CN118101225A - Intrusion detection method, intrusion detection device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN118101225A
Authority
CN
China
Prior art keywords
message
level
security
security level
intrusion detection
Prior art date
Legal status
Pending
Application number
CN202211460333.3A
Other languages
Chinese (zh)
Inventor
申炜
Current Assignee
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Priority date
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an intrusion detection method, an intrusion detection device, electronic equipment and a storage medium in the technical field of communication. The intrusion detection method comprises the following steps: performing security level analysis on a received message to obtain the security level of the message; if the security level of the message is contained in a preset level set, performing intrusion detection on the message; and processing the message based on the intrusion detection result. Whether a message undergoes intrusion detection is therefore decided by its security level, so that when system resources (that is, the resources consumed by intrusion detection) are scarce, the limited resources are devoted sooner and in larger share to detecting the less secure messages, which reduces the probability of missing an intrusion event when system resources are scarce.

Description

Intrusion detection method, intrusion detection device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an intrusion detection method, an intrusion detection device, an electronic device, and a storage medium.
Background
An intrusion prevention system (Intrusion Prevention System, IPS) is one of the key functions of a firewall: by monitoring traffic it can interrupt, adjust or isolate abnormal or harmful network behaviour in time.
However, as network scale and transmission speed grow rapidly, the demands on IPS processing speed rise with them, and improving hardware and detection algorithms alone cannot meet the line-rate processing requirement of traffic above 10 Gb/s. When a large number of messages must be processed, each message has to pass through a series of detection steps (vulnerability attack, virus, behaviour analysis and the like) that consume a large amount of system resources; once system resources are exhausted, the only option for subsequent messages is a release (BYPASS) strategy, so attacks or viruses in those messages go undetected and intrusion events are missed.
Disclosure of Invention
An embodiment of the present application provides an intrusion detection method, an intrusion detection device, electronic equipment and a storage medium, which address the high probability of missing an intrusion event when system resources are scarce in the related art.
In a first aspect, an embodiment of the present application provides an intrusion detection method, including:
receiving a message;
performing security level analysis on the message to obtain the security level of the message;
if the security level of the message is contained in a preset level set, performing intrusion detection on the message;
and processing the message based on the intrusion detection result.
In some embodiments, performing security level analysis on the message to obtain the security level of the message includes:
acquiring the dimension values of the message in different dimensions; querying, from a pre-established security value table for each dimension, the security value corresponding to the dimension value of the message in that dimension; performing a weighted summation of the security values corresponding to the dimension values of the message in the different dimensions; and determining the security level of the message based on the weighted summation result; or alternatively,
determining the security level corresponding to the Internet Protocol (IP) address of the message based on a pre-established correspondence between IP addresses and security levels, and taking that security level as the security level of the message.
In some embodiments, after performing intrusion detection on the message, the method further includes:
updating the security values corresponding to the dimension values of the message in the different dimensions according to the intrusion detection result.
In some embodiments, the method further includes:
if the security level of the message is higher than the highest level in the preset level set, forwarding the message without performing intrusion detection on it;
if the security level of the message is lower than the lowest level in the preset level set, discarding the message without performing intrusion detection on it.
In some embodiments, performing intrusion detection on the message includes:
obtaining a parsing result of the message using the message parsing mode corresponding to the security level of the message;
and determining whether the message is an intrusion message based on the parsing result of the message.
In some embodiments, obtaining the parsing result of the message using the message parsing mode corresponding to the security level of the message includes:
if the security level of the message is the highest level in the preset level set, obtaining the parsing result of the message using a single-message parsing mode;
and if the security level of the message is the lowest level in the preset level set, obtaining the parsing result of the message using a multi-message parsing mode.
In a second aspect, an embodiment of the present application provides an intrusion detection device, including:
a receiving module, configured to receive a message;
an analysis module, configured to perform security level analysis on the message to obtain the security level of the message;
a detection module, configured to perform intrusion detection on the message if the security level of the message is contained in a preset level set;
and a processing module, configured to process the message based on the intrusion detection result.
In some embodiments, the analysis module is specifically configured to:
acquire the dimension values of the message in different dimensions; query, from a pre-established security value table for each dimension, the security value corresponding to the dimension value of the message in that dimension; perform a weighted summation of the security values corresponding to the dimension values of the message in the different dimensions; and determine the security level of the message based on the weighted summation result; or alternatively,
determine the security level corresponding to the Internet Protocol (IP) address of the message based on a pre-established correspondence between IP addresses and security levels, and take that security level as the security level of the message.
In some embodiments, the device further includes an update module configured to:
after intrusion detection has been performed on the message, update the security values corresponding to the dimension values of the message in the different dimensions according to the intrusion detection result.
In some embodiments, the processing module is further configured to:
if the security level of the message is higher than the highest level in the preset level set, forward the message without performing intrusion detection on it;
if the security level of the message is lower than the lowest level in the preset level set, discard the message without performing intrusion detection on it.
In some embodiments, the detection module is specifically configured to:
obtain the parsing result of the message using the message parsing mode corresponding to the security level of the message;
and determine whether the message is an intrusion message based on the parsing result of the message.
In some embodiments, the detection module is specifically configured to:
if the security level of the message is the highest level in the preset level set, obtain the parsing result of the message using a single-message parsing mode;
and if the security level of the message is the lowest level in the preset level set, obtain the parsing result of the message using a multi-message parsing mode.
In a third aspect, an embodiment of the present application provides an electronic device, including at least one processor and a memory communicatively coupled to the at least one processor, wherein:
the memory stores a computer program executable by the at least one processor, which enables the at least one processor to perform the intrusion detection method described above.
In a fourth aspect, an embodiment of the present application provides a storage medium storing instructions which, when executed by a processor of an electronic device, cause the electronic device to perform the intrusion detection method described above.
In the embodiments of the present application, security level analysis is performed on the received message to obtain its security level; if that security level is contained in a preset level set, intrusion detection is performed on the message, and the message is processed based on the intrusion detection result. Whether a message undergoes intrusion detection is therefore decided by its security level, so that when system resources (the resources consumed by intrusion detection) are scarce, the limited resources are devoted sooner and in larger share to detecting the less secure messages, which reduces the probability of missing an intrusion event when system resources are scarce.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic diagram of an intrusion detection process according to an embodiment of the present application;
FIG. 2 is a flowchart of an intrusion detection method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a message processing procedure according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an intrusion detection device according to an embodiment of the present application;
FIG. 5 is a schematic hardware structure of an electronic device for implementing an intrusion detection method according to an embodiment of the present application.
Detailed Description
To address the high probability of missed intrusion events when system resources are scarce in the related art, an embodiment of the present application provides an intrusion detection method, an intrusion detection device, electronic equipment and a storage medium.
The preferred embodiments of the present application are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the application and do not limit it, and that the embodiments and their features may be combined with each other where they do not conflict.
In the related art, when a large number of messages must undergo intrusion detection, each message has to pass through a series of detection steps (vulnerability attack, virus, behaviour analysis and the like) that consume a large amount of system resources, so when system resources are exhausted the only option for subsequent messages is a BYPASS strategy. In Fig. 1, black arrows denote intrusion messages (messages carrying attack behaviour), dark grey arrows denote normal messages, and light grey arrows denote messages handled by the BYPASS policy. Since a message handled by the BYPASS policy may be either an intrusion message or a normal message, an attack or virus inside it cannot be detected and the intrusion event is missed.
The inventors therefore propose grading messages by security level, omitting unnecessary intrusion detection for messages of high security and devoting system resources as far as possible to intrusion detection of messages of lower security level, thereby reducing the probability of missed intrusion detections when system resources are scarce.
Having described the inventive concepts of the embodiments of the present application, the intrusion detection method proposed by the present application is described below with specific embodiments.
Fig. 2 is a flowchart of an intrusion detection method according to an embodiment of the present application, including the following steps.
In step 201, a message is received.
The message may be any received message (i.e. a packet). Typically the message belongs to a flow session.
In step 202, security level analysis is performed on the message to obtain the security level of the message.
In some embodiments, the dimension values of the message in different dimensions are obtained; the security value corresponding to the dimension value in each dimension is looked up in a pre-established security value table for that dimension; the security values corresponding to the dimension values in the different dimensions are then weighted and summed; and the security level of the message is determined from the weighted sum.
Assume three dimensions: user, application and uniform resource locator (Uniform Resource Locator, URL). A security value table for each of the user dimension, the application dimension and the URL dimension can be established in advance: the user-dimension table stores the security values of different users, the application-dimension table stores the security values of different applications, and the URL-dimension table stores the security values of different URLs.
For the user dimension, the flow session to which the message belongs is determined, the user to which that flow session belongs is taken as the dimension value of the message in the user dimension, and the security value found for that dimension value in the user-dimension table is the security value of the message in the user dimension. For the application dimension, application identification is performed on the message; if identification succeeds, the application to which the message belongs is obtained, and the security value found for that dimension value in the application-dimension table is the security value of the message in the application dimension. For the URL dimension, if a URL can be extracted from the message, the security value found for it in the URL-dimension table is the security value of the message in the URL dimension.
The security values of the message in the user, application and URL dimensions are then weighted and summed to obtain the comprehensive security value of the message, and the security level corresponding to that comprehensive value is determined from a pre-established correspondence between comprehensive security values and security levels; this is the security level of the message. The weight of each dimension may be set in advance by a technician according to actual requirements and is not described further here.
Because the security value tables for the different dimensions are established in advance, once the dimension values of a message are obtained the corresponding security values can be looked up directly, which speeds up determination of the message's security level and hence message processing.
It should be noted that when the dimension value of the message in some dimension cannot be determined, the dimension value in that dimension may be set to a preset value, such as zero.
In other embodiments, a correspondence between Internet Protocol (IP) addresses and security levels may be established in advance; the security level corresponding to the IP address of the message is determined from this correspondence and taken as the security level of the message.
This method is simple and determines the security level of the message quickly, so it can also improve message processing speed.
In step 203, if the security level of the message is contained in the preset level set, intrusion detection is performed on the message.
Assume the security levels of messages are the first level, the second level, the third level and the fourth level, with security decreasing in that order. The preset level set may then be { second level, third level }.
Since the security levels within the preset level set differ in practice, different message parsing modes can be assigned to the different security levels in the set to make intrusion detection more reasonable. For example, if the security level of the message is the highest level in the preset level set (i.e. the second level), the parsing result of the message may be obtained with a single-message parsing mode; if it is the lowest level in the preset level set (i.e. the third level), the parsing result may be obtained with a multi-message parsing mode. Whether the message is an intrusion message is then determined from the parsing result.
In the single-message parsing mode only the single message is parsed and intrusion detection is performed on that parse; this mode cannot detect a virus or attack signature that is split across two different messages. In the multi-message parsing mode several messages are parsed, their related content is merged into complete content, and intrusion detection is then performed on the merged content.
Thus, when the security level of the message is the highest level in the preset level set, intrusion detection can be based on the parsing result of the current message alone, improving detection speed; when the security level is the lowest level in the preset level set, intrusion detection can be based on the parsing results of the current and subsequent messages, improving detection accuracy. Speed and accuracy of intrusion detection are thereby balanced.
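The difference between the two parsing modes is easiest to see on a signature that straddles a message boundary. The following Python example is added here to illustrate that; it is not code from the patent or from Ruijie Networks. The signatures, the flow contents and the choice to keep only the tail of earlier messages per session (a memory bound, which the patent does not specify) are all constructed assumptions.

```python
# Added illustration of single-message vs multi-message parsing (not the patent's code).
# Constructed attack signatures; a real IPS loads these from its rule set.
SIGNATURES = [b"/etc/passwd", b"cmd.exe /c"]
# Bytes of the previous message that must be retained so that a signature
# straddling a message boundary can still be matched (assumed memory bound).
OVERLAP = max(len(s) for s in SIGNATURES) - 1


def single_message_parse(msg: bytes) -> bool:
    """Single-message mode: inspect only this message.
    Fast, but blind to a signature split across two messages."""
    return any(sig in msg for sig in SIGNATURES)


class MultiMessageParser:
    """Multi-message mode: merge the related content of consecutive messages of
    one flow session before matching. Only the last OVERLAP bytes of earlier
    messages are kept per session, which is enough to match across a boundary."""

    def __init__(self) -> None:
        self._tail = {}  # session id -> retained tail bytes

    def parse(self, session: str, msg: bytes) -> bool:
        content = self._tail.get(session, b"") + msg
        self._tail[session] = content[-OVERLAP:] if OVERLAP else b""
        return any(sig in content for sig in SIGNATURES)


def scan_session(messages, mode: str):
    """Per-message verdicts for the messages of one flow session in the given mode."""
    if mode == "single":
        return [single_message_parse(m) for m in messages]
    parser = MultiMessageParser()
    return [parser.parse("flow-1", m) for m in messages]


# Constructed sample flow: the signature "/etc/passwd" is split over two messages.
SPLIT_FLOW = [b"GET /../../etc/pas", b"swd HTTP/1.1\r\n"]

if __name__ == "__main__":
    print("single:", scan_session(SPLIT_FLOW, "single"))  # [False, False]: missed
    print("multi: ", scan_session(SPLIT_FLOW, "multi"))   # [False, True]: caught
```

The single-message mode scans each message in isolation and never sees the complete string, whereas the multi-message mode reports the intrusion on the second message once the two fragments are merged; this is the speed-versus-accuracy trade-off the text assigns to the second and third levels.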
In step 204, the message is processed based on the intrusion detection result.
For example, when the intrusion detection result is that the message is a normal message, it can be forwarded normally; when the result is that the message is an intrusion message, it can be discarded.
In step 205, if the security level of the message is higher than the highest level in the preset level set, intrusion detection is not performed on the message and it is forwarded directly.
That is, when the security level of the message is the first level, the intrusion detection process is skipped and the message is forwarded directly. This applies to messages that have been determined to be normal messages.
In step 206, if the security level of the message is lower than the lowest level in the preset level set, intrusion detection is not performed on the message and it is discarded directly.
That is, when the security level of the message is the fourth level, the intrusion detection process is skipped and the message is discarded directly. This applies to messages that have been determined to be intrusion messages.
In addition, after intrusion detection has been performed on the message, the security values corresponding to the dimension values of the message in the different dimensions can be updated according to the intrusion detection result, which improves the accuracy of each security value table.
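Steps 201 to 206 together form one decision procedure: look up per-dimension security values, weight and sum them, map the sum to a level, then forward, drop or detect according to where that level sits relative to the preset set, and feed the verdict back into the tables. The Python below is an added worked example of that procedure and is not the patent's or Ruijie's code. The weights, the value tables, the thresholds that map a comprehensive value to a level, the numeric level encoding (1 = first level, most secure), the treatment of a dimension value missing from its table as zero, and the stand-in `demo_detect` signature check are all assumptions made for the example.

```python
# Added example of the security-level analysis and dispatch of steps 201-206 (not the patent's code).
from typing import Callable, Dict, Optional

# Level numbering assumed for this example: 1 = first level (most secure) ... 4 = fourth level.
FIRST, SECOND, THIRD, FOURTH = 1, 2, 3, 4
PRESET_LEVELS = {SECOND, THIRD}                    # only these levels undergo intrusion detection
WEIGHTS = {"user": 0.5, "app": 0.3, "url": 0.2}   # assumed per-dimension weights
UNKNOWN_VALUE = 0                                 # a dimension that cannot be determined counts as zero


def make_tables() -> Dict[str, Dict[str, int]]:
    """Constructed security value tables, one per dimension (fresh copy per call)."""
    return {
        "user": {"alice": 8, "mallory": -5},
        "app": {"http": 3, "telnet": -3},
        "url": {"https://intranet.example/": 6},
    }


def composite_value(msg: dict, tables: Dict[str, Dict[str, int]], weights=WEIGHTS) -> float:
    """Weighted sum of the security values looked up for the message's dimension values."""
    total = 0.0
    for dim, weight in weights.items():
        dim_value: Optional[str] = msg.get(dim)
        value = tables[dim].get(dim_value, UNKNOWN_VALUE) if dim_value is not None else UNKNOWN_VALUE
        total += weight * value
    return total


def level_from_value(value: float) -> int:
    """Assumed correspondence between comprehensive security value and security level."""
    if value >= 6:
        return FIRST
    if value >= 2:
        return SECOND
    if value >= -2:
        return THIRD
    return FOURTH


def level_from_ip(ip: str, ip_levels: Dict[str, int], default: int = THIRD) -> int:
    """The simpler alternative of step 202: a pre-established IP address -> level mapping."""
    return ip_levels.get(ip, default)


def feedback(msg: dict, intrusion: bool, tables: Dict[str, Dict[str, int]]) -> None:
    """Update after detection: -1 on an intrusion verdict, +1 on a normal one, in every
    dimension whose value was determined (unknown entries start from UNKNOWN_VALUE; assumption)."""
    delta = -1 if intrusion else 1
    for dim in tables:
        dim_value = msg.get(dim)
        if dim_value is not None:
            tables[dim][dim_value] = tables[dim].get(dim_value, UNKNOWN_VALUE) + delta


def process_message(msg: dict, detect: Callable[[dict, str], bool],
                    tables: Dict[str, Dict[str, int]]):
    """Steps 203-206: returns (level, action) where action is 'forward' or 'drop'."""
    level = level_from_value(composite_value(msg, tables))
    if level < min(PRESET_LEVELS):   # more secure than the whole preset set: skip detection
        return level, "forward"
    if level > max(PRESET_LEVELS):   # less secure than the whole preset set: skip detection
        return level, "drop"
    # highest preset level -> single-message parsing, lowest -> multi-message parsing
    mode = "single" if level == min(PRESET_LEVELS) else "multi"
    intrusion = detect(msg, mode)
    feedback(msg, intrusion, tables)
    return level, ("drop" if intrusion else "forward")


def demo_detect(msg: dict, mode: str) -> bool:
    """Stand-in detector: a constructed signature match on the payload. A real IPS would
    parse one or several messages here according to `mode` before matching."""
    return b"/etc/passwd" in msg.get("payload", b"")


if __name__ == "__main__":
    tables = make_tables()
    samples = [  # constructed messages
        {"user": "alice", "app": "http", "url": "https://intranet.example/", "payload": b"GET /"},
        {"user": "mallory", "app": "telnet", "payload": b"GET /"},
        {"user": "bob", "app": "http", "payload": b"GET /etc/passwd"},
    ]
    for m in samples:
        print(m["user"], process_message(m, demo_detect, tables))
    print(tables)
```

Note that the feedback only runs for messages that were actually inspected: a first-level message is forwarded and a fourth-level message dropped without touching the tables, which is exactly why the periodic aging described later is needed to let those entries return to the detected range.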
Fig. 3 is a schematic diagram of a message processing procedure according to an embodiment of the present application; the procedure when a message passes through the firewall system is as follows:
1. The message passes through the application identification module, which identifies the application to which the message belongs and sends the message together with that application to the local security processing module.
2. The local security processing module determines the user corresponding to the message from the flow session to which the message belongs, extracts the URL from the message, and sends the user, application and URL information to the local security center.
3. The local security center looks up the security value of the message in the user dimension from the user-dimension security value table, in the application dimension from the application-dimension table and in the URL dimension from the URL-dimension table, and sends the three security values back to the local security processing module.
4. The local security processing module performs a weighted summation of the message's security values in the user, application and URL dimensions to obtain the comprehensive security value of the message, determines the security level of the message from that value and the pre-established correspondence between comprehensive security values and security levels, and finally sends the message and its security level to the protocol parsing module.
5. Assume the security levels are the first, second, third and fourth levels, with security decreasing in that order, and that the preset level set is { second level, third level }.
When the protocol parsing module determines that the security level of the message is higher than the highest level in the preset level set, i.e. the first level, it directly notifies the message forwarding engine to forward the message. When it determines that the security level is lower than the lowest level in the preset level set, i.e. the fourth level, the message is blocked directly (for example, discarded). When it determines that the security level is contained in the preset level set, i.e. the second or third level, the message is parsed with the parsing mode for that level: single-message parsing for the second level, multi-message parsing for the third level. The parsing result is then sent to the security protection module, which is notified to perform intrusion detection.
6. The security protection module performs intrusion detection on the parsing result; when the result is normal it notifies the message forwarding engine to forward the message, and when the result is abnormal it blocks the message. Finally, it feeds the detection result back to the local security center.
7. The message forwarding engine forwards the message.
8. The local security center updates the security values in the different dimensions according to the detection result, and may also age the security values of each dimension periodically.
For example, when the detection result of the message is normal, the security values of the message in the user, application and URL dimensions may each be increased by 1; when the detection result is abnormal, they may each be decreased by 1.
The aging mechanism is as follows: every 30 seconds the security value in each dimension is restored to that dimension's initial value. Messages that were at the first or fourth level thus have the opportunity to be reassigned to other security levels, no class of message stays at one security level indefinitely, and this prevents first-level messages from never being inspected and fourth-level messages that are not attacks from being blocked outright.
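The aging rule matters because the +1/-1 feedback alone only moves entries in one direction for traffic that is never inspected: a user pushed to the first level is forwarded without detection and so never receives a -1, and a fourth-level entry is dropped without detection and never receives a +1. The Python below is an added example of one dimension's table with the 30-second restore; it is not the patent's or Ruijie's code. The initial values, the injected clock (`now` in seconds rather than wall-clock time) and the timeline are constructed for the example.

```python
# Added example of the 30-second aging of a security value table (not the patent's code).
AGING_INTERVAL_S = 30   # from the description: values return to their initial value every 30 s


class AgingSecurityTable:
    """One dimension's security value table with the periodic aging mechanism.
    The clock is injected (`now`, in seconds) so the behaviour can be tested offline."""

    def __init__(self, initial: dict, now: float) -> None:
        self._initial = dict(initial)   # values the table is restored to
        self._values = dict(initial)
        self._last_reset = now

    def _age(self, now: float) -> None:
        """Restore initial values once 30 s have elapsed; keep the 30 s cadence."""
        elapsed = now - self._last_reset
        if elapsed >= AGING_INTERVAL_S:
            self._values = dict(self._initial)
            self._last_reset += (elapsed // AGING_INTERVAL_S) * AGING_INTERVAL_S

    def get(self, key: str, now: float) -> int:
        self._age(now)
        return self._values.get(key, self._initial.get(key, 0))

    def adjust(self, key: str, delta: int, now: float) -> int:
        """Apply a detection verdict (+1 normal / -1 intrusion); returns the new value."""
        self._age(now)
        self._values[key] = self._values.get(key, self._initial.get(key, 0)) + delta
        return self._values[key]


def simulate() -> dict:
    """Constructed timeline for the user dimension: alice gets ten normal verdicts and
    mallory ten intrusion verdicts in the first 10 s; both are inspected again after 30 s."""
    table = AgingSecurityTable({"alice": 2, "mallory": 2}, now=0)
    for t in range(10):
        table.adjust("alice", +1, now=t)
        table.adjust("mallory", -1, now=t)
    return {
        "alice_before": table.get("alice", now=29),       # 12: high enough to skip detection
        "mallory_before": table.get("mallory", now=29),   # -8: low enough to be dropped outright
        "alice_after": table.get("alice", now=31),        # 2: restored, detection resumes
        "mallory_after": table.get("mallory", now=31),    # 2: restored, no longer dropped unseen
        "alice_new_verdict": table.adjust("alice", -1, now=40),  # 1: feedback works after reset
    }


if __name__ == "__main__":
    print(simulate())
```

Resetting to the initial value rather than decaying gradually is the behaviour the text describes; a production implementation would also want the reset to happen on a timer rather than lazily on the next lookup, but the observable values are the same.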
In the embodiments of the present application, analysing the security level of each message reduces unnecessary intrusion detection for messages of high security and lets system resources be devoted sooner and in larger share to detecting messages of low security, which effectively reduces the probability of missing an intrusion event when system resources are insufficient.
In addition, the scheme of the embodiments can be extended to other security detection functions of a firewall, such as anti-virus (AntiVirus), and can also be applied to switches, routers and other network devices that provide IPS.
Based on the same technical concept, an embodiment of the present application also provides an intrusion detection device. Since the principle by which the device solves the problem is similar to that of the intrusion detection method, its implementation may refer to the implementation of the method and is not repeated here.
Fig. 4 is a schematic structural diagram of an intrusion detection device according to an embodiment of the present application; it includes a receiving module 401, an analysis module 402, a detection module 403 and a processing module 404.
The receiving module 401 is configured to receive a message;
the analysis module 402 is configured to perform security level analysis on the message to obtain the security level of the message;
the detection module 403 is configured to perform intrusion detection on the message if the security level of the message is contained in a preset level set;
and the processing module 404 is configured to process the message based on the intrusion detection result.
In some embodiments, the analysis module 402 is specifically configured to:
acquire the dimension values of the message in different dimensions;
query, from a pre-established security value table for each dimension, the security value corresponding to the dimension value of the message in that dimension;
perform a weighted summation of the security values corresponding to the dimension values of the message in the different dimensions;
and determine the security level of the message based on the weighted summation result.
In some embodiments, the device further includes an update module 405 configured to:
after intrusion detection has been performed on the message, update the security values corresponding to the dimension values of the message in the different dimensions according to the intrusion detection result.
In some embodiments, the processing module 404 is further configured to:
if the security level of the message is higher than the highest level in the preset level set, forward the message without performing intrusion detection on it;
if the security level of the message is lower than the lowest level in the preset level set, discard the message without performing intrusion detection on it.
In some embodiments, the detection module 403 is specifically configured to:
obtain the parsing result of the message using the message parsing mode corresponding to the security level of the message;
and determine whether the message is an intrusion message based on the parsing result of the message.
In some embodiments, the detection module 403 is specifically configured to:
if the security level of the message is the highest level in the preset level set, obtain the parsing result of the message using a single-message parsing mode;
and if the security level of the message is the lowest level in the preset level set, obtain the parsing result of the message using a multi-message parsing mode.
The division into modules in the embodiments of the present application is only a schematic division by logical function; other divisions are possible in actual implementation. Each functional module in the embodiments may be integrated in one processor or exist physically on its own, and two or more modules may be integrated in one module. The modules are coupled to each other through interfaces, which are typically electrical communication interfaces, although mechanical or other forms of interface are not excluded. Modules shown as separate components may or may not be physically separate, and may be located in one place or distributed across different locations on the same or different devices. The integrated modules may be implemented in hardware or as software functional modules.
Having described the intrusion detection method and apparatus of an exemplary embodiment of the present application, next, an electronic device according to another exemplary embodiment of the present application is described.
An electronic device 130 implemented according to such an embodiment of the present application is described below with reference to fig. 5. The electronic device 130 shown in fig. 5 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present application.
As shown in fig. 5, the electronic device 130 is in the form of a general-purpose electronic device. Components of the electronic device 130 may include, but are not limited to: at least one processor 131, at least one memory 132, and a bus 133 connecting the various system components (including the memory 132 and the processor 131).
Bus 133 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures.
Memory 132 may include readable media in the form of volatile memory such as Random Access Memory (RAM) 1321 and/or cache memory 1322, and may further include Read Only Memory (ROM) 1323.
Memory 132 may also include a program/utility 1325 having a set (at least one) of program modules 1324, such program modules 1324 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The electronic device 130 may also communicate with one or more external devices 134 (e.g., keyboard, pointing device, etc.), one or more devices that enable a user to interact with the electronic device 130, and/or any device (e.g., router, modem, etc.) that enables the electronic device 130 to communicate with one or more other electronic devices. Such communication may occur through an input/output (I/O) interface 135. Also, electronic device 130 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 136. As shown, network adapter 136 communicates with other modules for electronic device 130 over bus 133. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 130, including, but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment, a storage medium is also provided, which is capable of performing the above-described intrusion detection method when a computer program in the storage medium is executed by a processor of an electronic device. Alternatively, the storage medium may be a non-transitory computer readable storage medium, which may be, for example, ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.
In an exemplary embodiment, the electronic device of the present application may include at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor, which when executed by the at least one processor, causes the at least one processor to perform the steps of any of the intrusion detection methods provided by the embodiments of the present application.
In an exemplary embodiment, a computer program product is also provided, which, when executed by an electronic device, is capable of carrying out any one of the exemplary methods provided by the application.
Also, a computer program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, a RAM, a ROM, an Erasable Programmable Read-Only Memory (EPROM), flash memory, optical fiber, Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for intrusion detection in embodiments of the present application may take the form of a CD-ROM and include program code that can run on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Program code for carrying out the operations of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present application. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be decomposed into multiple steps.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, the present application also includes such modifications and variations provided they come within the scope of the claims and their equivalents.

Claims (14)

1. An intrusion detection method, comprising:
Receiving a message;
carrying out security level analysis on the message to obtain the security level of the message;
If the security level of the message is contained in a preset level set, performing intrusion detection on the message;
and processing the message based on the intrusion detection result.
2. The method of claim 1, wherein performing a security level analysis on the message to obtain a security level of the message comprises:
acquiring dimension values of the message in different dimensions; querying, from a pre-established security value table for each dimension, the security value corresponding to the dimension value of the message in that dimension; carrying out a weighted summation of the security values corresponding to the dimension values of the message in the different dimensions; and determining the security level of the message based on the weighted summation result; or
based on a pre-established correspondence between Internet Protocol (IP) addresses and security levels, determining the security level corresponding to the IP address of the message, and taking the security level corresponding to the IP address of the message as the security level of the message.
3. The method of claim 1, further comprising, after performing intrusion detection on the message:
updating the security values corresponding to the dimension values of the message in the different dimensions according to the intrusion detection result.
4. The method as recited in claim 1, further comprising:
if the security level of the message is higher than the highest level in the preset level set, intrusion detection is not carried out on the message and the message is forwarded;
if the security level of the message is lower than the lowest level in the preset level set, intrusion detection is not carried out on the message and the message is discarded.
5. The method according to any of claims 1-4, wherein performing intrusion detection on the message comprises:
obtaining the analysis result of the message in the message analysis mode corresponding to the security level of the message;
and determining, based on the analysis result of the message, whether the message is an intrusion message.
6. The method of claim 5, wherein obtaining the analysis result of the message in the message analysis mode corresponding to the security level of the message comprises:
if the security level of the message is the highest level in the preset level set, obtaining the analysis result of the message using a single-message analysis mode;
and if the security level of the message is the lowest level in the preset level set, obtaining the analysis result of the message using a multi-message analysis mode.
7. An intrusion detection device, comprising:
The receiving module is used for receiving the message;
the analysis module is used for carrying out security level analysis on the message to obtain the security level of the message;
The detection module is used for carrying out intrusion detection on the message if the security level of the message is contained in a preset level set;
and the processing module is used for processing the message based on the intrusion detection result.
8. The apparatus of claim 7, wherein the analysis module is specifically configured to:
acquire dimension values of the message in different dimensions; query, from a pre-established security value table for each dimension, the security value corresponding to the dimension value of the message in that dimension; carry out a weighted summation of the security values corresponding to the dimension values of the message in the different dimensions; and determine the security level of the message based on the weighted summation result; or
based on a pre-established correspondence between Internet Protocol (IP) addresses and security levels, determine the security level corresponding to the IP address of the message, and take the security level corresponding to the IP address of the message as the security level of the message.
9. The apparatus of claim 7, further comprising an update module configured to:
after intrusion detection is carried out on the message, update the security values corresponding to the dimension values of the message in the different dimensions according to the intrusion detection result.
10. The apparatus of claim 7, wherein the processing module is further configured to:
if the security level of the message is higher than the highest level in the preset level set, not carry out intrusion detection on the message and forward the message;
if the security level of the message is lower than the lowest level in the preset level set, not carry out intrusion detection on the message and discard the message.
11. The apparatus according to any one of claims 7-10, wherein the detection module is specifically configured to:
obtain the analysis result of the message in the message analysis mode corresponding to the security level of the message;
and determine, based on the analysis result of the message, whether the message is an intrusion message.
12. The apparatus of claim 11, wherein the detection module is specifically configured to:
if the security level of the message is the highest level in the preset level set, obtain the analysis result of the message using a single-message analysis mode;
and if the security level of the message is the lowest level in the preset level set, obtain the analysis result of the message using a multi-message analysis mode.
13. An electronic device, comprising: at least one processor, and a memory communicatively coupled to the at least one processor, wherein:
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
14. A storage medium, characterized in that a computer program in the storage medium, when executed by a processor of an electronic device, is capable of performing the method of any of claims 1-6.
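The level-gated detection flow described in the embodiments above (forward above the preset level set, discard below it, single-message analysis at the highest level in the set and multi-message analysis at the lowest) and the weighted-sum security level analysis, security value feedback and direct IP-to-level mapping of claims 1 to 6 can be exercised together in one small model. The following Python is an added illustration, not the applicant's implementation. The three dimensions (source IP, destination port, protocol), their security value tables, the weights, the level thresholds, the preset level set {2, 3}, the signature match and per-source message-rate check used as the two analysis modes, the choice to discard a detected intrusion and forward everything else, and the +1/-10 adjustment of security values after detection are all assumptions constructed for the example.

```python
"""Security-level gated intrusion detection, modelled on CN118101225A.

Constructed example; every table, weight, threshold and analysis rule below
is an assumption for illustration, not data from the patent.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Message:
    src_ip: str
    dst_port: int
    proto: str
    payload: bytes
    ts: float  # arrival time in seconds


# Assumed per-dimension security value tables (0 = least trusted, 100 = most).
SECURITY_TABLES = {
    "src_ip": {"10.0.0.5": 90, "10.0.0.9": 40, "198.51.100.7": 5},
    "dst_port": {22: 30, 80: 60, 443: 80},
    "proto": {"tcp": 70, "udp": 40, "icmp": 20},
}
WEIGHTS = {"src_ip": 0.5, "dst_port": 0.3, "proto": 0.2}
DEFAULT_SECURITY_VALUE = 50          # assumed value for an unseen dimension value

# Assumed direct IP -> security level correspondence (claim 2, second branch).
IP_LEVEL_MAP = {"192.0.2.1": 4}

# Assumed mapping of the weighted sum to a level; level 1 is the least secure.
LEVEL_THRESHOLDS = [(75, 4), (50, 3), (25, 2), (0, 1)]
PRESET_LEVELS = {2, 3}               # only these levels are run through detection

# Assumed analysis rules: payload signatures (single-message mode) and a
# per-source message-rate check over a sliding window (multi-message mode).
SIGNATURES = [re.compile(rb"(?i)union\s+select"), re.compile(rb"\.\./\.\./")]
FLOW_WINDOW = 10.0                   # seconds
FLOW_THRESHOLD = 10                  # messages per source allowed in the window


class Detector:
    def __init__(self):
        # Copy the tables so feedback updates do not mutate module constants.
        self.tables = {d: dict(t) for d, t in SECURITY_TABLES.items()}
        self.flows = defaultdict(deque)  # src_ip -> recent arrival timestamps

    @staticmethod
    def dimension_values(m: Message) -> dict:
        return {"src_ip": m.src_ip, "dst_port": m.dst_port, "proto": m.proto}

    def security_level(self, m: Message) -> int:
        """Claim 2: direct IP mapping if present, else weighted sum of the
        per-dimension security values mapped to a level by thresholds."""
        if m.src_ip in IP_LEVEL_MAP:
            return IP_LEVEL_MAP[m.src_ip]
        score = sum(
            WEIGHTS[d] * self.tables[d].get(v, DEFAULT_SECURITY_VALUE)
            for d, v in self.dimension_values(m).items()
        )
        for threshold, level in LEVEL_THRESHOLDS:
            if score >= threshold:
                return level
        return 1

    def single_message_analysis(self, m: Message) -> bool:
        """Highest level in the set: inspect this message alone."""
        return any(sig.search(m.payload) for sig in SIGNATURES)

    def multi_message_analysis(self, m: Message) -> bool:
        """Lowest level in the set: correlate with earlier messages from the
        same source (rate in a sliding window) on top of the per-message check."""
        q = self.flows[m.src_ip]
        q.append(m.ts)
        while q and m.ts - q[0] > FLOW_WINDOW:
            q.popleft()
        return len(q) > FLOW_THRESHOLD or self.single_message_analysis(m)

    def update_security_values(self, m: Message, is_intrusion: bool) -> None:
        """Claim 3 feedback; the -10 / +1 step sizes are assumptions."""
        delta = -10 if is_intrusion else 1
        for d, v in self.dimension_values(m).items():
            current = self.tables[d].get(v, DEFAULT_SECURITY_VALUE)
            self.tables[d][v] = max(0, min(100, current + delta))

    def handle(self, m: Message):
        """Returns (action, level, intrusion_result); intrusion_result is None
        when the level fell outside the preset set and no detection ran."""
        level = self.security_level(m)
        if level > max(PRESET_LEVELS):      # claim 4: trusted, skip detection
            return ("forward", level, None)
        if level < min(PRESET_LEVELS):      # claim 4: untrusted, discard outright
            return ("drop", level, None)
        if level == max(PRESET_LEVELS):     # claim 6: single-message mode
            intrusion = self.single_message_analysis(m)
        else:                               # claim 6: multi-message mode
            intrusion = self.multi_message_analysis(m)
        self.update_security_values(m, intrusion)
        return ("drop" if intrusion else "forward", level, intrusion)


if __name__ == "__main__":
    d = Detector()
    for msg in [
        Message("10.0.0.5", 443, "tcp", b"GET / HTTP/1.1", 0.0),
        Message("198.51.100.7", 22, "icmp", b"", 0.1),
        Message("10.0.0.9", 80, "tcp", b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1", 0.2),
    ]:
        print(msg.src_ip, d.handle(msg))
```

Running the block prints one decision per constructed message: the trusted source is forwarded without detection (level 4), the untrusted one is dropped without detection (level 1), and the level-3 message is caught by the single-message signature check. With fresh tables, a burst of benign messages from the level-2 source is forwarded until the per-source window count exceeds the threshold, at which point the multi-message mode flags it; note that the +1 feedback slowly raises that source's level, so a long-enough benign history moves it into single-message mode.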
CN202211460333.3A 2022-11-17 2022-11-17 Intrusion detection method, intrusion detection device, electronic equipment and storage medium Pending CN118101225A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211460333.3A CN118101225A (en) 2022-11-17 2022-11-17 Intrusion detection method, intrusion detection device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN118101225A true CN118101225A (en) 2024-05-28

Family

ID=91163656
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination