. If the network link traffic, including the mean link traffic and the peak link traffic within the detection period, is above the preset second link traffic threshold, that is, link traffic is high, this indicates that the security level of the current security policy is high, and the security level can be lowered by removing security policies, reducing network traffic. Or, if the detected actual device processing capability, including CPU usage and memory usage, is below the preset second device processing threshold, that is, the actual processing capability is low (for example, CPU usage stays above 70% during the detection period), security policies can be removed to lower the security level and improve device processing efficiency. Or, if detection finds that the delay requirement of the main service the user is currently using is above the preset delay requirement threshold, that is, the delay requirement of the main service is high (for example, audio/video service is in use and the user wants more network bandwidth to ensure normal use of the service), security policies are removed to lower the security level, improve device processing efficiency and meet the user's needs. Note that the step of removing security policies is performed whenever one of the above situations, or a combination of several, is detected; this is not repeated below.
Specifically, adding an enhanced security policy to the current security policy comprises: selecting the enhanced security policy of a higher security level that matches the detection result; and adding that enhanced security policy to the current security policy. When the step of adding security policies is performed, one or more security policies are selected from the remaining enhanced security policies stored in the intrusion prevention system, namely the enhanced security policies that match the current detection results. Because the security levels of the enhanced security policies were divided beforehand according to their protection capability and resource occupancy information, the policy chosen for addition can be one that matches the detected current network link traffic, actual device processing capability and service type. "Matching" here may mean that the selected enhanced security policy is the one best suited to the current network state, that is, the policy with the best cost-performance once its protection capability, resource occupancy and so on are considered, so that adding it does not cause heavy resource consumption through the rise in security level.
Removing an enhanced security policy from the current security policy comprises: selecting, within the current security policy, the enhanced security policy whose security level matches the detection result; and deleting that enhanced security policy from the current security policy. When this step of the embodiment of the invention is performed, one or more enhanced security policies that match the current detection results are selected within the current security policy and deleted from it. Because the security levels of the enhanced security policies were divided beforehand according to their protection capability and resource occupancy information, the policy chosen for removal can be one that matches the detected current network link traffic, actual device processing capability and service type.
The invention thus provides a dynamic adjustment method for a security policy in which the basic security policy is deployed under all circumstances, the security levels of the enhanced security policies are divided, and the current security policy is adjusted according to the detected network link traffic, actual device processing capability and service type. The user's needs can therefore be met while the basic protection function is guaranteed, achieving a balance between network security and device processing efficiency.
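One way to implement a single adjustment cycle of the method described above (threshold checks, a fixed basic policy, enhanced policies ranked by protection capability against resource occupancy), given as an added example that is not code from the patent. The policy names, scores, threshold values, the capability formula, the use of peak traffic for the low check and mean traffic for the high check, and the rule that conflicting signals leave the policy unchanged are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    protection: int  # protection capability score (constructed)
    cost: int        # resource occupancy score (constructed)

    @property
    def value(self) -> float:
        # Ranking key for the security-level ordering: protection per resource.
        return self.protection / self.cost


@dataclass(frozen=True)
class Detection:
    link_peak: float   # peak link traffic in the detection period, Mbit/s
    link_mean: float   # mean link traffic in the detection period, Mbit/s
    cpu: float         # CPU usage, percent
    mem: float         # memory usage, percent
    security_req: int  # security requirement of the main service type, 0-10
    delay_req: int     # delay requirement of the main service type, 0-10

    @property
    def capability(self) -> float:
        # Assumption: spare capacity of the busier of CPU and memory.
        return 100.0 - max(self.cpu, self.mem)


@dataclass(frozen=True)
class Thresholds:
    link_first: float = 200.0    # peak below this: link lightly loaded
    link_second: float = 800.0   # mean above this: link heavily loaded
    device_first: float = 70.0   # capability above this = usage below 30 %
    device_second: float = 30.0  # capability below this = usage above 70 %
    security_req: int = 7
    delay_req: int = 7

    def __post_init__(self):
        # Ordering stated in the description: second link threshold above the
        # first, second device threshold below the first.
        if not (self.link_second > self.link_first
                and self.device_second < self.device_first):
            raise ValueError("thresholds violate the required ordering")


def decide(d: Detection, t: Thresholds) -> str:
    """Map one detection result to 'add', 'remove' or 'hold'."""
    add = (d.link_peak < t.link_first or d.capability > t.device_first
           or d.security_req > t.security_req)
    remove = (d.link_mean > t.link_second or d.capability < t.device_second
              or d.delay_req > t.delay_req)
    if add and remove:
        return "hold"  # assumption: conflicting signals change nothing
    return "add" if add else "remove" if remove else "hold"


def adjust(active: set, base: frozenset, catalog: dict, d: Detection,
           t: Thresholds = Thresholds()) -> tuple:
    """Run one adjustment cycle on `active`; return (action, policy name)."""
    action = decide(d, t)
    enhanced = [p for p in catalog.values() if p.name not in base]
    pick = None
    if action == "add":
        pool = [p for p in enhanced if p.name not in active]
        pick = max(pool, key=lambda p: p.value, default=None)
        if pick:
            active.add(pick.name)
    elif action == "remove":
        # Basic policies are never in the pool, so they can never be dropped.
        pool = [p for p in enhanced if p.name in active]
        pick = min(pool, key=lambda p: p.value, default=None)
        if pick:
            active.discard(pick.name)
    return (action, pick.name) if pick else ("hold", None)


# Constructed policy catalogue; names and scores are illustrative only.
CATALOG = {p.name: p for p in (
    Policy("l2-l4-filters", 3, 1),
    Policy("mail-attachment-scan", 9, 3),
    Policy("http-deep-inspection", 8, 4),
    Policy("full-stream-reassembly", 10, 8),
)}
BASE = frozenset({"l2-l4-filters"})

# Constructed detection results for two kinds of detection period.
QUIET_MAIL = Detection(120, 60, 22, 25, security_req=9, delay_req=2)
BUSY_VIDEO = Detection(950, 870, 81, 64, security_req=3, delay_req=9)


def demo() -> list:
    active = set(BASE)
    return [adjust(active, BASE, CATALOG, d)
            for d in (QUIET_MAIL, QUIET_MAIL, BUSY_VIDEO)] + [sorted(active)]
```

Calling demo() runs two quiet mail periods followed by one busy audio/video period and returns the three actions taken plus the resulting active policy set.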
Fig. 2 is a structure diagram of one embodiment of the dynamic adjustment system for a security policy of the present invention. As shown in Fig. 2, the dynamic adjustment system comprises a detection module 1 and an adjustment module 2. The detection module 1 is configured to detect any one or a combination of network link traffic, actual device processing capability and/or service type to obtain a detection result. The adjustment module 2 is configured to adjust the current security policy according to the detection result obtained by the detection module 1. Specifically, after the detection module 1 obtains the current detection result, the adjustment module 2 adjusts the current security policy according to the obtained peak link traffic, mean link traffic, CPU usage, memory usage and the service type currently in use. In this embodiment, the adjustment performed by the adjustment module 2 may be adding security policies or removing security policies. The operation of the adjustment module 2 may then be: if the obtained network link traffic is low, or the actual device processing capability is high, or the security requirement of the service type is high, add enhanced security policies to the current security policy. Alternatively, if the obtained network link traffic is high, or the actual device processing capability is low, or the delay requirement of the service type is high, remove enhanced security policies from the current security policy.
The invention thus provides a dynamic adjustment system for a security policy in which the detection module detects network link traffic, actual device processing capability and service type, and the adjustment module adjusts the current security policy accordingly. This dynamically adjusts the security policy of the intrusion prevention system and achieves a balance between network security and device processing efficiency.
Fig. 3 is the structure chart of another embodiment of dynamic debugging system of security strategy of the present invention, as shown in Figure 2, the difference of present embodiment and the foregoing description is that the dynamic debugging system of a kind of security strategy that this embodiment provides also comprises: module 3 and grade classification module 4 are set.Wherein, the basic security strategy that module 3 is used for being provided with current security strategy is set.Grade classification module 4 is used for according to the protective capacities of the enhancing security strategy of current security strategy and resource occupation information, and the safe class that strengthens security strategy is divided.The user is according to the situation of network self, by the basic security strategy that module 3 is provided with intrusion prevention system is set, the basic security strategy can be for the safe class of system the combination of one or more minimum security strategies.In the present embodiment, in order to guarantee the safety of network, under any circumstance, intrusion prevention system all disposes this basic security strategy.In the present embodiment, the user divides by 4 pairs of safe classes that strengthen security strategy of grade classification module according to the protective capacities and the resource occupation information of security strategy.
Specifically, adjustment module 2 may comprise a first policy selection unit 21 and a first policy adjustment unit 22. The first policy selection unit 21 is used to select the enhanced security policy corresponding to the security level that matches the detection result obtained by detection module 1. The first policy adjustment unit 22 is used to add the enhanced security policy selected by the first policy selection unit 21 to the current security policy. Alternatively, adjustment module 2 may comprise a second policy selection unit and a second policy adjustment unit. The second policy selection unit is used to select, within the current security policy, the enhanced security policy corresponding to the security level that matches the detection result obtained by detection module 1. The second policy adjustment unit is used to delete the enhanced security policy selected by the second policy selection unit from the current security policy.
The invention provides a dynamic adjustment system for a security policy in which the setting module sets the basic security policy, the grade classification module classifies the security levels of the enhanced security policies, the detection module detects the network link traffic, the actual processing capability of the device and the service type, and the adjustment module adjusts the current security policy accordingly. On the basis of guaranteeing the basic security protection function, the system can thus meet the user's needs and achieve a balance between network security and device processing efficiency.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
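The adjustment logic of the embodiments above (thresholds, graded enhanced policies, a basic set that is never removed, periodic detection), as an added example that is not part of the patent text. The policy names, threshold values, the 0-10 requirement scales, the grade-matching rule (number of conditions that fired), the use of peak traffic for the reduce test and average traffic for the increase test, and holding when signals conflict are all assumptions.

```python
from dataclasses import dataclass

# Constructed policy names; the patent names no concrete policies.
BASIC = frozenset({"protocol-anomaly", "known-worm-signatures"})  # always kept
# Enhanced policies graded by protection capability and resource cost (assumed grades).
ENHANCED = {"web-attack-signatures": 1, "file-malware-scan": 2, "full-payload-dpi": 3}
MAX_GRADE = max(ENHANCED.values())

@dataclass(frozen=True)
class Detection:
    peak_mbps: float    # network link peak traffic
    avg_mbps: float     # network link average traffic
    cpu_pct: float      # CPU usage
    mem_pct: float      # memory usage
    security_req: int   # security requirement of the service type, 0-10 (assumed scale)
    latency_req: int    # latency requirement of the service type, 0-10 (assumed scale)

@dataclass(frozen=True)
class Thresholds:       # all values are assumptions
    link_low_mbps: float = 200.0   # first preset link traffic threshold
    link_high_mbps: float = 800.0  # second preset link traffic threshold
    load_low_pct: float = 40.0     # load below this = capability above first device threshold
    load_high_pct: float = 80.0    # load above this = capability below second device threshold
    security_req: int = 7
    latency_req: int = 7

def grade(d, t):
    """Return (action, strength); strength counts how many conditions fired."""
    load = max(d.cpu_pct, d.mem_pct)
    up = [d.avg_mbps < t.link_low_mbps, load < t.load_low_pct,
          d.security_req > t.security_req]
    down = [d.peak_mbps > t.link_high_mbps, load > t.load_high_pct,
            d.latency_req > t.latency_req]
    if any(up) and any(down):
        return "hold", 0            # assumption: conflicting signals change nothing
    if any(up):
        return "increase", sum(up)
    if any(down):
        return "reduce", sum(down)
    return "hold", 0

def adjust(current, d, t=Thresholds()):
    """One adjustment step; the basic policies survive every outcome."""
    action, n = grade(d, t)
    enhanced = set(current) - BASIC
    if action == "increase":        # add every grade the headroom supports
        enhanced |= {p for p, g in ENHANCED.items() if g <= n}
    elif action == "reduce":        # shed the most expensive grades first
        enhanced -= {p for p, g in ENHANCED.items() if g > MAX_GRADE - n}
    return BASIC | frozenset(enhanced), action

def run(samples, t=Thresholds()):
    """Apply one step per detection cycle; return (action, enhanced) per cycle."""
    current, log = BASIC, []
    for d in samples:
        current, action = adjust(current, d, t)
        log.append((action, sorted(current - BASIC)))
    return log

# Constructed detection results, one per detection cycle.
SAMPLES = [
    Detection(150, 90, 20, 30, 5, 3),    # idle link, idle device
    Detection(950, 600, 85, 60, 5, 3),   # traffic peak and high CPU
    Detection(900, 100, 50, 50, 5, 3),   # bursty: low average, high peak
    Detection(950, 850, 95, 90, 2, 9),   # saturated, latency-sensitive service
]

if __name__ == "__main__":
    for action, enhanced in run(SAMPLES):
        print(action, enhanced)
```

Because load alone can trigger the reduce branch, the basic set is the only protection guaranteed under sustained high traffic, so it has to be sized for that case.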

Claims (13)

1. A method for dynamically adjusting a security policy, characterized by comprising:
Detecting any one or any combination of network link traffic, actual processing capability of a device and service type, to obtain a detection result;
Dynamically adjusting the current security policy according to the detection result.
2. The method for dynamically adjusting a security policy according to claim 1, characterized in that dynamically adjusting the current security policy according to the detection result is specifically:
According to the detection result, dynamically adjusting the enhanced security policies in the current security policy while retaining the basic security policy in the current security policy.
3. The method for dynamically adjusting a security policy according to claim 2, characterized in that, before detecting any one or any combination of the network link traffic, the actual processing capability of the device and the service type, the method further comprises:
Setting the basic security policy;
Classifying the security levels of the enhanced security policies according to the protection capability and resource occupation information of the enhanced security policies.
4. The method for dynamically adjusting a security policy according to claim 2 or 3, characterized in that dynamically adjusting, according to the detection result, the enhanced security policies in the current security policy while retaining the basic security policy in the current security policy is specifically:
If the detection result comprises any one or any combination of the network link traffic being lower than a first preset link traffic threshold, the actual processing capability of the device being higher than a first preset device processing threshold, and the security requirement of the service type being higher than a preset security requirement threshold, increasing the enhanced security policies in the current security policy;
If the detection result comprises any one or any combination of the network link traffic being higher than a second preset link traffic threshold, the actual processing capability of the device being lower than a second preset device processing threshold, and the latency requirement of the service type being higher than a latency requirement threshold, reducing the enhanced security policies in the current security policy.
5. The method for dynamically adjusting a security policy according to claim 4, characterized in that increasing the enhanced security policies in the current security policy is specifically:
Selecting the enhanced security policy corresponding to the security level that matches the detection result;
Adding the enhanced security policy to the current security policy.
6. The method for dynamically adjusting a security policy according to claim 4, characterized in that reducing the enhanced security policies in the current security policy is specifically:
Selecting, in the current security policy, the enhanced security policy corresponding to the security level that matches the detection result;
Deleting the enhanced security policy from the current security policy.
7. The method for dynamically adjusting a security policy according to claim 1, characterized in that detecting any one or any combination of the network link traffic, the actual processing capability of the device and the service type is specifically:
According to a preset detection period, periodically detecting any one or any combination of the network link traffic, the actual processing capability of the device and the service type.
8. The method for dynamically adjusting a security policy according to claim 7, characterized in that the network link traffic comprises network link peak traffic and network link average traffic.
9. The method for dynamically adjusting a security policy according to claim 7, characterized in that the actual processing capability of the device comprises central processing unit usage and memory usage.
10. A system for dynamically adjusting a security policy, characterized by comprising:
A detection module, used to detect any one or any combination of network link traffic, actual processing capability of a device and service type, to obtain a detection result;
An adjustment module, used to dynamically adjust the current security policy according to the detection result obtained by the detection module.
11. The system for dynamically adjusting a security policy according to claim 10, characterized by further comprising:
A setting module, used to set the basic security policy in the current security policy;
A grade classification module, used to classify the security levels of the enhanced security policies according to the protection capability and resource occupation information of the enhanced security policies in the current security policy.
12. The system for dynamically adjusting a security policy according to claim 11, characterized in that the adjustment module comprises:
A first policy selection unit, used to select the enhanced security policy corresponding to the security level that matches the detection result obtained by the detection module;
A first policy adjustment unit, used to add the enhanced security policy selected by the first policy selection unit to the current security policy.
13. The system for dynamically adjusting a security policy according to claim 11, characterized in that the adjustment module comprises:
A second policy selection unit, used to select, in the current security policy, the enhanced security policy corresponding to the security level that matches the detection result;
A second policy adjustment unit, used to delete the enhanced security policy from the current security policy.
CNA2009100783797A 2009-02-26 2009-02-26 Dynamic regulating method and system for security policy Pending CN101505302A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100783797A CN101505302A (en) 2009-02-26 2009-02-26 Dynamic regulating method and system for security policy

Publications (1)

Publication Number Publication Date
CN101505302A true CN101505302A (en) 2009-08-12

Family

ID=40977369

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009100783797A Pending CN101505302A (en) 2009-02-26 2009-02-26 Dynamic regulating method and system for security policy

Country Status (1)

Country Link
CN (1) CN101505302A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090812