CN116827698B - Network gateway flow security situation awareness system and method - Google Patents
- Publication number: CN116827698B (application CN202311111229.8A)
- Authority: CN (China)
- Prior art keywords: network, subsystem, attack, layer, management
- Legal status: Active
Classifications
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0263—Rule management
- H04L63/101—Access control lists [ACL]
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L9/40—Network security protocols
Abstract
The application discloses a network gateway flow security situation awareness system and method in the technical field of network security. The system comprises a data acquisition layer, an attack detection layer and a data distribution layer. The data acquisition layer captures network data packets based on PCAP and distributes them to the attack detection layer; the attack detection layer performs protocol analysis and rule matching on the network data packets in combination with a preset blacklist library, monitors and analyzes network attack behaviors in real time and displays attack behavior data; and the operation and maintenance management layer performs detection algorithm tuning, equalizer tuning, and rule and offline package management. By acquiring backbone network gateway traffic, the application analyzes network protocols and application characteristics online, detects network security attack behaviors in real time with the aid of a massive blacklist library, imports all analysis results into a big data processing platform, further analyzes hidden network malicious behaviors such as APT attacks, and traces attack sources, thereby providing perception, discovery, analysis and early-warning guarantees for network security within a jurisdiction.
Description
Technical Field
The application relates to the technical field of network security, in particular to a network gateway flow security situation awareness system and method.
Background
Performing real-time security detection on gateway traffic while providing a safer, manageable and controllable network faces three main challenges:
1. Mass data acquisition: for real-time monitoring of cyberspace security, acquiring data at line speed is fundamental. Three data acquisition methods are in common use. The first is acquisition on the terminal, as done by products such as 360 and Kaspersky; its advantage is that the acquired data is accurate and detailed, but no information is obtained from terminals without the software installed, so it lacks comprehensiveness. The second is network scanning, which uses active packet-sending scans to sniff the addresses, models, firmware versions and so on of network devices and produce a security risk analysis report; its advantage is full-network scanning without regional limitation, but it carries certain legal and regulatory risks, has poor real-time performance and offers no guarantee of accuracy. In addition, China's network architecture makes heavy use of NAT, and for devices hidden behind NAT gateways (mainly residential communities, the Internet of Things and enterprise-internal devices) the corresponding security information is difficult to discover and acquire through network scanning. The third is IDS analysis of the communication link, which can discover network attack behaviors and raise early warnings; its advantages are strong real-time performance, no interference from equipment such as NAT gateways, and comprehensive coverage of all devices and network communication data on the link. However, because the backbone network has a large communication bandwidth and the task amounts to mass data processing, while the performance of a traditional single IDS is usually about 20 Gbps, the number of units to deploy is huge, the cost is high and the construction period is long.
2. Mass data storage and analysis: the varied, heterogeneous and massive nature of the data collected at the operator gateway presents a significant challenge for storage and analysis.
3. Visual presentation of security indexes and situations: as a big data security analysis platform, a user-friendly, simple and practical display interface must be provided on top of the analysis capability. The platform's analysis results need to be presented as quantitative indexes, intuitively displaying the key security monitoring indexes currently used to identify and perceive DDoS, Web, botnet/trojan/worm, CC, DNS and APT attacks; when high-threat attacks occur, the analysis platform can display the important security monitoring indexes through a real-time attack map while also presenting the security situation and development trend of the jurisdiction in combination with historical data analysis.
Disclosure of Invention
To overcome, or at least partially solve, the above problems, the application provides a network gateway flow security situation sensing system and method that acquire backbone network gateway traffic, analyze network protocols and application characteristics online, detect network security attack behaviors in real time in combination with a massive blacklist library, discover botnets and C&C servers to which data is being sent back, import all analysis results into a big data processing platform, further analyze hidden network malicious behaviors such as APT attacks, track and trace attack sources, and provide sensing, discovery, analysis and early-warning security assurance for network security within a jurisdiction.
In order to solve the technical problems, the application adopts the following technical scheme:
in a first aspect, the present application provides a network gateway traffic security situation awareness system, including a data acquisition layer, an attack detection layer, and an operation and maintenance management layer, where:
the data acquisition layer is used for capturing a network data packet based on PCAP and distributing the network data packet to the attack detection layer;
the attack detection layer is used for carrying out protocol analysis and rule matching according to the network data packet and combining with a preset blacklist library, monitoring and analyzing network attack behaviors in real time and displaying attack behavior data;
and the operation and maintenance management layer is used for carrying out detection algorithm tuning, equalizer tuning, rule management and offline package management.
The system adopts a layered design comprising a data acquisition layer, an attack detection layer and an operation and maintenance management layer. Driven by real-time traffic, it can analyze network protocols and application characteristics online and offline, uses a self-developed massive blacklist library to detect and analyze network attack behaviors, and can detect in real time various hacking attacks and malicious traffic such as traditional buffer overflows, SQL injection, botnet servers, spam, anonymous communication behaviors, DDoS attacks, scanning and probing, worm viruses, trojan backdoors and spyware. On this basis, the method and device perform intensified detection of industrial Internet attack behaviors and can discover malicious behaviors initiated from an industrial network such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forging and non-compliant protocol use. The detection results can further be converged into a big data processing platform to analyze deeply hidden network malicious behaviors such as APT attacks, track and trace the attacks, and provide guarantees in perception, discovery, analysis and early warning for network security.
Based on the first aspect, the attack detection layer further comprises a protocol level equalizer subsystem, a quick lookup engine subsystem, a rule association analysis engine subsystem, a rule management subsystem and an event distribution subscription subsystem.
Based on the first aspect, further, the data acquisition layer includes a PCAP packet automatic storage and pushing subsystem and a stream distribution and equalization subsystem, wherein:
the PCAP packet automatic storage and pushing subsystem is used for capturing and storing network data packets based on PCAP and pushing the network data packets to the stream distribution and equalization subsystem;
and the stream distribution and equalization subsystem is used for carrying out equalization and distribution on the received network data packet and distributing the network data packet to the protocol level equalizer subsystem and the quick lookup engine subsystem.
Based on the first aspect, the operation and maintenance management layer further comprises a detection algorithm tuning subsystem, an equalizer tuning subsystem, a rule management subsystem and an offline package management subsystem.
Based on the first aspect, further, the decoder inside the attack detection layer supports identification and analysis of multiple basic network protocols over Ethernet, including MPLS, IP, TCP, UDP, ICMP, HTTP, HTTPS, DNS, FTP, TELNET and TLS, and is used for detecting various hacking attacks and malicious traffic in real time.
Based on the first aspect, the attack detection layer further supports deep analysis of various industrial control protocols such as DNP3, MODBUS, ENIP, S7, OPC DA and OPC UA, and is used for detecting in real time malicious behaviors that use technical means such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forging and non-compliant protocol use.
Based on the first aspect, the attack detection layer further supports combination rules of multiple forms that cross protocol stacks and performs fixed rule matching, including matching of multiple keywords floating anywhere in the full packet, and matching of compound rules formed by arbitrary combination of five-tuple, TCP (transmission control protocol) flag bits, packet payload length, characteristic strings, statistical rules and packet payload length sequence rules.
Based on the first aspect, the operation and maintenance management layer further supports interaction over three protocols, namely HTTPS, SNMP v2c and SSH. HTTPS provides the Web interface for configuration maintenance, while SNMP v2c and SSH are used to read and write state directly from the engine and to perform the bottom-layer operations of forwarding control and traffic monitoring.
Based on the first aspect, further, the operation and maintenance management layer adopts a B/S architecture.
In a second aspect, the present application provides a network gateway traffic security situation awareness method, including the following steps:
capturing a network data packet based on PCAP through a data acquisition layer, and distributing the network data packet to an attack detection layer;
according to the network data packet, the attack detection layer is combined with a preset blacklist library to perform protocol analysis and rule matching, monitor and analyze network attack behaviors in real time, and display attack behavior data;
performing detection algorithm tuning, equalizer tuning, rule management and offline package management through the operation and maintenance management layer.
The application has at least the following advantages or beneficial effects:
the application provides a network gateway flow security situation sensing system and method that acquire backbone network gateway traffic, analyze network protocols and application characteristics online, detect network security attack behaviors in real time in combination with a massive blacklist library, discover botnets and C&C servers to which data is being sent back, import all analysis results into a big data processing platform, further analyze hidden network malicious behaviors such as APT attacks, track and trace attack sources, and provide sensing, discovery, analysis and early-warning security assurance for network security within a jurisdiction.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic architecture diagram of a network gateway traffic security situation awareness system according to an embodiment of the present application;
FIG. 2 is a diagram of a hardware interface relationship in an embodiment of the present application;
FIG. 3 is a diagram illustrating the interface relationships of software modules in an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Examples
As shown in fig. 1, in a first aspect, an embodiment of the present application provides a network gateway traffic security situation awareness system, which includes a data acquisition layer, an attack detection layer, and an operation and maintenance management layer, where:
the data acquisition layer is used for capturing a network data packet based on PCAP and distributing the network data packet to the attack detection layer;
the attack detection layer is used for carrying out protocol analysis and rule matching according to the network data packet and combining with a preset blacklist library, monitoring and analyzing network attack behaviors in real time and displaying attack behavior data;
and the operation and maintenance management layer is used for carrying out detection algorithm tuning, equalizer tuning, rule management and offline package management. The operation and maintenance management layer adopts a B/S architecture. It is equivalent to a system configuration management layer and is mainly responsible for adjusting system operation parameters. It is mainly used for tuning the situation awareness system and its subsystems, which includes optimizing the system operation configuration in terms of detection algorithm tuning, equalizer tuning and rule management, and upgrading the offline package so that the rules in use are up to date.
The system adopts a layered design comprising a data acquisition layer, an attack detection layer and an operation and maintenance management layer. Driven by real-time traffic, it can analyze network protocols and application characteristics online and offline, uses a self-developed massive blacklist library to detect and analyze network attack behaviors, and can detect in real time various hacking attacks and malicious traffic such as traditional buffer overflows, SQL injection, botnet servers, spam, anonymous communication behaviors, DDoS attacks, scanning and probing, worm viruses, trojan backdoors and spyware. On this basis, the method and device perform intensified detection of industrial Internet attack behaviors and can discover malicious behaviors initiated from an industrial network such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forging and non-compliant protocol use. The detection results can further be converged into a big data processing platform to analyze deeply hidden network malicious behaviors such as APT attacks, track and trace the attacks, and provide guarantees in perception, discovery, analysis and early warning for network security. The method is suitable for large-scale network environments such as ISP backbone networks, metropolitan area networks and data centers.
The system takes full account of operators' access control modes and, combined with the management characteristics of each domain, recommends using the existing terminal access control mode with hierarchical deployment. If only the traffic of a provincial gateway is of concern, a centralized deployment mode can be adopted instead of a two-level distributed deployment mode. If a two-level deployment mode is adopted, a primary management platform is deployed at the headquarters (the company), where a unified identity authentication center and a policy control center are built and a dual-machine hot-standby working mode provides the policy control service; a secondary management platform is deployed in each region to detect network threats in real time, receive the management and control policies issued by the primary management platform, and perform security management of the terminals accessing the network domain.
For example, the system is generally of a distributed architecture: a secondary security management platform is built in City A and in City B respectively, traffic is detected in real time at the Internet gateway, threats are discovered based on the configured rules, and the generated security events are reported to the primary management platform of the provincial company for aggregated analysis and risk assessment.
The system comprises two large parts, hardware and software, and involves a hardware interface and a software module interface. The hardware interface relationship is shown in Fig. 2: data is fed from the traffic splitter (tap) into the QSFP+/SFP+ interface of the secondary detection platform for processing; events and logs are sent over the VPN to the full-traffic situation awareness server of the primary security management platform; the operation and maintenance workstation can be combined with the control terminal or be an independent module, and is managed through the GE interface of the switch card. The software modules are decoupled by design and are not limited by hardware interfaces; their internal logical interface relationships are shown in Fig. 3.
Based on the first aspect, the attack detection layer further comprises a protocol level equalizer subsystem, a quick lookup engine subsystem, a rule association analysis engine subsystem, a rule management subsystem and an event distribution subscription subsystem.
Based on the first aspect, further, the data acquisition layer includes a PCAP packet automatic storage and pushing subsystem and a stream distribution and equalization subsystem, wherein:
the PCAP packet automatic storage and pushing subsystem is used for capturing and storing network data packets based on PCAP and pushing the network data packets to the stream distribution and equalization subsystem;
and the stream distribution and equalization subsystem is used for carrying out equalization and distribution on the received network data packet and distributing the network data packet to the protocol level equalizer subsystem and the quick lookup engine subsystem.
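As an added illustration that is not code from the patent, the following Python shows how a stream distribution and equalization subsystem could hash packets to N detection engines so that both directions of a connection reach the same engine, which per-flow rules require; the packet fields, the hash key and all names are assumptions of this example.

```python
"""Symmetric flow hashing for the stream distribution and equalization step.

Added example, not code from the patent. Packets are constructed dicts
rather than real PCAP records; field names and the hash key are this
example's own assumptions.
"""
import hashlib
from collections import Counter

# Secret per deployment (placeholder here). Keying the hash means an outside
# party cannot predict which engine a flow lands on and so cannot steer
# traffic onto a single engine to overload it.
HASH_KEY = b"example-secret-replace-me"


def flow_key(pkt):
    """Direction-independent five-tuple: order the two endpoints so that
    A->B and B->A yield the same key."""
    end_a = (pkt["src"], pkt["sport"])
    end_b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([end_a, end_b])
    return (pkt["proto"], lo, hi)


def engine_for(pkt, n_engines):
    """Stable engine index in 0..n_engines-1 from a keyed hash of the flow key."""
    data = repr(flow_key(pkt)).encode()
    digest = hashlib.blake2b(data, digest_size=8, key=HASH_KEY).digest()
    return int.from_bytes(digest, "big") % n_engines


def distribute(packets, n_engines):
    """Assign every packet to an engine; returns {engine: [packet, ...]}."""
    buckets = {i: [] for i in range(n_engines)}
    for pkt in packets:
        buckets[engine_for(pkt, n_engines)].append(pkt)
    return buckets


def flows_split_across_engines(buckets):
    """Equalizer sanity check: flow keys that landed on more than one engine
    (empty when the hashing is correctly symmetric)."""
    seen = {}
    split = set()
    for engine, pkts in buckets.items():
        for pkt in pkts:
            key = flow_key(pkt)
            if seen.setdefault(key, engine) != engine:
                split.add(key)
    return split


def load_counts(buckets):
    """Packets per engine, the figure an operator would watch when tuning."""
    return Counter({engine: len(pkts) for engine, pkts in buckets.items()})


def _pkt(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed sample traffic (not real captures): three flows, both directions.
SAMPLE = [
    _pkt("10.0.0.5", 40001, "203.0.113.9", 80),
    _pkt("203.0.113.9", 80, "10.0.0.5", 40001),
    _pkt("10.0.0.7", 40002, "198.51.100.20", 443),
    _pkt("198.51.100.20", 443, "10.0.0.7", 40002),
    _pkt("10.0.0.9", 5353, "203.0.113.53", 53, proto="udp"),
    _pkt("203.0.113.53", 53, "10.0.0.9", 5353, proto="udp"),
]

if __name__ == "__main__":
    buckets = distribute(SAMPLE, 4)
    print("load per engine:", dict(load_counts(buckets)))
    print("flows split across engines:", flows_split_across_engines(buckets))
```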
Based on the first aspect, the operation and maintenance management layer further comprises a detection algorithm tuning subsystem, an equalizer tuning subsystem, a rule management subsystem and an offline package management subsystem.
Based on the first aspect, further, the decoder inside the attack detection layer supports identification and analysis of multiple basic network protocols over Ethernet, including MPLS, IP, TCP, UDP, ICMP, HTTP, HTTPS, DNS, FTP, TELNET and TLS, and is used for detecting various hacking attacks and malicious traffic in real time.
The system has the capability to analyze the basic protocols and, based on it, can detect in real time traditional hacking attacks and malicious traffic such as buffer overflows, SQL injection, botnet servers, spam, anonymous communication behaviors, DDoS attacks, scanning and probing, worm viruses, trojan backdoors and spyware.
Based on the first aspect, the attack detection layer further supports deep analysis of various industrial control protocols such as DNP3, MODBUS, ENIP, S7, OPC DA and OPC UA, and is used for detecting in real time malicious behaviors that use technical means such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forging and non-compliant protocol use.
The system supports deep analysis of more than ten common industrial control protocols such as DNP3, MODBUS, ENIP, S7, OPC DA and OPC UA, and can be customized and extended. It can detect in real time malicious behaviors that use technical means such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forging and non-compliant protocol use. Provided the performance design range is not exceeded, the traffic is complete and the vulnerabilities are known (not 0-day), the missed-alarm rate for high-risk and critical-risk events is below 5% and the false-alarm rate is below 5%.
Based on the first aspect, the attack detection layer further supports combination rules of multiple forms that span protocol stacks and performs fixed rule matching, including matching of multiple floating keywords anywhere in the packet, and matching of compound rules formed by arbitrary combination of the five-tuple, TCP flag bits, payload length, characteristic strings, statistical rules and payload-length sequence rules.
Fixed rule matching achieves multidimensional, flexible screening of network data by supporting combination rules of multiple forms that span protocol stacks, including matching of multiple floating keywords anywhere in the packet and matching of compound rules formed by arbitrary combination of the five-tuple, TCP flag bits, payload length, characteristic strings, statistical rules, payload-length sequence rules and the like. On this basis, hacking attacks and malicious traffic such as buffer overflows, SQL injection, brute-force guessing, DDoS attacks, scanning and probing, worms, trojan backdoors and spyware can be detected and alarmed in real time. Abnormal traffic can be monitored and early warnings raised, with a false alarm rate of no more than 1%.
The system ships with a preset rule base covering more than 40 attack modes, with no fewer than 50000 effective rules in total. Of these, no fewer than 500 rules identify protocols such as DNS, FTP, ICMP, POP, IMAP, SMTP, SNMP, TELNET, TFTP, NETBIOS and P2P, and no fewer than 35000 rules detect the related attack behaviours; no fewer than 200 rules identify SCADA industrial Internet protocols, and no fewer than 10000 rules detect the related attack behaviours.
To facilitate expansion, the system supports custom rules written in Snort rule syntax and provides a friendly rule editing interface. Generated rules have the same detection capability as the preset fixed rule base. Users or a third-party security operations and maintenance team can manually add security monitoring rules according to the actual conditions of the network, further improving the long-term effectiveness of the system.
The system also supports function operation matching, which performs numerical computation on the data stream. The supported operations include, but are not limited to, the four basic arithmetic operations, modular arithmetic, logical operations and basic mathematical functions, and user-defined operation rules are supported so that data streams with specific characteristics can be detected and identified. Plug-ins are written in a standard programming language and call the encapsulated API functions to implement various detection logics; any part of any packet can be sampled, and multiple plug-ins can work cooperatively, giving a deep detection capability more complex than a Snort rule. The execution body of a plug-in is a dynamic shared object in ELF format; it is re-packaged by an in-house compiler and can be loaded into memory once and executed by multiple detection streams simultaneously, saving resources and improving performance.
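The compound-rule matching described above, as an added illustration that is not part of the patent or any product code: a small Python matcher whose rules combine five-tuple fields, TCP flags, payload-length bounds, floating keywords, a per-flow payload-length sequence, a per-source statistical threshold and an arbitrary predicate standing in for the function-operation plug-in hook. Packet, Rule, Matcher and the constructed rules and packets are hypothetical names and sample data, not the patent's rule base.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Optional, Sequence

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcp_flags: str = ""  # e.g. "S", "SA", "PA"; empty for non-TCP
    payload: bytes = b""

@dataclass
class Rule:
    name: str
    five_tuple: dict = field(default_factory=dict)  # subset of src/sport/dst/dport/proto
    tcp_flags: Optional[str] = None                 # exact TCP flag string required
    min_len: int = 0                                # payload-length bounds
    max_len: Optional[int] = None
    keywords: Sequence[bytes] = ()                  # "floating": all must occur at any offset
    length_seq: Optional[Sequence[int]] = None      # last N payload lengths of this flow
    src_threshold: Optional[int] = None             # statistical: packets seen from source IP
    predicate: Optional[Callable[[Packet], bool]] = None  # "function operation" hook

class Matcher:
    def __init__(self, rules: Sequence[Rule]) -> None:
        self.rules = list(rules)
        self.flow_lens: dict = defaultdict(list)  # five-tuple -> payload lengths seen
        self.src_count: dict = defaultdict(int)   # source IP -> packets seen

    def feed(self, p: Packet) -> list:
        """Update per-flow and per-source state, then return names of all rules that hit."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        self.flow_lens[key].append(len(p.payload))
        self.src_count[p.src] += 1
        return [r.name for r in self.rules if self._match(r, p, key)]

    def _match(self, r: Rule, p: Packet, key: tuple) -> bool:
        if any(getattr(p, f) != v for f, v in r.five_tuple.items()):
            return False
        if r.tcp_flags is not None and p.tcp_flags != r.tcp_flags:
            return False
        n = len(p.payload)
        if n < r.min_len or (r.max_len is not None and n > r.max_len):
            return False
        if any(k not in p.payload for k in r.keywords):
            return False
        if r.length_seq is not None and \
                self.flow_lens[key][-len(r.length_seq):] != list(r.length_seq):
            return False
        if r.src_threshold is not None and self.src_count[p.src] < r.src_threshold:
            return False
        return r.predicate is None or r.predicate(p)

# Constructed rules, each combining several matching dimensions (hypothetical, not the patent's rule base).
RULES = [
    Rule("http_sqli", five_tuple={"proto": "tcp", "dport": 80}, keywords=(b"UNION", b"SELECT")),
    Rule("syn_burst", tcp_flags="S", max_len=0, src_threshold=3),   # 3rd empty SYN from one source
    Rule("udp_len_seq", five_tuple={"proto": "udp"}, length_seq=(4, 4, 64)),
    Rule("block_aligned", predicate=lambda p: len(p.payload) > 0 and len(p.payload) % 16 == 0),
]

def run_demo() -> dict:
    """Feed a constructed packet sequence through RULES and return {label: [rule hits]}."""
    m = Matcher(RULES)
    pkts = {
        "sqli": Packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp", "PA",
                       b"GET /?id=1 UNION SELECT 1 HTTP/1.1"),
        "syn1": Packet("10.0.0.7", 50001, "10.0.0.9", 22, "tcp", "S"),
        "syn2": Packet("10.0.0.7", 50002, "10.0.0.9", 23, "tcp", "S"),
        "syn3": Packet("10.0.0.7", 50003, "10.0.0.9", 80, "tcp", "S"),
        "udp1": Packet("10.0.0.8", 4000, "10.0.0.10", 4000, "udp", "", b"\x00" * 4),
        "udp2": Packet("10.0.0.8", 4000, "10.0.0.10", 4000, "udp", "", b"\x00" * 4),
        "udp3": Packet("10.0.0.8", 4000, "10.0.0.10", 4000, "udp", "", b"\x00" * 64),
    }
    return {label: m.feed(p) for label, p in pkts.items()}
```

The third SYN from one source trips the statistical rule, and the third UDP datagram completes both the length-sequence rule and the predicate rule, showing how one packet can hit several compound rules at once.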
Based on the first aspect, the operation and maintenance management layer further supports interaction over three protocols, namely HTTPS, SNMP v2c and SSH, where HTTPS provides the Web operations for configuration maintenance, and SNMP v2c and SSH are used to read and write state directly from the engine and to perform the bottom-layer operations of forwarding control and traffic monitoring.
Because the HTTPS service backs the operational Web interface and needs a large amount of runtime resources, a dedicated external server is provided for it so that it does not affect performance. The SNMP and SSH services are built into the server and respond to commands in real time. All of these services work out of band: their traffic is sent and received through an independent 1GE interface on the CPU of the switch card, so the service channel is not occupied. To ensure security, SNMP uses version v2c, and SSH is hardened on the basis of OpenSSH 7.8p1, with known CVE vulnerabilities patched and redundant information that an attacker could probe during protocol interaction removed. The functions provided are: state monitoring, service card management, traffic monitoring, VLAN management and forwarding control.
In some embodiments of the present application, the system further has evidence collection and preservation functions, including evidence collection with redirection, and file restoration.
Evidence collection and redirection: retaining evidence of attacks is a fundamental requirement of network security detection and protection. Evidence must be accurate, complete, confidential and non-repudiable. Users can flexibly customise the forensics strategy according to field requirements, retaining 'only the hit' packet, 'N packets after the hit' or 'all packets after the hit'. Retained packets carry data-source information and rule-hit information, can be stored classified by timestamp and flow characteristics, and can be exported locally through the configuration management interface of the operation and maintenance management layer. The product also supports stream-filter redirection: streams matching a rule can be redirected to a designated physical port of the switch card (or chassis) for further processing by other devices. The software filter supports complex Snort rule combinations and function plug-ins, and the details of a redirection can be queried through the configuration management interface.
This function is implemented by the detection engine of the attack detection layer. First, a packet is parsed by the engine's decoder and dispatched to the correct protocol processing module, which reassembles subsequent packets of the same five-tuple to establish flow information. For a TCP flow the three-way handshake packets must be received; for a UDP flow at least one response packet must be received. Once the flow is established, its flow information is registered with the detection module and the rules take effect on every packet. If the forensics flag is enabled for a rule, the flow's packets are stored through the internal bus to the database on the service card according to the forensics type, namely 'only the hit', 'N packets after the hit' or 'all packets after the hit'; if the redirect flag is enabled for the rule and a redirect port is available, all packets of the flow are copied to the designated port for transmission.
File restoration: restoring files carried in protocol streams such as HTTP, SMTP and FTP is supported. First, the engine tracks and reassembles the stream through the protocol analyser, which then decompresses the data where applicable. The restored data files can be imported in batches into a sandbox system for further analysis, evidence collection and retention.
In some embodiments of the present application, the system further has a correlation analysis function, which forms the core of the backend and the user plane and is divided into two interaction subsystems and a core algorithm aggregation module. The operation and maintenance subsystem supports users' operation and maintenance management through friendly interfaces and performs configuration maintenance of the control-plane functions related to the software. The service subsystem in the operation and maintenance management layer supports users' security service functions such as rule editing, event processing, log backup, evidence dump, online analysis and report generation. The situation awareness algorithm set relies on intelligent analysis to extract genuine security problems from large volumes of data. The algorithms combine traffic characteristics, behaviour analysis modelling, various supervised learning algorithms, machine learning, big-data association and other techniques; they can detect and analyse traffic, overcome the blindness of security detection based on static and dynamic signature libraries to unknown threats, detect low-probability threats without depending on rules, effectively detect APT attacks and the unknown threats hidden in the network, and improve overall network security capability.
Through real-time correlation analysis and the event distribution subscription service, the method can display a summary and details of attacks within China or worldwide, list the TOP 5 attack sources and targets (cities, countries), scroll the latest threat data and rankings, and supports rule management, searching and the like. Data are provided through interfaces in XML, YAML, JSON and other formats and can be used for secondary development.
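File restoration as an added example, not the patent's protocol analyser: TCP segments of a constructed HTTP response are reassembled by sequence number (dropping a retransmitted segment), the headers are split from the body, the gzip content encoding is undone and the restored file is identified by name, size and SHA-256 for hand-off to a sandbox. reassemble, restore_http_body and the sample response are hypothetical; Content-Length and gzip are the only framing and encoding handled.

```python
import gzip
import hashlib
from typing import Iterable, Tuple

def reassemble(segments: Iterable[Tuple[int, bytes]], isn: int) -> bytes:
    """Order TCP segments (seq, data) relative to the initial sequence number.

    Retransmitted or overlapping bytes are dropped; a gap raises ValueError so a
    partial stream is never passed off as a complete file.
    """
    stream = bytearray()
    expected = isn
    for seq, data in sorted(segments, key=lambda s: s[0]):
        offset = seq - expected
        if offset < 0:                   # already have these bytes (retransmission/overlap)
            data = data[-offset:]
            if not data:
                continue
        elif offset > 0:
            raise ValueError(f"gap of {offset} bytes before seq {seq}")
        stream += data
        expected += len(data)
    return bytes(stream)

def restore_http_body(stream: bytes) -> dict:
    """Split an HTTP/1.x response into headers and body, undo gzip, describe the file."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    body = body[:length]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)        # raises on corrupt data rather than emitting junk
    filename = "restored.bin"
    disposition = headers.get("content-disposition", "")
    if "filename=" in disposition:
        filename = disposition.split("filename=", 1)[1].strip('"; ')
    return {
        "filename": filename,
        "content_type": headers.get("content-type", ""),
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "data": body,
    }

def run_demo() -> dict:
    """Constructed sample: a gzip-encoded download split into out-of-order TCP segments."""
    original = b"MZ" + b"\x00" * 62 + b"constructed sample payload\n" * 8
    compressed = gzip.compress(original, mtime=0)
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b'Content-Disposition: attachment; filename="update.bin"\r\n'
                b"Content-Encoding: gzip\r\nContent-Length: " + str(len(compressed)).encode()
                + b"\r\n\r\n" + compressed)
    isn = 1000
    segments = [(isn + i, response[i:i + 100]) for i in range(0, len(response), 100)]
    segments.append(segments[1])   # one retransmitted segment
    segments.reverse()             # segments arrive out of order
    return restore_http_body(reassemble(segments, isn))
```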
In a second aspect, the present application provides a network gateway traffic security situation awareness method, including the following steps:
capturing a network data packet based on PCAP through a data acquisition layer, and distributing the network data packet to an attack detection layer;
according to the network data packet, the attack detection layer is combined with a preset blacklist library to perform protocol analysis and rule matching, monitor and analyze network attack behaviors in real time, and display attack behavior data;
detection algorithm tuning, equalizer tuning, rule management and offline packet management are performed by the operation and maintenance management layer.
In the embodiments provided in the present application, it should be understood that the disclosed method and system may be implemented in other manners. The above-described method and system embodiments are merely illustrative; for example, the flow charts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of methods, systems and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The above is only a preferred embodiment of the present application, and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (10)
1. A network gateway flow security situation awareness system, characterised by comprising a data acquisition layer, an attack detection layer and an operation and maintenance management layer; a two-level distributed deployment mode is adopted, in which a first-level management platform is deployed at headquarters, builds a unified identity authentication centre and a policy control centre, and provides policy control services in a dual-machine hot-standby working mode; a second-level management platform is deployed in each region to detect network threats in real time, receive the management and control policies issued by the first-level management platform, and perform security management of the terminals accessing the network domain; wherein:
the data acquisition layer is used for capturing a network data packet based on PCAP and distributing the network data packet to the attack detection layer;
the attack detection layer is used for carrying out protocol analysis and rule matching according to the network data packet and combining with a preset blacklist library, monitoring and analyzing network attack behaviors in real time and displaying attack behavior data;
and the operation and maintenance management layer is used for detection algorithm tuning, equalizer tuning, rule management and offline packet management.
2. The network gateway flow security situation awareness system of claim 1, wherein the attack detection layer comprises a protocol-level equalizer subsystem, a fast look-up table engine subsystem, a rule association analysis engine subsystem, a rule management subsystem and an event distribution subscription subsystem.
3. The network gateway flow security situation awareness system of claim 2, wherein the data acquisition layer comprises a PCAP packet automatic storage and push subsystem and a stream distribution and equalization subsystem, wherein:
the PCAP packet automatic storage and push subsystem is used for capturing and storing network data packets based on PCAP and pushing the network data packets to the stream distribution and equalization subsystem;
and the stream distribution and equalization subsystem is used for equalizing and distributing the received network data packets to the protocol-level equalizer subsystem and the fast look-up table engine subsystem.
4. The network gateway flow security situation awareness system of claim 2, wherein the operation and maintenance management layer comprises a detection algorithm tuning subsystem, an equalizer tuning subsystem, a rule management subsystem and an offline packet management subsystem.
5. The network gateway flow security situation awareness system of claim 1, wherein the decoder inside the attack detection layer supports identification and parsing of the Ethernet-based network base protocols MPLS, IP, TCP, UDP, ICMP, HTTP, HTTPS, DNS, FTP, TELNET and TLS for real-time detection of various hacking attacks and malicious traffic.
6. The network gateway flow security situation awareness system of claim 1, wherein the attack detection layer further supports deep parsing of DNP3, MODBUS, ENIP, S7, OPC DA and OPC UA for real-time detection of malicious behaviour using various technical means such as network reconnaissance, port scanning, privilege enumeration, code penetration, vulnerability exploitation, data leakage, protocol forgery and protocol non-compliance.
7. The network gateway flow security situation awareness system of claim 1, wherein the attack detection layer supports combination rules of multiple forms spanning protocol stacks for fixed rule matching, including matching of multiple floating keywords anywhere in the packet, and compound-rule matching of arbitrary combinations of the five-tuple, TCP flag bits, payload length, characteristic strings, statistical rules and payload-length sequence rules.
8. The network gateway flow security situation awareness system of claim 1, wherein the operation and maintenance management layer supports interaction over the HTTPS, SNMP v2c and SSH protocols, wherein HTTPS is used to provide Web operations for configuration maintenance, and SNMP v2c and SSH are used to read and write state directly from the engine and to perform the bottom-layer operations of forwarding control and traffic monitoring.
9. The network gateway flow security situation awareness system of claim 1, wherein said operation and maintenance management layer employs a B/S architecture.
10. A network gateway flow security situation awareness method, characterised by comprising the following steps:
adopting a two-level distributed deployment mode, in which a first-level management platform is deployed at headquarters, builds a unified identity authentication centre and a policy control centre, and provides policy control services in a dual-machine hot-standby working mode, and a second-level management platform is deployed in each region to detect network threats in real time, receive the management and control policies issued by the first-level management platform, and perform security management of the terminals accessing the network domain;
capturing a network data packet based on PCAP through a data acquisition layer, and distributing the network data packet to an attack detection layer;
according to the network data packet, the attack detection layer is combined with a preset blacklist library to perform protocol analysis and rule matching, monitor and analyze network attack behaviors in real time, and display attack behavior data;
detection algorithm tuning, equalizer tuning, rule management and offline packet management are performed by the operation and maintenance management layer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311111229.8A CN116827698B (en) | 2023-08-31 | 2023-08-31 | Network gateway flow security situation awareness system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311111229.8A CN116827698B (en) | 2023-08-31 | 2023-08-31 | Network gateway flow security situation awareness system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116827698A CN116827698A (en) | 2023-09-29 |
CN116827698B true CN116827698B (en) | 2023-12-05 |
Family
ID=88143274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311111229.8A Active CN116827698B (en) | 2023-08-31 | 2023-08-31 | Network gateway flow security situation awareness system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116827698B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1668015A (en) * | 2004-12-20 | 2005-09-14 | 华中科技大学 | Cooperative intrusion detection based large-scale network security defense system |
CN104468537A (en) * | 2014-11-25 | 2015-03-25 | 公安部第三研究所 | System and method for achieving safety audit |
CN105187771A (en) * | 2015-07-31 | 2015-12-23 | 山东创德软件技术有限公司 | Plant-level comprehensive supervision platform |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
CN109474607A (en) * | 2018-12-06 | 2019-03-15 | 连云港杰瑞深软科技有限公司 | A kind of industrial control network safeguard protection monitoring system |
CN110636085A (en) * | 2019-11-12 | 2019-12-31 | 中国移动通信集团广西有限公司 | Attack detection method and device based on flow and computer readable storage medium |
CN115378647A (en) * | 2022-07-15 | 2022-11-22 | 中国电子科技集团公司第三十研究所 | Policy analysis optimization method and system based on flow rule characteristics |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3022852B1 (en) * | 2013-07-17 | 2023-08-02 | Hughes Network Systems, LLC | System and architecture for space-based and mobile terrestrial sensor vehicles |
Non-Patent Citations (3)
Title |
---|
DTR/ESI-000033.Technical Report Electronic Signatures and Infrastructures (ESI) * |
Mapping Comparison Matrix between the US Federal Bridge CA Certificate Policy and the European Qualified Certificate Policy (TS 101 456). ETSI TR 102 458, 2006, (V1.1.1), full text. * |
Research on the analysis and experimental platform of a train safety monitoring sensor network; 张道于; China Master's Theses Full-text Database; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN116827698A (en) | 2023-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11902322B2 (en) | Method, apparatus, and system to map network reachability | |
CN112651006B (en) | Power grid security situation sensing system | |
US12069073B2 (en) | Cyber threat defense system and method | |
US20210273961A1 (en) | Apparatus and method for a cyber-threat defense system | |
US20200412767A1 (en) | Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks | |
Khan et al. | Network forensics: Review, taxonomy, and open challenges | |
US20160359887A1 (en) | Domain name system (dns) based anomaly detection | |
CN112738016A (en) | Intelligent security event correlation analysis system for threat scene | |
CN108111487B (en) | Safety monitoring method and system | |
Bidou | Security operation center concepts & implementation | |
Pan et al. | Anomaly based intrusion detection for building automation and control networks | |
CN114553537A (en) | Abnormal flow monitoring method and system for industrial Internet | |
CN114640548A (en) | Network security sensing and early warning method and system based on big data | |
Zhou et al. | Netsecradar: A visualization system for network security situational awareness | |
Qiu et al. | Global Flow Table: A convincing mechanism for security operations in SDN | |
Haddadi et al. | Botnet behaviour analysis: How would a data analytics‐based system with minimum a priori information perform? | |
Singh et al. | Cyber kill chain-based hybrid intrusion detection system for smart grid | |
Roponena et al. | Towards a Human-in-the-Loop Intelligent Intrusion Detection System. | |
CN117792733A (en) | Network threat detection method and related device | |
Hermanowski | Open source security information management system supporting it security audit | |
CN116827698B (en) | Network gateway flow security situation awareness system and method | |
Bryant | Hacking SIEMs to Catch Hackers: Decreasing the Mean Time to Respond to Network Security Events with a Novel Threat Ontology in SIEM Software | |
Gavrilovic et al. | Snort IDS system visualization interface for alert analysis | |
Jain et al. | The role of decision tree technique for automating intrusion detection system | |
Ennert et al. | Data Visualization of Network Security Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||