WO2021254397A1 - Network security detection method and system, and device and controller - Google Patents


Info

Publication number: WO2021254397A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2021/100383
Other languages: English (en), Chinese (zh)
Prior art keywords: detection, drainage (traffic diversion), data, detection device, strategy
Inventor: 张镇伟
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

All classifications fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/1408 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/00 and H04L 63/14)
    • H04L 43/12 Network monitoring probes (under H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 63/0263 Rule management (under H04L 63/02 Separating internal from external traffic, e.g. firewalls, and H04L 63/0227 Filtering policies)
    • H04L 63/20 Managing network security; network security policies in general (under H04L 63/00)
    • H04L 41/0894 Policy-based network configuration management (under H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, and H04L 41/08 Configuration management of networks or network elements)
    • H04L 63/0272 Virtual private networks (under H04L 63/02 Separating internal from external traffic, e.g. firewalls)

Definitions

  • This application relates to the field of communication technology, and in particular to a network security detection method, system, device, and controller.
  • In existing deployments, the first approach is to deploy a firewall device with security functions in the egress area: security detection is performed by diverting traffic from the core switch to the firewall, and the inspected traffic is then injected back from the firewall to the core switch.
  • The second approach is to deploy switch equipment with network security functions across the entire network in order to protect the whole network.
  • The first approach is limited by the processing performance of the firewall, and the second by the processing performance of the switch. When the traffic volume is large, only part of the traffic is forwarded to the firewall or switch for detection, so undetected traffic spreads through the network and threatens network security.
  • This application provides a network security detection method, system, device, and controller that automatically allocate the security resources of the entire network, so as to avoid missed traffic detection caused by service degradation of network devices.
  • In a first aspect, this application provides a network security detection method, including: a controller receives the security detection performance of multiple detection devices in the network and, according to that security detection performance, sends a first diversion policy to a device to be processed among the access devices; the first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • An enterprise network architecture generally includes an egress firewall, a core layer, an aggregation (convergence) layer, and an access layer. Threat defense points are set at each of these so that the entire network has a security defense function.
  • Network element devices with security detection capability at the egress firewall, core layer, aggregation layer, and access layer serve as detection devices; network element devices at those layers without security detection capability serve as access devices. All detection devices and access devices are communicatively connected to the controller, and the controller receives the security detection performance of the multiple detection devices in the network.
  • The security detection performance characterizes the ability of a detection device to perform security detection on data, including the amount of data it can process and the types of data it can process.
  • The controller issues the first diversion policy to the device to be processed among the access devices according to the security detection performance of the detection devices, so that the device to be processed establishes a diversion tunnel with at least one detection device. The data output by the device to be processed is then sent through the diversion tunnel to that detection device for security detection.
  • Optionally, the first diversion policy further includes a correspondence between a data type and a detection device capable of detecting that data type, and the policy also instructs the device to be processed to send traffic of that data type to the corresponding detection device via the diversion tunnel.
  • To do so, the controller first obtains the types of data on the device to be processed, then finds the detection devices capable of detecting each data type, and finally generates the first diversion policy, which instructs the device to be processed to send the traffic of each data type via the diversion tunnel to a detection device capable of detecting it. In this way the traffic of the device to be processed can be diverted and detected according to data type, and the detection performance of the different detection devices in the network can be fully used to cover more data types.
  • Optionally, the method further includes determining the at least one detection device according to the amount of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient to detect the data passing through the device to be processed.
  • Because the controller selects the detection devices that establish diversion tunnels with the device to be processed based on the data volume and the capabilities of the multiple detection devices, traffic can be diverted and detected according to data volume, and the detection performance of the different detection devices in the network can be fully used to meet the detection requirements of higher data volumes.
  • Optionally, the method further includes: when the amount of data passing through the device to be processed increases so that the sum of the security detection capabilities of the at least one detection device can no longer cover it, the controller sends a second diversion policy to one or more of the at least one detection device; the second diversion policy instructs those detection devices to establish diversion tunnels with detection devices other than the at least one detection device.
  • The traffic output by the device to be processed is a variable quantity. The controller therefore sends the second diversion policy to the detection devices that have already established a diversion tunnel with the device to be processed, and/or to the remaining detection devices that have not, so that the traffic is sent to more detection devices for security detection. The method thus adapts to dynamic changes in traffic, the scheduled detection devices can always meet the traffic detection requirements of the device to be processed, and detection efficiency is improved.
  • In a second aspect, this application provides a network security detection method, including: an access device sends a data type and/or data amount to a controller; receives a first diversion policy from the controller, the first diversion policy being related to the data type and/or data amount; establishes a diversion tunnel with at least one detection device according to the first diversion policy; and sends data to the detection device through the diversion tunnel.
  • As in the first aspect, the enterprise network architecture generally includes an egress firewall, a core layer, an aggregation layer, and an access layer, with threat defense points at each so that the entire network has a security defense function. Network element devices at these layers with security detection capability serve as detection devices, and those without it serve as access devices.
  • All detection devices and access devices are communicatively connected to the controller. The access device sends the data type and/or data amount to the controller and, according to the first diversion policy sent back by the controller, the device to be processed among the access devices establishes a diversion tunnel with at least one detection device. The data output by the device to be processed is sent through the diversion tunnel to the at least one detection device for security detection.
  • In a third aspect, this application provides a network security detection method, including: when the detection capability of a detection device does not meet the detection requirement of the data arriving over a first diversion tunnel, the detection device receives a diversion policy sent by the controller; according to that diversion policy, the detection device establishes a second diversion tunnel with another detection device and sends the data exceeding its detection capability to the other detection device over the second diversion tunnel.
  • The network architecture and the roles of detection devices and access devices are as described for the first aspect, and all detection devices and access devices are communicatively connected to the controller. When the detection capability of a detection device does not meet the detection requirement of the data from the first diversion tunnel, the detection device receives the diversion policy from the controller and establishes a second diversion tunnel with another detection device, so that the traffic exceeding its performance is forwarded over the second diversion tunnel to the other detection device for detection. The method thus adapts to dynamic changes in traffic, the scheduled detection devices can always meet the traffic detection requirements of the device to be processed, and detection efficiency is improved.
  • In a further aspect, this application provides a controller, including:
  • a receiving module, used to receive the security detection performance of multiple detection devices in the network;
  • a processing module, configured to issue a first diversion policy to the device to be processed among the access devices according to the security detection performance of the detection devices, the first diversion policy instructing the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • Optionally, the first diversion policy further includes a correspondence between a data type and a detection device capable of detecting that data type, and also instructs the device to be processed to send traffic of that data type to the corresponding detection device via the diversion tunnel.
  • Optionally, the processing module is further used to determine the at least one detection device according to the amount of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient to detect the data passing through the device to be processed.
  • Optionally, the processing module is further used to issue a second diversion policy, which instructs one or more of the detection devices to establish a diversion tunnel with detection devices other than the at least one detection device.
  • In a further aspect, this application provides an access device, including:
  • a sending module, used to send the data type and/or data amount to the controller;
  • a receiving module, configured to receive a first diversion policy from the controller, the first diversion policy being related to the data type and/or data amount;
  • a processing module, configured to establish a diversion tunnel with at least one detection device according to the first diversion policy;
  • the sending module being further configured to send data to the detection device through the diversion tunnel.
  • In a further aspect, this application provides a detection device, including:
  • a receiving module, used to receive the diversion policy sent by the controller when the detection capability of the detection device does not meet the detection requirement of the data from the first diversion tunnel;
  • a processing module, configured to establish a second diversion tunnel with another detection device according to the diversion policy, and to send the data exceeding the detection capability of the detection device to that other detection device over the second diversion tunnel.
  • In a further aspect, this application provides a network security detection system including a controller, an access device, and a detection device, wherein the controller is configured to execute the method of the first aspect, the access device is configured to execute the method of the second aspect, and the detection device is configured to execute the method of the third aspect.
  • In a further aspect, this application provides a readable storage medium on which a computer program is stored; when the computer program is executed, the method of the first aspect is implemented.
  • In a further aspect, this application provides a program product including a computer program stored in a readable storage medium; at least one processor of a communication device can read the computer program from the readable storage medium, and executing it on the at least one processor enables the device to implement any of the methods of the first aspect.
  • In summary, in the network security detection method, system, device, and controller provided by this application, the controller receives the security detection performance of multiple detection devices in the network and, according to that performance, sends a first diversion policy to the device to be processed among the access devices, instructing it to establish a diversion tunnel with at least one of the detection devices.
  • By diverting the traffic of the access device to the detection devices through a diversion policy, the controller automatically allocates the security resources of the entire network and avoids missed traffic detection caused by service degradation of network devices.
  • FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application.
  • FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application.
  • FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application.
  • FIG. 4 is a first schematic diagram of signaling interaction of a network security detection method provided by an embodiment of this application.
  • FIG. 5 is a second schematic diagram of signaling interaction of a network security detection method provided by an embodiment of this application.
  • FIG. 6 is a first schematic structural diagram of a controller provided by an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of this application.
  • FIG. 10 is a second schematic structural diagram of a controller provided by an embodiment of this application.
  • FIG. 1 is a schematic diagram of a network security defense architecture provided by an embodiment of this application. As shown in FIG. 1, the architecture includes an egress firewall, a core layer, an aggregation layer, and an access layer, and threat defense points are set at each of them so that the entire network has a security defense function. Network element devices with security detection capability at these layers serve as detection devices, and network element devices without it serve as access devices.
  • All detection devices and access devices are communicatively connected to the controller, and the controller receives the security detection performance of the multiple detection devices in the network. The security detection performance characterizes the ability of a detection device to perform security detection on data, including the amount of data and the types of data it can process.
  • The controller issues the first diversion policy to the device to be processed among the access devices according to the security detection performance of the detection devices, so that the device to be processed establishes a diversion tunnel with at least one detection device, and the data output by the device to be processed is sent through the diversion tunnel to that detection device for security detection.
  • FIG. 2 is a first schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 2, the method in this embodiment may include the following steps.
  • S101: The controller receives the security detection performance of multiple detection devices in the network.
  • The network security detection method in this embodiment is applicable to a local area network scenario such as a campus (industrial park) network or an enterprise network. The enterprise network includes multiple network element devices, which may be switches, firewalls, and so on. A network element device with its own security detection capability is called a detection device; a network element device that has no security detection capability, or only limited capability, and has to rely on other detection devices for security detection is called an access device. All access devices and detection devices in the network are communicatively connected to the controller, and the controller receives the security detection performance of the multiple detection devices in the network.
  • Table 1 shows the security detection performance of the detection devices named xxx and yyy, and Table 2 shows the security detection performance for different data types.
  • The security detection performance of the different detection devices in the network differs. Therefore, after the network is built, the controller needs to obtain the security detection performance of each detection device in the network to facilitate the subsequent deployment of the detection devices.
  • S102: According to the security detection performance of the multiple detection devices, the controller issues a first diversion policy to the device to be processed among the access devices. The first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices.
  • The controller issues the first diversion policy to the device to be processed according to the security detection performance of the detection devices, so that the device to be processed establishes a diversion tunnel with at least one detection device, and the data output by the device to be processed is sent through the diversion tunnel to that detection device for security detection.
  • Optionally, the first diversion policy issued to the device to be processed may include a correspondence between a data type and a detection device capable of detecting that data type, so that the device to be processed diverts data of each type to a detection device capable of detecting it.
  • Optionally, if the data output by the device to be processed is of a single general type, that is, any detection device can detect it, the controller can determine the at least one detection device from the amount of data passing through the device to be processed and the security detection capabilities of the multiple detection devices, such that the sum of the security detection capabilities of the at least one detection device is sufficient to detect that data.
  • Optionally, when the amount of data passing through the device to be processed increases so that the sum of the security detection capabilities of the at least one detection device can no longer cover it, the controller sends a second diversion policy to one or more of the at least one detection device; the second diversion policy instructs those detection devices to establish diversion tunnels with detection devices other than the at least one detection device.
  • The traffic output by the device to be processed is a variable quantity. The controller therefore sends the second diversion policy to the detection devices that have established a diversion tunnel with the device to be processed, and/or to the remaining detection devices that have not, so that the traffic is sent to more detection devices for security detection. The method thus adapts to dynamic changes in traffic, the scheduled detection devices can always meet the traffic detection requirements of the device to be processed, and detection efficiency is improved.
  • FIG. 3 is a second schematic flowchart of a network security detection method provided by an embodiment of this application. As shown in FIG. 3, the method in this embodiment may include the following steps.
  • S201: The controller receives the security detection performance of multiple detection devices in the network.
  • As in the embodiment of FIG. 2, the method applies to a local area network scenario such as a campus (industrial park) network or an enterprise network, whose network element devices (switches, firewalls, and so on) are divided into detection devices, which have their own security detection capability, and access devices, which have no or only limited security detection capability and rely on other detection devices. All access devices and detection devices in the network are communicatively connected to the controller, which receives the security detection performance of the multiple detection devices.
  • S202: The access device sends the data type and/or data amount to the controller, so that the controller can formulate the first diversion policy according to the data type and/or data amount.
  • S203: The controller issues a first diversion policy to the device to be processed among the access devices according to the security detection performance of the multiple detection devices. The first diversion policy instructs the device to be processed to establish a diversion tunnel with at least one of the multiple detection devices, and the data output by the device to be processed is sent through that tunnel to the detection device for security detection.
  • S204: The access device receives the first diversion policy from the controller. Optionally, the first diversion policy includes a correspondence between a data type and a detection device capable of detecting that data type, and also instructs the device to be processed to send traffic of that data type to the corresponding detection device via the diversion tunnel.
  • S205: The access device establishes a diversion tunnel with at least one detection device according to the first diversion policy. The amount of data passing through the device to be processed matches the security detection performance of the detection devices with which it establishes tunnels; that is, the sum of the security detection capabilities of those detection devices is sufficient to detect the data passing through the device to be processed.
  • S206: The device to be processed sends the corresponding data to the detection device through the diversion tunnel for security detection.
  • This makes full use of the controller's deployment function: through a diversion policy, the controller diverts the traffic of the access device to the detection devices for detection according to data type and/or data volume, realizing automatic deployment of the security resources of the entire network and avoiding missed traffic detection caused by service degradation of network devices.
  • Optionally, the method in this embodiment may further include: when the detection capability of a detection device does not meet the detection requirement of the data from the first diversion tunnel, the detection device receives a diversion policy sent by the controller and, according to it, establishes a second diversion tunnel with another detection device, sending the data exceeding its detection capability to the other detection device over the second diversion tunnel.
  • The number of diversion tunnels established is not limited in this embodiment: any detection device can forward its excess data to other detection devices over a second diversion tunnel for security detection. The method thus adapts to dynamic changes in traffic, so that the scheduled detection devices can always meet the traffic detection requirements of the device to be processed (one or more of the access devices), and detection efficiency is improved.
  • FIG. 4 is a schematic diagram 1 of signaling interaction of a network security detection method provided by an embodiment of this application. As shown in FIG. 4, the method in this embodiment may include:
  • the detection device reports the safety detection performance to the controller.
  • the controller generates a first-level drainage strategy according to the safety detection performance of the detection equipment in the network.
  • the controller issues a first-level diversion strategy to the access device.
  • the access device establishes a drainage tunnel with at least one detection device according to the first-level drainage strategy.
  • the access device sends the traffic to the detection device through the drainage tunnel.
  • the detection device performs safety detection on the flow.
  • the detection device feeds back the detection result to the access device.
  • the access device performs traffic blocking according to the detection result.
  • the controller issues a secondary drainage strategy to the detection device.
  • the detection device establishes a drainage tunnel with other detection devices according to the secondary drainage strategy.
  • the detection device sends the traffic exceeding its detection capability to other detection devices.
  • the other detection device forwards the detection result to the access device through the detection device.
  • the access device performs traffic blocking according to the detection result.
  • the controller generates a first-level diversion strategy according to the safety detection performance of the detection device in the network, and then the access device establishes a diversion tunnel with the detection device according to the first-level diversion strategy.
  • The controller issues a secondary drainage strategy to the detection device so that the detection device sends the traffic beyond its detection capability to other detection devices, which assist with the traffic detection.
  • the detection device feeds back the traffic detection result to the access device.
  • the access device blocks the corresponding traffic, thereby maintaining the security of the entire network.
  • the number of drainage tunnels is not limited.
  • any detection device can transmit the excess data to other detection devices through the second drainage tunnel for safety detection. Therefore, it can adapt to the dynamic change of the traffic, so that the scheduled detection device can always meet the traffic detection requirements of the device to be processed (one or more of the access devices), and the detection efficiency is improved.
  • Figure 5 is a second schematic diagram of signaling interaction of a network security detection method provided by an embodiment of this application. As shown in Figure 5, the method in this embodiment may include:
  • the detection device reports the safety detection performance to the controller.
  • the controller generates a first-level drainage strategy according to the safety detection performance of the detection equipment in the network.
  • the controller issues a first-level diversion strategy to the access device.
  • the access device establishes a drainage tunnel with at least one detection device according to the first-level drainage strategy.
  • the access device sends the traffic to the detection device through the drainage tunnel.
  • the detection device performs safety detection on the flow.
  • the detection device feeds back the detection result to the access device.
  • the access device performs traffic blocking according to the detection result.
  • the controller issues a secondary drainage strategy to the access device.
  • the access device establishes a drainage tunnel with other detection devices according to the secondary drainage strategy.
  • the access device sends the traffic exceeding the detection capability of the detection device to other detection devices.
  • the other detection equipment sends the detection result to the access device.
  • the access device performs traffic blocking according to the detection result.
  • the controller generates a first-level diversion strategy according to the safety detection performance of the detection device in the network, and then the access device establishes a diversion tunnel with the detection device according to the first-level diversion strategy.
  • The controller issues a secondary drainage strategy to the access device so that the access device sends the traffic exceeding the detection capability of the detection device to other detection devices, which assist with the traffic detection.
  • the detection device feeds back the traffic detection result to the access device.
  • the access device blocks the corresponding traffic, thereby maintaining the security of the entire network.
  • the number of established drainage tunnels is not limited in this embodiment.
  • the access device can transmit the excess data to other detection devices through the second drainage tunnel for safety detection. Therefore, it can adapt to the dynamic change of the traffic, so that the scheduled detection device can always meet the traffic detection requirements of the device to be processed (one or more of the access devices), and the detection efficiency is improved.
  • FIG. 6 is a first structural diagram of a controller provided by an embodiment of the application. As shown in FIG. 6, the controller may include:
  • the receiving module 61 is used to receive the security detection performance of multiple detection devices in the network;
  • the processing module 62 is configured to issue a first drainage strategy to the device to be processed among the access devices according to the security detection performance of the multiple detection devices; the first drainage strategy is used to instruct the device to be processed to establish a drainage tunnel with at least one of the multiple detection devices.
  • the first diversion strategy further includes the correspondence between a data type and the detection device capable of detecting that data type; the first diversion strategy is also used to instruct the device to be processed to send traffic belonging to a data type to the detection device capable of detecting that data type.
  • the processing module 62 is further configured to determine at least one detection device according to the amount of data passing through the device to be processed and the safety detection capabilities of the multiple detection devices, where the sum of the safety detection capabilities of the at least one detection device meets the detection requirement for the data passing through the device to be processed.
  • the processing module 62 is further configured to send a second diversion strategy to one or more of the at least one detection device when the amount of data passing through the device to be processed increases such that the sum of the safety detection capabilities of the at least one detection device can no longer cover the detection of that data; the second diversion strategy is used to instruct the one or more detection devices to establish a diversion tunnel with at least one detection device other than the at least one detection device.
  • the controller in this embodiment can execute the methods shown in Figs. 2 to 5, and for the specific implementation process and implementation principles, refer to the content of the method descriptions shown in Figs. 2 to 5, which will not be repeated here.
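As an added illustration (not code from the patent or from Huawei), the following Python models the controller logic just described: detectors report a capacity and the data types they can inspect, the first-level strategy picks detectors whose summed capability covers an access device's traffic per data type, and when the traffic grows the second-level strategy tells the detector already handling a type to forward what it can no longer absorb to another detector. Device names, capacities in Mbit/s and data types are constructed, and the greedy largest-headroom assignment is an assumption, since the page does not specify a selection algorithm.

```python
from dataclasses import dataclass


@dataclass
class Detector:
    """A detection device as the controller sees it (constructed model)."""
    name: str
    capacity: int        # reported security detection performance, Mbit/s
    types: frozenset     # data types this device can inspect
    assigned: int = 0    # traffic already steered to it by earlier strategies

    def headroom(self) -> int:
        return self.capacity - self.assigned


def allocate(demand: dict, detectors: list, exclude=frozenset()) -> list:
    """Core of both strategy levels: spread per-type demand (Mbit/s) over detectors
    able to inspect that type, largest headroom first, splitting across devices when
    needed. Returns [(detector, type, mbps), ...]; raises if capability runs out."""
    tunnels = []
    for dtype, mbps in demand.items():
        able = [d for d in detectors if dtype in d.types and d.name not in exclude]
        for det in sorted(able, key=Detector.headroom, reverse=True):
            share = min(mbps, det.headroom())
            if share <= 0:
                break            # sorted descending, so nothing is left anywhere
            det.assigned += share
            tunnels.append((det.name, dtype, share))
            mbps -= share
        if mbps > 0:
            raise RuntimeError(f"{mbps} Mbit/s of {dtype!r} exceeds detection capability")
    return tunnels


class Controller:
    def __init__(self, detectors):
        self.detectors = {d.name: d for d in detectors}
        self.first_level = {}   # access device -> tunnels it was told to build
        self.covered = {}       # access device -> {data type: mbps being detected}

    def first_level_strategy(self, access: str, demand: dict) -> list:
        """Strategy issued to an access device: which detector takes which data
        type, so that the chosen detectors' summed capability covers its traffic."""
        tunnels = allocate(demand, list(self.detectors.values()))
        self.first_level[access] = tunnels
        self.covered[access] = dict(demand)
        return tunnels

    def second_level_strategy(self, access: str, new_demand: dict) -> dict:
        """Traffic has grown. Excess that the detector already handling a data type
        cannot absorb becomes a second-level strategy issued to that detector: tunnel
        to another detector and forward the excess there (the FIG. 4 variant).
        Returns {detector: [(other detector, type, mbps), ...]}."""
        plan = {}
        covered = self.covered.setdefault(access, {})
        tunnels = self.first_level.setdefault(access, [])
        for dtype, mbps in new_demand.items():
            excess = mbps - covered.get(dtype, 0)
            if excess <= 0:
                continue
            primaries = [n for n, t, _ in tunnels if t == dtype]
            if not primaries:    # a type the first-level strategy never covered
                tunnels.extend(allocate({dtype: excess}, list(self.detectors.values())))
            else:
                primary = self.detectors[primaries[0]]
                absorbed = min(excess, primary.headroom())
                primary.assigned += absorbed
                if excess > absorbed:
                    plan.setdefault(primary.name, []).extend(allocate(
                        {dtype: excess - absorbed}, list(self.detectors.values()),
                        exclude={primary.name}))
            covered[dtype] = mbps
        return plan
```

The RuntimeError is the failure mode the text guards against: no combination of the network's detectors can cover the traffic, so an operator alert rather than silent undetected traffic is the right outcome. In the FIG. 5 variant the same allocation result would be issued to the access device instead of to the overloaded detector.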
  • FIG. 7 is a schematic structural diagram of an access device provided by an embodiment of the application. As shown in FIG. 7, the access device may include:
  • the sending module 71 is used to send the data type and/or data amount to the controller;
  • the receiving module 72 is configured to receive the first drainage strategy from the controller; where the first drainage strategy is related to the data type and/or the data volume;
  • the processing module 73 is configured to establish a drainage tunnel with at least one detection device according to the first drainage strategy;
  • the sending module 71 is used to send data to the detection device through the drainage tunnel.
  • The access device in this embodiment can execute the methods shown in Figs. 2 to 5, and for the specific implementation process and implementation principles, refer to the descriptions of the methods shown in Figs. 2 to 5, which will not be repeated here.
  • FIG. 8 is a schematic structural diagram of a detection device provided by an embodiment of the application. As shown in FIG. 8, the detection device may include:
  • the receiving module 81 is configured to receive the drainage strategy sent by the controller when the detection capability of the detection device does not meet the detection requirement for the data from the first drainage tunnel;
  • the processing module 82 is configured to establish a second drainage tunnel with another detection device according to the drainage strategy, and send data beyond the detection capability of the detection device to another detection device through the second drainage tunnel.
  • The detection device in this embodiment can execute the methods shown in FIGS. 2 to 5, and for the specific implementation process and implementation principles, refer to the descriptions of the methods shown in FIGS. 3 to 5, which will not be repeated here.
  • FIG. 9 is a schematic structural diagram of a switch device provided by an embodiment of the application.
  • the switch device in this embodiment may include: a network interface 91, a processor 92, a memory 93, and a network forwarding chip 94.
  • When the switch device has data security detection performance, it can be used as a detection device. When the switch device does not have data security detection performance, or its own data security detection performance cannot meet its own data detection requirement, the switch device can be used as an access device. It should be noted that this embodiment does not limit the specific internal architecture of the switch device; some switch devices may not be provided with a network forwarding chip, and the processor then performs data forwarding directly.
  • Fig. 10 is a second structural schematic diagram of a controller provided by an embodiment of the application.
  • the controller in this embodiment may include: a processor 1001, a memory 1002, an input device 1003, and an output device 1004.
  • The processor 1001 communicates with the memory 1002, the input device 1003, and the output device 1004 through a bus 1005.
  • the controller can also be deployed in the form of a physical server or a virtual machine, and this embodiment does not limit the architecture of the controller.
  • An embodiment of the present application also provides a network security detection system, which includes a controller, an access device, and a detection device, wherein the controller is used to execute the method shown in FIG. 2; the access device is used to execute the method shown in FIG.; and the detection device is used to execute the method shown in FIG. 3.
  • An embodiment of the present application provides a computer-readable storage medium that stores instructions; when the instructions run on a computer, the computer executes the method performed by the terminal device in the foregoing embodiments of the present application.
  • An embodiment of the present application provides a computer-readable storage medium that stores instructions; when the instructions run on a computer, the computer executes the method performed by the network device in the foregoing embodiments of the present application.
  • the disclosed device and method can be implemented in other ways.
  • The device embodiments described above are merely illustrative. For example, the division of units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional units.
  • The division of modules in the embodiments of the present application is illustrative and is only a logical function division; there may be other division methods in actual implementation.
  • the functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
  • If the integrated module is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • The computer software product is stored in a storage medium and includes several instructions that enable a computer device (which can be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods in the embodiments of the present application.
  • The aforementioned storage media include: a USB flash drive (U disk), a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
  • The foregoing embodiments can be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented in software, they can be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions.
  • When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are generated in whole or in part.
  • The computer can be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device.
  • Computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another.
  • For example, computer instructions can be transmitted from one website, computer, server, or data center to another by wire (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, an optical disc), or a semiconductor medium (for example, a solid state drive (SSD)), and the like.


Abstract

The invention relates to a network security detection method and system, and a device and a controller, intended to improve network security and belonging to the technical field of communications. The method comprises the following steps: a controller receives the security detection performance of a plurality of detection devices in a network; and, according to the security detection performance of the plurality of detection devices, issues a first traffic steering policy to a device to be processed among the access devices, the first traffic steering policy being used to instruct the device to be processed to establish a traffic steering tunnel with at least one of the plurality of detection devices. According to the security detection performance of a detection device in a network, a controller steers, by means of a traffic steering policy, traffic from an access device to the detection device for detection, so that security resources across the whole network can be allocated automatically, which avoids missed traffic detection caused by the service degradation of a network device.
PCT/CN2021/100383 2020-06-17 2021-06-16 Network security detection method and system, and device and controller WO2021254397A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010553314.XA CN113810348B (zh) 2020-06-17 2020-06-17 Network security detection method, system, device and controller
CN202010553314.X 2020-06-17

Publications (1)

Publication Number Publication Date
WO2021254397A1 (fr) 2021-12-23

Family

ID=78892667

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/100383 WO2021254397A1 (fr) 2020-06-17 2021-06-16 Network security detection method and system, and device and controller

Country Status (2)

Country Link
CN (1) CN113810348B (fr)
WO (1) WO2021254397A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130283373A1 (en) * 2012-04-18 2013-10-24 Radware, Ltd. Techniques for separating the processing of clients' traffic to different zones
CN104601482A (zh) * 2013-10-30 2015-05-06 中兴通讯股份有限公司 Traffic cleaning method and device
CN105100026A (zh) * 2014-05-22 2015-11-25 杭州华三通信技术有限公司 Packet secure forwarding method and device
CN109831390A (zh) * 2019-01-21 2019-05-31 新华三云计算技术有限公司 Packet forwarding control method and device

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10389760B2 (en) * 2013-08-19 2019-08-20 Trend Micro Incorporated Adaptive network security policies
CN104753951A (zh) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Software-defined network security flow security platform
CN106911588B (zh) * 2015-12-22 2020-03-20 中国电信股份有限公司 Method, device and system for implementing deep packet inspection optimization
CN109922021B (zh) * 2017-12-12 2022-03-08 中国电信股份有限公司 Security protection system and security protection method
CN107979614A (zh) * 2017-12-30 2018-05-01 杭州华为数字技术有限公司 Data packet detection method and device
CN111221619B (zh) * 2018-11-27 2023-09-08 中国移动通信集团江西有限公司 Service provisioning and orchestration method, device and equipment
CN109981355A (zh) * 2019-03-11 2019-07-05 北京网御星云信息技术有限公司 Security defense method and system for cloud environments, and computer-readable storage medium
CN110113435B (zh) * 2019-05-27 2022-01-14 绿盟科技集团股份有限公司 Traffic cleaning method and device
CN110798459B (zh) * 2019-10-23 2022-08-02 国网江苏省电力有限公司信息通信分公司 Multi-security-node linked defense method based on security function virtualization
CN111131319A (zh) * 2019-12-30 2020-05-08 北京天融信网络安全技术有限公司 Security capability extension method and device, electronic device and storage medium


Also Published As

Publication number Publication date
CN113810348B (zh) 2023-04-07
CN113810348A (zh) 2021-12-17


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21825745; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21825745; Country of ref document: EP; Kind code of ref document: A1)