CN109474623B - Network security protection and parameter determination method, device, equipment and medium thereof - Google Patents
- Publication number: CN109474623B (application CN201811592528.7A)
- Authority: CN (China)
- Prior art keywords: session, application protocol, traffic, characteristic information, preset
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00: network architectures or network communication protocols for network security; H04L: transmission of digital information; H04: electric communication technique; H: electricity)
- H04L43/022: Capturing of monitoring data by sampling (under H04L43/02: capturing of monitoring data; H04L43/00: arrangements for monitoring or testing data switching networks)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408; H04L63/14; H04L63/00)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The application provides a network security protection method, a method for determining its parameters, corresponding apparatus and devices, and a readable storage medium. The parameter determination method comprises: acquiring at least part of the network traffic about to enter a target device; identifying characteristic information of each session in the acquired traffic, the characteristic information comprising at least one of a source address and an application protocol; and adjusting a predetermined standard detection number according to the identified characteristic information to obtain a packet detection number for each session. With this, the standard detection number is adjusted per session from the characteristic information of the acquired traffic, so the number of packets inspected in a session is no longer fixed at the standard detection number. Because an attacker can no longer rely on a fixed inspection count, the probability of an escape (evasion) attack is effectively reduced.
Description
Technical Field
The present application relates to the field of network security, and in particular to a method, apparatus, device and medium for network security protection and for determining its parameters.
Background
As network security technology has developed, the contest between attack and defense has intensified. An attacker may launch continuous, high-intensity attack probing against a target device, and the defending side typically deploys a network security device such as an IPS (Intrusion Prevention System) or a WAF (Web Application Firewall) in front of it for protection.
Network security devices such as an IPS or WAF perform attack detection on the data transmitted over the network (network traffic for short, consisting of the packets of one or more sessions) using a network security protection method. A single session using HTTP, HTTPS, SMB, MySQL, a custom application protocol or another application protocol may contain a very large number of packets, and inspecting every packet of such a session is extremely costly in device performance. A network security device deployed in front of a target device carrying very large traffic therefore usually fixes the number of packets inspected per session, for each type of protocol, at a certain number chosen from the device's performance factors, so as to balance device performance against protection effect.
However, once the number of inspected packets is fixed, an attacker can exploit it: establish a session containing very many packets and place the attack payload in a later packet, beyond the inspected ones, so that it evades detection. This is referred to here as an escape attack.
Disclosure of Invention
In view of this, embodiments of the present application provide a network security protection method, a network security protection apparatus, a method and an apparatus for determining network security protection parameters, a computer device and a readable storage medium, so as to solve the problem that escape attacks become likely once the number of inspected packets is fixed.
According to a first aspect of the present application, a method for determining parameters of network security protection is provided, which includes the steps of:
acquiring at least part of the network traffic about to enter a target device;
identifying characteristic information of each session in the acquired traffic, the characteristic information comprising at least one of a source address and an application protocol;
and adjusting a predetermined standard detection number according to the identified characteristic information to obtain a packet detection number for each session.
In one embodiment, the characteristic information includes an application protocol, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each application protocol in the acquired traffic from the application protocols in the identified characteristic information;
for sessions whose application protocol has a traffic share meeting a preset increase condition, increasing the standard detection number by the corresponding increase amplitude to obtain their packet detection number;
and for sessions whose application protocol has a traffic share meeting a preset decrease condition, decreasing the standard detection number by the corresponding decrease amplitude to obtain their packet detection number.
In one embodiment, the characteristic information includes a source address, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each source address in the acquired traffic from the source addresses in the identified characteristic information;
performing attack data detection on every packet of at least some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
and if attack data is detected in any inspected packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number for the sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, the characteristic information includes both a source address and an application protocol, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each application protocol and the traffic share of each source address in the acquired traffic from the application protocols and source addresses in the identified characteristic information;
for sessions whose application protocol has a traffic share meeting a preset increase condition, increasing the standard detection number by the corresponding increase amplitude to obtain their packet detection number;
for sessions whose application protocol has a traffic share meeting a preset decrease condition, decreasing the standard detection number by the corresponding decrease amplitude to obtain their packet detection number;
performing attack data detection on every packet of some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
and if attack data is detected in any inspected packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number for the sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, before acquiring the network traffic about to enter the target device, the method comprises the steps of:
acquiring processing parameters describing the data processing performance of the network security device, the network security device being associated with the target device and used to perform attack detection on network traffic about to enter the target device;
acquiring transmission parameters describing the data transmission performance of the network security device;
and determining the standard detection number corresponding to the processing parameters and the transmission parameters.
In one embodiment, after adjusting the predetermined standard detection number according to the identified characteristic information to obtain the packet detection number of each session, the method further comprises the steps of:
acquiring real-time processing parameters describing the real-time data processing performance of the network security device, the network security device being associated with the target device and used to perform attack detection on network traffic about to enter the target device;
acquiring real-time transmission parameters describing the real-time data transmission performance of the network security device;
and adjusting the packet detection number of each session according to the real-time processing parameters and the real-time transmission parameters.
According to a second aspect of the present application, a network security protection method applied to a network security device is provided, which includes the steps of:
acquiring at least part of the network traffic about to enter a target device;
identifying characteristic information of each session in the acquired traffic, the characteristic information comprising at least one of a source address and an application protocol;
adjusting a predetermined standard detection number according to the identified characteristic information to obtain a packet detection number for each session;
and performing attack detection on the network traffic about to enter the target device according to the obtained packet detection numbers.
In one embodiment, the characteristic information includes an application protocol, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each application protocol in the acquired traffic from the application protocols in the identified characteristic information;
for sessions whose application protocol has a traffic share meeting a preset increase condition, increasing the standard detection number by the corresponding increase amplitude to obtain their packet detection number;
and for sessions whose application protocol has a traffic share meeting a preset decrease condition, decreasing the standard detection number by the corresponding decrease amplitude to obtain their packet detection number.
In one embodiment, the characteristic information includes a source address, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each source address in the acquired traffic from the source addresses in the identified characteristic information;
performing attack data detection on every packet of at least some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
and if attack data is detected in any inspected packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number for the sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, the characteristic information includes both a source address and an application protocol, and adjusting the predetermined standard detection number according to the identified characteristic information comprises:
determining the traffic share of each application protocol and the traffic share of each source address in the acquired traffic from the application protocols and source addresses in the identified characteristic information;
for sessions whose application protocol has a traffic share meeting a preset increase condition, increasing the standard detection number by the corresponding increase amplitude to obtain their packet detection number;
for sessions whose application protocol has a traffic share meeting a preset decrease condition, decreasing the standard detection number by the corresponding decrease amplitude to obtain their packet detection number;
performing attack data detection on every packet of some of the sessions whose source address has a traffic share meeting a predetermined spot-check condition;
and if attack data is detected in any inspected packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number for the sessions whose source address has a traffic share meeting the spot-check condition.
In one embodiment, before acquiring the network traffic about to enter the target device, the method comprises the steps of:
acquiring processing parameters describing the data processing performance of the network security device;
acquiring transmission parameters describing the data transmission performance of the network security device;
and determining the standard detection number corresponding to the processing parameters and the transmission parameters.
In one embodiment, after adjusting the predetermined standard detection number according to the identified characteristic information to obtain the packet detection number of each session, the method further comprises the steps of:
acquiring real-time processing parameters describing the real-time data processing performance of the network security device;
acquiring real-time transmission parameters describing the real-time data transmission performance of the network security device;
and adjusting the packet detection number of each session according to the real-time processing parameters and the real-time transmission parameters.
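As an added illustration of the first and second aspects above (not code from the patent or its applicant), the following Python computes a per-session packet detection number from a sampled batch of traffic and then applies it during detection. Sessions are keyed by the five-tuple the detailed description uses. The thresholds (a protocol share of 40% or more raises the budget, 5% or less lowers it, a source share of 30% or more triggers a spot check), the adjustment amplitudes, the standard detection number of 4, the toy attack signature and the sample traffic are all constructed assumptions; the page does not specify the conditions or amplitudes.

```python
"""Per-session packet inspection budgets adjusted from sampled traffic.
Added illustration of the patent's first and second aspects; all numeric
thresholds, amplitudes, the signature and the traffic sample are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

STANDARD_DETECTION_NUMBER = 4   # assumed baseline: packets inspected per session
MIN_DETECTION_NUMBER = 1

# Assumed tuning. In the patent these are "preset conditions" and "amplitudes".
INCREASE_RATIO, INCREASE_AMPLITUDE = 0.40, 3     # protocol share >= 40%: +3
DECREASE_RATIO, DECREASE_AMPLITUDE = 0.05, 1     # protocol share <= 5%:  -1
SPOT_CHECK_RATIO, SPOT_CHECK_AMPLITUDE = 0.30, 6  # source share >= 30%: spot check

# Toy signature for the demonstration; a real IPS/WAF uses its rule set.
ATTACK_SIGNATURE = b"' OR 1=1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # transport protocol, fifth element of the session 5-tuple
    app: str        # identified application protocol (HTTP, SMB, MySQL, ...)
    payload: bytes


def session_key(p):
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def is_attack(payload):
    return ATTACK_SIGNATURE in payload


def determine_budgets(packets, standard=STANDARD_DETECTION_NUMBER):
    """Steps of the first aspect: group the sample into sessions, measure the
    byte share of each application protocol and source address, and adjust the
    standard detection number per session."""
    sessions = defaultdict(list)
    app_bytes, src_bytes = Counter(), Counter()
    for p in packets:
        sessions[session_key(p)].append(p)
        app_bytes[p.app] += len(p.payload)
        src_bytes[p.src] += len(p.payload)
    total = sum(app_bytes.values()) or 1

    # Source-address spot check: sources that dominate the sample get every
    # packet of their sessions inspected; a hit raises all that source's sessions.
    flagged_sources = set()
    for key, pkts in sessions.items():
        src = key[0]
        if src_bytes[src] / total >= SPOT_CHECK_RATIO and any(
                is_attack(p.payload) for p in pkts):
            flagged_sources.add(src)

    budgets = {}
    for key, pkts in sessions.items():
        budget = standard
        share = app_bytes[pkts[0].app] / total
        if share >= INCREASE_RATIO:
            budget += INCREASE_AMPLITUDE
        elif share <= DECREASE_RATIO:
            budget = max(MIN_DETECTION_NUMBER, budget - DECREASE_AMPLITUDE)
        if key[0] in flagged_sources:
            budget += SPOT_CHECK_AMPLITUDE
        budgets[key] = budget
    return budgets


def detect(packets, budgets, fallback=STANDARD_DETECTION_NUMBER):
    """Second aspect: inspect at most `budget` packets of each session and
    return (session, packet index) for every hit. Sessions without a budget
    fall back to the standard detection number."""
    seen = Counter()
    hits = []
    for p in packets:
        key = session_key(p)
        seen[key] += 1
        if seen[key] <= budgets.get(key, fallback) and is_attack(p.payload):
            hits.append((key, seen[key]))
    return hits


def _session(src, sport, dst, dport, app, payloads):
    return [Packet(src, sport, dst, dport, "TCP", app, pl) for pl in payloads]


# Constructed sample of traffic headed for target 192.0.2.10 (not a capture).
# The attacker's HTTP session carries the payload only in packet 6, i.e. past a
# fixed budget of 4; it also dominates the sample by bytes and so gets spot-checked.
SAMPLE_TRAFFIC = (
    _session("10.0.0.5", 40000, "192.0.2.10", 80, "HTTP",
             [b"GET /index.html HTTP/1.1\r\n"] * 5
             + [b"POST /login HTTP/1.1\r\n\r\nuser=' OR 1=1"])
    + _session("10.0.0.7", 50000, "192.0.2.10", 445, "SMB",
               [b"\xfeSMB" + b"\x00" * 36] * 2)
    + _session("10.0.0.9", 50001, "192.0.2.10", 9000, "custom", [b"ping"])
)

if __name__ == "__main__":
    print("fixed budget of 4, hits:", detect(SAMPLE_TRAFFIC, {}))
    budgets = determine_budgets(SAMPLE_TRAFFIC)
    for key, n in budgets.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} budget={n}")
    print("adjusted budgets, hits:", detect(SAMPLE_TRAFFIC, budgets))
```

Run stand-alone, it shows that a fixed budget of 4 misses the payload in packet 6 of the attacker's session, while the adjusted budget (4 + 3 from the HTTP share, + 6 after the spot check on the dominant source = 13) catches it; the SMB session keeps 4 and the low-volume custom protocol drops to 3. Budgets are keyed by session, so in this example they apply only to sessions present in the sample; how the patent carries a budget over to sessions that begin after sampling is not stated on this page.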
According to a third aspect of the present application, an apparatus for determining parameters of network security protection is provided, including:
a traffic acquisition module, for acquiring at least part of the network traffic about to enter a target device;
an information identification module, for identifying characteristic information of each session in the acquired traffic, the characteristic information comprising at least one of a source address and an application protocol;
and a number adjustment module, for adjusting a predetermined standard detection number according to the identified characteristic information to obtain a packet detection number for each session.
According to a fourth aspect of the present application, a network security protection apparatus applied to a network security device is provided, including:
a traffic acquisition module, for acquiring at least part of the network traffic about to enter a target device;
an information identification module, for identifying characteristic information of each session in the acquired traffic, the characteristic information comprising at least one of a source address and an application protocol;
a number adjustment module, for adjusting a predetermined standard detection number according to the identified characteristic information to obtain a packet detection number for each session, the standard detection number being determined by the data processing performance and the data transmission performance of the network security device;
and an attack detection module, for performing attack detection on the network traffic about to enter the target device according to the obtained packet detection numbers.
According to a fifth aspect of the present application, there is provided a computer device comprising:
a processor;
a memory storing processor-executable instructions;
wherein the processor is coupled to the memory for reading program instructions stored by the memory and, in response, performing operations in the method as described above.
According to a sixth aspect of the present application, one or more machine-readable storage media are provided having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform the operations in the methods as described above.
By implementing the embodiments provided by the application, at least part of the network traffic about to enter the target device is acquired; the characteristic information of each session in the acquired traffic is identified; and the predetermined standard detection number is adjusted according to characteristic information comprising the application protocol and/or the source address to obtain the packet detection number of each session. The number of inspected packets in each session therefore no longer needs to be fixed at the standard detection number: it is adjusted from the characteristic information of each session in the acquired traffic, so an attacker finds it hard to determine how many packets of a session are inspected and therefore hard to place the attack payload beyond them, and the probability of an escape attack is effectively reduced.
Furthermore, performing attack detection on the network traffic about to enter the target device with the adjusted packet detection numbers effectively raises the probability of detecting escape attacks and strengthens the protection effect.
Drawings
FIG. 1 is a schematic diagram of a network environment according to an exemplary embodiment of the invention;
FIG. 2 is a schematic diagram of a method for determining parameters of network security protection according to an exemplary embodiment of the invention;
FIG. 3 is a schematic diagram of a method for determining parameters of network security protection according to another exemplary embodiment of the invention;
FIG. 4 is a diagram of a network security protection method according to an exemplary embodiment of the invention;
FIG. 5 is a block diagram of an apparatus for determining parameters of network security protection according to an exemplary embodiment of the invention;
FIG. 6 is a block diagram of a network security protection apparatus according to an exemplary embodiment of the invention;
FIG. 7 is a hardware configuration diagram of a computer device according to an exemplary embodiment of the invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining", depending on the context.
The network security protection method and its parameter determination method according to embodiments of the application can be applied, in some scenarios, to the network environment shown in fig. 1. The devices in that environment can serve as the devices of a system implementing the network security protection and parameter determination methods.
The network environment shown in fig. 1 includes a target device 130, a network security device 120, and terminals 111, 112 and 11n. The network security device 120 is connected to the target device 130 through a network, and the terminals 111, 112 and 11n are each connected to the network security device 120 through a network; the network may be wired or wireless.
The target device 130 is the computer device to be protected and may be a server, such as an application server, a database server or a shared server; accordingly, the terminals 111, 112 and 11n may be client devices that interact with the server, such as smart phones, portable computers, desktop computers, tablet computers, personal digital assistants (PDAs) or smart interactive tablets.
In other examples, the target device 130 may instead be a user terminal that interacts with some server, such as a smart phone, laptop, desktop computer, tablet computer, PDA or smart interactive tablet, and accordingly the terminals 111, 112 and 11n may be servers, such as application servers, database servers or shared servers.
The network security device 120 interconnects the target device 130 with the terminals 111, 112 and 11n, and may be a gateway, a router or another network interconnection device on which a network security system or application is deployed. A connection between the target device 130 and any of the terminals 111, 112 or 11n is uniquely identified by the five-tuple of source address (e.g. IP address), source port, destination address (e.g. IP address), destination port and protocol. For statistical convenience, traffic passing through the network security device in one direction is marked as forward (request) and traffic in the other direction as reverse (response). In the embodiments of the present application, such a connection between the target device 130 and any of the terminals 111, 112 or 11n is referred to as a session.
Since an attacker such as a hacker may launch continuous, high-intensity attack probing against the target device 130 through a session between the target device 130 and any of the terminals 111, 112 or 11n, the network security device 120 may deploy a network security system such as an IPS (Intrusion Prevention System) or a WAF (Web Application Firewall) to protect against such attacks as far as possible.
In actual protection, the network security device 120 may apply a network security protection method to perform attack detection on the network traffic formed by the sessions between the target device 130 and each of the terminals 111, 112 and 11n, so as to identify attack data and protect the target device 130. Such methods, however, operate in the scenario of per-session detection at the application layer: a single session using HTTP, HTTPS, SMB, MySQL, a custom application protocol or another application protocol may involve a large number of packets, and inspecting every packet of such a session consumes significant device performance. Therefore, to balance the performance of the network security device 120 against the protection effect on the target device 130, in some cases the number of inspected packets in the sessions of each type of protocol is fixed according to the performance factors of the network security device 120; this fixed number is referred to as the predetermined standard detection number. In other cases, the standard detection number that balances the performance of the network security device 120 against the protection effect on the target device 130 may be predetermined from other factors, which are not described further here.
The performance factors mentioned here may be data processing performance and data transmission performance. Data processing performance may be described by CPU utilization, CPU idle rate or another metric reflecting the data processing capability of the network security device; data transmission performance may be described by network bandwidth utilization, network bandwidth idle rate or another metric reflecting the capability of the network security device to carry data between the target device and the terminals.
Once the number of inspected packets is fixed, an attacker such as a hacker can exploit it by establishing a session containing many packets and placing the attack payload in a later packet, so that it passes the device undetected: an escape attack.
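The embodiments that derive the standard detection number from processing and transmission parameters, and later adjust the per-session numbers from their real-time values, can be illustrated as follows. This is an added example, not the patent's own code: the assumed maximum of 32 inspected packets per session at idle, the rule that the scarcer of spare CPU and spare bandwidth bounds the number, the five-sample averaging window and the 10% hysteresis band are design choices of this example, not of the patent.

```python
"""Standard detection number from device performance parameters, and real-time
rescaling of per-session budgets. Added illustration; MAX_DETECTION_NUMBER, the
min-of-spare rule, the window and the hysteresis band are assumptions."""
from collections import deque

MAX_DETECTION_NUMBER = 32   # assumed: packets/session the device can inspect when idle
MIN_DETECTION_NUMBER = 1


def spare_capacity(cpu_utilization, bandwidth_utilization):
    """Spare capacity from the two performance factors named in the text.
    The binding constraint wins: a saturated CPU cannot inspect more packets
    even if the link is idle, and vice versa."""
    for v in (cpu_utilization, bandwidth_utilization):
        if not 0.0 <= v <= 1.0:
            raise ValueError("utilization must be a fraction in [0, 1]")
    return min(1.0 - cpu_utilization, 1.0 - bandwidth_utilization)


def standard_detection_number(cpu_utilization, bandwidth_utilization,
                              max_number=MAX_DETECTION_NUMBER):
    """Predetermined standard detection number for the device's current spare capacity."""
    spare = spare_capacity(cpu_utilization, bandwidth_utilization)
    return max(MIN_DETECTION_NUMBER, int(max_number * spare))


class RealTimeAdjuster:
    """Averages real-time samples over a window and rescales budgets only when
    the averaged spare capacity leaves a hysteresis band around the last value
    applied, so that per-session budgets do not flap with every sample."""

    def __init__(self, base_spare, window=5, band=0.10):
        if base_spare <= 0.0:
            raise ValueError("base_spare must be positive")
        self.base_spare = base_spare        # spare capacity when budgets were set
        self.applied_spare = base_spare     # spare capacity currently reflected
        self.band = band
        self.cpu = deque(maxlen=window)
        self.bw = deque(maxlen=window)

    def sample(self, cpu_utilization, bandwidth_utilization):
        self.cpu.append(cpu_utilization)
        self.bw.append(bandwidth_utilization)

    def current_spare(self):
        if not self.cpu:
            return self.applied_spare
        cpu = sum(self.cpu) / len(self.cpu)
        bw = sum(self.bw) / len(self.bw)
        return spare_capacity(cpu, bw)

    def adjust(self, budgets):
        """Return per-session budgets scaled by current spare capacity relative
        to the spare capacity they were determined at; unchanged inside the band."""
        spare = self.current_spare()
        if abs(spare - self.applied_spare) >= self.band:
            self.applied_spare = spare
        factor = self.applied_spare / self.base_spare
        return {k: max(MIN_DETECTION_NUMBER, int(v * factor))
                for k, v in budgets.items()}


if __name__ == "__main__":
    base = standard_detection_number(0.5, 0.25)        # 16 at 50% spare
    adj = RealTimeAdjuster(base_spare=spare_capacity(0.5, 0.25))
    budgets = {"session-a": base, "session-b": 4}
    for _ in range(5):
        adj.sample(0.75, 0.25)                          # CPU load rises to 75%
    print("standard:", base, "under load:", adj.adjust(budgets))
```

The lower bound of one inspected packet matters: scaling a budget to zero would turn an overloaded device into a pass-through, which is exactly the condition an attacker probing for escape attacks would try to provoke.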
Given that escape attacks become likely once the number of inspected packets is fixed, the designers of the present application propose a parameter determination method for network security protection. In the network environment shown in fig. 1, for example, the method may be applied to the network security device 120: it acquires at least part of the network traffic about to enter the target device 130, identifies the characteristic information of each session in the acquired traffic, and adjusts the determined standard detection number according to characteristic information comprising the application protocol and/or the source address, obtaining a packet detection number for each session. The number of inspected packets in each session is thus no longer fixed at the standard detection number but is adjusted from the characteristic information of each session in the acquired traffic. After this, an attacker finds it hard to determine how many packets of a session are inspected and therefore hard to place the payload beyond them, so the probability of an escape attack is effectively reduced.
Furthermore, the network security protection method can perform attack detection on the network traffic about to enter the target device 130 using the adjusted packet detection numbers, which effectively raises the probability of detecting escape attacks and strengthens the protection effect.
The network security protection and parameter determination methods of the embodiments are not limited to the network environment shown in fig. 1 and may be applied to other network environments according to actual requirements, for example an environment in which the network security device and the target device are integrated.
The implementation of the parameter determination method for network security protection according to an embodiment of the present application is described in detail below with reference to the drawings.
As shown in fig. 2, the method for determining parameters of network security protection may be applied to a computer device and may include the following steps S201 to S203:
Step S201: acquire at least part of the network traffic about to enter the target device.
Step S202: identify the characteristic information of each session in the acquired traffic; the characteristic information includes at least one of a source address and an application protocol.
Step S203: adjust the predetermined standard detection number according to the identified characteristic information to obtain the packet detection number of each session.
The computer device applied in the embodiment of the present application, in the scenario shown in fig. 1, may be a network security device 120 existing independently of the target device 110; in other scenarios, if the target device is integrated with the network security device, the computer device applied in the embodiment of the present application may be the target device; in other scenarios, such as: the method for determining the parameters of the network security protection and the method for the network security protection are two independent application programs, the former provides the number of detected data packets of each session for the latter, and the computer device applied in the embodiment of the application can be a network security device, a target device, a device associated with the network security device, or a device associated with the target device; in other scenarios, the computer device applied in the embodiment of the present application may also be other devices, which is not limited herein.
In practical applications, in order to avoid as far as possible the escape attacks that arise because the number of detected packets in a session is fixed, the embodiment of the present application adjusts the predetermined standard detection number with reference to at least part of the network traffic to enter the target device.
The network traffic to enter the target device may be the traffic whose destination address is the target device, as received by the previous-stage network connection device of the target device; the network connection device mentioned here may be a router, a gateway, or another network interconnection device directly connected to the target device. When acquiring the at least part of the traffic, it may be collected directly or received from the previous-stage network connection device of the target device. In an example in which the method of the embodiment is applied to the network security device 120 shown in fig. 1, part of the network traffic to enter the target device may be collected directly to obtain the at least part of the traffic. During collection, data packets may be captured from the network card of the network security device 120 through its data collection module, for example by using pcap or a dedicated capture network card. In other examples, other modes may be adopted according to the specific scenario, which are not described herein again.
With reference to the acquired traffic, and in order to reduce the occurrence of escape attacks as much as possible while balancing the performance of the network security device against the protection effect on the target device, the present application adjusts the predetermined standard detection number from the application protocol dimension and/or the source address dimension. The standard detection number mentioned herein is the one described in the embodiment related to fig. 1, used to balance the performance of the network security device and the protection effect on the target device; in one example, the number of detected data packets in the communication session of each type of protocol is fixed according to the performance of the network security device, and this number is referred to as the predetermined standard detection number.
In practical application, the embodiment of the application can obtain the standard detection quantity by the following operations before collecting the network traffic to enter the target device:
acquiring processing parameters for describing the data processing performance of the network security equipment;
acquiring transmission parameters for describing data transmission performance of the network security equipment;
determining a standard detection number corresponding to the processing parameter and the transmission parameter.
In other embodiments, the number of standard detections used for balancing the performance of the network security device and the protection effect on the target device may also be predetermined according to other factors, which is not described herein again.
For the predetermined standard detection amount, before the predetermined standard detection amount is adjusted from the application protocol dimension and/or the source address dimension, the embodiment of the present application needs to identify an adjustment basis, that is, feature information including the application protocol and/or the source address. In one example, the application protocol and/or source address of the session may be obtained by parsing each intra-session data packet in the obtained traffic, such as: the application protocol may be identified on a transport layer data basis and the source address may be identified on a network layer data basis. In other examples, the identification may be performed in other manners, such as viewing a history identification record, which is not limited herein.
It should be noted that the application protocol mentioned herein is determined by the specific application scenario and application program. The source address may be a source IP address. If there are multiple sessions between the same IP address and the target device and they need to be distinguished, the source IP address together with the source port can be used to distinguish them. In other examples, other forms of source address may be adopted according to the actual application scenario, which are not described herein again.
When the predetermined standard detection number is actually adjusted according to the application protocol and/or the source address in the identified feature information, a corresponding adjustment mode can be selected according to the content specifically contained in the feature information, and several methods are introduced as follows:
The first method: the characteristic information comprises an application protocol, and the detection number of data packets of each session is obtained by adjusting the predetermined standard detection number according to the application protocol. After adjustment, in some cases the packet detection number of every session changes (increases or decreases) from the standard detection number; in other cases the packet detection number of some sessions changes (increases or decreases) from the standard detection number while that of the remaining sessions stays unchanged.
Whether and how to change the detection number can be determined according to the traffic ratio of the application protocol; in one example, the predetermined standard detection number is adjusted according to the identified characteristic information by the following operations:
determining the traffic ratio of each application protocol in the acquired traffic according to the application protocols in the identified characteristic information;
increasing the standard detection number according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition;
and reducing the standard detection number according to the corresponding decrease amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset decrease condition.
Sessions with the same application protocol may be grouped into one type, and the ratio of the total number of data packets in the sessions with that application protocol to the total number of data packets in the network traffic is calculated. In some cases, for example when each session contains the same number of packets or the difference is within a predetermined range, the ratio of the number of sessions with the same application protocol to the total number of sessions in the network traffic may be calculated instead to obtain the traffic ratio of the application protocol.
In addition, the preset increase condition and decrease condition can be set according to actual application requirements. For example, the application protocol with the largest traffic ratio may be set to meet the decrease condition and the one with the smallest traffic ratio to meet the increase condition; for another example, a traffic ratio greater than a threshold or falling within a predetermined range may be set as the decrease condition, and a traffic ratio less than a threshold or falling within another predetermined range as the increase condition. In this way the data processing performance of the device can be improved while the packet detection number is no longer fixed. In other embodiments, other conditions may also be set as the increase condition or decrease condition, which are not described herein again.
Correspondingly, the increase amplitude and the decrease amplitude can be set according to application requirements, or on the basis of balancing the performance of the network security device against the protection effect on the target device. For example, the increase amplitude may be set to twenty percent of the total number of packets in the session, and the decrease amplitude likewise to twenty percent of the total number of packets in the session. In other embodiments, a fixed number of data packets may be used as the increase amplitude or decrease amplitude, which is not described herein again.
The corresponding increase or decrease amplitude may be the amplitude associated with the session whose application protocol traffic ratio meets the predetermined increase or decrease condition, the amplitude associated with that traffic ratio itself, or the amplitude associated with the computer device on which the method runs; the specific correspondence can be set according to actual application requirements and stored in a storage area in advance.
In this example the predetermined standard detection number is both increased and decreased. In some examples, in order to ensure the protection effect on the target device, the predetermined standard detection number may only be increased and never decreased, by the following operation:
according to the traffic ratio of each application protocol, increasing the standard detection number for the sessions whose application protocol traffic ratio meets the preset increase condition, to obtain the packet detection number of those sessions.
In other examples, to ensure the security protection effect, a lowest packet detection number may be set for sessions whose application protocol is a target application protocol. After the standard detection number is adjusted, if a session uses the target application protocol, it is determined whether the adjusted detection number is lower than the lowest packet detection number; if so, the lowest packet detection number is used as the packet detection number of that session. The target application protocol may be a predetermined important application protocol, the application protocol with the largest traffic ratio, or another protocol, and may be set according to actual requirements.
In other examples, the predetermined standard detection number may also be adjusted according to the application protocol in other manners to obtain the detection number of the data packets of each session, which is not limited in this application.
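The application-protocol dimension described above (traffic ratio per protocol, increase and decrease conditions, a twenty-percent amplitude, and the lowest-number floor for a target protocol) as an added, runnable Python example. This code is not from the patent or any product; the session list, the preset standard detection number of 10, the choice of the largest ratio as the decrease condition and the smallest ratio as the increase condition, and the floor of one packet are all assumptions made for the example.

```python
import math
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample traffic: (session_id, application_protocol, packets_in_session).
# These values are made up for the example and are not from the patent.
SAMPLE_SESSIONS: List[Tuple[str, str, int]] = [
    ("s1", "HTTP", 120), ("s2", "HTTP", 80), ("s3", "HTTP", 100),
    ("s4", "DNS", 4), ("s5", "DNS", 6),
    ("s6", "SMTP", 40), ("s7", "FTP", 50),
]

STANDARD_DETECTION_NUMBER = 10  # assumed preset standard detection number

Ratios = Dict[str, float]
Condition = Callable[[float, Ratios], bool]


def protocol_traffic_ratio(sessions, by_packets: bool = True) -> Ratios:
    """Traffic ratio of each application protocol in the acquired traffic.

    by_packets=True : packets of the protocol / all packets (first variant in the text)
    by_packets=False: sessions of the protocol / all sessions (second variant)
    """
    totals: Counter = Counter()
    for _sid, proto, pkts in sessions:
        totals[proto] += pkts if by_packets else 1
    grand = sum(totals.values())
    return {proto: n / grand for proto, n in totals.items()}


# Example conditions (assumption): the smallest ratio triggers an increase,
# the largest ratio triggers a decrease.
def is_min_ratio(ratio: float, ratios: Ratios) -> bool:
    return ratio == min(ratios.values())


def is_max_ratio(ratio: float, ratios: Ratios) -> bool:
    return ratio == max(ratios.values())


def adjust_by_protocol(
    sessions,
    standard: int,
    increase_condition: Condition,
    decrease_condition: Condition,
    amplitude_percent: int = 20,
    min_detect: Optional[Dict[str, int]] = None,
) -> Dict[str, int]:
    """Per-session packet detection number from the application-protocol dimension.

    The increase/decrease amplitude is a percentage of the session's own packet
    count (the twenty-percent example in the text), rounded up so it is never zero.
    min_detect maps a target protocol to its lowest allowed detection number; the
    floor is applied after the adjustment, as the text describes.
    """
    ratios = protocol_traffic_ratio(sessions)
    result: Dict[str, int] = {}
    for sid, proto, pkts in sessions:
        amplitude = (pkts * amplitude_percent + 99) // 100  # ceiling division
        n = standard
        if increase_condition(ratios[proto], ratios):
            n = standard + amplitude
        elif decrease_condition(ratios[proto], ratios):
            n = max(1, standard - amplitude)  # assumption: inspect at least one packet
        if min_detect and proto in min_detect:
            n = max(n, min_detect[proto])
        result[sid] = n
    return result


if __name__ == "__main__":
    print(protocol_traffic_ratio(SAMPLE_SESSIONS))
    print(adjust_by_protocol(SAMPLE_SESSIONS, STANDARD_DETECTION_NUMBER,
                             is_min_ratio, is_max_ratio, min_detect={"HTTP": 8}))
```

With the sample data HTTP carries 75 percent of the packets and is decreased, DNS carries 2.5 percent and is increased, and SMTP and FTP keep the standard number. Because a twenty-percent amplitude on a 120-packet session (24) exceeds the standard number, the decrease would collapse to the one-packet floor; the `min_detect` floor for the target protocol is what keeps HTTP at a usable 8.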
The second method: the characteristic information comprises a source address, and the detection number of data packets of each session is obtained by adjusting the predetermined standard detection number according to the source address. After adjustment, in some cases the packet detection number of every session changes (increases or decreases) from the standard detection number; in other cases the packet detection number of some sessions changes (increases or decreases) from the standard detection number while that of the remaining sessions stays at the predetermined standard detection number.
Whether and how to change the detection number may be determined according to the traffic ratio of the source address; in one example, the predetermined standard detection number is adjusted according to the identified characteristic information by the following operations:
determining the traffic ratio of each source address in the acquired traffic according to the source addresses in the identified characteristic information;
carrying out attack data detection on each data packet in at least part of the sessions whose source address traffic ratio meets a predetermined spot check condition, where attack data detection means checking whether the data in a packet has the characteristics of attack data;
and if attack data is detected in any inspected data packet, increasing the standard detection number according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
Sessions with the same source address may be grouped into one type, and the ratio of the total number of data packets in the sessions with that source address to the total number of data packets in the network traffic is calculated. In some cases, for example when each session contains the same number of packets or the difference is within a predetermined range, the ratio of the number of sessions with the same source address to the total number of sessions in the network traffic may be calculated instead to obtain the traffic ratio of the source address.
In addition, the predetermined spot check condition can be set according to actual application requirements. For example, the source address with the largest traffic ratio may be set to meet the spot check condition; for another example, a source address whose traffic ratio is greater than a threshold, falls within a preset spot check range, or ranks among the top N by traffic ratio (with N greater than 1) may be set to meet the spot check condition. In other embodiments, other conditions may also be set as the spot check condition, which are not described herein again.
In an example, a certain proportion of the sessions meeting the predetermined spot check condition may be extracted at random from all such sessions, or extracted in order of session occurrence time; the specific extraction proportion may be determined according to the actual application requirement or the data processing capability of the computer device on which the method runs.
In addition, the increase amplitude can be set according to application requirements, or on the basis of balancing the performance of the network security device against the protection effect on the target device. For example, the increase amplitude may be set to twenty percent of the total number of packets in the session; in this case, the number of packets in the session is also identified when identifying the characteristic information. In other embodiments, a fixed number of data packets may be used as the increase amplitude, which is not described herein again.
The corresponding increase amplitude may be the amplitude associated with the session whose source address traffic ratio meets the predetermined spot check condition, the amplitude associated with that traffic ratio itself, or the amplitude associated with the computer device on which the method runs; the specific correspondence can be set according to actual application requirements and stored in a storage area in advance.
In this example the standard detection number is increased when attack data is detected in any inspected data packet. In some examples, if none of the inspected data packets carries attack data, the predetermined standard detection number may be used as the packet detection number of the sessions whose source address traffic ratio meets the spot check condition, or the standard detection number may be reduced according to the corresponding decrease amplitude to obtain that packet detection number. The decrease amplitude mentioned here can be set according to application requirements, or on the basis of balancing the performance of the network security device against the protection effect on the target device; for example, it may be set to twenty percent of the total number of packets in the session, or in other examples to a fixed number of data packets, which is not described herein again. The setting of the corresponding amplitude is as described above and is not repeated here.
In other examples, the predetermined standard detection number may also be adjusted according to the source address in other manners to obtain the detection number of the data packets of each session, which is not limited in this application.
The third method: the characteristic information comprises an application protocol and a source address, and the predetermined standard detection number is adjusted according to both the application protocol and the source address to obtain the packet detection number of each session. After adjustment, in some cases the packet detection number of every session changes (increases or decreases) from the standard detection number; in other cases the packet detection number of some sessions changes (increases or decreases) from the standard detection number while that of the remaining sessions stays unchanged.
Whether and how to change may be determined based on the traffic ratio of the application protocol and the traffic ratio of the source address. In one example, the predetermined standard detection number is adjusted according to the identified characteristic information by the following operations:
determining the traffic ratio of each application protocol and the traffic ratio of each source address in the acquired traffic according to the application protocols and source addresses in the identified characteristic information;
increasing the standard detection number according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition;
reducing the standard detection number according to the corresponding decrease amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset decrease condition;
carrying out attack data detection on each data packet in part of the sessions whose source address traffic ratio meets a preset spot check condition;
and if attack data is detected in any inspected data packet, increasing the standard detection number according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
In addition, if none of the inspected data packets carries attack data, the standard detection number may be left unadjusted, or reduced, to obtain the packet detection number of those sessions.
The technical content related to the present example can refer to the examples related to the foregoing two kinds of characteristic information, and will not be described herein again.
In addition, a session may already have obtained its packet detection number by adjusting the predetermined standard detection number in the application protocol dimension while the standard detection number also needs to be increased in the source address dimension. In one example, the standard detection number is increased according to the corresponding increase amplitude and the adjustment result of the source address dimension replaces the adjustment result of the application protocol dimension; in another example, the larger of the two adjustment results is selected as the final packet detection number of the session.
In other examples, other spot check conditions may be used to select the sessions whose data packets undergo attack detection, for example: the application protocol has the largest traffic ratio and, under that protocol, the source address has the largest traffic ratio. In one scenario the target device is an HTTP server, most sessions in the network traffic use the HTTP protocol, and the HTTP protocol therefore has the largest traffic ratio. When adjusting in the source IP address dimension, the source IP address with the largest traffic ratio under the HTTP protocol is selected, and the embodiment of the present application may randomly spot-check part of the sessions from that source IP address for attack data detection.
The above three cases are only used to illustrate how to adjust the predetermined standard detection number according to the identified feature information, and are not limited, and other manners may be adopted in other embodiments, which are not described herein again.
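The source-address dimension (second method) and the combination rule of the third method, as an added Python example; this is not code from the patent. It assumes constructed sessions keyed by source IP and source port, a constructed behaviour feature library of two byte patterns standing in for attack characteristics, the top-N-by-traffic-ratio spot check condition, a twenty-percent amplitude, and a preset standard detection number of 10. The protocol-dimension numbers fed to `combine_dimensions` are taken as an input so that the two dimensions can be merged by either replacement or the larger value, as the text describes. Steps S304 to S307 of the fig. 3 embodiment are the same procedure.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sessions: session_id -> (source_ip, source_port, packet payloads).
# Source IP plus source port distinguishes sessions from the same address.
# All values are made up for the example and are not from the patent.
Session = Tuple[str, int, List[bytes]]
SAMPLE_SESSIONS: Dict[str, Session] = {
    "a1": ("10.0.0.5", 40001, [b"GET / HTTP/1.1", b"Host: app", b"GET /?q=<script>x"]),
    "a2": ("10.0.0.5", 40002, [b"GET /a", b"GET /b", b"GET /c", b"GET /d", b"GET /e"]),
    "b1": ("10.0.0.7", 51000, [b"GET /index", b"GET /logo.png"]),
}

# Constructed behaviour feature library: byte patterns treated as attack characteristics.
FEATURE_LIBRARY = [b"<script>", b"UNION SELECT"]
STANDARD_DETECTION_NUMBER = 10  # assumed preset value


def has_attack_features(payload: bytes) -> bool:
    return any(sig in payload for sig in FEATURE_LIBRARY)


def source_traffic_ratio(sessions: Dict[str, Session]) -> Dict[str, float]:
    """Packets per source address divided by all packets in the acquired traffic."""
    totals: Counter = Counter()
    for ip, _port, packets in sessions.values():
        totals[ip] += len(packets)
    grand = sum(totals.values())
    return {ip: n / grand for ip, n in totals.items()}


def top_n_sources(ratios: Dict[str, float], n: int = 1) -> Set[str]:
    """Spot check condition: the N source addresses with the largest traffic ratio."""
    ranked = sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)
    return {ip for ip, _r in ranked[:n]}


def sample_sessions(ids: List[str], fraction: float,
                    rng: Optional[random.Random] = None) -> List[str]:
    """Extract a proportion of the candidate sessions: at random when rng is given,
    otherwise the earliest by occurrence order (dict order stands in for time order)."""
    k = max(1, math.ceil(len(ids) * fraction))
    return rng.sample(ids, k) if rng else ids[:k]


def adjust_by_source(sessions: Dict[str, Session], standard: int, amplitude_percent: int = 20,
                     sample_fraction: float = 1.0, top_n: int = 1,
                     decrease_percent: Optional[int] = None,
                     rng: Optional[random.Random] = None) -> Dict[str, int]:
    """Per-session detection number from the source-address dimension.

    Sessions whose source address meets the spot check condition are sampled and every
    packet of the sampled sessions is checked for attack features. If any packet matches,
    the standard number is increased by the amplitude (a percentage of the session's own
    packet count, rounded up) for all sessions of those sources. If nothing matches, the
    standard number is kept, or reduced when decrease_percent is given. Sessions from other
    sources keep the standard number.
    """
    ratios = source_traffic_ratio(sessions)
    checked_ips = top_n_sources(ratios, top_n)
    candidates = [sid for sid, (ip, _p, _pk) in sessions.items() if ip in checked_ips]
    sampled = sample_sessions(candidates, sample_fraction, rng)
    found = any(has_attack_features(pkt) for sid in sampled for pkt in sessions[sid][2])

    result: Dict[str, int] = {}
    for sid, (ip, _p, packets) in sessions.items():
        n = standard
        if ip in checked_ips:
            if found:
                n = standard + (len(packets) * amplitude_percent + 99) // 100
            elif decrease_percent is not None:
                n = max(1, standard - (len(packets) * decrease_percent + 99) // 100)
        result[sid] = n
    return result


def combine_dimensions(by_protocol: Dict[str, int], by_source: Dict[str, int],
                       standard: int, mode: str = "max") -> Dict[str, int]:
    """Merge the two dimensions (third method). mode='max' keeps the larger value;
    mode='replace' lets a source-dimension change override the protocol-dimension value."""
    final: Dict[str, int] = {}
    for sid in set(by_protocol) | set(by_source):
        p = by_protocol.get(sid, standard)
        s = by_source.get(sid, standard)
        final[sid] = max(p, s) if mode == "max" else (s if s != standard else p)
    return final
```

In the sample, 10.0.0.5 carries 80 percent of the packets and is spot-checked; the third packet of session a1 matches the feature library, so both sessions from that address get the standard number plus the amplitude, while 10.0.0.7 keeps the standard number. Sampling half of the candidates in occurrence order still inspects a1 and reaches the same result, which shows why the extraction proportion and order matter.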
After the standard detection number has been adjusted to obtain the packet detection number of each session, the data processing performance or data transmission performance of the network security device may change greatly over time relative to the performance on which the preset standard detection number was based, for example the CPU utilization rate increases by 20%. If the packet detection number of each session is not adjusted in time, the network security device is likely to process data abnormally or be bypassed, affecting network stability and the use of the functions of the network security device. In view of this, in the embodiment of the present application, after the predetermined standard detection number is adjusted according to the identified feature information to obtain the packet detection number of each session, the adjustment may be performed again by:
acquiring real-time processing parameters describing the real-time data processing performance of the network security device, where the network security device is associated with the target device and carries out attack detection on network traffic to enter the target device;
acquiring real-time transmission parameters for describing real-time data transmission performance of the network security equipment;
and adjusting the detection quantity of the data packets of each session according to the real-time processing parameters and the real-time transmission parameters.
According to the embodiment of the application, different adjustment values corresponding to the real-time processing parameters and the real-time transmission parameters can be preset, and the detection number of the data packets of each session is adjusted according to the adjustment values.
In addition, in the embodiment of the present application, the real-time processing parameter and the real-time transmission parameter may also be referred to obtain a new standard detection number, replace an old standard detection number, and execute steps S201 to S203 in a loop.
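The two performance-driven steps, deriving the standard detection number from processing and transmission parameters and re-adjusting the per-session numbers from real-time parameters, as an added Python example that is not from the patent. The text does not say which metrics the parameters are or how they map to a number, so the packet-rate metrics, the budget formula, the clamp range of 4 to 64, and the table of preset adjustment values keyed by the change in CPU utilisation are all assumptions of this example.

```python
import math
from dataclasses import dataclass
from typing import Dict


@dataclass
class DevicePerformance:
    """Parameters describing the network security device. Which metrics to use is an
    assumption of this example; the text only names processing and transmission parameters."""
    inspect_pps: int         # processing parameter: packets/s the detection engine can inspect
    ingress_pps: int         # transmission parameter: packets/s the device forwards
    new_sessions_per_s: int  # transmission parameter: rate at which new sessions arrive
    cpu_util: float          # real-time processing parameter, 0.0 to 1.0


def standard_detection_number(perf: DevicePerformance, lo: int = 4, hi: int = 64) -> int:
    """Standard detection number from processing and transmission parameters.

    Assumed rule: the inspection budget spread over the expected new sessions, never more
    than ingress can supply per session, clamped to [lo, hi] so some packets are always
    inspected and the engine is never asked to inspect more than it can handle.
    """
    sessions = max(1, perf.new_sessions_per_s)
    per_session = min(perf.inspect_pps // sessions, perf.ingress_pps // sessions)
    return max(lo, min(hi, per_session))


def adjustment_factor(cpu_delta: float) -> float:
    """Preset adjustment values keyed by the change in CPU utilisation since the standard
    number was set (constructed table; the text's example is a 20 percent rise)."""
    if cpu_delta >= 0.20:
        return -0.25   # utilisation rose by 20 points or more: cut numbers by a quarter
    if cpu_delta >= 0.10:
        return -0.10
    if cpu_delta <= -0.10:
        return 0.10    # utilisation fell: give some inspection depth back
    return 0.0


def readjust(per_session: Dict[str, int], baseline_cpu: float,
             current_cpu: float) -> Dict[str, int]:
    """Re-adjust every session's detection number according to the real-time processing
    parameter. Rounds down and keeps at least one packet per session (assumption)."""
    factor = adjustment_factor(current_cpu - baseline_cpu)
    return {sid: max(1, math.floor(n * (1 + factor))) for sid, n in per_session.items()}


def refreshed_standard(current: DevicePerformance) -> int:
    """The alternative the text mentions: derive a new standard detection number from the
    real-time parameters and replace the old one before re-running steps S201 to S203."""
    return standard_detection_number(current)
```

The `readjust` path scales every session's number by the same preset factor, so the relative differences produced by the protocol and source-address dimensions are preserved; the `refreshed_standard` path instead starts the whole determination over from a new baseline, which is the looping variant the text describes.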
The following describes a method for determining parameters of network security protection according to the present application with reference to specific application examples.
In this example, the source address is a source IP address, different sessions need to be distinguished by the source IP address and a port, and the feature information includes an application protocol, the source IP address, the port, and the number of data packets.
As shown in fig. 3, the method for determining parameters of network security protection according to the present application may be applied to a computer device, and may include the following steps S301 to S307:
Step S301, at least part of network traffic to enter the target device is obtained.
Step S302, identify the application protocol, source IP address, source port, and number of packets of each session in the acquired traffic.
Step S303, determining a traffic ratio of each application protocol and a traffic ratio of each source IP address in the obtained traffic according to the identified application protocol, source IP address, source port, and number of packets of each session.
Step S304, the standard detection number is increased according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition.
Step S305, the standard detection number is reduced according to the corresponding decrease amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset decrease condition.
Step S306, attack data detection is carried out on each data packet in part of the sessions whose source IP address traffic ratio meets the preset spot check condition.
Step S307, if attack data is detected in any inspected data packet, the standard detection number is increased according to the corresponding increase amplitude to obtain the packet detection number of the sessions whose source IP address traffic ratio meets the spot check condition.
Technical content related to this embodiment may refer to the embodiments related to fig. 1 to fig. 2 and is not described herein again. In addition, the specific details of this embodiment, namely that the source address is a source IP address and that the characteristic information includes an application protocol, the source IP address, a port, and the number of data packets, are used only as an example and do not limit the present application; other source addresses and other characteristic information are also applicable to this embodiment.
After the detection quantity of the data packets of each session is determined, the detection quantity of the data packets of each session can be sent to a security protection program, and the security protection program carries out attack detection on the network traffic to be entered into the target equipment according to the obtained detection quantity of the data packets. This means that the parameter determination method of network security protection and the security protection method are executed by different programs.
In other embodiments, the parameter determining method and the security protection method for network security protection according to the present application may also be executed by the same program, and after the number of detected data packets of each session is obtained, attack detection is immediately performed on network traffic to be entered into the target device according to the obtained number of detected data packets, which may specifically refer to the security protection method shown in fig. 4.
As shown in fig. 4, the network security protection method of the present application may be applied to a network security device, and may include the following steps S401 to S404:
Step S401, at least part of the network traffic to enter the target device is obtained.
Step S402, identifying the characteristic information of each session in the acquired flow; the characteristic information includes at least one of a source address and an application protocol.
Step S403, adjusting the predetermined standard detection number according to the identified feature information, to obtain the data packet detection number of each session.
And S404, according to the obtained detection number of the data packets, carrying out attack detection on the network traffic to be entered into the target equipment.
The network security device applied in the embodiment of the present application, in the scenario shown in fig. 1, may be the network security device 120 existing independently of the target device 110; in other scenarios, if the target device is integrated with the network security device, the network security device applied in the embodiment of the present application may be the target device.
Steps S401 to S403 related to this embodiment correspond to technical contents in the embodiments related to fig. 1 to fig. 3, and are not described herein again, and in addition, in some cases, the method of this embodiment may further include other steps in the embodiments related to fig. 1 to fig. 3, and are not described herein again.
For the attack detection performed in step S404, when detecting the data packets of the session, the data packets of the corresponding number are detected according to the number of detected data packets of the corresponding session obtained in step S403. The specific measures adopted can be different according to different application requirements or application scenes, and in one example, the attack detection measures related to IPS, WAF and the like can be adopted. In another example, data characteristics of abnormal network traffic may be collected in advance, a behavior characteristic library is established, and when network traffic matched with the behavior characteristic library is monitored, the network traffic is defined as attack traffic or suspected attack traffic.
When attack traffic or suspected attack traffic is detected in the network traffic, the corresponding traffic can be blocked, and an alarm can also be raised.
In some cases, after steps S401 to S403, the packet detection number of some sessions has been adjusted away from the standard detection number; for those sessions the adjusted number is used as the packet detection number, while for sessions whose number was not changed the standard detection number is used as the packet detection number.
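Step S404 applied per session, as an added Python example that is not from the patent: only the first N packets of each session are inspected, where N is the adjusted number for sessions that were adjusted and the standard number otherwise. The behaviour feature library (two byte patterns), the sample sessions and the standard number of 10 are constructed for the example. The sample places a matching packet at position 13 of one session, which is exactly the case the text calls an escape attack under a fixed count: the standard number of 10 passes the session, while the adjusted number inspects far enough to block it.

```python
from typing import Dict, List, Optional, Tuple

# Constructed behaviour feature library: byte patterns treated as attack characteristics.
FEATURE_LIBRARY = [b"<script>", b"UNION SELECT"]

# Verdict is ("pass", None) or ("block", index_of_first_matching_packet).
Verdict = Tuple[str, Optional[int]]


def packet_matches(payload: bytes) -> bool:
    return any(sig in payload for sig in FEATURE_LIBRARY)


def inspect_session(packets: List[bytes], detection_number: int) -> Verdict:
    """Check only the first `detection_number` packets of the session (step S404).
    Packets beyond that count are forwarded without inspection."""
    for i, pkt in enumerate(packets[:detection_number]):
        if packet_matches(pkt):
            return ("block", i)
    return ("pass", None)


def protect(sessions: Dict[str, List[bytes]], detection_numbers: Dict[str, int],
            standard: int) -> Dict[str, Verdict]:
    """Apply the adjusted number to adjusted sessions and the standard number to the rest."""
    return {sid: inspect_session(pkts, detection_numbers.get(sid, standard))
            for sid, pkts in sessions.items()}


# Constructed sample: s1 carries a matching packet only at index 12 (its 13th packet).
SAMPLE: Dict[str, List[bytes]] = {
    "s1": [b"GET /page%d" % i for i in range(12)] + [b"GET /?q=<script>x"],
    "s2": [b"GET /", b"POST /login"],
}
STANDARD_DETECTION_NUMBER = 10  # assumed preset value


if __name__ == "__main__":
    print("fixed count :", protect(SAMPLE, {}, STANDARD_DETECTION_NUMBER))
    print("adjusted    :", protect(SAMPLE, {"s1": 15}, STANDARD_DETECTION_NUMBER))
```

The two calls in the usage block differ only in the per-session number handed to `protect`, which is the parameter the rest of the patent is about: the detection logic itself is unchanged, and the protection effect comes from the count no longer being the same fixed value for every session.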
According to the embodiment, at least part of the network traffic to enter the target device is acquired; the characteristic information of each session in the acquired traffic is identified; and the predetermined standard detection number is adjusted according to characteristic information comprising the application protocol and/or the source address to obtain the packet detection number of each session. The number of detected data packets in each session therefore no longer needs to be fixed at the standard detection number but is adjusted according to the characteristic information of each session in the acquired traffic. After this, an attacker finds it difficult to determine how many data packets of a session are inspected, and therefore difficult to place attack data outside the inspected packets, so the probability of an escape attack is effectively reduced.
Furthermore, carrying out attack detection on the network traffic to enter the target device according to the adjusted number of detected data packets effectively improves the probability of detecting escape attacks and enhances the protection effect.
Corresponding to the embodiments of the method described above, the invention also provides embodiments of the apparatus.
Referring to fig. 5, fig. 5 is a block diagram of a parameter determination apparatus for network security protection according to an exemplary embodiment of the present invention. The apparatus may be applied to computer equipment and includes a traffic acquisition module 510, an information identification module 520 and a quantity adjustment module 530.
The traffic acquisition module 510 is configured to acquire at least part of the network traffic that is to enter the target device.
The information identification module 520 is configured to identify the feature information of each session in the acquired traffic, the feature information comprising at least one of a source address and an application protocol.
The quantity adjustment module 530 is configured to adjust the preset standard detection number according to the identified feature information to obtain the packet detection number of each session.
The technical content related to the embodiment of the apparatus corresponds to the technical content related to the embodiment of the method, and is not described herein again.
In one example, the feature information comprises an application protocol, and the information identification module 520 is configured to:
determine the traffic ratio of each application protocol in the acquired traffic according to the application protocols in the identified feature information;
increase the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition;
and reduce the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset reduction condition.
In another example, the feature information comprises a source address, and the information identification module 520 is configured to:
determine the traffic ratio of each source address in the acquired traffic according to the source addresses in the identified feature information;
perform attack data detection on each data packet in at least part of the sessions whose source address traffic ratio meets a preset spot check condition;
and if attack data is detected in any inspected data packet, increase the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
In another example, the feature information comprises a source address and an application protocol, and the information identification module 520 is configured to:
determine the traffic ratio of each application protocol and the traffic ratio of each source address in the acquired traffic according to the application protocols and source addresses in the identified feature information;
increase the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition;
reduce the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset reduction condition;
perform attack data detection on each data packet in a part of the sessions whose source address traffic ratio meets a preset spot check condition;
and if attack data is detected in any inspected data packet, increase the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
In another example, the parameter determination apparatus for network security protection according to the embodiment of the present application may further include:
a first parameter acquisition module, configured to acquire, before the network traffic to enter the target device is acquired, processing parameters describing the data processing performance of the network security device, the network security device being associated with the target device and used for performing attack detection on the network traffic to enter the target device;
a second parameter acquisition module, configured to acquire transmission parameters describing the data transmission performance of the network security device;
and a standard quantity determination module, configured to determine the standard detection number corresponding to the processing parameters and the transmission parameters.
In one embodiment, the parameter determination apparatus for network security protection further includes:
a third parameter acquisition module, configured to acquire, after the preset standard detection number has been adjusted according to the identified feature information to obtain the packet detection number of each session, real-time processing parameters describing the real-time data processing performance of the network security device, the network security device being associated with the target device and used for performing attack detection on the network traffic to enter the target device;
a fourth parameter acquisition module, configured to acquire real-time transmission parameters describing the real-time data transmission performance of the network security device;
and a quantity correction module, configured to adjust the packet detection number of each session according to the real-time processing parameters and the real-time transmission parameters.
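As an added example (not code from the patent or its assignee), the following Python sketch walks through the three steps just described: the protocol-ratio adjustment, the source-address spot check, and the real-time correction from processing and transmission parameters. The sample sessions, thresholds, amplitudes, the `looks_like_attack` marker check and the proportional load rule are all assumptions; the patent fixes none of these values or formulas.

```python
"""Per-session packet-inspection count adjustment following the three steps described above (added
example, not the patent's code). Sessions, thresholds, amplitudes and the attack check are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

STANDARD_COUNT = 10          # preset standard detection number (assumed)
INCREASE_AMPLITUDE = 4       # increase amplitude for the increase condition (assumed)
DECREASE_AMPLITUDE = 3       # reduction amplitude for the reduction condition (assumed)
SPOT_CHECK_AMPLITUDE = 6     # adjustment amplitude applied when a spot check hits (assumed)
LOW_RATIO_THRESHOLD = 0.10   # protocol traffic ratio below which counts go up (assumed)
HIGH_RATIO_THRESHOLD = 0.50  # protocol traffic ratio above which counts go down (assumed)
SPOT_CHECK_RATIO = 0.40      # source-address traffic ratio that triggers a spot check (assumed)


@dataclass
class Session:
    session_id: str
    src_addr: str
    app_protocol: str
    packets: List[bytes]                 # captured payloads (constructed)
    inspect_count: int = STANDARD_COUNT  # packets of this session that will be inspected


def traffic_ratios(sessions: List[Session], key: Callable[[Session], str]) -> Dict[str, float]:
    """Byte share of the acquired traffic per value of `key` (protocol or source address)."""
    volume: Dict[str, int] = defaultdict(int)
    for s in sessions:
        volume[key(s)] += sum(len(p) for p in s.packets)
    total = sum(volume.values())
    return {k: v / total for k, v in volume.items()} if total else {}


def adjust_by_protocol(sessions: List[Session], standard: int = STANDARD_COUNT) -> None:
    """Step 1: increase condition = protocol ratio is the minimum or below LOW_RATIO_THRESHOLD;
    reduction condition = ratio is the maximum or above HIGH_RATIO_THRESHOLD (increase wins ties)."""
    ratios = traffic_ratios(sessions, lambda s: s.app_protocol)
    lo, hi = min(ratios.values(), default=0.0), max(ratios.values(), default=0.0)
    for s in sessions:
        r = ratios[s.app_protocol]
        s.inspect_count = standard
        if r == lo or r < LOW_RATIO_THRESHOLD:
            s.inspect_count = standard + INCREASE_AMPLITUDE
        elif r == hi or r > HIGH_RATIO_THRESHOLD:
            s.inspect_count = max(1, standard - DECREASE_AMPLITUDE)  # never drop to zero


def spot_check_sources(sessions: List[Session], is_attack: Callable[[bytes], bool]) -> Set[str]:
    """Step 2: inspect every packet of a sample of sessions from heavy source addresses; if any
    carries attack data, raise the count of all sessions from that source. Returns flagged sources."""
    ratios = traffic_ratios(sessions, lambda s: s.src_addr)
    flagged: Set[str] = set()
    for src, r in ratios.items():
        if r < SPOT_CHECK_RATIO:
            continue
        src_sessions = [s for s in sessions if s.src_addr == src]
        sample = src_sessions[: max(1, len(src_sessions) // 2)]  # "at least part of" the sessions
        if any(is_attack(p) for s in sample for p in s.packets):
            flagged.add(src)
    for s in sessions:
        if s.src_addr in flagged:
            s.inspect_count += SPOT_CHECK_AMPLITUDE
    return flagged


def correct_for_load(sessions: List[Session], load_ratio: float) -> None:
    """Step 3 (assumed rule): load_ratio = real-time transmission rate / processing rate; above 1,
    counts are cut proportionally with a floor of one packet. The patent leaves this unspecified."""
    if load_ratio > 1.0:
        for s in sessions:
            s.inspect_count = max(1, int(s.inspect_count / load_ratio))


def determine_inspection_counts(sessions, is_attack, load_ratio=1.0, standard=STANDARD_COUNT):
    adjust_by_protocol(sessions, standard)
    spot_check_sources(sessions, is_attack)
    correct_for_load(sessions, load_ratio)
    return {s.session_id: s.inspect_count for s in sessions}


def looks_like_attack(payload: bytes) -> bool:
    """Placeholder for the device's real attack-data detector (constructed marker check)."""
    return b"ATTACK" in payload


def sample_sessions() -> List[Session]:
    """Constructed traffic: source 10.0.0.5 dominates with HTTP, DNS is the minority protocol."""
    def payloads(n: int, size: int, marker: bytes = b"") -> List[bytes]:
        return [marker + b"x" * (size - len(marker)) for _ in range(n)]
    return [
        Session("s1", "10.0.0.5", "HTTP", payloads(6, 100, b"ATTACK")),
        Session("s2", "10.0.0.5", "HTTP", payloads(4, 100)),
        Session("s3", "10.0.0.9", "DNS", payloads(2, 50)),
        Session("s4", "10.0.0.7", "SSH", payloads(3, 100)),
    ]
```

On the constructed sample, HTTP sessions are reduced for carrying the largest share, the DNS session is increased for the smallest, and the spot check on the dominant source raises both of its sessions again, so `determine_inspection_counts(sample_sessions(), looks_like_attack)` yields 13, 13, 14 and 10 packets for s1 to s4.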
Referring to fig. 6, fig. 6 is a block diagram of a network security protection apparatus according to an exemplary embodiment of the present invention. The network security protection apparatus may be applied to a network security device and includes a traffic acquisition module 610, an information identification module 620, a quantity adjustment module 630 and an attack detection module 640.
The traffic acquisition module 610 is configured to acquire at least part of the network traffic that is to enter the target device.
The information identification module 620 is configured to identify the feature information of each session in the acquired traffic, the feature information comprising at least one of a source address and an application protocol.
The quantity adjustment module 630 is configured to adjust the preset standard detection number according to the identified feature information to obtain the packet detection number of each session.
The attack detection module 640 is configured to perform attack detection on the network traffic to enter the target device according to the obtained packet detection number.
The technical content of this apparatus embodiment corresponds to that of the method embodiments and the preceding apparatus embodiment and is not described again here.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units or modules described as separate parts may or may not be physically separate, and the parts shown as units or modules may or may not be physical units or modules; they may be located in one place or distributed over a plurality of network units or modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The embodiments of the network security protection apparatus/parameter determination apparatus for network security protection can be applied to computer equipment. In particular, they may be implemented by a computer chip or entity, or by a product having a certain function. In a typical implementation the computer equipment is a computer, whose specific form may be one of, or a combination of several of, a server, an intelligent interactive tablet, a personal computer, a laptop computer, a desktop computer, a tablet computer, a Personal Digital Assistant (PDA), a mobile terminal device, a game device, a mail receiving and sending device, a navigation device and an intelligent home device.
The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus is formed by the processor of the computer device in which it is located reading the corresponding computer program instructions from a readable storage medium, such as a nonvolatile memory, into memory and running them. In terms of hardware, fig. 7 shows a hardware structure diagram of a terminal device in which the network security protection apparatus/parameter determination apparatus for network security protection of the present application is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 7, the computer device in which the apparatus is located may also include other hardware according to its actual function, which is not described again. The memory and the nonvolatile memory are computer-readable memories, and the memory of the terminal device can store program instructions executable by the processor; the processor may be coupled to the memory to read the program instructions stored in the storage medium and, in response, perform the operations of the network security protection method/network security protection parameter determination method of any of the above embodiments.
In other embodiments, for the operations executed by the processor, reference may be made to the description of the above embodiments of the network security protection method/network security protection parameter determination method, which is not repeated here.
In addition, an embodiment of the present application further provides a machine-readable storage medium (a memory of a computer device) storing program instructions that correspond to the steps of the network security protection method/network security protection parameter determination method described above. When executed by one or more processors, the instructions cause the processors to perform the operations of the network security protection method/network security protection parameter determination method described above.
Embodiments of the present application may take the form of a computer program product embodied on one or more readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having program code embodied therein. Computer-usable readable storage media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of machine-readable storage media include, but are not limited to: phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technologies, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium, may be used to store information that may be accessed by a computing device.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (9)
1. A method for determining parameters of network security protection, characterized by comprising the following steps:
acquiring at least part of the network traffic to enter a target device;
identifying the feature information of each session in the acquired traffic;
determining, according to the identified feature information, the traffic ratio of the traffic corresponding to the feature information in the acquired traffic;
adjusting a preset standard detection number based on the traffic ratio to obtain the packet detection number of each session;
when the feature information comprises an application protocol, adjusting the preset standard detection number comprises:
increasing the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset increase condition;
reducing the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset reduction condition;
the increase condition being that the traffic ratio of the application protocol is the minimum, is smaller than a threshold value or lies within a preset decrease range; and the reduction condition being that the traffic ratio of the application protocol is the maximum, is greater than a threshold value or lies within a preset reduction range.
2. The method of claim 1, wherein the feature information comprises a source address, and adjusting the preset standard detection number according to the identified feature information comprises:
determining the traffic ratio of each source address in the acquired traffic according to the source addresses in the identified feature information;
performing attack data detection on each data packet in at least part of the sessions whose source address traffic ratio meets a preset spot check condition;
and if attack data is detected in any inspected data packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
3. The method of claim 1, wherein the feature information comprises a source address and an application protocol, and adjusting the preset standard detection number according to the identified feature information comprises:
determining the traffic ratio of each application protocol and the traffic ratio of each source address in the acquired traffic according to the application protocols and source addresses in the identified feature information;
increasing the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset increase condition;
reducing the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets the preset reduction condition;
performing attack data detection on each data packet in a part of the sessions whose source address traffic ratio meets a preset spot check condition;
and if attack data is detected in any inspected data packet, increasing the standard detection number by the corresponding adjustment amplitude to obtain the packet detection number of the sessions whose source address traffic ratio meets the spot check condition.
4. The method according to any one of claims 1 to 3, wherein, after the preset standard detection number is adjusted according to the identified feature information and the packet detection number of each session is obtained, the method further comprises the following steps:
acquiring real-time processing parameters describing the real-time data processing performance of the network security device, the network security device being associated with the target device and used for performing attack detection on the network traffic to enter the target device;
acquiring real-time transmission parameters describing the real-time data transmission performance of the network security device;
and adjusting the packet detection number of each session according to the real-time processing parameters and the real-time transmission parameters.
5. A network security protection method, applied to a network security device, comprising the following steps:
acquiring at least part of the network traffic to enter a target device;
identifying the feature information of each session in the acquired traffic;
determining, according to the identified feature information, the traffic ratio of the traffic corresponding to the feature information in the acquired traffic;
adjusting a preset standard detection number based on the traffic ratio to obtain the packet detection number of each session;
performing attack detection on the network traffic to enter the target device according to the obtained packet detection number;
when the feature information comprises an application protocol, adjusting the preset standard detection number comprises:
increasing the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset increase condition;
reducing the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset reduction condition;
the increase condition being that the traffic ratio of the application protocol is the minimum, is smaller than a threshold value or lies within a preset decrease range; and the reduction condition being that the traffic ratio of the application protocol is the maximum, is greater than a threshold value or lies within a preset reduction range.
6. A parameter determination apparatus for network security protection, comprising:
a traffic acquisition module, configured to acquire at least part of the network traffic to enter a target device;
an information identification module, configured to identify the feature information of each session in the acquired traffic;
a quantity adjustment module, configured to determine, according to the identified feature information, the traffic ratio of the traffic corresponding to the feature information in the acquired traffic,
and to adjust a preset standard detection number based on the traffic ratio to obtain the packet detection number of each session;
when the feature information comprises an application protocol, the quantity adjustment module is configured to:
increase the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset increase condition;
reduce the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset reduction condition;
the increase condition being that the traffic ratio of the application protocol is the minimum, is smaller than a threshold value or lies within a preset decrease range; and the reduction condition being that the traffic ratio of the application protocol is the maximum, is greater than a threshold value or lies within a preset reduction range.
7. A network security protection apparatus, applied to a network security device, comprising:
a traffic acquisition module, configured to acquire at least part of the network traffic to enter a target device;
an information identification module, configured to identify the feature information of each session in the acquired traffic;
a quantity adjustment module, configured to determine, according to the identified feature information, the traffic ratio of the traffic corresponding to the feature information in the acquired traffic,
and to adjust a preset standard detection number based on the traffic ratio to obtain the packet detection number of each session;
an attack detection module, configured to perform attack detection on the network traffic to enter the target device according to the obtained packet detection number;
when the feature information comprises an application protocol, the quantity adjustment module is configured to:
increase the standard detection number by the corresponding increase amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset increase condition;
reduce the standard detection number by the corresponding reduction amplitude to obtain the packet detection number of the sessions whose application protocol traffic ratio meets a preset reduction condition;
the increase condition being that the traffic ratio of the application protocol is the minimum, is smaller than a threshold value or lies within a preset decrease range; and the reduction condition being that the traffic ratio of the application protocol is the maximum, is greater than a threshold value or lies within a preset reduction range.
8. A computer device, comprising:
a processor;
a memory storing processor-executable instructions;
wherein the processor is coupled to the memory for reading program instructions stored by the memory and, in response, performing operations in the method of any of claims 1-5.
9. One or more machine-readable storage media having instructions stored thereon, which when executed by one or more processors, cause the processors to perform the operations of the method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201811592528.7A (CN109474623B) | 2018-12-25 | 2018-12-25 | Network security protection and parameter determination method, device, equipment and medium thereof
Publications (2)
Publication Number | Publication Date
---|---
CN109474623A | 2019-03-15
CN109474623B | 2022-03-01
Family ID: 65677468
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 