CN101695031A - Upgrading method and device of intrusion prevention system - Google Patents


Info

Publication number
CN101695031A
Authority
CN
China
Prior art keywords
engine
sign
message
prevention system
intrusion prevention
Prior art date
Legal status
Granted
Application number
CN200910207056A
Other languages
Chinese (zh)
Other versions
CN101695031B (en)
Inventor
廉莲
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2009102070563A
Publication of CN101695031A
Application granted
Publication of CN101695031B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Stored Programmes (AREA)

Abstract

The embodiment of the invention discloses an upgrading method and device for an intrusion prevention system. The upgrading method comprises the following steps: a process is created, and an upgrade package for upgrading the intrusion prevention system is loaded into the created process; in that process, the engine in the upgrade package is loaded, and an identifier of the loaded engine is set and recorded; and the signature database in the upgrade package is loaded and compiled by the loaded engine to generate a state machine, thereby upgrading the intrusion prevention system. The embodiment thus loads a plurality of engines during the upgrade of the intrusion prevention system, compiles a plurality of groups of state machines that work simultaneously, and ensures, to the greatest possible extent, that packet detection for data flows established before the upgrade operation is not interrupted while the intrusion prevention system is upgraded.

Description

Upgrade method and device for an intrusion prevention system
Technical field
The embodiments of the invention relate to the field of communication technology, and in particular to an upgrade method and device for an intrusion prevention system.
Background art
With the continuous improvement of cyber-attack techniques and the continuous discovery of network vulnerabilities, the traditional combination of a firewall and an intrusion detection system (Intrusion Detection System, hereinafter IDS) can no longer cope with some security threats. Under these circumstances, intrusion prevention system (Intrusion Prevention System, hereinafter IPS) technology has emerged. An IPS can deeply inspect and detect the packets flowing through it, discard malicious packets to block attacks, and rate-limit abusive packets to protect network bandwidth resources.
An IPS deployed on the packet forwarding path can perform deep detection of each packet flowing through it according to predefined security policies. Deep detection of a packet includes protocol analysis and tracking, signature matching, traffic statistics analysis and event correlation analysis. When a packet is detected and a network attack hidden in the packet is discovered, the IPS can immediately take countermeasures according to the threat level of the attack, including: raising an alarm to the management center; discarding the packet; terminating the application session; and terminating the TCP connection. After the security policies have been configured, the IPS needs to compile them, generating a corresponding set of state machines for each security policy for use in packet detection; if a security policy is modified, the IPS needs to recompile it and generate new state machines for use in packet detection.
Upgrading an IPS covers two cases: upgrading the engine together with the signature database, and upgrading only the signature database. Upgrading the engine can upgrade the dynamic link library of the engine interface; upgrading the signature database can upgrade the contents of the signature database, for example by adding, modifying or deleting signatures. After the IPS is upgraded, the security policies configured before the upgrade can be modified accordingly based on the upgraded content, and recompiled to generate new state machines. When an IPS detects the packets of a data flow, it uses the same state machine for all packets of that flow. The packets of a data flow must be fed into the engine in order, starting from the first packet and without overlap; otherwise the IPS may produce false negatives and false positives.
In the prior art, packets are handled as follows after an IPS upgrade succeeds: if the current packet still belongs to a data flow that was being detected before the upgrade, the packet is not detected and is passed through directly; if the current packet belongs to a data flow newly established after the upgrade, the packet is fed into the engine for detection.
In the course of realizing the present invention, the inventor found that the prior art has at least the following problem: after an IPS upgrade succeeds, the existing packet handling can only scan the packets of data flows newly established after the upgrade. If a data flow from before the upgrade continues for a long time, or if that data flow has ended but its session table entry has not yet aged out and a new, identical connection is initiated, the IPS cannot detect the packets belonging to such a pre-upgrade data flow, so those packets escape detection.
Summary of the invention
The embodiments of the invention provide an upgrade method and device for an intrusion prevention system, so as to load a plurality of engines, compile multiple groups of state machines that work simultaneously, and, to the greatest possible extent, avoid interrupting the packet detection service for data flows established before the upgrade operation while the intrusion prevention system is upgraded.
An embodiment of the invention provides an upgrade method for an intrusion prevention system, comprising:
creating a process, and downloading in the created process an upgrade package for upgrading the intrusion prevention system;
in said process, loading the engine in said upgrade package, and setting and recording an identifier of the loaded engine; loading and compiling, by said loaded engine, the signature database in said upgrade package to generate a state machine, thereby upgrading said intrusion prevention system.
An embodiment of the invention also provides an upgrade device for an intrusion prevention system, comprising:
a creation module, used to create a process;
a download module, used to download, in the process created by said creation module, an upgrade package for upgrading the intrusion prevention system;
a loading module, used to load, in the process created by said creation module, the engine in the upgrade package downloaded by said download module, and to set and record an identifier of the loaded engine;
a compilation module, used to load and compile, in the process created by said creation module and by means of the engine loaded by said loading module, the signature database in the upgrade package downloaded by said download module, and to generate a state machine, thereby upgrading said intrusion prevention system.
In the embodiments of the invention, a process is created, an upgrade package for upgrading the intrusion prevention system is downloaded in the created process, the engine in the upgrade package is loaded in that process, an identifier of the loaded engine is set and recorded, and the signature database in the upgrade package is loaded and compiled by the loaded engine to generate a state machine, thereby upgrading the intrusion prevention system. The embodiments can either create a new process every time the engine needs to be upgraded and load one engine per process, or create only one process and load a plurality of engines in that same process. In this way a plurality of engines are loaded during the upgrade of the intrusion prevention system, multiple groups of state machines are compiled and work simultaneously, and the packet detection service for data flows established before the upgrade operation is, to the greatest possible extent, not interrupted while the intrusion prevention system is upgraded.
Description of drawings
In order to illustrate the technical solutions of the embodiments of the invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can also obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the upgrade method for an intrusion prevention system of the present invention;
Fig. 2 is a flow chart of an embodiment of packet detection according to the present invention;
Fig. 3 is a flow chart of another embodiment of the upgrade method for an intrusion prevention system of the present invention;
Fig. 4 is a flow chart of another embodiment of the upgrade method for an intrusion prevention system of the present invention;
Fig. 5 is a flow chart of another embodiment of packet detection according to the present invention;
Fig. 6 is a flow chart of another embodiment of the upgrade method for an intrusion prevention system of the present invention;
Fig. 7 is a schematic structural diagram of an embodiment of the upgrade device for an intrusion prevention system of the present invention;
Fig. 8 is a schematic structural diagram of another embodiment of the upgrade device for an intrusion prevention system of the present invention;
Fig. 9 is a schematic structural diagram of another embodiment of the upgrade device for an intrusion prevention system of the present invention;
Fig. 10 is a schematic structural diagram of another embodiment of the upgrade device for an intrusion prevention system of the present invention.
Embodiment
The technical solutions of the present invention are described below clearly and completely with reference to the drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an embodiment of the upgrade method for an intrusion prevention system of the present invention. As shown in Fig. 1, this embodiment comprises:
Step 101: create a process, and download in the created process an upgrade package for upgrading the intrusion prevention system.
In this embodiment, a new process is created every time the intrusion prevention system needs to be upgraded; specifically, a new process is created every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded. The upgrade package for upgrading the intrusion prevention system is then downloaded in the created process.
Step 102: in the above process, load the engine in the upgrade package, and set and record an identifier of the loaded engine.
Specifically, the identifier of a loaded engine can be set according to the order of loading time; for example, in order of loading time from earliest to latest, the identifiers of the engines are set to 1, 2, ..., n, so that the engine identified as 1 is the engine loaded first. This is only one way of setting the engine identifier, and the embodiment is not limited to it; the engine identifier can be set in other ways, as long as the identifiers can distinguish the order in which the engines were loaded.
Step 103: in the above process, load and compile the signature database in the upgrade package by means of the loaded engine, and generate a state machine, thereby upgrading the intrusion prevention system.
In this embodiment, steps 101 to 103 are executed every time the intrusion prevention system needs to be upgraded, which completes the upgrade. Specifically, a new process is created and steps 101 to 103 are executed every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded. When only the signature database is upgraded, the most recently loaded engine can be determined from the recorded engine identifiers, that engine is reloaded in the newly created process, and a new engine identifier is set for the reloaded engine. Therefore, in this embodiment, engines and state machines correspond one to one.
After a packet is received, the engine that detects the packet can be determined from the information in the packet header and the recorded engine identifiers, and the determined engine invokes the state machine it generated to detect the packet.
The way in which packets are detected in this embodiment is described in detail below with reference to Fig. 2.
Fig. 2 is a flow chart of an embodiment of packet detection according to the present invention. As shown in Fig. 2, the packet detection flow of this embodiment comprises:
Step 201: receive a packet.
Step 202: determine, from the information in the packet header, whether the packet is the first packet of a data flow. If the packet is the first packet of a data flow, execute step 203; if it is not, execute step 204.
Specifically, determining whether a packet is the first packet of a data flow can be done by parsing the packet header to determine the transport protocol the packet uses. When the packet is transmitted using the Transmission Control Protocol (hereinafter TCP), the packet is the first packet of a data flow if its header contains the first-packet flag, and is not the first packet of a data flow if its header does not contain the first-packet flag. When the packet is transmitted using the User Datagram Protocol (hereinafter UDP), the five-tuple information of the packet is used to look up whether the intrusion prevention system holds a record for that five-tuple: if no such record is found, the packet can be determined to be the first packet of a data flow, and the five-tuple information of this first packet is recorded; if a record is found, the packet is not the first packet of a data flow. The five-tuple information of a packet comprises the source Internet Protocol (hereinafter IP) address, destination IP address, source port, destination port and transport protocol of the packet; packets belonging to the same data flow have identical five-tuple information.
Step 203: determine, from the recorded engine identifiers, the most recently loaded engine, which is the engine that detects this packet; record the five-tuple information in the header of the packet, and establish a correspondence between the five-tuple information and the identifier of the engine that detects this packet; then execute step 205.
Specifically, once the received packet has been determined to be the first packet of a data flow, the most recently loaded engine can be determined by looking up the recorded engine identifiers, and that engine is taken as the engine that detects the first packet; the five-tuple information in the header of the packet is then recorded, and a correspondence between the five-tuple information and the identifier of the engine that detects the packet is established. Because the packets of the same data flow have identical five-tuple information, when a subsequent packet of that data flow is received, the identifier of the engine corresponding to the five-tuple can be determined from the five-tuple information of the subsequent packet and the recorded correspondence between five-tuple information and engine identifiers; the engine that detects the subsequent packet is thereby determined, and it is guaranteed that the same engine detects all packets of the same data flow.
Step 204: using the five-tuple information in the header of the packet and the correspondence between five-tuple information and engine identifiers established when the first packet of the data flow was processed, look up among the recorded engine identifiers the identifier corresponding to this five-tuple, and determine the engine with that identifier as the engine that detects this packet; then execute step 205.
Step 205: the determined engine invokes the state machine it generated to detect the packet.
In this embodiment, engines and state machines correspond one to one, so once the engine that detects a packet has been determined, that engine can invoke the state machine it generated to detect the received packet.
Step 206: after the detection passes, send the packet.
Specifically, if the intrusion prevention system finds no network attack in the packet, the detection passes and the packet is sent; if the intrusion prevention system finds a network attack hidden in the packet, it can immediately take countermeasures according to the threat level of the attack, including one or a combination of: raising an alarm to the management center, discarding the packet, terminating the application session, and terminating the TCP connection.
In this embodiment, when the intrusion prevention system has not yet started, or has just started and its engine has not yet finished loading, the packets flowing through the intrusion prevention system are not detected, and the subsequent packets of the data flows to which those packets belong are also not detected but are sent directly.
The above embodiment creates a process, downloads in the created process an upgrade package for upgrading the intrusion prevention system, loads the engine in the upgrade package, sets and records an identifier of the loaded engine, and loads and compiles the signature database in the upgrade package by means of the loaded engine to generate a state machine, thereby upgrading the intrusion prevention system. This embodiment creates a new process every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded. In this way a plurality of engines are loaded during the upgrade of the intrusion prevention system, multiple groups of state machines are compiled and work simultaneously, and the packet detection service for data flows established before the upgrade operation is, to the greatest possible extent, not interrupted while the intrusion prevention system is upgraded.
Fig. 3 is a flow chart of another embodiment of the upgrade method for an intrusion prevention system of the present invention. As shown in Fig. 3, this embodiment comprises:
Step 301: create a process, and download in the created process an upgrade package for upgrading the intrusion prevention system.
In this embodiment, a new process is created every time the intrusion prevention system needs to be upgraded; specifically, a new process is created every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded.
Step 302: set and record an identifier of the created process according to the time at which the process was created.
Specifically, the identifier of a created process can be set according to the order of creation time; for example, in order of creation time from earliest to latest, the identifiers of the created processes are set to a_1, a_2, ..., a_n, so that the process identified as a_1 is the process created first. This is only one way of setting the process identifier, and the embodiment is not limited to it; the process identifier can be set in other ways, as long as the identifiers can distinguish the order in which the processes were created.
Step 303: in the above process, load the engine in the upgrade package, and set and record an identifier of the loaded engine.
Specifically, the identifier of a loaded engine can be set according to the order of loading time; for example, in order of loading time from earliest to latest, the identifiers of the engines are set to b_1, b_2, ..., b_n, so that the engine identified as b_1 is the engine loaded first. This is only one way of setting the engine identifier, and the embodiment is not limited to it; the engine identifier can be set in other ways, as long as the identifiers can distinguish the order in which the engines were loaded.
Step 304: in the above process, load and compile the signature database in the upgrade package by means of the loaded engine, and generate a state machine, thereby upgrading the intrusion prevention system.
In this embodiment, steps 301 to 304 are executed every time the intrusion prevention system needs to be upgraded, which completes the upgrade. Specifically, a new process is created and steps 301 to 304 are executed every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded. When only the signature database is upgraded, the most recently loaded engine can be determined from the recorded engine identifiers, that engine is reloaded in the newly created process, and a new engine identifier is set for the reloaded engine. Therefore, in this embodiment, engines and state machines correspond one to one.
After a packet is received, the engine that detects the packet can be determined from the information in the packet header and the recorded engine identifiers, and the determined engine invokes the state machine it generated to detect the packet. Specifically, after a packet is received, the method provided by the embodiment shown in Fig. 2 can be used to detect it.
Step 305: when the intrusion prevention system needs to be upgraded again, determine whether the number of created processes has reached a preset first threshold. If the number of created processes has reached the preset first threshold, execute step 306; if the number of created processes is less than the preset first threshold, execute step 301.
In this embodiment, during continuous upgrading, the number of created processes can be limited according to the actual memory situation of the intrusion prevention system; specifically, the first threshold can be set to n according to the memory situation of the intrusion prevention system, where n is a positive integer, for example n = 2.
Step 306: determine, from the recorded process identifiers, the process created first; unload the engine in the process created first and release the resources occupied by that engine; then execute step 307.
When the intrusion prevention system needs to be upgraded again and the number of created processes has reached n, the process created first can be determined from the process identifiers recorded in step 302; in this embodiment, the process created first is the process identified as a_1. The engine in the process identified as a_1 is then unloaded and the resources occupied by that engine are released.
Step 307: download, in the process created first, the upgrade package for upgrading the intrusion prevention system, and execute step 302 and the subsequent steps.
After the engine in the process identified as a_1 has been unloaded and the resources it occupied have been released, the upgrade package for upgrading the intrusion prevention system is downloaded in the process identified as a_1, and step 302 and the subsequent steps are executed. After the upgrade package has been downloaded in the process identified as a_1, a new identifier needs to be set for that process, to indicate that it is the most recent process.
After the upgrade is complete, if a packet of a new data flow is received, it is detected by the most recently loaded engine in the process formerly identified as a_1; the subsequent packets of data flows that were being detected before the upgrade in the process formerly identified as a_1 are sent directly and are no longer detected.
The above embodiment creates a process, downloads in the created process an upgrade package for upgrading the intrusion prevention system, loads the engine in the upgrade package, sets and records an identifier of the loaded engine, and loads and compiles the signature database in the upgrade package by means of the loaded engine to generate a state machine, thereby upgrading the intrusion prevention system. This embodiment creates a new process every time the engine and the signature database are upgraded together, and every time only the signature database is upgraded. In this way a plurality of engines are loaded during the upgrade of the intrusion prevention system, multiple groups of state machines are compiled and work simultaneously, and the packet detection service for data flows established before the upgrade operation is, to the greatest possible extent, not interrupted while the intrusion prevention system is upgraded. In addition, this embodiment limits the number of created processes, ensuring that the created processes do not occupy too much memory and guaranteeing the normal operation of the intrusion prevention system.
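The following is an added example, not code from the patent or its assignee, that models the packet detection flow of Fig. 2 (steps 201 to 206) and the process recycling of Fig. 3 (steps 305 to 307) in Python. Engines, the compiled state machine (a tuple of byte patterns), the packet fields and the class and function names are all constructed stand-ins for illustration.

```python
"""Flow-to-engine dispatch across IPS engine upgrades (Fig. 2 detection, Fig. 3 recycling).

Constructed example: an Engine's "compiled state machine" is a tuple of byte patterns;
a real IPS would load an engine shared library and compile the signature database
into a matching automaton.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # src IP, dst IP, src port, dst port, protocol


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP first-packet flag used in step 202
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.sport, self.dport, self.proto)


@dataclass
class Engine:
    ident: int                      # identifier in load order, 1 = loaded first (step 102)
    signatures: Tuple[bytes, ...]   # stands in for the compiled state machine (step 103)

    def detect(self, payload: bytes) -> bool:
        """True when the packet passes, i.e. no signature matched."""
        return not any(sig in payload for sig in self.signatures)


class Ips:
    def __init__(self, max_processes: int = 2):
        self.max_processes = max_processes          # first threshold n (n = 2 in the text)
        self.engines: Dict[int, Engine] = {}        # engine ident -> engine, one process each
        self.flows: Dict[FiveTuple, Optional[int]] = {}   # five-tuple -> ident bound at first packet
        self._next_ident = 1

    def upgrade(self, signatures: List[bytes]) -> int:
        """Steps 301-307: create a process (recycling the oldest once the threshold is
        reached), load a new engine in it and compile the signature database."""
        if len(self.engines) >= self.max_processes:
            oldest = min(self.engines)              # process created first (step 306)
            del self.engines[oldest]                # unload its engine, release resources
            # flows still bound to `oldest` are sent without detection from now on
        ident = self._next_ident                    # fresh identifier marks the newest engine
        self._next_ident += 1
        self.engines[ident] = Engine(ident, tuple(signatures))
        return ident

    def is_first_packet(self, pkt: Packet) -> bool:
        """Step 202: TCP uses the header flag, UDP uses a five-tuple table lookup."""
        if pkt.proto == "tcp":
            return pkt.syn
        return pkt.five_tuple() not in self.flows

    def handle(self, pkt: Packet) -> str:
        """Steps 201-206. Returns 'pass', 'drop' or 'bypass' (sent without detection)."""
        key = pkt.five_tuple()
        if self.is_first_packet(pkt):
            # step 203: bind the new flow to the most recently loaded engine, or to no
            # engine at all if none is loaded yet (IPS not started / still loading)
            ident = max(self.engines) if self.engines else None
            self.flows[key] = ident
        else:
            # step 204: reuse the engine recorded for this five-tuple so that every
            # packet of the flow is inspected by the same engine and state machine
            ident = self.flows.get(key)
        engine = self.engines.get(ident) if ident is not None else None
        if engine is None:
            return "bypass"
        return "pass" if engine.detect(pkt.payload) else "drop"   # steps 205 and 206


def demo() -> List[str]:
    """Walk a pre-upgrade flow through two upgrades; returns the verdicts in order."""
    ips = Ips(max_processes=2)
    ips.upgrade([b"ATTACK-V1"])                          # engine 1
    old = dict(src_ip="10.0.0.1", dst_ip="10.0.0.2", sport=40000, dport=80, proto="tcp")
    verdicts = [ips.handle(Packet(**old, syn=True))]     # flow bound to engine 1
    ips.upgrade([b"ATTACK-V1", b"ATTACK-V2"])            # engine 2 loaded, engine 1 kept
    verdicts.append(ips.handle(Packet(**old, payload=b"ATTACK-V1")))   # old engine still inspects
    verdicts.append(ips.handle(Packet(**old, payload=b"ATTACK-V2")))   # old engine lacks V2
    new = dict(old, src_ip="10.0.0.3")
    verdicts.append(ips.handle(Packet(**new, syn=True, payload=b"ATTACK-V2")))  # new flow -> engine 2
    ips.upgrade([b"ATTACK-V3"])                          # threshold reached: engine 1 unloaded
    verdicts.append(ips.handle(Packet(**old, payload=b"ATTACK-V1")))   # now sent without detection
    verdicts.append(ips.handle(Packet(**new, payload=b"ATTACK-V2")))   # engine 2 still serves its flow
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['pass', 'drop', 'pass', 'drop', 'bypass', 'drop']
```

The third verdict shows the trade-off the text accepts: a flow that started before an upgrade keeps being inspected by the engine it was bound to, so signatures added later do not apply to it until its process is recycled.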
Fig. 4 is the flow chart of another embodiment of upgrade method of intrusion prevention system of the present invention, and as shown in Figure 4, this embodiment comprises:
Step 401, the establishment process is downloaded the AKU that intrusion prevention system is upgraded in the process of creating.
Step 402 according to the time of the process of establishment, is provided with and writes down the sign of the process of creating.
Particularly, the sign of the process of establishment can be according to the priority setting of creation-time, for example: according to creation-time by earlier to after order, the sign of the process created is made as a respectively 1, a 2..., a n, promptly be designated a 1Process be the process of creating at first.A kind of mode of sign of the process of establishment below just is set, and present embodiment is not limited in this, and the sign of the process of establishment also can be set by other modes, as long as the sign of the process that is provided with can be distinguished the sequencing of process creation.
Step 403 in above-mentioned process, loads the engine in this AKU, is provided with and writes down the sign of the engine that loads.
Particularly, the sign of the engine of loading can be according to the priority setting of load time, for example: according to the load time by earlier to after order, the sign of engine is made as b respectively 1, b 2..., b n, promptly be designated b 1Engine be the engine that loads at first.A kind of mode of the sign of engine below just is set, and present embodiment is not limited in this, and the sign of engine also can be set by other modes, as long as the sign of the engine that is provided with can be distinguished the sequencing that engine loads.
Step 404: in the above process, the loaded engine loads and compiles the feature (signature) database in the upgrade package to generate a state machine, thereby upgrading the intrusion prevention system; the identifier of the generated state machine is set and recorded, and the correspondence between the identifier of the state machine and the identifier of the engine that generated it is established.
In this embodiment, whenever the intrusion prevention system needs to be upgraded, steps 401 to 404 are executed to complete the upgrade. Specifically, a new process may be created and steps 401 to 404 executed each time the engine and the feature database are upgraded together; when only the feature database is upgraded, no new process is created. In that case the most recently created process can be determined from the process identifiers recorded in step 402, the upgrade package for the feature database is downloaded into that process, and the engine loaded in that process loads and compiles the feature database in the package to generate a state machine, which completes the feature database upgrade. Therefore, in this embodiment processes and engines correspond one to one, but one engine may correspond to several state machines. After a state machine is generated, its identifier must be set and recorded, and the correspondence between the identifier of the state machine and the identifier of the engine that generated it must be established.
Specifically, the identifiers of state machines can be set according to their generation order; for example, in order from the earliest to the latest generation time, the state machine identifiers are set to c1, c2, ..., cn, so that the state machine identified as c1 is the one generated first. This is only one way of setting the state machine identifiers, and the embodiment is not limited to it: the identifiers can be set in other ways, as long as they allow the generation order of the state machines to be distinguished.
After a packet is received, the engine that is to detect it can be determined from the information in the packet header and the recorded engine identifiers, and the determined engine invokes the state machine it generated to detect the packet.
Step 405: when the intrusion prevention system needs to be upgraded again, determine whether the engine and the feature database are to be upgraded together. If so, execute steps 406 to 409; if only the feature database is upgraded, execute steps 410 to 413.
Step 406: determine whether the number of processes already created has reached the preset first threshold. If it has, execute steps 408 to 409; if it is below the first threshold, execute step 407.
In this embodiment, during repeated upgrades the number of created processes can be limited according to the memory available to the intrusion prevention system; specifically, the first threshold can be set to n according to the memory of the intrusion prevention system, where n is a positive integer, for example n = 2.
Step 407: determine whether the number of state machines already generated has reached the preset second threshold. If it has, execute steps 408 to 409; if it is below the second threshold, execute step 401.
In this embodiment, during repeated upgrades the number of generated state machines can likewise be limited according to the memory available to the intrusion prevention system; specifically, the second threshold can be set to m according to the memory of the intrusion prevention system, where m is a positive integer, for example m = 4.
Step 408: determine the process created first from the recorded process identifiers, and unload the engine in that process.
When the intrusion prevention system needs to be upgraded again and the number of created processes has reached n, the process created first can be determined from the process identifiers recorded in step 402; in this embodiment that is the process identified as a1. The engine in process a1 is then unloaded and the resources it occupies are released.
For the case in which the number of created processes is below the preset first threshold but the number of generated state machines has reached the preset second threshold, one state machine in the process created first can be unloaded; specifically, the state machine generated first in that process is determined from the state machine identifiers recorded in step 404 and is then released.
Step 409: download the upgrade package for the intrusion prevention system into the process created first, and execute step 402 and the steps that follow it.
After the engine in the process identified as a1 has been unloaded and its resources released, the upgrade package for the intrusion prevention system is downloaded into process a1 and step 402 and the following steps are executed. Once the package has been downloaded into process a1, a new identifier must be assigned to that process to mark it as the most recent process.
After the upgrade is complete, if a packet of a new data flow is received, it is detected by the engine most recently loaded in the process formerly identified as a1; subsequent packets of data flows that were already being detected in that process before the upgrade are forwarded directly without further detection.
Step 410: determine whether the number of state machines already generated has reached the preset second threshold. If it has, execute step 411; if it is below the second threshold, execute steps 412 to 413.
As above, during repeated upgrades the number of generated state machines can be limited according to the memory available to the intrusion prevention system; the second threshold is set to m according to that memory, where m is a positive integer, for example m = 4.
Step 411: determine the process created first from the recorded process identifiers and release one state machine in that process; alternatively, unload the engine in the process created first and release the resources it occupies. Then execute step 412.
Specifically, when releasing a state machine in the process created first, the state machine generated first in that process is determined from the state machine identifiers recorded in step 404 and is then released.
Step 412: determine the most recently created process from the recorded process identifiers, and download the upgrade package for the feature database into that process.
Step 413: the engine loaded in the most recently created process loads and compiles the feature database in the upgrade package to generate a new state machine; as before, after the state machine is generated its identifier must be set and the correspondence between the identifier of the state machine and the identifier of the engine that generated it established. Then execute step 405 and the steps that follow it.
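The bookkeeping of steps 401 to 413 (one engine per process, several state machines per engine, a first threshold n on processes and a second threshold m on state machines, with the first-created process or first-generated state machine released when a limit is reached) can be modelled as a small manager. The following is an added example written for this page, not code from the patent or from its assignee; the version labels such as "e1" and "d1" are constructed, the identifiers a_k, b_k, c_k follow the naming the description suggests, and where step 408 releases a state machine and then loads a new engine into the first-created process, the example assumes that process's old engine is replaced, since the description keeps one engine per process:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class StateMachine:
    ident: str           # c_k, assigned in generation order (step 404)
    engine_ident: str    # b_k of the engine that compiled it
    db_version: str      # constructed label for the feature database release


@dataclass
class Process:
    ident: str                   # a_k, assigned in creation order (step 402)
    engine_ident: str = ""       # one engine per process in this embodiment
    engine_version: str = ""     # constructed label for the engine release
    state_machines: List[StateMachine] = field(default_factory=list)


class UpgradeManager:
    """Bookkeeping for steps 401-413: bounded processes and state machines."""

    def __init__(self, max_processes: int = 2, max_state_machines: int = 4) -> None:
        self.max_processes = max_processes            # first threshold n (page: n = 2)
        self.max_state_machines = max_state_machines  # second threshold m (page: m = 4)
        self.processes: List[Process] = []            # oldest first
        self._counters: Dict[str, int] = {"a": 0, "b": 0, "c": 0}

    def _next(self, prefix: str) -> str:
        """Identifiers a_k, b_k, c_k grow monotonically, so creation order is recoverable."""
        self._counters[prefix] += 1
        return f"{prefix}{self._counters[prefix]}"

    def total_state_machines(self) -> int:
        return sum(len(p.state_machines) for p in self.processes)

    def release_oldest_state_machine(self) -> StateMachine:
        """Steps 408/411: the smallest c_k suffix marks the first-generated state machine."""
        owner = min((p for p in self.processes if p.state_machines),
                    key=lambda p: int(p.state_machines[0].ident[1:]))
        return owner.state_machines.pop(0)

    def _load_engine(self, proc: Process, engine_version: str, db_version: str) -> Process:
        """Steps 402-404 inside one process: load the engine, then compile one state machine."""
        proc.engine_ident = self._next("b")
        proc.engine_version = engine_version
        proc.state_machines = [StateMachine(self._next("c"), proc.engine_ident, db_version)]
        return proc

    def upgrade(self, engine_version: str, db_version: str) -> Process:
        """Engine and feature database upgraded together (steps 405-409)."""
        if len(self.processes) >= self.max_processes:
            # Step 408, first case: reuse the process created first; unloading its engine
            # takes its state machines with it, and it gets a new identifier (step 409).
            proc = self.processes.pop(0)
            proc.ident = self._next("a")
        elif self.total_state_machines() >= self.max_state_machines:
            # Step 408, second case: release the first-generated state machine, then download
            # into the process created first (step 409). Assumption of this example: the
            # engine already in that process is replaced, keeping one engine per process.
            self.release_oldest_state_machine()
            proc = self.processes.pop(0)
            proc.ident = self._next("a")
        else:
            proc = Process(ident=self._next("a"))   # step 401: create a new process
        self.processes.append(self._load_engine(proc, engine_version, db_version))
        return proc

    def upgrade_feature_db(self, db_version: str) -> Process:
        """Only the feature database upgraded (steps 410-413)."""
        if self.total_state_machines() >= self.max_state_machines:
            self.release_oldest_state_machine()   # step 411, state-machine option
        proc = self.processes[-1]                 # step 412: most recently created process
        proc.state_machines.append(StateMachine(self._next("c"), proc.engine_ident, db_version))
        return proc

    def newest(self) -> Tuple[str, str]:
        """(engine id, state machine id) that a new flow's first packet is handed to."""
        proc = self.processes[-1]
        return proc.engine_ident, proc.state_machines[-1].ident


if __name__ == "__main__":
    mgr = UpgradeManager()
    mgr.upgrade("e1", "d1")
    mgr.upgrade_feature_db("d2")
    mgr.upgrade("e2", "d3")
    for p in mgr.processes:
        print(p.ident, p.engine_ident, [sm.ident for sm in p.state_machines])
```

The two limits are what keep memory bounded across an unbounded sequence of upgrades: every path through `upgrade` and `upgrade_feature_db` either reuses an existing process or first releases the oldest state machine, so the process count never exceeds n and the state machine count never exceeds m. The Fig. 6 variant described later differs only in keeping all engines in a single process, with the third threshold playing the role that the process limit plays here.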
In this embodiment, processes and engines correspond one to one, but one engine may correspond to several state machines. The way packets are detected in this embodiment is described in detail below with reference to Fig. 5.
Fig. 5 is a flow chart of another embodiment of packet detection according to the present invention. As shown in Fig. 5, the packet detection flow of this embodiment comprises:
Step 501: receive a packet.
Step 502: determine, from the information in the packet header, whether the packet is the first packet of a data flow. If it is, execute step 503; if it is not, execute step 504.
Specifically, whether a packet is the first packet of a data flow can be determined by parsing the packet header to identify the transport protocol the packet uses. If the packet is carried over TCP and its header contains the first-packet flag, the packet is the first packet of a data flow; if the header does not contain the first-packet flag, it is not. If the packet is carried over UDP, the five-tuple of the packet is used to look up whether the intrusion prevention system already holds a record of that five-tuple: if no record is found, the packet is the first packet of a data flow and the five-tuple of this first packet is recorded; if a record is found, the packet is not the first packet of a data flow. The five-tuple of a packet comprises its source IP address, destination IP address, source port, destination port and transport protocol; packets belonging to the same data flow have identical five-tuples.
Step 503: determine the most recently loaded engine from the recorded engine identifiers, and have that engine invoke its most recently generated state machine to detect the packet; record the five-tuple from the packet header, and establish the correspondence between that five-tuple, the identifier of the most recently loaded engine and the identifier of the most recently generated state machine.
Specifically, after the received packet has been determined to be the first packet of a data flow, the most recently loaded engine can be found by searching the recorded engine identifiers, and that engine is used to detect the first packet. Because the most recently loaded engine may correspond to one or more state machines, the identifiers of the state machines corresponding to it are determined from its engine identifier, and the most recently generated state machine is determined from those state machine identifiers. In this embodiment the most recently loaded engine invokes the most recently generated state machine to detect the first packet of the data flow, the five-tuple in the header of the first packet is recorded, and the correspondence between that five-tuple, the identifier of the most recently loaded engine and the identifier of the most recently generated state machine is established. Because the packets of one data flow share the same five-tuple, when a subsequent packet of the flow is received, the identifier of the engine and the identifier of the state machine corresponding to its five-tuple can be determined from the recorded correspondence; this determines the engine and state machine that detect the subsequent packet and guarantees that all packets of the same data flow are detected by the same engine and the same state machine.
Step 504: using the five-tuple in the packet header and the correspondence between five-tuple, engine identifier and state machine identifier established when the first packet of the data flow was processed, look up the identifier of the engine corresponding to the five-tuple among the recorded engine identifiers and the identifier of the state machine corresponding to the five-tuple among the recorded state machine identifiers; the engine corresponding to the found engine identifier then invokes the state machine corresponding to the found state machine identifier to detect the packet.
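The Fig. 5 procedure, together with the rule from step 408 that flows pinned to an unloaded engine are forwarded without further detection, is shown below as an added example; it is not code from the patent or its assignee. The packets, the substring rules standing in for compiled feature databases, and the addresses are all constructed; the description says nothing about a non-first packet whose five-tuple has no record (for instance a TCP flow that started before the system began observing it), and the example assumes such a packet is handled like a first packet:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# source IP, destination IP, source port, destination port, transport protocol
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a received packet: only the header fields the procedure reads."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                 # "tcp" or "udp"
    first_flag: bool = False   # the TCP first-packet flag the description refers to
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


class StateMachine:
    """Stand-in for a compiled feature database: a set of named substring rules."""

    def __init__(self, ident: str, rules: Dict[str, bytes]) -> None:
        self.ident = ident
        self.rules = rules

    def match(self, payload: bytes) -> List[str]:
        return [name for name, pattern in self.rules.items() if pattern in payload]


@dataclass
class Verdict:
    engine_id: str
    sm_id: str
    inspected: bool        # False when the engine the flow was bound to has been unloaded
    hits: List[str]


class FlowPinnedDetector:
    def __init__(self) -> None:
        # engine id -> its state machines, both kept in load/generation order (steps 402, 404)
        self.engines: Dict[str, Dict[str, StateMachine]] = {}
        # five-tuple -> (engine id, state machine id) bound at the flow's first packet (step 503)
        self.flows: Dict[FiveTuple, Tuple[str, str]] = {}

    def register(self, engine_id: str, sm: StateMachine) -> None:
        self.engines.setdefault(engine_id, {})[sm.ident] = sm

    def unload_engine(self, engine_id: str) -> None:
        """Step 408: releasing an engine takes its state machines with it."""
        self.engines.pop(engine_id, None)

    def newest(self) -> Tuple[str, str]:
        engine_id = next(reversed(self.engines))
        sm_id = next(reversed(self.engines[engine_id]))
        return engine_id, sm_id

    def is_first_packet(self, pkt: Packet) -> bool:
        """Step 502: TCP is decided by the header flag, UDP by a five-tuple lookup."""
        if pkt.proto == "tcp":
            return pkt.first_flag
        return pkt.five_tuple() not in self.flows

    def detect(self, pkt: Packet) -> Verdict:
        key = pkt.five_tuple()
        if self.is_first_packet(pkt):
            binding = self.newest()          # step 503: newest engine, newest state machine
            self.flows[key] = binding
        else:
            binding = self.flows.get(key)    # step 504: stay with the pair bound at the first packet
            if binding is None:
                # Not covered by the description; assumption: treat it like a first packet.
                binding = self.newest()
                self.flows[key] = binding
        engine_id, sm_id = binding
        sm = self.engines.get(engine_id, {}).get(sm_id)
        if sm is None:
            # The flow's engine was unloaded by a later upgrade: forwarded without detection.
            return Verdict(engine_id, sm_id, False, [])
        return Verdict(engine_id, sm_id, True, sm.match(pkt.payload))


if __name__ == "__main__":
    det = FlowPinnedDetector()
    det.register("b1", StateMachine("c1", {"rule-1": b"alpha"}))
    first = Packet("192.0.2.10", "198.51.100.5", 40001, 80, "tcp", first_flag=True, payload=b"alpha")
    print(det.detect(first))
```

Pinning a flow to the (engine, state machine) pair that saw its first packet is what lets an upgrade proceed without breaking the detection state of flows already in progress: a later engine with a richer rule set only ever sees new flows, and an existing flow keeps being judged by the state machine whose internal state it has already advanced. The cost, visible in `Verdict.inspected`, is that a flow bound to an engine that has since been released is forwarded without inspection, so the thresholds that govern eviction also govern how long that window lasts.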
The above embodiment creates a process, downloads the upgrade package for the intrusion prevention system into the created process, loads the engine in the package, sets and records the identifier of the loaded engine, and has the loaded engine load and compile the feature database in the package to generate a state machine, thereby upgrading the intrusion prevention system. This embodiment creates a new process only when the engine and the feature database are upgraded together, which allows several engines to be loaded during the upgrade of the intrusion prevention system and several groups of state machines to be compiled and to work simultaneously, so that detection of the data flows that were in progress before the upgrade is, to the greatest extent possible, not interrupted while the intrusion prevention system is upgraded. At the same time, this embodiment limits the number of processes created and the number of state machines generated, which guarantees that the created processes, the loaded engines and the generated state machines do not occupy too much memory and that the intrusion prevention system keeps running normally.
Fig. 6 is a flow chart of another embodiment of the method for upgrading an intrusion prevention system according to the present invention. As shown in Fig. 6, this embodiment comprises:
Step 601: when the intrusion prevention system is upgraded for the first time, create a process, and download the upgrade package for the intrusion prevention system into the created process.
Step 602: in the above process, load the engine in the upgrade package, and set and record the identifier of the loaded engine.
Specifically, the identifiers of loaded engines can be set according to their load order; for example, in order from the earliest to the latest load time, the engine identifiers are set to b1, b2, ..., bn, so that the engine identified as b1 is the one loaded first. This is only one way of setting the engine identifiers, and the embodiment is not limited to it: the identifiers can be set in other ways, as long as they allow the load order of the engines to be distinguished.
Step 603: in the above process, the loaded engine loads and compiles the feature database in the upgrade package to generate a state machine, thereby upgrading the intrusion prevention system; the identifier of the generated state machine is set and recorded, and the correspondence between the identifier of the state machine and the identifier of the engine that generated it is established.
This embodiment creates a process only when the engine and the feature database of the intrusion prevention system are upgraded for the first time; for every later upgrade of the intrusion prevention system, the upgrade package is downloaded into that same process and steps 602 to 603 are executed to complete the upgrade. Therefore, in this embodiment several engines are loaded in one process, and each engine may correspond to several state machines; after a state machine is generated, its identifier must be set and recorded, and the correspondence between the identifier of the state machine and the identifier of the engine that generated it must be established.
Specifically, the identifiers of state machines can be set according to their generation order; for example, in order from the earliest to the latest generation time, the state machine identifiers are set to c1, c2, ..., cn, so that the state machine identified as c1 is the one generated first. This is only one way of setting the state machine identifiers, and the embodiment is not limited to it: the identifiers can be set in other ways, as long as they allow the generation order of the state machines to be distinguished.
After a packet is received, the engine that is to detect it can be determined from the information in the packet header and the recorded engine identifiers, and the determined engine invokes the state machine it generated to detect the packet. Specifically, in this embodiment the received packets can be detected using the method provided by the embodiment of the present invention shown in Fig. 5.
Step 604: when the intrusion prevention system needs to be upgraded again, determine whether the engine and the feature database are to be upgraded together. If so, execute steps 605 to 608; if only the feature database is upgraded, execute steps 609 to 612.
Step 605: determine whether the number of engines already loaded has reached the preset third threshold. If it has, execute step 607; if it is below the third threshold, execute step 606.
In this embodiment, during repeated upgrades the number of loaded engines can be limited according to the memory available to the intrusion prevention system by setting a third threshold in advance, so that the number of loaded engines cannot exceed it; the third threshold is a positive integer and can be set to 2.
Step 606: determine whether the number of state machines already generated has reached the preset second threshold. If it has, execute step 607; if it is below the second threshold, execute step 608.
In this embodiment, during repeated upgrades the number of generated state machines can likewise be limited according to the memory available to the intrusion prevention system; specifically, the second threshold can be set to m according to the memory of the intrusion prevention system, where m is a positive integer, for example m = 4.
Step 607: determine the engine loaded first from the recorded engine identifiers, unload that engine and release the resources it occupies, then execute step 608.
When the intrusion prevention system needs to be upgraded again and the number of loaded engines has reached the preset third threshold, the engine loaded first can be determined from the engine identifiers recorded in step 602; in this embodiment that is the engine identified as b1. Engine b1 is then unloaded and the resources it occupies are released.
For the case in which the number of loaded engines is below the preset third threshold but the number of generated state machines has reached the preset second threshold, one state machine of the engine loaded first can be unloaded; specifically, the state machine generated first among those corresponding to the engine loaded first is determined from the state machine identifiers recorded in step 603 and is then released.
Step 608: download the upgrade package for the engine and the feature database into the same created process, and execute step 602.
Step 609: determine whether the number of state machines already generated has reached the preset second threshold. If it has, execute step 610; if it is below the second threshold, execute steps 611 to 612.
As above, the second threshold is set to m according to the memory available to the intrusion prevention system, where m is a positive integer, for example m = 4.
Step 610: determine the engine loaded first from the recorded engine identifiers, unload that engine and release the resources it occupies; alternatively, release one of the state machines corresponding to the engine loaded first. Then execute step 611.
Specifically, when releasing one of the state machines corresponding to the engine loaded first, the state machine generated first among them is determined from the state machine identifiers recorded in step 603 and is then released.
Step 611: download the upgrade package for the feature database into the same created process.
Step 612: determine the most recently loaded engine from the recorded engine identifiers, and have it load and compile the feature database in the upgrade package to generate a new group of state machines; as before, after the state machines are generated their identifiers must be set and the correspondence between each state machine identifier and the identifier of the engine that generated it established. Then execute step 604 and the steps that follow it.
The above embodiment, when the intrusion prevention system is upgraded for the first time, creates a process, downloads the upgrade package for the intrusion prevention system into the created process, loads the engine in the package, sets and records the identifier of the loaded engine, and has the loaded engine load and compile the feature database to generate a state machine, thereby upgrading the intrusion prevention system. This embodiment creates a process only at the first upgrade of the intrusion prevention system, and every later upgrade loads the engine, compiles the feature database and generates state machines in that same process; this allows several engines to be loaded during the upgrade of the intrusion prevention system and several groups of state machines to be compiled and to work simultaneously, so that detection of the data flows that were in progress before the upgrade is, to the greatest extent possible, not interrupted while the intrusion prevention system is upgraded. At the same time, this embodiment limits the number of engines loaded and the number of state machines generated, which guarantees that the loaded engines and the generated state machines do not occupy too much memory and that the intrusion prevention system keeps running normally.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Fig. 7 is a schematic structural diagram of an embodiment of the upgrade device for an intrusion prevention system according to the present invention. The upgrade device can be arranged in an intrusion prevention system and implements the flow of the embodiment of the present invention shown in Fig. 1. As shown in Fig. 7, the upgrade device for the intrusion prevention system can comprise: a creation module 71, a download module 72, a loading module 73 and a compiling module 74.
Specifically, the creation module 71 is used to create a process;
the download module 72 can download the upgrade package for the intrusion prevention system into the process created by the creation module 71;
the loading module 73 can, in the process created by the creation module 71, load the engine in the upgrade package downloaded by the download module 72, and set and record the identifier of the loaded engine. Specifically, the identifiers of loaded engines can be set according to their load order; for example, in order from the earliest to the latest load time, the engine identifiers are set to 1, 2, ..., n, so that the engine identified as 1 is the one loaded first. This is only one way of setting the engine identifiers, and the embodiment is not limited to it: the identifiers can be set in other ways, as long as they allow the load order of the engines to be distinguished.
The compiling module 74 can, in the process created by the creation module 71, have the engine loaded by the loading module 73 load and compile the feature database in the upgrade package downloaded by the download module 72 to generate a state machine, thereby upgrading the intrusion prevention system.
In the above embodiment, the creation module 71 creates a process, the download module 72 downloads the upgrade package for the intrusion prevention system into the process created by the creation module 71, the loading module 73 loads the engine in the package downloaded by the download module 72 in that process and sets and records the identifier of the loaded engine, and the compiling module 74 has the loaded engine load and compile the feature database to generate a state machine, thereby upgrading the intrusion prevention system. This embodiment creates a new process each time the engine and the feature database are upgraded together, or the feature database is upgraded, which allows several engines to be loaded during the upgrade of the intrusion prevention system and several groups of state machines to be compiled and to work simultaneously, so that detection of the data flows that were in progress before the upgrade is, to the greatest extent possible, not interrupted while the intrusion prevention system is upgraded.
Fig. 8 is the structural representation of another embodiment of update device of intrusion prevention system of the present invention, and the update device of this intrusion prevention system can be arranged in intrusion prevention system, realizes the present invention's flow process embodiment illustrated in fig. 3.As shown in Figure 8, the update device of this intrusion prevention system can comprise: creation module 81, download module 82, load-on module 83, collector 84, detection module 85 and process identification (PID) logging modle 86.
Particularly, creation module 81 is used for the establishment process, and particularly, creation module 81 can be when upgrading to intrusion prevention system at every turn, the establishment process; Download module 82 can be downloaded the AKU that intrusion prevention system is upgraded in the process that creation module 81 is created.
Load-on module 83 can load the engine in the AKU that download module 82 downloads in the process that creation module 81 is created, be provided with and the sign of the engine that record loads; Particularly, the sign of the engine of loading can be according to the priority setting of load time, for example: according to the load time by earlier to after order, the sign of engine is made as b respectively 1, b 2..., b n, promptly be designated b 1Engine be the engine that loads at first.A kind of mode of the sign of engine below just is set, and present embodiment is not limited in this, and the sign of engine also can be set by other modes, as long as the sign of the engine that is provided with can be distinguished the sequencing that engine loads.
Collector 84 can be in the process that creation module 81 is created, and the feature database by in the AKU that engine loads and compiling download module 82 is downloaded of load-on module 83 loadings generates state machine, this intrusion prevention system of upgrading; Detection module 85 can be determined engine that message is detected according to the sign of the engine of information in the heading of the message that receives and record, and the state machine by the engine calling of determining generates detects this message.Particularly, the method that detection module 85 can adopt the present invention to provide in embodiment illustrated in fig. 2 detects the message that receives.
The detection module 85 may comprise a judging submodule 851, a first determining submodule 852, a second determining submodule 853 and a packet detection submodule 854. The judging submodule 851 judges from the information in the header of a received packet whether that packet is the first packet of a data flow. Concretely, this is done by parsing the packet header to determine the transport protocol the packet uses. When the packet is carried over TCP, it is the first packet of the flow if its header carries the first-packet flag, and is not the first packet otherwise. When the packet is carried over UDP, the packet's five-tuple is looked up in the records kept by the intrusion prevention system: if no record of this five-tuple exists, the packet is determined to be the first packet of the flow and its five-tuple is recorded; if a record exists, the packet is not the first packet of the flow. The five-tuple of a packet consists of its source IP address, destination IP address, source port, destination port and transport protocol; packets belonging to the same data flow share the same five-tuple.
When the judging submodule 851 determines that the received packet is the first packet of a data flow, the first determining submodule 852 determines the most recently loaded engine from the recorded engine identifiers; that engine is the one that detects the packet. It also records the five-tuple from the packet header and establishes a correspondence between that five-tuple and the identifier of the engine that detects the packet. Because all packets of one data flow share the same five-tuple, when subsequent packets of the flow arrive the second determining submodule 853 can use the subsequent packet's five-tuple and the recorded correspondence between five-tuples and engine identifiers to determine the engine identifier corresponding to that five-tuple, and hence the engine that detects the subsequent packet. This guarantees that every packet of a flow is detected by the same engine.
When the judging submodule 851 determines that the received packet is not the first packet of a data flow, the second determining submodule 853 takes the five-tuple from the packet header and, using the correspondence between five-tuple and engine identifier established at the flow's first packet, looks up among the recorded engine identifiers the one that corresponds to this five-tuple; the engine with that identifier is the engine that detects the packet.
The packet detection submodule 854 detects the packet by having the engine determined by the first determining submodule 852 or the second determining submodule 853 invoke the state machine generated by the compile module 84.
In this embodiment the creation module 81 creates a new process each time the engine and the feature database are upgraded together, and also each time only the feature database is upgraded; the download module 82, the loading module 83 and the compile module 84 then carry out the subsequent steps. When only the feature database is upgraded, after the creation module 81 has created the new process the loading module 83 determines the currently most recently loaded engine from the recorded engine identifiers, reloads that engine in the newly created process, and assigns a new engine identifier to the reloaded engine. Engines and state machines therefore correspond one to one in this embodiment, so once the first determining submodule 852 or the second determining submodule 853 has determined the engine that detects a packet, the packet detection submodule 854 can detect the received packet by having that engine invoke the state machine it generated.
In this embodiment the process identifier recording module 86 sets and records the identifier of each created process according to its creation time. For example, the processes may be assigned identifiers a1, a2, ..., an in order of creation time from earliest to latest, so that the process identified as a1 is the one created first. This is only one way of assigning process identifiers; the embodiment is not limited to it, and any other scheme may be used as long as the identifiers distinguish the order in which the processes were created.
The download module 82 may comprise a process determining submodule 821, an unloading submodule 822 and an upgrade package download submodule 823. When the number of processes created by the creation module 81 reaches a preset first threshold, the process determining submodule 821 determines the earliest created process from the process identifiers recorded by the process identifier recording module 86. In this embodiment, as upgrades continue, the number of created processes can be limited according to the memory available to the intrusion prevention system; specifically, the first threshold may be set to n, where n is a positive integer chosen according to that memory, for example n = 2.
The unloading submodule 822 unloads the engine in the earliest created process determined by the process determining submodule 821, releasing the resources that engine occupies. The upgrade package download submodule 823 then downloads the upgrade package for the intrusion prevention system into that earliest created process, after the unloading submodule 822 has unloaded the engine in it.
In the above embodiment, the creation module 81 creates a process; the download module 82 downloads the upgrade package for the intrusion prevention system into the process created by the creation module 81; the loading module 83 loads the engine in that upgrade package in the created process and sets and records the identifier of the loaded engine; and the compile module 84 loads and compiles the feature database in the upgrade package in the created process through the engine loaded by the loading module 83, generating a state machine and thereby upgrading the intrusion prevention system. After a packet is received, the detection module 85 determines the engine that detects the packet from the information in the packet header and the recorded engine identifiers, and then has the determined engine invoke the generated state machine to detect the packet. Because this embodiment creates a new process each time the engine and feature database are upgraded together and each time only the feature database is upgraded, multiple engines are loaded during the upgrade of the intrusion prevention system and multiple groups of state machines are compiled and work at the same time, so that, to the greatest extent possible, detection of the data flows that existed before the upgrade is not interrupted by the upgrade. The embodiment also limits the number of created processes, which guarantees that they do not occupy too much memory and that the intrusion prevention system keeps operating normally.
Fig. 9 is a schematic structural diagram of another embodiment of the upgrade device for an intrusion prevention system of the present invention. The upgrade device may be located in the intrusion prevention system and implements the flow of the embodiment shown in Fig. 4. As shown in Fig. 9, the upgrade device may comprise: a creation module 91, a download module 92, a loading module 93, a compile module 94, a detection module 95, a process identifier recording module 96 and a state machine identifier recording module 97.
The creation module 91 creates a process; specifically, it creates a new process each time the engine and the feature database are upgraded together. The download module 92 downloads the upgrade package for the intrusion prevention system into the process created by the creation module 91.
The loading module 93 loads the engine in the upgrade package downloaded by the download module 92 in the process created by the creation module 91, and sets and records the identifier of the loaded engine. The identifier may be set according to load time, for example by assigning the engines identifiers b1, b2, ..., bn in order of load time from earliest to latest, so that the engine identified as b1 is the one loaded first. This is only one way of assigning engine identifiers; the embodiment is not limited to it, and any other scheme may be used as long as the identifiers distinguish the order in which the engines were loaded.
The compile module 94 loads and compiles, in the process created by the creation module 91 and through the engine loaded by the loading module 93, the feature database in the upgrade package downloaded by the download module 92, generating a state machine. After the compile module 94 has generated a group of state machines, the state machine identifier recording module 97 sets and records the identifier of the generated state machine and establishes the correspondence between that identifier and the identifier of the engine that generated the state machine.
The detection module 95 determines the engine that detects a received packet from the information in the packet header and the engine identifiers recorded by the loading module 93, and has the determined engine invoke a state machine generated by the compile module 94 to detect the packet.
In this embodiment the creation module 91 creates a new process each time the engine and the feature database are upgraded together, and the download module 92, the loading module 93 and the compile module 94 carry out the subsequent steps. Processes and engines therefore correspond one to one, while one engine may correspond to several state machines.
In this embodiment the detection module 95 may comprise a first-packet judging submodule 951, a first packet detection submodule 952 and a second packet detection submodule 953.
The first-packet judging submodule 951 judges from the information in the header of the received packet whether the packet is the first packet of a data flow, in the same way as the judging submodule 851 of Fig. 8: the packet header is parsed to determine the transport protocol. For TCP, the packet is the first packet of the flow if and only if its header carries the first-packet flag. For UDP, the packet's five-tuple is looked up in the records kept by the intrusion prevention system; if no record is found, the packet is the first packet of the flow and its five-tuple is recorded, otherwise it is not the first packet. The five-tuple consists of the source IP address, destination IP address, source port, destination port and transport protocol, and all packets of one data flow share the same five-tuple.
When the first-packet judging submodule 951 determines that the received packet is the first packet of a data flow, the first packet detection submodule 952 determines the most recently loaded engine from the engine identifiers recorded by the loading module 93; that engine detects the packet by invoking the new state machine generated through it by the compile module 94. The submodule also records the five-tuple from the packet header and establishes the correspondence between that five-tuple, the identifier of the most recently loaded engine and the identifier of the new state machine.
When the first-packet judging submodule 951 determines that the received packet is not the first packet of a data flow, the second packet detection submodule 953 takes the five-tuple from the packet header and, using the correspondence between five-tuple, engine identifier and state machine identifier established at the flow's first packet, looks up the engine identifier corresponding to this five-tuple among the engine identifiers recorded by the loading module 93 and the state machine identifier corresponding to this five-tuple among the state machine identifiers recorded by the state machine identifier recording module 97; the engine with the found identifier then invokes the state machine with the found identifier to detect the received packet.
In this embodiment the process identifier recording module 96 sets and records the identifier of each created process according to its creation time. For example, the processes may be assigned identifiers a1, a2, ..., an in order of creation time from earliest to latest, so that the process identified as a1 is the one created first. This is only one way of assigning process identifiers; the embodiment is not limited to it, and any other scheme may be used as long as the identifiers distinguish the order in which the processes were created.
The download module 92 may comprise a process determining submodule 921, an unloading submodule 922 and an upgrade package download submodule 923. When the number of processes created by the creation module 91 reaches a preset first threshold, the process determining submodule 921 determines the earliest created process from the process identifiers recorded by the process identifier recording module 96. In this embodiment, as upgrades continue, the number of created processes can be limited according to the memory available to the intrusion prevention system; specifically, the first threshold may be set to n, where n is a positive integer chosen according to that memory, for example n = 2.
The unloading submodule 922 unloads the engine in the earliest created process determined by the process determining submodule 921, releasing the resources that engine occupies. The upgrade package download submodule 923 then downloads the upgrade package for the intrusion prevention system into that earliest created process, after the unloading submodule 922 has unloaded the engine in it.
If subsequently only the feature database of the intrusion prevention system needs to be upgraded, the process determining submodule 921 determines the most recently created process from the process identifiers recorded by the process identifier recording module 96; the upgrade package download submodule 923 downloads the upgrade package for the feature database into that most recently created process; and the compile module 94 then loads and compiles the feature database in the upgrade package through the engine loaded in the most recently created process, generating a state machine.
The upgrade device of the above embodiment loads multiple engines during the upgrade of the intrusion prevention system and compiles multiple groups of state machines that work at the same time, so that, to the greatest extent possible, detection of the data flows that existed before the upgrade is not interrupted. The device also limits the number of created processes and the number of generated state machines, which guarantees that the created processes, loaded engines and generated state machines do not occupy too much memory and that the intrusion prevention system keeps operating normally.
Fig. 10 is a schematic structural diagram of another embodiment of the upgrade device for an intrusion prevention system of the present invention. The upgrade device may be located in the intrusion prevention system and implements the flow of the embodiment shown in Fig. 6. As shown in Fig. 10, the upgrade device may comprise: a creation module 1001, a download module 1002, a loading module 1003, a compile module 1004, a detection module 1005 and an unloading module 1006.
The creation module 1001 creates a process when the intrusion prevention system is upgraded for the first time. The download module 1002 downloads the upgrade package for the intrusion prevention system into the process created by the creation module 1001. The loading module 1003 loads the engine in the upgrade package downloaded by the download module 1002 in that process and sets and records the identifier of the loaded engine. The compile module 1004 loads and compiles, in that process and through the engine loaded by the loading module 1003, the feature database in the upgrade package downloaded by the download module 1002, generating a state machine. The detection module 1005 determines the engine that detects a received packet from the information in the packet header and the engine identifiers recorded by the loading module 1003, and has the determined engine invoke a state machine generated by the compile module 1004 to detect the packet; specifically, the detection module 1005 may detect the received packet by the method of the embodiment shown in Fig. 5.
In this embodiment, when subsequently only the feature database of the intrusion prevention system needs to be upgraded, the download module 1002 downloads the upgrade package for the feature database into the process created by the creation module 1001; the compile module 1004 then determines the most recently loaded engine from the engine identifiers recorded by the loading module 1003 and loads and compiles the feature database in that upgrade package through that engine, generating a new state machine.
When the number of engines loaded by the loading module 1003 reaches a preset third threshold, the unloading module 1006 determines the earliest loaded engine from the recorded engine identifiers and unloads it, releasing the resources it occupies. When the number of state machines generated by the compile module 1004 reaches a preset second threshold, the unloading module 1006 likewise determines the earliest loaded engine from the recorded engine identifiers and releases one of the state machines corresponding to that engine.
The second and third thresholds are positive integers that may be set according to the memory available to the intrusion prevention system; for example, the third threshold may be set to 2 and the second threshold to 4.
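The resource limits of the Fig. 10 embodiment (the third threshold on loaded engines and the second threshold on generated state machines), as an added example that is not code from the patent or from the assignee. The first threshold on created processes in the Fig. 8 and Fig. 9 embodiments is the same check applied to processes instead of engines. Identifiers are integers that grow with load or compile time, so the smallest identifier is the earliest loaded, and a feature-database-only upgrade compiles its state machine with the most recently loaded engine, as the page describes. Two points the page leaves open are assumptions here: the earliest engine gives up its oldest state machine first, and an engine left with no state machine at all is unloaded unless it is the most recently loaded one.

```python
"""Bounding what an upgrading IPS keeps resident: engines and state machines.

Added example, not code from the patent. Implements the two limits of the
Fig. 10 embodiment: when the number of loaded engines reaches the third
threshold, the earliest loaded engine is unloaded before a new one is loaded;
when the number of state machines reaches the second threshold, one state
machine of the earliest loaded engine is released before a new one is
compiled. Eviction order inside an engine (oldest state machine first) and
unloading an engine that has nothing left to run are assumptions.
"""
from typing import Dict, List, Optional, Tuple


class BoundedRegistry:
    def __init__(self, engine_threshold: int = 2, sm_threshold: int = 4) -> None:
        if engine_threshold < 1 or sm_threshold < 1:
            raise ValueError("thresholds must be positive integers")
        self.engine_threshold = engine_threshold       # "third threshold" on the page, 2 in its example
        self.sm_threshold = sm_threshold               # "second threshold" on the page, 4 in its example
        self.engines: Dict[int, List[int]] = {}        # engine id -> its state machine ids, oldest first
        self._next_engine_id = 1
        self._next_sm_id = 1

    def state_machine_count(self) -> int:
        return sum(len(sms) for sms in self.engines.values())

    def earliest_engine(self) -> int:
        return min(self.engines)

    def latest_engine(self) -> int:
        return max(self.engines)

    def snapshot(self) -> Dict[int, List[int]]:
        return {eid: list(sms) for eid, sms in self.engines.items()}

    def load_engine(self) -> Tuple[int, Optional[int]]:
        """Engine upgrade. Returns (new engine id, unloaded engine id or None)."""
        unloaded = None
        if len(self.engines) >= self.engine_threshold:
            unloaded = self.earliest_engine()
            del self.engines[unloaded]                 # frees the engine and every state machine it owns
        eid = self._next_engine_id
        self._next_engine_id += 1
        self.engines[eid] = []
        return eid, unloaded

    def compile_feature_db(self) -> Tuple[int, Optional[Tuple[int, int]]]:
        """Feature-db-only upgrade, compiled by the latest engine.

        Returns (new state machine id, released (engine id, state machine id) or None).
        """
        if not self.engines:
            raise RuntimeError("no engine loaded; an engine upgrade must come first")
        released = None
        if self.state_machine_count() >= self.sm_threshold:
            # The earliest engine that still owns a state machine gives one up, oldest first (assumption).
            victim = min(e for e, sms in self.engines.items() if sms)
            released = (victim, self.engines[victim].pop(0))
            if not self.engines[victim] and victim != self.latest_engine():
                del self.engines[victim]               # assumption: an engine with nothing to run is unloaded
        sm_id = self._next_sm_id
        self._next_sm_id += 1
        self.engines[self.latest_engine()].append(sm_id)
        return sm_id, released


if __name__ == "__main__":
    reg = BoundedRegistry()
    print(reg.load_engine(), reg.snapshot())
    for _ in range(5):
        print(reg.compile_feature_db(), reg.snapshot())
    print(reg.load_engine(), reg.snapshot())
    print(reg.load_engine(), reg.snapshot())
```

With the thresholds given on the page (2 engines, 4 state machines) at most two engines and four compiled rule sets are ever resident, which is what bounds memory; the cost is that releasing a state machine or unloading an engine breaks every flow still pinned to it in the five-tuple table, so a real implementation should gate these evictions on, or trigger re-pinning of, the flows recorded there.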
The upgrade device of the above embodiment loads multiple engines during the upgrade of the intrusion prevention system and compiles multiple groups of state machines that work at the same time, so that, to the greatest extent possible, detection of the data flows that existed before the upgrade is not interrupted. The device also limits the number of loaded engines and the number of generated state machines, which guarantees that the created process, the loaded engines and the generated state machines do not occupy too much memory and that the intrusion prevention system keeps operating normally.
Those skilled in the art will appreciate that the drawings are schematic diagrams of preferred embodiments, and that the modules or flows shown in them are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of that embodiment as described, or may be correspondingly changed and located in one or more devices different from those of the embodiment. The modules of the above embodiments may be merged into one module or further split into several submodules.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention can still be modified or equivalently replaced, and that such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the present invention.

Claims (11)

1. An upgrade method for an intrusion prevention system, characterized in that it comprises:
creating a process, and downloading an upgrade package for upgrading the intrusion prevention system in the created process;
loading, in the process, the engine in the upgrade package, and setting and recording an identifier of the loaded engine; and loading and compiling, through the loaded engine, the feature database in the upgrade package to generate a state machine, thereby upgrading the intrusion prevention system.
2. The method according to claim 1, characterized in that it further comprises:
determining, from information in the header of a received packet and the recorded engine identifier, the engine that detects the packet, and detecting the packet by the state machine generated through the determined engine.
3. The method according to claim 2, characterized in that determining, from the information in the header of the packet and the recorded engine identifier, the engine that detects the packet comprises:
judging, from the information in the header of the packet, whether the packet is the first packet of a data flow;
when the packet is the first packet of a data flow, determining the most recently loaded engine from the recorded engine identifier, the most recently loaded engine being the engine that detects the packet; recording the five-tuple in the header of the packet, and establishing a correspondence between the five-tuple and the identifier of the engine that detects the packet;
when the packet is not the first packet of a data flow, looking up, from the five-tuple in the header of the packet and using the correspondence between five-tuple and engine identifier established at the first packet of the data flow, the engine identifier corresponding to the five-tuple among the recorded engine identifiers, the engine corresponding to that identifier being the engine that detects the packet.
4. The method according to claim 1, characterized in that it further comprises: setting and recording identifiers of the created processes according to their creation time;
and in that downloading the upgrade package for upgrading the intrusion prevention system in the created process comprises:
when the number of created processes reaches a preset first threshold, determining the earliest created process from the recorded process identifiers, unloading the engine in the earliest created process, and downloading the upgrade package for upgrading the intrusion prevention system in the earliest created process.
5. The method according to claim 4, characterized in that, before loading and compiling the feature database in the upgrade package through the loaded engine to generate the state machine, it further comprises:
when the number of generated state machines reaches a preset second threshold, determining the earliest created process from the recorded process identifiers and releasing one state machine in the earliest created process; or, unloading the engine in the earliest created process.
6. The method according to claim 4, characterized in that it further comprises: if only the feature database of the intrusion prevention system needs to be upgraded, determining the most recently created process from the recorded process identifiers, and downloading the upgrade package for upgrading the feature database in the most recently created process; and loading and compiling the feature database in the upgrade package through the engine loaded in the most recently created process to generate a state machine.
7. An upgrade device for an intrusion prevention system, characterized in that it comprises:
a creation module, configured to create a process;
a download module, configured to download, in the process created by the creation module, an upgrade package for upgrading the intrusion prevention system;
a loading module, configured to load, in the process created by the creation module, the engine in the upgrade package downloaded by the download module, and to set and record an identifier of the loaded engine;
a compile module, configured to load and compile, in the process created by the creation module and through the engine loaded by the loading module, the feature database in the upgrade package downloaded by the download module, to generate a state machine and thereby upgrade the intrusion prevention system.
8. The device according to claim 7, characterized in that it further comprises:
a detection module, configured to determine, from information in the header of a received packet and the engine identifier recorded by the loading module, the engine that detects the packet, and to detect the packet by the state machine generated by the compile module, invoked through the determined engine.
9. The device according to claim 8, characterized in that the detection module comprises:
a judging submodule, configured to judge, from the information in the header of the packet, whether the packet is the first packet of a data flow;
a first determining submodule, configured to, when the judging submodule determines that the packet is the first packet of a data flow, determine the most recently loaded engine from the recorded engine identifier, the most recently loaded engine being the engine that detects the packet, and to record the five-tuple in the header of the packet and establish a correspondence between the five-tuple and the identifier of the engine that detects the packet;
a second determining submodule, configured to, when the judging submodule determines that the packet is not the first packet of a data flow, look up, from the five-tuple in the header of the packet and using the correspondence between five-tuple and engine identifier established at the first packet of the data flow, the engine identifier corresponding to the five-tuple among the recorded engine identifiers, the engine corresponding to that identifier being the engine that detects the packet;
a packet detection submodule, configured to detect the packet by the state machine generated by the compile module, invoked through the engine determined by the first determining submodule or the second determining submodule.
10. The device according to claim 7, characterized in that it further comprises:
a process identifier recording module, configured to set and record identifiers of the created processes according to their creation time;
and in that the download module comprises:
a process determining submodule, configured to, when the number of processes created by the creation module reaches a preset first threshold, determine the earliest created process from the process identifiers recorded by the process identifier recording module;
an unloading submodule, configured to unload the engine in the earliest created process determined by the process determining submodule;
an upgrade package download submodule, configured to download, after the unloading submodule has unloaded the engine in the earliest created process determined by the process determining submodule, the upgrade package for upgrading the intrusion prevention system in that earliest created process.
11. The device according to claim 10, characterized in that, if only the feature database of the intrusion prevention system needs to be upgraded, the process determining submodule determines the most recently created process from the process identifiers recorded by the process identifier recording module; the upgrade package download submodule downloads the upgrade package for upgrading the feature database in the most recently created process determined by the process determining submodule; and the compile module loads and compiles the feature database in the upgrade package downloaded by the upgrade package download submodule through the engine loaded in the most recently created process, generating a state machine.
CN2009102070563A 2009-10-27 2009-10-27 Upgrading method and device of intrusion prevention system Expired - Fee Related CN101695031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102070563A CN101695031B (en) 2009-10-27 2009-10-27 Upgrading method and device of intrusion prevention system

Publications (2)

Publication Number Publication Date
CN101695031A true CN101695031A (en) 2010-04-14
CN101695031B CN101695031B (en) 2011-12-07

Family

ID=42093972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102070563A Expired - Fee Related CN101695031B (en) 2009-10-27 2009-10-27 Upgrading method and device of intrusion prevention system

Country Status (1)

Country Link
CN (1) CN101695031B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1203641C (en) * 2002-10-11 2005-05-25 Beijing Venustech Information Technology Co., Ltd. Method and system for monitoring network intrusion
CN1738257A (en) * 2004-12-31 2006-02-22 Peking University Network intrusion detection system and method based on application protocol detection engine
CN101282244B (en) * 2008-05-09 2010-12-01 Zhejiang University Intrusion detection method based on SPM

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457415A (en) * 2011-12-27 2012-05-16 Chengdu Huawei Symantec Technologies Co., Ltd. IPS detection processing method, network security equipment and system
WO2013097493A1 (en) * 2011-12-27 2013-07-04 Huawei Digital Technology (Chengdu) Co., Ltd. IPS detection processing method, network security device and system
CN102457415B (en) * 2011-12-27 2015-08-19 Huawei Digital Technology (Chengdu) Co., Ltd. IPS detection processing method, network security device and system
US9380067B2 (en) 2011-12-27 2016-06-28 Huawei Technologies Co., Ltd. IPS detection processing method, network security device, and system
CN104348660A (en) * 2013-08-08 2015-02-11 Huawei Technologies Co., Ltd. Method and device for updating detection engine in firewall equipment
WO2015018200A1 (en) * 2013-08-08 2015-02-12 Huawei Technologies Co., Ltd. Method and apparatus for upgrading detection engine in firewall device
CN104348660B (en) * 2013-08-08 2018-08-21 Huawei Technologies Co., Ltd. Method and device for upgrading a detection engine in a firewall device
CN104184725A (en) * 2014-07-25 2014-12-03 Hanbo Technology Co., Ltd. Engine detection data updating method and device of intrusion prevention system
CN106936805A (en) * 2015-12-31 2017-07-07 Yiyang Security Technology Co., Ltd. Network attack defense method and system
CN106936805B (en) * 2015-12-31 2019-06-04 Yiyang Security Technology Co., Ltd. Network attack defense method and system
CN107368582A (en) * 2017-07-21 2017-11-21 Sangfor Technologies Inc. SQL statement detection method and system
CN115834241A (en) * 2022-12-27 2023-03-21 Beijing ABT Networks Co., Ltd. Method and device for deploying intrusion prevention system (IPS) rules, and processing equipment

Also Published As

Publication number Publication date
CN101695031B (en) 2011-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111207

Termination date: 20191027