CN101227289A - Unified Threat Management Device and Threat Defense Module Loading Method - Google Patents
- Publication number
- CN101227289A (application number CNA2008100575304A)
- Authority
- CN
- China
- Prior art keywords
- module
- threat
- priority
- management device
- threat defense
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the present invention disclose a unified threat management device and a method for loading threat defense modules. The device includes: at least one threat defense module; and an adaptive loading module, configured to dynamically load the threat defense module according to processing performance information of the unified threat management device. The method includes: after the unified threat management device receives a packet, acquiring the processing performance information of the unified threat management device; and loading a threat defense module according to that processing performance information. As the above technical solution shows, the embodiments of the present invention load threat defense modules dynamically by adaptive adjustment, that is, according to the processing performance of the device, so as to reconcile the various security defense functions with the device's normal service processing capacity and to preserve the device's throughput as far as possible.
Description
Technical Field
The present invention relates to a network processing device and a method of applying it, and in particular to a unified threat management device and a method for loading threat defense modules.
Background Art
As network applications have developed, network security requirements have kept changing. Traditional firewalls mainly detect attacks at the level of individual packets, and their defense against application-layer threats is insufficient, so the Unified Threat Management (UTM) solution was proposed on top of existing firewalls. A unified threat management device integrates a firewall with a number of application-layer threat defense functions, including anti-virus (AV), intrusion prevention system (IPS), anti-spam (AS) and URL (Uniform Resource Locator) filtering. These functions need not all be used at the same time; a UTM device may provide only some of them.
The firewall module provides forwarding and single-packet inspection, as well as Network Address Translation (NAT), Virtual Private Network (VPN) and similar functions; the IPS module provides deep content inspection and filters packets that carry malicious content; the AS module inspects e-mail and filters most spam by means such as filtering on the sender's IP address, the mail subject and the mail body; the AV module scans packets for viruses by reassembling the packet stream into files, preprocessing them (decompression, unpacking, etc.) and scanning them; and the URL filtering module filters requested URLs against a predefined URL blacklist/whitelist or URL category.
FIG. 1 is a schematic diagram of a prior-art network in which a unified threat management device is applied. The unified threat management device is deployed at the egress of the enterprise network. As a gateway device it receives packets and, according to their characteristics, mainly their application-layer protocol, sends them to different functional modules for security inspection. For example, packets of mail protocols are sent to the AS module for further inspection, HTTP request packets are sent to the URL filtering module, and so on.
Existing unified threat management devices have the following defects:
1) When an existing unified threat management device runs only the firewall defense, the existing software can meet the firewall's performance requirements, because the firewall does no further analysis or filtering of packet contents. In most cases, however, the unified threat management device must perform security analysis and inspection on a large volume of packet content; anti-spam and anti-virus, for example, both need to scan the entire content of a packet to decide whether it is safe. The software in existing unified threat management devices cannot meet that processing-performance requirement, and hardware acceleration raises the cost of the device sharply.
2) Once the network traffic exceeds the processing capacity of the unified threat management device, packets are dropped at random, every service may be severely affected, and the operation of critical services cannot be guaranteed.
3) QoS (Quality of Service) technology provides specific services on an IP network with the service they require; it mainly guarantees throughput, delay, jitter and packet loss rate. In current practice it is used mostly to guarantee transmission quality for voice, video and other applications that are very sensitive to delay and packet loss. Once QoS is enabled, however, the overall performance of the unified threat management device drops further, and throughput cannot be increased.
Summary of the Invention
Embodiments of the present invention provide a unified threat management device and a method for loading threat defense modules, so that the various defense functions can be adjusted dynamically while the device's normal service processing is maintained and its throughput is preserved.
To achieve the above object, the present invention provides a unified threat management device, including:
at least one threat defense module, configured to perform security inspection on packets; and
an adaptive loading module, configured to dynamically load the threat defense module according to processing performance information of the unified threat management device.
The present invention also provides a method for loading a threat defense module, including:
after a packet is received, acquiring processing performance information of the unified threat management device; and
loading a threat defense module according to the processing performance information.
As the above technical solution shows, the embodiments of the present invention load threat defense modules dynamically by adaptive adjustment, that is, according to the processing performance of the device, so as to reconcile the various security defense functions with the device's normal service processing capacity and to preserve the device's throughput as far as possible.
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of a prior-art network in which a unified threat management device is applied;
FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 3 is another schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 4 is a further schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for loading threat defense modules according to an embodiment of the present invention.
Detailed Description
The unified threat management device in embodiments of the present invention is described below with reference to the accompanying drawings.
FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention. It includes:
at least one threat defense module 1, configured to perform security inspection on packets; and
an adaptive loading module 2, configured to dynamically load the threat defense module 1 according to processing performance information of the unified threat management device.
As shown in FIG. 3, in this embodiment the threat defense module 1 may be any number of a firewall module 11, a URL filtering module 12, a spam filtering module 13, a virus scanning module 14 and an intrusion detection module 15. The types and combination of threat defense modules can be loaded as actually required; this embodiment only shows one possible combination.
The processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information and network traffic information. The adaptive loading module dynamically loads each threat defense module according to this processing performance information, reconciling the security defense functions with the device's normal service processing capacity and preserving the device's throughput as far as possible.
Another embodiment of the unified threat management device is shown in FIG. 4. Compared with the previous embodiment, the difference is that the unified threat management device further includes:
a priority configuration module 3, configured to set the priorities of the threat defense modules and store the configured priority information;
and the adaptive loading module dynamically loads the threat defense modules according to the priority information in the priority configuration module and the processing performance information of the unified threat management device.
The loading principle of the adaptive loading module in this embodiment is explained further below, taking network traffic as the device performance criterion.
To adapt the security policy to different levels of network traffic, a balance between throughput and security is maintained by configuring network bandwidth thresholds and threat defense module priorities; both can be predefined by the user. When a firewall module is present, the firewall is assigned the highest priority and the user cannot change it; the priorities of the other threat defense modules can be defined by the user according to actual needs. For example, a user who runs a mail server can give the spam filtering module the highest priority and the URL filtering module a low one. The user can also set the network bandwidth thresholds at which the loading state of threat defense modules is adjusted, for example a low threshold of 100 Mbps and a high threshold of 200 Mbps. In practice several traffic thresholds can be configured, and each threat defense module is loaded dynamically according to the thresholds and the module priorities. For example, with thresholds of 100 Mbps, 150 Mbps and 200 Mbps: when traffic exceeds 150 Mbps, the lowest-priority threat defense module is turned off; when traffic exceeds 200 Mbps, the medium-priority threat defense module is turned off as well. When traffic falls back below 150 Mbps, the medium-priority module is restored while the lowest-priority module stays off; when traffic falls below 100 Mbps, the lowest-priority module is restored.
Similarly, this embodiment can use the CPU usage of the unified threat management device as the performance criterion, with the CPU usage thresholds and module priorities predefined by the user. For example, the CPU usage threshold may be set to 80%, and when usage exceeds 80% the lowest-priority URL filtering module is turned off. Several CPU usage thresholds can also be set, and each threat defense module loaded dynamically according to those thresholds and the module priorities. For example, with thresholds of 80%, 60% and 40%: when CPU usage exceeds 60%, the lowest-priority threat defense module is turned off; when it exceeds 80%, the medium-priority module is turned off as well. When CPU usage drops back below 60%, the medium-priority module is restored while the lowest-priority module stays off; when it drops below 40%, the lowest-priority module is restored.
In addition, the unified threat management device of the above two embodiments may further include:
a performance detection module, configured to measure the processing performance of the unified threat management device and send the measured processing performance information to the adaptive loading module. As required, the performance detection module may specifically include one or more of a CPU usage detection module, a memory usage detection module and a network traffic detection module.
As the above embodiments show, adaptive dynamic adjustment, that is, loading threat defense modules dynamically according to the device's processing performance, reconciles the security defense functions with the device's normal service processing capacity and preserves throughput as far as possible. The processing performance thresholds and the priority of each threat defense module can also be set flexibly for the actual deployment, which further eases the tension between security defense and normal service processing.
The method for loading threat defense modules according to an embodiment of the present invention is described next.
The method for loading threat defense modules in this embodiment includes:
after the unified threat management device receives a packet, acquiring the processing performance information of the unified threat management device; and
loading a threat defense module according to the processing performance information.
In addition, when there are several threat defense modules, priority information for them can be configured, and the modules are loaded according to their priority information and the processing performance information. The performance thresholds and module priorities can be predefined by the user. When the unified threat management device receives a packet, it can obtain the device performance information in real time, compare it with the preset thresholds, and then dynamically load each threat defense module according to the preset thresholds and the module priorities.
The threat defense modules may be one or any number of a firewall module, a URL filtering module, a spam filtering module, a virus scanning module and an intrusion detection module.
In practice the firewall module can be forced to the highest priority so that the user cannot change it.
The processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information and network traffic information.
Loading several threat defense modules according to their priority information and the device's processing performance information can specifically be done as follows:
several processing performance thresholds are set, one per level, with each level's threshold corresponding one-to-one to a priority level, and each threat defense module is loaded dynamically according to the preset thresholds and the module's priority.
An embodiment of the present invention also provides another method for loading threat defense modules.
FIG. 5 is a flowchart of the method for loading threat defense modules according to this embodiment. Here the device performance considered is network traffic and, to simplify the description, two traffic thresholds are set: a high threshold and a low threshold. The procedure is as follows:
Step 101: after a packet is received, read the current network traffic statistics.
Step 102: determine whether the current network traffic exceeds the configured high threshold (for example 200 Mbps). If so, turn off the lowest-priority threat defense module (for example the URL filtering module) according to the module priorities preset by the user (for example, URL filtering lowest). Otherwise, go to step 103.
Step 103: determine whether the current network traffic is below the configured low threshold (for example 100 Mbps). If so, and a threat defense module has been turned off, restore it (that is, re-enable the lowest-priority threat defense module). Otherwise, keep the current state: the lowest-priority module remains off, and a module that is off does not inspect the packet.
In practice several traffic thresholds can be set. Threat defense modules can be given lowest, medium and high priority, with each threshold corresponding to a priority level. For example, the traffic thresholds can be set to 100 Mbps (corresponding to the low-priority module), 150 Mbps (corresponding to the medium-priority module) and 200 Mbps (corresponding to the high-priority module): when traffic exceeds 150 Mbps the lowest-priority module is turned off; when traffic exceeds 200 Mbps the medium-priority module is turned off as well. When traffic drops back below 150 Mbps the medium-priority module's inspection is restored; when it drops below 100 Mbps the lowest-priority module is restored.
Alternatively, an embodiment of the present invention may use the following mode:
when traffic exceeds 100 Mbps, turn off the lowest-priority threat defense module; when traffic is below 100 Mbps, turn it on;
when traffic exceeds 150 Mbps, turn off the medium-priority threat defense module in addition to the lowest-priority one; when traffic is below 150 Mbps, turn the medium-priority module on while keeping the lowest-priority module off;
when traffic exceeds 200 Mbps, turn off the high-priority threat defense module in addition to the lowest- and medium-priority ones; when traffic is below 200 Mbps, turn the high-priority module on while keeping the lowest- and medium-priority modules off.
When the processing performance information is CPU usage, the implementation is similar: several CPU usage thresholds are set, each corresponding to a threat defense module priority, and this is not repeated here.
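The following is an added example, not code from the patent or from its applicant: a small Python model of the loading policy in the device embodiment above (the 100/150/200 Mbps thresholds with hysteresis) and in the alternative one-threshold-per-level mode just described, together with the priority-ordered dispatch of a packet to whichever modules are currently loaded. The module names, priorities and threshold values are the ones the description uses; the class and function names, the per-module protocol sets and the traffic trace are constructed for the example.

```python
"""Adaptive loading of threat-defense modules by priority and device load.

Added example, not code from the patent. Module names, priorities and the
100/150/200 Mbps thresholds follow the description; the class names, the
protocol sets and the traffic trace are assumptions made for the example.
"""
from dataclasses import dataclass

FIREWALL = "firewall"  # pinned to the highest priority and never unloaded


@dataclass(frozen=True)
class Module:
    name: str
    priority: int                       # smaller value = lower priority = shed first
    protocols: frozenset = frozenset()  # app protocols it inspects; empty = all


@dataclass(frozen=True)
class Band:
    """Hysteresis band for one priority level: the module is unloaded when the
    measured load exceeds unload_above and reloaded when it drops below
    reload_below. Equal values give the plain, non-hysteretic mode."""
    unload_above: float
    reload_below: float

    def __post_init__(self):
        if self.reload_below > self.unload_above:
            raise ValueError("reload threshold must not exceed unload threshold")


class AdaptiveLoader:
    """Keeps a loaded/unloaded flag per module and re-evaluates it on every
    load sample (CPU %, memory % or Mbps, whichever the operator chose)."""

    def __init__(self, modules, bands):
        self.modules = sorted(modules, key=lambda m: m.priority)
        self.bands = list(bands)
        if len(self.bands) > len(self.modules):
            raise ValueError("more bands than sheddable modules")
        # Bands attach to the lowest-priority modules first; modules beyond
        # the last band, and the firewall, are never shed.
        for lower, upper in zip(self.bands, self.bands[1:]):
            if (lower.unload_above > upper.unload_above
                    or lower.reload_below > upper.reload_below):
                raise ValueError("bands must be monotone in priority order")
        self.loaded = {FIREWALL: True}
        self.loaded.update({m.name: True for m in self.modules})

    def update(self, load):
        """Apply one load sample; return the sorted names of loaded modules."""
        for module, band in zip(self.modules, self.bands):
            if load > band.unload_above:
                self.loaded[module.name] = False
            elif load < band.reload_below:
                self.loaded[module.name] = True
            # inside the band: keep the previous state (hysteresis)
        return self.active()

    def active(self):
        return sorted(name for name, on in self.loaded.items() if on)

    def dispatch(self, protocol):
        """Modules a packet of this application protocol is sent to, firewall
        first, then the loaded modules in descending priority."""
        chain = [FIREWALL]
        for m in reversed(self.modules):
            if self.loaded[m.name] and (not m.protocols or protocol in m.protocols):
                chain.append(m.name)
        return chain


# Priorities as in the description (URL filtering lowest); protocol sets assumed.
MODULES = [
    Module("url_filter", 1, frozenset({"http"})),
    Module("anti_spam", 2, frozenset({"smtp", "pop3", "imap"})),
    Module("antivirus", 3),  # scans every protocol in this example
]

# Hysteresis mode: shed lowest above 150 Mbps, medium above 200 Mbps;
# reload medium below 150 Mbps, lowest below 100 Mbps.
HYSTERESIS_BANDS = [Band(150, 100), Band(200, 150)]

# Alternative mode: one threshold per level, no hysteresis, high level shed too.
PLAIN_BANDS = [Band(100, 100), Band(150, 150), Band(200, 200)]


def simulate(bands, trace_mbps):
    """Feed a traffic trace through a fresh loader; return the loaded set per sample."""
    loader = AdaptiveLoader(MODULES, bands)
    return [loader.update(mbps) for mbps in trace_mbps]


if __name__ == "__main__":
    # Constructed trace: ramp past both thresholds, then back down.
    trace = [50, 120, 160, 210, 160, 120, 90]
    for mbps, loaded in zip(trace, simulate(HYSTERESIS_BANDS, trace)):
        print(f"{mbps:4d} Mbps -> {loaded}")
```

Each Band pairs an unload threshold with a lower reload threshold, so a module shed at 160 Mbps is not reloaded until traffic falls below 100 Mbps; with both thresholds equal (the plain mode) a load hovering around a threshold toggles the module at every sample. In both modes the policy fails open by design: above the top threshold only the firewall still inspects packets, so the thresholds deserve the same review as the module priorities.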
As the embodiments of the present invention show, the user can assign different priorities to the threat defense modules. When the device's processing load is low, for example when network traffic is light or CPU usage is low, all traffic is security-inspected; when network traffic exceeds the device's processing capacity, the low-priority functional modules are turned off dynamically according to the user's actual application and the preset module priorities, which raises the device's throughput and keeps services running while still providing the necessary security protection.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that the technical solution may still be modified or equivalently substituted, and that such modifications or substitutions do not take the modified solution outside the spirit and scope of the technical solution of the present invention.
Claims (12)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100575304A CN101227289A (en) | 2008-02-02 | 2008-02-02 | Unified Threat Management Device and Threat Defense Module Loading Method |
PCT/CN2008/072237 WO2009097715A1 (en) | 2008-02-02 | 2008-09-02 | Device for uniform threat management and method for loading threat defense modules |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100575304A CN101227289A (en) | 2008-02-02 | 2008-02-02 | Unified Threat Management Device and Threat Defense Module Loading Method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101227289A (en) | 2008-07-23 |
Family
ID=39859061
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008100575304A Pending CN101227289A (en) | 2008-02-02 | 2008-02-02 | Unified Threat Management Device and Threat Defense Module Loading Method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101227289A (en) |
WO (1) | WO2009097715A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117278335B (en) * | 2023-11-22 | 2024-04-09 | Shenzhen Olym Information Security Technology Co., Ltd. | Password suite selection method and device, electronic equipment and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6499107B1 (en) * | 1998-12-29 | 2002-12-24 | Cisco Technology, Inc. | Method and system for adaptive network security using intelligent packet analysis |
FR2887722A1 (en) * | 2005-06-23 | 2006-12-29 | Checkphone Soc Par Actions Sim | SECURING IP TELEPHONY |
CN101115057A (en) * | 2006-07-27 | 2008-01-30 | ZTE Corporation | Policy-management-based firewall system and dispatching method |
CN101227289A (en) * | 2008-02-02 | 2008-07-23 | Huawei Technologies Co., Ltd. | Unified Threat Management Device and Threat Defense Module Loading Method |
Events
- 2008-02-02: CN application CNA2008100575304A filed (patent/CN101227289A/en), active, status Pending
- 2008-09-02: WO application PCT/CN2008/072237 filed (patent/WO2009097715A1/en), active, Application Filing
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009097715A1 (en) * | 2008-02-02 | 2009-08-13 | Chengdu Huawei Symantec Technologies Co., Ltd. | Device for uniform threat management and method for loading threat defense modules |
CN101719899A (en) * | 2008-10-09 | 2010-06-02 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
CN101996101B (en) * | 2009-08-13 | 2013-08-28 | Beijing Sogou Technology Development Co., Ltd. | Method and device for optimizing application program performance |
CN101827083B (en) * | 2010-02-09 | 2012-10-17 | Bluedon Information Security Technologies Co., Ltd. | Method and system for realizing unified threat management in heterogeneous network |
CN102779066A (en) * | 2012-06-14 | 2012-11-14 | The 41st Research Institute of China Electronics Technology Group Corporation | Method for reducing influence of antivirus software on operational efficiency of test instrument |
CN102970186A (en) * | 2012-12-03 | 2013-03-13 | Wangshen Information Technology (Beijing) Co., Ltd. | Equipment performance detection method and equipment performance detection device |
CN102970186B (en) * | 2012-12-03 | 2019-01-25 | Wangshen Information Technology (Beijing) Co., Ltd. | Equipment performance testing method and device |
CN106888196A (en) * | 2015-12-16 | 2017-06-23 | State Grid Corporation of China | Coordinated defense system for unknown threat detection |
CN106059944A (en) * | 2016-08-18 | 2016-10-26 | Hangzhou H3C Technologies Co., Ltd. | Overload protection method and device |
CN106598740A (en) * | 2016-12-15 | 2017-04-26 | Zhengzhou Yunhai Information Technology Co., Ltd. | System and method for limiting CPU (Central Processing Unit) occupancy rate of multi-thread program |
CN107171950A (en) * | 2017-07-20 | 2017-09-15 | State Grid Shanghai Electric Power Company | Method for identifying threatening behavior in e-mail body |
US11290491B2 (en) * | 2019-03-14 | 2022-03-29 | Oracle International Corporation | Methods, systems, and computer readable media for utilizing a security service engine to assess security vulnerabilities on a security gateway element |
CN111859397A (en) * | 2020-07-23 | 2020-10-30 | National Industrial Information Security Development Research Center | Terminal protection strategy configuration method and device |
CN112291205A (en) * | 2020-10-13 | 2021-01-29 | Hangzhou DPtech Technologies Co., Ltd. | Control method and device for deep packet inspection service and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
WO2009097715A1 (en) | 2009-08-13 |
Similar Documents
Publication | Title |
---|---|
CN101227289A (en) | Unified Threat Management Device and Threat Defense Module Loading Method |
US8856913B2 (en) | Method and protection system for mitigating slow HTTP attacks using rate and time monitoring |
US8819821B2 (en) | Proactive test-based differentiation method and system to mitigate low rate DoS attacks |
CN101019405B (en) | Method and system for mitigating denial of service in a communication network |
US9444749B2 (en) | Apparatus and method for selectively delaying network data flows |
US8904514B2 (en) | Implementing a host security service by delegating enforcement to a network device |
EP2974212B1 (en) | Filtering network data transfers |
Cambiaso et al. | Taxonomy of slow DoS attacks to web applications |
US8006303B1 (en) | System, method and program product for intrusion protection of a network |
CN101160876B (en) | Network security control method and system |
US20150256431A1 (en) | Selective flow inspection based on endpoint behavior and random sampling |
US20150365430A1 (en) | Protecting networks from cyber attacks and overloading |
US20060098585A1 (en) | Detecting malicious attacks using network behavior and header analysis |
EP3399723B1 (en) | Performing upper layer inspection of a flow based on a sampling rate |
CN101631026A (en) | Method and device for defending against denial-of-service attacks |
CN101505302A (en) | Dynamic regulating method and system for security policy |
EP2289221A2 (en) | Network intrusion protection |
US20040128539A1 (en) | Method and apparatus for denial of service attack preemption |
WO2019201458A1 (en) | Methods, nodes and operator network for enabling management of an attack towards an application |
EP2611087A2 (en) | Application level admission overload control |
Gao et al. | Differentiating malicious DDoS attack traffic from normal TCP flows by proactive tests |
Monshizadeh et al. | An adaptive detection and prevention architecture for unsafe traffic in SDN enabled mobile networks |
US11503471B2 (en) | Mitigation of DDoS attacks on mobile networks using DDoS detection engine deployed in relation to an evolve node B |
US10382340B1 (en) | Dynamic filtering of network traffic |
CN104038409A (en) | Method and device for email security management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| ASS | Succession or assignment of patent right | Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.; former owner: HUAWEI TECHNOLOGY CO., LTD.; effective date: 20090424 |
| C41 | Transfer of patent application or patent right or utility model | |
| TA01 | Transfer of patent application right | Effective date of registration: 20090424. Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd., Qingshui River District, Chengdu High-tech Zone, Sichuan Province, China, 611731. Applicant before: Huawei Technologies Co., Ltd., Bantian HUAWEI headquarters office building, Longgang District, Shenzhen, Guangdong Province, China, 518129 |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | Open date: 20080723 |