CN102752275B - Matching route generation method and related device for signature library - Google Patents


Info

Publication number: CN102752275B
Application number: CN201110461977.XA
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102752275A (en)
Inventor: 周
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal events: application filed by Huawei Technologies Co Ltd; priority to CN201110461977.XA; publication of CN102752275A; priority to PCT/CN2012/086346 (WO2013097600A1); application granted; publication of CN102752275B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection


Abstract

An embodiment of the invention discloses a matching route generation method and a related device for a signature library. The method and the related device are used for improving the efficiency of signature matching of an intrusion prevention system (IPS). The method includes layering and classifying the IPS signature library to obtain N signature sub-libraries; obtaining application statistical information which is obtained through statistics after network data are subjected to feature identification; selecting M signature sub-libraries which are adaptive to a user group and correspond to the application statistical information according to the application statistical information in the N signature sub-libraries, wherein M is an integer which is larger than 1 and smaller than N; and generating a first matching route which corresponds to the user group according to the M signature sub-libraries so that according to the IPS signature matching device, by means of the first matching route, the network data of the user group are subjected to IPS signature matching.

Description

Matching route generation method and related device for a signature library
Technical field
The present invention relates to the communications field, and in particular to a matching route generation method and related device for a signature library.
Background
With the development of the Internet, network attacks have been rising rapidly, seriously affecting the data security of enterprise users and at the same time posing a serious threat to the personal information security of individual users. An intrusion prevention system (IPS) can identify the data of various illegal intrusions and clean that data, freeing users from the threat of network attacks and guaranteeing the security of user data; IPS detection has therefore become the primary protective means by which the network side guarantees user data security.
In practice, the network data that poses a threat to users is extremely varied, e.g. viruses, Trojan horses, backdoor programs, rogue software (including spyware, adware, browser hijackers, etc.), phishing programs (network fraud) and spam. The IPS signature library (i.e. the feature database of network threats) is therefore very large, generally on the order of 10K bytes, and the matching targets are distributed across layers 2 to 7, so IPS protection consumes substantial resources and degrades operational performance. For enterprise users with large network traffic, the performance of existing IPS clearly cannot meet their actual demand, so improving IPS performance is extremely urgent.
Summary of the invention
Embodiments of the present invention provide a matching route generation method and related device for a signature library, for improving the efficiency with which an IPS performs signature matching.
The matching route generation method for a signature library provided by the invention comprises: performing hierarchical classification on the intrusion prevention system (IPS) signature library to obtain N signature sub-libraries, N being an integer greater than 1; obtaining application statistics information, which is obtained by statistics after feature identification is performed on network data; according to the application statistics information, selecting from the N signature sub-libraries the M signature sub-libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N; and generating, according to the M signature sub-libraries, a first matching route corresponding to the user group, so that an IPS signature matching device uses the first matching route to perform IPS signature matching on the network data of the user group, the first matching route being the memory address mapping relationship of the M signature sub-libraries.
Optionally, the application statistics information comprises:
a user ID, and the application type and application information corresponding to the user ID;
and selecting, according to the application statistics information, from the N signature sub-libraries the M signature sub-libraries matching the user group corresponding to the application statistics information comprises:
looking up the user group corresponding to the user ID; selecting, from the N signature sub-libraries according to a preset rule, the signature sub-libraries matching the application type and application information corresponding to the user ID; and collecting the M signature sub-libraries corresponding to all user IDs within the user group.
Optionally, the application statistics information further comprises:
the usage ratio corresponding to the application type;
and generating the first matching route corresponding to the user group according to the M signature sub-libraries comprises:
setting a matching priority for the M signature sub-libraries according to the usage ratio corresponding to each application type, and arranging match nodes in order of matching priority to obtain the first matching route corresponding to the user group, the match nodes corresponding one-to-one with the memory addresses of the signature sub-libraries.
Optionally, the method further comprises: updating the application statistics information every preset time period; computing a second matching route using the updated application statistics information; and determining whether the IPS signature matching device is using the first matching route to perform IPS signature matching. If not, the first matching route is replaced with the second matching route. If so, IPS signature matching already in progress continues to use the first matching route while newly established IPS signature matching tasks use the second matching route, and after the IPS signature matching tasks using the first matching route have ended, the first matching route is replaced with the second matching route.
The IPS signature matching method provided by the invention comprises: obtaining network data and querying the user ID of the network data; looking up the user group corresponding to the user ID, and obtaining the corresponding matching route according to the user group and the mapping relationship between user groups and matching routes; and performing IPS signature matching on the network data using the matching route, where the matching route is generated from M signature sub-libraries of the IPS signature library, the M signature sub-libraries are chosen, according to the application statistics information of the network data, from all N signature sub-libraries of the IPS signature library, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching route is the memory address mapping relationship of the M signature sub-libraries.
Optionally, performing IPS signature matching on the network data using the matching route corresponding to the user ID comprises: performing IPS signature matching on the network data using, in turn, the signature sub-libraries corresponding to the match nodes in the matching route; if any signature in a signature sub-library matches the network data successfully, the IPS signature matching ends and the matching result is output; if all signatures in the M signature sub-libraries fail to match, the IPS signature matching ends.
Optionally, after the network data is obtained, the method comprises: performing feature identification on the network data; and using the result of the feature identification to update the application statistics information stored by the IPS signature matching device.
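The matching method above (walk the match nodes of the route in order, stop at the first hit) and the optional route update rule of the generation method (replace the route at once if idle, otherwise let running tasks finish on the old route while new tasks take the new one) can be shown together in one small model. The following Python is an added example, not code from the patent or from Huawei: the signature sub-libraries, signature patterns, five-tuple user ID, user group and payloads are all constructed, and a route is modelled as an ordered tuple of sub-library names standing in for the patent's memory address mapping table.

```python
"""Route-based IPS signature matching plus the optional route update rule.

Added example, not the patent's code: sub-libraries, patterns, user IDs,
groups and payloads are constructed for illustration.
"""
import re
import threading
from collections import Counter
from dataclasses import dataclass

# Signature sub-libraries: name -> [(signature id, byte pattern)]. Constructed.
SUB_LIBRARIES = {
    "base/protocol_stack": [("BASE-001", re.compile(rb"\x00{32,}"))],
    "os/windows":          [("OS-001",   re.compile(rb"\\PIPE\\demo_rpc"))],
    "app/http_server":     [("HTTP-001", re.compile(rb"\.\./\.\./"))],
    "app/ftp_server":      [("FTP-001",  re.compile(rb"^(?:USER|PASS) [^\r\n]{128,}"))],
}
# User ID (five-tuple) -> user group. Constructed.
USER_GROUPS = {"10.0.0.11:51234->203.0.113.5:21/tcp": "branch_office"}


@dataclass(frozen=True)
class Route:
    version: int
    nodes: tuple  # match nodes in priority order, one per sub-library


class RouteTable:
    """User group -> matching route. set_route() applies the patent's update
    rule: swap at once if no task uses the current route, otherwise park the
    new route, hand it to new tasks, and swap when the old route is idle."""

    def __init__(self):
        self._current, self._pending = {}, {}
        self._in_use = Counter()  # (group, version) -> running tasks
        self._lock = threading.Lock()

    def set_route(self, group, route):
        with self._lock:
            cur = self._current.get(group)
            if cur is None or self._in_use[(group, cur.version)] == 0:
                self._current[group] = route
                self._pending.pop(group, None)
            else:
                self._pending[group] = route

    def begin_task(self, group):
        with self._lock:
            route = self._pending.get(group)
            if route is None:
                route = self._current[group]
            self._in_use[(group, route.version)] += 1
            return route

    def end_task(self, group, route):
        with self._lock:
            self._in_use[(group, route.version)] -= 1
            pending, cur = self._pending.get(group), self._current[group]
            if pending is not None and self._in_use[(group, cur.version)] == 0:
                self._current[group] = pending
                del self._pending[group]

    def current_version(self, group):
        with self._lock:
            return self._current[group].version


def match_along_route(route, payload):
    """First matching signature ends the search; None if every node misses."""
    for node in route.nodes:
        for sig_id, pattern in SUB_LIBRARIES[node]:
            if pattern.search(payload):
                return node, sig_id
    return None


def inspect(table, user_id, payload):
    """Matching method: user ID -> user group -> route -> signature matching."""
    group = USER_GROUPS[user_id]
    route = table.begin_task(group)
    try:
        return match_along_route(route, payload)
    finally:
        table.end_task(group, route)


def run_scenario():
    """Constructed walk-through; returns what a test can check."""
    uid = "10.0.0.11:51234->203.0.113.5:21/tcp"
    group, table = USER_GROUPS[uid], RouteTable()
    table.set_route(group, Route(1, ("base/protocol_stack", "os/windows",
                                     "app/http_server", "app/ftp_server")))
    overlong_ftp = b"USER " + b"A" * 300 + b"\r\n"
    hit = inspect(table, uid, overlong_ftp)
    miss = inspect(table, uid, b"GET /index.html HTTP/1.1\r\n\r\n")
    # Update while one task still holds route 1; route 2 drops the FTP node
    # because the new statistics show the group no longer uses FTP.
    in_flight = table.begin_task(group)
    table.set_route(group, Route(2, ("base/protocol_stack", "os/windows",
                                     "app/http_server")))
    version_during = table.current_version(group)  # still 1
    new_task = table.begin_task(group)             # already receives route 2
    table.end_task(group, new_task)
    table.end_task(group, in_flight)               # last task on route 1 ends
    version_after = table.current_version(group)   # now 2
    after_swap = inspect(table, uid, overlong_ftp)  # no FTP node: None
    return {"hit": hit, "miss": miss, "version_during": version_during,
            "new_task_version": new_task.version, "version_after": version_after,
            "after_swap": after_swap}


if __name__ == "__main__":
    print(run_scenario())
```

The last observation in the scenario is the operational caveat of the scheme: once a sub-library is dropped from a group's route, traffic from that group is no longer checked against it, so the statistics feeding route generation and the update period are security-relevant settings, not just performance knobs.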
The route generation device provided by the invention comprises: a classification unit, for performing hierarchical classification on the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1; an information acquisition unit, for obtaining application statistics information, which is obtained by statistics after feature identification is performed on network data; a signature library selection unit, for selecting, according to the application statistics information, from the N signature sub-libraries the M signature sub-libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N; and a route generation unit, for generating, according to the M signature sub-libraries, a first matching route corresponding to the user group, so that an IPS signature matching device uses the first matching route to perform IPS signature matching on the network data of the user group, the first matching route being the memory address mapping relationship of the M signature sub-libraries.
Optionally, the signature library selection unit comprises: a user group lookup module, for looking up the user group corresponding to the user ID in the application statistics information; a signature library selection module, for selecting, from the N signature sub-libraries according to a preset rule, the signature sub-libraries matching the application type and application information corresponding to the user ID; and a signature library statistics module, for collecting the M signature sub-libraries corresponding to all user IDs within the user group.
Optionally, the route generation unit comprises: a priority setting module, for setting a matching priority for the M signature sub-libraries according to the usage ratio corresponding to each application type; and a matching route generation module, for arranging match nodes in order of matching priority to obtain the first matching route corresponding to the user group, the match nodes corresponding one-to-one with the memory addresses of the signature sub-libraries.
The IPS signature matching device provided by the invention comprises: a data acquisition unit, for obtaining network data and querying the user ID of the network data; a route acquisition unit, for looking up the user group corresponding to the user ID and obtaining the corresponding matching route according to the user group and the mapping relationship between user groups and matching routes; and a signature matching unit, for performing IPS signature matching on the network data using the matching route, where the matching route is generated from M signature sub-libraries of the IPS signature library, the M signature sub-libraries are chosen, according to the application statistics information of the network data, from all N signature sub-libraries of the IPS signature library, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching route is the memory address mapping relationship of the M signature sub-libraries.
The intrusion prevention system provided by the invention comprises a route generation device and an IPS signature matching device;
the route generation device is used for performing hierarchical classification on the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1; obtaining application statistics information, which is obtained by statistics after feature identification is performed on network data; selecting, according to the application statistics information, from the N signature sub-libraries the M signature sub-libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N; and generating, according to the M signature sub-libraries, the matching route corresponding to the user group, so that the IPS signature matching device uses the matching route to perform IPS signature matching on the network data of the user group, the matching route being the memory address mapping relationship of the M signature sub-libraries;
the IPS signature matching device is used for obtaining network data, looking up the user group corresponding to the user ID, obtaining the corresponding matching route according to the user group and the mapping relationship between user groups and matching routes, obtaining the matching route corresponding to the user ID according to the user ID, and performing IPS signature matching on the network data using the matching route.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, hierarchical classification is performed on the IPS signature library to obtain N signature sub-libraries, and M of these N signature sub-libraries are then selected according to the application statistics information to generate a matching route, which the IPS signature matching device uses to perform IPS signature matching on network data. Because the application statistics information is obtained by statistics after feature identification of the network data, the generated matching route matches the application characteristics of the corresponding user group; when IPS signature matching is performed on that user group's network data, only the M (M less than N) signature sub-libraries on the corresponding matching route need to be matched to identify threat features effectively, which avoids matching the whole IPS signature library and improves the efficiency of IPS signature matching.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the matching route generation method for a signature library in an embodiment of the present invention;
Fig. 2 is another schematic flowchart of the matching route generation method for a signature library in an embodiment of the present invention;
Fig. 3 is a schematic flowchart of the IPS signature matching method in an embodiment of the present invention;
Fig. 4 is another schematic flowchart of the IPS signature matching method in an embodiment of the present invention;
Fig. 5 is another schematic flowchart of the IPS signature matching method in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the logical structure of the route generation device in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the logical structure of the IPS signature matching device in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the logical structure of the intrusion prevention system in an embodiment of the present invention;
Fig. 9 is a schematic diagram of an application of the intrusion prevention system in an embodiment of the present invention;
Fig. 10 is a schematic diagram of another application of the intrusion prevention system in an embodiment of the present invention;
Fig. 11 is a schematic diagram of another application of the intrusion prevention system in an embodiment of the present invention.
Embodiments
Embodiments of the present invention provide a matching route generation method and related device for a signature library, for improving the efficiency with which an IPS performs signature matching.
Referring to Fig. 1, in an embodiment of the matching route generation method for a signature library in an embodiment of the present invention, it should be understood that the executing entity of the method may be a route generation device. The route generation device may be an independent physical unit that communicates with the equipment implementing the signature matching function over a data-line connection or a network connection; it may also be a software unit deployed as a functional enhancement on an existing network element of the intrusion prevention system, for example on the gateway device that implements the signature matching function. It should be understood that the route generation device may be supported independently and externally, or be built on an existing network element of the network. The method may comprise:
101. Performing hierarchical classification on the intrusion prevention system signature library;
The route generation device performs hierarchical classification on the IPS signature library to obtain N signature sub-libraries, N being an integer greater than 1. A signature in the IPS signature library is a threat feature of network data, which may concretely take the form of certain fixed strings or behavioural characteristics of the network data; the threat features of network data may be the features of viruses, Trojan horses, backdoor programs, rogue software (including spyware, adware, browser hijackers, etc.), phishing programs (network fraud) or spam.
Concretely, the route generation device may perform hierarchical classification on the IPS signature library according to the application and attributes of each signature in the library. For example, the IPS signature library may be divided into three layers of signature sub-libraries: a base layer signature library, an operating system layer signature library and an application layer signature library. The base layer signature library mainly contains common signatures such as protocol stack signatures; the operating system layer signature library mainly contains signature libraries related to operating systems (e.g. the Windows Shockwave/Blaster vulnerability signature); and the application layer signature library mainly contains signature libraries related to application vulnerabilities (e.g. the overflow vulnerability signature library for Serv-U).
102. Obtaining application statistics information;
The route generation device obtains application statistics information, which is obtained by statistics after feature identification is performed on network data. Concretely, the route generation device may obtain this application statistics information from the statistics database of the IPS.
In practice, while performing signature matching on network data, the IPS signature matching device may also perform feature identification on that network data, record and tally the results of the feature identification, and update the application statistics information in real time according to the tallied results. Optionally, the application statistics information includes a user ID and the application type and application information corresponding to the user ID. The user ID may be a user name or five-tuple information (source Internet Protocol (IP) address, destination IP address, source port, destination port and transport layer protocol number); the application information may be the operating system information and service provider information corresponding to the application type.
103. Selecting the signature sub-libraries suited to the user group corresponding to the application statistics information;
The route generation device selects, according to the application statistics information, from the N signature sub-libraries the M signature sub-libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N.
In practice, matching routes are set for different types of users: users with the same features are classified into the same user group. Depending on the feature chosen, the number of users contained in a user group is not fixed; if user groups are divided according to the activity area of mobile phone users, then each area (which may be a province, city or county) corresponds to a user group. Optionally, a user group may also contain only one user.
When selecting signature libraries for a matching route, the application statistics information of all users in the user group corresponding to that matching route must be considered; for example, the application types commonly used by these users are obtained from the application statistics information, and for each such application type the corresponding signature sub-library is selected from the application layer signature library.
When configuring the match nodes of a matching route, the base layer signature library is essential (i.e. applicable to all users); the operating system layer signature library differs according to the operating system used by the user (i.e. users of the same operating system match the same set of signature libraries); and the application layer signature library is matched according to the user's usage habits (e.g. if the users in a certain user group never use Serv-U, the Serv-U application signature sub-library will not appear in the matching route for that user group).
104. Generating the first matching route corresponding to the user group according to the M signature sub-libraries.
The route generation device generates, according to the M signature sub-libraries, the first matching route corresponding to the user group, so that the IPS signature matching device uses the first matching route to perform IPS signature matching on the network data of the user group. The first matching route is the memory address mapping relationship of the M signature sub-libraries; concretely, this memory address mapping relationship may be implemented in the form of a memory address mapping table.
In practice, each match node in the matching route corresponds to the memory address of one of the M signature sub-libraries, i.e. the matching route sets the M signature sub-libraries that the network data of the corresponding user group must be matched against; when IPS signature matching is performed, the IPS signature matching device uses the signature sub-libraries in the first matching route to perform IPS signature matching on the network data.
In the embodiments of the present invention, hierarchical classification is performed on the IPS signature library to obtain N signature sub-libraries, and M of these N signature sub-libraries are then selected according to the application statistics information to generate a matching route, which the IPS signature matching device uses to perform IPS signature matching on network data. Because the application statistics information is obtained by statistics after feature identification of the network data, the generated matching route matches the application characteristics of the corresponding user group; when IPS signature matching is performed on that user group's network data, only the M (M less than N) signature sub-libraries on the corresponding matching route need to be matched to identify threat features effectively, which avoids matching the whole IPS signature library and improves the efficiency of IPS signature matching.
To how generating coupling path be described in detail below, refer to Fig. 2, another embodiment of the coupling path generating method in storehouse of signing in the embodiment of the present invention comprises:
201, layering classification is carried out to intrusion prevention system signature storehouse;
Coordinates measurement device to IPS sign storehouse carry out layering classification, obtain N number of son signature storehouse, described N be greater than 1 integer.Wherein, the signature in IPS signature storehouse is the threat characteristics of network data, specifically can show as some fixing word string or behavioural characteristics of network data; And the threat characteristics of network data can be virus, Trojan Horse, backdoor programs, rogue software (comprising spyware, ad ware, Browser Hijack etc.), the feature of phishing program (network defraud) or spam.
Concrete, coordinates measurement device can carry out layering classification according to the sign application of each signature in storehouse and attribute of IPS to IPS storehouse of signing; As, IPS signature storehouse can be divided into the son signature storehouse of three layers, is respectively basal layer signature storehouse, operating system layer signature storehouse and application layer signature storehouse; Wherein, basal layer signature consists predominantly of the common signature such as protocol stack in storehouse, consist predominantly of the signature storehouse (such as windows shock wave leak signature) relevant to operating system in operating system layer signature storehouse, application layer signature storehouse consists predominantly of the relevant signature storehouse of application leak (the Overflow Vulnerability signature storehouse of such as Server-U).
202, applied statistics information is obtained;
Coordinates measurement device obtains applied statistics information from the staqtistical data base of IPS, and described applied statistics information is added up after carrying out feature identification to network data and obtained.Described applied statistics information comprises useful family mark, the application type that described user ID is corresponding and application message, and the usage ratio that described application type is corresponding; Wherein, described applied statistics packets of information containing described user ID, application type, application message and the usage ratio organized more.
In actual applications, IPS signatures match device is while carrying out signatures match to network data, also can carry out feature identification to this network data, and the result of this feature identification is recorded and added up, applied statistics information according to the result real-time update of statistics.Concrete, IPS signatures match device first carries out protocol identification to described network data, obtains the information such as user ID corresponding to described network data, application protocol and application type; Further, IPS signatures match device first can also carry out deep analysis to the network data after protocol identification, obtains the information such as operation system information service provider corresponding to described network data; Finally, the result of protocol identification and deep analysis is committed to statistical module and adds up, obtain user ID, the application type that described user ID is corresponding and application message, and the usage ratio that described application type is corresponding; Optionally, described usage ratio can obtain according to message number statistics, also can obtain according to traffic statistics, and concrete needs determines according to defendd Cyberthreat, is not construed as limiting herein.
Wherein, according to the actual requirements, the parameter type that last applied statistics information exports, except above-mentioned user ID, application type, application message and usage ratio, can also comprise the information such as application protocol, flow or message number, specifically be not construed as limiting herein.
203. Select, from the N sub-signature libraries, the sub-signature libraries suited to the user group corresponding to the application statistics information;
The path generation device selects, according to the application statistics information and from the N sub-signature libraries, M sub-signature libraries suited to the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N.
Specifically, because a matching path is set for a particular user group (user groups are divided in advance according to actual requirements), the information of all users in the group must be considered when choosing the sub-signature libraries that the group needs to match against. After obtaining the application statistics information, the path generation device first looks up the user group to which each user ID in the application statistics information belongs; the user ID may be the source IP address, destination IP address, source port, destination port, transport-layer protocol number and so on. It then selects, according to a preset rule and from the N sub-signature libraries, the sub-signature libraries matching the application type and application information (which may be operating system information) corresponding to each user ID. The preset rule may be: when the usage frequency of an application type reaches a preset value, choose the sub-signature library matching that application type (the sub-signature libraries were classified by application type in step 201). Finally, the device aggregates the sub-signature libraries corresponding to all user IDs in the user group, that is, it takes the union (with duplicates removed) of the sub-signature libraries chosen for each user ID according to its related data (application type and application information), yielding the M sub-signature libraries corresponding to the user group.
When choosing sub-signature libraries, the base-layer signature library is always included (it applies to all users); the operating-system-layer signature library differs according to the operating system the user runs (users of the same operating system match against the same set of signature libraries); and the application-layer signature library is chosen according to the user's application information, as described in the preceding paragraph.
204. Generate the first matching path corresponding to the user group from the M sub-signature libraries.
The path generation device generates the first matching path corresponding to the user group from the M sub-signature libraries, so that the IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of that user group.
Specifically, after the M sub-signature libraries are obtained, each of them corresponds to a different application type and/or application information (operating system information), so the usage frequency of each sub-signature library can be derived from the usage ratio of the corresponding application type, and a matching priority can be set for the M sub-signature libraries accordingly. (Because the base-layer signature library applies to every user, sub-signature libraries belonging to the base layer do not need a usage frequency derived from the usage ratio, and their matching priority may simply be the highest.) The path generation device then deploys matching nodes in order of matching priority to obtain the first matching path corresponding to the user group; each matching node corresponds one-to-one to the storage address of a sub-signature library.
When performing IPS signature matching, the IPS signature matching device matches against the sub-signature libraries one by one in the order of the matching nodes in the matching path, so that the sub-signature libraries with the highest usage frequency are matched first, which improves the efficiency of obtaining a match hit.
205. Update the application statistics information every preset time period;
In practice, because network conditions vary, the type and frequency of the network data received by the IPS signature matching device may differ from one moment to the next. The IPS signature matching device in this embodiment of the present invention can update the application statistics information in real time according to the network data it receives, and the path generation device of the present invention can also, every preset time period, obtain the application statistics information accumulated by the IPS signature matching device in order to refresh the application statistics information used for generating matching paths.
206. Calculate a second matching path using the updated application statistics information;
The generation of the second matching path is similar to steps 203 and 204 above and is not repeated here.
207. Update the matching path.
After the path generation device confirms that the newly generated second matching path differs from the earlier first matching path, it triggers the matching path update flow, specifically:
The path generation device determines whether the IPS signature matching device is currently using the first matching path for IPS signature matching. If not, the second matching path replaces the first matching path. If so, IPS signature matching tasks already in progress continue to use the first matching path, newly established IPS signature matching tasks use the second matching path, and once the tasks using the first matching path have finished, the second matching path replaces the first.
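One way to implement the matching path update rule of step 207, as an added Python example that is not code from the patent: a regenerated path replaces the first path immediately when no matching task is using it, otherwise it is held as pending while new tasks start on it and the in-progress tasks drain. The path representation (a tuple of constructed sub-signature library identifiers), the per-path task counter and all names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

MatchingPath = Tuple[str, ...]  # ordered sub-signature library ids, one per matching node


class MatchingPathManager:
    """Holds the matching path of one user group and applies the step 207 rule.

    Added example (not the patent's own code): paths are tuples of constructed
    library ids, and running matching tasks are counted per path.
    """

    def __init__(self, first_path: MatchingPath) -> None:
        self.current: MatchingPath = first_path      # the "first matching path"
        self.pending: Optional[MatchingPath] = None  # a "second matching path" waiting to take over
        self.in_flight: Dict[MatchingPath, int] = {first_path: 0}  # running tasks per path

    def update(self, second_path: MatchingPath) -> str:
        """Trigger the update flow only if the regenerated path differs (step 207)."""
        newest = self.pending if self.pending is not None else self.current
        if second_path == newest:
            return "unchanged"
        if self.in_flight[self.current] == 0:
            # no task is matching with the first path: replace it immediately
            self._promote(second_path)
            return "replaced"
        # tasks in progress keep the first path; new tasks will use the second one
        self.pending = second_path
        self.in_flight.setdefault(second_path, 0)
        return "deferred"

    def start_task(self) -> MatchingPath:
        """A newly established matching task always gets the newest path."""
        path = self.pending if self.pending is not None else self.current
        self.in_flight[path] = self.in_flight.get(path, 0) + 1
        return path

    def finish_task(self, path: MatchingPath) -> None:
        """A task reports completion with the path it used; when the last task on
        a superseded first path ends, the pending second path takes over."""
        self.in_flight[path] -= 1
        if path == self.current and self.pending is not None and self.in_flight[path] == 0:
            self._promote(self.pending)

    def _promote(self, path: MatchingPath) -> None:
        self.in_flight.pop(self.current, None)
        self.current, self.pending = path, None
        self.in_flight.setdefault(path, 0)


def run_update_scenario() -> List[tuple]:
    """Walk steps 205-207 for one group on constructed paths; returns the transitions."""
    first = ("base-proto", "app-http", "os-windows")   # constructed first matching path
    second = ("base-proto", "app-smtp", "os-windows")  # regenerated after a stats refresh (step 206)
    mgr = MatchingPathManager(first)
    events = []
    old_task = mgr.start_task()                          # a task starts on the first path
    events.append(("old task uses", old_task))
    events.append(("update", mgr.update(second)))        # deferred: the old task is still running
    events.append(("new task uses", mgr.start_task()))   # a new task already gets the second path
    events.append(("current", mgr.current))              # the first path is still current
    mgr.finish_task(old_task)                            # the last task on the first path ends
    events.append(("current after drain", mgr.current))  # the second path has taken over
    events.append(("update again", mgr.update(second)))  # identical path: nothing to do
    return events
```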
The signature matching method of the intrusion prevention system of the present invention, which performs IPS signature matching using the matching path described above, is described below. Referring to Fig. 3, in an embodiment of the signature matching method of the intrusion prevention system in this embodiment of the present invention, it should be understood that the executing entity of the method may be the IPS signature matching device. The IPS signature matching device may be an independent physical device, whose product form may be a router, a gateway device, a network firewall device and so on; it may also be a software device deployed, as an enhanced function, on an existing network element device in the intrusion prevention system. It should be understood that the IPS signature matching device may be supported as an independent external device or may be built on an existing network element device of the network. The method may include:
301. Obtain network data;
The IPS signature matching device obtains the network data that requires signature matching. Optionally, the IPS signature matching device may process all network data, or only a part of it. For example, the network data need not pass directly through the IPS device; instead, a smart switch may selectively divert a branch of the traffic for IPS signature matching. Based on observation of certain abnormal network behaviours, the smart switch can steer network data exhibiting abnormal network behaviour characteristics to the IPS device, so that IPS signature matching is performed on that network data.
302. Query the user ID of the network data;
In this embodiment of the present invention, because matching paths are set for different types of user, the user ID of the network data must be queried before IPS signature matching so that the matching path corresponding to that user ID can be found.
Specifically, after the user ID corresponding to the network data is obtained, the user group to which the user ID belongs can be looked up by user ID, and the matching path corresponding to that user group can then be found from the mapping between user groups and matching paths.
303. Perform IPS signature matching on the network data using the matching path corresponding to the user ID.
After finding the matching path corresponding to the user ID, the IPS signature matching device uses that matching path to perform IPS signature matching on the network data.
The matching path is generated from M sub-signature libraries of the IPS signature library; the M sub-signature libraries are chosen, according to the application statistics information of network data, from all N sub-signature libraries of the IPS signature library, where N is an integer greater than 1 and M is an integer greater than 1 and less than N.
Specifically, each matching node in the matching path corresponds to one of the M sub-signature libraries. The IPS signature matching device matches against the sub-signature library of each matching node in turn, following the order of the matching nodes. When a signature in any sub-signature library matches, the network data has a threat characteristic, and the IPS performs the corresponding defensive processing on it. If no signature matches after all M sub-signature libraries have been tried, the network data is not a network threat and the IPS device can allow it through.
In practice, a threat characteristic may take the form of certain fixed strings or behavioural characteristics of the network data, and the threat characteristic of network data may be a characteristic of a virus, a Trojan horse, a backdoor program, rogue software (including spyware, adware, browser hijackers and so on), a phishing (online fraud) program or spam.
In this embodiment of the present invention, because the matching path is generated from M sub-signature libraries of the IPS signature library, and the M sub-signature libraries are chosen from all N sub-signature libraries of the IPS signature library according to the application statistics information of network data (N being an integer greater than 1, and M an integer greater than 1 and less than N), IPS signature matching on the network data of a user group only needs to match against the M (M < N) signature libraries of the corresponding matching path. This effectively completes the identification of threat characteristics, avoids matching against the entire IPS signature library, and improves the efficiency of IPS signature matching.
How IPS signature matching is performed is described in detail below. Referring to Fig. 4, another embodiment of the signature matching method of the intrusion prevention system in this embodiment of the present invention includes:
401. Obtain network data;
Step 401 in this embodiment is identical to step 301 in the embodiment shown in Fig. 3 and is not repeated here.
402. Query the user ID of the network data;
In this embodiment of the present invention, because matching paths are set for different types of user, the user ID of the network data must be queried before IPS signature matching so that the matching path corresponding to that user ID can be found.
Specifically, after the user ID corresponding to the network data is obtained, the user group to which the user ID belongs can be looked up by user ID, and the matching path corresponding to that user group can then be found from the mapping between user groups and matching paths.
403. Obtain signatures from a sub-signature library;
After finding the matching path corresponding to the user ID, the IPS signature matching device takes the sub-signature library corresponding to the first matching node of the matching path, obtains the signatures in that sub-signature library one by one, and triggers step 404 to perform matching.
After all signatures in the sub-signature library of the first matching node have been obtained, the IPS signature matching device takes the sub-signature library corresponding to the second matching node of the matching path and continues to obtain new signatures and trigger step 404, until the signatures in all sub-signature libraries have been matched. If any signature in a sub-signature library matches the network data, the IPS signature matching ends and the matching result is output; if every signature in the M sub-signature libraries fails to match, the IPS signature matching also ends. Alternatively, when step 404 no longer triggers step 403 (that is, a signature has matched), the signature-obtaining flow ends.
404. Match the network data using the signature.
The IPS signature matching device matches the network data using the signature. If the match succeeds, the IPS signature matching ends and the matching result is output; if the match fails, step 403 is triggered to continue obtaining the remaining signatures that have not yet been matched.
In practice, because the deployment of matching nodes in the matching path can take the usage frequency of each sub-signature library into account, placing the sub-signature libraries with high usage frequency at the front of the matching path, the sub-signature libraries with the highest probability of a signature hit (a successful signature match) are matched first. Once a signature hits, the matching flow ends and the remaining sub-signature libraries need not be matched, which further improves the efficiency of IPS signature matching.
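The matching flow of steps 301 to 303 and 401 to 404, as an added Python example that is not code from the patent: the user ID is resolved to a user group and its matching path, then the matching nodes are walked in order and the flow stops at the first signature hit. The signatures are constructed placeholder byte strings (the text says threat characteristics may be fixed strings), and the user groups, paths and counter of signatures tried are assumptions added to show how path ordering changes the work done.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sub-signature libraries: id -> fixed byte strings standing in for
# signatures. These are placeholders for illustration, not real signatures.
SUB_LIBRARY_SIGNATURES: Dict[str, List[bytes]] = {
    "base-proto": [b"EXAMPLE-BASE-SIG-1", b"EXAMPLE-BASE-SIG-2"],
    "app-http": [b"EXAMPLE-HTTP-SIG-1", b"EXAMPLE-HTTP-SIG-2", b"EXAMPLE-HTTP-SIG-3"],
    "os-windows": [b"EXAMPLE-WIN-SIG-1"],
    "app-smtp": [b"EXAMPLE-SMTP-SIG-1"],
}

# Constructed mappings for steps 302/402: user ID -> user group -> matching path.
# Each path lists the same libraries but in the order the group's statistics produced.
USER_GROUP_OF: Dict[str, str] = {"10.0.0.11": "branch-a", "10.0.0.21": "branch-b"}
MATCHING_PATHS: Dict[str, Tuple[str, ...]] = {
    "branch-a": ("base-proto", "app-http", "os-windows", "app-smtp"),  # HTTP-heavy group
    "branch-b": ("base-proto", "app-smtp", "os-windows", "app-http"),  # SMTP-heavy group
}


@dataclass
class MatchResult:
    user_id: str
    path: Tuple[str, ...]
    matched_library: Optional[str]     # None when no signature matched
    matched_signature: Optional[bytes]
    signatures_tried: int              # how many signatures were checked before stopping

    @property
    def is_threat(self) -> bool:
        return self.matched_library is not None


def lookup_matching_path(user_id: str) -> Tuple[str, ...]:
    """Steps 302/402: user ID -> user group -> matching path of that group."""
    group = USER_GROUP_OF.get(user_id)
    if group is None or group not in MATCHING_PATHS:
        raise LookupError(f"no matching path configured for user ID {user_id!r}")
    return MATCHING_PATHS[group]


def ips_signature_match(user_id: str, payload: bytes) -> MatchResult:
    """Steps 303 / 403-404: walk the matching nodes in order, fetch each node's
    signatures one by one and stop at the first hit or after the last library."""
    path = lookup_matching_path(user_id)
    tried = 0
    for node in path:                                # step 403: next matching node
        for signature in SUB_LIBRARY_SIGNATURES[node]:
            tried += 1
            if signature in payload:                 # step 404: match succeeded
                return MatchResult(user_id, path, node, signature, tried)
    return MatchResult(user_id, path, None, None, tried)  # all M libraries failed
```

Running the same payload through the two groups shows why the statistics-driven ordering matters: a hit in the library placed first costs far fewer signature checks than the same hit in a library placed last.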
In this embodiment of the present invention, while signature matching is performed on network data, statistics on the related information of the network data can also be collected. Referring to Fig. 5, another embodiment of the signature matching method of the intrusion prevention system in this embodiment of the present invention includes:
501. Obtain network data;
After network data arrives, the IPS device (which may be a mirroring switch) copies it into two copies: one copy goes through the signature matching flow described in the embodiments of Fig. 3 or Fig. 4 above (not repeated here), and the other is used for statistical processing.
502. Perform protocol identification on the network data;
The IPS signature matching device performs protocol identification on the network data to obtain information such as the user ID, protocol type and application type. The user ID may be a user name or five-tuple information (source IP address, destination IP address, source port, destination port and transport-layer protocol number); the protocol type may be the protocol used by the application corresponding to the network data; and the application type may be the application corresponding to the network data. Specifically, protocol identification may use identification methods such as feature string matching or checking algorithms, and the result of protocol identification may be recorded in a list, as shown in Table 1:
Table 1
503. The IPS signature matching device determines whether deep analysis of the network data is needed;
The IPS signature matching device determines, according to the result of protocol identification, whether deep analysis of the network data is needed. If so, step 504 is triggered and deep analysis is performed on the network data; if not, step 505 is triggered directly and the result of feature identification is confirmed.
Specifically, in practice the threat characteristics of some applications may not need to be judged from application information such as operating system information, ISP or traffic. The IPS signature matching device can therefore preset a list of application protocols or application types that require deep analysis, and decide whether the network data needs deep analysis based on its protocol identification result and this preset list.
504. Perform deep analysis on the network data;
After determining that deep analysis of the network data is needed, the IPS signature matching device performs deep analysis on the network data according to the result of protocol identification (deep analysis requires knowing the protocol type or application type of the network data) and obtains the deep analysis result. Specifically, the deep analysis result may include the following dimensions: operating system information, service type, service provider and so on.
Specifically, the result of further deep analysis is as shown in Table 2:
Table 2
505. Confirm the result of feature identification;
Specifically, steps 502 to 504 above constitute the feature identification process for the network data. When the IPS signature matching device confirms that deep analysis is not needed, the result of protocol identification is taken as the result of feature identification; when it confirms that deep analysis is needed, the results of protocol identification and deep analysis together are taken as the result of feature identification.
506. Generate or update the application statistics information.
After confirming the feature identification result of the network data, the IPS signature matching device can perform statistical analysis on feature identification results according to the application requirements, for example by clustering the entries of Table 2 above according to a preset rule. Specifically, the preset rule may be: if the operating system, application protocol (or application type) and service provider are identical, sum the packet counts and the traffic volumes respectively, giving the data in Table 3:
Table 3
In practice, the clustering rule may change with the application requirements. For example, if the target of IPS defence is spam, the clustering rule is concerned with the traffic volume of the network data sent from a source IP address, so network data with the same source IP address can be clustered; if the target of IPS defence is viruses, network data with the same operating system, application protocol (or application type) and service provider can be clustered. The specific clustering rule is determined by the actual application requirements and is not limited here.
Optionally, if the priority order of the signature libraries to be matched also needs to be considered when setting up the matching path, then in this embodiment of the present invention the usage ratio of an application type can be calculated from its packet count or its traffic volume. Specifically, if the target of IPS defence is spam, the usage ratio of the application type can be calculated from the traffic volume; if the target of IPS defence is viruses, the usage ratio can be calculated from the packet count, as shown in Table 4 (by packet count):
Table 4
The IPS signature matching device uses the result of the statistical analysis above to generate the application statistics information of the network data or to update the application statistics information stored in the IPS signature matching device; specifically, the parameter information of Table 3 or Table 4 above can be used to generate the application statistics information of the network data or to update the application statistics information stored in the IPS signature matching device.
The examples above illustrate the application scenarios of this embodiment of the present invention using only a few data tables; it is understood that there may be more application scenarios in practice, which are not limited here.
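The statistics flow of steps 502 to 506, as an added Python example that is not code from the patent: feature identification adds the deep-analysis dimensions only for application types on a preset list, the results are clustered by a configurable key (operating system, application and provider for the Table 3 case, source IP for the spam case), and the usage ratio per application type is computed by packet count or by traffic volume as Table 4 describes. The records, the preset list and all field names are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed records as protocol identification (step 502) might produce them,
# with the fields deep analysis (step 504) would add and the counters used for
# statistics. Values are made up for illustration.
RECORDS: List[dict] = [
    {"src_ip": "10.0.0.11", "protocol": "tcp", "app": "http", "os": "windows",
     "provider": "isp-a", "packets": 300, "bytes": 150_000},
    {"src_ip": "10.0.0.11", "protocol": "tcp", "app": "http", "os": "windows",
     "provider": "isp-a", "packets": 100, "bytes": 50_000},
    {"src_ip": "10.0.0.12", "protocol": "tcp", "app": "smtp", "os": "linux",
     "provider": "isp-b", "packets": 400, "bytes": 800_000},
    {"src_ip": "10.0.0.12", "protocol": "udp", "app": "dns", "os": "linux",
     "provider": "isp-b", "packets": 200, "bytes": 20_000},
]

# Step 503: constructed preset list of application types whose threat
# characteristics need the extra dimensions from deep analysis.
DEEP_ANALYSIS_APPS = {"http", "smtp"}


def feature_identification(record: dict) -> dict:
    """Steps 502-505: the protocol identification result, extended by the
    deep analysis result only for application types on the preset list."""
    result = {"src_ip": record["src_ip"], "protocol": record["protocol"], "app": record["app"],
              "packets": record["packets"], "bytes": record["bytes"]}
    if record["app"] in DEEP_ANALYSIS_APPS:        # step 504 needed
        result["os"] = record["os"]
        result["provider"] = record["provider"]
    else:                                           # step 505 straight from protocol identification
        result["os"] = None
        result["provider"] = None
    return result


def cluster(results: Iterable[dict], key_fields: Tuple[str, ...]) -> Dict[tuple, Dict[str, int]]:
    """Step 506 clustering rule: rows whose key fields are identical have their
    packet counts and traffic volumes summed. Keyed by (os, app, provider) this
    yields Table 3; keyed by (src_ip,) it is the spam-defence variant."""
    totals: Dict[tuple, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for row in results:
        key = tuple(row[f] for f in key_fields)
        totals[key]["packets"] += row["packets"]
        totals[key]["bytes"] += row["bytes"]
    return dict(totals)


def usage_ratio_by_app(results: Iterable[dict], measure: str) -> Dict[str, float]:
    """Table 4: share of each application type, by 'packets' (virus defence)
    or by 'bytes' (spam defence)."""
    if measure not in ("packets", "bytes"):
        raise ValueError("measure must be 'packets' or 'bytes'")
    per_app = cluster(results, ("app",))
    total = sum(v[measure] for v in per_app.values())
    if total == 0:
        return {}
    return {app: v[measure] / total for (app,), v in per_app.items()}


def build_application_statistics(records: Iterable[dict], defence_target: str) -> Dict[str, float]:
    """Steps 502-506 end to end: the defence target picks the measure, as the text
    describes (traffic volume for spam, packet count for viruses)."""
    measure = "bytes" if defence_target == "spam" else "packets"
    return usage_ratio_by_app([feature_identification(r) for r in records], measure)
```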
An embodiment of the path generation device of the present invention, which performs the matching path generation method for a signature library described above, is described below. Its logical structure is shown in Fig. 6; in this embodiment of the present invention, an embodiment of the path generation device includes:
a classification unit 601, configured to perform hierarchical classification of the IPS signature library to obtain N sub-signature libraries, N being an integer greater than 1;
an information acquisition unit 602, configured to obtain application statistics information, the application statistics information being obtained by statistics after feature identification of network data;
a signature library selection unit 603, configured to select, according to the application statistics information and from the N sub-signature libraries, M sub-signature libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N;
a path generation unit 604, configured to generate the first matching path corresponding to the user group from the M sub-signature libraries, so that the IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group.
Optionally, the signature library selection unit 603 in this embodiment of the present invention may include:
a user group lookup module 6031, configured to look up the user group corresponding to the user ID in the application statistics information;
a signature library selection module 6032, configured to select, according to a preset rule and from the N sub-signature libraries, the sub-signature libraries matching the application type and application information corresponding to the user ID;
a signature library statistics module 6033, configured to aggregate the M sub-signature libraries corresponding to all user IDs in the user group.
Optionally, the path generation unit 604 in this embodiment of the present invention may include:
a priority setting module 6041, configured to set a matching priority for the M sub-signature libraries according to the usage ratio corresponding to each application type;
a matching path generation module 6042, configured to deploy matching nodes in order of the matching priority to obtain the first matching path corresponding to the user group, each matching node corresponding one-to-one to the storage address of a sub-signature library.
The specific interaction of the units in the path generation device of this embodiment of the present invention is as follows:
The classification unit 601 performs hierarchical classification of the IPS signature library to obtain N sub-signature libraries, N being an integer greater than 1. The signatures in the IPS signature library are threat characteristics of network data, which may take the form of certain fixed strings or behavioural characteristics of the network data; the threat characteristic of network data may be a characteristic of a virus, a Trojan horse, a backdoor program, rogue software (including spyware, adware, browser hijackers and so on), a phishing (online fraud) program or spam.
Specifically, the hierarchical classification of the IPS signature library can be carried out according to the application and attributes of each signature in the IPS signature library. For example, the IPS signature library can be divided into three layers of sub-signature libraries: a base-layer signature library, an operating-system-layer signature library and an application-layer signature library. The base-layer signature library mainly contains common signatures such as those for protocol stacks; the operating-system-layer signature library mainly contains signature libraries related to operating systems (such as signatures for the Windows Blaster (shock wave) vulnerability); and the application-layer signature library mainly contains signature libraries related to application vulnerabilities (such as the overflow vulnerability signature library for Server-U).
The information acquisition unit 602 obtains the application statistics information provided by the IPS signature matching device; the application statistics information is obtained by statistics after feature identification of network data. In practice, while performing signature matching on network data, the IPS signature matching device can also perform feature identification on that network data, record and accumulate the feature identification results, and update the application statistics information in real time according to the accumulated results. Optionally, the application statistics information includes a user ID together with the application type and application information corresponding to that user ID. The user ID may be a user name or five-tuple information (source Internet Protocol (IP) address, destination IP address, source port, destination port and transport-layer protocol number); the application information may be the operating system information and service provider information corresponding to the application type.
In practice, while performing signature matching on network data, the IPS signature matching device can also perform feature identification on that network data, record and accumulate the results, and update the application statistics information in real time accordingly. Specifically, the IPS signature matching device first performs protocol identification on the network data to obtain information such as the user ID, application protocol and application type corresponding to the network data; further, it may perform deep analysis on the network data after protocol identification to obtain information such as the operating system information and service provider corresponding to the network data; finally, the results of protocol identification and deep analysis are submitted to a statistics module for aggregation, yielding the user ID, the application type and application information corresponding to that user ID, and the usage ratio corresponding to the application type. Optionally, the usage ratio may be obtained from packet count statistics or from traffic statistics, as determined by the network threat being defended against; this is not limited here.
Depending on actual requirements, the parameter types finally output in the application statistics information may, in addition to the user ID, application type, application information and usage ratio above, also include information such as the application protocol, traffic volume or packet count; this is not limited here.
After obtaining the application statistics information, the signature library selection unit 603 selects, according to the application statistics information and from the N sub-signature libraries, M sub-signature libraries suited to the user group corresponding to the application statistics information, M being an integer greater than 1 and less than N. In practice, matching paths are set for different types of user: users with the same characteristics are classified into the same user group, and the number of users in a user group is not fixed but depends on the chosen characteristics. If user groups are divided according to the area of activity of mobile users, for example, each area (which may be a province, a city or a county) corresponds to a user group; optionally, a user group may also contain only one user. Therefore, the user group lookup module 6031 of the signature library selection unit 603 first looks up the user group corresponding to the user ID in the application statistics information; the signature library selection module 6032 then selects, according to a preset rule and from the N sub-signature libraries, the sub-signature libraries matching the application type and application information corresponding to the user ID. When selecting signature libraries for a matching path, the application statistics information of all users in the user group corresponding to that matching path must be considered; for example, the application types commonly used by the user are obtained from the application statistics information, and the corresponding sub-signature library in the application-layer signature library is selected for each such application type. Finally, the signature library statistics module 6033 aggregates the M sub-signature libraries corresponding to all user IDs in the user group. When configuring the matching nodes of the matching path, the base-layer signature library is always included (it applies to all users), the operating-system-layer signature library differs according to the operating system the user runs (users of the same operating system match against the same set of signature libraries), and the application-layer signature library is matched according to the user's usage habits.
After obtaining the M sub-signature libraries, the path generation unit 604 generates the first matching path corresponding to the user group from the M sub-signature libraries, so that the IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group.
Specifically, the priority setting module 6041 of the path generation unit 604 sets a matching priority for the M sub-signature libraries according to the usage ratio corresponding to each application type. Because each of the M sub-signature libraries corresponds to a different application type and/or application information (operating system information), the usage frequency of each sub-signature library can be derived from the usage ratio of the corresponding application type, and a matching priority can be set for the M sub-signature libraries accordingly (because the base-layer signature library applies to every user, sub-signature libraries belonging to the base layer do not need a usage frequency derived from the usage ratio, and their matching priority may be the highest). The matching path generation module 6042 then deploys matching nodes in order of matching priority to obtain the first matching path corresponding to the user group, each matching node corresponding one-to-one to the storage address of a sub-signature library. When performing IPS signature matching, the IPS signature matching device matches against the sub-signature libraries one by one in the order of the matching nodes in the matching path, so that the sub-signature libraries with the highest usage frequency are matched first, which improves the efficiency of obtaining a match hit.
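The selection of M sub-signature libraries and the generation of the first matching path, as described in steps 203 and 204 and again for units 603 and 604 above, as an added Python example that is not code from the patent. The three-layer library set, the application statistics rows, the user group, the preset threshold rule, the OS-library frequency and the base/OS/application layer ordering are all constructed assumptions; the M < N check is included because the text requires 1 < M < N.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed N = 7 sub-signature libraries after the three-layer classification
# (unit 601): id -> (layer, tag). The tag is the OS or application type the library
# covers; the base layer has no tag because it applies to all users.
SUB_LIBRARIES: Dict[str, Tuple[str, Optional[str]]] = {
    "base-proto": ("base", None),
    "os-windows": ("os", "windows"),
    "os-linux": ("os", "linux"),
    "app-http": ("app", "http"),
    "app-ftp": ("app", "ftp"),
    "app-smtp": ("app", "smtp"),
    "app-dns": ("app", "dns"),
}

# Constructed application statistics rows (unit 602 output): one row per user ID
# and application type; usage_ratio is that user's share of traffic for the
# application, by packets or by bytes as the statistics step chose.
APP_STATS: List[dict] = [
    {"user": "10.0.0.11", "os": "windows", "app": "http", "usage_ratio": 0.70},
    {"user": "10.0.0.11", "os": "windows", "app": "dns", "usage_ratio": 0.05},
    {"user": "10.0.0.12", "os": "linux", "app": "http", "usage_ratio": 0.40},
    {"user": "10.0.0.12", "os": "linux", "app": "smtp", "usage_ratio": 0.45},
    {"user": "10.0.0.12", "os": "linux", "app": "ftp", "usage_ratio": 0.02},
]

# Constructed user groups divided in advance: group name -> member user IDs.
USER_GROUPS: Dict[str, set] = {"branch-a": {"10.0.0.11", "10.0.0.12"}}


def select_sub_libraries(group: str, stats: Iterable[dict],
                         libraries: Dict[str, Tuple[str, Optional[str]]],
                         groups: Dict[str, set], threshold: float = 0.10) -> Dict[str, float]:
    """Step 203 / modules 6031-6033: the sub-libraries one user group needs.

    Returns {library id: usage frequency}. Base-layer libraries are always
    included; OS-layer libraries are included for every OS seen in the group
    (frequency assumed to be the share of members on that OS); application-layer
    libraries are included when the group's summed usage ratio for the application
    type reaches `threshold` (the preset rule). Keying by library id across all
    members performs the duplicate-removing union the text describes.
    """
    members = groups[group]
    app_usage: Dict[str, float] = defaultdict(float)
    os_users: Dict[str, set] = defaultdict(set)
    for row in stats:
        if row["user"] in members:
            app_usage[row["app"]] += row["usage_ratio"]
            os_users[row["os"]].add(row["user"])
    chosen: Dict[str, float] = {}
    for lib_id, (layer, tag) in libraries.items():
        if layer == "base":
            chosen[lib_id] = float("inf")  # highest priority, no frequency needed
        elif layer == "os" and tag in os_users:
            chosen[lib_id] = len(os_users[tag]) / len(members)
        elif layer == "app" and app_usage.get(tag, 0.0) >= threshold:
            chosen[lib_id] = app_usage[tag]
    return chosen


def generate_matching_path(chosen: Dict[str, float],
                           libraries: Dict[str, Tuple[str, Optional[str]]],
                           n_total: int) -> Tuple[str, ...]:
    """Step 204 / modules 6041-6042: order the chosen libraries into a matching path.

    Matching nodes are deployed base layer first, then OS layer, then application
    layer (an assumption following the library hierarchy), with descending usage
    frequency inside each layer and the library id as a deterministic tie-break.
    Each element stands in for the storage address of one sub-signature library.
    """
    m = len(chosen)
    if not 1 < m < n_total:
        raise ValueError(f"M must satisfy 1 < M < N, got M={m}, N={n_total}")
    layer_rank = {"base": 0, "os": 1, "app": 2}
    return tuple(sorted(chosen, key=lambda lib: (layer_rank[libraries[lib][0]], -chosen[lib], lib)))


def build_first_matching_path(group: str) -> Tuple[str, ...]:
    """Steps 203 and 204 end to end for one user group on the constructed data."""
    chosen = select_sub_libraries(group, APP_STATS, SUB_LIBRARIES, USER_GROUPS)
    return generate_matching_path(chosen, SUB_LIBRARIES, len(SUB_LIBRARIES))
```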
In this embodiment of the present invention, the IPS signature library is hierarchically classified into N sub-signature libraries, M of which are selected according to application statistics information to generate a matching path, and the IPS signature matching device uses that matching path to perform IPS signature matching on network data. Because the application statistics information is obtained by statistics after feature identification of network data, the generated matching path matches the application characteristics of the corresponding user group: IPS signature matching on the network data of that user group only needs to match against the M (M < N) signature libraries of the corresponding matching path, which effectively completes the identification of threat characteristics, avoids matching against the entire IPS signature library, and improves the efficiency of IPS signature matching.
The embodiment of the IPS signature matching device of the present invention for performing the above IPS signature matching method is described below; its logical structure is shown in Fig. 7. In the embodiment of the present invention, one embodiment of the IPS signature matching device comprises:
Data acquisition unit 701, for acquiring network data;
Query unit 702, for looking up the user group corresponding to the user ID, and obtaining the matching path corresponding to that user group according to the mapping relationship between user groups and matching paths;
Signature matching unit 703, for performing IPS signature matching on the network data using the matching path, where the matching path is generated from M sub-signature libraries of the IPS signature library, the M sub-signature libraries are selected from all N sub-signature libraries of the IPS signature library according to the application statistics information of the network data, N is an integer greater than 1, and M is an integer greater than 1 and less than N.
Optionally, the signature matching unit 703 in the embodiment of the present invention may comprise:
Signature matching module 7031, for performing IPS signature matching on the network data using, in turn, the sub-signature library corresponding to each matching node on the matching path;
Matching termination module 7032, for ending the IPS signature matching and outputting the matching result if any signature in the sub-signature library matches the network data successfully; the matching termination module 7032 is also for ending the IPS signature matching if all signatures in the M sub-signature libraries fail to match.
Optionally, the IPS signature matching device in the embodiment of the present invention may further comprise:
Feature identification unit 704, for performing feature identification on the network data;
Information updating unit 705, for updating the application statistics information stored by the IPS signature matching device using the result of the feature identification.
Optionally, the feature identification unit 704 in the embodiment of the present invention may comprise:
Protocol identification module 7041, for performing protocol identification on the network data;
Judgement module 7042, for judging, according to the result of the protocol identification, whether deep analysis of the network data is needed; if so, triggering the deep analysis module; if not, determining that the result of the protocol identification is the result of the feature identification.
Deep analysis module 7043, for performing deep analysis on the network data, and determining that the results of the protocol identification and the deep analysis together form the result of the feature identification.
The specific interaction process between the units of the IPS signature matching device in the embodiment of the present invention is as follows:
The data acquisition unit 701 acquires the network data on which signature matching is to be performed. Optionally, the IPS signature matching device may process all network data, or only a part of it. For example, network data need not pass directly through the IPS device; instead, an intelligent switch may selectively divert a portion of the traffic for IPS signature matching. Based on observation of certain abnormal networking behaviours, the intelligent switch may steer network data with abnormal networking behaviour characteristics to the IPS device, so that IPS signature matching is performed on that network data.
After acquiring the network data, the query unit 702 looks up the user group to which the user ID belongs according to the user ID, and then looks up the matching path corresponding to that user group according to the mapping relationship between user groups and matching paths. Because matching paths are set up for different types of users, the user ID of the network data must be queried before IPS signature matching is performed, so that the matching path corresponding to that user ID can be found.
After the matching path is found, the signature matching unit 703 performs IPS signature matching on the network data using the matching path corresponding to the user ID. Specifically, the signature matching module 7031 of the signature matching unit 703 extracts the sub-signature library corresponding to the first matching node on the matching path, and matches the signatures in that sub-signature library one by one against the network data. If a match succeeds, the matching termination module 7032 is triggered to end the IPS signature matching flow and output the matching result; if the match fails, matching continues with the other sub-signature libraries on the matching path until the signatures in all sub-signature libraries have been matched, after which the matching termination module 7032 is triggered to end the IPS signature matching flow and output the matching result.
In practice, because the placement of matching nodes on the matching path can take the usage frequency of each sub-signature library into account, with frequently used sub-signature libraries deployed at the front of the path, the sub-signature libraries with a high signature hit probability (i.e. probability of a successful signature match) are matched first during signature matching. Once a signature hits, the matching flow ends and the remaining sub-signature libraries need not be matched, which further improves the efficiency of IPS signature matching.
Optionally, after the network data arrives, an IPS splitter (which may be a mirroring switch) copies the network data into two copies: one copy goes through the IPS signature matching flow, and the other goes through data statistics processing.
After acquiring the network data, the feature identification unit 704 performs feature identification on it. Specifically, the protocol identification module 7041 of the feature identification unit 704 may first perform protocol identification to obtain information such as the user ID, protocol type and application type. The user ID may be a user name or five-tuple information (source IP address, destination IP address, source port, destination port and transport layer protocol number); the protocol type may be the protocol used by the application to which the network data corresponds; and the application type may be the application to which the network data corresponds. Specifically, protocol identification may use identification methods such as feature string matching or a checking algorithm, and the result of protocol identification may be recorded and stored in a table.
Further, the judgement module 7042 of the feature identification unit 704 may judge, according to the result of the protocol identification, whether deep analysis of the network data is needed; if so, it triggers the deep analysis module 7043 to perform deep analysis on the network data; if not, the result of the feature identification is confirmed directly. In practice, the threat characteristics of some applications may not need to be judged from application information such as operating system information, ISP or traffic; therefore, the IPS signature matching device may preset a list of application protocols or application types that require deep analysis, and judge from the protocol identification result of the network data and this preset list whether deep analysis is needed. After determining that the network data needs deep analysis, the IPS signature matching device performs deep analysis on the network data according to the result of the protocol identification (deep analysis requires knowing the protocol type or application type of the network data) to obtain the result of the deep analysis; specifically, the result of the deep analysis may comprise the following dimensions: operating system information, service type, service provider, etc. If the IPS signature matching device confirms that no deep analysis of the network data is needed, it confirms that the result of the protocol identification is the result of the feature identification; if it confirms that deep analysis is needed, it confirms that the results of the protocol identification and the deep analysis together are the result of the feature identification.
After the feature identification of the network data is completed, the information updating unit 705 uses the result of the feature identification to update the application statistics information stored by the IPS signature matching device. Specifically, the information updating unit 705 may perform statistical analysis of the feature identification results according to the application requirements, for example by performing a clustering operation on Table 2 above according to a preset rule; the preset rule may be: if the operating system, application protocol (or application type) and service provider are identical, count the message number and traffic of those entries together.
In practice, the clustering rule may change with the application requirements. For example, if the target of IPS defence is spam, the clustering rule is concerned with the traffic of the network data sent by each source IP address, so it may be arranged that network data with the same source IP address is clustered; as another example, if the target of IPS defence is viruses, it may be arranged that network data with the same operating system, application protocol (or application type) and service provider is clustered. The specific clustering rule is determined by the actual application requirements and is not limited here. Optionally, if the priority order for matching signature libraries also needs to be considered when setting up the matching path, then in the embodiment of the present invention the usage ratio of an application type may be calculated from the message number or the traffic of that application type; specifically, if the target of IPS defence is spam, the usage ratio of the application type may be calculated from traffic, and if the target of IPS defence is viruses, the usage ratio may be calculated from the message number.
The information updating unit 705 uses the result of the above statistical analysis to generate the application statistics information of the network data or to update the application statistics information stored in the IPS signature matching device.
In the embodiments of the present invention, because the matching path is generated from M sub-signature libraries of the IPS signature library, where the M sub-signature libraries are selected from all N sub-signature libraries of the IPS signature library according to the application statistics information of the network data, N is an integer greater than 1, and M is an integer greater than 1 and less than N, only the M (M < N) sub-signature libraries on the corresponding matching path need to be matched when IPS signature matching is performed on this user group's network data. This completes the identification of threat characteristics effectively, avoids matching the entire IPS signature library, and improves the efficiency of IPS signature matching.
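To make the data flow of the device concrete, the following Python model is added here as an illustration; it is not code from the patent, and its sub-signature libraries, signature strings, user group and packets are all constructed. It walks through matching path generation from application statistics (usage ratio ordering, 1 < M < N), sequential matching along the path with early termination, and the path replacement rule of claim 4.

```python
"""Toy model of the patent's hierarchical IPS signature matching: the full
library is split into N sub-signature libraries, a user group's application
statistics pick M (1 < M < N) of them, those M are ordered by usage ratio into
a matching path, and the group's traffic is matched along that path with early
termination. All data below is constructed, not taken from the patent."""
from collections import Counter

# N sub-signature libraries after hierarchical classification, keyed by the
# application type each one covers (constructed stand-in signature strings).
SUB_LIBRARIES = {
    "http": ["../../etc/passwd", "<script>", "UNION SELECT"],
    "smtp": ["X-Spam-Bait:", "MAIL FROM:<>"],
    "ftp": ["SITE EXEC", "RETR ../.."],
    "dns": ["\x00\x00\x29\x10\x00"],
    "ssh": ["SSH-1.5-"],
    "smb": ["\\PIPE\\srvsvc"],
}
N = len(SUB_LIBRARIES)


class AppStats:
    """Application statistics of one user group: bytes seen per application
    type after feature identification, from which the usage ratio follows."""

    def __init__(self) -> None:
        self.bytes_by_app: Counter = Counter()

    def observe(self, app: str, size: int) -> None:
        self.bytes_by_app[app] += size

    def usage_ratio(self) -> dict:
        total = sum(self.bytes_by_app.values()) or 1
        return {app: n / total for app, n in self.bytes_by_app.items()}


def generate_matching_path(stats: AppStats, m: int) -> list:
    """Select the M sub-libraries that match the group's application types and
    order them by usage ratio, highest first, so the sub-library most likely
    to hit becomes the first matching node on the path."""
    ranked = sorted(stats.usage_ratio().items(), key=lambda kv: (-kv[1], kv[0]))
    path = [app for app, _ in ranked if app in SUB_LIBRARIES][:m]
    if not 1 < len(path) < N:  # the claims require 1 < M < N
        raise ValueError(f"matching path needs 1 < M < {N}, got {len(path)}")
    return path


def match_along_path(payload: str, path: list) -> tuple:
    """Match sub-library by sub-library along the path. Returns the first hit
    (or None) and the number of sub-libraries scanned before stopping."""
    scanned = 0
    for node in path:
        scanned += 1
        for signature in SUB_LIBRARIES[node]:
            if signature in payload:
                return signature, scanned
    return None, scanned


class PathTable:
    """User group -> matching path, with the replacement rule of claim 4: a
    newly generated path is used by new matching tasks at once, tasks already
    running keep the old path, and the old path counts as retired only when
    the last task using it has finished."""

    def __init__(self) -> None:
        self.current: dict = {}
        self.running: Counter = Counter()  # (group, path) -> running tasks

    def install(self, group: str, path: list) -> None:
        self.current[group] = list(path)

    def start_task(self, group: str) -> list:
        path = self.current[group]
        self.running[(group, tuple(path))] += 1
        return path

    def finish_task(self, group: str, path: list) -> None:
        self.running[(group, tuple(path))] -= 1

    def is_retired(self, group: str, path: list) -> bool:
        return self.current[group] != path and self.running[(group, tuple(path))] == 0


def demo() -> dict:
    """Constructed office user group: mostly HTTP, some SMTP and DNS, no FTP,
    SSH or SMB. Compare the path against a flat scan of all N sub-libraries."""
    stats = AppStats()
    for app, size in [("http", 9000), ("smtp", 3000), ("dns", 500)]:
        stats.observe(app, size)
    path = generate_matching_path(stats, m=3)  # ['http', 'smtp', 'dns']
    attack = "GET /?q=<script>alert(1)</script> HTTP/1.1"
    benign = "GET /index.html HTTP/1.1"
    _, hit_on_path = match_along_path(attack, path)
    _, hit_on_full = match_along_path(attack, sorted(SUB_LIBRARIES))
    _, miss_on_path = match_along_path(benign, path)
    _, miss_on_full = match_along_path(benign, sorted(SUB_LIBRARIES))
    return {"M": len(path), "N": N, "hit_on_path": hit_on_path,
            "hit_on_full": hit_on_full, "miss_on_path": miss_on_path,
            "miss_on_full": miss_on_full}


if __name__ == "__main__":
    print(demo())
```

The miss case shows the bound the text relies on: a packet that matches nothing costs M sub-library scans on the path versus N on the flat library.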
The embodiment of the intrusion prevention system of the present invention for performing the above IPS signature matching method is described below; its logical structure is shown in Fig. 8. In the embodiment of the present invention, one embodiment of the intrusion prevention system comprises: a path generation device 801 and an IPS signature matching device 802;
The path generation device is for hierarchically classifying the IPS signature library to obtain N sub-signature libraries, where N is an integer greater than 1; acquiring application statistics information, where the application statistics information is obtained by performing feature identification on network data and then compiling statistics; selecting, from the N sub-signature libraries according to the application statistics information, M sub-signature libraries suited to the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N; and generating the matching path corresponding to the user group from the M sub-signature libraries, so that the IPS signature matching device uses the matching path to perform IPS signature matching on the network data of the user group, where the matching path is the memory address mapping relationship of the M sub-signature libraries;
The IPS signature matching device is for acquiring network data and querying the user ID of the network data; obtaining the matching path corresponding to the user ID according to the user ID; and performing IPS signature matching on the network data using the matching path.
In practice, the IPS signature matching device may be a server in the intrusion prevention system that implements the signature matching function; the path generation device may be an independent physical device that communicates with the server implementing the signature matching function over a data cable or a network connection; the path generation device may also be a software device installed, as a functional enhancement, on any server of the intrusion prevention system (which may be the server implementing the signature matching function). The path generation device provides matching paths to the IPS signature matching device, and the IPS signature matching device provides the path generation device with the network data needed for the statistics.
In practice, the intrusion prevention system in the embodiment of the present invention may be deployed on a gateway or a router in the network. In the online application scenario shown in Fig. 9, the network data sent by the user equipment (UE) to the Internet must pass through a gateway, so the intrusion prevention system of the present invention may be deployed on the gateway between the UE and the Internet. In the enterprise application scenario shown in Fig. 10, the local area networks (LANs) of an enterprise at two sites need to exchange data; the two LANs establish a communication connection through their respective gateways and a virtual private network (VPN), and the intrusion prevention system of the present invention may be deployed on the respective gateways of the two LANs.
The application scenarios of the intrusion prevention system in the embodiment of the present invention have been illustrated above with only a few specific examples; it will be understood that there may be more application scenarios in practice, which are not specifically limited here.
Optionally, in the intrusion prevention system of the embodiment of the present invention, the IPS signature matching device and the path generation device may be deployed separately, as shown in Fig. 11: the IPS signature matching device corresponds to the gateway device in Fig. 11 (in other words, besides the functions of a general gateway device, the gateway device in Fig. 11 also has the IPS signature matching function), and the path generation device corresponds to the server in Fig. 11 (which may be an extra server deployed in the network, or a server already present in the existing network).
It should be understood that the intrusion prevention system of the embodiment of the present invention has different physical deployment implementations: in one implementation, the path generation device 801 and the IPS signature matching device 802 may be two modules deployed on a single node device; in another implementation, the path generation device 801 and the IPS signature matching device 802 may be deployed on two separate node devices.
In the several embodiments provided by this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division of the units is only a logical functional division, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the protection scope of the claims.

Claims (18)

1. A matching path generation method for a signature library, characterized by comprising:
hierarchically classifying an intrusion prevention system (IPS) signature library to obtain N sub-signature libraries, where N is an integer greater than 1;
acquiring application statistics information, where the application statistics information is obtained by performing feature identification on network data and then compiling statistics;
selecting, from the N sub-signature libraries according to the application statistics information, M sub-signature libraries suited to the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N;
generating a first matching path corresponding to the user group from the M sub-signature libraries, so that an IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group, where the first matching path is the memory address mapping relationship of the M sub-signature libraries.
2. The method according to claim 1, characterized in that the application statistics information comprises:
a user ID, and the application type and application information corresponding to the user ID;
and the selecting, from the N sub-signature libraries according to the application statistics information, M sub-signature libraries suited to the user group corresponding to the application statistics information comprises:
looking up the user group corresponding to the user ID;
selecting, from the N sub-signature libraries according to a preset rule, the sub-signature library matching the application type and application information corresponding to the user ID;
compiling statistics to obtain the M sub-signature libraries corresponding to all user IDs in the user group.
3. The method according to claim 2, characterized in that the application statistics information further comprises:
the usage ratio corresponding to the application type;
and the generating the first matching path corresponding to the user group from the M sub-signature libraries comprises:
setting a matching priority for the M sub-signature libraries according to the usage ratio corresponding to each application type, and deploying matching nodes in turn according to the matching priority to obtain the first matching path corresponding to the user group, where the matching nodes correspond one-to-one to the memory addresses of the sub-signature libraries.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
updating the application statistics information every preset time period;
calculating a second matching path using the updated application statistics information;
judging whether the IPS signature matching device is using the first matching path for IPS signature matching; if not, replacing the first matching path with the second matching path; if so, letting the ongoing IPS signature matching continue to use the first matching path while newly established IPS signature matching tasks use the second matching path, and replacing the first matching path with the second matching path after the IPS signature matching tasks using the first matching path have ended.
5. A signature matching method for an intrusion prevention system, characterized by comprising:
acquiring network data, and querying the user ID of the network data;
looking up the user group corresponding to the user ID, and obtaining the matching path corresponding to the user group according to the mapping relationship between user groups and matching paths;
performing IPS signature matching on the network data using the matching path, where the matching path is generated from M sub-signature libraries of an IPS signature library, the M sub-signature libraries are selected from all N sub-signature libraries of the IPS signature library according to the application statistics information of the network data, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching path is the memory address mapping relationship of the M sub-signature libraries.
6. The method according to claim 5, characterized in that the performing IPS signature matching on the network data using the matching path corresponding to the user ID comprises:
performing IPS signature matching on the network data using, in turn, the sub-signature library corresponding to each matching node on the matching path;
if any signature in the sub-signature library matches the network data successfully, ending the IPS signature matching and outputting the matching result.
7. The method according to claim 5, characterized in that, after the acquiring network data, the method comprises:
performing feature identification on the network data;
updating the application statistics information stored by the IPS signature matching device using the result of the feature identification.
8. The method according to claim 7, characterized in that the performing feature identification on the network data comprises:
performing protocol identification on the network data;
judging, according to the result of the protocol identification, whether deep analysis of the network data is needed; if so, performing deep analysis on the network data and determining that the results of the protocol identification and the deep analysis are the result of the feature identification; if not, determining that the result of the protocol identification is the result of the feature identification.
9. A path generation device, characterized by comprising:
a classification unit, for hierarchically classifying an IPS signature library to obtain N sub-signature libraries, where N is an integer greater than 1;
an information acquisition unit, for acquiring application statistics information, where the application statistics information is obtained by performing feature identification on network data and then compiling statistics;
a signature library selection unit, for selecting, from the N sub-signature libraries according to the application statistics information, M sub-signature libraries suited to the user group corresponding to the application statistics information, where M is an integer greater than 1 and less than N;
a path generation unit, for generating a first matching path corresponding to the user group from the M sub-signature libraries, so that an IPS signature matching device uses the first matching path to perform IPS signature matching on the network data of the user group, where the first matching path is the memory address mapping relationship of the M sub-signature libraries.
10. The device according to claim 9, characterized in that the signature library selection unit comprises:
a user group lookup module, for looking up the user group corresponding to the user ID in the application statistics information;
a signature library selection module, for selecting, from the N sub-signature libraries according to a preset rule, the sub-signature library matching the application type and application information corresponding to the user ID;
a signature library statistics module, for compiling statistics to obtain the M sub-signature libraries corresponding to all user IDs in the user group.
11. The device according to claim 9, characterized in that the path generation unit comprises:
a priority setting module, for setting a matching priority for the M sub-signature libraries according to the usage ratio corresponding to each application type;
a matching path generation module, for deploying matching nodes in turn according to the matching priority to obtain the first matching path corresponding to the user group, where the matching nodes correspond one-to-one to the memory addresses of the sub-signature libraries.
12. An IPS signature matching device, characterized by comprising:
a data acquisition unit, for acquiring network data and querying the user ID of the network data;
a path acquisition unit, for looking up the user group corresponding to the user ID, and obtaining the matching path corresponding to the user group according to the mapping relationship between user groups and matching paths;
a signature matching unit, for performing IPS signature matching on the network data using the matching path, where the matching path is generated from M sub-signature libraries of an IPS signature library, the M sub-signature libraries are selected from all N sub-signature libraries of the IPS signature library according to the application statistics information of the network data, N is an integer greater than 1, M is an integer greater than 1 and less than N, and the matching path is the memory address mapping relationship of the M sub-signature libraries.
13. The device according to claim 12, characterized in that the signature matching unit comprises:
a signature matching module, for performing IPS signature matching on the network data using, in turn, the sub-signature library corresponding to each matching node on the matching path;
a matching termination module, for ending the IPS signature matching and outputting the matching result if any signature in the sub-signature library matches the network data successfully.
14. The device according to claim 12, characterized in that the IPS signature matching device further comprises:
a feature identification unit, for performing feature identification on the network data;
an information updating unit, for updating the application statistics information stored by the IPS signature matching device using the result of the feature identification.
15. The device according to claim 14, characterized in that the feature identification unit comprises:
a protocol identification module, for performing protocol identification on the network data;
a judgement module, for judging, according to the result of the protocol identification, whether deep analysis of the network data is needed; if so, triggering the deep analysis module; if not, determining that the result of the protocol identification is the result of the feature identification;
a deep analysis module, for performing deep analysis on the network data, and determining that the results of the protocol identification and the deep analysis are the result of the feature identification.
16. 1 kinds of intrusion prevention systems, is characterized in that, comprising: coordinates measurement device and IPS signatures match device;
Described coordinates measurement device be used for IPS sign storehouse carry out layering classification, obtain N number of son signature storehouse, described N be greater than 1 integer; Obtain applied statistics information, described applied statistics information is added up after carrying out feature identification to network data and is obtained; According to described applied statistics information in described N number of son signature storehouse, select the user corresponding with described applied statistics information to organize suitable M sub storehouse of signing, described M is the integer being greater than 1 and being less than N; Generate described user according to described M son signature storehouse and organize corresponding coupling path, make IPS signatures match device use described coupling path to carry out IPS signatures match to the network data that described user organizes, described coupling path is the memory address mapping relations in described M son signature storehouse;
Described IPS signatures match device, for obtaining network data, searches user's group that described user ID is corresponding, and obtains to organize with described user according to described user group and the mapping relations of mating path and corresponding mate path; The coupling path corresponding with described user ID is obtained according to described user ID; Described coupling path is used to carry out IPS signatures match to described network data.
17. The system according to claim 16, characterized in that
the matching path generation device is further configured to set matching priorities for the M sub signature libraries according to the usage ratio corresponding to each application type in the application statistics information, and to arrange matched nodes in sequence according to the matching priorities to obtain the matching path corresponding to the user group, the matched nodes corresponding one-to-one to the memory addresses of the sub signature libraries;
the IPS signature matching device using the matching path to perform IPS signature matching on the network data comprises:
the IPS signature matching device performs IPS signature matching on the network data using, in sequence, the sub signature libraries corresponding to the matched nodes in the matching path; if any signature in a sub signature library matches the network data successfully, the IPS signature matching terminates and the matching result is output.
18. The system according to claim 16, characterized in that the IPS signature matching device is further configured to perform feature identification on the network data and to use the result of the feature identification to update the application statistics information stored by the IPS signature matching device.
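The following is an added illustration of the scheme in claims 16 to 18, written for this page and not taken from the patent or from Huawei's products. It models the signature library as a set of sub libraries keyed by application type, derives usage ratios from feature identification results, builds a per user group matching path of the M most used sub libraries ordered by usage ratio, matches packets against that path with early termination, and refreshes the statistics (and therefore the path) as new packets are identified. All names (build_sub_libraries, generate_matching_path, match_packet, UserGroupState, identify_application), the signature patterns and the packets are constructed for the example; the matching path is represented as an ordered list of application types standing in for the memory address mappings of the claims.

```python
from collections import Counter

# Constructed sample IPS signature library: each signature belongs to one
# application type, which is the layering/classification of claim 16.
SIGNATURES = [
    ("HTTP", "SIG-H1", b"/cgi-bin/"),
    ("HTTP", "SIG-H2", b"../../"),
    ("DNS",  "SIG-D1", b"\x00\x00\xff"),
    ("SMTP", "SIG-S1", b"EHLO evil"),
    ("FTP",  "SIG-F1", b"SITE EXEC"),
]


def build_sub_libraries(signatures):
    """Split the full library into N sub libraries keyed by application type."""
    subs = {}
    for app, sig_id, pattern in signatures:
        subs.setdefault(app, []).append((sig_id, pattern))
    return subs


def application_statistics(identified_apps):
    """Usage ratio per application type, computed from feature identification
    results (the 'application statistics information' of claim 16)."""
    counts = Counter(identified_apps)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {app: n / total for app, n in counts.items()}


def generate_matching_path(sub_libraries, stats, m):
    """Select the M sub libraries most used by this user group and order them
    by usage ratio (the matching priority of claim 17). Application types
    with no sub library are skipped; ties keep their insertion order because
    sorted() is stable."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1], reverse=True)
    return [app for app, _ in ranked if app in sub_libraries][:m]


def match_packet(payload, path, sub_libraries):
    """Walk the matched nodes in priority order and stop at the first hit,
    returning the signature id, or None when no selected sub library matches."""
    for app in path:
        for sig_id, pattern in sub_libraries[app]:
            if pattern in payload:
                return sig_id
    return None


def identify_application(payload):
    """Toy feature identification (a constructed heuristic, not a real
    classifier): guess the application type from the payload prefix."""
    if payload.startswith((b"GET ", b"POST ")):
        return "HTTP"
    if payload.startswith((b"EHLO", b"HELO", b"MAIL FROM")):
        return "SMTP"
    if payload.startswith((b"USER ", b"SITE ")):
        return "FTP"
    return "OTHER"


class UserGroupState:
    """Per user group state: running statistics and the current matching path."""

    def __init__(self, sub_libraries, m):
        self.subs = sub_libraries
        self.m = m
        self.history = Counter()
        self.path = []

    def observe(self, payload):
        """Claim 18: identify the packet's application, update the stored
        statistics, then regenerate the matching path from them."""
        self.history[identify_application(payload)] += 1
        stats = application_statistics(self.history.elements())
        self.path = generate_matching_path(self.subs, stats, self.m)
        return self.path


if __name__ == "__main__":
    subs = build_sub_libraries(SIGNATURES)
    group = UserGroupState(subs, m=2)
    for pkt in (b"GET /index HTTP/1.1", b"GET /img HTTP/1.1", b"SITE EXEC ls"):
        group.observe(pkt)
    print("path:", group.path)
    print("hit:", match_packet(b"GET /cgi-bin/x HTTP/1.1", group.path, subs))
```

Two points worth checking against such a design: because only M of the N sub libraries are on the path, a signature whose application type was not selected for the group is never evaluated for that group's traffic, so the statistics window and the value of M decide the coverage trade-off; and because the path is regenerated from observed traffic, the statistics update needs to be rate limited or smoothed so that a short burst does not repeatedly reorder or swap out sub libraries.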
CN201110461977.XA 2011-12-31 2011-12-31 Matching route generation method and related device for signature library Active CN102752275B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110461977.XA CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library
PCT/CN2012/086346 WO2013097600A1 (en) 2011-12-31 2012-12-11 Matching route generation method and related device for signature library

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110461977.XA CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library

Publications (2)

Publication Number Publication Date
CN102752275A CN102752275A (en) 2012-10-24
CN102752275B true CN102752275B (en) 2015-05-13

Family

ID=47032176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110461977.XA Active CN102752275B (en) 2011-12-31 2011-12-31 Matching route generation method and related device for signature library

Country Status (2)

Country Link
CN (1) CN102752275B (en)
WO (1) WO2013097600A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752275B (en) * 2011-12-31 2015-05-13 华为技术有限公司 Matching route generation method and related device for signature library
CN106921628B (en) * 2015-12-25 2021-10-08 阿里巴巴集团控股有限公司 Method and device for identifying network access source based on network address
CN106789860B (en) * 2016-03-02 2021-02-05 新华三技术有限公司 Signature rule loading method and device
CN108052281A (en) * 2017-11-30 2018-05-18 平安科技(深圳)有限公司 Business Information storage method, application server and computer storage media
CN109614121A (en) * 2018-12-06 2019-04-12 郑州云海信息技术有限公司 A kind of dorsulum SAS address burning realization method and system
CN117675212A (en) * 2022-08-26 2024-03-08 维沃移动通信有限公司 Signature information transmission method, signature information transmission device and readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8199754B2 (en) * 2006-05-30 2012-06-12 Hewlett-Packard Development Company, L. P. Intrusion prevention system edge controller
CN100444075C (en) * 2005-11-08 2008-12-17 北京网秦天下科技有限公司 Virus characteristics extraction and detection system and method for mobile/intelligent terminal
CN102075365B (en) * 2011-02-15 2012-12-26 中国工商银行股份有限公司 Method and device for locating and protecting network attack source
CN102209032A (en) * 2011-05-24 2011-10-05 北京网康科技有限公司 Application identification method and equipment for user definition
CN102752275B (en) * 2011-12-31 2015-05-13 华为技术有限公司 Matching route generation method and related device for signature library

Also Published As

Publication number Publication date
CN102752275A (en) 2012-10-24
WO2013097600A1 (en) 2013-07-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant