A network security management method, device, equipment and machine readable storage medium
By establishing a false alarm prevention hash table in the IPS system, attack false alarm signature IDs are identified and allowed, thus solving the IPS false alarm problem and improving the performance and efficiency of network devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NEW H3C SECURITY TECH CO LTD
- Filing Date
- 2023-02-22
- Publication Date
- 2026-07-03
AI Technical Summary
Existing IPS systems are prone to false alarms during the detection process, leading to the interception of normal data packets and affecting network services.
By establishing a hash table to prevent false alarms, the characteristic IDs of attack false alarms are identified and recorded. The hash table is then used to quickly match and allow relevant messages, thereby reducing the false alarm rate.
It effectively reduces the false alarm rate of IPS, saves memory, and improves the forwarding performance and efficiency of network devices.
Smart Images

Figure CN116318903B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a network security management method, apparatus, device, and machine-readable storage medium. Background Technology
[0002] IPS (Intrusion Prevention System) is a security technology that can detect and defend against application-layer attacks. IPS devices first upgrade and load an attack signature database. Users then configure IPS policies to filter attack signatures and add them to the kernel's deep packet inspection engine.
[0003] DPI (Deep Packet Inspection) is a packet-based deep inspection technology that performs deep inspections on different network application layer payloads (such as HTTP, DNS, etc.) and determines the legitimacy of packets by inspecting their payloads.
[0004] IPS devices are deployed in the network. When traffic enters the IPS device, it performs deep, byte-by-byte inspection of the traffic packets. It scans the AC (Aho-Corasick) tree using the AC algorithm to detect intrusion behavior and blocks it through specific response actions, thus protecting enterprise information systems and networks from attacks. For example, if a data packet contains attack features from the IPS signature database, it confirms that the packet matches the database, indicating it is an illegitimate packet. The system then identifies the matching feature in the database as a hit feature and determines that the sender of the illegitimate packet is a network attacker. The illegitimate packet is then discarded, the matched attack feature is recorded in the IPS log, and all subsequent packets from the attacker are intercepted. The effectiveness of IPS defense depends on the accuracy of the IPS signature database. Although IPS attack signature databases are becoming increasingly accurate and comprehensive, the accuracy of attack features in the database decreases relatively over time due to the complexity and variability of data packets. During the inspection of packets passing through the IPS, normal packets may be discarded as illegitimate packets, resulting in false positives. If a false alarm occurs in the IPS, the IPS will block all data packets that are not from network attackers but from normal senders, which often affects normal network services. Summary of the Invention
[0005] In view of this, the present disclosure provides a network security management method, apparatus, electronic device, and machine-readable storage medium to improve the problem of false alarms easily detected by security detection based on IPS signature database.
[0006] The specific technical solution is as follows:
[0007] This disclosure provides a network security management method applied to a security device. The security device uses a non-configurable intrusion prevention system (IPS) signature library. The method includes: obtaining attack signature IDs of attack features identified as false alarms based on the enabled IPS false alarm prevention function, wherein the attack signature IDs are included in an IPS-specific library issued to a DPI detection engine; adding the attack signature IDs identified as false alarms to a false alarm prevention hash table, wherein the false alarm prevention hash table is established in response to enabling the IPS false alarm prevention function; obtaining each attack signature ID associated with each attack behavior reported by the DPI detection engine; matching each obtained attack signature ID in the false alarm prevention hash table; and determining that the attack behavior associated with the successfully matched attack signature ID is a false alarm.
[0008] As a technical solution, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining the attack feature ID of the attack feature associated with the user's judgment of the false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0009] As a technical solution, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining a pre-configured specific attack feature ID based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0010] As a technical solution, the step of obtaining each attack feature ID associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm includes: in response to the signaling that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm, allowing the associated message to pass.
