CN115150167A - Method and device for synchronous control, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN115150167A
Authority
CN
China
Prior art keywords
messages
determining
attack
virus
rate
Prior art date
Legal status
Granted
Application number
CN202210771104.7A
Other languages
Chinese (zh)
Other versions
CN115150167B (en)
Inventor
张萌
卞传旭
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202210771104.7A
Publication of CN115150167A
Application granted
Publication of CN115150167B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/084 Configuration by using pre-existing information, e.g. using templates or copying from other elements
    • H04L41/0846 Configuration by using pre-existing information, e.g. using templates or copying from other elements based on copy from other elements
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application belongs to the technical field of network security and discloses a method, an apparatus, an electronic device and a computer-readable storage medium for synchronization control. The method comprises: performing a network security assessment based on packet data to obtain a security assessment result; and, if the security assessment result is network security, synchronizing the connection table of the transmitted packets to the slave firewall, otherwise stopping the synchronization of the connection table, where the slave firewall forwards packets based on the synchronized connection table when it determines that the master firewall is abnormal. Whether the connection table is synchronized is therefore controlled by the security assessment result, so that both network security and continuity of service transmission are taken into account.

Description

Method and device for synchronous control, electronic equipment and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for synchronization control, an electronic device, and a computer-readable storage medium.
Background
To improve network reliability and avoid the risk of a single point of failure, a master firewall and a slave firewall are typically deployed at key nodes of the network. The master firewall is responsible for service forwarding: it generates a connection table from the forwarded packets and then forwards packets through that connection table. While the master firewall operates normally, the slave firewall is idle. When the master firewall is determined to have failed, the slave firewall takes over the forwarding of traffic and is switched to the master role.
However, since the slave firewall has no connection table, transmissions that were already connected are interrupted, which affects the user's service communication.
Disclosure of Invention
Embodiments of the present application provide a method, an apparatus, an electronic device, and a computer-readable storage medium for synchronization control, so as to reduce transmission interruption of service data when the service data is forwarded through a firewall.
In one aspect, a method for synchronization control is provided, which is applied to a main firewall, and includes:
performing a network security assessment based on the packet data to obtain a security assessment result;
and, if the security assessment result is network security, synchronizing the connection table of the transmitted packets to the slave firewall, otherwise stopping the synchronization of the connection table, where the slave firewall forwards packets based on the synchronized connection table when it determines that the master firewall is abnormal.
In this implementation, whether the connection table is synchronized is controlled by the security assessment result, so that both network security and continuity of service transmission are taken into account.
In one embodiment, the security assessment result is determined according to at least one of an intrusion prevention system attack rate and a virus defense infection rate;
the intrusion prevention system attack rate is determined from the attack packets in the packet data;
the virus defense infection rate is determined from the virus packets in the packet data.
In this implementation, the security assessment result can be determined from the intrusion prevention system attack rate and the virus defense infection rate, which improves the accuracy of the network security assessment.
In one embodiment, performing a network security assessment based on packet data to obtain a security assessment result includes:
determining the number of attack packets and the total number of packets from the packet data;
determining the intrusion prevention system attack rate from the ratio of the number of attack packets to the total number of packets;
and, if the intrusion prevention system attack rate is lower than the attack rate threshold, determining that the security assessment result is network security, otherwise determining that the security assessment result is network anomaly.
In this implementation, the security assessment result can be determined from the intrusion prevention system attack rate, which improves the accuracy of the network security assessment.
In one embodiment, performing a network security assessment based on packet data to obtain a security assessment result includes:
determining the number of virus packets and the total number of packets from the packet data;
determining the virus defense infection rate from the ratio of the number of virus packets to the total number of packets;
and, if the virus defense infection rate is lower than the infection rate threshold, determining that the security assessment result is network security, otherwise determining that the security assessment result is network anomaly.
In this implementation, the security assessment result can be determined from the virus defense infection rate, which improves the accuracy of the network security assessment.
In one embodiment, performing a network security assessment based on packet data to obtain a security assessment result includes:
determining the number of attack packets, the number of virus packets and the total number of packets from the packet data;
determining the intrusion prevention system attack rate from the ratio of the number of attack packets to the total number of packets;
determining the virus defense infection rate from the ratio of the number of virus packets to the total number of packets;
and, if the intrusion prevention system attack rate and the virus defense infection rate are determined to meet the network security condition, determining that the security assessment result is network security, otherwise determining that the security assessment result is network anomaly.
In this implementation, the security assessment result can be determined from both the intrusion prevention system attack rate and the virus defense infection rate, which improves the accuracy of the network security assessment.
In one embodiment, the network security condition includes at least one of:
the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than an anomaly threshold, where the weighted sum is obtained by weighting and summing the intrusion prevention system attack rate and the virus defense infection rate;
and, the intrusion prevention system attack rate is lower than the attack rate threshold and the virus defense infection rate is lower than the infection rate threshold.
In this implementation, several modes can be used to determine the security assessment result, which improves the accuracy of the network security assessment.
In one aspect, an apparatus for synchronous control is provided, including:
an assessment unit, configured to perform a network security assessment based on the packet data to obtain a security assessment result;
and a synchronization unit, configured to synchronize the connection table of the transmitted packets to the slave firewall if the security assessment result is network security, and otherwise to stop the synchronization of the connection table, where the slave firewall forwards packets based on the synchronized connection table when it determines that the master firewall is abnormal.
In one embodiment, the security assessment result is determined according to at least one of an intrusion prevention system attack rate and a virus defense infection rate;
the intrusion prevention system attack rate is determined from the attack packets in the packet data;
the virus defense infection rate is determined from the virus packets in the packet data.
In one embodiment, the assessment unit is configured to:
determine the number of attack packets and the total number of packets from the packet data;
determine the intrusion prevention system attack rate from the ratio of the number of attack packets to the total number of packets;
and, if the intrusion prevention system attack rate is lower than the attack rate threshold, determine that the security assessment result is network security, otherwise determine that the security assessment result is network anomaly.
In one embodiment, the assessment unit is configured to:
determine the number of virus packets and the total number of packets from the packet data;
determine the virus defense infection rate from the ratio of the number of virus packets to the total number of packets;
and, if the virus defense infection rate is lower than the infection rate threshold, determine that the security assessment result is network security, otherwise determine that the security assessment result is network anomaly.
In one embodiment, the assessment unit is configured to:
determine the number of attack packets, the number of virus packets and the total number of packets from the packet data;
determine the intrusion prevention system attack rate from the ratio of the number of attack packets to the total number of packets;
determine the virus defense infection rate from the ratio of the number of virus packets to the total number of packets;
and, if the intrusion prevention system attack rate and the virus defense infection rate are determined to meet the network security condition, determine that the security assessment result is network security, otherwise determine that the security assessment result is network anomaly.
In one embodiment, the network security condition includes at least one of:
the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than an anomaly threshold, where the weighted sum is obtained by weighting and summing the intrusion prevention system attack rate and the virus defense infection rate;
and, the intrusion prevention system attack rate is lower than the attack rate threshold and the virus defense infection rate is lower than the infection rate threshold.
In one aspect, an electronic device is provided, comprising a processor and a memory, the memory storing computer readable instructions which, when executed by the processor, perform the steps of the method provided in any of the various alternative implementations of synchronization control described above.
In one aspect, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, performs the steps of the method as provided in any of the various alternative implementations of synchronization control.
In one aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the steps of the method as provided in any of the various alternative implementations of synchronization control described above.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, and it should be understood that the following drawings only show some embodiments of the present application, and therefore should not be considered as limiting the scope, from which other related figures can be derived by those of ordinary skill in the art without inventive faculty.
Fig. 1 is a flowchart of a method for synchronization control according to an embodiment of the present application;
fig. 2 is a detailed flowchart of a method for synchronization control according to an embodiment of the present application;
fig. 3 is a block diagram of a synchronous control apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
First, some terms referred to in the embodiments of the present application will be described to facilitate understanding by those skilled in the art.
The terminal equipment: may be a mobile terminal, a fixed terminal, or a portable terminal such as a mobile handset, station, unit, device, multimedia computer, multimedia tablet, internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system device, personal navigation device, personal digital assistant, audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, gaming device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the terminal device can support any type of interface to the user (e.g., wearable device), and the like.
A server: may be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, big data and artificial intelligence platforms.
In order to reduce transmission interruption of service data when service forwarding is processed through a firewall, embodiments of the present application provide a method, an apparatus, an electronic device, and a computer-readable storage medium for synchronization control.
The embodiments of this application apply to a firewall service forwarding scenario (such as a dual-device hot standby environment). The scenario includes a master firewall and a slave firewall. The master firewall is responsible for traffic forwarding. While the master firewall operates normally, the slave firewall is idle. When the master firewall is determined to have failed, the slave firewall forwards packets based on the connection table synchronized from the master firewall; the slave firewall is switched to the master role, and service forwarding continues through the newly switched master. The master firewall and the slave firewall are both electronic devices, which may be servers or terminal devices. The number of master and slave firewalls may be set according to the actual application scenario, for example one of each, and is not limited here.
Referring to fig. 1, a flowchart of a method for synchronization control according to an embodiment of the present application is applied to a main firewall, and the method includes the following specific implementation processes:
Step 100: performing a network security assessment based on the packet data to obtain a security assessment result.
Step 101: if the security assessment result is network security, synchronizing the connection table of the transmitted packets to the slave firewall, otherwise stopping the synchronization of the connection table, where the slave firewall forwards packets based on the synchronized connection table when it determines that the master firewall is abnormal.
To assess the network accurately, the security assessment result may be determined according to at least one of an Intrusion Prevention System (IPS) attack rate and a virus defense infection rate (Anti-Virus Detection rate, AV Detection rate); the security assessment result is either network security or network anomaly. The intrusion prevention system attack rate is determined from the attack packets in the packet data; the virus defense infection rate is determined from the virus packets in the packet data.
It should be noted that the network security assessment may be performed in real time or periodically, or as set according to the actual application scenario, which is not limited here.
In one embodiment, step 100 may be performed in any of the following modes:
Mode 1: determining the security assessment result based on the intrusion prevention system attack rate.
Specifically, the number of attack packets and the total number of packets are determined from the packet data; the intrusion prevention system attack rate is determined from the ratio of the number of attack packets to the total number of packets; and if the intrusion prevention system attack rate is lower than the attack rate threshold, the security assessment result is determined to be network security, otherwise it is determined to be network anomaly.
As an example, the ratio of the number of attack packets to the total number of packets is taken as the intrusion prevention system attack rate.
In practice, the attack rate threshold may be set according to the actual application scenario, for example 0.6, and is not limited here.
Mode 2: determining the security assessment result based on the virus defense infection rate.
Specifically, the number of virus packets and the total number of packets are determined from the packet data; the virus defense infection rate is determined from the ratio of the number of virus packets to the total number of packets; and if the virus defense infection rate is lower than the infection rate threshold, the security assessment result is determined to be network security, otherwise it is determined to be network anomaly.
As an example, the ratio of the number of virus packets to the total number of packets is taken as the virus defense infection rate.
In practice, the infection rate threshold may be set according to the actual application scenario, for example 0.2, and is not limited here.
Mode 3: determining the security assessment result based on both the intrusion prevention system attack rate and the virus defense infection rate.
Specifically, the number of attack packets, the number of virus packets and the total number of packets are determined from the packet data; the intrusion prevention system attack rate is determined from the ratio of the number of attack packets to the total number of packets; the virus defense infection rate is determined from the ratio of the number of virus packets to the total number of packets; and if the intrusion prevention system attack rate and the virus defense infection rate are determined to meet the network security condition, the security assessment result is determined to be network security, otherwise it is determined to be network anomaly.
In one embodiment, the network security condition includes at least one of:
Condition 1: the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than the anomaly threshold.
Here the weighted sum is obtained by weighting and summing the intrusion prevention system attack rate and the virus defense infection rate.
As an example, a first weight set for the intrusion prevention system attack rate and a second weight set for the virus defense infection rate are obtained, and the weighted sum is computed from the intrusion prevention system attack rate, the first weight, the virus defense infection rate and the second weight.
It should be noted that if the first weight and the second weight are equal, the network security condition may simply be: the sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than the anomaly threshold.
In practice, the first weight, the second weight and the anomaly threshold may be set according to the actual application scenario and are not limited here.
Condition 2: the intrusion prevention system attack rate is lower than the attack rate threshold, and the virus defense infection rate is lower than the infection rate threshold.
As an example, if the intrusion prevention system attack rate is determined to be lower than the attack rate threshold and the virus defense infection rate is determined to be lower than the infection rate threshold, the security assessment result is determined to be network security, otherwise it is determined to be network anomaly.
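The three assessment modes and the two network security conditions above (and the identical embodiments listed in the summary section) reduce to a small amount of counting and comparison. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes a constructed firewall log format in which each line carries a `verdict=` field set by the IPS/AV engines (`clean`, `attack` or `virus`); the attack rate threshold 0.6 and infection rate threshold 0.2 are the description's own example values, while the weights and the anomaly threshold are assumed values. The constructed "noisy" window shows why the description offers several modes: Mode 1 alone still reports network security for it, while Mode 2 and both Mode 3 conditions report network anomaly.

```python
"""Security assessment for connection-table synchronization control (added example).

Log format, weights and the anomaly threshold are constructed assumptions;
0.6 and 0.2 are the thresholds the description gives as examples.
"""
from collections import Counter

SECURE = "network security"
ANOMALY = "network anomaly"

# Constructed sample windows (not real firewall output): 10 packets each.
# QUIET_WINDOW: 1 attack, 1 virus.  NOISY_WINDOW: 3 attack, 4 virus.
QUIET_WINDOW = """\
2022-06-30T10:00:01 verdict=clean  src=10.0.0.5 dst=203.0.113.7 proto=tcp
2022-06-30T10:00:01 verdict=clean  src=10.0.0.6 dst=203.0.113.7 proto=tcp
2022-06-30T10:00:02 verdict=attack src=198.51.100.9 dst=10.0.0.5 proto=tcp
2022-06-30T10:00:02 verdict=clean  src=10.0.0.5 dst=203.0.113.7 proto=tcp
2022-06-30T10:00:03 verdict=virus  src=203.0.113.8 dst=10.0.0.6 proto=tcp
2022-06-30T10:00:03 verdict=clean  src=10.0.0.7 dst=203.0.113.7 proto=udp
2022-06-30T10:00:04 verdict=clean  src=10.0.0.5 dst=203.0.113.7 proto=tcp
2022-06-30T10:00:04 verdict=clean  src=10.0.0.6 dst=203.0.113.7 proto=tcp
2022-06-30T10:00:05 verdict=clean  src=10.0.0.7 dst=203.0.113.7 proto=udp
2022-06-30T10:00:05 verdict=clean  src=10.0.0.5 dst=203.0.113.7 proto=tcp
"""
NOISY_WINDOW = """\
2022-06-30T11:00:01 verdict=attack src=198.51.100.9 dst=10.0.0.5 proto=tcp
2022-06-30T11:00:01 verdict=virus  src=203.0.113.8 dst=10.0.0.6 proto=tcp
2022-06-30T11:00:02 verdict=clean  src=10.0.0.5 dst=203.0.113.7 proto=tcp
2022-06-30T11:00:02 verdict=attack src=198.51.100.9 dst=10.0.0.6 proto=tcp
2022-06-30T11:00:03 verdict=virus  src=203.0.113.8 dst=10.0.0.7 proto=tcp
2022-06-30T11:00:03 verdict=virus  src=203.0.113.8 dst=10.0.0.5 proto=tcp
2022-06-30T11:00:04 verdict=clean  src=10.0.0.7 dst=203.0.113.7 proto=udp
2022-06-30T11:00:04 verdict=attack src=198.51.100.9 dst=10.0.0.7 proto=tcp
2022-06-30T11:00:05 verdict=virus  src=203.0.113.8 dst=10.0.0.6 proto=tcp
2022-06-30T11:00:05 verdict=clean  src=10.0.0.6 dst=203.0.113.7 proto=tcp
"""


def count_verdicts(log_text):
    """Return (attack packets, virus packets, total packets) for one log window."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])  # skip timestamp
        counts[fields["verdict"]] += 1
        counts["total"] += 1
    return counts["attack"], counts["virus"], counts["total"]


def compute_rates(log_text):
    """IPS attack rate and AV infection rate: flagged packets over total packets.
    An empty window has flagged nothing, so both rates are reported as 0.0."""
    attacks, viruses, total = count_verdicts(log_text)
    if total == 0:
        return 0.0, 0.0
    return attacks / total, viruses / total


def assess_mode1(log_text, attack_threshold=0.6):
    """Mode 1: the IPS attack rate alone decides."""
    ips_rate, _ = compute_rates(log_text)
    return SECURE if ips_rate < attack_threshold else ANOMALY


def assess_mode2(log_text, infection_threshold=0.2):
    """Mode 2: the AV infection rate alone decides."""
    _, av_rate = compute_rates(log_text)
    return SECURE if av_rate < infection_threshold else ANOMALY


def condition_weighted_sum(ips_rate, av_rate, w_ips=0.5, w_av=0.5,
                           anomaly_threshold=0.3):
    """Condition 1: weighted sum of both rates below the anomaly threshold.
    Weights and threshold are assumed values, not from the description."""
    return w_ips * ips_rate + w_av * av_rate < anomaly_threshold


def condition_both_thresholds(ips_rate, av_rate, attack_threshold=0.6,
                              infection_threshold=0.2):
    """Condition 2: each rate below its own threshold."""
    return ips_rate < attack_threshold and av_rate < infection_threshold


def assess_mode3(log_text, condition=condition_weighted_sum):
    """Mode 3: both rates are computed and checked against a network security condition."""
    ips_rate, av_rate = compute_rates(log_text)
    return SECURE if condition(ips_rate, av_rate) else ANOMALY


if __name__ == "__main__":
    for name, window in (("quiet", QUIET_WINDOW), ("noisy", NOISY_WINDOW)):
        print(name, compute_rates(window), assess_mode1(window), assess_mode2(window),
              assess_mode3(window), assess_mode3(window, condition_both_thresholds))
```

Because `condition_weighted_sum` and `condition_both_thresholds` share one signature, either can be passed to `assess_mode3`, which mirrors the description's "at least one of" the two conditions.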
To achieve both network security and continuity of data transmission, step 101 may be performed as follows:
If the security assessment result is network security, the connection table of the received packets is marked and the marked connection table is synchronized to the slave firewall. The slave firewall receives and stores the connection table sent by the master firewall and, when it determines that the master firewall has failed, processes the packet forwarding service based on the received connection table.
If the security assessment result is network anomaly, marking of the connection table of the received packets is stopped, and synchronization of the connection table to the slave firewall therefore stops. When the master firewall then fails, the slave firewall has no connection table synchronized from the master, so the already connected packet forwarding service is interrupted.
Thus whether the connection table is synchronized is adjusted adaptively according to the security assessment result, so that network security and data transmission continuity are both taken into account.
Furthermore, a manual switch may be used to control whether the adaptive synchronization mode is enabled. Referring to fig. 2, a detailed flowchart of a method for synchronization control according to an embodiment of the present application, the synchronization control of fig. 1 is further described with reference to fig. 2; the method is implemented in the following specific steps:
Step 200: the current synchronization control mode is acquired.
Step 201: determine whether the synchronization control mode has been manually turned on; if so, execute step 205, otherwise execute step 202.
Step 202: determine whether the adaptive adjustment mode is turned on; if so, execute step 203, otherwise execute step 206.
Step 203: periodically perform the network security assessment based on the packet data to obtain a security assessment result.
Step 204: determine from the security assessment result whether the network is secure; if so, execute step 205, otherwise execute step 206.
Step 205: synchronize the connection table of the transmitted packets to the slave firewall.
Step 206: stop the synchronization of the connection table.
As one example, a switch for the synchronization control mode is provided in the synchronization control interface. After it is determined from the user's manual enabling operation (such as ticking a checkbox) that the synchronization control mode has been manually enabled, the master firewall synchronizes the connection table generated from the received messages to the slave firewall.
As another example, when it is determined from the user's operation that the synchronization control mode has not been manually enabled but the adaptive adjustment mode has been enabled, whether to synchronize the connection table is decided according to the security evaluation result. Specifically, after the user's adaptive adjustment enabling operation is detected, network security evaluation is performed in real time and the synchronization operation is started or stopped according to the security evaluation result; the security evaluation result is then refreshed periodically according to a set duration, and the synchronization operation is restarted or stopped based on the refreshed result.
In practical applications, the set duration may be chosen according to the actual application scenario, for example 1 week; it is not limited here.
As another example, the master firewall and the slave firewall are in a dual-machine hot-standby mode with identical configurations, and both are in the adaptive adjustment mode. While a client downloads data from a server through the master firewall, if the sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than the abnormal threshold, the master firewall generates a connection table from the forwarded messages as it forwards them, marks the connection table, and synchronizes the marked connection table to the slave firewall. When the monitoring interface of the master firewall is determined to be interrupted (that is, the master firewall has failed), the slave firewall switches from standby to master. After the switch, the slave firewall takes over message forwarding from the master firewall based on the synchronized connection table, so the download between the client and the server is not interrupted and the reliability of the network is ensured.
As another example, the master firewall and the slave firewall are in a dual-machine hot-standby mode with identical configurations, and both are in the adaptive adjustment mode. While a client downloads data from a server through the master firewall, if the sum of the intrusion prevention system attack rate and the virus defense infection rate is not lower than the abnormal threshold, the master firewall does not mark the connection table generated from the forwarded messages, so synchronization of the connection table to the slave firewall stops and the connection table cannot be found on the slave firewall. When the monitoring interface of the master firewall is determined to be interrupted (that is, the master firewall has failed), the slave firewall switches from standby to master. After the switch, because the slave firewall holds no connection table, the download channel between the client and the server is interrupted and the connection must be re-established, thereby ensuring the security of the network.
In the embodiment of the present application, network security is evaluated periodically and whether the connection table is synchronized is adjusted adaptively according to the security evaluation result, which improves the flexibility of connection table synchronization. When the network is determined to be secure, the connection table is synchronized to the slave firewall so that the data connection is not interrupted, that is, service connectivity is ensured. When a network anomaly (that is, an insecure network) is determined, synchronization of the connection table to the slave firewall is stopped to ensure the security of the network and avoid network attacks, so the user need not worry about data security. Both the reliability of the network connection and the security of the network are thus taken into account and brought to a better balance.
Based on the same inventive concept, an embodiment of the present application further provides a device for synchronization control. Because the principle by which the device solves the problem is similar to that of the method for synchronization control, the implementation of the device can refer to the implementation of the method, and repeated details are omitted.
As shown in fig. 3, a schematic structural diagram of a synchronization control device provided in an embodiment of the present application, the synchronization control device includes:
an evaluation unit 301, configured to perform network security evaluation based on the message data to obtain a security evaluation result; and
a synchronization unit 302, configured to synchronize the connection table of the transmitted messages to the slave firewall if the security evaluation result is determined to be network security, and otherwise to stop the synchronization operation of the connection table, where the slave firewall is configured to forward messages based on the synchronized connection table when the master firewall is determined to be abnormal.
In one embodiment, the security evaluation result is determined according to at least one of an intrusion prevention system attack rate and a virus defense infection rate;
the intrusion prevention system attack rate is determined according to the attack messages in the message data; and
the virus defense infection rate is determined according to the virus messages in the message data.
In one embodiment, the evaluation unit 301 is configured to:
determine the number of attack messages and the total number of messages according to the message data;
determine the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages; and
if the intrusion prevention system attack rate is lower than the attack rate threshold, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
In one embodiment, the evaluation unit 301 is configured to:
determine the number of virus messages and the total number of messages according to the message data;
determine the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the virus defense infection rate is lower than the infection rate threshold, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
In one embodiment, the evaluation unit 301 is configured to:
determine the number of attack messages, the number of virus messages and the total number of messages according to the message data;
determine the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages;
determine the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the intrusion prevention system attack rate and the virus defense infection rate are determined to satisfy the network security condition, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
In one embodiment, the network security condition includes at least one of:
the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than an abnormal threshold, where the weighted sum is obtained by weighted summation of the intrusion prevention system attack rate and the virus defense infection rate; and
the intrusion prevention system attack rate is lower than the attack rate threshold and the virus defense infection rate is lower than the infection rate threshold.
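The evaluation unit described above and the mode decision of steps 200-206 in fig. 2, as an added example in Python that is not part of the patent. The message flags, policy fields, weights, thresholds and sample traffic windows are all constructed for the example; the patent fixes none of these values, and its handling of an empty evaluation window is likewise an assumption made here.

```python
"""Adaptive connection-table synchronization control (added example).

Implements the security evaluation of the evaluation unit (attack rate,
infection rate, weighted-sum and per-threshold conditions) and the
decision of steps 200-206 of the flowchart. All names, weights,
thresholds and sample traffic below are assumptions constructed for the
example; they are not taken from the patent.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    SECURE = "network security"
    ANOMALY = "network anomaly"


class SyncMode(Enum):
    MANUAL_ON = "manual"      # step 201: user switched synchronization on
    ADAPTIVE = "adaptive"     # step 202: decide from the security evaluation
    OFF = "off"               # neither switch set


@dataclass(frozen=True)
class Message:
    """One forwarded packet with the verdicts the IPS / AV engines attached."""
    seq: int
    is_attack: bool = False   # flagged by the intrusion prevention system
    is_virus: bool = False    # flagged by the virus defense engine


@dataclass(frozen=True)
class Policy:
    """Thresholds and weights (assumed values; the patent leaves them open)."""
    attack_rate_threshold: float
    infection_rate_threshold: float
    abnormal_threshold: float
    attack_weight: float = 0.5
    virus_weight: float = 0.5
    use_weighted_sum: bool = True   # which of the two security conditions applies


def count_messages(messages):
    """Return (attack messages, virus messages, total messages) for a window."""
    attacks = sum(1 for m in messages if m.is_attack)
    viruses = sum(1 for m in messages if m.is_virus)
    return attacks, viruses, len(messages)


def compute_rates(messages):
    """Attack rate and infection rate as ratios to the total message count.

    An empty window has no traffic to judge; returning 0.0 / 0.0 (secure)
    is an assumption of this example, not something the patent states.
    """
    attacks, viruses, total = count_messages(messages)
    if total == 0:
        return 0.0, 0.0
    return attacks / total, viruses / total


def weighted_sum(attack_rate, infection_rate, policy):
    """Weighted summation of the two rates, as in the first security condition."""
    return policy.attack_weight * attack_rate + policy.virus_weight * infection_rate


def meets_security_condition(attack_rate, infection_rate, policy):
    """The two alternative network security conditions of the embodiment."""
    if policy.use_weighted_sum:
        return weighted_sum(attack_rate, infection_rate, policy) < policy.abnormal_threshold
    return (attack_rate < policy.attack_rate_threshold
            and infection_rate < policy.infection_rate_threshold)


def evaluate(messages, policy):
    """Security evaluation result for one evaluation period (step 203)."""
    attack_rate, infection_rate = compute_rates(messages)
    if meets_security_condition(attack_rate, infection_rate, policy):
        return Verdict.SECURE
    return Verdict.ANOMALY


def should_sync(mode, messages, policy):
    """Steps 200-206: decide whether the master synchronizes its connection table."""
    if mode is SyncMode.MANUAL_ON:        # step 201 -> step 205
        return True
    if mode is SyncMode.ADAPTIVE:         # step 202 -> 203 -> 204
        return evaluate(messages, policy) is Verdict.SECURE
    return False                          # step 206: stop synchronizing


def sample_window(total, attacks, viruses):
    """Constructed traffic window: the first `attacks` packets carry IPS hits,
    the next `viruses` packets carry AV hits, the rest are clean."""
    return [Message(seq=i, is_attack=i < attacks,
                    is_virus=attacks <= i < attacks + viruses)
            for i in range(total)]


if __name__ == "__main__":
    policy = Policy(attack_rate_threshold=0.05, infection_rate_threshold=0.05,
                    abnormal_threshold=0.05)
    quiet = sample_window(total=100, attacks=3, viruses=2)    # rates 0.03 / 0.02
    noisy = sample_window(total=100, attacks=20, viruses=5)   # rates 0.20 / 0.05
    for name, window in (("quiet", quiet), ("noisy", noisy)):
        print(name, compute_rates(window), evaluate(window, policy).value,
              "sync" if should_sync(SyncMode.ADAPTIVE, window, policy) else "stop")
```

Switching `use_weighted_sum` off selects the second condition, where each rate is compared with its own threshold instead of the weighted sum with the abnormal threshold.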
In the method, device, electronic device and computer-readable storage medium for synchronization control provided by the embodiments of the present application, network security evaluation is performed based on message data to obtain a security evaluation result; if the security evaluation result is determined to be network security, the connection table of the transmitted messages is synchronized to the slave firewall, otherwise the synchronization operation of the connection table is stopped, where the slave firewall forwards messages based on the synchronized connection table when it determines that the master firewall is abnormal. Whether the connection table is synchronized is therefore controlled by the security evaluation result, taking both the security of the network and the continuity of service transmission into account.
Fig. 4 shows a schematic structural diagram of an electronic device 4000. Referring to fig. 4, the electronic device 4000 includes a processor 4010 and a memory 4020, and may further include a power supply 4030, a display unit 4040 and an input unit 4050.
The processor 4010 is a control center of the electronic device 4000, connects each component using various interfaces and lines, and executes various functions of the electronic device 4000 by running or executing software programs and/or data stored in the memory 4020, thereby integrally monitoring the electronic device 4000.
In the embodiment of the present application, the processor 4010 executes each step in the above embodiments when calling the computer program stored in the memory 4020.
Optionally, the processor 4010 may comprise one or more processing units; preferably, the processor 4010 may integrate an application processor, which mainly handles the operating system, user interface, applications and the like, and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 4010. In some embodiments the processor and the memory may be implemented on a single chip, and in other embodiments they may be implemented on separate chips.
The memory 4020 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, various applications and the like, and the data storage area may store data created during use of the electronic device 4000 and the like. Further, the memory 4020 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device.
Electronic device 4000 also includes a power supply 4030 (e.g., a battery) to provide power to various components, which may be logically coupled to processor 4010 via a power management system to enable management of charging, discharging, and power consumption via the power management system.
The display unit 4040 may be configured to display information input by the user or provided to the user, the various menus of the electronic device 4000, and the like. The display unit 4040 may include a display panel 4041, which may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like.
The input unit 4050 may be used to receive information input by a user, such as numbers or characters. The input unit 4050 may include a touch panel 4051 and other input devices 4052. Touch panel 4051, also referred to as a touch screen, may collect touch operations by a user on or near the touch panel 4051 (e.g., operations by a user on or near touch panel 4051 using a finger, a stylus, or any other suitable object or attachment).
Specifically, the touch panel 4051 may detect a touch operation of the user, detect the signals generated by the touch operation, convert the signals into touch point coordinates, transmit the touch point coordinates to the processor 4010, and receive and execute commands sent by the processor 4010. In addition, the touch panel 4051 may be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave. The other input devices 4052 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and power on/off keys), a trackball, a mouse, a joystick, and the like.
Of course, the touch panel 4051 may cover the display panel 4041, and when the touch panel 4051 detects a touch operation thereon or nearby, the touch operation is transmitted to the processor 4010 to determine the type of the touch event, and then the processor 4010 provides a corresponding visual output on the display panel 4041 according to the type of the touch event. Although in fig. 4, the touch panel 4051 and the display panel 4041 are two separate components to implement the input and output functions of the electronic apparatus 4000, in some embodiments, the touch panel 4051 and the display panel 4041 may be integrated to implement the input and output functions of the electronic apparatus 4000.
The electronic device 4000 may also include one or more sensors, such as pressure sensors, gravitational acceleration sensors, proximity light sensors, and the like. Of course, the electronic device 4000 may further include other components such as a camera, which are not shown in fig. 4 and will not be described in detail since they are not components used in the embodiment of the present application.
Those skilled in the art will appreciate that fig. 4 is merely an example of an electronic device and is not limiting of electronic devices and may include more or fewer components than those shown, or some components may be combined, or different components.
In an embodiment of the present application, a computer-readable storage medium has a computer program stored thereon, and when the computer program is executed by a processor, the steps in the above embodiments are performed.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (14)

1. A method for synchronization control, applied to a master firewall, comprising:
performing network security evaluation based on message data to obtain a security evaluation result; and
if the security evaluation result is determined to be network security, synchronizing the connection table of the transmitted messages to a slave firewall, otherwise stopping the synchronization operation of the connection table, wherein the slave firewall is configured to forward messages based on the synchronized connection table when it determines that the master firewall is abnormal.
2. The method of claim 1, wherein the security evaluation result is determined according to at least one of an intrusion prevention system attack rate and a virus defense infection rate;
the intrusion prevention system attack rate is determined according to attack messages in the message data; and
the virus defense infection rate is determined according to virus messages in the message data.
3. The method of claim 2, wherein performing network security evaluation based on the message data to obtain a security evaluation result comprises:
determining the number of attack messages and the total number of messages according to the message data;
determining the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages; and
if the intrusion prevention system attack rate is lower than an attack rate threshold, determining that the security evaluation result is network security, otherwise determining that the security evaluation result is network anomaly.
4. The method of claim 2, wherein performing network security evaluation based on the message data to obtain a security evaluation result comprises:
determining the number of virus messages and the total number of messages according to the message data;
determining the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the virus defense infection rate is lower than an infection rate threshold, determining that the security evaluation result is network security, otherwise determining that the security evaluation result is network anomaly.
5. The method of claim 2, wherein performing network security evaluation based on the message data to obtain a security evaluation result comprises:
determining the number of attack messages, the number of virus messages and the total number of messages according to the message data;
determining the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages;
determining the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the intrusion prevention system attack rate and the virus defense infection rate are determined to satisfy a network security condition, determining that the security evaluation result is network security, otherwise determining that the security evaluation result is network anomaly.
6. The method of claim 5, wherein the network security condition comprises at least one of:
the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than an abnormal threshold, wherein the weighted sum is obtained by weighted summation of the intrusion prevention system attack rate and the virus defense infection rate; and
the intrusion prevention system attack rate is lower than an attack rate threshold and the virus defense infection rate is lower than an infection rate threshold.
7. A device for synchronization control, comprising:
an evaluation unit, configured to perform network security evaluation based on message data to obtain a security evaluation result; and
a synchronization unit, configured to synchronize the connection table of the transmitted messages to a slave firewall if the security evaluation result is determined to be network security, and otherwise to stop the synchronization operation of the connection table, wherein the slave firewall is configured to forward messages based on the synchronized connection table when it determines that the master firewall is abnormal.
8. The device of claim 7, wherein the security evaluation result is determined according to at least one of an intrusion prevention system attack rate and a virus defense infection rate;
the intrusion prevention system attack rate is determined according to attack messages in the message data; and
the virus defense infection rate is determined according to virus messages in the message data.
9. The device of claim 8, wherein the evaluation unit is configured to:
determine the number of attack messages and the total number of messages according to the message data;
determine the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages; and
if the intrusion prevention system attack rate is lower than an attack rate threshold, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
10. The device of claim 8, wherein the evaluation unit is configured to:
determine the number of virus messages and the total number of messages according to the message data;
determine the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the virus defense infection rate is lower than an infection rate threshold, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
11. The device of claim 8, wherein the evaluation unit is configured to:
determine the number of attack messages, the number of virus messages and the total number of messages according to the message data;
determine the intrusion prevention system attack rate according to the ratio of the number of attack messages to the total number of messages;
determine the virus defense infection rate according to the ratio of the number of virus messages to the total number of messages; and
if the intrusion prevention system attack rate and the virus defense infection rate are determined to satisfy a network security condition, determine that the security evaluation result is network security, otherwise determine that the security evaluation result is network anomaly.
12. The device of claim 11, wherein the network security condition comprises at least one of:
the weighted sum of the intrusion prevention system attack rate and the virus defense infection rate is lower than an abnormal threshold, wherein the weighted sum is obtained by weighted summation of the intrusion prevention system attack rate and the virus defense infection rate; and
the intrusion prevention system attack rate is lower than an attack rate threshold and the virus defense infection rate is lower than an infection rate threshold.
13. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-6.
14. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 6.
CN202210771104.7A 2022-06-30 2022-06-30 Method and device for synchronous control, electronic equipment and computer readable storage medium Active CN115150167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210771104.7A CN115150167B (en) 2022-06-30 2022-06-30 Method and device for synchronous control, electronic equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210771104.7A CN115150167B (en) 2022-06-30 2022-06-30 Method and device for synchronous control, electronic equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115150167A true CN115150167A (en) 2022-10-04
CN115150167B CN115150167B (en) 2024-03-12

Family

ID=83410689

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210771104.7A Active CN115150167B (en) 2022-06-30 2022-06-30 Method and device for synchronous control, electronic equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115150167B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040015474A (en) * 2002-08-13 2004-02-19 시큐아이닷컴 주식회사 Network system and method of asymmetric traffic processing for load dispersion
CN1794644A (en) * 2005-12-31 2006-06-28 西安交大捷普网络科技有限公司 Link backup method of fire wall
CN101651680A (en) * 2009-09-14 2010-02-17 杭州华三通信技术有限公司 Network safety allocating method and network safety device
CN101848100A (en) * 2009-03-23 2010-09-29 北京鼎信高科信息技术有限公司 Fire wall dual-computer hot-standby system based on CONNTRACK synchronism
CN103051612A (en) * 2012-12-13 2013-04-17 华为技术有限公司 Firewall and method for preventing network attack
CN103441987A (en) * 2013-07-30 2013-12-11 曙光信息产业(北京)有限公司 Method and device for managing dual-computer firewall system
US8918785B1 (en) * 2010-12-29 2014-12-23 Amazon Technologies, Inc. Managing virtual machine network through security assessment
CN104506513A (en) * 2014-12-16 2015-04-08 北京星网锐捷网络技术有限公司 Firewall flow graph backup method, firewall and firewall system
US20170230333A1 (en) * 2016-02-08 2017-08-10 Cryptzone North America, Inc. Protecting network devices by a firewall
CN107733878A (en) * 2017-09-29 2018-02-23 国网甘肃省电力公司电力科学研究院 A kind of safety device of industrial control system
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
CN111083174A (en) * 2019-12-31 2020-04-28 北京力控华康科技有限公司 Firewall dual-computer hot standby system, standby firewall and state processing method and device
KR20210101519A (en) * 2020-02-10 2021-08-19 정혜영 Efficient Web Server Security System and Method Using Web Firewall

Also Published As

Publication number Publication date
CN115150167B (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant