CN102752275A - Matching route generation method and related device for signature library - Google Patents

Matching route generation method and related device for signature library

Publication number
CN102752275A
Authority
CN
China
Prior art keywords
network data
signature library
IPS
signature matching
matching path
Legal status
Granted
Application number
CN201110461977XA
Other languages
Chinese (zh)
Other versions
CN102752275B (en)
Inventor
周
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority to CN201110461977.XA (granted as CN102752275B)
Publication of CN102752275A
Priority to PCT/CN2012/086346 (WO2013097600A1)
Application granted
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

An embodiment of the invention discloses a matching route generation method and a related device for a signature library, used to improve the efficiency of signature matching in an intrusion prevention system (IPS). The method includes: layering and classifying the IPS signature library to obtain N signature sub-libraries; obtaining application statistics, which are accumulated after feature identification of network data; selecting from the N signature sub-libraries, according to the application statistics, M signature sub-libraries suited to the user group corresponding to those statistics, M being an integer greater than 1 and less than N; and generating from the M signature sub-libraries a first matching route corresponding to the user group, so that an IPS signature matching device can use the first matching route to perform IPS signature matching on the network data of that user group.

Description

Matching path generation method and related device for a signature library
Technical field
The present invention relates to the communications field, and in particular to a matching path generation method and related device for a signature library.
Background
With the development of the Internet, network attacks are rising rapidly, seriously affecting the data security of enterprise users and at the same time posing a serious threat to the personal information security of individual users. An intrusion prevention system (IPS) can identify the data of various illegal intrusions and clean it, keeping users clear of network attacks and ensuring the security of their data; IPS has therefore become the main network-side protective means for ensuring user data security.
In practice, the network data that pose a threat to users are numerous: viruses, Trojan horses, backdoor programs, rogue software (including spyware, adware, browser hijackers and so on), phishing programs (online fraud), spam and so on. The IPS signature library (the feature database of network threats) is therefore very large, generally at the 10K level, and the matching targets are distributed from layer 2 through layer 7. An IPS thus consumes a great deal of resources and runs with low performance. For enterprise users with heavier network traffic, the performance of existing IPS clearly cannot meet actual demand, so improving IPS performance is urgent.
Summary of the invention
Embodiments of the invention provide a matching path generation method and related device for a signature library, used to improve the efficiency with which an IPS performs signature matching.
The matching path generation method for a signature library provided by the invention comprises: layering and classifying the intrusion prevention system (IPS) signature library to obtain N signature sub-libraries, N being an integer greater than 1; obtaining application statistics, the application statistics being accumulated after feature identification of network data; according to the application statistics, selecting from the N signature sub-libraries M signature sub-libraries suited to the user group corresponding to the application statistics, M being an integer greater than 1 and less than N; and generating, from the M signature sub-libraries, a first matching path corresponding to the user group, so that an IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group, the first matching path being a memory address mapping of the M signature sub-libraries.
Optionally, the application statistics comprise:
a user identifier, and the application type and application information corresponding to the user identifier;
and selecting from the N signature sub-libraries, according to the application statistics, the M signature sub-libraries matching the user group corresponding to the application statistics comprises:
looking up the user group corresponding to the user identifier; selecting from the N signature sub-libraries, according to a preset rule, the signature sub-libraries matching the application type and application information corresponding to the user identifier; and collecting the M signature sub-libraries corresponding to all user identifiers in the user group.
Optionally, the application statistics further comprise:
the usage ratio corresponding to the application type;
and generating the first matching path corresponding to the user group from the M signature sub-libraries comprises:
setting a matching priority for the M signature sub-libraries according to the usage ratio corresponding to each application type; and configuring matching nodes in order of matching priority to obtain the first matching path corresponding to the user group, the matching nodes corresponding one-to-one to the memory addresses of the signature sub-libraries.
Optionally, the method further comprises: updating the application statistics every preset interval; computing a second matching path from the updated application statistics; determining whether the IPS signature matching device is using the first matching path for IPS signature matching; if not, replacing the first matching path with the second matching path; if so, letting IPS signature matching already in progress continue with the first matching path while newly created IPS signature matching tasks use the second matching path, and replacing the first matching path with the second once the IPS signature matching tasks using the first matching path have ended.
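The path replacement described above, as an added example in Python (not the patent's own code): a holder that hands the newest path to every new matching task, keeps an old path alive while tasks still hold it, and drops it when the last such task ends. The names MatchingPath and PathHolder and the sub-library names are assumptions; the periodic recomputation of the second path from updated statistics is represented by a direct call to replace().

```python
"""Replacing a user group's matching path without disturbing in-progress matching tasks.

Added example, not code from the patent. Sub-library names are constructed sample data.
"""
import threading
from dataclasses import dataclass


@dataclass
class MatchingPath:
    version: int
    sub_libraries: tuple   # ordered sub-library names (constructed sample data)
    in_use: int = 0        # number of IPS matching tasks currently holding this path


class PathHolder:
    """Holds the current matching path of one user group and retires old ones safely."""

    def __init__(self, initial: MatchingPath):
        self._lock = threading.Lock()
        self._current = initial
        self._retiring = []    # old paths still referenced by running tasks

    def acquire(self) -> MatchingPath:
        """A newly created matching task calls this: it always receives the newest path."""
        with self._lock:
            self._current.in_use += 1
            return self._current

    def release(self, path: MatchingPath) -> None:
        """A finished task calls this; retired paths are dropped once nobody holds them."""
        with self._lock:
            path.in_use -= 1
            self._retiring = [p for p in self._retiring if p.in_use > 0]

    def replace(self, new_path: MatchingPath) -> bool:
        """Install the recomputed (second) path.

        Returns True when the old path was not in use and could be dropped at once,
        False when running tasks still hold it and it is kept until they finish.
        """
        with self._lock:
            old = self._current
            self._current = new_path
            if old.in_use == 0:
                return True
            self._retiring.append(old)
            return False

    def current_version(self) -> int:
        with self._lock:
            return self._current.version

    def retiring_count(self) -> int:
        with self._lock:
            return len(self._retiring)


if __name__ == "__main__":
    holder = PathHolder(MatchingPath(1, ("base", "os_win", "app_http")))
    running = holder.acquire()                      # a task starts on path 1
    print("dropped at once:", holder.replace(MatchingPath(2, ("base", "os_win", "app_http", "app_ftp"))))
    print("new task sees version", holder.acquire().version, "; old task keeps", running.version)
    holder.release(running)
    print("paths awaiting retirement:", holder.retiring_count())
```

Because acquire() and replace() both run under the holder's lock, a task can never observe a half-installed path, and a path is only freed after its in_use count reaches zero.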
The IPS signature matching method provided by the invention comprises: obtaining network data and querying its user identifier; looking up the user group corresponding to the user identifier, and obtaining the matching path corresponding to the user group from the mapping between user groups and matching paths; and performing IPS signature matching on the network data using that matching path; the matching path being generated from M signature sub-libraries of the IPS signature library, the M signature sub-libraries being chosen, according to application statistics of network data, from all N signature sub-libraries of the IPS signature library, N being an integer greater than 1, M being an integer greater than 1 and less than N, and the matching path being a memory address mapping of the M signature sub-libraries.
Optionally, performing IPS signature matching on the network data using the matching path corresponding to the user identifier comprises: performing IPS signature matching on the network data with the signature sub-libraries corresponding to the matching nodes of the matching path, in order; if any signature in one of those signature sub-libraries matches the network data, the IPS signature matching ends and the matching result is output; if every signature in the M signature sub-libraries fails to match, the IPS signature matching ends.
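The matching procedure described above, as an added example in Python (not code from the patent): the sub-libraries on a user group's path are scanned in order and the first hit ends the matching. The sub-libraries, signatures and payloads are constructed sample data, and Python object references stand in for the memory addresses of the patent's mapping table.

```python
"""Matching network data along a user group's matching path (IPS matching device side).

Added example, not the patent's code. At most the M sub-libraries on the path are
touched; a path covering the whole library (N sub-libraries) is kept for comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: bytes      # a fixed byte string, one of the feature kinds the patent names


@dataclass(frozen=True)
class SubLibrary:
    name: str
    signatures: tuple


# Constructed sample sub-libraries with hypothetical signatures (not real IPS content).
SUB_LIBRARIES = {
    "base":     SubLibrary("base",     (Signature("BASE-001", b"\x00\x00\x00\x00\xff\xff"),)),
    "os_win":   SubLibrary("os_win",   (Signature("WIN-001",  b"\x90\x90\x90\x90\xeb"),)),
    "app_http": SubLibrary("app_http", (Signature("HTTP-001", b"../../../../etc/passwd"),)),
    "app_ftp":  SubLibrary("app_ftp",  (Signature("FTP-001",  b"SITE CHMOD " + b"A" * 200),)),
    "app_smtp": SubLibrary("app_smtp", (Signature("SMTP-001", b"MAIL FROM:<" + b"A" * 300),)),
}

# Matching path of a web-centric user group: M = 3 of the N = 5 sub-libraries,
# ordered base layer, operating system layer, application layer.
PATH_WEB_GROUP = [SUB_LIBRARIES["base"], SUB_LIBRARIES["os_win"], SUB_LIBRARIES["app_http"]]

# Every sub-library, i.e. what matching against the entire library would scan.
PATH_FULL = list(SUB_LIBRARIES.values())


def match_along_path(path, payload: bytes):
    """Return (signature id of the first hit or None, number of sub-libraries scanned)."""
    scanned = 0
    for sub in path:
        scanned += 1
        for sig in sub.signatures:
            if sig.pattern in payload:
                return sig.sig_id, scanned   # any hit ends the matching; result is reported
    return None, scanned                     # every signature in the M sub-libraries failed


if __name__ == "__main__":
    for payload in (b"GET /../../../../etc/passwd HTTP/1.1",
                    b"GET /index.html HTTP/1.1",
                    b"MAIL FROM:<" + b"A" * 300):
        print(payload[:24], "path:", match_along_path(PATH_WEB_GROUP, payload),
              "full:", match_along_path(PATH_FULL, payload))
```

Running the SMTP payload against PATH_WEB_GROUP returns (None, 3) while PATH_FULL returns ("SMTP-001", 5): the path never consults the sub-libraries it omits. That is the trade-off the method makes, and it relies on the statistics update (a newly observed application type raising its usage ratio past the preset value) to bring a sub-library into the path before the group's traffic carries the corresponding attack.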
Optionally, after the network data are obtained, the method further comprises: performing feature identification on the network data; and using the result of the feature identification to update the application statistics stored by the IPS signature matching device.
The path generating device provided by the invention comprises: a classification unit, for layering and classifying the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1; an information acquisition unit, for obtaining application statistics accumulated after feature identification of network data; a signature library selection unit, for selecting from the N signature sub-libraries, according to the application statistics, M signature sub-libraries suited to the user group corresponding to the application statistics, M being an integer greater than 1 and less than N; and a path generation unit, for generating from the M signature sub-libraries a first matching path corresponding to the user group, so that an IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group, the first matching path being a memory address mapping of the M signature sub-libraries.
Optionally, the signature library selection unit comprises: a user group lookup module, for looking up the user group corresponding to the user identifier in the application statistics; a signature library selection module, for selecting from the N signature sub-libraries, according to a preset rule, the signature sub-libraries matching the application type and application information corresponding to the user identifier; and a signature library statistics module, for collecting the M signature sub-libraries corresponding to all user identifiers in the user group.
Optionally, the path generation unit comprises: a priority setting module, for setting a matching priority for the M signature sub-libraries according to the usage ratio corresponding to each application type; and a matching path generation module, for configuring matching nodes in order of matching priority to obtain the first matching path corresponding to the user group, the matching nodes corresponding one-to-one to the memory addresses of the signature sub-libraries.
The IPS signature matching device provided by the invention comprises: a data acquisition unit, for obtaining network data and querying its user identifier; a path acquisition unit, for looking up the user group corresponding to the user identifier and obtaining the matching path corresponding to the user group from the mapping between user groups and matching paths; and a signature matching unit, for performing IPS signature matching on the network data using the matching path; the matching path being generated from M signature sub-libraries of the IPS signature library, the M signature sub-libraries being chosen, according to application statistics of network data, from all N signature sub-libraries of the IPS signature library, N being an integer greater than 1, M being an integer greater than 1 and less than N, and the matching path being a memory address mapping of the M signature sub-libraries.
The intrusion prevention system provided by the invention comprises a path generating device and an IPS signature matching device;
the path generating device is used to layer and classify the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1; obtain application statistics accumulated after feature identification of network data; select from the N signature sub-libraries, according to the application statistics, M signature sub-libraries suited to the user group corresponding to the application statistics, M being an integer greater than 1 and less than N; and generate from the M signature sub-libraries a matching path corresponding to the user group, so that the IPS signature matching device uses that matching path to perform IPS signature matching on the network data of the user group, the matching path being a memory address mapping of the M signature sub-libraries;
the IPS signature matching device is used to obtain network data, look up the user group corresponding to its user identifier, obtain the matching path corresponding to the user group from the mapping between user groups and matching paths, and perform IPS signature matching on the network data using that matching path.
It can be seen from the above technical solution that the embodiments of the invention have the following advantages:
In the embodiments of the invention, the IPS signature library is layered and classified into N signature sub-libraries; M of them are selected according to the application statistics to generate a matching path, and the IPS signature matching device performs IPS signature matching on network data using that path. Because the application statistics are accumulated after feature identification of the network data, the generated matching path matches the application characteristics of the corresponding user group; when IPS signature matching is performed on that group's network data, only the M (M < N) signature sub-libraries on the corresponding matching path need to be matched, which identifies the threat features effectively while avoiding matching the entire IPS signature library, and so improves the efficiency of IPS signature matching.
Description of drawings
Fig. 1 is a schematic flowchart of the matching path generation method for a signature library in an embodiment of the invention;
Fig. 2 is another schematic flowchart of the matching path generation method for a signature library in an embodiment of the invention;
Fig. 3 is a schematic flowchart of the IPS signature matching method in an embodiment of the invention;
Fig. 4 is another schematic flowchart of the IPS signature matching method in an embodiment of the invention;
Fig. 5 is another schematic flowchart of the IPS signature matching method in an embodiment of the invention;
Fig. 6 is a schematic logical structure diagram of the path generating device in an embodiment of the invention;
Fig. 7 is a schematic logical structure diagram of the IPS signature matching device in an embodiment of the invention;
Fig. 8 is a schematic logical structure diagram of the intrusion prevention system in an embodiment of the invention;
Fig. 9 is a schematic application diagram of the intrusion prevention system in an embodiment of the invention;
Fig. 10 is another schematic application diagram of the intrusion prevention system in an embodiment of the invention;
Fig. 11 is another schematic application diagram of the intrusion prevention system in an embodiment of the invention.
Embodiments
Embodiments of the invention provide a matching path generation method and related device for a signature library, used to improve the efficiency with which an IPS performs signature matching.
Referring to Fig. 1, an embodiment of the matching path generation method for a signature library is described. The executing entity of the method in this embodiment may be a path generating device. The path generating device may be an independent physical device that communicates with the equipment performing the signature matching function over a data line or a network connection; it may also be a software device installed, as a functional enhancement, on an existing network element of the intrusion prevention system, for example on a gateway device that performs the signature matching function. In other words, the path generating device may be external and stand-alone or built into an existing network element. The method may comprise:
101. Layer and classify the intrusion prevention system signature library;
The path generating device layers and classifies the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1. A signature in the IPS signature library is a threat feature of network data, which in practice may be a fixed string or a behavioural feature of the network data; the threat feature may be that of a virus, a Trojan horse, a backdoor program, rogue software (including spyware, adware, browser hijackers and so on), a phishing program (online fraud) or spam.
Specifically, the path generating device may layer and classify the IPS signature library according to the application attribute of each signature in the library. For example, the IPS signature library may be divided into three layers of signature sub-libraries: a base layer signature library, an operating system layer signature library and an application layer signature library. The base layer signature library mainly contains common signatures such as those for the protocol stack; the operating system layer signature library mainly contains signatures related to operating systems (for example the Windows "shock wave" (Blaster) vulnerability signature); and the application layer signature library mainly contains signatures related to application vulnerabilities (for example the Server-U overflow vulnerability signature library).
102. Obtain application statistics;
The path generating device obtains application statistics, which are accumulated after feature identification of network data. Specifically, the path generating device can obtain the application statistics from the statistics database of the IPS.
In practice, when the IPS signature matching device performs signature matching on network data it can also perform feature identification on that data, record and accumulate the results, and update the application statistics in real time from the accumulated results. Optionally, the application statistics include a user identifier together with the application type and application information corresponding to that user identifier. The user identifier may be a user name or five-tuple information (source Internet Protocol (IP) address, destination IP address, source port, destination port and transport layer protocol number); the application information may be the operating system information and service provider information associated with the application type.
103. Select the signature sub-libraries suited to the user group corresponding to the application statistics;
The path generating device selects from the N signature sub-libraries, according to the application statistics, M signature sub-libraries suited to the user group corresponding to the application statistics, M being an integer greater than 1 and less than N.
In practice, matching paths are set up for different types of users: users with the same features are classified into the same user group, and the number of users in a user group depends on the features chosen. For example, if user groups are divided according to the range of activity of mobile phone users, each area (provincial, municipal or county level) corresponds to one user group. Optionally, a user group may contain only one user.
When selecting signature libraries for a matching path, the application statistics of all users in the user group corresponding to that matching path need to be considered; for example, the application types a user commonly uses are obtained from the application statistics, and the corresponding signature sub-library is selected from the application layer signature library for each such application type.
When configuring the matching nodes of the matching path, the base layer signature library is mandatory (that is, it applies to all users); the operating system layer signature library differs with the operating system the users run (users of the same operating system match the same set of signature libraries); and the application layer signature library is matched according to the users' usage habits (for example, if the users in a user group never use Server-U, the signature sub-library for Server-U need not appear in the matching path of that user group).
104. Generate the first matching path corresponding to the user group from the M signature sub-libraries.
The path generating device generates from the M signature sub-libraries a first matching path corresponding to the user group, so that the IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group. The first matching path is a memory address mapping of the M signature sub-libraries; in practice this mapping can be implemented as a memory address mapping table.
In practice, each matching node in the matching path corresponds to the memory address of one of the M signature sub-libraries, so the matching path fixes the M signature sub-libraries that the network data of the corresponding user group must be matched against; when performing IPS signature matching, the IPS signature matching device matches the network data against the signature sub-libraries on the first matching path.
In the embodiments of the invention, the IPS signature library is layered and classified into N signature sub-libraries; M of them are selected according to the application statistics to generate a matching path, and the IPS signature matching device performs IPS signature matching on network data using that path. Because the application statistics are accumulated after feature identification of the network data, the generated matching path matches the application characteristics of the corresponding user group; when IPS signature matching is performed on that group's network data, only the M (M < N) signature sub-libraries on the corresponding matching path need to be matched, which identifies the threat features effectively while avoiding matching the entire IPS signature library, and so improves the efficiency of IPS signature matching.
The generation of the matching path is described in detail below. Referring to Fig. 2, another embodiment of the matching path generation method for a signature library comprises:
201. Layer and classify the intrusion prevention system signature library;
The path generating device layers and classifies the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1. As in step 101, a signature in the IPS signature library is a threat feature of network data (in practice a fixed string or a behavioural feature), and the threat feature may be that of a virus, a Trojan horse, a backdoor program, rogue software (including spyware, adware, browser hijackers and so on), a phishing program (online fraud) or spam.
Specifically, the path generating device may layer and classify the IPS signature library according to the application attribute of each signature in the library, for example into a base layer signature library (common signatures such as those for the protocol stack), an operating system layer signature library (signatures related to operating systems, for example the Windows "shock wave" (Blaster) vulnerability signature) and an application layer signature library (signatures related to application vulnerabilities, for example the Server-U overflow vulnerability signature library).
202. Obtain application statistics;
The path generating device obtains the application statistics from the statistics database of the IPS; the application statistics are accumulated after feature identification of network data. The application statistics comprise a user identifier, the application type and application information corresponding to that user identifier, and the usage ratio corresponding to the application type; the application statistics contain many such groups of user identifier, application type, application information and usage ratio.
In practice, when the IPS signature matching device performs signature matching on network data, it can also perform feature identification on that data, record and accumulate the results, and update the application statistics in real time. Specifically, the IPS signature matching device first performs protocol identification on the network data to obtain its user identifier, application protocol, application type and similar information; it can further perform deep analysis on the protocol-identified network data to obtain information such as the associated operating system and service provider; finally, the results of protocol identification and deep analysis are submitted to a statistics module, which produces the user identifier, the application type and application information corresponding to it, and the usage ratio of that application type. Optionally, the usage ratio may be computed from packet counts or from traffic volume, depending on the network threat being defended against; this is not limited here.
Depending on actual requirements, the parameters in the final application statistics may, in addition to the user identifier, application type, application information and usage ratio above, also include information such as application protocol, traffic volume or packet count; this is not limited here.
203. Select the signature sub-libraries suited to the user group corresponding to the application statistics;
The path generating device selects from the N signature sub-libraries, according to the application statistics, M signature sub-libraries suited to the user group corresponding to the application statistics, M being an integer greater than 1 and less than N.
Specifically, because matching paths are set up per user group (the division into user groups is completed in advance according to actual requirements), the relevant information of all users in a user group must be considered when choosing the signature sub-libraries that group needs to match. After obtaining the application statistics, the path generating device first looks up the user group corresponding to each user identifier in the application statistics (the user identifier may be source IP address, destination IP address, source port, destination port, transport layer protocol number and so on). It then selects from the N signature sub-libraries, according to a preset rule, the signature sub-libraries matching the application type and application information (which may be operating system information) corresponding to the user identifier; the preset rule may be: when the usage frequency of an application type reaches a preset value, choose the signature sub-library matching that application type (the signature sub-libraries having been classified by application type in step 201). Finally, the M signature sub-libraries corresponding to all user identifiers in the user group are collected, that is, the signature sub-libraries chosen from the data (application type and application information) of each user identifier are merged, with duplicates removed, to obtain the M signature sub-libraries corresponding to the user group.
When choosing signature sub-libraries, the base layer signature library is mandatory (it applies to all users); the operating system layer signature library differs with the operating system the users run (users of the same operating system match the same set of signature libraries); and the application layer signature library can be chosen according to the users' application information (as described in the preceding paragraph).
204. Generate the first matching path corresponding to the user group on the basis of the M sub-signature libraries.
The path generating apparatus generates, from the M sub-signature libraries, the first matching path corresponding to the user group, so that the IPS signature matching apparatus uses the first matching path to perform IPS signature matching on the network data of the user group.
Specifically, after the M sub-signature libraries have been obtained, and because each of them corresponds to a different application type and/or application information (operating system information), the usage frequency of each sub-signature library can be derived from the usage proportion of the corresponding application type, and a matching priority can then be set for each of the M sub-signature libraries (because the base layer signature library applies to all users of the group, the usage frequency of a sub-signature library belonging to the base layer need not be derived from the usage proportion, and its matching priority can be set to the highest). The path generating apparatus then deploys the matching nodes one after another in order of matching priority to obtain the first matching path of the user group, each matching node corresponding one-to-one to the storage address of a sub-signature library.
When IPS signature matching is performed, the IPS signature matching apparatus can match the sub-signature libraries one by one in the order of the matching nodes in the matching path, so that the sub-signature libraries with the highest usage frequency are matched first, which improves the efficiency of obtaining a match hit.
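As an added illustration (not code from the patent), the following Python sketch carries steps 203 and 204 through for one user group: it selects M of N sub-signature libraries from constructed application statistics and orders the matching nodes by priority, base layer first. The library names, storage addresses, the preset usage threshold of 0.10 and the statistics are all assumptions made for the example.

```python
"""Added example (not the patent's own code): generating a user group's first
matching path from N sub-signature libraries and the group's application
statistics, as described in steps 203 and 204. Library names, storage
addresses, the preset usage threshold and the statistics are all constructed."""
from dataclasses import dataclass

BASE, OS_LAYER, APP_LAYER = "base", "os", "app"   # layered classification of step 201


@dataclass(frozen=True)
class SubLibrary:
    name: str
    layer: str          # BASE, OS_LAYER or APP_LAYER
    target: str = ""    # OS name (OS layer) or application type (app layer)
    address: int = 0    # storage address the matching node points at (constructed)


@dataclass(frozen=True)
class AppStat:
    user_id: str        # user name or five-tuple; a plain string here
    app_type: str
    os_info: str        # application information: operating system of the user
    usage_ratio: float  # usage proportion of this application type


# Constructed IPS signature library already split into N = 6 sub-libraries
LIBRARIES = [
    SubLibrary("proto-stack", BASE, address=0x1000),
    SubLibrary("windows-os", OS_LAYER, "windows", 0x2000),
    SubLibrary("linux-os", OS_LAYER, "linux", 0x3000),
    SubLibrary("http-apps", APP_LAYER, "http", 0x4000),
    SubLibrary("ftp-apps", APP_LAYER, "ftp", 0x5000),
    SubLibrary("smtp-apps", APP_LAYER, "smtp", 0x6000),
]

# Constructed application statistics for one user group (four IDs)
GROUP_STATS = [
    AppStat("10.0.0.5:51000>203.0.113.9:80/6", "http", "windows", 0.55),
    AppStat("10.0.0.7:51001>203.0.113.9:21/6", "ftp", "windows", 0.30),
    AppStat("10.0.0.9:51002>203.0.113.9:25/6", "smtp", "linux", 0.08),
    AppStat("10.0.0.9:51003>203.0.113.9:443/6", "https", "linux", 0.07),
]


def select_sub_libraries(libraries, stats, preset_value=0.10):
    """Step 203: pick the M sub-libraries a user group needs, merged over all
    its IDs. The base layer is always included; the OS layer follows the
    operating systems seen in the group; an application layer library is chosen
    when its application type's usage proportion reaches the preset value.
    Returns {SubLibrary: usage frequency}, None for the base layer."""
    app_usage, os_usage = {}, {}
    for s in stats:
        app_usage[s.app_type] = app_usage.get(s.app_type, 0.0) + s.usage_ratio
        os_usage[s.os_info] = os_usage.get(s.os_info, 0.0) + s.usage_ratio
    chosen = {}
    for lib in libraries:
        if lib.layer == BASE:
            chosen[lib] = None
        elif lib.layer == OS_LAYER and lib.target in os_usage:
            chosen[lib] = os_usage[lib.target]
        elif lib.layer == APP_LAYER and app_usage.get(lib.target, 0.0) >= preset_value:
            chosen[lib] = app_usage[lib.target]
    return chosen


def generate_matching_path(chosen):
    """Step 204: one matching node (storage address) per chosen library,
    base layer first, then descending usage frequency."""
    ranked = sorted(chosen.items(),
                    key=lambda kv: (kv[0].layer != BASE, -(kv[1] or 0.0)))
    return [lib.address for lib, _ in ranked]


def build_first_path(libraries=LIBRARIES, stats=GROUP_STATS):
    """Steps 203 and 204 together; enforces the patent's 1 < M < N condition."""
    chosen = select_sub_libraries(libraries, stats)
    if not 1 < len(chosen) < len(libraries):
        raise ValueError("M must satisfy 1 < M < N")
    return generate_matching_path(chosen)


if __name__ == "__main__":
    for addr in build_first_path():
        print(hex(addr))
```

With the constructed statistics the smtp library falls below the preset value, so M = 5 of N = 6, and the linux OS library sorts last because only 15% of the group's usage comes from Linux hosts.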
205. Update the application statistics information every preset duration;
In practice, because network conditions vary, the types and frequencies of the network data received by the IPS signature matching apparatus may differ from moment to moment. The IPS signature matching apparatus in this embodiment can update the application statistics information in real time according to the network data it receives, and the path generating apparatus of the present invention can fetch the statistics gathered by the IPS signature matching apparatus every preset duration, thereby refreshing the application statistics information used to generate the matching path.
206. Calculate a second matching path using the updated application statistics information;
The generation of the second matching path is similar to steps 203 and 204 above and is not repeated here.
207. Update the matching path.
After the path generating apparatus confirms that the newly generated second matching path differs from the earlier first matching path, it triggers the matching path update procedure, specifically:
The path generating apparatus determines whether the IPS signature matching apparatus is currently using the first matching path for IPS signature matching. If not, the second matching path replaces the first matching path directly. If so, the IPS signature matching already in progress continues to use the first matching path, newly established IPS signature matching tasks use the second matching path, and once the matching tasks using the first matching path have terminated, the second matching path replaces the first.
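The hand-over rule of steps 205 to 207, modelled as an added Python example that is not part of the patent. The per-path task counters and the "busy" answer for a third path arriving while a hand-over is still draining are constructed for the example.

```python
"""Added example (not the patent's own code): the matching-path update rule of
steps 205 to 207. Paths are lists of matching-node addresses; the task
bookkeeping is constructed so the hand-over can be followed step by step."""


class MatchingPathManager:
    """Keeps the first path in use, a second path being phased in (if any)
    and the number of matching tasks still running on each of them."""

    def __init__(self, first_path):
        self.current = list(first_path)
        self.pending = None
        self.tasks = {tuple(self.current): 0}

    def update(self, new_path):
        """Step 207. Returns 'unchanged', 'replaced' (no matching task was
        using the first path), 'deferred' (old tasks still running; new tasks
        will use the second path) or 'busy' (a hand-over is already draining)."""
        new_path = list(new_path)
        target = self.pending if self.pending is not None else self.current
        if new_path == target:
            return "unchanged"
        if self.pending is None:
            if self.tasks[tuple(self.current)] == 0:
                self.current = new_path
                self.tasks = {tuple(new_path): 0}
                return "replaced"
            self.pending = new_path
            self.tasks[tuple(new_path)] = 0
            return "deferred"
        # A second path is already waiting for the first to drain. It may be
        # swapped for the newer path only while no task has started on it
        # (a constructed rule; the patent text describes two paths only).
        if self.tasks[tuple(self.pending)] == 0 and new_path != self.current:
            del self.tasks[tuple(self.pending)]
            self.pending = new_path
            self.tasks[tuple(new_path)] = 0
            return "deferred"
        return "busy"

    def start_task(self):
        """A newly established matching task uses the second path as soon as
        one exists; tasks already running stay on the first. Returns its path."""
        path = self.pending if self.pending is not None else self.current
        self.tasks[tuple(path)] += 1
        return list(path)

    def finish_task(self, path):
        """A matching task terminated. Once the first path has no task left,
        the second path replaces it."""
        self.tasks[tuple(path)] -= 1
        if self.pending is not None and self.tasks[tuple(self.current)] == 0:
            del self.tasks[tuple(self.current)]
            self.current, self.pending = self.pending, None


def handover_trace():
    """Constructed scenario: one task on the first path when the second arrives."""
    mgr = MatchingPathManager([0x1000, 0x2000])
    old_task = mgr.start_task()
    first = mgr.update([0x1000, 0x3000])       # deferred: old_task still running
    new_task = mgr.start_task()                # already gets the second path
    during = list(mgr.current)                 # first path still installed
    mgr.finish_task(old_task)                  # last user of the first path ends
    after = list(mgr.current)                  # second path now installed
    mgr.finish_task(new_task)
    return first, new_task, during, after


if __name__ == "__main__":
    print(handover_trace())
```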
The signature matching method of the intrusion prevention system of the present invention, which performs IPS signature matching with the matching path described above, is described below. Referring to Fig. 3, in one embodiment of the signature matching method of an intrusion prevention system, it should be understood that the executing agent of the method can be an IPS signature matching apparatus. The IPS signature matching apparatus can be an independent physical device whose product form may be a router, gateway device, network firewall device or the like, or it can be a software device installed as a functional enhancement on an existing network element of the intrusion prevention system. It should also be understood that the IPS signature matching apparatus can be supported as an independent external device or be built into an existing network element. The method can include:
301. Obtain network data;
The IPS signature matching apparatus obtains the network data on which signature matching is to be performed. Optionally, the apparatus may process all network data or only part of it. For example, instead of passing all network data through the IPS device, a smart switch can selectively divert one branch of traffic for IPS signature matching: based on its observation of abnormal networking behaviour, the smart switch steers network data showing abnormal behavioural characteristics to the IPS device, so that IPS signature matching is performed on that data.
302. Query the ID of the network data;
In this embodiment, because matching paths are set for different types of users, the ID of the network data must be queried before IPS signature matching is performed, so that the matching path corresponding to the ID can be found.
Specifically, after the ID corresponding to the network data is obtained, the user group to which the ID belongs can be looked up, and the matching path corresponding to that user group can then be found from the mapping between user groups and matching paths.
303. Use the matching path corresponding to the ID to perform IPS signature matching on the network data.
After the matching path corresponding to the ID has been found, the IPS signature matching apparatus uses that matching path to perform IPS signature matching on the network data.
The matching path is generated from M sub-signature libraries of the IPS signature library; the M sub-signature libraries are chosen, according to the application statistics information of the network data, from all N sub-signature libraries of the IPS signature library, where N is an integer greater than 1 and M is an integer greater than 1 and less than N.
Specifically, each matching node in the matching path corresponds to one of the M sub-signature libraries. The IPS signature matching apparatus matches the sub-signature library of each matching node in turn, in the order of the matching nodes. If matching succeeds against any sub-signature library, the network data carries a threat feature and the IPS takes the corresponding defensive action on it; if none of the signatures matches after all M sub-signature libraries have been matched, the network data is not a network threat and can be allowed through the IPS device.
In practice, the threat feature can take the form of fixed strings or behavioural characteristics of the network data, and the threat feature can be characteristic of a virus, Trojan horse, backdoor program, rogue software (including spyware, adware, browser hijackers and the like), phishing (online fraud) program or spam.
In this embodiment, because the matching path is generated from M sub-signature libraries of the IPS signature library, chosen from all N sub-signature libraries according to the application statistics information of the network data, where N is an integer greater than 1 and M is an integer greater than 1 and less than N, only the M (M < N) signature libraries of the corresponding matching path need to be matched when IPS signature matching is performed on the network data of a user group. Threat features can thus be identified effectively without matching the entire IPS signature library, which improves the efficiency of IPS signature matching.
How IPS signature matching is performed is described in detail below. Referring to Fig. 4, another embodiment of the signature matching method of an intrusion prevention system includes:
401. Obtain network data;
Step 401 of this embodiment is identical to step 301 of the embodiment shown in Fig. 3 and is not repeated here.
402. Query the ID of the network data;
In this embodiment, because matching paths are set for different types of users, the ID of the network data must be queried before IPS signature matching is performed, so that the matching path corresponding to the ID can be found.
Specifically, after the ID corresponding to the network data is obtained, the user group to which the ID belongs can be looked up, and the matching path corresponding to that user group can then be found from the mapping between user groups and matching paths.
403. Obtain signatures from a sub-signature library;
After the matching path corresponding to the ID is found, the IPS signature matching apparatus fetches the sub-signature library corresponding to the first matching node of the matching path, obtains the signatures of that library one by one, and triggers step 404 to perform matching.
After all signatures in the sub-signature library of the first matching node have been obtained, the IPS signature matching apparatus fetches the sub-signature library corresponding to the second matching node of the matching path and continues to obtain new signatures and trigger step 404, until the signatures of all sub-signature libraries have been matched. If any signature of a sub-signature library matches the network data, the IPS signature matching ends and the matching result is output; if all signatures of the M sub-signature libraries fail to match, the IPS signature matching likewise ends. Alternatively, once step 404 no longer triggers step 403 (that is, signature matching has succeeded), the flow of obtaining signatures ends.
404. Use the signature to match the network data.
The IPS signature matching apparatus uses the signature to match the network data. If the match succeeds, the IPS signature matching ends and the matching result is output; if the match fails, step 403 is triggered to continue obtaining the remaining signatures for matching.
In practice, because the deployment of matching nodes in the matching path can take the usage frequency of each sub-signature library into account, with the most frequently used sub-signature libraries placed first in the matching path, the sub-signature libraries with the highest probability of a signature hit (a successful signature match) are matched first during signature matching. Once a signature hits, the matching flow ends and the remaining sub-signature libraries need not be matched, which further improves the efficiency of IPS signature matching.
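The flow of steps 301 to 303, together with the per-signature detail of steps 401 to 404, as one added Python example (not the patent's code). The user groups, matching paths, signature byte strings and packets are constructed; the early stop after the first hit is what the preceding paragraph describes.

```python
"""Added example (not the patent's own code): the matching flow of steps 301
to 303 and 401 to 404 for one packet. User groups, matching paths,
sub-signature libraries, signatures and packets are constructed; signatures
are fixed byte strings, one of the threat feature forms the description names."""

# Constructed sub-signature libraries keyed by the storage address a matching
# node points at; each signature is (name, fixed byte string).
SUB_LIBRARIES = {
    0x1000: [("base-malformed-header", b"\xff" * 8)],            # base layer
    0x2000: [("os-windows-nop-sled", b"\x90" * 16)],             # OS layer
    0x4000: [("http-path-traversal", b"../../etc/passwd"),       # application layer
             ("http-sql-tautology", b"' OR 1=1")],
    0x5000: [("ftp-oversized-site-cmd", b"SITE " + b"A" * 200)],
}

# Constructed mapping ID -> user group and user group -> matching path (steps 203-204)
GROUP_OF_ID = {
    "10.0.0.5:51000>203.0.113.9:80/6": "branch-office-a",
    "10.0.0.7:51001>203.0.113.9:21/6": "branch-office-a",
    "10.0.1.4:40000>198.51.100.2:80/6": "datacenter",
}
PATH_OF_GROUP = {
    "branch-office-a": [0x1000, 0x2000, 0x4000, 0x5000],   # M = 4 nodes
    "datacenter": [0x1000, 0x4000],                        # M = 2 nodes
}


def five_tuple_id(pkt):
    """Steps 302/402: the ID of the network data, a five-tuple rendered as text."""
    return "%s:%d>%s:%d/%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def lookup_path(pkt):
    """ID -> user group -> matching path; None when the ID is in no configured group."""
    group = GROUP_OF_ID.get(five_tuple_id(pkt))
    return PATH_OF_GROUP.get(group) if group is not None else None


def match_along_path(payload, path, libraries=SUB_LIBRARIES):
    """Steps 303 / 403-404: visit the matching nodes in order, take each
    sub-library's signatures one by one and stop at the first hit.
    Returns (hit, libraries_checked); hit is (node address, signature name)
    or None when all M libraries failed to match."""
    checked = 0
    for node in path:
        checked += 1
        for name, pattern in libraries[node]:
            if pattern in payload:
                return (node, name), checked
    return None, checked


def inspect(pkt):
    """Whole flow for one packet. Returns a verdict ('threat', 'pass' or
    'no-path') and the matching detail."""
    path = lookup_path(pkt)
    if path is None:
        return "no-path", None
    hit, checked = match_along_path(pkt["payload"], path)
    verdict = "threat" if hit is not None else "pass"
    return verdict, {"hit": hit, "checked": checked, "M": len(path)}


# Constructed packets: one carrying an application layer threat feature, one
# clean, one from an ID that belongs to no user group
PACKETS = {
    "traversal": {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 80,
                  "proto": 6, "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"},
    "clean": {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 80,
              "proto": 6, "payload": b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"},
    "unknown": {"src": "192.0.2.1", "sport": 1234, "dst": "203.0.113.9", "dport": 80,
                "proto": 6, "payload": b""},
}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(label, inspect(pkt))
```

The traversal packet hits in the third of four libraries, so the fourth is never consulted; the clean packet walks all M = 4 libraries before it is allowed through.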
In this embodiment, related information about the network data can also be gathered while signature matching is performed. Referring to Fig. 5, another embodiment of the signature matching method of an intrusion prevention system includes:
501. Obtain network data;
When network data arrives, the IPS device (which may be a mirroring switch) copies it into two parts: one copy goes through the signature matching flow of the embodiment of Fig. 3 or Fig. 4 described above (not repeated here), and the other copy undergoes data statistics processing.
502. Perform protocol identification on the network data;
The IPS signature matching apparatus performs protocol identification on the network data to obtain information such as its ID, protocol type and application type. The ID can be a user name or five-tuple information (source IP address, destination IP address, source port, destination port and transport layer protocol number); the protocol type can be the protocol used by the application corresponding to the network data; and the application type can be the application corresponding to the network data. Specifically, protocol identification can use feature string matching, a checking algorithm or similar recognition methods, and the result of protocol identification can be recorded in a table, as shown in Table 1:
Table 1
[Table 1 is provided only as an image in the original publication and is not reproduced here.]
503. The IPS signature matching apparatus determines whether deep analysis of the network data is needed;
The IPS signature matching apparatus determines, from the result of protocol identification, whether deep analysis of the network data is needed. If so, step 504 is triggered and deep analysis is performed on the network data; if not, step 505 is triggered directly to confirm the result of feature identification.
Specifically, in practice the threat features of some applications need not be judged by application information such as operating system information, ISP or traffic. The IPS signature matching apparatus can therefore be preset with a list of the application protocols or application types that require deep analysis, and it decides whether a piece of network data needs deep analysis by comparing its protocol identification result with that preset list.
504. Perform deep analysis on the network data;
After determining that deep analysis of the network data is needed, the IPS signature matching apparatus performs deep analysis based on the protocol identification result (deep analysis needs to know the protocol type or application type of the network data) to obtain the result of the deep analysis. Specifically, the result of deep analysis can include dimensions such as operating system information and service provider.
Specifically, the result after deep analysis is as shown in Table 2:
Table 2
[Table 2 is provided only as an image in the original publication and is not reproduced here.]
505. Confirm the result of feature identification;
Specifically, steps 502 to 504 above constitute the feature identification flow for the network data. If the IPS signature matching apparatus determines that no deep analysis of the network data is needed, the result of protocol identification is taken as the result of feature identification; if it determines that deep analysis is needed, the results of protocol identification and deep analysis together are taken as the result of feature identification.
506. Generate or update the application statistics information.
After confirming the feature identification result of the network data, the IPS signature matching apparatus can perform statistical analysis on that result according to application demand, for example by clustering Table 2 above according to a preset rule. Specifically, the preset rule can be: if the operating system, application protocol (or application type) and service provider are all identical, the packet counts and traffic volumes are summed respectively, giving the data in Table 3:
Table 3
[Table 3 is provided only as an image in the original publication and is not reproduced here.]
In practice, the clustering rule can change with application demand. If the target of the IPS defence is spam, the clustering rule is concerned with the traffic of the network data sent from each source IP address, so clustering of network data with identical source IP addresses can be configured; if the target of the IPS defence is viruses, clustering of network data with identical operating system, application protocol (or application type) and service provider can be configured. The actual clustering rule depends on the practical application demand and is not limited here.
Optionally, if the priority order of the signature libraries to be matched must also be considered when the matching path is set, this embodiment can calculate the usage proportion of an application type from its packet count or its traffic volume. Specifically, if the target of the IPS defence is spam, the usage proportion of the application type can be calculated from traffic volume; if the target is viruses, it can be calculated from packet count, as shown in Table 4 (by packet count):
Table 4
[Table 4 is provided only as an image in the original publication and is not reproduced here.]
The IPS signature matching apparatus uses the above statistical result to generate the application statistics information of the network data or to update the application statistics information stored in the IPS signature matching apparatus. Specifically, the parameter information of Table 3 or Table 4 above can be used to generate the application statistics information of the network data or to update the application statistics information stored in the IPS signature matching apparatus.
The application scenario of this embodiment has been illustrated above only through a few example data tables; it will be understood that many more application scenarios exist in practice, and they are not specifically limited here.
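Steps 502 to 506 as an added Python example (not the patent's code) standing in for Tables 1 to 4, which the publication shows only as images. The port-based protocol identification, the preset deep-analysis list, the banner-based operating system lookup, the provider lookup and the packets are all constructed assumptions; the clustering key and the usage measure switch with the defence target exactly as the text describes.

```python
"""Added example (not the patent's own code): the statistics flow of steps 502
to 506. The port table, the preset deep-analysis list, the client-banner
operating system lookup, the provider lookup and the packets are constructed
stand-ins for the tables the description shows only as images."""
from collections import defaultdict

# Step 502 stand-in: protocol identification by destination port -> (protocol, app type)
PORT_TABLE = {80: ("http", "web"), 25: ("smtp", "mail"), 53: ("dns", "dns")}
# Step 503: preset list of application types whose threats need deep analysis
DEEP_ANALYSIS_APPS = {"web", "mail"}
# Step 504 stand-ins: operating system from a client banner token, provider from destination
OS_TOKENS = {"Windows": "windows", "Linux": "linux", "Mac OS": "macos"}
PROVIDER_OF_DST = {"203.0.113.9": "provider-a", "198.51.100.2": "provider-b"}

# Constructed copy of the network data handed to the statistics branch (step 501)
PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 80, "proto": 6,
     "bytes": 500, "banner": "Mozilla/5.0 (Windows NT 6.1)"},
    {"src": "10.0.0.5", "sport": 51001, "dst": "203.0.113.9", "dport": 80, "proto": 6,
     "bytes": 500, "banner": "Mozilla/5.0 (Windows NT 6.1)"},
    {"src": "10.0.0.7", "sport": 51002, "dst": "203.0.113.9", "dport": 80, "proto": 6,
     "bytes": 500, "banner": "Mozilla/5.0 (Windows NT 6.1)"},
    {"src": "10.0.0.9", "sport": 51003, "dst": "198.51.100.2", "dport": 25, "proto": 6,
     "bytes": 2000, "banner": "EHLO mail.example.test (Linux)"},
    {"src": "10.0.0.9", "sport": 51004, "dst": "198.51.100.2", "dport": 53, "proto": 17,
     "bytes": 100, "banner": ""},
]


def five_tuple_id(pkt):
    """The ID of the network data: its five-tuple rendered as text."""
    return "%s:%d>%s:%d/%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def protocol_identify(pkt):
    """Step 502: ID, protocol type and application type (one Table 1 row)."""
    protocol, app_type = PORT_TABLE.get(pkt["dport"], ("unknown", "unknown"))
    return {"id": five_tuple_id(pkt), "src": pkt["src"], "protocol": protocol,
            "app_type": app_type, "bytes": pkt["bytes"]}


def deep_analyze(pkt, record):
    """Step 504: add operating system and service provider (one Table 2 row)."""
    record["os"] = next((name for tok, name in OS_TOKENS.items() if tok in pkt["banner"]),
                        "unknown")
    record["provider"] = PROVIDER_OF_DST.get(pkt["dst"], "unknown")
    return record


def feature_identify(pkt):
    """Steps 502 to 505: protocol identification, deep analysis only for the
    preset application types, then the confirmed feature identification result."""
    record = protocol_identify(pkt)
    if record["app_type"] in DEEP_ANALYSIS_APPS:
        return deep_analyze(pkt, record)
    record["os"], record["provider"] = "", ""
    return record


def cluster(records, target):
    """Step 506 / Table 3: merge records with an identical clustering key and sum
    packet count and traffic. Spam defence clusters by source IP; virus defence
    by (operating system, application protocol, service provider)."""
    key_fields = ("src",) if target == "spam" else ("os", "protocol", "provider")
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        key = tuple(r[f] for f in key_fields)
        totals[key]["packets"] += 1
        totals[key]["bytes"] += r["bytes"]
    return dict(totals)


def usage_ratio(records, target):
    """Table 4: usage proportion per application type, from traffic volume when
    the target is spam and from packet count when the target is viruses."""
    per_app = defaultdict(int)
    for r in records:
        per_app[r["app_type"]] += r["bytes"] if target == "spam" else 1
    total = sum(per_app.values())
    return {app: round(count / total, 4) for app, count in per_app.items()}


def application_statistics(packets=PACKETS, target="virus"):
    """The application statistics information of step 506 for one defence target."""
    records = [feature_identify(p) for p in packets]
    return {"clusters": cluster(records, target), "usage_ratio": usage_ratio(records, target)}


if __name__ == "__main__":
    for target in ("virus", "spam"):
        print(target, application_statistics(target=target))
```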
The path generating apparatus of the present invention, which performs the matching path generation method for a signature library described above, is described below. Referring to Fig. 6 for its logical structure, one embodiment of the path generating apparatus includes:
a classification unit 601, configured to classify the IPS signature library by layer to obtain N sub-signature libraries, where N is an integer greater than 1;
an information acquisition unit 602, configured to obtain application statistics information, the application statistics information being obtained by performing feature identification on network data and then gathering statistics;
a signature library selection unit 603, configured to select, from the N sub-signature libraries and according to the application statistics information, M sub-signature libraries suited to the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N;
a path generation unit 604, configured to generate, from the M sub-signature libraries, the first matching path corresponding to the user group, so that the IPS signature matching apparatus uses the first matching path to perform IPS signature matching on the network data of the user group.
Optionally, the signature library selection unit 603 in this embodiment can include:
a user group lookup module 6031, configured to look up the user group corresponding to the ID in the application statistics information;
a signature library selection module 6032, configured to select, from the N sub-signature libraries according to a preset rule, the sub-signature libraries matching the application type and application information corresponding to the ID;
a signature library statistics module 6033, configured to tally the M sub-signature libraries corresponding to all IDs of the user group.
Optionally, the path generation unit 604 in this embodiment can include:
a priority setting module 6041, configured to set a matching priority for each of the M sub-signature libraries according to the usage proportion of the corresponding application type;
a matching path generation module 6042, configured to deploy matching nodes one after another according to the matching priority to obtain the first matching path of the user group, each matching node corresponding one-to-one to the storage address of a sub-signature library.
The specific interaction of the units of the path generating apparatus of this embodiment is as follows:
The classification unit 601 classifies the IPS signature library by layer to obtain N sub-signature libraries, where N is an integer greater than 1. The signatures in the IPS signature library are the threat features of network data, which can take the form of fixed strings or behavioural characteristics of the network data; the threat feature can be characteristic of a virus, Trojan horse, backdoor program, rogue software (including spyware, adware, browser hijackers and the like), phishing (online fraud) program or spam.
Specifically, the IPS signature library can be classified by layer according to the application and attributes of each signature in it. For example, the IPS signature library can be divided into three layers of sub-signature libraries: a base layer signature library, an operating system layer signature library and an application layer signature library. The base layer signature library mainly contains common signatures such as those for the protocol stack; the operating system layer signature library mainly contains signature libraries related to operating systems (for example the Windows "shock wave" (Blaster) vulnerability signature); and the application layer signature library mainly contains signature libraries related to application vulnerabilities (for example the Serv-U overflow vulnerability signature library).
The information acquisition unit 602 obtains the application statistics information provided by the IPS signature matching apparatus; the application statistics information is obtained by performing feature identification on network data and then gathering statistics. In practice, while performing signature matching on network data, the IPS signature matching apparatus can also perform feature identification on it, record and tally the feature identification results, and update the application statistics information in real time from the tallied results. Optionally, the application statistics information includes an ID together with the application type and application information corresponding to the ID; the ID can be a user name or five-tuple information (source Internet Protocol (IP) address, destination IP address, source port, destination port and transport layer protocol number), and the application information can be the operating system information and service provider information associated with the application type.
In practice, while performing signature matching on network data, the IPS signature matching apparatus can also perform feature identification on it, record and tally the results, and update the application statistics information in real time from the tallied results. Specifically, the IPS signature matching apparatus first performs protocol identification on the network data to obtain information such as the ID, application protocol and application type corresponding to it; it can further perform deep analysis on the network data after protocol identification to obtain information such as the operating system information and service provider associated with the network data; finally, the results of protocol identification and deep analysis are submitted to a statistics module for tallying, giving the ID, the application type and application information corresponding to the ID, and the usage proportion of that application type. Optionally, the usage proportion can be computed from packet counts or from traffic volumes, depending on the network threat being defended against; this is not limited here.
Depending on actual requirements, the parameter types output in the final application statistics information can also include information such as application protocol, traffic volume or packet count in addition to the ID, application type, application information and usage proportion above; this is not specifically limited here.
After the application statistics information has been obtained, the signature library selection unit 603 selects, from the N sub-signature libraries and according to the application statistics information, M sub-signature libraries suited to the user group corresponding to that information, where M is an integer greater than 1 and less than N. In practice, matching paths are set for different types of users: users with the same features are classified into the same user group, and the number of users in a group depends on the feature chosen. For example, if user groups are divided by the activity area of mobile users, each area (which may be a province, city or county) corresponds to one user group; optionally, a user group may contain only one user. Therefore, the user group lookup module 6031 of the signature library selection unit 603 first looks up the user group corresponding to the ID in the application statistics information; the signature library selection module 6032 then selects, from the N sub-signature libraries according to a preset rule, the sub-signature libraries matching the application type and application information corresponding to the ID. When signature libraries are selected for a matching path, the application statistics information of all users in the user group corresponding to that matching path must be considered; for example, the application types commonly used by the users are obtained from the application statistics information, and a corresponding sub-signature library is selected from the application layer signature library for each of those application types. Finally, the signature library statistics module 6033 tallies the M sub-signature libraries corresponding to all IDs of the user group. When the matching nodes of the matching path are configured, the base layer signature library is mandatory (it applies to all users), the operating system layer signature library differs with the operating system the user runs (users of the same operating system are matched against the same set of signature libraries), and the application layer signature library is matched according to the user's usage habits.
After the M sub-signature libraries have been obtained, the path generation unit 604 generates, from the M sub-signature libraries, the first matching path corresponding to the user group, so that the IPS signature matching apparatus uses the first matching path to perform IPS signature matching on the network data of the user group.
Specifically, the priority setting module of the path generation unit 604 sets a matching priority for each of the M sub-signature libraries according to the usage proportion of the corresponding application type: because each of the M sub-signature libraries corresponds to a different application type and/or application information (operating system information), the usage frequency of each sub-signature library can be derived from the usage proportion of the corresponding application type, and a matching priority can then be set for each of the M sub-signature libraries (because the base layer signature library applies to all users of the group, the usage frequency of a sub-signature library belonging to the base layer need not be derived from the usage proportion, and its matching priority can be set to the highest). The matching path generation module 6042 then deploys the matching nodes one after another in order of matching priority to obtain the first matching path of the user group, each matching node corresponding one-to-one to the storage address of a sub-signature library. When IPS signature matching is performed, the IPS signature matching apparatus can match the sub-signature libraries one by one in the order of the matching nodes in the matching path, so that the most frequently used sub-signature libraries are matched first, which improves the efficiency of obtaining a match hit.
In this embodiment, the IPS signature library is classified by layer to obtain N sub-signature libraries, M of which are selected according to the application statistics information to generate a matching path, so that the IPS signature matching apparatus uses that matching path to perform IPS signature matching on network data. Because the application statistics information is obtained by performing feature identification on network data and then gathering statistics, the generated matching path matches the application characteristics of the corresponding user group, and only the M (M < N) signature libraries of the corresponding matching path need to be matched when IPS signature matching is performed on the network data of that user group. Threat features can thus be identified effectively without matching the entire IPS signature library, which improves the efficiency of IPS signature matching.
Down the embodiment in the face of the IPS signatures match device of the present invention that is used to carry out above-mentioned IP S signatures match method describes, and its logical construction please refer to Fig. 7, one embodiment comprises of IPS signatures match device in the embodiment of the invention:
Data capture unit 701 is used to obtain network data;
Query unit 702 is used to search the corresponding user's group of said ID, and obtains with said user with the mapping relations of mating the path according to said user's group and to organize corresponding coupling path;
Signatures match unit 703; Be used to use said coupling path that said network data is carried out the IPS signatures match; Said coupling path is M the sub storehouse generation of signing according to IPS signature storehouse; Said M son signature storehouse is in all N the sons in said IPS signature storehouse are signed storehouses, to choose according to the applied statistics information of network data, and said N is the integer greater than 1, and said M is greater than 1 and less than the integer of N.
Optionally, the signature matching unit 703 in the embodiment of the present invention may comprise:
a signature matching module 7031, configured to perform IPS signature matching on the network data successively using the sub-signature libraries corresponding to the matching nodes of the matching path;
a matching termination module 7032, configured to end the IPS signature matching and output the matching result if any signature in a sub-signature library matches the network data successfully; the matching termination module 7032 is further configured to end the IPS signature matching if all signatures in the M sub-signature libraries fail to match.
Optionally, the IPS signature matching apparatus in the embodiment of the present invention may further comprise:
a feature recognition unit 704, configured to perform feature recognition on the network data;
an information updating unit 705, configured to use the result of the feature recognition to update the application statistics information stored by the IPS signature matching apparatus.
Optionally, the feature recognition unit 704 in the embodiment of the present invention may comprise:
a protocol identification module 7041, configured to perform protocol identification on the network data;
a judging module 7042, configured to judge, according to the result of the protocol identification, whether deep analysis needs to be performed on the network data; if so, the deep analysis module is triggered; if not, the result of the protocol identification is determined to be the result of the feature recognition;
a deep analysis module 7043, configured to perform deep analysis on the network data and to determine that the results of the protocol identification and of the deep analysis together are the result of the feature recognition.
The specific interaction process among the units of the IPS signature matching apparatus in the embodiment of the present invention is as follows:
The data acquisition unit 701 obtains the network data on which signature matching needs to be performed. Optionally, the IPS signature matching apparatus may process all network data or only a part of it. For example, the network data need not pass directly through the IPS device; instead, a smart switch may selectively divert one branch of the traffic for IPS signature matching. Based on its observation of certain abnormal network behaviour, the smart switch directs the network data exhibiting abnormal behavioural features to the IPS device, so that IPS signature matching is performed on that network data.
After the network data is obtained, the query unit 702 may look up the user group to which the user identifier belongs according to the user identifier, and then look up the matching path corresponding to that user group according to the mapping relationship between user groups and matching paths. Because matching paths are configured for different types of users, the user identifier of the network data must be queried before IPS signature matching is performed, so as to find the matching path corresponding to that user identifier.
After the matching path is found, the signature matching unit 703 performs IPS signature matching on the network data using the matching path corresponding to the user identifier. Specifically, the signature matching module 7031 of the signature matching unit 703 may extract the sub-signature library corresponding to the first matching node in the matching path and match the signatures in that sub-signature library one by one against the network data. If a match succeeds, the matching termination module 7032 is triggered to end the IPS signature matching process and output the matching result. If matching fails, matching continues with the other sub-signature libraries corresponding to the matching path; once the signatures of all sub-signature libraries have been matched, the matching termination module 7032 is triggered to end the IPS signature matching process and output the matching result.
In practical applications, the deployment of matching nodes in the matching path may take into account the usage frequency of each sub-signature library, placing the sub-signature libraries with high usage frequency at the front of the matching path. During signature matching, the sub-signature libraries with a high probability of a signature hit (that is, a successful signature match) are therefore matched first. Once a signature hits, the matching process ends and the remaining sub-signature libraries need not be matched, which further improves the efficiency of IPS signature matching.
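The matching path generation and first-hit matching described above, as an added Python example (not code from the patent or from the assignee): the sub-signature libraries, the preset selection rule, the user-to-group mapping and the application statistics are all constructed for the example, and library keys stand in for the memory addresses that the patent's matching nodes would hold. It also enforces the 1 < M < N condition the claims impose.

```python
"""Added example (not the patent's code): build a per-user-group matching
path from application statistics and walk it until the first signature hit."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LibKey = Tuple[str, str]  # (application type, application information)

# The N sub-signature libraries obtained by hierarchical classification.
# Signatures are constructed byte-string fragments, not real IPS content.
SUB_LIBRARIES: Dict[LibKey, List[bytes]] = {
    ("http", "any"):     [b"../../", b"<script>"],
    ("http", "Windows"): [b"..%c0%af", b"/msadc/"],
    ("http", "Linux"):   [b"/etc/passwd"],
    ("smtp", "any"):     [b"VRFY root"],
    ("ftp", "any"):      [b"SITE EXEC"],
    ("ssh", "any"):      [b"SSH-1.5"],
}

# Application statistics: user identifier -> [(app type, app info, usage ratio)].
Stats = Dict[str, List[Tuple[str, str, float]]]

# Constructed mapping from user identifier (here a source IP) to user group.
USER_GROUPS = {"10.0.0.5": "office", "10.0.0.6": "office", "10.0.1.9": "lab"}


def preset_rule(app_type: str, app_info: str) -> List[LibKey]:
    """Preset rule (claim 2): the generic library for the application type
    plus the OS-specific one, whichever of them exist. Constructed rule."""
    keys = dict.fromkeys([(app_type, "any"), (app_type, app_info)])
    return [k for k in keys if k in SUB_LIBRARIES]


def select_sub_libraries(group: str, stats: Stats) -> Dict[LibKey, float]:
    """Union of the libraries needed by every user identifier in the group,
    accumulating the usage ratio of the owning application type per library
    (claim 3 orders the path by that ratio)."""
    weight: Dict[LibKey, float] = defaultdict(float)
    for uid, entries in stats.items():
        if USER_GROUPS.get(uid) != group:
            continue
        for app_type, app_info, ratio in entries:
            for key in preset_rule(app_type, app_info):
                weight[key] += ratio
    return dict(weight)


def generate_matching_path(group: str, stats: Stats) -> List[LibKey]:
    """Order the M selected libraries by matching priority, highest usage
    first. The returned key list stands in for the memory-address mapping."""
    weight = select_sub_libraries(group, stats)
    n = len(SUB_LIBRARIES)
    # The patent requires 1 < M < N: an empty or total selection means the
    # statistics give no useful path for this group.
    if not 1 < len(weight) < n:
        raise ValueError(f"{len(weight)} of {n} libraries selected; need 1 < M < N")
    return sorted(weight, key=lambda k: (-weight[k], k))


def match(data: bytes, path: List[LibKey]) -> Optional[Tuple[LibKey, bytes]]:
    """Walk the path node by node and stop at the first hit (the matching
    termination module). Returns (library key, signature) or None."""
    for key in path:
        for sig in SUB_LIBRARIES[key]:
            if sig in data:
                return key, sig
    return None


# Constructed statistics for three user identifiers in two groups.
CONSTRUCTED_STATS: Stats = {
    "10.0.0.5": [("http", "Windows", 0.7), ("smtp", "any", 0.3)],
    "10.0.0.6": [("http", "Windows", 0.9), ("ftp", "any", 0.1)],
    "10.0.1.9": [("ssh", "any", 1.0)],
}

if __name__ == "__main__":
    path = generate_matching_path("office", CONSTRUCTED_STATS)
    print(path)
    print(match(b"GET /scripts/..%c0%af../winnt HTTP/1.0", path))
    print(match(b"SSH-1.5-OpenSSH", path))  # ssh library is not on the office path
```

Because the office group's path carries only four of the six libraries, data that would only hit the ssh library is not examined against it; this is the trade-off the patent accepts in exchange for matching fewer signatures, and it is why the statistics must be refreshed as the group's application mix changes.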
Optionally, after network data arrives, the IPS routing device (which may be a mirroring switch) copies the network data into two copies: one copy goes through the IPS signature matching process, and the other undergoes data statistics processing.
After the network data is obtained, the feature recognition unit 704 performs feature recognition on it. Specifically, the protocol identification module 7041 of the feature recognition unit 704 may first perform protocol identification to obtain information such as the user identifier, the protocol type and the application type. The user identifier may be a user name or five-tuple information (source IP address, destination IP address, source port, destination port and transport-layer protocol number); the protocol type may be the protocol used by the application corresponding to the network data; and the application type may be the application corresponding to the network data. Specifically, protocol identification may use recognition methods such as feature string matching or a verification algorithm, and the result of protocol identification may be recorded and stored in a list.
Further, the judging module 7042 of the feature recognition unit 704 may judge, according to the result of the protocol identification, whether deep analysis needs to be performed on the network data. If so, the deep analysis module 7043 is triggered to perform deep analysis on the network data; if not, the result of feature recognition is determined directly. In practical applications, the threat features of some applications may not need to be judged from application information such as operating system information, ISP or traffic; therefore, the IPS signature matching apparatus may preset a list of the application protocols or application types that need deep analysis, and judge whether the network data needs deep analysis by comparing its protocol identification result with the preset list. After determining that the network data needs deep analysis, the IPS signature matching apparatus performs deep analysis on the network data based on the result of protocol identification (deep analysis needs to know the protocol type or application type of the network data) and obtains the result of the deep analysis; specifically, the result of the deep analysis may include dimensions such as operating system information and service provider. If the IPS signature matching apparatus determines that deep analysis is not needed, it takes the result of the protocol identification as the result of feature recognition; if it determines that deep analysis is needed, it takes the results of the protocol identification and the deep analysis together as the result of feature recognition.
After feature recognition of the network data is completed, the information updating unit 705 uses the result of the feature recognition to update the application statistics information stored by the IPS signature matching apparatus. Specifically, the information updating unit 705 may perform statistical analysis on the feature recognition result according to application requirements, for example by performing a clustering operation on Table 2 above according to a preset rule. The preset rule may be: if the operating system, the application protocol (or application type) and the service provider are all identical, accumulate the packet count and the traffic volume respectively.
In practical applications, the clustering rule may change according to application requirements. For example, if the target of IPS defence is spam, the clustering rule is concerned with the traffic of the network data sent by each source IP address, so it may be configured to cluster network data with the same source IP address; as another example, if the target of IPS defence is a virus, it may be configured to cluster network data with the same operating system, application protocol (or application type) and service provider. The specific clustering rule depends on the actual application requirements and is not limited here. Optionally, if the priority order of the matched sub-signature libraries needs to be considered further when configuring the matching path, then in the embodiment of the present invention the usage ratio of an application type may be calculated from the packet count or the traffic volume of that application type; specifically, if the target of IPS defence is spam, the usage ratio of the application type may be calculated from the traffic volume, and if the target of IPS defence is a virus, the usage ratio of the application type may be calculated from the packet count.
The information updating unit 705 uses the above statistical result to generate the application statistics information of the network data, or to update the application statistics information stored in the IPS signature matching apparatus.
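The feature recognition and statistics pipeline of the preceding paragraphs (protocol identification, the preset deep-analysis list, clustering under a target-dependent rule, and the usage ratio computed from packet count or traffic volume), as an added Python example that is not the patent's code: the feature strings, the deep-analysis heuristics, the ISP prefix table and the packet records are all constructed, and the deep analysis function is a stand-in for whatever a real product would do.

```python
"""Added example (not the patent's code): protocol identification, the
deep-analysis decision, clustering and usage-ratio calculation over
constructed packet records."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Feature strings for protocol identification (constructed, not exhaustive).
PROTOCOL_FEATURES: List[Tuple[bytes, str]] = [
    (b"GET ", "http"), (b"POST ", "http"),
    (b"EHLO ", "smtp"), (b"HELO ", "smtp"),
    (b"SSH-", "ssh"), (b"USER ", "ftp"),
]
# Preset list of application protocols that need deep analysis.
DEEP_ANALYSIS_PROTOCOLS = {"http", "smtp"}
# Constructed lookup from source-address prefix to service provider.
ISP_BY_PREFIX = {"10.0.": "ISP-A", "10.1.": "ISP-B"}


def identify_protocol(payload: bytes) -> str:
    """Protocol identification by feature-string matching on the payload prefix."""
    for prefix, proto in PROTOCOL_FEATURES:
        if payload.startswith(prefix):
            return proto
    return "unknown"


def deep_analysis(proto: str, payload: bytes, src_ip: str) -> Dict[str, str]:
    """Stand-in for deep analysis: OS from text in the payload (User-Agent,
    EHLO), service provider from the source prefix table. Both constructed."""
    os_name = "unknown"
    for marker in ("Windows", "Linux", "Mac OS"):
        if marker.encode() in payload:
            os_name = marker
            break
    isp = next((v for p, v in ISP_BY_PREFIX.items() if src_ip.startswith(p)), "unknown")
    return {"os": os_name, "isp": isp}


def feature_recognition(pkt: dict) -> dict:
    """Protocol identification first; deep analysis only when the identified
    protocol is on the preset list (judging module)."""
    proto = identify_protocol(pkt["payload"])
    result = {
        "uid": (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["l4"]),
        "src": pkt["src"], "proto": proto, "bytes": pkt["len"],
        "os": "unknown", "isp": "unknown",
    }
    if proto in DEEP_ANALYSIS_PROTOCOLS:
        result.update(deep_analysis(proto, pkt["payload"], pkt["src"]))
    return result


def cluster(results: List[dict], target: str) -> Dict[tuple, dict]:
    """Clustering rule chosen by the defence target: 'virus' groups by
    (OS, protocol, ISP) and derives the usage ratio from packet count;
    'spam' groups by source IP and derives it from traffic volume."""
    clusters: Dict[tuple, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in results:
        key = (r["os"], r["proto"], r["isp"]) if target == "virus" else (r["src"],)
        clusters[key]["packets"] += 1
        clusters[key]["bytes"] += r["bytes"]
    measure = "packets" if target == "virus" else "bytes"
    total = sum(c[measure] for c in clusters.values())
    for c in clusters.values():
        c["ratio"] = c[measure] / total if total else 0.0
    return dict(clusters)


# Constructed packet records: five-tuple, byte length and a payload prefix.
CONSTRUCTED_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "sport": 50000, "dport": 80, "l4": 6, "len": 400,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "sport": 50001, "dport": 80, "l4": 6, "len": 300,
     "payload": b"POST /login HTTP/1.1\r\nUser-Agent: curl/7.0 (Linux)\r\n"},
    {"src": "10.1.0.9", "dst": "203.0.113.25", "sport": 50002, "dport": 25, "l4": 6, "len": 5000,
     "payload": b"EHLO mail.example (Windows)\r\n"},
    {"src": "10.1.0.9", "dst": "203.0.113.22", "sport": 50003, "dport": 22, "l4": 6, "len": 100,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

if __name__ == "__main__":
    results = [feature_recognition(p) for p in CONSTRUCTED_PACKETS]
    for key, c in cluster(results, "virus").items():
        print("virus", key, c)
    for key, c in cluster(results, "spam").items():
        print("spam", key, c)
```

The same four records yield different usage ratios under the two rules: by packet count every virus cluster is equal, while by traffic volume the single 5000-byte SMTP record dominates the spam view, which is the reason the patent ties the measure to the defence target.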
In the embodiment of the present invention, the matching path is generated from M sub-signature libraries of the IPS signature library, where the M sub-signature libraries are selected, according to the application statistics information of network data, from all N sub-signature libraries of the IPS signature library, N is an integer greater than 1, and M is an integer greater than 1 and less than N. Therefore, when IPS signature matching is performed on the network data of a user group, only the M (M less than N) sub-signature libraries in the corresponding matching path need to be matched to identify threat features effectively; matching the entire IPS signature library is avoided, and the efficiency of IPS signature matching is improved.
The following describes an embodiment of the intrusion prevention system of the present invention that performs the IPS signature matching method described above; its logical structure is shown in Fig. 8. One embodiment of the intrusion prevention system in the embodiments of the present invention comprises a path generation apparatus 801 and an IPS signature matching apparatus 802.
The path generation apparatus is configured to hierarchically classify the IPS signature library to obtain N sub-signature libraries, where N is an integer greater than 1; to obtain application statistics information, which is obtained by performing feature recognition on network data and then collecting statistics; to select, according to the application statistics information, from the N sub-signature libraries the M sub-signature libraries that match the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N; and to generate, from the M sub-signature libraries, the matching path corresponding to the user group, so that the IPS signature matching apparatus uses the matching path to perform IPS signature matching on the network data of the user group, where the matching path is a mapping relationship of the memory addresses of the M sub-signature libraries.
The IPS signature matching apparatus is configured to obtain network data, query the user identifier of the network data, obtain the matching path corresponding to the user identifier according to the user identifier, and perform IPS signature matching on the network data using the matching path.
In practical applications, the IPS signature matching apparatus may be a server that implements the signature matching function in the intrusion prevention system. The path generation apparatus may be an independent physical apparatus that communicates with the server implementing the signature matching function through a data cable or a network connection; the path generation apparatus may also be a software device installed, as a functional enhancement, on any server of the intrusion prevention system (which may be the server implementing the signature matching function). The path generation apparatus provides the matching path to the IPS signature matching apparatus, and the IPS signature matching apparatus provides the path generation apparatus with the network data required for statistics.
In practical applications, the intrusion prevention system in the embodiment of the present invention may be deployed in a gateway or a router in the network. In the online application scenario shown in Fig. 9, network data sent by user equipment (UE) to the Internet must pass through a gateway, and the intrusion prevention system of the present invention may be deployed on the gateway between the UE and the Internet. In the enterprise application scenario shown in Fig. 10, the local area networks (LANs) of an enterprise distributed over two sites need to transfer data; the LANs of the two sites establish a communication connection through their respective gateways and a virtual private network (VPN), and the intrusion prevention system of the present invention may be deployed on the respective LAN gateways of the two sites.
The above only illustrates the application scenarios of the intrusion prevention system in the embodiments of the present invention with some specific examples; it will be understood that in practical applications there may be further application scenarios, which are not limited here.
Optionally, in the intrusion prevention system of the embodiment of the present invention, the IPS signature matching apparatus and the path generation apparatus may be deployed separately, as shown in Fig. 11. The IPS signature matching apparatus corresponds to the gateway device in Fig. 11; in other words, the gateway device in Fig. 11 has the IPS signature matching function in addition to the functions of a general gateway device. The path generation apparatus corresponds to the server in Fig. 11 (it will be understood that this may be a server additionally deployed in the network, or an existing server in the network).
It should be understood that the intrusion prevention system of the embodiment of the present invention has different physical deployment implementations: in one implementation, the path generation apparatus 801 and the IPS signature matching apparatus 802 may be two modules deployed on a single node device; in another implementation, the path generation apparatus 801 and the IPS signature matching apparatus 802 may be deployed on two separate node devices.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of the units is only a logical functional division, and there may be other divisions in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash disk, a portable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are merely embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art may readily conceive of changes or replacements within the technical scope disclosed by the present invention, and all such changes or replacements shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

1. A matching path generation method for a signature library, characterized by comprising:
hierarchically classifying an intrusion prevention system (IPS) signature library to obtain N sub-signature libraries, where N is an integer greater than 1;
obtaining application statistics information, where the application statistics information is obtained by performing feature recognition on network data and then collecting statistics;
selecting, according to the application statistics information, from the N sub-signature libraries the M sub-signature libraries that match the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N;
generating, from the M sub-signature libraries, a first matching path corresponding to the user group, so that an IPS signature matching apparatus uses the first matching path to perform IPS signature matching on the network data of the user group, where the first matching path is a mapping relationship of the memory addresses of the M sub-signature libraries.
2. The method according to claim 1, characterized in that the application statistics information comprises:
a user identifier, and the application type and application information corresponding to the user identifier;
and selecting, according to the application statistics information, from the N sub-signature libraries the M sub-signature libraries that match the user group corresponding to the application statistics information comprises:
looking up the user group corresponding to the user identifier;
selecting, from the N sub-signature libraries according to a preset rule, the sub-signature libraries that match the application type and application information corresponding to the user identifier;
collecting the M sub-signature libraries corresponding to all user identifiers within the user group.
3. The method according to claim 2, characterized in that the application statistics information further comprises:
the usage ratio corresponding to the application type;
and generating, from the M sub-signature libraries, the first matching path corresponding to the user group comprises:
setting matching priorities for the M sub-signature libraries according to the usage ratio corresponding to each application type, and deploying matching nodes successively according to the matching priorities to obtain the first matching path corresponding to the user group, where the matching nodes correspond one-to-one to the memory addresses of the sub-signature libraries.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
updating the application statistics information every preset duration;
calculating a second matching path using the updated application statistics information;
judging whether the IPS signature matching apparatus is using the first matching path to perform IPS signature matching; if not, replacing the first matching path with the second matching path; if so, ongoing IPS signature matching continues to use the first matching path while newly established IPS signature matching tasks use the second matching path, and after the IPS signature matching tasks using the first matching path terminate, the first matching path is replaced with the second matching path.
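The path replacement of claim 4, as an added Python example that is not the patent's code: a holder object assumed here counts how many matching tasks are still using each path, so that a newly calculated path takes over for new tasks immediately while tasks started on the old path finish on it, and the old path is discarded only when its last task ends. Paths are plain tuples of library names; the periodic statistics update and path calculation are outside this snippet.

```python
"""Added example (not the patent's code): hot replacement of a user group's
matching path without disturbing in-flight matching tasks (claim 4)."""
import threading
from typing import Dict, Set, Tuple

Path = Tuple[str, ...]


class MatchingPathHolder:
    """Current matching path for one user group plus a per-path count of
    the tasks still matching on it. Constructed for this example."""

    def __init__(self, path: Path) -> None:
        self._lock = threading.Lock()
        self._current = path
        self._counts: Dict[Path, int] = {path: 0}

    def begin_task(self) -> Path:
        """A new task pins whichever path is current when it starts."""
        with self._lock:
            self._counts[self._current] += 1
            return self._current

    def end_task(self, path: Path) -> None:
        """Release the path a task was using; a retired path with no
        remaining tasks is discarded here (the deferred replacement)."""
        with self._lock:
            self._counts[path] -= 1
            if path != self._current and self._counts[path] == 0:
                del self._counts[path]

    def replace(self, new_path: Path) -> bool:
        """Install new_path for all future tasks. Returns True if the old
        path could be dropped at once (no task was using it), False if it
        stays alive until the tasks still on it terminate."""
        with self._lock:
            old = self._current
            if new_path == old:
                return True
            self._current = new_path
            self._counts.setdefault(new_path, 0)
            if self._counts[old] == 0:
                del self._counts[old]
                return True
            return False

    def live_paths(self) -> Set[Path]:
        """Paths that must still be kept in memory."""
        with self._lock:
            return set(self._counts)


if __name__ == "__main__":
    holder = MatchingPathHolder(("http/windows", "http/generic", "smtp"))
    old = holder.begin_task()                      # a long-running task on path 1
    print(holder.replace(("http/generic", "ftp")))  # False: path 1 still in use
    print(holder.begin_task())                     # new task already gets path 2
    print(holder.live_paths())                     # both paths alive
    holder.end_task(old)                           # last task on path 1 ends
    print(holder.live_paths())                     # only path 2 remains
```

The counter is per path rather than a single global flag because two consecutive updates can both arrive while an old task is still running; keying the counts by path keeps each retired path alive exactly as long as its own tasks need it.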
5. A signature matching method for an intrusion prevention system, characterized by comprising:
obtaining network data and querying the user identifier of the network data;
looking up the user group corresponding to the user identifier, and obtaining the matching path corresponding to the user group according to the mapping relationship between user groups and matching paths;
performing IPS signature matching on the network data using the matching path, where the matching path is generated from M sub-signature libraries of an IPS signature library, the M sub-signature libraries are selected, according to application statistics information of network data, from all N sub-signature libraries of the IPS signature library, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching path is a mapping relationship of the memory addresses of the M sub-signature libraries.
6. The method according to claim 5, characterized in that performing IPS signature matching on the network data using the matching path corresponding to the user identifier comprises:
performing IPS signature matching on the network data successively using the sub-signature libraries corresponding to the matching nodes in the matching path;
if any signature in a sub-signature library matches the network data successfully, ending the IPS signature matching and outputting the matching result.
7. The method according to claim 5, characterized in that, after obtaining the network data, the method comprises:
performing feature recognition on the network data;
using the result of the feature recognition to update the application statistics information stored by the IPS signature matching apparatus.
8. The method according to claim 7, characterized in that performing feature recognition on the network data comprises:
performing protocol identification on the network data;
judging, according to the result of the protocol identification, whether deep analysis needs to be performed on the network data; if so, performing deep analysis on the network data and determining that the results of the protocol identification and the deep analysis are the result of the feature recognition; if not, determining that the result of the protocol identification is the result of the feature recognition.
9. A path generation apparatus, characterized by comprising:
a classification unit, configured to hierarchically classify an IPS signature library to obtain N sub-signature libraries, where N is an integer greater than 1;
an information acquisition unit, configured to obtain application statistics information, where the application statistics information is obtained by performing feature recognition on network data and then collecting statistics;
a signature library selection unit, configured to select, according to the application statistics information, from the N sub-signature libraries the M sub-signature libraries that match the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N;
a path generation unit, configured to generate, from the M sub-signature libraries, a first matching path corresponding to the user group, so that an IPS signature matching apparatus uses the first matching path to perform IPS signature matching on the network data of the user group, where the first matching path is a mapping relationship of the memory addresses of the M sub-signature libraries.
10. The apparatus according to claim 7, characterized in that the signature library selection unit comprises:
a user group lookup module, configured to look up the user group corresponding to the user identifier in the application statistics information;
a signature library selection module, configured to select, from the N sub-signature libraries according to a preset rule, the sub-signature libraries that match the application type and application information corresponding to the user identifier;
a signature library statistics module, configured to collect the M sub-signature libraries corresponding to all user identifiers within the user group.
11. The apparatus according to claim 7, characterized in that the path generation unit comprises:
a priority setting module, configured to set matching priorities for the M sub-signature libraries according to the usage ratio corresponding to each application type;
a matching path generation module, configured to deploy matching nodes successively according to the matching priorities to obtain the first matching path corresponding to the user group, where the matching nodes correspond one-to-one to the memory addresses of the sub-signature libraries.
12. An IPS signature matching apparatus, characterized by comprising:
a data acquisition unit, configured to obtain network data and query the user identifier of the network data;
a path acquisition unit, configured to look up the user group corresponding to the user identifier, and to obtain the matching path corresponding to the user group according to the mapping relationship between user groups and matching paths;
a signature matching unit, configured to perform IPS signature matching on the network data using the matching path, where the matching path is generated from M sub-signature libraries of an IPS signature library, the M sub-signature libraries are selected, according to application statistics information of network data, from all N sub-signature libraries of the IPS signature library, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching path is a mapping relationship of the memory addresses of the M sub-signature libraries.
13. The apparatus according to claim 12, characterized in that the signature matching unit comprises:
a signature matching module, configured to perform IPS signature matching on the network data successively using the sub-signature libraries corresponding to the matching nodes of the matching path;
a matching termination module, configured to end the IPS signature matching and output the matching result if any signature in a sub-signature library matches the network data successfully.
14. The apparatus according to claim 12, characterized in that the IPS signature matching apparatus further comprises:
a feature recognition unit, configured to perform feature recognition on the network data;
an information updating unit, configured to use the result of the feature recognition to update the application statistics information stored by the IPS signature matching apparatus.
15. The apparatus according to claim 12, characterized in that the feature recognition unit comprises:
a protocol identification module, configured to perform protocol identification on the network data;
a judging module, configured to judge, according to the result of the protocol identification, whether deep analysis needs to be performed on the network data; if so, the deep analysis module is triggered; if not, the result of the protocol identification is determined to be the result of the feature recognition;
a deep analysis module, configured to perform deep analysis on the network data and to determine that the results of the protocol identification and the deep analysis are the result of the feature recognition.
16. An intrusion prevention system, characterized by comprising: a path generation apparatus and an IPS signature matching apparatus;
the path generation apparatus is configured to hierarchically classify an IPS signature library to obtain N sub-signature libraries, where N is an integer greater than 1; to obtain application statistics information, where the application statistics information is obtained by performing feature recognition on network data and then collecting statistics; to select, according to the application statistics information, from the N sub-signature libraries the M sub-signature libraries that match the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N; and to generate, from the M sub-signature libraries, the matching path corresponding to the user group, so that the IPS signature matching apparatus uses the matching path to perform IPS signature matching on the network data of the user group, where the matching path is a mapping relationship of the memory addresses of the M sub-signature libraries;
the IPS signature matching apparatus is configured to obtain network data, look up the user group corresponding to the user identifier, and obtain the matching path corresponding to the user group according to the mapping relationship between user groups and matching paths; obtain the matching path corresponding to the user identifier according to the user identifier; and perform IPS signature matching on the network data using the matching path.
17. The system according to claim 16, characterized in that
the path generation apparatus is further configured to set matching priorities for the M sub-signature libraries according to the usage ratio corresponding to each application type in the application statistics information, to deploy matching nodes successively according to the matching priorities, and to obtain the matching path corresponding to the user group, where the matching nodes correspond one-to-one to the memory addresses of the sub-signature libraries;
and the IPS signature matching apparatus performing IPS signature matching on the network data using the matching path comprises:
the IPS signature matching apparatus performing IPS signature matching on the network data successively using the sub-signature libraries corresponding to the matching nodes in the matching path; and, if any signature in a sub-signature library matches the network data successfully, ending the IPS signature matching and outputting the matching result.
18. The system according to claim 16, characterized in that the IPS signature matching apparatus is further configured to perform feature recognition on the network data and to use the result of the feature recognition to update the application statistics information stored by the IPS signature matching apparatus.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110461977.XA CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library
PCT/CN2012/086346 WO2013097600A1 (en) 2011-12-31 2012-12-11 Matching route generation method and related device for signature library

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110461977.XA CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library

Publications (2)

Publication Number Publication Date
CN102752275A true CN102752275A (en) 2012-10-24
CN102752275B CN102752275B (en) 2015-05-13

Family

ID=47032176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110461977.XA Active CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library

Country Status (2)

Country Link
CN (1) CN102752275B (en)
WO (1) WO2013097600A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106921628B (en) * 2015-12-25 2021-10-08 阿里巴巴集团控股有限公司 Method and device for identifying network access source based on network address
CN117675212A (en) * 2022-08-26 2024-03-08 维沃移动通信有限公司 Signature information transmission method, signature information transmission device and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1752888A (en) * 2005-11-08 2006-03-29 朱林 Virus characteristics extraction and detection system and method for mobile/intelligent terminal
US20070280222A1 (en) * 2006-05-30 2007-12-06 3Com Corporation Intrusion prevention system edge controller
CN102075365A (en) * 2011-02-15 2011-05-25 中国工商银行股份有限公司 Method and device for locating and protecting network attack source
CN102209032A (en) * 2011-05-24 2011-10-05 北京网康科技有限公司 Application identification method and equipment for user definition

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752275B (en) * 2011-12-31 2015-05-13 华为技术有限公司 Matching route generation method and related device for signature library

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013097600A1 (en) * 2011-12-31 2013-07-04 华为技术有限公司 Matching route generation method and related device for signature library
WO2017148346A1 (en) * 2016-03-02 2017-09-08 新华三技术有限公司 Signature rule loading
US11831493B2 (en) 2016-03-02 2023-11-28 New H3C Technologies Co., Ltd. Signature rule loading
CN108052281A (en) * 2017-11-30 2018-05-18 平安科技(深圳)有限公司 Business Information storage method, application server and computer storage media
CN109614121A (en) * 2018-12-06 2019-04-12 郑州云海信息技术有限公司 A kind of dorsulum SAS address burning realization method and system

Also Published As

Publication number Publication date
CN102752275B (en) 2015-05-13
WO2013097600A1 (en) 2013-07-04

Similar Documents

Publication Publication Date Title
US11611577B2 (en) Threat mitigation system and method
Song et al. Toward a more practical unsupervised anomaly detection system
CN102752275A (en) Matching route generation method and related device for signature library
KR101703446B1 (en) Network capable of detection DoS attacks and Method for controlling thereof, Gateway and Managing server comprising the network
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
JP2020530638A (en) Malware Host NetFlow Analysis System and Method
US9171151B2 (en) Reputation-based in-network filtering of client event information
EP3507960B1 (en) Clustering approach for detecting ddos botnets on the cloud from ipfix data
US8561188B1 (en) Command and control channel detection with query string signature
CN101018121B (en) Log convergence processing method and convergence processing device
KR20120112696A (en) Malware detection via reputation system
CN104901971A (en) Method and device for carrying out safety analysis on network behaviors
CN101364237A (en) Multi-keyword matching method and device
CN102737119A (en) Searching method, filtering method and related equipment and systems of uniform resource locator
US11861001B2 (en) Threat mitigation system and method
Liu et al. Detecting malicious clients in isp networks using http connectivity graph and flow information
WO2021021733A1 (en) Threat mitigation system and method
Ko et al. Unsupervised learning with hierarchical feature selection for DDoS mitigation within the ISP domain
CN110233821B (en) Detection and safety scanning system and method for network space of intelligent equipment
US10897483B2 (en) Intrusion detection system for automated determination of IP addresses
CN102281189A (en) Service implementation method and device based on private attribute of third-party equipment
CN104954415A (en) Method and apparatus for carrying out processing on HTTP request
Raj et al. Iot botnet detection using various one-class classifiers
CN114205152B (en) Method for deploying backtracking heterogeneous resources and planning optimal path
Zhao et al. K-core-based attack to the internet: Is it more malicious than degree-based attack?

Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant