CN107547533B - Feature rule opening method and device - Google Patents

Feature rule opening method and device Download PDF

Info

Publication number: CN107547533B
Application number: CN201710736834.2A
Authority: CN (China)
Prior art keywords: rule, flow, feature, characteristic, traffic
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107547533A
Inventor: 岳炳词
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Classification: Data Exchanges In Wide-Area Networks
Abstract

Embodiments of this application provide a method and device for enabling a feature rule. The method comprises: a security device receives traffic and, if the traffic does not match any feature rule enabled on the security device, mirrors the traffic to a traffic learning device; the traffic learning device detects, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches, and issues to the security device an enable instruction for the first feature rule, the enable instruction instructing the security device to enable the first feature rule; the security device receives the enable instruction and enables the first feature rule accordingly. Applying these embodiments reduces the impact on the processing of normal services and improves network security.

Description

Feature rule opening method and device
Technical Field
This application relates to the field of network security technologies, and in particular to a method and device for enabling ("opening") feature rules.
Background
As network technology develops, the variety of network applications and operating systems keeps growing and they are updated ever faster, which results in an increasing number of system vulnerabilities.
To block the various kinds of attack traffic that exploit system vulnerabilities and improve network security, more and more feature rules that match such attack traffic are configured on security devices, such as Deep Packet Inspection (DPI) devices, and used to detect the attack traffic.
As the number of feature rules configured on a security device grows, enabling all of them at once degrades the device's service-processing performance and affects the processing of normal services; enabling only some of them leaves some attack traffic undetected and reduces network security.
Disclosure of Invention
Embodiments of this application aim to provide a method and device for enabling a feature rule, so as to reduce the impact on the processing of normal services and improve network security. The specific technical scheme is as follows:
In a first aspect, an embodiment of this application provides a feature rule enabling method applied to a security device, the method comprising:
receiving traffic;
if the traffic does not match any feature rule enabled on the security device, mirroring the traffic to a traffic learning device, so that the traffic learning device detects, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
receiving an enable instruction for the first feature rule issued by the traffic learning device;
and enabling the first feature rule according to the enable instruction.
In a second aspect, an embodiment of this application provides a feature rule enabling method applied to a traffic learning device, the method comprising:
receiving traffic mirrored by the security device;
detecting, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
and issuing an enable instruction for the first feature rule to the security device, the enable instruction instructing the security device to enable the first feature rule.
In a third aspect, an embodiment of this application provides a feature rule enabling apparatus applied to a security device, the apparatus comprising:
a first receiving unit for receiving traffic;
a mirroring unit for mirroring the traffic to a traffic learning device if the traffic does not match any feature rule enabled on the security device, so that the traffic learning device detects, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
a second receiving unit for receiving an enable instruction for the first feature rule issued by the traffic learning device;
and an enabling unit for enabling the first feature rule according to the enable instruction.
In a fourth aspect, an embodiment of this application provides a feature rule enabling apparatus applied to a traffic learning device, the apparatus comprising:
a receiving unit for receiving traffic mirrored by the security device;
a detecting unit for detecting, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
and an issuing unit for issuing an enable instruction for the first feature rule to the security device, the enable instruction instructing the security device to enable the first feature rule.
In a fifth aspect, embodiments of this application provide an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the machine-executable instructions cause the processor to implement the steps of the feature rule enabling method applied to the security device described above.
In a sixth aspect, embodiments of this application provide an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the machine-executable instructions cause the processor to implement the steps of the feature rule enabling method applied to the traffic learning device described above.
In a seventh aspect, embodiments of this application provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the steps of the feature rule enabling method applied to the security device described above.
In an eighth aspect, embodiments of this application provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the steps of the feature rule enabling method applied to the traffic learning device described above.
In the embodiments of this application, only some of the feature rules are enabled on the security device, which reduces the impact on the processing of normal services. When traffic received by the security device does not match any of the enabled feature rules, that is, the feature rule corresponding to the traffic is not enabled on the security device, the traffic is mirrored to the traffic learning device. A large number of feature rules are enabled on the traffic learning device; when it receives traffic mirrored by the security device it detects, among its enabled feature rules, a first feature rule that the traffic matches, and issues an enable instruction for the first feature rule to the security device. After receiving the enable instruction the security device enables the first feature rule and can then detect the corresponding attack traffic with it, which avoids the problem that some attack traffic goes undetected because only some feature rules are enabled, and improves network security. Of course, no product or method of this application necessarily achieves all of the above advantages at the same time.
Drawings
To illustrate the embodiments of this application or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described here show only some embodiments of this application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a network;
Fig. 2 is a schematic diagram of a network provided in an embodiment of this application;
Fig. 3 is a first flowchart of a feature rule enabling method according to an embodiment of this application;
Fig. 4 is a second flowchart of a feature rule enabling method according to an embodiment of this application;
Fig. 5 is a schematic structural diagram of a first feature rule enabling apparatus according to an embodiment of this application;
Fig. 6 is a schematic structural diagram of a second feature rule enabling apparatus according to an embodiment of this application;
Fig. 7 is a schematic structural diagram of a first electronic device according to an embodiment of this application;
Fig. 8 is a schematic structural diagram of a second electronic device according to an embodiment of this application.
Detailed Description
The technical solutions in the embodiments of this application are described below clearly and completely with reference to the drawings. The described embodiments are only some, not all, of the embodiments of this application. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of this application.
For ease of understanding, terms used in the embodiments of this application are explained first.
Feature rule: a correspondence between a feature and a processing operation applied to traffic. If traffic matches the feature in a feature rule, the traffic matches the feature rule.
In current deployments, the network shown in Fig. 1 comprises a client 101, a security device 102 and a server 103. To block the various kinds of attack traffic that exploit system vulnerabilities and improve network security, a large number of feature rules matching such attack traffic are configured on the security device 102. If all of these feature rules are enabled at once, the service-processing performance of the security device 102 degrades and the processing of normal services is affected; if only some of them are enabled, some attack traffic goes undetected and network security is reduced.
To reduce the impact on the processing of normal services while improving network security, the network shown in Fig. 2 in the embodiments of this application comprises, in addition to the client 101, the security device 102 and the server 103, a traffic learning device 104 connected to the security device 102. A large number of feature rules are enabled on the traffic learning device 104, while only some feature rules are enabled on the security device 102; because fewer rules are enabled on the security device 102, the impact on the processing of normal services is reduced. When traffic received by the security device 102 matches none of its enabled feature rules, the traffic learning device 104 issues an enable instruction that enables the feature rule corresponding to that traffic, which solves the problem that some attack traffic goes undetected because only some feature rules are enabled, and improves network security.
Referring to Fig. 3, which is a first flowchart of a feature rule enabling method provided in an embodiment of this application and applied to a security device, the method comprises:
S301: receiving traffic;
S302: if the traffic does not match any feature rule enabled on the security device, mirroring the traffic to the traffic learning device;
To reduce the impact on the processing of normal services, only a small part of the large number of feature rules configured on the security device is enabled, or none of them is. When traffic received by the security device matches none of the enabled feature rules, the traffic is mirrored to the traffic learning device in order to improve network security: the traffic is copied and the copy is sent to the traffic learning device, so that the traffic learning device can have the feature rule corresponding to the traffic enabled on the security device. The traffic learning device is also configured with a large number of feature rules, all of which are enabled; after it obtains the traffic mirrored from the security device, it detects, among its enabled feature rules, a first feature rule that the traffic matches.
In an embodiment of this application, to speed up service processing on the security device, some feature rules may be enabled when the security device starts. These may be the feature rules corresponding to the attack traffic received most frequently, or feature rules the user considers important, so that the security device can provide the main security defence from the outset.
To ensure that these feature rules are enabled when the security device starts, the feature rules that must be enabled at start-up can be set to the highest priority, so that the rules with the highest priority are enabled directly at start-up.
In an embodiment of this application, an ACL (Access Control List) for mirroring is pre-stored on the security device. The ACL may include one or more of a network segment corresponding to the source address, a network segment corresponding to the destination address, a source port, a destination port, and other information. When traffic received by the security device matches none of its enabled feature rules, the security device checks whether a first ACL matching the traffic exists among the pre-stored ACLs. If a first ACL is found and it indicates that the traffic is to be mirrored to the traffic learning device, the traffic is deemed possibly to be attack traffic and is mirrored to the traffic learning device. If no first ACL is found, the traffic can be deemed not to be attack traffic and is forwarded directly, without first mirroring it to the traffic learning device and then deciding whether to forward it; this effectively improves the forwarding speed of the traffic.
S303: receiving an enable instruction for a first feature rule issued by the traffic learning device;
The enable instruction instructs the security device to enable the first feature rule.
If the traffic learning device detects, among its enabled feature rules, a first feature rule that the traffic matches, it issues an enable instruction for the first feature rule to the security device. If the traffic learning device does not detect a first feature rule, it considers the traffic not to be attack traffic and may take no further action; the security device, having received no instruction from the traffic learning device after a period of time, forwards the traffic directly. Alternatively, when no first feature rule is detected, the traffic learning device may issue a notification instruction to the security device stating that the traffic is not attack traffic and instructing the security device to forward it.
S304: enabling the first feature rule according to the enable instruction.
The security device can then apply security defence according to the first feature rule to control forwarding of the traffic: for example, traffic matching the first feature rule is dropped, or its forwarding rate is limited.
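The exchange in steps S301 to S304, together with the ACL pre-filter for mirroring and the start-up priority rule, modelled in a few dozen lines. This is an added example written for this page, not code from the patent or from New H3C: the three rules, the ACL entry, the packet format (a plain payload substring match stands in for real DPI signatures) and the sample packets are all constructed here, and the learning device is called in-process rather than over a network link.

```python
"""Constructed model of the security device / traffic learning device exchange.

Not the patent's code. Rules, ACL and packets are made up for illustration;
payload substring matching stands in for a real DPI signature engine.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class FeatureRule:
    rule_id: str
    pattern: bytes      # payload substring that identifies the attack traffic
    action: str         # processing operation applied to matching traffic
    priority: int = 0   # rules at the highest priority are enabled at device start


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class MirrorACL:
    """Pre-filter: unmatched traffic that hits no ACL entry is forwarded
    directly instead of being copied to the traffic learning device."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return self.dport is None or p.dport == self.dport


class TrafficLearningDevice:
    """Keeps the complete rule set enabled (steps S401 to S403)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def inspect(self, p: Packet) -> Optional[str]:
        """Return the rule_id of the first matching rule as the enable instruction, or None."""
        for r in self.rules:
            if r.pattern in p.payload:
                return r.rule_id
        return None


class SecurityDevice:
    """Configured with the same rules, but only the top-priority ones are enabled at start."""

    def __init__(self, rules, acls, learner, start_priority):
        self.rules = {r.rule_id: r for r in rules}
        self.enabled = {r.rule_id for r in rules if r.priority >= start_priority}
        self.acls = list(acls)
        self.learner = learner
        self.mirrored = 0   # number of packets copied to the learning device

    def _match_enabled(self, p: Packet) -> Optional[FeatureRule]:
        for rid in sorted(self.enabled):
            if self.rules[rid].pattern in p.payload:
                return self.rules[rid]
        return None

    def handle(self, p: Packet) -> str:
        rule = self._match_enabled(p)                      # S301, S302
        if rule is None and any(a.matches(p) for a in self.acls):
            self.mirrored += 1                             # S302: mirror
            rid = self.learner.inspect(p)                  # S303: enable instruction
            if rid is not None:
                self.enabled.add(rid)                      # S304
                rule = self.rules[rid]                     # held traffic gets the new rule
        return "forward" if rule is None else rule.action


def build_devices():
    """Constructed sample configuration (not from the patent)."""
    rules = [
        FeatureRule("R1", b"/etc/passwd", "drop", priority=10),
        FeatureRule("R2", b"cmd.exe", "drop"),
        FeatureRule("R3", b"UNION SELECT", "rate_limit"),
    ]
    learner = TrafficLearningDevice(rules)
    acls = [MirrorACL(dst_net="10.0.0.0/8", dport=80)]   # only the protected web segment is mirrored
    return SecurityDevice(rules, acls, learner, start_priority=10), learner


def run_scenario():
    """Five constructed packets; returns (decisions, enabled rules, mirrored count)."""
    sec, _ = build_devices()
    flows = [
        Packet("198.51.100.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
        Packet("198.51.100.7", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
        Packet("198.51.100.8", "10.0.0.5", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.1"),
        Packet("198.51.100.9", "10.0.0.5", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.1"),
        Packet("198.51.100.9", "192.0.2.9", 80, b"id=1 UNION SELECT 1,2,3"),
    ]
    return [sec.handle(p) for p in flows], sorted(sec.enabled), sec.mirrored


if __name__ == "__main__":
    print(run_scenario())
```

The first packet is mirrored but matches nothing and is forwarded; the second hits R1, which was enabled at start by priority, and is never mirrored; the third is mirrored, the learning device answers with R2, and the fourth is then dropped locally without a second mirror; the fifth goes to a destination outside the mirror ACL, so it is forwarded without consulting the learning device even though R3 would match. The page does not say how the instruction channel between the two devices is protected; in a real deployment an unauthenticated enable instruction would let anyone on that link switch rules on or off, so the channel should be authenticated.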
In an embodiment of this application, to ensure that traffic can be detected accurately and processed correctly, the traffic learning device configures an aging time for the first feature rule after issuing the enable instruction for it. Once the aging time has elapsed, the feature or the rule content of the first feature rule may need updating, so the traffic learning device issues a disable ("close") instruction for the first feature rule to the security device, the disable instruction instructing the security device to disable the first feature rule. The security device disables the first feature rule on receiving the disable instruction, which reduces the number of feature rules enabled on the security device and thus the impact on normal service processing.
In an embodiment of this application, to reduce the impact on the processing of normal services, the security device configures an aging time for the first feature rule after enabling it according to the enable instruction. If further traffic matching the first feature rule is received before the aging time expires, the aging time is reset; if no further traffic matching the first feature rule is received by the time the aging time expires, it is concluded that no more traffic matching the first feature rule will arrive, and the first feature rule is disabled.
For example, with an aging time of 1 hour: feature rule a is enabled at 10:00 on receipt of traffic a, and the aging time is configured for it. If other traffic matching feature rule a is received within the hour from 10:00 to 11:00, say traffic b at 10:10, the aging time of feature rule a is reset and the device checks whether other matching traffic arrives within the hour from 10:10 to 11:10. If no other traffic matching feature rule a is received between 10:00 and 11:00, that is, none has arrived by 11:00, feature rule a is disabled.
The aging time configured for the first feature rule on the security device may be issued by the traffic learning device together with the enable instruction, or may be configured on the security device in advance by the user; this embodiment does not limit it.
In an embodiment of this application, after configuring the aging time for the first feature rule, the security device may count the frequency with which traffic matching the first feature rule is received. When the counted frequency exceeds a frequency threshold, the device may conclude that a large amount of traffic matches the first feature rule and, to speed up the processing of that traffic, delete the aging time of the first feature rule so that the rule is no longer disabled by aging.
For example, with a frequency threshold of 5 per hour: if 6 items of traffic matching feature rule a are received within 1 hour, the frequency of matching traffic is 6 per hour, 6 per hour exceeds 5 per hour, and the aging time configured for feature rule a is deleted.
In an embodiment of this application, feature rules that are never disabled by aging may also be preset by the user, such as the feature rules considered important by the user that are enabled at device start-up, mentioned above.
After receiving an instruction from the traffic learning device, for example an enable or disable instruction, the security device may also send a response message to the traffic learning device reporting whether it executed the instruction successfully: for example, that enabling or disabling the feature rule succeeded or failed.
The security device and the traffic learning device may or may not be located on the same physical machine.
By applying this embodiment, only some feature rules are enabled on the security device, which reduces the impact on the processing of normal services. When traffic received by the security device does not match any of the enabled feature rules, that is, the feature rule corresponding to the traffic is not enabled on the security device, the traffic is mirrored to the traffic learning device. A large number of feature rules are enabled on the traffic learning device; when it receives traffic mirrored by the security device it detects, among its enabled feature rules, a first feature rule that the traffic matches, and issues an enable instruction for the first feature rule to the security device. After receiving the enable instruction the security device enables the first feature rule and can then detect the corresponding attack traffic with it, which avoids the problem that some attack traffic goes undetected because only some feature rules are enabled, and improves network security.
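The aging behaviour described in the last several paragraphs (timer reset on a new match, disabling on expiry, deletion of the aging time once the 5-per-hour threshold is exceeded, user-pinned rules that never age, and the disable instruction from the learning device) as one rule table. This is an added example written for this page, not the patent's code; timestamps are passed in explicitly so the 10:00 / 10:10 / 11:10 walk-through above can be reproduced deterministically, and the sliding one-hour window used for the frequency count is an assumption, since the page only states the threshold.

```python
"""Constructed aging model for enabled feature rules. Not the patent's code;
the sliding-window frequency count is an assumption made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOUR = 3600.0


@dataclass
class EnabledRule:
    rule_id: str
    enabled_at: float
    aging: Optional[float]          # seconds of silence before the rule is disabled; None = never ages
    freq_threshold: Optional[int]   # matches per window above which the aging time is deleted
    window: float = HOUR
    expires_at: Optional[float] = field(init=False, default=None)
    hits: List[float] = field(default_factory=list)

    def __post_init__(self):
        if self.aging is not None:
            self.expires_at = self.enabled_at + self.aging

    def on_match(self, now: float) -> None:
        """Traffic matched this rule: reset the timer, and stop aging if the rule is busy."""
        self.hits.append(now)
        if self.aging is None:
            return
        self.expires_at = now + self.aging
        if self.freq_threshold is not None:
            recent = [t for t in self.hits if now - t <= self.window]
            if len(recent) > self.freq_threshold:
                self.aging = None        # delete the aging time: rule no longer ages out
                self.expires_at = None

    def expired(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at


class RuleTable:
    def __init__(self):
        self.rules: Dict[str, EnabledRule] = {}

    def enable(self, rule_id: str, now: float, aging: float = HOUR, freq_threshold: int = 5):
        """Enable instruction; the aging time may come with the instruction or be preset."""
        self.rules[rule_id] = EnabledRule(rule_id, now, aging, freq_threshold)

    def pin(self, rule_id: str, now: float):
        """User-preset rule that never ages out, e.g. one enabled at device start."""
        self.rules[rule_id] = EnabledRule(rule_id, now, None, None)

    def on_match(self, rule_id: str, now: float):
        self.rules[rule_id].on_match(now)

    def disable(self, rule_id: str):
        """Disable instruction from the traffic learning device."""
        self.rules.pop(rule_id, None)

    def expire(self, now: float) -> List[str]:
        """Disable every rule whose aging time has run out; return their ids."""
        gone = [rid for rid, r in self.rules.items() if r.expired(now)]
        for rid in gone:
            del self.rules[rid]
        return gone


def reset_scenario():
    """Rule a enabled at 10:00 (t=36000 s), one match at 10:10, then silence."""
    t = RuleTable()
    t.enable("a", 36000.0)
    t.on_match("a", 36600.0)                       # timer now runs to 11:10
    return t.expire(39600.0), t.expire(40199.0), t.expire(40200.0)


def frequency_scenario():
    """Six matches inside one hour exceed the 5-per-hour threshold, so aging is removed."""
    t = RuleTable()
    t.enable("a", 36000.0)
    for i in range(1, 7):
        t.on_match("a", 36000.0 + 600.0 * i)       # 10:10, 10:20, ... 11:00
    return t.rules["a"].aging, t.expire(36000.0 + 10 * HOUR)


def pinned_scenario():
    """A user-pinned rule survives any amount of silence until explicitly disabled."""
    t = RuleTable()
    t.pin("p", 0.0)
    still_there = t.expire(1e9) == [] and "p" in t.rules
    t.disable("p")
    return still_there, "p" in t.rules


if __name__ == "__main__":
    print(reset_scenario(), frequency_scenario(), pinned_scenario())
```

In the first scenario the rule is still present at 11:00 and at one second before 11:10 and is disabled exactly at 11:10, which is the walk-through from the text. In the second, the sixth match within the hour drives the count over the threshold, the aging time is deleted, and ten hours of silence no longer disable the rule. Note that a busy rule set grows the enabled set on the security device over time, which is the performance cost the aging mechanism is there to bound; the frequency threshold trades some of that bound away for rules that are genuinely in constant use.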
Referring to Fig. 4, which is a second flowchart of a feature rule enabling method provided in an embodiment of this application and applied to a traffic learning device, the method comprises:
S401: receiving traffic mirrored by the security device;
Only a small part of the large number of feature rules configured on the security device is enabled, or none of them is. After the security device receives traffic, if the traffic matches none of its enabled feature rules, the traffic is mirrored to the traffic learning device in order to improve network security, so that the traffic learning device can have the feature rule corresponding to the traffic enabled on the security device.
S402: detecting, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
S403: issuing an enable instruction for the first feature rule to the security device.
The enable instruction instructs the security device to enable the first feature rule.
If the traffic learning device detects, among its enabled feature rules, a first feature rule that the traffic matches, it issues an enable instruction for the first feature rule to the security device, and the security device enables the first feature rule according to the enable instruction.
If the traffic learning device does not detect a first feature rule, it handles the traffic as described for S303 above: it may take no further action, in which case the security device forwards the traffic after receiving no instruction for a period of time, or it may issue a notification instruction telling the security device that the traffic is not attack traffic and is to be forwarded.
In an embodiment of this application, the traffic learning device may configure an aging time for the first feature rule after issuing the enable instruction and, once the aging time has elapsed, issue a disable instruction for the first feature rule to the security device, as described above; the security device disables the first feature rule on receiving the disable instruction, which reduces the number of enabled feature rules on the security device and the impact on normal service processing.
It should be noted that the security device and the traffic learning device may or may not be located on the same physical machine.
The advantages of applying this embodiment are the same as those set out above for the method of Fig. 3: fewer feature rules are enabled on the security device, the rule a given piece of traffic needs is enabled on demand by the traffic learning device, and attack traffic is not missed merely because only some rules are enabled.
Referring to Fig. 5, which is a schematic structural diagram of a first feature rule enabling apparatus provided in an embodiment of this application and applied to a security device, the apparatus comprises:
a first receiving unit 501, configured to receive traffic;
a mirroring unit 502, configured to mirror the traffic to a traffic learning device if the traffic does not match any feature rule enabled on the security device, so that the traffic learning device detects, among the feature rules enabled on the traffic learning device, a first feature rule that the traffic matches;
a second receiving unit 503, configured to receive an enable instruction for the first feature rule issued by the traffic learning device;
and an enabling unit 504, configured to enable the first feature rule according to the enable instruction.
Optionally, the mirroring unit 502 may be specifically configured to:
if the traffic does not match any feature rule enabled on the security device, check whether a first ACL matching the traffic exists among the pre-stored ACLs;
and if a first ACL is found and it indicates that the traffic is to be mirrored to the traffic learning device, mirror the traffic to the traffic learning device.
Optionally, the feature rule enabling apparatus may further comprise:
a third receiving unit, configured to receive a disable instruction for the first feature rule issued by the traffic learning device after the first feature rule has been enabled according to the enable instruction;
and a first disabling unit, configured to disable the first feature rule according to the disable instruction.
Optionally, the feature rule enabling apparatus may further comprise:
a configuring unit, configured to configure an aging time for the first feature rule after the first feature rule has been enabled according to the enable instruction;
a resetting unit, configured to reset the aging time if further traffic matching the first feature rule is received before the aging time expires;
and a second disabling unit, configured to disable the first feature rule if no further traffic matching the first feature rule has been received when the aging time expires.
Optionally, the feature rule enabling apparatus may further comprise:
a counting unit, configured to count the frequency with which traffic matching the first feature rule is received after the aging time has been configured for the first feature rule;
and a deleting unit, configured to delete the aging time of the first feature rule when the frequency exceeds the frequency threshold.
The advantages of applying this embodiment are the same as those set out above for the method of Fig. 3.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a second feature rule opening device provided in an embodiment of the present application, applied to a traffic learning device; the device includes:
a receiving unit 601, configured to receive traffic mirrored by a security device;
a detecting unit 602, configured to detect, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
an issuing unit 603, configured to issue an opening instruction for the first feature rule to the security device, the opening instruction instructing the security device to open the first feature rule.
Optionally, the feature rule opening device may further include a configuration unit;
the configuration unit is configured to configure an aging time for the first feature rule after the opening instruction for the first feature rule has been issued to the security device;
the issuing unit 603 may be further configured to issue a closing instruction for the first feature rule to the security device when the aging time expires, the closing instruction instructing the security device to close the first feature rule.
An embodiment of the present application further provides an electronic device, as shown in fig. 7, which includes a processor 701 and a machine-readable storage medium 702, where the machine-readable storage medium 702 stores machine-executable instructions that can be executed by the processor 701.
In addition, as shown in fig. 7, the electronic device may further include a communication interface 703 and a communication bus 704; the processor 701, the machine-readable storage medium 702 and the communication interface 703 communicate with one another through the communication bus 704, and the communication interface 703 is used for communication between the electronic device and other devices.
The machine-executable instructions cause the processor 701 to implement the feature rule opening method described above as applied to a security device, the method comprising the steps of:
receiving traffic;
if the traffic does not match any feature rule that is open on the security device, mirroring the traffic to a traffic learning device so that the traffic learning device detects, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
receiving an opening instruction for the first feature rule issued by the traffic learning device, the opening instruction instructing the security device to open the first feature rule;
and opening the first feature rule in accordance with the opening instruction.
The communication bus 704 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus 704 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The machine-readable storage medium 702 may include a RAM (Random Access Memory) and may also include an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium 702 may be at least one memory device located remotely from the aforementioned processor.
The processor 701 may be a general-purpose processor, such as a Central Processing Unit (CPU) or a Network Processor (NP); it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides an electronic device, as shown in fig. 8, which includes a processor 801 and a machine-readable storage medium 802, where the machine-readable storage medium 802 stores machine-executable instructions that can be executed by the processor 801.
In addition, as shown in fig. 8, the electronic device may further include a communication interface 803 and a communication bus 804; the processor 801, the machine-readable storage medium 802 and the communication interface 803 communicate with one another through the communication bus 804, and the communication interface 803 is used for communication between the electronic device and other devices.
The machine-executable instructions cause the processor 801 to implement the feature rule opening method described above as applied to a traffic learning device, the method comprising the steps of:
receiving traffic mirrored by a security device;
detecting, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
issuing an opening instruction for the first feature rule to the security device, the opening instruction instructing the security device to open the first feature rule.
The communication bus 804 may be a PCI bus or an EISA bus, etc. The communication bus 804 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
The machine-readable storage medium 802 may include RAM, and may also include NVM, such as at least one disk storage. Additionally, the machine-readable storage medium 802 may also be at least one memory device located remotely from the aforementioned processor.
The processor 801 may be a general-purpose processor, such as a CPU or an NP; it may also be a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the feature rule opening method described above as applied to a security device, the method comprising the following steps:
receiving traffic;
if the traffic does not match any feature rule that is open on the security device, mirroring the traffic to a traffic learning device so that the traffic learning device detects, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
receiving an opening instruction for the first feature rule issued by the traffic learning device, the opening instruction instructing the security device to open the first feature rule;
and opening the first feature rule in accordance with the opening instruction.
An embodiment of the present application further provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the feature rule opening method described above as applied to a traffic learning device, the method comprising the following steps:
receiving traffic mirrored by a security device;
detecting, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
issuing an opening instruction for the first feature rule to the security device, the opening instruction instructing the security device to open the first feature rule.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiment of the feature rule opening device, the electronic device, and the machine-readable storage medium, since they are substantially similar to the embodiment of the feature rule opening method, the description is relatively simple, and relevant points can be found by referring to the partial description of the embodiment of the feature rule opening method shown in fig. 1 to fig. 4.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (18)

1. A feature rule opening method, applied to a security device on which some or all of the configured feature rules are not opened, the method comprising the following steps:
receiving traffic;
if the traffic does not match any feature rule that is open on the security device, mirroring the traffic to a traffic learning device so that the traffic learning device detects, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
receiving an opening instruction for the first feature rule issued by the traffic learning device;
and opening the first feature rule in accordance with the opening instruction.
2. The method according to claim 1, wherein the step of mirroring the traffic to a traffic learning device if the traffic does not match any feature rule that is open on the security device comprises:
if the traffic does not match any feature rule that is open on the security device, detecting whether a pre-stored access control list (ACL) contains a first ACL matching the traffic;
and if the first ACL is detected and the first ACL indicates that the traffic is to be mirrored to the traffic learning device, mirroring the traffic to the traffic learning device.
3. The method according to claim 1, wherein after opening the first feature rule in accordance with the opening instruction, the method further comprises:
receiving a closing instruction for the first feature rule issued by the traffic learning device;
and closing the first feature rule in accordance with the closing instruction.
4. The method according to claim 1, wherein after opening the first feature rule in accordance with the opening instruction, the method further comprises:
configuring an aging time for the first feature rule;
if further traffic matching the first feature rule is received before the aging time expires, resetting the aging time;
and if the aging time expires without further traffic matching the first feature rule having been received, closing the first feature rule.
5. The method according to claim 4, wherein after configuring the aging time for the first feature rule, the method further comprises:
counting the frequency at which traffic matching the first feature rule is received;
and deleting the aging time of the first feature rule when the frequency exceeds a frequency threshold.
6. A feature rule opening method, applied to a traffic learning device, comprising the following steps:
receiving traffic mirrored by a security device, wherein some or all of the feature rules configured on the security device are not opened;
detecting, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
issuing an opening instruction for the first feature rule to the security device, the opening instruction instructing the security device to open the first feature rule.
7. The method according to claim 6, wherein after issuing the opening instruction for the first feature rule to the security device, the method further comprises:
configuring an aging time for the first feature rule;
and when the aging time expires, issuing a closing instruction for the first feature rule to the security device, the closing instruction instructing the security device to close the first feature rule.
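The exchange between the security device and the traffic learning device claimed in claims 1 to 7 (ACL-gated mirroring, the opening instruction, local aging with reset and the frequency threshold that deletes the aging time, and the learner-side aging that issues a closing instruction), as an added simulation that is not part of the patent or of any H3C product. Every rule id, ACL entry, traffic record, clock value, aging time and threshold below is constructed for illustration; a simulated integer clock replaces wall-clock time so the walk-through is deterministic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Traffic = Dict[str, object]          # constructed flow record: src, dst_port, payload
Matcher = Callable[[Traffic], bool]


@dataclass(frozen=True)
class FeatureRule:
    rule_id: str
    matches: Matcher


@dataclass(frozen=True)
class AclEntry:
    matches: Matcher
    mirror: bool        # True: this ACL entry says "mirror to the traffic learning device"


# Constructed signature set shared by both devices (hypothetical rule ids).
RULES: List[FeatureRule] = [
    FeatureRule("R1-sqli", lambda t: b"union select" in t["payload"].lower()),
    FeatureRule("R2-traversal", lambda t: b"../" in t["payload"]),
    FeatureRule("R3-telnet", lambda t: t["dst_port"] == 23),
]


class SecurityDevice:
    """Inline device: only a subset of RULES is open; unmatched traffic may be mirrored."""

    def __init__(self, rules, open_ids, acl, aging_time=None, freq_threshold=3):
        self.rules = {r.rule_id: r for r in rules}
        self.open_ids = set(open_ids)
        self.acl = acl
        self.aging_time = aging_time          # None: no local aging (claim 3 embodiment only)
        self.freq_threshold = freq_threshold
        self.expiry: Dict[str, Optional[int]] = {}   # rule -> clock at which it ages out; None = aging deleted
        self.hits: Dict[str, int] = {}
        self.learner: Optional["TrafficLearningDevice"] = None

    def receive(self, traffic: Traffic, now: int) -> Tuple[str, Optional[str]]:
        # Step 1: match only against the rules that are open locally (cheap path).
        for rid in sorted(self.open_ids):
            if self.rules[rid].matches(traffic):
                self._on_hit(rid, now)
                return ("detected", rid)
        # Step 2 (claim 2): nothing open matched, so consult the pre-stored ACL;
        # only an ACL entry that says "mirror" sends a copy to the learner.
        for entry in self.acl:
            if entry.matches(traffic):
                if entry.mirror and self.learner is not None:
                    self.learner.receive_mirrored(traffic, self, now)
                    return ("mirrored", None)
                break
        return ("forwarded", None)

    def _on_hit(self, rid: str, now: int) -> None:
        # Claims 4 and 5: a further match resets the aging timer and is counted;
        # once the count exceeds the threshold the aging time is deleted for good.
        self.hits[rid] = self.hits.get(rid, 0) + 1
        if self.expiry.get(rid) is not None:
            if self.hits[rid] > self.freq_threshold:
                self.expiry[rid] = None
            else:
                self.expiry[rid] = now + self.aging_time

    def open_rule(self, rid: str, now: int) -> None:
        """Act on an opening instruction from the learner (claim 1, last step)."""
        self.open_ids.add(rid)
        self.hits[rid] = 0
        if self.aging_time is not None:
            self.expiry[rid] = now + self.aging_time

    def close_rule(self, rid: str) -> None:
        """Closing instruction from the learner (claim 3) or local age-out (claim 4)."""
        self.open_ids.discard(rid)
        self.expiry.pop(rid, None)
        self.hits.pop(rid, None)

    def tick(self, now: int) -> None:
        for rid, exp in list(self.expiry.items()):
            if exp is not None and now >= exp:
                self.close_rule(rid)


class TrafficLearningDevice:
    """Out-of-band device with every rule open; it is never in the forwarding path."""

    def __init__(self, rules, aging_time=None):
        self.rules = list(rules)
        self.aging_time = aging_time       # claim 7: learner-side aging, optional
        self.expiry: Dict[str, Tuple[SecurityDevice, int]] = {}
        self.instructions: List[Tuple[str, str]] = []

    def receive_mirrored(self, traffic: Traffic, device: SecurityDevice, now: int) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(traffic):
                device.open_rule(rule.rule_id, now)        # claim 6: issue opening instruction
                self.instructions.append(("open", rule.rule_id))
                if self.aging_time is not None:
                    self.expiry[rule.rule_id] = (device, now + self.aging_time)
                return rule.rule_id
        return None

    def tick(self, now: int) -> None:
        for rid, (device, exp) in list(self.expiry.items()):
            if now >= exp:
                device.close_rule(rid)                      # claim 7: issue closing instruction
                self.instructions.append(("close", rid))
                del self.expiry[rid]


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through of claims 1 to 7; returns observations for checking."""
    http = lambda p: {"src": "198.51.100.7", "dst_port": 80, "payload": p}
    acl = [AclEntry(lambda t: t["dst_port"] in (80, 23), mirror=True),
           AclEntry(lambda t: t["dst_port"] == 22, mirror=False)]
    dev = SecurityDevice(RULES, open_ids=["R1-sqli"], acl=acl, aging_time=30, freq_threshold=3)
    dev.learner = TrafficLearningDevice(RULES)
    out: Dict[str, object] = {}
    out["first"] = dev.receive(http(b"GET /../../x"), now=0)      # R2 not open: mirrored, learner opens R2
    out["open_after_mirror"] = "R2-traversal" in dev.open_ids
    out["second"] = dev.receive(http(b"GET /../a"), now=10)       # now detected locally; aging reset to 40
    dev.tick(45)                                                   # 45 >= 40 with no further match: R2 closed
    out["closed_by_aging"] = "R2-traversal" not in dev.open_ids
    out["ssh"] = dev.receive({"src": "198.51.100.7", "dst_port": 22, "payload": b"../"}, now=50)  # ACL: no mirror
    dev.receive(http(b"GET /../x"), now=60)                        # mirrored again, R2 reopened
    for t in range(61, 65):                                        # four hits exceed threshold 3: aging deleted
        dev.receive(http(b"GET /../x"), now=t)
    dev.tick(10_000)
    out["kept_open_by_frequency"] = "R2-traversal" in dev.open_ids
    # Claim 7 variant: the learner owns the aging time and issues the closing instruction.
    dev2 = SecurityDevice(RULES, open_ids=[], acl=acl)
    dev2.learner = TrafficLearningDevice(RULES, aging_time=20)
    dev2.receive({"src": "203.0.113.9", "dst_port": 23, "payload": b""}, now=0)
    out["telnet_opened"] = "R3-telnet" in dev2.open_ids
    dev2.learner.tick(25)
    out["closed_by_learner"] = ("R3-telnet" not in dev2.open_ids
                                and dev2.learner.instructions[-1] == ("close", "R3-telnet"))
    return out
```

The point worth noticing for a practitioner is the failure mode the frequency threshold addresses: with aging alone, a rule that is hit steadily but only every few minutes would be closed and reopened repeatedly, each reopening costing one mirrored copy and one round trip to the learner during which the first matching packet is not inspected inline. Deleting the aging time once the hit count exceeds the threshold keeps such rules open permanently, while rarely-hit rules still age out and keep the inline rule set small.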
8. A feature rule opening device, applied to a security device on which some or all of the configured feature rules are not opened, the device comprising:
a first receiving unit, configured to receive traffic;
a mirroring unit, configured to mirror the traffic to a traffic learning device if the traffic does not match any feature rule that is open on the security device, so that the traffic learning device detects, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
a second receiving unit, configured to receive an opening instruction for the first feature rule issued by the traffic learning device;
and an opening unit, configured to open the first feature rule in accordance with the opening instruction.
9. The device according to claim 8, wherein the mirroring unit is specifically configured to:
if the traffic does not match any feature rule that is open on the security device, detect whether a pre-stored access control list (ACL) contains a first ACL matching the traffic;
and if the first ACL is detected and the first ACL indicates that the traffic is to be mirrored to the traffic learning device, mirror the traffic to the traffic learning device.
10. The device according to claim 8, further comprising:
a third receiving unit, configured to receive, after the first feature rule has been opened in accordance with the opening instruction, a closing instruction for the first feature rule issued by the traffic learning device;
and a first closing unit, configured to close the first feature rule in accordance with the closing instruction.
11. The device according to claim 8, further comprising:
a configuration unit, configured to configure an aging time for the first feature rule after the first feature rule has been opened in accordance with the opening instruction;
a resetting unit, configured to reset the aging time if further traffic matching the first feature rule is received before the aging time expires;
and a second closing unit, configured to close the first feature rule if the aging time expires without further traffic matching the first feature rule having been received.
12. The device according to claim 11, further comprising:
a statistics unit, configured to count, after the aging time has been configured for the first feature rule, the frequency at which traffic matching the first feature rule is received;
and a deleting unit, configured to delete the aging time of the first feature rule when the frequency exceeds a frequency threshold.
13. A feature rule opening device, applied to a traffic learning device, comprising:
a receiving unit, configured to receive traffic mirrored by a security device, wherein some or all of the feature rules configured on the security device are not opened;
a detecting unit, configured to detect, among the feature rules that are open on the traffic learning device, a first feature rule matching the traffic;
and an issuing unit, configured to issue an opening instruction for the first feature rule to the security device, the opening instruction instructing the security device to open the first feature rule.
14. The device according to claim 13, further comprising a configuration unit;
the configuration unit is configured to configure an aging time for the first feature rule after the opening instruction for the first feature rule has been issued to the security device;
and the issuing unit is further configured to issue a closing instruction for the first feature rule to the security device when the aging time expires, the closing instruction instructing the security device to close the first feature rule.
15. An electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 5.
16. An electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 6 to 7.
17. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 5.
18. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 6 to 7.
CN201710736834.2A 2017-08-24 2017-08-24 Feature rule opening method and device Active CN107547533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710736834.2A CN107547533B (en) 2017-08-24 2017-08-24 Feature rule opening method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710736834.2A CN107547533B (en) 2017-08-24 2017-08-24 Feature rule opening method and device

Publications (2)

Publication Number Publication Date
CN107547533A CN107547533A (en) 2018-01-05
CN107547533B true CN107547533B (en) 2020-10-13

Family

ID=60958289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710736834.2A Active CN107547533B (en) 2017-08-24 2017-08-24 Feature rule opening method and device

Country Status (1)

Country Link
CN (1) CN107547533B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110752996A (en) * 2019-10-24 2020-02-04 杭州迪普信息技术有限公司 Message forwarding method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852909A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection rule opening method, and equipment
CN105592061A (en) * 2015-10-27 2016-05-18 杭州华三通信技术有限公司 Attack rule closure method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100561628B1 (en) * 2003-11-18 2006-03-20 한국전자통신연구원 Method for detecting abnormal traffic in network level using statistical analysis
CN100474819C (en) * 2007-05-17 2009-04-01 华为技术有限公司 A deep message detection method, network device and system
CN101707601B (en) * 2009-11-23 2012-09-05 成都市华为赛门铁克科技有限公司 Invasion defence detection method and device and gateway equipment
CN103227756B (en) * 2013-04-17 2017-07-14 华为技术有限公司 Online protocol optimization method and device
CN106911588B (en) * 2015-12-22 2020-03-20 中国电信股份有限公司 Method, device and system for realizing deep packet inspection optimization

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852909A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection rule opening method, and equipment
CN105592061A (en) * 2015-10-27 2016-05-18 杭州华三通信技术有限公司 Attack rule closure method and device

Also Published As

Publication number Publication date
CN107547533A (en) 2018-01-05

Similar Documents

Publication Publication Date Title
US11876836B1 (en) System and method for automatically prioritizing rules for cyber-threat detection and mitigation
US10581898B1 (en) Malicious message analysis system
CN109889547B (en) Abnormal network equipment detection method and device
US10505953B2 (en) Proactive prediction and mitigation of cyber-threats
US9825989B1 (en) Cyber attack early warning system
US10284579B2 (en) Detection of email spoofing and spear phishing attacks
US9531746B2 (en) Generating accurate preemptive security device policy tuning recommendations
CN104468551B (en) A kind of method and device saving flow based on Ad blocking
US8646089B2 (en) System and method for transitioning to a whitelist mode during a malware attack in a network environment
CN106330944B (en) Malicious system vulnerability scanner identification method and device
US9900327B2 (en) Method for detecting an attack in a computer network
JP2019536144A5 (en)
CN107623687B (en) Anti-theft brushing method, operation detection method and device and electronic equipment
CA2616315A1 (en) System and method for remotely controlling device functionality
KR101972295B1 (en) The intrusion detection device and the intrusion detection program stored in the storage medium
JP2013191199A (en) Methods and systems for protecting network-connected device from intrusion
CN107547566B (en) Method and device for processing service message
WO2016201996A1 (en) Method of adaptively blocking network attack and device utilizing same
CN109547427B (en) Blacklist user identification method and device, computer equipment and storage medium
WO2020114059A1 (en) Alarm information sending method, device and electronic equipment
JP6904709B2 (en) Technology for detecting malicious electronic messages
US8839406B2 (en) Method and apparatus for controlling blocking of service attack by using access control list
CN107547533B (en) Feature rule opening method and device
CN108810233B (en) Malicious incoming call identification method and device
US8948188B1 (en) Method and apparatus for managing traffic through a network switch

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant