CN104184725A - Engine detection data updating method and device of intrusion prevention system - Google Patents


Info

Publication number: CN104184725A
Authority: CN (China)
Application number: CN201410369612.8A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 胡波
Current assignee: Opzoon Technology Co Ltd
Original assignee: Opzoon Technology Co Ltd


Abstract

The invention discloses a method and device for updating the engine detection data of an intrusion prevention system (IPS), in the field of computer network communication security. The method comprises: parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory; and modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data. Because the new engine detection data is generated in memory and the global pointer is then redirected directly from the original data to the new data, packets passing through the detection engine immediately use the new engine detection data. This achieves a seamless switch of the engine detection data, avoids suspending the packets passing through the detection engine while the intrusion prevention system updates its engine detection data, and thereby effectively prevents virus attacks.

Description

Engine detection data updating method and device of an intrusion prevention system
Technical field
The invention belongs to the field of computer network communication security, and in particular relates to a method and device for updating the engine detection data of an intrusion prevention system.
Background technology
With the widespread use of computers and networks, dangers and crime originating both inside and outside the network are also increasing. Today not only has the number of viruses surged, their quality has improved as well, and they propagate rapidly over the network, spreading worldwide within a few hours. Some viruses also change form while propagating, rendering antivirus software ineffective. The traditional combination of a firewall and an intrusion detection system (IDS) cannot cope with some of these new network threats. Under these circumstances, intrusion prevention system (IPS) technology emerged: an IPS can deeply inspect and actively detect the packets flowing through it, discarding malicious packets to block attacks and rate-limiting abusive packets to protect network bandwidth.
An intrusion prevention system consists mainly of two parts: the detection engine and the rule base. The former is the framework and flow for the deep inspection of packets; the latter is parsed and loaded to generate the engine detection data, which is embedded in the detection engine like a plug-in. The attack-recognition capability of an intrusion prevention system depends on the completeness of its rule base, which must be updated at irregular intervals as new vulnerabilities appear. When a current IPS updates its engine detection data, it must suspend the passage of packets through the detection engine for the duration of the update and re-enable the engine's detection function only after the update completes. During that period the device is defenseless: an attack may slip through while the engine detection data is being updated, resulting in an intrusion.
Summary of the invention
To solve the problem that packets passing through the detection engine must be suspended while the engine detection data of an intrusion prevention system is updated, which may allow a virus attack, the invention provides a method for updating the engine detection data of an intrusion prevention system. The method comprises:
parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
Wherein, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
releasing the original engine detection data.
Wherein, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
first waiting for a preset time, and then releasing the original engine detection data.
Wherein, after the new engine detection data has been generated in memory, the method further comprises:
pointing a first pointer to the new engine detection data;
and modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data specifically comprises:
assigning the value of the first pointer to the global pointer.
Wherein, before the value of the first pointer is assigned to the global pointer, the method further comprises:
assigning the value of the global pointer to a second pointer;
and releasing the original engine detection data specifically comprises:
releasing the data at the address pointed to by the second pointer.
The invention also discloses a device for updating the engine detection data of an intrusion prevention system, the device comprising:
a parsing and generating module, for parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
a pointer modification module, for modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
Wherein, the pointer modification module is further for releasing the original engine detection data.
Wherein, the pointer modification module is further for first waiting for a preset time and then releasing the original engine detection data.
Wherein, the parsing and generating module is further for pointing a first pointer to the new engine detection data;
and the pointer modification module comprises:
a pointer assignment submodule, for assigning the value of the first pointer to the global pointer.
Wherein, the parsing and generating module is further for assigning the value of the global pointer to a second pointer;
and the pointer modification module comprises:
an address release submodule, for releasing the data at the address pointed to by the second pointer.
The invention first generates the new engine detection data in memory and then directly modifies the global pointer that points to the original engine detection data so that it points to the new engine detection data; the packets passing through the detection engine thereby use the new engine detection data. This achieves a seamless switch of the engine detection data, avoids having to suspend the packets passing through the detection engine while the intrusion prevention system updates its engine detection data, and thereby effectively prevents virus attacks.
Description of the drawings
The features and advantages of the invention can be understood more clearly with reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 is a flow chart of the engine detection data updating method of one embodiment of the invention;
Fig. 2 is a schematic diagram of where the global pointer points before the switch, in one embodiment of the invention;
Fig. 3 is a schematic diagram of where the global pointer points after the switch, in one embodiment of the invention;
Fig. 4 is a structural block diagram of the engine detection data updating device of one embodiment of the invention.
Embodiments
Specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but do not limit its scope.
Fig. 1 is a flow chart of the engine detection data updating method of one embodiment of the invention. With reference to Fig. 1, the method comprises the following steps:
101: parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
In this embodiment, while step 101 is performed, the detection engine still uses the original engine detection data to detect packets.
102: modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
To facilitate parsing the updated rule base of the intrusion prevention system, in this embodiment step 101 further comprises, before the updated rule base is parsed: receiving a rule file to be updated, and updating the rule base of the intrusion prevention system with that rule file.
After the detection engine has adopted the new engine detection data, the original engine detection data still exists in memory and occupies a certain amount of memory. To improve memory utilization, preferably, in step 101, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
releasing the original engine detection data.
In particular, on a device with a multi-core architecture, it is necessary to sleep for a period of time, for example 1 second, before releasing the original engine detection data, so that packets which had already entered the detection engine before the global pointer was modified to point to the new engine detection data can complete detection. This avoids accessing a null pointer, which would cause packets to escape detection. Preferably, therefore, in step 101, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
first waiting for a preset time, and then releasing the original engine detection data.
To facilitate modifying the global pointer to point to the new engine detection data, preferably, in step 101, after the new engine detection data has been generated in memory, the method further comprises:
pointing a first pointer to the new engine detection data;
and in step 102, modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data specifically comprises:
assigning the value of the first pointer to the global pointer.
To facilitate releasing the original engine detection data, preferably, in step 102, before the value of the first pointer is assigned to the global pointer, the method further comprises:
assigning the value of the global pointer to a second pointer;
and in step 102, releasing the original engine detection data specifically comprises:
releasing the data at the address pointed to by the second pointer.
Commonly, the rule protocols in the rule base include TCP, UDP, ICMP and IP, among others. Correspondingly, the above global pointer is in fact a plurality of global pointers, one for each rule protocol. For example, the global pointer corresponding to the TCP protocol is g_pstPrmTcpRTNX, that corresponding to the UDP protocol is g_pstPrmUdpRTNX, that corresponding to the ICMP protocol is g_pstPrmIcmpRTNX, and that corresponding to the IP protocol is g_pstPrmIpRTNX. This embodiment is for illustration only and is not limiting.
The invention is illustrated below using the TCP protocol as an example, without limiting the scope of protection of the invention. Let the global pointer corresponding to the TCP protocol be g_pstPrmTcpRTNX; this global pointer points to the original engine detection data corresponding to TCP. All TCP rules in the rule base are parsed into the engine detection data pointed to by g_pstPrmTcpRTNX. This engine detection data contains port groups, and each port group comprises the Rule Tree Node (RTN) and Option Tree Node (OTN) structures generated from the rules with particular port information obtained by parsing the rule base. The memory occupied by this engine detection data is all dynamically allocated.
As shown in Fig. 2, the detection engine detects packets using the original engine detection data reached through the global pointer g_pstPrmTcpRTNX. When the rule base of the intrusion prevention system is updated, the updated rule base is parsed, new engine detection data is generated in memory, and a first pointer g_pstPrmTcpRTNXNew is pointed to the new engine detection data.
After the new engine detection data has been generated, the global pointer g_pstPrmTcpRTNX is modified to point to the new engine detection data by the following steps, so that the detection engine uses the new engine detection data; here g_pstPrmTcpRTNXOld is a temporary pointer variable:
1) assign the value of the global pointer g_pstPrmTcpRTNX to the second pointer g_pstPrmTcpRTNXOld, that is:
g_pstPrmTcpRTNXOld=g_pstPrmTcpRTNX;
2) assign the value of the first pointer g_pstPrmTcpRTNXNew to the global pointer g_pstPrmTcpRTNX, that is:
g_pstPrmTcpRTNX=g_pstPrmTcpRTNXNew;
After the global pointer g_pstPrmTcpRTNX has been modified to point to the new engine detection data, the pointer relationships are as shown in Fig. 3: when a packet passes through the detection engine of the intrusion prevention system, the engine detection data used by the detection engine has become the new engine detection data pointed to by g_pstPrmTcpRTNX. Finally, the original engine detection data at the address pointed to by g_pstPrmTcpRTNXOld is released.
The rules for the other protocols, such as UDP, ICMP and IP, are changed in the same way as for the TCP protocol.
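The TCP pointer switch above, written out as an added example that is not the patent's own code: the two assignments become one atomic exchange of g_pstPrmTcpRTNX, and the "wait a preset time, then release" step is replaced by an epoch counter that waits exactly until every detection that may still hold the old data has finished, which is what the fixed sleep on multi-core devices tries to approximate. The EngineData layout, the epoch counters and all function names are assumptions made for this illustration.

```c
/* Added example for this page, not code from the patent: publishing new
 * TCP engine detection data through the global pointer the patent calls
 * g_pstPrmTcpRTNX, then freeing the old data only after every detection
 * that may have read it has finished. Struct layout, epoch counters and
 * function names are assumptions made for this illustration. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PORTS 16
/* Constructed stand-in for the patent's "engine detection data": the
 * ports covered by the parsed TCP rule tree (RTN/OTN), plus a version. */
typedef struct {
    unsigned       version;
    size_t         nports;
    unsigned short ports[MAX_PORTS];
} EngineData;

/* The global pointer (patent: g_pstPrmTcpRTNX). Atomic, so the swap is
 * one indivisible store that every detection core sees whole. */
static _Atomic(EngineData *) g_pstPrmTcpRTNX = NULL;

/* Grace-period bookkeeping in place of the patent's fixed 1 s sleep:
 * detections register in the bucket of the epoch they started in. */
static atomic_uint g_epoch = 0;
static atomic_uint g_inflight[2] = { 0, 0 };

/* Step 101: build the new detection data in memory from parsed rules. */
EngineData *engine_data_new(unsigned version, const unsigned short *ports, size_t n)
{
    if (n > MAX_PORTS) return NULL;
    EngineData *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->version = version;
    d->nports  = n;
    memcpy(d->ports, ports, n * sizeof *ports);
    return d;
}

/* Step 102: publish the new data and return the old pointer. Same effect
 * as the patent's  g_pstPrmTcpRTNXOld = g_pstPrmTcpRTNX;
 *                  g_pstPrmTcpRTNX    = g_pstPrmTcpRTNXNew;
 * but as one atomic exchange, so the old pointer is handed out once. */
EngineData *ips_swap_tcp_data(EngineData *new_data)
{
    return atomic_exchange(&g_pstPrmTcpRTNX, new_data);
}

/* Detection path: register in the live epoch BEFORE loading the global
 * pointer (re-checking that the epoch did not move in between), so the
 * retirer knows this detection may hold the old data. Returns the matching
 * rule-set version, or 0 for no match. */
unsigned ips_detect_tcp(unsigned short dport)
{
    unsigned e;
    for (;;) {
        e = atomic_load(&g_epoch);
        atomic_fetch_add(&g_inflight[e & 1], 1);
        if (atomic_load(&g_epoch) == e) break;
        atomic_fetch_sub(&g_inflight[e & 1], 1);   /* epoch moved: retry */
    }
    EngineData *d = atomic_load(&g_pstPrmTcpRTNX);
    unsigned hit = 0;
    for (size_t i = 0; d && i < d->nports; i++)
        if (d->ports[i] == dport) { hit = d->version; break; }
    atomic_fetch_sub(&g_inflight[e & 1], 1);
    return hit;
}

/* Retire the data returned by ips_swap_tcp_data: flip the epoch, wait until
 * every detection that started under the old epoch has left, then free.
 * Updates must run one at a time (the patent's single update flow). Returns
 * the number of spins waited; a real engine would sleep or yield per spin. */
unsigned ips_retire_tcp_data(EngineData *old)
{
    unsigned prev  = atomic_fetch_add(&g_epoch, 1) & 1;
    unsigned spins = 0;
    while (atomic_load(&g_inflight[prev]) != 0) spins++;
    free(old);
    return spins;
}
```

Freeing the old data without the drain is exactly the dangling access the patent's fixed sleep guards against; the epoch check makes the guarantee independent of how long a detection happens to take.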
The invention also discloses a device for updating the engine detection data of an intrusion prevention system. With reference to Fig. 4, the device comprises:
a parsing and generating module, for parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
a pointer modification module, for modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
Preferably, the pointer modification module is further for releasing the original engine detection data.
Preferably, the pointer modification module is further for first waiting for a preset time and then releasing the original engine detection data.
Preferably, the parsing and generating module is further for pointing a first pointer to the new engine detection data;
and the pointer modification module comprises:
a pointer assignment submodule, for assigning the value of the first pointer to the global pointer.
Preferably, the parsing and generating module is further for assigning the value of the global pointer to a second pointer;
and the pointer modification module comprises:
an address release submodule, for releasing the data at the address pointed to by the second pointer.
The above embodiments are only for illustrating the invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention; therefore all equivalent technical solutions also belong to the scope of the invention, and the scope of patent protection of the invention should be defined by the claims.

Claims (10)

1. A method for updating the engine detection data of an intrusion prevention system, characterized in that the method comprises:
parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
2. The method according to claim 1, characterized in that, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
releasing the original engine detection data.
3. The method according to claim 2, characterized in that, after the global pointer that points to the original engine detection data has been modified to point to the new engine detection data, the method further comprises:
first waiting for a preset time, and then releasing the original engine detection data.
4. The method according to claim 2 or 3, characterized in that, after the new engine detection data has been generated in memory, the method further comprises:
pointing a first pointer to the new engine detection data;
and modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data specifically comprises:
assigning the value of the first pointer to the global pointer.
5. The method according to claim 4, characterized in that, before the value of the first pointer is assigned to the global pointer, the method further comprises:
assigning the value of the global pointer to a second pointer;
and releasing the original engine detection data specifically comprises:
releasing the data at the address pointed to by the second pointer.
6. A device for updating the engine detection data of an intrusion prevention system, characterized in that the device comprises:
a parsing and generating module, for parsing the updated rule base of the intrusion prevention system and generating new engine detection data in memory;
a pointer modification module, for modifying the global pointer that points to the original engine detection data so that it points to the new engine detection data, so that the detection engine uses the new engine detection data.
7. The device according to claim 6, characterized in that the pointer modification module is further for releasing the original engine detection data.
8. The device according to claim 7, characterized in that the pointer modification module is further for first waiting for a preset time and then releasing the original engine detection data.
9. The device according to claim 7 or 8, characterized in that the parsing and generating module is further for pointing a first pointer to the new engine detection data;
and the pointer modification module comprises:
a pointer assignment submodule, for assigning the value of the first pointer to the global pointer.
10. The device according to claim 9, characterized in that the parsing and generating module is further for assigning the value of the global pointer to a second pointer;
and the pointer modification module comprises:
an address release submodule, for releasing the data at the address pointed to by the second pointer.
Application CN201410369612.8A, filed 2014-07-25 (priority date 2014-07-25): Engine detection data updating method and device of intrusion prevention system; legal status Pending.
Publication CN104184725A (en), published 2014-12-03.
Family ID 51965467; country status: CN, CN104184725A (en).


Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123141A1 (en) * 2002-12-18 2004-06-24 Satyendra Yadav Multi-tier intrusion detection system
CN1592223A (en) * 2003-12-25 2005-03-09 珠海金山软件股份有限公司 Device for preventing computer virus into inside network and realizing method thereof
US20080168561A1 (en) * 2007-01-08 2008-07-10 Durie Anthony Robert Host intrusion prevention server
US20090217341A1 (en) * 2008-02-22 2009-08-27 Inventec Corporation Method of updating intrusion detection rules through link data packet
CN101695031A (en) * 2009-10-27 2010-04-14 成都市华为赛门铁克科技有限公司 Upgrading method and device of intrusion prevention system
CN102118296A (en) * 2009-12-30 2011-07-06 华为技术有限公司 Rule base upgrading method and communication equipment
CN102790778A (en) * 2012-08-22 2012-11-21 常州大学 DDos (distributed denial of service) attack defensive system based on network trap
CN103475653A (en) * 2013-09-05 2013-12-25 北京科能腾达信息技术股份有限公司 Method for detecting network data package
CN104991528A (en) * 2015-05-14 2015-10-21 福州福大自动化科技有限公司 DCS information safety control method and control station
CN106888196A (en) * 2015-12-16 2017-06-23 国家电网公司 A kind of coordinated defense system of unknown threat detection


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
TZU-FANG SHEU et al.: "A novel hierarchical matching algorithm for intrusion detection systems", GLOBECOM '05. IEEE Global Telecommunications Conference, 2005, 23 January 2006 (2006-01-23) *
车明明: "Research on key technologies of intrusion prevention systems", China Excellent Master's Theses Full-text Database, 15 January 2014 (2014-01-15) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107835177A (en) * 2017-11-10 2018-03-23 上海携程商务有限公司 Method, system, equipment and the storage medium of antivirus protection
CN107835177B (en) * 2017-11-10 2020-04-21 上海携程商务有限公司 Method, system, device and storage medium for virus protection
CN109271193A (en) * 2018-10-08 2019-01-25 广州市百果园信息技术有限公司 A kind of data processing method, device, equipment and storage medium
CN109271193B (en) * 2018-10-08 2023-01-13 广州市百果园信息技术有限公司 Data processing method, device, equipment and storage medium
CN112187552A (en) * 2020-10-20 2021-01-05 西安工程大学 IDS theoretical modeling method with high-priority detection power


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination