CN114567605A - Security engine scheduling method and device and readable storage medium - Google Patents


Info

Publication number
CN114567605A
Authority
CN
China
Prior art keywords
security engine
security
feature
cluster
traffic
Legal status
Granted
Application number
CN202210191393.3A
Other languages
Chinese (zh)
Other versions
CN114567605B (en)
Inventor
刘紫千
马晨
常力元
崔乾
孙福兴
王琪
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L47/00 Traffic control in data switching networks > H04L47/50 Queue scheduling > H04L47/52 Queue scheduling by attributing bandwidth to queues > H04L47/527 Quantum based scheduling, e.g. credit or deficit based scheduling or token bank
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control > H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application discloses a security engine scheduling method and device and a readable storage medium, used to solve the prior-art problem that security protection results for general traffic have low reliability. The method comprises the following steps: receiving first general traffic; extracting a first feature of the first general traffic, where the first feature indicates the different characteristics exhibited by the first general traffic when it contains different attack traffic; and determining, by using a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and forwarding the first general traffic to the first security engine cluster. The scheduling model comprises a correspondence between security engine clusters and general traffic, the security engine cluster comprises heterogeneous engines, and heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scenario.

Description

Security engine scheduling method and device and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for scheduling a security engine, and a readable storage medium.
Background
A security engine refers to a program/component that performs security checks on general traffic in a network according to relevant rules and function/code bases. The most common security engines include firewalls, WAF (Web Application Firewall), IPS (Intrusion Prevention System), and the like. Generally, only a single security engine cluster whose engines share the same characteristics is deployed in a system to provide security protection for general traffic. However, because only security engines with the same characteristics are provided, the reliability of the detection result cannot be ensured in the face of different types of general traffic.
Therefore, in the prior art the security protection result has low reliability when security protection is performed on general traffic.
Disclosure of Invention
The application provides a security engine scheduling method and device and a readable storage medium, used to solve the prior-art problem that security protection results for general traffic have low reliability.
In a first aspect, the present application provides a method for scheduling a security engine, the method including:
receiving first general traffic;
extracting a first feature of the first general traffic, where the first feature indicates the different characteristics exhibited by the first general traffic when it contains different attack traffic;
determining, by using a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and forwarding the first general traffic to the first security engine cluster; the scheduling model comprises a correspondence between security engine clusters and general traffic, the security engine cluster comprises heterogeneous engines, and heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scenario.
In this method, a scheduling model containing different security engines decides on and schedules a security engine cluster according to the first general traffic. Because the scheduling model records the correspondence between the first general traffic and a first security engine cluster that includes heterogeneous engines, security protection can be performed in a targeted manner according to the first feature of the first general traffic once it is received, which effectively improves the reliability of the protection result.
In a possible implementation, the first feature is one of a traffic feature, a port feature, a public network egress feature, or a protocol feature.
In a possible embodiment, determining the first security engine cluster corresponding to the first general traffic by using the scheduling model includes:
extracting a second feature of the security engine, where the second feature indicates a protection characteristic of a security engine when protecting general traffic, and the security engines comprise homogeneous engines and heterogeneous engines;
determining, by an adaptation algorithm and based on the protection relation between the first feature and the second feature, an adapted security engine cluster that meets the protection requirement of the general traffic; the adaptation algorithm is used to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for general traffic of the first feature; the protection requirement is the minimum requirement that the general traffic places on the protection capability of each security engine when that engine provides only any one second feature, and the number of security engines in the adapted security engine cluster is not lower than the number of first features;
and extracting a security engine cluster from the adapted security engine cluster based on a preset rule, and recording the mapping relation between the general traffic and the security engine cluster.
In a possible implementation manner, the second characteristic includes the detected attack category, the occupation condition of the hardware resource, the sending condition of the alarm log, and the traffic forwarding rate under different protocols.
In a possible embodiment, extracting a security engine cluster from the adapted security engine cluster based on a preset rule includes:
respectively determining the total score of each security engine in the adaptive security engine cluster based on the set weight of each second feature in the adaptive security engine cluster; wherein the total score indicates a protection capability of a security engine for the first generic traffic;
determining a feature security engine for which the total score is above a set threshold;
combining the feature security engines into a security engine cluster.
In a possible embodiment, determining the first security engine cluster corresponding to the first general traffic by using the scheduling model includes:
scheduling the first security engine cluster;
determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster;
determining a first number and a second number based on the protection requirement of the first general traffic;
in the first security engine cluster in the scheduling model, increasing the number of sub security engines corresponding to the second feature with the largest set weight to the first number, and decreasing the number of sub security engines corresponding to the second feature with the smallest set weight to the second number, where the sub security engines are security engines in the first security engine cluster.
In a possible embodiment, after forwarding the first general traffic to the first security engine cluster, the method includes:
scheduling the first security engine cluster;
determining at least one second feature for which the protection requirement of the first general traffic lies within a set range;
in the scheduling model, increasing the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number setting of the security engines corresponding to the second feature.
In a second aspect, the present application provides a scheduling apparatus for a security engine, the apparatus comprising:
a receiving unit, configured to receive first general traffic;
an extraction unit, configured to extract a first feature of the first general traffic, where the first feature indicates the different characteristics exhibited by the first general traffic when it contains different attack traffic;
a model unit, configured to determine, by using a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and to forward the first general traffic to the first security engine cluster; the scheduling model comprises a correspondence between security engine clusters and general traffic, the security engine cluster comprises heterogeneous engines, and heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scenario.
In a possible embodiment, the apparatus further comprises a training unit, configured to extract a second feature of the security engine, where the second feature indicates a protection characteristic of a security engine when protecting general traffic, and the security engines comprise homogeneous engines and heterogeneous engines; to determine, by an adaptation algorithm and based on the protection relation between the first feature and the second feature, an adapted security engine cluster that meets the protection requirement of the general traffic, where the adaptation algorithm is used to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for general traffic of the first feature, the protection requirement is the minimum requirement that the general traffic places on the protection capability of each security engine when that engine provides only any one second feature, and the number of security engines in the adapted security engine cluster is not lower than the number of first features; and to extract a security engine cluster from the adapted security engine cluster based on a preset rule and record the mapping relation between the general traffic and the security engine cluster.
In a possible embodiment, the training unit is further configured to determine the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster, where the total score indicates the protection capability of a security engine for the first general traffic; to determine the feature security engines whose total score is above a set threshold; and to combine the feature security engines into a security engine cluster.
In a possible embodiment, the apparatus further includes a quantity unit, configured to schedule the first security engine cluster; to determine the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; to determine a first number and a second number based on the protection requirement of the first general traffic; and, in the first security engine cluster in the scheduling model, to increase the number of sub security engines corresponding to the second feature with the largest set weight to the first number and decrease the number of sub security engines corresponding to the second feature with the smallest set weight to the second number, where the sub security engines are security engines in the first security engine cluster.
In a possible embodiment, the apparatus further includes a weighting unit, configured to schedule the first security engine cluster; to determine at least one second feature for which the protection requirement of the first general traffic lies within a set range; and, in the scheduling model, to increase the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number setting of the security engines corresponding to the second feature.
In a third aspect, the present application provides a readable storage medium comprising a memory, where the memory is configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method according to the first aspect and any one of its possible embodiments.
Drawings
Fig. 1 is a flowchart of the security engine scheduling method provided in the present application;
Fig. 2 is a schematic diagram of the second features of the security engine provided in the present application;
Fig. 3 is a schematic diagram of an adapted security engine cluster determined during training of the scheduling model provided in the present application;
Fig. 4 is a schematic diagram of the security protection of general traffic using the security engine scheduling method provided in the present application;
Fig. 5 is a schematic diagram of training the model in the security engine scheduling method according to the present application;
Fig. 6 is a schematic structural diagram of the security engine scheduling apparatus according to the present application.
Detailed Description
To address the prior-art problem that security protection results obtained through a security engine cluster have low reliability, the application provides a security engine scheduling method in which heterogeneous engines are fused into a scheduling model; after general traffic is received, engine scheduling is performed according to the traffic features, so that security protection of the general traffic is achieved and the reliability of the security protection result for the general traffic is improved.
To better understand the technical solutions of the present application, they are described in detail below with reference to the accompanying drawings and the specific embodiments. It should be understood that the specific features of the embodiments and examples are detailed descriptions of the technical solutions, not limitations of them, and that the technical features of the embodiments and examples may be combined with each other where they do not conflict.
Referring to fig. 1, an embodiment of the present application provides a scheduling method for a security engine, so as to solve a problem in the prior art that security protection results are low in reliability when security protection is performed on general traffic, where the method specifically includes the following implementation steps:
step 101: a first generic traffic is received.
Specifically, the first general traffic is real traffic in the network. Such as data packets transmitted over the internet.
Step 102: a first feature of the first generic traffic is extracted.
Wherein the first characteristic is indicative of a different characteristic exhibited by the first generic traffic when it contains different attack traffic.
Specifically, the first general traffic may be differentiated according to different dimensions, and the differentiated dimensions are the first features. The first feature may then be one of a traffic feature, a port feature, a public network egress feature, or a protocol feature of the generic traffic. The aforementioned traffic characteristics may be traffic classes. Such as web site traffic. The port characteristic may be an identity of the port (e.g., port number) that uniquely identifies the port.
Step 103: and determining a first security engine cluster corresponding to the first general traffic based on the first characteristic by using a scheduling model, and forwarding the first general traffic to the first security engine cluster.
The scheduling model comprises a corresponding relation between a security engine cluster and general traffic, the security engine cluster comprises heterogeneous engines, and the heterogeneous engines indicate security engines with at least one different item of deployment form, detected attack type and application scene. The deployment modalities include, but are not limited to, cloud session deployment, hardware deployment, and software deployment.
The heterogeneous engines in the embodiments of the present application include, but are not limited to, a firewall, internet behavior management, a WAF (Web Application Firewall), an IPS (Intrusion Prevention System), and an IDS (Intrusion Detection System).
In particular, before the scheduling model can be used to decide on and schedule a security engine cluster, it must be trained, as described below.
First, a second feature of the security engine is extracted. The second feature indicates a protection characteristic of the security engine when it performs security protection on general traffic; the security engines comprise homogeneous engines and heterogeneous engines. The second features include, but are not limited to, the detected attack category, the occupation of hardware resources, the sending of alarm logs and the traffic forwarding rate under different protocols. Fig. 2 illustrates the second features of the security engine. Among the second features, hardware resource occupation covers the Central Processing Unit (CPU), hard disk, memory, and the like; the detected attack types include Web attacks (application attacks), brute force cracking and the like; the traffic forwarding rate under different protocols may be the general traffic forwarding rate under TCP, under UDP, under FTP and the like; and the sending condition of the alarm log may be the sending rate of the alarm log. The second feature therefore distinguishes not only heterogeneous engines but also homogeneous engines: the second features (detected attack type, hardware resource occupation, alarm log sending and traffic forwarding rate under different protocols) of homogeneous engines are not all the same. Moreover, because the second feature is divided into several kinds, the protection capability of the security engine on general traffic can be characterised in greater detail and more precisely in each of these aspects.
And then, based on the protection relation between the first characteristic and the second characteristic, determining an adaptive security engine cluster which meets the protection requirement of the general flow by adopting an adaptive algorithm. Wherein the adaptation algorithm is used for determining the protection requirement of the first characteristic for each second characteristic and the protection capability of each second characteristic for the general traffic of the first characteristic; the protection requirement indicates the minimum requirement of the universal traffic on the protection capability of each security engine when only any second feature is provided in each security engine; the number of security engines in the adapted security engine cluster is not less than the number of the first features.
It should be noted that in the embodiments of the present application, the protection capability of any security engine, and the protection requirement of any general traffic can be quantized into a specific score representation.
And finally, based on a preset rule, extracting a security engine cluster from the adaptive security engine cluster, and recording the mapping relation between the general flow and the security engine cluster. Specifically, firstly, the total score of each security engine in the adapted security engine cluster is respectively determined based on the set weight of each second feature in the adapted security engine cluster; wherein the total score indicates a protection capability of a security engine for the first generic traffic. Then, the feature security engine is determined that the total score is above a set threshold. Finally, the feature security engines may be combined into a security engine cluster.
The following is an example description of the adaptation algorithm, and the determination of the security engine cluster. As shown in fig. 3, the first security engine, the second security engine, the third security engine, and the fourth security engine … … are all security engines. The features 1, 2, 3 and 4 correspond to the second features of the security engine, namely, the detected attack category, the occupation situation of hardware resources, the sending situation of an alarm log and the traffic forwarding rate under different protocols. Then, based on fig. 3, when training the scheduling model, the general traffic input to the security engine is a plurality of known general traffic whose first characteristics are determined and whose first characteristics are different.
When the adaptation algorithm is used, a control variable method is first adopted to obtain the protection capability of each feature of each security engine for the known general traffic with the known first feature; the protection capability can be represented by a score, and a higher score represents a higher protection capability. That is, features 2, 3 and 4 of the security engines in part (a) of fig. 3 may be set to be consistent, i.e. the protection capabilities corresponding to features 2 to 4 of all security engines are the same. Inputting the known general traffic into the first security engine, the second security engine, the third security engine, the fourth security engine … … respectively then tests the protection capability of feature 1 of each security engine against the known general traffic of the known first feature. Similarly, the protection capability of features 2 to 4 of each security engine on the known general traffic is tested by the same method, so that a matrix is obtained. In the matrix, a column corresponds to a second feature (feature 1 to feature 4) of the security engine, a row corresponds to a security engine (the first, second, third and fourth security engines), and an element of the matrix is the protection capability of a certain second feature (feature 1, 2, 3 or 4) of that security engine on the known general traffic of the known first feature.
And acquiring the protection requirements of the known general flow of the first characteristic on each first characteristic, comparing with each protection capability in the matrix, and selecting each security engine with the protection capability meeting the protection requirements. As shown in part (a) of fig. 3, in the contents outlined by the ellipse, for the known generic traffic of the aforementioned known first feature, the security engines whose protection capability of the feature 1 meets the protection requirement corresponding to the known generic traffic are the first security engine and the second security engine. The security engines with the protection capability of the feature 2 meeting the protection requirement corresponding to the known general traffic are the first security engine and the third security engine. The security engine with the protection capability of the feature 3 meeting the protection requirement corresponding to the known general traffic is the first security engine. The security engines with the protection capability of the feature 4 meeting the protection requirement corresponding to the known general traffic are the second security engine and the third security engine.
According to the above operation, an adapted security engine cluster is obtained, as shown in part (b) of fig. 3, where 0 indicates that the protection capability represented by that feature of the corresponding security engine cannot meet the protection requirement of the known general traffic. Here the protection requirement can also be represented by a score, and a higher score represents a higher protection requirement for a certain second feature. Further, the set weights (A to D) of the second features in the adapted security engine cluster may be used to determine the total score of each security engine in the adapted security engine cluster, where the set weights A to D take specific values based on the first feature of the known general traffic. Writing $x_{ij}$ for the matrix element of the $i$-th security engine and the $j$-th second feature, the total score $S_1$ of the first security engine is $S_1 = x_{11}A + x_{12}B + x_{13}C + 0$. Likewise, the total scores $S_2$ and $S_3$ of the second and third security engines are $S_2 = x_{21}A + 0 + 0 + x_{24}D$ and $S_3 = 0 + x_{32}B + 0 + x_{34}D$. $S_1$, $S_2$ and $S_3$ of the adapted security engine cluster are compared with a set threshold. If $S_1$ and $S_2$ are greater than the set threshold, then, considering each item (features 1 to 4) of the second features, when the protection capability of the third security engine cannot meet the protection requirement of the known general traffic, the first security engine and the second security engine are both feature security engines and can be combined into a security engine cluster; that is, the security engine cluster composed of the first security engine and the second security engine can perform security protection on the known general traffic of the first feature from different aspects.
And recording the mapping relation between the security engine cluster formed by the first security engine and the second security engine and the first characteristic of the known general traffic according to the result.
After the scheduling model is trained, after the first feature of the received first general traffic is determined, the scheduling model is used to determine a first security engine cluster corresponding to the first feature to schedule the security engine, so that the purpose of performing security protection on the first general traffic is achieved.
Further, after the scheduling model is used to determine the first security engine cluster corresponding to the first general traffic, the scheduling model may be adaptively adjusted according to the specific situation of the first general traffic received each time, so as to ensure the reliability of the scheduled first security engine cluster on the security protection result of the first general traffic, and two implementable manners are provided below for reference.
(I) According to the protection requirement of the first general traffic, the number of some sub security engines in the first security engine cluster is adjusted adaptively; the sub security engines are security engines in the first security engine cluster.
The method comprises the steps of firstly scheduling a first security engine cluster, and determining a second feature with the largest weight and a second feature with the smallest weight in the first security engine cluster.
The first quantity and the second quantity are then determined based on the protection requirements of the first generic traffic. Where the first number indicates an ideal number of security engines (i.e., a certain sub-security engine of the first security engine cluster) that are to secure the first generic traffic based on the second feature that sets the weight to be the greatest; the second number indicates an ideal number of security engines (i.e. a certain sub-security engine of the first cluster of security engines) that secure the first generic traffic based on setting the second feature with the smallest weight.
Finally, in a first security engine cluster in the scheduling model, the number of the sub security engines corresponding to the second feature with the largest setting weight is increased to a first number, and the number of the sub security engines corresponding to the second feature with the smallest setting weight is decreased to a second number; wherein the child security engines are security engines in the first security engine cluster.
And (II) adaptively adjusting the setting weight of each second feature in the first security engine cluster according to the protection requirement of the first general flow. First, the first generic traffic of any one of the first features has a protection requirement for each of the second features of the security engine, since the second features of the first security engine secure the first generic traffic from different angles (sides). Therefore, after the first security engine cluster is scheduled, it may be determined that the first generic traffic protection requirement is located in the second characteristic corresponding to the at least one protection requirement of the set range. And then, in a scheduling model, according to the setting weight of the initial second feature and the number setting of the security engines corresponding to the second feature, the setting weight of the corresponding second feature in the first security engine cluster is increased.
It should be noted that, in the process of using the security engine scheduling method, the update adjustment of the scheduling model is not limited to the two possible embodiments; moreover, the two possible embodiments can also be combined to achieve more reliable protection results.
To sum up, in the security engine scheduling method provided in the embodiment of the present application, after the first feature of the received first generic traffic is determined, the first security engine cluster scheduled by the decision of the scheduling model includes not only homogeneous engines but also heterogeneous engines, which protect the first generic traffic under the first feature from different angles and different dimensions. This avoids the problem that a homogeneous engine cluster has a single protection effect on the first generic traffic, which results in a protection result of low reliability. Fig. 4 is a schematic diagram illustrating security protection of generic traffic using the security engine scheduling method. First, feature learning is carried out on the generic traffic to determine its first feature. After generic traffic with known first features has been input into the model for training, the model, upon receiving generic traffic, determines the homogeneous engines and heterogeneous engines that are to protect the received generic traffic and schedules them. After the received generic traffic has been protected, information is fed back to update the model in time. The feedback may be given in real time or at set time intervals.
Further, the model training in Fig. 4 can be described as shown in Fig. 5. In the model training process, data preprocessing is required first, that is, determining the protection requirement of generic traffic with a known first feature for each second feature in the model. Then, since the second features of the security engines are obtained by dividing along different dimensions, training on each second feature actually corresponds to training the model in one dimension; that is, the control-variable method described above can be used to perform multiple single-dimension trainings on the model, determining the protection capability of each security engine's second feature in each dimension for generic traffic of the first feature, so that the protection requirement of generic traffic of the first feature can be compared with the protection capability of the security engine on the corresponding second feature. Then, based on the first feature, a weight is determined for the second feature of each dimension in the model; at the start of model training the weights of the second features of all dimensions may be set to the same value. In this way, a multidimensional (multiple second features) model can be constructed for scheduling different security engines, so as to protect different generic traffic more effectively.
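The training procedure of Fig. 5, the preset scoring rule, and the two adaptive adjustment manners (I) and (II) described above can be illustrated end to end with the following Python example. It is an added illustration written for this page, not code from the patent or its assignee. The engine names, capability values, protection requirement, the initial count of two sub-engines per engine, the rule that an engine "corresponds to" the second feature it scores highest on, the linear ideal-number rule in `adjust_counts`, the per-engine weight step in `adjust_weights`, and the reading that an engine is "adapted" when it meets the traffic's minimum on at least one second feature are all assumptions made for the example.

```python
"""Toy model of the security engine scheduling method (added example, not the patent's code)."""
from __future__ import annotations

import math
from dataclasses import dataclass, field

# Second features (protection characteristics of an engine), named after the categories
# in claim 4; first features of generic traffic, per claim 2. Names are constructed.
SECOND_FEATURES = ("attack_categories", "resource_occupancy", "alarm_logging", "forwarding_rate")
FIRST_FEATURES = ("traffic", "port", "public_egress", "protocol")
DEFAULT_COUNT = 2  # assumption: initial number of sub-engines per engine in a cluster


@dataclass
class SecurityEngine:
    name: str
    deployment: str               # deployment form       (heterogeneity item 1)
    attack_type: str              # detected attack type  (heterogeneity item 2)
    scenario: str                 # application scene     (heterogeneity item 3)
    capability: dict[str, float]  # second feature -> protection capability in [0, 1]

    def strongest_feature(self) -> str:
        # Assumption: an engine "corresponds to" the second feature it scores highest on.
        return max(SECOND_FEATURES, key=lambda f: self.capability[f])


def heterogeneous(a: SecurityEngine, b: SecurityEngine) -> bool:
    """Claim 1: engines are heterogeneous when they differ in at least one of the three items."""
    return (a.deployment, a.attack_type, a.scenario) != (b.deployment, b.attack_type, b.scenario)


@dataclass
class SchedulingModel:
    weights: dict[str, float]           # set weight of each second feature
    threshold: float                    # total-score threshold of the preset rule
    engines: dict[str, SecurityEngine]
    mapping: dict[str, dict[str, int]] = field(default_factory=dict)  # first feature -> {engine: count}
    initial_weights: dict[str, float] = field(init=False)

    def __post_init__(self) -> None:
        self.initial_weights = dict(self.weights)

    def total_score(self, engine: SecurityEngine) -> float:
        """Weighted sum of second-feature capabilities (claim 5)."""
        return sum(self.weights[f] * engine.capability[f] for f in SECOND_FEATURES)

    def train(self, first_feature: str, requirement: dict[str, float]) -> dict[str, int]:
        """Adaptive algorithm plus preset rule: build and record the cluster for one first feature."""
        # Single-dimension comparison (control-variable method). Assumption: an engine is
        # adapted when it meets the traffic's minimum requirement on at least one second feature.
        adapted = [e for e in self.engines.values()
                   if any(e.capability[f] >= requirement[f] for f in SECOND_FEATURES)]
        if len(adapted) < len(FIRST_FEATURES):
            raise ValueError("adapted cluster has fewer engines than there are first features")
        cluster = [e for e in adapted if self.total_score(e) > self.threshold]
        if not any(heterogeneous(a, b) for a in cluster for b in cluster):
            raise ValueError("cluster contains no heterogeneous engine")
        self.mapping[first_feature] = {e.name: DEFAULT_COUNT for e in cluster}
        return self.mapping[first_feature]

    def schedule(self, first_feature: str) -> dict[str, int]:
        """Look up the first security engine cluster for the received traffic's first feature."""
        return self.mapping[first_feature]

    def adjust_counts(self, first_feature: str, requirement: dict[str, float],
                      max_replicas: int = 4) -> dict[str, int]:
        """Manner (I): grow the sub-engines of the max-weight feature to the first number and
        shrink those of the min-weight feature to the second number."""
        cluster = self.schedule(first_feature)
        f_max = max(SECOND_FEATURES, key=self.weights.__getitem__)
        f_min = min(SECOND_FEATURES, key=self.weights.__getitem__)
        # Assumption: the ideal number grows linearly with the requirement, capped at max_replicas.
        first_number = max(1, math.ceil(requirement[f_max] * max_replicas))
        second_number = max(1, math.ceil(requirement[f_min] * max_replicas))
        for name in cluster:
            strongest = self.engines[name].strongest_feature()
            if strongest == f_max:
                cluster[name] = max(cluster[name], first_number)
            elif strongest == f_min:
                cluster[name] = min(cluster[name], second_number)
        return cluster

    def adjust_weights(self, first_feature: str, requirement: dict[str, float],
                       low: float, high: float, step: float = 0.05) -> dict[str, float]:
        """Manner (II): raise the weight of every second feature whose requirement lies in
        [low, high] by one step per cluster engine corresponding to it (assumed rule)."""
        cluster = self.schedule(first_feature)
        for f in SECOND_FEATURES:
            if low <= requirement[f] <= high:
                n = sum(1 for name in cluster if self.engines[name].strongest_feature() == f)
                self.weights[f] = self.initial_weights[f] + step * n
        return dict(self.weights)


def build_demo_model() -> SchedulingModel:
    """Constructed engine pool and weights; all values are illustrative only."""
    caps = lambda a, r, l, fw: dict(zip(SECOND_FEATURES, (a, r, l, fw)))
    engines = [
        SecurityEngine("ids_a", "inline", "web", "datacenter", caps(0.9, 0.6, 0.7, 0.5)),
        SecurityEngine("ids_b", "inline", "web", "datacenter", caps(0.6, 0.4, 0.5, 0.3)),
        SecurityEngine("ddos_scrubber", "bypass", "ddos", "cloud", caps(0.5, 0.4, 0.3, 0.95)),
        SecurityEngine("waf", "inline", "web", "cloud", caps(0.7, 0.9, 0.8, 0.6)),
        SecurityEngine("log_collector", "bypass", "audit", "branch", caps(0.5, 0.5, 0.9, 0.5)),
        SecurityEngine("weak_box", "bypass", "malware", "branch", caps(0.3, 0.3, 0.2, 0.3)),
    ]
    weights = dict(zip(SECOND_FEATURES, (0.35, 0.2, 0.15, 0.3)))
    return SchedulingModel(weights, 0.5, {e.name: e for e in engines})


# Constructed protection requirement of generic traffic whose first feature is "port".
PORT_REQUIREMENT = dict(zip(SECOND_FEATURES, (0.6, 0.5, 0.2, 0.5)))

if __name__ == "__main__":
    model = build_demo_model()
    print("cluster:", model.train("port", PORT_REQUIREMENT))
    print("after (I):", model.adjust_counts("port", PORT_REQUIREMENT))
    print("after (II):", model.adjust_weights("port", PORT_REQUIREMENT, low=0.5, high=0.6))
```

Running the module trains a cluster for traffic with the first feature `port`, then applies manners (I) and (II). Two points the prose alone does not show: `ids_b` is admitted to the adapted cluster (it meets the attack-category minimum) but is pruned by the total-score threshold, and `train` refuses to record a cluster in which every pair of engines shares deployment form, attack type and scene, which is the check that keeps the scheduled cluster from degenerating into the homogeneous case the description warns about.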
Based on the same inventive concept, an embodiment of the present application provides a scheduling apparatus for a security engine. The apparatus corresponds to the security engine scheduling method shown in Fig. 1, and its specific implementation may refer to the description of the foregoing method embodiment; repeated details are not described again. Referring to Fig. 6, the apparatus includes:
Receiving unit 601: for receiving first generic traffic.
Specifically, the first generic traffic refers to real traffic in the network.
Extraction unit 602: for extracting a first feature of the first generic traffic.
The first feature indicates the different characteristics exhibited by the first generic traffic when it contains different attack traffic.
Specifically, the first feature is one of a traffic feature, a port feature, a public network egress feature, or a protocol feature.
Model unit 603: for determining, using a scheduling model, a first security engine cluster corresponding to the first generic traffic based on the first feature, and forwarding the first generic traffic to the first security engine cluster.
The scheduling model includes a correspondence between security engine clusters and generic traffic; a security engine cluster includes heterogeneous engines, and heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scene.
The security engine scheduling apparatus further includes a training unit, specifically for: extracting a second feature of the security engine, where the second feature indicates the protection characteristics of a security engine when it protects generic traffic, and the security engine includes homogeneous engines and heterogeneous engines; determining, by an adaptive algorithm based on the protection relation between the first feature and the second feature, an adapted security engine cluster that meets the protection requirement of the generic traffic, where the adaptive algorithm is used to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for generic traffic of the first feature, the protection requirement indicates the minimum requirement that the generic traffic places on the protection capability of each security engine when only any one second feature is considered in each security engine, and the number of security engines in the adapted security engine cluster is not lower than the number of first features; and extracting, based on a preset rule, a security engine cluster from the adapted security engine cluster and recording the mapping relation between the generic traffic and the security engine cluster.
The training unit is further configured to determine the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster, where the total score indicates the protection capability of a security engine for the first generic traffic; determine the feature security engines whose total score is above a set threshold; and combine the feature security engines into a security engine cluster.
The security engine scheduling apparatus further includes a quantity unit, specifically for: scheduling the first security engine cluster; determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; determining a first number and a second number based on the protection requirement of the first generic traffic; and, in the first security engine cluster of the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number and decreasing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number, where the sub-security engines are the security engines in the first security engine cluster.
The security engine scheduling apparatus further includes a weighting unit, specifically for: scheduling the first security engine cluster; determining at least one second feature for which the protection requirement of the first generic traffic lies within a set range; and, in the scheduling model, increasing the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number setting of the security engines corresponding to the second feature.
Based on the same inventive concept, an embodiment of the present application further provides a readable storage medium, including:
a memory for storing a plurality of data to be transmitted,
the memory is configured to store instructions that, when executed by the processor, cause an apparatus comprising the readable storage medium to perform a method of scheduling a security engine as described above.
It will be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (13)

1. A method for scheduling a security engine, the method comprising:
receiving first generic traffic;
extracting a first feature of the first generic traffic; wherein the first feature indicates the different characteristics exhibited by the first generic traffic when it contains different attack traffic;
determining, using a scheduling model, a first security engine cluster corresponding to the first generic traffic based on the first feature, and forwarding the first generic traffic to the first security engine cluster; wherein the scheduling model comprises a correspondence between security engine clusters and generic traffic, the security engine cluster comprises heterogeneous engines, and the heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scene.
2. The method of claim 1, wherein the first feature is one of a traffic feature, a port feature, a public network egress feature, or a protocol feature.
3. The method of claim 1 or 2, wherein determining, using the scheduling model, the first security engine cluster corresponding to the first generic traffic is preceded by:
extracting a second feature of the security engine; wherein the second feature indicates the protection characteristics of a security engine when it protects generic traffic, the security engine comprising a homogeneous engine and a heterogeneous engine;
determining, by an adaptive algorithm based on the protection relation between the first feature and the second feature, an adapted security engine cluster that meets the protection requirement of the generic traffic; wherein the adaptive algorithm is used to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for generic traffic of the first feature; the protection requirement indicates the minimum requirement that the generic traffic places on the protection capability of each security engine when only any one second feature is considered in each security engine, and the number of security engines in the adapted security engine cluster is not lower than the number of first features;
extracting, based on a preset rule, a security engine cluster from the adapted security engine cluster, and recording the mapping relation between the generic traffic and the security engine cluster.
4. The method of claim 3, wherein the second features comprise detected attack categories, occupancy of hardware resources, sending of alarm logs, and traffic forwarding rates under different protocols.
5. The method of claim 3, wherein extracting, based on the preset rule, a security engine cluster from the adapted security engine cluster comprises:
determining the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster; wherein the total score indicates the protection capability of a security engine for the first generic traffic;
determining feature security engines whose total score is above a set threshold;
combining the feature security engines into a security engine cluster.
6. The method of claim 5, wherein after the first security engine cluster corresponding to the first generic traffic is determined using the scheduling model, the method comprises:
scheduling the first security engine cluster;
determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster;
determining a first number and a second number based on the protection requirement of the first generic traffic;
in the first security engine cluster of the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number, and decreasing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number; wherein the sub-security engines are security engines in the first security engine cluster.
7. The method of claim 5, wherein after forwarding the first generic traffic to the first security engine cluster, the method comprises:
scheduling the first security engine cluster;
determining at least one second feature for which the protection requirement of the first generic traffic lies within a set range;
in the scheduling model, increasing the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number setting of the security engines corresponding to the second feature.
8. An apparatus for scheduling a security engine, the apparatus comprising:
a receiving unit: for receiving first generic traffic;
an extraction unit: for extracting a first feature of the first generic traffic; wherein the first feature indicates the different characteristics exhibited by the first generic traffic when it contains different attack traffic;
a model unit: for determining, using a scheduling model, a first security engine cluster corresponding to the first generic traffic based on the first feature, and forwarding the first generic traffic to the first security engine cluster; wherein the scheduling model comprises a correspondence between security engine clusters and generic traffic, the security engine cluster comprises heterogeneous engines, and the heterogeneous engines are security engines that differ in at least one of deployment form, detected attack type and application scene.
9. The apparatus of claim 8, further comprising a training unit for: extracting a second feature of a security engine; wherein the second feature indicates the protection characteristics of a security engine when it protects generic traffic, and the security engine comprises a homogeneous engine and a heterogeneous engine; determining, by an adaptive algorithm based on the protection relation between the first feature and the second feature, an adapted security engine cluster that meets the protection requirement of the generic traffic; wherein the adaptive algorithm is used to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for generic traffic of the first feature; the protection requirement indicates the minimum requirement that the generic traffic places on the protection capability of each security engine when only any one second feature is considered in each security engine, and the number of security engines in the adapted security engine cluster is not lower than the number of first features; and extracting, based on a preset rule, a security engine cluster from the adapted security engine cluster, and recording the mapping relation between the generic traffic and the security engine cluster.
10. The apparatus of claim 9, wherein the training unit is further configured to determine the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster; wherein the total score indicates the protection capability of a security engine for the first generic traffic; determine feature security engines whose total score is above a set threshold; and combine the feature security engines into a security engine cluster.
11. The apparatus of claim 10, further comprising a quantity unit for: scheduling the first security engine cluster; determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; determining a first number and a second number based on the protection requirement of the first generic traffic; and, in the first security engine cluster of the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number and decreasing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number, wherein the sub-security engines are security engines in the first security engine cluster.
12. The apparatus of claim 10, further comprising a weighting unit for: scheduling the first security engine cluster; determining at least one second feature for which the protection requirement of the first generic traffic lies within a set range; and, in the scheduling model, increasing the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number setting of the security engines corresponding to the second feature.
13. A readable storage medium, comprising,
a memory for storing a plurality of data to be transmitted,
the memory is for storing instructions that, when executed by the processor, cause an apparatus comprising the readable storage medium to perform the method of any of claims 1-7.
CN202210191393.3A 2022-02-28 2022-02-28 Scheduling method and device of security engine and readable storage medium Active CN114567605B (en)


Publications (2)

Publication Number Publication Date
CN114567605A true CN114567605A (en) 2022-05-31
CN114567605B CN114567605B (en) 2023-12-01



Also Published As

Publication number Publication date
CN114567605B (en) 2023-12-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant