
Network Intrusion Detection and Response System

Source: 合肥数据要素流通平台 (Hefei Data Element Circulation Platform). Updated 2024-01-03; indexed 2024-03-01.
Download link:
https://www.bigdatadex.com.cn/dataCirculation/listMoreb/details?shopId=1742382229219307521&commodityType=6
Resource description:
1. Product Features and Advantages

The product integrates with vulnerability scanner results to adaptively generate vulnerability mitigation policies, calculate the optimal closed-loop solution for each vulnerability, and automatically defend against vulnerability attacks according to that solution, thereby closing the vulnerability management loop. In addition to its core vulnerability mitigation capability, the vulnerability invalidation product provides several other user-friendly functions that help users manage vulnerabilities:

1.1 Vulnerability Data Import

The product supports importing the results of external vulnerability scans, which addresses the disconnect between what scanning devices discover and the assets that need protection. Once scan results are imported, the vulnerability invalidation product automatically identifies and filters the vulnerabilities that pose a genuinely high threat to local assets and defends against them. This avoids the situation with traditional IPS and WAF devices, which apply a full signature library in an attempt to defend everywhere and end up holding nowhere, and it effectively combines vulnerability discovery with asset protection.

1.2 Targeted Intelligent Analysis

The product supports importing external vulnerability scan results and, based on the hosts the device can cover, performs targeted analysis and matching and recommends the optimal solution. This reduces the number of rules that must be configured and lowers computational overhead while still blocking effectively. With the vulnerability invalidation product, remediating a vulnerability is reduced to applying a policy with one click.

1.3 Flexible Policy Management

A visual display makes the effect of applied policies clearly visible. Mitigation policies can be adjusted flexibly: users can set whether vulnerability attacks are blocked, and can configure mitigation whitelists to let normal business traffic through.

1.4 Real-time Vulnerability Protection

The product intercepts identified vulnerability exploitation behavior, such as vulnerability probing and attacks, and raises real-time alerts. This both defends against the attack and gives the system an early warning, helping users respond to attacks in time.

2. Target Customer Groups

2.1 Users with compliance requirements and users under pressure from vulnerability scanning inspections by superior regulatory units

Systems at Level 3 of the Multi-Level Protection Scheme (MLPS, 等保三级) that have high-severity vulnerabilities cannot pass the MLPS assessment. Superior regulatory units scan business systems for vulnerabilities at regular or irregular intervals. When a high-severity vulnerability is found they issue notifications, publish rankings, deduct assessment points and require rectification within a deadline, which places heavy pressure on the regulated entity.

2.2 Entities with high requirements for business stability and continuity

There is a long time cycle between discovering a vulnerability and fully patching it in production. The fix has to pass through many standard steps before it reaches production: the vendor releases a patch, the enterprise tests and verifies it, it goes through a canary rollout in production, and then a full production rollout.

2.3 Critical infrastructure entities: government, healthcare, education, tobacco, taxation and energy

Sectors such as government, healthcare and education run a large number of legacy systems for which no vendor maintains patches, such as Windows 7, Windows XP, and business systems for which the customer no longer has service support. Critical infrastructure entities have high-severity vulnerabilities in key business systems that cannot be fixed because the business depends on them too heavily and there is concern about disrupting service.

3. Problems Solved by the Product and Expected Benefits for Users

3.1 Problems Solved

3.1.1 Defense against malicious vulnerability probing

The first step of an intrusion is "malicious probing", usually also understood as reconnaissance scanning. To learn about a target from many angles, the most common approach is to run scanning tools against the target user's network to look for vulnerabilities; once a security vulnerability is found, the attacker exploits it and ultimately achieves unauthorized intrusion. To reduce the probability of security incidents, attacks must therefore be stopped at the source. Anti-probing measures block this "malicious probing", let users discover the threat as early as possible and stop the scanning, raise the attacker's cost, buy valuable response time, and greatly reduce the risk of an attacker getting into the internal network.

3.1.2 Defense against targeted vulnerability attacks

NPatch takes "security vulnerabilities" as its point of view: it matches against the vulnerability information of the network's assets and precisely protects the vulnerabilities that actually exist in those assets. When network traffic contains a targeted attack against a vulnerability that really exists on an asset, NPatch blocks it specifically, so that the vulnerability probing and attack behavior fails.

3.1.3 Defense against virus spread via vulnerabilities

Viruses can spread without limit across a local area network by exploiting vulnerabilities. NPatch connects out of band via traffic mirroring and covers internal network traffic, so it can inspect east-west as well as north-south traffic. It intercepts east-west vulnerability probing and attack behavior, cutting off the path by which viruses spread through vulnerabilities.

3.2 Expected Benefits

3.2.1 Relieving security and operations pressure and increasing the value of the work

The product can greatly reduce the workload of patching vulnerabilities, and it can invalidate vulnerabilities that cannot be patched so that they cannot be exploited. This substantively eliminates the risk those vulnerabilities pose and improves work efficiency and value.

3.2.2 Simple and efficient vulnerability mitigation, lowering compliance and regulatory risk

A system at MLPS Level 3 with high-severity vulnerabilities cannot pass the MLPS assessment. Vulnerability scanning is an important inspection method for regulatory units, and it is also the first step of an attack. NPatch can intelligently identify and analyze vulnerability exploitation behavior in the network and enable the corresponding vulnerability mitigation scheme, so that vulnerability probing returns no results. This helps users meet MLPS requirements, lowers the risk of being notified over vulnerability issues, and reduces the opportunities for attackers to exploit them.

3.2.3 Closed-loop vulnerability management, reducing opportunities for exploitation

Based on vulnerability scanner results, NPatch adaptively generates vulnerability mitigation policies, calculates the optimal closed-loop solution, and according to that solution automatically defends against vulnerability exploitation behavior such as probing and attacks. This lets administrators track the vulnerability lifecycle of their resources effectively, achieve closed-loop management across the whole vulnerability lifecycle, and reduce the opportunities for attackers to exploit vulnerabilities.
Provider:
合肥梆梆信息科技有限公司
Created:
2024-01-03
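Dataset introduction
Background overview
This dataset describes in detail the functions and advantages of NPatch, a network intrusion detection and response system, including intelligent vulnerability analysis, real-time protection and system management. It is suited to organizations with compliance requirements and high business-stability requirements, and can effectively reduce the risk of vulnerability exploitation and achieve closed-loop vulnerability management.
The above content was collected and summarized by 遇见数据集.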