1. Network Attack Detection Method and Apparatus

    Publication number: US20230025946A1

    Publication date: 2023-01-26

    Application number: US17956591

    Filing date: 2022-09-29

    Abstract: A network attack detection method and apparatus is provided. The network protection device obtains first key data from received first network traffic, and matches the first key data with an attack signature in a signature database to obtain a first matching result; if the network protection device determines, based on the first matching result, that the first network traffic is aggressive, the network protection device obtains a target attack detection model based on the first network traffic, where the target attack detection model is used to identify one or more attack signatures that are different from the attack signature in the signature database; and when the network protection device receives second network traffic, the network protection device determines, based on the target attack detection model, whether the second network traffic is aggressive.

    2. Method and System for Identifying File Type

    Patent type: Invention application (published)

    Legal status: In force

    Publication number: US20140310322A1

    Publication date: 2014-10-16

    Application number: US14314711

    Filing date: 2014-06-25

    CPC classification number: G06F17/30115 G06F17/3012

    Abstract: A method and a system for identifying a file type. A modification interface may be provided so that a user inputs a file feature parameter, and the file feature parameter input by the user is added to a file type configuration file, then the file type configuration file is loaded to a state machine to perform file type identification. Therefore, the user can modify a file feature parameter in the original file type configuration file, and when a file feature parameter of a file of a certain type is changed or a file of a new type appears, the user can update a file feature parameter in the state machine in time to identify the changed file or the file of the new type. In this way, the user does not need to search for an identification tool on the Internet.


    3. Packet processing method and apparatus, device, and computer-readable storage medium

    Publication number: US12218937B2

    Publication date: 2025-02-04

    Application number: US17731893

    Filing date: 2022-04-28

    Inventor: Shiguang Li

    Abstract: A packet processing method. A protection device receives a first access request packet. The first access request packet includes a packet sent based on a TCP/IP protocol. The protection device extracts a first fingerprint feature from a transport-layer packet header and/or a network-layer packet header of the first access request packet. The first fingerprint feature corresponds to an operating system type of a terminal device that transmits the first access request packet. The protection device recognizes the first fingerprint feature based on a fingerprint feature database to determine whether to allow the first access request packet to access a server. The protection device allows the first access request packet to pass through when the first access request packet is allowed to access the server. The protection device blocks the first access request packet when the first access request packet is not allowed to access the server.

    4. IPS detection processing method, network security device, and system

    Patent type: Granted invention

    Legal status: In force

    Publication number: US09380067B2

    Publication date: 2016-06-28

    Application number: US14317278

    Filing date: 2014-06-27

    Abstract: An IPS detection processing method, a network security device and a system are disclosed. The method includes: determining, by a network security device, whether an internal network device is a client or a server; if the internal network device is the client, simplifying an IPS signature rule base to obtain an IPS signature rule base corresponding to the client, or if the internal network device is the server, simplifying the IPS signature rule base to obtain an IPS signature rule base corresponding to the server; generating a state machine according to a signature rule in the IPS signature rule base obtained through simplifying processing; and performing IPS detection on flowing-through traffic by applying the state machine. In embodiments of the present invention, the network security device performs IPS detection by adopting the state machine with a redundant state removed, thereby improving IPS detection efficiency.


    5. Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium

    Publication number: US20220263823A1

    Publication date: 2022-08-18

    Application number: US17731893

    Filing date: 2022-04-28

    Inventor: Shiguang Li

    Abstract: A packet processing method. A protection device receives a first access request packet. The first access request packet includes a packet sent based on a TCP/IP protocol. The protection device extracts a first fingerprint feature from a transport-layer packet header and/or a network-layer packet header of the first access request packet. The first fingerprint feature corresponds to an operating system type of a terminal device that transmits the first access request packet. The protection device recognizes the first fingerprint feature based on a fingerprint feature database to determine whether to allow the first access request packet to access a server. The protection device allows the first access request packet to pass through when the first access request packet is allowed to access the server. The protection device blocks the first access request packet when the first access request packet is not allowed to access the server.

    6. Method and apparatus for filtering URL

    Patent type: Granted invention

    Legal status: In force

    Publication number: US09331981B2

    Publication date: 2016-05-03

    Application number: US14307014

    Filing date: 2014-06-17

    Abstract: A method and an apparatus for filtering a uniform resource locator (URL). According to the method, a first category corresponding to a URL connection request is looked up in a pre-stored category information table; when the first category conforms to a predetermined URL pass-through policy, the URL connection request is allowed to pass through and is forwarded to the corresponding server; a second category corresponding to the URL is then determined from the web page content returned by the server; if the second category conforms to the predetermined URL pass-through policy, the web page content is sent to the client, and if it does not, the web page content is blocked. The category to which a URL belongs can thus be determined in real time, implementing accurate category-based filtering.


    7. Anti-Virus Method and Apparatus and Firewall Device

    Patent type: Invention application (published)

    Legal status: Under examination, published

    Publication number: US20140331306A1

    Publication date: 2014-11-06

    Application number: US14333788

    Filing date: 2014-07-17

    CPC classification number: H04L63/1408 H04L63/02 H04L63/1416 H04L63/145

    Abstract: An anti-virus method which includes: receiving, by a first thread, data packets belonging to the same data stream, and sequentially buffering the payload data of those received data packets that bear file content into a first queue; reading, by a second thread, the payload data of at least one data packet from the start position of the first queue, and determining whether the payload data in the first queue is the file content of a compressed file. If it is, the compressed format of the compressed file is identified, a decompression algorithm is queried from a mapping between compressed formats and decompression algorithms, the payload data of the data packets is read one by one from the first queue, decompression processing is performed separately on the payload data read each time by using the queried decompression algorithm, and anti-virus detection is performed separately on the file content that is obtained.


    8. IPS Detection Processing Method, Network Security Device, and System

    Patent type: Invention application (published)

    Legal status: In force

    Publication number: US20140317718A1

    Publication date: 2014-10-23

    Application number: US14317278

    Filing date: 2014-06-27

    Abstract: An IPS detection processing method, a network security device and a system are disclosed. The method includes: determining, by a network security device, whether an internal network device is a client or a server; if the internal network device is the client, simplifying an IPS signature rule base to obtain an IPS signature rule base corresponding to the client, or if the internal network device is the server, simplifying the IPS signature rule base to obtain an IPS signature rule base corresponding to the server; generating a state machine according to a signature rule in the IPS signature rule base obtained through simplifying processing; and performing IPS detection on flowing-through traffic by applying the state machine. In embodiments of the present invention, the network security device performs IPS detection by adopting the state machine with a redundant state removed, thereby improving IPS detection efficiency.


    9. Method and system for identifying file type

    Patent type: Granted invention

    Legal status: In force

    Publication number: US09405758B2

    Publication date: 2016-08-02

    Application number: US14314711

    Filing date: 2014-06-25

    CPC classification number: G06F17/30115 G06F17/3012

    Abstract: A method and a system for identifying a file type. A modification interface may be provided so that a user inputs a file feature parameter, and the file feature parameter input by the user is added to a file type configuration file, then the file type configuration file is loaded to a state machine to perform file type identification. Therefore, the user can modify a file feature parameter in the original file type configuration file, and when a file feature parameter of a file of a certain type is changed or a file of a new type appears, the user can update a file feature parameter in the state machine in time to identify the changed file or the file of the new type. In this way, the user does not need to search for an identification tool on the Internet.


    10. Data detecting method and apparatus for firewall

    Patent type: Granted invention

    Legal status: In force

    Publication number: US09398027B2

    Publication date: 2016-07-19

    Application number: US14305723

    Filing date: 2014-06-16

    Abstract: A data detecting method and apparatus for a firewall device connected to a network, used to identify security threats in data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information from the received application data; determines the application protocol type corresponding to the application data according to the application information and an application identifying table; queries a threat-detection configuration item according to the application protocol type to determine whether the application data requires threat detection; and, if the application data does not require threat detection, forwards the application data. The data detecting method avoids the performance degradation that results when all application data is sent to the detecting processor in the firewall device for detection, thereby improving the performance of the firewall device.
