Method and device for realizing automatic suppression and protection based on network equipment log

Abstract

The invention discloses a method and a device for realizing automatic suppression and protection based on a network equipment log, and the method comprises the steps: respectively collecting network equipment log information through a front-end processor server which configures each resource pool, and carrying out the classification and preprocessing; the security protection management system receives the pre-processed alarm and flow information, analyzes and stores the information, and dynamically presents the information in real time; and the safety protection management system executes automatic suppression logic according to the acquired IP alarm and flow information, the IP protection level, the alarm notification threshold value and the automatic suppression threshold value, judges whether a real-time suppression task exists at present and whether suppression is in a waiting period or an observation period, and further implements or adjusts a corresponding protection strategy and issues the corresponding protection strategy. According to the method and the device, a resource pool IP protection strategy is flexibly configured according to own service characteristics and requirements, and the working difficulty of operation and maintenance management personnel is reduced; the corresponding suppression or protection rule is dynamically adjusted according to the traffic value in the network equipment log, and the network security protection efficiency is improved.

Description

technical field [0001] The invention relates to the field of realizing security protection based on analyzing network equipment logs, in particular to a method and device for realizing automatic suppression and protection based on network equipment logs. Background technique [0002] In the prior art, there are already a variety of security protection methods based on analyzing network device logs. These methods usually configure a fixed protection strategy for the IP to be protected, but cannot dynamically control and adjust according to the real-time traffic attack situation. For example, once it is determined that it is Blacklist, the black+list cannot be automatically upgraded; the resource pool IP that has not been entered in advance will be automatically discarded even if it is attacked by a large amount of traffic; Adjust the suppression strategy, etc.; therefore, the existing technology is not flexible enough, and the function is relatively single, requiring operatio...

AI Technical Summary

Problems solved by technology

[0002] In the prior art, there are already a variety of security protection methods based on analyzing network device logs. These methods usually configure a fixed protection strategy for the IP to be protected, but cannot dynamically control and adjust according to the real-time traffic attack situation. For example, once it is determined that it is Blacklist, the black+list cannot be automatically upgraded; the resource pool IP that has not been entered in advance will be automatically discarded even if it is attacked by a large amount of traffic; Adjust the suppression strategy, etc.; therefore, the existing technology is not flexible enough, and the function is relatively single, requiring operation and maintenance managers to manually adjust the protection strategy, resulting in low efficiency of network security protection

Images