CN104184722B - Port group generating method and device of intrusion prevention system - Google Patents
- Publication number
- CN104184722B
- Authority
- CN
- China
- Prior art keywords
- port
- rule
- port object
- rules
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention discloses a port group generating method and device for an intrusion prevention system, belonging to the field of computer network communication security. The method comprises: parsing the rule base of the intrusion prevention system to obtain all rules; integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that include the same port information; and combining the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are both integers not less than 2. Because each port group is formed by combining the first port object with multiple second port objects, the number of port groups generated is reduced, the port object generated from the rules without port information is no longer copied once per port group, and memory occupancy is reduced.
Description
Technical field
The invention belongs to the field of computer network communication security, and more particularly relates to a port group generating method for an intrusion prevention system and a device for the same.
Background technology
With the widespread use of computers and the continuing spread of networks, threats and crime originating both inside and outside the network increase by the day. Nowadays not only has the number of viruses surged and their sophistication grown, they also propagate rapidly over the network and can spread across the world within a few hours. Some viruses also change form while propagating, defeating antivirus software. Traditional firewalls combined with intrusion detection system (Intrusion Detection System, IDS) technology cannot cope with some of these new network threats. Intrusion prevention system (Intrusion Prevention System, IPS) technology arose in this context: an IPS performs deep inspection and active detection of the packets flowing through it, dropping infected traffic to block attacks and rate-limiting abusive traffic to protect network bandwidth resources.
Most current IPS products are built on port groups: while the IPS rule base is parsed, port objects are formed, and port groups are then generated from the port objects. In this port-group-based IPS architecture, if the rule base contains many rules that carry no port information, the port object generated from those rules is copied once into every port group when the port groups are generated, which sharply increases the system's memory occupancy.
Summary of the invention
To prevent the port object generated from the above rules without port information from being copied on a large scale, and thereby reduce the system's memory occupancy, the invention provides a port group generating method for an intrusion prevention system. The method comprises the following steps:
parsing the rule base of the intrusion prevention system to obtain all rules;
integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information;
combining the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are integers not less than 2.
Further, the total number of rules contained in the m second port objects corresponding to each port group does not exceed a preset rule count.
Further, the preset rule count is calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects.
The invention also discloses a port group generating device for an intrusion prevention system, the device comprising:
a parsing module, for parsing the rule base of the intrusion prevention system to obtain all rules;
a rule integration module, for integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information;
a port group generation module, for combining the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are integers not less than 2.
Further, the total number of rules contained in the m second port objects corresponding to each port group does not exceed a preset rule count.
Further, the preset rule count is calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects.
Because the invention generates each port group by combining the first port object with m second port objects, m being an integer not less than 2, the number of port groups generated is reduced, which in turn prevents the port object generated from rules without port information from being copied on a large scale and reduces the system's memory occupancy.
Brief description of the drawings
The features and advantages of the invention can be understood more clearly with reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 is a flow chart of the port group generating method of an intrusion prevention system according to one embodiment of the invention;
Fig. 2 is a schematic diagram of port groups being generated from port objects;
Fig. 3 is a structural block diagram of the port group generating device of an intrusion prevention system according to one embodiment of the invention.
Specific embodiment
Specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following examples serve to illustrate the invention and do not limit its scope.
Fig. 1 is a flow chart of the port group generating method of an intrusion prevention system according to one embodiment of the invention. Referring to Fig. 1, the method comprises the following steps:
Step S1: parse the rule base of the IPS to obtain all rules.
During initialization, the IPS product first parses the rules in the IPS rule base one by one, so as to obtain all the rules in the rule base.
Step S2: integrate the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information.
For example, if 500 of the parsed rules carry port 80 as their port information, those 500 rules are integrated to generate the second port object for port 80. In addition, a certain number of rules that carry no port information at all may be obtained during parsing, say 300; those 300 rules are integrated to generate the first port object.
Step S3: combine the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are integers not less than 2.
Referring to Fig. 2, second port objects i to j-1 are integrated with the first port object to generate port group I, and second port objects j, j+1, ... are integrated with the first port object to generate port group J.
The value of m is related to the number of rules the port objects contain. The number of rules in a port group (that is, the number of rules in the corresponding first port object plus the total number of rules in the m second port objects) should be neither too large nor too small. If a port group contains too many rules, then after a packet matches the port group's multi-pattern state engine (Multi-Pattern State Engine, MPSE), the time spent traversing the rule tree nodes (Rule Tree Node, RTN) and option tree nodes (Option Tree Node, OTN) one by one grows, which lowers the throughput of the IPS product. If a port group contains too few rules, a large number of port groups is produced and repeated copying generates a large number of port objects, which consumes a great deal of system memory.
To reduce the IPS's memory occupancy without significantly affecting the throughput of the IPS product, the value of m is therefore determined as follows: the total number of rules contained in the m second port objects does not exceed the preset rule count, i.e. it satisfies
S1 + S2 + S3 + ... + Sm ≤ S,
where S is the preset rule count and S1, S2, S3, ..., Sm are the numbers of rules contained in each of the m second port objects.
To reduce the IPS's memory occupancy as far as possible without significantly affecting the throughput of the IPS product, the preset rule count is preferably calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects (that is, the total number of rules in all second port objects).
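Steps S1 to S3 and the S = 2*A/N bound, carried through as an added Python example. This is illustrative code written for this page, not the patentee's implementation. The rule base is a constructed sample in a made-up "<rule id> <port|any>" format, and the first-fit-decreasing packing of second port objects into port groups is an assumption of the example: the patent fixes only the bound S1 + ... + Sm ≤ S, not how the m objects are chosen. The example also exposes the two quantities the trade-off above is about: how many copies of the first port object exist (one per port group, against one per port in the background's scheme) and how many rules a packet to a given port must traverse.

```python
from collections import defaultdict

# Constructed sample rule base for this example (not from the patent). Each
# line is "<rule id> <destination port | any>"; "any" means the rule carries no
# port information.
SAMPLE_RULES = """
r1 80
r2 80
r3 80
r4 443
r5 443
r6 443
r7 22
r8 22
r9 25
r10 25
r11 53
r12 21
r13 any
r14 any
r15 any
""".strip().splitlines()


def parse_rules(lines):
    """Step S1: parse every rule of the rule base into (rule_id, port or None)."""
    rules = []
    for line in lines:
        rule_id, port = line.split()
        rules.append((rule_id, None if port == "any" else int(port)))
    return rules


def build_port_objects(rules):
    """Step S2: integrate rules by port information.

    Returns (first_port_object, second_port_objects): the first port object is
    the list of rules without port information; second_port_objects maps each
    port to the list of rules that name exactly that port (N = len(dict)).
    """
    first = []
    second = defaultdict(list)
    for rule_id, port in rules:
        if port is None:
            first.append(rule_id)
        else:
            second[port].append(rule_id)
    return first, dict(second)


def preset_rule_count(second):
    """S = 2*A/N, A = total rules across the N second port objects (patent formula)."""
    n = len(second)
    a = sum(len(rules) for rules in second.values())
    return 2 * a / n


def generate_port_groups(first, second):
    """Step S3: put m second port objects into each port group so that
    S1 + ... + Sm <= S. First-fit decreasing is this example's own packing
    heuristic (an assumption); the patent only states the bound.

    Every group references the SAME first-port-object list instead of holding
    a copy, which is the point of the scheme.
    """
    cap = preset_rule_count(second)
    groups = []  # each: {"ports": [...], "count": rules in the m second objects, "first": first}
    for port, rules in sorted(second.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        for g in groups:
            if g["count"] + len(rules) <= cap:
                g["ports"].append(port)
                g["count"] += len(rules)
                break
        else:
            # A port object whose own rule count already reaches S cannot share a
            # group without breaking the bound, so it stands alone (m = 1); the
            # patent's premise m >= 2 does not cover that case.
            groups.append({"ports": [port], "count": len(rules), "first": first})
    return groups


def rules_for_port(groups, second, port):
    """Rules the IPS must traverse for a packet to `port`: the first port object
    plus every second port object in the same group (the cost of a large m)."""
    for g in groups:
        if port in g["ports"]:
            return list(g["first"]) + [r for p in g["ports"] for r in second[p]]
    return []


def first_object_copies(second, groups):
    """(copies with one port group per port, copies with this scheme)."""
    return len(second), len(groups)


if __name__ == "__main__":
    first, second = build_port_objects(parse_rules(SAMPLE_RULES))
    groups = generate_port_groups(first, second)
    for g in groups:
        print(sorted(g["ports"]), g["count"], "port rules +", len(first), "port-less rules")
    print("first-port-object copies (per port, grouped):", first_object_copies(second, groups))
```

On the sample the six ports (A = 12, N = 6, so S = 4) pack into three groups of two ports each, so the port-less rules are attached to three groups instead of six, and a packet to port 80 traverses the three port-less rules, the three port-80 rules and the one port-21 rule that shares its group. A single port object with more than S rules (a heavily used port such as 80 in a real rule base) would end up in a group by itself, so the m ≥ 2 premise holds only when no one port dominates the rule base.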
The invention also discloses a port group generating device for an intrusion prevention system. Referring to Fig. 3, the device comprises:
a parsing module, for parsing the rule base of the intrusion prevention system to obtain all rules;
a rule integration module, for integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information;
a port group generation module, for combining the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are integers not less than 2.
Further, the total number of rules contained in the m second port objects corresponding to each port group does not exceed a preset rule count.
Further, the preset rule count is calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects.
The above embodiments serve only to illustrate the invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical solutions also fall within the scope of the invention, and the scope of patent protection of the invention is defined by the claims.
Claims (2)
1. A port group generating method for an intrusion prevention system, characterised in that the method comprises the following steps:
parsing the rule base of the intrusion prevention system to obtain all rules;
integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information;
combining the first port object with m second port objects to generate a port group, where m is not greater than N, and N and m are integers not less than 2;
the total number of rules contained in the m second port objects corresponding to each port group not exceeding a preset rule count;
the preset rule count being calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects.
2. A port group generating device for an intrusion prevention system, characterised in that the device comprises:
a parsing module, for parsing the rule base of the intrusion prevention system to obtain all rules;
a rule integration module, for integrating the rules according to their port information to form port objects, the port objects comprising a first port object and N second port objects, where the first port object is formed by integrating all rules that do not include port information and each second port object is formed by integrating the rules that carry the same port information;
a port group generation module, for combining the first port object with m second port objects to generate a port group, where m is not greater than N, N and m are integers not less than 2, and the total number of rules contained in the m second port objects corresponding to each port group does not exceed a preset rule count;
the preset rule count being calculated by the following formula:
S = 2*A/N
where S is the preset rule count and A is the total number of rules contained in the N second port objects.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410360727.0A CN104184722B (en) | 2014-07-25 | 2014-07-25 | Port group generating method and device of intrusion prevention system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410360727.0A CN104184722B (en) | 2014-07-25 | 2014-07-25 | Port group generating method and device of intrusion prevention system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104184722A CN104184722A (en) | 2014-12-03 |
CN104184722B true CN104184722B (en) | 2017-05-24 |
Family
ID=51965464
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410360727.0A Active CN104184722B (en) | 2014-07-25 | 2014-07-25 | Port group generating method and device of intrusion prevention system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104184722B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101426000A (en) * | 2007-10-30 | 2009-05-06 | 北京启明星辰信息技术有限公司 | General protocol parsing method and system |
CN102916955A (en) * | 2012-10-15 | 2013-02-06 | 北京神州绿盟信息安全科技股份有限公司 | System and method for preventing/detecting network intrusion |
CN103491069A (en) * | 2013-09-05 | 2014-01-01 | 北京科能腾达信息技术股份有限公司 | Filtering method for network data package |
CN103685221A (en) * | 2013-09-05 | 2014-03-26 | 北京科能腾达信息技术股份有限公司 | A network invasion detection method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9813448B2 (en) * | 2010-02-26 | 2017-11-07 | Ixia | Secured network arrangement and methods thereof |
US8599854B2 (en) * | 2010-04-16 | 2013-12-03 | Cisco Technology, Inc. | Method of identifying destination in a virtual environment |
Events
- 2014-07-25 CN CN201410360727.0A patent/CN104184722B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104184722A (en) | 2014-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9661013B2 (en) | Manipulating API requests to indicate source computer application trustworthiness | |
CN105282169B (en) | Ddos attack method for early warning based on SDN controller threshold values and its system | |
US7958227B2 (en) | Attributes of captured objects in a capture system | |
CN106790193B (en) | The method for detecting abnormality and device of Intrusion Detection based on host network behavior | |
CN105337991B (en) | A kind of integrated message flow is searched and update method | |
CN101577721A (en) | Method for splitting Broome filter by indexes and inserting, deleting and inquiring methods thereof | |
CN105429963A (en) | Invasion detection analysis method based on Modbus/Tcp | |
CN105049450A (en) | Cloud security system based on virtual network environment and deployment framework of cloud security system | |
CN103618692A (en) | A method for constructing log fast matching | |
US20160294848A1 (en) | Method for protection of automotive components in intravehicle communication system | |
CN103746920B (en) | A kind of method that data transfer is realized based on gateway | |
CN104394180B (en) | A kind of wireless terminal authentication method, wireless router and system | |
CN104283736B (en) | A kind of network communication five-tuple Fast Match Algorithm based on improvement automatic state machine | |
CN104184722B (en) | Port group generating method and device of intrusion prevention system | |
CN102571949B (en) | Network-based data self-destruction method | |
CN106790068B (en) | One kind is for accelerating the matched method of industry control firewall rule | |
CN104378426B (en) | A kind of load-balancing method for real time information dissemination system | |
CN104579939B (en) | Gateway protection method and device | |
CN107294991B (en) | Network function defense system based on output judgment and safety protection method | |
CN112653707A (en) | Enhanced mimicry input agent | |
CN107124410A (en) | Network safety situation feature clustering method based on machine deep learning | |
CN104184725A (en) | Engine detection data updating method and device of intrusion prevention system | |
CN105357177A (en) | Method for processing data packet filtering rule set and data packet matching method | |
CN112448916B (en) | Privacy protection method for preventing GAN model attack and protecting CDL training information | |
CN105635145B (en) | The chip-scale safety protecting method in the tunnel CAPWAP DTLS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
PP01 | Preservation of patent right | ||
PP01 | Preservation of patent right |
Effective date of registration: 20180528 Granted publication date: 20170524 |