
Overview of the Update Center

You can connect to the update center to update your signature databases, artificial intelligence engine database, external malicious URL signature database, and local reputation. Updating the signature databases improves the device's capability and efficiency in detecting the latest intrusions, viruses, applications, malicious domain names, IP reputation, asset identification, and locations of IP addresses. Updating the artificial intelligence engine database improves the capability and efficiency of detecting unknown threats and APT attacks. Updating the external malicious URL signature database improves the capability and efficiency of detecting malicious URLs. Updating local reputation improves the device's capability and efficiency in detecting malicious files and URLs.

Updating Signature Databases

Signature databases need to be updated to deal with threat challenges from emerging intrusion patterns, virus types, and application types. The signature databases include:

  • IPS signature database for intrusion prevention
  • Antivirus signature database for antivirus
  • Service awareness signature database for the FW to identify application protocols
  • Malicious domain name database for intrusion prevention
  • IP reputation database for DDoS attack defense
  • Location signature database for the device to identify locations of IP addresses
  • Asset identification signature database for the device to identify assets
  • File reputation signature database for APT defense

Updating the Artificial Intelligence Engine Database

In conventional threat detection mode, the FW periodically updates its signature databases to obtain the latest virus and intrusion features, and matches traffic against the extracted features to complete threat detection. This detection mode can defend only against known threats and cannot identify unknown threats. The advanced threat detection function addresses this limitation. This function uses the flow probe to collect information about traffic and sends the collected information to the artificial intelligence engine of the FW. The artificial intelligence engine analyzes and evaluates the information based on machine learning or deep learning security detection algorithms. In this way, unknown threats and APT attacks can be accurately identified. To improve the capability and efficiency of detecting unknown threats, you can update the artificial intelligence engine database. Updating the artificial intelligence engine database updates the AI security detection algorithm and optimizes the artificial intelligence engine.

Updating the External Malicious URL Signature Database

URLs can be filtered based on the external malicious URL list. The external dynamic malicious URL list is a text file of malicious URLs released by external official websites. When the external malicious URL signature database is updated, the FW downloads the latest external dynamic malicious URL list from the external official websites and loads it into its cache. To enable the device to identify and block the latest malicious URLs in a timely manner, you need to update the external malicious URL signature database from the external official websites so that the copy in the device cache is refreshed.

Updating Local Reputation

The FW can send files and URLs in which it detects no abnormalities to the sandbox for further detection and then obtain the detection results from the sandbox. This requires that the FW be properly connected to the sandbox. Note that each FW can be connected with only one sandbox and therefore can obtain detection results from only one sandbox. To address this issue, local reputation is introduced.

In the following figure, the FW sends files and URLs in which it detects no abnormalities to the sandbox for further detection, and the sandbox sends the detection results to the HiSec Insight in logs. Based on the logs, the HiSec Insight summarizes malicious file and URL information into a database, which is called the local reputation. Local reputation includes file reputation and URL reputation. After the FW is connected to the HiSec Insight, it downloads local reputation, including file and URL reputation information, from the HiSec Insight and updates the cached malicious file and URL lists. After traffic with the same malicious signatures arrives at the FW, the traffic matches the malicious file or URL list and the FW processes the traffic.

The advantage of local reputation is that the FW can still obtain detection results from the sandbox even if it is not connected to the sandbox. In addition, in scenarios with a large number of FWs and sandboxes, the log information of all sandboxes connected to the HiSec Insight needs to be sent to the HiSec Insight only. The HiSec Insight generates local reputation and sends the reputation to all the FWs connected to the HiSec Insight. In this way, the FW can obtain file reputation and URL reputation from multiple sandboxes, implementing resource sharing and improving the capability of detecting malicious files and URLs.

Figure 1 Local reputation
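
The local reputation flow described above, modeled as an added Python example (not Huawei code and not the product's data format). The log field names, the use of SHA-256 as the file identifier, and all names such as sb-1 and fw-b are assumptions made for this model.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sandbox verdict logs (hypothetical fields, not the real log format).
SANDBOX_LOGS = [
    {"sandbox": "sb-1", "kind": "file", "value": sha256(b"sample-A"), "verdict": "malicious"},
    {"sandbox": "sb-1", "kind": "url", "value": "http://bad.example/payload", "verdict": "malicious"},
    {"sandbox": "sb-2", "kind": "file", "value": sha256(b"sample-B"), "verdict": "malicious"},
    {"sandbox": "sb-2", "kind": "url", "value": "http://ok.example/", "verdict": "benign"},
]

def build_local_reputation(logs):
    """Analyzer side: summarize malicious verdicts into file and URL reputation."""
    rep = {"file": set(), "url": set()}
    for entry in logs:
        if entry["verdict"] == "malicious":
            rep[entry["kind"]].add(entry["value"])
    return rep

@dataclass
class Firewall:
    name: str
    sandbox: str  # the single sandbox this FW is connected to
    cache: dict = field(default_factory=lambda: {"file": set(), "url": set()})

    def update_local_reputation(self, rep):
        # Replace the cached malicious file and URL lists with the download.
        self.cache = {kind: set(values) for kind, values in rep.items()}

    def matches(self, *, file_bytes=None, url=None):
        if file_bytes is not None and sha256(file_bytes) in self.cache["file"]:
            return True
        return url is not None and url in self.cache["url"]

def demo():
    fw = Firewall("fw-b", sandbox="sb-2")
    # Without local reputation, fw-b only knows the results of its own sandbox.
    own = [e for e in SANDBOX_LOGS if e["sandbox"] == fw.sandbox]
    fw.update_local_reputation(build_local_reputation(own))
    before = fw.matches(file_bytes=b"sample-A")  # detonated on sb-1 only
    # With local reputation, verdicts from every sandbox reach fw-b.
    fw.update_local_reputation(build_local_reputation(SANDBOX_LOGS))
    after = fw.matches(file_bytes=b"sample-A")
    return before, after, fw.matches(url="http://ok.example/")

if __name__ == "__main__":
    print(demo())
```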


Copyright © Huawei Technologies Co., Ltd.