CN102255910B - Method and device for testing performance of intrusion prevention product - Google Patents

Method and device for testing performance of intrusion prevention product Download PDF

Info

Publication number
CN102255910B
CN102255910B CN201110193295.5A CN201110193295A CN102255910B CN 102255910 B CN102255910 B CN 102255910B CN 201110193295 A CN201110193295 A CN 201110193295A CN 102255910 B CN102255910 B CN 102255910B
Authority
CN
China
Prior art keywords
ips
application layer
products
product
attack message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201110193295.5A
Other languages
Chinese (zh)
Other versions
CN102255910A (en
Inventor
窦尧
张红学
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN201110193295.5A priority Critical patent/CN102255910B/en
Publication of CN102255910A publication Critical patent/CN102255910A/en
Application granted granted Critical
Publication of CN102255910B publication Critical patent/CN102255910B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for testing the performance of an intrusion prevention product. The method comprises the following steps of: adding an attack message while forwarding pure application layer flow by an IPS (Information Processing System) product; and determining the current effective application layer throughput of the IPS product according to the forwarding situation of the pure application layer flow and the recognition situation of the attack message by the IPS product. The device comprises testing equipment, replay equipment and testing result determination equipment. Specific to the characteristics of the IPS product, the flow of an application layer protocol is used for producing higher pressure on a detection engine of the IPS product, and the real throughput performance of the type of product is verified at a flow close to the practical working environment of the type of product. According to the method and the device, a throughput performance value of a real application layer and an attack action denial capacity shown on the basis of ensuring a safety performance of the IPS product can be verified.

Description

A kind of method and apparatus of test intrusion prevention properties of product
Technical field
The present invention relates to technical field of network security, more particularly to a kind of method of test intrusion prevention properties of product and dress Put.
Background technology
High speed development of the Internet in worldwide has brought the information of great convenience and magnanimity.But It is that thing followed problem is exactly how the privacy of network and safety should ensure, that is, the problem of network security.
Originally, the thought of network security is exactly to allow some address Lawful access to specify resource, forbids the non-of other addresses Method is accessed.So, packet filter firewall arises at the historic moment, and this fire wall is operated in Internet, by IP (Internet Protocol, Internet protocol) address carries out attaching filtering.Then, as the agreement used in network becomes increasingly complex, bag Filter fire-proof wall cannot meet the needs for using, and then occur in that the fire wall based on state.Such fire wall In addition to IP address, to be also controlled according to protocol type and port numbers.Most functions of this class firewall are all Concentrate on transport layer.But, with the progress of attack technology, many attack meanses judge it is all to close in Internet and transport layer The access of method, but such as can complete to attack using the leak of some protocol stacks or system by the means of some application layers.For The attack of this application layer, either packet filter firewall or status firewall all cannot be competent at protected working, so IPS (Intrusion Prevention System, intrusion prevention system) product is occurred as soon as.
The attack type being directed to by intrusion prevention product, determines that such product is the network equipment for being operated in application layer. Also, the operating position of this kind of product is typically to connect the key position of outer net and Intranet, institute in the main communications line of user The safety of user is determined with the attack protective capacities of the product.The application layer handling capacity for also having the product of no less important, It determines the speed of user's proper network flow forwarding, has been largely fixed the availability of the network environment.
The current method phase to the universal method of testing of IPS product handling capacities and test mode firewall product handling capacity Together, test topology is as shown in figure 1, construct TCP (Transmission ControlProtocol, transmission control in test equipment Agreement processed) message communication flows, foundation per second has x TCP connection, and each TCP connection interaction data amount is y bytes, test Typically last for 60 seconds.If in this 60 seconds, the data volume in all of 60x TCP connections all passes through IPS products and forwards into Work(, then the handling capacity of IPS products is exactly (8xy) bps (bit per second).With such method of testing, test every time By increasing the quantity for setting up TCP connections per second, that is, the numerical value of x, increase IPS products need per second data to be processed Amount, until occurring in that TCP connection data retransmission failure, approaches the maximum throughput performance number of IPS products in this way.
The defect of prior art:
1st, test data on flows content excessively simple.Above-mentioned IPS product throughput testing approach is and firewall product Throughput testing approach identical, but introduced in the introduction, firewall product is substantially operated in transport layer, so Only the IP address in flow, agreement and port numbers are checked and judged, so the test side of this pure TCP flow amount handling capacity Formula is relatively more suitable for firewall product.But for IPS products, due to being operated in application layer, need to detect each agreement of application layer Whether field contents are safe to determine flow.And IPS products process this pure TCP flow amount when, due to flow content ratio It is relatively simple, so what pressure will not be produced to the detecting and alarm of IPS products substantially, cause this pure TCP flow to measure what is tried out The handling capacity that the handling capacity of IPS products can be processed in true environment with such product generally differs very big, so as to lose Reference value.
2nd, test result cannot prove that tested IP S product can also complete its safety guarantee task under such handling capacity. The most basic function of IPS products is exactly to detect and block aggressive behavior, on this basis, it is ensured that normal discharge quickly can turn Send out, but in existing testing scheme, due to using pure tcp data flow, even if tested IPS products normally can turn Send out, but cannot also ensure under such handling capacity, whether the equipment also has the ability is detected and block aggressive behavior.So existing The test result of testing scheme most cannot functionally make guarantee at all in IPS products, also just lose reference value.
The content of the invention
The technical problem to be solved in the present invention is to provide a kind of method and apparatus of test intrusion prevention properties of product, its Test result can reflect handling capacity of the IPS products in true environment.
The technical solution used in the present invention is, the method for the test intrusion prevention properties of product, including:
Step one, IPS products forward pure application layer traffic while add attack message;
Step 2, according to forwarding situation of the IPS products to pure application layer traffic and the identification situation to attack message, really Make the currently active application layer handling capacity of IPS products.
Further, the pure application layer traffic is:The theoretical maximum application layer handling capacity of IPS products.
Further, the addition attack message, specifically includes:
The attack message of Transmission Control Protocol used in crawl actual environment;
The attack message for grabbing is reset in IPS products, playback time guarantee the source IP address of each attack message with Purpose IP address are different from other attack messages.
Further, forwarding situation and the identification to attack message according to IPS products to pure application layer traffic Situation, determines the currently active application layer handling capacity of IPS products, specifically includes:
If it is successfully first condition that IPS products are all forwarded to pure application layer traffic, IPS products are to attack message all knowledges It is not successfully second condition;
Judge first condition and second condition whether while satisfaction, if so, then reads the current application layer of IPS product accountings The currently active application layer handling capacity of flow, i.e. IPS products;The numerical value of pure application layer traffic is cut down otherwise after, repeat step One, till first condition and second condition meet simultaneously.
Further, the method also includes:
Step 3, the identification situation according to IPS products to attack message, determine the attack message verification and measurement ratio of IPS products.
The present invention also provides a kind of device of test intrusion prevention properties of product, including following ingredient:
Test equipment, for constructing the pure application layer traffic forwarded in IPS products;
Reproducing device, for, while IPS products forward pure application layer traffic, sending attack message to IPS products;
Test result determines equipment, for according to IPS products to the forwarding situation of pure application layer traffic and to attack report The identification situation of text, determines the currently active application layer handling capacity of IPS products.
Further, the pure application layer traffic is:The theoretical maximum application layer handling capacity of IPS products.
Further, the reproducing device, specifically includes:
Packet capturing module, for capturing the attack message of Transmission Control Protocol used in actual environment;
Import modul, for the attack message for grabbing is reset in IPS products, playback time guarantees each attack message Source IP address it is different with other attack messages from purpose IP address.
Further, if it is successfully first condition that IPS products are all forwarded to pure application layer traffic, IPS products are to attacking Message all to recognize be successfully second condition;
The test result determines equipment, specifically includes:
Whether judge module, for judging first condition and second condition while satisfaction, if so, then calls read module; Adjusting module is called otherwise;
Adjusting module, for cutting down after the numerical value of pure application layer traffic, test equipment and reproducing device are called in repetition, until Till first condition and second condition meet simultaneously, read module is called;
Read module, for reading the current application laminar flow amount of IPS product accountings, the i.e. the currently active application layer of IPS products Handling capacity.
Further, described device also includes:
Verification and measurement ratio computing module, for the identification situation according to IPS products to attack message, determines attacking for IPS products Hit packet check rate.
Using above-mentioned technical proposal, the method and apparatus of test intrusion prevention properties of product of the present invention has following excellent Point:
1st, for intrusion prevention product the characteristics of, using detecting and alarm of the flow of application layer protocol to intrusion prevention product Larger pressure is produced, goes to verify the true handling capacity of such product with the flow for being close to such product actual working environment Energy.
2nd, appropriate attack traffic is also added into while application layer traffic is applied, to verify under such handling capacity Whether intrusion prevention product can also normally detect all attack messages, to ensure the normal execution of its security functions.This The normal use flow of sample more presses close to flow of the intrusion prevention product in actual working environment with reference to the situation of attack traffic Composition, is able to verify that out the true application layer showed on the basis of its security functions is ensured by intrusion prevention product Throughput performance value.
3rd, the ability of intrusion prevention product blocking aggressive behavior is tested out on the basis of certain application layer traffic.
Description of the drawings
Fig. 1 is test network topology schematic diagram in prior art;
Fig. 2 is the method flow diagram that first embodiment of the invention tests intrusion prevention properties of product;
Fig. 3 is the apparatus structure schematic diagram that second embodiment of the invention tests intrusion prevention properties of product;
Fig. 4 is third embodiment of the invention test network topology situation schematic diagram;
Fig. 5 is the survey of third embodiment of the invention test equipment and reproducing device to intrusion prevention products application layer handling capacity Examination process schematic.
Specific embodiment
For further illustrating the present invention for reaching technological means and effect that predetermined purpose is taken, below in conjunction with accompanying drawing And preferred embodiment, technical scheme is described in detail as after.
First embodiment of the invention, as shown in Fig. 2 a kind of method of test intrusion prevention properties of product, including following tool Body step:
Step S101, in test period, adds attack message while IPS products forward pure application layer traffic.It is preferred that , pure application layer traffic is:The theoretical maximum application layer handling capacity of IPS products.
Specifically, the process of attack message in step S101, is added, including:
A1, captures attack message in the attack process of use Transmission Control Protocol once complete from actual environment;
A2, the attack message for grabbing is reset in IPS products, and playback time guarantees the source IP address of each attack message It is different from other attack messages with purpose IP address.
Step S102, if it is successfully first condition that IPS products are all forwarded to pure application layer traffic, IPS products are to attacking Message all recognize successfully as second condition, whether judges first condition and second condition while satisfaction, if so, then execution step S104;Otherwise execution step S103;
Step S103, after cutting down the numerical value of pure application layer traffic, repeats step S101 and starts follow-up test period, Till first condition and second condition meet simultaneously, execution step S104;If the numerical value of pure application layer traffic be cut to 0 it Before, first condition and second condition still can not meet simultaneously, then illustrate that IPS products break down exception, unavailable.
Step S104, reads the current application laminar flow amount of IPS product accountings, i.e. the currently active application layer of IPS products is handled up Amount.
Step S105, the identification situation according to IPS products to attack message, determine the attack message detection of IPS products Rate.Specifically, on the basis of certain application layer traffic, the attack message quantity that IP available S products have been detected is divided by step The attack message quantity reset in S101, draws verification and measurement ratio of the IPS products to attack message.
Second embodiment of the invention, as shown in figure 3, a kind of device of test intrusion prevention properties of product, including such as the following group Into part:
Test equipment 10, within the test period, constructing the pure application layer traffic forwarded in IPS products.Preferably, Pure application layer traffic is:The theoretical maximum application layer handling capacity of IPS products.
Reproducing device 20, for, while IPS products forward pure application layer traffic, sending attack message to IPS products. Reproducing device 20, specifically includes:
Packet capturing module 21, attacks for crawl in the attack process of once complete use Transmission Control Protocol from actual environment Message;
Import modul 22, for the attack message for grabbing is reset in IPS products, playback time guarantees that each attacks report The source IP address of text is different with other attack messages from purpose IP address.
Test result determines equipment 30, for according to IPS products to the forwarding situation of pure application layer traffic and to attack The identification situation of message, determines the currently active application layer handling capacity of IPS products and the verification and measurement ratio to attack message.
Specifically, if it is successfully first condition that IPS products are all forwarded to pure application layer traffic, IPS products are to attacking report Literary all identification be successfully second condition.Test result determines equipment 30, specifically includes:
Whether judge module 31, for judging first condition and second condition while satisfaction, if so, then calls read module 33;Adjusting module 32 is called otherwise;
Adjusting module 32, for cutting down after the numerical value of pure application layer traffic, test equipment 10 and reproducing device are called in repetition Import modul 22 in 20 starts follow-up test period, till first condition and second condition meet simultaneously, calls reading Delivery block 33;If before the numerical value of pure application layer traffic is cut to 0, first condition and second condition still can not meet simultaneously, Then illustrate that IPS products break down exception, it is unavailable.
Read module 33, for reading the current application laminar flow amount of IPS product accountings, the i.e. the currently active application of IPS products Layer handling capacity.
Verification and measurement ratio computing module 34, for the identification situation according to IPS products to attack message, determines IPS products Attack message verification and measurement ratio.Specifically, judge first condition and second condition whether while when meeting in judge module 31, i.e. On the basis of certain application layer traffic, the attack message quantity that the IPS products of verification and measurement ratio computing module 34 have been detected is divided by leading Enter the attack message quantity of the playback of module 22, draw verification and measurement ratio of the IPS products to attack message.
Third embodiment of the invention, introduces a test IPS products application layer on the basis of first and second embodiment and handles up The example of amount and blocking attacking ability.
Network topology situation is as shown in figure 4, necessary hardware equipment:One or more is used for sending the test of application layer traffic Equipment, a playback PC (Personal Computer) for being used for Replay Attack message.If test equipment selects BPS testers Table, the then function can with Replay Attack message simultaneously need not adopt special reproducing device;If test equipment is selected AVALANCHE test instrumentations, then only have the function of sending application layer traffic, now can be using double netcard playback PC as weight Equipment is put, the flow of Replay Attack message is provided.Message playback software is installed, under LINUX system on reproducing device Tcpreplay softwares or other playback softwares etc., double netcard be for the interaction of the simulated strike both sides in message playback procedure, One network interface card sends the message of " attacker → by attacker ", and another network interface card sends the message " by attacker → attacker ". In test process, while test equipment is constructed and sends application layer traffic, start Replay Attack message on reproducing device, And playback software can all change source IP address and the purpose IP address in message every time, to ensure the attack process of each playback With other attack processes using source IP address and purpose IP address be different from.Also, message is controlled on reproducing device The speed of playback, it is ensured that how many times attack message process of resetting each second, and control the general offensive message weight of whole test process Put number of times.
Test topology is described:Using a pair of test interfaces of test equipment, should if desired for multiple stage test equipment co-manufactured Use laminar flow amount, then then need the interface of all simulant-clients in these test equipments is connected on switch 1, to collect All flows for simulant-client sent from these interfaces, by an interface connection of these flows by switch 1 To on an interface of IPS products.Meanwhile, the interface at these test equipments all emulating server ends is connected to into switch 2 On, to collect all flows for emulating server end sent from these interfaces, these flows are passed through into the one of switch 2 Individual interface is connected on another interface of IPS products.The position worked due to IPS products is generally in user's Intranet and outer net Between, so the overwhelming majority is accessed using transparent communication mode, in this test, also using transparent mode as communication pattern Tested.
The configuration of IPS products:IPS product neededs load default configuration, and the default configuration should be IPS product manufacturer's recommendeds To the basic configuration of user, the rule of the attack detecting comprising the recommendation for having loaded, that is, configuration is varied without, IPS products are Test can be started.
As shown in figure 5, test equipment and reproducing device are as follows to the test process of IPS products application layer handling capacities:
Step S1, test equipment is using pure HTTP (Hyper Text Transfer Protocol, Hyper text transfer association View) flow rate test goes out the theoretical maximum application layer handling capacity of IPS products.The purpose of this step test is, by the maximum for testing out Initial value X of the theoretical application layer handling capacity as follow-up test.
Step S2, within this test period, constructs HTTP flows in IPS products by handling capacity basic value of initial value X Upper forwarding, while add the attack message that reproducing device is captured from true attack process, the process of this addition attack message Can also be referred to as resetting, general offensive message playback number of times is recorded as A.
Preferred playback speed is 150~200 times per second, should not select too small, so can not make what pressure to IPS products Power;Should not also select excessive, because in generally normal network environment, not having too many attack each second and occurring, select In the range of this, compare to press close to the frequency of attack message generation in true environment.General offensive message playback number of times A is equal to per second heavy Put the time that number of times is multiplied by test period.The time span of test period is preferably 60 seconds.
Step S3, after the completion of the test of this test period, judges the HTTP flows squeezed into as index with initial value X whether All normally forwarded by IPS products, in this way, then execution step S4, otherwise execution step S6.
Specifically, can be judged according to the statistical information in test equipment, as the HTTP flows of application layer are bases In the TCP connection transmission set up, connect if all of TCP and all normally open, after transmission HTTP data, normally can close Close, then think with the HTTP flows that initial value X is squeezed into as index all successfully to forward;If seeing statistics letter in test equipment There is the TCP connections of failure in breath, then think with the HTTP flows that initial value X is squeezed into as index successfully to forward without whole.
Step S4, judges whether the whole A attack messages reset all are gone out by IPS Product checkings, if so, then proves On the basis of equipment under test successfully forwards whole HTTP flows, whole attack messages are have identified, execution step S8 is otherwise held Row step S5.
Specifically, watch on IPS products the same attack message that IPS Product checkings are arrived in this test period time Number, is recorded as A1 time.Judge whether the attack message number of times A1 that general offensive message playback number of times A and IPS Product checking goes out is equal, If equal, prove that IPS products, on the basis of successfully whole HTTP flows are forwarded, identify whole attack messages;Such as It is really unequal, then prove IPS products on the basis of current HTTP flows, it is impossible to the whole attack message of identification, occur in that missing inspection The phenomenon of attack message.
Step S5, the attack message number of times A1 gone out with IPS Product checkings are obtained divided by general offensive message playback number of times A In the case that forwarding HTTP flows are X, IPS products are to attacking packet check rate.
Whether step S6, the HTTP flows Y actually forwarded in judging current test period are more than the 10% of initial value X, if It is, then execution step S7, otherwise end of test.
Because whole testing scheme is to approach the true handling capacity being devices under by the way of step is near, set whenever tested When for whole HTTP flows cannot be forwarded or cannot detect that all attack causes test crash, it is required for test HTTP flow-reductions, so needing to judge, if Y more than X 10%, then can start to test next time;If Y is little If the 10% of X, then after illustrating to add attack traffic, the true application layer handling capacity of IPS products is less than initial value X's 10%, it is now it is believed that the IPS products have serious problems, substantially unavailable, record the tested intrusion prevention product and exist Serious problems, it is impossible to complete test, end of test.
Stepping 10% in the present invention can be flexibly selected according to the projected throughput of IPS products, such as, for design is gulped down IPS product of the amount of telling for gigabit, stepping can elect 10%~20%, preferably 10% as;For projected throughput is 100,000,000 IPS products, stepping can elect 5%~10%, preferably 5% as.
Step S7, initial value X is deducted the value obtained by the 10% of initial value X as new initial value X, step is re-executed Rapid S2 starts subsequent test cycles.
Step S8, it is the real application layer handling capacity of IPS products directly to record the initial value X used in this test period Performance number result.
The method and apparatus of test intrusion prevention properties of product of the present invention has following advantages:
1st, for intrusion prevention product the characteristics of, using detecting and alarm of the flow of application layer protocol to intrusion prevention product Larger pressure is produced, goes to verify the true handling capacity of such product with the flow for being close to such product actual working environment Energy.
2nd, appropriate attack traffic is also added into while application layer traffic is applied, to verify under such handling capacity Whether intrusion prevention product can also normally detect all attack messages, to ensure the normal execution of its security functions.This The normal use flow of sample more presses close to flow of the intrusion prevention product in actual working environment with reference to the situation of attack traffic Composition, is able to verify that out the true application layer showed on the basis of its security functions is ensured by intrusion prevention product Throughput performance value.
3rd, the ability of intrusion prevention product blocking aggressive behavior is tested out on the basis of certain application layer traffic.
By the explanation of specific embodiment, should to the present invention for reach technological means that predetermined purpose is taken and Effect is able to more go deep into and specific understanding, but appended diagram is only to provide reference and purposes of discussion, not for originally Invention is any limitation as.

