CN111131192A - Bypass protection method and device - Google Patents
- Publication number
- CN111131192A CN201911258586.0A
- Authority
- CN
- China
- Prior art keywords
- user host
- processing action
- action
- server
- mirror image
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/143—Termination or inactivation of sessions, e.g. event-controlled end of session
Abstract
The application provides a bypass protection method and device, in which the bypass protection device obtains a mirror image message corresponding to a message sent by a user host to a server; obtains the user host identifier carried by the mirror image message and searches locally for a historical processing action corresponding to that identifier; and, if the historical processing action is found, executes it to disconnect the session connection between the user host and the server. Compared with the prior art, messages sent by the same user host can be handled using the historical processing action, so the bypass protection device does not have to perform security detection on every mirror image message from the same user host. This shortens the processing time of the bypass protection device and ensures that the attack source cannot continuously attack the attack object, thereby improving the security protection effect.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a bypass protection method and apparatus.
Background
Bypass protection technology acquires the traffic on a network link by bypass interception, restores the protocol content, detects whether the restored content violates a security policy, and executes a corresponding action on any session that violates the security policy, thereby providing protection. In the scheme adopted by existing bypass protection technology, the traffic of a network link is mirrored to the bypass protection device through a switch or an optical splitter, and when the bypass protection device detects malicious traffic that violates the security policy, it forges a data packet that can end the current session and injects it into the network to end the session.
However, this scheme has a significant disadvantage. All the traffic flowing into the bypass protection device is mirror traffic, and detecting the malicious traffic, forging the packet that ends the current session and injecting it into the network takes a long time, so the malicious traffic often arrives at the destination before the session-ending packet does, and the attack takes effect. If the attack source keeps using new sessions to transmit malicious data, it can achieve a continuous attack.
Disclosure of Invention
In view of this, the present application provides a bypass protection method and apparatus to solve the problem that an attack source continuously attacks an attack object.
Specifically, the method is realized through the following technical scheme:
in a first aspect, the present application provides a bypass protection method, which is applied to a bypass protection device, and includes:
acquiring a mirror image message corresponding to a message sent to a server by a user host;
acquiring a user host identity carried by the mirror image message, and locally searching whether a historical processing action corresponding to the user host identity exists;
and if the historical processing action is found, executing the historical processing action to disconnect the session connection between the user host and the server.
Further, the method further comprises:
if the historical processing action is not found, determining a current processing action corresponding to the mirror image message based on a preset security strategy, and executing the current processing action;
and when the current processing action is not a release action, recording the user host identification of the mirror image message, and recording the current processing action as a historical processing action corresponding to the user host identification.
Further, when the current processing action is not a release action, recording a user host identifier of the mirror image packet, and recording the current processing action as a historical processing action corresponding to the user host identifier, further comprising:
adding an aging time to the historical processing action;
the locally searching whether a history processing action corresponding to the user host identity exists further comprises:
when the locally recorded historical processing action has aged, deleting the user host identifier and the corresponding historical processing action;
if the historical processing action is found, the method further comprises the following steps:
updating an aging time of the historical processing action.
Further, the executing the history processing action to disconnect the session between the user host and the server specifically includes:
when the historical processing action is a blocking action, forging bidirectional RESET messages corresponding to the mirror image message and sending them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server.
Further, the executing the history processing action to disconnect the session between the user host and the server specifically includes:
when the historical processing action is a push action, forging bidirectional RESET messages corresponding to the mirror image message and sending them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server, and pushing preset security prompt information to the user host.
In a second aspect, the present application provides a bypass protection device, the device being applied to a bypass protection apparatus, the device comprising:
an acquisition unit, configured to acquire a mirror image message corresponding to a message sent to a server by a user host;
the searching unit is used for acquiring the user host identity carried by the mirror image message and locally searching whether a historical processing action corresponding to the user host identity exists or not;
and the processing unit is used for executing the historical processing action to disconnect the session connection between the user host and the server if the historical processing action is found.
Further, the apparatus further comprises:
a determining unit, configured to determine, based on a preset security policy, a current processing action corresponding to the mirror image packet if the historical processing action is not found, and execute the current processing action;
and the recording unit is used for recording the user host identity of the mirror image message when the current processing action is not the release action, and recording the current processing action as the historical processing action corresponding to the user host identity.
Further, the recording unit is further configured to add an aging time to the historical processing action;
the search unit is further configured to delete the user host identifier and the corresponding historical processing action when the locally recorded historical processing action is aged;
the processing unit is further configured to update the aging time of the historical processing action.
Further, the processing unit is specifically configured to, when the historical processing action is a blocking action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server.
Further, the processing unit is specifically configured to, when the historical processing action is a push action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server, and push preset security prompt information to the user host.
In a third aspect, the present application further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any one of the steps of the above-mentioned bypass protection method.
In a fourth aspect, the present application further provides a network device, which includes a memory, a processor, a communication interface, and a communication bus; the memory, the processor and the communication interface are communicated with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to execute the computer program stored in the memory, and when the processor executes the computer program, any step of the bypass protection method is implemented.
Therefore, in the present application the bypass protection device obtains a mirror image message corresponding to a message sent by the user host to the server; obtains the user host identifier carried by the mirror image message and searches locally for a historical processing action corresponding to that identifier; and, if the historical processing action is found, executes it to disconnect the session connection between the user host and the server. Compared with the prior art, messages sent by the same user host can be handled using the historical processing action, so the bypass protection device does not have to perform security detection on every mirror image message from the same user host. This shortens the processing time of the bypass protection device and ensures that the attack source cannot continuously attack the attack object, thereby improving the security protection effect.
Drawings
FIG. 1 is a schematic diagram of a bypass protection network in an exemplary embodiment of the present application;
FIG. 2 is a process flow diagram of a bypass prevention method in an exemplary embodiment of the present application;
FIG. 3 is a process flow diagram of another bypass prevention method in an exemplary embodiment of the present application;
FIG. 4 is a logical block diagram of a bypass prevention device in an exemplary embodiment of the present application;
FIG. 5 is a hardware block diagram of a network device in an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to FIG. 1, which is a schematic diagram of a bypass protection network in an exemplary embodiment of the present application, a switch between a user host and a server may mirror a message sent by the user host to the server and send the mirror image to a bypass protection device, so that the bypass protection device performs security protection.
Referring to fig. 2, a flowchart of a method for bypass protection according to an exemplary embodiment of the present application is shown, where the method is applied to a bypass protection device, and the method includes:
In this embodiment, the switch may mirror a message sent by the user host to the server to obtain a mirror image message, and then send the mirror image message to the bypass protection device, so that the bypass protection device obtains the mirror image message corresponding to the message sent by the user host to the server.
In this embodiment, after obtaining the mirror image message, the bypass protection device may obtain the user host identifier carried in it. The user host identifier is information that uniquely identifies the user host, such as the source IP address of the mirror image message, or the triplet or quintet information of the user session.
After the bypass protection device obtains the user host identifier carried by the mirror image message, whether a historical processing action corresponding to the user host identifier exists can be further searched locally.
Step 203: if the historical processing action is found, executing the historical processing action to disconnect the session connection between the user host and the server.
If the historical processing action is found, this is not the first time the user host has sent a message to the server, and the user host may be an attack source, so the bypass protection device can execute the historical processing action to disconnect the session connection between the user host and the server.
Executing the historical processing action to disconnect the session between the user host and the server specifically includes: when the historical processing action is a blocking action, forging bidirectional RESET messages corresponding to the mirror image message and sending them to the user host and the server respectively. The bypass protection device sends a RESET message to each of the user host and the server according to the source address (namely the address of the user host) and the destination address (namely the address of the server) in the mirror image message, so that the user host and the server each treat the RESET message they receive as having been sent by the opposite end, thereby ending the session and disconnecting the session connection between the user host and the server.
In addition, when the blocking action is executed, or when the historical processing action is a push action, the bypass protection device may send forged bidirectional RESET messages corresponding to the mirror image message to the user host and the server respectively, so as to disconnect the session connection between them, and may also push preset security prompt information to the user host, so that the user learns from the prompt that the user's client may have a security risk and can take corresponding security protection measures.
In an embodiment, if the bypass protection device does not find the historical processing action, this indicates that the user host may be sending a message to the server for the first time, and the message sent by the user host is taken to be a legal message. To further check the security of the user host, the bypass protection device may determine, based on a preset security policy, a current processing action corresponding to the mirror image message. Specifically, the bypass protection device may perform security detection on information such as the addresses and fields carried in the mirror image message according to the preset security policy. If the mirror image message conforms to the security policy, the corresponding current processing action is a release action; if it does not conform, the corresponding current processing action is a blocking action or a push action. After the current processing action is determined, it is executed.
When the current processing action is not a release action, the user host may be an attack source, so the bypass protection device may record the user host identifier of the mirror image message and record the current processing action as the historical processing action corresponding to that identifier. When the user host sends a message to the server again, the session between the user host and the server can then be blocked based on the recorded historical processing action. Detection based on the security policy takes the bypass protection device a long time, so by the time the current processing action for the user host is determined, the user host's message may already have reached the server and caused an attack. In the related art, every message sent by the same user host goes through security policy detection, which cannot stop the attack in time, and if the user host sends attack messages in this way every time, the server is attacked continuously. In the present application, by contrast, the security of the user host is checked through the security policy when the user host sends a message for the first time, and if the user host poses an attack risk, the processing action corresponding to it is recorded. When a message from that user host is received again, security protection is applied directly from the recorded historical processing action without running security policy detection again. This shortens the protection time, so the session connection between the user host and the server can be blocked before the user host's message reaches the server, which achieves the purpose of the security protection. The present application can therefore prevent a persistent attack by the user host.
Further, when the current processing action is not a release action, that is, when it is a blocking action or a push action, the bypass protection device may record the user host identifier of the mirror image message, record the current processing action as the historical processing action corresponding to that identifier, and add an aging time to the historical processing action, where the aging time may be set according to actual requirements. Therefore, in step 202, when the bypass protection device searches locally for a historical processing action corresponding to the user host identifier, it may also determine whether the historical processing action has aged. If the locally recorded aging time of the historical processing action has expired, the historical processing action has aged, and the user host identifier and the corresponding historical processing action are deleted so that the mirror image message is checked again through the security policy. If the historical processing action is found and has not aged, its aging time can be updated.
In the present application, an aging time is added to the historical processing action for the attack source, so that the attack source is subject to the historical processing action for a period of time, and an administrator can use the aging time to control how long the historical processing action applies to the attack source. As a result, the attack source cannot continuously attack the attack object, and normal access by legitimate users is not affected.
In order to make the objects, technical solutions and advantages of the present application more apparent, the solution of the present application is further described in detail below with reference to fig. 1 and 3.
When the user host sends a message to the server, the processing flow of the bypass protection device is shown in fig. 3, which includes:
Step 301: acquiring a mirror image message corresponding to a message sent by a user host to a server, and acquiring a user host identifier carried by the mirror image message;
Step 308: recording the user host identifier of the mirror image message, recording the current processing action as a historical processing action corresponding to the user host identifier, adding aging time to the historical processing action, and ending.
The specific implementation process is as follows:
assuming that the IP address of the user host is 1.1.1.1 and the IP address of the server is 2.2.2.2, the security policy is to start SQL injection protection, the action is blocking, and the aging time is 1 minute.
When the user host first sends a message carrying an SQL injection attack request to the server, the message is mirrored to the bypass protection device through the mirroring and traffic-diverting device (e.g. the switch). Because this is the first mirror image message the bypass protection device has received from the user host with IP address 1.1.1.1, no corresponding historical processing action exists, so the mirror image message is checked using the security policy. When the SQL injection attack is detected, a blocking action is determined for the user host, and the bypass protection device forges bidirectional RESET messages to end the session between the user host and the server. At the same time, because the processing action is a blocking action, the bypass protection device establishes a correspondence between the user host's IP address 1.1.1.1 and the blocking action, with an aging time of 1 minute.
During the following minute, if the user host (IP address 1.1.1.1) establishes a connection with the server again, its traffic flows into the bypass protection device through the mirroring and traffic-diverting device and the correspondence containing the IP address is looked up again. The correspondence for the IP address is found and the time has not exceeded 1 minute, so bidirectional RESET messages are forged according to the blocking action in the correspondence and the current session is ended. At the same time, the aging time of the user host, i.e. the remaining duration of the current action, is reset to 1 minute. If more than 1 minute has passed when the user host sends a message to the server again, the correspondence recorded by the bypass protection device between the user host's IP address 1.1.1.1 and the blocking action, with its aging time of 1 minute, has aged, so the bypass protection device checks the message again through the security policy and determines a new processing action for it. The present application can therefore ensure that, under bypass protection, the attack object is not exposed to continuous attack by the attacker.
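The lookup-before-detection flow and the worked scenario above (user host 1.1.1.1, server 2.2.2.2, blocking action, 1-minute aging) can be traced with the following added Python example, which is not code from the patent. The class and function names, the toy SQL-injection check and the injected clock are assumptions; RESET messages are represented only as (claimed sender, receiver) descriptors and nothing is sent.

```python
import time
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    RELEASE = "release"   # let the session continue
    BLOCK = "block"       # forged bidirectional RESETs
    PUSH = "push"         # RESETs plus a security prompt to the user host


@dataclass(frozen=True)
class MirrorMessage:
    src_ip: str           # user host address
    dst_ip: str           # server address
    payload: str


@dataclass
class HistoryEntry:
    action: Action
    expires_at: float     # aging deadline on the guard's clock


@dataclass(frozen=True)
class Decision:
    action: Action
    source: str           # "history" (fast path) or "policy" (slow path)
    resets: tuple         # (claimed sender, receiver) pairs; empty on release


def toy_sqli_policy(msg):
    """Stand-in for the slow security-policy detection (constructed check)."""
    markers = ("' or '1'='1", "union select")
    hit = any(m in msg.payload.lower() for m in markers)
    return Action.BLOCK if hit else Action.RELEASE


def reset_pair(msg):
    """Each end must see the RESET as coming from its peer."""
    return ((msg.dst_ip, msg.src_ip), (msg.src_ip, msg.dst_ip))


class BypassGuard:
    def __init__(self, policy, aging_seconds=60.0, clock=time.monotonic):
        self.policy = policy
        self.aging = aging_seconds
        self.clock = clock
        self.history = {}      # user host identifier -> HistoryEntry
        self.policy_runs = 0   # how often the slow path was taken

    def handle(self, msg):
        now = self.clock()
        host_id = msg.src_ip   # identifier choice: source IP, as in the scenario
        entry = self.history.get(host_id)
        if entry is not None and now >= entry.expires_at:
            del self.history[host_id]          # aged: forget host and action
            entry = None
        if entry is not None:
            entry.expires_at = now + self.aging  # refresh aging time on a hit
            return Decision(entry.action, "history", reset_pair(msg))
        self.policy_runs += 1                  # no history: run detection
        action = self.policy(msg)
        if action is Action.RELEASE:
            return Decision(action, "policy", ())
        self.history[host_id] = HistoryEntry(action, now + self.aging)
        return Decision(action, "policy", reset_pair(msg))


def run_worked_example():
    """Replay the 1.1.1.1 -> 2.2.2.2 scenario on a fake clock (constructed input)."""
    now = [0.0]
    guard = BypassGuard(toy_sqli_policy, aging_seconds=60.0, clock=lambda: now[0])
    attack = MirrorMessage("1.1.1.1", "2.2.2.2", "GET /item?id=1' OR '1'='1")
    benign = MirrorMessage("1.1.1.1", "2.2.2.2", "GET /index.html")
    trace = []
    for t, msg in [(0, attack), (30, benign), (80, benign), (141, benign)]:
        now[0] = float(t)
        d = guard.handle(msg)
        trace.append((t, d.action.value, d.source))
    return trace, guard.policy_runs, dict(guard.history)


if __name__ == "__main__":
    for row in run_worked_example()[0]:
        print(row)
```

The trace shows two operational consequences of the design: each hit refreshes the aging time, so a host that keeps reconnecting stays blocked past the first minute, and with the source IP as identifier even benign requests from that address are reset until the entry ages out.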
Corresponding to the embodiment of the bypass protection method, the application also provides an embodiment of the bypass protection device.
Referring to fig. 4, a schematic structural diagram of a bypass protection device in an exemplary embodiment of the present application, the device is applied to a bypass protection apparatus, and the device 40 includes:
an obtaining unit 401, configured to obtain a mirror message corresponding to a message sent by a user host to a server;
a searching unit 402, configured to obtain a user host identifier carried in the mirror image packet, and locally search whether a history processing action corresponding to the user host identifier exists;
a processing unit 403, configured to execute the historical processing action to disconnect the session connection between the user host and the server if the historical processing action is found.
As an embodiment, the apparatus further comprises:
a determining unit 404, configured to determine, based on a preset security policy, a current processing action corresponding to the mirror image packet if the historical processing action is not found, and execute the current processing action;
a recording unit 405, configured to record the user host identifier of the mirror message when the current processing action is not a release action, and record the current processing action as a historical processing action corresponding to the user host identifier.
As an embodiment, the recording unit 405 is further configured to add an aging time to the historical processing action;
the searching unit 402 is further configured to delete the user host identifier and the corresponding historical processing action when the locally recorded historical processing action is aged;
the processing unit 403 is further configured to update the aging time of the history processing action.
As an embodiment, the processing unit 403 is specifically configured to, when the historical processing action is a blocking action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server.
As an embodiment, the processing unit 403 is specifically configured to, when the historical processing action is a push action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session between the user host and the server, and push preset security prompt information to the user host.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Corresponding to the foregoing embodiments of the bypass protection method, the present application also provides embodiments of a network device implementing the bypass protection method.
As shown in FIG. 5, the network device includes a memory 51, a processor 52, a communication interface 53, and a communication bus 54; wherein the memory 51, the processor 52 and the communication interface 53 communicate with each other through the communication bus 54;
the memory 51 is used for storing computer programs;
the processor 52 is configured to execute the computer program stored in the memory 51, and when the processor 52 executes the computer program, any step of the bypass protection method provided in the embodiment of the present application is implemented.
The present application further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any step of the bypass protection method provided in the embodiments of the present application.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for embodiments of the network device and the computer-readable storage medium, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some portions of the description of the method embodiments.
In summary, in the present application the bypass protection device obtains a mirror image message corresponding to a message sent by the user host to the server; obtains the user host identifier carried by the mirror image message and searches locally for a historical processing action corresponding to that identifier; and, if the historical processing action is found, executes it to disconnect the session connection between the user host and the server. Compared with the prior art, messages sent by the same user host can be handled using the historical processing action, so the bypass protection device does not have to perform security detection on every mirror image message from the same user host. This shortens the processing time of the bypass protection device and ensures that the attack source cannot continuously attack the attack object, thereby improving the security protection effect.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. A bypass protection method, characterized in that the method is applied to a bypass protection device and comprises the following steps:
acquiring a mirror image message corresponding to a message sent to a server by a user host;
acquiring a user host identity carried by the mirror image message, and locally searching whether a historical processing action corresponding to the user host identity exists;
and if the historical processing action is found, executing the historical processing action to disconnect the session connection between the user host and the server.
2. The method of claim 1, further comprising:
if the historical processing action is not found, determining a current processing action corresponding to the mirror image message based on a preset security strategy, and executing the current processing action;
and when the current processing action is not a release action, recording the user host identity of the mirror image message, and recording the current processing action as the historical processing action corresponding to the user host identity.
3. The method according to claim 2, wherein, when the current processing action is not a release action, recording the user host identity of the mirror image message and recording the current processing action as the historical processing action corresponding to the user host identity further comprises:
adding an aging time to the historical processing action;
the locally searching whether a historical processing action corresponding to the user host identity exists further comprises:
when a locally recorded historical processing action has aged, deleting the user host identity and the corresponding historical processing action;
if the historical processing action is found, the method further comprises the following steps:
updating an aging time of the historical processing action.
4. The method according to claim 1, wherein executing the historical processing action to disconnect the session connection between the user host and the server specifically comprises:
when the historical processing action is a blocking action, forging bidirectional RESET messages corresponding to the mirror image message and sending them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server.
5. The method according to claim 1, wherein executing the historical processing action to disconnect the session connection between the user host and the server specifically comprises:
when the historical processing action is a pushing action, forging bidirectional RESET messages corresponding to the mirror image message and sending them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server, and pushing preset security prompt information to the user host.
6. A bypass protection apparatus, wherein the apparatus is applied to a bypass protection device, the apparatus comprising:
the system comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring a mirror image message corresponding to a message sent to a server by a user host;
the searching unit is used for acquiring the user host identity carried by the mirror image message and locally searching whether a historical processing action corresponding to the user host identity exists or not;
and the processing unit is used for executing the historical processing action to disconnect the session connection between the user host and the server if the historical processing action is found.
7. The apparatus of claim 6, further comprising:
a determining unit, configured to determine, based on a preset security policy, a current processing action corresponding to the mirror image packet if the historical processing action is not found, and execute the current processing action;
and the recording unit is used for recording the user host identity of the mirror image message when the current processing action is not the release action, and recording the current processing action as the historical processing action corresponding to the user host identity.
8. The apparatus of claim 7,
the recording unit is further used for adding aging time to the historical processing action;
the search unit is further configured to delete the user host identifier and the corresponding historical processing action when the locally recorded historical processing action is aged;
the processing unit is further configured to update the aging time of the historical processing action.
9. The apparatus of claim 6,
and the processing unit is specifically configured to, when the historical processing action is a blocking action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server.
10. The apparatus of claim 6,
and the processing unit is specifically configured to, when the historical processing action is a pushing action, forge bidirectional RESET messages corresponding to the mirror image message and send them to the user host and the server respectively, so as to disconnect the session connection between the user host and the server, and push preset security prompt information to the user host.
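The lookup, policy fallback and aging flow of claims 1 to 3, as an added Python example that is not part of the patent text. Using the source address as the user host identity, the 300-second default aging time and `sample_policy` are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    RELEASE = "release"  # let the session continue
    BLOCK = "block"      # reset both ends of the session
    PUSH = "push"        # reset, then push a security notice to the host

@dataclass
class Entry:
    action: Action
    expires_at: float

class HistoryTable:
    """Per-host cache of non-release verdicts with an aging time."""
    def __init__(self, policy, aging_seconds=300.0, clock=time.monotonic):
        self.policy = policy        # callable: mirrored packet -> Action
        self.aging = aging_seconds  # assumed default; the claims give no value
        self.clock = clock          # injectable so aging can be tested
        self.entries = {}           # user host identity -> Entry
        self.inspections = 0        # times the full policy had to run

    def handle(self, packet):
        """Return (action, served_from_history) for one mirrored packet."""
        now = self.clock()
        # Claim 3: delete aged identities before the lookup.
        for host in [h for h, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[host]
        host = packet["src"]        # assumption: source IP is the host identity
        hit = self.entries.get(host)
        if hit is not None:
            hit.expires_at = now + self.aging  # claim 3: refresh on every hit
            return hit.action, True            # claim 1: no re-inspection
        self.inspections += 1
        action = self.policy(packet)           # claim 2: preset security policy
        if action is not Action.RELEASE:       # claim 2: record non-release only
            self.entries[host] = Entry(action, now + self.aging)
        return action, False

def sample_policy(packet):
    """Constructed stand-in for the preset security policy."""
    if b"../" in packet["payload"]:
        return Action.BLOCK
    if b"/admin" in packet["payload"]:
        return Action.PUSH
    return Action.RELEASE
```

Because a hit skips inspection and refreshes the timer, a benign packet from a recorded host is still reset, and hosts that share one source address share the verdict until traffic from that address stops for a full aging period.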
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911258586.0A CN111131192A (en) | 2019-12-10 | 2019-12-10 | Bypass protection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111131192A (en) | 2020-05-08 |
Family
ID=70498045
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911258586.0A Pending CN111131192A (en) | 2019-12-10 | 2019-12-10 | Bypass protection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111131192A (en) |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110078309A1 (en) * | 2006-04-29 | 2011-03-31 | Eric Bloch | Apparatus for Filtering Server Responses |
US8151341B1 (en) * | 2011-05-23 | 2012-04-03 | Kaspersky Lab Zao | System and method for reducing false positives during detection of network attacks |
US8302180B1 (en) * | 2011-05-23 | 2012-10-30 | Kaspersky Lab Zao | System and method for detection of network attacks |
CN102761539A (en) * | 2011-05-23 | 2012-10-31 | 卡巴斯基实验室封闭式股份公司 | System and method for reducing false positives during detection of network attacks |
US20140325588A1 (en) * | 2013-04-25 | 2014-10-30 | Rajkumar Jalan | Systems and methods for network access control |
CN105959250A (en) * | 2015-10-22 | 2016-09-21 | 杭州迪普科技有限公司 | Network attack black list management method and device |
CN107347047A (en) * | 2016-05-04 | 2017-11-14 | 阿里巴巴集团控股有限公司 | Attack guarding method and device |
CN107948195A (en) * | 2017-12-25 | 2018-04-20 | 杭州迪普科技股份有限公司 | A kind of method and device of protection Modbus attacks |
CN108183950A (en) * | 2017-12-28 | 2018-06-19 | 新华三技术有限公司 | A kind of network equipment establishes the method and device of connection |
CN109587156A (en) * | 2018-12-17 | 2019-04-05 | 广州天懋信息系统股份有限公司 | Abnormal network access connection identification and blocking-up method, system, medium and equipment |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114978561A (en) * | 2021-02-26 | 2022-08-30 | 中国科学院计算机网络信息中心 | Real-time high-speed network TCP (Transmission control protocol) bypass batch host blocking method and system |
CN114978561B (en) * | 2021-02-26 | 2023-11-07 | 中国科学院计算机网络信息中心 | Real-time high-speed network TCP protocol bypass batch host blocking method and system |
CN113595927A (en) * | 2021-07-30 | 2021-11-02 | 北京天空卫士网络安全技术有限公司 | Method and device for processing mirror flow in bypass mode |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200508 |