CN102209006B - Rule test equipment and method - Google Patents


Info

Publication number: CN102209006B
Application number: CN201110052045.XA
Authority: CN (China)
Language: Chinese (zh)
Other versions: CN102209006A
Inventors: 张秀梅, 韩鹏, 韩红英, 白敏�, 刘海霞
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Prior art keywords: device under test, alert information, equipment, rule, rule testing
Legal status: Active (application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd with priority to CN201110052045.XA; first published as CN102209006A; granted and published as CN102209006B)

Abstract

The invention discloses a rule testing device (100) for testing a device under test that is in network communication with it. The rule testing device comprises a rule memory (110), a playback device (120), a monitor (130) and a determining device (140). The rule memory (110) stores rules and the expected alert information corresponding to each rule, where a rule defines a specific network data pattern. The playback device (120) reads a rule from the rule memory (110), generates the network packet set corresponding to the rule and replays that packet set to the device under test. The monitor (130) listens, during a predetermined delay period, for the alert information triggered by the device under test. The determining device (140) reads the expected alert information from the rule memory (110), receives the monitored alert information from the monitor (130), and produces a test result on whether the device under test has successfully applied the rule, based on whether the monitored alert information includes the expected alert information.

Description

Rule testing apparatus and method
Technical field
The present invention relates to the field of network security and, more specifically, to a rule testing apparatus and method for testing network security devices.
Background art
In recent years, security threats coming from the network have grown rapidly. Worms, viruses, spyware, DDoS attacks, spam, abuse of network resources (P2P downloads, instant messaging, online games, online video and so on), and combinations of these greatly trouble network users and cause serious damage to enterprise information systems. Network security devices such as IDS (intrusion detection systems) and IPS (intrusion prevention systems) provide protection for enterprise networks. These devices store rules that define various network data patterns; when a network security device detects network data matching a stored rule, it concludes that the data present a network security problem. As threat events and user network behaviours keep increasing, the number of rules that network security devices such as IDS and IPS have to support also grows rapidly, and the testers of these devices need to test whether a network security device has successfully adopted these rules.
Normally, to test a network security device, the device is placed in a real network environment where it processes normal and abnormal network packets. When the network security device processes an abnormal packet corresponding to some rule and that rule is triggered in the device, the event corresponding to the rule and the corresponding action (allowing or blocking the packet) are produced.
In such a scheme, however, the test system has to build a real network environment in order to trigger the rules in the network security device, which is time-consuming and laborious. If a large number of rule entries have to be checked, the packet sets must be generated and replayed manually, which makes the time and labour cost very high.
Summary of the invention
In view of the above problems, a rule testing apparatus and method are proposed that overcome the above technical deficiencies, or at least partly solve them.
According to one aspect of the invention, a rule testing device is provided for testing a device under test that is in network communication with it. The rule testing device comprises: a rule memory for storing rules and the expected alert information corresponding to each rule, where a rule defines a specific network data pattern; a playback device for reading a rule from the rule memory, generating the network packet set corresponding to the rule and replaying the packet set to the device under test; a monitor for listening, during a predetermined delay period, for the alert information triggered by the device under test; and a determining device for reading the expected alert information from the rule memory, receiving the monitored alert information from the monitor, and producing a test result on whether the device under test has successfully applied the rule according to whether the monitored alert information includes the expected alert information.
Optionally, if the monitored alert information includes the expected alert information, the determining device produces the test result that the device under test successfully applied the rule; if the monitored alert information does not include the expected alert information, the determining device produces the test result that the device under test failed to apply the rule.
Optionally, the predetermined delay period is counted from the moment the playback device replays the packet set to the device under test.
Optionally, the predetermined delay period is set according to a delay value corresponding to the packet set and a time deviation value corresponding to the time required for data transfer between the rule testing device and the device under test.
Optionally, the rule testing device further comprises a packet set memory for pre-storing the packet sets corresponding to the expected alert information, and the playback device generates the packet set corresponding to a rule by reading from the packet set memory the pre-stored packet set corresponding to that rule's expected alert information.
Optionally, the rule memory stores more than one rule, and the playback device, monitor and determining device test the device under test rule by rule.
Optionally, the rule testing device further comprises a manager for receiving the test results and generating a test report from them, and a display connected to the manager for showing the test results.
Optionally, the test report includes the event ID and event description of the alert information received from the monitor, the corresponding packet set information, the IP address of the device under test and the test result.
Optionally, the alert information is Simple Network Management Protocol (SNMP) trap alert information.
Optionally, the alert information is Syslog alert information.
According to another aspect of the invention, a rule testing method is provided for testing a device under test that is in network communication. The method comprises the steps of: reading a rule that defines a specific network data pattern, generating the packet set corresponding to the rule, and replaying the packet set to the device under test; listening, during a predetermined delay period, for the alert information triggered by the device under test; and producing a test result on whether the device under test successfully applied the rule according to whether the monitored alert information includes the expected alert information corresponding to the rule.
According to yet another aspect of the invention, a rule testing system is provided, comprising at least one device under test and the rule testing device described above, which is coupled to the at least one device under test via a network in order to test it.
Optionally, the rule testing system further comprises a network access device to which both the at least one device under test and the rule testing device are connected, so that the rule testing device can test each of the devices under test simultaneously.
As described above, rule testing work frequently has to test the continuously upgraded rules of a device under test, and every rule is triggered by some network event. Testing is most effective when every network event is a real one, but that costs a great deal of effort. The invention therefore replays packet sets to the device under test so that the device triggers alert information, which achieves the effect of testing the validity of the rules. For thousands of rules, however, testing each one by hand is a very large workload. To reduce repetitive manual work and raise testing efficiency, the invention automates the replay of packet sets and the tallying of test results: an automated rule testing facility replays the specified packet sets to the device under test and at the same time compares the produced test results with the expected results, tallying the passes and failures. This avoids sending packet sets and checking the confirmation time of each data entry by hand, greatly reduces the workload and improves working efficiency.
These and other aspects of the invention will be apparent from, and elucidated with reference to, the embodiments described hereinafter.
Brief description of the drawings
Various other advantages and benefits of the invention will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Like reference symbols denote like elements or steps throughout the drawings. In the drawings:
Fig. 1 is a block diagram of a rule testing device according to an embodiment of the invention;
Fig. 2 is a flow chart of a rule testing method according to an embodiment of the invention; and
Fig. 3 is a block diagram of a rule testing system according to an embodiment of the invention.
Embodiments
The invention is further described below with reference to the drawings and preferred embodiments.
Fig. 1 is a block diagram of a rule testing device 100 according to an embodiment of the invention. The rule testing device 100 can test a device under test (not shown) that is in network communication with it, for example a network security device such as an IPS or IDS, to determine whether one or more rules have been successfully applied in the device under test. A rule defines a specific network data pattern. Data that present a network security problem usually have abnormal or specific content or characteristics, and a rule defines the specific network data pattern extracted from that content or those characteristics; the device under test can therefore decide whether the network data it processes pose a network security threat by checking whether the data match the rules it has adopted.
As shown in Fig. 1, the rule testing device 100 comprises a rule memory 110, a playback device 120, a monitor 130 and a determining device 140.
The rule memory 110 stores rules and the expected alert information corresponding to each rule. Because a rule defines a specific network data pattern, when the device under test has correctly adopted the rule and the abnormal network data corresponding to that rule flow through it, the device under test should trigger the expected alert information corresponding to the rule. Storing each rule together with its expected alert information in the rule memory 110 makes it straightforward to judge whether the device under test has triggered the expected alert information properly.
The rule memory 110 may store many rules, each with its corresponding expected alert information. A single rule may also have several pieces of corresponding expected alert information. All of this is within the scope of the invention.
The playback device 120 reads a rule from the rule memory 110, generates the network packet set corresponding to the rule and replays that packet set to the device under test. After obtaining the rule to be tested, the playback device 120 can select, from packets captured in a real network environment, the packets corresponding to the rule that was read, in order to manufacture attack traffic.
Optionally, the rule testing device 100 may further comprise a packet set memory (not shown) for pre-storing the packet sets corresponding to the expected alert information. The playback device 120 then generates the packet set corresponding to a rule by reading the pre-stored packet set corresponding to the expected alert information from the packet set memory.
Although several ways for the playback device 120 to generate a packet set from a rule have been given above, those skilled in the art will understand that any way of generating the packet set corresponding to a rule from that rule falls within the scope of the invention.
The playback device 120 then obtains the IP address of the device under test and replays these packets to the device under test one by one, recording the current time as each packet is replayed. The purpose is to make troubleshooting easier: if, for example, the device behaves abnormally, the recorded information helps to track down and resolve the problem. Once all the specified packets have been replayed, the playback device 120 stops automatically so that the subsequent test process can proceed.
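The replay step described above, as an added example that is not code from the patent or from NSFOCUS: a packet set captured from a real network is normally kept on disk in the classic libpcap format, so the example parses that format (honouring either byte order and refusing truncated files), hands each frame to a caller-supplied send function, and records the send time of every packet in the order it went out. The in-memory pcap builder and the frame payloads are constructed only as sample input; the raw-socket sender assumes a Linux host with CAP_NET_RAW and is not used in the demo.

```python
"""Replay a pre-captured packet set, logging the send time of each packet.

Added example, not code from the patent. It reads classic libpcap files so a
captured packet set can be replayed through any send function (raw socket on
a lab interface, or the in-memory sink used in the demo).
"""
import socket
import struct
import time
from dataclasses import dataclass
from typing import Callable, Iterator, List

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1


@dataclass(frozen=True)
class Frame:
    captured_at: float  # timestamp stored by the original capture
    data: bytes         # link-layer frame bytes as stored in the capture


@dataclass(frozen=True)
class ReplayEntry:
    index: int      # position of the packet within the set
    sent_at: float  # replayer's clock when the packet was sent
    length: int     # number of bytes sent


def read_pcap(blob: bytes) -> Iterator[Frame]:
    """Parse a classic pcap file held in memory.

    Raises ValueError on an unknown magic number or a truncated record, so a
    damaged packet set fails loudly instead of being partially replayed.
    """
    if len(blob) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:  # the file was written big-endian
        order = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset < len(blob):
        if len(blob) - offset < PCAP_RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", blob[offset:offset + PCAP_RECORD_HEADER_LEN])
        offset += PCAP_RECORD_HEADER_LEN
        if len(blob) - offset < incl_len:
            raise ValueError(f"truncated packet data at offset {offset}")
        yield Frame(ts_sec + ts_usec / 1e6, blob[offset:offset + incl_len])
        offset += incl_len


def build_pcap(frames: List[bytes], first_ts: int = 1_300_000_000) -> bytes:
    """Write a little-endian classic pcap file; used here only to construct sample input."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def replay(pcap_blob: bytes, send: Callable[[bytes], object], gap: float = 0.0) -> List[ReplayEntry]:
    """Send every frame of the packet set in order and record when each one went out.

    The per-packet log is the troubleshooting record the text describes; replay
    stops by itself after the last frame so the listening phase can begin.
    """
    log: List[ReplayEntry] = []
    for index, frame in enumerate(read_pcap(pcap_blob)):
        send(frame.data)
        log.append(ReplayEntry(index, time.time(), len(frame.data)))
        if gap:
            time.sleep(gap)
    return log


def raw_sender(interface: str) -> Callable[[bytes], object]:
    """Sender for a Linux interface (requires CAP_NET_RAW); assumed, not exercised in the demo."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    sock.bind((interface, 0))
    return sock.send


if __name__ == "__main__":
    # Constructed sample: two made-up Ethernet-sized frames standing in for a captured set.
    sample = build_pcap([b"\xaa" * 60, b"\xbb" * 80])
    sent: List[bytes] = []
    for entry in replay(sample, sent.append):
        print(f"packet {entry.index}: {entry.length} bytes sent at {entry.sent_at:.6f}")
```

The `gap` argument paces the replay; with an in-line IPS the pacing and the total replay time feed directly into the delay value the monitor uses for its listening window.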
The device under test then triggers alert information. Optionally, this alert information is an SNMP trap (Simple Network Management Protocol trap). SNMP is a family of protocols and specifications that provide a way of collecting network management information from devices on a network; it also gives devices a way of reporting problems and errors to a network management workstation. SNMP trap messages are event-driven and are sent only after an event occurs. Applied to a device's rule alerts, an SNMP trap alert is sent as soon as an event that triggers a rule alert occurs, conveying the real-time state of the rule alert to the administrator so that the administrator learns the device's real-time protection status more quickly. An SNMP trap message also carries an OID field that distinguishes the various types of alert information well, which makes it easy to confirm each alert entry. Therefore, without affecting the workflow of the network monitoring device, this provides an event-triggered synchronisation mechanism that ensures the device under test triggers SNMP trap alerts in real time, accurately and without omission.
Optionally, the alert information may instead be Syslog alert information. Syslog is an industry-standard protocol that can be used to record device logs. It provides a transport that allows a device to pass event information over the network to a receiver, also called a log server. Normally, log messages are sent via the Syslog protocol to a remote log server using the User Datagram Protocol (UDP); the remote log server listens on UDP port 514 with syslogd and processes the messages according to the configuration in syslog.conf, filing events according to that configuration for use by back-end databases and for response. Because every process, application and operating system operates more or less independently, the content of Syslog messages is not always consistent and may need to be customised according to the configuration. In an embodiment of the invention, when an event that triggers a rule alert occurs, the device under test triggers alert information and the triggered alert information is converted into a Syslog alert via the Syslog protocol.
The invention is not limited to these two types of alert information, however; other ways of generating alert information may equally be used.
The monitor 130 listens, during a predetermined delay period, for the alert information triggered by the device under test and passes that alert information to the determining device 140. The predetermined delay period is counted from the moment the playback device 120 replays the packet set to the device under test. It may comprise a delay value corresponding to the packet set plus a time deviation value corresponding to the time required for data transfer between the rule testing device 100 and the device under test. Optionally it may also include the time the device under test needs to trigger the alert. The delay is designed this way because replaying all the packets takes time, the packets take time to reach the device under test, the device under test takes time to trigger the alert, and the alert takes time to reach the monitor 130 in the rule testing device 100.
In addition, the time deviation value is adjustable, which allows the device to adapt to different network environments: once the network environment changes, the deviation value can be adjusted according to actual test results, increased when network latency is high and reduced when it is low.
The purpose of this delay design is to make the test results more accurate, so the delay value should be set reasonably according to actual conditions: if the delay is set too long, the advantage of automated rule testing is lost, and if it is set too short, the rule test results become inaccurate.
Optionally, when the alert information is SNMP trap alert information, the monitor 130 opens an SNMP trap session and listens in real time for the SNMP trap alerts triggered by the device under test; the monitor 130 then acts as the client (receiver) for the SNMP trap alerts. Each time the monitor 130 receives an SNMP trap alert, it converts it into a record containing the IP address of the device under test that sent the trap, the event ID (event_id) of the alert just received and the current time, for the judgement performed in the determining device 140.
Optionally, when the alert information is Syslog alert information, the monitor 130 acts as the log server described above to receive the Syslog alerts. Each time it receives a Syslog alert, it converts it into a record containing the IP address of the device under test that sent the alert, the event ID (event_id) of the alert just received and the current time, for the judgement performed in the determining device 140.
The determining device 140 reads the expected alert information from the rule memory 110, receives the monitored alert information from the monitor 130, and produces the test result on whether the device under test successfully applied the rule according to whether the monitored alert information includes the expected alert information.
Specifically, if the event IDs (event_id) of the monitored alerts are judged to include the event ID of the expected alert information, the determining device 140 produces the result that the device under test successfully applied the rule (pass); if the event IDs of the monitored alerts do not include the event ID of the expected alert information, the determining device 140 produces the result that the device under test failed to apply the rule (fail).
As noted above, the judgement is whether the event IDs of the monitored alerts "include" the event ID of the expected alert, rather than simply whether the monitored alert information is exactly the expected alert information. The reason is that the packet set generated by the playback device 120 for a rule may trigger several related alerts. For example, if the characteristic of an attack is that it is embedded in packets downloaded over HTTP, the device under test may trigger the alert for the attack and at the same time the alert for the HTTP download, and both alerts are correct. What we care about, however, is whether the attack alert is present, so the "includes" relation is emphasised.
Optionally, when many rules in the rule memory 110 are to be tested, the playback device 120, monitor 130 and determining device 140 can test the device under test rule by rule. This testing can be automated: after the playback device 120, monitor 130 and determining device 140 have tested the device under test for one rule, the next rule can be read and tested automatically.
Optionally, the rule testing device 100 further comprises a manager for receiving the test results and generating a test report from them, and a display connected to the manager for showing the test results.
Whether a test result is a pass or a failure, it is recorded in the manager and a corresponding test report is generated. The test report contains the event ID and event description of the alert information received from the monitor 130, the corresponding packet set information, the IP address of the device under test and the test result. Producing the test report makes it easy, after rule testing has finished, to count the passes and failures for each device under test, and also makes it convenient to query and track historical test results later.
The display provided in the rule testing device 100 also allows real-time inspection of whether the current alert information matches expectations, which helps to control the rule testing process. If a large number of the early test results are already failures, the current rule test can be paused and the possible causes investigated, to ensure the accuracy and validity of the test results.
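The monitor, determining device and per-device report described above, as an added example that is not code from the patent or from NSFOCUS. It shows the listener's conversion of a received Syslog alert into the (device IP, event ID, arrival time) record, the listening window built from the packet set's delay value plus the adjustable deviation, the "includes" judgement (containment of the expected event IDs, so an extra HTTP-download alert does not fail the rule, while alerts from another device or outside the window do not count), and the per-device pass/fail tally for the report. It assumes the device reports alerts as RFC 3164-style Syslog lines whose message carries an "event_id=<number>" token; that token, the host names, IP addresses, event IDs and timestamps are all constructed for the example.

```python
"""Listening window, pass/fail judgement and per-device tally for an automated rule test.

Added example, not code from the patent. The "event_id=<n>" token in the
Syslog message is an assumed convention; real devices encode the event ID
differently and parse_alert would be adapted to their format.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# RFC 3164 style: "<PRI>Mon dd hh:mm:ss host message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
EVENT_ID_RE = re.compile(r"\bevent_id=(?P<id>\d+)\b")


@dataclass(frozen=True)
class Alert:
    device_ip: str      # source address of the Syslog datagram, not the hostname in the line
    event_id: str       # rule/event identifier carried in the message
    received_at: float  # listener's clock at arrival, not the device's own timestamp


@dataclass(frozen=True)
class RuleCase:
    rule_id: str
    expected_event_ids: FrozenSet[str]  # a rule may expect more than one alert
    replay_seconds: float               # delay value: time needed to replay the packet set


def parse_alert(line: str, src_ip: str, received_at: float) -> Optional[Alert]:
    """Convert one received Syslog line into the record used for judging.

    Lines that are not Syslog, or carry no event ID (heartbeats and the like), are dropped.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    e = EVENT_ID_RE.search(m.group("msg"))
    if e is None:
        return None
    return Alert(src_ip, e.group("id"), received_at)


def alert_window(case: RuleCase, replay_started_at: float, deviation: float) -> Tuple[float, float]:
    """Listening window counted from the start of replay.

    deviation is the adjustable allowance for transit, rule evaluation and alert
    delivery: raise it on slow links, lower it on fast ones.
    """
    return replay_started_at, replay_started_at + case.replay_seconds + deviation


def judge(case: RuleCase, dut_ip: str, alerts: Iterable[Alert], window: Tuple[float, float]) -> str:
    """'pass' if every expected event ID was seen from this device inside the window.

    Containment rather than equality: extra alerts raised by the same packet set
    do not fail the rule; alerts from other devices or outside the window do not count.
    """
    start, end = window
    seen = {a.event_id for a in alerts
            if a.device_ip == dut_ip and start <= a.received_at <= end}
    return "pass" if case.expected_event_ids <= seen else "fail"


def tally(results: Iterable[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-device pass/fail counts from (device IP, rule ID, verdict) rows, for the test report."""
    counts: Dict[str, Dict[str, int]] = {}
    for dut_ip, _rule_id, verdict in results:
        counts.setdefault(dut_ip, {"pass": 0, "fail": 0})[verdict] += 1
    return counts


# Constructed Syslog traffic as the listener would see it: (line, sender IP, arrival time).
SAMPLE_RECEIVED = [
    ("<13>Mar  1 10:00:01 ips01 ids: event_id=4321 HTTP download observed", "10.0.0.5", 101.0),
    ("<13>Mar  1 10:00:02 ips01 ids: event_id=1001 attack signature matched", "10.0.0.5", 102.0),
    ("<13>Mar  1 10:00:02 ips01 ids: heartbeat ok", "10.0.0.5", 102.5),
    ("<13>Mar  1 10:00:08 ips02 ids: event_id=1001 attack signature matched", "10.0.0.6", 108.0),
    ("<13>Mar  1 10:00:09 ips01 ids: event_id=1001 attack signature matched", "10.0.0.5", 109.0),
]


def sample_alerts() -> List[Alert]:
    """Parsed form of the constructed sample; lines without an event ID are dropped."""
    return [a for a in (parse_alert(*row) for row in SAMPLE_RECEIVED) if a is not None]


if __name__ == "__main__":
    case = RuleCase("R-1001", frozenset({"1001"}), replay_seconds=2.5)
    window = alert_window(case, replay_started_at=100.0, deviation=1.0)  # 100.0 .. 103.5
    verdicts = [(ip, case.rule_id, judge(case, ip, sample_alerts(), window))
                for ip in ("10.0.0.5", "10.0.0.6")]
    print(verdicts)
    print(tally(verdicts))
```

In a live harness the rows in `SAMPLE_RECEIVED` come from a UDP socket bound to port 514 (`recvfrom` supplies the sender address, the listener supplies the arrival clock), and the window is recomputed per rule from that rule's replay time; an SNMP trap receiver would feed the same `Alert` records after mapping the trap OID to an event ID.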
Fig. 2 is a flow chart of a rule testing method 200 according to an embodiment of the invention.
The rule testing method 200 begins with step 201, in which a rule that defines a specific network data pattern is read. The rule and its corresponding expected alert information may be stored in the rule memory 110 of the embodiment described with reference to Fig. 1. As in that embodiment, there may be many rules, and a single rule may have several pieces of corresponding expected alert information.
Then, in step 202, the packet set corresponding to the rule that was read is generated. This packet set may be obtained from packets captured in a real network environment, and its purpose is to manufacture attack traffic.
Optionally, the rule testing method 200 may further include, after step 201 and before step 202, a step (not shown) of pre-storing the packet sets corresponding to the expected alert information. The packet sets may be stored in advance in the packet set memory of the embodiment described with reference to Fig. 1. In that case, step 202 of generating the packet set corresponding to the rule comprises reading the pre-stored packet set corresponding to the expected alert information in order to generate the packet set corresponding to the rule.
Again, although several ways of generating a packet set from a rule have been given above, those skilled in the art will understand that any way of generating the packet set corresponding to a rule from that rule falls within the scope of the invention.
Then, in step 203, the packet set corresponding to the rule generated in step 202 is replayed to the device under test to manufacture attack traffic. As in the embodiment described with reference to Fig. 1, the current time is recorded as each packet is replayed, to make troubleshooting easier: if, for example, the device behaves abnormally, the recorded information helps to track down and resolve the problem. After all the specified packets have been replayed, the subsequent test process is carried out.
Steps 201, 202 and 203 above are suitable for execution by the playback device 120 of the embodiment described with reference to Fig. 1.
The device under test then triggers alert information. As in the embodiment described with reference to Fig. 1, the alert information may be SNMP trap alert information, Syslog alert information or another suitable type.
Then, in step 204, the alert information triggered by the device under test is monitored during a predetermined delay period. This predetermined delay period is set as in the embodiment described with reference to Fig. 1: it is counted from the replay of the packet set to the device under test and may comprise a delay value corresponding to the packet set plus a time deviation value corresponding to the time required for data transfer with the device under test. As before, the time deviation value is adjustable so as to suit different network environments, and can be adjusted according to actual test results once the network environment changes. Step 204 is suitable for execution by the monitor 130 of the embodiment described with reference to Fig. 1.
Then, in step 205, a test result on whether the device under test successfully applied the rule is produced according to whether the monitored alert information includes the expected alert information corresponding to the rule. Step 205 is suitable for execution by the determining device 140 of the embodiment described with reference to Fig. 1.
Optionally, as in the embodiment described with reference to Fig. 1, if the event IDs (event_id) of the monitored alerts are judged to include the event ID of the expected alert information, the result that the device under test successfully applied the rule (pass) is produced; if the event IDs of the monitored alerts do not include the event ID of the expected alert information, the result that the device under test failed to apply the rule (fail) is produced.
Optionally, when many rules are to be tested, the device under test can be tested rule by rule according to steps 201, 202, 203, 204 and 205 above. This testing can be automated: after the device under test has been tested for one rule according to steps 201-205, the next rule can be read and tested automatically.
Optionally, the rule testing method 200 may further comprise, after step 205, the steps of receiving the test results and generating a test report from them, and displaying the test results. As in the embodiment described with reference to Fig. 1, these steps make it easy, after rule testing has finished, to count the passes and failures for each device under test, make it convenient to query and track historical test results, and allow real-time inspection of whether the current alert information matches expectations, which helps to control the rule testing process.
Fig. 3 shows a block diagram of rule test system 500 according to an embodiment of the invention. Rule test system 500 comprises at least one device under test 400 and rule test equipment 100.
Rule test equipment 100 may be the rule test equipment of the embodiment described with reference to Fig. 1; it is coupled via a network to the at least one device under test 400 and tests the at least one device under test 400. The device under test 400 and the rule test equipment 100 in rule test system 500 may operate as in the embodiment described with reference to Fig. 1.
Optionally, rule test system 500 further comprises network access device 300, to which the at least one device under test 400 and rule test equipment 100 are all connected, so that rule test equipment 100 can test each of the at least one device under test 400 simultaneously.
Optionally, network access device 300 may be a hub, a router or a similar device. In addition, optionally, rule test equipment 100 here uses two network interface cards: one connected to the intranet, and the other connected to network access device 300.
Simultaneous testing of many devices under test 400 is achieved by using the broadcast capability of network access device 300. Rule test equipment 100 sends the network packet set to one end of network access device 300, from where it is broadcast through each interface at the other end of network access device 300 to each device under test 400.
Device under test 400 may have multiple network interfaces, one of which is connected to the intranet, for two purposes: first, convenient control; second, normal communication with rule test equipment 100, so that alarm information can be sent to rule test equipment 100. In addition, optionally, device under test 400 is connected to network access device 300 in a bypass (off-path) deployment.
In addition, since the validity of a rule is tested on many devices under test 400 in bulk at the same time, the IP address of each device under test 400 is recorded. Moreover, so that test results can be viewed in a targeted manner, separate reports are produced for different devices under test 400 in the finally generated test report.
The present invention uses automated rule test equipment and an automated rule test method, which greatly improve the efficiency of rule testing for network protection product families, as can be seen from the following aspects:
First, the deployment of the application environment of the invention is simple, and it supports testing devices under test in batches at the same time. The cost of adding a device under test to the rule test is relatively low: it suffices to provide network access device ports matching the number of devices under test (devices under test may also be cascaded). For a device under test, only its listening port needs to be set to the port connected to the network access device; for the rule test equipment, only the web service needs to be set up. Compared with building a live network attack environment as in the prior art described above (where building each attack environment may consume a large amount of manpower and resources), the present invention has a great advantage. By replaying the network packet set to the device under test so that it triggers alarm information, the present invention equally achieves the effect of testing rule validity.
In addition, to reduce repetitive manual work in testing and improve test efficiency, the present invention automates the replay of network packet sets and the statistics of test results: the automated rule test means replay the specified network packet set to the device under test, and the test results produced are compared with the expected results so that passes and failures are counted at the same time. This avoids manually sending network packet sets and checking data entries one by one for confirmation, which greatly reduces workload and improves operating efficiency.
In addition, the present invention uses event-triggered alarm information such as SNMP trap alarm information or Syslog alarm information, thereby implementing a synchronization mechanism driven by the events triggered on the device under test, which ensures that the device under test triggers alarm information in real time, accurately and without omission.
In addition, the present invention adapts well to network environments. The present invention proposes that, after the network packet set is replayed to the device under test, alarm information arriving at the monitor within a predetermined delay is valid, while alarm information arriving at the determining device after the predetermined delay is invalid; the predetermined delay equals the sum of a delay value corresponding to the packet set and a time deviation value corresponding to the time required for data transfer between the rule test equipment and the device under test, and this time deviation value is set to be adjustable. The present invention thereby excludes the delay of the device itself and of transmission between devices, lowers the requirements on the network environment, adapts well to the needs of different network environments and increases flexibility.
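The validity window described in the paragraph above, as an added example in Python (not the patent's own code): the predetermined delay is computed as the packet-set delay value plus the adjustable deviation, and only alarms whose arrival time falls between the start of the replay and that deadline are passed on to the judgement. The timestamps, event IDs and delay values below are constructed; the example shows that a deviation set too small turns a genuinely raised alarm into a spurious fail, which is why the patent makes the deviation adjustable.

```python
"""Added example (not the patent's own code): the validity window for
monitored alarms.  Predetermined delay = packet-set delay + adjustable
deviation; alarms arriving after replay_time + that delay are discarded.
All timestamps and alarm values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimedAlarm:
    event_id: str
    arrived_at: float   # seconds (monotonic clock) at which the monitor received it


def predetermined_delay(packet_set_delay: float, deviation: float) -> float:
    """Delay value corresponding to the packet set (e.g. how long its replay
    takes) plus the adjustable deviation covering transfer time between the
    rule test equipment and the device under test."""
    if packet_set_delay < 0 or deviation < 0:
        raise ValueError("delays must be non-negative")
    return packet_set_delay + deviation


def valid_alarms(alarms, replay_time: float, delay: float):
    """Keep alarms that arrived in [replay_time, replay_time + delay].
    Earlier alarms belong to a previous rule's replay; later ones are invalid."""
    deadline = replay_time + delay
    return [a for a in alarms if replay_time <= a.arrived_at <= deadline]


def judge_with_window(expected_event_id, alarms, replay_time,
                      packet_set_delay, deviation) -> str:
    """Step 205 restricted to the alarms that are valid for this replay."""
    window = predetermined_delay(packet_set_delay, deviation)
    ids = {a.event_id for a in valid_alarms(alarms, replay_time, window)}
    return "pass" if expected_event_id in ids else "fail"


# Constructed monitor log: replay starts at t=100.0, the packet set takes 1.0 s
# to send, and the device under test answers 1.8 s after the replay began.
MONITORED = [
    TimedAlarm("1001", 99.5),    # stale alarm from the previous rule
    TimedAlarm("1002", 101.8),   # the alarm expected for this rule
    TimedAlarm("1003", 103.0),   # late and unrelated
]


def demo():
    # deviation too small: the expected alarm falls outside the window -> fail
    strict = judge_with_window("1002", MONITORED, 100.0, 1.0, 0.5)
    # deviation enlarged to cover the observed transfer time -> pass
    tuned = judge_with_window("1002", MONITORED, 100.0, 1.0, 1.0)
    return strict, tuned


if __name__ == "__main__":
    print(demo())
```

When tuning the deviation on a real test network, a practitioner would measure the spread between replay start and alarm arrival over a few known-good rules and set the deviation slightly above the largest observed value, so that the window excludes stale or unrelated alarms without discarding legitimate ones.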
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the rule test equipment according to embodiments of the invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Claims (22)

1. Rule test equipment (100) for testing a device under test that carries out network communication with it, the rule test equipment (100) comprising:
a rule memory (110) for storing rules and expected alarm information corresponding to the rules, the rules being rules for generating particular network data for the device under test;
a playback device (120) for reading the rule from the rule memory (110), generating a network packet set corresponding to the rule, and replaying the network packet set to the device under test;
a monitor (130) for monitoring, within a predetermined delay, the alarm information triggered by the device under test; and
a determining device (140) for reading the expected alarm information from the rule memory (110), receiving the monitored alarm information from the monitor (130), and producing a test result on whether the device under test successfully applied the rule according to whether the monitored alarm information includes the expected alarm information.
2. The rule test equipment of claim 1, wherein if the monitored alarm information includes the expected alarm information, the determining device (140) produces a test result that the device under test successfully applied the rule; and if the monitored alarm information does not include the expected alarm information, the determining device (140) produces a test result that the device under test failed to apply the rule.
3. The rule test equipment of claim 1, wherein the predetermined delay is counted from the replay of the network packet set by the playback device (120) to the device under test.
4. The rule test equipment of any of claims 1-3, wherein the predetermined delay is set according to the sum of a delay value corresponding to the network packet set and a time deviation value corresponding to the time required for data transfer between the rule test equipment (100) and the device under test.
5. The rule test equipment of any of claims 1-3, further comprising a network packet set memory for pre-storing the network packet set corresponding to the expected alarm information, wherein the playback device (120) generates the network packet set corresponding to the rule by reading, from the network packet set memory, the pre-stored network packet set corresponding to the expected alarm information.
6. The rule test equipment of any of claims 1-3, wherein the rule memory (110) stores more than one rule, and the playback device (120), the monitor (130) and the determining device (140) test the device under test rule by rule.
7. The rule test equipment of any of claims 1-3, wherein the rule test equipment (100) further comprises:
a manager for receiving the test result and generating a test report according to the test result; and
a display, connected to the manager, for displaying the test result.
8. The rule test equipment of claim 7, wherein the test report includes the event ID and event description information of the alarm information received from the monitor (130), the corresponding network packet set information, the IP address of the device under test and the test result.
9. The rule test equipment of any of claims 1-3, wherein the alarm information is Simple Network Management Protocol trap alarm information.
10. The rule test equipment of any of claims 1-3, wherein the alarm information is Syslog alarm information.
11. A rule test method (200) for testing a device under test that carries out network communication, the method (200) comprising the steps of:
reading a rule for generating particular network data for the device under test (201), generating a network packet set corresponding to the rule (202), and replaying the network packet set to the device under test (203);
monitoring, within a predetermined delay, the alarm information triggered by the device under test (204); and
producing a test result on whether the device under test successfully applied the rule according to whether the monitored alarm information includes the expected alarm information corresponding to the rule (205).
12. The rule test method of claim 11, wherein if the monitored alarm information includes the expected alarm information, a test result that the device under test successfully applied the rule is produced; and if the monitored alarm information does not include the expected alarm information, a test result that the device under test failed to apply the rule is produced.
13. The rule test method of claim 11, wherein the predetermined delay is counted from the replay of the network packet set to the device under test.
14. The rule test method of any of claims 11-13, wherein the predetermined delay is set according to the sum of a delay value corresponding to the network packet set and a time deviation value corresponding to the time required for data transfer between the rule test equipment (100) and the device under test.
15. The rule test method of any of claims 11-13, further comprising the step of pre-storing the network packet set corresponding to the expected alarm information, wherein generating the network packet set corresponding to the rule comprises reading the pre-stored network packet set corresponding to the expected alarm information to generate the network packet set corresponding to the rule.
16. The rule test method of any of claims 11-13, wherein the rule comprises more than one rule, and the rule test method (200) tests the device under test rule by rule.
17. The rule test method of any of claims 11-13, the method (200) further comprising the steps of:
receiving the test result and generating a test report according to the test result; and
displaying the test result.
18. The rule test method of claim 17, wherein the test report includes the event ID and event description information of the monitored alarm information, the corresponding network packet set information, the IP address of the device under test and the test result.
19. The rule test method of any of claims 11-13, wherein the alarm information is Simple Network Management Protocol trap alarm information.
20. The rule test method of any of claims 11-13, wherein the alarm information is Syslog alarm information.
21. A rule test system (500), comprising:
at least one device under test (400); and
rule test equipment (100) as claimed in any of claims 1-9, coupled via a network to the at least one device under test (400) so as to test the at least one device under test (400).
22. The rule test system of claim 21, further comprising a network access device (300), wherein the at least one device under test (400) and the rule test equipment (100) are all connected to the network access device (300), so that the rule test equipment (100) can test each of the at least one device under test (400) simultaneously.
CN201110052045.XA 2011-03-04 2011-03-04 Rule test equipment and method Active CN102209006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110052045.XA CN102209006B (en) 2011-03-04 2011-03-04 Rule test equipment and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110052045.XA CN102209006B (en) 2011-03-04 2011-03-04 Rule test equipment and method

Publications (2)

Publication Number Publication Date
CN102209006A CN102209006A (en) 2011-10-05
CN102209006B true CN102209006B (en) 2014-09-03

Family

ID=44697677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110052045.XA Active CN102209006B (en) 2011-03-04 2011-03-04 Rule test equipment and method

Country Status (1)

Country Link
CN (1) CN102209006B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106301994B (en) * 2015-06-24 2023-11-03 北京京东尚科信息技术有限公司 Network communication abnormity testing method and device
CN110380924A (en) * 2019-06-13 2019-10-25 深圳市星火原智能科技有限公司 A kind of apparatus testing method and device
CN110445691B (en) * 2019-08-16 2020-03-24 上海锵戈科技有限公司 Method and device for testing network service transmission performance by combining customization and playback
CN110543409B (en) * 2019-08-29 2020-06-02 南方电网数字电网研究院有限公司 Hardware data acquisition method and device, computer equipment and storage medium
CN113726779B (en) * 2021-08-31 2023-07-07 北京天融信网络安全技术有限公司 Rule false alarm testing method and device, electronic equipment and computer storage medium
CN113992438B (en) * 2021-12-27 2022-03-22 北京微步在线科技有限公司 Network security detection method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744524A (en) * 2005-09-02 2006-03-08 杭州华为三康技术有限公司 Invasion detecting device and invasion detecting system
CN101184003A (en) * 2007-12-03 2008-05-21 中兴通讯股份有限公司 NMP based front and background alarm management system and management method thereof
CN101227327A (en) * 2008-02-02 2008-07-23 中兴通讯股份有限公司 Method for concentrating network managing system and uploading lower level alarm information

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7657497B2 (en) * 2006-11-07 2010-02-02 Ebay Inc. Online fraud prevention using genetic algorithm solution

Also Published As

Publication number Publication date
CN102209006A (en) 2011-10-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: NSFOCUS TECHNOLOGY CO., LTD.

Effective date: 20140619

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20140619

Address after: 100089, Haidian District Road, Beijing, No. 1, green business district, block A, 10 floor

Applicant after: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai five storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 10th floor, block a, Qingdong business district, No.1 Landao Gou, Haidian District, Beijing

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 10th floor, block a, Qingdong business district, No.1 Landao Gou, Haidian District, Beijing

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

CP01 Change in the name or title of a patent holder