WO2009097715A1 - Device for uniform threat management and method for loading threat defense modules - Google Patents


Info

Publication number
WO2009097715A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
threat
priority
unified
management device
Prior art date
Application number
PCT/CN2008/072237
Other languages
French (fr)
Chinese (zh)
Inventor
Xiuying Ni
Original Assignee
Chengdu Huawei Symantec Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Chengdu Huawei Symantec Technologies Co., Ltd.
Publication of WO2009097715A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • the present invention relates to a network processing device and an application method thereof, and in particular, to a unified threat management device (UTM) and a method for loading a threat defense module.
  • UTM unified threat management device
  • Unified Threat Management devices integrate a firewall with some application-layer threat defense functions, including Anti-Virus (AV), Intrusion Prevention System (IPS), Anti-Spam (AS) and unified resource location filtering; these functions need not all be used at the same time.
  • a UTM device may have only some of these functions.
  • the firewall module provides forwarding and single-packet detection, and functions such as Network Address Translation (NAT) and Virtual Private Network (VPN).
  • the IPS module provides content depth detection to filter packets containing malicious content.
  • the AS module provides the function of detecting emails. It filters most of the spam by filtering the sender's IP, email header, and email body content.
  • the AV module provides virus scanning for packets: it restores the packets into files, pre-processes them (decompression, unpacking, etc.) and scans them for viruses.
  • the unified resource location filtering module filters the requested uniform resource location according to a predefined uniform resource location blacklist or a uniform resource location classification.
  • FIG. 1 is a schematic diagram of a network structure in which a unified threat management device is applied in the prior art.
  • the unified threat management device is deployed at the egress of the enterprise network as a gateway device to receive packets.
  • the unified threat management device sends packets to different function modules for security detection according to the characteristics of the packets, mainly their application-layer protocol. For example, packets of a mail protocol are sent to the AS module for further detection, and HTTP request packets are sent to the unified resource location filtering module.
  • the existing unified threat management device has the following defects:
  • the existing software system can meet the performance requirements of the firewall alone, because the firewall does not further analyze or filter the packet content.
  • the unified threat management device needs to perform security analysis and detection on a large amount of packet content; functions such as anti-spam and anti-virus all need to scan the entire message to determine whether it is safe.
  • the software in the existing unified threat management device cannot meet the processing performance requirements of the device, and hardware acceleration makes the device cost rise rapidly.
  • QoS (Quality of Service) technology provides specific services on an IP network with the service levels they require.
  • It mainly guarantees throughput, delay, jitter and packet loss rate. From the current application, it is mainly to provide transmission quality assurance for applications such as voice and video that are sensitive to delay packet loss.
  • once the QoS function is enabled, the overall performance of the unified threat management device is further reduced, and the throughput cannot be increased.
  • the embodiments of the present invention provide a unified threat management device and a method for loading a threat defense module, so as to dynamically adjust various defense functions, and maintain normal service processing of the device to ensure the throughput of the device.
  • the present invention provides a unified threat management device, including: at least one threat defense module, configured to perform security detection on a packet;
  • the adaptive loading module is configured to dynamically load the threat defense module according to processing performance information of the unified threat management device.
  • the invention also provides a method for loading a threat defense module, comprising: After receiving the packet, obtain the processing performance information of the unified threat management device.
  • the threat defense module is loaded according to the processing performance information.
  • the embodiment of the present invention dynamically loads the threat defense module in an adaptive dynamic adjustment mode, that is, according to the processing performance of the device; this takes into account both the various security defense functions and the normal service processing capability of the device, and guarantees the throughput of the device to the greatest extent.
  • FIG. 1 is a schematic structural diagram of a network in which a unified threat management device is applied in the prior art
  • FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention
  • FIG. 3 is another schematic structural diagram of a unified threat management device according to an embodiment of the present invention.
  • FIG. 4 is another schematic structural diagram of a unified threat management device according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for loading a threat defense module according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention, including: at least one threat defense module 1 configured to perform security detection on a packet;
  • the adaptive loading module 2 is configured to dynamically load the threat defense module according to the processing performance information of the unified threat management device.
  • the threat defense module 1 may be any one or more of the firewall module 11, the unified resource location filtering module 12, the spam filtering module 13, the virus scanning module 14 and the intrusion detection module 15 in the embodiment of the present invention.
  • the types and combinations of the threat defense modules can be loaded according to actual needs. This embodiment only gives a schematic diagram of a possible combination.
  • the processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information, and network traffic information.
  • the adaptive loading module dynamically loads each threat defense module based on this processing performance information, thereby taking into account the various security defense functions and the normal service processing capability of the device, and ensuring the throughput of the device to the utmost extent.
  • the embodiment of the present invention further provides another embodiment of the unified threat management device.
  • the unified threat management device further includes:
  • the configuration module 3 is configured to configure a priority of the threat defense module and store the configured priority information.
  • the adaptive loading module dynamically loads the threat defense module according to the priority information in the priority configuration module and the processing performance information of the unified threat management device.
  • the following takes the network traffic as the standard of the device performance information as an example to further illustrate the loading principle of the adaptive loading module of the embodiment of the present invention.
  • the network threshold and the priority of the threat defense module can be pre-defined by the user.
  • the priority of the firewall is set to the highest priority, and the user cannot customize it.
  • the user can define the priority of the threat defense module according to actual needs. For example, in a network architecture, users of the mail server can set the priority of the spam filtering function module to the highest and the priority of the unified resource location filtering module to be low. The user can also set the threshold of the network bandwidth as needed.
  • for example, the network-traffic points at which loading of the threat defense modules is adjusted may be set to a low threshold of 100 Mbps and a high threshold of 200 Mbps.
  • multiple network traffic thresholds may also be set, and each threat defense module may be dynamically loaded according to the network traffic thresholds and the priority of the threat defense module; for example, the thresholds may be set to 100 Mbps, 150 Mbps and 200 Mbps: when the traffic is greater than 150 Mbps the lowest-priority threat defense module is closed, and when the traffic is greater than 200 Mbps the medium-priority threat defense module is also closed.
  • when the traffic falls back below 150 Mbps, the medium-priority threat defense module is restored while the lowest-priority threat defense module remains closed; when the traffic is less than 100 Mbps, the lowest-priority threat defense module is restored.
  • this embodiment can also use the CPU usage of the unified threat management device as the measure of device performance; the CPU usage thresholds and the priorities of the function modules are pre-defined by the user. For example, the CPU usage threshold of the device can be set to 80%, and when usage is greater than 80% the lowest-priority module, the unified resource location filtering module, is closed.
  • multiple CPU usage thresholds can also be set, and each threat defense module is dynamically loaded according to the CPU usage thresholds and the priorities of the threat defense modules; for example, the thresholds can be set to 80%, 60% and 40%: when CPU usage is greater than 60% the lowest-priority threat defense module is closed, and when CPU usage is greater than 80% the medium-priority threat defense module is also closed.
  • when CPU usage falls back below 60%, the medium-priority threat defense module is restored while the lowest-priority threat defense module remains closed; when CPU usage is less than 40%, the lowest-priority threat defense module is restored.
  • the unified threat management device in the foregoing two embodiments may further include a performance detecting module, configured to detect the processing performance of the unified threat management device and send the detected processing performance information to the adaptive loading module.
  • the performance detection module may specifically include one or more of a CPU usage detection module, a memory usage detection module, and a network traffic detection module.
  • the adaptive dynamic adjustment mode, that is, dynamically loading the threat defense module according to the processing performance of the device, takes into account both the various security defense functions and the normal service processing capability of the device, and guarantees the throughput of the device to the greatest extent.
  • the thresholds of device processing performance and the priority of each threat defense module can also be set flexibly according to the actual application, which better reconciles the conflict between the security defense functions and the normal service processing capability of the device.
  • after receiving a packet, the unified threat management device obtains its own processing performance information.
  • the threat defense module is loaded according to the processing performance information.
  • priority information may also be set for multiple threat defense modules, and the multiple threat defense modules are then loaded according to their priority information and the processing performance information.
  • the device performance threshold and the priority of the function module can be pre-defined by the user.
  • when the unified threat management device receives a packet, it obtains the device performance information in real time and compares it with the preset threshold.
  • Each threat defense module is dynamically loaded according to a preset threshold and a priority of the threat defense module.
  • the foregoing multiple threat defense modules may be one or any of a firewall module, a unified resource location filtering module, a spam filtering module, a virus scanning module, and an intrusion detection module.
  • the priority of the firewall module can be set to the highest priority, and the user cannot change the priority of the firewall module.
  • the processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information, and network traffic information.
  • loading multiple threat defense modules may be specifically implemented as follows:
  • the thresholds of each level correspond one-to-one with multiple priority levels, and each threat defense module is dynamically loaded according to the preset thresholds and its priority.
  • FIG. 5 is a flowchart of a method for loading a threat defense module according to an embodiment of the present invention.
  • the performance of the unified threat management device to be considered is network traffic.
  • two network traffic thresholds are set, a high threshold and a low threshold. The specific process is as follows:
  • Step 101: after receiving the packet, check the current network traffic statistics.
  • Step 102: determine whether the current network traffic exceeds the set high threshold (for example, 200 Mbps). If so, close the threat defense module with the lowest priority according to the priorities preset by the user (for example, the unified resource location filtering module, if its priority is the lowest). Otherwise, go to step 103.
  • Step 103: determine whether the current network traffic is below the set low threshold (for example, 100 Mbps). If so, and a threat defense module has been closed, restore it (that is, re-enable the lowest-priority threat defense module). Otherwise, maintain the current state: the lowest-priority threat defense module stays closed, and a closed threat defense module does not inspect the packet.
  • the priorities of the threat defense modules can be set to lowest, medium and high, with each threshold corresponding to one priority level. For example, the network traffic thresholds can be set to 100 Mbps (corresponding to the low-priority threat defense module), 150 Mbps (corresponding to the medium-priority threat defense module) and 200 Mbps (corresponding to the high-priority threat defense module).
  • when the traffic is greater than 150 Mbps, the medium-priority threat defense module needs to be closed; when the traffic falls back below 150 Mbps, the medium-priority module is restored, and when the traffic is less than 100 Mbps, the lowest-priority threat defense module is restored.
  • the lowest-priority threat defense module: when the traffic is greater than 100 Mbps it is turned off, and when the traffic is less than 100 Mbps it is enabled;
  • the medium-priority threat defense module: when the traffic is greater than 150 Mbps it is turned off in addition to the lowest-priority module; when the traffic is less than 150 Mbps it is enabled, and the lowest-priority module remains off;
  • the high-priority threat defense module: when the traffic is greater than 200 Mbps it is turned off in addition to the lowest- and medium-priority modules; when the traffic is less than 200 Mbps it is turned on, and the lowest- and medium-priority modules remain off.
  • when the device processing performance information is CPU usage information, the implementation is similar: multiple CPU usage thresholds are set to correspond to the priority of each threat defense module, and this is not described again.
  • the user can set different threat defense modules to perform priority, in case the device processing performance is low, for example, the network traffic is small or the device

Abstract

A device for uniform threat management and a method for loading threat defense modules are disclosed. The device includes at least one threat defense module and an adaptive loading module that dynamically loads the threat defense module according to the processing performance information of the device for uniform threat management. The method includes: after the device for uniform threat management receives packets, obtaining the processing performance information of the device, and loading the threat defense module according to that processing performance information. Because the threat defense module is loaded dynamically by adaptive adjustment, that is, according to the processing performance of the device, the various security defense functions and the normal service processing capability of the device are achieved at the same time, and the maximum throughput of the device is maintained.

Description

Unified threat management device and method for loading threat defense module

Technical field
The present invention relates to a network processing device and an application method thereof, and in particular to a unified threat management (UTM) device and a method for loading a threat defense module.

Background art
With the development of network applications, network security requirements are constantly evolving. Traditional firewalls mainly detect attacks in individual packets and have insufficient defense capability against application-layer threats, so the Unified Threat Management (UTM) solution was proposed on the basis of existing firewalls. A unified threat management device integrates a firewall with some application-layer threat defense functions, including Anti-Virus (AV), Intrusion Prevention System (IPS), Anti-Spam (AS) and uniform resource location filtering. These functions do not have to be used at the same time; a UTM device may have only some of them.
The firewall module provides forwarding and single-packet detection, together with functions such as Network Address Translation (NAT) and Virtual Private Network (VPN); the IPS module provides deep content inspection and filters packets that contain malicious content; the AS module detects mail, filtering most spam by means such as filtering the sender's IP address, the mail header and the mail body; the AV module scans packets for viruses, restoring the packets into files, pre-processing them (decompression, unpacking, etc.) and scanning them for viruses; the uniform resource location filtering module filters requested uniform resource locations according to a predefined uniform resource location blacklist or whitelist, or a uniform resource location classification.
FIG. 1 is a schematic diagram of a network structure in which a unified threat management device is applied in the prior art. The unified threat management device is deployed at the egress of the enterprise network as a gateway device that receives packets and, according to their characteristics, mainly their application-layer protocol, sends them to different function modules for security detection. For example, mail-protocol packets are sent to the AS module for further detection, and HTTP request packets are sent to the uniform resource location filtering module.
Existing unified threat management devices have the following defects:
1) With an existing unified threat management device, when only firewall security defense is enabled, the existing software system can meet the firewall's performance requirements because the firewall performs no further analysis or filtering of packet content. In most cases, however, the unified threat management device needs to perform security analysis and detection on a large amount of packet content; anti-spam, anti-virus and the like all need to scan the entire content of a message to determine whether it is safe. The software in existing unified threat management devices cannot meet the device's processing performance requirements, and using hardware acceleration makes the device cost rise rapidly.
2) Once network traffic exceeds the processing capacity of the unified threat management device, packets are discarded at random; all services may be severely affected, and the operation of critical services cannot be guaranteed.
3) QoS (Quality of Service) technology provides specific services on an IP network with the service they require, mainly guaranteeing throughput, delay, jitter and packet loss rate. In current applications it mainly provides transmission quality guarantees for applications such as voice and video that are very sensitive to delay and packet loss. Once the QoS function is enabled, however, the overall performance of the unified threat management device is further reduced, and throughput cannot be increased.

Summary of the invention
Embodiments of the present invention provide a unified threat management device and a method for loading a threat defense module, so as to dynamically adjust the various defense functions while maintaining normal service processing of the device and guaranteeing the device's throughput.
To achieve the above objective, the present invention provides a unified threat management device, including: at least one threat defense module, configured to perform security detection on packets;
an adaptive loading module, configured to dynamically load the threat defense module according to processing performance information of the unified threat management device.
The present invention also provides a method for loading a threat defense module, including: after receiving a packet, obtaining processing performance information of the unified threat management device;
loading the threat defense module according to the processing performance information.
As can be seen from the above technical solution, embodiments of the present invention load the threat defense module dynamically in an adaptive manner, that is, according to the processing performance of the device, thereby taking into account both the various security defense functions and the device's normal service processing capability, and guaranteeing the device's throughput to the greatest extent.

Brief description of the drawings
FIG. 1 is a schematic diagram of a network structure in which a unified threat management device is applied in the prior art;
FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 3 is another schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 4 is a further schematic structural diagram of a unified threat management device according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for loading a threat defense module according to an embodiment of the present invention.

Detailed description
The unified threat management device in embodiments of the present invention is described below with reference to the accompanying drawings.
FIG. 2 is a schematic structural diagram of a unified threat management device according to an embodiment of the present invention, including: at least one threat defense module 1, configured to perform security detection on packets;
an adaptive loading module 2, configured to dynamically load threat defense module 1 according to processing performance information of the unified threat management device.
As shown in FIG. 3, in embodiments of the present invention threat defense module 1 may be any number of the firewall module 11, the uniform resource location filtering module 12, the spam filtering module 13, the virus scanning module 14 and the intrusion detection module 15. The types and combinations of threat defense modules can be loaded according to actual needs; this embodiment only gives a schematic diagram of one possible combination.
The processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information and network traffic information. The adaptive loading module dynamically loads each threat defense module based on this processing performance information, thereby taking into account both the various security defense functions and the device's normal service processing capability, and guaranteeing the device's throughput to the greatest extent.
Embodiments of the present invention also provide another embodiment of the unified threat management device. As shown in FIG. 4, this embodiment differs from the previous one in that the unified threat management device further includes: a priority configuration module 3, configured to configure the priority of the threat defense modules and store the configured priority information;
the adaptive loading module dynamically loads the threat defense modules according to the priority information in the priority configuration module and the processing performance information of the unified threat management device.
The following takes network traffic as the measure of device performance information as an example, to further explain the loading principle of the adaptive loading module of embodiments of the present invention.
To adapt the security protection policy to different levels of network traffic, a balance between throughput and security can be guaranteed by setting network bandwidth thresholds and threat defense module priorities; the network thresholds and the priorities of the threat defense modules can be pre-defined by the user. When a firewall module is present, the firewall's priority is fixed as the highest and the user cannot customize it; apart from the firewall module, the user can define the priority of each threat defense module according to actual needs. For example, in a network architecture, users of a mail server can set the priority of the spam filtering module to the highest and that of the uniform resource location filtering module to low. The user can also set network bandwidth thresholds as needed, for example setting the network-traffic points at which loading of the threat defense modules is adjusted to a low threshold of 100 Mbps and a high threshold of 200 Mbps. In practical applications, multiple network traffic thresholds can also be set, and each threat defense module loaded dynamically according to the network traffic thresholds and the module priorities. For example, the thresholds may be set to 100 Mbps, 150 Mbps and 200 Mbps: when traffic exceeds 150 Mbps the lowest-priority threat defense module is closed, and when traffic exceeds 200 Mbps the medium-priority threat defense module is closed as well. When traffic falls back below 150 Mbps, the medium-priority threat defense module is restored while the lowest-priority threat defense module remains closed; when traffic falls below 100 Mbps, the lowest-priority threat defense module is restored.
Similarly, this embodiment may also use the CPU usage of the unified threat management device as the performance metric; the CPU usage thresholds and the module priorities are predefined by the user. For example, the CPU usage threshold may be set to 80%, and when usage exceeds 80% the lowest-priority module, the URL filtering module, is disabled. Several CPU usage thresholds may also be set and each threat defense module loaded dynamically according to those thresholds and the module priorities. For example, with thresholds of 80%, 60% and 40%: when CPU usage exceeds 60%, the lowest-priority threat defense module is disabled; when it exceeds 80%, the medium-priority module is disabled in addition to the lowest-priority one. When CPU usage falls back below 60%, the medium-priority module is restored while the lowest-priority module stays disabled; when it falls below 40%, the lowest-priority module is restored.
In addition, the unified threat management device in the two embodiments above may further include a performance detection module that measures the processing performance of the device and sends the measured performance information to the adaptive loading module. Depending on requirements, the performance detection module may include one or more of a CPU usage detection module, a memory usage detection module and a network traffic detection module.
As the above embodiments show, adaptive dynamic adjustment, that is, loading threat defense modules dynamically according to the device's processing performance, balances the various security defense functions against the device's normal service processing capacity and preserves device throughput as far as possible. The performance thresholds and the priority of each threat defense module can also be set flexibly for the actual application, which better reconciles the tension between security defense functions and normal service processing capacity.
Next, the method for loading threat defense modules according to an embodiment of the invention is described.
The method for loading threat defense modules in this embodiment includes:
after the unified threat management device receives a packet, obtaining the processing performance information of the device;
loading threat defense modules according to the processing performance information.
In addition, when there are multiple threat defense modules, priority information may be set for them, and the modules are then loaded according to their priority information and the processing performance information. The device performance thresholds and module priorities may be predefined by the user. When the unified threat management device receives a packet, it can obtain the device performance information in real time, compare it with the preset thresholds, and then dynamically load each threat defense module according to the preset thresholds and the module priorities.
The multiple threat defense modules may be one or any number of a firewall module, a URL filtering module, a spam filtering module, a virus scanning module and an intrusion detection module.
In practice, the firewall module's priority may be forced to the highest priority, and the user cannot change it.
The processing performance information of the unified threat management device may be one or more of CPU usage information, memory usage information and network traffic information.
Loading multiple threat defense modules according to the module priority information and the processing performance information of the unified threat management device may be implemented as follows:
thresholds are set for multiple levels of processing performance, with each level's threshold corresponding one-to-one to a priority level, and each threat defense module is loaded dynamically according to the preset thresholds and the module priorities.

An embodiment of the invention also provides another method for loading threat defense modules.
FIG. 5 shows a flowchart of the method for loading threat defense modules according to an embodiment of the invention. In this embodiment, the device performance metric considered is network traffic, and to simplify the description two traffic thresholds are used, a high threshold and a low threshold. The procedure is as follows:
Step 101: after a packet is received, read the current network traffic statistics;
Step 102: determine whether the current network traffic exceeds the configured high threshold (for example 200 Mbps). If so, disable the lowest-priority threat defense module (for example the URL filtering module) according to the module priorities preset by the user (for example, the URL filtering module has the lowest priority). Otherwise, go to step 103;
Step 103: determine whether the current network traffic is below the configured low threshold (for example 100 Mbps). If so, and a threat defense module has been disabled, restore it (that is, re-enable the lowest-priority threat defense module). Otherwise, keep the current state: the lowest-priority threat defense module remains disabled and does not inspect the packet.
In practice, multiple traffic thresholds may also be set. Module priorities may be set to lowest, medium and high, with each threshold corresponding to one module priority. For example, the traffic thresholds may be set to 100 Mbps (corresponding to the low-priority threat defense module), 150 Mbps (corresponding to the medium-priority module) and 200 Mbps (corresponding to the high-priority module): when traffic exceeds 150 Mbps, the lowest-priority module is disabled; when traffic exceeds 200 Mbps, the medium-priority module must be disabled as well. When traffic falls back below 150 Mbps, medium-priority detection is restored; when traffic falls below 100 Mbps, the lowest-priority module is restored.
Alternatively, embodiments of the invention may use the following mode:
when traffic exceeds 100 Mbps, the lowest-priority threat defense module is disabled; when traffic is below 100 Mbps, the lowest-priority module is enabled;
when traffic exceeds 150 Mbps, the medium-priority threat defense module is disabled in addition to the lowest-priority one; when traffic is below 150 Mbps, the medium-priority module is enabled while the lowest-priority module stays disabled;

when traffic exceeds 200 Mbps, the high-priority threat defense module is disabled in addition to the lowest- and medium-priority ones; when traffic is below 200 Mbps, the high-priority module is enabled while the lowest- and medium-priority modules stay disabled.
When the device performance information is CPU usage, the implementation is similar: multiple CPU usage thresholds are set to correspond to the priorities of the threat defense modules, and the details are not repeated here.
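As an added illustration (not code from the patent), the following implements the threshold-per-priority mode described above for both the network-traffic and the CPU-usage metric, including the rule that the firewall is pinned to the highest priority and never unloaded. The module names, the priority constants and the Python structure are this example's own assumptions.

```python
"""Adaptive loading of UTM threat-defense modules (illustrative example).

Each user-configurable priority level is mapped to one performance threshold.
When the measured metric (network traffic in Mbps, or CPU usage in %) rises
above a level's threshold, the modules at that level are unloaded; when it
falls below, they are loaded again. The firewall is pinned to the highest
priority and is never unloaded. Names and constants are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Priority levels; the firewall sits above the user-configurable ones.
LOW, MEDIUM, HIGH, FIREWALL = 1, 2, 3, 4


@dataclass
class ThreatModule:
    name: str
    priority: int
    enabled: bool = True

    def inspect(self, packet: bytes) -> str:
        # Stand-in for the module's real detection logic (AV, IPS, URL filter ...).
        return f"{self.name}:ok({len(packet)} bytes)"


class AdaptiveLoader:
    def __init__(self, modules: List[ThreatModule], thresholds: Dict[int, float]):
        # thresholds maps a priority level to the metric value at which that
        # level is unloaded, e.g. {LOW: 100, MEDIUM: 150, HIGH: 200} for Mbps
        # or {LOW: 40, MEDIUM: 60, HIGH: 80} for CPU usage in percent.
        if FIREWALL in thresholds:
            raise ValueError("firewall priority is fixed; it cannot be thresholded")
        if any(m.priority > FIREWALL for m in modules):
            raise ValueError("no module may outrank the firewall")
        # Highest priority first, so inspection order matches importance.
        self.modules = sorted(modules, key=lambda m: -m.priority)
        self.thresholds = thresholds

    def update(self, metric: float) -> List[str]:
        """Apply the threshold rules for the current metric and return the
        names of the modules that are loaded afterwards."""
        for module in self.modules:
            if module.priority == FIREWALL:
                module.enabled = True           # never unloaded
                continue
            threshold = self.thresholds.get(module.priority)
            if threshold is None:
                continue                        # no rule for this level: keep state
            if metric > threshold:
                module.enabled = False          # over the limit: shed this level
            elif metric < threshold:
                module.enabled = True           # back under: restore this level
            # metric == threshold: leave the level as it is
        return [m.name for m in self.modules if m.enabled]

    def handle_packet(self, packet: bytes, metric: float) -> List[str]:
        """Steps 101-103 in one call: read the metric, adjust the loaded set,
        then let only the loaded modules inspect the packet."""
        self.update(metric)
        return [m.inspect(packet) for m in self.modules if m.enabled]


def default_modules() -> List[ThreatModule]:
    # Constructed sample module set mirroring the text's mail-server example.
    return [
        ThreatModule("firewall", FIREWALL),
        ThreatModule("anti-spam", HIGH),
        ThreatModule("anti-virus", MEDIUM),
        ThreatModule("url-filter", LOW),
    ]


if __name__ == "__main__":
    loader = AdaptiveLoader(default_modules(), {LOW: 100, MEDIUM: 150, HIGH: 200})
    for mbps in (90, 120, 160, 250, 160, 90):
        print(f"{mbps:>4} Mbps -> loaded: {loader.update(mbps)}")
```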
As the embodiments of the invention show, the user can assign different priorities to the threat defense modules. When the device load is low, for example when network traffic is small or CPU usage is low, all traffic receives full security inspection; when network traffic exceeds the device's processing capacity, low-priority function modules are disabled dynamically according to the user's actual application and the preset module priorities, which increases device throughput, keeps services running normally and still ensures the necessary security protection.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention and not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced with equivalents, without these modifications or substitutions departing from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims

1. A unified threat management device, characterized in that it comprises:
at least one threat defense module, configured to perform security inspection on packets;
an adaptive loading module, configured to dynamically load the threat defense module according to processing performance information of the unified threat management device.
2. The device according to claim 1, characterized in that it further comprises:
a priority configuration module, configured to configure the priority of the threat defense module and store the configured priority information;
wherein the adaptive loading module dynamically loads the threat defense module according to the priority information in the priority configuration module and the processing performance information of the unified threat management device.
3. The device according to claim 1, characterized in that the threat defense module is one or any number of a firewall module, a URL filtering module, a spam filtering module, a virus scanning module and an intrusion detection module.
4. The device according to claim 3, characterized in that when the threat defense modules include a firewall module, the priority of the firewall module is the highest priority.
5. The device according to any one of claims 1 to 4, characterized in that the device further comprises:
a performance detection module, configured to detect the processing performance of the unified threat management device and send the detected processing performance information of the unified threat management device to the adaptive loading module.
6. The device according to claim 5, characterized in that the performance detection module comprises one or more of a CPU usage detection module, a memory usage detection module and a network traffic detection module.
7. A method for loading a threat defense module, characterized in that it comprises:
after receiving a packet, obtaining processing performance information of a unified threat management device;
loading the threat defense module according to the processing performance information.
8. The method according to claim 7, characterized in that it further comprises: setting priority information of the threat defense module; and
loading the threat defense module according to the priority information of the threat defense module and the processing performance information of the unified threat management device.
9. The method according to claim 7, characterized in that loading the threat defense module specifically comprises loading one or any number of a firewall module, a URL filtering module, a spam filtering module, a virus scanning module and an intrusion detection module.
10. The method according to claim 9, characterized in that loading the threat defense module comprises at least loading the firewall module.
11. The method according to any one of claims 7 to 10, characterized in that the processing performance information of the unified threat management device is one or more of CPU usage information, memory usage information and network traffic information of the unified threat management device.
12. The method according to claim 8, characterized in that the method further comprises: setting thresholds of processing performance for multiple levels, the threshold of each level corresponding to one of multiple priority levels;
and loading the threat defense module according to the priority information of the threat defense module and the processing performance information of the unified threat management device specifically comprises:
comparing the obtained device performance information with each threshold; if it is greater than the threshold of a given level, disabling the threat defense module of the priority level corresponding to that threshold; if it is less than the threshold of a given level, enabling the threat defense module of the priority level corresponding to that threshold.
PCT/CN2008/072237 2008-02-02 2008-09-02 Device for uniform threat management and method for loading threat defense modules WO2009097715A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2008100575304A CN101227289A (en) 2008-02-02 2008-02-02 Uniform intimidation managing device and loading method of intimidation defense module
CN200810057530.4 2008-02-02

Publications (1)

Publication Number Publication Date
WO2009097715A1 true WO2009097715A1 (en) 2009-08-13
