CN101505302A - Dynamic regulating method and system for security policy - Google Patents


Info

Publication number
CN101505302A
Authority
CN
China
Prior art keywords
security strategy
security
security policy
current
network link
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2009100783797A
Other languages
Chinese (zh)
Inventor
常铮
夏俊杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Beijing Telecom Planning and Designing Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Beijing Telecom Planning and Designing Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, Beijing Telecom Planning and Designing Institute Co Ltd
Priority to CNA2009100783797A
Publication of CN101505302A
Legal status: Pending

Abstract

Translated from Chinese

Figure 200910078379

The invention discloses a method and system for dynamically adjusting security policies. The method includes: detecting any one or a combination of network link traffic, the actual processing capability of the device, and the service type, and obtaining a detection result; and dynamically adjusting the current security policy according to the detection result. The system includes: a detection module, configured to detect any one or a combination of network link traffic, the actual processing capability of the device, and the service type, and to obtain the detection result; and an adjustment module, configured to dynamically adjust the current security policy according to the detection result obtained by the detection module. The invention realizes dynamic adjustment of the security policy of an intrusion prevention system and achieves a dynamic balance between processing efficiency and security protection.

Description

Translated from Chinese
Method and system for dynamic adjustment of security policy

Technical field

The invention relates to network security technology, and in particular to a method and system for dynamically adjusting security policies.

Background art

With the continuous development of network technology, network attack methods have become increasingly complex and diverse, and network security faces great challenges. The traditional information security protection system uses firewall technology and/or intrusion detection technology. A firewall deployed in series can intercept attacks on the lower layers, but cannot stop attacks on deeper layers such as the application layer. An intrusion detection system deployed in bypass mode can detect deep-layer attacks in a timely manner and is an effective supplement to firewall technology, but it cannot block attacks in real time, that is, it cannot handle the growing number of "instantaneous" attacks. Intrusion prevention systems emerged to ensure effective network security.

The intrusion prevention system is deployed in series at the network egress, and all data from outside must pass through it before being delivered to the internal system. The intrusion prevention system uses active protection: it holds many filters, and when a new attack method is discovered it creates a corresponding new filter. It inspects data packets byte by byte, can detect and block attacks from the data link layer up to the application layer, and can effectively ensure network security. However, in the prior art the security policy of an intrusion prevention system is configured manually by the user in advance and remains fixed after configuration, while the actual traffic on the protected link changes in real time. If the configured security policy has a low security level, processing efficiency is guaranteed, but system resources sit idle when link traffic is light. If the configured security policy has a high security level, network security is guaranteed, but when link traffic is heavy the link bandwidth is constrained and users' normal use of services is affected. In addition, different services place different requirements on network bandwidth and security. Because the security policy of a prior-art intrusion prevention system is fixed, it cannot be adjusted in real time according to network status and service information, and network security and processing efficiency cannot both be accommodated.

Summary of the invention

The purpose of the present invention is to provide a method and system for dynamically adjusting security policies, so as to dynamically adjust the security policy of an intrusion prevention system and achieve a dynamic balance between processing efficiency and security protection.

To achieve the above purpose, the present invention provides a method for dynamically adjusting security policies, including:

detecting any one or a combination of network link traffic, the actual processing capability of the device, and the service type, and obtaining a detection result;

dynamically adjusting the current security policy according to the detection result.

The present invention also provides a system for dynamically adjusting security policies, including:

a detection module, configured to detect any one or a combination of network link traffic, the actual processing capability of the device, and the service type, and to obtain a detection result;

an adjustment module, configured to dynamically adjust the current security policy according to the detection result obtained by the detection module.

The method and system for dynamically adjusting security policies provided by the present invention adjust the current security policy according to the detected network link traffic, actual processing capability of the device, and service type. This realizes dynamic adjustment of the security policy of the intrusion prevention system and achieves a dynamic balance between processing efficiency and security protection.

Description of drawings

Fig. 1 is a flow chart of an embodiment of the method for dynamically adjusting a security policy of the present invention;

Fig. 2 is a structural diagram of one embodiment of the system for dynamically adjusting security policies of the present invention;

Fig. 3 is a structural diagram of another embodiment of the system for dynamically adjusting security policies of the present invention.

Detailed description

The technical solutions of the present invention are described in further detail below with reference to the accompanying drawings and embodiments.

As a security protection system that effectively prevents network attacks, the intrusion prevention system uses technologies such as traffic characteristic analysis and deep packet inspection to detect and intercept intrusions such as viruses, attacks and spam, implementing a security policy of in-depth defense. The intrusion prevention system receives network data from the external system through one network port of the device, inspects the data and, after confirming that it contains no abnormal activity or suspicious content, transmits it to the internal system through another network port. If an attack is found it is blocked immediately, so attack data from outside cannot enter the network through the network boundary. Intrusion prevention systems lean toward active protection: they intercept intrusion activity and offensive network traffic in advance, before it causes damage, rather than simply raising an alarm while or after malicious traffic is delivered. The packet processing engine of the intrusion prevention system is a specialized custom integrated circuit that can inspect the content of packets from the data link layer to the application layer byte by byte. The intrusion prevention system has several advantages, such as embedded operation, in-depth analysis and control capabilities, a high-quality feature library, and efficient processing. These characteristics allow it to inspect network data in real time and effectively block network attacks when protecting the network.

The security policy is the core of the intrusion prevention system, which achieves effective and timely protection by configuring a reasonable security policy. In the prior art, however, the security policy of an intrusion prevention system is configured manually by the user, and the security level of the policy stays fixed for a given period. An intrusion prevention system with a fixed security level has many drawbacks: it cannot meet users' specific needs, and it cannot make full use of the capabilities of the device and the system. To address these defects, the present invention provides a method for dynamically adjusting the security policy of an intrusion prevention system, so that the policy can be adjusted dynamically according to specific conditions.

Fig. 1 is a flow chart of an embodiment of the method for dynamically adjusting a security policy of the present invention. As shown in Fig. 1, the method specifically includes the following steps:

Step 101: detect any one or a combination of network link traffic, the actual processing capability of the device, and the service type, and obtain a detection result.

Because users use the network with different frequency in different periods, and use it for different types of service, the network status necessarily differs from period to period. For example, the usage rate of the central processing unit (hereinafter: CPU), the memory usage rate, the link bandwidth, and the service types in use differ at each point in time. In the prior art the security policy of the intrusion prevention system is fixed once the user has configured it manually, that is, it is independent of changes in network status, so the security policy will inevitably fail to match the network status at times: either the security level of the policy is too high for the network status, or it is too low and network resources sit idle for long periods. The present invention therefore detects the network status in each period, obtains the detection result, and adjusts the current security policy according to it. The detected information includes, but is not limited to, network link traffic, the actual processing capability of the device, and the service type.

Network link traffic can include the peak and the mean of the network link traffic, that is, complete statistics of the link traffic over a period of time that reflect the actual state of the current link traffic. When the link traffic is relatively small or relatively large, the security policy can be adjusted so that network resources are used fully and reasonably. The actual processing capability of the device can include CPU usage and memory usage; the overall capability level of the device is measured to reflect its current overall usage. When the actual processing capability is relatively low or relatively high, the security policy can be adjusted to achieve the best device efficiency. The service type is the type of the main service the user is currently using, such as a mail service or an audio/video service. Different service types place different requirements on network security and network bandwidth, so the service is assessed for whether it has a high latency requirement, a strong security requirement, and so on. For example, a mail service has a high security requirement: the user would rather sacrifice bandwidth than compromise network security. An audio/video service has a high latency requirement: the user wants the current network bandwidth to be wide enough to keep playback smooth.

Step 102: dynamically adjust the current security policy according to the detection result.

After the detection results for the current state have been obtained, the current security policy is adjusted according to them, that is, according to the obtained peak and mean network link traffic, CPU usage, memory usage, and the service type currently in use. Before the security policy is adjusted, the obtained information must be analyzed and judged as a whole, so that the adjustment is reasonable and consistent with the current network status. If the current network link traffic is small, the actual processing capability of the device is high, and the latency requirement of the main service is low, the security policy of the intrusion prevention system can be adjusted to raise its security level and give the network a higher level of protection. If the current network link traffic is large, the actual processing capability of the device is low, and the latency requirement of the main service is high, the security policy can be adjusted to lower its security level and improve the processing efficiency of the device. Many other cases exist. For example, when the current network link traffic is small but the latency requirement of the service is high, the overall state must be analyzed comprehensively before deciding whether and how to adjust the current security policy.

The method for dynamically adjusting a security policy provided by the present invention adjusts the current security policy according to the detected network link traffic, actual processing capability of the device, and service type. This realizes dynamic adjustment of the security policy of the intrusion prevention system and achieves a dynamic balance between processing efficiency and security protection.

Specifically, the above step 101 may be: according to a preset detection period, periodically detect any one or a combination of network link traffic, the actual processing capability of the device, and the service type. While the device is running, the current state is detected at a certain detection period, which the user sets according to the conditions of the network itself: if the network status changes frequently, a shorter detection period is set; otherwise a longer one is set. According to the configured detection period, the current state is monitored, that is, the peak and mean network link traffic, CPU usage, memory usage, and the service type in use during the detection period are monitored. The state information for the detection period is obtained from the monitoring result.

The above step 102 may specifically be: according to the detection result, adjust the enhanced security policy in the current security policy while keeping the basic security policy in the current security policy. In the embodiment of the present invention, the security policy in the intrusion prevention system includes a basic security policy and an enhanced security policy. The basic security policy is configured in all cases, while the enhanced security policy can be adjusted dynamically according to the detection result, so that the security policy follows the actual state of the network while the basic protection function of the intrusion prevention system is preserved.

Further, before step 101, the following steps are also included:

First, set the basic security policy. The user sets the basic security policy of the intrusion prevention system according to the conditions of the network itself. The basic security policy can be the one security policy with the lowest security level in the system, or a combination of several such policies. The intrusion prevention system stores all security policies of the corresponding device; the basic security policy is one or several policies selected from them, and the remaining policies are enhanced security policies. In this embodiment, to ensure the security of the network, the intrusion prevention system configures the basic security policy in all cases.

Second, divide the enhanced security policies into security levels according to their protection capability and resource occupation information. The protection the intrusion prevention system gives the network is determined by the security policies set in it: different security policies correspond to different protection capabilities, and different security policies are distinguished by their security level. The user formulates all security policies in the intrusion prevention system according to the characteristics of the user's own network. In this embodiment, the user divides the enhanced security policies into security levels according to their protection capability and resource occupation information, that is, the security policies other than the basic security policy are ranked by security level according to the protection capability, resource occupation and similar properties of each policy. When the security level of a policy is assigned in this embodiment, the resources occupied once the policy is configured are considered in addition to its protection capability. A policy with very strong protection capability may occupy a large amount of resources, in which case adding it is not cost-effective. The resource occupation information therefore has to be combined with the protection capability when assigning security levels, to make later adjustment of the security policy easier.

During the initial configuration of the network device, the above process completes the configuration of the security levels of all security policies in the intrusion prevention system. In addition, when a new attack behavior is found, the intrusion prevention system creates a new filter, that is, a new security policy, and it needs to update the current security policies to include the new one. Therefore, when the security policies in the intrusion prevention system are updated, the new security policy must also be assigned a security level, using a method similar to the one above.

Further, the adjustment of the security policy referred to in this embodiment may specifically be adding a security policy or reducing a security policy. The step of adjusting the enhanced security policy in the current security policy according to the detection result, while keeping the basic security policy, may then be as follows. If the obtained detection result is any one or a combination of the following: the network link traffic is lower than a preset first link traffic threshold, the actual processing capability of the device is higher than a preset first device processing threshold, and the security requirement of the service type is higher than a preset security requirement threshold, then the enhanced security policy in the current security policy is increased. The first link traffic threshold, the first device processing threshold, and the security requirement threshold are each a preset specific value or a preset specific range, which the user can set according to the actual situation.

The obtained detection results are analyzed and judged. If the network link traffic, including the mean and the peak link traffic during the detection period, is lower than the preset first link traffic threshold, that is, the link traffic is relatively small, this indicates that the security level of the current security policy is not high, and security policies can be added to raise the security level and improve the protection capability of the intrusion prevention system. Or, if the detected actual processing capability of the device, including CPU usage and memory usage, is higher than the preset first device processing threshold, that is, the actual processing capability is relatively high (for example, CPU usage stays below 30% during the detection period), security policies can be added to raise the security level. Or, if detection shows that the security requirement of the main service the user is currently using is higher than the preset security requirement threshold, that is, the main service has a relatively high security requirement (for example, a mail service) and the user wants stronger protection to ensure sufficient security, security policies are added to raise the security level and meet the user's security needs. Note that the step of adding a security policy is executed whenever one or a combination of the above situations is detected; this is not repeated here.

Alternatively, if the obtained detection result is any one or a combination of the following: the network link traffic is higher than a preset second link traffic threshold, the actual processing capability of the device is lower than a preset second device processing threshold, and the latency requirement of the service type is higher than a preset latency requirement threshold, then the enhanced security policy in the current security policy is reduced. The second link traffic threshold, the second device processing threshold, and the security requirement threshold are each a preset specific value or a preset specific range, which the user can set according to the actual situation. The second link traffic threshold is greater than the first link traffic threshold, and the second device processing threshold is smaller than the first device processing threshold.

The obtained detection results are analyzed and judged. If the network link traffic, including the mean and the peak link traffic during the detection period, is higher than the preset second link traffic threshold, that is, the link traffic is relatively large, this indicates that the security level of the current security policy is relatively high, and network traffic can be reduced by reducing security policies and lowering the security level. Or, if the detected actual processing capability of the device, including CPU usage and memory usage, is lower than the preset second device processing threshold, that is, the actual processing capability is relatively low (for example, CPU usage stays above 70% during the detection period), security policies can be reduced and the security level lowered to improve the processing efficiency of the device. Or, if detection shows that the latency requirement of the main service the user is currently using is higher than the preset latency requirement threshold, that is, the main service has a relatively high latency requirement (for example, an audio/video service) and the user wants more network bandwidth to keep the service working normally, security policies are reduced and the security level lowered to improve the processing efficiency of the device and meet the user's needs. Note that the step of reducing a security policy is executed whenever one or a combination of the above situations is detected; this is not repeated here.

Specifically, adding an enhanced security policy to the current security policy consists of: selecting the enhanced security policy that corresponds to a higher security level matching the detection result, and adding that enhanced security policy to the current security policy. When performing the step of adding security policies in this embodiment, one or more security policies are selected from the remaining enhanced security policies stored in the intrusion prevention system, namely those that match the current detection results. Because the enhanced security policies were previously graded into security levels according to their protection capability and resource occupation information, the policy to add can be chosen to match the detected network link traffic, actual device processing capability and service type. "Matching" here can mean that the selected enhanced security policy is the one best suited to the current network state and the most cost-effective once its protection capability and resource occupation are taken into account, so that adding it does not cause a large consumption of resources as the security level rises.

Reducing the enhanced security policies in the current security policy consists of: selecting, within the current security policy, the enhanced security policy that corresponds to the security level matching the detection result, and deleting that enhanced security policy from the current security policy. When performing the step of adding security policies in this embodiment, one or more enhanced security policies that match the current detection results are selected within the current security policy and deleted from it. Because the enhanced security policies were previously graded into security levels according to their protection capability and resource occupation information, the policy to remove can be chosen to match the detected network link traffic, actual device processing capability and service type.

The present invention provides a method for dynamically adjusting a security policy. A basic security policy is configured under all circumstances, the enhanced security policies are graded into security levels, and the current security policy is adjusted according to the detected network link traffic, actual device processing capability and service type. Basic security protection is therefore always guaranteed while the user's needs are met, achieving a balance between network security and device processing efficiency.
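The add/reduce rule described above, as an added Python example that is not part of the patent text. The threshold values, policy names, cost figures, the use of `1 - max(cpu, mem)` as "processing capability", the headroom check on add, the highest-cost-first removal and the "hold" outcome when add and reduce conditions conflict are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    level: int    # security level from the grading step (higher = stronger)
    cost: float   # constructed: share of device capacity the policy consumes

@dataclass(frozen=True)
class Metrics:
    link_util: float    # link traffic (mean or peak) as a fraction of capacity
    cpu: float          # CPU usage over the detection period, 0..1
    mem: float          # memory usage over the detection period, 0..1
    security_need: int  # security requirement of the main service type
    delay_need: int     # delay requirement of the main service type

# Constructed thresholds. The text requires link second > first and device
# second < first, which leaves a middle band where the policy is unchanged.
LINK_FIRST, LINK_SECOND = 0.30, 0.80
DEV_FIRST, DEV_SECOND = 0.60, 0.30
SECURITY_NEED_MIN, DELAY_NEED_MIN = 3, 3

BASE = ("base_signatures",)  # hypothetical basic policy, enforced in every state
CATALOG = (
    Policy("signature_extra", 1, 0.10),
    Policy("protocol_anomaly", 2, 0.15),
    Policy("deep_inspection", 3, 0.30),
)

def capability(m: Metrics) -> float:
    """Assumed measure of actual processing capability: unused CPU/memory."""
    return 1.0 - max(m.cpu, m.mem)

def decide(m: Metrics) -> str:
    add = (m.link_util < LINK_FIRST or capability(m) > DEV_FIRST
           or m.security_need > SECURITY_NEED_MIN)
    reduce = (m.link_util > LINK_SECOND or capability(m) < DEV_SECOND
              or m.delay_need > DELAY_NEED_MIN)
    if add and reduce:
        return "hold"  # assumption: the text does not resolve conflicting triggers
    return "add" if add else "reduce" if reduce else "hold"

def adjust(active, m, catalog=CATALOG):
    """Return the new list of active enhanced policies for one detection period."""
    active = list(active)
    action = decide(m)
    if action == "add":
        # Only add what fits without pushing the device below the reduce threshold.
        spare = capability(m) - DEV_SECOND
        fits = [p for p in catalog if p not in active and p.cost <= spare]
        if fits:
            active.append(max(fits, key=lambda p: (p.level, -p.cost)))
    elif action == "reduce" and active:
        # Shed the most expensive enhanced policy first.
        active.remove(max(active, key=lambda p: p.cost))
    return active

def effective(active):
    """Policy names actually enforced: the basic policy is never removed."""
    return list(BASE) + [p.name for p in active]
```

Because `adjust` only ever edits the enhanced list, a sustained overload can shrink enforcement down to `BASE` but never below it, which is the floor the method relies on.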

FIG. 2 is a structural diagram of one embodiment of the system for dynamically adjusting security policies according to the present invention. As shown in FIG. 2, the system includes a detection module 1 and an adjustment module 2. The detection module 1 is used to detect any one or a combination of network link traffic, actual device processing capability and/or service type, and to obtain a detection result. The adjustment module 2 is used to adjust the current security policy according to the detection result obtained by the detection module 1. Specifically, after the detection module 1 obtains the current detection result, the adjustment module 2 adjusts the current security policy according to the obtained peak network link traffic, mean network link traffic, CPU usage, memory usage and the service type currently in use. In this embodiment, the adjustment performed by the adjustment module 2 can be either adding or reducing security policies, and its operation can be as follows: if the obtained network link traffic is small, or the actual processing capability of the device is high, or the security requirement of the service type is high, the enhanced security policies in the current security policy are increased. Alternatively, if the obtained network link traffic is large, or the actual processing capability of the device is low, or the delay requirement of the service type is high, the enhanced security policies in the current security policy are reduced.

The present invention provides a system for dynamically adjusting security policies. The detection module detects the network link traffic, the actual device processing capability and the service type, and the adjustment module adjusts the current security policy accordingly. This realizes dynamic adjustment of the security policy of the intrusion prevention system and achieves a balance between network security and device processing efficiency.

FIG. 3 is a structural diagram of another embodiment of the system for dynamically adjusting security policies according to the present invention. As shown in FIG. 2, this embodiment differs from the previous one in that the system further includes a setting module 3 and a level division module 4. The setting module 3 is used to set the basic security policy within the current security policy. The level division module 4 is used to grade the enhanced security policies into security levels according to their protection capability and resource occupation information. According to the situation of the network itself, the user sets the basic security policy of the intrusion prevention system through the setting module 3; the basic security policy can be one security policy, or a combination of several, with the lowest security level in the system. In this embodiment, to ensure the security of the network, the intrusion prevention system is configured with the basic security policy under all circumstances. The user grades the enhanced security policies into security levels through the level division module 4, according to each policy's protection capability and resource occupation information.

Specifically, the adjustment module 2 may include a first policy selection unit 21 and a first policy adjustment unit 22. The first policy selection unit 21 is used to select the enhanced security policy corresponding to the security level that matches the detection result obtained by the detection module 1. The first policy adjustment unit 22 is used to add the enhanced security policy selected by the first policy selection unit 21 to the current security policy. Alternatively, the adjustment module 2 may include a second policy selection unit and a second policy adjustment unit. The second policy selection unit is used to select, within the current security policy, the enhanced security policy corresponding to the security level that matches the detection result obtained by the detection module 1. The second policy adjustment unit is used to delete the enhanced security policy selected by the second policy selection unit from the current security policy.

The present invention provides a system for dynamically adjusting security policies. The setting module sets the basic security policy, the level division module grades the enhanced security policies into security levels, the detection module detects the network link traffic, the actual device processing capability and the service type, and the adjustment module adjusts the current security policy accordingly. Basic security protection is therefore always guaranteed while the user's needs are met, achieving a balance between network security and device processing efficiency.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

CNA2009100783797A | 2009-02-26 | 2009-02-26 | Dynamic regulating method and system for security policy | Pending | CN101505302A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNA2009100783797A | 2009-02-26 | 2009-02-26 | Dynamic regulating method and system for security policy

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CNA2009100783797A | 2009-02-26 | 2009-02-26 | Dynamic regulating method and system for security policy

Publications (1)

Publication Number | Publication Date
CN101505302A (en) | 2009-08-12

Family

ID=40977369

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CNA2009100783797A | Pending | CN101505302A (en) | 2009-02-26 | 2009-02-26 | Dynamic regulating method and system for security policy

Country Status (1)

Country | Link
CN (1) | CN101505302A (en)


Legal Events

Date | Code | Title | Description
 | C06 | Publication |
 | PB01 | Publication |
 | C10 | Entry into substantive examination |
 | SE01 | Entry into force of request for substantive examination |
 | C12 | Rejection of a patent application after its publication |
 | RJ01 | Rejection of invention patent application after publication |

Application publication date: 20090812