[0011] This disclosure also provides a network security management device applied to a security device that uses a non-configurable intrusion prevention system (IPS) signature library. The device includes: a signature module, used to obtain attack signature IDs of attack features identified as false alarms based on the enabled IPS false alarm prevention function, the attack signature IDs being included in an IPS-specific library issued to the DPI detection engine; a configuration module, used to add the attack signature IDs identified as false alarms to a false alarm prevention hash table, the false alarm prevention hash table being established in response to enabling the IPS false alarm prevention function; and a determination module, used to obtain each attack signature ID associated with each attack behavior reported by the DPI detection engine, match each obtained attack signature ID in the false alarm prevention hash table, and determine that the attack behavior associated with the successfully matched attack signature ID is a false alarm.
[0012] As a technical solution, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining the attack feature ID of the attack feature associated with the user's judgment of the false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0013] As a technical solution, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining a pre-configured specific attack feature ID based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0014] As a technical solution, the step of obtaining each attack feature ID associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm includes: in response to the signaling that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm, allowing the associated message to pass.
[0015] This disclosure also provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the processor executing the machine-executable instructions to implement the aforementioned network security management method.
[0016] This disclosure also provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned network security management method.
[0017] The technical solution provided in this disclosure brings at least the following beneficial effects:
[0018] For intrusion prevention systems that cannot update or configure the IPS signature database in a timely manner, a whitelist is established based on the attack signature ID associated with the attack behavior that is determined to be a false alarm. When the attack behavior associated with the attack signature ID is discovered again, it is directly regarded as a false alarm and the relevant packets are allowed to pass, thereby reducing the false alarm rate. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments of this disclosure or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings of the embodiments of this disclosure.
[0020] Figure 1 This is a flowchart of a network security management method according to one embodiment of the present disclosure;
[0021] Figure 2 This is a structural diagram of a network security management device according to one embodiment of the present disclosure;
[0022] Figure 3 This is a hardware structure diagram of an electronic device according to one embodiment of the present disclosure. Detailed Implementation
[0023] The terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. The singular forms “a,” “the,” and “the” as used in this disclosure and claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to any and all possible combinations comprising one or more of the associated listed items.
[0024] It should be understood that although the terms first, second, third, etc., may be used to describe various information in embodiments of this disclosure, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this disclosure, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" may also be interpreted as "when," "when," or "in response to a determination."
[0025] In one technical solution, a whitelist can be set based on three dimensions: IP address, URL, and MAC address of the packet. When the packet enters the detection engine and matches the attack characteristics, it is then matched against the whitelist. If all dimensions in the whitelist match, it indicates that although the packet matches the attack characteristics, the user has configured a whitelist, so it is considered a false alarm of IPS attack and the packet is allowed to pass.
[0026] However, this solution has several problems. First, the more whitelists configured by the user, the more IP addresses, MAC addresses, and strings the IPS device kernel needs to store, resulting in a larger amount of information stored by the kernel and a greater memory requirement. Second, after a packet matches an attack signature and enters the IPS engine, it will perform a match against the user-configured whitelist and its configured dimensions. The more whitelists and dimensions configured, the higher the complexity of the packet matching process, thus reducing packet forwarding efficiency. Furthermore, when packets are fragmented, the matching results also need to be cached, consuming memory and further impacting forwarding performance.
[0027] In summary, when users need to configure packet access based on IP address, signature string, or MAC address, they can enable the whitelist function mentioned above. However, if users need to quickly resolve IPS false alarms and do not have requirements for IP address, MAC address, or signature string, enabling the above function will result in excessive waste of hardware performance.
[0028] In view of this, the present disclosure provides a network security management method, apparatus, electronic device, and machine-readable storage medium to improve the above-mentioned technical problems.
[0029] Specifically, the technical solution is described below.
[0030] In one embodiment, this disclosure provides a network security management method applied to a security device that uses a non-configurable intrusion prevention system (IPS) signature library. The method includes: obtaining attack signature IDs of attack features identified as false alarms based on an enabled IPS false alarm prevention function, wherein the attack signature IDs are included in an IPS-specific library issued to a DPI detection engine; adding the attack signature IDs identified as false alarms to a false alarm prevention hash table, wherein the false alarm prevention hash table is established in response to enabling the IPS false alarm prevention function; obtaining attack signature IDs associated with each attack behavior reported by the DPI detection engine; matching the obtained attack signature IDs in the false alarm prevention hash table; and determining that the attack behavior associated with the successfully matched attack signature ID is a false alarm.
[0031] Specifically, such as Figure 1 This includes the following steps:
[0032] Step S11: Based on the enabled IPS false alarm prevention function, obtain the attack feature ID of the attack feature identified as a false alarm. The attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0033] Step S12: The attack signature ID that is identified as a false alarm is added to the anti-false alarm hash table, which is established in response to enabling the IPS anti-false alarm function;
[0034] Step S13: Obtain each attack feature ID associated with each attack behavior reported by the DPI detection engine, match each obtained attack feature ID in the anti-false alarm hash table, and determine that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm.
[0035] For intrusion prevention systems that cannot update or configure the IPS signature database in a timely manner, a whitelist is established based on the attack signature ID associated with the attack behavior that is determined to be a false alarm. When the attack behavior associated with the attack signature ID is discovered again, it is directly regarded as a false alarm and the relevant packets are allowed to pass, thereby reducing the false alarm rate.
[0036] In one implementation, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining the attack feature ID of the attack feature associated with the user's judgment of the false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0037] In one implementation, the step of obtaining an attack signature ID that is identified as an attack false alarm based on the enabled IPS false alarm prevention function, wherein the attack signature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining a pre-configured specific attack signature ID based on the enabled IPS false alarm prevention function, wherein the attack signature ID is included in the IPS-specific library issued to the DPI detection engine.
[0038] In one implementation, the step of obtaining each attack feature ID associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm includes: in response to the signaling that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm, allowing the associated message to pass.
[0039] The IPS records attack signature IDs that match the IPS signature database in the IPS log. Users can view the IPS log to obtain the attack signature IDs that have caused false positives. Once a user obtains an attack signature ID they believe to be a false positive, they can enable the IPS false positive function, select that attack signature ID, and mark it as an IPS false positive ID via command line or web interface. This ID is then sent to the kernel, which distributes the attack signature ID to the DPI detection engine by loading the IPS signature database.
[0040] When the IPS false alarm function is enabled, the IPS kernel engine creates a new anti-false alarm hash table. The length of the anti-false alarm hash table can be customized according to the actual number of IPS false alarm feature IDs, so that the hash table is requested according to the actual usage and memory is not wasted.
[0041] When an attack signature ID that is considered a false IPS report is sent to the kernel, the kernel will use the attack signature ID as the key of the hash table to create a node. In order to save hardware resources, the node can include only an attack signature ID within the range of an unsigned integer added to the created hash table.
[0042] Configure IPS policies to filter features in the IPS attack signature database. The selected attack features are sent to the packet detection engine. Once the packet data enters the DPI detection engine, the attack packet features are detected.
[0043] The DPI deep packet inspection engine first detects all features. If a packet matches an attack feature, it handles IPS attack false alarms by using the attack feature ID provided by the DPI packet inspection engine as the key and performing a hash lookup in the anti-false alarm hash table. If a node with that ID as the key is found in the hash table, it means that the matched IPS attack feature is a configured false alarm feature, and no action is taken; the packet is allowed to pass directly. Otherwise, IPS service processing continues.
[0044] The above technical solution can quickly and easily solve the problem of false positives in IPS attacks, save memory effectively, and have only a minor impact on the performance and efficiency of IPS packet forwarding.
[0045] In one embodiment, this disclosure also provides a network security management device, such as... Figure 2 The entire device uses a non-configurable intrusion prevention system (IPS) signature library. The device includes: a signature module 21, used to obtain attack signature IDs of attack features identified as false alarms based on the enabled IPS false alarm prevention function, the attack signature IDs being included in the IPS-specific library issued to the DPI detection engine; a configuration module 22, used to add the attack signature IDs identified as false alarms to a false alarm prevention hash table, the false alarm prevention hash table being established in response to enabling the IPS false alarm prevention function; and a determination module 23, used to obtain each attack signature ID associated with each attack behavior reported by the DPI detection engine, match each obtained attack signature ID in the false alarm prevention hash table, and determine that the attack behavior associated with the successfully matched attack signature ID is a false alarm.
[0046] In one implementation, the step of obtaining the attack feature ID of the attack feature identified as a false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining the attack feature ID of the attack feature associated with the user's judgment of the false alarm based on the enabled IPS false alarm prevention function, wherein the attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
[0047] In one implementation, the step of obtaining an attack signature ID that is identified as an attack false alarm based on the enabled IPS false alarm prevention function, wherein the attack signature ID is included in the IPS-specific library issued to the DPI detection engine, includes: obtaining a pre-configured specific attack signature ID based on the enabled IPS false alarm prevention function, wherein the attack signature ID is included in the IPS-specific library issued to the DPI detection engine.
[0048] In one implementation, the step of obtaining each attack feature ID associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm includes: in response to the signaling that the attack behavior associated with the successfully matched attack feature ID is an attack false alarm, allowing the associated message to pass.
[0049] The implementation methods of the apparatus are the same as or similar to the corresponding implementation methods, and will not be described again here.
[0050] In one embodiment, this disclosure provides an electronic device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor. The processor executes the machine-executable instructions to implement the aforementioned network security management method. From a hardware perspective, a hardware architecture diagram can be found... Figure 3 As shown.
[0051] In one embodiment, this disclosure provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned network security management method.
[0052] Here, a machine-readable storage medium can be any electronic, magnetic, optical, or other physical storage device that can contain or store information, such as executable instructions, data, etc. For example, a machine-readable storage medium can be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, storage drives (such as hard disk drives), solid-state drives, any type of storage disk (such as optical discs, DVDs, etc.), or similar storage media, or combinations thereof.
[0053] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which can take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email sending and receiving device, game console, tablet computer, wearable device, or any combination of these devices.
[0054] For ease of description, the above apparatus is described by dividing it into various functional units. Of course, in implementing this disclosure, the functions of each unit can be implemented in one or more software and / or hardware.
[0055] Those skilled in the art will understand that embodiments of this disclosure can be provided as methods, systems, or computer program products. Therefore, this disclosure can take the form of a completely hardware implementation, a completely software implementation, or an implementation combining software and hardware aspects. Furthermore, embodiments of this disclosure can take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0056] This disclosure is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0057] Furthermore, these computer program instructions can also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in the process. Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0058] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0059] Those skilled in the art will understand that embodiments of this disclosure can be provided as methods, systems, or computer program products. Therefore, this disclosure can take the form of a completely hardware implementation, a completely software implementation, or an implementation combining software and hardware aspects. Furthermore, this disclosure can take the form of a computer program product implemented on one or more computer-usable storage media (which may include, but are not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0060] The above description is merely an embodiment of this disclosure and is not intended to limit the scope of this disclosure. Various modifications and variations can be made to this disclosure by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this disclosure should be included within the scope of the claims of this disclosure.
Claims
1. A network security management method, characterized in that, Applied to a security device that uses a non-configurable intrusion prevention system (IPS) signature library, the method includes: Based on the enabled IPS false alarm prevention function, the attack feature IDs that are identified as false alarms are determined from the attack feature IDs that hit the IPS feature library recorded in the IPS log. The attack feature IDs are included in the IPS specific library that is issued to the DPI detection engine. In response to enabling the IPS false alarm prevention function, a false alarm prevention hash table is established. The length of the false alarm prevention hash table is customized according to the actual number of IPS false alarm feature IDs. Attack feature IDs that are identified as false alarms are added to the false alarm prevention hash table. The attack feature IDs are used as the keys of the false alarm prevention hash table, and the nodes of the false alarm prevention hash table only contain the attack feature IDs within the range of unsigned integers. Obtain the attack feature IDs associated with each attack behavior reported by the DPI detection engine, match the obtained attack feature IDs in the anti-false alarm hash table, and determine that the attack behavior associated with the successfully matched attack feature ID is a false alarm.
2. The method according to claim 1, characterized in that, The process involves obtaining the attack signature ID of attacks identified as false positives based on the enabled IPS false positive prevention function. This attack signature ID is included in the IPS-specific library distributed to the DPI detection engine, and includes: The attack feature ID, which is associated with the attack characteristics determined by the user based on the enabled IPS false alarm prevention function, is obtained. The attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
3. The method according to claim 1, characterized in that, The process involves obtaining the attack signature ID of attacks identified as false positives based on the enabled IPS false positive prevention function. This attack signature ID is included in the IPS-specific library distributed to the DPI detection engine, and includes: The method involves obtaining a pre-configured specific attack signature ID based on the enabled IPS false alarm prevention function. The attack signature ID is included in the IPS-specific library issued to the DPI detection engine.
4. The method according to claim 1, characterized in that, The process of obtaining attack feature IDs associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with a successfully matched attack feature ID is a false alarm includes: In response to the signaling that the attack behavior associated with the successfully matched attack signature ID is a false alarm, the associated message is allowed to pass.
5. A network security management device, characterized in that, Applied to a security device that uses a non-configurable intrusion prevention system (IPS) signature library, the device includes: The feature module is used to determine and obtain the attack feature ID of the attack feature that is identified as a false alarm from each attack feature ID that hits the IPS feature library recorded in the IPS log, based on the enabled IPS false alarm prevention function. The attack feature ID is included in the IPS specific library that is issued to the DPI detection engine. The configuration module is used to establish a false alarm prevention hash table in response to enabling the IPS false alarm prevention function. The length of the false alarm prevention hash table is customized according to the actual number of IPS false alarm feature IDs. Attack feature IDs that are identified as false alarms are added to the false alarm prevention hash table. The attack feature IDs are used as the keys of the false alarm prevention hash table, and the nodes of the false alarm prevention hash table only contain the attack feature IDs within the range of unsigned integers. The determination module is used to obtain the attack feature IDs associated with each attack behavior reported by the DPI detection engine, match the obtained attack feature IDs in the anti-false alarm hash table, and determine whether the attack behavior associated with the successfully matched attack feature ID is a false alarm.
6. The apparatus according to claim 5, characterized in that, The process involves obtaining the attack signature ID of attacks identified as false positives based on the enabled IPS false positive prevention function. This attack signature ID is included in the IPS-specific library distributed to the DPI detection engine, and includes: The attack feature ID, which is associated with the attack characteristics determined by the user based on the enabled IPS false alarm prevention function, is obtained. The attack feature ID is included in the IPS-specific library issued to the DPI detection engine.
7. The apparatus according to claim 5, characterized in that, The process involves obtaining the attack signature ID of attacks identified as false positives based on the enabled IPS false positive prevention function. This attack signature ID is included in the IPS-specific library distributed to the DPI detection engine, and includes: The method involves obtaining a pre-configured specific attack signature ID based on the enabled IPS false alarm prevention function. The attack signature ID is included in the IPS-specific library issued to the DPI detection engine.
8. The apparatus according to claim 5, characterized in that, The process of obtaining attack feature IDs associated with each attack behavior reported by the DPI detection engine, matching the obtained attack feature IDs in the anti-false alarm hash table, and determining that the attack behavior associated with a successfully matched attack feature ID is a false alarm includes: In response to the signaling that the attack behavior associated with the successfully matched attack signature ID is a false alarm, the associated message is allowed to pass.
9. An electronic device, characterized in that, include: A processor and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor to implement the method of any one of claims 1-4.
10. A machine-readable storage medium, characterized in that, The machine-readable storage medium stores machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method described in any one of claims 1-4.