CN101272254A - Method for generating attack signature database, method and device for preventing network attacks - Google Patents
- Publication number: CN101272254A
- Authority: CN (China)
- Prior art keywords: attack, attack signature, message, signature, judged
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
Embodiments of the invention disclose a method for generating an attack signature database, a method for preventing network attacks, and a device for preventing network attacks. The method for preventing network attacks includes: judging, according to the attack signature database, whether a message to be sent up to the main control CP contains an attack signature from that database; if so, performing the corresponding anti-attack processing on the message according to the attack signature; if not, sending the message up to the main control CP and caching it in the queue to be analysed. With the invention, the signatures of attacks that have actually occurred can be extracted from the large IPS rule base to form an attack signature database, so that subsequent attacks of the same type can be effectively prevented in real time, achieving a good protective effect while preserving system performance.
Description
Technical field
The invention relates to the Internet, and in particular to a method for generating an attack signature database, a method for preventing network attacks, and a device for preventing network attacks.
Background art
Network security is generally discussed at three levels: device security, network security, and service security. Device security is the foundation on which a secure network is built, so how to secure network devices, and especially the devices at important nodes such as routers and switches, is a problem the industry needs to solve as a priority.
For protecting key equipment such as servers, a firewall is the natural choice: placing a firewall in series on the device's network interface generally protects the device effectively. Protecting devices such as routers is harder, because routers, and high-end routers in particular, have a high interface density and carry large volumes of traffic, so an external firewall cannot be used to protect the router itself from attack. Router protection therefore generally relies on the following two techniques.
The existing solution is to integrate the entire IPS (Intrusion Prevention System)/IDS (Intrusion Detection System) into the system, with the system CPU performing anti-attack processing in real time. The IPS rule base is a summary of the various attack signatures already seen on the network. As time passes there are ever more attacks, the IPS rule base grows ever larger, and the processing burden on the system (resource and performance consumption) grows ever heavier. The IPS rule base is therefore generally large and its processing complex, demanding high CPU performance, whereas ordinary CPUs have limited processing performance; as a result this approach is usually used on enterprise-class low- and mid-end routers. Applied to a high-end router with a distributed architecture, it consumes too many resources and too much CPU capacity, and the result is poor.
Summary of the invention
The technical problem addressed by the embodiments of the invention is to provide a method and device for preventing network attacks that can protect the system effectively in real time without consuming too many resources or too much CPU performance, improving the protective capability of the whole system.
To solve the above technical problem, an embodiment of the invention provides a method for generating an attack signature database, including:
sending a message up to the main control CP and, at the same time, caching the message in a queue to be analysed;
when an abnormal active/standby switchover of the main control CP occurs, judging according to the IPS rule base whether the sent-up messages cached in the queue to be analysed contain an attack signature, and if so, extracting the attack signature of the message and saving it to the attack signature database.
A method for preventing network attacks is also provided, including:
judging, according to the attack signature database, whether a message to be sent up to the main control CP contains an attack signature from the attack signature database; if so, performing the corresponding anti-attack processing on the message according to the attack signature; if not, sending the message up to the main control CP and caching it in the queue to be analysed.
Correspondingly, an embodiment of the invention also provides a device for preventing network attacks, including:
a receiving unit, for receiving messages to be sent up to the main control CP;
a queue unit, for storing the messages received by the receiving unit that are to be sent up to the main control CP;
an attack signature database, for storing attack signatures together with the initial statistical data and aging interval corresponding to each attack signature;
a detection unit, for judging according to the IPS rule base whether the sent-up messages cached in the queue unit contain an attack signature and, if so, extracting the attack signature of the message and saving it to the attack signature database; and/or for judging according to the attack rules stored in the attack rule base whether a message received by the receiving unit contains an attack signature and, if so, performing the corresponding anti-attack processing on the attack message according to the attack signature, and if not, sending the message up to the main control CP and caching it in the queue unit.
Implementing the embodiments of the invention has the following beneficial effect: the signatures of attacks that have actually occurred can be extracted from the large IPS rule base to form an attack signature database, so that subsequent attacks of the same type can be effectively prevented in real time, achieving a good protective effect while preserving system performance.
Description of drawings
Fig. 1 is a schematic diagram of the overall structure of an embodiment of the invention;
Fig. 2 is a schematic diagram of the structure of the detection unit in an embodiment of the invention;
Fig. 3 is a schematic flow diagram of generating the attack signature database in an embodiment of the invention;
Fig. 4 is a schematic flow diagram of preventing network attacks in an embodiment of the invention.
Detailed description
To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Referring to Figs. 1 and 2, Fig. 1 is a schematic diagram of the overall structure of the device for preventing network attacks according to an embodiment of the invention. It includes a receiving unit 1, a queue unit 2, a detection unit 3, an attack signature database 4, a recording unit 5 and an aging processing unit 6, where:
The receiving unit 1 receives messages to be sent up to the main control CP.
The queue unit 2 stores the messages received by the receiving unit 1 that are to be sent up to the main control CP.
The attack signature database 4 stores attack signatures together with the initial statistical data and aging interval corresponding to each signature; the initial statistical data is the attack count of the signature, and the aging interval is the period for which the signature survives.
The detection unit 3 judges according to the IPS rule base whether the sent-up messages cached in the queue unit 2 contain an attack signature and, if so, extracts the attack signature of the message and saves it to the attack signature database 4; and/or it judges according to the attack rules stored in the attack rule base 4 whether a message received by the receiving unit contains an attack signature and, if so, performs the corresponding anti-attack processing on the attack message according to the attack signature, and if not, sends the message up to the main control CP and caches it in the queue unit 2.
Referring to Fig. 2, the detection unit 3 includes: a first detection unit 31, which detects according to the rules in the IPS base whether a message awaiting analysis contains an attack signature and, if so, extracts the attack signature of the message and saves it to the attack signature database 4; and a second detection unit 32, which detects according to the attack signatures in the attack signature database 4 whether a message received by the receiving unit 3 contains an attack signature and, if so, performs the corresponding anti-attack processing on the message according to the attack signature and accumulates the current attack count, and if not, sends the message up to the main control CP and caches it in the queue unit 2.
The recording unit 5 generates initial statistical data and an aging interval for an attack signature when the attack signature database 4 receives that signature from the first detection unit 31.
The aging processing unit 6, when an attack signature reaches its aging interval, judges whether the current attack count of the signature held in the second detection unit 32 is the same as the initial statistical data corresponding to that signature in the attack signature database 4; if so, it deletes the signature from the attack signature database 4 and releases the system resources; if not, it has the recording unit 5 replace the signature's initial statistical data with its current attack count and generate a new aging interval for the signature.
In a specific implementation, after the receiving unit 1 receives a message to be sent up to the main control CP, the second detection unit 32 in the detection unit 3 detects, according to the attack signatures in the attack signature database 4, whether the message received by the receiving unit 1 contains an attack signature. If so, the message is given the anti-attack processing corresponding to the type of the attack signature, and at the same time the current attack count for that signature type is accumulated. The current attack count of every signature in the attack signature database 4 is 0 initially. For example, if the current attack count of some signature is 3 and the second detection unit 32 finds a message containing that signature among the messages being sent up to the main control CP, then besides applying anti-attack processing to the message it accumulates the current attack count of the signature to 4. The anti-attack processing includes discarding, rate limiting and the like, and attack signatures fall into three types: five-tuple, deep-filter and rate-limit. If the message contains no signature, it is sent up to the main control CP and cached in the queue unit 2.
After the messages have been sent up, it is judged whether the main control CP has been attacked and restarted, i.e. whether an abnormal active/standby switchover has occurred. If not, messages continue to be received. If so, the detection unit 3 performs attack signature detection on the messages cached in the queue unit 2: specifically, the first detection unit 31 in the detection unit 3 judges according to the attack signatures in the IPS rule base whether the messages in the queue unit 2 contain an attack signature and, if so, extracts the attack signature from the message and saves it to the attack signature database 4. Each time the attack signature database 4 receives an attack signature from the detection unit 3, the recording unit 5 generates initial statistical data and an aging interval for the received signature record; the initial statistical data of an attack signature is 0.
When an attack signature reaches its aging interval, the aging unit 6 judges whether the current attack count of that signature recorded in the second detection unit 32 is the same as the signature's initial statistical data in the attack signature database. If so, it deletes the signature from the attack signature database 4 and releases the system resources; if not, it has the recording unit replace the signature's initial statistical data with its current attack count and generate a new aging interval for the signature. For example, suppose the current attack count of signature A is 3, that of signature B is 0, and the initial statistical data of both A and B in the attack signature database is 0. When A reaches its aging interval, the aging unit 6 compares A's current attack count 3 with its initial statistical data 0 in the database; they differ, so the aging unit 6 replaces A's initial statistical data 0 with its current attack count 3, A's initial statistical data becomes 3, and the aging unit 6 also generates a new aging interval for A. When B reaches its aging interval, the aging unit 6 compares B's current attack count 0 with its initial statistical data 0 in the database; they are the same, so the aging unit 6 deletes signature B from the attack signature database and releases the system resources.
In a specific implementation, the attack signature databases of the individual network-attack prevention devices can be synchronised with one another as required, for a better protective effect.
Fig. 3 is a schematic flow diagram of generating the attack signature database in an embodiment of the invention. The method for generating the attack signature database specifically includes the following steps:
Step S301: receive a message to be sent up to the main control CP.
Step S302: cache the message in the queue to be analysed. In a specific implementation, after the received message is sent up to the main control CP, the message's buffer space is not released; instead the sent-up message is cached in the queue to be analysed, which is a circular queue.
Step S303: judge whether an abnormal active/standby switchover of the main control CP has occurred. In a specific implementation, once the message has been sent up, it is judged whether the main control CP has undergone an abnormal active/standby switchover; if not, the process ends; if so, continue with step S304.
Step S304: judge according to the IPS rules whether the messages in the queue to be analysed contain an attack signature. If so, execute step S305; if not, the process ends.
Step S305: save the discovered attack signature to the attack signature database. In a specific implementation, when an attack signature is found in a message from the queue to be analysed according to the IPS rules, the discovered signature is extracted from the message and saved to the attack signature database.
Step S306: generate initial statistical data and an aging interval for the attack signature. In operation, each time a new attack signature is saved to the attack signature database, corresponding initial statistical data and an aging interval are set for the newly saved signature; the initial statistical data is 0 at initialisation.
Fig. 4 is a schematic flow diagram of preventing network attacks in an embodiment of the invention. The specific steps are:
Step S401: receive a message to be sent up to the main control CP.
Step S402: judge according to the attack signature database whether the message contains an attack signature. If so, execute step S403; if not, execute step S405.
Step S403: perform the anti-attack processing corresponding to the type of the attack signature on the message. In a specific implementation, once an attack signature is detected, the message containing the signature is processed with the anti-attack measure corresponding to the type of the signature in the message. Attack signatures are specifically divided into three types: five-tuple, deep-filter and rate-limit. The corresponding anti-attack processing includes discarding, rate limiting and the like.
Step S404: accumulate the current attack count of the attack signature. For example, if the current attack count of some signature is 3 and a message containing that signature is found among the messages being sent up to the main control CP, then besides applying anti-attack processing to the message, the current attack count of the signature is accumulated to 4.
Step S405: send the message up to the main control CP. In a specific implementation, when it is judged according to the attack signature database that the message to be sent up contains no attack signature, the message is sent up to the main control CP.
Step S406: cache the message in the queue to be analysed. In a specific implementation, after the message is sent up to the main control CP, the message's buffer space is not released; instead the sent-up message is cached in the queue to be analysed, which is a circular queue.
Step S407: judge whether an abnormal active/standby switchover of the main control CP has occurred. In a specific implementation, once the message has been sent up, it is judged whether the main control CP has undergone an abnormal active/standby switchover; if not, the process ends; if so, continue with step S408.
Step S408: judge according to the IPS rules whether the messages in the queue to be analysed contain an attack signature. If so, execute step S409; if not, the process ends.
Step S409: save the discovered attack signature to the attack signature database. In a specific implementation, when an attack signature is found in a message from the queue to be analysed according to the IPS rules, the discovered signature is extracted from the message and saved to the attack signature database.
Step S410: generate initial statistical data and an aging interval for the attack signature. In operation, each time a new attack signature is saved to the attack signature database, corresponding initial statistical data and an aging interval are set for the newly saved signature; the initial statistical data is 0 at initialisation.
Step S411: when the attack signature reaches its aging interval, judge whether the current attack count of the signature is the same as its initial statistical data; if so, execute step S502; if not, execute step S503;
Step S412: if the judgment is yes, i.e. the current attack count of the signature is the same as its initial statistical data, delete the signature from the attack signature database and release the system resources it occupied;
Step S413: if the judgment is no, i.e. the current attack count of the signature differs from its initial statistical data, replace the signature's initial statistical data with its current attack count and generate a new aging interval for the signature.
For example, suppose the current attack count of signature A is 3, that of signature B is 0, and the initial statistical data of both A and B is 0. When A reaches its aging interval, it is judged whether A's current attack count 3 is the same as its initial statistical data 0; they differ, so A's initial statistical data 0 is replaced with its current attack count 3, A's initial statistical data becomes 3, and a new aging interval is generated for A. When B reaches its aging interval, it is judged whether B's current attack count 0 is the same as its initial statistical data 0 in the attack signature database; they are the same, so signature B is deleted from the attack signature database and the system resources it occupied are released.
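The following is an added illustration of the flow of steps S301-S306 and S401-S413, including the A=3 / B=0 aging example above; it is not the patent's own code. It models the fast-path signature database, the circular queue of messages already sent up to the main control CP, signature learning from that queue on an abnormal CP switchover, and the aging rule; the IPS rules, packet layout, countermeasures and aging interval are constructed for the demonstration.

```python
"""Model of the two-tier scheme in CN101272254A (added illustration, not the patent's code)."""
from collections import deque
from dataclasses import dataclass

AGING_INTERVAL = 100   # constructed: ticks a learned signature lives before it is aged


@dataclass
class Signature:
    kind: str            # the patent's three types: five_tuple, deep_filter, rate_limit
    pattern: object      # a 5-tuple for five_tuple, a byte pattern otherwise (constructed)
    action: str          # anti-attack processing: "drop" or "rate_limit"
    initial_stat: int    # initial statistical data (0 when the signature is created)
    aging_deadline: int  # tick at which the aging interval expires
    current_hits: int = 0  # current attack count, accumulated in S404


class Defender:
    def __init__(self, ips_rules, queue_size=8):
        self.ips_rules = ips_rules               # the large IPS rule base: (kind, pattern, action)
        self.db = {}                             # attack signature database, keyed by pattern
        self.pending = deque(maxlen=queue_size)  # circular queue to be analysed (S302/S406)
        self.now = 0

    @staticmethod
    def _match(kind, pattern, pkt):
        if kind == "five_tuple":
            return pkt["five_tuple"] == pattern
        return pattern in pkt["payload"]         # deep_filter / rate_limit: payload pattern

    def handle(self, pkt):
        """S401-S406 fast path; returns the action taken on the message."""
        for sig in self.db.values():
            if self._match(sig.kind, sig.pattern, pkt):
                sig.current_hits += 1            # S404: accumulate current attack count
                return sig.action                # S403: drop or rate-limit
        self.pending.append(pkt)                 # S405/S406: send up to CP, keep a copy
        return "forward"

    def on_cp_failover(self):
        """S407-S410: the CP switched over abnormally; mine the queue with the IPS rules."""
        learned = []
        for pkt in list(self.pending):
            for kind, pattern, action in self.ips_rules:
                if pattern not in self.db and self._match(kind, pattern, pkt):
                    self.db[pattern] = Signature(kind, pattern, action, initial_stat=0,
                                                 aging_deadline=self.now + AGING_INTERVAL)
                    learned.append(pattern)
        return learned

    def age(self, now):
        """S411-S413: delete signatures whose count did not move; refresh the others."""
        self.now = now
        removed, refreshed = [], []
        for pattern, sig in list(self.db.items()):
            if now < sig.aging_deadline:
                continue
            if sig.current_hits == sig.initial_stat:   # S412: no new hits, release it
                del self.db[pattern]
                removed.append(pattern)
            else:                                       # S413: keep count, new interval
                sig.initial_stat = sig.current_hits
                sig.aging_deadline = now + AGING_INTERVAL
                refreshed.append(pattern)
        return removed, refreshed


def run_demo():
    """Replays the patent's A=3 / B=0 aging example on constructed traffic."""
    flow_b = ("10.0.0.9", "10.0.0.1", 4444, 179, "tcp")            # constructed 5-tuple
    rules = [("deep_filter", b"EVIL", "drop"), ("five_tuple", flow_b, "rate_limit")]
    d = Defender(rules)
    evil = {"five_tuple": ("10.0.0.5", "10.0.0.1", 5000, 80, "tcp"), "payload": b"..EVIL.."}
    bad = {"five_tuple": flow_b, "payload": b"xx"}
    good = {"five_tuple": ("10.0.0.7", "10.0.0.1", 5001, 80, "tcp"), "payload": b"hello"}
    before = [d.handle(p) for p in (evil, bad, good)]  # db empty: everything forwarded
    learned = d.on_cp_failover()                       # CP crashed: A and B learned
    after = [d.handle(evil) for _ in range(3)]         # A now caught in the fast path
    removed, refreshed = d.age(AGING_INTERVAL)         # A: 3 != 0 refresh; B: 0 == 0 delete
    return {"before": before, "learned": learned, "after": after,
            "stat_A": d.db[b"EVIL"].initial_stat, "removed": removed, "refreshed": refreshed}


if __name__ == "__main__":
    print(run_demo())
```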
By implementing the embodiments of the invention, the attacks currently most likely to occur can be extracted from the large IPS rule base to form an attack signature database, and attacks of the same type as those that have already occurred can be effectively prevented in real time, which both optimises system performance and achieves a good protective effect.
The above discloses only preferred embodiments of the invention and of course cannot limit the scope of the invention's rights; equivalent changes made according to the claims of the invention therefore still fall within the scope covered by the invention.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008100279902A CN101272254B (en) | 2008-05-09 | 2008-05-09 | Method for generating attack signature database, method and device for preventing network attacks |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101272254A true CN101272254A (en) | 2008-09-24 |
| CN101272254B CN101272254B (en) | 2010-09-29 |
Family
ID=40005967
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008100279902A Expired - Fee Related CN101272254B (en) | 2008-05-09 | 2008-05-09 | Method for generating attack signature database, method and device for preventing network attacks |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101272254B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102231747A (en) * | 2011-07-18 | 2011-11-02 | 杭州华三通信技术有限公司 | Method and equipment for obtaining attack message |
| CN103746909A (en) * | 2013-12-23 | 2014-04-23 | 华为技术有限公司 | Message processing method and apparatus |
| CN105939310A (en) * | 2015-07-31 | 2016-09-14 | 杭州迪普科技有限公司 | File synchronization method and device based on multiple devices |
| CN106470127A (en) * | 2015-08-18 | 2017-03-01 | 中兴通讯股份有限公司 | A kind of detection method of exception flow of network and system |
| CN107085576A (en) * | 2016-02-15 | 2017-08-22 | 阿里巴巴集团控股有限公司 | A kind of stream data statistic algorithm and device |
| CN108028832A (en) * | 2016-05-10 | 2018-05-11 | 华为技术有限公司 | Detect the method and apparatus of network attack |
| CN110768976A (en) * | 2019-10-21 | 2020-02-07 | 新华三信息安全技术有限公司 | Message processing method, device and network equipment |
| CN111291425A (en) * | 2020-05-09 | 2020-06-16 | 南京芯驰半导体科技有限公司 | Chip protection method and device, storage medium and vehicle-mounted chip |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1421771A (en) * | 2001-11-27 | 2003-06-04 | 四川安盟科技有限责任公司 | Guard system to defend network invansion of unkown attack trick effectively |
| CN1282081C (en) * | 2003-08-04 | 2006-10-25 | 联想(北京)有限公司 | Invasion detecting method |
| CN100428688C (en) * | 2005-06-09 | 2008-10-22 | 杭州华三通信技术有限公司 | Protective method for network attack |
| CN100579004C (en) * | 2007-08-08 | 2010-01-06 | 华为技术有限公司 | Method and network equipment for preventing invalid message attack |
- 2008-05-09: CN application CN2008100279902A, granted as CN101272254B (not active; expired, fee related)
Also Published As
| Publication number | Publication date |
|---|---|
| CN101272254B (en) | 2010-09-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101272254B (en) | | Method for generating attack signature database, method and device for preventing network attacks |
| KR102039842B1 (en) | | How to prevent network attacks, devices, and systems |
| CN104539594B (en) | | SDN architecture, system and working method integrating DDoS threat filtering and routing optimization |
| Cambiaso et al. | | Taxonomy of slow DoS attacks to web applications |
| CN109617931B (en) | | A DDoS attack defense method and defense system of an SDN controller |
| CN109313689B (en) | | Method and system for detecting capacity exhaustion attacks on a network |
| CN108737447B (en) | | User datagram protocol flow filtering method, device, server and storage medium |
| CN107968785A (en) | | A kind of method of defending DDoS (Distributed Denial of Service) attacks in SDN data centers |
| Ricciulli et al. | | TCP SYN flooding defense |
| CN108270722B (en) | | Attack behavior detection method and device |
| CN104539595B (en) | | An SDN Architecture and Working Method Integrating Threat Processing and Routing Optimization |
| JP2009534001A (en) | | Malicious attack detection system and related use method |
| CN103916387B (en) | | A kind of method and system of protection DDOS attack |
| CN105049291A (en) | | Method for detecting network traffic anomaly |
| CN103428224A (en) | | Method and device for intelligently defending DDoS attacks |
| CN108028828B (en) | | A distributed denial of service DDoS attack detection method and related equipment |
| CN105897674A (en) | | DDoS attack protection method applied to CDN server group and system |
| CN101102323B (en) | | Method and device for preventing DOS attack |
| CN104660582A (en) | | Software-defined network architecture for DDoS identification, protection and path optimization |
| CN113037716B (en) | | An attack defense method based on content distribution network |
| Khattak et al. | | Dofur: Ddos forensics using mapreduce |
| CN104780178B (en) | | A kind of connection management method for being used to prevent that TCP from attacking |
| CN119094220A (en) | | SYN Flood Attack Detection and Mitigation Method Based on GCBF |
| CN111031077B (en) | | Flow cleaning method, flow cleaning system and equipment |
| CN101771575B (en) | | Method, device and system for processing IP partitioned message |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100929; Termination date: 20150509 |
| | EXPY | Termination of patent right or utility model | |