CN106375278A - Method, device and system for IPS (Intrusion Prevention System) to actively recognize and close misrecognition feature item - Google Patents
- Publication number
- CN106375278A, CN201610705052.8A
- Authority
- CN
- China
- Prior art keywords
- intrusion
- misrecognition
- array
- overall situation
- intrusion event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Alarm Systems (AREA)
Abstract
The invention provides a method, a device and a system for an IPS (Intrusion Prevention System) to actively recognize and close a misrecognition feature item. The method comprises the following steps: the intrusion prevention system uses two global arrays to monitor intrusion events alternately, each global array monitoring intrusion events for a preset time period; and while the intrusion prevention system monitors intrusion events with one of the two global arrays, it uses the data collected by the other global array to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified. With the method, the device and the system, a misrecognition feature item can be effectively recognized when it occurs and then closed.
Description
Technical field
The present invention relates to the field of computer technology, and more particularly to a method, device and system for an intrusion prevention system to automatically recognize and close misrecognition feature items.
Background
An intrusion prevention system (IPS) is a main tool for securing a network environment. It supplements anti-virus software and firewalls, and can effectively intercept the large volume of attack traffic hidden in a network environment.
However, because an intrusion prevention system's ability to recognize attacks is limited, and the size of its feature library is limited, there is a certain probability that it will misrecognize traffic. Once a misrecognition occurs, its impact is very large: the system may block normal, healthy traffic in the network environment, which seriously reduces the study and work efficiency of ordinary network users and can even cause economic loss to businesses.
The prior art only reduces the occurrence of misrecognition by continually maintaining and improving the recognition quality of the intrusion prevention system and continually enriching its feature library. It offers no effective scheme for recognizing and closing a misrecognition promptly when one occurs.
In view of this, how to effectively recognize a misrecognition feature item when it appears, and close it, is the technical problem that currently needs to be solved.
Summary of the invention
To solve the above technical problem, the present invention provides a method, device and system for an intrusion prevention system to automatically recognize and close misrecognition feature items, which can effectively recognize a misrecognition feature item when it appears and close it.
In a first aspect, the present invention provides a method for an intrusion prevention system to automatically recognize and close misrecognition feature items, comprising:
the intrusion prevention system monitors intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period;
while monitoring intrusion events with one of the two global arrays, the intrusion prevention system uses the data already collected by the other of the two global arrays to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified.
Optionally, monitoring intrusion events with one of the two global arrays comprises:
when an intrusion event is generated and recognized, the intrusion prevention system makes that global array contain the feature number of the intrusion event, and increments the occurrence count m of the intrusion event by one.
Optionally, making that global array contain the feature number of the intrusion event and incrementing the occurrence count m by one comprises:
when an intrusion event is generated and recognized, the intrusion prevention system determines whether the feature number of the intrusion event has already been added to that global array;
if it has been added, the end time t2 of the feature number of the intrusion event is updated, and the occurrence count m of the intrusion event is incremented by one;
if it has not been added, then when the number of elements contained in that global array is less than a preset first threshold, the feature number of the intrusion event is added to that global array, the start time t1 of the feature number of the intrusion event is recorded, and the occurrence count m of the intrusion event is set to 1.
Optionally, for a given intrusion event within the preset time period monitored by the other global array, using the data collected by the other global array to identify whether the intrusion event is a misrecognition feature item, and closing the detection switch of the misrecognition feature item identified, comprises:
multiplying the difference between the end time t2 and the start time t1 recorded for the feature number of that intrusion event in the other global array by a preset second threshold to obtain a value n, where the preset second threshold is the threshold on the number of events per second produced by a misrecognition feature item;
comparing the value n with the occurrence count m of that intrusion event within the preset time period monitored by the other global array;
if n is less than m, determining that the intrusion event is a misrecognition feature item, and closing the detection switch of that intrusion event.
Optionally, the preset second threshold is 20.
Optionally, after the value n has been compared with the occurrence count m of that intrusion event within the preset time period monitored by the other global array, the identification further comprises:
if n is greater than or equal to m, determining that the intrusion event is a normally recognized attack.
Optionally, the method further comprises:
after the intrusion prevention system has identified all misrecognition feature items in the data collected by the other global array and has closed the detection switches of all misrecognition feature items identified, it initializes the other global array so that the number of elements it contains is 0.
Optionally, the method further comprises:
if the intrusion prevention system receives an instruction, input by a user, to open the detection switch of a misrecognition feature item that has been closed, it opens the detection switch of that closed misrecognition feature item.
In a second aspect, the present invention provides a device for an intrusion prevention system to automatically recognize and close misrecognition feature items, comprising:
a monitoring module, by which the intrusion prevention system monitors intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period;
an identification module, by which the intrusion prevention system, while monitoring intrusion events with one of the two global arrays, uses the data already collected by the other of the two global arrays to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified.
In a third aspect, the present invention provides an intrusion prevention system comprising the above device for an intrusion prevention system to automatically recognize and close misrecognition feature items.
As can be seen from the above technical solution, in the method, device and system of the present invention, the intrusion prevention system monitors intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period; while monitoring intrusion events with one of the two global arrays, the intrusion prevention system uses the data already collected by the other global array to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified. A misrecognition feature item can thereby be effectively recognized when it appears and closed, which effectively avoids the network failures, economic losses and other losses that current intrusion prevention systems cause when a misrecognition occurs.
Brief description of the drawings
Fig. 1 is a schematic flowchart of a method for an intrusion prevention system to automatically recognize and close misrecognition feature items, provided by an embodiment of the present invention;
Fig. 2 is a specific schematic flowchart of the method of the embodiment shown in Fig. 1;
Fig. 3 is a schematic structural diagram of a device for an intrusion prevention system to automatically recognize and close misrecognition feature items, provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an intrusion prevention system provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative work, fall within the scope of protection of the present invention.
Fig. 1 shows a schematic flowchart of the method for an intrusion prevention system to automatically recognize and close misrecognition feature items provided by an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment is as follows.
101. The intrusion prevention system monitors intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period.
In a specific application, a timer may be used to set the preset time period. For example, the preset time period may be set to 180 seconds, or it may be set according to the actual situation.
102. While monitoring intrusion events with one of the two global arrays, the intrusion prevention system uses the data already collected by the other of the two global arrays to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified.
In a specific application, "monitoring intrusion events with one of the two global arrays" in step 102 may comprise:
when an intrusion event is generated and recognized, the intrusion prevention system makes that global array contain the feature number sid of the intrusion event, and increments the occurrence count m of the intrusion event by one.
Further, making that global array contain the feature number sid of the intrusion event and incrementing the occurrence count m by one may specifically comprise:
when an intrusion event is generated and recognized, the intrusion prevention system determines whether the feature number sid of the intrusion event has already been added to that global array;
if it has been added, the end time t2 of the feature number of the intrusion event is updated, and the occurrence count m of the intrusion event is incremented by one;
if it has not been added, then when the number of elements contained in that global array is less than the preset first threshold, the feature number of the intrusion event is added to that global array, the start time t1 of the feature number of the intrusion event is recorded, and the occurrence count m of the intrusion event is set to 1 (the initial value of m is 0).
In a specific application, the preset second threshold may preferably be 256, so that at most 256 sids can be added to a global array. This embodiment does not limit the value, and it may also be set according to the actual situation.
In a specific application, for a given intrusion event within the preset time period monitored by the other global array, "using the data already collected by the other of the two global arrays to identify whether an intrusion event is a misrecognition feature item, and closing the detection switch of each misrecognition feature item identified" in step 102 may specifically comprise:
multiplying the difference between the end time t2 and the start time t1 recorded for the feature number of that intrusion event in the other global array by the preset second threshold to obtain a value n, where the preset second threshold is the threshold on the number of events per second produced by a misrecognition feature item;
comparing the value n with the occurrence count m of that intrusion event within the preset time period monitored by the other global array;
if n is less than m, determining that the intrusion event is a misrecognition feature item, and closing the detection switch of that intrusion event;
if n is greater than or equal to m, determining that the intrusion event is a normally recognized attack.
In a specific application, the preset second threshold may, for example, preferably be 20, or it may be set according to the actual situation.
In a specific application, the method of this embodiment may further comprise:
after the intrusion prevention system has identified all misrecognition feature items in the data collected by the other global array and has closed the detection switches of all misrecognition feature items identified, it initializes the other global array so that the number of elements it contains is 0.
In a specific application, the method of this embodiment may further comprise:
if the intrusion prevention system receives an instruction, input by a user, to open the detection switch of a misrecognition feature item that has been closed, it opens the detection switch of that closed misrecognition feature item.
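The monitoring and identification steps of this embodiment, as an added Python example that is not code from the patent: two dictionaries stand in for the two global arrays, and the 180-second period, the 256-element cap and the rate threshold of 20 are the values the description gives. The class and function names, the sample events, and the choice to leave a feature number seen only once enabled (the description writes t2 only on repeat events) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 180   # preset time period given in the description
MAX_ENTRIES = 256      # at most 256 sids per global array, per the description
RATE_THRESHOLD = 20    # events per second, per the description


@dataclass
class Entry:
    t1: float                   # start time, set when the sid is first added
    t2: Optional[float] = None  # end time, written only on repeat events
    m: int = 1                  # occurrence count within the window


class FalsePositiveMonitor:
    """Two alternating per-sid tables plus the set of closed detection switches."""

    def __init__(self, start, window=WINDOW_SECONDS,
                 max_entries=MAX_ENTRIES, rate=RATE_THRESHOLD):
        self.arrays = [{}, {}]          # the two "global arrays", keyed by sid
        self.active = 0                 # index of the array currently collecting
        self.window = window
        self.window_end = start + window
        self.max_entries = max_entries
        self.rate = rate
        self.disabled = set()           # sids whose detection switch is closed

    def record(self, sid, now):
        """Account for one recognized event; False if the sid is switched off."""
        if sid in self.disabled:
            return False
        table = self.arrays[self.active]
        entry = table.get(sid)
        if entry is not None:           # already added: update t2, m += 1
            entry.t2 = now
            entry.m += 1
        elif len(table) < self.max_entries:
            table[sid] = Entry(t1=now)  # new sid: record t1, m = 1
        return True

    def is_false_positive(self, entry):
        """Apply the rule n = (t2 - t1) * threshold; misrecognition if n < m."""
        if entry.t2 is None:
            return False                # assumption: one event, no rate to judge
        n = (entry.t2 - entry.t1) * self.rate
        return n < entry.m

    def rotate(self):
        """Timer expiry: swap arrays, judge the finished one, then reset it."""
        finished = self.arrays[self.active]
        self.active ^= 1                # the other array starts collecting
        self.window_end += self.window
        closed = [sid for sid, e in finished.items()
                  if self.is_false_positive(e)]
        self.disabled.update(closed)    # close the detection switches
        finished.clear()                # element count back to 0
        return closed

    def enable(self, sid):
        """User instruction to reopen a closed detection switch."""
        self.disabled.discard(sid)


def replay(events, monitor):
    """Feed (timestamp, sid) pairs in time order, rotating at window ends."""
    for ts, sid in sorted(events):
        while ts >= monitor.window_end:
            monitor.rotate()
        monitor.record(sid, ts)


def demo():
    """Constructed sample: one noisy sid, one steady sid, one single event."""
    monitor = FalsePositiveMonitor(start=0.0)
    events = [(i / 50, 1001) for i in range(500)]    # 50 events/s for ~10 s
    events += [(2.0 * i, 2002) for i in range(31)]   # one event every 2 s
    events += [(5.0, 3003)]                          # seen once
    replay(events, monitor)
    closed = monitor.rotate()                        # timer fires at t = 180
    return monitor, closed


if __name__ == "__main__":
    mon, closed = demo()
    print("closed detection switches:", closed)
```

In a threaded engine the judging pass in `rotate()` would run alongside collection into the newly active array; here the swap happens first so the two never touch the same table.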
It can be understood that, in this embodiment, the intrusion prevention system monitors intrusion events using two global arrays alternately, and while one global array is monitoring intrusion events, the data collected by the other global array is used to identify whether an intrusion event is a misrecognition feature item, which can effectively improve work efficiency. See Fig. 2, which shows a specific schematic flowchart of the method of this embodiment for an intrusion prevention system to automatically recognize and close misrecognition feature items.
In the method of this embodiment, the intrusion prevention system monitors intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period; while monitoring intrusion events with one of the two global arrays, the intrusion prevention system uses the data already collected by the other global array to identify whether an intrusion event is a misrecognition feature item, and closes the detection switch of each misrecognition feature item identified. A misrecognition feature item can thereby be effectively recognized when it appears and closed, which effectively avoids the network failures, economic losses and other losses that current intrusion prevention systems cause when a misrecognition occurs.
Fig. 3 shows a schematic structural diagram of a device for an intrusion prevention system to automatically recognize and close misrecognition feature items, provided by an embodiment of the present invention. As shown in Fig. 3, the device of this embodiment comprises a monitoring module 31 and an identification module 32, wherein:
the monitoring module 31 is used by the intrusion prevention system to monitor intrusion events using two global arrays alternately, each global array monitoring intrusion events for a preset time period;
the identification module 32 is used by the intrusion prevention system, while monitoring intrusion events with one of the two global arrays, to identify from the data already collected by the other of the two global arrays whether an intrusion event is a misrecognition feature item, and to close the detection switch of each misrecognition feature item identified.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1 or Fig. 2. Its implementation principle and technical effect are similar and are not repeated here.
The device of this embodiment can effectively recognize a misrecognition feature item when it appears and close it, which effectively avoids the network failures, economic losses and other losses that current intrusion prevention systems cause when a misrecognition occurs.
Fig. 4 shows a schematic structural diagram of an intrusion prevention system provided by an embodiment of the present invention. As shown in Fig. 4, the intrusion prevention system of this embodiment comprises the device 3 for automatically recognizing and closing misrecognition feature items shown in the embodiment of Fig. 3.
The intrusion prevention system of this embodiment can effectively recognize a misrecognition feature item when it appears and close it, which effectively avoids the network failures, economic losses and other losses that current intrusion prevention systems cause when a misrecognition occurs.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to its embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element. The orientation or positional relationships indicated by terms such as "upper" and "lower" are based on the orientation or positional relationships shown in the drawings, are only for convenience in describing the invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the invention. Unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" should be understood broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with one another. The invention is not limited to any single aspect or any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention, and they should all be covered by the scope of the claims and description of the invention.
Claims (10)
1. a kind of intrusion prevention system automatic identification and close misrecognition characteristic item method it is characterised in that include:
Intrusion prevention system is alternately monitored to intrusion event using two overall arrays, and each overall situation array is to intrusion event
The time being monitored is preset time period;
Intrusion prevention system is while intrusion event being monitored using an overall array in described two overall situation arrays, sharp
Whether the data identification intrusion event having monitored acquisition with another overall situation array in described two overall situation arrays is that misrecognition is special
Levy item, and the detection switch of the misrecognition characteristic item that will identify that closes.
2. The method according to claim 1, characterized in that monitoring intrusion events using one of the two global arrays comprises:
when an intrusion event is generated and identified, the intrusion prevention system causing one of the two global arrays to contain the feature number of the intrusion event, and incrementing the occurrence count m of the intrusion event by one.
3. The method according to claim 2, characterized in that the intrusion prevention system, when an intrusion event is generated and identified, causing one of the two global arrays to contain the feature number of the intrusion event and incrementing the occurrence count m of the intrusion event by one comprises:
when an intrusion event is generated and identified, the intrusion prevention system judging whether the feature number of the intrusion event has already been added to the one of the two global arrays;
if it has been added, updating the end time t2 of the feature number of the intrusion event, and incrementing the occurrence count m of the intrusion event by one;
if it has not been added, then, when the number of elements contained in this global array is less than a preset first threshold, adding the feature number of the intrusion event to this global array, recording the start time t1 of the feature number of the intrusion event, and setting the occurrence count m of the intrusion event to 1.
4. The method according to claim 3, characterized in that, for a given intrusion event within the preset time period monitored by the other global array, using the data already obtained by monitoring with the other of the two global arrays to identify whether the intrusion event is a misrecognition feature item, and closing the detection switch of the identified misrecognition feature item, comprises:
multiplying the difference between the end time t2 and the start time t1 of the feature number of this intrusion event, as added to the other of the two global arrays, by a preset second threshold to obtain a value n, wherein the preset second threshold is the threshold for the number of events per second generated by a misrecognition feature item;
comparing the value n with the occurrence count m of this intrusion event within the preset time period monitored by the other global array;
if n is less than m, determining that this intrusion event is a misrecognition feature item, and closing the detection switch of this intrusion event.
5. The method according to claim 4, characterized in that the preset second threshold is 20.
6. The method according to claim 4, characterized in that, after comparing the value n with the occurrence count m of this intrusion event within the preset time period monitored by the other global array, using the data already obtained by monitoring with the other of the two global arrays to identify whether the intrusion event is a misrecognition feature item further comprises:
if n is greater than or equal to m, determining that this intrusion event is a normally identified attack.
7. The method according to claim 1, characterized in that the method further comprises:
after the intrusion prevention system has identified all misrecognition feature items in the data already obtained by monitoring with the other of the two global arrays, and has closed the detection switches of all identified misrecognition feature items, initializing the other global array so that the number of elements contained in the other global array is 0.
8. The method according to claim 1, characterized in that the method further comprises:
if the intrusion prevention system receives a user-input instruction to open the detection switch of a misrecognition feature item that has been closed, opening the detection switch of that closed misrecognition feature item.
9. A device for an intrusion prevention system to automatically identify and close a misrecognition feature item, characterized by comprising:
a monitoring module, used by the intrusion prevention system to monitor intrusion events alternately using two global arrays, the time for which each global array monitors intrusion events being a preset time period;
an identification module, used by the intrusion prevention system, while monitoring intrusion events using one of the two global arrays, to identify whether an intrusion event is a misrecognition feature item using the data already obtained by monitoring with the other of the two global arrays, and to close the detection switch of each identified misrecognition feature item.
10. An intrusion prevention system, characterized by comprising: the device according to claim 9 for an intrusion prevention system to automatically identify and close a misrecognition feature item.
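Claims 1 to 8 as an added Python example (not code from the patent): two dictionaries stand in for the two global arrays, and the finished array is judged at the moment of the swap rather than in parallel with monitoring. Assumptions not in the claims: the class and parameter names, the 60-second period, the first-threshold value of 1024, rotation being triggered by event arrival, t2 starting equal to t1, and the `min_events` guard.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    t1: float   # start time: first event for this feature number
    t2: float   # end time: latest event
    m: int = 1  # occurrence count within the period

class MisrecognitionGate:
    def __init__(self, period=60.0, first_threshold=1024, second_threshold=20, min_events=2):
        self.period = period                      # assumed preset time period, seconds
        self.first_threshold = first_threshold    # assumed cap on entries per array (claim 3)
        self.second_threshold = second_threshold  # events per second (claim 5: 20)
        self.min_events = min_events              # assumption, not in the claims (see rotate)
        self.arrays = ({}, {})                    # two global arrays keyed by feature number
        self.active, self.period_start = 0, None
        self.closed = set()                       # feature numbers with detection switched off

    def on_event(self, feature_id, now):  # returns feature numbers closed by a rotation
        if self.period_start is None: self.period_start = now
        newly_closed = self.rotate(now) if now - self.period_start >= self.period else []
        if feature_id not in self.closed:          # a closed switch produces no events
            arr = self.arrays[self.active]
            entry = arr.get(feature_id)
            if entry:                              # already added: update t2, m += 1
                entry.t2, entry.m = now, entry.m + 1
            elif len(arr) < self.first_threshold:  # not added, array below first threshold
                arr[feature_id] = Entry(t1=now, t2=now)
        return newly_closed

    def rotate(self, now):  # switch arrays, judge the finished one, reset it (claim 7)
        finished = self.arrays[self.active]
        self.active, self.period_start = self.active ^ 1, now
        # Claim 4: n = (t2 - t1) * second threshold; n < m means misrecognition.
        # A single event has t2 == t1, so n = 0 < m = 1; min_events skips that case.
        newly_closed = [fid for fid, e in finished.items() if e.m >= self.min_events
                        and (e.t2 - e.t1) * self.second_threshold < e.m]
        self.closed.update(newly_closed)
        finished.clear()
        return newly_closed

    def reopen(self, feature_id):                  # claim 8: operator reopens a switch
        self.closed.discard(feature_id)

def demo():  # constructed event stream: (time in seconds, feature number)
    gate = MisrecognitionGate()
    events = [(0.02 * i, 1001) for i in range(100)] + [(5.0 + 10 * i, 2002) for i in range(5)]
    events += [(30.0, 3003), (60.0, 2002)]
    return [fid for t, f in sorted(events) for fid in gate.on_event(f, t)]
```

Each feature number returned by `on_event` is a signature that has just stopped being detected, so it is worth logging for operator review and possible reopening under claim 8.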
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610705052.8A CN106375278A (en) | 2016-08-22 | 2016-08-22 | Method, device and system for IPS (Intrusion Prevention System) to actively recognize and close misrecognition feature item |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610705052.8A CN106375278A (en) | 2016-08-22 | 2016-08-22 | Method, device and system for IPS (Intrusion Prevention System) to actively recognize and close misrecognition feature item |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106375278A true CN106375278A (en) | 2017-02-01 |
Family
ID=57878091
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610705052.8A Pending CN106375278A (en) | 2016-08-22 | 2016-08-22 | Method, device and system for IPS (Intrusion Prevention System) to actively recognize and close misrecognition feature item |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106375278A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106960535A (en) * | 2017-05-19 | 2017-07-18 | 龙岩学院 | Scope biotic intrusion early warning system based on infrared sensor |
CN115664869A (en) * | 2022-12-28 | 2023-01-31 | 北京六方云信息技术有限公司 | Intrusion prevention system error identification processing method, device and storage medium |
CN115664869B (en) * | 2022-12-28 | 2023-05-16 | 北京六方云信息技术有限公司 | Method, device and storage medium for processing false identification of intrusion prevention system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106341414B (en) | A kind of multi-step attack safety situation evaluation method based on Bayesian network | |
CN107239707A (en) | A kind of threat data processing method for information system | |
CN108200030A (en) | Detection method, system, device and the computer readable storage medium of malicious traffic stream | |
US8621629B2 (en) | System, method, and computer software code for detecting a computer network intrusion in an infrastructure element of a high value target | |
CN109995793A (en) | Network dynamic threatens tracking quantization method and system | |
JP6532106B2 (en) | Monitoring device, monitoring method and program for monitoring | |
CN109478216A (en) | Knowledge infers and the parallelization and n-layer grade of statistical correlation system | |
CN102768638B (en) | Software behavior credibility detecting method based on state transition diagram | |
CN110474878B (en) | DDoS attack situation early warning method and server based on dynamic threshold | |
CN105573291B (en) | A kind of threat detection method and safety device based on key parameter fusion verification | |
CN110213226A (en) | Associated cyber attack scenarios method for reconstructing and system are recognized based on risk total factor | |
CN101902481B (en) | Real-time monitoring method and device for webpage Trojan horse | |
CN105681274B (en) | A kind of method and device of original alarm information processing | |
CN105959316A (en) | Network security authentication system | |
CN107517214A (en) | System and method for providing computer network security | |
Chiu et al. | Frequent pattern based user behavior anomaly detection for cloud system | |
EP4022405A1 (en) | Systems and methods for enhancing data provenance by logging kernel-level events | |
CN104392573A (en) | Video-based intelligent theft detection method | |
CN110147762A (en) | A kind of embedded type fire control wrong report elimination system | |
CN106375278A (en) | Method, device and system for IPS (Intrusion Prevention System) to actively recognize and close misrecognition feature item | |
CN104468545A (en) | Network security correlation analysis method based on complex event processing | |
JP2012208793A (en) | Security system | |
CN107688547A (en) | A kind of method and system of controller active-standby switch | |
CN103605597B (en) | Configurable computer protection system and method | |
CN106652393A (en) | Method for determining false alarm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |