CN114567605B - Scheduling method and device of security engine and readable storage medium - Google Patents


Info

Publication number
CN114567605B (application CN202210191393.3A)
Authority
CN
China
Prior art keywords
security engine
security
feature
traffic
cluster
Prior art date
Legal status
Active
Application number
CN202210191393.3A
Other languages
Chinese (zh)
Other versions
CN114567605A
Inventor
刘紫千
马晨
常力元
崔乾
孙福兴
王琪
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202210191393.3A
Publication of CN114567605A
Application granted
Publication of CN114567605B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/50: Queue scheduling
    • H04L47/52: Queue scheduling by attributing bandwidth to queues
    • H04L47/527: Quantum based scheduling, e.g. credit or deficit based scheduling or token bank
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441: Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a scheduling method and device for a security engine, and a readable storage medium, which address the low reliability of security protection results when general traffic is protected in the prior art. The method comprises the following steps: receiving first general traffic; extracting a first feature of the first general traffic, where the first feature indicates the different characteristics the first general traffic exhibits when it carries different attack traffic; and determining, with a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and forwarding the first general traffic to that cluster. The scheduling model contains a correspondence between security engine clusters and general traffic, where a security engine cluster comprises heterogeneous engines, and heterogeneous engines denote at least one security engine that differs in deployment form, detected attack type or application scene.

Description

Scheduling method and device of security engine and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for scheduling a security engine, and a readable storage medium.
Background
A security engine is a program or component that performs security checks on general traffic in the network according to relevant rules and function/code libraries. Common security engines include firewalls, WAFs (Web Application Firewall) and IPS (Intrusion Prevention System). Typically, a system deploys only a cluster of security engines with the same characteristics to protect general traffic. Because only security engines with identical characteristics are available, the reliability of the detection result cannot be ensured when different types of general traffic are encountered.
Therefore, in the prior art, security protection of general traffic yields results of low reliability.
Disclosure of Invention
The application provides a scheduling method and device of a security engine and a readable storage medium, which are used for solving the problem that the security protection result is low in reliability when general traffic is subjected to security protection in the prior art.
In a first aspect, the present application provides a method for scheduling a security engine, the method comprising:
receiving first general traffic;
extracting a first feature of the first general traffic; wherein the first feature indicates the different characteristics the first general traffic exhibits when it carries different attack traffic;
determining, by using a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and forwarding the first general traffic to the first security engine cluster; the scheduling model comprises a correspondence between security engine clusters and general traffic, wherein a security engine cluster comprises heterogeneous engines, and heterogeneous engines denote at least one security engine that differs in deployment form, detected attack type or application scene.
In this method the scheduling model, which covers different security engines, decides which security engine cluster to schedule for the first general traffic. Because the model records the correspondence between a first security engine cluster containing heterogeneous engines and the first general traffic, security protection can be applied in a targeted manner according to the first feature of the received first general traffic, which effectively improves the reliability of the protection result.
In one possible implementation, the first feature is one of a service feature, a port feature, a public network egress feature, or a protocol feature.
In one possible implementation, before determining the first security engine cluster corresponding to the first general traffic by using the scheduling model, the method includes:
extracting a second feature of the security engine; the second feature indicates the protection characteristic of the security engine when it performs security protection on general traffic, and the security engines comprise isomorphic engines and heterogeneous engines;
based on the protection relation between the first feature and the second feature, determining, with an adaptation algorithm, an adapted security engine cluster that meets the protection requirement of the general traffic; wherein the adaptation algorithm is configured to determine the protection requirement of the first feature for each second feature, and the protection capability of each second feature for general traffic of the first feature; the protection requirement indicates the minimum protection capability that the general traffic demands of each security engine when that security engine has only one of the second features, and the number of security engines in the adapted security engine cluster is not lower than the number of first features;
and extracting a security engine cluster from the adapted security engine cluster based on a preset rule, and recording the mapping relation between the general traffic and the security engine cluster.
In one possible implementation, the second feature includes the detected attack category, the occupation of hardware resources, the sending of alarm logs, and the traffic forwarding rate under different protocols.
In one possible implementation, extracting the security engine cluster from the adapted security engine cluster based on the preset rule includes:
determining the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster; wherein the total score indicates the protection capability of a security engine for the first general traffic;
determining the feature security engines whose total score is above a set threshold;
and combining the feature security engines into a security engine cluster.
In one possible implementation, after determining, using the scheduling model, the first security engine cluster corresponding to the first general traffic, the method includes:
scheduling the first security engine cluster;
determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster;
determining a first number and a second number based on the protection requirement of the first general traffic;
and in the first security engine cluster in the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number, and reducing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number; wherein the sub-security engines are security engines in the first security engine cluster.
In one possible implementation, after forwarding the first general traffic to the first security engine cluster, the method includes:
scheduling the first security engine cluster;
determining at least one second feature for which the protection requirement of the first general traffic lies within a set range;
and in the scheduling model, increasing the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number of security engines corresponding to the second feature.
In a second aspect, the present application provides a scheduling apparatus for a security engine, the apparatus comprising:
a receiving unit, configured to receive first general traffic;
an extraction unit, configured to extract a first feature of the first general traffic; wherein the first feature indicates the different characteristics the first general traffic exhibits when it carries different attack traffic;
a model unit, configured to determine, by using a scheduling model and based on the first feature, a first security engine cluster corresponding to the first general traffic, and to forward the first general traffic to the first security engine cluster; the scheduling model comprises a correspondence between security engine clusters and general traffic, wherein a security engine cluster comprises heterogeneous engines, and heterogeneous engines denote at least one security engine that differs in deployment form, detected attack type or application scene.
In one possible implementation, the apparatus further comprises a training unit configured to extract a second feature of the security engine, where the second feature indicates the protection characteristic of the security engine when it performs security protection on general traffic, and the security engines comprise isomorphic engines and heterogeneous engines; to determine, based on the protection relation between the first feature and the second feature and with an adaptation algorithm, an adapted security engine cluster that meets the protection requirement of the general traffic, where the adaptation algorithm is configured to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for general traffic of the first feature, the protection requirement indicates the minimum protection capability that the general traffic demands of each security engine when that security engine has only one of the second features, and the number of security engines in the adapted security engine cluster is not lower than the number of first features; and to extract a security engine cluster from the adapted security engine cluster based on a preset rule and record the mapping relation between the general traffic and the security engine cluster.
In one possible implementation, the training unit is further configured to determine the total score of each security engine in the adapted security engine cluster based on the set weight of each second feature in the adapted security engine cluster, wherein the total score indicates the protection capability of a security engine for the first general traffic; to determine the feature security engines whose total score is above a set threshold; and to combine the feature security engines into a security engine cluster.
In one possible implementation, the apparatus further includes a quantity unit configured to schedule the first security engine cluster; determine the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; determine a first number and a second number based on the protection requirement of the first general traffic; and, in the first security engine cluster in the scheduling model, increase the number of sub-security engines corresponding to the second feature with the largest set weight to the first number and reduce the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number, wherein the sub-security engines are security engines in the first security engine cluster.
In one possible implementation, the apparatus further includes a weight unit configured to schedule the first security engine cluster; determine at least one second feature for which the protection requirement of the first general traffic lies within a set range; and, in the scheduling model, increase the set weight of that second feature in the first security engine cluster according to the initial set weight of the second feature and the number of security engines corresponding to the second feature.
In a third aspect, the present application provides a readable storage medium comprising a memory, wherein the memory is configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method of the first aspect and any one of its possible implementations.
Drawings
FIG. 1 is a flow chart of a method for scheduling a security engine according to the present application;
FIG. 2 is a schematic diagram of a second feature of the security engine provided by the present application;
FIG. 3 is a schematic diagram of an adaptive security engine cluster determined during training of a scheduling model according to the present application;
FIG. 4 is a schematic diagram of security protection for generic traffic using a security engine scheduling method provided by the present application;
FIG. 5 is a schematic diagram of a training model in a method of security engine scheduling according to the present application;
FIG. 6 is a schematic structural diagram of a scheduling device of a security engine according to the present application.
Detailed Description
To address the low reliability of security protection results obtained through a security engine cluster in the prior art, the application provides a scheduling method for a security engine that fuses heterogeneous engines into a scheduling model and, after receiving general traffic, schedules engines according to the traffic features. Security protection is thereby applied to the general traffic in a targeted manner, improving the reliability of its security protection result.
In order to better understand the above technical solutions, the following detailed description of the technical solutions of the present application is made by using the accompanying drawings and specific embodiments, and it should be understood that the specific features of the embodiments and the embodiments of the present application are detailed descriptions of the technical solutions of the present application, and not limiting the technical solutions of the present application, and the embodiments and the technical features of the embodiments of the present application may be combined with each other without conflict.
Referring to FIG. 1, an embodiment of the present application provides a method for scheduling a security engine, which addresses the low reliability of security protection results when general traffic is protected in the prior art. The method comprises the following steps:
Step 101: first general traffic is received.
Specifically, the first general traffic is real traffic in the network, such as data packets transmitted over the internet.
Step 102: a first feature of the first general traffic is extracted.
The first feature indicates the different characteristics the first general traffic exhibits when it carries different attack traffic.
Specifically, the first general traffic can be differentiated along different dimensions, and the differentiating dimension is the first feature. The first feature may be one of a service feature, a port feature, a public network egress feature, or a protocol feature of the general traffic. The service feature may be a traffic category, such as web site traffic. The port feature may be an identifier of the port that uniquely identifies it (e.g., the port number).
Step 103: a first security engine cluster corresponding to the first general traffic is determined by using a scheduling model and based on the first feature, and the first general traffic is forwarded to the first security engine cluster.
The scheduling model comprises a correspondence between security engine clusters and general traffic, wherein a security engine cluster comprises heterogeneous engines, and heterogeneous engines denote at least one security engine that differs in deployment form, detected attack type or application scene. Deployment forms include, but are not limited to, cloud deployment, hardware deployment and software deployment.
Heterogeneous engines in embodiments of the present application include, but are not limited to, firewalls, internet access behavior management, WAF (Web Application Firewall), IPS (Intrusion Prevention System) and IDS (Intrusion Detection System).
Before the scheduling model can be used to decide which security engine cluster to schedule, it must be trained, as described below.
First, a second feature of the security engine is extracted. The second feature indicates the protection characteristic of the security engine when it performs security protection on general traffic, and the security engines comprise isomorphic engines and heterogeneous engines. The second feature includes, but is not limited to, the detected attack category, the occupation of hardware resources, the sending of alarm logs, and the traffic forwarding rate under different protocols; FIG. 2 is a schematic diagram of the second feature. Within the second feature, the occupation of hardware covers the CPU (central processing unit), hard disk, memory and the like; the detected attack category covers Web attacks (application attacks), brute-force cracking and the like; the traffic forwarding rate under different protocols may be the forwarding rate of general traffic under TCP, under UDP, under FTP and so on; and the sending of alarm logs may be the sending rate of alarm logs. The second feature therefore distinguishes not only heterogeneous engines but also isomorphic engines: the second features of isomorphic engines (detected attack category, occupation of hardware resources, sending of alarm logs, traffic forwarding rate under different protocols) are not all identical. Since the second feature is split into several kinds, the protection capability of a security engine for general traffic can be expressed clearly along several separate aspects.
Then, based on the protection relation between the first feature and the second feature, an adaptation algorithm determines an adapted security engine cluster that meets the protection requirement of the general traffic. The adaptation algorithm determines the protection requirement of the first feature for each second feature and the protection capability of each second feature for general traffic of the first feature; the protection requirement indicates the minimum protection capability the general traffic demands of each security engine when that engine has only one of the second features; and the number of security engines in the adapted security engine cluster is not lower than the number of first features.
It should be noted that, in the embodiment of the present application, the protection capability of any security engine and the protection requirement of any general traffic can be quantified as a specific score.
Finally, a security engine cluster is extracted from the adapted security engine cluster based on a preset rule, and the mapping relation between the general traffic and the security engine cluster is recorded. Specifically, the total score of each security engine in the adapted security engine cluster is first determined from the set weight of each second feature in the adapted security engine cluster, where the total score indicates the protection capability of a security engine for the first general traffic. Then the feature security engines whose total score is above a set threshold are determined. Finally, the feature security engines are combined into a security engine cluster.
The adaptation algorithm and the determination of the security engine cluster are illustrated below. As shown in FIG. 3, the first security engine, the second security engine, the third security engine, the fourth security engine ... are all security engines. Feature 1, feature 2, feature 3 and feature 4 are the second features of the security engines, namely the detected attack category, the occupation of hardware resources, the sending of alarm logs, and the traffic forwarding rate under different protocols. When the scheduling model is trained on the basis of FIG. 3, the general traffic input to the security engines consists of several known general traffic samples whose first features are determined and differ from one another.
When the adaptation algorithm is used, a control-variable method is first applied to measure the protection capability of each feature of each security engine for the known general traffic of a known first feature; protection capability can be represented by a score, a higher score representing higher protection capability. That is, features 2, 3 and 4 of all security engines in part (a) of FIG. 3 are first set to be identical, i.e. the protection capabilities corresponding to features 2 to 4 are the same for every security engine. The known general traffic is then input into the first, second, third, fourth ... security engine in turn, and the protection capability of feature 1 of each security engine for the known general traffic of the known first feature is tested. Features 2 to 4 of each security engine are tested against the known general traffic in the same way, so that a matrix is obtained. In the matrix, the columns correspond to the second features of the security engines (feature 1 to feature 4), the rows correspond to the security engines (first, second, third, fourth security engine), and each element is the protection capability of one second feature (feature 1, 2, 3 or 4) of one security engine for the known general traffic of the known first feature.
The protection requirement of the known general traffic of the first feature for each second feature is obtained and compared with each protection capability in the matrix, and the security engines whose protection capability meets the protection requirement are selected. In part (a) of FIG. 3, the content outlined by the ellipse is the first security engine and the second security engine, which are the security engines whose protection capability of feature 1 meets the protection requirement of the known general traffic of the known first feature. The security engines whose protection capability of feature 2 meets the protection requirement of the known general traffic are the first security engine and the third security engine. The security engine whose protection capability of feature 3 meets the protection requirement is the first security engine. The security engines whose protection capability of feature 4 meets the protection requirement are the second security engine and the third security engine.
This operation yields the adapted security engine cluster shown in part (b) of FIG. 3, where 0 means that the protection capability represented by that feature of the corresponding security engine cannot satisfy the protection requirement of the known general traffic. Here too the protection requirement may be represented by a score, a higher score representing a higher protection requirement for a second feature. The set weights (A to D) of the second features in the adapted security engine cluster are then used to determine a total score for each security engine in the adapted security engine cluster, where the weights A to D are set to specific values according to the first feature of the known general traffic. The total score of the first security engine (S1) is: S1 = x11*A + x12*B + x13*C + 0. Similarly, the total scores of the second security engine (S2) and the third security engine (S3) are: S2 = x21*A + 0 + 0 + x24*D; S3 = 0 + x32*B + 0 + x34*D. S1, S2 and S3 of the adapted security engine cluster are compared with the set threshold. If S1 and S2 are above the threshold while S3 is not, it can be determined that the protection capability of the third security engine as a whole, over every item of the second feature (features 1 to 4), cannot satisfy the known general traffic, whereas the first security engine and the second security engine are both feature security engines and can be combined into a security engine cluster; that is, the security engine cluster formed by the first and second security engines protects the known general traffic of the first feature from different aspects.
At this point, according to the foregoing result, the mapping relation between the security engine cluster formed by the first security engine and the second security engine and the first feature of the known general traffic can be recorded.
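The adaptation algorithm of FIG. 3 (masking the capability matrix against the requirement, weighted total scores S1 to S3, threshold selection, recording the mapping) and the lookup of steps 101 to 103 that consumes that mapping, carried through in Python. This is an added example and not code from the patent or from Tianyi Safety Technology; the capability scores, the requirement values, the weights A to D, the threshold and the port-based rule that assigns the service feature "web" are all constructed for illustration. The coverage check in select_cluster and the refusal to schedule traffic with no recorded mapping are additions a practitioner would want, not steps the text states.

```python
from typing import Dict, List, Tuple

# The four second features of a security engine (columns of the matrix in FIG. 3).
FEATURES: Tuple[str, ...] = (
    "attack_category",    # feature 1: detected attack category
    "hw_resource_usage",  # feature 2: occupation of hardware resources
    "alarm_log_rate",     # feature 3: sending of alarm logs
    "forwarding_rate",    # feature 4: traffic forwarding rate under different protocols
)

# Constructed capability matrix (rows: engines, columns: FEATURES). The values stand
# for scores measured with the control-variable method; they are illustrative only.
CAPABILITY: Dict[str, Tuple[int, ...]] = {
    "engine1": (80, 70, 75, 20),
    "engine2": (65, 30, 10, 90),
    "engine3": (20, 55, 40, 50),
    "engine4": (10, 10, 10, 10),
}

# Constructed protection requirement of known general traffic, keyed by its first
# feature (a service feature, here "web"): the minimum capability the traffic
# demands of an engine for each second feature.
REQUIREMENT: Dict[str, Tuple[int, ...]] = {"web": (60, 50, 70, 40)}

# Constructed set weights A..D per first feature (integers keep the arithmetic
# exact) and a constructed score threshold.
WEIGHTS: Dict[str, Tuple[int, ...]] = {"web": (4, 3, 2, 1)}
THRESHOLD = 300


def adapted_cluster(first_feature: str) -> Dict[str, Tuple[int, ...]]:
    """Part (a) -> part (b) of FIG. 3: keep a capability only where it meets the
    requirement and write 0 elsewhere; an engine meeting no requirement drops out."""
    req = REQUIREMENT[first_feature]
    adapted = {}
    for engine, caps in CAPABILITY.items():
        masked = tuple(c if c >= r else 0 for c, r in zip(caps, req))
        if any(masked):
            adapted[engine] = masked
    # The text requires at least as many engines in the adapted cluster as first features.
    if len(adapted) < len(REQUIREMENT):
        raise ValueError("adapted cluster smaller than the number of first features")
    return adapted


def total_scores(adapted: Dict[str, Tuple[int, ...]], first_feature: str) -> Dict[str, int]:
    """S_i = x_i1*A + x_i2*B + x_i3*C + x_i4*D over the masked matrix."""
    w = WEIGHTS[first_feature]
    return {e: sum(x * a for x, a in zip(caps, w)) for e, caps in adapted.items()}


def select_cluster(scores: Dict[str, int], adapted: Dict[str, Tuple[int, ...]],
                   threshold: int = THRESHOLD) -> List[str]:
    """Feature security engines are those scoring above the threshold. Added check:
    every second feature must be covered by at least one selected engine that met
    the requirement, otherwise the traffic is only partly protected and the gap is
    reported instead of being silently mapped."""
    cluster = sorted(e for e, s in scores.items() if s > threshold)
    uncovered = [f for i, f in enumerate(FEATURES)
                 if not any(adapted[e][i] > 0 for e in cluster)]
    if uncovered:
        raise ValueError(f"cluster leaves second features uncovered: {uncovered}")
    return cluster


def train(first_feature: str) -> Dict[str, List[str]]:
    """Record the mapping first feature -> security engine cluster."""
    adapted = adapted_cluster(first_feature)
    return {first_feature: select_cluster(total_scores(adapted, first_feature), adapted)}


def extract_first_feature(traffic: dict) -> str:
    """Steps 101-102: derive the service feature from a traffic record.
    Constructed rule: TCP to an HTTP(S) port is classified as 'web'."""
    if traffic.get("protocol") == "TCP" and traffic.get("dst_port") in (80, 443, 8080):
        return "web"
    return "unknown"


def schedule(traffic: dict, model: Dict[str, List[str]]) -> List[str]:
    """Step 103: look up the cluster for the traffic's first feature. Traffic with no
    recorded mapping is reported rather than forwarded to an arbitrary engine."""
    feature = extract_first_feature(traffic)
    if feature not in model:
        raise LookupError(f"no security engine cluster mapped for first feature {feature!r}")
    return model[feature]


if __name__ == "__main__":
    model = train("web")
    print(model)  # {'web': ['engine1', 'engine2']}
    print(schedule({"protocol": "TCP", "dst_port": 443}, model))
```

With these constructed numbers engine4 meets no requirement and never enters the adapted cluster, S1 = 680 and S2 = 350 clear the threshold while S3 = 215 does not, and engines 1 and 2 together cover all four second features, which reproduces the outcome the text describes for FIG. 3.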
After training of the scheduling model is completed, once the first feature of the received first general traffic has been determined, the scheduling model is used to determine the first security engine cluster corresponding to that first feature and to schedule the security engines, so that security protection of the first general traffic is achieved.
Further, after the first security engine cluster corresponding to the first general traffic has been determined by using the scheduling model, the scheduling model may be adjusted adaptively according to the specific situation of each received first general traffic, to ensure the reliability of the security protection result that the scheduled first security engine cluster produces for the first general traffic. Two embodiments are provided for reference.
In the first embodiment, the number of sub-security engines in the first security engine cluster is adjusted adaptively according to the protection requirement of the first general traffic; the sub-security engines are security engines in the first security engine cluster.
First, the first security engine cluster is scheduled, and the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster are determined.
The first number and the second number are then determined based on the protection requirement of the first general traffic. The first number is the ideal number of security engines (i.e. sub-security engines in the first security engine cluster) that protect the first general traffic on the basis of the second feature with the largest set weight; the second number is the ideal number of security engines (sub-security engines in the first security engine cluster) that protect the first general traffic on the basis of the second feature with the smallest set weight.
Finally, in the first security engine cluster in the scheduling model, the number of sub-security engines corresponding to the second feature with the largest set weight is increased to the first number, and the number of sub-security engines corresponding to the second feature with the smallest set weight is reduced to the second number.
In the second embodiment, the set weight of each second feature in the first security engine cluster is adjusted adaptively according to the protection requirement of the first general traffic. Because the second features of the first security engines protect the first general traffic from different angles (aspects), the first general traffic of any first feature has a protection requirement for every second feature of the security engine. Thus, after the first security engine cluster has been scheduled, at least one second feature for which the protection requirement of the first general traffic lies within a set range can be determined. Then, in the scheduling model, the set weight of that second feature in the first security engine cluster is increased according to the initial set weight of the second feature and the number of security engines corresponding to the second feature.
It should be noted that, when the above security engine scheduling method is used, updating of the scheduling model is not limited to these two embodiments; moreover, the two embodiments can be combined to obtain more reliable protection results.
In summary, after determining the first feature of the received first general traffic, the scheduling method for the security engine provided in the embodiment of the present application uses the scheduling model to make a decision to schedule the first security engine cluster, which includes not only the isomorphic engine but also the heterogeneous engine, and performs security protection on the first general traffic under the first feature from different angles and different dimensions, so that the problem that the reliability of the protection result is low due to the single protection effect of the isomorphic engine cluster on the first general traffic is avoided. As shown in fig. 4, a schematic diagram of security protection for general traffic using a security engine scheduling method is shown. First, feature learning is performed on the universal flow to determine a first feature of the universal flow. After training (training) the general traffic input model with the known first feature, the isomorphic engine and the heterogeneous engine for protecting the security of the received general traffic can be determined and scheduled by the model after the general traffic is received. And after the received universal traffic is subjected to safety protection, information feedback is carried out to update the model in time. The feedback mode can be real-time feedback or feedback at intervals of set time.
Further, the training model of fig. 4 may be described as shown in fig. 5. In the model training process, data preprocessing is first required. I.e. determining the protection requirements of the aforementioned generic flow of the known first feature for each second feature in the model. Then, since the determination of the second features of the security engines is divided from different dimensions, the training of each second feature actually corresponds to the training of the model in one dimension, that is, the control variable method can be used for carrying out multi-time single-dimensional training on the model to determine the protection capability of the second feature of each dimension of each security engine on the universal flow of the first feature, so that the protection requirement of the universal flow of the first feature and the protection capability of the security engine corresponding to the second feature can be compared. Then, based on the first feature, a weight is determined for the second feature of each dimension in the model, and the weight of the second feature of each dimension may be set to be the same at the beginning of model training. Thus, a multidimensional (a plurality of second characteristics) model can be constructed for scheduling of different security engines to perform more effective security protection on different general flows.
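The scheduling model and the two adaptive adjustments described above, as an added Python illustration that is not the patent's own code: engine names, capability scores, the requirement values, the threshold, the replica counts per engine and the weight-update formula are all constructed assumptions.

```python
# Added illustration, not the patent's code: engines, scores, weights and thresholds
# are constructed; the weight-update formula in adjust_weights is an assumption.
from dataclasses import dataclass

# Second features as enumerated in claim 3 (ties in max/min resolve to this order).
SECOND_FEATURES = ("attack_category", "hw_occupancy", "alert_log", "forward_rate")

@dataclass
class SecurityEngine:
    name: str
    kind: str         # "isomorphic" or "heterogeneous"
    capability: dict  # second feature -> protection capability, 0..1
    def primary_feature(self):
        """The second feature this engine is strongest at (the one it 'corresponds to')."""
        return max(SECOND_FEATURES, key=lambda f: self.capability[f])

def eng(name, kind, *caps):
    return SecurityEngine(name, kind, dict(zip(SECOND_FEATURES, caps)))

def total_score(engine, weights):
    """Weighted sum of the engine's capabilities over all second features."""
    return sum(weights[f] * engine.capability[f] for f in SECOND_FEATURES)

def adapt(engines, requirement, n_first_features):
    """Adaptation algorithm: an engine qualifies only if its capability meets the
    traffic's minimum requirement for every second feature; the adaptive cluster
    may not be smaller than the number of first features."""
    adapted = [e for e in engines
               if all(e.capability[f] >= requirement[f] for f in SECOND_FEATURES)]
    if len(adapted) < n_first_features:
        raise ValueError("adaptive cluster smaller than the number of first features")
    return adapted

def extract_cluster(adapted, weights, threshold, replicas=2):
    """Preset rule: keep engines whose total score is above the threshold. A cluster
    maps engine name -> number of sub-security engines (replica count, assumed)."""
    return {e.name: replicas for e in adapted if total_score(e, weights) > threshold}

def train(first_feature, engines, requirement, weights, threshold, n_first_features=1):
    """Record the mapping first feature -> security engine cluster (the scheduling model)."""
    adapted = adapt(engines, requirement, n_first_features)
    return {first_feature: extract_cluster(adapted, weights, threshold)}

def schedule(model, first_feature):
    """Look up the first security engine cluster for the received traffic's first feature."""
    return dict(model[first_feature])

def adjust_counts(cluster, by_name, weights, first_number, second_number):
    """Embodiment 1: raise sub-engines corresponding to the max-weight second feature
    to first_number; lower those for the min-weight feature to second_number."""
    f_max = max(SECOND_FEATURES, key=weights.get)
    f_min = min(SECOND_FEATURES, key=weights.get)
    out = dict(cluster)
    for name in out:
        primary = by_name[name].primary_feature()
        if primary == f_max:
            out[name] = max(out[name], first_number)
        elif primary == f_min:
            out[name] = min(out[name], second_number)
    return out

def adjust_weights(cluster, by_name, initial_weights, requirement, low, high):
    """Embodiment 2: for second features whose protection requirement lies in the set
    range [low, high], raise the weight from its initial value according to the number
    of sub-engines corresponding to that feature (assumed: w * (1 + n_f / n_total))."""
    n_total = sum(cluster.values())
    new = dict(initial_weights)
    for f in SECOND_FEATURES:
        if low <= requirement[f] <= high:
            n_f = sum(c for n, c in cluster.items() if by_name[n].primary_feature() == f)
            new[f] = initial_weights[f] * (1 + n_f / n_total)
    return new

# Constructed sample engines; capability order: attack, hw, alert, forward.
ENGINES = [
    eng("ids-a", "isomorphic", 0.9, 0.6, 0.7, 0.5),
    eng("ids-b", "isomorphic", 0.85, 0.6, 0.6, 0.5),
    eng("waf", "heterogeneous", 0.7, 0.9, 0.5, 0.8),
    eng("scrubber", "heterogeneous", 0.5, 0.9, 0.4, 0.95),
]
BY_NAME = {e.name: e for e in ENGINES}
# Minimum capability that traffic with the first feature "port_feature" requires (constructed).
REQUIREMENT = dict(zip(SECOND_FEATURES, (0.6, 0.5, 0.4, 0.5)))
INITIAL_WEIGHTS = {f: 0.25 for f in SECOND_FEATURES}  # equal at the start of training

def run_demo():
    """Train, schedule, then apply both adaptive adjustments; returns each stage's result."""
    model = train("port_feature", ENGINES, REQUIREMENT, INITIAL_WEIGHTS, threshold=0.65)
    cluster = schedule(model, "port_feature")          # ids-a and waf; ids-b scores 0.6375
    weights = adjust_weights(cluster, BY_NAME, INITIAL_WEIGHTS, REQUIREMENT, 0.55, 0.65)
    resized = adjust_counts(cluster, BY_NAME, weights, first_number=3, second_number=1)
    return {"cluster": cluster, "weights": weights, "resized": resized}

if __name__ == "__main__":
    print(run_demo())
```

The scrubber is dropped by the adaptation step (its attack-category capability is below the requirement), ids-b by the score threshold, and the surviving cluster still mixes an isomorphic and a heterogeneous engine.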
Based on the same inventive concept, an embodiment of the present application provides a scheduling device for a security engine. The device corresponds to the security engine scheduling method shown in fig. 1, and its specific implementation may refer to the description of the foregoing method embodiments, which is not repeated here. Referring to fig. 6, the device includes:
a receiving unit 601, for receiving first general traffic.
Specifically, the first general traffic refers to real traffic in the network.
An extraction unit 602, for extracting a first feature of the first general traffic.
The first feature indicates the different characteristics exhibited by the first general traffic when it contains different attack traffic.
Specifically, the first feature is one of a traffic feature, a port feature, a public network egress feature, or a protocol feature.
A model unit 603, for determining, using a scheduling model, a first security engine cluster corresponding to the first general traffic based on the first feature, and forwarding the first general traffic to the first security engine cluster.
The scheduling model comprises a correspondence between security engine clusters and general traffic, where a security engine cluster comprises heterogeneous engines, and the heterogeneous engines indicate at least one security engine that differs in deployment form, detected attack type and application scenario.
The security engine scheduling device further comprises a training unit, which is specifically configured to: extract second features of the security engines, where a second feature indicates a protection characteristic of a security engine when it protects general traffic, and the security engines comprise isomorphic engines and heterogeneous engines; based on the protection relation between the first feature and the second features, determine, using an adaptation algorithm, an adaptive security engine cluster that meets the protection requirement of the general traffic, where the adaptation algorithm is configured to determine the protection requirement of the first feature for each second feature and the protection capability of each second feature for general traffic with the first feature, the protection requirement indicates the minimum protection capability that the general traffic requires of each security engine when that security engine has only one of the second features, and the number of security engines in the adaptive security engine cluster is not lower than the number of first features; and extract a security engine cluster from the adaptive security engine cluster based on a preset rule and record the mapping between the general traffic and the security engine cluster.
The training unit is further configured to determine a total score for each security engine in the adaptive security engine cluster based on the set weight of each second feature in the adaptive security engine cluster, where the total score indicates a security engine's protection capability for the first general traffic; determine the security engines whose total score is above a set threshold; and combine those security engines into a security engine cluster.
The security engine scheduling device further comprises a quantity unit, which is specifically configured to: schedule the first security engine cluster; determine the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; determine a first number and a second number based on the protection requirement of the first general traffic; and, in the first security engine cluster in the scheduling model, increase the number of sub-security engines corresponding to the second feature with the largest set weight to the first number and reduce the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number, where the sub-security engines are the security engines in the first security engine cluster.
The security engine scheduling device further comprises a weight unit, which is specifically configured to: schedule the first security engine cluster; determine the second feature corresponding to at least one protection requirement of the first general traffic that lies within a set range; and, in the scheduling model, raise the set weight of the corresponding second feature in the first security engine cluster according to the initial set weight of that second feature and the set number of security engines corresponding to it.
Based on the same inventive concept, an embodiment of the present application also provides a readable storage medium, comprising:
a memory,
where the memory is configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the security engine scheduling method described above.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. The specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which are not described herein.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a universal serial bus flash disk (Universal Serial Bus flash disk), a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, or other various media capable of storing program codes.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (7)

1. A method for scheduling a security engine, the method comprising:
extracting a second feature of the security engine; wherein the second feature indicates a protection characteristic of the security engine when the security engine protects general traffic, and the security engine comprises an isomorphic engine and a heterogeneous engine;
based on a protection relation between a first feature of the general traffic and the second feature, determining, using an adaptation algorithm, an adaptive security engine cluster that meets a protection requirement of the general traffic; wherein the adaptation algorithm is configured to determine the protection requirement of the first feature of the general traffic for each second feature, and the protection capability of each second feature for the general traffic; the protection requirement indicates the minimum protection capability that the general traffic requires of each security engine when that security engine has only one of the second features, and the number of security engines in the adaptive security engine cluster is not lower than the number of first features of the general traffic;
based on a set weight of each second feature in the adaptive security engine cluster, determining a total score of each security engine in the adaptive security engine cluster; wherein the total score indicates a security engine's protection capability for the first general traffic; determining the security engines whose total score is above a set threshold; combining those security engines into a security engine cluster, and recording the mapping between the general traffic and the security engine cluster to obtain a scheduling model;
receiving first general traffic;
extracting a first feature of the first general traffic; wherein the first feature of the first general traffic indicates different characteristics that the first general traffic exhibits when it contains different attack traffic;
determining, using the scheduling model, a first security engine cluster corresponding to the first general traffic based on the first feature of the first general traffic, and forwarding the first general traffic to the first security engine cluster; wherein the scheduling model comprises a correspondence between security engine clusters and general traffic, the security engine cluster comprises heterogeneous engines, and the heterogeneous engines indicate at least one security engine that differs in deployment form, detected attack type and application scenario;
scheduling the first security engine cluster; determining the second feature corresponding to at least one protection requirement of the first general traffic that lies within a set range; and, in the scheduling model, raising the set weight of the corresponding second feature in the first security engine cluster according to the initial set weight of the second feature and the set number of security engines corresponding to the second feature.
2. The method of claim 1, wherein the first feature is one of a traffic feature, a port feature, a public network egress feature, or a protocol feature.
3. The method of claim 1, wherein the second feature comprises a detected attack category, occupancy of hardware resources, transmission of alert logs, and traffic forwarding rates under different protocols.
4. The method of claim 1, wherein, after determining the first security engine cluster corresponding to the first general traffic using the scheduling model, the method further comprises:
scheduling the first security engine cluster;
determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster;
determining a first number and a second number based on the protection requirement of the first general traffic;
in the first security engine cluster in the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number, and reducing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number; wherein the sub-security engines are security engines in the first security engine cluster.
5. A scheduling apparatus for a security engine, the apparatus comprising:
a training unit, for extracting a second feature of the security engine; wherein the second feature indicates a protection characteristic of the security engine when the security engine protects general traffic, and the security engine comprises an isomorphic engine and a heterogeneous engine; based on a protection relation between a first feature of the general traffic and the second feature, determining, using an adaptation algorithm, an adaptive security engine cluster that meets a protection requirement of the general traffic; wherein the adaptation algorithm is configured to determine the protection requirement of the first feature of the general traffic for each second feature, and the protection capability of each second feature for the general traffic; the protection requirement indicates the minimum protection capability that the general traffic requires of each security engine when that security engine has only one of the second features, and the number of security engines in the adaptive security engine cluster is not lower than the number of first features of the general traffic; based on a set weight of each second feature in the adaptive security engine cluster, determining a total score of each security engine in the adaptive security engine cluster; wherein the total score indicates a security engine's protection capability for the first general traffic; determining the security engines whose total score is above a set threshold; combining those security engines into a security engine cluster, and recording the mapping between the general traffic and the security engine cluster to obtain a scheduling model;
a receiving unit, for receiving first general traffic;
an extraction unit, for extracting a first feature of the first general traffic; wherein the first feature of the first general traffic indicates different characteristics that the first general traffic exhibits when it contains different attack traffic;
a model unit, for determining, using the scheduling model, a first security engine cluster corresponding to the first general traffic based on the first feature of the first general traffic, and forwarding the first general traffic to the first security engine cluster; wherein the scheduling model comprises a correspondence between security engine clusters and general traffic, the security engine cluster comprises heterogeneous engines, and the heterogeneous engines indicate at least one security engine that differs in deployment form, detected attack type and application scenario;
a weight unit, for scheduling the first security engine cluster; determining the second feature corresponding to at least one protection requirement of the first general traffic that lies within a set range; and, in the scheduling model, raising the set weight of the corresponding second feature in the first security engine cluster according to the initial set weight of the second feature and the set number of security engines corresponding to the second feature.
6. The apparatus of claim 5, further comprising a quantity unit, for scheduling the first security engine cluster; determining the second feature with the largest set weight and the second feature with the smallest set weight in the first security engine cluster; determining a first number and a second number based on the protection requirement of the first general traffic; and, in the first security engine cluster in the scheduling model, increasing the number of sub-security engines corresponding to the second feature with the largest set weight to the first number, and reducing the number of sub-security engines corresponding to the second feature with the smallest set weight to the second number, wherein the sub-security engines are security engines in the first security engine cluster.
7. A readable storage medium, comprising:
a memory,
where the memory is configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method of any one of claims 1 to 4.
CN202210191393.3A 2022-02-28 2022-02-28 Scheduling method and device of security engine and readable storage medium Active CN114567605B (en)
Publications (2)

Publication Number Publication Date
CN114567605A CN114567605A (en) 2022-05-31
CN114567605B true CN114567605B (en) 2023-12-01