CN115955347A - Intrusion prevention rule processing method, device, equipment and medium

Info

Publication number: CN115955347A
Application number: CN202211649796.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 彭海洋
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Prior art keywords: rule, matching, target, weight, intrusion prevention

Abstract

Embodiments of the disclosure relate to an intrusion prevention rule processing method, apparatus, device and medium. The method includes: obtaining a message to be processed; matching it sequentially against a preset intrusion prevention rule base to obtain a target rule, and recording the match count of the target rule, where the rules in the rule base are sorted by matching weight; updating the matching weight of the target rule when its match count is greater than a preset count threshold; and obtaining the current danger level of the target rule and the weight threshold corresponding to that level, adjusting the danger level of the target rule according to its matching weight and the weight threshold, and processing the message. With this scheme the rule matching order is adjusted dynamically during operation according to match counts and the matching weight of hot-spot rules is raised, which improves matching efficiency; in addition, the attack danger level is adjusted dynamically so that attacks are judged and blocked more effectively, further improving data security.

Description

Intrusion prevention rule processing method, device, equipment and medium
Technical Field
The present disclosure relates to the field of data security technologies, and in particular, to a method, an apparatus, a device, and a medium for processing intrusion prevention rules.
Background
As network attack techniques advance and new security vulnerabilities are continually discovered, the combination of a traditional firewall with a traditional IDS (intrusion detection system) can no longer handle some security threats. Intrusion prevention technology was developed for this situation. An Intrusion Prevention System (IPS) identifies malicious traffic in real time and actively intercepts and blocks network attacks, so as to prevent the network paralysis that attacks cause and avoid unnecessary loss of persons and property.
Existing intrusion prevention technology can inspect data traffic in depth, discard malicious messages to block attacks, and rate-limit traffic to malicious websites to protect bandwidth, among other functions. In the commonly used protection mode an intrusion prevention rule base is used: the rule fields of attack messages must be predefined in the rule base, messages are matched against the rules sequentially, and the processing mode for each message (discard or forward) is determined.
Disclosure of Invention
In order to solve the technical problems or at least partially solve the technical problems, the disclosure provides an intrusion prevention rule processing method, an intrusion prevention rule processing device, an intrusion prevention rule processing apparatus, and a medium.
An embodiment of the disclosure provides an intrusion prevention rule processing method comprising the following steps:
obtaining a message to be processed;
matching the message sequentially against a preset intrusion prevention rule base to obtain a target rule, and recording the match count of the target rule, where the rules in the rule base are sorted by matching weight;
updating the matching weight of the target rule when the match count is greater than a preset count threshold; and
obtaining the current danger level of the target rule and the weight threshold corresponding to that level, adjusting the danger level of the target rule according to its matching weight and the weight threshold, and processing the message.
An embodiment of the disclosure further provides an intrusion prevention rule processing apparatus comprising:
a message acquisition module for obtaining a message to be processed;
a matching and marking module for matching the message sequentially against a preset intrusion prevention rule base to obtain a target rule and recording the match count of the target rule, where the rules in the rule base are sorted by matching weight;
an updating module for updating the matching weight of the target rule when the match count is greater than a preset count threshold;
a rule information acquisition module for obtaining the current danger level of the target rule and the weight threshold corresponding to that level; and
a message processing module for adjusting the danger level of the target rule according to its matching weight and the weight threshold.
An embodiment of the present disclosure further provides an electronic device, which includes: a processor; a memory for storing the processor-executable instructions; the processor is used for reading the executable instructions from the memory and executing the instructions to realize the intrusion prevention rule processing method provided by the embodiment of the disclosure.
The embodiment of the present disclosure also provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program is used to execute the intrusion prevention rule processing method provided by the embodiment of the present disclosure.
Compared with the prior art, the technical scheme of the embodiment has the following advantages. A message to be processed is obtained and matched sequentially against a preset intrusion prevention rule base to obtain a target rule, and the match count of the target rule is recorded; the rules in the rule base are sorted by matching weight; when the match count is greater than a preset count threshold, the matching weight of the target rule is updated; the current danger level of the target rule and the weight threshold corresponding to that level are obtained, the danger level is adjusted according to the rule's matching weight and the weight threshold, and the message is processed. With this scheme the rule matching order is adjusted dynamically during operation according to match counts and the matching weight of hot-spot rules is raised, which improves matching efficiency; in addition, the attack danger level is adjusted dynamically so that attacks are judged and blocked more effectively, further improving data security.
Drawings
The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a schematic flowchart of an intrusion prevention rule processing method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another intrusion prevention rule processing method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an intrusion prevention rule processing apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
In the traditional intrusion detection mode, sequential matching against a fixed rule order has poor real-time behaviour or insufficient performance in scenarios with strict real-time or throughput requirements. To address this, the embodiment of the disclosure provides an intrusion prevention rule processing method that feeds actual traffic into a training rule base, judges and records matching information dynamically according to the rule matching conditions, finds hot rules (rules that are matched or triggered frequently), adjusts the rule matching order dynamically during operation and raises the matching weight of the hot rules, so that matching efficiency improves; in the process the attack danger level (defined and assigned in each rule) is taken into account so that attacks are judged and blocked more effectively.
Fig. 1 is a flowchart illustrating an intrusion prevention rule processing method according to an embodiment of the present disclosure, where the method may be executed by an intrusion prevention rule processing apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 1, the method includes:
Step 101: obtain a message to be processed.
Step 102: match the message sequentially against a preset intrusion prevention rule base to obtain a target rule, and record the match count of the target rule; the rules in the rule base are sorted by matching weight.
In the embodiment, the message to be processed is any message that is to undergo rule matching; which messages are selected depends on the application scenario.
The rules in the rule base are sorted by their matching weights, that is, the higher the weight, the earlier the rule appears in the order. When a message is matched sequentially against the rule base, the rules with larger matching weights are therefore tried first, which improves matching efficiency.
After the message has been matched sequentially against the rule base, the matched target rule is obtained and its match count is recorded; that is, each time the target rule matches a message, its match count is incremented by one.
Step 103: when the match count is greater than a preset count threshold, update the matching weight of the target rule.
The count threshold may be set according to the requirements of the application. When the match count exceeds it, the target rule is a hot rule, that is, one that is matched or triggered frequently. To improve matching efficiency further, the matching weight of the target rule is updated, that is, increased, so that the rule moves further forward in the order and is tried earlier when subsequent messages are matched sequentially against the rule base.
Step 104: obtain the current danger level of the target rule and the weight threshold corresponding to that level, adjust the danger level of the target rule according to its matching weight and the weight threshold, and process the message.
Each rule has a corresponding danger level, and a rule with a higher danger level generally needs prompt handling when a message matches it. Therefore the current danger level of the target rule is obtained, the weight threshold corresponding to that level is obtained, the danger level of the target rule is adjusted according to its matching weight and the weight threshold, and the message is processed.
When the matching weight of the target rule is greater than the weight threshold, the actual danger level of the rule should be higher than its current level, so the danger level is raised. For example, rule A currently has a low danger level and the matching weight threshold is 0.05; if the matching weight of rule A exceeds 0.05, attacks matching rule A are occurring frequently and further reminders or warnings are needed, so the danger level reported in the recorded attack log is raised to medium.
In an embodiment, processing the message includes: when the current danger level of the target rule is low, generating prompt information and sending it to the target device; when the current danger level of the target rule is medium or high, discarding the message, generating prompt information and sending it to the target device.
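The following is an added example, not code from the patent or from Topsec: a minimal weight-ordered rule base that walks through steps 101 to 104 on constructed packets. The payload signatures, the count threshold, the per-level weight thresholds, the additive weight step and the sample packets are all assumptions; the page only states that the updated weight is larger than the current one. The high level acts as a ceiling, as the detailed description below says, and the low level forwards with an alert while medium and high drop the message.

```python
# Added example (not the patent's own code): a minimal weight-ordered IPS rule
# base implementing steps 101-104. Signatures, thresholds, the additive weight
# update and the sample packets are constructed assumptions.
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "low", "medium", "high"
# Escalation path; a rule already at high stays at high (the page's ceiling rule).
NEXT_LEVEL = {LOW: MEDIUM, MEDIUM: HIGH, HIGH: HIGH}


@dataclass
class Rule:
    rule_id: str        # unique identifier, never reused
    pattern: bytes      # constructed payload signature, matched by substring
    weight: float       # matching weight; the base is kept sorted by it
    level: str = LOW    # current danger level
    hits: int = 0       # match count ("matching times")


class RuleBase:
    def __init__(self, rules, hit_threshold, weight_thresholds, weight_step=0.02):
        # Higher weight first; sort() is stable, so equal weights keep their set order.
        self.rules = sorted(rules, key=lambda r: r.weight, reverse=True)
        self.hit_threshold = hit_threshold          # preset count threshold (step 103)
        self.weight_thresholds = weight_thresholds  # weight threshold per danger level (step 104)
        self.weight_step = weight_step              # assumed additive weight increase

    def order(self):
        return [r.rule_id for r in self.rules]

    def match(self, packet: bytes):
        # Step 102: sequential first-match in weight order.
        for rule in self.rules:
            if rule.pattern in packet:
                return rule
        return None

    def process(self, packet: bytes):
        """Return (rule_id, danger level, action) for one packet."""
        rule = self.match(packet)
        if rule is None:
            return (None, None, "forward")
        rule.hits += 1
        if rule.hits > self.hit_threshold:
            # Step 103: hot rule -> raise its weight (rounded to two decimals as on
            # the page) and re-sort so it is tried earlier next time.
            rule.weight = round(rule.weight + self.weight_step, 2)
            self.rules.sort(key=lambda r: r.weight, reverse=True)
        # Step 104: weight above the threshold of the current level means the rule
        # fires more often than that level implies, so the level is raised.
        if rule.weight > self.weight_thresholds[rule.level]:
            rule.level = NEXT_LEVEL[rule.level]
        # Low: alert only and forward; medium/high: drop and alert.
        action = "forward" if rule.level == LOW else "drop"
        return (rule.rule_id, rule.level, action)


def demo():
    """Feed constructed packets through a two-rule base; returns (base, decisions)."""
    base = RuleBase(
        [Rule("A", b"A-sig", weight=0.03, level=LOW),
         Rule("B", b"B-sig", weight=0.20, level=MEDIUM)],
        hit_threshold=2,
        weight_thresholds={LOW: 0.05, MEDIUM: 0.30, HIGH: 1.0},
    )
    packets = [b"GET /?q=A-sig"] * 4 + [b"POST /B-sig", b"GET /index.html"]
    return base, [base.process(p) for p in packets]


def ceiling_demo():
    """A rule already at high stays high even when its weight passes the threshold."""
    base = RuleBase([Rule("H", b"H-sig", weight=0.9, level=HIGH)],
                    hit_threshold=0,
                    weight_thresholds={LOW: 0.05, MEDIUM: 0.30, HIGH: 0.5})
    return base.process(b"H-sig")


if __name__ == "__main__":
    base, decisions = demo()
    for d in decisions:
        print(d)
    print("final order:", base.order())
    print(ceiling_demo())
```

Rule A starts below rule B and is forwarded with an alert until its third hit crosses the count threshold; the fourth hit lifts its weight past the low-level threshold of 0.05 and the rule is escalated to medium, after which its packets are dropped. Note that escalation is a one-way ratchet here; the page gives no step for lowering a level again, so a practitioner would add a decay or periodic re-baseline if false positives on a noisy rule are a concern.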
In the intrusion prevention rule processing scheme of the embodiment, a message to be processed is obtained and matched sequentially against a preset intrusion prevention rule base to obtain a target rule, and the match count of the target rule is recorded; the rules in the rule base are sorted by matching weight; when the match count is greater than a preset count threshold, the matching weight of the target rule is updated; the current danger level of the target rule and the weight threshold corresponding to that level are obtained, the danger level is adjusted according to the rule's matching weight and the weight threshold, and the message is processed. With this scheme the rule matching order is adjusted dynamically during operation according to match counts and the matching weight of hot-spot rules is raised, which improves matching efficiency; in addition, the attack danger level is adjusted dynamically so that attacks are judged and blocked more effectively, further improving data security.
Fig. 2 is a schematic flow chart of another intrusion prevention rule processing method according to an embodiment of the present disclosure, and the embodiment further optimizes the intrusion prevention rule processing method based on the above embodiment. As shown in fig. 2, the method includes:
Step 201: obtain all rules in the intrusion prevention rule base, set a matching weight for each rule, sort all rules by the set matching weights, and within a preset time period match a number of test messages sequentially against the rule base to obtain the test match count of each rule.
Step 202: when the test match count is greater than a preset test threshold, mark the corresponding rule as a hot-spot rule and calculate its current matching weight; after the time period, adjust the ordering of the hot-spot rules according to their current matching weights.
In an embodiment, calculating the current matching weight of a hot-spot rule includes: obtaining the test match count of the hot-spot rule, obtaining the total match count over all rules, and computing the current matching weight of the hot-spot rule from these two values.
In the embodiment, a rule identifier is determined for each rule, and a matching weight is set for each rule identifier.
Specifically, the matching order and weights of the rules are adjusted dynamically by analysing the actual matching conditions and the user's real usage scenario, so that the interception mechanism of intrusion prevention does not remain unchanged for a long time, and the performance and timeliness problems caused by an ever-growing rule base are addressed.
Specifically, the intrusion prevention rules are read and matching is executed in a predefined order; the matching conditions are recorded, matched rules are counted, accumulated and marked, hot-spot rules (rules that are matched or triggered frequently) are identified, and the weights of the hot-spot rules are adjusted.
Specifically, each rule has a unique rule identifier; identifiers are never repeated or reused, and the corresponding rule can be looked up by its identifier. During rule matching, each time input traffic matches a rule, that rule's match value is incremented. A rule whose match value exceeds the match-value threshold predefined in the rule base is marked as a hot rule; the match-value threshold is determined in advance from the input traffic when the rule base is generated. The hot-spot rules are calibrated from the matching conditions, and the matching weight of each hot-spot rule is calculated from its match value and the match-value threshold. For example, the matching weight formula is: matching weight of a single hot-spot rule = match value of that rule / total match value, where the total match value is the sum of the match values of all hot-spot rules.
For example: rule A has match value 5, rule B has match value 2 and rule C has match value 8, the total match value is 12, the matching weight of rule A is 0.33 (rounded to two decimal places by default; the rounding mode is configurable), the matching weight of rule B is 0.13, and the matching weight of rule C is 0.53.
Further, the rule matching order is only really adjusted dynamically after matching has accumulated for a certain time and enough traffic has been fed into the rule base; the resulting order then fits the user's scenario more closely and is more targeted.
Because the traffic may be too small, the match values may be small, or unexpected traffic may make the match values unrepresentative, adjusting the matching order on such data could be counterproductive. Therefore the matching order is only adjusted dynamically after matching has accumulated for a certain time and enough traffic has been input (the matching time and the traffic volume can be configured by the user).
Finally, the rule identifiers and matching weights of all rules are obtained, the rules are arranged from largest to smallest matching weight, and messages to be processed are matched against the rules in that order (in practice the order can be changed by re-pointing the rule pointers); rules with equal matching weights keep their set relative positions, and rules whose matching weight is 0 also keep their positions.
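The training-phase calibration of steps 201 and 202 as an added example, not code from the patent or from Topsec. It counts match values over constructed test traffic, computes weights with the page's formula (match value divided by the sum of match values over the hot-spot rules, rounded to two decimals), and reorders the rules so that non-hot-spot rules with weight 0 keep their slots and equal weights keep their relative order, as the paragraph above requires; it also applies the traffic floor from the preceding paragraph. The rule patterns, the hot-spot threshold, the traffic floor and the packets are assumptions. The sample traffic reproduces the page's A=5, B=2, C=8 case; note that those values sum to 15, and the weights the page gives (0.33, 0.13, 0.53) are what dividing by 15 yields.

```python
# Added example (not the patent's own code): training-phase hotspot calibration
# for steps 201-202. Rule patterns, the hotspot threshold, the traffic floor and
# the test packets are constructed assumptions; the weight formula follows the
# page (match value / total match value over hotspot rules, two decimals).
MIN_TEST_PACKETS = 10   # user-configurable traffic floor: below it, do not reorder


def count_matches(rules, packets):
    """Sequential first-match over (rule_id, pattern) pairs in their current order.

    Returns the match value of every rule (0 for rules that never matched)."""
    values = {rule_id: 0 for rule_id, _ in rules}
    for packet in packets:
        for rule_id, pattern in rules:
            if pattern in packet:
                values[rule_id] += 1
                break
    return values


def hotspot_weights(values, hotspot_threshold):
    """Mark rules whose match value exceeds the threshold as hotspots and compute
    weight = value / sum of hotspot values, rounded to two decimal places."""
    hot = {rule_id: v for rule_id, v in values.items() if v > hotspot_threshold}
    total = sum(hot.values())
    if total == 0:
        return {}
    return {rule_id: round(v / total, 2) for rule_id, v in hot.items()}


def reorder(rules, weights, packets_seen):
    """Reorder rules by descending weight.

    Rules with weight 0 (non-hotspots) keep their slots; among hotspot rules a
    stable sort keeps equal weights in their previously set relative order."""
    if packets_seen < MIN_TEST_PACKETS:
        return list(rules)           # not enough traffic: leave the order unchanged
    slots = [i for i, (rule_id, _) in enumerate(rules) if weights.get(rule_id, 0) > 0]
    movable = sorted((rules[i] for i in slots),
                     key=lambda r: weights[r[0]], reverse=True)
    new_order = list(rules)
    for slot, rule in zip(slots, movable):
        new_order[slot] = rule
    return new_order


def calibrate(rules, packets, hotspot_threshold):
    """Run one training period: returns (match values, weights, new rule order ids)."""
    values = count_matches(rules, packets)
    weights = hotspot_weights(values, hotspot_threshold)
    new_rules = reorder(rules, weights, len(packets))
    return values, weights, [rule_id for rule_id, _ in new_rules]


# Constructed rule base and test traffic reproducing the page's A=5, B=2, C=8 case;
# rule D never matches and so must stay in place.
RULES = [("A", b"a-sig"), ("B", b"b-sig"), ("C", b"c-sig"), ("D", b"d-sig")]
TEST_PACKETS = [b"x a-sig"] * 5 + [b"x b-sig"] * 2 + [b"x c-sig"] * 8


if __name__ == "__main__":
    print(calibrate(RULES, TEST_PACKETS, hotspot_threshold=1))
    print(calibrate(RULES, TEST_PACKETS, hotspot_threshold=3))
```

With a hot-spot threshold of 1 all three matched rules are hot and the order becomes C, A, B with D fixed in the last slot; raising the threshold to 3 leaves B below it, so B keeps its second slot while C and A swap around it. Because the weights are normalised over hot-spot rules only, the same rule's weight changes when the set of hot-spot rules changes, which is why the page ties the weight threshold for danger-level escalation to a training period rather than to a single count.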
Step 203: obtain a message to be processed, match it sequentially against the preset intrusion prevention rule base to obtain a target rule, and record the match count of the target rule; the rules in the rule base are sorted by matching weight.
Step 204: when the match count is greater than a preset count threshold, determine a target matching weight for the target rule based on the match count, and update the current matching weight of the target rule to the target matching weight; the target matching weight is greater than the current matching weight.
Step 205: obtain the current danger level of the target rule and the weight threshold corresponding to that level; when the matching weight of the target rule is greater than the weight threshold, determine a target danger level and replace the current danger level of the target rule with it.
Step 206: when the current danger level of the target rule is low, generate prompt information and send it to the target device.
Step 207: when the current danger level of the target rule is medium or high, discard the message, generate prompt information and send it to the target device.
Specifically, after the hot-spot rules have been recorded they are put to use, so that the firewall's interception mechanism does not remain unchanged for a long time and the real-time behaviour and protective performance of the system are improved.
Specifically, the intrusion prevention system is started and the rule base is loaded; traffic is fed in continuously to simulate the user scenario; the rule order and the default rule weights are preset; during operation, actual traffic is fed into the training rule base, matching information is judged and recorded dynamically according to the matching conditions, and hot-spot rules are found; the hot-spot rule information is recorded, the rule matching order is adjusted dynamically and the rule matching weights are adjusted (the matching weight of a hot-spot rule is raised so that it is matched as early as possible). The hot-spot rules are calibrated by their match values, the matching weight is calculated from the match value, and the matching order is then adjusted according to the matching weight; the danger level of the matched rule is also judged. The initial danger level of a rule is predefined by the rule base; danger levels are divided into low, medium and high, and whether a level needs to be raised is judged against the matching weight threshold (if the matched rule is already at the high danger level, the log continues to report high, the traffic is blocked, and the level is not raised further). The matching weight threshold is predefined by the rule base and can also be customised by the user.
By way of example: the initial danger level of rule A is low and the matching weight threshold is 0.05; if the matching weight of rule A exceeds 0.05, attacks matching rule A are occurring frequently and further reminders or warnings are needed, so the danger level reported in the recorded attack log is raised to medium. After the rule has been matched against the traffic, the decision is made: if a match occurs the message is discarded, and if no rule matches the message is forwarded, thereby implementing the defensive protection.
Thus, as time goes on and intrusion prevention continues, the system fits the user scenario more closely, the firewall's interception mechanism does not remain unchanged for a long time, and the intrusion prevention performance of the network security device improves.
In the intrusion prevention rule processing scheme of the embodiment, all rules in the intrusion prevention rule base are obtained, a matching weight is set for each rule, all rules are sorted by the set matching weights, and within a preset time period a number of test messages are matched sequentially against the rule base to obtain the test match count of each rule; when the test match count is greater than a preset test threshold, the corresponding rule is marked as a hot-spot rule and its current matching weight is calculated, and after the time period the ordering of the hot-spot rules is adjusted according to their current matching weights. A message to be processed is then obtained and matched sequentially against the rule base to obtain a target rule, and the match count of the target rule is recorded; the rules in the rule base are sorted by matching weight; when the match count is greater than a preset count threshold, a target matching weight is determined for the target rule based on the match count and the current matching weight is updated to the target matching weight, which is greater than the current one; the current danger level of the target rule and the weight threshold corresponding to that level are obtained; when the matching weight of the target rule is greater than the weight threshold, a target danger level is determined and replaces the current danger level; when the current danger level of the target rule is low, prompt information is generated and sent to the target device; when it is medium or high, the message is discarded and prompt information is generated and sent to the target device. With this scheme the hot-spot rules are recorded during message detection, the probability of each rule matching is discovered, the user's usage scenario is fitted more closely, the matching order and matching weights of different rules are adjusted dynamically, and matching efficiency is effectively improved.
Fig. 3 is a schematic structural diagram of an intrusion prevention rule processing apparatus provided in an embodiment of the present disclosure, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 3, the apparatus 300 includes:
a message obtaining module 301, configured to obtain a message to be processed;
a matching and marking module 302, configured to sequentially match the to-be-processed packet with a preset intrusion prevention rule base to obtain a target rule, and mark the matching times of the target rule; wherein the rules in the intrusion prevention rule base are sorted according to the matching weight;
an updating module 303, configured to update the matching weight of the target rule when the matching frequency is greater than a preset frequency threshold;
a rule information obtaining module 304, configured to obtain a current risk level of the target rule, and obtain a weight threshold corresponding to the current risk level;
the message processing module 305 is configured to adjust the risk level of the target rule according to the matching weight of the target rule and the weight threshold, and process the message to be processed.
Optionally, the apparatus further includes:
an acquisition module, configured to acquire all rules in the intrusion prevention rule base, set a corresponding matching weight for each rule, and sort all rules by the set matching weights;
a matching module, configured to match a plurality of test packets in sequence against the intrusion prevention rule base within a preset time period to obtain the test match count of each rule;
a calculation module, configured to mark a rule as a hot-spot rule when its test match count exceeds a preset test threshold, and to calculate the current matching weight of the hot-spot rule;
and an ordering module, configured to adjust the order of the hot-spot rules according to their current matching weights after the time period.
Optionally, the calculation module is specifically configured to:
acquire the test match count of the hot-spot rule;
acquire the total match count over all rules;
and calculate the current matching weight of the hot-spot rule from the test match count and the total match count.
Optionally, a rule identifier corresponding to each rule is determined, and the matching weight corresponding to each rule identifier is set.
Optionally, the updating module 303 is specifically configured to:
determine, when the match count exceeds the preset count threshold, the target matching weight of the target rule from the match count;
and update the current matching weight of the target rule to the target matching weight; wherein the target matching weight is greater than the current matching weight.
Optionally, the packet processing module 305 is specifically configured to:
determine a target risk level when the matching weight of the target rule exceeds the weight threshold;
and replace the current risk level of the target rule with the target risk level.
Optionally, the packet processing module 305 further includes:
a generating module, configured to generate an alert and send it to the target device when the current risk level of the target rule is low;
and a processing module, configured to discard the packet to be processed, generate an alert and send it to the target device when the current risk level of the target rule is medium or high.
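The steps in the summary above and in modules 301 to 305 (restated as claims 1 to 7 in the claims section) can be followed end to end in a small model. The Python below is an added illustration, not code from the patent or from Topsec's product: the rule patterns, the test and runtime payloads, the per-level weight thresholds, the fixed weight step used as the "target matching weight", first-match semantics for "sequentially matching", and the reset of the match counts after the test period are all assumptions, since the patent specifies none of them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed per-level weight thresholds (the patent leaves the numbers open): a rule whose
# weight exceeds the threshold of its current level is raised one level.
LEVELS = ["low", "medium", "high"]
WEIGHT_THRESHOLD = {"low": 0.5, "medium": 0.8, "high": float("inf")}
WEIGHT_STEP = 0.1  # assumed weight increment once the match count passes the count threshold


@dataclass
class Rule:
    rule_id: str
    pattern: str          # constructed payload signature (regex over the packet payload)
    weight: float         # matching weight; the base is kept sorted by it, descending
    level: str = "low"    # current risk level
    matches: int = 0      # marked match count
    hotspot: bool = False


@dataclass
class Verdict:
    action: str             # "forward" or "drop"
    rule_id: Optional[str]  # target rule, None when no rule matched
    level: Optional[str]    # risk level of the target rule after adjustment
    alert: Optional[str]    # prompt sent to the target device, None when nothing matched


class RuleBase:
    def __init__(self, rules: List[Rule], count_threshold: int = 3, test_threshold: int = 2):
        self.rules = sorted(rules, key=lambda r: r.weight, reverse=True)
        self.count_threshold = count_threshold  # "preset count threshold" of claim 1
        self.test_threshold = test_threshold    # "preset test threshold" of claim 2
        self.total_matches = 0

    def order(self) -> List[str]:
        return [r.rule_id for r in self.rules]

    def _first_match(self, payload: str) -> Optional[Rule]:
        # Sequential matching in weight order: the first rule that hits is the target rule.
        for r in self.rules:
            if re.search(r.pattern, payload):
                return r
        return None

    def _resort(self) -> None:
        self.rules.sort(key=lambda r: r.weight, reverse=True)

    def warm_up(self, test_payloads: List[str]) -> List[str]:
        """Claims 2-3: count test matches, mark hot-spot rules, reweight and reorder them."""
        for p in test_payloads:
            r = self._first_match(p)
            if r is not None:
                r.matches += 1
                self.total_matches += 1
        hot = []
        for r in self.rules:
            if r.matches > self.test_threshold:
                r.hotspot = True
                r.weight = r.matches / self.total_matches  # share of all test-period matches
                hot.append(r.rule_id)
        self._resort()
        for r in self.rules:  # assumption: runtime counting starts from zero after the test period
            r.matches = 0
        self.total_matches = 0
        return hot

    def process(self, payload: str) -> Verdict:
        """Claims 1 and 5-7: match, count, reweight, adjust the risk level, dispose of the packet."""
        r = self._first_match(payload)
        if r is None:
            return Verdict("forward", None, None, None)
        r.matches += 1
        self.total_matches += 1
        if r.matches > self.count_threshold:
            # Claim 5: the target weight is strictly above the current one, so a rule
            # that keeps matching keeps moving towards the front of the match order.
            r.weight += WEIGHT_STEP
            self._resort()
        # Claim 6: a weight above the threshold of the current level raises the level.
        if r.level != "high" and r.weight > WEIGHT_THRESHOLD[r.level]:
            r.level = LEVELS[LEVELS.index(r.level) + 1]
        alert = f"rule={r.rule_id} level={r.level} weight={r.weight:.2f} matches={r.matches}"
        # Claim 7: low -> alert only; medium or high -> drop the packet and alert.
        return Verdict("forward" if r.level == "low" else "drop", r.rule_id, r.level, alert)


def build_demo_base() -> RuleBase:
    """Constructed three-rule base warmed up on constructed, XSS-heavy test traffic."""
    base = RuleBase([
        Rule("sqli", r"(?i)union\s+select", 0.3),
        Rule("xss", r"(?i)<script", 0.2),
        Rule("traversal", r"\.\./", 0.1),
    ])
    base.warm_up(["q=<script>alert(1)</script>"] * 4 + ["id=1 UNION SELECT 1,2"])
    return base  # order is now ["xss", "sqli", "traversal"]; xss is the hot-spot rule
```

`build_demo_base()` warms the base up on five test packets; the XSS rule, with four of the five matches, becomes the hot-spot rule with weight 0.8 and moves from second to first in the match order. With the first runtime packet that weight already exceeds the low-level threshold, so the rule is raised to medium and the packet is dropped; after the fourth runtime match the weight steps to 0.9, above the medium threshold, and the rule is raised to high. The SQL injection rule stays at low and its packet is forwarded with an alert only. The caveat a practitioner will want to keep in mind follows directly from the logic: the risk level is driven by match frequency rather than by the severity of what the rule detects, so a burst of traffic hitting a low-severity rule will escalate that rule to a blocking level. Any deployment of such a scheme needs an upper bound or a decay on the weight, and a way to pin the level of rules that must never block.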
The intrusion prevention rule processing apparatus provided by the embodiment of the disclosure can execute the intrusion prevention rule processing method provided by any embodiment of the disclosure, and has the functional modules and beneficial effects corresponding to that method.
Embodiments of the present disclosure also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implement the intrusion prevention rule processing method provided in any embodiment of the present disclosure.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. Referring now specifically to fig. 4, a schematic diagram of an electronic device 400 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device 400 in the embodiments of the present disclosure may include, but is not limited to, mobile terminals such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle-mounted terminal (e.g., a car navigation terminal), and the like, and fixed terminals such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, electronic device 400 may include a processing device (e.g., central processing unit, graphics processor, etc.) 401 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage device 408 into a Random Access Memory (RAM) 403. The RAM 403 also stores various programs and data necessary for the operation of the electronic device 400. The processing device 401, the ROM 402, and the RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Generally, the following devices may be connected to the I/O interface 405: input devices 406 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 407 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 408 including, for example, magnetic tape, hard disk, etc.; and a communication device 409. The communication means 409 may allow the electronic device 400 to communicate wirelessly or by wire with other devices to exchange data. While fig. 4 illustrates an electronic device 400 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, the processes described above with reference to the flow diagrams may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 409, or from the storage device 408, or from the ROM 402. The computer program performs the above-described functions defined in the intrusion prevention rule processing method of the embodiment of the present disclosure when executed by the processing device 401.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (Hypertext Transfer Protocol), and may be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquire a packet to be processed, match the packet to be processed in sequence against a preset intrusion prevention rule base to obtain a target rule, and mark the match count of the target rule, wherein the rules in the intrusion prevention rule base are sorted by matching weight; when the match count exceeds a preset count threshold, update the matching weight of the target rule; acquire the current risk level of the target rule and the weight threshold corresponding to that level; and adjust the risk level of the target rule according to its matching weight and the weight threshold, and process the packet to be processed.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including object oriented programming languages such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented in software or hardware. In some cases the name of a unit does not constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In accordance with one or more embodiments of the present disclosure, there is provided an electronic device including:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to read the executable instructions from the memory and execute them to implement the intrusion prevention rule processing method provided by the present disclosure.
According to one or more embodiments of the present disclosure, there is provided a computer-readable storage medium storing a computer program for executing any of the intrusion prevention rule processing methods provided by the present disclosure.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure, for example technical solutions formed by substituting the above features with features of similar function disclosed in (but not limited to) this disclosure.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. An intrusion prevention rule processing method, comprising:
acquiring a packet to be processed;
matching the packet to be processed in sequence against a preset intrusion prevention rule base to obtain a target rule, and marking the match count of the target rule; wherein the rules in the intrusion prevention rule base are sorted by matching weight;
when the match count exceeds a preset count threshold, updating the matching weight of the target rule;
and acquiring the current risk level of the target rule, acquiring the weight threshold corresponding to the current risk level, adjusting the risk level of the target rule according to the matching weight of the target rule and the weight threshold, and processing the packet to be processed.
2. The intrusion prevention rule processing method according to claim 1, further comprising:
acquiring all rules in the intrusion prevention rule base, setting a corresponding matching weight for each rule, and sorting all rules by the set matching weights;
matching a plurality of test packets in sequence against the intrusion prevention rule base within a preset time period to obtain the test match count of each rule;
when the test match count exceeds a preset test threshold, marking the rule corresponding to the test match count as a hot-spot rule, and calculating the current matching weight of the hot-spot rule;
and after the time period, adjusting the order of the hot-spot rules according to their current matching weights.
3. The intrusion prevention rule processing method according to claim 2, wherein calculating the current matching weight of the hot-spot rule comprises:
acquiring the test match count of the hot-spot rule;
acquiring the total match count over all rules;
and calculating the current matching weight of the hot-spot rule from the test match count and the total match count.
4. The intrusion prevention rule processing method according to claim 2, further comprising:
acquiring a rule identifier corresponding to each rule;
and setting the matching weight corresponding to each rule identifier.
5. The intrusion prevention rule processing method according to claim 1, wherein updating the matching weight of the target rule when the match count exceeds a preset count threshold comprises:
when the match count exceeds the preset count threshold, determining the target matching weight of the target rule from the match count;
and updating the current matching weight of the target rule to the target matching weight; wherein the target matching weight is greater than the current matching weight.
6. The intrusion prevention rule processing method according to claim 1, wherein adjusting the risk level of the target rule according to the matching weight of the target rule and the weight threshold comprises:
when the matching weight of the target rule exceeds the weight threshold, determining a target risk level;
and replacing the current risk level of the target rule with the target risk level.
7. The intrusion prevention rule processing method according to any one of claims 1 to 6, wherein processing the packet to be processed comprises:
when the current risk level of the target rule is low, generating an alert and sending it to a target device;
and when the current risk level of the target rule is medium or high, discarding the packet to be processed, generating an alert and sending it to the target device.
8. An intrusion prevention rule processing apparatus, comprising:
a packet acquisition module, configured to acquire a packet to be processed;
a matching and marking module, configured to match the packet to be processed in sequence against a preset intrusion prevention rule base to obtain a target rule, and to mark the match count of the target rule; wherein the rules in the intrusion prevention rule base are sorted by matching weight;
an updating module, configured to update the matching weight of the target rule when the match count exceeds a preset count threshold;
a rule information acquisition module, configured to acquire the current risk level of the target rule and the weight threshold corresponding to that level;
and a packet processing module, configured to adjust the risk level of the target rule according to its matching weight and the weight threshold, and to process the packet to be processed.
9. An electronic device, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to read the executable instructions from the memory and execute them to implement the intrusion prevention rule processing method according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein the storage medium stores a computer program for executing the intrusion prevention rule processing method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211649796.4A CN115955347A (en) 2022-12-21 2022-12-21 Intrusion prevention rule processing method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211649796.4A CN115955347A (en) 2022-12-21 2022-12-21 Intrusion prevention rule processing method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115955347A true CN115955347A (en) 2023-04-11

Family

ID=87296714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211649796.4A Pending CN115955347A (en) 2022-12-21 2022-12-21 Intrusion prevention rule processing method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN115955347A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633695A (en) * 2023-07-24 2023-08-22 中国电信股份有限公司 Security rule base management method, device, computer equipment and storage medium
CN116633695B (en) * 2023-07-24 2023-11-03 中国电信股份有限公司 Security rule base management method, device, computer equipment and storage medium
CN117439898A (en) * 2023-12-22 2024-01-23 深圳万物安全科技有限公司 Network device identification method, network device identification device, and storage medium
CN117439898B (en) * 2023-12-22 2024-03-12 深圳万物安全科技有限公司 Network device identification method, network device identification device, and storage medium

Similar Documents

Publication Publication Date Title
US11509534B2 (en) Collection of error packet information for network policy enforcement
CN115955347A (en) Intrusion prevention rule processing method, device, equipment and medium
US10122746B1 (en) Correlation and consolidation of analytic data for holistic view of malware attack
US10924503B1 (en) Identifying false positives in malicious domain data using network traffic data logs
US20230224232A1 (en) System and method for extracting identifiers from traffic of an unknown protocol
US11537751B2 (en) Using machine learning algorithm to ascertain network devices used with anonymous identifiers
US10158733B2 (en) Automated DPI process
CN114422267B (en) Flow detection method, device, equipment and medium
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
WO2011076984A1 (en) Apparatus, method and computer-readable storage medium for determining application protocol elements as different types of lawful interception content
CN112836218A (en) Risk identification method and device and electronic equipment
CN114598530A (en) Industrial control firewall white list rule matching method and device and related equipment
CN115017502A (en) Flow processing method and protection system
CN111478861B (en) Traffic identification method and device, electronic equipment and storage medium
CN113298573A (en) Content delivery strategy comparison method and device, readable medium and electronic equipment
CN110781066B (en) User behavior analysis method, device, equipment and storage medium
CN116743785A (en) Cloud network data storage method, device, equipment and medium based on fog calculation
CN114422277B (en) Method, device, electronic equipment and computer readable medium for defending network attack
KR20140126633A (en) Method and appratus for detecting malicious message
US10762238B2 (en) Ascertaining network devices used with anonymous identifiers
CN112839049B (en) Web application firewall protection method and device, storage medium and electronic equipment
CN107819761B (en) Data processing method and device and readable storage medium
US11895090B2 (en) Privacy preserving malicious network activity detection and mitigation
CN110868410B (en) Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN111382233A (en) Similar text detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination