CN106790313A - Intrusion prevention method and device - Google Patents

Intrusion prevention method and device

Info

Publication number: CN106790313A
Application number: CN201710210829.8A
Authority: CN (China)
Prior art keywords: message, feature, blacklist, white list, classification
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 左虹
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201710210829.8A
Publication of CN106790313A

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or protocols for network security)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227, filtering policies; H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/0245 Filtering by information in the payload (under H04L63/0227, filtering policies; H04L63/02, separating internal from external traffic, e.g. firewalls)


Abstract

The application provides an intrusion prevention method and device. The method includes: receiving a packet and obtaining features from the packet; if a feature of the packet exists in a blacklist, intercepting the packet; if a feature of the packet exists in a whitelist, forwarding the packet; if no feature of the packet exists in the blacklist or the whitelist, using an IPS feature database to judge whether the packet is an attack packet and performing the corresponding defense operation according to the judgment result. The blacklist records the features of packets that need to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and the features contained in the whitelist are present in the IPS feature database. The method avoids the false alarms and wrongful interceptions that result from judging whether a packet is an attack packet with a fixed IPS feature database alone.

Description

Intrusion prevention method and device
Technical field
This application relates to the field of communication technology, and in particular to an intrusion prevention method and device.
Background technology
As Internet applications keep growing in number and scale, network environments become ever more complex and the frequency and sophistication of network intrusions keep rising, so intranets face a severe test. To protect the security of data inside the network and guard against the many unknown attacks that may come from inside or outside it, an Intrusion Prevention System (IPS) device can be deployed at the entrance of a server farm or at the network edge. An IPS device has to defend against a large volume of network attacks every day, and to make it easier to analyze and improve the state of the network, the information about these attacks is recorded in the form of alarm logs. For example, an IPS feature database containing attack features can be preset in the IPS device, and the IPS device uses it to judge whether a packet is an attack packet: if the packet is an attack packet, the corresponding defense operation is performed and an alarm log is generated; if the packet is not an attack packet, no alarm log is generated and the packet is forwarded.
At present, when a packet is found to be an attack packet, it may be intercepted directly or an alarm may be raised. Evidently the defense policy may differ between application scenarios, so judging whether a packet is an attack packet with a fixed IPS feature database may intercept some packets that should be allowed through, or cause unnecessary false alarms.
Summary of the invention
To overcome the defect in the related art that judging whether a packet is an attack packet with a fixed IPS feature database causes false alarms or wrongful interception, this application provides an intrusion prevention method and device.
According to a first aspect of the embodiments of this application, an intrusion prevention method is provided, which includes:
receiving a packet and obtaining features from the packet;
if a feature of the packet exists in a blacklist, intercepting the packet;
if a feature of the packet exists in a whitelist, forwarding the packet;
if no feature of the packet exists in the blacklist or the whitelist, using an IPS feature database to judge whether the packet is an attack packet, and performing the corresponding defense operation according to the judgment result;
where the blacklist records the features of packets that need to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and the features contained in the whitelist are present in the IPS feature database.
Optionally, the method also includes:
if a feature of the packet exists in the blacklist/whitelist/feature database, classifying the generated alarm log into the corresponding blacklist category/whitelist category/gray-list category;
based on a pre-generated query control, querying the alarm logs corresponding to the blacklist category/whitelist category/gray-list category.
Optionally, the method also includes:
for alarm logs generated because a feature of the packet exists in the IPS feature database, if the generation frequency of the alarm log exceeds an assigned frequency, sending a prompt message to an associated user by a preset notification method, to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
Optionally, the features in the blacklist/whitelist include one or more of: the sending time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content.
Optionally, the method also includes:
configuring the blacklist or the whitelist based on a preset list configuration interface.
According to a second aspect of the embodiments of this application, an intrusion prevention device is provided, which includes:
a feature acquisition module, used to obtain features from a received packet;
a first defense module, used to intercept the packet if a feature of the packet exists in a blacklist;
a second defense module, used to forward the packet if a feature of the packet exists in a whitelist;
a third defense module, used, if no feature of the packet exists in the blacklist or the whitelist, to judge whether the packet is an attack packet using an IPS feature database, and to perform the corresponding defense operation according to the judgment result;
where the blacklist records the features of packets that need to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and the features contained in the whitelist are present in the IPS feature database.
Optionally, the device also includes:
a log classification module, used to classify the generated alarm log into the corresponding blacklist category/whitelist category/gray-list category if a feature of the packet exists in the blacklist/whitelist/feature database;
a log query module, used to query the alarm logs corresponding to the blacklist category/whitelist category/gray-list category based on a pre-generated query control.
Optionally, the device also includes:
an information notification module, used, for alarm logs generated because a feature of the packet exists in the IPS feature database, to send a prompt message to an associated user by a preset notification method if the generation frequency of the alarm log exceeds an assigned frequency, to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
Optionally, the features in the blacklist/whitelist include one or more of: the sending time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content.
Optionally, the device also includes:
a list configuration module, used to configure the blacklist or the whitelist based on a preset list configuration interface.
This application obtains features from the received packet: if a feature of the packet is in the blacklist, the packet is intercepted directly; if a feature of the packet is in the whitelist, the packet is forwarded directly; if no feature of the packet is in the blacklist or the whitelist, the IPS feature database is used to judge whether the packet is an attack packet and the corresponding defense operation is performed according to the judgment result. This avoids the defect of false alarms or wrongful interception caused by judging whether a packet is an attack packet with a fixed IPS feature database alone.
It should be understood that the general description above and the detailed description below are merely exemplary and explanatory, and do not limit this application.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this application and, together with the specification, serve to explain the principles of this application.
Fig. 1 is an application scenario diagram according to an exemplary embodiment of this application.
Fig. 2 is a flowchart of an intrusion prevention method according to an exemplary embodiment of this application.
Fig. 3 is a flowchart of another intrusion prevention method according to an exemplary embodiment of this application.
Fig. 4 is a block diagram of an intrusion prevention device according to an exemplary embodiment of this application.
Detailed description
Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of apparatus and methods consistent with some aspects of this application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit this application. The singular forms "a", "the" and "said" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms, which are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, the first information may also be called the second information, and similarly the second information may also be called the first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
IPS (Intrusion Prevention System) device: a device that controls the entry point of attack packets, detecting and defending against attacks and malicious behavior, so as to protect the accessed end. For example, an IPS feature database containing features can be preset in the IPS device, and the IPS device uses the IPS feature database to judge whether a packet is an attack packet: if the packet is an attack packet, the corresponding defense operation is performed and an alarm log is generated; if the packet is not an attack packet, no alarm log is generated and the packet is forwarded. Here a feature is a characteristic string extracted by capturing network traffic data and analyzing the captured packets layer by layer with various data mining methods. A large number of features combine into a feature database, and network intrusion prevention devices mainly use a preset IPS feature database.
Because defense policies may differ between application scenarios, judging whether a packet is an attack packet with a fixed IPS feature database may intercept some packets that should be allowed to be forwarded, or cause unnecessary false alarms. For example, some necessary applications inside an enterprise may be wrongly intercepted because their packets happen to match features in the IPS feature database. To avoid this situation, this application provides an intrusion prevention method, which is an optimization of the IPS device.
The method of this application can be applied in an IPS device. The IPS device can be deployed in a data center to resist attacks from the intranet and protect core servers and core data; it can be deployed at the wide area network boundary to resist attacks from branches and protect wide area network link bandwidth; it can be deployed at the external Internet boundary, in front of the firewall, to protect network infrastructure such as the firewall, finely control Internet egress bandwidth and prevent bandwidth abuse; it can be deployed between internal local area networks to suppress malicious intranet traffic and resist intranet attacks; and it can be deployed at other positions, which are not enumerated here.
For ease of understanding, this application provides an application scenario for illustration. As shown in Fig. 1, which is an application scenario diagram according to an exemplary embodiment of this application, a user terminal is connected to a server through an IPS device, and before the user accesses the data in the server, the IPS device detects and defends against the packets sent by the user terminal.
Next, the intrusion prevention method of this application is introduced. As shown in Fig. 2, which is a flowchart of an intrusion prevention method according to an exemplary embodiment of this application, the method includes the following steps 201 to 204:
In step 201, a packet is received and features are obtained from the packet.
In step 202, if a feature of the packet exists in the blacklist, the packet is intercepted.
In step 203, if a feature of the packet exists in the whitelist, the packet is forwarded.
In step 204, if no feature of the packet exists in the blacklist or the whitelist, the IPS feature database is used to judge whether the packet is an attack packet, and the corresponding defense operation is performed according to the judgment result.
In this embodiment, after a packet is received, its features are obtained and it is checked whether the blacklist or the whitelist contains a feature of the packet: if the blacklist contains a feature of the packet, the packet is intercepted; if the whitelist contains a feature of the packet, the packet is forwarded. As for the order of the blacklist and whitelist checks, the blacklist may be checked first and then the whitelist, or the whitelist first and then the blacklist; the order of the checks is not limited. If neither the blacklist nor the whitelist contains a feature of the packet, the IPS feature database is used to judge whether the packet is an attack packet, and the corresponding defense operation is performed according to the judgment result.
The blacklist records the features of packets that need to be intercepted, and these may include features of packets that are not present in the IPS feature database. The whitelist records the features of packets that are allowed to be forwarded, and the features contained in the whitelist are present in the IPS feature database.
It can be seen that common attack packets can be intercepted directly according to the blacklist, without the complex analysis of the IPS feature database, which achieves fast interception, and that packets which should be allowed are forwarded directly according to the whitelist, which effectively reduces otherwise unavoidable false alarms.
A feature is information about the packet, such as the sending time of the packet, the source address and port number of the packet, the destination address and port number of the packet, the packet protocol, the packet content, and so on. Correspondingly, the features in the blacklist/whitelist may include one or more of: the sending time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content. If a feature of the packet matches a feature in the blacklist, the packet is one that needs to be intercepted, and it is intercepted; if a feature of the packet matches a feature in the whitelist, the packet is one that is allowed to be forwarded, and it is forwarded. For example, if the sending time, source address and port number, destination address and port number, protocol and content of the packet are in the blacklist, the packet is intercepted.
It can be seen that whether to intercept or forward a packet can be decided according to its sending time, source address and port number, destination address and port number, protocol, sensitive characters and so on, which achieves fast detection and defense.
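As an added illustration (not code from the patent), the following Python matches a packet's features against blacklist/whitelist entries of the kinds listed above: a daily sending-time window, source and destination address ranges (CIDR) with port ranges, the protocol, and sensitive substrings in the content. The entry names, addresses and patterns are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Sequence

# Constructed example, not code from the patent. One blacklist or whitelist entry
# carries the feature kinds named above; a field left as None is a wildcard.
@dataclass
class ListEntry:
    name: str
    send_time: Optional[tuple[time, time]] = None   # daily window (start, end)
    src_net: Optional[str] = None                   # CIDR such as "10.0.0.0/8"
    src_ports: Optional[tuple[int, int]] = None     # inclusive port range
    dst_net: Optional[str] = None
    dst_ports: Optional[tuple[int, int]] = None
    protocol: Optional[str] = None                  # "tcp", "udp", ...
    sensitive: tuple[str, ...] = ()                 # substrings of the content


@dataclass
class PacketFeatures:
    """Features obtained from one received packet (the extraction itself is not shown)."""
    send_time: time
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    content: str


def _in_time_window(t: time, window: tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end        # window wraps past midnight


def _in_port_range(port: int, rng: tuple[int, int]) -> bool:
    low, high = rng
    return low <= port <= high


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def entry_matches(entry: ListEntry, pkt: PacketFeatures) -> bool:
    """Every field the entry specifies must agree with the packet."""
    return all([
        entry.send_time is None or _in_time_window(pkt.send_time, entry.send_time),
        entry.src_net is None or _in_net(pkt.src_ip, entry.src_net),
        entry.src_ports is None or _in_port_range(pkt.src_port, entry.src_ports),
        entry.dst_net is None or _in_net(pkt.dst_ip, entry.dst_net),
        entry.dst_ports is None or _in_port_range(pkt.dst_port, entry.dst_ports),
        entry.protocol is None or pkt.protocol.lower() == entry.protocol.lower(),
        not entry.sensitive or any(s in pkt.content for s in entry.sensitive),
    ])


def lookup(entries: Sequence[ListEntry], pkt: PacketFeatures) -> Optional[str]:
    """Name of the first matching entry, or None when the list has no match."""
    for entry in entries:
        if entry_matches(entry, pkt):
            return entry.name
    return None


# Constructed sample lists: names, addresses and patterns are illustrative only.
BLACKLIST = [
    ListEntry("after-hours-telnet", send_time=(time(22, 0), time(6, 0)),
              protocol="tcp", dst_ports=(23, 23)),
    ListEntry("traversal-in-http", protocol="tcp", dst_ports=(80, 80),
              sensitive=("../", "/etc/passwd")),
]
WHITELIST = [
    ListEntry("internal-erp", src_net="10.10.0.0/16", dst_net="10.20.0.5/32",
              dst_ports=(8080, 8080), protocol="tcp"),
]

# Constructed sample packets exercising the time window, the content check and the CIDR check.
SAMPLE_PACKETS = {
    "telnet-at-night": PacketFeatures(time(23, 30), "192.0.2.7", 51000, "10.20.0.9", 23, "tcp", ""),
    "telnet-at-noon": PacketFeatures(time(12, 0), "192.0.2.7", 51000, "10.20.0.9", 23, "tcp", ""),
    "http-traversal": PacketFeatures(time(12, 0), "198.51.100.4", 40000, "10.20.0.9", 80, "tcp",
                                     "GET /../../etc/passwd HTTP/1.1"),
    "erp-request": PacketFeatures(time(9, 0), "10.10.3.4", 40001, "10.20.0.5", 8080, "TCP", "POST /erp"),
}


def run_samples() -> dict[str, tuple[Optional[str], Optional[str]]]:
    """For each sample packet: (matching blacklist entry, matching whitelist entry)."""
    return {name: (lookup(BLACKLIST, p), lookup(WHITELIST, p))
            for name, p in SAMPLE_PACKETS.items()}
```

Note that the telnet entry matches at 23:30 but not at noon because its time window wraps past midnight, which is the case a naive start <= t <= end comparison gets wrong.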
In one example, the blacklist or the whitelist can be configured based on a preset list configuration interface. For instance, the features of some common attack packets are recorded in the blacklist, and the features of packets belonging to internal enterprise applications or to some known safe applications are listed in the whitelist.
It can be seen that configuring the lists through the list configuration interface makes the blacklist and whitelist controllable.
Further, the features of a packet can be detected separately by three kinds of engines. For example, a preset blacklist detection engine detects whether a feature of the packet is in the blacklist, a preset whitelist detection engine detects whether a feature of the packet is in the whitelist, and if no feature of the packet exists in the blacklist or the whitelist, a gray-list detection engine detects whether the packet is an attack packet based on the IPS feature database.
It can be seen that detecting the features of a packet separately with three kinds of engines can improve detection efficiency.
In an optional implementation, if a feature of the packet exists in the blacklist, that is, when a feature of the packet matches a feature in the blacklist, an alarm log is generated and classified into the corresponding blacklist category; if a feature of the packet exists in the whitelist, that is, when a feature of the packet matches a feature in the whitelist, an alarm log is generated and classified into the corresponding whitelist category; if a feature of the packet exists in the IPS feature database, that is, when a feature of the packet matches a feature in the IPS feature database, an alarm log is generated and classified into the corresponding gray-list category.
In one example, the alarm logs of the blacklist category, the whitelist category and the gray-list category can be displayed separately, which makes them easy for the user to check.
Further, based on a pre-generated query control, the alarm logs corresponding to the blacklist category/whitelist category/gray-list category can be queried.
It can be seen that storing the different alarm logs by category, and querying the alarm logs of the blacklist category/whitelist category/gray-list category through the pre-generated query control, achieves classified management of alarm logs, improves query efficiency, effectively reduces maintenance difficulty, and brings convenience to the user.
In one example, for alarm logs generated because a feature of the packet exists in the IPS feature database, if the generation frequency of the alarm log exceeds an assigned frequency, a prompt message is sent to an associated user by a preset notification method, to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
For alarm logs of the gray-list category, the generation frequency of the alarm log can be recorded, and when the generation frequency of the alarm log exceeds the assigned frequency, the associated user is prompted by the preset notification method that the packet corresponding to the alarm log may be an attack packet, so that the associated user can take measures in time. For example, when the generation frequency of the alarm log exceeds the assigned frequency, a prompt is sent to the administrator by SMS or e-mail; after receiving the prompt message, the administrator can move the feature from the gray list into the whitelist or the blacklist according to the actual situation.
It can be seen that for common attacks, when the generation frequency of alarm logs reaches the assigned frequency, a prompt message is sent to the associated user, who can then take measures in time.
The technical features of the above embodiments can be combined arbitrarily, as long as there is no conflict or contradiction between them; for reasons of space they are not described one by one, but any combination of the technical features of the above embodiments falls within the scope of this disclosure.
This application describes one such combination as an illustration. As shown in Fig. 3, which is a flowchart of another intrusion prevention method according to an exemplary embodiment of this application, the method includes the following steps:
In step 301, a packet is received and features are obtained from the packet.
In step 302, the packet is matched against the blacklist; if a feature of the packet exists in the blacklist, proceed to step 303, otherwise proceed to step 304.
In step 303, the packet is intercepted, an alarm log is generated, and the generated alarm log is classified into the corresponding blacklist category and displayed.
In step 304, the packet is matched against the whitelist; if a feature of the packet exists in the whitelist, proceed to step 305, otherwise proceed to step 306.
In step 305, the packet is forwarded, an alarm log is generated, and the generated alarm log is classified into the corresponding whitelist category and displayed.
In step 306, the IPS feature database is used to judge whether the packet is an attack packet and the corresponding defense operation is performed according to the judgment result; if the packet is an attack packet, an alarm log is generated, and the generated alarm log is classified into the corresponding gray-list category and displayed.
In step 307, if the generation frequency of the alarm logs of a given packet in the gray-list category exceeds the assigned frequency, a prompt message is sent to the associated user by the preset notification method, to prompt the associated user to add the feature of the packet to the blacklist/whitelist.
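The following Python is an added example of steps 301 to 307 and is not the patent's own code: the three engines are checked in blacklist, whitelist, IPS-feature-database order, alarm logs are stored and queried by category, and a gray-list frequency check prompts the associated user once the alarms for one feature exceed an assigned count inside a time window. The sliding window, prompting once per feature, interception as the gray-list defense operation, and the feature tuples and traffic are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

# Constructed example, not code from the patent. A packet "feature" is any
# hashable value; here a (protocol, destination port, content keyword) tuple
# produced by a feature-extraction step that is not shown. List membership is a
# plain set lookup so that the control flow of steps 301 to 307 stays in view.
Feature = Tuple[str, int, str]


@dataclass
class AlarmLog:
    category: str      # "blacklist", "whitelist" or "graylist"
    feature: Feature
    action: str        # "intercept" or "forward"
    timestamp: float


class IntrusionPreventionDevice:
    def __init__(self, blacklist, whitelist, ips_features, max_alarms: int,
                 window: float, notify: Callable[[Feature, int], None]):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)        # per the patent, drawn from the IPS feature database
        self.ips_features = set(ips_features)  # the preset IPS feature database
        self.max_alarms = max_alarms           # the "assigned frequency" ...
        self.window = window                   # ... counted over this many seconds (assumption)
        self.notify = notify                   # SMS or e-mail in the patent; a callback here
        self.logs: List[AlarmLog] = []
        self._gray_times: Dict[Feature, Deque[float]] = defaultdict(deque)
        self._notified = set()

    def handle(self, feature: Feature, ts: float) -> str:
        """Steps 302 to 307 for one packet; returns the action taken."""
        if feature in self.blacklist:                       # blacklist engine (303)
            self.logs.append(AlarmLog("blacklist", feature, "intercept", ts))
            return "intercept"
        if feature in self.whitelist:                       # whitelist engine (305)
            self.logs.append(AlarmLog("whitelist", feature, "forward", ts))
            return "forward"
        if feature in self.ips_features:                    # gray-list engine (306)
            # The patent leaves the defense operation open; interception is assumed here.
            self.logs.append(AlarmLog("graylist", feature, "intercept", ts))
            self._count_gray_alarm(feature, ts)             # step 307
            return "intercept"
        return "forward"                                    # not an attack: no alarm log

    def _count_gray_alarm(self, feature: Feature, ts: float) -> None:
        times = self._gray_times[feature]
        times.append(ts)
        while times and ts - times[0] > self.window:        # forget alarms outside the window
            times.popleft()
        if len(times) > self.max_alarms and feature not in self._notified:
            self._notified.add(feature)                     # prompt once per feature
            self.notify(feature, len(times))

    def query(self, category: str) -> List[AlarmLog]:
        """The pre-generated query control: alarm logs of one category only."""
        return [log for log in self.logs if log.category == category]

    def adjust(self, feature: Feature, target: str) -> None:
        """The administrator moves a gray-list feature into the blacklist or the whitelist."""
        if target not in ("blacklist", "whitelist"):
            raise ValueError(target)
        (self.blacklist if target == "blacklist" else self.whitelist).add(feature)
        (self.whitelist if target == "blacklist" else self.blacklist).discard(feature)
        self._gray_times.pop(feature, None)
        self._notified.discard(feature)


def run_demo():
    """Constructed traffic; returns (decisions, notifications, alarm counts per category)."""
    notified: List[Tuple[Feature, int]] = []
    dev = IntrusionPreventionDevice(
        blacklist={("tcp", 23, "")},
        whitelist={("tcp", 8080, "internal-app")},
        ips_features={("tcp", 8080, "internal-app"), ("tcp", 80, "etc/passwd")},
        max_alarms=2, window=60.0,
        notify=lambda f, n: notified.append((f, n)))
    stream = [
        (("tcp", 23, ""), 0.0),                  # blacklisted: fast interception
        (("tcp", 8080, "internal-app"), 1.0),    # whitelisted although the IPS feature matches
        (("tcp", 443, ""), 2.0),                 # in no list and no feature match: forwarded
        (("tcp", 80, "etc/passwd"), 3.0),        # IPS feature match: gray-list alarm
        (("tcp", 80, "etc/passwd"), 4.0),
        (("tcp", 80, "etc/passwd"), 5.0),        # third alarm inside the window: notify
    ]
    decisions = [dev.handle(f, ts) for f, ts in stream]
    dev.adjust(("tcp", 80, "etc/passwd"), "blacklist")   # administrator acts on the prompt
    decisions.append(dev.handle(("tcp", 80, "etc/passwd"), 6.0))
    counts = {c: len(dev.query(c)) for c in ("blacklist", "whitelist", "graylist")}
    return decisions, notified, counts
```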
As seen from the above embodiment, this embodiment not only avoids the defect in the related art that judging whether a packet is an attack packet with a fixed IPS feature database causes false alarms or wrongful interception, but also manages alarm logs by category, which effectively reduces the difficulty of log maintenance and brings convenience to the user; and when the generation frequency of the alarm logs of a given packet in the gray-list category exceeds the assigned frequency, a prompt message is sent to the associated user by the preset notification method, which effectively reduces potential safety hazards.
Corresponding to the foregoing embodiments of the intrusion prevention method, this application also provides embodiments of an intrusion prevention device.
As shown in Fig. 4, which is a block diagram of an intrusion prevention device according to an exemplary embodiment of this application, the device includes: a feature acquisition module 410, a first defense module 420, a second defense module 430 and a third defense module 440.
The feature acquisition module 410 is used to obtain features from a received packet;
the first defense module 420 is used to intercept the packet if a feature of the packet exists in the blacklist;
the second defense module 430 is used to forward the packet if a feature of the packet exists in the whitelist;
the third defense module 440 is used, if no feature of the packet exists in the blacklist or the whitelist, to judge whether the packet is an attack packet using the IPS feature database, and to perform the corresponding defense operation according to the judgment result;
where the blacklist records the features of packets that need to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and the features contained in the whitelist are present in the IPS feature database.
In an optional implementation, the device also includes:
a log classification module, used to classify the generated alarm log into the corresponding blacklist category/whitelist category/gray-list category if a feature of the packet exists in the blacklist/whitelist/feature database;
a log query module, used to query the alarm logs corresponding to the blacklist category/whitelist category/gray-list category based on a pre-generated query control.
In an optional implementation, the device also includes:
an information notification module, used, for alarm logs generated because a feature of the packet exists in the IPS feature database, to send a prompt message to an associated user by a preset notification method if the generation frequency of the alarm log exceeds an assigned frequency, to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
In an optional implementation, the features in the blacklist/whitelist include one or more of: the sending time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content.
In an optional implementation, the device also includes:
a list configuration module, used to configure the blacklist or the whitelist based on a preset list configuration interface.
The specific details of how the functions and effects of each module in the above device are implemented can be found in the implementation of the corresponding steps of the above method, and are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts can be found in the description of the method embodiments. The device embodiments described above are merely schematic: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over several network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application, which those of ordinary skill in the art can understand and implement without creative effort.
Other embodiments of this application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include common knowledge or conventional techniques in the art not disclosed in this application. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of this application are indicated by the following claims.
It should be understood that this application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.
The foregoing is merely the preferred embodiment of this application and is not intended to limit it; any modification, equivalent substitution, improvement and so on made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (10)

1. An intrusion prevention method, characterized in that the method comprises:
receiving a packet and obtaining a feature from the packet;
if the feature of the packet exists in a blacklist, intercepting the packet;
if the feature of the packet exists in a whitelist, forwarding the packet;
if the feature of the packet exists in neither the blacklist nor the whitelist, using an IPS signature database to judge whether the packet is an attack packet, and performing the corresponding defence operation according to the judgement result;
wherein the blacklist records the features of packets that are to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and every feature contained in the whitelist is also present in the IPS signature database.
2. The method according to claim 1, characterized in that the method further comprises:
if the feature of the packet exists in the blacklist/whitelist/signature database, classifying the generated alarm log into the corresponding blacklist category/whitelist category/grey-list category;
based on a pre-generated query control, querying the alarm logs corresponding to the blacklist category/whitelist category/grey-list category.
3. The method according to claim 1, characterized in that the method further comprises:
for an alarm log generated because the feature of the packet exists in the IPS signature database, if the generation frequency of that alarm log exceeds a specified frequency, sending a prompt message to the associated user in a preset notification manner, so as to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
4. The method according to claim 1, characterized in that the features in the blacklist/whitelist comprise one or more of: the transmission time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
configuring the blacklist or the whitelist through a preset list configuration interface.
6. An intrusion prevention device, characterized in that the device comprises:
a feature acquisition module, for obtaining a feature from a received packet;
a first defence module, for intercepting the packet if the feature of the packet exists in a blacklist;
a second defence module, for forwarding the packet if the feature of the packet exists in a whitelist;
a third defence module, for using an IPS signature database to judge whether the packet is an attack packet if the feature of the packet exists in neither the blacklist nor the whitelist, and performing the corresponding defence operation according to the judgement result;
wherein the blacklist records the features of packets that are to be intercepted, the whitelist records the features of packets that are allowed to be forwarded, and every feature contained in the whitelist is also present in the IPS signature database.
7. The device according to claim 6, characterized in that the device further comprises:
a log classification module, for classifying the generated alarm log into the corresponding blacklist category/whitelist category/grey-list category if the feature of the packet exists in the blacklist/whitelist/signature database;
a log query module, for querying, based on a pre-generated query control, the alarm logs corresponding to the blacklist category/whitelist category/grey-list category.
8. The device according to claim 6, characterized in that the device further comprises:
an information notification module, for an alarm log generated because the feature of the packet exists in the IPS signature database, sending a prompt message to the associated user in a preset notification manner if the generation frequency of that alarm log exceeds a specified frequency, so as to prompt the associated user to add the feature of the packet to the blacklist or the whitelist.
9. The device according to claim 6, characterized in that the features in the blacklist/whitelist comprise one or more of: the transmission time range of the packet, the source address range and port number of the packet, the destination address range and port number of the packet, the packet protocol, and sensitive characters in the packet content.
10. The device according to any one of claims 6 to 9, characterized in that the device further comprises:
a list configuration module, for configuring the blacklist or the whitelist through a preset list configuration interface.
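The decision chain of claims 1 to 4 (blacklist first, then whitelist, then IPS signature database), the log categories of claim 2 and the alarm-frequency prompt of claim 3 can be reduced to a small engine. The following is an added example written for this page; it is not code from the patent or from the applicant. The class and field names (Packet, ListEntry, Engine, the SIG-* identifiers), the sliding-window alarm counter, the fixed threshold and every packet and list entry are assumptions or constructed sample data. The one constraint lifted directly from claim 1, that every whitelist feature must also be an IPS signature, is enforced in Engine.__post_init__, because without it a whitelist entry keyed only on a source range would exempt that range from signature inspection entirely.

```python
"""Added example (not the patent's code): blacklist -> whitelist -> IPS signature
decision chain, grey-list alarm counting and the "add to a list" prompt.
Every packet, list entry and signature below is constructed sample data."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import time
from typing import Optional


@dataclass
class Packet:
    # Constructed input; a real device would decode these fields from the wire.
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes
    sent_at: time   # time of day the packet was transmitted (claim 4 time range)
    ts: float       # epoch seconds, only used for the alarm-frequency window


@dataclass
class ListEntry:
    """One blacklist/whitelist feature (claim 4). A None field means 'any'."""
    name: str
    time_range: Optional[tuple[time, time]] = None
    src_net: Optional[str] = None
    sport: Optional[int] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    sensitive: Optional[bytes] = None   # sensitive characters in the content

    def matches(self, p: Packet) -> bool:
        if self.time_range and not (self.time_range[0] <= p.sent_at <= self.time_range[1]):
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sensitive and self.sensitive not in p.payload:
            return False
        return True


@dataclass
class Engine:
    blacklist: list[ListEntry]
    whitelist: list[ListEntry]
    signatures: dict[str, bytes]     # IPS signature database: id -> byte pattern
    alarm_threshold: int = 3         # assumed "specified frequency" of claim 3
    window_seconds: float = 60.0     # assumed measurement window (not in the patent)
    alarm_times: dict[str, list[float]] = field(default_factory=lambda: defaultdict(list))

    def __post_init__(self) -> None:
        # Claim 1: whitelist features are all in the IPS signature database, i.e. the
        # whitelist only suppresses specific signatures and is never a blanket bypass.
        for e in self.whitelist:
            if e.sensitive is None or e.sensitive not in self.signatures.values():
                raise ValueError(f"whitelist entry {e.name!r} is not an IPS signature")

    def decide(self, p: Packet) -> tuple[str, str, str]:
        """Return (action, log category, matched name). The blacklist is consulted
        first, so a blacklisted packet cannot be rescued by a whitelist entry."""
        for e in self.blacklist:
            if e.matches(p):
                return "drop", "blacklist", e.name
        for e in self.whitelist:
            if e.matches(p):
                return "forward", "whitelist", e.name
        for sid, pat in self.signatures.items():   # only reached if neither list hit
            if pat in p.payload:
                return "drop", "greylist", sid
        return "forward", "none", ""

    def record_alarm(self, sid: str, ts: float) -> Optional[str]:
        """Claim 3: count grey-list alarms per signature inside a sliding window and
        return a prompt once the count exceeds the threshold."""
        hits = self.alarm_times[sid]
        hits.append(ts)
        hits[:] = [t for t in hits if ts - t <= self.window_seconds]
        if len(hits) > self.alarm_threshold:
            return (f"signature {sid} fired {len(hits)} times in {self.window_seconds:.0f}s; "
                    f"consider adding its feature to the blacklist or whitelist")
        return None

    def process(self, p: Packet) -> tuple[str, str, str, Optional[str]]:
        action, category, name = self.decide(p)
        prompt = self.record_alarm(name, p.ts) if category == "greylist" else None
        return action, category, name, prompt


def demo() -> list[tuple[str, str, str, Optional[str]]]:
    """Run constructed traffic through the engine and return one tuple per packet."""
    eng = Engine(
        blacklist=[ListEntry("scanner-net", src_net="203.0.113.0/24", proto="tcp"),
                   ListEntry("rdp-after-hours", dport=3389, time_range=(time(0, 0), time(6, 0)))],
        whitelist=[ListEntry("admin-tool-fp", src_net="192.0.2.0/24", dport=445, sensitive=b"cmd.exe")],
        signatures={"SIG-1001": b"cmd.exe", "SIG-2002": b"' OR 1=1"},
    )
    noon, night = time(12, 0), time(3, 0)
    pkts = [
        Packet("203.0.113.7", 40000, "10.0.0.5", 80, "tcp", b"GET / HTTP/1.1", noon, 100.0),
        Packet("192.0.2.5", 50000, "10.0.0.5", 445, "tcp", b"\\\\srv\\c$\\cmd.exe /c dir", noon, 101.0),
        Packet("198.51.100.9", 51000, "10.0.0.5", 445, "tcp", b"cmd.exe /c whoami", noon, 102.0),
    ] + [
        Packet("198.51.100.9", 52000 + i, "10.0.0.5", 80, "tcp", b"id=1' OR 1=1--", noon, 110.0 + i)
        for i in range(4)
    ] + [
        Packet("198.51.100.9", 53000, "10.0.0.5", 80, "tcp", b"id=42", noon, 120.0),
        Packet("198.51.100.9", 54000, "10.0.0.5", 3389, "tcp", b"", night, 121.0),
        Packet("198.51.100.9", 54001, "10.0.0.5", 3389, "tcp", b"", noon, 122.0),
    ]
    return [eng.process(p) for p in pkts]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the sample run the packet from 192.0.2.5 carries the SIG-1001 pattern but is forwarded, because the whitelist entry names that exact signature for that source range and destination port; the same payload from 198.51.100.9 is dropped and logged in the grey-list category. The fourth SIG-2002 hit inside the window produces the prompt of claim 3, and the two port-3389 packets show the time-range feature: the 03:00 packet is blacklisted, the 12:00 one falls through to signature inspection and is forwarded.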
CN201710210829.8A 2017-03-31 2017-03-31 Intrusion prevention method and device Pending CN106790313A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710210829.8A CN106790313A (en) 2017-03-31 2017-03-31 Intrusion prevention method and device

Publications (1)

Publication Number Publication Date
CN106790313A true CN106790313A (en) 2017-05-31

Family

ID=58965593

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710210829.8A Pending CN106790313A (en) 2017-03-31 2017-03-31 Intrusion prevention method and device

Country Status (1)

Country Link
CN (1) CN106790313A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1996892A (en) * 2006-12-25 2007-07-11 杭州华为三康技术有限公司 Detection method and device for network attack
CN102571786A (en) * 2011-12-30 2012-07-11 深信服网络科技(深圳)有限公司 Method for linkage defense among multiple safety modules in firewall and firewall
CN103078854A (en) * 2012-12-28 2013-05-01 北京亿赞普网络技术有限公司 Message filtering method and device
US20130212680A1 (en) * 2012-01-12 2013-08-15 Arxceo Corporation Methods and systems for protecting network devices from intrusion
CN103746996A (en) * 2014-01-03 2014-04-23 汉柏科技有限公司 Packet filtering method for firewall
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
CN105959290A (en) * 2016-06-06 2016-09-21 杭州迪普科技有限公司 Detection method and device of attack message
CN105959250A (en) * 2015-10-22 2016-09-21 杭州迪普科技有限公司 Network attack black list management method and device
CN105991587A (en) * 2015-02-13 2016-10-05 中国移动通信集团山西有限公司 Intrusion detection method and system
CN106230815A (en) * 2016-07-29 2016-12-14 杭州迪普科技有限公司 The control method of a kind of alarm log and device

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107864156B (en) * 2017-12-18 2020-06-23 东软集团股份有限公司 SYN attack defense method and device and storage medium
CN107864156A (en) * 2017-12-18 2018-03-30 东软集团股份有限公司 Ssyn attack defence method and device, storage medium
JP7067187B2 (en) 2018-03-27 2022-05-16 日本電気株式会社 Communication control device, communication control method, and program
JP2019176273A (en) * 2018-03-27 2019-10-10 日本電気株式会社 Communication controller, client device, communication control method, and program
CN109547427A (en) * 2018-11-14 2019-03-29 平安普惠企业管理有限公司 Black list user's recognition methods, device, computer equipment and storage medium
CN109413091A (en) * 2018-11-20 2019-03-01 中国联合网络通信集团有限公司 A kind of network security monitoring method and apparatus based on internet-of-things terminal
CN110545259A (en) * 2019-07-27 2019-12-06 苏州哈度软件有限公司 application layer attack protection method based on message replacement and protection system thereof
CN110751570A (en) * 2019-09-16 2020-02-04 中国电力科学研究院有限公司 Power service message attack identification method and system based on service logic
CN111314370A (en) * 2020-02-28 2020-06-19 杭州迪普科技股份有限公司 Method and device for detecting service vulnerability attack behavior
CN111352761A (en) * 2020-02-28 2020-06-30 北京天融信网络安全技术有限公司 Vehicle detection method and device, storage medium and electronic equipment
CN111314373A (en) * 2020-03-05 2020-06-19 南水北调中线信息科技有限公司 Message monitoring method and device
CN111917789A (en) * 2020-08-08 2020-11-10 詹能勇 Data processing method based on big data and Internet of things communication and cloud computing platform
CN114079574A (en) * 2020-08-14 2022-02-22 中移动信息技术有限公司 Data filtering method, device, equipment and storage medium
CN112637171A (en) * 2020-12-15 2021-04-09 微医云(杭州)控股有限公司 Data traffic processing method, device, equipment, system and storage medium
CN112565297A (en) * 2020-12-24 2021-03-26 杭州迪普科技股份有限公司 Message control method and device
CN113472580A (en) * 2021-07-01 2021-10-01 交通运输信息安全中心有限公司 Alarm system and alarm method based on dynamic loading mechanism
CN113472580B (en) * 2021-07-01 2023-04-07 交通运输信息安全中心有限公司 Alarm system and alarm method based on dynamic loading mechanism
CN114070624A (en) * 2021-11-16 2022-02-18 北京天融信网络安全技术有限公司 Message monitoring method and device, electronic equipment and medium
CN114070624B (en) * 2021-11-16 2024-01-23 北京天融信网络安全技术有限公司 Message monitoring method, device, electronic equipment and medium
CN114338233A (en) * 2022-02-28 2022-04-12 北京安帝科技有限公司 Network attack detection method and system based on flow analysis

Similar Documents

Publication Publication Date Title
CN106790313A (en) Intrusion prevention method and device
US10587636B1 (en) System and method for bot detection
CN100448203C (en) System and method for identifying and preventing malicious intrusions
US7644365B2 (en) Method and system for displaying network security incidents
CN110730175B (en) Botnet detection method and detection system based on threat information
CN101176331B (en) Computer network intrusion detection system and method
CN101087196B (en) Multi-layer honey network data transmission method and system
CN105915532B (en) A kind of recognition methods of host of falling and device
CN106657025A (en) Network attack behavior detection method and device
CN107370755A (en) A kind of method of the profound detection APT attacks of various dimensions
CN105376245A (en) Rule-based detection method of ATP attack behavior
CN110519150B (en) Mail detection method, device, equipment, system and computer readable storage medium
CN106650436A (en) Safety detecting method and device based on local area network
EP1244967A2 (en) Method for automatic intrusion detection and deflection in a network
CN103746885A (en) Test system and test method oriented to next-generation firewall
KR20060013491A (en) Network attack signature generation
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
KR20120090574A (en) Method for detecting arp spoofing attack by using arp locking function and recordable medium which program for executing method is recorded
CN105959290A (en) Detection method and device of attack message
CN109981587A (en) A kind of network security monitoring traceability system based on APT attack
CN108234486A (en) A kind of network monitoring method and monitoring server
CN102970309B (en) The detection method of zombie host, detection device and fire wall
US20220342966A1 (en) Multichannel threat detection for protecting against account compromise
CN111859374A (en) Method, device and system for detecting social engineering attack event
CN115695029A (en) Enterprise intranet attack defense system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531