Device and method for controlling flow quantity facing to target network

A target-oriented flow control device and technology, applied in data exchange networks, digital transmission systems, electrical components, etc., that addresses problems in statistical analysis, accidental blocking of legitimate traffic ("accidental killing"), and fine-grained flow control, with the effect of ensuring security.

Inactive Publication Date: 2012-06-06
BEIJING VENUS INFORMATION TECH +1

AI Technical Summary

Problems solved by technology

The invention patent "CN1282331C" describes a flow control technology that can be applied to communication data forwarding equipment. It detects abnormal traffic by monitoring the traffic of each receiving port, extracts the most frequently occurring network data packet length and IP address as the main features of the abnormal flow, and controls the flow of the relevant receiving port accordingly. This flow control method is mainly used to control abnormal flows such as fixed-length and short packets, and it has the following problems: 1) abnormal traffic is only detected by preset receiving-port traffic thresholds; if the threshold is set too high, abnormal traffic is missed (false negatives), and if it is set too low, false positives result; 2) abnormal flows, especially those that forge the source IP address, cannot be effectively controlled; 3) there is no evaluation mechanism to measure the effect of flow control, and distributed denial-of-service attacks cannot be effectively resisted.
Invention patent "200510069473.8" discloses a packet feature detection method for traffic attacking network equipment. This method counts the occurrence frequency of fixed values of each header field in the processed packets, and selects those packet field values whose occurrence frequency exceeds the attack threshold as the attack packet features. This attack feature detection method has the following problems: 1) relying on a single packet field value to describe the attack packet feature is one-sided; 2) the detection threshold used to screen the attack packet features is difficult to determine: if it is set too high, too few attack features are obtained, and if it is set too low, too many attack features are selected; 3) the attack flow cannot be controlled directly from attack packet features based on a single field value, otherwise legitimate traffic is blocked by accident ("accidental killing").
The existing flow control methods implemented by forwarding devices in the middle of the network generally use the receiving port as the detection and control object, which is not suitable for direct use on a network security border gateway.
In addition, network intermediate forwarding devices generally cannot know the specific information of the protected network, such as the IP address of the protected target host, the network service to be protected, etc., so they cannot implement fine-grained flow control. If the flow control method of a network intermediate forwarding device is directly transplanted to the network security border gateway, it will not be able to provide the best protection for the protected network.

Examples


Embodiment Construction

[0051] The technical solution of the present invention will be described in more detail below with reference to the drawings and embodiments.

[0052] The target host described in this article is the object of abnormal flow detection and flow control by the flow control device; the method of the present invention supports flow control for multiple target hosts at the same time.

[0053] The present invention provides a target network-oriented flow control device which, as shown in Figure 1, includes a forwarding engine and a traffic analysis unit;

[0054] The forwarding engine is used for forwarding network data packets and counting the network traffic in and out of each target host; when abnormal traffic is detected, it samples the network data packets sent to the target host with abnormal traffic and sends the samples to the traffic analysis unit, and, according to the abnormal traffic filtering rules returned by the traffic analysis unit, performs flow control on ...


Abstract

The invention discloses a target-network-oriented traffic control device and method. The method comprises the following steps: counting the network traffic entering and leaving each target host while forwarding network data packets; when abnormal traffic is detected, sampling the data packets sent to the target host with the abnormal traffic; computing statistics over the sampled packets, treating each TCP/IP protocol header field value as an item, and extracting the frequent itemsets that meet the preset minimum support as abnormal traffic filtering rules for that target host; and controlling the traffic of the network data packets of the target host according to the abnormal traffic filtering rules. The device and method are suited to network security border gateways, can accurately discover abnormal traffic aimed at a target host, achieve fine-grained control of that abnormal traffic, and ensure the security of the target host.
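The rule-extraction step described in the abstract, as an added example (not code from the patent): an Apriori-style search over sampled packets in which each (header field, value) pair is an item. The field set, the 0.6 minimum support, the constructed sample packets and the choice to keep only maximal itemsets as rules are assumptions.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("proto", "src_ip", "dst_port", "tcp_flags", "length")  # assumed field set

def frequent_itemsets(samples, min_support):
    """Level-wise (Apriori) search; an item is one (field, value) pair."""
    need = min_support * len(samples)
    txns = [frozenset((f, p[f]) for f in FIELDS) for p in samples]
    counts = Counter(item for t in txns for item in t)
    level = {frozenset([i]): c for i, c in counts.items() if c >= need}
    found = dict(level)
    while level:
        # Join frequent k-itemsets into (k+1)-item candidates.
        cands = {a | b for a, b in combinations(level, 2) if len(a | b) == len(a) + 1}
        # Apriori pruning: every k-subset of a candidate must itself be frequent.
        cands = {c for c in cands if all(c - {i} in level for i in c)}
        level = {}
        for c in cands:
            n = sum(1 for t in txns if c <= t)
            if n >= need:
                level[c] = n
        found.update(level)
    return found

def filter_rules(found):
    """Keep maximal itemsets only: the most specific header combinations."""
    return [dict(s) for s in found if not any(s < o for o in found)]

def matches(rule, pkt):
    """A packet is subject to flow control only if every field in the rule matches."""
    return all(pkt.get(f) == v for f, v in rule.items())

# Constructed sample for one target host: 8 spoofed-source SYN packets
# plus 2 legitimate packets (documentation address ranges).
SAMPLES = [dict(proto="tcp", src_ip=f"203.0.113.{i}", dst_port=80,
                tcp_flags="SYN", length=40) for i in range(1, 9)] + [
    dict(proto="tcp", src_ip="198.51.100.7", dst_port=443, tcp_flags="ACK", length=1500),
    dict(proto="udp", src_ip="198.51.100.9", dst_port=53, tcp_flags="", length=72),
]
RULES = filter_rules(frequent_itemsets(SAMPLES, min_support=0.6))

if __name__ == "__main__":
    print(RULES)
```

Because the spoofed source addresses never reach the support threshold, the resulting rule omits `src_ip`, and because it combines several fields, the legitimate TCP packet to port 443 is not matched, which is the accidental-blocking problem the page attributes to single-field features.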

Description

Technical field

[0001] The invention relates to a device and method for realizing flow control, in particular to a target network-oriented flow control device and method.

Background technique

[0002] Common network security border gateways include firewalls, VPN (Virtual Private Network) gateways, and intrusion prevention systems (Intrusion Protection System, IPS for short). The network security border gateway is usually deployed at the entrance of the protected network. It checks the network data packets entering and leaving the protected network. Once a network intrusion is found, it blocks the intrusion attempt through packet filtering and other methods, so as to minimize the losses caused by network attacks.

[0003] The current common network attacks against target hosts in the protected network can be divided into two categories: one is vulnerability attacks based on a small amount of maliciously constructed packets; th...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L12/24, H04L12/26
Inventor: 叶润国, 周涛, 胡振宇
Owner: BEIJING VENUS INFORMATION TECH