WO2021254397A1 - Network security detection method and system, and device and controller - Google Patents


Info

Publication number: WO2021254397A1
Application number: PCT/CN2021/100383
Authority: WO (WIPO, PCT)
Prior art keywords: detection, drainage, data, detection device, strategy
Other languages: French (fr), Chinese (zh)
Inventor: 张镇伟
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/12 Network monitoring probes
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0894 Policy-based network configuration management
    • H04L 63/0272 Virtual private networks

Definitions

  • This application relates to the field of communication technology, and in particular to a network security detection method, system, device, and controller.
  • In the first existing approach, a firewall device with security functions is deployed in the egress area.
  • Security detection is performed by diverting traffic from the core switch to the firewall; the inspected traffic is then injected back from the firewall to the core switch.
  • In the second approach, switch equipment with network security functions is deployed across the entire network to protect it.
  • The first method is limited by the processing performance of the firewall, and the second by the processing performance of the switch: when the traffic volume is large, only part of the traffic is sent to the firewall or switch for detection, so undetected traffic spreads through the network and threatens its security.
  • This application provides a network security detection method, system, device, and controller that automatically allocate the security resources of the entire network, so that traffic is not missed by detection when the service capacity of a network device degrades.
  • In a first aspect, this application provides a network security detection method, including: a controller receives the security detection performance of multiple detection devices in the network and, according to that performance, sends a first diversion strategy (also translated as "drainage strategy") to the device to be processed among the access devices; the first diversion strategy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • An enterprise network architecture generally includes an egress firewall, a core layer, an aggregation (convergence) layer, and an access layer.
  • Threat defense points are set at the egress firewall, core layer, aggregation layer, and access layer respectively, so that the entire network has a security defense function.
  • Network element devices at these layers that have security detection performance act as detection devices; network element devices at these layers that lack it act as access devices. All detection devices and access devices communicate with the controller, and the controller receives the security detection performance of the multiple detection devices in the network.
  • The security detection performance characterises a detection device's ability to perform security detection on data, including the volume of data it can process and the types of data it can process.
  • The controller issues the first diversion strategy to the device to be processed among the access devices according to the detection devices' security detection performance, so that the device to be processed establishes a diversion tunnel with at least one detection device.
  • The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • The first diversion strategy may further include a correspondence between a data type and a detection device capable of detecting that data type; the strategy then also instructs the device to be processed to send traffic of that data type to the capable detection device via the diversion tunnel.
  • To do so, the controller first obtains the data types present on the device to be processed, then finds detection devices capable of detecting each type, and finally generates the first diversion strategy instructing the device to be processed to send traffic of each data type, via the diversion tunnel, to a detection device capable of detecting it. Traffic from the device to be processed is thus diverted and detected per data type, and the detection performance of the different detection devices in the network is fully used to cover more data types.
  • The method may further include determining the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the selected devices' security detection capabilities covers the data passing through the device to be processed.
  • Because the controller selects the detection devices that establish a diversion tunnel with the device to be processed from the data volume on that device and the detection devices' capabilities, traffic can be diverted and detected according to data volume, and the detection performance of different detection devices in the network is fully used to cover higher data volumes.
  • The method may further include: when the data volume on the device to be processed increases so that the summed security detection capability of the at least one detection device no longer covers it,
  • a second diversion strategy is sent to one or more of the at least one detection device; the second diversion strategy instructs those one or more detection devices to establish a diversion tunnel with detection devices other than the at least one detection device.
  • The traffic output by the device to be processed varies over time.
  • The controller sends the second diversion strategy to the detection devices that already have a diversion tunnel with the device to be processed, and/or to the remaining detection devices that do not, so that the traffic is sent to more detection devices for security detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices always meet the detection requirements of the device to be processed, and detection efficiency improves.
  • In a second aspect, the application provides a network security detection method in which an access device sends a data type and/or data volume to a controller; receives from the controller a first diversion strategy that is related to that data type and/or data volume; establishes a diversion tunnel with at least one detection device according to the first diversion strategy; and sends data to the detection device through the diversion tunnel.
  • The same enterprise architecture as in the first aspect applies: threat defense points at the egress firewall, core layer, aggregation layer, and access layer give the entire network a security defense function; network element devices at these layers with security detection performance act as detection devices, and those without it act as access devices.
  • All detection devices and access devices communicate with the controller. The access device sends its data type and/or data volume to the controller and, according to the first diversion strategy the controller returns, the device to be processed among the access devices establishes a diversion tunnel with at least one detection device.
  • The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • In a third aspect, the application provides a network security detection method in which, when a detection device's detection capability does not meet the detection requirement for the data arriving over a first diversion tunnel, the detection device receives a diversion strategy from the controller, establishes a second diversion tunnel with another detection device according to that strategy, and sends the data exceeding its own detection capability to the other detection device over the second diversion tunnel.
  • The same enterprise architecture as in the first aspect applies, with threat defense points at each layer, detection devices and access devices distinguished by whether they have security detection performance, and all of them in communication with the controller.
  • When the detection device's capability does not meet the detection requirement for the data from the first diversion tunnel, it receives the controller's diversion strategy and establishes a second diversion tunnel with another detection device, so that the traffic beyond its performance is carried over the second tunnel to the other detection device for detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices always meet the detection requirements of the device to be processed, and detection efficiency improves.
  • In a fourth aspect, the application provides a controller, including:
  • a receiving module, configured to receive the security detection performance of multiple detection devices in the network;
  • a processing module, configured to issue a first diversion strategy to the device to be processed among the access devices according to the detection devices' security detection performance; the first diversion strategy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • The first diversion strategy may further include a correspondence between a data type and a detection device capable of detecting that data type;
  • the first diversion strategy then also instructs the device to be processed to send traffic of that data type to the capable detection device via the diversion tunnel.
  • The processing module is further configured to:
  • determine the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the at least one detection device's security detection capabilities covers the data passing through the device to be processed.
  • The processing module is further configured to:
  • send a second diversion strategy to one or more of the at least one detection device; the second diversion strategy instructs those detection devices to establish a diversion tunnel with detection devices other than the at least one detection device.
  • In a fifth aspect, the application provides an access device, including:
  • a sending module, configured to send the data type and/or data volume to the controller;
  • a receiving module, configured to receive a first diversion strategy from the controller, the first diversion strategy being related to the data type and/or data volume;
  • a processing module, configured to establish a diversion tunnel with at least one detection device according to the first diversion strategy;
  • the sending module is further configured to send data to the detection device through the diversion tunnel.
  • In a sixth aspect, the application provides a detection device, including:
  • a receiving module, configured to receive the diversion strategy sent by the controller when the detection device's detection capability does not meet the detection requirement for the data from the first diversion tunnel;
  • a processing module, configured to establish a second diversion tunnel with another detection device according to that diversion strategy, and to send the data beyond the detection device's capability to the other detection device over the second diversion tunnel.
  • In a seventh aspect, the application provides a network security detection system including a controller, an access device, and a detection device, wherein:
  • the controller is configured to execute the method of any implementation of the first aspect;
  • the access device is configured to execute the method of the second aspect;
  • the detection device is configured to execute the method of the third aspect.
  • In a further aspect, the application provides a readable storage medium on which a computer program is stored; when the computer program is executed, the method of the first aspect is implemented.
  • In a further aspect, the application provides a program product comprising a computer program stored in a readable storage medium, from which at least one processor of a communication device can read the computer program.
  • The computer program is executed by the at least one processor so that the device implements any of the methods of the first aspect.
  • In the network security detection method, system, device, and controller provided by this application, the controller receives the security detection performance of multiple detection devices in the network and, according to that performance, sends a first diversion strategy to the device to be processed among the access devices; the first diversion strategy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • Through the diversion strategy the controller steers the access device's traffic to the detection devices for detection, so it can automatically allocate the security resources of the entire network and avoid traffic being missed by detection when a network device's service capacity degrades.
  • FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application.
  • FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application.
  • FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application.
  • FIG. 4 is a first schematic diagram of signaling interaction in a network security detection method provided by an embodiment of this application.
  • FIG. 5 is a second schematic diagram of signaling interaction in a network security detection method provided by an embodiment of this application.
  • FIG. 6 is a first schematic structural diagram of a controller provided by an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of this application.
  • FIG. 10 is a second schematic structural diagram of a controller provided by an embodiment of this application.
  • FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application. As shown in FIG. 1, it includes an egress firewall, a core layer, an aggregation layer, and an access layer; threat defense points are set at each of these so that the entire network has a security defense function. Network element devices at these layers that have security detection performance act as detection devices, and those that lack it act as access devices.
  • All detection devices and access devices communicate with the controller, and the controller receives the security detection performance of the multiple detection devices in the network.
  • The security detection performance characterises a detection device's ability to perform security detection on data, including the volume of data it can process and the types of data it can process.
  • The controller issues the first diversion strategy to the device to be processed among the access devices according to the detection devices' security detection performance, so that the device to be processed establishes a diversion tunnel with at least one detection device.
  • The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 2, the method in this embodiment may include:
  • The controller receives the security detection performance of multiple detection devices in the network.
  • The network security detection method in this embodiment applies to a local area network scenario such as a campus network or an enterprise network.
  • The enterprise network includes multiple network element devices, which may be switches, firewalls, and so on.
  • A network element device with its own security detection capability is called a detection device;
  • a network element device that has no security detection capability, or whose capability is limited so that it must rely on other detection devices for security detection, is called an access device. All access devices and detection devices in the network are connected to the controller.
  • The controller receives the security detection performance of the multiple detection devices in the network.
  • Table 1 shows the security detection performance of the detection devices named xxx and yyy;
  • Table 2 shows the security detection performance for different data types.
  • The security detection performance of the different detection devices in the network differs. Therefore, after the network is built, the controller obtains the security detection performance of each detection device in the network to support the subsequent deployment of the detection devices.
  • S102: According to the security detection performance of the multiple detection devices, issue a first diversion strategy to the device to be processed among the access devices.
  • The first diversion strategy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • The controller issues the first diversion strategy to the device to be processed among the access devices according to the detection devices' security detection performance, so that the device to be processed establishes a diversion tunnel with at least one detection device.
  • The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • The first diversion strategy issued by the controller to the device to be processed may include a correspondence between a data type and a detection device capable of detecting that data type.
  • The device to be processed then diverts data of each data type to a detection device capable of detecting that type for security detection.
  • If the data output by the device to be processed is of a single general type, that is, any detection device can detect it, the at least one detection device can instead be determined from the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices,
  • such that the sum of the security detection capabilities of the at least one detection device covers the data passing through the device to be processed.
  • When the data volume on the device to be processed increases so that the summed security detection capability of the at least one detection device no longer covers it, a second diversion strategy is sent to one or more of the at least one detection device; the second diversion strategy instructs those detection devices to establish a diversion tunnel with detection devices other than the at least one detection device.
  • The traffic output by the device to be processed varies over time.
  • The controller sends the second diversion strategy to the detection devices that already have a diversion tunnel with the device to be processed, and/or to the remaining detection devices that do not, so that the traffic is sent to more detection devices for security detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices always meet the detection requirements of the device to be processed, and detection efficiency improves.
  • FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 3, the method in this embodiment may include:
  • The controller receives the security detection performance of multiple detection devices in the network.
  • As in the embodiment of FIG. 2, the method applies to a local area network such as a campus or enterprise network made up of network element devices (switches, firewalls, and so on); a network element device with its own security detection capability is called a detection device, one without it, or with limited capability that must rely on other detection devices, is called an access device, and all access devices and detection devices are connected to the controller.
  • The controller receives the security detection performance of the multiple detection devices in the network.
  • The access device sends its data type and/or data volume to the controller.
  • The access device sends the data type and/or data volume so that the controller can formulate the first diversion strategy according to that data type and/or data volume.
  • The first diversion strategy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • The controller issues a first diversion strategy to the device to be processed among the access devices according to the security detection performance of the multiple detection devices.
  • In step S203, the controller issues the first diversion strategy to the device to be processed among the access devices according to the detection devices' security detection performance, so that the device to be processed establishes a diversion tunnel with at least one detection device.
  • The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • The access device receives the first diversion strategy from the controller.
  • The device to be processed receives the first diversion strategy sent by the controller; the first diversion strategy includes a correspondence between a data type and a detection device capable of detecting that data type.
  • The first diversion strategy also instructs the device to be processed to send traffic of that data type to the capable detection device via the diversion tunnel.
  • The access device establishes a diversion tunnel with at least one detection device according to the first diversion strategy.
  • That is, the device to be processed establishes a diversion tunnel with at least one detection device according to the first diversion strategy.
  • The volume of data passing through the device to be processed matches the security detection performance of the detection devices with which the tunnels are established; that is, the sum of those detection devices' security detection capabilities covers the data passing through the device to be processed.
  • The access device sends data to the detection device through the diversion tunnel.
  • In step S206, the device to be processed sends the corresponding data to the detection device through the diversion tunnel for security detection.
  • This makes full use of the controller's deployment role: through a diversion strategy the controller steers the access device's traffic to the detection devices according to data type and/or data volume, so the security resources of the entire network are deployed automatically and traffic is not missed by detection when a network device's service capacity degrades.
  • The method in this embodiment may further include:
  • When a detection device's detection capability does not meet the detection requirement for the data from the first diversion tunnel, the detection device receives the diversion strategy sent by the controller and establishes a second diversion tunnel with another detection device, so that the traffic beyond its performance is carried over the second diversion tunnel to the other detection device for detection.
  • The detection device establishes the second diversion tunnel with the other detection device according to the diversion strategy, and sends the data beyond its own detection capability to the other detection device over the second diversion tunnel.
  • The number of diversion tunnels established is not limited in this embodiment.
  • Any detection device can pass its excess data to other detection devices over a second diversion tunnel for security detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices always meet the detection requirements of the device to be processed (one or more of the access devices), and detection efficiency improves.
  • FIG. 4 is a first schematic diagram of signaling interaction in a network security detection method provided by an embodiment of this application. As shown in FIG. 4, the method in this embodiment may include the following steps.
  • The detection device reports its security detection performance to the controller.
  • The controller generates a first-level diversion policy according to the security detection performance of the detection devices in the network.
  • The controller issues the first-level diversion policy to the access device.
  • The access device establishes a diversion tunnel with at least one detection device according to the first-level diversion policy.
  • The access device sends the traffic to the detection device through the diversion tunnel.
  • The detection device performs security detection on the traffic.
  • The detection device feeds the detection result back to the access device.
  • The access device blocks traffic according to the detection result.
  • The controller issues a second-level diversion policy to the detection device.
  • The detection device establishes a diversion tunnel with another detection device according to the second-level diversion policy.
  • The detection device sends the traffic exceeding its detection capability to the other detection device.
  • The other detection device returns its detection result to the access device by way of the first detection device.
  • The access device blocks traffic according to the detection result.
  • In this embodiment, the controller generates the first-level diversion policy according to the security detection performance of the detection devices in the network, and the access device establishes a diversion tunnel with the detection device according to that policy.
  • The controller then issues a second-level diversion policy to the detection device so that the detection device sends the traffic beyond its detection capability to other detection devices, which assist in the traffic detection.
  • The detection device feeds the traffic detection result back to the access device.
  • The access device blocks the corresponding traffic, thereby maintaining the security of the whole network.
  • The number of diversion tunnels is not limited.
  • Any detection device can pass its excess data to other detection devices through a second diversion tunnel for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices can always meet the detection requirement of the device to be processed (one or more of the access devices), and detection efficiency is improved.
  • FIG. 5 is a second schematic diagram of signaling interaction in a network security detection method provided by an embodiment of this application. As shown in FIG. 5, the method in this embodiment may include the following steps.
  • The detection device reports its security detection performance to the controller.
  • The controller generates a first-level diversion policy according to the security detection performance of the detection devices in the network.
  • The controller issues the first-level diversion policy to the access device.
  • The access device establishes a diversion tunnel with at least one detection device according to the first-level diversion policy.
  • The access device sends the traffic to the detection device through the diversion tunnel.
  • The detection device performs security detection on the traffic.
  • The detection device feeds the detection result back to the access device.
  • The access device blocks traffic according to the detection result.
  • The controller issues a second-level diversion policy to the access device.
  • The access device establishes a diversion tunnel with other detection devices according to the second-level diversion policy.
  • The access device sends the traffic exceeding the detection capability of the detection device to the other detection devices.
  • The other detection devices send their detection results to the access device.
  • The access device blocks traffic according to the detection result.
  • In this embodiment, the controller generates the first-level diversion policy according to the security detection performance of the detection devices in the network, and the access device establishes a diversion tunnel with the detection device according to that policy.
  • The controller then issues a second-level diversion policy to the access device so that the access device sends the traffic beyond the detection device's capability to other detection devices, which assist in the traffic detection. Unlike the flow of FIG. 4, the second tunnel here starts at the access device, so the results of the other detection devices return to it directly rather than through the first detection device.
  • The detection device feeds the traffic detection result back to the access device.
  • The access device blocks the corresponding traffic, thereby maintaining the security of the whole network.
  • The number of diversion tunnels established is not limited in this embodiment.
  • The access device can pass its excess data to other detection devices through a second diversion tunnel for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices can always meet the detection requirement of the device to be processed (one or more of the access devices), and detection efficiency is improved.
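  • The two overflow paths above (FIG. 4, where the overloaded detection device opens the second tunnel and relays the other device's verdicts; FIG. 5, where the access device itself opens tunnels to the other detection devices), modelled as an added Python example. This is not code from the patent or from Huawei; the device names, capacities, flow sizes, sample payloads and the three byte-string signatures are all constructed for the illustration, and a real detection device would run a full inspection engine rather than substring matching. The third mode shows the failure the background section describes: with no second-level policy, the overloaded device hands back traffic it never inspected, and the access device must decide whether to fail open or fail closed on it.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy signatures standing in for a real inspection rule set.
SIGNATURES = (b"UNION SELECT", b"/etc/passwd", b"cmd.exe /c")


@dataclass
class Flow:
    flow_id: str
    size: int       # detection units this flow consumes per period (constructed)
    payload: bytes  # sample bytes the detector inspects (constructed)


@dataclass
class DetectionDevice:
    """Detection device with a per-period inspection capacity and an optional
    second diversion tunnel to another detection device (FIG. 4 second-level policy)."""
    name: str
    capacity: int
    overflow_to: Optional[DetectionDevice] = None

    def inspect(self, flow: Flow) -> str:
        return "block" if any(sig in flow.payload for sig in SIGNATURES) else "allow"

    def handle(self, flows: list[Flow]) -> tuple[dict[str, str], list[Flow]]:
        """Inspect flows until capacity runs out. Flows that do not fit go over the
        second tunnel if one exists, and the other device's verdicts are relayed
        back through this device (FIG. 4). Returns (verdicts, flows nobody inspected)."""
        verdicts: dict[str, str] = {}
        excess: list[Flow] = []
        budget = self.capacity
        for flow in flows:
            if flow.size <= budget:
                budget -= flow.size
                verdicts[flow.flow_id] = self.inspect(flow)
            else:
                excess.append(flow)
        if excess and self.overflow_to is not None:
            relayed, uninspected = self.overflow_to.handle(excess)
            verdicts.update(relayed)
            return verdicts, uninspected
        return verdicts, excess


@dataclass
class AccessDevice:
    """Access device with its diversion tunnels in policy order."""
    name: str
    tunnels: list[DetectionDevice]
    blocked: set[str] = field(default_factory=set)
    uninspected: set[str] = field(default_factory=set)

    def divert(self, flows: list[Flow]) -> None:
        remaining = list(flows)
        for i, dev in enumerate(self.tunnels):
            if i == len(self.tunnels) - 1:
                batch, rest = remaining, []  # the last tunnel takes everything left
            else:  # FIG. 5: split by the capacity the policy told us about
                batch, rest, budget = [], [], dev.capacity
                for flow in remaining:
                    if flow.size <= budget:
                        budget -= flow.size
                        batch.append(flow)
                    else:
                        rest.append(flow)
            verdicts, left = dev.handle(batch)
            self.blocked |= {fid for fid, v in verdicts.items() if v == "block"}
            self.uninspected |= {f.flow_id for f in left}  # came back uninspected
            remaining = rest
        self.uninspected |= {f.flow_id for f in remaining}  # had no tunnel at all


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("f1", 40, b"GET /index.html HTTP/1.1"),
    Flow("f2", 30, b"POST /login user=bob&pw=x' UNION SELECT 1,2--"),
    Flow("f3", 50, b"GET /../../etc/passwd"),
    Flow("f4", 20, b"GET /img/logo.png HTTP/1.1"),
]


def run(mode: str) -> AccessDevice:
    """mode: 'fig4' (D1 opens the second tunnel), 'fig5' (A1 opens it), 'none'."""
    d2 = DetectionDevice("D2", capacity=100)
    d1 = DetectionDevice("D1", capacity=80, overflow_to=d2 if mode == "fig4" else None)
    access = AccessDevice("A1", tunnels=[d1, d2] if mode == "fig5" else [d1])
    access.divert(SAMPLE_FLOWS)
    return access


if __name__ == "__main__":
    for mode in ("fig4", "fig5", "none"):
        a = run(mode)
        print(mode, "blocked:", sorted(a.blocked), "uninspected:", sorted(a.uninspected))
```

  • In both the FIG. 4 and FIG. 5 modes every flow is inspected and the two malicious ones are blocked; in the "none" mode D1 fills up after f1 and f2, so f3 (the traversal attempt) and f4 come back uninspected. The set the access device accumulates in `uninspected` is exactly the traffic the patent sets out to eliminate, and a deployment should treat it as an alarm condition rather than forwarding it silently.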
  • FIG. 6 is a first schematic structural diagram of a controller provided by an embodiment of the application. As shown in FIG. 6, the controller may include the following modules.
  • The receiving module 61 is configured to receive the security detection performance of multiple detection devices in the network.
  • The processing module 62 is configured to issue a first diversion policy to the device to be processed among the access devices according to the security detection performance of the multiple detection devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • The first diversion policy may further include a correspondence between a data type and the detection device capable of detecting that data type; the first diversion policy then also instructs the device to be processed to send traffic belonging to that data type to the detection device capable of detecting it.
  • The processing module 62 is further configured to determine the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient to detect the data passing through the device to be processed.
  • The processing module 62 is further configured to send, when the volume of data passing through the device to be processed rises so that the sum of the security detection capabilities of the at least one detection device can no longer detect all of it, a second diversion policy to one or more of the at least one detection device; the second diversion policy instructs the one or more detection devices to establish a diversion tunnel with at least one detection device outside the at least one detection device.
  • The controller in this embodiment can execute the methods shown in FIGS. 2 to 5; for the specific implementation process and principles, refer to the description of the methods shown in FIGS. 2 to 5, which is not repeated here.
  • FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of the application. As shown in FIG. 7, the access device may include the following modules.
  • The sending module 71 is configured to send the data type and/or data volume to the controller.
  • The receiving module 72 is configured to receive the first diversion policy from the controller, where the first diversion policy is related to the data type and/or data volume.
  • The processing module 73 is configured to establish a diversion tunnel with at least one detection device according to the first diversion policy.
  • The sending module 71 is further configured to send data to the detection device through the diversion tunnel.
  • The access device in this embodiment can execute the methods shown in FIGS. 2 to 5; for the specific implementation process and principles, refer to the description of the methods shown in FIGS. 2 to 5, which is not repeated here.
  • FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of the application. As shown in FIG. 8, the detection device may include the following modules.
  • The receiving module 81 is configured to receive the diversion policy sent by the controller when the detection capability of the detection device does not meet the detection requirement for the data arriving over the first diversion tunnel.
  • The processing module 82 is configured to establish a second diversion tunnel with another detection device according to the diversion policy and to send the data beyond the detection capability of the detection device to the other detection device through the second diversion tunnel.
  • The detection device in this embodiment can execute the methods shown in FIGS. 2 to 5; for the specific implementation process and principles, refer to the description of the methods shown in FIGS. 3 to 5, which is not repeated here.
  • FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of the application.
  • The switch device in this embodiment may include a network interface 91, a processor 92, a memory 93 and a network forwarding chip 94.
  • When the switch device has data security detection capability, it can serve as a detection device. When it has no data security detection capability, or its own capability cannot meet its own data detection requirement, it can serve as an access device. This embodiment does not limit the internal architecture of the switch device: some switch devices have no network forwarding chip and forward data directly on the processor.
  • FIG. 10 is a second schematic structural diagram of a controller provided by an embodiment of the application.
  • The controller in this embodiment may include a processor 1001, a memory 1002, an input device 1003 and an output device 1004.
  • The processor 1001 communicates with the memory 1002, the input device 1003 and the output device 1004 through a bus 1005.
  • The controller can also be deployed as a physical server or a virtual machine; this embodiment does not limit the architecture of the controller.
  • An embodiment of the present application also provides a network security detection system, which includes a controller, an access device and a detection device, where the controller is configured to execute the method shown in FIG. 2, the access device is configured to execute the method shown in FIG., and the detection device is configured to execute the method shown in FIG. 3.
  • An embodiment of the present application provides a computer-readable storage medium that stores instructions; when executed, the instructions cause a computer to perform the method performed by the terminal device in the foregoing embodiments of the present application.
  • An embodiment of the present application provides a computer-readable storage medium that stores instructions; when executed, the instructions cause a computer to perform the method performed by the network device in the foregoing embodiments of the present application.
  • The disclosed device and method can be implemented in other ways.
  • The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other divisions, multiple units or components may be combined or integrated into another system, and some features may be ignored or not implemented.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
  • The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments.
  • The functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.
  • The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
  • The division into modules in the embodiments of the present application is illustrative and is only a division by logical function; there may be other division methods in an actual implementation.
  • The functional modules in the embodiments of the present application may be integrated into one processing module, each module may exist alone physically, or two or more modules may be integrated into one module.
  • The integrated modules can be implemented in the form of hardware or of software functional modules.
  • When the integrated module is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • Such a computer software product is stored in a storage medium and includes several instructions that enable a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods in the embodiments of the present application.
  • The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
  • The embodiments can be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • When implemented in software, they can be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions.
  • When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
  • The computer can be a general-purpose computer, a special-purpose computer, a computer network or another programmable device.
  • The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
  • For example, the computer instructions can be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (such as infrared, radio or microwave).
  • The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
  • The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, an optical disc) or a semiconductor medium (for example, a solid state drive (SSD)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a network security detection method and system, a device and a controller, which improve network security and belong to the technical field of communications. The method comprises: a controller receiving the security detection performance of a plurality of detection devices in a network and, according to that performance, issuing a first traffic diversion policy to a device to be processed among the access devices, where the first traffic diversion policy instructs the device to be processed to establish a traffic diversion tunnel with at least one of the plurality of detection devices. According to the security detection performance of the detection devices in the network, the controller steers the traffic of an access device to a detection device by means of a traffic diversion policy, so that security resources in the entire network are allocated automatically and traffic is not left undetected because of the service degradation of a network device.

Description

Network security detection method, system, device and controller
This application claims priority to Chinese patent application No. 202010553314.X, filed on June 17, 2020 and entitled "Network security detection method, system, device and controller", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to a network security detection method, system, device and controller.
Background
As network technology develops, attack techniques change just as quickly; performing security detection on the traffic carried by a network is an important means of improving its defensive capability.
Two approaches are generally used for security detection. The first deploys a firewall with security functions in the egress area: traffic is diverted from the core switch to the firewall for security detection, and the detected traffic is then re-injected from the firewall back into the core switch. The second deploys switches with network security functions across the whole network to protect the entire network.
However, the first approach is limited by the processing performance of the firewall and the second by the processing performance of the switches. When traffic is heavy, only part of it is delivered to the firewall or switch for detection, so undetected traffic propagates through the network and threatens its security.
Summary of the invention
This application provides a network security detection method, system, device and controller that automatically allocate the security resources of the whole network, so that traffic is not left undetected when a network device's service is degraded.
In a first aspect, this application provides a network security detection method, including: a controller receives the security detection performance of multiple detection devices in a network; according to the security detection performance of the detection devices, the controller issues a first diversion policy to a device to be processed among the access devices; the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
In the first aspect, an enterprise network architecture generally comprises an egress firewall, a core layer, an aggregation layer and an access layer, and threat defense points are set at each of these positions so that the whole network has a security defense capability. Network elements at these positions that have security detection capability serve as detection devices; those that do not serve as access devices. All detection devices and access devices are communicatively connected to the controller, and the controller receives the security detection performance of the multiple detection devices in the network. The security detection performance characterises a detection device's ability to perform security detection on data, including the volume of data it can process and the data types it can process. According to the security detection performance of the detection devices, the controller issues the first diversion policy to the device to be processed among the access devices, so that the device to be processed establishes a diversion tunnel with at least one detection device. Data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection. This makes full use of the controller's scheduling function: based on the security detection performance of the detection devices in the network, the controller steers the access device's traffic to the detection devices through a diversion policy, so that the security resources of the whole network are allocated automatically and traffic is not left undetected when a network device's service is degraded.
Optionally, in the network security detection method provided by this application, the first diversion policy further includes a correspondence between a data type and the detection device capable of detecting that data type, and the first diversion policy further instructs the device to be processed to send traffic belonging to that data type via the diversion tunnel to the detection device capable of detecting it.
In a possible implementation of the first aspect, since different detection devices in the network can detect different data types, the controller first obtains the types of data on the device to be processed and then looks up the detection devices capable of detecting each type. It then generates the first diversion policy, instructing the device to be processed to send traffic of that data type via the diversion tunnel to a detection device capable of detecting it for security detection. Traffic of the device to be processed is thereby diverted and detected per data type, making full use of the detection capabilities of the different detection devices in the network and meeting the detection requirements of more data types.
Optionally, the network security detection method provided by this application further includes: determining the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient to detect the data passing through the device to be processed.
In a possible implementation of the first aspect, since different detection devices in the network can detect different volumes of data, multiple detection devices may need to be scheduled when the traffic of the device to be processed is heavy. The controller then determines, from the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, which detection devices establish diversion tunnels with the device to be processed. Traffic of the device to be processed is thereby diverted and detected according to the volume to be processed, making full use of the detection capabilities of the different detection devices in the network and meeting higher-volume detection requirements.
Optionally, the network security detection method provided by this application further includes: when the volume of data passing through the device to be processed rises so that the sum of the security detection capabilities of the at least one detection device can no longer detect all of that data, sending a second diversion policy to one or more of the at least one detection device; the second diversion policy instructs the one or more detection devices to establish a diversion tunnel with other detection devices outside the at least one detection device.
In a possible implementation of the first aspect, the traffic output by the device to be processed varies over time. When the volume of data passing through the device to be processed rises and the sum of the security detection capabilities of the detection devices that currently have diversion tunnels can no longer detect it, the controller sends a second diversion policy to the detection devices that already have a diversion tunnel with the device to be processed and/or to the remaining detection devices that do not, so that the traffic is sent to more detection devices for security detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices can always meet the detection requirement of the device to be processed, and detection efficiency is improved.
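The scheduling rules of the first aspect (a first-level policy whose detectors' capability sum covers the volume on the device to be processed, the data-type to detector correspondence, and a second-level policy toward other detectors when the volume rises), which are the same rules stated for processing module 62 elsewhere on this page, as an added Python example. It is not code from the patent or from Huawei. The greedy largest-free-capacity allocation, the rollback of a policy that cannot be fully covered, and the device names, capacities, data types and volumes are all constructed for the illustration; the patent does not say which scheduled detector receives the second-level policy, so `first[0]` is an assumption. The check a practitioner wants is the rollback: a policy that cannot cover the reported volume is rejected outright instead of being issued with a remainder that would travel uninspected.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPerformance:
    """What a detection device reports: inspectable volume per period and data types."""
    device: str
    capacity: int
    data_types: frozenset[str]


@dataclass(frozen=True)
class Assignment:
    data_type: str
    detector: str
    volume: int


@dataclass
class DiversionPolicy:
    level: int                     # 1: first-level policy, 2: second-level (overflow) policy
    target: str                    # device that must establish the tunnels
    assignments: list[Assignment]


class Controller:
    def __init__(self) -> None:
        self.perf: dict[str, DetectionPerformance] = {}
        self.free: dict[str, int] = {}
        self.first_level: dict[str, set[str]] = {}  # access device -> detectors it was scheduled to

    def report(self, perf: DetectionPerformance) -> None:
        self.perf[perf.device] = perf
        self.free[perf.device] = perf.capacity

    def _allocate(self, data_type: str, volume: int,
                  candidates: list[str]) -> tuple[list[Assignment], int]:
        """Greedily reserve `volume` units of `data_type` on candidates able to inspect
        that type, largest free capacity first. Returns reservations and unmet remainder."""
        out: list[Assignment] = []
        for dev in sorted(candidates, key=lambda d: self.free[d], reverse=True):
            if volume == 0:
                break
            if data_type not in self.perf[dev].data_types:
                continue
            take = min(volume, self.free[dev])
            if take == 0:
                continue
            self.free[dev] -= take
            volume -= take
            out.append(Assignment(data_type, dev, take))
        return out, volume

    def _release(self, assignments: list[Assignment]) -> None:
        for a in assignments:
            self.free[a.detector] += a.volume

    def first_level_policy(self, access_device: str, demand: dict[str, int]) -> DiversionPolicy:
        """Choose detectors whose capability sum covers `demand` (data_type -> volume)."""
        assignments: list[Assignment] = []
        for data_type, volume in demand.items():
            got, left = self._allocate(data_type, volume, list(self.perf))
            assignments += got
            if left:
                self._release(assignments)  # never issue a policy with an uncovered remainder
                raise RuntimeError(f"{left} units of {data_type} cannot be covered")
        self.first_level[access_device] = {a.detector for a in assignments}
        return DiversionPolicy(1, access_device, assignments)

    def second_level_policy(self, access_device: str, extra: dict[str, int],
                            deliver_to: str = "detection") -> DiversionPolicy:
        """Demand rose by `extra`: use spare capacity of the scheduled detectors first, then
        other detectors. FIG. 4 delivers the policy to a scheduled detector (assumed: the
        first by name), FIG. 5 to the access device."""
        first = sorted(self.first_level[access_device])
        others = [d for d in self.perf if d not in first]
        assignments: list[Assignment] = []
        for data_type, volume in extra.items():
            got, left = self._allocate(data_type, volume, first)
            assignments += got
            if left:
                got, left = self._allocate(data_type, left, others)
                assignments += got
            if left:
                self._release(assignments)
                raise RuntimeError(f"{left} units of {data_type} cannot be covered")
        target = access_device if deliver_to == "access" else first[0]
        return DiversionPolicy(2, target, assignments)


def build_sample_controller() -> Controller:
    """Constructed performance reports; names and numbers are illustrative only."""
    ctl = Controller()
    ctl.report(DetectionPerformance("FW-egress", 100, frozenset({"http", "dns", "smb"})))
    ctl.report(DetectionPerformance("SW-core", 60, frozenset({"http", "dns"})))
    ctl.report(DetectionPerformance("SW-agg", 80, frozenset({"http"})))
    return ctl


if __name__ == "__main__":
    ctl = build_sample_controller()
    print(ctl.first_level_policy("SW-access-1", {"http": 90, "dns": 30}))
    print(ctl.second_level_policy("SW-access-1", {"http": 50}))
    print(ctl.free)
```

With the sample reports, the first-level policy sends 90 units of http to FW-egress and 30 of dns to SW-core. When http rises by 50, the two scheduled detectors absorb 40 from their spare capacity and the remaining 10 is steered to SW-agg, the "other detection device" of the second-level policy. A further 20 units of dns cannot be placed anywhere (SW-agg does not inspect dns) and the controller rejects that request without changing its reservations.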
In a second aspect, this application provides a network security detection method, including: an access device sends a data type and/or data volume to a controller; receives a first diversion policy from the controller, where the first diversion policy is related to the data type and/or data volume; establishes a diversion tunnel with at least one detection device according to the first diversion policy; and sends data to the detection device through the diversion tunnel.
In the second aspect, an enterprise network architecture generally comprises an egress firewall, a core layer, an aggregation layer and an access layer, and threat defense points are set at each of these positions so that the whole network has a security defense capability. Network elements at these positions that have security detection capability serve as detection devices; those that do not serve as access devices. All detection devices and access devices are communicatively connected to the controller. The access device sends its data type and/or data volume to the controller, and according to the first diversion policy sent by the controller, the device to be processed among the access devices establishes a diversion tunnel with at least one detection device. Data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection. This makes full use of the controller's scheduling function: based on the data type and/or data volume, the controller steers the access device's traffic to the detection devices through a diversion policy, so that the security resources of the whole network are allocated automatically and traffic is not left undetected when a network device's service is degraded.
In a third aspect, this application provides a network security detection method, including: when the detection capability of a detection device does not meet the detection requirement for data arriving over a first diversion tunnel, the detection device receives a diversion policy sent by the controller; according to the diversion policy, the detection device establishes a second diversion tunnel with another detection device and sends the data beyond its detection capability to the other detection device through the second diversion tunnel.
In the third aspect, an enterprise network architecture generally comprises an egress firewall, a core layer, an aggregation layer and an access layer, and threat defense points are set at each of these positions so that the whole network has a security defense capability. Network elements at these positions that have security detection capability serve as detection devices; those that do not serve as access devices. All detection devices and access devices are communicatively connected to the controller. When the detection capability of a detection device does not meet the detection requirement for the data arriving over the first diversion tunnel, the detection device receives the diversion policy sent by the controller and establishes a second diversion tunnel with another detection device, so that traffic beyond its capability is transmitted over the second diversion tunnel to the other detection device for detection. The scheme thus adapts to dynamic changes in traffic, the scheduled detection devices can always meet the detection requirement of the device to be processed, and detection efficiency is improved.
In a fourth aspect, the present application provides a controller, including:
a receiving module, configured to receive the security detection performance of multiple detection devices in the network;
a processing module, configured to issue a first diversion policy to a device to be processed among the access devices according to the security detection performance of the detection devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
Optionally, the first diversion policy further includes a correspondence between a data type and the detection devices capable of detecting that data type;
the first diversion policy further instructs the detection device to send traffic belonging to the data type over the diversion tunnel to the detection device capable of detecting that data type.
Optionally, the processing module is further configured to:
determine the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, where the sum of the security detection capabilities of the at least one detection device is sufficient to detect the data passing through the device to be processed.
Optionally, the processing module is further configured to:
when the volume of data passing through the device to be processed rises so that the sum of the security detection capabilities of the at least one detection device can no longer cover the detection of that data, send a second diversion policy to one or more of the at least one detection device, where the second diversion policy instructs the one or more detection devices to establish diversion tunnels with detection devices other than the at least one detection device.
In a fifth aspect, the present application provides an access device, including:
a sending module, configured to send a data type and/or a data volume to the controller;
a receiving module, configured to receive a first diversion policy from the controller, where the first diversion policy is related to the data type and/or data volume;
a processing module, configured to establish a diversion tunnel with at least one detection device according to the first diversion policy;
a sending module, configured to send data to the detection device over the diversion tunnel.
In a sixth aspect, the present application provides a detection device, including:
a receiving module, configured to receive a diversion policy sent by the controller when the detection capability of the detection device cannot meet the detection demand of the data arriving over a first diversion tunnel;
a processing module, configured to establish a second diversion tunnel with another detection device according to the diversion policy, and to send the data exceeding the detection capability of the detection device to the other detection device over the second diversion tunnel.
In a seventh aspect, the present application provides a network security detection system, including a controller, an access device and a detection device, where:
the controller is configured to perform the method according to any one of the first aspect;
the access device is configured to perform the method according to the second aspect;
the detection device is configured to perform the method according to the third aspect.
In an eighth aspect, the present application provides a readable storage medium storing a computer program; when the computer program is executed, the method of the first aspect of the present application is implemented.
In a ninth aspect, the present application provides a program product. The program product includes a computer program stored in a readable storage medium; at least one processor of a communication apparatus can read the computer program from the readable storage medium, and the at least one processor executes the computer program so that the apparatus carries out any of the methods of the first aspect of the present application.
In the network security detection method, system, device and controller provided by the present application, the controller receives the security detection performance of multiple detection devices in the network and, according to that performance, issues a first diversion policy to a device to be processed among the access devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices. Based on the security detection performance of the detection devices in the network, the controller diverts the traffic of the access device to the detection devices for inspection through the diversion policy, so that security resources across the whole network are allocated automatically and traffic is not left uninspected because a network device's service has been degraded.
Description of the drawings
FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application;
FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application;
FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application;
FIG. 4 is a first schematic diagram of the signaling interaction of a network security detection method provided by an embodiment of this application;
FIG. 5 is a second schematic diagram of the signaling interaction of a network security detection method provided by an embodiment of this application;
FIG. 6 is a first schematic structural diagram of a controller provided by an embodiment of this application;
FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of this application;
FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of this application;
FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of this application;
FIG. 10 is a second schematic structural diagram of a controller provided by an embodiment of this application.
Detailed description
The technical solutions of this application are described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application. As shown in FIG. 1, the architecture includes an egress firewall, a core layer, an aggregation layer and an access layer. Threat defense points are set at each of the egress firewall, core layer, aggregation layer and access layer, so that the whole network has security defense capability. Further, the network element devices in the egress firewall, core layer, aggregation layer and access layer that have security detection capability serve as detection devices, and the network element devices in those layers that do not have security detection capability serve as access devices. All detection devices and access devices are communicatively connected to the controller, and the controller receives the security detection performance of the multiple detection devices in the network. The security detection performance characterizes a detection device's ability to perform security detection on data, and covers both the volume of data it can process and the data types it can process. According to the security detection performance of the detection devices, the controller issues a first diversion policy to a device to be processed among the access devices, so that the device to be processed establishes a diversion tunnel with at least one detection device. The data output by the device to be processed is sent over the diversion tunnel to the at least one detection device for security detection. This makes full use of the controller's scheduling function: based on the security detection performance of the detection devices in the network, the controller diverts the traffic of the access device to the detection devices for inspection through the diversion policy, achieving automatic allocation of security resources across the whole network and avoiding traffic going uninspected because of service degradation on a network device.
FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 2, the method in this embodiment may include:
S101. The controller receives the security detection performance of multiple detection devices in the network.
By way of example, the network security detection method of this embodiment applies to local area network scenarios such as industrial park networks and enterprise networks. Taking an enterprise network as an example, the enterprise network includes multiple network element devices, which may be switches, firewalls and so on. To distinguish them, a network element device that has security detection capability of its own is called a detection device, and a network element device that has no security detection capability, or whose capability is so limited that it must rely on other detection devices for security detection, is called an access device. All access devices and detection devices in the network are communicatively connected to the controller. In step S101, the controller receives the security detection performance of the multiple detection devices in the network. For example, Table 1 gives the security detection performance of the detection devices named xxx and yyy, and Table 2 gives the security detection performance for different data types.
Table 1

Detection device | Security detection performance
xxx              | 40 Gbps
yyy              | 10 Gbps
Table 2

(Table 2 is provided as an image in the source: Figure PCTCN2021100383-appb-000001.)
As Tables 1 and 2 show, the security detection performance of different detection devices in the network differs. Therefore, once the network is built, the controller must first obtain the security detection performance of each detection device in the network so that the detection devices can be scheduled later.
S102. Issue a first diversion policy to a device to be processed among the access devices according to the security detection performance of the multiple detection devices.
By way of example, in step S102 the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices. According to the security detection performance of the detection devices, the controller issues the first diversion policy to the device to be processed among the access devices, so that the device to be processed establishes a diversion tunnel with at least one detection device. The data output by the device to be processed is sent over the diversion tunnel to the at least one detection device for security detection. This makes full use of the controller's scheduling function: based on the security detection performance of the detection devices in the network, the controller diverts the traffic of the access device to the detection devices for inspection through the diversion policy, achieving automatic allocation of security resources across the whole network and avoiding traffic going uninspected because of service degradation on a network device.
It should be noted that this embodiment does not limit the number of detection devices that establish diversion tunnels with the device to be processed.
In an optional implementation, the first diversion policy issued by the controller to the device to be processed may include a correspondence between data types and the detection devices capable of detecting each data type. According to the first diversion policy, the device to be processed diverts data of each data type to a detection device capable of detecting that data type for security detection.
By way of example, referring to Table 1, when the data output by the device to be processed is of a single generic type, that is, any detection device can inspect it, the at least one detection device can be chosen according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the chosen detection devices is sufficient to detect the data passing through the device to be processed.
By way of example, referring to Table 2, when the data output by the device to be processed includes different types of data, multiple detection devices must be selected by data type to perform security detection on the data output by the device to be processed.
In another optional implementation, when the volume of data passing through the device to be processed rises so that the sum of the security detection capabilities of the at least one detection device can no longer cover the detection of that data, a second diversion policy is sent to one or more of the at least one detection device; the second diversion policy instructs the one or more detection devices to establish diversion tunnels with detection devices other than the at least one detection device.
In this embodiment, the traffic output by the device to be processed is a changing quantity. When the volume of data passing through the device to be processed rises and the sum of the security detection capabilities of the detection devices that currently have diversion tunnels can no longer cover the detection of that data, the controller sends a second diversion policy to the detection devices that already have a diversion tunnel with the device to be processed and/or to the remaining detection devices that do not yet have one, so that the traffic is sent to more detection devices for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices can always satisfy the traffic detection demand of the device to be processed, and detection efficiency is improved.
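The controller logic of steps S101 and S102, together with the second-level policy of the optional implementation above, as an added worked example in Python. This code is not from the patent or from its assignee; it is a model of the scheduling rule the text describes. The xxx and yyy capacities come from Table 1; the device zzz, the data type names ("generic", "dns") and the traffic volumes are constructed for the example, and the greedy largest-headroom-first allocation is one possible selection rule, not one the page specifies.

```python
from dataclasses import dataclass


@dataclass
class DetectionDevice:
    """Capability report received by the controller in step S101."""
    name: str
    capacity_gbps: float          # reported security detection performance
    data_types: frozenset         # data types this device is able to inspect
    assigned_gbps: float = 0.0    # traffic already steered to it by earlier policies

    @property
    def free_gbps(self) -> float:
        return self.capacity_gbps - self.assigned_gbps


@dataclass(frozen=True)
class DiversionRule:
    """One entry of a diversion policy: steer `gbps` of `data_type` to `detector`."""
    data_type: str
    detector: str
    gbps: float


class Controller:
    def __init__(self):
        self.detectors = {}

    def receive_capability(self, name, capacity_gbps, data_types):
        """S101: record a detection device's security detection performance."""
        self.detectors[name] = DetectionDevice(name, capacity_gbps, frozenset(data_types))

    def _allocate(self, data_type, gbps, exclude=frozenset()):
        """Greedily cover `gbps` of `data_type` with eligible detectors, largest
        headroom first. Raises if eligible capacity cannot cover the volume: that
        shortfall is exactly the traffic that would otherwise go uninspected."""
        rules, remaining = [], gbps
        eligible = [d for d in self.detectors.values()
                    if data_type in d.data_types and d.name not in exclude and d.free_gbps > 0]
        for d in sorted(eligible, key=lambda d: d.free_gbps, reverse=True):
            if remaining <= 0:
                break
            share = min(d.free_gbps, remaining)
            d.assigned_gbps += share
            remaining -= share
            rules.append(DiversionRule(data_type, d.name, share))
        if remaining > 0:
            raise RuntimeError(f"{remaining:g} Gbps of '{data_type}' cannot be covered")
        return rules

    def first_level_policy(self, demand):
        """S102: `demand` maps each data type reported by the device to be processed
        to its volume in Gbps. A type is covered only by detectors able to inspect
        it, and the capacities chosen for a type sum to at least its volume."""
        rules = []
        for data_type, gbps in demand.items():
            rules.extend(self._allocate(data_type, gbps))
        return rules

    def second_level_policy(self, current_rules, data_type, extra_gbps):
        """Traffic of `data_type` rose by `extra_gbps`. Headroom on detectors that
        already have a tunnel is used first; whatever they cannot absorb is steered
        to detectors outside the current set, as the second diversion policy does."""
        in_use = {r.detector for r in current_rules if r.data_type == data_type}
        others = frozenset(self.detectors) - in_use
        headroom = sum(self.detectors[n].free_gbps for n in in_use)
        absorbed = min(headroom, extra_gbps)
        rules = []
        if absorbed > 0:
            rules.extend(self._allocate(data_type, absorbed, exclude=others))
        if extra_gbps - absorbed > 0:
            rules.extend(self._allocate(data_type, extra_gbps - absorbed, exclude=in_use))
        return rules


def demo():
    """Constructed scenario: xxx and yyy carry the Table 1 figures; zzz, the data
    types and the volumes are assumptions made for this example."""
    ctl = Controller()
    ctl.receive_capability("xxx", 40.0, {"generic"})
    ctl.receive_capability("yyy", 10.0, {"generic"})
    ctl.receive_capability("zzz", 20.0, {"generic", "dns"})
    first = ctl.first_level_policy({"generic": 45.0, "dns": 8.0})
    second = ctl.second_level_policy(first, "generic", 15.0)   # traffic rose by 15 Gbps
    return first, second


if __name__ == "__main__":
    first, second = demo()
    for rule in first + second:
        print(rule)
```

In the constructed run the first policy sends 40 Gbps of generic traffic to xxx and 5 Gbps to zzz, and the 8 Gbps of DNS traffic to zzz as the only device able to inspect it. When generic traffic grows by 15 Gbps, zzz absorbs the 7 Gbps of headroom it still has and the remaining 8 Gbps is steered to yyy, a detector outside the original set; had the total exceeded the whole network's capacity the `RuntimeError` marks the uninspected remainder instead of silently dropping it.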
FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 3, the method in this embodiment may include:
S201. The controller receives the security detection performance of multiple detection devices in the network.
By way of example, the network security detection method of this embodiment applies to local area network scenarios such as industrial park networks and enterprise networks. Taking an enterprise network as an example, the enterprise network includes multiple network element devices, which may be switches, firewalls and so on. To distinguish them, a network element device that has security detection capability of its own is called a detection device, and a network element device that has no security detection capability, or whose capability is so limited that it must rely on other detection devices for security detection, is called an access device. All access devices and detection devices in the network are communicatively connected to the controller. In step S201, the controller receives the security detection performance of the multiple detection devices in the network.
S202. The access device sends a data type and/or a data volume to the controller.
By way of example, in step S202 the access device sends the data type and/or data volume to the controller, so that the controller can formulate the first diversion policy according to the data type and/or data volume. The first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
S203. The controller issues a first diversion policy to a device to be processed among the access devices according to the security detection performance of the multiple detection devices.
By way of example, in step S203 the controller issues the first diversion policy to the device to be processed among the access devices according to the security detection performance of the detection devices, so that the device to be processed establishes a diversion tunnel with at least one detection device. The data output by the device to be processed is sent over the diversion tunnel to the at least one detection device for security detection.
S204. The access device receives the first diversion policy from the controller.
By way of example, in step S204 the device to be processed (one or more of the access devices) receives the first diversion policy sent by the controller. The first diversion policy includes a correspondence between data types and the detection devices capable of detecting each data type, and further instructs the device to be processed to send traffic belonging to a data type over the diversion tunnel to a detection device capable of detecting that data type.
S205. The access device establishes a diversion tunnel with at least one detection device according to the first diversion policy.
By way of example, in step S205 the device to be processed establishes a diversion tunnel with at least one detection device according to the first diversion policy. The volume of data passing through the device to be processed is matched to the security detection performance of the detection devices with which tunnels are established; that is, the sum of those detection devices' security detection capabilities is sufficient to detect the data passing through the device to be processed.
S206. The access device sends data to the detection device over the diversion tunnel.
By way of example, in step S206 the device to be processed sends the corresponding data to the detection device over the diversion tunnel for security detection. This makes full use of the controller's scheduling function: according to the data type and/or data volume, the controller diverts the traffic of the access device to the detection devices for inspection through the diversion policy, achieving automatic allocation of security resources across the whole network and avoiding traffic going uninspected because of service degradation on a network device.
Optionally, the method in this embodiment may further include:
S207. When the detection capability of the detection device cannot meet the detection demand of the data arriving over the first diversion tunnel, the detection device receives a diversion policy sent by the controller.
By way of example, when the detection capability of the detection device cannot meet the detection demand of the data arriving over the first diversion tunnel, the detection device receives the diversion policy sent by the controller and establishes a second diversion tunnel with another detection device, so that the traffic exceeding the detection device's capacity is carried over the second diversion tunnel to the other detection device for inspection.
S208. According to the diversion policy, the detection device establishes a second diversion tunnel with another detection device and sends the data exceeding its detection capability to the other detection device over the second diversion tunnel.
By way of example, this embodiment does not limit the number of diversion tunnels established: whenever the data load on any detection device exceeds a preset threshold, that device can forward the excess data over a second diversion tunnel to other detection devices for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices can always satisfy the traffic detection demand of the device to be processed (one or more of the access devices), and detection efficiency is improved.
FIG. 4 is a first schematic diagram of the signaling interaction of a network security detection method provided by an embodiment of this application. As shown in FIG. 4, the method in this embodiment may include:
S301. The detection device reports its security detection performance to the controller.
S302. The controller generates a first-level diversion policy according to the security detection performance of the detection devices in the network.
S303. The controller issues the first-level diversion policy to the access device.
S304. The access device establishes a diversion tunnel with at least one detection device according to the first-level diversion policy.
S305. The access device sends traffic to the detection device over the diversion tunnel.
S306. The detection device performs security detection on the traffic.
S307. The detection device feeds the detection result back to the access device.
S308. The access device blocks traffic according to the detection result.
S309. When the traffic of the access device rises and the detection device can no longer meet the current detection demand, the controller issues a second-level diversion policy to the detection device.
S310. The detection device establishes a diversion tunnel with other detection devices according to the second-level diversion policy.
S311. The detection device sends the traffic exceeding its detection capability to the other detection devices.
S312. The other detection devices perform security detection on the traffic.
S313. The other detection devices forward the detection result to the access device through the detection device.
S314. The access device blocks traffic according to the detection result.
In this embodiment, the controller generates a first-level diversion policy according to the security detection performance of the detection devices in the network, and the access device then establishes a diversion tunnel with the detection device according to that first-level policy. When the traffic of the access device rises and the detection device that already has a diversion tunnel can no longer meet the access device's current detection demand, the controller issues a second-level diversion policy to the detection device, so that the detection device sends the traffic exceeding its detection capability to other detection devices, which assist with the traffic detection. The detection device feeds the traffic detection results back to the access device, and when a result indicates a threat the access device blocks the corresponding traffic, thereby maintaining the security of the whole network.
This embodiment does not limit the number of diversion tunnels established: whenever the data load on any detection device exceeds a preset threshold, that device can forward the excess data over a second diversion tunnel to other detection devices for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices can always satisfy the traffic detection demand of the device to be processed (one or more of the access devices), and detection efficiency is improved.
图5为本申请实施例提供的一种网络安全检测方法的信令交互示意图二,如图5所示,本实施例中的方法可以包括:Figure 5 is a second schematic diagram of signaling interaction of a network security detection method provided by an embodiment of this application. As shown in Figure 5, the method in this embodiment may include:
S401、检测设备向控制器上报安全检测性能。S401. The detection device reports the safety detection performance to the controller.
S402、控制器根据网络中检测设备的安全检测性能,生成一级引流策略。S402. The controller generates a first-level drainage strategy according to the safety detection performance of the detection equipment in the network.
S403、控制器向接入设备下发一级引流策略。S403: The controller issues a first-level diversion strategy to the access device.
S404、接入设备根据一级引流策略,与至少一个检测设备建立引流隧道。S404. The access device establishes a drainage tunnel with at least one detection device according to the first-level drainage strategy.
S405、接入设备通过引流隧道将流量发送给检测设备。S405. The access device sends the traffic to the detection device through the drainage tunnel.
S406、检测设备对流量进行安全检测。S406. The detection device performs safety detection on the flow.
S407、检测设备向接入设备反馈检测结果。S407. The detection device feeds back the detection result to the access device.
S408、接入设备根据检测结果进行流量阻断。S408. The access device performs traffic blocking according to the detection result.
S409. When traffic at the access device increases and the detection device can no longer meet the current detection demand, the controller issues a second-level diversion policy to the access device.
S410. The access device establishes a diversion tunnel with another detection device according to the second-level diversion policy.
S411. The access device sends the traffic that exceeds the detection capability of the original detection device to the other detection device.
S412. The other detection device performs security detection on that traffic.
S413. The other detection device returns the detection result to the access device.
S414. The access device blocks traffic according to the detection result.
In this embodiment, the controller generates a first-level diversion policy from the security detection capabilities of the detection devices in the network, and the access device establishes a diversion tunnel with a detection device according to that policy. When traffic at the access device increases so that the detection device already reached over a diversion tunnel can no longer meet the access device's current detection demand, the controller issues a second-level diversion policy to the access device, so that the access device sends the traffic exceeding that detection device's capability to other detection devices, which assist with the detection. Each detection device feeds its detection result back to the access device; when the result indicates a threat, the access device blocks the corresponding traffic, thereby maintaining security across the whole network.
This embodiment does not limit the number of diversion tunnels that may be established. When the data load on a detection device exceeds a preset threshold, the access device can send the excess data through a second diversion tunnel to another detection device for security detection. The scheme therefore adapts to dynamic changes in traffic, so that the scheduled detection devices always satisfy the traffic detection demand of the device to be processed (one or more of the access devices), which improves detection efficiency.
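The two-level diversion scheme described in this embodiment (a first-level policy whose summed detection capability covers the access device's volume and maps each data type to a capable detection device, a second-level policy that sends only the excess to detection devices outside the existing tunnels, and blocking on a threat verdict returned over the tunnel), as an added simulation in Python. This is not code from the patent or from the applicant; the device names, the Gbit/s capacities, the data-type labels, the threat signatures and the greedy largest-free-capability-first selection order are all assumptions made for illustration.

```python
"""Added example, not the patent's code: a simulation of two-level traffic diversion.
Device names, Gbit/s capacities, data types, signatures and the greedy order are assumed."""
from dataclasses import dataclass


@dataclass
class DetectionDevice:
    name: str
    capacity: float         # security detection capability, Gbit/s (assumed unit)
    data_types: frozenset   # data types this device can inspect
    signatures: tuple = ()  # constructed threat signatures matched by inspect()
    load: float = 0.0       # capability already promised to diversion tunnels

    def free(self):
        return self.capacity - self.load

    def inspect(self, flow):
        """Security detection on one flow: 'threat' if any signature matches."""
        if flow["type"] not in self.data_types:
            raise ValueError(f"{self.name} cannot inspect {flow['type']}")
        return "threat" if any(s in flow["payload"] for s in self.signatures) else "clean"


class Controller:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}   # reported capabilities

    def allocate(self, volume, data_types, exclude=frozenset()):
        """First-level policy: greedy, largest free capability first, over devices able to
        inspect a required type, until the shares sum to `volume` and every type is covered.
        Returns ({device: share}, {type: device}) or None if the demand cannot be met."""
        data_types, tunnels, type_map, remaining = set(data_types), {}, {}, volume
        for dev in sorted(self.devices.values(), key=lambda d: d.free(), reverse=True):
            if dev.name in exclude or dev.free() <= 0 or not data_types & dev.data_types:
                continue
            covers = [t for t in data_types if t not in type_map and t in dev.data_types]
            if remaining <= 0 and not covers:
                continue
            share = min(dev.free(), remaining) if remaining > 0 else 0.0
            tunnels[dev.name], remaining = share, remaining - share
            type_map.update((t, dev.name) for t in covers)
            if remaining <= 0 and len(type_map) == len(data_types):
                break
        if remaining > 0 or len(type_map) < len(data_types):
            return None
        for name, share in tunnels.items():   # commit the promised capability
            self.devices[name].load += share
        return tunnels, type_map

    def second_policy(self, existing, new_volume, data_types):
        """Second-level policy: only the excess over `existing` goes to other devices."""
        excess = new_volume - sum(existing.values())
        return self.allocate(excess, data_types, set(existing)) if excess > 0 else None


class AccessDevice:
    """Holds the controller's policies, diverts flows over tunnels, blocks on 'threat'."""
    def __init__(self, devices):
        self.devices, self.in_use, self.blocklist = devices, {}, set()
        self.tunnels, self.type_map = {}, {}        # first-level tunnels / type map
        self.overflow, self.overflow_map = {}, {}   # second-level tunnels / type map

    def forward(self, flow):
        key = (flow["src"], flow["dst"])
        if key in self.blocklist:
            return "blocked"
        dev, limit = self.type_map[flow["type"]], self.tunnels
        if self.in_use.get(dev, 0.0) + flow["gbps"] > limit[dev]:   # primary tunnel full
            dev, limit = self.overflow_map.get(flow["type"]), self.overflow
            if dev is None or self.in_use.get(dev, 0.0) + flow["gbps"] > limit[dev]:
                return "uninspected"    # no detection capability left anywhere
        self.in_use[dev] = self.in_use.get(dev, 0.0) + flow["gbps"]
        if self.devices[dev].inspect(flow) == "threat":
            self.blocklist.add(key)
            return "blocked"
        return "forwarded"


def http_flow(src, dst, gbps, host):   # constructed sample flow
    return {"src": src, "dst": dst, "type": "http", "gbps": gbps,
            "payload": f"GET / HTTP/1.1\r\nHost: {host}\r\n"}


def demo():
    """Constructed scenario: 12 Gbit/s of http+dns, later growing to 17 Gbit/s."""
    devices = [DetectionDevice("det-A", 10.0, frozenset({"http", "dns"}), ("evil.example",)),
               DetectionDevice("det-B", 6.0, frozenset({"http"}), ("evil.example",)),
               DetectionDevice("det-C", 8.0, frozenset({"dns", "smtp"}), ("evil.example",))]
    ctl, acc = Controller(devices), AccessDevice({d.name: d for d in devices})
    first = ctl.allocate(12.0, ("http", "dns"))
    acc.tunnels, acc.type_map = first                 # tunnels established per policy
    flows = [http_flow("10.0.0.5", "198.51.100.7", 3.0, "shop.example"),
             http_flow("10.0.0.9", "203.0.113.2", 4.0, "evil.example"),
             http_flow("10.0.0.9", "203.0.113.2", 1.0, "evil.example"),
             http_flow("10.0.0.6", "198.51.100.8", 5.0, "shop.example")]
    results = [acc.forward(f) for f in flows]         # last flow: primary tunnel full
    second = ctl.second_policy(acc.tunnels, 17.0, ("http",))
    acc.overflow, acc.overflow_map = second           # second tunnel established
    results.append(acc.forward(flows[-1]))            # now spills over to det-B
    return first, second, results
```

Two points a practitioner will want to keep in mind with this model. The controller's allocation is driven entirely by the capability figures the detection devices report, and the access device blocks on whatever verdict comes back over the tunnel, so in a real deployment both the capability-report channel and the result channel need to be authenticated; the simulation simply trusts them. The simulation also treats every flow as concurrent and never released, which is what makes the fourth flow come back `uninspected` until the second-level policy adds `det-B`; a real access device would track tunnel load over time and would need an explicit fail-open or fail-closed decision for traffic that no detection device can take.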
FIG. 6 is a first schematic structural diagram of a controller provided by an embodiment of this application. As shown in FIG. 6, the controller may include:
a receiving module 61, configured to receive the security detection capabilities of multiple detection devices in the network;
a processing module 62, configured to issue a first diversion policy to a device to be processed among the access devices according to the security detection capabilities of the multiple detection devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
Optionally, the first diversion policy further includes a correspondence between a data type and the detection device capable of detecting that data type, and further instructs the device to be processed to send traffic belonging to that data type through the diversion tunnel to the detection device capable of detecting it.
Optionally, the processing module 62 is further configured to determine the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient for detection of the data passing through the device to be processed.
Optionally, the processing module 62 is further configured to: when the volume of data passing through the device to be processed rises such that the summed security detection capability of the at least one detection device can no longer cover detection of that data, send a second diversion policy to one or more of the at least one detection device, the second diversion policy instructing the one or more detection devices to establish a diversion tunnel with a detection device other than the at least one detection device.
The controller in this embodiment can perform the methods shown in FIG. 2 to FIG. 5; for the specific implementation process and principles, refer to the description of the methods shown in FIG. 2 to FIG. 5, which is not repeated here.
FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of this application. As shown in FIG. 7, the access device may include:
a sending module 71, configured to send a data type and/or a data volume to the controller;
a receiving module 72, configured to receive a first diversion policy from the controller, where the first diversion policy is related to the data type and/or the data volume;
a processing module 73, configured to establish a diversion tunnel with at least one detection device according to the first diversion policy;
the sending module 71 being further configured to send data to the detection device through the diversion tunnel.
The access device in this embodiment can perform the methods shown in FIG. 2 to FIG. 5; for the specific implementation process and principles, refer to the description of the methods shown in FIG. 2 to FIG. 5, which is not repeated here.
FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of this application. As shown in FIG. 8, the detection device may include:
a receiving module 81, configured to receive a diversion policy sent by the controller when the detection capability of the detection device does not meet the detection demand for data arriving over a first diversion tunnel;
a processing module 82, configured to establish a second diversion tunnel with another detection device according to that diversion policy and to send the data exceeding the detection device's detection capability to the other detection device through the second diversion tunnel.
The detection device in this embodiment can perform the methods shown in FIG. 2 to FIG. 5; for the specific implementation process and principles, refer to the description of the methods shown in FIG. 3 to FIG. 5, which is not repeated here.
FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of this application. As shown in FIG. 9, the switch device in this embodiment may include a network interface 91, a processor 92, a memory 93 and a network forwarding chip 94. A switch device that has data security detection capability can be used as a detection device. A switch device that has no data security detection capability, or whose own capability cannot meet its own detection demand, can be used as an access device. It should be noted that this embodiment does not limit the internal architecture of the switch device; some switch devices may have no network forwarding chip and instead forward data directly with the processor.
FIG. 10 is a second schematic structural diagram of a controller provided by an embodiment of this application. As shown in FIG. 10, the controller in this embodiment may include a processor 1001, a memory 1002, an input device 1003 and an output device 1004, where the processor 1001 communicates with the memory 1002, the input device 1003 and the output device 1004 over a bus 1005. The controller may also be deployed as a physical server or as a virtual machine; this embodiment does not limit the architecture of the controller.
An embodiment of this application further provides a network security detection system comprising a controller, an access device and a detection device, where the controller performs the method shown in FIG. 2, the access device performs the method shown in FIG. 3, and the detection device performs the method shown in FIG. 3. For the specific implementation process and principles, refer to the description of the methods shown in FIG. 2 to FIG. 5, which is not repeated here.
An embodiment of this application provides a computer-readable storage medium storing instructions which, when executed, cause a computer to perform the method performed by the terminal device in the foregoing embodiments of this application.
An embodiment of this application provides a computer-readable storage medium storing instructions which, when executed, cause a computer to perform the method performed by the network device in the foregoing embodiments of this application.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual need to achieve the purpose of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or in hardware plus software functional units.
It should be noted that the division into modules in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in practice. The functional modules in the embodiments of this application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module.
If the integrated module is implemented as a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in whole or in part, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform all or some of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions of the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, an optical disc) or a semiconductor medium (for example, a solid-state drive (SSD)).

Claims (13)

  1. A network security detection method, characterized in that the method comprises:
    a controller receiving security detection capabilities of multiple detection devices in a network; and
    issuing, according to the security detection capabilities of the multiple detection devices, a first diversion policy to a device to be processed among the access devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  2. The method according to claim 1, characterized in that
    the first diversion policy further comprises a correspondence between a data type and a detection device capable of detecting the data type; and
    the first diversion policy further instructs the device to be processed to send traffic belonging to the data type, via the diversion tunnel, to the detection device capable of detecting the data type.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    determining the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, where the sum of the security detection capabilities of the at least one detection device is sufficient for detection of the data passing through the device to be processed.
  4. The method according to claim 3, characterized in that the method further comprises:
    when the volume of data passing through the device to be processed rises such that the sum of the security detection capabilities of the at least one detection device can no longer cover detection of the data passing through the device to be processed, sending a second diversion policy to one or more of the at least one detection device, the second diversion policy instructing the one or more detection devices to establish a diversion tunnel with a detection device other than the at least one detection device.
  5. A network security detection method, characterized in that the method comprises:
    an access device sending a data type and/or a data volume to a controller;
    receiving a first diversion policy from the controller, where the first diversion policy is related to the data type and/or the data volume;
    establishing a diversion tunnel with at least one detection device according to the first diversion policy; and
    sending data to the detection device through the diversion tunnel.
  6. A network security detection method, characterized in that the method comprises:
    when the detection capability of a detection device does not meet the detection demand for data arriving over a first diversion tunnel, the detection device receiving a diversion policy sent by a controller; and
    the detection device establishing, according to the diversion policy, a second diversion tunnel with another detection device, and sending the data exceeding the detection device's detection capability to the other detection device through the second diversion tunnel.
  7. A controller, characterized in that it comprises:
    a receiving module, configured to receive security detection capabilities of multiple detection devices in a network; and
    a processing module, configured to issue, according to the security detection capabilities of the multiple detection devices, a first diversion policy to a device to be processed among the access devices, where the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  8. The controller according to claim 7, characterized in that the first diversion policy further comprises a correspondence between a data type and a detection device capable of detecting the data type; and
    the first diversion policy further instructs the device to be processed to send traffic belonging to the data type, via the diversion tunnel, to the detection device capable of detecting the data type.
  9. The controller according to claim 7 or 8, characterized in that the processing module is further configured to:
    determine the at least one detection device according to the volume of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, where the sum of the security detection capabilities of the at least one detection device is sufficient for detection of the data passing through the device to be processed.
  10. The controller according to claim 9, characterized in that the processing module is further configured to:
    when the volume of data passing through the device to be processed rises such that the sum of the security detection capabilities of the at least one detection device can no longer cover detection of the data passing through the device to be processed, send a second diversion policy to one or more of the at least one detection device, the second diversion policy instructing the one or more detection devices to establish a diversion tunnel with a detection device other than the at least one detection device.
  11. An access device, characterized in that it comprises:
    a sending module, configured to send a data type and/or a data volume to a controller;
    a receiving module, configured to receive a first diversion policy from the controller, where the first diversion policy is related to the data type and/or the data volume;
    a processing module, configured to establish a diversion tunnel with at least one detection device according to the first diversion policy; and
    the sending module being further configured to send data to the detection device through the diversion tunnel.
  12. A detection device, characterized in that it comprises:
    a receiving module, configured to receive a diversion policy sent by a controller when the detection capability of the detection device does not meet the detection demand for data arriving over a first diversion tunnel; and
    a processing module, configured to establish, according to the diversion policy, a second diversion tunnel with another detection device, and to send the data exceeding the detection device's detection capability to the other detection device through the second diversion tunnel.
  13. A network security detection system, characterized in that the system comprises a controller, an access device and a detection device, where:
    the controller is configured to perform the method according to any one of claims 1 to 4;
    the access device is configured to perform the method according to claim 5; and
    the detection device is configured to perform the method according to claim 6.
PCT/CN2021/100383 2020-06-17 2021-06-16 Network security detection method and system, and device and controller WO2021254397A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010553314.X 2020-06-17
CN202010553314.XA CN113810348B (en) 2020-06-17 2020-06-17 Network security detection method, system, equipment and controller

Publications (1)

Publication Number Publication Date
WO2021254397A1 true WO2021254397A1 (en) 2021-12-23

Family

ID=78892667

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/100383 WO2021254397A1 (en) 2020-06-17 2021-06-16 Network security detection method and system, and device and controller

Country Status (2)

Country Link
CN (1) CN113810348B (en)
WO (1) WO2021254397A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130283373A1 (en) * 2012-04-18 2013-10-24 Radware, Ltd. Techniques for separating the processing of clients' traffic to different zones
CN104601482A (en) * 2013-10-30 2015-05-06 中兴通讯股份有限公司 Traffic cleaning method and device
CN105100026A (en) * 2014-05-22 2015-11-25 杭州华三通信技术有限公司 Safe message forwarding method and safe message forwarding device
CN109831390A (en) * 2019-01-21 2019-05-31 新华三云计算技术有限公司 Message transmission control method and device

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3036863A1 (en) * 2013-08-19 2016-06-29 Hewlett Packard Enterprise Development LP Adaptive network security policies
CN104753951A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Network security traffic platform based on software definition
CN106911588B (en) * 2015-12-22 2020-03-20 中国电信股份有限公司 Method, device and system for realizing deep packet inspection optimization
CN109922021B (en) * 2017-12-12 2022-03-08 中国电信股份有限公司 Safety protection system and safety protection method
CN107979614A (en) * 2017-12-30 2018-05-01 杭州华为数字技术有限公司 Data packet detection method and device
CN111221619B (en) * 2018-11-27 2023-09-08 中国移动通信集团江西有限公司 Method, device and equipment for opening and arranging business
CN109981355A (en) * 2019-03-11 2019-07-05 北京网御星云信息技术有限公司 Security defend method and system, computer readable storage medium for cloud environment
CN110113435B (en) * 2019-05-27 2022-01-14 绿盟科技集团股份有限公司 Method and equipment for cleaning flow
CN110798459B (en) * 2019-10-23 2022-08-02 国网江苏省电力有限公司信息通信分公司 Multi-safety-node linkage defense method based on safety function virtualization
CN111131319A (en) * 2019-12-30 2020-05-08 北京天融信网络安全技术有限公司 Security capability expansion method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113810348A (en) 2021-12-17
CN113810348B (en) 2023-04-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21825745

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21825745

Country of ref document: EP

Kind code of ref document: A1