Claims (6)

1. it is a kind of test intrusion prevention properties of product method, it is characterised in that include:
Step one, intrusion prevention system IPS products forward pure application layer traffic while add attack message;The addition is attacked Message is hit, is specifically included:
The attack message of transmission control protocol TCP used in crawl actual environment;
The attack message for grabbing is reset in IPS products, playback time guarantees the source IP address of each attack message and purpose IP address is different from other attack messages;
Step 2, according to forwarding situation of the IPS products to pure application layer traffic and the identification situation to attack message, determine The currently active application layer handling capacity of IPS products;
It is described according to forwarding situation of the IPS products to pure application layer traffic and the identification situation to attack message, determine IPS The currently active application layer handling capacity of product, specifically includes:
If it is successfully first condition that IPS products all forwards to pure application layer traffic, IPS products are all identified as to attack message Work(is second condition;
Judge first condition and second condition whether while satisfaction, if so, then reads the current application laminar flow of IPS product accountings Amount, the i.e. the currently active application layer handling capacity of IPS products;The numerical value of pure application layer traffic is cut down otherwise after, repeat step one, Till first condition and second condition meet simultaneously.
2. method according to claim 1, it is characterised in that the pure application layer traffic is:The theoretical maximum of IPS products Application layer handling capacity.
3. the method according to any claim in claim 1 to 2, it is characterised in that the method also includes:
Step 3, the identification situation according to IPS products to attack message, determine the attack message verification and measurement ratio of IPS products.
4. it is a kind of test intrusion prevention properties of product device, it is characterised in that including following ingredient:
Test equipment, for constructing the pure application layer traffic forwarded in IPS products;
Reproducing device, for, while IPS products forward pure application layer traffic, sending attack message to IPS products;
The reproducing device, specifically includes:
Packet capturing module, for capturing the attack message of Transmission Control Protocol used in actual environment;
Import modul, for the attack message for grabbing is reset in IPS products, playback time guarantees the source of each attack message IP address is different with other attack messages from purpose IP address;
Test result determines equipment, for according to IPS products to the forwarding situation of pure application layer traffic and to attack message Identification situation, determines the currently active application layer handling capacity of IPS products;
If it is successfully first condition that IPS products all forwards to pure application layer traffic, IPS products are all identified as to attack message Work(is second condition;
The test result determines equipment, specifically includes:
Whether judge module, for judging first condition and second condition while satisfaction, if so, then calls read module;Otherwise Call adjusting module;
Adjusting module, for cutting down after the numerical value of pure application layer traffic, test equipment and reproducing device are called in repetition, until first Till condition and second condition meet simultaneously, read module is called;
Read module, for reading the current application laminar flow amount of IPS product accountings, i.e. the currently active application layer of IPS products is handled up Amount.
5. device according to claim 4, it is characterised in that the pure application layer traffic is:The theoretical maximum of IPS products Application layer handling capacity.
6. the device according to any claim in claim 4 to 5, it is characterised in that described device also includes:
Verification and measurement ratio computing module, for the identification situation according to IPS products to attack message, determines the attack report of IPS products Literary verification and measurement ratio.
CN201110193295.5A 2011-07-11 2011-07-11 Method and device for testing performance of intrusion prevention product Active CN102255910B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110193295.5A CN102255910B (en) 2011-07-11 2011-07-11 Method and device for testing performance of intrusion prevention product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110193295.5A CN102255910B (en) 2011-07-11 2011-07-11 Method and device for testing performance of intrusion prevention product

Publications (2)

Publication Number Publication Date
CN102255910A CN102255910A (en) 2011-11-23
CN102255910B true CN102255910B (en) 2017-03-22

Family

ID=44982906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110193295.5A Active CN102255910B (en) 2011-07-11 2011-07-11 Method and device for testing performance of intrusion prevention product

Country Status (1)

Country Link
CN (1) CN102255910B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970186B (en) * 2012-12-03 2019-01-25 网神信息技术(北京)股份有限公司 The method for testing performance and device of equipment
CN105245393B (en) * 2014-06-30 2018-11-02 中国移动通信集团公司 A kind of fire wall performance test method and device
CN105208584A (en) * 2015-10-19 2015-12-30 上海斐讯数据通信技术有限公司 Method and device for testing safety of WIFI equipment
CN106998323B (en) * 2017-03-06 2020-08-14 深信服科技股份有限公司 Application layer network attack simulation method, device and system
CN109150649B (en) * 2018-06-07 2021-04-23 武汉思普崚技术有限公司 Network performance test method and system
CN108683689B (en) * 2018-08-01 2021-01-29 公安部第三研究所 Improved test system and method for realizing NIDS and NIPS intrusion detection function
CN110245147B (en) * 2019-06-19 2021-08-13 腾讯科技(深圳)有限公司 Block chain data processing method and device, readable storage medium and computer equipment
CN111107083B (en) * 2019-12-18 2021-11-23 杭州迪普科技股份有限公司 White list specification testing method and device
CN114553551B (en) * 2022-02-24 2024-02-09 杭州迪普科技股份有限公司 Method and device for testing intrusion prevention system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018156A (en) * 2007-02-16 2007-08-15 华为技术有限公司 Method, device and system for preventing the broadband rejection service attack
CN101035034A (en) * 2007-04-02 2007-09-12 华为技术有限公司 Method and device for detecting the message attack
CN102082707A (en) * 2010-12-24 2011-06-01 汉柏科技有限公司 Parallel processing performance test method for multinuclear firewall

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8443444B2 (en) * 2009-11-18 2013-05-14 At&T Intellectual Property I, L.P. Mitigating low-rate denial-of-service attacks in packet-switched networks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018156A (en) * 2007-02-16 2007-08-15 华为技术有限公司 Method, device and system for preventing the broadband rejection service attack
CN101035034A (en) * 2007-04-02 2007-09-12 华为技术有限公司 Method and device for detecting the message attack
CN102082707A (en) * 2010-12-24 2011-06-01 汉柏科技有限公司 Parallel processing performance test method for multinuclear firewall

Also Published As

Publication number Publication date
CN102255910A (en) 2011-11-23

Similar Documents

Publication Publication Date Title
CN102255910B (en) Method and device for testing performance of intrusion prevention product
US9350758B1 (en) Distributed denial of service (DDoS) honeypots
JP3968724B2 (en) Network security system and operation method thereof
CN101001242B (en) Method of network equipment invaded detection
CN105812200B (en) Anomaly detection method and device
CN108494672A (en) A kind of industrial communication gateway, industrial data security isolation system and method
Nyasore et al. Deep packet inspection in industrial automation control system to mitigate attacks exploiting modbus/TCP vulnerabilities
Saboor et al. Experimental evaluation of Snort against DDoS attacks under different hardware configurations
CN107122685A (en) A kind of big data method for secure storing and equipment
CN107241304A (en) A kind of detection method and device of DDos attacks
CN111510436A (en) Network security system
Buchanan et al. A methodology to evaluate rate-based intrusion prevention system against distributed denial-of-service (DDoS).
JP6233414B2 (en) Information processing apparatus, filtering system, filtering method, and filtering program
CN107454065A (en) A kind of means of defence and device of UDP Flood attacks
CN108040075B (en) APT attack detection system
CN102970186B (en) The method for testing performance and device of equipment
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN108989275A (en) A kind of attack prevention method and device
JP4159814B2 (en) Interactive network intrusion detection system and interactive intrusion detection program
KR101551537B1 (en) Information spill prevention apparatus
CN111541706B (en) Method for detecting system anti-DDoS performance
CN109688088B (en) Method, device and tester for testing escape resistance of network intrusion protection system
JP2009169781A (en) Network quarantine system
CN112688938B (en) Network performance measurement system and method based on attack and defense modes
JP5402304B2 (en) Diagnostic program, diagnostic device, and diagnostic method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant after: BEIJING TOPSEC TECHNOLOGY CO., LTD.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant before: Beijing heaven melts letter Science Technologies Co., Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: BEIJING HEAVEN MELTS LETTER SCIENCE TECHNOLOGIES CO., LTD. TO: BEIJING TOPSEC TECHNOLOGY CO., LTD.

C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant after: Beijing heaven melts letter Science Technologies Co., Ltd.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant before: BEIJING TOPSEC TECHNOLOGY CO., LTD.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: BEIJING TOPSEC TECHNOLOGY CO., LTD. TO: BEIJING HEAVEN MELTS LETTER SCIENCE TECHNOLOGIES CO., LTD.

CB02 Change of applicant information

Address after: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant after: BEIJING TOPSEC TECHNOLOGY CO., LTD.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant before: Beijing heaven melts letter Science Technologies Co., Ltd.

COR Change of bibliographic data
CB02 Change of applicant information

Address after: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant after: Beijing heaven melts letter Science Technologies Co., Ltd.

Address before: 100085 Beijing East Road, No. 1, building No. 301, building on the north side of the floor, room 3, room 3

Applicant before: BEIJING TOPSEC TECHNOLOGY CO., LTD.

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant