CN111277567B - Intrusion prevention processing method and device - Google Patents
- Publication number: CN111277567B (application CN202010023054.5A)
- Authority: CN (China)
- Prior art keywords: ips, bypass threshold, intrusion prevention, processing capability, mapping table
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L43/16: Threshold monitoring
- H04L47/25: Flow control; Congestion control with rate being modified by the source upon detecting a change of network conditions
- H04L47/29: Flow control; Congestion control using a combination of thresholds
Abstract
Embodiments of the present invention provide an intrusion prevention processing method and device. The method includes: determining an intrusion prevention system (IPS) bypass threshold according to the current network traffic condition; and performing IPS processing on the packets in the host according to the IPS bypass threshold. Because the IPS bypass threshold is determined according to the current network traffic condition, the method and device provided by the embodiments can dynamically send to the IPS engine only the volume of packets that the engine is currently capable of processing, so that the stability of network services is guaranteed at any level of network traffic.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to an intrusion prevention processing method and device.
Background
An intrusion prevention system (IPS) monitors the network data transmission behaviour of a network or of network devices and immediately interrupts, adjusts or isolates abnormal network data. The role of the current endpoint IPS is to inspect the packets entering and leaving the local host and to block malicious packets and raise alerts. In the specific implementation, the packet is intercepted in a kernel hook and copied to the application-layer IPS engine for processing; after the IPS engine decodes, preprocesses and rule-matches the packet, it finally notifies the kernel, according to the matching result, to drop the packet or continue processing it.
Bypass is a technique for keeping the network speed stable when the IPS engine becomes the bottleneck. Its idea is to release directly the packets that exceed the engine's processing capacity. The current Bypass solution is as follows: a fixed-size shared memory is allocated between the IPS engine and the kernel as the packet queue; each time the kernel receives a packet it first checks whether the queue is full; if it is full, the packet is bypassed directly, and if it is not full, the packet is copied onto the shared queue, and the application-layer IPS engine inspects the packets on the queue one by one.
The current Bypass solution has the following problem: the current Bypass is a fixed value based on the size of the shared memory, and when the shared memory is found to be full the current packet is bypassed directly. However, the larger the network traffic, the lower the processing capability of the IPS engine. When the traffic reaches a certain value, the processing capability of the IPS engine falls to the point where it cannot process the packets on the queue in time, so that the delay of the packets buffered in the queue grows to a certain degree, and network stalls or connection failures eventually occur.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide an intrusion prevention processing method and device.
Specifically, embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides an intrusion prevention processing method, including:
determining an intrusion prevention system (IPS) bypass threshold according to the current network traffic condition;
performing IPS processing on the packets in the host according to the IPS bypass threshold.
Further, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition specifically includes:
obtaining the number of new connections per second on the current host;
querying a mapping table according to the number of new connections per second to obtain an IPS processing capability value;
determining the IPS bypass threshold according to the IPS processing capability value;
wherein the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
Further, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition specifically includes:
determining whether the current host has any connections that have been retransmitted and then failed; if so, querying the lowest IPS processing capability value in the mapping table and determining the IPS bypass threshold according to that lowest IPS processing capability value;
if there are no connections that have been retransmitted and then failed, querying the mapping table for the IPS bypass threshold corresponding to the current number of new connections per second;
wherein the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
Further, before querying the mapping table according to the number of new connections per second to obtain the IPS processing capability value of the intrusion prevention system, the method further includes:
under the recommended configuration of the IPS, testing, for various numbers of new connections per second, the maximum number of connections that the IPS can process without network stalls or connection failures occurring, and taking that maximum number of connections as the IPS processing capability value for the corresponding number of new connections;
establishing the mapping table from each number of connections and its corresponding IPS processing capability value.
Further, performing IPS processing on the packets in the host according to the IPS bypass threshold specifically includes:
applying an IPS mark to new connections in the host according to the IPS bypass threshold;
correspondingly, the intrusion prevention processing method further includes:
when the IPS kernel hook receives a packet, sending the packet to the application-layer IPS engine for inspection if its matching connection carries the IPS mark, and releasing the packet if its matching connection does not carry the IPS mark.
In a second aspect, an embodiment of the present invention further provides an intrusion prevention processing device, including:
a determination module, configured to determine the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition;
a first processing module, configured to perform IPS processing on the packets in the host according to the IPS bypass threshold.
Further, the determination module is specifically configured to:
obtain the number of new connections per second on the current host;
query the mapping table according to the number of new connections per second to obtain the IPS processing capability value;
determine the IPS bypass threshold according to the IPS processing capability value;
wherein the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the intrusion prevention processing method described in the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the intrusion prevention processing method described in the first aspect.
In a fifth aspect, an embodiment of the present invention further provides a computer program product, the computer program product including a computer program which, when executed by a processor, implements the steps of the intrusion prevention processing method described in the first aspect.
As can be seen from the above technical solutions, in the intrusion prevention processing method and device provided by embodiments of the present invention, because the IPS bypass threshold of the intrusion prevention system is determined according to the current network traffic condition, the volume of packets that the IPS engine is currently capable of processing can be sent to the IPS engine dynamically according to the current network traffic condition, so that the stability of network services is guaranteed at any level of network traffic.
Description of the drawings
In order to explain more clearly the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flowchart of an intrusion prevention processing method provided by an embodiment of the present invention;
FIG. 2 is a processing flowchart of the Bypass solution provided by the prior art;
FIG. 3 is a processing flowchart of the Bypass solution provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an intrusion prevention processing device provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In this embodiment, it should be noted that the role of the current endpoint IPS is to inspect the packets entering and leaving the local host and to block malicious packets and raise alerts. In the specific implementation, the packet is intercepted in a kernel hook and copied to the application-layer IPS engine for processing; after the IPS engine decodes, preprocesses and rule-matches the packet, it finally notifies the kernel, according to the matching result, to drop the packet or continue processing it. The end-to-end delay of a packet is one indicator of network quality: the shorter the delay, the faster the network, and vice versa. The IPS engine inspects the packets buffered in the queue one by one; the faster the inspection, the smaller its effect on packet delay, and vice versa. When the inspection process is fixed, the speed of inspection is determined by two factors:
1. Hardware configuration: the higher the configuration, the faster the processing, and vice versa;
2. Traffic volume: the larger the traffic, the fewer time resources are allocated to the IPS engine and the slower the processing.
Therefore, under a given hardware configuration, when the network traffic reaches a certain value the processing capability of the IPS engine becomes a bottleneck; at this point the network speed is felt to drop, and when the traffic increases further and causes retransmissions or even connection failures, network users clearly perceive stalls or failed access. Bypass (the bypass function) is a technique for keeping the network speed stable when the IPS engine becomes the bottleneck. Its core idea is to release directly the packets that exceed the engine's processing capacity. As shown in FIG. 2, the processing flow of the Bypass solution in the prior art is as follows: a fixed-size shared memory is allocated between the IPS engine and the kernel as the packet queue; each time the kernel receives a packet it first checks whether the queue is full; if it is full, the packet is bypassed directly, and if it is not full, the packet is copied onto the shared queue, and the application-layer IPS engine inspects the packets on the queue one by one. As can be seen from the Bypass solution shown in FIG. 2, the current Bypass solution is based only on the size of the shared memory: when the shared memory is found to be full the current packet is bypassed directly, but because the shared memory is a fixed value, the rate at which packets are sent up to the engine cannot be adjusted according to the volume of network traffic. According to the principle introduced above, the larger the network traffic, the lower the processing capability of the IPS engine. When the traffic reaches a certain value, the processing capability of the IPS engine falls to the point where it cannot process the packets on the queue in time, so that the delay of the packets buffered in the queue grows to a certain degree, and network stalls or connection failures eventually occur. It is therefore necessary to design a mechanism that dynamically adjusts the rate at which packets are sent up according to the volume of network traffic, ensuring that, as the network traffic changes, the IPS engine is sent the volume of packets it is currently capable of processing rather than a volume fixed by the size of the shared memory. The intrusion prevention processing method and device provided by this embodiment are explained in further detail below through specific embodiments.
FIG. 1 shows a flowchart of the intrusion prevention processing method provided by an embodiment of the present invention. As shown in FIG. 1, the intrusion prevention processing method provided by the embodiment of the present invention includes the following steps:
Step 101: determine the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition;
Step 102: perform IPS processing on the packets in the host according to the IPS bypass threshold.
In this embodiment, as in the principle introduced above, the smaller the network traffic, the more time resources are allocated to the IPS engine and the faster the processing; the larger the network traffic, the fewer time resources are allocated to the IPS engine and the slower the processing. Therefore, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition can avoid the stalls or connection failures caused by heavy network traffic.
In this embodiment, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition may mean: according to the current network traffic condition, taking the maximum number of connections that the IPS engine can process under the current network traffic condition as the IPS bypass threshold. Here, the maximum number of connections that the IPS engine can process means the maximum number of connections it can process without network stalls or connection failures occurring.
In this embodiment, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition may also mean: when the current network traffic is small, a larger IPS bypass threshold is used; when the current network traffic is large, a smaller IPS bypass threshold is used. For example, when the number of new connections per second is 1-1000, the corresponding IPS bypass threshold may be determined to be 1000; when the number of new connections per second is 1001-2000, the corresponding IPS bypass threshold may be determined to be 800; when the number of new connections per second is 2001-3000, the corresponding IPS bypass threshold may be determined to be 500; and when the number of new connections per second is 3001-4000, the corresponding IPS bypass threshold may be determined to be 300.
In this embodiment, the meaning of the IPS bypass threshold is: packets exceeding the IPS bypass threshold are bypassed directly, while packets within (less than or equal to) the IPS bypass threshold are sent to the IPS engine, which performs IPS inspection and analysis on them. It can therefore be seen that when the network traffic is larger, fewer time resources are allocated to the IPS engine and its processing is slower, so setting a smaller IPS bypass threshold at this point reduces the processing pressure on the IPS engine and thereby avoids the network stalls or connection failures caused by the IPS engine being unable to process the packets on the queue in time. Hence, because this embodiment can determine the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition, the volume of packets that the IPS engine is able to process can be sent to the IPS engine dynamically according to the current network traffic condition, so that the stability of network services is guaranteed at any level of network traffic.
In this embodiment, it should be noted that once the IPS bypass threshold is determined, IPS processing can be performed on the packets in the host according to it: packets that do not exceed the IPS bypass threshold are copied onto the shared queue so that the application-layer IPS engine inspects the packets on the queue one by one, while packets that exceed the IPS bypass threshold are bypassed directly.
As can be seen from the above technical solution, in the intrusion prevention processing method provided by the embodiment of the present invention, because the IPS bypass threshold of the intrusion prevention system is determined according to the current network traffic condition, the volume of packets that the IPS engine is currently capable of processing can be sent to the IPS engine dynamically according to the current network traffic condition, so that the stability of network services is guaranteed at any level of network traffic.
Further, based on the content of the above embodiment, in this embodiment, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition specifically includes:
obtaining the number of new connections per second on the current host;
querying the mapping table according to the number of new connections per second to obtain the IPS processing capability value;
determining the IPS bypass threshold according to the IPS processing capability value;
wherein the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
In this embodiment, when determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition, because the number of new connections per second on the host reflects the current network traffic condition, the IPS bypass threshold can be determined according to the current number of new connections per second on the host, and this way of obtaining it is simple and efficient. Specifically, the correspondence between the current number of new connections per second on the host and the IPS bypass threshold can be determined by querying the mapping table.
In this embodiment, it should be noted that the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value, and the correspondence stored in the mapping table is obtained by experimental testing. The correspondence between the number of new connections per second and the IPS processing capability value stored in the mapping table means: at the corresponding number of new connections per second, the maximum number of connections that the IPS engine can process without network stalls or connection failures occurring; this maximum number of connections is the IPS processing capability value.
In this embodiment, after the IPS processing capability value has been obtained by querying the mapping table according to the number of new connections per second, the obtained IPS processing capability value can be used directly as the IPS bypass threshold. The meaning of the IPS bypass threshold here is: packets exceeding the IPS processing capability value (the IPS bypass threshold) are bypassed directly, while packets within (less than or equal to) the IPS processing capability value (the IPS bypass threshold) are sent to the IPS engine for IPS inspection and analysis.
In this embodiment, it should be noted that the correspondence between the number of new connections per second (CPS) and the processing capability value of the IPS engine under the recommended IPS configuration is obtained by experiment, and the correspondence is stored in the mapping table ready for querying.
In this embodiment, the Bypass function detects the CPS in real time, then queries the mapping table according to the detection result to obtain the processing capability value of the IPS engine under the current CPS condition, and then dynamically adjusts the Bypass threshold according to the processing capability value obtained from the query, so that the stability of network services is guaranteed under any network traffic condition while the IPS detection rate is maximised.
Further, based on the content of the above embodiment, in this embodiment, determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition specifically includes:
determining whether the current host has any connections that have been retransmitted and then failed; if so, querying the lowest IPS processing capability value in the mapping table and determining the IPS bypass threshold according to that lowest IPS processing capability value;
if there are no connections that have been retransmitted and then failed, querying the mapping table for the IPS bypass threshold corresponding to the current number of new connections per second;
其中,所述映射表中存储有每秒新建连接数与IPS处理能力值之间的对应关系。Wherein, the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
In this embodiment, it is determined whether the current host has connections that have been retransmitted and then failed to connect. If so, the host traffic has reached a relatively high level; at this point the processing capability of the IPS engine has dropped to where it cannot process the packets on the queue in time, so the delay of the packets buffered in the queue grows to a certain degree, which is why network stalls or connection failures appear. Under this network traffic condition, a lower IPS bypass threshold should therefore be set in order to keep network services stable. Accordingly, when it is determined that the current host has retransmitted and failed connections, the lowest IPS processing capability value in the mapping table is queried directly and taken as the IPS bypass threshold. If there are no retransmitted and failed connections, the mapping table is queried for the IPS bypass threshold corresponding to the current number of new connections per second. It can be seen that this embodiment provides a handling method for each of the two cases, with and without retransmitted and failed connections, so that a suitable IPS bypass threshold is obtained under different network conditions. In particular, when the network condition is poor, determining the IPS bypass threshold according to the lowest IPS processing capability value keeps network services stable.
Further, based on the content of the foregoing embodiment, in this embodiment, before querying the mapping table with the number of new connections per second to obtain the IPS processing capability value of the intrusion prevention system, the method further includes:
under the recommended IPS configuration, testing, for various numbers of new connections per second and on the premise that no network stall or connection failure occurs, the maximum number of connections the IPS can handle, and taking that maximum number of connections as the IPS processing capability value for the corresponding number of new connections;
establishing the mapping table from each number of connections and the corresponding IPS processing capability value.
In this embodiment, in order to measure the processing capability of the IPS engine under varying traffic, a test is run under the recommended IPS configuration for various numbers of new connections per second to find, on the premise that no network stall or connection failure occurs, the maximum number of connections the IPS can handle. That maximum is taken as the IPS processing capability value for the corresponding number of new connections, and the mapping table is then established from each number of connections and its corresponding IPS processing capability value. For example, the structure of the mapping table may be as follows:
{1000:1000, // when the number of new connections is 1-1000, the IPS processing capability value is 1000;
2000:800, // when the number of new connections is 1001-2000, the IPS processing capability value is 800;
3000:500, // when the number of new connections is 2001-3000, the IPS processing capability value is 500;
4000:300 // when the number of new connections is 3001-4000, the IPS processing capability value is 300}
In this embodiment, it should be noted that a new Bypass mechanism can be implemented on the basis of the mapping table established above: the mapping table is queried with the number of new connections per second to obtain the IPS processing capability value, and the IPS bypass threshold is then determined according to that IPS processing capability value. In general, the IPS bypass threshold is simply the IPS processing capability value.
It can be seen that, in this embodiment, by testing under the recommended IPS configuration, for various numbers of new connections per second and on the premise that no network stall or connection failure occurs, the maximum number of connections the IPS can handle, and by taking that maximum as the IPS processing capability value for the corresponding number of new connections, a mapping table of reference value is established that contains the mapping between the various numbers of new connections per second and the IPS processing capability values. The IPS bypass threshold corresponding to the current number of new connections per second can subsequently be looked up in that mapping table.
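The threshold selection described above, as an added Python example that is not part of the patent text or of any product code: a bucketed lookup into a mapping table of the same shape as the example table, the fallback to the lowest capability value when retransmitted-and-failed connections were seen in the sampling window, and the resulting per-window bypass threshold. The table contents are the constructed values from the example above, and the behaviour for a CPS above the last table bound is an assumption of this example.

```python
"""Added example (not from the patent): selecting the IPS bypass threshold from
a CPS-to-capability mapping table, following the embodiment's two cases."""
from bisect import bisect_left

# Constructed mapping table with the same shape as the patent's example:
# key = upper bound of a new-connections-per-second (CPS) range,
# value = IPS processing capability value measured for that range.
MAPPING_TABLE = {1000: 1000, 2000: 800, 3000: 500, 4000: 300}


def lookup_capability(table, cps):
    """Return the capability value for the range that contains `cps`.

    Ranges are (previous bound, bound]; a CPS of 0 falls in the first range.
    A CPS above the last bound gets the lowest capability value (assumption:
    the patent does not say what happens beyond the table).
    """
    bounds = sorted(table)
    idx = bisect_left(bounds, cps)
    if idx >= len(bounds):
        return min(table.values())
    return table[bounds[idx]]


def determine_bypass_threshold(table, cps, failed_retransmitted):
    """Timer-1 decision for one sampling window.

    If any connection was retransmitted and then failed in the window, the
    host is overloaded, so the lowest capability value is used; otherwise the
    capability value for the measured CPS is used. The threshold equals the
    capability value, as the embodiment states.
    """
    if failed_retransmitted > 0:
        return min(table.values())
    return lookup_capability(table, cps)


def plan_windows(table, windows):
    """Apply the decision to a series of (cps, failed_retransmitted) samples
    and return the bypass threshold chosen for each window."""
    return [determine_bypass_threshold(table, cps, failed)
            for cps, failed in windows]


if __name__ == "__main__":
    # Constructed 5-second samples: rising load, then a window with failures.
    samples = [(500, 0), (1500, 0), (3500, 0), (1500, 2), (9000, 0)]
    for (cps, failed), thr in zip(samples, plan_windows(MAPPING_TABLE, samples)):
        print(f"cps={cps:5d} failed={failed} -> bypass threshold {thr}")
```

The clamping beyond the last bound matters in practice: if the table ends at 4000 CPS and the host sees 9000 CPS, a lookup that raised or returned the first bucket would either crash the timer path or send more traffic to the engine exactly when it has the least headroom, so the example falls back to the lowest capability value in that case.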
Further, based on the content of the foregoing embodiment, in this embodiment, performing IPS processing on the packets in the host according to the IPS bypass threshold specifically includes:
applying an IPS mark to new connections in the host according to the IPS bypass threshold;
correspondingly, the intrusion prevention processing method further includes:
when the IPS kernel HOOK receives a packet, sending packets whose matching connection carries the IPS mark to the application-layer IPS engine for detection, and releasing packets whose matching connection does not carry the IPS mark.
In this embodiment, as shown in FIG. 3, the implementation process of the Bypass technical solution provided by this embodiment includes the following:
① Bypass token bucket processing flow
The token bucket is set up using two timers.
Timer 1: every 5 seconds, count the number of connections that have been retransmitted and then failed, together with the CPS over those 5 s. If there are failed connections, read the lowest processing capability value from the mapping table above; otherwise obtain the processing capability value corresponding to the CPS from the mapping table. Then set the Bypass threshold according to that processing capability value.
Timer 2: every 1 second, read the Bypass threshold and set the token bucket accordingly.
② Packet processing flow
When the IPS kernel hook receives a packet, it first looks up the connection table by five-tuple. If the connection is found, it checks the connection's IPS mark: if the mark is present, the packet is sent to the application-layer IPS engine for detection; if it is absent, the packet is released directly. If the connection is not found, a connection is created and added to the connection table, and a token is read from the token bucket: if a token can be obtained, the IPS detection mark is set on the connection; if not, it is not set.
As can be seen from FIG. 3, this solution implements dynamic adjustment of the IPS Bypass threshold according to the CPS, ensuring normal network operation under any traffic and, on that basis, maximizing the IPS detection rate.
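The token-bucket and packet-handling flow of FIG. 3, as an added Python example that is not code from the patent or from any product: the refill corresponds to timer 2, the five-tuple connection table and per-connection IPS mark to the kernel hook, and the threshold loaded into the bucket is the value timer 1 would have produced. All class and function names are assumptions, and so is treating both directions of a flow as one connection-table entry; the packets are constructed for the demonstration.

```python
"""Added example (not from the patent): the token bucket and packet flow of
FIG. 3 simulated in user space. The kernel hook, connection table and token
bucket are modelled as plain Python objects; all names are assumptions."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


class TokenBucket:
    """Timer-2 behaviour: once per second the bucket is reset to the current
    Bypass threshold; each new connection that is to be inspected takes one
    token, so at most `threshold` new connections per second reach the engine."""

    def __init__(self, threshold):
        self.tokens = threshold

    def refill(self, threshold):
        # Timer 2: read the Bypass threshold (set by timer 1) and reload.
        self.tokens = threshold

    def take(self):
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def flow_key(pkt):
    """Connection-table key. Both directions of a flow map to one entry
    (assumption: the patent only says the table is looked up by five-tuple)."""
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, pkt.proto)


class IpsHook:
    """Models the IPS kernel hook: a connection table whose entries hold the
    IPS mark decided once, when the connection is first seen."""

    def __init__(self, bucket):
        self.bucket = bucket
        self.conn_table = {}  # flow key -> bool (IPS mark)

    def handle(self, pkt):
        """Return 'ips' if the packet is sent to the application-layer IPS
        engine, 'pass' if it is released without inspection."""
        key = flow_key(pkt)
        if key not in self.conn_table:
            # New connection: add it, then mark it only if a token is available.
            self.conn_table[key] = self.bucket.take()
        return "ips" if self.conn_table[key] else "pass"


def demo():
    """Constructed traffic: threshold 2, three new flows in the first second,
    then a refill to threshold 1 and two more new flows."""
    bucket = TokenBucket(threshold=2)
    hook = IpsHook(bucket)
    c1 = Packet("10.0.0.1", 40001, "10.0.0.2", 80, "tcp")
    c2 = Packet("10.0.0.1", 40002, "10.0.0.2", 80, "tcp")
    c3 = Packet("10.0.0.1", 40003, "10.0.0.2", 80, "tcp")
    reply1 = Packet("10.0.0.2", 80, "10.0.0.1", 40001, "tcp")
    results = [hook.handle(p) for p in (c1, c2, c3, c1, reply1, c3)]
    bucket.refill(1)  # timer 2 reads a lowered Bypass threshold
    c4 = Packet("10.0.0.1", 40004, "10.0.0.2", 80, "tcp")
    c5 = Packet("10.0.0.1", 40005, "10.0.0.2", 80, "tcp")
    results += [hook.handle(p) for p in (c4, c5, c3)]
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties of the flow are worth noticing from the simulation. The mark is decided once, at connection creation, so every later packet of that connection (including the reply direction) is handled the same way; and a connection that missed a token stays unmarked for its whole lifetime, which is the trade-off the scheme accepts to keep the engine within its measured capability. A defender tuning this should therefore treat the number of unmarked (bypassed) connections per window as a metric to alert on, since it is exactly the traffic the engine never sees.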
FIG. 4 shows a schematic structural diagram of an intrusion prevention processing apparatus provided by an embodiment of the present invention. As shown in FIG. 4, the intrusion prevention processing apparatus provided by the embodiment of the present invention includes a determining module 21 and a first processing module 22, where:
the determining module 21 is configured to determine the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition;
the first processing module 22 is configured to perform IPS processing on the packets in the host according to the IPS bypass threshold.
Further, based on the content of the foregoing embodiment, in this embodiment, the determining module 21 is specifically configured to:
obtain the number of new connections per second on the current host;
query the mapping table with the number of new connections per second to obtain the IPS processing capability value;
determine the IPS bypass threshold according to the IPS processing capability value;
where the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
Further, based on the content of the foregoing embodiment, in this embodiment, the determining module 21 is specifically configured to:
determine whether the current host has connections that have been retransmitted and then failed to connect; if so, query the lowest IPS processing capability value in the mapping table and determine the IPS bypass threshold according to that lowest IPS processing capability value;
if there are no retransmitted and failed connections, query the mapping table for the IPS bypass threshold corresponding to the current number of new connections per second;
where the mapping table stores the correspondence between the number of new connections per second and the IPS processing capability value.
Further, based on the content of the foregoing embodiment, in this embodiment, the apparatus further includes a building module configured to:
under the recommended IPS configuration, test, for various numbers of new connections per second and on the premise that no network stall or connection failure occurs, the maximum number of connections the IPS can handle, and take that maximum number of connections as the IPS processing capability value for the corresponding number of new connections;
establish the mapping table from each number of connections and the corresponding IPS processing capability value.
Further, based on the content of the foregoing embodiment, in this embodiment, the first processing module 22 is specifically configured to apply an IPS mark to new connections in the host according to the IPS bypass threshold;
correspondingly, the intrusion prevention processing apparatus further includes:
a second processing module configured to, when the IPS kernel HOOK receives a packet, send packets whose matching connection carries the IPS mark to the application-layer IPS engine for detection, and release packets whose matching connection does not carry the IPS mark.
Since the intrusion prevention processing apparatus provided by the embodiment of the present invention can be used to execute the intrusion prevention processing method described in the above embodiments, and its working principle and beneficial effects are similar, it is not described in detail here; for details, refer to the description of the above embodiments.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device. Referring to FIG. 5, the electronic device specifically includes a processor 501, a memory 502, a communication interface 503 and a communication bus 504;
where the processor 501, the memory 502 and the communication interface 503 communicate with each other through the communication bus 504;
the processor 501 is configured to call the computer program in the memory 502, and when the processor executes the computer program it implements all the steps of the above intrusion prevention processing method; for example, when the processor executes the computer program it implements the following process: determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition, and performing IPS processing on the packets in the host according to the IPS bypass threshold.
It can be understood that, for the refined and extended functions the computer program can perform, reference may be made to the description of the above embodiments.
Based on the same inventive concept, another embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, all the steps of the above intrusion prevention processing method are implemented; for example, when the processor executes the computer program it implements the following process: determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition, and performing IPS processing on the packets in the host according to the IPS bypass threshold.
It can be understood that, for the refined and extended functions the computer program can perform, reference may be made to the description of the above embodiments.
Based on the same inventive concept, another embodiment of the present invention provides a computer program product that includes a computer program. When the computer program is executed by a processor, all the steps of the above intrusion prevention processing method are implemented; for example, when the processor executes the computer program it implements the following process: determining the IPS bypass threshold of the intrusion prevention system according to the current network traffic condition, and performing IPS processing on the packets in the host according to the IPS bypass threshold.
It can be understood that, for the refined and extended functions the computer program can perform, reference may be made to the description of the above embodiments.
In addition, the above logic instructions in the memory can be implemented in the form of software functional units and, when sold or used as an independent product, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the intrusion prevention processing method described in each embodiment or in certain parts of an embodiment.
In addition, in the present invention, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
In addition, in the present invention, description with reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where no contradiction arises, those skilled in the art may combine the different embodiments or examples described in this specification and the features of the different embodiments or examples.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (7)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010023054.5A CN111277567B (en) | 2020-01-09 | 2020-01-09 | Intrusion prevention processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010023054.5A CN111277567B (en) | 2020-01-09 | 2020-01-09 | Intrusion prevention processing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111277567A CN111277567A (en) | 2020-06-12 |
| CN111277567B true CN111277567B (en) | 2022-10-25 |
Family
ID=71000174
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010023054.5A Active CN111277567B (en) | 2020-01-09 | 2020-01-09 | Intrusion prevention processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111277567B (en) |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2474545B (en) * | 2009-09-24 | 2015-06-24 | Fisher Rosemount Systems Inc | Integrated unified threat management for a process control system |
| CN105099825B (en) * | 2015-08-17 | 2018-10-02 | 北京神州绿盟信息安全科技股份有限公司 | A kind of safeguard method and device of external Bypass |
| CN106375330B (en) * | 2016-09-21 | 2020-01-17 | 东软集团股份有限公司 | Data detection method and device |
| CN106921520A (en) * | 2017-02-28 | 2017-07-04 | 北京匡恩网络科技有限责任公司 | Communication processing method and device |
| CN107689901B (en) * | 2017-11-13 | 2020-12-18 | 锐捷网络股份有限公司 | Method and device for monitoring service message flow |
| CN107872401B (en) * | 2017-12-22 | 2021-01-12 | 成都飞鱼星科技股份有限公司 | Network key service guarantee method and device |
| CN109525500B (en) * | 2018-12-27 | 2021-08-24 | 北京天融信网络安全技术有限公司 | Information processing method and information processing device capable of automatically adjusting threshold |
2020
- 2020-01-09 CN CN202010023054.5A patent/CN111277567B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN111277567A (en) | 2020-06-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9148437B1 (en) | Detecting adverse network conditions for a third-party network site | |
| CN103561048B (en) | A kind of method and device determining that tcp port scans | |
| US8856913B2 (en) | Method and protection system for mitigating slow HTTP attacks using rate and time monitoring | |
| WO2017088326A1 (en) | Tcp connection processing method, device and system | |
| CN111556068B (en) | Distributed Denial of Service Monitoring and Prevention Method Based on Traffic Feature Recognition | |
| CN106790299B (en) | Wireless attack defense method and device applied to wireless Access Point (AP) | |
| CN114338159A (en) | Access limiting method, device, nonvolatile storage medium and processor | |
| CN104113559A (en) | Method for resisting tcp full-link attack | |
| CN108183884B (en) | A kind of network attack determination method and device | |
| CN110247893A (en) | A kind of data transmission method and SDN controller | |
| CN111277567B (en) | Intrusion prevention processing method and device | |
| CN109347810B (en) | Method and device for processing message | |
| CN115190077B (en) | Control method, control device and computing equipment | |
| CN114510711A (en) | Method, device, medium and computer equipment for preventing CC attacks | |
| US20250310259A1 (en) | Programmable congestion monitoring and/or control | |
| US20120110665A1 (en) | Intrusion Detection Within a Distributed Processing System | |
| CN111277509A (en) | Flow guiding method and device for IPS engine | |
| WO2025081847A1 (en) | Fault analysis method and apparatus, computing device cluster, and readable storage medium | |
| CN206294205U (en) | A kind of network security detection device | |
| US20230141028A1 (en) | Traffic control server and method | |
| CN115021960A (en) | Message processing method and network security equipment | |
| CN116319436A (en) | Method and device for detecting network links of container firewall | |
| CN110753015B (en) | Short message processing method, device and equipment | |
| CN108471428B (en) | DDoS attack active defense technology and equipment applied to CDN system | |
| CN107094126A (en) | A kind of hold-up interception method of messaging virus, apparatus and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP01 | Change in the name or title of a patent holder | Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088; Patentee after: QAX Technology Group Inc.; Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.; Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088; Patentee before: QAX Technology Group Inc.; Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. |