CN109474623A - Network safety prevention and its parameter determination method, device and equipment, medium - Google Patents
- Publication number: CN109474623A (application CN201811592528.7A)
- Authority: CN (China)
- Prior art keywords: flow, session, data packet, characteristic information, network
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/022—Capturing of monitoring data by sampling
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The application provides a network security protection method, a method for determining its parameters, and a corresponding apparatus, equipment and computer-readable storage medium. The parameter determination method includes: obtaining at least part of the network traffic destined for a target device; identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol; and adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session. Because the predetermined standard detection quantity is adjusted according to the characteristic information of each session in the obtained traffic, the number of packets inspected in each session need not be fixed at the standard detection quantity. The number of inspected packets is therefore not fixed, which effectively reduces the probability of an evasion attack.
Description
Technical field
This application relates to the technical field of network security, and in particular to a network security protection method, a method for determining its parameters, and a corresponding apparatus, equipment and storage medium.
Background
With the development of network security technology, the contest between attack and defence has grown fiercer. A hacker acting as attacker can mount persistent, high-intensity attack probes against a target device acting as defender, and the target device will usually deploy network security devices such as an IPS (Intrusion Prevention System) or a WAF (Web Application Firewall) for attack protection.
Network security devices such as IPS and WAF perform attack detection, by means of the relevant network security protection method, on the data transmitted over the network (called network traffic for short; it comprises the packets of at least one session). In network traffic, a single session using HTTP, HTTPS, SMB, MySQL, a custom application protocol or another application protocol may contain a large number of packets, and inspecting every packet in such a session consumes a great deal of performance. A network security device deployed at a target device that handles very high traffic volumes therefore usually fixes the number of packets inspected per session of each protocol class at a certain quantity, chosen according to the device's performance factors, so as to balance device performance against the protective effect.
Once the number of inspected packets is fixed, however, an attacker can exploit this: by establishing a session containing a very large number of packets and placing the attack payload in packets near the end of the session, the attacker hides it from inspection and carries out an evasion attack.
Summary of the invention
In view of this, embodiments of the present application provide a network security protection method, a method for determining its parameters, and a corresponding apparatus, equipment and computer-readable storage medium, so as to solve the problem that evasion attacks occur easily once the number of inspected packets is fixed.
According to a first aspect of the present application, a method for determining parameters of network security protection is provided, comprising the steps of:
obtaining at least part of the network traffic destined for a target device;
identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol;
adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session.
In one embodiment, the characteristic information includes the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol in the identified characteristic information, the traffic share of each application protocol in the obtained traffic;
increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined increase condition;
decreasing the standard detection quantity by a corresponding decrease amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined decrease condition.
In one embodiment, the characteristic information includes the source address, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the source address in the identified characteristic information, the traffic share of each source address in the obtained traffic;
performing attack-data detection on every packet in at least some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
if any inspected packet carries attack data, increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, the characteristic information includes both the source address and the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol and source address in the identified characteristic information, the traffic share of each application protocol and the traffic share of each source address in the obtained traffic;
increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined increase condition;
decreasing the standard detection quantity by a corresponding decrease amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined decrease condition;
performing attack-data detection on every packet in some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
if any inspected packet carries attack data, increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, before obtaining the network traffic destined for the target device, the method further comprises the steps of:
obtaining a processing parameter describing the data processing performance of a network security device, the network security device being associated with the target device and used to perform attack detection on the network traffic destined for the target device;
obtaining a transmission parameter describing the data transmission performance of the network security device;
determining the standard detection quantity corresponding to the processing parameter and the transmission parameter.
In one embodiment, after adjusting the predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session, the method further comprises the steps of:
obtaining a real-time processing parameter describing the real-time data processing performance of a network security device, the network security device being associated with the target device and used to perform attack detection on the network traffic destined for the target device;
obtaining a real-time transmission parameter describing the real-time data transmission performance of the network security device;
adjusting the packet detection quantity of each session with reference to the real-time processing parameter and the real-time transmission parameter.
According to a second aspect of the present application, a network security protection method applied to a network security device is provided, comprising the steps of:
obtaining at least part of the network traffic destined for a target device;
identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol;
adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session;
performing attack detection on the network traffic destined for the target device according to the obtained packet detection quantities.
In one embodiment, the characteristic information includes the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol in the identified characteristic information, the traffic share of each application protocol in the obtained traffic;
increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined increase condition;
decreasing the standard detection quantity by a corresponding decrease amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined decrease condition.
In one embodiment, the characteristic information includes the source address, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the source address in the identified characteristic information, the traffic share of each source address in the obtained traffic;
performing attack-data detection on every packet in at least some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
if any inspected packet carries attack data, increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, the characteristic information includes both the source address and the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol and source address in the identified characteristic information, the traffic share of each application protocol and the traffic share of each source address in the obtained traffic;
increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined increase condition;
decreasing the standard detection quantity by a corresponding decrease amplitude to obtain the packet detection quantity for sessions whose application protocol has a traffic share meeting a predetermined decrease condition;
performing attack-data detection on every packet in some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
if any inspected packet carries attack data, increasing the standard detection quantity by a corresponding increase amplitude to obtain the packet detection quantity for sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, before obtaining the network traffic destined for the target device, the method further comprises the steps of:
obtaining a processing parameter describing the data processing performance of the network security device;
obtaining a transmission parameter describing the data transmission performance of the network security device;
determining the standard detection quantity corresponding to the processing parameter and the transmission parameter.
In one embodiment, after adjusting the predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session, the method further comprises the steps of:
obtaining a real-time processing parameter describing the real-time data processing performance of the network security device;
obtaining a real-time transmission parameter describing the real-time data transmission performance of the network security device;
adjusting the packet detection quantity of each session with reference to the real-time processing parameter and the real-time transmission parameter.
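The method of the first and second aspects worked through end to end, as an added example that is not code from the patent: a standard detection quantity is derived from the processing and transmission parameters, adjusted along the application-protocol and source-address dimensions, and then applied as a per-session inspection budget. The thresholds, amplitudes, baseline formula, attack-data predicate and the sample sessions are all assumptions constructed for this illustration; the patent leaves their values to the implementer.

```python
"""Per-session packet inspection budgets derived from traffic characteristics.

Added illustration of the patent's method, not the patent's own code. Thresholds,
amplitudes, the baseline formula and the attack-data predicate are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    """One call between a terminal and the target device (assumed shape)."""
    src: str               # source address from the five-tuple
    proto: str             # identified application protocol
    payloads: List[bytes]  # one entry per packet, in arrival order


# Assumed tuning knobs: the patent names the conditions and amplitudes but
# leaves their values to the implementer.
UP_SHARE = 0.40        # protocol share >= this meets the "increase" condition
DOWN_SHARE = 0.05      # protocol share <= this meets the "decrease" condition
SPOT_SHARE = 0.30      # source share >= this meets the "spot-check" condition
UP_STEP = 2.0          # increase amplitude (multiplier on the standard quantity)
DOWN_STEP = 0.5        # decrease amplitude
SOURCE_UP_STEP = 4.0   # increase amplitude after a spot check finds attack data


def standard_detection_quantity(cpu_idle: float, bw_idle: float,
                                max_packets: int = 64) -> int:
    """Baseline inspection count from the processing parameter (CPU idle rate)
    and the transmission parameter (bandwidth idle rate). The formula is an
    assumption; the patent only says the quantity corresponds to both."""
    headroom = min(max(cpu_idle, 0.0), max(bw_idle, 0.0))
    return max(1, int(max_packets * headroom))


def traffic_shares(sessions: List[Session]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Byte share of each application protocol and of each source address."""
    by_proto: Counter = Counter()
    by_src: Counter = Counter()
    for s in sessions:
        size = sum(len(p) for p in s.payloads)
        by_proto[s.proto] += size
        by_src[s.src] += size
    total = sum(by_proto.values())
    if total == 0:
        return {}, {}
    return ({k: v / total for k, v in by_proto.items()},
            {k: v / total for k, v in by_src.items()})


def contains_attack_data(payload: bytes) -> bool:
    """Stand-in for the engine's attack-data detection (assumed fixed marker)."""
    return b"ATTACK-MARKER" in payload


def detection_quantities(sessions: List[Session], standard: int,
                         spot_every: int = 1) -> List[int]:
    """Packet detection quantity per session, index-aligned with `sessions`."""
    proto_share, src_share = traffic_shares(sessions)
    result = []
    # Protocol dimension: scale the standard quantity by the protocol's share.
    for s in sessions:
        share = proto_share.get(s.proto, 0.0)
        if share >= UP_SHARE:
            n = standard * UP_STEP
        elif share <= DOWN_SHARE:
            n = standard * DOWN_STEP
        else:
            n = standard
        result.append(max(1, int(n)))
    # Source dimension: fully inspect a subset of sessions from heavy sources;
    # if attack data turns up, raise the budget for that source's sessions
    # (applying the increase per source address is this example's reading).
    flagged = set()
    for src, share in src_share.items():
        if share < SPOT_SHARE:
            continue
        picked = [s for s in sessions if s.src == src][::spot_every]
        if any(contains_attack_data(p) for s in picked for p in s.payloads):
            flagged.add(src)
    for i, s in enumerate(sessions):
        if s.src in flagged:
            result[i] = max(result[i], int(standard * SOURCE_UP_STEP))
    return result


def inspect_session(session: Session, quantity: int) -> bool:
    """Protection step: inspect only the first `quantity` packets of a session."""
    return any(contains_attack_data(p) for p in session.payloads[:quantity])


# Constructed sample traffic: the first HTTP session from 10.0.0.1 carries the
# marker in its tenth packet, past a fixed budget of eight packets.
SAMPLE = [
    Session("10.0.0.1", "HTTP", [b"x" * 100] * 9 + [b"ATTACK-MARKER".ljust(100, b"x")]),
    Session("10.0.0.1", "HTTP", [b"y" * 100] * 10),
    Session("10.0.0.2", "SMB", [b"z" * 100] * 2),
    Session("10.0.0.3", "MySQL", [b"q" * 50]),
]

if __name__ == "__main__":
    base = standard_detection_quantity(cpu_idle=0.125, bw_idle=0.5)  # 8
    for s, q in zip(SAMPLE, detection_quantities(SAMPLE, base)):
        verdict = "caught" if inspect_session(s, q) else "clean"
        print(f"{s.src:9} {s.proto:5} fixed={base} adjusted={q} {verdict}")
```

With the sample traffic a fixed budget of eight packets misses the marker in the tenth packet, while the adjusted budget (protocol share raises it to 16, the source-address spot check to 32) inspects it.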
According to a third aspect of the present application, an apparatus for determining parameters of network security protection is provided, comprising:
a traffic acquisition module, for obtaining at least part of the network traffic destined for a target device;
an information identification module, for identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol;
a quantity adjustment module, for adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session.
According to a fourth aspect of the present application, a network security protection apparatus applied to a network security device is provided, comprising:
a traffic acquisition module, for obtaining at least part of the network traffic destined for a target device;
an information identification module, for identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol;
a quantity adjustment module, for adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session, the standard detection quantity being determined by the data processing performance and data transmission performance of the network security device;
an attack detection module, for performing attack detection on the network traffic destined for the target device according to the obtained packet detection quantities.
According to a fifth aspect of the present application, a computer device is provided, comprising:
a processor;
a memory storing instructions executable by the processor;
wherein the processor is coupled to the memory and is configured to read the program instructions stored in the memory and, in response, to perform the operations of the method described above.
According to a sixth aspect of the present application, one or more machine-readable storage media are provided, storing instructions which, when executed by one or more processors, cause the processors to perform the operations of the method described above.
Implementing the embodiments provided by the present application, at least part of the network traffic destined for the target device can be obtained, the characteristic information of each session in the obtained traffic identified, and the predetermined standard detection quantity adjusted according to characteristic information that includes the application protocol and/or source address, so as to obtain a packet detection quantity for each session. The number of packets inspected in each session therefore need not all be fixed at the standard detection quantity; it is not fixed but is adjusted according to the characteristic information of each session in the obtained traffic. After such operation, an attacker finds it difficult to determine how many packets in a session are inspected, and thus difficult to exploit a fixed inspection count to carry out an evasion attack, which effectively reduces the probability of evasion attacks.
In turn, performing attack detection on the network traffic destined for the target device according to the packet detection quantities obtained after adjustment effectively raises the probability of detecting an evasion attack and strengthens the protective effect.
Description of the drawings
Fig. 1 is a schematic diagram of a network environment shown in an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of the method for determining parameters of network security protection shown in an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of the method for determining parameters of network security protection shown in another exemplary embodiment of the present application;
Fig. 4 is a schematic diagram of the network security protection method shown in an exemplary embodiment of the present application;
Fig. 5 is a block diagram of the apparatus for determining parameters of network security protection shown in an exemplary embodiment of the present application;
Fig. 6 is a block diagram of the network security protection apparatus shown in an exemplary embodiment of the present application;
Fig. 7 is a hardware structure diagram of the computer device shown in an exemplary embodiment of the present application.
Detailed description of embodiments
Exemplary embodiments are described in detail here and illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present application to describe various pieces of information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The network security protection method and parameter determination method of the present application may, in some scenarios, be applied in a network environment such as that shown in Fig. 1. The devices in that network environment are the devices of a system that implements the network security protection method and its parameter determination method of the present application.
The network environment shown in Fig. 1 includes target device 130, network security device 120, and terminals 111, 112 and 11n. Network security device 120 and target device 130 are connected through a network, and terminals 111, 112 and 11n are each connected to network security device 120 through a network; the networks mentioned here may be wired or wireless.
Target device 130 is the computer device that needs protecting and may be a server, such as an application server, a database server or a shared server; correspondingly, terminals 111, 112 and 11n may be client devices that need to interact with the server, such as at least one of a smartphone, laptop computer, desktop computer, tablet computer, personal digital assistant (PDA) or interactive smart board.
In other examples, target device 130 may instead be a user terminal device that needs to interact with some server, such as at least one of a smartphone, laptop computer, desktop computer, tablet computer, personal digital assistant (PDA) or interactive smart board; correspondingly, terminals 111, 112 and 11n may be servers, such as application servers, database servers or shared servers.
Network security device 120 interconnects target device 130 with terminals 111, 112 and 11n; it may be a gateway, router or other network interconnection device on which a network security system or application is deployed. A call between target device 130 and any of terminals 111, 112 or 11n is uniquely identified by the five-tuple of source address (such as an IP address), source port, destination address (such as an IP address), destination port and communication protocol. For convenience of counting, the direction that first passes through the network device is labelled the request and the direction that subsequently passes through the network device is labelled the response. In embodiments of the present application, one call between target device 130 and any of terminals 111, 112 or 11n is referred to as a session.
To prevent, as far as possible, a hacker acting as attacker from mounting persistent, high-intensity attack probes against target device 130 through sessions between target device 130 and any of terminals 111, 112 or 11n, network security device 120 may deploy network security systems such as an IPS (Intrusion Prevention System) or a WAF (Web Application Firewall) for attack protection.
In actual protection, network security device 120 may, by means of the relevant network security protection method, perform attack detection on the network traffic formed by the sessions between target device 130 and each of terminals 111, 112 and 11n, so as to identify attack data and protect target device 130. However, the relevant network security protection method faces the following situation when inspecting a single session at the application layer: a single session using HTTP, HTTPS, SMB, MySQL, a custom application protocol or another application protocol may contain a large number of packets, and inspecting every packet in such a session consumes a great deal of device performance. Therefore, to balance the performance of network security device 120 against the protective effect for target device 130, the relevant method may in certain cases fix the number of packets inspected in the communication sessions of each protocol class at a certain quantity according to the performance factors of network security device 130; this quantity may be called the predetermined standard detection quantity and serves to balance network security device performance against the security protection effect for the target device. In other cases, a standard detection quantity for balancing the performance of network security device 120 against the protective effect for target device 130 may also be determined according to other factors, which is not described further here.
Attackers such as hackers can often exploit the fact that the number of inspected packets is fixed: they establish a session containing a very large number of packets and place the attack payload in packets near the end, so as to hide it from the device's inspection and carry out an evasion attack. The performance factors mentioned here may refer to data processing performance and data transmission performance. Data processing performance may be described by CPU utilization, CPU idle rate or other indicators that reflect the data processing performance of the network security device; data transmission performance may be described by network bandwidth utilization, network bandwidth idle rate or other indicators that reflect the network security device's performance in transmitting data between the target device and the terminal devices.
Considering that evasion attacks occur easily once the number of inspected packets is fixed, the designers of the present application propose a method for determining parameters of network security protection. In a network environment such as that shown in Fig. 1, the method may be applied to network security device 120: it obtains at least part of the network traffic destined for target device 130, identifies the characteristic information of each session in the obtained traffic, and adjusts the predetermined standard detection quantity according to characteristic information that includes the application protocol and/or source address, so as to obtain a packet detection quantity for each session. The number of packets inspected in each session therefore need not all be fixed at the standard detection quantity; it is not fixed but is adjusted according to the characteristic information of each session in the obtained traffic. After such operation, an attacker finds it difficult to determine how many packets in a session are inspected, and thus difficult to exploit a fixed inspection count to carry out an evasion attack, which effectively reduces the probability of evasion attacks.
In turn, the network security protection method may perform attack detection on the network traffic destined for target device 130 according to the packet detection quantities obtained after adjustment, which effectively raises the probability of detecting an evasion attack and strengthens the protective effect.
The network environment to which the network security protection method and parameter determination method of the present application can be applied is not limited to that shown in Fig. 1; in other scenarios they may also be applied to other network environments as actually required, for example one in which the network security device and the target device are integrated.
The implementation of the method for determining parameters of network security protection in embodiments of the present application is described in detail below with reference to the drawings:
As shown in Fig. 2, the method for determining parameters of network security protection of the present application may be applied to a computer device and may include the following steps S201-S203:
Step S201: obtaining at least part of the network traffic destined for a target device.
Step S202: identifying the characteristic information of each session in the obtained traffic, the characteristic information including at least one of source address and application protocol.
Step S203: adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session.
The computer device to which embodiments of the present application apply may, in a scenario such as that shown in Fig. 1, be network security device 120, which exists independently of target device 110. In other scenarios, where the target device and the network security device are integrated, it may be the target device. In still other scenarios, for example where the parameter determination method and the network security protection method are two independent applications and the former supplies the latter with the packet detection quantity of each session, it may be the network security device, the target device, an associated device of the network security device, or an associated device of the target device. In yet other scenarios it may be some other device; no restriction is placed on this here.
In practical application, in order to avoid as far as possible the evasion attacks that arise because the number of inspected packets in a session is fixed, embodiments of the present application adjust the predetermined standard detection quantity with reference to at least part of the network traffic destined for the target device.
The network traffic about to enter the target device may be the traffic, received by the upstream network access device of the target device, whose destination address is the target device; the network access device referred to here may be a router, a gateway, or another network interconnection device directly connected to the target device. At least part of this traffic may be collected or received from the target device's upstream network access device. In one example, when the method is applied to the network security device 120 shown in Fig. 1, the device 120 can directly collect part of the network traffic about to enter the target device to obtain the at-least-partial traffic. During collection, packets may be captured from the network interface card of network security device 120 by its data acquisition module, for example using pcap or a capture-capable network interface card. In other examples, other means may be used according to the specific scenario; these are not repeated here.
With reference to the acquired traffic, the present application reduces the occurrence of evasion attacks as far as possible while balancing the performance of the network security device against the protection effect for the target device, by choosing to adjust the predetermined standard detection quantity in the application protocol dimension and/or the source address dimension. The standard detection quantity mentioned here may be as described in the embodiment relating to Fig. 1: a quantity used to balance network security device performance against the protection effect for the target device. In one example, the number of packets inspected in the communication sessions of each protocol class is fixed at a certain value according to performance factors of the network security device, and that value is called the predetermined standard detection quantity.
In practical application, before collecting the network traffic about to enter the target device, the embodiments of the present application may obtain the standard detection quantity by the following operations:
obtaining a processing parameter describing the data processing performance of the network security device;
obtaining a transmission parameter describing the data transmission performance of the network security device;
determining the standard detection quantity corresponding to the processing parameter and the transmission parameter.
In other embodiments, the standard detection quantity intended to balance network security device performance against the protection effect for the target device may also be set according to other factors; details are not repeated here.
Before adjusting the predetermined standard detection quantity in the application protocol dimension and/or the source address dimension, the embodiments of the present application need to identify the basis for the adjustment, namely the characteristic information comprising the application protocol and/or the source address. In one example, the packets in each session of the acquired traffic are parsed to obtain the session's application protocol and/or source address: for instance, the application protocol can be identified from transport layer data and the source address from network layer data. In other examples, other means of identification may be adopted, such as consulting historical identification records; no restriction is imposed here.
It should be noted that the application protocol mentioned here is determined by the specific application scenario and application program. The source address may be a source IP address. Where multiple sessions exist between the same IP address and the target device and the sessions need to be distinguished, they can be distinguished by source IP address together with source port. In other examples, other forms of source address may be adopted according to the actual application scenario; details are not repeated here.
When adjusting the predetermined standard detection quantity according to the application protocol and/or source address in the identified characteristic information, a corresponding adjustment mode can be selected according to the content actually contained in the characteristic information. Several modes are introduced below.
First mode: the characteristic information includes the application protocol. The predetermined standard detection quantity can be adjusted according to the application protocol to obtain the packet detection quantity of each session. After adjustment, in some cases the packet detection quantity of every session changes (increases or decreases) relative to the standard detection quantity; in other cases the packet detection quantity of some sessions changes (increases or decreases) relative to the standard detection quantity while that of the remaining sessions stays unchanged.
Whether and how a change is made can be determined according to the traffic proportion of each application protocol. In one example, the predetermined standard detection quantity is adjusted according to the identified characteristic information by the following operations:
according to the application protocol in the identified characteristic information, determining the traffic proportion of each application protocol in the acquired traffic;
increasing the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets a predetermined increase condition;
decreasing the standard detection quantity by the corresponding decrease amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets a predetermined decrease condition.
Here, the traffic proportion of an application protocol can be computed by grouping sessions with the same application protocol into one class and then taking the ratio of the total number of packets in those sessions to the total number of packets in the network traffic. In some cases, for instance when every session contains the same number of packets or the numbers differ within a predetermined range, the traffic proportion of an application protocol can instead be computed as the ratio of the number of sessions using that protocol to the total number of sessions in the network traffic.
The predetermined increase condition and decrease condition can be set according to the actual application requirements. For example, the decrease condition may be that the application protocol has the largest traffic proportion and the increase condition that it has the smallest; or the decrease condition may be that the application protocol's traffic proportion exceeds a threshold or falls within a predetermined decrease range, and the increase condition that it is below a threshold or falls within a predetermined increase range. In this way the data processing performance of the device can be improved while the packet detection quantity is not fixed. In other embodiments, other conditions may be set as the increase or decrease condition; details are not repeated here.
Correspondingly, the increase amplitude and decrease amplitude can also be set according to application requirements, or set on the basis of balancing network security device performance against the protection effect for the target device. For example, the increase amplitude may be set to 20 percent of the total number of packets in the session and the decrease amplitude to a reduction of 20 percent of that total. In other embodiments, an increase or decrease by a fixed number of packets may be set as the amplitude; details are not repeated here.
The corresponding increase or decrease amplitude may be the amplitude associated with the session whose application protocol's traffic proportion meets the predetermined increase or decrease condition, the amplitude associated with the application protocol of that session, or the amplitude associated with the computer device being used. The specific correspondence can be set according to actual application requirements, and these correspondences can be preset and stored in a storage area.
In this example the predetermined standard detection quantity may be decreased as well as increased. In some examples, however, in order to guarantee the protection effect for the target device, the predetermined standard detection quantity is never decreased, and the adjustment is performed as follows:
according to the traffic proportion of each application protocol, increasing the standard detection quantity of the sessions whose application protocol's traffic proportion meets the predetermined increase condition to obtain the packet detection quantity of those sessions.
In other examples, to guarantee the security protection effect, a minimum packet detection quantity can be set for sessions whose application protocol is a target application protocol. After the standard detection quantity has been adjusted, if the session uses the target application protocol, it is determined whether the adjusted standard detection quantity is lower than the minimum packet detection quantity; if so, the minimum packet detection quantity is used as the packet detection quantity of that session. The target application protocol mentioned here may be a predetermined important application protocol, the application protocol with the largest traffic proportion, or another protocol set according to actual requirements.
In other examples, the predetermined standard detection quantity may be adjusted according to the application protocol in other ways to obtain the packet detection quantity of each session; the present application is not limited in this respect.
Second mode: the characteristic information includes the source address. The predetermined standard detection quantity can be adjusted according to the source address to obtain the packet detection quantity of each session. After adjustment, in some cases the packet detection quantity of every session changes (increases or decreases) relative to the standard detection quantity; in other cases the packet detection quantity of some sessions changes (increases or decreases) while that of the remaining sessions remains equal to the predetermined standard detection quantity.
Whether and how a change is made can be determined according to the traffic proportion of each source address. In one example, the predetermined standard detection quantity is adjusted according to the identified characteristic information by the following operations:
according to the source address in the identified characteristic information, determining the traffic proportion of each source address in the acquired traffic;
performing attack data detection on each packet in at least part of the sessions whose source address's traffic proportion meets a predetermined sampling condition, where attack data detection checks whether the data in a packet bears the features of attack data;
if any packet is detected to carry attack data, increasing the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose source address's traffic proportion meets the sampling condition.
Here, the traffic proportion of a source address can be computed by grouping sessions with the same source address into one class and then taking the ratio of the total number of packets in those sessions to the total number of packets in the network traffic. In some cases, for instance when every session contains the same number of packets or the numbers differ within a predetermined range, the traffic proportion of a source address can instead be computed as the ratio of the number of sessions with that source address to the total number of sessions in the network traffic.
The predetermined sampling condition can be set according to actual application requirements. For example, the sampling condition may be that the source address has the largest traffic proportion; or it may be that the source address's traffic proportion exceeds a threshold, or that the source address falls within a predetermined sampling range, ranked up to N with N greater than 1. In other embodiments, other conditions may be set as the sampling condition; details are not repeated here.
The at-least-partial sessions meeting the predetermined sampling condition may be a certain proportion of the sessions that meet the condition. In one example, a certain proportion of sessions is selected at random from all sessions meeting the predetermined sampling condition; alternatively, a certain proportion may be taken in the order in which the sessions occurred. The specific sampling proportion can be determined according to actual application requirements or the data processing capacity of the computer device being used.
The increase amplitude can be set according to application requirements, or set on the basis of balancing network security device performance against the protection effect for the target device. For example, the increase amplitude may be set to 20 percent of the total number of packets in the session; in that case the packet count of each session can also be identified when identifying the characteristic information. In other embodiments, an increase or decrease by a fixed number of packets may be set as the amplitude; details are not repeated here.
The corresponding increase amplitude may be the amplitude associated with the session whose source address's traffic proportion meets the predetermined sampling condition, the amplitude associated with the traffic proportion of that session, or the amplitude associated with the computer device being used. The specific correspondence can be set according to actual application requirements, and these correspondences can be preset and stored in a storage area.
In this example the predetermined standard detection quantity is increased if any packet is detected to carry attack data. In some examples, if none of the detected packets carries attack data, the present application may use the predetermined standard detection quantity as the packet detection quantity of the sessions whose source address's traffic proportion meets the sampling condition, or may decrease the standard detection quantity by a corresponding decrease amplitude to obtain the packet detection quantity of those sessions. The decrease amplitude mentioned here can be set according to application requirements, or on the basis of balancing network security device performance against the protection effect for the target device; for example, it may be set to a reduction of 20 percent of the total number of packets in the session. In other examples a reduction by a fixed number of packets may be set as the decrease amplitude; details are not repeated here. The corresponding decrease amplitude may be set with reference to the corresponding increase amplitude described above; details are not repeated here.
In other examples, the predetermined standard detection quantity may be adjusted according to the source address in other ways to obtain the packet detection quantity of each session; the present application is not limited in this respect.
Third mode: the characteristic information includes both the application protocol and the source address. The predetermined standard detection quantity can be adjusted according to the application protocol and the source address to obtain the packet detection quantity of each session. After adjustment, in some cases the packet detection quantity of every session changes (increases or decreases) relative to the standard detection quantity; in other cases the packet detection quantity of some sessions changes (increases or decreases) relative to the standard detection quantity while that of the remaining sessions stays unchanged.
Whether and how a change is made can be determined according to the traffic proportions of the application protocols and source addresses. In one example, the predetermined standard detection quantity is adjusted according to the identified characteristic information by the following operations:
according to the application protocol and source address in the identified characteristic information, determining the traffic proportion of each application protocol and of each source address in the acquired traffic;
increasing the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets the predetermined increase condition;
decreasing the standard detection quantity by the corresponding decrease amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets the predetermined decrease condition;
performing attack data detection on each packet in part of the sessions whose source address's traffic proportion meets the predetermined sampling condition;
if any packet is detected to carry attack data, increasing the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose source address's traffic proportion meets the sampling condition.
In addition, if none of the detected packets carries attack data, the standard detection quantity may be left unchanged, or reduced, to obtain the packet detection quantity of the session.
The technical content of this example can be found in the examples relating to the two preceding kinds of characteristic information; details are not repeated here.
Moreover, if a session has already obtained a packet detection quantity by adjusting the predetermined standard detection quantity in the application protocol dimension and the standard detection quantity also needs to be increased in the source address dimension, then in one example the embodiments of the present application may increase, by the corresponding increase amplitude, the packet detection quantity previously obtained in the application protocol dimension, and take the result as the final packet detection quantity of the session. In another example, the standard detection quantity itself may be increased by the corresponding increase amplitude, the adjustment result of the source address dimension replacing that of the application protocol dimension, with the larger of the two adjustment results selected as the final packet detection quantity of the session.
In other examples, other sampling conditions may be used to perform attack detection on the packets of part of the sessions, for example: the application protocol has the largest traffic proportion and the source address has the largest traffic proportion. In one scenario the target device is an HTTP server and HTTP is the majority application protocol among the sessions in the network traffic, so the traffic proportion of HTTP is the largest; the embodiments of the present application may then, in the application protocol dimension, decrease the standard detection quantity to obtain the packet detection quantity of the sessions whose application protocol is HTTP, thereby reducing the detection depth. Then, when adjusting in the source IP address (source address) dimension, where one source IP address has the largest traffic proportion under HTTP, the embodiments of the present application may sample part of the sessions of that source IP address and perform attack data detection on them.
The three modes above are only used to enumerate and illustrate how the predetermined standard detection quantity is adjusted according to the identified characteristic information and are not intended to be limiting; other modes may be adopted in other embodiments, and details are not repeated here.
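The three adjustment modes above are illustrated by the following added example, which is not code from the patent. It derives each session's packet detection quantity from a predetermined standard detection quantity in the third mode: the protocol with the largest traffic proportion is decreased and the one with the smallest increased by 20 percent of the session's packets, the target protocol is held at a minimum, the busiest source address has part of its sessions spot-checked in order of occurrence, and a hit raises all of that source's sessions, the larger of the two results being kept. The session records, the values of STANDARD, MIN_TARGET and SAMPLE_RATIO, the marker used as a stand-in for attack data, and the sample traffic are all assumptions constructed for the example.

```python
"""Added example, not code from the patent: derive each session's packet
detection quantity from a predetermined standard detection quantity by
adjusting in the application-protocol dimension and the source-address
dimension (the third mode described in the text).  The names, the thresholds
(STANDARD, MIN_TARGET, SAMPLE_RATIO) and the sample traffic are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    protocol: str
    packets: tuple          # constructed payloads, one bytes object per packet


def http_packets(n, with_marker=False):
    """Constructed HTTP-like payloads; the last one optionally carries the marker."""
    pkts = [b"GET /page/%d HTTP/1.1" % i for i in range(n)]
    if with_marker:
        pkts[-1] = b"GET /?q=ATTACK-MARKER HTTP/1.1"
    return tuple(pkts)


# Constructed sample traffic: HTTP is the majority protocol and 10.0.0.5 the
# busiest source, matching the HTTP-server scenario in the text.
SESSIONS = [
    Session("10.0.0.5", 40001, "HTTP", http_packets(10)),
    Session("10.0.0.5", 40002, "HTTP", http_packets(10, with_marker=True)),
    Session("10.0.0.5", 40003, "HTTP", http_packets(10)),
    Session("10.0.0.7", 50001, "HTTP", http_packets(10)),
    Session("10.0.0.9", 50010, "SSH", tuple(b"ssh-%d" % i for i in range(10))),
    Session("10.0.0.9", 50011, "DNS", tuple(b"dns-%d" % i for i in range(5))),
]

STANDARD = 10             # predetermined standard detection quantity (assumed)
AMPLITUDE = 0.20          # 20 percent of the session's packets, as in the text
MIN_TARGET = 5            # minimum quantity for the target protocol (assumed)
TARGET_PROTOCOL = "HTTP"  # here the protocol with the largest traffic share
SAMPLE_RATIO = 0.5        # fraction of the busiest source's sessions checked (assumed)


def traffic_share(sessions, key):
    """Traffic proportion per class: packets in the class / packets overall."""
    counts = Counter()
    for s in sessions:
        counts[key(s)] += len(s.packets)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def amplitude(session):
    """Adjustment step for one session: 20 percent of its packet total."""
    return round(AMPLITUDE * len(session.packets))


def has_attack_data(payload):
    """Stand-in for the attack-data check: a constructed marker, not a real signature."""
    return b"ATTACK-MARKER" in payload


def adjust_by_protocol(sessions, standard=STANDARD):
    """Protocol dimension: the protocol with the largest share is decreased, the
    one with the smallest share increased, all others keep the standard.  The
    target protocol is never allowed below MIN_TARGET."""
    share = traffic_share(sessions, lambda s: s.protocol)
    biggest = max(share, key=share.get)
    smallest = min(share, key=share.get)
    result = {}
    for s in sessions:
        q = standard
        if biggest != smallest:
            if s.protocol == biggest:
                q = standard - amplitude(s)
            elif s.protocol == smallest:
                q = standard + amplitude(s)
        if s.protocol == TARGET_PROTOCOL:
            q = max(q, MIN_TARGET)
        result[s] = q
    return result


def adjust_by_source(sessions, standard=STANDARD):
    """Source dimension: spot-check the first SAMPLE_RATIO of the busiest source's
    sessions in order of occurrence.  Returns the raised quantity for every
    session of that source if any sampled packet carries attack data, else {}."""
    share = traffic_share(sessions, lambda s: s.src_ip)
    busiest = max(share, key=share.get)
    suspects = [s for s in sessions if s.src_ip == busiest]
    sample = suspects[:max(1, round(SAMPLE_RATIO * len(suspects)))]
    if not any(has_attack_data(p) for s in sample for p in s.packets):
        return {}
    return {s: standard + amplitude(s) for s in suspects}


def final_quantities(sessions, standard=STANDARD):
    """Third mode: protocol-dimension result, overridden by the source-dimension
    increase where that is larger."""
    by_proto = adjust_by_protocol(sessions, standard)
    raised = adjust_by_source(sessions, standard)
    return {s: max(by_proto[s], raised.get(s, 0)) for s in sessions}


if __name__ == "__main__":
    for s, q in final_quantities(SESSIONS).items():
        print(f"{s.src_ip}:{s.src_port} {s.protocol:4} -> inspect {q} packets")
```

With the constructed traffic, the HTTP sessions drop from 10 to 8 in the protocol dimension, the DNS session rises to 11, and the three sessions from 10.0.0.5 end at 12 because the spot-check of the first two of them finds the marker; lowering the standard to 6 shows the minimum of 5 taking effect for the target protocol.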
After the standard detection quantity has been adjusted and the packet detection quantity of each session obtained, if over time the data processing performance or data transmission performance of the network security device changes greatly relative to when the standard detection quantity was predetermined, for example CPU usage rises by 20%, then unless the packet detection quantity of each session is adjusted in time the network detection device is likely to behave abnormally or be bypassed when processing data, which in turn affects network stability and the functioning of the network security device itself. In view of this, after adjusting the predetermined standard detection quantity according to the identified characteristic information and obtaining the packet detection quantity of each session, the embodiments of the present application may adjust again by the following operations:
obtaining a real-time processing parameter describing the real-time data processing performance of the network security device, where the network security device is associated with the target device and performs attack detection on the network traffic about to enter the target device;
obtaining a real-time transmission parameter describing the real-time data transmission performance of the network security device;
adjusting the packet detection quantity of each session with reference to the real-time processing parameter and the real-time transmission parameter.
Here, the embodiments of the present application may predetermine adjustment values corresponding to different real-time processing parameters and real-time transmission parameters, and adjust the packet detection quantity of each session according to the applicable adjustment value.
In addition, the embodiments of the present application may also obtain a new standard detection quantity with reference to the real-time processing parameter and the real-time transmission parameter, replace the old standard detection quantity with it, and execute steps S201 to S203 again in a loop.
The parameter determination method for network security protection of the present application is introduced below with reference to a specific application example. In this example the source address is a source IP address, different sessions need to be distinguished by source IP address and port, and the characteristic information includes the application protocol, source IP address, port and packet count.
As shown in Fig. 3, the parameter determination method for network security protection of the present application can be applied to a computer device and may include the following steps S301 to S307:
Step S301: obtain at least part of the network traffic about to enter the target device.
Step S302: identify the application protocol, source IP address, source port and packet count of each session in the acquired traffic.
Step S303: according to the identified application protocol, source IP address, source port and packet count of each session, determine the traffic proportion of each application protocol and of each source IP address in the acquired traffic.
Step S304: increase the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets the predetermined increase condition.
Step S305: decrease the standard detection quantity by the corresponding decrease amplitude to obtain the packet detection quantity of the sessions whose application protocol's traffic proportion meets the predetermined decrease condition.
Step S306: perform attack data detection on each packet in part of the sessions whose source IP address's traffic proportion meets the predetermined sampling condition.
Step S307: if any packet is detected to carry attack data, increase the standard detection quantity by the corresponding increase amplitude to obtain the packet detection quantity of the sessions whose source IP address's traffic proportion meets the sampling condition.
The technical content of this embodiment can be found in the embodiments relating to Fig. 1 and Fig. 2; details are not repeated here. In addition, the specific details of this embodiment, namely that the source address is a source IP address and the characteristic information includes the application protocol, source IP address, port and packet count, are given only as an example and do not limit the present application; other source addresses and characteristic information are also applicable to this embodiment.
After determining the packet detection quantity of each session, the present application may send it to a security protection program, which performs attack detection on the network traffic about to enter the target device according to the obtained packet detection quantity. This represents the case in which the parameter determination method for network security protection and the security protection method are executed by different programs.
In other embodiments, the parameter determination method for network security protection and the security protection method of the present application may be executed by the same program: after the packet detection quantity of each session is obtained, attack detection is immediately performed on the network traffic about to enter the target device according to that quantity. Reference may be made to the security protection method shown in Fig. 4.
As shown in Fig. 4, the network security protection method of the present application can be applied to a network security device and may include the following steps S401 to S404:
Step S401: obtain at least part of the network traffic about to enter the target device.
Step S402: identify the characteristic information of each session in the acquired traffic; the characteristic information includes at least one of the source address and the application protocol.
Step S403: adjust the predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session.
Step S404: perform attack detection on the network traffic about to enter the target device according to the obtained packet detection quantity.
The network security device to which the embodiments of the present application are applied may be, in the scenario shown in Fig. 1, the network security device 120 that exists independently of the target device 110; in other scenarios, if the target device and the network security device are integrated, it may be the target device itself.
Steps S401 to S403 of this embodiment correspond to the technical content of the embodiments relating to Fig. 1 to Fig. 3 and are not repeated here; in some cases the method of this embodiment may also include other steps from the embodiments relating to Fig. 1 to Fig. 3, which are likewise not repeated here.
In step S404, when attack detection inspects the packets of a session, it obtains the packet detection quantity of the corresponding session from step S403 and inspects that number of packets. The specific means used may differ with application requirements or scenarios. In one example, the present application may adopt the attack detection means used by an IPS, a WAF, or similar. In another example, the data features of abnormal network traffic may be collected in advance to build a behavioural feature library, and network traffic matching an entry in the library is then classified as attack traffic or suspected attack traffic.
When attack traffic or suspected attack traffic is detected in the network traffic, the corresponding traffic can be blocked and an alarm may even be raised.
In some cases, if after steps S401 to S403 the packet detection quantity of certain sessions has been adjusted, that is, differs from the standard detection quantity, the adjusted packet detection quantity is used as the packet detection quantity of those sessions; if it has not changed, the standard detection quantity is used.
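The protection step S404 described above is illustrated by the following added example, which is not code from the patent. It keeps per-session state keyed by (source IP, source port, protocol), inspects only as many packets of each session as that session's packet detection quantity allows, falls back to the standard detection quantity for sessions whose quantity was not adjusted, and matches inspected packets against a behavioural feature library, blocking the session on a match. The feature library, the session keys, the value of STANDARD and the packet trace are constructed assumptions for this example.

```python
"""Added example, not code from the patent: step S404 applied per session.
Only as many packets of a session as its packet detection quantity allows
are matched against a behavioural feature library; later packets are passed
through uninspected.  The feature patterns, session keys and traffic are
constructed for this example."""
from collections import defaultdict

# Constructed behavioural feature library standing in for the features of
# abnormal traffic that the text says are collected in advance.
FEATURE_LIBRARY = {
    "path-traversal": b"../..",
    "marker": b"ATTACK-MARKER",
}
STANDARD = 3  # predetermined standard detection quantity (assumed)


class SessionInspector:
    """Tracks, per session key (src_ip, src_port, protocol), how many packets
    have been seen and whether the session has already been blocked."""

    def __init__(self, quantities, standard=STANDARD):
        self.quantities = quantities      # session key -> adjusted detection quantity
        self.standard = standard
        self.seen = defaultdict(int)      # packets observed so far per session
        self.verdicts = {}                # session key -> ("block", feature name)

    def quantity_for(self, key):
        # Adjusted quantity if steps S401-S403 changed it, else the standard one.
        return self.quantities.get(key, self.standard)

    def handle(self, key, payload):
        """Process one packet.  Returns 'block' once the session matched a
        feature, 'pass' if the packet was inspected and clean, 'uninspected'
        if the session's detection quantity is already exhausted."""
        if key in self.verdicts:
            return "block"
        self.seen[key] += 1
        if self.seen[key] > self.quantity_for(key):
            return "uninspected"
        for name, pattern in FEATURE_LIBRARY.items():
            if pattern in payload:
                self.verdicts[key] = ("block", name)
                return "block"
        return "pass"


def run(packets, quantities):
    """Feed (key, payload) pairs through one inspector; return the per-packet
    decisions and the sessions that were blocked."""
    inspector = SessionInspector(quantities)
    log = [(key, inspector.handle(key, payload)) for key, payload in packets]
    return log, dict(inspector.verdicts)


# Constructed traffic: session B's third packet carries a library feature.
KEY_A = ("10.0.0.5", 40001, "HTTP")
KEY_B = ("10.0.0.5", 40002, "HTTP")
PACKETS = [
    (KEY_A, b"GET /index.html"),
    (KEY_B, b"GET /login"),
    (KEY_A, b"GET /style.css"),
    (KEY_B, b"GET /img/logo.png"),
    (KEY_B, b"GET /static/../../etc/passwd"),
    (KEY_A, b"GET /app.js"),
    (KEY_B, b"GET /home"),
]

if __name__ == "__main__":
    # With the standard quantity the third packet of B is still inspected and
    # the session blocked; with B's quantity decreased to 2 that packet passes
    # uninspected, which is the trade-off the adjustment has to balance.
    for quantities in ({}, {KEY_B: 2}):
        log, blocked = run(PACKETS, quantities)
        print(quantities, [v for k, v in log if k == KEY_B], blocked)
```

Running the trace twice, once with no adjusted quantities and once with session B decreased to 2, shows directly how the detection depth chosen in step S403 decides whether the feature in B's third packet is seen at all.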
As can be seen from the above embodiments, the present application can obtain at least part of the network traffic about to enter the target device, identify the characteristic information of each session in the acquired traffic, and adjust the predetermined standard detection quantity according to characteristic information comprising the application protocol and/or source address to obtain the packet detection quantity of each session. Therefore the number of inspected packets in each session need not be fixed at the standard detection quantity: it is not fixed, but adjusted according to the characteristic information of each session in the acquired traffic. After this, an attacker has difficulty determining how many packets of a session are inspected and therefore cannot rely on that number being fixed to carry out an evasion attack, so the probability of evasion attacks can be effectively reduced.
Furthermore, performing attack detection on the network traffic about to enter the target device according to the packet detection quantity obtained after adjustment can effectively improve the probability of detecting evasion attacks and strengthen the protection effect.
Corresponding to the foregoing method embodiments, the present invention also provides device embodiments.
Referring to Fig. 5, Fig. 5 is a block diagram of a parameter determination device for network security protection shown in an exemplary embodiment of the present invention. The parameter determination device for network security protection can be applied to a computer device and comprises a traffic acquisition module 510, an information identification module 520 and a quantity adjustment module 530.
The traffic acquisition module 510 is configured to obtain at least part of the network traffic about to enter the target device.
The information identification module 520 is configured to identify the characteristic information of each session in the acquired traffic; the characteristic information includes at least one of the source address and the application protocol.
The quantity adjustment module 530 is configured to adjust the predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session.
The technology contents that present apparatus embodiment is related to are corresponding to the technology contents that preceding method embodiment is related to, herein no longer
It repeats.
In one example, the characteristic information includes the application protocol, and the information identification module 520 is configured to:
determine, according to the application protocol in the identified characteristic information, the traffic share of each application protocol in the acquired traffic;
tune up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-up condition; and
tune down the standard detection quantity by the corresponding tune-down amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-down condition.
In another example, the characteristic information includes the source address, and the information identification module 520 is configured to:
determine, according to the source address in the identified characteristic information, the traffic share of each source address in the acquired traffic;
perform attack-data detection on each packet of at least part of the sessions whose source address traffic share meets a predetermined spot-check condition; and
if any detected packet carries attack data, tune up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of the sessions whose source address traffic share meets the spot-check condition.
In another example, the characteristic information includes the source address and the application protocol, and the information identification module 520 is configured to:
determine, according to the application protocol and the source address in the identified characteristic information, the traffic share of each application protocol and the traffic share of each source address in the acquired traffic;
tune up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-up condition;
tune down the standard detection quantity by the corresponding tune-down amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-down condition;
perform attack-data detection on each packet of part of the sessions whose source address traffic share meets a predetermined spot-check condition; and
if any detected packet carries attack data, tune up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of the sessions whose source address traffic share meets the spot-check condition.
In another example, the parameter determining device for network security protection of the embodiment of the application may further include:
a first parameter acquisition module, configured to obtain, before the network traffic about to enter the target device is acquired, a processing parameter describing the data processing performance of a network security device; the network security device is associated with the target device and performs attack detection on the network traffic about to enter the target device;
a second parameter acquisition module, configured to obtain a transmission parameter describing the data transmission performance of the network security device; and
a standard quantity determining module, configured to determine the standard detection quantity corresponding to the processing parameter and the transmission parameter.
In one embodiment, the parameter determining device for network security protection further includes:
a third parameter acquisition module, configured to obtain, after the predetermined standard detection quantity has been adjusted according to the identified characteristic information and the packet detection quantity of each session has been obtained, a processing parameter describing the data processing performance of the network security device; the network security device is associated with the target device and performs attack detection on the network traffic about to enter the target device;
a fourth parameter acquisition module, configured to obtain a real-time transmission parameter describing the real-time data transmission performance of the network security device; and
a quantity correction module, configured to adjust the packet detection quantity of each session with reference to the real-time processing parameter and the real-time transmission parameter.
Referring to Fig. 6, which is a block diagram of the parameter determining device for network security protection shown in an exemplary embodiment of the invention, the network security protection device can be applied to a network security device and comprises a flow acquisition module 610, an information identification module 620, a quantity adjustment module 630 and an attack detection module 640.
The flow acquisition module 610 is configured to obtain at least part of the network traffic about to enter the target device.
The information identification module 620 is configured to identify the characteristic information of each session in the acquired traffic; the characteristic information includes at least one of a source address and an application protocol.
The quantity adjustment module 630 is configured to adjust a predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session.
The attack detection module 640 is configured to perform attack detection on the network traffic about to enter the target device according to the obtained packet detection quantity.
The technical content involved in this device embodiment corresponds to that of the foregoing method and device embodiments and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The device embodiments described above are merely exemplary. The units or modules described as separate components may or may not be physically separated, and the components shown as units or modules may or may not be physical units or modules; they may be located in one place or distributed over multiple network units or modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement the embodiments without creative effort.
The embodiments of the network security protection device and of the parameter determining device for network security protection of the application can be applied to computer equipment. They may be implemented by a computer chip or entity, or by a product having a certain function. In a typical implementation the computer equipment is a computer, the concrete form of which may be at least one, or a combination, of a server, an intelligent interactive panel, a personal computer, a laptop computer, a desktop computer, a tablet computer, a personal digital assistant (PDA), a mobile terminal device, a game device, an e-mail transceiving device, a navigation device, a smart home device or other computer equipment.
The device embodiments may be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, the device in a logical sense is formed by the processor of the computer equipment on which it resides reading the corresponding computer program instructions from a non-volatile readable storage medium, such as a memory, into memory and running them. From the hardware perspective, Fig. 7 shows a hardware structure diagram of the terminal device on which the network security protection device or the parameter determining device for network security protection of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the computer equipment in which the device of the embodiment resides may also include other hardware according to its actual function, which is not described further here. The memory and the non-volatile memory are computer-readable memory; the memory of the terminal device can store program instructions executable by the processor, and the processor, coupled to the memory, reads the program instructions stored in the storage medium and, in response, executes the operations in the network security protection method or the parameter determination method for network security protection of any of the above embodiments.
In other embodiments, the operations performed by the processor may be found in the relevant description of the embodiments of the network security protection method and the parameter determination method for network security protection above, and are not repeated here.
In addition, the embodiment of the application also provides a machine-readable storage medium (the memory of the computer equipment) storing program instructions that include instructions corresponding to each step of the network security protection method or the parameter determination method for network security protection described above. When executed by one or more processors, the instructions cause the processors to perform the operations in the network security protection method or the parameter determination method for network security protection described above.
The embodiment of the present application can be used one or more wherein include program code readable storage medium storing program for executing (including but
Be not limited to magnetic disk storage, CD-ROM, optical memory etc.) on the form of computer program product implemented.Computer is available
Readable storage medium storing program for executing includes permanent and non-permanent, removable and non-removable media, can by any method or technique Lai
Realize information storage.Information can be computer readable instructions, data structure, the module of program or other data.It is machine readable
The example of storage medium includes but is not limited to: phase change memory (PRAM), static random access memory (SRAM), dynamic random are deposited
Access to memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electrically erasable are only
Read memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), the more function of number
Can CD (DVD) other optical storage, magnetic cassettes, tape magnetic disk storage or other magnetic storage devices or it is any its
His non-transmission medium, can be used for storing and can be accessed by a computing device information.
The foregoing is merely the preferred embodiments of the application and is not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.
Claims (10)
1. A parameter determination method for network security protection, characterized by comprising the steps of:
obtaining at least part of the network traffic about to enter a target device;
identifying the characteristic information of each session in the acquired traffic, the characteristic information including at least one of a source address and an application protocol; and
adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session.
2. The method according to claim 1, characterized in that the characteristic information includes the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol in the identified characteristic information, the traffic share of each application protocol in the acquired traffic;
tuning up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-up condition; and
tuning down the standard detection quantity by the corresponding tune-down amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-down condition.
3. The method according to claim 1, characterized in that the characteristic information includes the source address, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the source address in the identified characteristic information, the traffic share of each source address in the acquired traffic;
performing attack-data detection on each packet of at least part of the sessions whose source address traffic share meets a predetermined spot-check condition; and
if any detected packet carries attack data, tuning up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of the sessions whose source address traffic share meets the spot-check condition.
4. The method according to claim 1, characterized in that the characteristic information includes the source address and the application protocol, and adjusting the predetermined standard detection quantity according to the identified characteristic information comprises:
determining, according to the application protocol and the source address in the identified characteristic information, the traffic share of each application protocol and the traffic share of each source address in the acquired traffic;
tuning up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-up condition;
tuning down the standard detection quantity by the corresponding tune-down amplitude to obtain the packet detection quantity of sessions whose application protocol's traffic share meets a predetermined tune-down condition;
performing attack-data detection on each packet of part of the sessions whose source address traffic share meets a predetermined spot-check condition; and
if any detected packet carries attack data, tuning up the standard detection quantity by the corresponding tune-up amplitude to obtain the packet detection quantity of the sessions whose source address traffic share meets the spot-check condition.
5. The method according to any one of claims 1 to 4, characterized in that, after the predetermined standard detection quantity has been adjusted according to the identified characteristic information and the packet detection quantity of each session has been obtained, the method further comprises the steps of:
obtaining a real-time processing parameter describing the real-time data processing performance of a network security device, the network security device being associated with the target device and performing attack detection on the network traffic about to enter the target device;
obtaining a real-time transmission parameter describing the real-time data transmission performance of the network security device; and
adjusting the packet detection quantity of each session with reference to the real-time processing parameter and the real-time transmission parameter.
6. A network security protection method, characterized in that it is applied to a network security device and comprises the steps of:
obtaining at least part of the network traffic about to enter a target device;
identifying the characteristic information of each session in the acquired traffic, the characteristic information including at least one of a source address and an application protocol;
adjusting a predetermined standard detection quantity according to the identified characteristic information to obtain a packet detection quantity for each session; and
performing attack detection on the network traffic about to enter the target device according to the obtained packet detection quantity.
7. A parameter determining device for network security protection, characterized by comprising:
a flow acquisition module, configured to obtain at least part of the network traffic about to enter a target device;
an information identification module, configured to identify the characteristic information of each session in the acquired traffic, the characteristic information including at least one of a source address and an application protocol; and
a quantity adjustment module, configured to adjust a predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session.
8. A network security protection device, characterized in that it is applied to a network security device and comprises:
a flow acquisition module, configured to obtain at least part of the network traffic about to enter a target device;
an information identification module, configured to identify the characteristic information of each session in the acquired traffic, the characteristic information including at least one of a source address and an application protocol;
a quantity adjustment module, configured to adjust a predetermined standard detection quantity according to the identified characteristic information to obtain the packet detection quantity of each session; and
an attack detection module, configured to perform attack detection on the network traffic about to enter the target device according to the obtained packet detection quantity.
9. Computer equipment, characterized by comprising:
a processor; and
a memory storing processor-executable instructions;
wherein the processor is coupled to the memory and is configured to read the program instructions stored in the memory and, in response, perform the operations in the method according to any one of claims 1 to 6.
10. One or more machine-readable storage media, characterized in that instructions are stored thereon which, when executed by one or more processors, cause the processors to perform the operations in the method according to any one of claims 1 to 6.
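The parameter determination of claims 1 to 5 and the detection step of claim 6 (the same logic the modules of claims 7 and 8 describe), carried through as an added Python example that is not part of the patent or any product based on it. Everything the claims leave open is a constructed assumption here: the standard detection quantity, the tune-up, tune-down and spot-check conditions and amplitudes, the load threshold used for the real-time correction, an `ATTACK-SIGNATURE` byte string standing in for "attack data", and a small constructed set of sessions in which the malicious packet arrives fifth, one past a fixed standard count of four.

```python
"""Added example (not the patent's own code): per-session packet detection
counts derived from a standard count, adjusted by application-protocol share
and source-address spot checks, used for attack detection and corrected for
device load.  All thresholds, amplitudes, signatures and traffic are
constructed assumptions, not values from the patent."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    src: str              # source address
    proto: str            # application protocol
    packets: List[bytes]  # packet payloads of this session (constructed)


# Assumed parameters: the claims name these but give no values.
STANDARD_DETECTION_COUNT = 4   # "standard detection quantity"
TUNE_UP_SHARE = 0.5            # protocol share >= this meets the tune-up condition
TUNE_DOWN_SHARE = 0.1          # protocol share < this meets the tune-down condition
TUNE_UP_AMPLITUDE = 2          # packets added by the tune-up amplitude
TUNE_DOWN_AMPLITUDE = 2        # packets removed by the tune-down amplitude
SPOT_CHECK_SHARE = 0.3         # source share >= this meets the spot-check condition
MIN_COUNT = 1                  # never inspect fewer packets than this
ATTACK_SIGNATURE = b"ATTACK-SIGNATURE"  # constructed stand-in for "attack data"


def traffic_shares(sessions: List[Session]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Traffic share per application protocol and per source address,
    measured in packets over the acquired flow."""
    total = sum(len(s.packets) for s in sessions)
    by_proto, by_src = Counter(), Counter()
    for s in sessions:
        by_proto[s.proto] += len(s.packets)
        by_src[s.src] += len(s.packets)
    return ({p: n / total for p, n in by_proto.items()},
            {a: n / total for a, n in by_src.items()})


def has_attack_data(packet: bytes) -> bool:
    return ATTACK_SIGNATURE in packet


def detection_counts(sessions: List[Session],
                     standard: int = STANDARD_DETECTION_COUNT) -> List[int]:
    """Claims 2-4: each session starts at the standard count and is tuned up
    or down by its protocol's traffic share; every packet of sessions from
    high-share sources is spot-checked, and if attack data turns up, all
    sessions meeting the spot-check condition are tuned up."""
    proto_share, src_share = traffic_shares(sessions)
    counts = []
    for s in sessions:
        n = standard
        if proto_share[s.proto] >= TUNE_UP_SHARE:
            n += TUNE_UP_AMPLITUDE
        elif proto_share[s.proto] < TUNE_DOWN_SHARE:
            n = max(MIN_COUNT, n - TUNE_DOWN_AMPLITUDE)
        counts.append(n)
    spot_checked = [s for s in sessions if src_share[s.src] >= SPOT_CHECK_SHARE]
    spot_hit = any(has_attack_data(p) for s in spot_checked for p in s.packets)
    if spot_hit:
        counts = [n + TUNE_UP_AMPLITUDE if src_share[s.src] >= SPOT_CHECK_SHARE else n
                  for s, n in zip(sessions, counts)]
    return counts


def correct_for_load(counts: List[int], processing_load: float,
                     transmission_load: float, high: float = 0.8) -> List[int]:
    """Claim 5: when the security device's real-time processing or transmission
    load exceeds the assumed threshold, step each count down (never below
    MIN_COUNT) so detection keeps up with the line rate."""
    if max(processing_load, transmission_load) > high:
        return [max(MIN_COUNT, n - 1) for n in counts]
    return list(counts)


def detect_attacks(sessions: List[Session], counts: List[int]) -> List[int]:
    """Claim 6: inspect only the first counts[i] packets of session i and
    return the indexes of sessions in which attack data was found."""
    return [i for i, (s, n) in enumerate(zip(sessions, counts))
            if any(has_attack_data(p) for p in s.packets[:n])]


# Constructed sample traffic: the malicious packet is the fifth of its
# session, one past a fixed standard count of four.
BENIGN = b"GET /index.html"
SAMPLE_SESSIONS = [
    Session("10.0.0.1", "HTTP", [BENIGN] * 6),
    Session("10.0.0.1", "HTTP", [BENIGN] * 4 + [ATTACK_SIGNATURE + b" in body"]),
    Session("10.0.0.2", "DNS", [b"A? example.test"]),
    Session("10.0.0.3", "SSH", [b"SSH-2.0-client", b"kexinit"]),
]

if __name__ == "__main__":
    fixed = [STANDARD_DETECTION_COUNT] * len(SAMPLE_SESSIONS)
    tuned = detection_counts(SAMPLE_SESSIONS)
    print("fixed counts", fixed, "-> hits", detect_attacks(SAMPLE_SESSIONS, fixed))
    print("tuned counts", tuned, "-> hits", detect_attacks(SAMPLE_SESSIONS, tuned))
    print("under load  ", correct_for_load(tuned, 0.9, 0.4))
```

With the fixed count the fifth packet is never inspected and the attack data passes unseen; with the counts tuned by protocol share and by the spot check the HTTP sessions are inspected to eight packets and the same packet is caught. The claim 5 correction steps every count down while the device is loaded, so a device that stays saturated quietly loses coverage; that load-driven reduction is worth monitoring alongside the detection results.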
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811592528.7A CN109474623B (en) | 2018-12-25 | 2018-12-25 | Network security protection and parameter determination method, device, equipment and medium thereof |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN109474623A true CN109474623A (en) | 2019-03-15 |
| CN109474623B CN109474623B (en) | 2022-03-01 |
Family ID: 65677468
Cited By (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110430226A (en) * | 2019-09-16 | 2019-11-08 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, computer equipment and storage medium |
| CN114666398A (en) * | 2020-12-07 | 2022-06-24 | 深信服科技股份有限公司 | Application classification method, device, equipment and storage medium |
| CN115102778A (en) * | 2022-07-11 | 2022-09-23 | 深信服科技股份有限公司 | State determination method, device, equipment and medium |
Citations (5)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070204060A1 (en) * | 2005-05-20 | 2007-08-30 | Hidemitsu Higuchi | Network control apparatus and network control method |
| CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
| WO2016150253A1 (en) * | 2015-03-24 | 2016-09-29 | 华为技术有限公司 | Sdn-based ddos attack prevention method, device and system |
| CN106603326A (en) * | 2016-11-01 | 2017-04-26 | 南京理工大学 | NetFlow sampling processing method based on abnormity feedback |
| CN109005157A (en) * | 2018-07-09 | 2018-12-14 | 华中科技大学 | Ddos attack detection and defence method and system in a kind of software defined network |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |