公开(公告)号：US09380067B2

公开(公告)日：2016-06-28

申请号：US14317278

申请日：2014-06-27

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhihui Xue ,  Wu Jiang ,  Shiguang Li ,  Shiguang Wan

IPC: G06F21/55 ,  H04L29/06 ,  H04L12/26

CPC classification number: H04L63/1416 ,  H04L43/026 ,  H04L63/02 ,  H04L63/0263 ,  H04L63/1441

Abstract: An IPS detection processing method, a network security device and a system are disclosed. The method includes: determining, by a network security device, whether an internal network device is a client or a server; if the internal network device is the client, simplifying an IPS signature rule base to obtain an IPS signature rule base corresponding to the client, or if the internal network device is the server, simplifying the IPS signature rule base to obtain an IPS signature rule base corresponding to the server; generating a state machine according to a signature rule in the IPS signature rule base obtained through simplifying processing; and performing IPS detection on flowing-through traffic by applying the state machine. In embodiments of the present invention, the network security device performs IPS detection by adopting the state machine with a redundant state removed, thereby improving IPS detection efficiency.

Abstract translation: 公开了IPS检测处理方法，网络安全装置和系统。 该方法包括：由网络安全设备确定内部网络设备是客户端还是服务器; 如果内部网络设备是客户端，则简化IPS签名规则库，以获取与客户端相对应的IPS签名规则库，或者内部网络设备为服务器，简化IPS签名规则库以获取IPS签名规则库 对应于服务器; 根据通过简化处理获得的IPS签名规则库中的签名规则生成状态机; 并通过应用状态机对流量进行IPS检测。 在本发明的实施例中，网络安全装置通过采用去除冗余状态的状态机来执行IPS检测，从而提高IPS检测效率。

公开(公告)号：US09331981B2

公开(公告)日：2016-05-03

申请号：US14307014

申请日：2014-06-17

Applicant: Huawei Technologies Co., Ltd.

Inventor： Wu Jiang ,  Zhihui Xue ,  Shiguang Li ,  Shiguang Wan

IPC: H04L29/06 ,  G06F17/30 ,  H04L29/08

CPC classification number: H04L63/0245 ,  G06F17/30876 ,  H04L63/0227 ,  H04L63/0236 ,  H04L63/20 ,  H04L67/02

Abstract: A method and an apparatus for filtering a uniform resource locator (URL). According to the method, a first category corresponding to a URL connection request can be found in a pre-stored category information table; when the first category conforms to a predetermined URL passing through policy, the URL connection request is allowed to pass through; the URL connection request is forwarded to a corresponding server; a second category corresponding to a URL is determined according to web page content returned by the server; if the second category conforms to the predetermined URL passing through policy, the web page content is sent to a client; if the second category does not conform to the predetermined URL passing through policy, the web page content is blocked. A category to which a URL belongs can be determined in real time, and implementing a function of accurate category filtration.

Abstract translation: 用于过滤统一资源定位符（URL）的方法和装置。 根据该方法，可以在预先存储的类别信息表中找到对应于URL连接请求的第一类别; 当第一类别符合通过策略的预定URL时，允许URL连接请求通过; URL连接请求被转发到相应的服务器; 根据服务器返回的网页内容确定与URL对应的第二类别; 如果第二类符合通过策略的预定URL，则将网页内容发送给客户端; 如果第二类别不符合通过策略的预定URL，则网页内容被阻止。 可以实时确定URL所属的类别，并实现准确的类别过滤功能。

公开(公告)号：US20140317718A1

公开(公告)日：2014-10-23

申请号：US14317278

申请日：2014-06-27

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhihui Xue ,  Wu Jiang ,  Shiguang Li ,  Shiguang Wan

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  H04L43/026 ,  H04L63/02 ,  H04L63/0263 ,  H04L63/1441

Abstract: An IPS detection processing method, a network security device and a system are disclosed. The method includes: determining, by a network security device, whether an internal network device is a client or a server; if the internal network device is the client, simplifying an IPS signature rule base to obtain an IPS signature rule base corresponding to the client, or if the internal network device is the server, simplifying the IPS signature rule base to obtain an IPS signature rule base corresponding to the server; generating a state machine according to a signature rule in the IPS signature rule base obtained through simplifying processing; and performing IPS detection on flowing-through traffic by applying the state machine. In embodiments of the present invention, the network security device performs IPS detection by adopting the state machine with a redundant state removed, thereby improving IPS detection efficiency.

Abstract translation: 公开了IPS检测处理方法，网络安全装置和系统。 该方法包括：由网络安全设备确定内部网络设备是客户端还是服务器; 如果内部网络设备是客户端，则简化IPS签名规则库，以获取与客户端相对应的IPS签名规则库，或者内部网络设备为服务器，简化IPS签名规则库以获取IPS签名规则库 对应于服务器; 根据通过简化处理获得的IPS签名规则库中的签名规则生成状态机; 并通过应用状态机对流量进行IPS检测。 在本发明的实施例中，网络安全装置通过采用去除冗余状态的状态机来执行IPS检测，从而提高IPS检测效率。

公开(公告)号：US09398027B2

公开(公告)日：2016-07-19

申请号：US14305723

申请日：2014-06-16

Applicant: Huawei Technologies Co., Ltd.

Inventor： Shiguang Li ,  Wu Jiang ,  Zhihui Xue ,  Linghong Ruan

IPC: H04L29/00 ,  H04L29/06 ,  H04L12/26 ,  H04L12/24

CPC classification number: H04L63/14 ,  H04L41/082 ,  H04L43/028 ,  H04L63/0236 ,  H04L63/1408

Abstract: A data detecting method and apparatus for a firewall device connected with a network to identify security threat in the data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information in the received application data; determines an application protocol type corresponding to the application data according to the application information and an application identifying table; queries a configuration item for threat detection according to the application protocol type to determine whether the application data requires threat detection; and if the application data does not require threat detection, forwarding the application data. The data detecting method avoids a problem that performance of a firewall is degraded because all application data is sent to a detecting processor in the firewall device for detection, thereby improving an performance of the firewall device.

Abstract translation: 一种用于与网络连接以识别数据中的安全威胁的防火墙设备的数据检测方法和装置，其中该方法由防火墙设备中的快速转发器实现，并且包括：快速转发器接收应用数据; 获取所接收的应用数据中的应用信息; 根据应用信息和应用识别表确定与应用数据相对应的应用协议类型; 根据应用协议类型查询配置项进行威胁检测，以确定应用数据是否需要威胁检测; 并且如果应用程序数据不需要威胁检测，则转发应用程序数据。 数据检测方法避免了防火墙性能下降的问题，因为所有应用数据都发送到防火墙设备中的检测处理器进行检测，从而提高了防火墙设备的性能。

公开(公告)号：US20140298466A1

公开(公告)日：2014-10-02

申请号：US14305723

申请日：2014-06-16

Applicant: Huawei Technologies Co., Ltd.

Inventor： Shiguang Li ,  Wu Jiang ,  Zhihui Xue ,  Linghong Ruan

IPC: H04L29/06

CPC classification number: H04L63/14 ,  H04L41/082 ,  H04L43/028 ,  H04L63/0236 ,  H04L63/1408

Abstract: A data detecting method and apparatus for a firewall device connected with a network to identify security threat in the data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information in the received application data; determines an application protocol type corresponding to the application data according to the application information and an application identifying table; queries a configuration item for threat detection according to the application protocol type to determine whether the application data requires threat detection; and if the application data does not require threat detection, forwarding the application data. The data detecting method avoids a problem that performance of a firewall is degraded because all application data is sent to a detecting processor in the firewall device for detection, thereby improving an performance of the firewall device.

Abstract translation: 一种用于与网络连接以识别数据中的安全威胁的防火墙设备的数据检测方法和装置，其中该方法由防火墙设备中的快速转发器实现，并且包括：快速转发器接收应用数据; 获取所接收的应用数据中的应用信息; 根据应用信息和应用识别表确定与应用数据相对应的应用协议类型; 根据应用协议类型查询配置项进行威胁检测，以确定应用数据是否需要威胁检测; 并且如果应用程序数据不需要威胁检测，则转发应用程序数据。 数据检测方法避免了防火墙性能下降的问题，因为所有应用数据都发送到防火墙设备中的检测处理器进行检测，从而提高了防火墙设备的性能。

公开(公告)号：US20140298445A1

公开(公告)日：2014-10-02

申请号：US14307014

申请日：2014-06-17

Applicant: Huawei Technologies Co., Ltd.

Inventor： Wu Jiang ,  Zhihui Xue ,  Shiguang Li ,  Shiguang Wan

IPC: H04L29/06

CPC classification number: H04L63/0245 ,  G06F17/30876 ,  H04L63/0227 ,  H04L63/0236 ,  H04L63/20 ,  H04L67/02

Abstract: A method and an apparatus for filtering a uniform resource locator (URL). According to the method, a first category corresponding to a URL connection request can be found in a pre-stored category information table; when the first category conforms to a predetermined URL passing through policy, the URL connection request is allowed to pass through; the URL connection request is forwarded to a corresponding server; a second category corresponding to a URL is determined according to web page content returned by the server; if the second category conforms to the predetermined URL passing through policy, the web page content is sent to a client; if the second category does not conform to the predetermined URL passing through policy, the web page content is blocked. A category to which a URL belongs can be determined in real time, and implementing a function of accurate category filtration.

Abstract translation: 用于过滤统一资源定位符（URL）的方法和装置。 根据该方法，可以在预先存储的类别信息表中找到对应于URL连接请求的第一类别; 当第一类别符合通过策略的预定URL时，允许URL连接请求通过; URL连接请求被转发到相应的服务器; 根据服务器返回的网页内容确定与URL对应的第二类别; 如果第二类符合通过策略的预定URL，则将网页内容发送给客户端; 如果第二类别不符合通过策略的预定URL，则网页内容被阻止。 可以实时确定URL所属的类别，并实现准确的类别过滤功能。