CN106375330B - Data detection method and device - Google Patents


Info

Publication number
CN106375330B
Authority
CN
China
Prior art keywords
data packet
working mode
bypass
detection
attribute
Prior art date
Legal status
Active
Application number
CN201610837999.4A
Other languages
Chinese (zh)
Other versions
CN106375330A (en
Inventor
金健
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data detection method and device. It relates to the technical field of the Internet and solves the problem that developing two separate IPS systems, one for each deployment mode, is costly. The method comprises the following steps: acquiring the working mode attribute of the security domain to which a data packet ingress interface belongs, where the working mode attribute is either an online working mode or a bypass working mode, and the data packet ingress interface is a network port through which an intrusion prevention system (IPS) receives data packets; after receiving a data packet, determining the detection process for that packet according to the working mode attribute of the corresponding security domain; if the working mode attribute is the online working mode, executing the online detection process; and if it is the bypass working mode, executing the bypass detection process. The invention is applied to Internet intrusion prevention.

Description

Data detection method and device
Technical Field
The invention relates to the technical field of the Internet, in particular to a data detection method and device.
Background
The Internet has become an important part of the daily operation of many enterprise organizations, but it carries high risk: security problems such as malicious attacks exist, so solving Internet security problems is very important. A firewall is a widely used security system for protecting Internet-connected networks, but a firewall cannot detect deep intrusion threats. As a complement to the firewall, the Intrusion Prevention System (IPS) appeared; it is a security system capable of detecting and defending against deep intrusion threats.
An IPS is typically deployed at the ingress and egress of a network, i.e., on the data forwarding path. An IPS has two deployment modes: an online deployment mode and a bypass deployment mode. In the online deployment mode the IPS is connected into the network in series; it can perform deep inspection on every data packet passing through it and defend against malicious behaviour found during inspection, for example by discarding malicious data packets or cutting off application sessions. In the bypass deployment mode the IPS is attached to the network over a separate line, usually to a switch; the IPS inspects the data packets mirrored to it by the switch and, when malicious behaviour is found, takes measures such as recording and alarming.
In practical application, because in the online deployment mode the IPS is connected directly in series in the network to inspect and defend data packets, a detection error is likely to affect the original data interaction between the networks; the bypass deployment mode is not connected in series, so even if a detection error occurs, data interaction between the networks is not affected. Therefore, during the trial operation stage of an IPS, in order to reduce the impact on the original data interaction between the networks, the bypass mode is usually used to deploy the IPS as a transition, and once the detection accuracy of the IPS has stabilised in the trial operation stage, the online deployment mode is used to deploy the IPS at the network ingress/egress. Because the two IPS modes are used one after the other, two sets of systems need to be developed, an IPS in online deployment mode and an IPS in bypass deployment mode, and because the two deployment modes differ, the corresponding data packet detection modes also differ considerably, so the development cost of developing the two sets of systems separately is high.
Disclosure of Invention
In view of the above problems, the present invention provides a method and an apparatus for data detection, so as to solve the problem of relatively high development cost of developing two sets of IPS with different deployment modes.
In one aspect, the present invention provides a method for data detection, including:
acquiring the working mode attribute of a security domain to which a data packet ingress interface belongs, wherein the working mode attribute is either an online working mode or a bypass working mode, and the data packet ingress interface is a network port through which an intrusion prevention system (IPS) receives data packets;
after receiving the data packet, determining a detection process of the data packet according to the working mode attribute of the corresponding security domain;
if the working mode attribute is an online working mode, executing an online detection process;
and if the working mode attribute is the bypass working mode, executing a bypass detection process.
In another aspect, the present invention provides an apparatus for data detection, including:
an attribute acquisition unit, configured to acquire the working mode attribute of a security domain to which a data packet ingress interface belongs, wherein the working mode attribute is either an online working mode or a bypass working mode, and the data packet ingress interface is a network port through which an intrusion prevention system (IPS) receives data packets;
the flow determining unit is used for determining the detection flow of the data packet according to the working mode attribute of the corresponding security domain after receiving the data packet;
the first execution unit is used for executing the online detection process if the working mode attribute is the online working mode;
and the second execution unit is used for executing the bypass detection process if the working mode attribute is the bypass working mode.
The data detection method and the data detection device provided by the invention can firstly obtain the working mode attribute of the security domain to which the data packet inlet interface belongs, wherein the working mode attribute comprises an online working mode and a bypass working mode; secondly, determining a detection process of the data packet according to the working mode attribute of the security domain corresponding to the data packet; if the working mode attribute is an online working mode, executing an online detection process; and if the working mode attribute is the bypass working mode, executing a bypass detection process. Compared with the prior art, the data packet detection process can be controlled by the working mode attribute of the security domain corresponding to the data packet, and one set of IPS can support both an online detection mode and a bypass detection mode, so that one set of IPS can be deployed in the online mode and the bypass mode, and the development cost is greatly reduced compared with the existing IPS for developing two sets of different deployment modes.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for data detection according to an embodiment of the present invention;
FIG. 2 is a block diagram illustrating an apparatus for data detection according to an embodiment of the present invention;
FIG. 3 is a block diagram illustrating another apparatus for data detection according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to solve the problem that the development cost of the existing IPS for developing two different deployment modes is high, the embodiment of the invention provides a data detection method, as shown in FIG. 1, the method comprises the following steps:
101. Acquire the working mode attribute of the security domain to which the data packet ingress interface belongs.
Before the working mode attribute of the security domain to which the data packet ingress interface belongs can be obtained, security domains need to be divided. Different computer terminals are connected to the IPS through different interfaces, so security domains are divided according to the user level of the computer terminal: for example, a staff security domain and a boss security domain may be defined, where the boss security domain has a higher detection level and the staff security domain a lower one. Different detection levels correspond to different depths of the packet detection strategy, which is why security domains usually need to be partitioned. The interface of the IPS to which a computer terminal is connected is the data packet ingress interface, i.e., the network port through which the IPS receives data packets.
The working mode attributes of the security domain comprise an online working mode and a bypass working mode, and different working mode attributes are freely selected by a user when the security domain is created.
102. Determine the detection flow of the data packet according to the working mode attribute of the corresponding security domain.
Different working mode attributes correspond to different data packet detection processes, so after the IPS receives a data packet, the IPS needs to select a corresponding detection process for detecting the data packet according to the working mode attribute of the corresponding security domain.
103. If the working mode attribute is the online working mode, execute the online detection process.
It should be noted that the IPS contains only one complete data packet detection flow; the online detection flow and the bypass detection flow described below are each composed of all or part of the links of that complete flow. The complete data packet detection flow consists of the following links, executed in this order: data packet inspection, session management, rule control, routing, protocol inspection, data stream reassembly, attack detection, log collection and data packet sending.
Specifically, in this embodiment, the online detection process is composed of all links in the complete data packet detection process.
104. If the working mode attribute is the bypass working mode, execute the bypass detection process.
In this embodiment, the bypass detection process is composed of a subset of the links of the complete IPS data packet detection flow, namely all detection links other than those related to data packet transmission.
It should be noted that the bypass working mode corresponds to the bypass deployment mode of the IPS. In the bypass deployment mode there is only an ingress that receives data packets and no egress that sends them, so when the bypass detection process is executed, the detection links related to data packet sending are not executed.
Further, different working mode attributes may be selected for different security domains, so one set of IPS in this embodiment can run the online detection process and the bypass detection process at the same time.
The data detection method provided by the embodiment of the invention can firstly obtain the working mode attribute of the security domain to which the data packet inlet interface belongs, wherein the working mode attribute comprises an online working mode and a bypass working mode; secondly, determining a detection process of the data packet according to the working mode attribute of the security domain corresponding to the data packet; if the working mode attribute is an online working mode, executing an online detection process; and if the working mode attribute is the bypass working mode, executing a bypass detection process. Compared with the prior art, the data packet detection process of the embodiment of the invention can be controlled by the working mode attribute of the security domain corresponding to the data packet, and one set of IPS can support both an online detection mode and a bypass detection mode, so that one set of IPS can be deployed in both the online mode and the bypass mode, and the development cost is greatly reduced compared with the existing IPS for developing two sets of different deployment modes.
Further, the data detection method shown in fig. 1 is refined and expanded, and the specific refinement and expansion are as follows:
generally, in the on-line detection process, an ingress interface of a packet and an egress interface of the packet need to be determined, and in the bypass detection process, only the ingress interface of the packet needs to be determined. In this embodiment, since the bypass detection flow and the online detection flow share a complete data packet detection flow, in order to satisfy the requirements of the two detection flows and ensure the reusability of the egress interface, the egress interface of the data packet is set as the ingress interface when the bypass detection flow is executed, so that the egress interface of the data packet is consistent with the ingress interface of the data packet, which can ensure the requirement that the data packet does not send out in the bypass detection flow and also does not affect the determination of the egress interface of the data packet in the online detection flow. Specifically, in the online detection process, the egress interface of the data packet may be determined by a routing link. The method for determining the exit interface through the routing link includes two modes: in the first mode, an outlet interface of a data packet is determined through a routing function program and a neighbor function program in a routing link; in the second mode, the determination is performed through a cam table of a two-layer switch address table included in the routing link, and a corresponding relationship between a physical address (Media Access Control, MAC) address corresponding to the data packet and an egress interface of the data packet is recorded in the cam table, so that the egress interface of the data packet can be determined by querying the cam table.
Further, except for not executing a detection link related to data packet Transmission in the bypass detection process, when executing a protocol check loop, since the bypass detection process cannot receive all data packets, that is, an interactive process of a complete session cannot be obtained, a Transmission Control Protocol (TCP) state machine check in the protocol check link cannot be executed.
Further, the implementation process of only executing part of links in the complete IPS data packet detection process for the bypass detection process is as follows: before executing a detection link related to data packet sending, judging the working mode attribute of a security domain corresponding to the data packet; and if the working mode attribute of the security domain is the bypass working mode, executing the next link of the detection link related to the data packet sending. Similarly, the implementation manner for not performing the TCP state machine check in the protocol checking link is as follows: before TCP state machine inspection is executed, judging the working mode attribute of a security domain corresponding to a data packet; and if the working mode attribute of the security domain is the bypass working mode, skipping the TCP state machine check to execute the next check.
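The mode-selected detection flow of steps 101 to 104, together with the three refinements above (egress set equal to ingress in bypass mode, egress lookup through the CAM table in online mode, and the bypass-mode skips of the sending-related links and of the TCP state machine check), as an added Python example; it is not code from the patent or from any Neusoft product. The link names follow the order the description gives, but the SecurityDomain, Packet and Ips classes, the two-port CAM table and the demo() deployment are all constructed for illustration; the patent does not specify how its links are implemented.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class WorkMode(Enum):
    ONLINE = "online"
    BYPASS = "bypass"


@dataclass
class SecurityDomain:
    name: str
    mode: WorkMode        # working mode attribute chosen when the domain is created
    interfaces: Set[str]  # IPS network ports (ingress interfaces) in this domain


@dataclass
class Packet:
    ingress: str
    dst_mac: str
    payload: bytes
    egress: Optional[str] = None
    sent: bool = False
    trace: List[str] = field(default_factory=list)  # links run or skipped


class Ips:
    """One complete detection flow; the per-packet path is selected by the
    working mode attribute of the domain that owns the ingress interface."""

    # Link order as listed in step 103 of the description.
    LINKS = ["packet_inspection", "session_management", "rule_control",
             "routing", "protocol_inspection", "stream_reassembly",
             "attack_detection", "log_collection", "packet_sending"]
    # Links tied to packet transmission; skipped when the domain is in bypass mode.
    TRANSMISSION_LINKS = {"routing", "packet_sending"}

    def __init__(self, domains: List[SecurityDomain], cam_table: Dict[str, str]):
        self.iface_to_domain = {i: d for d in domains for i in d.interfaces}
        self.cam_table = cam_table  # constructed L2 switch address table: MAC -> port
        self.log: List[str] = []

    def mode_for(self, ingress: str) -> WorkMode:
        domain = self.iface_to_domain.get(ingress)
        if domain is None:
            raise ValueError(f"ingress {ingress!r} belongs to no security domain")
        return domain.mode

    def process(self, pkt: Packet) -> Packet:
        mode = self.mode_for(pkt.ingress)
        if mode is WorkMode.BYPASS:
            # A bypass deployment has no egress: pin egress to ingress so the
            # shared flow keeps a defined egress without ever sending.
            pkt.egress = pkt.ingress
        for link in self.LINKS:
            if mode is WorkMode.BYPASS and link in self.TRANSMISSION_LINKS:
                pkt.trace.append("skip:" + link)
                continue
            handler = getattr(self, "_" + link, None)
            if handler is None:
                pkt.trace.append(link)  # links with no mode-specific behaviour here
            else:
                handler(pkt, mode)
        return pkt

    # Links whose behaviour depends on the mode or on the egress interface.
    def _routing(self, pkt: Packet, mode: WorkMode) -> None:
        # Second egress-determination mode from the description: query the
        # Layer 2 switch address (CAM) table with the destination MAC.
        pkt.egress = self.cam_table.get(pkt.dst_mac)
        pkt.trace.append("routing")

    def _protocol_inspection(self, pkt: Packet, mode: WorkMode) -> None:
        pkt.trace.append("protocol_inspection")
        # Mirrored traffic may miss packets of a session, so the TCP state
        # machine check is skipped in bypass mode.
        pkt.trace.append("skip:tcp_state_machine" if mode is WorkMode.BYPASS
                         else "tcp_state_machine")

    def _log_collection(self, pkt: Packet, mode: WorkMode) -> None:
        self.log.append(f"{mode.value} {pkt.ingress}->{pkt.egress} {len(pkt.payload)}B")
        pkt.trace.append("log_collection")

    def _packet_sending(self, pkt: Packet, mode: WorkMode) -> None:
        if pkt.egress is None:
            raise ValueError("online packet has no egress interface")
        pkt.sent = True
        pkt.trace.append("packet_sending")


def demo() -> Dict[str, Packet]:
    """Constructed deployment: one bypass domain and one online domain."""
    ips = Ips(
        domains=[SecurityDomain("staff", WorkMode.BYPASS, {"eth0"}),
                 SecurityDomain("boss", WorkMode.ONLINE, {"eth1"})],
        cam_table={"02:00:00:00:00:09": "eth2"},  # constructed MAC -> port entry
    )
    mirrored = ips.process(Packet("eth0", "02:00:00:00:00:09", b"mirrored"))
    inline = ips.process(Packet("eth1", "02:00:00:00:00:09", b"inline"))
    return {"bypass": mirrored, "online": inline}
```

The two traces returned by demo() show the design point: the packet from the bypass domain passes through the same link list as the online packet, but records skip markers for routing, the TCP state machine check and packet sending, keeps egress equal to its ingress and is never marked as sent, while the online packet gets its egress from the CAM table and is forwarded.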
Further, when the attack detection link is executed, the direction of the data packet usually needs to be determined, where the direction indicates whether the data packet is being sent to a client or to a server. This is needed because the same computer terminal can act both as a client and as a server, and different data packet directions correspond to different attack detection strategies, which are also configured according to the user's settings; for example, some users enable only server attack detection, in which case no attack detection is performed on data packets in the client direction and attack detection is performed only on data packets in the server direction. In the prior art, the direction of a data packet in the detection flow of an IPS in online deployment mode is usually determined from the packet's ingress and egress; but in this embodiment the online detection flow and the bypass detection flow share one complete data packet detection flow, and in the bypass detection flow the ingress interface and the egress interface of the data packet are the same interface, so the prior-art method of determining direction cannot be used. The embodiment of the invention instead determines the direction of the data packet uniquely from the session quintuple corresponding to the data packet: one session quintuple identifies one session, and once the session is identified the direction of the packet within it can be determined. The session quintuple comprises the source Internet Protocol (IP) address, source port, destination IP address, destination port and transport layer protocol of the data packet.
It should be noted that the session quintuple is acquired in the session management link, and is stored after being acquired in the session management link, and is called when attack detection needs to be performed.
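The session-quintuple direction determination and the direction-dependent attack detection policy described above, as an added Python example; this is not code from the patent or from Neusoft. The SessionTable, Session, direction() and attack_detection() names, the placeholder byte patterns and the 10.0.0.x exchange in demo() are constructed assumptions; the patent states only that the quintuple is stored by the session management link and consulted by attack detection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
SessionKey = Tuple[Endpoint, Endpoint, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # transport layer protocol, e.g. "tcp"
    payload: bytes = b""


@dataclass
class Session:
    client: Endpoint      # endpoint that sent the first packet of the session
    server: Endpoint
    proto: str


class SessionTable:
    """Session management link: one entry per session quintuple, created on the
    first packet seen and reused when attack detection needs the direction."""

    def __init__(self) -> None:
        self._sessions: Dict[SessionKey, Session] = {}

    @staticmethod
    def key(p: Packet) -> SessionKey:
        # Both directions of a session must map to the same entry, so the two
        # endpoints are ordered before being used as the key.
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        lo, hi = (a, b) if a <= b else (b, a)
        return (lo, hi, p.proto)

    def lookup_or_create(self, p: Packet) -> Session:
        k = self.key(p)
        if k not in self._sessions:
            self._sessions[k] = Session(client=(p.src_ip, p.src_port),
                                        server=(p.dst_ip, p.dst_port),
                                        proto=p.proto)
        return self._sessions[k]


def direction(sess: Session, p: Packet) -> str:
    """'to_server' when the packet travels client -> server, else 'to_client'."""
    return "to_server" if (p.src_ip, p.src_port) == sess.client else "to_client"


# Constructed operator policy matching the description's example: only
# server-side attack detection is enabled. Patterns are placeholders only.
DETECT_DIRECTION = {"to_server": True, "to_client": False}
PATTERNS = {"to_server": [b"PLACEHOLDER-SERVER-PATTERN"],
            "to_client": [b"PLACEHOLDER-CLIENT-PATTERN"]}


def attack_detection(table: SessionTable, p: Packet) -> Tuple[str, Optional[str]]:
    """Attack detection link: choose the policy by packet direction and return
    (direction, matched pattern or None)."""
    d = direction(table.lookup_or_create(p), p)
    if not DETECT_DIRECTION[d]:
        return d, None          # detection disabled for this direction
    for pat in PATTERNS[d]:
        if pat in p.payload:
            return d, pat.decode()
    return d, None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed client/server exchange; returns the per-packet results."""
    table = SessionTable()
    request = Packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp",
                     b"GET / PLACEHOLDER-SERVER-PATTERN")
    reply = Packet("10.0.0.9", 80, "10.0.0.5", 40000, "tcp",
                   b"200 OK PLACEHOLDER-CLIENT-PATTERN")
    return [attack_detection(table, request), attack_detection(table, reply)]
```

Because the key is built from the ordered endpoint pair, the reply maps to the same session as the request and is classified as travelling to the client, where the constructed policy performs no detection, even though in bypass mode both packets arrive on the same interface and carry the same egress. The limitation the description itself mentions applies here: a bypass deployment may not see every packet, so if the first packet observed is the server's reply the client/server assignment inverts; a production implementation would confirm the roles from the transport handshake whenever it is visible.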
Further, in practical application, where IPS deployment must pass successively through the bypass deployment mode and then the online deployment mode, the performance difference between the two modes is small, because the bypass detection flow corresponding to the bypass deployment mode and the online detection flow corresponding to the online deployment mode share one data packet detection flow. In the prior art the two IPS deployment modes are developed and designed independently, so IPS performance may differ considerably between them, and after switching the deployment from bypass mode to online mode continuous debugging is required. In summary, because the bypass detection flow and the online detection flow use the same data packet detection flow, later debugging work is reduced and work efficiency is improved.
Further, as an implementation of the foregoing embodiments, another embodiment of the present invention provides a data detection apparatus configured to implement the method of FIG. 1. As shown in FIG. 2, the apparatus includes an attribute acquisition unit 21, a flow determination unit 22, a first execution unit 23 and a second execution unit 24.
The attribute acquisition unit 21 is configured to acquire the working mode attribute of the security domain to which a data packet ingress interface belongs, where the working mode attribute is either an online working mode or a bypass working mode, and the data packet ingress interface is a network port through which the intrusion prevention system (IPS) receives data packets.
Before the working mode attribute of the security domain to which the data packet ingress interface belongs can be obtained, security domains need to be divided. Different computer terminals are connected to the IPS through different interfaces, so security domains are divided according to the user level of the computer terminal: for example, a staff security domain and a boss security domain may be defined, where the boss security domain has a higher detection level and the staff security domain a lower one. Different detection levels correspond to different depths of the packet detection strategy, which is why security domains usually need to be partitioned. The interface of the IPS to which a computer terminal is connected is the data packet ingress interface, i.e., the network port through which the IPS receives data packets.
The working mode attributes of the security domain comprise an online working mode and a bypass working mode, and different working mode attributes are freely selected by a user when the security domain is created.
The process determining unit 22 is configured to determine, after receiving the data packet, a detection process of the data packet according to the working mode attribute of the corresponding security domain.
Different working mode attributes correspond to different data packet detection processes, so after the IPS receives a data packet, the IPS needs to select a corresponding detection process for detecting the data packet according to the working mode attribute of the corresponding security domain.
The first execution unit 23 is configured to execute the online detection process if the working mode attribute is the online working mode.
It should be noted that the IPS contains only one complete data packet detection flow; the online detection flow and the bypass detection flow described below are each composed of all or part of the links of that complete flow. The complete data packet detection flow consists of the following links, executed in this order: data packet inspection, session management, rule control, routing, protocol inspection, data stream reassembly, attack detection, log collection and data packet sending.
Specifically, in this embodiment, the online detection process is composed of all links in the complete data packet detection process.
The second execution unit 24 is configured to execute the bypass detection process if the working mode attribute is the bypass working mode.
In this embodiment, the bypass detection process is composed of a subset of the links of the complete IPS data packet detection flow, namely all detection links other than those related to data packet transmission.
Further, as shown in fig. 3, the second execution unit 24 includes:
a determining module 241, configured to determine the working mode attribute of the security domain corresponding to a data packet before a link related to data packet sending is executed, where the links related to data packet sending include the routing link and the data packet sending link;
and an executing module 242, configured to skip to the link that follows the sending-related link if the working mode attribute is the bypass working mode.
Further, as shown in fig. 3, the apparatus further includes:
a bypass egress setting unit 25, configured to set the egress interface equal to the ingress interface when the bypass detection process is executed;
and an online egress determining unit 26, configured to determine the egress interface of the data packet, either by routing or by querying the CAM table of the Layer 2 switch, when the online detection process is executed, so that the data packet is sent out from that egress interface.
Generally, in the online detection process both the ingress interface and the egress interface of a packet need to be determined, whereas in the bypass detection process only the ingress interface needs to be determined. In this embodiment the bypass detection flow and the online detection flow share one complete data packet detection flow, so in order to satisfy both flows and keep the egress-interface handling reusable, the egress interface of a data packet is set equal to its ingress interface when the bypass detection flow is executed. This guarantees that the data packet is never sent out in the bypass detection flow and does not affect how the egress interface is determined in the online detection flow. Specifically, in the online detection process the egress interface of the data packet may be determined in the routing link, in one of two ways: in the first, the egress interface is determined by the routing function program and the neighbour function program of the routing link; in the second, it is determined from the CAM table (the Layer 2 switch address table) included in the routing link, which records the correspondence between the MAC address associated with the data packet and the egress interface of the data packet, so that the egress interface can be found by querying the CAM table.
Further, as shown in fig. 3, the apparatus further includes:
a quintuple obtaining unit 27, configured to obtain a session quintuple corresponding to the data packet, where the session quintuple includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol;
a direction determining unit 28, configured to determine, when the attack detection link is executed, the direction of the data packet according to its session quintuple, where the direction indicates whether the data packet is being sent to a client or to a server;
and a policy determining unit 29, configured to determine an attack detection policy in the attack detection link according to the direction of the data packet.
When the attack detection link is executed, the direction of the data packet usually needs to be determined, where the direction indicates whether the data packet is being sent to a client or to a server. This is needed because the same computer terminal can act both as a client and as a server, and different data packet directions correspond to different attack detection strategies, which are also configured according to the user's settings; for example, some users enable only server attack detection, in which case no attack detection is performed on data packets in the client direction and attack detection is performed only on data packets in the server direction. In the prior art, the direction of a data packet in the detection flow of an IPS in online deployment mode is usually determined from the packet's ingress and egress; but in this embodiment the online detection flow and the bypass detection flow share one complete data packet detection flow, and in the bypass detection flow the ingress interface and the egress interface of the data packet are the same interface, so the prior-art method of determining direction cannot be used. The embodiment of the invention instead determines the direction of the data packet uniquely from the session quintuple corresponding to the data packet: one session quintuple identifies one session, and once the session is identified the direction of the packet within it can be determined. The session quintuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol of the data packet.
It should be noted that the session quintuple is acquired in the session management link, and is stored after being acquired in the session management link, and is called when attack detection needs to be performed.
Further, as shown in fig. 3, the second execution unit 24 includes:
the determining module 241 is further configured to determine a working mode attribute of a security domain corresponding to the data packet before performing TCP state machine inspection in the protocol inspection link;
the executing module 242 is further configured to not execute the TCP state machine check if the operating mode attribute is the bypass operating mode.
Besides not executing the detection links related to data packet sending, the bypass detection process also cannot execute the TCP state machine check in the protocol check link: because the bypass detection process does not receive all data packets, the interaction of a complete session cannot be obtained, so the TCP state machine check cannot be performed.
The data detection device provided by the embodiment of the invention can firstly acquire the working mode attributes of the security domain to which the data packet inlet interface belongs, wherein the working mode attributes comprise an online working mode and a bypass working mode; secondly, determining a detection process of the data packet according to the working mode attribute of the security domain corresponding to the data packet; if the working mode attribute is an online working mode, executing an online detection process; and if the working mode attribute is the bypass working mode, executing a bypass detection process. Compared with the prior art, the data packet detection process of the embodiment of the invention can be controlled by the working mode attribute of the security domain corresponding to the data packet, and one set of IPS can support both an online detection mode and a bypass detection mode, so that one set of IPS can be deployed in both the online mode and the bypass mode, and the development cost is greatly reduced compared with the existing IPS for developing two sets of different deployment modes.
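As an added illustration (not code from the patent or from Neusoft), the following Python sketch models the flow described above: the working mode attribute of the security domain selects whether the routing/sending links and the TCP state machine check run, the bypass flow sets the outlet interface to the inlet interface, and the packet direction is derived from the stored session quintuple rather than from the interfaces. The class and field names (Mode, Packet, Ips) and the sample interfaces and addresses are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ONLINE = "online"  # inline deployment: every link of the complete flow runs
    BYPASS = "bypass"  # mirror/SPAN deployment: only a subset of the links runs


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ingress: str  # inlet interface (network port) the IPS received it on


@dataclass
class Ips:
    domain_mode: dict   # security domain -> Mode (working mode attribute)
    iface_domain: dict  # inlet interface -> security domain it belongs to
    routes: dict        # dst_ip -> outlet interface, used by the online flow only
    # session management link: normalized quintuple -> (ip, port) of the initiator
    sessions: dict = field(default_factory=dict)

    def mode_for(self, pkt):
        return self.domain_mode[self.iface_domain[pkt.ingress]]

    @staticmethod
    def session_key(pkt):
        # order the two endpoints so both directions map to the same session
        a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        return (min(a, b), max(a, b), pkt.proto)

    def direction(self, pkt):
        # derived from the stored session quintuple, not from inlet/outlet interfaces,
        # which are the same interface in the bypass flow and so carry no information
        initiator = self.sessions[self.session_key(pkt)]
        return "to_server" if (pkt.src_ip, pkt.src_port) == initiator else "to_client"

    def process(self, pkt, policy):
        """Run the detection flow; policy maps a direction to whether it is inspected."""
        mode = self.mode_for(pkt)
        links = ["session_management"]
        # the first packet seen for a session records its initiator (the client side)
        self.sessions.setdefault(self.session_key(pkt), (pkt.src_ip, pkt.src_port))
        # protocol check link: the TCP state machine needs the whole exchange,
        # which only the inline flow sees, so the bypass flow skips it
        if mode is Mode.ONLINE and pkt.proto == "tcp":
            links.append("tcp_state_machine")
        links.append("protocol_check")
        d = self.direction(pkt)
        if policy.get(d, False):
            links.append("attack_detection:" + d)
        if mode is Mode.ONLINE:
            egress = self.routes[pkt.dst_ip]  # routing link, then sending link
            links += ["routing", "send"]
        else:
            egress = pkt.ingress              # bypass: outlet interface = inlet interface
        return {"mode": mode.value, "direction": d, "egress": egress, "links": links}
```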
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above are referred to one another. In addition, "first", "second", and the like in the above embodiments are for distinguishing the embodiments, and do not represent merits of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the apparatus of the invention (e.g., a data detection device) according to an embodiment of the invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera does not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. A method of data detection, the method comprising:
acquiring working mode attributes of a security domain to which a data packet inlet interface belongs, wherein the working mode attributes comprise an online working mode and a bypass working mode, and the data packet inlet interface is a network port for receiving a data packet by an intrusion prevention system IPS;
after receiving the data packet, determining a detection process of the data packet according to the working mode attribute of the corresponding security domain;
if the working mode attribute is an online working mode, executing an online detection process;
if the working mode attribute is a bypass working mode, executing a bypass detection process;
the on-line detection process is composed of all links in the complete data packet detection process, and the bypass detection process is composed of part of links in the complete data packet detection process.
2. The method of claim 1, wherein the performing a bypass detection procedure comprises:
before executing links related to data packet sending, judging the working mode attribute of a security domain corresponding to the data packet, wherein the links related to the data packet sending comprise a routing link and a data packet sending link;
and if the working mode attribute is the bypass working mode, executing the next link of the links relevant to the data packet sending.
3. The method of claim 1, further comprising:
setting an outlet interface as an inlet interface when a bypass detection flow is executed;
and when the online detection process is executed, determining an outlet interface of the data packet according to a routing mode or by querying the CAM table of a layer-2 switch, so that the data packet is sent out from the outlet interface.
4. The method of claim 1, further comprising:
acquiring a session five-tuple corresponding to the data packet, wherein the session five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
when an attack detection link is executed, determining the direction of the data packet according to the session quintuple corresponding to the data packet, wherein the direction of the data packet represents whether the sending direction of the data packet is a client or a server;
and determining an attack detection strategy in an attack detection link according to the direction of the data packet.
5. The method of claim 1, wherein the performing a bypass detection procedure comprises:
before executing the Transmission Control Protocol (TCP) state machine check in a protocol check link, judging the working mode attribute of a security domain corresponding to the data packet;
if the working mode attribute is the bypass working mode, the TCP state machine check is not executed.
6. An apparatus for data detection, the apparatus comprising:
an attribute acquisition unit, used for acquiring working mode attributes of a security domain to which a data packet inlet interface belongs, wherein the working mode attributes comprise an online working mode and a bypass working mode, and the data packet inlet interface is a network port for receiving a data packet by an intrusion prevention system IPS;
the flow determining unit is used for determining the detection flow of the data packet according to the working mode attribute of the corresponding security domain after receiving the data packet;
the first execution unit is used for executing the online detection process if the working mode attribute is the online working mode;
the second execution unit is used for executing the bypass detection process if the working mode attribute is the bypass working mode;
the on-line detection process is composed of all links in the complete data packet detection process, and the bypass detection process is composed of part of links in the complete data packet detection process.
7. The apparatus of claim 6, wherein the second execution unit comprises:
a judging module, used for judging the working mode attribute of a security domain corresponding to a data packet before executing links related to data packet sending, wherein the links related to data packet sending comprise a routing link and a data packet sending link;
and the execution module is used for executing the next link of the links related to the data packet sending if the attribute of the working mode is the bypass working mode.
8. The apparatus of claim 6, further comprising:
the bypass outlet setting unit is used for setting an outlet interface as an inlet interface when a bypass detection flow is executed;
and an online outlet determining unit, used for determining an outlet interface of the data packet according to a routing mode or by querying the CAM table of a layer-2 switch when an online detection process is executed, so that the data packet is sent out from the outlet interface.
9. The apparatus of claim 6, further comprising:
a quintuple obtaining unit, configured to obtain a session quintuple corresponding to the data packet, where the session quintuple includes a source Internet Protocol (IP) address, a source port, a destination IP address, a destination port, and a transport layer protocol;
a direction determining unit, used for determining the direction of the data packet according to the session quintuple corresponding to the data packet when an attack detection link is executed, wherein the direction of the data packet indicates whether the sending direction of the data packet is a client or a server;
and the strategy determining unit is used for determining an attack detection strategy in an attack detection link according to the direction of the data packet.
10. The apparatus of claim 7, wherein the second execution unit comprises:
the judging module is further configured to judge a working mode attribute of a security domain corresponding to the data packet before performing TCP state machine inspection in a protocol inspection link;
and the execution module is also used for not executing the check of the TCP state machine if the attribute of the working mode is the bypass working mode.
CN201610837999.4A 2016-09-21 2016-09-21 Data detection method and device Active CN106375330B (en)

Publications (2)

Publication Number Publication Date
CN106375330A CN106375330A (en) 2017-02-01
CN106375330B true CN106375330B (en) 2020-01-17

Family

ID=57897905


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant