CN102857486A - Next-generation application firewall system and defense method - Google Patents


Info

Publication number: CN102857486A (granted as CN102857486B)
Authority: CN (China)
Application number: CN2012100932651A (priority application CN201210093265.1A)
Language: Chinese (zh)
Inventor: 李军
Original assignee: Sangfor Network Technology Shenzhen Co Ltd
Current assignee: Sangfor Technologies Co Ltd
Legal status: Granted; active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: application, packet, next generation, application firewall, identification
Events: application filed by Sangfor Network Technology Shenzhen Co Ltd; priority to CN201210093265.1A; publication of CN102857486A; application granted; publication of CN102857486B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a next-generation application firewall system and a defense method. The defense method comprises: obtaining a packet from a data stream; analysing and verifying the data in the packet; and collecting and analysing the verification results and processing them according to the corresponding preset policy. The system and method resolve the shortcomings of traditional security devices as a whole, while device performance does not degrade when all functions are enabled at the same time.

Description

Next-generation application firewall system and defense method
Technical field
The present invention relates to next-generation application firewall technology, and in particular to a next-generation application firewall system and a defense method.
Background
Network applications are developing rapidly and network structures are becoming ever more complex, which exposes the limitations of the traditional firewall. A traditional firewall works on IP (Internet Protocol) addresses and ports: it provides access control lists (ACLs) and filtering of malformed packets, but this mode of operation means it cannot defend against application-layer attacks such as worms, viruses and Trojans. It also cannot distinguish the specific applications in the traffic or their content, cannot distinguish users, and cannot analyse or record user behaviour. Because it cannot tell applications and content apart it cannot characterise network traffic in any detail, so its control over the network is weak and it cannot provide good quality of service; because it cannot analyse and record user behaviour it cannot meet security requirements.
Because of these functional gaps, enterprises have had to respond to the diverse attack types they face by stacking devices as patches, producing a "kebab-style" deployment. A typical network security plan chains together a firewall, an intrusion prevention system, a gateway anti-virus device and other equipment. This appears to compensate for the single function of the traditional firewall and to cover all the attack types present in the network, but in such an environment administrators usually run into the following difficulties:
(1) Low efficiency: the same packet is unpacked and parsed again by each device in the chain, which lowers the efficiency of the whole network and makes it slow;
(2) High maintenance cost: numerous devices need sufficient space and environmental support, which greatly increases maintenance cost;
(3) Complex management: the devices are independent, so management is complex and requires senior staff familiar with each kind of device from each vendor; unified security risk analysis is also impossible.
To address these defects, the industry later introduced the concept of UTM (Unified Threat Management). The idea of UTM is to combine several functional modules, such as FW (firewall), IPS (Intrusion Prevention System) and AV (anti-virus), in one device to achieve unified protection and centralised management. UTM products were well received after launch and their market share grew rapidly, but data from various sources in recent years show that the year-on-year growth rate of UTM products has fallen markedly, which may be caused by the following defects:
(1) UTM devices simply integrate FW, IPS and AV; their control over applications and content, and their security and manageability, still have the problems of the traditional firewall, for example the lack of effective protection for web servers;
(2) Traffic in a UTM must pass through the filters of several serially connected security modules, but the modules work in isolation and defend passively; they cannot cooperate, so performance and efficiency are low;
(3) When the business requires a high level of security, the UTM security policy becomes too complex and is poorly visualised, so that the administrator finds it hard to maintain.
Summary of the invention
The main purpose of the present invention is to provide a next-generation application firewall system that overcomes the shortcomings of conventional security devices and whose performance does not drop significantly when all functions are enabled at the same time.
The present invention proposes a defense method for a next-generation application firewall system, comprising the steps of:
obtaining a packet from a data stream;
analysing and verifying the data in the packet;
collecting and analysing the verification results and processing them according to the corresponding preset policy.
Preferably, after the step of analysing and verifying the data in the packet, the method further comprises:
configuring a processing policy according to the application type identified in the packet.
Preferably, the step of configuring a processing policy according to the application type identified in the packet specifically comprises:
performing a block, allow, redirect or traffic-shaping action on the packet according to its application type and the corresponding preset policy.
Preferably, the step of analysing and verifying the data in the packet specifically comprises:
establishing a mapping between users and sessions, and blocking the packets of unauthorised users;
identifying the specific application of the packet, where the identification comprises detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content and/or detection of anomalies in the application interaction process;
detecting threats and/or sensitive data in the packet content.
Preferably, the step of collecting and analysing the verification results and processing them according to the corresponding preset policy specifically comprises:
recording the threatening actions in a session's packets, computing a threat value from the records, matching it against a standard threat sample library, and identifying unknown threats.
Preferably, the method further comprises:
pre-configuring preset policies for events that may occur.
Preferably, the method further comprises:
recording the logs and audit results produced by the system.
Preferably, the method further comprises:
collating the analysis results, logs and audit results of the system and displaying them.
The present invention also proposes a next-generation application firewall system, comprising:
a packet acquisition unit for obtaining packets from the data stream;
an analysis and verification unit for analysing and verifying the data in the packet;
a correlation analysis unit for collecting and analysing the verification results and processing them according to the corresponding preset policy.
Preferably, the system further comprises:
an application control unit for configuring a processing policy according to the application type identified in the packet.
Preferably, the application control unit is specifically used for:
performing a block, allow, redirect or traffic-shaping action on the packet according to its application type and the corresponding preset policy.
Preferably, the analysis and verification unit specifically comprises:
a user detection module for establishing a mapping between users and sessions and blocking the packets of unauthorised users through the application control unit;
an application detection module for identifying the specific application of the packet, where the identification comprises detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content and/or detection of anomalies in the application interaction process;
a content security module for detecting threats and/or sensitive data in the packet content.
Preferably, the correlation analysis unit is specifically used for:
recording the threatening actions in a session's packets, computing a threat value from the records, matching it against a standard threat sample library, and identifying unknown threats.
Preferably, the system further comprises:
a policy control unit for pre-configuring preset policies for events that may occur.
Preferably, the system further comprises:
a log and audit unit for recording the logs and audit results produced by the system.
Preferably, the system further comprises:
a visualisation unit for collating the analysis results, logs and audit results of the system and displaying them.
The present invention has good control over users' applications and content and achieves effective security protection; the interaction, correlation and cooperation among the modules improve the overall performance and efficiency of the firewall system; enhanced visualisation aids management and maintenance; the shortcomings of conventional security devices are resolved as a whole, and device performance does not drop significantly when all functions are enabled at the same time.
Brief description of the drawings
Fig. 1 is a flow chart of the steps in an embodiment of the defense method for the next-generation application firewall system of the present invention;
Fig. 2 is a flow chart of further steps in an embodiment of the defense method;
Fig. 3 is a flow chart of the analysis and verification step in an embodiment of the defense method;
Fig. 4 is a schematic diagram of grey threat correlation analysis in an embodiment of the defense method;
Fig. 5 is a structural diagram of an embodiment of the next-generation application firewall system of the present invention;
Fig. 6 is a structural diagram of the analysis and verification unit in an embodiment of the system;
Fig. 7 is a structural diagram of another embodiment of the system.
The realisation of the objects, functional features and advantages of the present invention is described further below with reference to the drawings and the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described here are intended only to explain the present invention, not to limit it.
With reference to Fig. 1, an embodiment of the defense method for the next-generation application firewall system of the present invention is proposed. The method can comprise:
Step S10: obtain a packet from the data stream;
Step S11: analyse and verify the data in the packet;
Step S13: collect and analyse the verification results and process them according to the corresponding preset policy.
With reference to Fig. 2, after step S11 the method can further comprise:
Step S12: configure a processing policy according to the application type identified in the packet.
The overall architecture of the next-generation application firewall system mainly comprises: security control based on user, application and content; content-level security protection; high-performance application-layer processing; general security protection; and visualisation of security policies and security reports.
Security control based on user, application and content mainly comprises application identification, user identification, an integrated application access control policy, and application-based traffic management. Content-level security protection mainly comprises grey threat correlation analysis, server protection based on the attack process, web security protection and client security protection. High-performance application-layer processing mainly comprises a single-pass parsing framework and multi-core parallel processing. General security protection mainly comprises support for static routing, RIP (Routing Information Protocol) v1/2, OSPF (Open Shortest Path First), policy routing and other routing protocols, NAT (Network Address Translation) and VPN (Virtual Private Network); protection against L4 network attacks; packet filtering and stateful inspection; threat analysis and flow control based on user, application and content; and cleaning and shaping of threat traffic. The system also has the basic network functions of a traditional firewall: packet forwarding, packet filtering, QoS (Quality of Service), stateful monitoring, NAT and VPN.
With reference to Fig. 3, step S11 can specifically comprise:
Step S111: establish a mapping between users and sessions, and block the packets of unauthorised users;
Step S112: identify the specific application of the packet, where the identification comprises detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content and/or detection of anomalies in the application interaction process;
Step S113: detect threats and/or sensitive data in the packet content.
In the user-based detection of step S111, packets can be handled according to the user's access rights in the preset policy, for example by blocking the packets of unauthorised users who have no access rights.
In the application-based detection of step S112, a mapping from packets to applications can be established and packets handled according to the application permissions in the preset policy. This handling can include classifying traffic, placing classified packets into designated queues, assigning bandwidth values and priorities to those queues, adjusting the transmission rate of classified packets according to the bandwidth value, determining the sending order of classified packets according to priority, intelligent traffic management based on application, website or file type, and/or intelligent identification and flexible control of P2P (peer-to-peer) traffic.
In the content-based security detection of step S113, the content of bidirectional traffic can be inspected and its context and semantics understood. This includes detecting threats in the content and detecting sensitive data of economic value carried in the content. The threats addressed can be those of web security protection, including defence against SQL (Structured Query Language) injection, XSS (cross-site scripting) attacks and command injection, application information hiding, defence against password brute-forcing and/or webshell defence.
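As an added illustration of the content-based detection described for step S113 (example code written for this page, not code from the patent or from Sangfor), the following Python inspects both directions of an HTTP exchange. The request is URL-decoded until the text stops changing and then matched against a small rule set for SQL injection, XSS, command injection and webshell uploads; the response body is scanned for card-number-shaped digit runs confirmed by the Luhn checksum, standing in for "sensitive data of economic value". The rule set, the Luhn criterion and every sample message are constructed assumptions; a real product's unified threat-signature library is far larger and tuned against false positives.

```python
"""Content-security inspection of bidirectional HTTP traffic (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed threat rules, applied to the URL-decoded request target and body.
THREAT_RULES = [
    ("sql_injection", re.compile(
        r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|sleep\s*\(", re.I)),
    # \b before "on" keeps words like "confirmation=" from matching.
    ("xss", re.compile(r"<script\b|\bon\w+\s*=|javascript:", re.I)),
    ("command_injection", re.compile(
        r"[;&|`]\s*(cat|ls|id|whoami|wget|curl|nc)\b", re.I)),
    ("webshell", re.compile(
        r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(get|post|request)\b", re.I)),
]

# 13 to 16 digits with optional space or dash separators; confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def normalise(text):
    """Strip URL-encoding layers until the text is stable, so %27 and the
    double-encoded %2527 both become a literal quote before matching."""
    previous = None
    while text != previous:
        previous = text
        text = unquote_plus(text)
    return text


def split_http(raw):
    """Split a raw HTTP message into (start line, header lines, body)."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def inspect_request(raw):
    """Return the sorted names of the threat rules a request triggers."""
    start_line, _, body = split_http(raw)
    parts = start_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    sample = normalise(target) + "\n" + normalise(body)
    return sorted({name for name, rule in THREAT_RULES if rule.search(sample)})


def luhn_valid(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_response(raw):
    """Return card-number-like strings in a response body that pass Luhn,
    i.e. sensitive data of economic value leaving the server."""
    _, _, body = split_http(raw)
    return [m for m in CARD_RE.findall(body) if luhn_valid(re.sub(r"\D", "", m))]


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = {
    "benign": b"GET /search?q=firewall+design HTTP/1.1\r\nHost: shop\r\n\r\n",
    "sqli": b"GET /item?id=1%27%20OR%20%271%27=%271 HTTP/1.1\r\nHost: shop\r\n\r\n",
    "double_encoded_sqli": b"GET /item?id=1%2527%2520OR%2520%25271%2527=%25271 HTTP/1.1\r\nHost: shop\r\n\r\n",
    "xss": b"POST /comment HTTP/1.1\r\nHost: shop\r\n\r\ntext=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "cmdi": b"GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1\r\nHost: shop\r\n\r\n",
    "webshell": b"POST /upload HTTP/1.1\r\nHost: shop\r\n\r\nfile=%3C%3Fphp+eval(%24_POST%5B%27c%27%5D)%3B+%3F%3E",
}
SAMPLE_RESPONSES = {
    "leak": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\ncard=4111 1111 1111 1111\norder=1234567890123456\n",
    "clean": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\norder=1234567890123456\n",
}
```

The decode-until-stable loop is what makes the double-encoded sample trip the same rule as the plain one; a single `unquote_plus` call would pass `%27` through untouched. On the response side the Luhn check is what separates the card number from the sixteen-digit order number, which a bare digit-run regex would also report.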
The application-based detection and the content-based security detection described above can use a single-pass parsing framework (engine), including single-pass message reassembly, a unified threat-signature set covering viruses, vulnerabilities, web intrusions and malicious code, and a unified matching engine.
Step S12 can specifically comprise: performing a block, allow, redirect or traffic-shaping action on the packet according to its application type and the corresponding preset policy. The system first needs to determine the application type of the packet, and then executes the block, allow, redirect or traffic-shaping action given by the basic network policy for that application type in the preset policy. The application type can be determined by matching the data in the packet against a preset application type library. Application types can include ICMP (Internet Control Message Protocol) data, P2P data and/or web data.
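The following Python, added here as an illustration and not taken from the patent or from Sangfor, puts steps S112 and S12 together: a packet is identified first by payload signature and only then by the protocol/port hint, and the resulting application type selects one of the preset block, allow, redirect or shape actions. The port table, the signatures, the policy table and the sample packets are constructed assumptions; the signatures follow the public handshake formats of HTTP, TLS, BitTorrent and SSH.

```python
"""Application identification followed by per-application policy dispatch (added example)."""
from dataclasses import dataclass
from enum import Enum
import re


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REDIRECT = "redirect"
    SHAPE = "shape"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 for ICMP
    payload: bytes   # first bytes of the flow's payload


# Layer 1: protocol/port detection. Cheap, but only a hint: anyone can run
# a P2P client on TCP/80.
PORT_HINTS = {
    ("tcp", 80): "web",
    ("tcp", 443): "web",
    ("udp", 53): "dns",
    ("tcp", 22): "ssh",
}

# Layer 2: application signatures matched against the payload, so that an
# application on a non-standard port is still recognised.
SIGNATURES = [
    ("web", re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("web", re.compile(rb"\A\x16\x03[\x00-\x03]")),        # TLS handshake record
    ("p2p", re.compile(rb"\A\x13BitTorrent protocol")),   # BitTorrent handshake
    ("ssh", re.compile(rb"\ASSH-2\.0-")),                   # SSH identification string
]

# Preset policy: one action per application type (the "basic network
# policy corresponding to the application type").
POLICY = {
    "icmp": Action.ALLOW,
    "dns": Action.ALLOW,
    "web": Action.ALLOW,
    "p2p": Action.SHAPE,      # shape rather than block
    "ssh": Action.BLOCK,
    "unknown": Action.BLOCK,  # default deny for unidentified traffic
}


def identify(pkt):
    """Return the application type of a packet.

    Payload signatures take precedence over the port hint, so a mismatch
    (HTTP port, BitTorrent payload) resolves to what the bytes say."""
    if pkt.proto == "icmp":
        return "icmp"
    for app, signature in SIGNATURES:
        if signature.match(pkt.payload):
            return app
    return PORT_HINTS.get((pkt.proto, pkt.dst_port), "unknown")


def decide(pkt):
    """Identify the application and look up the preset action for it."""
    app = identify(pkt)
    return app, POLICY[app]


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "http_on_8080": Packet("tcp", 8080, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    "torrent_on_80": Packet("tcp", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "tls_on_443": Packet("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "ssh_on_2222": Packet("tcp", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "dns_query": Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01"),
    "ping": Packet("icmp", 0, b"\x08\x00"),
    "unknown_on_4444": Packet("tcp", 4444, b"\x00\x01\x02\x03"),
}
```

The `torrent_on_80` sample is the case a port-only firewall gets wrong: the port says web, the payload says BitTorrent, and the policy applied is the P2P shaping rule. Unidentified traffic falls to the `unknown` entry, which is deliberately a block so that an unmatched application does not silently inherit the permissive web rule.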
The order in which the steps are numbered above does not mean that the method must execute them in that order; it is given only for explanation, and the actual execution order can be adjusted to the circumstances. For example, steps S11 and S12 can be processed in parallel or interleaved.
Step S13 can specifically comprise: recording the threatening actions in a session's packets, computing a threat value from the records, matching it against a standard threat sample library, and identifying unknown threats. This step can be grey threat correlation analysis, which includes modelling threat behaviour, detecting user attacks, building a grey threat sample library of user behaviour, and computing a user-behaviour threat value based on the standard threat sample library. In detail, the computation of the user-behaviour threat value can comprise: record the threatening actions in all of a user's sessions, correlate the records and compute a threat value, then match the threat value against the standard threat sample library, so that various known and unknown threats can be identified. A simple example of the computation: a threat value is preset for each individual action; the threat values of the recorded individual actions are added to obtain an overall threat value; the overall threat value is matched against the standard threat sample library to decide whether a threat exists.
With reference to Fig. 4, grey threat correlation analysis operates as follows in this embodiment: the single-pass analysis engine continuously feeds the result of each parse back to the grey threat sample library of the grey correlation analysis engine; the engine continuously merges and collates information such as attacks, IP addresses and users, computes the threat value and judges whether a threat exists. If no threat is found, it continues to correlate behaviour and analyse in depth; if a deep threat is found, it handles that threat accordingly and can raise an alarm.
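The following Python is an added illustration of the grey threat correlation analysis of step S13 and Fig. 4; it is not code from the patent or from Sangfor. Results from the single-pass engines are fed in as (user, session, action) records, each action carries a preset threat value, the values are summed per user across all sessions, and the total together with the set of actions seen is matched against a small "standard threat sample library". A total that matches no sample but exceeds a threshold is reported as an unknown threat. The action values, the sample library, the threshold and the event feed are all constructed assumptions.

```python
"""Grey threat correlation analysis across a user's sessions (added example)."""
from collections import defaultdict

# Constructed preset threat value of each individual action.
ACTION_VALUE = {
    "port_scan": 2,
    "login_failure": 1,
    "sqli_probe": 4,
    "xss_probe": 3,
    "cmd_injection": 6,
    "webshell_upload": 8,
}

# Constructed standard threat sample library: each known threat is the set
# of actions that characterise it plus the minimum overall threat value.
THREAT_SAMPLES = {
    "web_intrusion": ({"sqli_probe", "webshell_upload"}, 10),
    "credential_bruteforce": ({"login_failure"}, 6),
}

# Overall value above which behaviour that matches no sample is still
# reported, as an unknown threat.
UNKNOWN_THRESHOLD = 8


class GreyThreatCorrelator:
    """Accumulates single-pass detection results per user across sessions."""

    def __init__(self):
        # user -> list of (session id, action)
        self._records = defaultdict(list)

    def feed(self, user, session, action):
        """One parse result, fed back continuously by the single-pass engine."""
        self._records[user].append((session, action))

    def session_value(self, user, session):
        """Threat value of one session on its own (what a per-session engine sees)."""
        return sum(ACTION_VALUE.get(a, 0)
                   for s, a in self._records[user] if s == session)

    def user_value(self, user):
        """Overall threat value: preset values of every recorded action,
        across all of the user's sessions, added together."""
        return sum(ACTION_VALUE.get(a, 0) for _, a in self._records[user])

    def classify(self, user):
        """Match the overall value and the action set against the sample library.

        Returns (verdict, matched sample names, overall value) with verdict
        one of "known", "unknown" or "none"."""
        total = self.user_value(user)
        seen = {a for _, a in self._records[user]}
        matched = sorted(name for name, (actions, minimum) in THREAT_SAMPLES.items()
                         if actions <= seen and total >= minimum)
        if matched:
            return "known", matched, total
        if total >= UNKNOWN_THRESHOLD:
            return "unknown", [], total
        return "none", [], total


def build_demo():
    """Constructed event feed: alice spreads a web intrusion over three
    sessions, bob brute-forces a login in one session, carol does
    something that matches no sample, dave triggers one low-value probe."""
    c = GreyThreatCorrelator()
    c.feed("alice", "s1", "sqli_probe")
    c.feed("alice", "s2", "xss_probe")
    c.feed("alice", "s3", "webshell_upload")
    for _ in range(6):
        c.feed("bob", "s9", "login_failure")
    c.feed("carol", "s4", "port_scan")
    c.feed("carol", "s5", "cmd_injection")
    c.feed("dave", "s6", "xss_probe")
    return c
```

The point of the demo feed is alice: no single session of hers reaches the `web_intrusion` minimum (the per-session values are 4, 3 and 8), so a per-session engine would at best flag session s3 as an unknown threat, while correlating across her sessions identifies the known attack chain. carol shows the other branch: her total reaches the threshold but matches no sample, which is what the patent's "identify unknown threats" amounts to in this scheme.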
Before use, the next-generation application firewall system pre-configures preset policies for events that may occur, such as a packet forwarding policy based on application type, and policies for user detection, application detection, content-based security detection and/or grey threat correlation analysis. Policy configuration can be done through a GUI (graphical user interface) subsystem built into the user's browser, which provides an easy-to-use policy configuration interface and WYSIWYG policy management and control. At the same time, the system records the logs and audit results it produces, such as the results of the various detections and analyses, and collates and displays the analysis results, logs and audit results together with the visual policy configuration.
The defense method described above has good control over users' applications and content and achieves effective security protection; the interaction, correlation and cooperation among the modules improve the overall performance and efficiency of the firewall system; enhanced visualisation aids management and maintenance; the shortcomings of conventional security devices are resolved as a whole, and device performance does not drop significantly when all functions are enabled at the same time.
With reference to Fig. 5, an embodiment of the next-generation application firewall system of the present invention is proposed. The system can comprise a packet acquisition unit 22, an application control unit 23, an analysis and verification unit 24 and a correlation analysis unit 25. The packet acquisition unit 22 obtains packets from the data stream; the application control unit 23 configures a processing policy according to the application type identified in the packet; the analysis and verification unit 24 analyses and verifies the data in the packet; the correlation analysis unit 25 collects and analyses the verification results and processes them according to the corresponding preset policy.
The overall architecture of the system mainly comprises: security control based on user, application and content; content-level security protection; high-performance application-layer processing; general security protection; and visualisation of security policies and security reports.
Security control based on user, application and content mainly comprises application identification, user identification, an integrated application access control policy, and application-based traffic management. Content-level security protection mainly comprises grey threat correlation analysis, server protection based on the attack process, web security protection and client security protection. High-performance application-layer processing mainly comprises a single-pass parsing framework and multi-core parallel processing. General security protection mainly comprises support for static routing, RIPv1/2, OSPF, policy routing and other routing protocols, NAT and VPN; protection against L4 network attacks; packet filtering and stateful inspection; threat analysis and flow control based on user, application and content; and cleaning and shaping of threat traffic. The system is provided with a basic network unit 21 that has the basic network functions of a traditional firewall: packet forwarding, packet filtering, QoS, stateful monitoring, NAT and VPN.
The application control unit 23 is specifically used to perform a block, allow, redirect or traffic-shaping action on the packet according to its application type and the corresponding preset policy. It first needs to determine the application type of the packet, and then executes the block, allow, redirect or traffic-shaping action given by the basic network policy for that application type in the preset policy. The application type can be determined by matching the data in the packet against a preset application type library. Application types can include ICMP data, P2P data and/or web data.
With reference to Fig. 6, the analysis and verification unit 24 specifically comprises a user detection module 241, an application detection module 242 and a content security module 243. The user detection module 241 establishes the mapping between users and sessions and, through the application control unit 23, blocks the packets of unauthorised users. The application detection module 242 identifies the specific application of the packet, where the identification comprises detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content and/or detection of anomalies in the application interaction process. The content security module 243 detects threats and/or sensitive data in the packet content.
In the user-based detection of the user detection module 241, packets can be handled according to the user's access rights in the preset policy, for example by blocking the packets of unauthorised users who have no access rights.
In its application-based detection, the application detection module 242 can establish a mapping from packets to applications and handle packets according to the application permissions in the preset policy. This handling can include classifying traffic, placing classified packets into designated queues, assigning bandwidth values and priorities to those queues, adjusting the transmission rate of classified packets according to the bandwidth value, determining the sending order of classified packets according to priority, intelligent traffic management based on application, website or file type, and/or intelligent identification and flexible control of P2P (peer-to-peer) traffic.
In the content-based security detection of the content security module 243, the content of bidirectional traffic can be inspected and its context and semantics understood. This includes detecting threats in the content and detecting sensitive data of economic value carried in the content. The threats addressed can be those of web security protection, including defence against SQL injection, XSS attacks and command injection, application information hiding, defence against password brute-forcing and/or webshell defence.
The application-based detection and the content-based security detection can use a single-pass parsing framework (engine), including single-pass message reassembly, a unified threat-signature set covering viruses, vulnerabilities, web intrusions and malicious code, and a unified matching engine.
The correlation analysis unit 25 is specifically used to record the threatening actions in a session's packets, compute a threat value from the records, match it against a standard threat sample library and identify unknown threats. The unit can perform grey threat correlation analysis, which includes modelling threat behaviour, detecting user attacks, building a grey threat sample library of user behaviour, and computing a user-behaviour threat value based on the standard threat sample library. In detail, the computation of the user-behaviour threat value can comprise: record the threatening actions in all of a user's sessions, correlate the records and compute a threat value, then match the threat value against the standard threat sample library, so that various known and unknown threats can be identified. A simple example of the computation: a threat value is preset for each individual action; the threat values of the recorded individual actions are added to obtain an overall threat value; the overall threat value is matched against the standard threat sample library to decide whether a threat exists.
With reference to Fig. 4, grey threat correlation analysis operates in this embodiment as already described for the method: the single-pass analysis engine continuously feeds the result of each parse back to the grey threat sample library of the grey correlation analysis engine; the engine continuously merges and collates information such as attacks, IP addresses and users, computes the threat value and judges whether a threat exists; if no threat is found, it continues to correlate behaviour and analyse in depth; if a deep threat is found, it handles that threat accordingly and can raise an alarm.
With reference to Fig. 7, in this embodiment the system can further comprise a policy control unit 26 for pre-configuring preset policies for events that may occur. Before use, the policy control unit 26 pre-configures such policies, for example a packet forwarding policy based on application type, and policies for user detection, application detection, content-based security detection and/or grey threat correlation analysis. Policy configuration can be done through a GUI (graphical user interface) subsystem built into the user's browser, which provides an easy-to-use policy configuration interface and WYSIWYG policy management and control.
The system can further comprise a log and audit unit 27 and a visualisation unit 28. The log and audit unit 27 records the logs and audit results produced by the system, such as the results of the various detections and analyses; the visualisation unit 28 collates and displays the analysis results, logs and audit results of the system together with the visual policy configuration.
The system described above has good control over users' applications and content and achieves effective security protection; the interaction, correlation and cooperation among the modules improve the overall performance and efficiency of the firewall system; enhanced visualisation aids management and maintenance; the shortcomings of conventional security devices are resolved as a whole, and device performance does not drop significantly when all functions are enabled at the same time. The above are only preferred embodiments of the present invention and do not limit its scope of protection; any equivalent structure or equivalent process transformation made using the content of this specification and its drawings, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (16)

1. A next-generation application firewall system defense method, characterized in that it comprises the steps of:
acquiring a packet in a data stream;
analyzing and verifying the data in the packet;
collecting and analyzing the results of said verification, and processing according to the corresponding preset policy.
2. The next-generation application firewall system defense method according to claim 1, characterized in that, after said step of analyzing and verifying the data in the packet, it further comprises:
configuring a processing policy according to the application type identified in the packet.
3. The next-generation application firewall system defense method according to claim 2, characterized in that said step of configuring a processing policy according to the application type identified in the packet specifically comprises:
performing a block, pass, redirect or traffic-shaping action on the packet according to the packet's application type and the corresponding preset policy.
4. The next-generation application firewall system defense method according to claim 2, characterized in that said step of analyzing and verifying the data in the packet specifically comprises:
establishing a mapping between users and sessions, and blocking packets from unauthorized users;
identifying the specific application of the packet, where said identification specifically comprises: detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content, and/or detection of anomalies in the application interaction process;
detecting threats and/or critical data in the packet content.
5. The next-generation application firewall system defense method according to claim 1, characterized in that said step of collecting and analyzing the results of said verification and processing according to the corresponding preset policy specifically comprises:
recording the actions of packets in a session in which a threat exists, calculating a threat value threshold from the record, matching against a standard threat sample library, and identifying unknown threats.
6. The next-generation application firewall system defense method according to any one of claims 1 to 5, characterized in that said method further comprises:
pre-configuring preset policies for events that may occur.
7. The next-generation application firewall system defense method according to any one of claims 1 to 5, characterized in that said method further comprises:
recording the logs and audit results produced by the system.
8. The next-generation application firewall system defense method according to claim 7, characterized in that said method further comprises:
organizing and displaying the system's analysis and processing results, logs and audit results.
9. A next-generation application firewall system, characterized in that it comprises:
a packet acquisition unit, for acquiring packets in a data stream;
an analysis and verification unit, for analyzing and verifying the data in the packets;
a correlation analysis unit, for collecting and analyzing the results of said verification and processing according to the corresponding preset policy.
10. The next-generation application firewall system according to claim 9, characterized in that it further comprises:
an application control unit, for configuring a processing policy according to the application type identified in the packet.
11. The next-generation application firewall system according to claim 10, characterized in that said application control unit is specifically used to:
perform a block, pass, redirect or traffic-shaping action on the packet according to the packet's application type and the corresponding preset policy.
12. The next-generation application firewall system according to claim 10, characterized in that said analysis and verification unit specifically comprises:
a user detection module, for establishing a mapping between users and sessions and blocking packets from unauthorized users through the application control unit;
an application detection module, for identifying the specific application of the packet, where said identification specifically comprises: detection based on protocol and port, identification based on application signatures, identification based on traffic characteristics, identification based on application content, and/or detection of anomalies in the application interaction process;
a content security module, for detecting threats and/or critical data in the packet content.
13. The next-generation application firewall system according to claim 9, characterized in that said correlation analysis unit is specifically used to:
record the actions of packets in a session in which a threat exists, calculate a threat value threshold from the record, match against a standard threat sample library, and identify unknown threats.
14. The next-generation application firewall system according to any one of claims 9 to 12, characterized in that said system further comprises:
a policy control unit, for pre-configuring preset policies for events that may occur.
15. The next-generation application firewall system according to any one of claims 9 to 12, characterized in that said system further comprises:
a log and audit unit, for recording the logs and audit results produced by the system.
16. The next-generation application firewall system according to claim 15, characterized in that said system further comprises:
a visualization unit, for organizing and displaying the system's analysis and processing results, logs and audit results.
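The pipeline of claims 1 to 5 and 9 to 13 (acquire a packet, analyze and verify it, correlate the per-session results against a threat value threshold, apply the preset policy for the identified application), together with the session-level accumulation of threat events that the Fig. 4 gray-scale correlation analysis describes, modelled as an added Python example. This is not code from the patent or from Sangfor; the user/session map, the port and signature tables, the threat sample library with its weights, the threshold of 60, the per-application policy table and the sample packets are all constructed assumptions chosen only to make the stages observable.

```python
"""Toy model of the claimed defense pipeline (added example, not the patent's code).

Stages mirror the claims: acquire a packet -> analyze and verify it (user/session
mapping, application identification, content threat detection) -> correlate the
per-session results against a threat value threshold -> apply the preset policy
for the identified application type. Every table, weight, threshold and sample
packet below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the user/session map, the signature and port tables,
# the standard threat sample library and the per-application policy (assumed).
SESSION_USER = {("10.0.0.5", 51000): "alice", ("10.0.0.9", 51001): "bob"}
PORT_APPS = {80: "http", 443: "https", 21: "ftp"}
APP_SIGNATURES = {b"GET ": "http", b"USER ": "ftp", b"\x16\x03": "tls"}
THREAT_SAMPLES = {b"' OR 1=1": ("sqli", 50), b"<script>": ("xss", 40)}
THREAT_THRESHOLD = 60  # assumed threat value threshold (claim 5)
APP_POLICY = {"http": "allow", "https": "allow", "tls": "allow",
              "ftp": "shape", "unknown": "block"}


@dataclass
class Packet:
    """One packet taken from the data stream (claim 1, first step)."""
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    """What the log and audit unit records for each packet (claim 7)."""
    user: Optional[str]
    app: str
    threats: list
    session_score: int
    action: str


class Firewall:
    def __init__(self):
        self.sessions = {}   # correlation analysis unit state, keyed by session
        self.log = []        # log and audit unit

    # --- analysis and verification unit (claims 4 and 12) -----------------
    @staticmethod
    def identify_app(pkt: Packet) -> str:
        """Signature-based identification first, then protocol/port fallback."""
        for sig, app in APP_SIGNATURES.items():
            if pkt.payload.startswith(sig):
                return app
        return PORT_APPS.get(pkt.dst_port, "unknown")

    @staticmethod
    def detect_threats(pkt: Packet) -> list:
        """Content security module: match the payload against the sample library."""
        return [hit for pat, hit in THREAT_SAMPLES.items() if pat in pkt.payload]

    # --- correlation analysis unit (claims 5 and 13) ----------------------
    def correlate(self, session, threats) -> int:
        """Accumulate threat actions per session and return the session score."""
        score, events = self.sessions.get(session, (0, []))
        for name, weight in threats:
            score += weight
            events.append(name)
        self.sessions[session] = (score, events)
        return score

    # --- the claimed method end to end ------------------------------------
    def process(self, pkt: Packet) -> Verdict:
        session = (pkt.src_ip, pkt.src_port)
        user = SESSION_USER.get(session)
        if user is None:
            # user detection module: no user/session mapping -> block (claim 4)
            verdict = Verdict(None, "unknown", [], 0, "block")
        else:
            app = self.identify_app(pkt)
            threats = self.detect_threats(pkt)
            score = self.correlate(session, threats)
            # application control unit (claim 3): block once the session as a
            # whole crosses the threshold, otherwise apply the per-app policy
            action = "block" if score >= THREAT_THRESHOLD else APP_POLICY.get(app, "block")
            verdict = Verdict(user, app, threats, score, action)
        self.log.append(verdict)
        return verdict

    def audit_summary(self) -> dict:
        """Counts per action, the kind of roll-up the visualization unit displays."""
        summary = {}
        for v in self.log:
            summary[v.action] = summary.get(v.action, 0) + 1
        return summary


if __name__ == "__main__":
    fw = Firewall()
    for p in (Packet("10.0.0.5", 51000, 80, b"GET /?q=<script> HTTP/1.1"),
              Packet("10.0.0.5", 51000, 80, b"GET /?id=' OR 1=1 HTTP/1.1")):
        print(fw.process(p))
    print(fw.audit_summary())
```

The point of the session state is the one the Fig. 4 description makes: the first packet carries only a 40-point event and is passed under the HTTP policy, but the second event in the same session lifts the accumulated score to 90, so the session is blocked even though neither packet alone reaches the threshold.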

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210093265.1A CN102857486B (en) 2012-04-01 2012-04-01 Application firewall system of future generation and defence method

Publications (2)

Publication Number Publication Date
CN102857486A true CN102857486A (en) 2013-01-02
CN102857486B CN102857486B (en) 2015-10-21

Family

ID=47403684

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210093265.1A Active CN102857486B (en) 2012-04-01 2012-04-01 Application firewall system of future generation and defence method

Country Status (1)

Country Link
CN (1) CN102857486B (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414724A (en) * 2013-08-20 2013-11-27 曙光信息产业(北京)有限公司 Method and device for displaying system information of firewall device
CN103685320A (en) * 2013-12-31 2014-03-26 北京网康科技有限公司 Feature matching method and device of network data package
CN103957185A (en) * 2013-12-16 2014-07-30 汉柏科技有限公司 Firewall control method for realizing traffic monitoring of application layer
CN104105124A (en) * 2013-04-08 2014-10-15 南京理工大学常熟研究院有限公司 Traffic monitoring system based on Android intelligent mobile terminal
CN104252584A (en) * 2013-06-28 2014-12-31 华为数字技术(苏州)有限公司 Method and device for protecting website content
CN104394176A (en) * 2014-12-17 2015-03-04 中国人民解放军国防科学技术大学 Webshell prevention method based on mandatory access control mechanism
CN104579730A (en) * 2013-10-18 2015-04-29 宁夏先锋软件有限公司 Network attack protective system capable of effectively preventing threats
CN104702424A (en) * 2013-12-05 2015-06-10 中国联合网络通信集团有限公司 Network behavior monitoring method and device
CN105553958A (en) * 2015-12-10 2016-05-04 国网四川省电力公司信息通信公司 Novel network security linkage system and method
CN105991587A (en) * 2015-02-13 2016-10-05 中国移动通信集团山西有限公司 Intrusion detection method and system
CN106603471A (en) * 2015-10-16 2017-04-26 北京启明星辰信息安全技术有限公司 Firewall policy detection method and device
CN106992981A (en) * 2017-03-31 2017-07-28 北京知道创宇信息技术有限公司 A kind of website back door detection method, device and computing device
CN107360153A (en) * 2017-07-07 2017-11-17 国家电网公司 A kind of network security protection system on big data
CN107395593A (en) * 2017-07-19 2017-11-24 深信服科技股份有限公司 A kind of leak automation means of defence, fire wall and storage medium
CN107623700A (en) * 2017-10-25 2018-01-23 成都视达科信息技术有限公司 A kind of method and system of fire wall
CN107770164A (en) * 2017-09-30 2018-03-06 广东欧珀移动通信有限公司 The method and apparatus of data renewal, computer equipment, readable storage medium storing program for executing
CN107872456A (en) * 2017-11-09 2018-04-03 深圳市利谱信息技术有限公司 Network intrusion prevention method, apparatus, system and computer-readable recording medium
CN108270730A (en) * 2016-12-30 2018-07-10 北京飞利信电子技术有限公司 A kind of application layer detection method, device and electronic equipment for extending fire wall
CN108650257A (en) * 2018-05-09 2018-10-12 腾讯音乐娱乐科技(深圳)有限公司 Safety detection setting method, device and storage medium based on web site contents
CN108881145A (en) * 2017-12-26 2018-11-23 北京安天网络安全技术有限公司 Inbreak detection rule optimization method, device, electronic equipment and storage medium
CN109525558A (en) * 2018-10-22 2019-03-26 深信服科技股份有限公司 Leaking data detection method, system, device and storage medium
CN109728989A (en) * 2017-10-31 2019-05-07 中国电信股份有限公司 For realizing the methods, devices and systems of secure accessing
CN109831452A (en) * 2019-03-07 2019-05-31 北京华安普特网络科技有限公司 A kind of distributed fire wall
CN110532753A (en) * 2019-07-01 2019-12-03 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) The safety protecting method and equipment of train operation monitoring and recording device business data flow
CN111083011A (en) * 2019-12-18 2020-04-28 北京网太科技发展有限公司 Automatic testing method and device for routing security firewall and management platform
CN111371750A (en) * 2020-02-21 2020-07-03 浙江德迅网络安全技术有限公司 Intrusion prevention system and intrusion prevention method based on computer network
CN114338087A (en) * 2021-12-03 2022-04-12 成都安恒信息技术有限公司 Directional operation and maintenance auditing method and system based on firewall
CN115065552A (en) * 2022-07-27 2022-09-16 北京六方云信息技术有限公司 Industrial communication protection method, device, terminal equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838592A (en) * 2006-04-26 2006-09-27 南京大学 Firewall method and system based on high-speed network data processing platform
CN101350781A (en) * 2008-07-31 2009-01-21 成都市华为赛门铁克科技有限公司 Method, equipment and system for monitoring flux
CN101610264A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 The management method of a kind of firewall system, safety service platform and firewall system
CN101964804A (en) * 2010-10-22 2011-02-02 北京工业大学 Attack defense system under IPv6 protocol and implementation method thereof

Also Published As

Publication number Publication date
CN102857486B (en) 2015-10-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200611

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer

Patentee after: SANGFOR TECHNOLOGIES Inc.

Address before: 518000 Nanshan Science and Technology Pioneering service center, No. 1 Qilin Road, Guangdong, Shenzhen 418, 419,

Patentee before: Shenxin network technology (Shenzhen) Co.,Ltd.