CN115776406B - Security protection method and device, electronic equipment and storage medium - Google Patents

Security protection method and device, electronic equipment and storage medium

Info

Publication number
CN115776406B
Authority
CN
China
Prior art keywords
stream
threat
information
access router
flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211531304.1A
Other languages
Chinese (zh)
Other versions
CN115776406A (en)
Inventor
陈吉宁
周飞
谈超洪
李森
梁少灵
彭凌华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangxi Zhuang Autonomous Region Information Center
Original Assignee
Guangxi Zhuang Autonomous Region Information Center
Application filed by Guangxi Zhuang Autonomous Region Information Center filed Critical Guangxi Zhuang Autonomous Region Information Center
Priority to CN202211531304.1A priority Critical patent/CN115776406B/en
Publication of CN115776406A publication Critical patent/CN115776406A/en
Application granted granted Critical
Publication of CN115776406B publication Critical patent/CN115776406B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Abstract

The application provides a security protection method, a security protection apparatus, an electronic device and a storage medium. The method is applied to a security protection device located in a security protection architecture that comprises the security protection device and a border access router, the security protection device being connected to the border access router. The method comprises: acquiring a traffic flow accessing a target server, and parsing the traffic flow to obtain a parsed traffic flow, wherein the traffic flow is accessed from the border access router; if it is determined, according to the parsed traffic flow, that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow; generating routing information according to the N-tuple information of the threat flow, and sending the routing information to the border access router through a preset protocol, wherein the preset protocol comprises a Border Gateway Protocol (BGP) flow rule, and the routing information comprises filtering rule information and blocking instruction information. The application blocks threat flows on demand and improves the security and reliability of the network.

Description

Security protection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security protection method, a security protection device, an electronic device, and a storage medium.
Background
The government affair external network is an important public infrastructure of the electronic government affairs in China, and is a government affair public network which is used for serving all levels of government affair departments and meeting the requirements of the government affair departments in aspects of economic regulation, market supervision, social management, public service and the like. According to the equity protection requirements of the government external network, a corresponding access control mechanism and a security threat protection network element are required to be deployed at the network boundary.
In the prior art, firewalls are deployed at all border access routers of the government external network, so that every border access router supports both routing and security protection, which guarantees network security. However, deploying a firewall at each access point makes network construction prohibitively expensive and management inconvenient. That is, the prior-art security protection scheme is not optimal.
Therefore, improvement of security protection measures of the government external network is needed to effectively prevent network resources of the government external network from being maliciously damaged or illegally used.
Disclosure of Invention
The application provides a security protection method, a security protection apparatus, an electronic device and a storage medium, which are used to solve the problem that the security protection schemes of the prior art are not optimal and need further improvement.
In one aspect, the present application provides a security protection method, the method being applied to a security protection device, the security protection device being located in a security protection architecture, the security protection architecture comprising the security protection device and a border access router to which the security protection device is connected, the method comprising:
acquiring a traffic flow accessing a target server, and parsing the traffic flow to obtain a parsed traffic flow; wherein the traffic flow is accessed from the border access router;
if it is determined, according to the parsed traffic flow, that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow; the threat flow is a traffic flow, among the traffic flows, that poses a security threat to or attacks the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer;
generating routing information according to the N-tuple information of the threat flow, and sending the routing information to the border access router through a preset protocol; the preset protocol comprises a Border Gateway Protocol (BGP) flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for instructing the border access router to block the threat flow according to the filtering rule information.
Optionally, the parsed traffic flow includes detailed information of the traffic flow; the determining, according to the parsed traffic flow, that a threat flow exists in the traffic flow comprises:
if it is determined according to the detailed information that the traffic flow matches the characteristics of a DoS/DDoS attack, determining that a threat flow exists in the traffic flow.
Optionally, the routing information further includes statistics instruction information; wherein the statistics instruction information is used for instructing the border access router to determine the number of packets and the total number of bytes of the blocked threat flow.
Optionally, the method further comprises:
receiving statistical data sent by the border access router; the statistical data include the number of packets and the total number of bytes of the blocked threat flow;
if it is determined according to the statistical data that no threat flow exists in the traffic flow, sending revocation information to the border access router through the preset protocol; the revocation information is used for instructing the border access router to stop executing the blocking instruction information.
Optionally, the method further comprises:
if it is determined that the number of packets and the total number of bytes of the blocked threat flow have not increased within a preset time, determining that no threat flow exists in the traffic flow.
Optionally, the security protection device includes a first server and a second server, wherein the first server is connected with the second server, and the second server is connected with the border access router.
Optionally, the preset protocol further includes one or more of the following: Path Computation Element Communication Protocol, BGP SR protocol, BGP control protocol, and Telemetry technology.
In another aspect, the present application provides a security protection apparatus for use in a security protection device located in a security protection architecture, the security protection architecture comprising the security protection device and a border access router, the security protection device and the border access router being connected, the apparatus comprising:
the acquisition unit is used for acquiring a traffic flow accessing a target server, and parsing the traffic flow to obtain a parsed traffic flow; wherein the traffic flow is accessed from the border access router;
the extraction unit is used for extracting N-tuple information of the threat flow if it is determined, according to the parsed traffic flow, that a threat flow exists in the traffic flow; the threat flow is a traffic flow, among the traffic flows, that poses a security threat to or attacks the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer;
the control unit is used for generating routing information according to the N-tuple information of the threat flow and sending the routing information to the border access router through a preset protocol; the preset protocol comprises a Border Gateway Protocol (BGP) flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for instructing the border access router to block the threat flow according to the filtering rule information.
Optionally, the parsed traffic flow includes detailed information of the traffic flow; the extraction unit comprises a determination module;
the determination module is used for determining that a threat flow exists in the traffic flow if it is determined according to the detailed information that the traffic flow matches the characteristics of a DoS/DDoS attack.
Optionally, the routing information further includes statistics instruction information; wherein the statistics instruction information is used for instructing the border access router to determine the number of packets and the total number of bytes of the blocked threat flow.
Optionally, the apparatus further comprises a receiving unit, wherein the receiving unit comprises a receiving module and a revocation module;
the receiving module is used for receiving the statistical data sent by the border access router; the statistical data include the number of packets and the total number of bytes of the blocked threat flow;
the revocation module is used for sending revocation information to the border access router through the preset protocol if it is determined according to the statistical data that no threat flow exists in the traffic flow; the revocation information is used for instructing the border access router to stop executing the blocking instruction information.
Optionally, the receiving unit further comprises a decision module;
the decision module is used for determining that no threat flow exists in the traffic flow if it is determined that the number of packets and the total number of bytes of the blocked threat flow have not increased within a preset time.
Optionally, the security protection device includes a first server and a second server, wherein the first server is connected with the second server, and the second server is connected with the border access router.
Optionally, the preset protocol further includes one or more of the following: Path Computation Element Communication Protocol, BGP SR protocol, BGP control protocol, and Telemetry technology.
In another aspect, the present application provides an electronic device, including: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
The processor executes computer-executable instructions stored in the memory to implement any of the methods described above.
In another aspect, the application provides a computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out any of the methods described above.
In another aspect, the application provides a computer program product comprising a computer program which, when executed by a processor, implements any of the methods described above.
The application provides a security protection method, a security protection apparatus, an electronic device and a storage medium. The method is applied to a security protection device located in a security protection architecture that comprises the security protection device and a border access router to which the security protection device is connected, and the method comprises: acquiring a traffic flow accessing a target server, and parsing the traffic flow to obtain a parsed traffic flow, wherein the traffic flow is accessed from the border access router; if it is determined, according to the parsed traffic flow, that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow, wherein the threat flow is a traffic flow, among the traffic flows, that poses a security threat to or attacks the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer; generating routing information according to the N-tuple information of the threat flow, and sending the routing information to the border access router through a preset protocol, wherein the preset protocol comprises a Border Gateway Protocol (BGP) flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for instructing the border access router to block the threat flow according to the filtering rule information.
The scheme of the application blocks threat flows on demand and leaves no residual configuration on the border access router; it also solves the problems of poor reliability and easily formed residual configuration that arise when a QoS policy based on complex flow classification is issued through static command lines to block threat traffic; and because the command lines of different vendors need not be adapted and converted for security protection, management complexity is reduced and security and reliability are improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a diagram of a protection architecture in which firewalls are deployed in an architecture for clients to access a government cloud, according to an embodiment of the present application;
Fig. 2 is a diagram of another protection architecture in which a firewall is deployed in an architecture for clients to access a government cloud, according to an embodiment of the present application;
Fig. 3 is a diagram of a security protection architecture corresponding to an application scenario of a security protection method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a security protection method according to an embodiment of the present application;
Fig. 5 is a signaling diagram of a security protection method completed by a fusion server and a border access router according to an embodiment of the present application;
Fig. 6 is a signaling diagram of a security protection method completed by a probe server, a security resource pool server and a border access router according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a security protection apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another security protection apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The government external network supports business application, information sharing and business coordination of cross-region and cross-department, and business which does not need to run on the government internal network. Based on the importance of the government external network, the network security protection of the government external network is also particularly important. The network security problem of the government external network is a key problem for supporting various network services and application further development of the government external network at present.
Illustratively, Fig. 1 is a schematic diagram of a protection architecture in which firewalls are deployed in an architecture for clients to access a government cloud, according to an embodiment of the present application. As shown in Fig. 1, the traffic flows of each client 20 enter through the border access router 12 and are forwarded through the aggregation router 14 and the core router 13 to access the government cloud 30. The traffic flows are forwarded using an L3VPN (Layer 3 Virtual Private Network).
Among the traffic flows accessed through the border access router 12, there may be threat flows, which not only occupy network resources of the border access router 12, the aggregation router 14, and the core router 13, but also cause security threat and attack to the government cloud 30, so network security protection is required.
In one example, firewalls are deployed at all border access routers of the government external network, so that every border access router supports both routing and security protection, which guarantees network security. As shown in Fig. 1, a firewall 121 is deployed beside the border access router 12, a firewall 131 is deployed beside the core router 13, and a firewall is deployed beside the router entering the government wide area network. In this way every border node supports threat identification and threats can be blocked close to where they enter; however, deploying a firewall at each access point makes network construction too expensive and management inconvenient.
In one example, a firewall is attached only beside an aggregation router or a core router of the government external network, and all traffic flows accessing the government cloud server are steered to that firewall, which identifies and blocks threat flows centrally. Fig. 2 is a schematic diagram of another protection architecture in which a firewall is deployed in an architecture for clients to access a government cloud, according to an embodiment of the present application. As shown in Fig. 2, the firewall 131 is deployed only beside the core router 13. This approach identifies and blocks threat flows centrally, has a relatively low deployment cost and is convenient to manage and control. However, when the clients 20 access one another, the traffic does not need to pass through the aggregation router 14 and the core router 13, so threat flows in traffic exchanged between branches cannot be identified and blocked. Moreover, threat flows are blocked only after they reach the aggregation router 14 or the core router 13, so they occupy the bandwidth of the border access router 12, the aggregation router 14 and the core router 13, which can affect normal traffic flows accessing the government cloud server.
In one example, the security protection device attached beside the core router only identifies threat flows, and the border access router carries out the processing tasks such as discarding and blocking the threat flows. The security protection device sends QoS (Quality of Service) policies based on complex flow classification to the border access router through the NETCONF/YANG protocol, and the border access router and the firewall beside the core router together complete the security protection function. Complex flow classification means classifying packets finely using complex rules, such as five-tuple information, and then associating each classification rule with a corresponding executable flow action to form the QoS policy. Illustratively, the five-tuple information may include: source address, source port number, protocol number, destination address, destination port number; the flow action may include: traffic policing, congestion management, congestion avoidance, packet filtering, etc. The security protection device forms a QoS policy from the complex flow classification rule and the corresponding executable flow action, and then sends the QoS policy to the border access router through the NETCONF/YANG protocol. In network security protection, the QoS policy generally discards the threat flow and counts the total number of packets and the total number of bytes of the threat flow. After the border access router receives the QoS policy, it completes the security protection task according to the QoS policy.
NETCONF (Network Configuration Protocol) provides a mechanism for managing network devices; a user can use it to add, modify and delete the configuration of network devices and to obtain their configuration and state information. YANG (Yet Another Next Generation) is a data modeling language; a YANG model defines a hierarchical structure of data that can fully describe all data sent between the NETCONF client and server. However, the NETCONF/YANG protocol has poor issuing performance: generally only a few rules and policies can be issued per second, so when the number of threat flows is large it becomes a performance bottleneck and blocking requirements cannot be met. Moreover, when the security protection device has a problem, the overall reliability is poor and residual configuration is easily left on the border access router. In addition, the security protection device needs to be aware of the vendor and command-line differences of each network node and to adapt and convert the command lines of different vendors, so management complexity is high.
Therefore, how to realize the rapid identification and rapid blocking of a large number of security threat flows, how to improve the reliability of threat blocking actions without affecting the normal service of the existing network, how to realize command line intercommunication of multiple manufacturers, and the like are all the problems to be solved at present.
In order to solve the above problems, the present application provides a security protection method, a security protection apparatus, an electronic device, and a storage medium. The security protection device sends filtering rule information and blocking instruction information to the border access router through a Border Gateway Protocol (BGP) flow rule, and the security protection device and the border access router together realize the security protection function. The BGP flow rule is more extensible and more reliable, and it solves the problem that the command lines of multiple vendors do not interoperate.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
The following describes the security protection method and an application scenario provided by the embodiment of the application. When the following description refers to the accompanying drawings, the same numbers in different drawings represent the same or similar elements, unless otherwise indicated.
Fig. 3 is a diagram of a security protection architecture corresponding to an application scenario of a security protection method according to an embodiment of the present application. As shown in Fig. 3, the security protection architecture 10 includes a security protection device 11 and a border access router 12, and the security protection device 11 is connected to the border access router 12. In practice, the access server 20 accesses the target server 30 through the security protection architecture 10.
Illustratively, taking the case where each client accesses the government cloud as an example, the access server 20 may be a server of each client, and the target server 30 may be the government cloud. Each client, acting as an access server 20, connects through the border access router 12 and accesses the government cloud, that is, the target server 30, via the security protection device 11.
There may be a plurality of clients 20, and there may be a plurality of border access routers 12 to meet the access requirements of each client. When there are a plurality of border access routers 12, for convenience of management and control, an interconnected aggregation router (not shown) and/or core router 13 may further be included between the border access routers 12 and the security protection device 11. The core router 13 is in turn connected to the security protection device 11.
Illustratively, the security protection device 11 is configured to parse the traffic flows that enter through the border access router 12 and access the government cloud 30, determine whether a threat flow exists among all the accessed traffic flows, extract N-tuple information of the threat flow if one exists, and send filtering rule information and blocking instruction information to the border access router 12. After the border access router 12 receives the filtering rule information and the blocking instruction information, it executes the blocking instruction information according to the filtering rule information, so that the threat flow is blocked at the border access router 12 and the target server 30 is protected.
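The following is an added example, not code from the patent. Assuming the "BGP flow rule" is BGP Flow Specification as defined in RFC 8955, it encodes the five-tuple of a threat flow as a FlowSpec NLRI (the filtering rule) with a zero-rate traffic-rate action (the blocking instruction), and applies the counter-based revocation condition given in the Disclosure section. The names `ThreatFlow`, `BlockMonitor` and `run_lifecycle`, the addresses, ports and counter samples are all constructed for illustration.

```python
"""Added illustration: one BGP FlowSpec (RFC 8955) block rule and its withdrawal.

Assumption: the page's "BGP flow rule" is BGP Flow Specification. IPv4 only.
Addresses, ports and counter samples below are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass

# RFC 8955 component types; components must be sent in ascending type order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6


@dataclass(frozen=True)
class ThreatFlow:
    """Five-tuple (N = 5) extracted from a flow judged to be a threat."""
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int


def prefix_component(ctype, cidr):
    """<type, prefix length in bits, only the significant prefix octets>."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def eq_component(ctype, value):
    """<type, numeric operator, value> for a single 'equals' match."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"value out of range: {value}")
    # Operator byte: end-of-list 0x80 | value-length code | eq 0x01.
    if value <= 0xFF:
        return bytes([ctype, 0x81, value])
    return bytes([ctype, 0x91]) + struct.pack("!H", value)


def encode_nlri(flow):
    """Filtering rule: length-prefixed FlowSpec NLRI for the five-tuple."""
    body = (prefix_component(DST_PREFIX, flow.dst)
            + prefix_component(SRC_PREFIX, flow.src)
            + eq_component(IP_PROTO, flow.proto)
            + eq_component(DST_PORT, flow.dst_port)
            + eq_component(SRC_PORT, flow.src_port))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def discard_action(asn=0):
    """Blocking instruction: traffic-rate-bytes extended community, rate 0.0."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, 0.0)


class BlockMonitor:
    """Tracks the router-reported counters for one installed rule."""

    def __init__(self, nlri, hold_seconds, now):
        self.nlri = nlri
        self.hold = hold_seconds
        self.packets = self.octets = 0
        self.last_growth = now

    def report(self, packets, octets, now):
        """Feed one sample; True means the counters stalled for the hold time."""
        if packets > self.packets or octets > self.octets:
            self.last_growth = now
        # Storing the raw values also absorbs a counter reset on the router.
        self.packets, self.octets = packets, octets
        return now - self.last_growth >= self.hold


def run_lifecycle(flow, samples, hold_seconds):
    """Announce at t=0, then withdraw once the blocked counters stop growing."""
    monitor = BlockMonitor(encode_nlri(flow), hold_seconds, now=0)
    events = [("announce", 0)]
    for now, packets, octets in samples:
        if monitor.report(packets, octets, now):
            events.append(("withdraw", now))
            break
    return events


# Constructed threat flow and (time, packets, bytes) samples from the router.
FLOW = ThreatFlow("203.0.113.7", "198.51.100.10", 6, 4444, 443)
SAMPLES = [(10, 500, 32000), (20, 900, 57600), (30, 900, 57600),
           (60, 900, 57600), (80, 900, 57600)]

if __name__ == "__main__":
    print("NLRI  :", encode_nlri(FLOW).hex())
    print("action:", discard_action().hex())
    print("events:", run_lifecycle(FLOW, SAMPLES, hold_seconds=60))
```

Because the rule exists only as a BGP route, withdrawing the route removes the filter, which is the "no residual configuration" property the description contrasts with static QoS command lines.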
In one example, the security protection device 11 may include a first server 111 and a second server 112, where the first server 111 is connected to the second server 112 and the second server 112 is connected to the border access router 12. The first server 111 identifies the traffic flows that are accessed from the border access router 12 and access the target server 30; then the first server 111 and the second server 112 cooperatively determine whether a threat flow exists in the traffic flows, and if it is determined that a threat flow exists, the N-tuple information of the threat flow is extracted, and the filtering rule information and the blocking instruction information are sent to the border access router 12.
The present application does not limit how functions are allocated between the first server 111 and the second server 112; the aim is that they cooperatively complete the protection task of the security protection device 11. Illustratively, the first server 111 may be a probe server for parsing the traffic flows that are accessed from the border access router 12 and access the government cloud 30, and for sending the parsed traffic flows to the second server 112. The second server 112 may be a security resource pool server, which is configured to determine, according to the parsed traffic flows, whether a threat flow exists in the traffic flows, to extract N-tuple information of the threat flow when one is determined to exist, and to send filtering rule information, blocking instruction information, and the like to the border access router 12.
Fig. 4 is a schematic flow chart of a security protection method according to an embodiment of the present application. The method may be executed by a security protection apparatus, which may be located in a security protection device. The security protection method provided by the embodiment of the application is applied to a security protection device located in a security protection architecture that comprises the security protection device and a border access router, the security protection device being connected to the border access router.
As shown in Fig. 4, the security protection method provided in this embodiment includes:
S401, acquiring a traffic flow accessing a target server, and parsing the traffic flow to obtain a parsed traffic flow; wherein the traffic flow is accessed from the border access router.
For example, among the traffic flows accessing the target server, there may be traffic flows that pose a security threat to or attack the target server; these are referred to as threat flows. A threat flow may cause a security threat to or an attack on the target server, so that the target server cannot provide normal services; threat flows therefore need to be blocked.
Illustratively, in the present application, the security protection device first acquires all traffic flows that are accessed from the border access router and access the target server, and parses them to obtain parsed traffic flows. It then determines, according to the parsed traffic flows, whether a threat flow exists among them. Network attacks are commonly classified into various types according to the security threat or attack they pose to the target server. The application does not limit how to determine whether a threat flow exists according to the parsed traffic flow; different implementations are possible for different security threats or attacks.
For example, DoS (Denial of Service)/DDoS (Distributed Denial of Service) attacks are a common and serious threat to network security. An attacker mounting a DoS/DDoS attack can, through a plurality of control ends, control thousands of attack devices to simultaneously launch traffic attacks on the same destination address, network segment or server, so that the network becomes congested or the central processing unit (CPU) usage of the server becomes too high for it to provide services. In the present application, the traffic flows accessing the target server may likewise contain DoS/DDoS attacks, which pose a security threat to the target server. Therefore, whether a threat flow exists in the traffic flow can be determined according to the characteristics of a DoS/DDoS attack.
In one example, the parsed service flow includes detailed information of the service flow; determining, according to the parsed traffic flow, that a threat flow exists in the traffic flow may include:
According to the detailed information, if the traffic flow is determined to accord with the characteristics of the DoS/DDoS attack, determining that a threat flow exists in the traffic flow.
Illustratively, the parsed service flow includes detailed information of the service flow, and the security protection device can determine whether a threat flow exists in the service flow according to the detailed information of the service flow. If the traffic flow is determined to accord with the characteristics of the DoS/DDoS attack, it can be determined that a threat flow exists in the traffic flow; if the traffic flow is determined not to accord with the characteristics of the DoS/DDoS attack, it can be determined that no threat flow exists in the traffic flow.
In addition, a security analysis algorithm engine can be deployed in the security protection device and used to determine whether a threat stream exists in the traffic stream; this is not limited by the present application.
S402, if the threat stream exists in the service stream according to the analyzed service stream, extracting N-tuple information of the threat stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, the N-tuple information is transmission attribute information of the threat stream, and N is a positive integer.
Illustratively, if the security protection device determines that a threat stream exists in the service stream according to the parsed service stream, extracting N-tuple information of the threat stream. Wherein different threat streams may differ in their characteristics and the N-tuple information obtained may also differ.
The N-tuple information may be, for example, transmission attribute information of part or all of the threat stream for distinguishing from the normal traffic stream for subsequent generation of the filtering rule information. Where N is a positive integer, for example, when N is 3, it is 3-tuple information, and when N is 5, it is 5-tuple information. The value of N may vary depending on the characteristics of the threat stream. Illustratively, if the threat stream is determined according to the source address, the source port number, the protocol number, the destination address and the destination port number, the extracted N-tuple information of the threat stream is quintuple information. If the threat stream is determined according to the source address, the source port number, the destination address and the destination port number, the extracted N-tuple information of the threat stream is quadruple information; if the threat stream can be determined according to other information, the extracted N tuple information of the threat stream is tuple information of other values, which is not limited by the present application, and the specific value of N can be determined according to the characteristics of the threat stream.
S403, generating route information according to the N-tuple information of the threat stream, and sending the route information to the boundary access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, and the routing information comprises filtering rule information and blocking instruction information, wherein the blocking instruction information is used for indicating the border access router to block threat flows according to the filtering rule information.
Illustratively, after the security protection apparatus extracts the N-tuple information of the threat stream, the routing information including the filtering rule information and the blocking instruction information may be generated according to the N-tuple information of the threat stream. The blocking instruction information is used for indicating the boundary access router to block the threat flow according to the filtering rule information.
Illustratively, after the security guard generates the routing information, the security guard sends the routing information to the border access router via a pre-set protocol, such as border gateway protocol flow rules (Border Gateway Protocol Flow Specification, BGP Flowspec). And after the boundary access router receives the routing information, blocking the threat flow according to the routing information so as to realize the safety protection of the target server.
BGP Flowspec provides rich flow rules and flow actions by using the network layer reachability information and the extended community attributes defined by the standard Border Gateway Protocol (BGP). The flow rules currently defined by BGP include: destination prefix (Destination Prefix), source prefix (Source Prefix), IP protocol (IP Protocol), port (Port), destination port (Destination Port), source port (Source Port), etc.; the flow actions currently defined by BGP include: traffic filtering operations (Traffic Filtering Actions), packet traffic rates (Traffic Rate in Packets), etc.
Based on the above, the application generates the routing information and sends it to the boundary access router through BGP Flowspec, which can greatly improve the security and reliability of the network. Because the routing information in the application can carry independent filtering rule information and blocking instruction information, better maintainability can be achieved and the traffic flow can be controlled in a more targeted manner. Specifically, real-time monitoring can be realized, and threat flows can be responded to rapidly through timed sampling so that they are brought under control; according to the characteristics of common attack traffic, a protection policy can be deployed in advance, so that common attack traffic has no opportunity to harm the network and protection is in place beforehand; in addition, a control policy does not need to be established separately on each device, which improves maintainability and reduces cost; furthermore, BGP Flowspec also supports cross-domain propagation, so that the harm of attack traffic to the network can be eliminated on a device as close to the attack source as possible (the boundary access router in the application), greatly reducing the impact of attack traffic on the network.
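As an added illustration (not code from the patent), the sketch below encodes N-tuple information as an IPv4 BGP Flowspec NLRI using the component and operator layout of RFC 8955, paired with a traffic-rate-bytes extended community of rate 0 as the discard action. The function names, the dictionary keys and the choice of that action to stand for the blocking instruction information are assumptions; the addresses are constructed documentation ranges.

```python
import ipaddress
import struct

# Component type codes from RFC 8955 section 4.2.2 (IPv4 Flowspec).
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6

# Hypothetical N-tuple keys -> (component type, kind, maximum value).
# Listed in ascending type order, which is the order required in the NLRI.
FIELDS = [
    ("dst", DST_PREFIX, "prefix", None),
    ("src", SRC_PREFIX, "prefix", None),
    ("proto", IP_PROTO, "number", 0xFF),
    ("dst_port", DST_PORT, "number", 0xFFFF),
    ("src_port", SRC_PORT, "number", 0xFFFF),
]


def _prefix_component(ctype, cidr):
    """<type, prefix length in bits, prefix bytes trimmed to that length>."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects prefixes with host bits set
    if net.version != 4:
        raise ValueError("this example encodes IPv4 prefixes only")
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _equals_component(ctype, value, max_value):
    """<type, operator, value> holding a single 'equals' match."""
    if not 0 <= value <= max_value:
        raise ValueError(f"value {value} out of range for component type {ctype}")
    if value < 0x100:
        # operator 0x81: end-of-list bit, 1-byte value, eq bit
        return bytes([ctype, 0x81, value])
    # operator 0x91: end-of-list bit, 2-byte value, eq bit
    return bytes([ctype, 0x91]) + struct.pack("!H", value)


def build_flowspec_nlri(ntuple):
    """Encode whichever fields the N-tuple carries (N = 1..5) as one NLRI."""
    unknown = set(ntuple) - {name for name, *_ in FIELDS}
    if unknown:
        # Silently dropping a field would widen the filter beyond the threat flow.
        raise ValueError(f"unsupported N-tuple fields: {sorted(unknown)}")
    parts = []
    for name, ctype, kind, max_value in FIELDS:
        if name not in ntuple:
            continue
        if kind == "prefix":
            parts.append(_prefix_component(ctype, ntuple[name]))
        else:
            parts.append(_equals_component(ctype, ntuple[name], max_value))
    if not parts:
        raise ValueError("empty N-tuple would match all traffic")
    body = b"".join(parts)
    if len(body) < 240:
        return bytes([len(body)]) + body          # 1-byte length
    return struct.pack("!H", 0xF000 | len(body)) + body  # 2-byte length form


def discard_action(asn=0):
    """traffic-rate-bytes extended community (0x8006) with rate 0.0 = drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, 0.0)


# Constructed sample: a 5-tuple and a 3-tuple describing threat flows.
FIVE_TUPLE = {"src": "203.0.113.7/32", "dst": "198.51.100.0/24",
              "proto": 17, "dst_port": 53, "src_port": 4444}
THREE_TUPLE = {"dst": "198.51.100.10/32", "proto": 6, "dst_port": 443}

if __name__ == "__main__":
    for sample in (FIVE_TUPLE, THREE_TUPLE):
        print(build_flowspec_nlri(sample).hex(), discard_action().hex())
```

The fewer fields the N-tuple carries, the broader the rule becomes on the router, so a 3-tuple rule such as the second sample drops every source talking to that destination and port.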
In one example, the routing information further includes: counting instruction information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat stream.
Illustratively, the routing information sent by the security protection apparatus may further include statistical instruction information for instructing the boundary access router to determine the number of packets and the total number of bytes of the blocked threat stream, and when the boundary access router receives the statistical instruction information, the statistical instruction information is executed to count the number of packets and the total number of bytes of the blocked threat stream.
In one example, if the routing information further includes statistical instruction information, the method may further include step S1 and step S2.
S1, receiving statistical data sent by a boundary access router; the statistics include the number of packets and total bytes of the blocked threat stream.
S2, if the fact that the threat stream does not exist in the service stream is determined according to the statistical data, transmitting withdrawal information to the boundary access router through a preset protocol; the revocation information is used to instruct the border access router to stop executing the blocking instruction information.
Illustratively, if the routing information further includes statistical instruction information, the security protection device further receives statistical data including the number of packets and the total number of bytes of the blocked threat stream sent by the border access router, so as to determine whether the threat stream exists in the traffic stream according to the statistical data. If the traffic flow is determined to have no threat flow, transmitting revocation information for indicating the boundary access router to stop executing the blocking instruction information to the boundary access router through a preset protocol such as a boundary gateway protocol flow rule BGP Flowspec.
The application does not limit how to determine, according to the statistical data, that no threat stream exists in the service stream. Illustratively, the attack characteristics of the threat stream can be analyzed according to the statistical data, and if the statistical data shows no new increase within a certain time, the threat stream can be considered to be absent from the traffic stream; or, if no threat stream appears for a sustained period, the threat stream is considered to be absent from the service stream; and so on.
In one example, if it is determined that both the number of packets and the total number of bytes of the blocked threat stream no longer increase within a preset time, it is determined that there is no threat stream in the traffic stream.
For example, if it is determined that both the number of packets and the total number of bytes of the blocked threat stream in the statistics no longer increase within a preset time, it may be determined that there is no threat stream in the traffic stream. The preset time is not limited, and may be, for example, 2 h/3 h.
In addition, because network attacks are complex and irregular, determining that there is no threat flow in the traffic flow is not limited to the above manner and can also draw on other features. For example, a regular network attack may occur at time intervals, in which case the above determination method is no longer applicable.
In addition, the statistical data can be analyzed through an AI algorithm and the like to determine whether a threat stream exists in the service stream; this is not limited by the present application.
Illustratively, when the border access router receives the revocation information, it executes the revocation information, no longer executes the blocking instruction information, and stops the blocking action. At this time, all traffic that is accessed from the border access router and accesses the target server can be forwarded normally.
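The withdrawal decision of steps S1 and S2 can be sketched as follows; this is an added example, not code from the patent. The class and function names, the report format `(time in seconds, rule id, packets, bytes)` and the sample reports are constructed assumptions, and treating a counter decrease as a change is a conservative choice made here.

```python
from dataclasses import dataclass


@dataclass
class RuleState:
    packets: int
    total_bytes: int
    last_change: float  # time at which either counter last changed


class WithdrawalTracker:
    """Decides when a blocking rule can be revoked from router statistics."""

    def __init__(self, quiet_seconds):
        self.quiet_seconds = quiet_seconds  # the "preset time", e.g. 2 h or 3 h
        self.rules = {}

    def observe(self, rule_id, packets, total_bytes, now):
        """Record one statistics report; return True if the rule should be withdrawn."""
        state = self.rules.get(rule_id)
        if state is None:
            self.rules[rule_id] = RuleState(packets, total_bytes, now)
            return False
        if packets != state.packets or total_bytes != state.total_bytes:
            # An increase means the rule is still dropping threat traffic.
            # A decrease means the router reset its counters, so the history
            # is unknown: restart the quiet window rather than withdraw early.
            state.packets, state.total_bytes, state.last_change = packets, total_bytes, now
            return False
        if now - state.last_change >= self.quiet_seconds:
            del self.rules[rule_id]  # caller sends the revocation information
            return True
        return False


def replay(reports, quiet_seconds):
    """Feed reports in order; return the (time, rule_id) withdrawal decisions."""
    tracker = WithdrawalTracker(quiet_seconds)
    return [(t, rid) for t, rid, pkts, byts in reports
            if tracker.observe(rid, pkts, byts, t)]


# Constructed sample: one report every 30 minutes; the attack stops after 1 h.
SAMPLE_REPORTS = [
    (0,     "r1", 1000,  64000),
    (1800,  "r1", 5000, 320000),
    (3600,  "r1", 9000, 576000),
    (5400,  "r1", 9000, 576000),
    (7200,  "r1", 9000, 576000),
    (9000,  "r1", 9000, 576000),
    (10800, "r1", 9000, 576000),
]

if __name__ == "__main__":
    print(replay(SAMPLE_REPORTS, 2 * 3600))  # 2 h preset time
    print(replay(SAMPLE_REPORTS, 3 * 3600))  # 3 h preset time
```

With the same reports, a 2 h preset time withdraws the rule while a 3 h one keeps it, which is why an attack that pauses for longer than the preset time defeats this check on its own.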
When a threat stream exists in the service stream, the safety protection equipment sends blocking instruction information to the boundary access router through BGP Flowspec, so that the boundary access router can be controlled to block the threat stream on demand; and when no threat stream exists in the service stream, the safety protection equipment sends revocation information to the boundary access router so that the boundary access router stops the blocking action. This dynamic safety protection scheme blocks threat flows on demand without leaving residual configuration in the boundary access router, and solves the problems of poor reliability and easily formed residual configuration that arise when threat traffic flows are blocked by configuring complex traffic-class QoS policies through a static command line.
In addition, in the method of the application, when the safety protection equipment sends information to the boundary access router, this can be done through protocols such as PCEP or BGP SR besides BGP Flowspec. When the boundary access router sends information to the safety protection equipment, this can be done through protocols such as PCEP, BGP SR or BMP, or through Telemetry technology, besides BGP Flowspec. PCEP stands for Path Computation Element Communication Protocol; BGP SR is an extension of the border gateway protocol BGP for Segment Routing, used to implement source routing between autonomous systems; BMP stands for BGP Monitoring Protocol; Telemetry is a new generation of network monitoring technology that collects data from devices remotely at high speed. When a unified standard protocol is selected for information interaction, adaptation and conversion are not needed, and management is convenient.
According to the safety protection method provided by the embodiment of the application, the service flow of the access target server is obtained, and the service flow is analyzed, so that the analyzed service flow is obtained; wherein the traffic flow is accessed from a border access router; if the threat stream exists in the service stream according to the analyzed service stream, extracting N-tuple information of the threat stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, N-tuple information is transmission attribute information of the threat stream, and N is a positive integer; generating route information according to the N-tuple information of the threat stream, and sending the route information to the boundary access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, and the routing information comprises filtering rule information and blocking instruction information, wherein the blocking instruction information is used for indicating the border access router to block threat flows according to the filtering rule information.
The application sends routing information to the boundary access router through the border gateway protocol flow rule and, based on the characteristics of the border gateway protocol flow rule, blocks the threat flow on demand without leaving residual configuration in the boundary access router. It also solves the problems of poor reliability and easily formed residual configuration that arise when threat traffic flows are blocked by configuring complex traffic-class QoS policies through a static command line. Because the border gateway protocol is a standard protocol, no adaptation or conversion between the command lines of different vendors is needed when safety protection is carried out, so that the management complexity is reduced and the security and reliability of the network are improved.
Based on the above embodiments, the safety protection device in the present application may be deployed in a merged manner or deployed separately. If deployed in a merged manner, the safety protection device comprises only one fusion server, which can complete the safety protection method of the above embodiment. The whole safety protection process then involves only the information interaction between the safety protection device and the border access router.
Fig. 5 is a signaling diagram illustrating a method for implementing security protection by using a fusion server and a border access router according to an embodiment of the present application. As shown in fig. 5, the implementation process may include:
S501, the fusion server acquires the business flow which is accessed from the boundary access router and accesses the target server, analyzes the business flow, extracts N-tuple information of the threat flow if the threat flow exists in the business flow, and generates route information according to the N-tuple information of the threat flow.
The routing information may include filtering rule information, blocking instruction information, and statistical instruction information; the blocking instruction information is used for indicating the boundary access router to block the threat flow according to the filtering rule information; the statistical instruction information is used to instruct the border access router to determine the number of packets and the total number of bytes of the blocked threat stream.
S502, the fusion server sends route information to the boundary access router through protocols such as BGP Flowspec/PCEP/BGP SR.
S503, the boundary access router receives the route information, executes the blocking instruction information according to the filtering rule information in the route information, and blocks the threat stream; and executes the statistical instruction information to count the number of packets and the total bytes of the blocked threat stream.
S504, the boundary access router sends statistical data to the fusion server through protocols such as BGP Flowspec/PCEP/BGP SR/BMP/Telemetry and the like.
S505, the fusion server determines whether a threat stream exists in the service stream according to the statistical data, and if the threat stream does not exist, the fusion server sends revocation information to the boundary access router through protocols such as BGP Flowspec/PCEP/BGP SR.
Wherein the revocation information is used for indicating the boundary access router to stop executing the blocking instruction information.
S506, the boundary access router receives the revocation information and stops executing the blocking instruction information.
When the safety protection equipment is deployed in a merged manner, the safety protection method is completed cooperatively by the fusion server and the boundary access router, so that dynamic identification and on-demand blocking of threat flows are realized; in addition, because the merged deployment uses only one server, management is convenient and the management complexity is reduced.
For example, if the security protection apparatus is deployed separately, i.e. the security protection apparatus comprises at least two servers, the whole security protection process involves the information interaction between the two servers in the security protection apparatus and the border access router.
Illustratively, the security guard may include a first server, which may be a probe server, and a second server, which may be a secure resource pool server. Analyzing the service flow of the access target server accessed from the boundary access router by the probe server; and determining whether a threat stream exists in the service stream by the secure resource pool server, if the threat stream exists, extracting N-tuple information of the threat, and sending information such as filtering rule information, blocking instruction information and the like to the boundary access router.
Fig. 6 is a signaling diagram of a probe server, a security resource pool server, and a boundary access router implementing a security protection method according to an embodiment of the present application. As shown in fig. 6, the implementation process may include:
S601, a probe server acquires a service flow of an access target server accessed from a boundary access router, analyzes the service flow, acquires the analyzed service flow, and sends the analyzed service flow to a secure resource pool server through protocols such as BGP Flowspec/PCEP/BGP SR and the like.
The parsed service flow may include detailed information of the service flow.
S602, the security resource pool server determines whether a threat stream exists in the service stream according to the analyzed service stream, extracts N-tuple information of the threat stream if the threat stream exists in the service stream, and generates route information according to the N-tuple information of the threat stream.
The routing information may include filtering rule information, blocking instruction information, and statistical instruction information; the blocking instruction information is used for indicating the boundary access router to block the threat flow according to the filtering rule information; the statistical instruction information is used to instruct the border access router to determine the number of packets and the total number of bytes of the blocked threat stream.
S603, the security resource pool server sends route information to the boundary access router through protocols such as BGP Flowspec/PCEP/BGP SR.
S604, the boundary access router receives the route information, executes the blocking instruction information according to the filtering rule information in the route information, and blocks the threat stream; and executes the statistical instruction information to count the number of packets and the total bytes of the blocked threat stream.
S605, the boundary access router sends statistical data to the secure resource pool server through protocols such as BGP Flowspec/PCEP/BGP SR/BMP/Telemetry and the like.
S606, the security resource pool server determines whether a threat stream exists in the service stream according to the statistical data, and if the threat stream does not exist, the security resource pool server sends revocation information to the boundary access router through protocols such as BGP Flowspec/PCEP/BGP SR and the like.
Wherein the revocation information is used for indicating the boundary access router to stop executing the blocking instruction information.
S607, the boundary access router receives the revocation information and stops executing the blocking instruction information.
When the safety protection equipment is deployed separately, it comprises at least two servers. Compared with the fusion server, the at least two servers share the workload of the safety protection equipment, so each bears less load, which can improve the response speed of the safety protection equipment and the efficiency of safety protection.
In addition, one or more safety protection devices can be deployed adaptively according to the safety protection requirement; this is not limited by the present application.
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
Fig. 7 is a schematic structural diagram of a safety protection apparatus according to an embodiment of the present application. The apparatus is applied to a safety protection device, the safety protection device is located in a safety protection architecture, and the safety protection architecture includes the safety protection device and a border access router, the safety protection device being connected to the border access router. As shown in fig. 7, the safety protection apparatus 70 of the present embodiment includes: an acquisition unit 701, an extraction unit 702, and a control unit 703.
The acquiring unit 701 is configured to acquire a service flow of the access target server, and analyze the service flow to obtain an analyzed service flow; wherein the traffic flow is accessed from the border access router.
An extracting unit 702, configured to extract N-tuple information of a threat stream if it is determined that the threat stream exists in the service stream according to the parsed service stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, the N-tuple information is transmission attribute information of the threat stream, and N is a positive integer.
A control unit 703, configured to generate routing information according to the N-tuple information of the threat stream, and send the routing information to the border access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, and the routing information comprises filtering rule information and blocking instruction information, wherein the blocking instruction information is used for indicating the border access router to block threat flows according to the filtering rule information.
Fig. 8 is a schematic structural diagram of another safety protection apparatus according to an embodiment of the present application. The apparatus is applied to a safety protection device, the safety protection device is located in a safety protection architecture, and the safety protection architecture includes the safety protection device and a border access router, the safety protection device being connected to the border access router. As shown in fig. 8, the safety protection apparatus 80 of the present embodiment includes: an acquisition unit 801, an extraction unit 802, and a control unit 803.
The acquiring unit 801 is configured to acquire a service flow of an access target server, and analyze the service flow to obtain an analyzed service flow; wherein the traffic flow is accessed from the border access router.
An extracting unit 802, configured to extract N-tuple information of a threat stream if it is determined that the threat stream exists in the service stream according to the parsed service stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, the N-tuple information is transmission attribute information of the threat stream, and N is a positive integer.
A control unit 803, configured to generate routing information according to N-tuple information of the threat stream, and send the routing information to the border access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, and the routing information comprises filtering rule information and blocking instruction information, wherein the blocking instruction information is used for indicating the border access router to block threat flows according to the filtering rule information.
In one example, the parsed service flow includes detailed information of the service flow; the extraction unit 802 includes a determination module 8021.
The determining module 8021 is configured to determine, according to the detailed information, that a threat stream exists in the service stream if it is determined that the service stream accords with the characteristics of the DoS/DDoS attack.
In one example, the routing information further includes: counting instruction information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat stream.
In one example, the apparatus 80 further comprises a receiving unit 804, the receiving unit 804 comprising a receiving module 8041 and a revocation module 8042.
A receiving module 8041, configured to receive statistics data sent by the border access router; the statistics include the number of packets and the total number of bytes of the blocked threat stream;
A revocation module 8042, configured to send revocation information to the border access router through a preset protocol if it is determined that there is no threat flow in the traffic flow according to the statistical data; the revocation information is used to instruct the border access router to stop executing the blocking instruction information.
In one example, the receiving unit 804 further includes a decision module 8043.
A determining module 8043, configured to determine that there is no threat flow in the traffic flow if it is determined that both the packet number and the total byte number of the blocked threat flow no longer increase within the preset time.
In one example, the security guard includes a first server and a second server, wherein the first server is connected to the second server and the second server is connected to the border access router.
In one example, the preset protocol further includes one or more of the following: path computation element communication protocol, BGP SR protocol, BGP Monitoring Protocol, and Telemetry technology.
It should be understood that the division of the above apparatus into modules is merely a division of logical functions; in an actual implementation the modules may be fully or partially integrated into one physical entity or may be physically separated. These modules may all be implemented as software called by a processing element, or all in hardware; alternatively, some modules may be implemented as software called by a processing element and the others in hardware. For example, the functions of the above data processing module may be stored in a memory of the above apparatus in the form of program code and called and executed by a processing element of the above apparatus. The implementation of the other modules is similar. In addition, all or part of the modules can be integrated together or can be implemented independently. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or by instructions in software form.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 9, the electronic device 90 includes: a processor 901, and a memory 902 communicatively coupled to the processor.
Wherein the memory 902 stores computer-executable instructions; processor 901 executes computer-executable instructions stored in memory 902 to implement a method as in any of the preceding claims.
In the specific implementation of the electronic device described above, it should be understood that the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The method disclosed in connection with the embodiments of the present application may be directly embodied as a hardware processor executing or may be executed by a combination of hardware and software modules in the processor.
Embodiments of the present application also provide a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, are adapted to carry out a method as any one of the preceding claims.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by computer instruction related hardware. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Embodiments of the present application also provide a computer program product comprising a computer program for implementing a method as in any of the preceding claims when executed by a processor.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (6)

1. A method of safeguarding, the method being applied to a safety equipment, the safety equipment being located in a safety architecture comprising: the safety protection equipment is connected with the boundary access router, a core router is arranged between the boundary access router and the safety protection equipment, and the core router is connected with the safety protection equipment, wherein after the access server is accessed to the boundary access router, the access server accesses the target server through the core router and the safety protection equipment; the method comprises the following steps:
acquiring a service flow of an access target server, and analyzing the service flow to obtain an analyzed service flow; wherein the traffic flow is accessed from the border access router;
if the threat stream exists in the service stream according to the analyzed service stream, extracting N-tuple information of the threat stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, the N-tuple information is transmission attribute information of the threat stream, and N is a positive integer;
generating route information according to the N-tuple information of the threat stream, and sending the route information to the boundary access router through a preset protocol; the routing information comprises filtering rule information, blocking instruction information and statistical instruction information, wherein the blocking instruction information is used for indicating the boundary access router to block the threat stream according to the filtering rule information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat stream;
receiving statistical data sent by the boundary access router; the statistics include a number of packets and a total number of bytes of the blocked threat stream;
if the number of packets and the total bytes of the blocked threat stream are not increased within the preset time, determining that the threat stream does not exist in the service stream, and transmitting revocation information to the boundary access router through the preset protocol; the revocation information is used for indicating the boundary access router to stop executing the blocking instruction information;
the preset protocol includes one or more of the following: path computation element communication protocol, BGPSR protocol, BGP control protocol, telemetry technology.
2. The method according to claim 1, wherein the parsed traffic stream includes detailed information of the traffic stream; the determining that a threat stream exists in the service stream according to the parsed service stream comprises:
and if the business flow is determined to accord with the characteristics of the DoS/DDoS attack according to the detailed information, determining that a threat flow exists in the business flow.
3. The method according to claim 1 or 2, wherein the security guard comprises a first server and a second server, wherein the first server is connected to the second server, and wherein the second server is connected to the border access router.
4. A safety shield apparatus, the apparatus being for use with a safety shield device, the safety shield device being located in a safety shield architecture, the safety shield architecture comprising: the safety protection equipment is connected with the boundary access router, a core router is arranged between the boundary access router and the safety protection equipment, and the core router is connected with the safety protection equipment, wherein after the access server is accessed to the boundary access router, the access server accesses the target server through the core router and the safety protection equipment; the device comprises:
the acquisition unit is used for acquiring the service flow of the access target server, analyzing the service flow and obtaining the analyzed service flow; wherein the traffic flow is accessed from the border access router;
the extraction unit is used for extracting N-tuple information of the threat stream if the threat stream exists in the service stream according to the analyzed service stream; the threat stream is a traffic stream with security threat or attack to the target server in the traffic stream, the N-tuple information is transmission attribute information of the threat stream, and N is a positive integer;
the control unit is used for generating route information according to the N-tuple information of the threat stream and sending the route information to the boundary access router through a preset protocol; the routing information comprises filtering rule information, blocking instruction information and statistical instruction information, wherein the blocking instruction information is used for indicating the boundary access router to block the threat stream according to the filtering rule information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat stream; the preset protocol includes one or more of the following: path computation element communication protocol, BGPSR protocol, BGP control protocol, and Telemetry technique;
a receiving unit comprising: a receiving module, a judging module and a revocation module;
the receiving module is used for receiving the statistical data sent by the boundary access router; the statistics include a number of packets and a total number of bytes of the blocked threat stream;
the judging module is used for determining that no threat stream exists in the service stream if the packet number and the total byte number of the blocked threat stream are determined not to be increased within the preset time;
the revocation module is configured to send revocation information to the border access router through the preset protocol if it is determined that no threat stream exists in the service stream according to the statistical data; the revocation information is used for indicating the boundary access router to stop executing the blocking instruction information.
5. An electronic device, the electronic device comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory to implement the method of any one of claims 1-3.
6. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any of claims 1-3.
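
The block, count and revoke cycle of claim 1, sketched as an added Python example (not code from the patent). The class and field names, the four-field N-tuple, the message dictionaries and the sample counter reports are all assumptions made for illustration; no real protocol encoding is performed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NTuple:
    """Transmission attributes of a threat flow (this field choice is an assumption)."""
    src: str
    dst: str
    proto: str
    dst_port: int

class MitigationController:
    """Tracks active blocks and revokes each one once the router's counters go quiet."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout   # the claim's "preset time", in seconds
        self.active = {}                   # NTuple -> [packets, bytes, time of last increase]

    def block(self, flow: NTuple, now: float) -> dict:
        """Build routing information: filter rule plus block and statistics instructions."""
        self.active[flow] = [0, 0, now]
        return {"type": "announce", "filter": flow, "actions": ("block", "count")}

    def on_stats(self, flow: NTuple, packets: int, total_bytes: int, now: float):
        """Process one counter report; return a revocation message or None."""
        state = self.active.get(flow)
        if state is None:
            return None                    # stale report for a rule already revoked
        if packets > state[0] or total_bytes > state[1]:
            state[2] = now                 # traffic is still hitting the rule
        # Always rebase, so a counter reset on the router is not read as activity
        # and later growth from the new baseline is still detected.
        state[0], state[1] = packets, total_bytes
        if now - state[2] >= self.idle_timeout:
            del self.active[flow]
            return {"type": "withdraw", "filter": flow}
        return None

def demo():
    """Constructed scenario: counters grow until t=20 s, then stay flat."""
    ctl = MitigationController(idle_timeout=30)
    flow = NTuple("198.51.100.7", "203.0.113.10", "udp", 53)
    log = [ctl.block(flow, now=0)["type"]]
    # (time, packets, bytes) reports, constructed sample data
    reports = [(10, 500, 40000), (20, 900, 72000), (30, 900, 72000),
               (40, 900, 72000), (50, 900, 72000)]
    for t, pkts, byts in reports:
        msg = ctl.on_stats(flow, pkts, byts, now=t)
        log.append(msg["type"] if msg else "keep")
    return log
```

The revocation fires only after a full idle window with neither counter increasing, so a short pause in the attack does not lift the block early.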
CN202211531304.1A 2022-12-01 2022-12-01 Security protection method and device, electronic equipment and storage medium Active CN115776406B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211531304.1A CN115776406B (en) 2022-12-01 2022-12-01 Security protection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211531304.1A CN115776406B (en) 2022-12-01 2022-12-01 Security protection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115776406A CN115776406A (en) 2023-03-10
CN115776406B CN115776406B (en) 2023-10-10

Family

ID=85390971

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211531304.1A Active CN115776406B (en) 2022-12-01 2022-12-01 Security protection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115776406B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830469A (en) * 2019-11-05 2020-02-21 中国人民解放军战略支援部队信息工程大学 DDoS attack protection system and method based on SDN and BGP flow specification
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN112861132A (en) * 2021-02-08 2021-05-28 杭州迪普科技股份有限公司 Cooperative protection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10701103B2 (en) * 2017-02-16 2020-06-30 Dell Products, L.P. Securing devices using network traffic analysis and software-defined networking (SDN)
US11558410B2 (en) * 2019-05-29 2023-01-17 Arbor Networks, Inc. Measurement and analysis of traffic filtered by network infrastructure

Also Published As

Publication number Publication date
CN115776406A (en) 2023-03-10

Similar Documents

Publication Publication Date Title
US10972437B2 (en) Applications and integrated firewall design in an adaptive private network (APN)
EP3151470B1 (en) Analytics for a distributed network
US10708146B2 (en) Data driven intent based networking approach using a light weight distributed SDN controller for delivering intelligent consumer experience
EP3449600B1 (en) A data driven intent based networking approach using a light weight distributed sdn controller for delivering intelligent consumer experiences
US11546266B2 (en) Correlating discarded network traffic with network policy events through augmented flow
US11522798B2 (en) Method and system for triggering augmented data collection on a network based on traffic patterns
US20130294449A1 (en) Efficient application recognition in network traffic
CN112787959A (en) Traffic scheduling method and system
US8964763B2 (en) Inter-router communication method and module
CN112202646A (en) Flow analysis method and system
US20070033641A1 (en) Distributed Network Security System
Ibrahimov et al. Performance of Multi-Service Telecommunication Systems Using the Architectural Concept of Future Networks
CN115776406B (en) Security protection method and device, electronic equipment and storage medium
CN114978604A (en) Security gateway system for software defined service perception
Mei et al. Psa: An architecture for proactively securing protocol-oblivious sdn networks
Feamster Implications of the software defined networking revolution for technology policy
RU181257U1 (en) Data Clustering Firewall
Quingueni et al. Reduction of traffic between switches and IDS for prevention of DoS attack in SDN
US20140195685A1 (en) System and method for session control in converged networks
Zhang et al. On Providing Secure and Survivable QoS Service in the Next Generation Internet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant