Data detecting method and apparatus for firewall
    31.
    Granted invention patent
    Data detecting method and apparatus for firewall (status: active)

    Publication number: US09398027B2

    Publication date: 2016-07-19

    Application number: US14305723

    Filing date: 2014-06-16

    Abstract: A data detecting method and apparatus for a firewall device connected with a network to identify security threats in the data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information in the received application data; determines an application protocol type corresponding to the application data according to the application information and an application identifying table; queries a configuration item for threat detection according to the application protocol type to determine whether the application data requires threat detection; and if the application data does not require threat detection, forwards the application data. The data detecting method avoids the problem that the performance of a firewall is degraded because all application data is sent to a detecting processor in the firewall device for detection, thereby improving the performance of the firewall device.


    Method, Apparatus, and Device for Detecting E-Mail Attack
    32.
    Invention application
    Method, Apparatus, and Device for Detecting E-Mail Attack (status: under examination, published)

    Publication number: US20150033343A1

    Publication date: 2015-01-29

    Application number: US14512777

    Filing date: 2014-10-13

    Abstract: A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow; obtains an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods, where within each statistic period, the E-mail traffic parameter of each of the statistic periods is determined according to a protocol type of the received data flow; and determines that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold. By applying the disclosed embodiments, a detection result of the E-mail attack is more accurate.


    Data Detecting Method and Apparatus for Firewall
    33.
    Invention application
    Data Detecting Method and Apparatus for Firewall (status: active)

    Publication number: US20140298466A1

    Publication date: 2014-10-02

    Application number: US14305723

    Filing date: 2014-06-16

    Abstract: A data detecting method and apparatus for a firewall device connected with a network to identify security threats in the data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information in the received application data; determines an application protocol type corresponding to the application data according to the application information and an application identifying table; queries a configuration item for threat detection according to the application protocol type to determine whether the application data requires threat detection; and if the application data does not require threat detection, forwards the application data. The data detecting method avoids the problem that the performance of a firewall is degraded because all application data is sent to a detecting processor in the firewall device for detection, thereby improving the performance of the firewall device.


    Method and Apparatus for Filtering URL
    34.
    Invention application
    Method and Apparatus for Filtering URL (status: active)

    Publication number: US20140298445A1

    Publication date: 2014-10-02

    Application number: US14307014

    Filing date: 2014-06-17

    Abstract: A method and an apparatus for filtering a uniform resource locator (URL). According to the method, a first category corresponding to a URL connection request can be found in a pre-stored category information table; when the first category conforms to a predetermined URL passing through policy, the URL connection request is allowed to pass through; the URL connection request is forwarded to a corresponding server; a second category corresponding to a URL is determined according to web page content returned by the server; if the second category conforms to the predetermined URL passing through policy, the web page content is sent to a client; if the second category does not conform to the predetermined URL passing through policy, the web page content is blocked. A category to which a URL belongs can be determined in real time, thereby implementing a function of accurate category filtration.


    METHOD FOR IDENTIFYING FILE TYPE AND APPARATUS FOR IDENTIFYING FILE TYPE
    35.
    Invention application
    METHOD FOR IDENTIFYING FILE TYPE AND APPARATUS FOR IDENTIFYING FILE TYPE (status: under examination, published)

    Publication number: US20140189879A1

    Publication date: 2014-07-03

    Application number: US14198326

    Filing date: 2014-03-05

    CPC classification number: G06F21/60 G06F21/64 H04L63/0245 H04L63/145 H04L67/06

    Abstract: A method for identifying a file type and an apparatus for identifying a file type, so as to solve a problem in the prior art that a file type cannot be effectively identified when a sender tampers with a file being transmitted. The method includes: acquiring, from a transmitted data packet, a file header of a file to be identified, and determining whether a magic number can be obtained from the file header; if the magic number can be obtained, searching for the file type that corresponds to the magic number; determining whether data of the file to be identified complies with a data structure feature of the file type; if yes, determining that a file type of the file to be identified is the file type that corresponds to the magic number; and if not, determining that a file type of the file is an abnormal type.

