
CN117675329A - Network protection method, device and storage medium - Google Patents


Info

Publication number
CN117675329A
Authority
CN
China
Prior art keywords
sealing
stopping
network
time
grade
Prior art date
Legal status
Pending
Application number
CN202311634231.3A
Other languages
Chinese (zh)
Inventor
朱聿津
冯美琪
王立松
蒋冰
钟毅
Current Assignee
China Travelsky Technology Co Ltd
Original Assignee
China Travelsky Technology Co Ltd
Application filed by China Travelsky Technology Co Ltd
Priority to CN202311634231.3A
Publication of CN117675329A
Current legal status: Pending


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a network protection method, a network protection device and a storage medium, applied in the technical field of network security. In the application, the type of the IP is first judged, and then the blocking level is determined according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP. Finally, the blocking duration of the IP is adjusted according to the IP's attacks on the network, and the IP is blocked for that duration so as to protect the network. Embodiments in specific application scenarios are also provided. Based on the method and the device, the problems that attack behaviour cannot be flexibly prevented and that network protection efficiency is low can be solved.

Description

Network protection method, device and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, and a storage medium for protecting a network.
Background
With the continuing deepening of informatization, the network security situation in China remains severe in the interconnection of internal and external networks: network attacks from the network boundary and security risks such as viruses and trojan penetration all exist. Defending against network attacks and intrusions is an important security mechanism for safeguarding information network security while internal and external networks are interconnected. However, the network protection methods in the prior art cannot flexibly prevent attack behaviour when handling external threats, and their protection efficiency is low.
Disclosure of Invention
In view of this, the embodiments of the present application provide a method, an apparatus, and a storage medium for network protection, which aim to solve the problems that attack behavior cannot be flexibly prevented and network protection efficiency is low.
In a first aspect, an embodiment of the present application provides a method for protecting a network, where the method includes:
judging the type of the IP;
determining a blocking level according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP;
adjusting the blocking duration of the IP according to the IP's attacks on the network;
and blocking the IP for the blocking duration so as to protect the network.
In a second aspect, an embodiment of the present application provides an apparatus for network protection, where the apparatus includes a judging module, a level determining module, a time determining module and a blocking module;
the judging module is used for judging the type of the IP;
the level determining module is used for determining a blocking level according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP;
the time determining module is used for adjusting the blocking duration of the IP according to the IP's attacks on the network;
and the blocking module is used for blocking the IP for the blocking duration so as to protect the network.
In a third aspect, embodiments of the present application provide a computer storage medium having code stored therein, which when executed, causes an apparatus for executing the code to implement a method according to any one of the first aspects.
When the method is executed, the type of the IP is judged, the blocking level is then determined according to the type of the IP, and the blocking level corresponds to a blocking duration for the IP. Finally, the blocking duration of the IP is adjusted according to the number of attacks the IP has made on the network, and the IP is blocked for that duration so as to protect the network. Thus, by scoring the behaviour of external-network attack IPs, evaluating the risk of each IP, and setting different blocking levels to block different IPs, blocking can be tailored to each IP instead of applying one rigid, one-size-fits-all rule; this improves the flexibility of network protection, reduces the consumption of system resources, and improves the efficiency of network protection. At the same time, because the blocking duration is determined by the number of attacks of the IP, the penalty for IPs that repeatedly attack the network can be increased, effectively blocking the network security risk. In addition, a timed reset of the blocking level is provided, so that ordinary IPs are not penalised, which reflects the flexibility and adaptability of the network protection method provided here.
Drawings
In order to more clearly illustrate the present embodiments or the technical solutions in the prior art, the drawings that are required for the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for protecting a network according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for determining a blocking level according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a network protection device according to an embodiment of the present application;
Fig. 4 is a flowchart of a method for protecting a network in an application scenario according to an embodiment of the present application;
Fig. 5 is a flowchart of a method for resetting the historical highest blocking level according to an embodiment of the present application;
Fig. 6 shows a specific network protection method in an application scenario provided in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Network boundary security defence has long been an important means of protecting against external attacks and internal information leakage. Conventional network boundary security protection technologies mainly include firewalls, multi-function security gateways, network gatekeepers, virtual private networks, and the like. Multi-function security gateways integrate several security features and can defend against more attacks than a firewall, but because of that multiplicity of functions they are less stable and less available than firewall technology. Gatekeepers and virtual private network technology mainly establish a data channel to exchange data, and their application scenario is better suited to completely isolating an enterprise's private network from the outside than to opening that network up. Finally, a firewall can control the information flow entering the network according to a given security policy (permit, reject, discard and monitor), and is suitable as the sole access protection of a network that is opened up to a limited extent. Therefore, most enterprises now use firewall technology for network boundary security defence.
Firewall technology organically combines software and hardware devices for security management and screening to help a computer network build a relatively isolated protective barrier between the internal and external networks; it is mainly used to prevent, according to preset rules, the security risks and data transmission problems that may arise while the computer network operates. For malicious attack IPs on the Internet, most enterprises currently choose to block them permanently on the firewall, but this approach has certain defects.
Research into the related technology finds that the current common industry approach to handling external network attacks in boundary protection is mainly to add rules directly on the firewall and block the external IP to prohibit its access. However, this approach has certain limitations, mainly:
1. Firewall performance limitations. Firewall policies form a top-down ordered list, and the blocked IPs must be placed at the very front of all policies. A very large number of blocking policies means that every flow must be checked against those policies, and factors such as system memory consumption, CPU processing capacity and the actual carrying capacity of the physical link must all be considered; thus the more blocking rules there are, the lower the firewall's efficiency, which causes congestion or overflow.
2. Permanent blocking has a large impact on normal traffic. IP addresses can be forged and purchased, so after a period of time the service an IP belongs to may become a normally accessing client IP. Existing IP blocking is mainly permanent, the blocking duration cannot be adjusted dynamically, and normal service access IPs can be affected.
On this basis, the application provides a network protection method, a network protection device and a storage medium. The method can judge the source of an attack IP coming from the external network, and uses the firewall to permanently block IPs that appear in the threat intelligence of higher-level units. IPs from other sources are scored to determine their blocking level; different blocking levels have different blocking durations, and frequent attacks extend the blocking duration, so as to protect the network.
Fig. 1 is a flowchart of a method for protecting a network according to an embodiment of the present application. Referring to fig. 1, the method includes:
S11: judging the type of the IP.
IP is the core of the whole TCP/IP protocol family and also forms the basis of the Internet. IP sits at the network layer of the TCP/IP model (corresponding to the network layer of the OSI model); it carries the data of various transport-layer protocols such as TCP and UDP, and IP packets are handed to the link layer for delivery over various technologies such as Ethernet and token ring networks.
A specific implementation of "judging the type of the IP" in step S11 may be: performing statistical analysis on the historical data of the network; extracting the distinguishing features between normal data and attack data in the historical data; and determining the type of the IP based on the distinguishing features.
The distinguishing features may include, but are not limited to, the following. (1) Threat level of alarms: detection-result alarms mainly originate from security devices, and their elements include, but are not limited to, the number of high-risk and critical alarms, the number of compromised and successful alarms, the number of alarm types, and so on. The number of high-risk and critical alarms represents how dangerous the attack behaviour is, the number of compromised and successful alarms represents a suspected or successful breach of the boundary into the internal network, and the number of alarm types represents how frequent the attacks are.
(2) Behavioural features of the attack: statistics derived mainly from flow data, whose elements include, but are not limited to, traffic as a percentage of egress bandwidth, the number of destination addresses, the number of application services, and so on.
(3) Threat intelligence: derived mainly from IP threat intelligence data, whose elements include, but are not limited to, the reputation value of the IP address.
The classification of the IP can be achieved through statistical analysis of the distinguishing features above; the specific kinds and elements of the distinguishing features can be chosen by those skilled in the art according to the actual situation and application scenario, and are not limited here.
Specifically, the IP here is an IP attacking from the external network, and the source of the attack IP needs to be determined first. The type of the IP can be determined from the source of the attack IP, and the subsequent blocking level and blocking duration are determined according to that type. For example, if the attack IP is one reported by the government and considered threatening by the authorities, its default blocking duration is permanent and the blocking operation is performed directly on the firewall. If not, the external-network attack IP is scored, and the blocking level and blocking duration are determined from the score. By judging the type of the IP, the processing mode for each type can be determined, improving processing efficiency and reducing resource consumption.
S12: and determining a sealing and stopping grade according to the type of the IP, wherein the sealing and stopping grade has a corresponding relation with the sealing and stopping time of the IP.
In the "determining the sealing and stopping level according to the type of the IP" mentioned in step S12, fig. 2 is a flowchart of a method for determining the sealing and stopping level provided in the embodiment of the present application, as shown in fig. 2, a specific implementation method may be:
S121: and training a big data scoring model based on the distinguishing features.
In this embodiment, specific explanation is made taking the distinguishing features including threat degrees of alarms, behavioral features of attacks and threat information as examples.
The "training the big data scoring model based on the distinguishing features" mentioned in step S121 may be specifically implemented as follows: alarming according to the detection result of the safety equipment to determine the threat degree of the alarming; carrying out statistical analysis on the flow data to obtain behavior characteristics of the attack; determining threat information based on an information credit value of the IP, wherein the information credit value is used for representing the trust degree of the network to the IP; and training the big data scoring model based on the threat degree of the alarm, the behavior characteristics of the attack and the threat information serving as input data of the big data scoring model.
As can be seen from the above description, the distinguishing features are input data trained by a big data scoring model, wherein the threat level of the alarm needs to be determined by the detection result of the security device; the behavior characteristics of the attack are required to be obtained through analysis of statistical results of the data; threat intelligence is primarily derived from IP threat intelligence data including, but not limited to: reputation value of IP address. Through the acquisition of the distinguishing characteristics, input training data is provided for the big data scoring model, so that the subsequent big data scoring model can conveniently score the IP.
S122: and scoring the IP based on the big data scoring model.
The implementation method of step S122 may be: calculating the characteristic value of the distinguishing characteristic; inputting the calculated characteristic value into the big data scoring model; different independent variable coefficients are distributed by utilizing different elements in the distinguishing characteristics; and calculating the score of the IP by using a logistic regression algorithm based on the independent variable coefficient.
Specifically, based on the case of the distinguishing feature, determining feature values for each element in the distinguishing feature, inputting the corresponding feature values into a big data scoring model, and analyzing by a logistic regression algorithm to obtain the independent variable coefficient. The independent variable coefficient is optimized by utilizing an algorithm, algorithm parameters are adjusted, the sensitivity, the specificity and the F1 value of the model under different parameters are compared, and the independent variable coefficient corresponding to the optimal result is selected. And carrying out IP scoring calculation according to the determined independent variable coefficient. The above-mentioned method for obtaining the independent variable coefficient through analysis of the logistic regression algorithm is only one method for obtaining the independent variable coefficient, and the independent variable coefficient can be obtained through calculation by distributing different weights, and the specific method can be determined by a person skilled in the art according to actual situations and application scenes, and is not limited herein.
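As an added illustration of steps S11 to S122 (example code written for this page, not code from the patent or its applicant), the following Python computes the three groups of distinguishing features from constructed alarm, flow and reputation records, fits the independent-variable coefficients by logistic regression on a constructed labelled history, reports sensitivity, specificity and F1, and converts the fitted probability into a 0 to 100 IP score. The record layouts, the scaling constants, the sample addresses, the labelled history and the gradient-descent settings are all assumptions made for the example; the patent does not specify them.

```python
import math

# --- Constructed sample data (assumptions for this example, not from the patent) ---
# Detection-result alarms from security devices, keyed by source IP.
ALERTS = [
    {"src": "203.0.113.10", "severity": "critical", "type": "sqli", "outcome": "success"},
    {"src": "203.0.113.10", "severity": "high", "type": "sqli", "outcome": "blocked"},
    {"src": "203.0.113.10", "severity": "high", "type": "webshell", "outcome": "compromised"},
    {"src": "203.0.113.10", "severity": "medium", "type": "scan", "outcome": "blocked"},
    {"src": "198.51.100.7", "severity": "medium", "type": "scan", "outcome": "blocked"},
    {"src": "198.51.100.7", "severity": "low", "type": "scan", "outcome": "blocked"},
]
# Per-IP flow statistics over the same window: bytes sent, distinct destinations, distinct services.
FLOWS = {
    "203.0.113.10": {"bytes": 400_000_000, "dst": 120, "services": 9},
    "198.51.100.7": {"bytes": 2_000_000, "dst": 1, "services": 1},
    "192.0.2.44": {"bytes": 500_000, "dst": 1, "services": 1},
}
EGRESS_BYTES = 1_000_000_000  # egress capacity over the window (constructed)
REPUTATION = {"203.0.113.10": 15, "198.51.100.7": 70, "192.0.2.44": 95}  # 0 = bad, 100 = good

# Constructed historical feature rows (same layout as extract_features), 1 = attack, 0 = normal.
HISTORY = [
    ([0.4, 0.3, 0.4, 0.6, 1.5, 1.0, 0.9], 1),
    ([0.2, 0.1, 0.2, 0.3, 0.8, 0.5, 0.7], 1),
    ([0.1, 0.1, 0.2, 0.2, 0.5, 0.4, 0.8], 1),
    ([0.0, 0.0, 0.1, 0.01, 0.02, 0.1, 0.2], 0),
    ([0.0, 0.0, 0.0, 0.0, 0.01, 0.1, 0.1], 0),
    ([0.1, 0.0, 0.1, 0.05, 0.05, 0.2, 0.3], 0),
]


def extract_features(ip):
    """Feature vector for one IP, in the order
    [high/critical alarms, compromised/successful alarms, alarm types,
     traffic share of egress, destination count, service count, intel risk].
    Counts are scaled to roughly [0, 1] (assumed scaling) so the regression trains stably."""
    mine = [a for a in ALERTS if a["src"] == ip]
    high_crit = sum(a["severity"] in ("high", "critical") for a in mine)
    breached = sum(a["outcome"] in ("success", "compromised") for a in mine)
    n_types = len({a["type"] for a in mine})
    flow = FLOWS.get(ip, {"bytes": 0, "dst": 0, "services": 0})
    rep_risk = (100 - REPUTATION.get(ip, 50)) / 100  # unknown IP: neutral reputation
    return [high_crit / 10, breached / 10, n_types / 10,
            flow["bytes"] / EGRESS_BYTES, flow["dst"] / 100, flow["services"] / 10, rep_risk]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(rows, lr=0.5, epochs=3000):
    """Batch gradient descent for logistic regression; returns (weights, bias).
    The weights are the per-feature independent-variable coefficients."""
    n_feat = len(rows[0][0])
    w, b = [0.0] * n_feat, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n_feat, 0.0
        for x, y in rows:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            gb += err
            for j in range(n_feat):
                gw[j] += err * x[j]
        w = [wi - lr * g / len(rows) for wi, g in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


def score_ip(features, w, b):
    """IP score on a 0-100 scale: the model's attack probability times 100."""
    return round(100 * sigmoid(b + sum(wi * xi for wi, xi in zip(w, features))), 1)


def evaluate(rows, w, b, threshold=0.5):
    """Sensitivity, specificity and F1 of the fitted model on labelled rows:
    the metrics the text compares when choosing between coefficient sets."""
    tp = fp = tn = fn = 0
    for x, y in rows:
        pred = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) >= threshold
        if y == 1:
            tp += pred
            fn += (not pred)
        else:
            fp += pred
            tn += (not pred)
    sens = tp / (tp + fn) if tp + fn else 0.0
    spec = tn / (tn + fp) if tn + fp else 0.0
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return sens, spec, f1


MODEL = fit_logistic(HISTORY)  # coefficients learned once from the constructed history

if __name__ == "__main__":
    w, b = MODEL
    print("coefficients:", [round(c, 2) for c in w], "bias:", round(b, 2))
    print("sensitivity/specificity/F1 on history:", evaluate(HISTORY, w, b))
    for ip in FLOWS:
        print(ip, score_ip(extract_features(ip), w, b))
```

Running the file prints the learned coefficients, the three metrics on the history, and a score for each of the three constructed IPs; the address with critical alarms, a boundary breach, a large egress share and poor reputation scores high, while the two quiet addresses stay well below the midpoint. In a deployment the coefficient search the text describes would repeat the fit over several parameter settings and keep the one with the best sensitivity, specificity and F1 on held-out data rather than on the training rows used here.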
S123: and determining the sealing grade of the IP by using the type and the grading of the IP.
The specific implementation method of step S123 may be: training a big data scoring model based on the distinguishing features; scoring the IP based on the big data scoring model; and determining the sealing grade of the IP by using the type and the grading of the IP.
The IP grading condition and the sealing grade grading standard can be determined through the big data grading model, the sealing grade corresponding to the IP is further determined according to the sealing grade, the sealing time is further determined, and the sealing operation is carried out on the IP by utilizing the sealing time, so that the protection of a network is realized.
The specific implementation method of step S123 may further be: determining the current sealing and stopping level according to the type of the IP; comparing the current sealing and stopping level with the historical highest sealing and stopping level of the IP, and obtaining a comparison result; and determining the actual sealing stop level of the IP based on the comparison result.
The above-mentioned "determining the sealing time according to the IP sealing grade", specifically, if the IP has reached the automatic unsealing of the unsealing piece in the earlier stage, the sealing operation is executed according to the sealing time corresponding to the grade; if the IP is still in the sealing stop, the sealing stop time corresponding to the sealing stop grade is accumulated, namely the expected unsealing time is increased by the sealing stop time of the IP.
S13: and adjusting the sealing time of the IP according to the attack condition of the IP on the network.
The attack condition may refer to the number of attacks, attack frequency, etc. of the IP on the network.
When the IP is detected to attack the network for a plurality of times, accumulating the closing time of the IP according to the attack times. The punishment force is increased by aiming at repeated attack behaviors and the IP with serious historical attack behaviors, so that the safety risk is effectively blocked.
S14: and stopping the IP based on the stopping time so as to realize the protection of the network.
The method of the embodiment further comprises the following steps: and periodically executing a reset process of the highest historical shutdown level, and resetting the shutdown level of the external network IP without attack for a long time. The common service IP penalty caused by the IP attribution change can be avoided through the reset operation.
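The following Python, added here as an example and not taken from the patent, implements the blocking logic of steps S12 to S14 together with the periodic reset: the blocking level is the larger of the current level and the historical highest level, the corresponding duration is added onto an IP that is still blocked or starts a fresh block otherwise, authority-reported IPs are blocked permanently, and IPs that have not attacked for a long time have their historical highest level reset. The level-to-duration table, the score intervals, the 30-day idle threshold, the type labels "authority" and "other", the sample addresses and the timestamps in run_scenario are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed blocking level -> blocking duration table (the patent only says each
# level has a corresponding duration; these values are constructed).
LEVEL_DURATION = {
    1: timedelta(hours=1),
    2: timedelta(hours=6),
    3: timedelta(days=1),
    4: timedelta(days=7),
}
# Assumed score intervals, low to high: (inclusive lower bound, exclusive upper bound, level).
SCORE_BANDS = [(0, 25, 1), (25, 50, 2), (50, 75, 3), (75, 101, 4)]


def level_from_score(score: float) -> int:
    """Map a 0-100 IP score onto a blocking level using SCORE_BANDS."""
    for low, high, level in SCORE_BANDS:
        if low <= score < high:
            return level
    raise ValueError(f"score out of range: {score}")


@dataclass
class IPRecord:
    ip: str
    highest_level: int = 0                   # historical highest blocking level
    attack_count: int = 0
    last_attack: Optional[datetime] = None
    blocked_until: Optional[datetime] = None  # None = not currently blocked
    permanent: bool = False                  # authority-reported IP: permanent firewall block


class Blocker:
    """Per-IP blocking state for steps S12-S14 plus the periodic reset."""

    def __init__(self) -> None:
        self.records: Dict[str, IPRecord] = {}

    def handle_attack(self, ip: str, ip_type: str, score: float, now: datetime) -> Optional[datetime]:
        """Record one attack by `ip` and return its new unblock time (None = permanent).
        ip_type is "authority" for IPs from government/authority threat intelligence
        and "other" for IPs that are scored (assumed labels)."""
        rec = self.records.setdefault(ip, IPRecord(ip))
        rec.attack_count += 1
        rec.last_attack = now
        if ip_type == "authority":
            rec.permanent = True
            rec.blocked_until = None
            return None
        # S123: compare the current level with the historical highest and keep the larger.
        actual = max(level_from_score(score), rec.highest_level)
        rec.highest_level = actual
        duration = LEVEL_DURATION[actual]
        # S13/S14: still blocked -> accumulate onto the expected unblock time;
        # already unblocked -> start a fresh block of the level's duration.
        if rec.blocked_until is not None and rec.blocked_until > now:
            rec.blocked_until += duration
        else:
            rec.blocked_until = now + duration
        return rec.blocked_until

    def is_blocked(self, ip: str, now: datetime) -> bool:
        rec = self.records.get(ip)
        if rec is None:
            return False
        return rec.permanent or (rec.blocked_until is not None and rec.blocked_until > now)

    def reset_stale(self, now: datetime, idle: timedelta = timedelta(days=30)) -> List[str]:
        """Periodic reset (fig. 5): clear the historical highest level and attack count
        of non-permanent IPs that have not attacked for `idle` and are no longer blocked."""
        reset = []
        for rec in self.records.values():
            if rec.permanent or rec.last_attack is None:
                continue
            if now - rec.last_attack >= idle and not self.is_blocked(rec.ip, now):
                rec.highest_level = 0
                rec.attack_count = 0
                reset.append(rec.ip)
        return reset


def run_scenario() -> dict:
    """Walk two constructed IPs through the lifecycle; returns plain values."""
    t0 = datetime(2024, 1, 1, 0, 0)
    h = timedelta(hours=1)
    b = Blocker()
    out = {}
    out["first_block_until"] = b.handle_attack("203.0.113.10", "other", 30, t0).isoformat()
    out["second_block_until"] = b.handle_attack("203.0.113.10", "other", 10, t0 + h).isoformat()
    out["blocked_at_11h"] = b.is_blocked("203.0.113.10", t0 + 11 * h)
    out["blocked_at_13h"] = b.is_blocked("203.0.113.10", t0 + 13 * h)
    out["authority_block"] = b.handle_attack("198.51.100.7", "authority", 0, t0)
    out["authority_blocked_after_year"] = b.is_blocked("198.51.100.7", t0 + timedelta(days=365))
    out["reset_ips"] = b.reset_stale(t0 + timedelta(days=40))
    out["block_after_reset_until"] = b.handle_attack("203.0.113.10", "other", 10, t0 + timedelta(days=40)).isoformat()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scenario the first attack (score 30, level 2) blocks for six hours; the second attack an hour later scores only 10, but the historical highest level 2 wins and another six hours are added to the running block. After the idle reset the same IP starts again at level 1, so a changed-ownership address is no longer carrying its old penalty. The reset deliberately skips IPs that are still blocked so that an active block is never shortened.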
This embodiment provides a network protection method that specifically includes: first judging the type of the IP, then determining the blocking level according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP; and finally adjusting the blocking duration of the IP according to the IP's attacks on the network and blocking the IP for that duration so as to protect the network. Thus, by scoring the behaviour of external-network attack IPs, evaluating the risk of each IP, and setting different blocking levels to block different IPs, blocking can be tailored to each IP instead of applying one rigid, one-size-fits-all rule, which improves the flexibility of network protection and reduces the consumption of system resources. At the same time, because the blocking duration is determined by the number of attacks of the IP, the penalty for IPs that repeatedly attack the network can be increased, effectively blocking the network security risk. In addition, a timed reset of the blocking level is provided, so that ordinary IPs are not penalised, which reflects the flexibility and adaptability of the network protection method provided here.
Although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous.
It should be understood that the various steps recited in the method embodiments of the present application may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present application is not limited in this respect.
Fig. 3 is a schematic structural diagram of a network protection device according to an embodiment of the present application. As shown in fig. 3, the device includes a judging module 100, a level determining module 200, a time determining module 300 and a blocking module 400;
the judging module 100 is configured to judge the type of the IP;
the level determining module 200 is configured to determine a blocking level according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP;
the time determining module 300 is configured to adjust the blocking duration of the IP according to the IP's attacks on the network;
the blocking module 400 is configured to block the IP for the blocking duration, so as to protect the network.
In one implementation, the level determining module 200 is specifically configured to:
perform statistical analysis on the historical data of the network;
extract the distinguishing features between normal data and attack data in the historical data, where the distinguishing features are used to determine the type of the IP;
train a big data scoring model based on the distinguishing features;
score the IP based on the big data scoring model;
and determine the blocking level of the IP using the type and the score of the IP.
In one implementation, the level determining module 200 is specifically configured to:
determine the current blocking level according to the type of the IP;
compare the current blocking level with the historical highest blocking level of the IP to obtain a comparison result;
and determine the actual blocking level of the IP based on the comparison result.
In a possible implementation, the distinguishing features include the threat level of alarms, the behavioural features of attacks and threat intelligence, and the level determining module 200 is specifically configured to:
determine the threat level of alarms from the detection-result alarms of the security devices;
perform statistical analysis on the flow data to obtain the behavioural features of the attack;
determine the threat intelligence based on the intelligence reputation value of the IP, where the reputation value represents how much the network trusts the IP;
and train the big data scoring model with the threat level of alarms, the behavioural features of the attack and the threat intelligence as its input data.
In one implementation, the level determining module 200 is specifically configured to:
calculate the feature values of the distinguishing features;
input the calculated feature values into the big data scoring model;
assign different independent-variable coefficients to the different elements of the distinguishing features;
and calculate the score of the IP with a logistic regression algorithm based on the independent-variable coefficients.
In one implementation, the time determining module 300 is specifically configured to:
when the IP is detected attacking the network multiple times, accumulate the blocking duration of the IP according to the number of attacks.
In a possible implementation, the apparatus further includes a reset module 500, and the reset module 500 is specifically configured to:
periodically execute a reset of the historical highest blocking level, resetting the blocking level of external-network IPs that have not attacked for a long time.
In one implementation, the blocking module 400 is specifically configured to:
judge whether the IP is currently in the blocked state;
if yes, add the blocking duration corresponding to the blocking level onto the previous blocking duration;
if not, execute the blocking operation for the blocking duration corresponding to the current blocking level.
This embodiment provides a network protection device comprising a judging module, a level determining module, a time determining module and a blocking module. The judging module judges the type of the IP; by distinguishing the types of IPs, different IPs can be handled in different ways. The level determining module determines a blocking level according to the type of the IP, where the blocking level corresponds to a blocking duration for the IP; by assigning different blocking levels to IPs, different blocking durations can be set for different IPs, making the network protection process dynamically adjustable. The time determining module adjusts the blocking duration of the IP according to the number of attacks the IP has made on the network; through it, the blocking duration of IPs with repeated attacks or serious historical attack behaviour can be increased, effectively blocking the security risk. The blocking module blocks the IP for the blocking duration so as to protect the network. Dynamic blocking of IPs can thus be realised, and by handling risky IPs dynamically the device avoids the firewall's performance limitations, improves handling efficiency and reduces the impact of mistaken blocking on services.
The embodiment of the application also provides a network protection method in an application scenario; fig. 4 is a flowchart of that method, and as shown in fig. 4 it specifically includes:
1. For an external-network attack IP, first determine the source of the attack IP. If it comes from threat intelligence published by government notices or authoritative security agencies, block it permanently on the firewall by default; otherwise, score the attack IP and determine its blocking level and blocking time from the score.
2. For external-network attack IPs that do not come from government notices or authoritative security agencies, score the IP according to the following steps, determine its blocking level and blocking time, and execute the block automatically.
(1) First, from historical network data, compute the feature values relevant to IP scoring; these form the training set of the big data scoring model.
(2) Second, learn from the historical feature data with a machine-learning algorithm to obtain the weight coefficient of each traffic feature; the model output can then be used to compute IP scores, completing construction of the big data scoring model.
(3) Then, for the external-network attack IP, count or compute the relevant feature values, feed them to the big data scoring model as input, obtain the model result and convert it into the final IP score.
(4) Divide the score range into intervals, so that scores map to blocking levels from low to high.
(5) Compare the IP's blocking level with its historical highest blocking level and take the maximum as the final blocking level.
(6) For each blocking level, set a blocking time that reflects the threat posed by external-network attack IPs of that level. If the IP is currently unblocked, execute the blocking operation with the blocking time of the current level; if the IP is still blocked, add the blocking time of the level to the existing block, i.e. push the expected unblock time further out.
The method further includes resetting the historical highest blocking level; fig. 5 is a flowchart of this reset method according to an embodiment of the present application, and as shown in fig. 5 it specifically includes:
1. The historical highest blocking level reset process is executed periodically, resetting external-network IPs that have not attacked for a long time, so that a change of IP address ownership does not lead to excessive punishment of an ordinary service IP.
2. Based on the current time, judge whether the time since the unblocking of a currently unblocked external-network attack IP exceeds a set threshold. If so, reset its historical highest blocking level to empty and clear its historical behaviour, avoiding false blocking of a normal service IP; if not, keep the existing history and do nothing.
In this embodiment, the source of the IP is determined first: threat-intelligence IPs from government notices and authoritative security agencies are treated as the highest risk by default and are blocked permanently and automatically. Second, for external-network attack IPs identified by network traffic threat analysis, salient indicator features of the service are selected to build a scoring model; the attack IP is scored, its blocking level is determined from the score, different blocking levels carry different blocking times, and the blocking times of repeated attacks are accumulated, realizing dynamic IP blocking. Handling risky IPs dynamically avoids the performance limits of the firewall, improves handling efficiency and reduces the impact of false blocking on services.
The embodiment of the application also provides a specific network protection method in an application scenario; fig. 6 illustrates it, and as shown in fig. 6 it specifically includes:
In this embodiment, the distinguishing features include the threat level of alarms, the behavioural features of the attack, and threat intelligence.
1. For an external-network attack IP, first determine the source of the attack IP. If it comes from threat intelligence published by government notices or authoritative security agencies, set the default blocking time to permanent and execute the blocking operation directly on the firewall. Otherwise, score the attack IP and determine its blocking level and blocking time from the score.
2. For external-network attack IPs that do not come from government notices or authoritative security agencies, score the IP according to the following steps, determine its blocking level and blocking time, and block it.
(1) Feature extraction and construction of the big data scoring model. First, statistically analyse the historical data to compare normal business data with attack behaviour data, and extract the salient features as the feature input of the big data scoring model. Next, after the independent variables are extracted, preprocess them, for example by classification. In this embodiment the values are divided into 3 classes; the actual number of classes can be set by those skilled in the art as needed.
TABLE 1
Feature | Value = 1 | Value = 2 | Value = 3
IP reputation value | intelligence reputation value below 60 | intelligence reputation value above 60 | intelligence reputation value above 90
Number of high-risk and critical alarms | fewer than 2 | 2-10 | more than 10
Number of compromise and attack-success alarms | fewer than 2 | 2-5 | more than 5
Number of alarm types | fewer than 3 | 3-10 | more than 10
Traffic percentage | less than 1% | 1%-10% | more than 10%
Number of destination addresses | more than 10 | 3-10 | fewer than 3
Number of application services | more than 10 | 3-10 | fewer than 3
Finally, the independent-variable coefficients are obtained by analysis with a logistic regression algorithm. The coefficients are optimized by tuning the algorithm parameters, comparing the sensitivity, specificity and F1 value of the model under different parameters, and selecting the coefficients that give the best result. The following coefficients may be obtained (illustrative only; actual values must be computed by those skilled in the art): (1) threat level of alarms: number of high-risk and critical alarms (1.1), number of compromise and attack-success alarms (3.1), number of alarm types (0.4). (2) Behavioural features of the attack: traffic as a percentage of egress bandwidth (1.3), number of destination addresses (0.7), number of application services (0.2). (3) Threat intelligence: reputation value of the IP address (4.1).
(2) Compute the index values of the actual external-network attack IP.
(3) Compute the IP score from the big data scoring model result: IP score = model result × 100.
(4) Divide the score range into 5 blocking levels according to the IP score, compare the level with the historical highest blocking level, take the maximum of the two, and determine the final blocking level. The correspondence between IP score and blocking level is shown in Table 2. The actual number of levels can be set by those skilled in the art as needed.
TABLE 2
IP score range | Blocking level
Below 90 points | Level 1
90-93 points (excluding 93) | Level 2
93-95 points (excluding 95) | Level 3
95-98 points (excluding 98) | Level 4
98 points or more | Level 5
Observing the cases scoring above 90 points, the false-blocking rate was within an acceptable range (a false block occurs roughly once every 3 months, and is mostly a short level 1 block).
(5) Determine the blocking time according to the IP's blocking level. If the IP's earlier block has already been lifted automatically, execute the blocking operation with the blocking time of the level; if the IP is still blocked, add the blocking time of the level to the existing block, i.e. the expected unblock time is pushed out by that blocking time. The correspondence between blocking level and blocking time is shown in Table 3. The actual blocking times can be set by those skilled in the art as needed.
For example, during an internal security exercise the blocking times per level are reduced, so that feedback during the exercise can be tested more effectively and the disruption caused by the exercise is reduced.
(In internal security exercises only three or fewer services are tested at a time, at low frequency and with little traffic, so mostly level 1 and level 2 blocks are triggered. Setting the level 1 and level 2 times short allows the hit rate of the security defences to be checked quickly and the defence environment to be reset quickly.)
TABLE 3
Blocking level | Blocking time
Level 1 | 6 minutes
Level 2 | 10 minutes
Level 3 | 1 week
Level 4 | 1 month
Level 5 | 2 months
Table 4 gives the blocking times used for daily IP scoring in production; as can be seen, the blocking penalty is more severe.
TABLE 4
Blocking level | Blocking time
Level 1 | 4 hours
Level 2 | 1 day
Level 3 | 1 week
Level 4 | 1 month
Level 5 | 2 months
The method also includes resetting the historical highest blocking level, which may be done as follows: execute the historical highest blocking level reset process on the 1st day of each month, resetting the historical highest blocking level of any external-network IP that has not attacked for a long time (currently 2 years, after optimization in production), so that an ordinary service IP is not punished because the ownership of the IP address changed.
The following is an example of the method in practical application.
Suppose a security event occurs, the IP's historical highest blocking level is 1, and its blocking time is 2022-09-11 14:00:03. The data accessed this time includes: (1) threat level of alarms: number of high-risk and critical alarms (13), number of compromise and attack-success alarms (1), number of alarm types (4). (2) Behavioural features of the attack: traffic as a percentage of egress bandwidth (0.03%), number of destination addresses (20), number of application services (20). (3) Threat intelligence: reputation value of the IP address (91.7). Following the handling flow of the method, the results are:
1. Data preprocessing results: (1) threat level of alarms: number of high-risk and critical alarms (value = 3), number of compromise and attack-success alarms (value = 1), number of alarm types (value = 2). (2) Behavioural features of the attack: traffic as a percentage of egress bandwidth (value = 1), number of destination addresses (value = 1), number of application services (value = 1). (3) Threat intelligence: reputation value of the IP address (value = 3).
2. IP score: 0.927125 × 100 = 92.7125 points.
3. Determine the IP blocking level: 90 ≤ 92.7125 < 93, i.e. blocking level 2.
4. Compare with the historical highest blocking level: level 4 is higher than level 2, so the final blocking level is level 4.
5. Determine the blocking time: 30 days. Since the IP is currently still blocked, this blocking time is accumulated, i.e. the expected unblock time becomes 2022-10-11 14:00:03.
Assuming the block is lifted as expected at 2022-10-11 14:00:03 and no further block records follow, then when the historical highest blocking level reset runs on the 1st of the month in 2024 and finds that the last historical blocking time is more than 2 years before the current time, the historical highest blocking level is reset to 0, avoiding a false block caused by a transfer of the IP's ownership.
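The handling flow above, carried through end to end on the page's worked case (Table 1 discretization, logistic scoring, Table 2 levels, maximum with the historical highest level, accumulation while still blocked, and the 2-year reset), as an added Python example that is not the patent's own code. It assumes the logistic intercept (the page lists only feature coefficients), the class assigned to values exactly on a Table 1 boundary, and Table 4's blocking times with a month taken as 30 days; `run_worked_case` reproduces the page's numeric example.

```python
"""Dynamic IP blocking pipeline of the patent, run on its worked case.
Added example, not the patent's code. Assumptions are marked ASSUMED."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import exp
from typing import Dict, Optional

# Independent-variable coefficients quoted in the embodiment (illustrative only).
COEFFICIENTS: Dict[str, float] = {
    "high_critical_alarms": 1.1,        # threat level of alarms
    "compromise_success_alarms": 3.1,
    "alarm_types": 0.4,
    "traffic_pct": 1.3,                 # behavioural features of the attack
    "dest_addresses": 0.7,
    "app_services": 0.2,
    "ip_reputation": 4.1,               # threat intelligence
}
# ASSUMED: the page gives no intercept for its logistic model; this value is
# chosen so the worked case lands near the page's 92.7 points.
INTERCEPT = -19.16
# Table 4 (daily operation) blocking times; "1 month"/"2 months" taken as 30/60 days.
BLOCK_TIME = {1: timedelta(hours=4), 2: timedelta(days=1), 3: timedelta(weeks=1),
              4: timedelta(days=30), 5: timedelta(days=60)}
RESET_AFTER = timedelta(days=2 * 365)   # "2 years" reset threshold


def discretize(raw: Dict[str, float]) -> Dict[str, int]:
    """Map raw measurements to the 1/2/3 classes of Table 1.
    ASSUMED: a value exactly on a boundary falls into the middle class."""
    def rising(x, lo, hi):    # more of it means more risk
        return 1 if x < lo else (2 if x <= hi else 3)
    def falling(x, lo, hi):   # fewer targets means a more focused attack
        return 1 if x > hi else (2 if x >= lo else 3)
    return {
        "high_critical_alarms": rising(raw["high_critical_alarms"], 2, 10),
        "compromise_success_alarms": rising(raw["compromise_success_alarms"], 2, 5),
        "alarm_types": rising(raw["alarm_types"], 3, 10),
        "traffic_pct": rising(raw["traffic_pct"], 1, 10),
        "dest_addresses": falling(raw["dest_addresses"], 3, 10),
        "app_services": falling(raw["app_services"], 3, 10),
        "ip_reputation": rising(raw["ip_reputation"], 60, 90),
    }


def ip_score(classes: Dict[str, int]) -> float:
    """Logistic-regression output scaled to points: score = model result x 100."""
    z = INTERCEPT + sum(COEFFICIENTS[k] * v for k, v in classes.items())
    return 100.0 / (1.0 + exp(-z))


def score_to_level(score: float) -> int:
    """Table 2: score bands to blocking level 1..5, upper bounds exclusive."""
    for level, upper in ((1, 90), (2, 93), (3, 95), (4, 98)):
        if score < upper:
            return level
    return 5


@dataclass
class BlockRecord:
    highest_level: Optional[int] = None    # historical highest blocking level
    unblock_at: Optional[datetime] = None  # expected unblock time


def apply_block(rec: BlockRecord, level: int, now: datetime):
    """Final level = max(current, historical highest). While the IP is still
    blocked the new blocking time is added to the existing block; otherwise
    a fresh block starts now. Returns (final level, expected unblock time)."""
    final = max(level, rec.highest_level or 0)
    rec.highest_level = final
    if rec.unblock_at is not None and rec.unblock_at > now:
        rec.unblock_at = rec.unblock_at + BLOCK_TIME[final]
    else:
        rec.unblock_at = now + BLOCK_TIME[final]
    return final, rec.unblock_at


def reset_if_stale(rec: BlockRecord, now: datetime) -> bool:
    """Periodic reset: once an unblocked IP has gone RESET_AFTER without a new
    block, forget its historical highest level (the page resets it to empty/0)."""
    if rec.unblock_at is not None and now - rec.unblock_at > RESET_AFTER:
        rec.highest_level = None
        return True
    return False


def run_worked_case():
    """The page's example: the IP is still blocked until 2022-09-11 14:00:03 and
    step 4 compares the new level against a historical highest level of 4."""
    raw = {"high_critical_alarms": 13, "compromise_success_alarms": 1, "alarm_types": 4,
           "traffic_pct": 0.03, "dest_addresses": 20, "app_services": 20,
           "ip_reputation": 91.7}
    classes = discretize(raw)
    score = ip_score(classes)
    level = score_to_level(score)
    rec = BlockRecord(highest_level=4, unblock_at=datetime(2022, 9, 11, 14, 0, 3))
    final, unblock_at = apply_block(rec, level, now=datetime(2022, 9, 10, 8, 0, 0))
    # monthly reset run on the 1st; 2024-11-01 is more than 2 years after unblocking
    was_reset = reset_if_stale(rec, now=datetime(2024, 11, 1))
    return classes, score, level, final, unblock_at, was_reset
```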
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The embodiment of the application also provides corresponding equipment and a computer readable storage medium, which are used for realizing the scheme provided by the embodiment of the application.
The device comprises a memory for storing instructions or code and a processor for executing the instructions or code to cause the device to perform a method for network protection as described in any of the embodiments of the present application.
In practical applications, the computer-readable storage medium may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this embodiment, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
According to one embodiment of the present application, Example 1 provides a network protection method, comprising:
judging the type of an IP;
determining a blocking level according to the type of the IP, the blocking level corresponding to a blocking time of the IP;
adjusting the blocking time of the IP according to the number of times the IP has attacked the network;
and blocking the IP for the blocking time, so as to protect the network.
According to one embodiment of the present application, a method of determining the blocking level is provided, comprising:
training a big data scoring model based on the distinguishing features;
scoring the IP with the big data scoring model;
and determining the blocking level of the IP from the type and score of the IP.
According to one embodiment of the present application, Example 3 provides a network protection apparatus, comprising a judging module, a level determining module, a time determining module and a blocking module;
the judging module judges the type of the IP;
the level determining module determines a blocking level according to the type of the IP, the blocking level corresponding to a blocking time of the IP;
the time determining module adjusts the blocking time of the IP according to the number of times the IP has attacked the network;
and the blocking module blocks the IP for the blocking time, so as to protect the network.
According to one embodiment of the present disclosure, a storage medium for network protection is provided, comprising:
a corresponding device and computer readable storage medium for implementing the solutions provided by the embodiments of the present disclosure.
The device comprises a memory for storing instructions or code and a processor for executing the instructions or code, causing the device to perform the network protection method described in any embodiment of the present application.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.
While several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely one specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A network protection method, the method comprising:
judging the type of an IP;
determining a blocking level according to the type of the IP, wherein the blocking level corresponds to a blocking time of the IP;
adjusting the blocking time of the IP according to the attack situation of the IP against the network;
and blocking the IP for the blocking time, so as to protect the network.
2. The method according to claim 1, wherein judging the type of the IP comprises:
performing statistical analysis on the historical data of the network;
extracting distinguishing features between normal data and attack data in the historical data;
and determining the type of the IP based on the distinguishing features.
3. The method according to claim 2, wherein determining the blocking level according to the type of the IP comprises:
training a big data scoring model based on the distinguishing features;
scoring the IP with the big data scoring model;
and determining the blocking level of the IP from the type and score of the IP.
4. The method according to claim 1, wherein determining the blocking level according to the type of the IP comprises:
determining the current blocking level according to the type of the IP;
comparing the current blocking level with the historical highest blocking level of the IP to obtain a comparison result;
and determining the actual blocking level of the IP based on the comparison result.
5. The method according to claim 3, wherein the distinguishing features include the threat level of alarms, behavioural features of attacks and threat intelligence; and training the big data scoring model based on the distinguishing features comprises:
determining the threat level of alarms from the alarms raised on the detection results of security equipment;
performing statistical analysis on traffic data to obtain the behavioural features of attacks;
determining threat intelligence based on an intelligence reputation value of the IP, wherein the intelligence reputation value represents the degree to which the network trusts the IP;
and training the big data scoring model with the threat level of alarms, the behavioural features of attacks and the threat intelligence as its input data.
6. The method according to claim 3, wherein scoring the IP with the big data scoring model comprises:
computing the feature values of the distinguishing features;
inputting the computed feature values into the big data scoring model;
assigning different independent-variable coefficients to the different elements of the distinguishing features;
and computing the score of the IP with a logistic regression algorithm based on the independent-variable coefficients.
7. The method according to claim 1, wherein adjusting the blocking time of the IP according to the attack situation of the IP against the network comprises:
when the IP is detected attacking the network multiple times, accumulating the blocking time of the IP according to the number of attacks.
8. The method according to claim 1, further comprising:
periodically executing a reset process for the historical highest blocking level, resetting the blocking level of any external-network IP that has not attacked for a long time.
9. The method according to claim 1, wherein blocking the IP for the blocking time comprises:
judging whether the IP is currently in a blocked state;
if so, adding the blocking time corresponding to the blocking level to the previous blocking time;
if not, executing the blocking operation with the blocking time corresponding to the current blocking level.
10. A network protection apparatus, the apparatus comprising a judging module, a level determining module, a time determining module and a blocking module;
the judging module judges the type of an IP;
the level determining module determines a blocking level according to the type of the IP, the blocking level corresponding to a blocking time of the IP;
the time determining module adjusts the blocking time of the IP according to the attack situation of the IP against the network;
and the blocking module blocks the IP for the blocking time, so as to protect the network.
11. A computer readable storage medium storing a program that implements a network protection method, wherein, when the program is executed by a processor, the method according to any one of claims 1-9 is implemented.
Application CN202311634231.3A, filed 2023-11-30 (priority date 2023-11-30), "Network protection method, device and storage medium"; published as CN117675329A on 2024-03-08; status pending.

Legal events: PB01 Publication; SE01 Entry into force of request for substantive examination.