CN112333130B - Data processing method, device and storage medium - Google Patents


Info

Publication number
CN112333130B
Authority
CN
China
Prior art keywords
time period
current time
flow
defense strategy
traffic
Prior art date
Legal status
Active
Application number
CN201910717614.4A
Other languages
Chinese (zh)
Other versions
CN112333130A (en)
Inventor
徐道晨
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201910717614.4A
Priority to TW109117868A
Priority to PCT/CN2020/105033
Publication of CN112333130A
Application granted
Publication of CN112333130B
Current legal status: Active
Anticipated expiration


Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/1408, Detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408)
    • H04L 63/1458 Denial of Service (under H04L 63/1441, Countermeasures against malicious traffic)
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] (under H04W 12/12, Detection or prevention of fraud)
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D 30/00, Reducing energy consumption in communication networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application provide a data processing method, data processing equipment and a storage medium. In some exemplary embodiments of the present application, traffic log data for the current time period is obtained; abnormal behavior detection is performed on the traffic log data for the current time period, and when it is determined that the network traffic in the current time period shows abnormal behavior, it is judged whether a previously generated first defense strategy exists in a defense strategy library; if such a strategy exists, the existing first defense strategy is used to process the network traffic in the subsequent time period; if it does not exist, a second defense strategy generated from known normal traffic is used to process the network traffic in the subsequent time period. Combining the second defense strategy with the first defense strategy ensures that the source server is not overwhelmed in the first moments of an attack while the impact on current normal access requests is minimized.

Description

Data processing method, device and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a data processing method, device, and storage medium.
Background
Distributed Denial of Service (DDoS) attacks are a form of network attack that prevents users from accessing a target service normally by consuming the target's resources, and they are the main threat among current network attacks. A DDoS attack uses client/server techniques to combine many computers into an attack platform and launch denial-of-service attacks against one or more targets, exponentially increasing the power of the denial-of-service attack, so that normal users receive no network response; this poses a great threat to the internet and to internet services.
At present, in order to defend against DDoS attacks, a DDoS defense strategy is generally preset at the target server, for example source rate limiting of the network traffic. Such a preset defense strategy may adversely affect normal traffic when no DDoS attack is underway or when the attack frequency of the attack source is low.
Disclosure of Invention
Various aspects of the present application provide a data processing method, device, and storage medium, which on one hand ensure that a source server is not overwhelmed by an attack in the first time of the attack, and on the other hand ensure that a defense strategy has a small influence on normal traffic.
An embodiment of the present application provides a data processing method, including:
obtaining flow log data in the current time period, wherein the flow log data reflect the characteristics of the network flow in the current time period;
if it is determined from the traffic log data in the current time period that the network traffic in the current time period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
if the first defense strategy exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if not, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
An embodiment of the present application further provides a data processing method, including:
analyzing the characteristics of the network flow in the current time period according to the flow log data in the current time period;
identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic, wherein the baseline characteristics of the known normal traffic are obtained from historical traffic log data;
and generating a first defense strategy aiming at the abnormal flow existing in the current time period according to the characteristics of the abnormal flow existing in the current time period so as to perform data processing on the network flow in the subsequent time period.
An embodiment of the present application further provides a data processing apparatus, including: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
obtaining flow log data in the current time period, wherein the flow log data reflect the characteristics of the network flow in the current time period;
if it is determined from the traffic log data in the current time period that the network traffic in the current time period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
if the first defense strategy exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if not, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program that, when executed by one or more processors, causes the one or more processors to perform actions comprising:
obtaining flow log data in a current time period, wherein the flow log data reflects characteristics of network flow in the current time period;
if it is determined from the traffic log data in the current time period that the network traffic in the current time period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
if the first defense strategy exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if not, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
An embodiment of the present application further provides a data processing apparatus, including: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
analyzing the characteristics of the network flow in the current time period according to the flow log data in the current time period;
identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic, wherein the baseline characteristics of the known normal traffic are obtained from historical traffic log data;
generating a first defense strategy aiming at the abnormal flow existing in the current time period according to the characteristics of the abnormal flow existing in the current time period so as to process data of the network flow in the subsequent time period;
Embodiments of the present application also provide a computer-readable storage medium having a computer program stored thereon which, when executed by one or more processors, causes the one or more processors to perform actions comprising:
analyzing the characteristics of the network flow in the current time period according to the flow log data in the current time period;
identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic, wherein the baseline characteristics of the known normal traffic are obtained from historical traffic log data;
and generating a first defense strategy aiming at the abnormal flow existing in the current time period according to the characteristics of the abnormal flow existing in the current time period so as to perform data processing on the network flow in the subsequent time period.
An embodiment of the present application further provides a data processing apparatus, including: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
obtaining database operation log data in the current time period, wherein the database operation log data reflect the characteristics of database operation flow in the current time period;
if it is determined from the database operation log data in the current time period that data leakage behavior exists in the current time period, judging whether a first defense strategy exists, wherein the first defense strategy is generated for abnormal database operation traffic identified before the current time;
if the first defense strategy exists, performing data processing on the database operation flow in the subsequent time period according to the existing first defense strategy;
and if not, performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program that, when executed by one or more processors, causes the one or more processors to perform actions comprising:
obtaining database operation log data in the current time period, wherein the database operation log data reflect the characteristics of database operation flow in the current time period;
if it is determined from the database operation log data in the current time period that data leakage behavior exists in the current time period, judging whether a first defense strategy exists, wherein the first defense strategy is generated for abnormal database operation traffic identified before the current time;
if the first defense strategy exists, performing data processing on the database operation flow in the subsequent time period according to the existing first defense strategy;
and if not, performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
An embodiment of the present application further provides a data processing apparatus, including: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
obtaining flow log data in the current time period, wherein the flow log data reflect the characteristics of the network flow in the current time period;
if the abnormal behavior of the network flow in the current time period is determined according to the flow log data in the current time period, judging whether a first defense strategy exists, wherein the first defense strategy is generated aiming at the identified abnormal flow before the current time;
if the first defense strategy exists, first visual data are generated for the network flow in the subsequent time period according to the existing first defense strategy;
and if not, generating second visual data for the network traffic in the subsequent period according to a second defense strategy, wherein the second defense strategy is generated according to the identified normal traffic before the current moment.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program that, when executed by one or more processors, causes the one or more processors to perform actions comprising:
obtaining flow log data in a current time period, wherein the flow log data reflects characteristics of network flow in the current time period;
if it is determined from the traffic log data in the current time period that the network traffic in the current time period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
if the first defense strategy exists, generating first visual data for the network traffic in the subsequent time period according to the existing first defense strategy;
and if not, generating second visual data for the network traffic in the subsequent period according to a second defense strategy, wherein the second defense strategy is generated according to the identified normal traffic before the current moment.
In some exemplary embodiments of the present application, on one hand, the traffic log data of the current time period may be analyzed to determine whether abnormal traffic exists in the current time period, and a first defense policy may be generated for that abnormal traffic when it exists; on the other hand, abnormal behavior detection may be performed on the traffic log data of the current time period, and when it is determined that the network traffic in the current time period shows abnormal behavior, it is judged whether a previously generated first defense strategy exists; if it exists, the existing first defense strategy is used to process the network traffic in the subsequent time period; if not, a second defense strategy generated from known normal traffic is used to process the network traffic in the subsequent time period. The second defense strategy and the first defense strategy are combined to perform defensive processing on the network traffic, so that the source server is not overwhelmed in the first moments of an attack and the impact on normal traffic is small.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1a is a schematic structural diagram of a defense system according to an embodiment of the present application;
FIG. 1b is a schematic diagram of the working principle of a defense system according to another embodiment of the present application;
fig. 2a is a schematic flowchart of a data processing method according to an exemplary embodiment of the present application;
FIG. 2b is a schematic flow chart diagram of another data processing method provided in an exemplary embodiment of the present application;
FIG. 2c is a schematic flow chart diagram illustrating another data processing method according to an exemplary embodiment of the present application;
fig. 3 is a schematic flowchart of a data processing method according to an exemplary embodiment of the present application;
fig. 4 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application;
fig. 5 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application;
fig. 6 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application;
fig. 7 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For the defending side of a resource-exhaustion DDoS attack, the following defense modes are mainly used at present:
In the first mode, source rate limiting is applied to the network traffic. On one hand, the number of devices behind an egress IP is large, so the normal request frequency of that egress IP is high; rate limiting may therefore accidentally harm the egress IP's traffic, while no defensive effect is achieved when the attack frequency of an attack source is low. On the other hand, when the overall attack frequency is high, even if the request frequency of a single attack source is extremely low, the aggregated total attack volume is huge, yet it passes the source rate limit smoothly. Therefore, source rate limiting of network traffic causes great accidental harm to normal traffic while having little DDoS defense effect.
In the second mode, target rate limiting is applied to the network traffic. When the total attack frequency is high, the probability that normal traffic passes is extremely low: assuming the website's normal request frequency is 10 requests/second and the rate-limit threshold is 100 requests/second, then when the total attack frequency is high, for example 10W (100,000) requests/second, the total request frequency is 100010 requests/second, only 10/100010 × 100 = 0.009999 requests/second of normal requests pass, and the pass probability is extremely low. When the total attack frequency is low, no defensive effect is achieved: 100 search requests per second (high resource consumption) may cost the server as much as more than a million static-resource requests per second, so the rate limit is likely to restrict normal requests with low resource consumption while letting through attack requests with high resource consumption.
In the third mode, a historical blacklist is used to block network traffic. The number of devices behind an egress IP is extremely large; if attack sources sit behind an egress IP and that IP is placed on a historical attack blacklist and blocked, normal devices behind the egress IP are accidentally harmed on a large scale. Most attack sources of a DDoS attack are not owned by the attacker: they are normal devices that serve as attack sources because of a vulnerability or because risky software is installed on them, and the traffic these normal devices generate on their own is likely to be blocked as well; if the attack cannot be suppressed, the effect is minimal. Because operator IP addresses are changed periodically and the IP of a mobile-terminal attack source changes as its location changes frequently, the coverage of a historical blacklist over attack traffic is often low, the resource consumption caused by attack traffic often far exceeds the capacity of the target server, and blocking only part of the attack traffic cannot suppress the attack. Disadvantages: little effect and uncontrollable accidental harm.
In the fourth mode, manual intervention with packet capture and analysis is performed. From the server discovering the attack, through manual packet capture, feature analysis, exclusion of normal service features and addition of a defense strategy, the whole emergency process usually takes more than half an hour, and half an hour of service interruption has a great impact on most websites. Disadvantage: the response speed of manual intervention is slow.
Aiming at the technical problems of DDoS attack defense in the prior art, in some exemplary embodiments of the application, traffic log data for the current time period is obtained; abnormal behavior detection is performed on the traffic log data for the current time period, and when it is determined that the network traffic in the current time period shows abnormal behavior, it is judged whether a previously generated first defense strategy exists in a defense strategy library; if it exists, the existing first defense strategy is used to process the network traffic in the subsequent time period; if it does not exist, a second defense strategy generated from known normal traffic is used to process the network traffic in the subsequent time period. Combining the second defense strategy set for normal traffic with the first defense strategy set for abnormal traffic ensures that the source server is not overwhelmed in the first moments of an attack while the current normal traffic is less affected.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1a is a schematic structural diagram of a defense system 10 according to an embodiment of the present disclosure. As shown in fig. 1a, the defense system 10 includes a protection policy calculation device 11 and a protection execution device 12. Fig. 1a also illustrates a request end device 30 and a data source end device 20 that cooperate with the defense system 10 in practical application. In practice, the defense system 10 serves as an intermediate device between the request end device 30 and the data source end device 20: it detects whether the data source end device 20 is under a network traffic attack and, when it is, performs flow control on the access request traffic from the request end device 30, so that good defense performance is provided when the source end device is under DDoS attack and normal operation of the data source end device 20 is ensured.
In this embodiment, the request end device 30 may be a browser or another application installed on a computer device or a handheld intelligent terminal device; the data source end device 20 may be a server providing data support, computing services and some management services. The implementation form of the data source end device 20 is not limited in this embodiment; for example, it may be a server device such as a conventional server, a cloud host or a virtual center. Such a server device mainly comprises a processor, a hard disk, a memory, a system bus and the like, similar to a general computer architecture. The data source end device 20 may include one web server or a plurality of web servers. The user may access the network data of the data source end device 20 through the request end device 30.
In the present embodiment, the communication connection manner between the protection policy calculation device 11 and the protection enforcement device 12 depends on the actual deployment manner. In practice, the protection policy calculation device 11 and the protection enforcement device 12 may be deployed on the same server, or may be deployed on different servers. The protection policy calculation device 11 and the protection execution device 12 may be one computer or a computer cluster.
When the protection policy calculation device 11 and the protection enforcement device 12 are deployed on the same server, they may communicate through corresponding hardware interfaces or software interfaces on the server. When they are deployed on different servers, they may be connected by wired or wireless communication, for example through a wireless/wired switch within a local area network, or through a mobile network. When connected through a mobile network, the network format of the mobile network may be any one of 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+), WiMax, and the like. Optionally, when the protection policy calculation device 11 and the protection execution device 12 are deployed on different servers in the same machine room or cabinet, the two devices may also be connected by short-range communication such as Bluetooth, ZigBee or infrared, which is not limited in this embodiment.
It should be noted that, the present embodiment is not limited to the implementation form of the server for deploying the protection policy computing device 11 and the protection executing device 12, and may be a server device such as a conventional server, a cloud host, and a virtual center. The server device mainly includes a processor, a hard disk, a memory, a system bus, and the like, and is similar to a general computer architecture.
In the defense system 10 of this embodiment, the protection execution device 12 processes the data access requests of the request end device 30, generates traffic log data, and sends the generated log data to the protection policy calculation device 11 period by period; the protection policy calculation device 11 receives the log data of each time period sent by the protection execution device 12 and, on receiving the traffic log data of one time period, can analyze it in two ways: abnormal traffic detection analysis on one hand, and attack detection analysis on the other.
For convenience of description, the present embodiment takes the traffic log data in the current time period as an example. After receiving the traffic log data of the current time period sent by the protection execution device 12, the protection policy calculation device 11 may, on one hand, perform abnormal traffic detection on that data and, if abnormal traffic is detected, generate a first defense policy for the abnormal traffic detected in the current time period; on the other hand, it may detect from the same data whether the network traffic in the current time period shows abnormal behavior and, if so, provide a defense policy to the protection execution device 12, so that the protection execution device 12 processes the network traffic in the subsequent time period according to the defense policy provided by the protection policy calculation device 11. The data processing here mainly refers to defensive processing that ensures the security of the data source end device 20.
The defense policy provided by the protection policy calculation device 11 to the protection execution device 12 may be a first defense policy or a second defense policy. The first defense policy is generated for the abnormal traffic that has been identified before the current time, and may simply be called a real-time defense policy; the second defense policy is generated for the normal traffic that has been identified before the current time, and may be called a default defense policy. The second defense policy may be pre-generated based on normal traffic log data over a historical period. Further optionally, when new normal traffic log data appears, the second defense policy may be updated based on the new normal traffic log data. The current time is the time at which the protection execution device 12 determines that the network traffic in the current time period has an abnormal behavior.
In this embodiment, the protection policy calculation device 11 may analyze the traffic log data of each time period for abnormal traffic, and may generate a first defense policy for the abnormal traffic identified in each time period. These first defense policies may have a certain timeliness: when their effective time is over, the corresponding defense policies may be deleted. In addition, this embodiment does not limit the execution order between the operation of the protection policy calculation device 11 detecting abnormal traffic according to the traffic log data in the current time period and the operation of the protection policy calculation device 11 detecting whether the network traffic in the current time period has an abnormal behavior according to the same traffic log data; the two operations may be executed in parallel or sequentially. When the two operations are executed in parallel, the abnormal behavior may be detected first. Based on the above, the abnormal traffic that has been identified before the current time may include: the abnormal traffic identified from the traffic log data in the current time period (referred to as the abnormal traffic identified in the current time period for short); the abnormal traffic identified from the traffic log data in at least one time period before the current time period (referred to as the abnormal traffic identified in at least one time period before the current time period for short); or the abnormal traffic identified both in the current time period and in at least one time period before the current time period.
Accordingly, the first defense strategy that already exists before the current time may include: the defense strategies generated for the abnormal traffic identified in the current time period may also include the defense strategies generated for the abnormal traffic identified in at least one time period before the current time period, and of course, the defense strategies generated for the abnormal traffic identified in the current time period and the defense strategies generated for the abnormal traffic identified in at least one time period before the current time period may also be included.
The time length of each time interval is not limited in this embodiment, and the time lengths of the time intervals may be the same or different, and may be specifically set adaptively according to application requirements. The smaller the time length of each time interval is, the higher the real-time performance of generating the first defense policy and determining whether the data source end device 20 is attacked is.
Optionally, in this embodiment, each defense policy may be managed by a policy library, for example, the second defense policy and the first defense policy may be placed in the policy library. When detecting that the data source end device 20 is attacked, the protection policy calculation device 11 issues the first protection policy and the second protection policy in the policy library to the protection execution device 12, so that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the received first protection policy or the received second protection policy.
In this embodiment, when the protection policy calculation device 11 detects that the data source device 20 is attacked, if no first defense policy is in effect locally, the second defense policy may be issued to the protection execution device 12 first, and after a new first defense policy is generated, the new first defense policy is issued to the protection execution device 12, at which point the second defense policy automatically becomes ineffective.
It should be noted that the protection policy calculation device 11 operates with a certain delay: when the protection policy calculation device 11 detects that the data source device 20 is attacked, the data source device 20 may already have been under attack for a short time. Optionally, therefore, the second defense policy may be set to be in an active state all the time. In this way, the protection execution device 12 may always use the second defense policy to perform defense processing on the network traffic when no first defense policy is available, and when a first defense policy is available, the first defense policy is preferentially used to perform defense processing on the network traffic and the second defense policy automatically becomes ineffective.
Optionally, considering that traffic attacks generally change dynamically, an effective duration may be set for the first defense policy: within the effective duration the first defense policy is applied, and after the effective duration is over the first defense policy may be deleted. The same effective duration may be set for different first defense policies, or different effective durations may be set for different first defense policies. Based on this, when detecting that the data source device 20 is attacked, the protection policy calculation device 11 may issue to the protection execution device 12 the first defense policy that exists and is in effect before the current time together with its corresponding effective duration, so that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the received first defense policy within the corresponding effective duration. Optionally, the effective duration of the first defense policy may also be set dynamically according to the time period in which the data source device 20 is attacked; the first defense policy may be set to become ineffective when the protection policy calculation device 11 detects that the data source device 20 is no longer under attack, or to become ineffective a set period of time after the protection policy calculation device 11 detects that the data source device 20 is under attack. By setting an effective duration for the first defense policy, the first defense policy can take effect during the traffic attack period and become ineffective outside it, which reduces the adverse effect of the first defense policy on normal traffic.
In the embodiments of the present application, the specific implementation of the second defense policy is not limited. For example, one possible implementation of the second defense policy is a target speed limit policy, which limits the speed of traffic other than the normal traffic at the target, so that the influence of the second defense policy on the normal traffic is as small as possible and its coverage of the abnormal traffic is as large as possible. For another example, one possible implementation of the second defense policy is source speed limiting, that is, limiting the speed of all subsequent network traffic after detecting that the network traffic in the current time period has an abnormal behavior. For another example, one possible implementation of the second defense policy is historical black and white list control, that is, blocking the traffic on the black list in the subsequent traffic after detecting that the network traffic in the current time period has an abnormal behavior. For another example, one possible implementation of the second defense policy is area control, that is, speed-limiting or blocking access requests from requester devices in a specific area. For another example, one possible implementation of the second defense policy is accurate access control and source-counting access control, that is, setting access permissions and access frequency limits for access requests from a requester device. Obviously, the second defense policy is not limited to the above implementations; it may be one or more of the above implementations, and may also be a defense policy of another form.
Optionally, after receiving the traffic log data in the current time period, the protection policy calculation device 11 may further update the second defense policy according to the traffic log data in the current time period, so as to minimize the influence on normal traffic. Optionally, the updating operation may be performed when it is detected that the data source device 20 is not attacked, since the traffic log data in the current time period then consists mainly of normal traffic and is suitable for updating the second defense policy. When it is detected that the data source device 20 is attacked, on one hand, the traffic log data in the current time period contains a large amount of abnormal data that interferes with the judgment of normal traffic, so it is not suitable for updating the second defense policy; on the other hand, resources can then be used preferentially to issue the corresponding defense policy to the protection execution device 12, which improves the efficiency of issuing the defense policy so that the subsequent network traffic can be defended in time.
In the above or following embodiments of the present application, the first defense policy is generated according to the identified abnormal traffic, so the first defense policy is more targeted, covers the abnormal traffic more comprehensively, and ensures the security of the data source device. Different first defense policies may be set for different abnormal traffic. For example, one first defense policy is a blocking defense policy, that is, blocking the abnormal traffic. For another example, one first defense policy is a speed-limiting defense policy, that is, limiting the speed of the abnormal traffic. Obviously, the second defense policy and the first defense policy are not limited to the above implementations.
Fig. 1b is a schematic diagram illustrating an operation principle of the defense system 10 according to another embodiment of the present application. As shown in fig. 1b, on one hand, the protection execution device 12 performs defense processing on the received network traffic using the local defense policy in effect, and sends the network traffic after the defense processing to the data source device 20; on the other hand, it sends the log data in the current time period to the protection policy calculation device 11, so as to provide a data basis for the protection policy calculation device 11.
As shown in fig. 1b, the protection policy calculation device 11 can perform three kinds of processing on the traffic log data in the current time period: first, the second defense policy can be updated according to the traffic log data in the current time period; second, abnormal traffic detection can be performed according to the traffic log data in the current time period, and if abnormal traffic is detected, a first defense policy can be generated for the abnormal traffic detected in the current time period; third, whether the network traffic in the current time period has an abnormal behavior can be detected according to the traffic log data in the current time period, and if it is detected that the network traffic in the current time period has an abnormal behavior, a defense policy can be provided or issued to the protection execution device 12, so that the protection execution device 12 can perform data processing on the network traffic in the subsequent time period according to the received defense policy. For a detailed description of the above three kinds of processing, reference may be made to the detailed description in the foregoing embodiment or the following embodiments, which is not repeated here.
As shown in fig. 1b, the protection execution device of the present application includes, but is not limited to, the following defense policy enforcement modules: a black and white list library module, an area control module, an accurate access control and source-counting access control module, and a speed limit module. Each defense policy enforcement module is responsible for implementing one type of defense policy. Based on the black and white list library module, the area control module, the accurate access control and source-counting access control module and the speed limit module, black and white list library data processing, area control data processing, accurate access control and source-counting access control data processing, and source speed limit and destination speed limit data processing can respectively be performed on the data access requests from the requester device 30. After the protection execution device receives the corresponding defense policy issued by the protection policy calculation device, it selects the module corresponding to the defense policy from its modules for parameter configuration, so as to perform the corresponding data processing on the data access requests of the requester device in the subsequent time period.
In some embodiments of the present application, the second defense policy is generated from historical traffic log data. One way to implement this is to filter the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of the normal traffic according to the log data of the normal traffic; and generate the second defense policy according to the target field characteristics in the baseline characteristics of the normal traffic. The amount of historical traffic log data may be adjusted according to actual conditions; for example, the traffic log data of a month or a year is selected, or the traffic log data of a certain day is screened out of the traffic log data of a year to serve as the historical traffic log data.
In the above embodiment, filtering the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic includes, but is not limited to, the following implementation manners:
The first manner: obtain the response status codes of the historical data requests according to the historical traffic log data, obtain the log data corresponding to abnormal response status codes, and filter that log data out. For example, when the response status code in a certain log record is 4xx or 5xx, it indicates that the log record is abnormal log data.
The second manner: if the historical traffic log data of a certain period of time falls within a period in which the data source device was attacked, all log data in that period is filtered out as abnormal log data.
The third manner: obtain the response status codes of the historical data requests according to the historical traffic log data of a certain time period, calculate the proportion of abnormal response status codes, and when the proportion of abnormal response status codes is greater than a set proportion threshold, filter out all log data in that time period as abnormal log data.
It should be noted that the above implementation manners may be used singly or in combination; the set proportion threshold is not limited in the present application and can be adjusted according to actual conditions.
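The three filtering manners above, as an added example in Python (this is not code from the patent; the record layout, field names, the 60-second period and the proportion threshold are assumptions). The second and third manners drop whole periods, the first manner drops individual records, and the sample log records are constructed here so the example runs offline:

```python
# Added example, not code from the patent: filter abnormal records out of
# historical traffic logs with the three manners described above, leaving
# only normal-traffic log data. Record layout and field names are assumed.
from collections import defaultdict

# Constructed sample records: unix timestamp (seconds), client, uri, status.
SAMPLE_LOGS = [
    {"ts": 5,   "client": "10.0.0.1", "uri": "/index.html", "status": 200},
    {"ts": 12,  "client": "10.0.0.2", "uri": "/search?q=a", "status": 200},
    {"ts": 30,  "client": "10.0.0.3", "uri": "/missing",    "status": 404},
    {"ts": 50,  "client": "10.0.0.1", "uri": "/cart",       "status": 200},
    {"ts": 65,  "client": "10.0.0.9", "uri": "/api",        "status": 503},
    {"ts": 70,  "client": "10.0.0.9", "uri": "/api",        "status": 503},
    {"ts": 90,  "client": "10.0.0.2", "uri": "/index.html", "status": 200},
    {"ts": 125, "client": "10.0.0.4", "uri": "/index.html", "status": 200},
    {"ts": 150, "client": "10.0.0.5", "uri": "/cart",       "status": 200},
    {"ts": 185, "client": "10.0.0.6", "uri": "/index.html", "status": 200},
    {"ts": 200, "client": "10.0.0.6", "uri": "/admin",      "status": 401},
]


def is_abnormal_status(status):
    """Manner one: a 4xx or 5xx response status code marks a record as abnormal."""
    return 400 <= status < 600


def filter_normal_logs(logs, attack_windows=(), period_seconds=60, ratio_threshold=0.5):
    """Return only the log records that count as normal traffic.

    Manner two: every record inside a known attack window (start, end) is dropped.
    Manner three: every record of a period whose share of abnormal status codes
                  exceeds ratio_threshold is dropped.
    Manner one: the remaining individual records with an abnormal status are dropped.
    """
    by_period = defaultdict(list)
    for rec in logs:
        if any(start <= rec["ts"] < end for start, end in attack_windows):
            continue  # manner two
        by_period[rec["ts"] // period_seconds].append(rec)

    normal = []
    for _, recs in sorted(by_period.items()):
        abnormal = sum(is_abnormal_status(r["status"]) for r in recs)
        if abnormal / len(recs) > ratio_threshold:
            continue  # manner three: the whole period is abnormal
        normal.extend(r for r in recs if not is_abnormal_status(r["status"]))  # manner one
    return normal


if __name__ == "__main__":
    # Period 120-179 is a constructed attack window; the 503-heavy period is
    # dropped by the ratio rule; single 4xx records are dropped individually.
    kept = filter_normal_logs(SAMPLE_LOGS, attack_windows=[(120, 180)])
    print(len(kept), "normal records kept")
```

Records are grouped by period before the proportion check so that a period dominated by errors is discarded as a whole even though some of its individual requests succeeded; a lower `ratio_threshold` makes this rule stricter.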
In the above or the following embodiments of the present application, after the log data of normal traffic is obtained, the baseline characteristics of the normal traffic may be analyzed according to the log data of the normal traffic. One way to achieve this is to extract field features from the log data of normal traffic and calculate the distribution baseline parameters of the field features as the baseline characteristics of the normal traffic. The field features include, but are not limited to, at least one of the following fields: HTTP standard fields (such as uri, refer and the like), website-defined custom fields, field sequences, and fields obtained by secondary processing of other fields (such as the query key parsed from the uri). The distribution baseline parameters of the field features include, but are not limited to, at least one of: the proportion of the field feature, the request frequency of the field feature, and the correlation of field feature combinations.
In the above embodiment, the second defense strategy is generated according to the target field characteristics in the baseline characteristics of the normal traffic. One way to realize this is to analyze the baseline characteristics of the normal flow and screen out the target field characteristics from the field characteristics contained in the normal flow; and generating a second defense strategy aiming at the target field characteristics. For example, from the field features included in the normal traffic, the field feature having the baseline feature larger than the baseline feature threshold is identified as the target field feature. In combination with the target field feature, one implementation manner of the second defense policy is as follows: and carrying out speed limit processing on the traffic which does not contain the target field characteristics.
In the above embodiment, after the protection policy calculation device obtains the traffic log data in the current time period, the second defense policy may be updated according to the traffic log data in the current time period. One possible updating manner is: identify normal traffic log data from the traffic log data in the current time period, and update the baseline characteristics of the normal traffic according to the identified normal traffic log data; analyze the updated baseline characteristics, and screen new target field features out of the field features contained in the newly identified normal traffic; if the new target field features are the same as the original target field features, the original second defense policy is not updated; if the new target field features differ from the original target field features, a new second defense policy is generated according to the new target field features, and the original second defense policy is supplemented with the new second defense policy.
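The baseline, target-field selection, default (second) policy and update steps described in the preceding paragraphs, as an added example in Python (not code from the patent). The field features used are the uri path, the referer and the query keys parsed from the uri; the distribution parameters are the share of requests carrying a feature and its request frequency; the share threshold, the record layout and the policy dictionary layout are assumptions, and the normal-traffic records are constructed:

```python
# Added example, not code from the patent: derive the distribution baseline of
# field features from normal-traffic log data, pick target field features,
# build the default (second) defense policy from them and update it with new
# normal logs. Field names, thresholds and the policy layout are assumptions.
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed normal-traffic log records (already filtered) from a 60-second
# window; only the fields the example uses are present.
NORMAL_LOGS = [
    {"uri": "/index.html",         "referer": ""},
    {"uri": "/index.html",         "referer": "https://shop.example/"},
    {"uri": "/search?q=shoes",     "referer": "https://shop.example/"},
    {"uri": "/search?q=hats",      "referer": "https://shop.example/"},
    {"uri": "/item?id=1",          "referer": "https://shop.example/"},
    {"uri": "/item?id=2&ref=mail", "referer": ""},
    {"uri": "/index.html",         "referer": "https://shop.example/"},
    {"uri": "/cart",               "referer": "https://shop.example/"},
]
WINDOW_SECONDS = 60


def extract_features(rec):
    """Field features of one record: HTTP standard fields (uri path, referer)
    plus a secondary field, the query keys parsed out of the uri."""
    parts = urlsplit(rec["uri"])
    feats = {("path", parts.path)}
    if rec.get("referer"):
        feats.add(("referer", rec["referer"]))
    for key in parse_qs(parts.query, keep_blank_values=True):
        feats.add(("query_key", key))
    return feats


def distribution(logs, window_seconds):
    """Distribution parameters per feature: share of requests carrying it and
    its request frequency (requests per second) within the window."""
    counts = Counter()
    for rec in logs:
        counts.update(extract_features(rec))
    total = len(logs)
    return {f: {"share": c / total, "freq": c / window_seconds} for f, c in counts.items()}


def select_target_features(base, share_threshold):
    """Target field features: those whose baseline share exceeds the threshold."""
    return frozenset(f for f, p in base.items() if p["share"] > share_threshold)


def build_second_policy(targets):
    """Default policy: rate-limit any request that carries none of the target features."""
    return {"action": "rate_limit", "exempt_features": frozenset(targets)}


def apply_second_policy(policy, rec):
    """Decision for one incoming request under the default policy."""
    return "pass" if extract_features(rec) & policy["exempt_features"] else policy["action"]


def update_second_policy(policy, new_normal_logs, window_seconds, share_threshold):
    """Recompute the target features from newly identified normal logs; if they
    differ from the existing ones, supplement the policy. Returns (policy, changed)."""
    new_targets = select_target_features(distribution(new_normal_logs, window_seconds), share_threshold)
    merged = policy["exempt_features"] | new_targets
    if merged == policy["exempt_features"]:
        return policy, False
    return build_second_policy(merged), True


if __name__ == "__main__":
    base = distribution(NORMAL_LOGS, WINDOW_SECONDS)
    policy = build_second_policy(select_target_features(base, share_threshold=0.3))
    print(sorted(policy["exempt_features"]))
    print(apply_second_policy(policy, {"uri": "/export?all=1", "referer": ""}))
```

With the constructed records and a share threshold of 0.3, the target features are the `/index.html` path and the shop referer; a request carrying neither is rate-limited, which is the "limit traffic that does not contain the target field features" form of the second policy. The update keeps the existing targets and adds new ones, matching the "supplement" semantics rather than replacing the policy.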
In some embodiments of the application, after the protection defense policy computing device obtains the traffic log data in the current time period, the protection defense policy computing device analyzes the traffic log data in the current time period to generate the first defense policy. One way to achieve this is to analyze the characteristics of the network traffic in the current time period according to the traffic log data in the current time period; according to the characteristics of the network flow in the current time period and the baseline characteristics of the known normal flow, identifying abnormal flow existing in the current time period; and generating a first defense strategy aiming at the abnormal traffic existing in the current time period according to the characteristics of the abnormal traffic existing in the current time period.
In the foregoing embodiment, the characteristics of the network traffic in the current time period are analyzed according to the traffic log data in the current time period. One optional implementation is to extract field features from the traffic log data in the current time period and calculate the distribution parameters of the field features as the characteristics of the network traffic in the current time period. The field features include, but are not limited to, at least one of the following fields: HTTP standard fields (such as uri, refer and the like), website-defined custom fields, field sequences, and fields obtained by secondary processing of other fields (such as the query key parsed from the uri). The distribution parameters of the field features include, but are not limited to, at least one of: the proportion of the field feature, the request frequency of the field feature, and the correlation of field feature combinations.
In the above embodiment, the abnormal traffic existing in the current time period is identified according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic. Including but not limited to at least one of the following:
In the first manner, the distribution parameters of the field features of the network traffic in the current time period are compared with the existing distribution baseline parameters of the field features, the proportional change rate of each corresponding field feature is calculated, and the network traffic corresponding to the field features whose proportional change rate is larger than the set change rate threshold is taken as the abnormal traffic existing in the current time period.
In the second manner, the distribution parameters of the field features of the network traffic in the current time period are compared with the existing distribution baseline parameters of the field features, the request frequency growth rate of each corresponding field feature is calculated, and the network traffic corresponding to the field features whose request frequency growth rate is larger than the set growth rate threshold is taken as the abnormal traffic existing in the current time period.
In the present application, the set change rate threshold and the set increase rate threshold are not limited, and the set change rate threshold and the set increase rate threshold may be adjusted according to actual conditions.
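The two identification manners above, followed by generation of a time-limited blocking (first) defense policy for the identified features, as an added example in Python (not code from the patent). The baseline and current-period distribution parameters are constructed dict literals in the shape feature → share and request frequency; the thresholds, the policy layout, and the rule that a feature absent from the baseline counts as an unbounded change are assumptions:

```python
# Added example, not code from the patent: identify abnormal traffic in the
# current period by comparing the distribution parameters of its field
# features against the known baseline, then build a time-limited blocking
# (first) defense policy for it. Feature keys, thresholds and the treatment of
# features absent from the baseline are assumptions.
INF = float("inf")

# Constructed distribution parameters: feature -> share of requests and
# request frequency (requests per second). The baseline comes from normal traffic...
BASELINE = {
    ("path", "/index.html"): {"share": 0.4, "freq": 0.05},
    ("path", "/search"):     {"share": 0.3, "freq": 0.04},
    ("path", "/item"):       {"share": 0.3, "freq": 0.04},
}
# ...and the current period shows /search requested far more often plus a
# path unseen in the baseline that now dominates the traffic.
CURRENT = {
    ("path", "/index.html"): {"share": 0.10, "freq": 0.05},
    ("path", "/search"):     {"share": 0.20, "freq": 0.10},
    ("path", "/item"):       {"share": 0.05, "freq": 0.025},
    ("path", "/export"):     {"share": 0.65, "freq": 0.325},
}


def change_rate(current, base):
    """Relative change of one parameter; growth from a zero baseline is unbounded."""
    if base == 0:
        return INF if current > 0 else 0.0
    return (current - base) / base


def identify_abnormal_features(current, baseline, share_change_threshold, freq_growth_threshold):
    """Manner one: proportional change rate above the change rate threshold.
    Manner two: request frequency growth rate above the growth rate threshold.
    Returns feature -> list of the manners that flagged it."""
    abnormal = {}
    for feat, cur in current.items():
        base = baseline.get(feat, {"share": 0.0, "freq": 0.0})
        reasons = []
        if change_rate(cur["share"], base["share"]) > share_change_threshold:
            reasons.append("share_change")
        if change_rate(cur["freq"], base["freq"]) > freq_growth_threshold:
            reasons.append("frequency_growth")
        if reasons:
            abnormal[feat] = reasons
    return abnormal


def build_first_policy(abnormal, now, effective_seconds):
    """Real-time policy: block traffic carrying any abnormal feature; it is in
    effect for a set duration, after which it is to be deleted."""
    return {"action": "block", "features": frozenset(abnormal), "expires_at": now + effective_seconds}


def policy_in_effect(policy, now):
    return now < policy["expires_at"]


def apply_first_policy(policy, request_features, now):
    """Decision for one request; None means the policy has expired and the
    caller should fall back to the default (second) policy."""
    if not policy_in_effect(policy, now):
        return None
    return "block" if request_features & policy["features"] else "pass"


if __name__ == "__main__":
    flagged = identify_abnormal_features(CURRENT, BASELINE, 1.0, 1.0)
    for feat, reasons in flagged.items():
        print(feat, reasons)
    print(build_first_policy(flagged, now=1000, effective_seconds=300))
```

A feature whose share fell (here `/index.html`) is never flagged, since only increases above the thresholds count; `/search` is flagged by frequency growth alone, and the previously unseen `/export` path by both manners.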
In the above embodiment, after the abnormal traffic existing in the current time period is identified, the first defense strategy for the abnormal traffic existing in the current time period is generated according to the characteristics of the abnormal traffic existing in the current time period. Optionally, the new first defense strategy is a defense strategy for blocking traffic which is characteristic of normal traffic.
In some embodiments of the present application, after obtaining traffic log data in a current time period, determining whether there is an abnormal behavior in network traffic in the current time period according to the traffic log data in the current time period includes at least one of the following manners:
In the first manner, the request frequency of the data requests in the current time period is obtained according to the log data in the current time period, and when the request frequency is larger than a first threshold, it is determined that the network traffic in the current time period has an abnormal behavior;
In the second manner, the abnormal proportion of the response status codes of the data requests in the current time period is obtained according to the log data in the current time period, and when the abnormal proportion of the response status codes is greater than a second threshold, it is determined that the network traffic in the current time period has an abnormal behavior;
In the third manner, the growth rate of the number of data requests in the current time period relative to the previous time period is obtained according to the log data in the current time period, and when the growth rate is greater than a third threshold, it is determined that the network traffic in the current time period has an abnormal behavior.
Any one of the three manners can be used alone as the judgment condition for abnormal behavior of the network traffic in the current time period, and any two or all three of them can also be used together as the judgment condition. The first threshold, the second threshold and the third threshold are not limited in the present application and can be adjusted according to actual conditions.
In an optional embodiment, after the second defense policy is updated and a new first defense policy is generated, the updated second defense policy and the new first defense policy are placed in a policy library, and corresponding effective durations are set for the first defense policies; the second defense policy is effective all the time but automatically becomes ineffective when a first defense policy appears. Based on this, after the traffic log data in the current time period is received, whether the network traffic in the current time period has an abnormal behavior is determined according to the traffic log data in the current time period; if the determination result shows that an abnormal behavior exists, it is determined whether a first defense policy in effect exists in the policy library. If one exists, data processing is performed on the network traffic in the subsequent time period according to the first defense policy in effect in the policy library; if none exists, data processing is performed on the network traffic in the subsequent time period according to the second defense policy in the policy library. In combination with the above system embodiments, performing data processing on the network traffic in the subsequent period according to the first defense policy or the second defense policy in effect in the policy library mainly means that the protection execution device 12 performs that data processing. Of course, depending on the application scenario or system architecture, the device that performs data processing on the network traffic in the subsequent period according to the first defense policy or the second defense policy in effect in the policy library may also be different.
According to the embodiment of the application, the second defense policy and the first defense policy are combined, so that the source server is protected from the moment the attack begins, and the influence on the current normal access requests is minimized.
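The three judgment conditions for abnormal behavior and the policy-library selection described above (first policies still in effect take precedence, otherwise the always-effective second policy), as an added example in Python (not code from the patent). The per-period status-code list, the previous-period count, the 60-second period, the thresholds and the policy dictionaries are constructed assumptions:

```python
# Added example, not code from the patent: decide whether the current period's
# traffic shows abnormal behaviour using the three judgment conditions above,
# and select from a policy library the defense policies to issue. Record
# layout, thresholds and policy dictionaries are assumptions.

# Constructed status codes of the 180 requests seen in the current 60-second
# period (100 of them server errors) and the request count of the previous period.
CURRENT_STATUSES = [200] * 80 + [503] * 100
PREVIOUS_COUNT = 30
PERIOD_SECONDS = 60


def detect_abnormal_behavior(statuses, previous_count, period_seconds,
                             freq_threshold, ratio_threshold, growth_threshold):
    """Returns the list of triggered conditions; a non-empty list means the
    network traffic in the current period has abnormal behaviour."""
    count = len(statuses)
    triggered = []
    # First manner: request frequency (requests per second) above the first threshold
    if count / period_seconds > freq_threshold:
        triggered.append("request_frequency")
    # Second manner: share of abnormal (4xx/5xx) status codes above the second threshold
    if count and sum(400 <= s < 600 for s in statuses) / count > ratio_threshold:
        triggered.append("abnormal_status_ratio")
    # Third manner: growth of the request count over the previous period above the third threshold
    if previous_count and (count - previous_count) / previous_count > growth_threshold:
        triggered.append("request_growth")
    return triggered


class PolicyLibrary:
    """Holds the always-effective second policy and time-limited first policies."""

    def __init__(self, second_policy):
        self.second_policy = second_policy
        self.first_policies = []

    def add_first_policy(self, policy, now, effective_seconds):
        """Store a new first policy together with its effective duration."""
        self.first_policies.append({**policy, "expires_at": now + effective_seconds})

    def purge_expired(self, now):
        """Delete first policies whose effective duration is over."""
        self.first_policies = [p for p in self.first_policies if p["expires_at"] > now]

    def policies_to_issue(self, now):
        """First policies in effect take precedence; otherwise the second policy
        (which automatically stops applying while a first policy exists)."""
        self.purge_expired(now)
        return list(self.first_policies) or [self.second_policy]


def policies_for_period(library, statuses, previous_count, period_seconds, now, thresholds):
    """One period end to end: policies are issued only if abnormal behaviour is detected."""
    if not detect_abnormal_behavior(statuses, previous_count, period_seconds, *thresholds):
        return []
    return library.policies_to_issue(now)


if __name__ == "__main__":
    lib = PolicyLibrary({"action": "rate_limit", "name": "default"})
    lib.add_first_policy({"action": "block", "name": "rt-1"}, now=1000, effective_seconds=300)
    print(detect_abnormal_behavior(CURRENT_STATUSES, PREVIOUS_COUNT, PERIOD_SECONDS, 1.0, 0.5, 2.0))
    print([p["name"] for p in policies_for_period(lib, CURRENT_STATUSES, PREVIOUS_COUNT,
                                                 PERIOD_SECONDS, 1050, (1.0, 0.5, 2.0))])
```

Expiry is evaluated at selection time, so a first policy that has passed its effective duration is deleted and the library falls back to the default policy without any separate timer; the conditions are returned as a list so the caller can log which of the three rules fired.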
The present application is further described below in conjunction with other application scenarios:
In other application scenarios of the present application, the protection execution device 12 obtains database operation log data in the current time period and uploads it to the protection policy calculation device 11, where the database operation log data reflects the characteristics of the database operation traffic in the current time period; the protection policy calculation device 11 detects, according to the received database operation log data in the current time period, whether a data leakage behavior exists in the current time period and whether abnormal database operation traffic exists, and when the protection policy calculation device 11 detects that a data leakage behavior exists in the current time period, it determines whether a first defense policy exists, the first defense policy being generated for the abnormal database operation traffic identified before the current time; if a first defense policy exists, data processing is performed on the database operation traffic in the subsequent time period according to the existing first defense policy; if none exists, data processing is performed on the database operation traffic in the subsequent period according to a second defense policy, the second defense policy being generated according to the normal database operation traffic identified before the current time.
In the application scenario of the present application, the protection policy calculation device 11 issues the existing first protection policy to the protection execution device 12 on the database operation traffic channel, so that the protection execution device 12 performs data processing on the database operation traffic in the subsequent time period according to the existing first protection policy. The protection policy calculation device 11 issues the generated second protection policy to the protection execution device 12 on the database operation traffic channel, so that the protection execution device 12 performs data processing on the database operation traffic in the subsequent time period according to the existing second protection policy. The data processing method for the database operation flow in the embodiment of the present application is not limited.
In the application scenario of the present application, a data leakage behavior in the current time period is determined according to the database operation log data in the current time period, which includes, but is not limited to, the following modes:
In the first manner, the number of query data items in the current time period is obtained according to the database operation log data in the current time period, and when the number of query data items is larger than a first quantity threshold, it is determined that a data leakage behavior exists in the current time period;
In the second manner, the number of query data bytes in the current time period is obtained according to the database operation log data in the current time period, and when the number of query data bytes is greater than a second quantity threshold, it is determined that a data leakage behavior exists in the current time period.
In the application scenario described above, the first defense policy is generated for the database abnormal operation traffic that has been identified before the current time. The baseline characteristics of the database oplog data include, but are not limited to, the following: the query frequency, the query time interval, the number of single query entries, the number of single query result bytes, the number of accumulated query entries, the number of accumulated query result entries, and the number of accumulated query result bytes.
In other application scenarios of the present application, the protection execution device 12 obtains traffic log data in the current time period and uploads it to the protection policy calculation device 11, where the traffic log data reflects the characteristics of the network traffic in the current time period; the protection policy calculation device 11 detects, according to the received traffic log data in the current time period, whether an abnormal behavior exists and whether abnormal traffic exists in the current time period. If the protection policy calculation device 11 determines according to the traffic log data in the current time period that the network traffic in the current time period has an abnormal behavior, it determines whether a first defense policy exists, the first defense policy being generated for the abnormal traffic identified before the current time; if a first defense policy exists, first visualization data is generated for the network traffic in the subsequent time period according to the existing first defense policy; if none exists, second visualization data is generated for the network traffic in the subsequent period according to a second defense policy, the second defense policy being generated according to the normal traffic identified before the current time.
In the application scenario of the application, the protection policy calculation device 11 sends the first visualization data to the display terminal, so that the display terminal generates the first display interface according to the first visualization data. The display content of the first display interface is not limited in the present application, and the display content of the first interface may include, but is not limited to, the following: the abnormal total index curve chart, the normal total index fluctuation range, the abnormal component corresponding index and the normal fluctuation range are compared.
In the application scenario of the present application, after generating second visual data for network traffic in a subsequent period according to the second defense policy, the protection policy computing device 11 sends the second visual data to the display terminal, so that the display terminal generates a second display interface according to the second visual data. The display content of the second display interface is not limited in the present application, and the display content of the second interface may include, but is not limited to, the following: the current index total curve chart and the normal index total fluctuation range, the current index ring ratio curve chart and the normal index ring ratio fluctuation range, each component distribution pie chart, each component current ratio and normal fluctuation range comparison table, and each component absolute value and normal fluctuation range comparison table.
In the above application scenario of the present application, the baseline characteristics of the traffic log data include, but are not limited to, the following: the absolute value of the total index, the cyclic ratio of the index to the previous cycle, the absolute value of each component, the ratio of each component to the previous cycle.
In addition to the defense system provided above, some embodiments of the present application further provide a data processing method, and the data processing method provided in the present application can be applied to the defense system, but is not limited to the defense system provided in the above embodiments. Fig. 2a is a schematic flowchart of a data processing method according to an exemplary embodiment of the present application. As shown in fig. 2a, the method comprises:
S201: obtaining traffic log data in the current time period, wherein the traffic log data reflects the characteristics of the network traffic in the current time period;
S202: determining whether the network traffic in the current time period has abnormal behavior according to the traffic log data in the current time period; if abnormal behavior exists, executing step S203; if no abnormal behavior exists, ending the attack detection;
S203: judging whether a first defense strategy exists, wherein the first defense strategy is generated for the abnormal traffic identified before the current time; if yes, executing step S204; if no, executing step S205;
S204: performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
S205: performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to the normal traffic identified before the current time.
The method of this embodiment may be executed by a device having a defense function and a certain computing power, or may be implemented by cooperation of the protection policy computing device and the protection execution device in the above system embodiment. In the cooperative scenario, the protection execution device sends the generated log data to the protection policy computing device, and the protection policy computing device obtains the log data by receiving it. The frequency at which the protection policy computing device acquires the log data may be every 1 s, 2 s, 5 s or 10 s, according to the actual situation.
In this embodiment, the second defense strategy is generated from historical traffic log data. One implementation is to filter abnormal log data out of the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of the normal traffic according to the log data of the normal traffic; and generate the second defense strategy according to the target field characteristics among the baseline characteristics of the normal traffic. The amount of historical traffic log data may be adjusted according to actual conditions; for example, the traffic log data of a month or a year is selected, or the traffic log data of a certain day is screened out of a year's traffic log data and used as the historical traffic log data.
In the above embodiment, filtering the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic includes, but is not limited to, the following implementations:
The first method: obtaining the response status code of each historical data request according to the historical traffic log data, and filtering out the log data corresponding to abnormal response status codes. For example, when the response status code in a certain log entry is 4xx or 5xx, that log entry is abnormal log data.
The second method: if the historical traffic log data of a certain period of time falls within a period in which the data source device was under attack, all log data in that period are filtered out as abnormal log data.
The third method: obtaining the response status codes of the historical data requests according to the historical traffic log data of a certain time period, calculating the proportion of abnormal response status codes, and, when the proportion of abnormal response status codes is greater than a set proportion threshold, filtering out all log data in that time period as abnormal log data.
It should be noted that the above implementations may be used singly or in combination; the set proportion threshold is not limited in the present application and may be adjusted according to actual conditions.
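The three filtering methods above, applied in combination over constructed log records, as an added example that is not code from the patent or its assignee; the record layout, the 10 s period, the 0.5 proportion threshold and the attack window are assumptions.

```python
"""Filtering abnormal entries out of historical traffic logs (methods 1-3)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class LogRecord:
    ts: datetime      # request timestamp
    uri: str
    status: int       # HTTP response status code


def is_abnormal_status(status: int) -> bool:
    """Method 1: a 4xx or 5xx response marks the record as abnormal log data."""
    return 400 <= status <= 599


def in_attack_window(ts: datetime, windows: Iterable[Tuple[datetime, datetime]]) -> bool:
    """Method 2: any record inside a known attack period is abnormal log data."""
    return any(start <= ts < end for start, end in windows)


def abnormal_status_ratio(records: List[LogRecord]) -> float:
    """Proportion of records in one period whose status code is abnormal."""
    if not records:
        return 0.0
    return sum(is_abnormal_status(r.status) for r in records) / len(records)


def bucket_by_period(records: Iterable[LogRecord], base: datetime,
                     period: timedelta) -> Dict[int, List[LogRecord]]:
    """Group records into fixed-length periods counted from `base`."""
    buckets: Dict[int, List[LogRecord]] = {}
    for r in records:
        buckets.setdefault((r.ts - base) // period, []).append(r)
    return buckets


def filter_normal_logs(records: Iterable[LogRecord], base: datetime,
                       attack_windows: Iterable[Tuple[datetime, datetime]] = (),
                       period: timedelta = timedelta(seconds=10),
                       ratio_threshold: float = 0.5) -> List[LogRecord]:
    """Apply methods 1-3 together and keep only the log data of normal traffic."""
    kept: List[LogRecord] = []
    windows = list(attack_windows)
    for bucket in bucket_by_period(records, base, period).values():
        # Method 3: drop the whole period when abnormal status codes exceed the threshold
        if abnormal_status_ratio(bucket) > ratio_threshold:
            continue
        for r in bucket:
            if is_abnormal_status(r.status) or in_attack_window(r.ts, windows):
                continue
            kept.append(r)
    return kept


# Constructed sample: period 0 is mostly healthy, period 1 is dominated by 503s,
# period 2 overlaps a known attack window (seconds 20-25).
BASE = datetime(2020, 1, 1)
SAMPLE_LOGS = (
    [LogRecord(BASE + timedelta(seconds=s), "/index", 200) for s in (1, 2, 3, 4, 5)]
    + [LogRecord(BASE + timedelta(seconds=6), "/missing", 404)]
    + [LogRecord(BASE + timedelta(seconds=s), "/api", 503) for s in (11, 12, 13, 14)]
    + [LogRecord(BASE + timedelta(seconds=15), "/api", 200)]
    + [LogRecord(BASE + timedelta(seconds=s), "/login", 200) for s in (21, 23, 27)]
)
ATTACK_WINDOWS = [(BASE + timedelta(seconds=20), BASE + timedelta(seconds=25))]


def demo() -> List[LogRecord]:
    """Expected: 5 records from period 0 and the single record at 27 s survive."""
    return filter_normal_logs(SAMPLE_LOGS, BASE, ATTACK_WINDOWS)


if __name__ == "__main__":
    for r in demo():
        print(r.ts.time(), r.uri, r.status)
```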
In the above or following embodiments of the present application, after the log data of normal traffic is obtained, the baseline characteristics of the normal traffic may be analyzed according to that log data. One implementation is to extract field features from the log data of normal traffic and calculate the distribution baseline parameters of the field features as the baseline characteristics of the normal traffic. The field features include, but are not limited to, at least one of the following: HTTP standard fields (such as uri, referer and the like), website-defined fields, field sequences, and fields obtained by secondary processing of those fields (such as the query keys parsed from the uri). The distribution baseline parameters of the field features include, but are not limited to, at least one of: the field feature fraction, the field feature request frequency, and the field feature combination correlation.
In the above embodiment, the second defense policy is generated according to a target field characteristic in the baseline characteristic of the normal traffic. One way to realize this is to analyze the baseline characteristics of the normal flow and screen out the target field characteristics from the field characteristics contained in the normal flow; a second defense policy is generated for the target field features. For example, from the field features included in the normal traffic, the field feature having the baseline feature larger than the baseline feature threshold is identified as the target field feature. In combination with the target field feature, one implementation manner of the second defense policy is as follows: and carrying out speed limit processing on the traffic which does not contain the target field characteristics.
In the above embodiment, after the log data is acquired, the log data in the current time period is analyzed and the second defense strategy is updated. One achievable updating mode is to identify normal traffic log data among the traffic log data in the current time period and update the baseline characteristics of the normal traffic according to the identified normal traffic log data; analyze the updated distribution baseline parameters of the field features and screen new target field features out of the field features contained in the newly identified normal traffic; if the new target field features are the same as the original target field features, the original second defense strategy is not updated; if the new target field features differ from the original target field features, a new second defense strategy is generated according to the new target field features to replace the original second defense strategy.
In the above embodiment, after the traffic log data in the current time period is acquired, the traffic log data in the current time period may also be analyzed, so as to generate the first defense policy. One way to achieve this is to analyze the characteristics of the network traffic in the current time period according to the traffic log data in the current time period; identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic; and generating a first defense strategy aiming at the abnormal traffic existing in the current time period according to the characteristics of the abnormal traffic existing in the current time period.
In the foregoing embodiment, the characteristics of the network traffic in the current time period are analyzed according to the traffic log data in the current time period. An optional implementation is to extract field features from the traffic log data in the current time period and calculate the distribution parameters of the field features as the characteristics of the network traffic in the current time period. The field features include, but are not limited to, at least one of the following: HTTP standard fields (such as uri, referer and the like), website-defined fields, field sequences, and fields obtained by secondary processing of those fields (such as the query keys parsed from the uri). The distribution parameters of the field features include, but are not limited to, at least one of: the field feature fraction, the field feature request frequency, and the field feature combination correlation.
In the above embodiment, the abnormal traffic existing in the current time period is identified according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic, including but not limited to at least one of the following modes:
In the first mode, the distribution parameters of the field features of the network traffic in the current time period are compared with the existing distribution baseline parameters of the field features, the proportional change rate of each corresponding field feature is calculated, and the network traffic corresponding to a field feature whose proportional change rate is greater than the set change rate threshold is taken as abnormal traffic existing in the current time period.
In the second mode, the distribution parameters of the field features of the network traffic in the current time period are compared with the existing distribution baseline parameters of the field features, the request frequency growth rate of each corresponding field feature is calculated, and the network traffic corresponding to a field feature whose request frequency growth rate is greater than the set growth rate threshold is taken as abnormal traffic existing in the current time period.
In the present application, the set change rate threshold and the set increase rate threshold are not limited, and the set change rate threshold and the set increase rate threshold may be adjusted according to actual conditions.
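One block serving both the baseline/target-field passage above (field feature extraction, distribution parameters, target field features and the second defense strategy's rate limit) and the two comparison modes just described, as an added example that is not code from the patent or its assignee; the log record layout, the extraction rules, the 0.5 fraction threshold, the change rate and growth rate thresholds, and the treatment of features absent from the baseline are assumptions.

```python
"""Field-feature baseline, second defense strategy and abnormal-feature identification."""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

Feature = Tuple[str, str]          # (field name, field value), e.g. ("query_key", "page")
Record = Dict[str, Optional[str]]  # one access-log entry: {"uri": ..., "referer": ...}
Params = Dict[Feature, Dict[str, float]]


def extract_field_features(record: Record) -> FrozenSet[Feature]:
    """Field features of one request: HTTP standard fields plus fields obtained by
    secondary processing of them (query keys parsed from the uri, referer host)."""
    parts = urlsplit(record["uri"])
    feats: Set[Feature] = {("path", parts.path)}
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        feats.add(("query_key", key))
    if record.get("referer"):
        feats.add(("referer_host", urlsplit(record["referer"]).netloc))
    return frozenset(feats)


def distribution_parameters(records: List[Record], period_seconds: float) -> Params:
    """Per-feature distribution parameters for one period: fraction = share of
    requests carrying the feature, frequency = requests per second carrying it."""
    counts: Counter = Counter()
    for r in records:
        counts.update(extract_field_features(r))
    return {f: {"fraction": c / len(records), "frequency": c / period_seconds}
            for f, c in counts.items()}


def select_target_features(baseline: Params, fraction_threshold: float) -> Set[Feature]:
    """Target field features: those whose baseline fraction exceeds the threshold."""
    return {f for f, p in baseline.items() if p["fraction"] > fraction_threshold}


def second_policy_rate_limit(record: Record, target_features: Set[Feature]) -> bool:
    """Second defense strategy: rate-limit traffic carrying none of the target features."""
    return not (extract_field_features(record) & target_features)


def identify_abnormal_features(current: Params, baseline: Params, change_rate_threshold: float,
                               growth_rate_threshold: float, min_fraction: float = 0.05) -> Dict[Feature, str]:
    """Modes 1 and 2: compare current distribution parameters with the baseline.
    Assumption: only increases count as abnormal, and a feature absent from the
    baseline is abnormal once it reaches min_fraction of the current requests."""
    abnormal: Dict[Feature, str] = {}
    for f, p in current.items():
        base = baseline.get(f)
        if base is None:
            if p["fraction"] >= min_fraction:
                abnormal[f] = "unseen in baseline"
            continue
        change_rate = (p["fraction"] - base["fraction"]) / base["fraction"]
        growth_rate = (p["frequency"] - base["frequency"]) / base["frequency"]
        if change_rate > change_rate_threshold:
            abnormal[f] = "fraction change rate %.2f" % change_rate
        elif growth_rate > growth_rate_threshold:
            abnormal[f] = "request frequency growth rate %.2f" % growth_rate
    return abnormal


def first_policy_block(record: Record, abnormal_features: Dict[Feature, str]) -> bool:
    """First defense strategy: block traffic carrying any identified abnormal feature."""
    return bool(extract_field_features(record) & set(abnormal_features))


REF = "https://www.example.com/"
# Constructed normal traffic for a 60 s baseline period.
BASELINE_LOGS: List[Record] = (
    [{"uri": "/search?q=book&page=%d" % i, "referer": REF} for i in range(8)]
    + [{"uri": "/about", "referer": REF} for _ in range(2)]
)
# Constructed current 60 s period: 5 normal requests plus 25 requests to an endpoint
# and query key that never appear in the baseline.
CURRENT_LOGS: List[Record] = (
    [{"uri": "/search?q=pen&page=1", "referer": REF} for _ in range(5)]
    + [{"uri": "/search.php?id=%d" % i, "referer": None} for i in range(25)]
)


def demo() -> Dict[str, object]:
    baseline = distribution_parameters(BASELINE_LOGS, 60)
    targets = select_target_features(baseline, fraction_threshold=0.5)
    current = distribution_parameters(CURRENT_LOGS, 60)
    abnormal = identify_abnormal_features(current, baseline, 0.5, 1.0)
    return {
        "target_features": targets,
        "abnormal_features": abnormal,
        "rate_limited_by_second_policy": sum(second_policy_rate_limit(r, targets) for r in CURRENT_LOGS),
        "blocked_by_first_policy": sum(first_policy_block(r, abnormal) for r in CURRENT_LOGS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```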
In the above embodiment, after the abnormal traffic existing in the current time period is identified, the first defense strategy for that abnormal traffic is generated according to its characteristics. Optionally, the new first defense strategy is a defense strategy that blocks traffic matching the characteristics of the identified abnormal traffic.
In the above embodiment, after the traffic log data in the current time period is obtained, determining whether the network traffic in the current time period has abnormal behavior according to the traffic log data includes at least one of the following modes:
In the first mode, the request frequency of data requests in the current time period is obtained according to the log data in the current time period, and when the request frequency is greater than a first threshold, it is determined that the network traffic in the current time period has abnormal behavior;
In the second mode, the abnormal proportion of the response status codes of the data requests in the current time period is obtained according to the log data in the current time period, and when the abnormal proportion of the response status codes is greater than a second threshold, it is determined that the network traffic in the current time period has abnormal behavior;
In the third mode, the growth rate of the number of data requests in the current time period relative to the previous time period is obtained according to the log data in the current time period, and when the growth rate is greater than a third threshold, it is determined that the network traffic in the current time period has abnormal behavior.
The three modes can be singly used as a judgment condition for the abnormal behavior of the network traffic in the current time period, and any two or three modes can be used as the judgment condition for the abnormal behavior of the network traffic in the current time period. The first threshold, the second threshold and the third threshold are not limited in the application, and the first threshold, the second threshold and the third threshold can be adjusted according to actual conditions.
After the second defense strategy is updated and a new first defense strategy is generated, the updated second defense strategy and the new first defense strategy are placed in a defense strategy library, and a corresponding effective time length is set for each first defense strategy; the second defense strategy is always effective, but automatically ceases to apply whenever a first defense strategy is in effect. On this basis, after the traffic log data in the current time period is received, whether the network traffic in the current time period has abnormal behavior is determined according to that log data, and if the judgment result is that abnormal behavior exists, whether a first defense strategy exists is judged; if an effective first defense strategy is available, data processing is performed on the network traffic in the subsequent time period according to that first defense strategy; if not, data processing is performed on the network traffic in the subsequent time period according to the second defense strategy. By combining the second defense strategy with the first defense strategy, the embodiment of the present application keeps the source server from being attacked and brought down at the first moment of an attack, while minimizing the influence on current normal access requests.
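The three judgment modes and the strategy library behaviour described above (steps S201 to S205 with per-strategy effective time lengths), as an added example that is not code from the patent or its assignee; the aggregated period statistics, the thresholds, the strategy names and the constructed clock are assumptions.

```python
"""Abnormal-behaviour judgment and defense-strategy selection from the strategy library."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class PeriodStats:
    """Traffic log data of one time period, already aggregated (constructed input)."""
    seconds: float
    requests: int
    abnormal_status: int   # responses with a 4xx/5xx status code
    prev_requests: int     # request count of the previous time period


@dataclass
class Thresholds:
    request_frequency: float = 50.0  # first threshold: requests per second
    abnormal_ratio: float = 0.3      # second threshold: share of abnormal status codes
    growth_rate: float = 2.0         # third threshold: growth relative to previous period


def has_abnormal_behavior(s: PeriodStats, t: Thresholds,
                          modes: Sequence[str] = ("frequency", "ratio", "growth")) -> List[str]:
    """Return the judgment conditions that fired; any one firing means abnormal
    behaviour. The modes may be used singly or in any combination."""
    fired: List[str] = []
    if "frequency" in modes and s.requests / s.seconds > t.request_frequency:
        fired.append("frequency")
    if "ratio" in modes and s.requests and s.abnormal_status / s.requests > t.abnormal_ratio:
        fired.append("ratio")
    if "growth" in modes and s.prev_requests and \
            (s.requests - s.prev_requests) / s.prev_requests > t.growth_rate:
        fired.append("growth")
    return fired


@dataclass
class FirstStrategy:
    name: str
    created_at: float     # seconds on a constructed clock
    effective_for: float  # effective time length set when the strategy is stored

    def is_effective(self, now: float) -> bool:
        return self.created_at <= now < self.created_at + self.effective_for


@dataclass
class StrategyLibrary:
    second_strategy: str  # generated from normal traffic; always present
    first_strategies: List[FirstStrategy] = field(default_factory=list)

    def add_first(self, strategy: FirstStrategy) -> None:
        self.first_strategies.append(strategy)

    def effective_first(self, now: float) -> Optional[FirstStrategy]:
        """Purge expired first strategies; the newest still-effective one wins."""
        self.first_strategies = [s for s in self.first_strategies if s.is_effective(now)]
        return max(self.first_strategies, key=lambda s: s.created_at, default=None)

    def select(self, stats: PeriodStats, t: Thresholds, now: float) -> str:
        """Steps S202-S205: no abnormal behaviour -> nothing to apply; otherwise an
        effective first strategy takes precedence, else the second strategy applies."""
        if not has_abnormal_behavior(stats, t):
            return "none"
        first = self.effective_first(now)
        return first.name if first else self.second_strategy


def demo() -> List[str]:
    """Walk one quiet period and one burst through the library over constructed time."""
    lib = StrategyLibrary(second_strategy="second:rate-limit-non-target")
    t = Thresholds()
    quiet = PeriodStats(seconds=10, requests=200, abnormal_status=10, prev_requests=190)
    burst = PeriodStats(seconds=10, requests=1200, abnormal_status=700, prev_requests=200)
    out = [lib.select(quiet, t, now=0)]        # no abnormal behaviour
    out.append(lib.select(burst, t, now=10))   # abnormal, no first strategy yet
    lib.add_first(FirstStrategy("first:block-abnormal-feature", created_at=10, effective_for=300))
    out.append(lib.select(burst, t, now=20))   # first strategy in effect
    out.append(lib.select(burst, t, now=400))  # first strategy expired
    return out


if __name__ == "__main__":
    print(demo())
```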
Fig. 3 is a schematic flow chart of another data processing method according to an exemplary embodiment of the present application. As shown in fig. 3, the method includes:
S301: analyzing the characteristics of the network traffic in the current time period according to the traffic log data in the current time period;
S302: identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic, wherein the baseline characteristics of the known normal traffic are obtained from historical traffic log data;
S303: generating a first defense strategy for the abnormal traffic existing in the current time period according to the characteristics of that abnormal traffic, so as to perform data processing on the network traffic in the subsequent time period.
The method of this embodiment may be executed by a device having a defense function and a certain computing power, or may be implemented by cooperation of the protection policy computing device and the protection execution device in the above system embodiment. In the cooperative scenario, the protection execution device sends the generated log data to the protection policy computing device, and the protection policy computing device obtains the log data by receiving it. The frequency at which the protection policy computing device acquires the log data may be every 1 s, 2 s, 5 s or 10 s, according to the actual situation.
Fig. 2b is a schematic flow chart of another data processing method according to an exemplary embodiment of the present application. As shown in fig. 2b, the method comprises:
S221: acquiring database operation log data in the current time period, wherein the database operation log data reflects the characteristics of the database operation traffic in the current time period;
S222: determining whether a data leakage behavior exists in the current time period according to the database operation log data in the current time period; if yes, executing step S223; if no, ending the data leakage behavior detection;
S223: judging whether a first defense strategy exists, wherein the first defense strategy is generated for the abnormal database operation traffic identified before the current time; if yes, executing step S224; if no, executing step S225;
S224: performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy;
S225: performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to the normal database operation traffic identified before the current time.
In the embodiment of the application, the existing first defense strategy is issued to the protection execution device on the database operation flow channel, so that the protection execution device performs data processing on the database operation flow in the subsequent time period according to the existing first defense strategy. And issuing the generated second defense strategy to protection execution equipment on the database operation flow channel so that the protection execution equipment can perform data processing on the database operation flow in the subsequent time period according to the existing second defense strategy. The data processing method for the database operation flow in the embodiment of the present application is not limited.
In the embodiment of the present application, whether a data leakage behavior exists in the current time period is determined according to the database operation log data in the current time period, including, but not limited to, the following modes:
In the first mode, the number of query data entries in the current time period is obtained from the database operation log data in the current time period, and when the number of query data entries is greater than a first quantity threshold, it is determined from the database operation log data in the current time period that a data leakage behavior exists in the current time period;
In the second mode, the number of bytes of query data in the current time period is obtained from the database operation log data in the current time period, and when the number of query data bytes is greater than a second quantity threshold, it is determined from the database operation log data in the current time period that a data leakage behavior exists in the current time period.
In the application scenario described above, the first defense strategy is generated for the abnormal database operation traffic identified before the current time. The baseline characteristics of the database operation log data include, but are not limited to, the following: the query frequency, the query time interval, the number of entries in a single query, the number of bytes in a single query result, the accumulated number of query entries, the accumulated number of query result entries, and the accumulated number of query result bytes.
Fig. 2c is a schematic flowchart of a data processing method according to an exemplary embodiment of the present application. As shown in fig. 2c, the method comprises:
S231: obtaining traffic log data in the current time period, wherein the traffic log data reflects the characteristics of the network traffic in the current time period;
S232: determining whether the network traffic in the current time period has abnormal behavior according to the traffic log data in the current time period; if abnormal behavior exists, executing step S233; if no abnormal behavior exists, ending the abnormal behavior detection;
S233: judging whether a first defense strategy exists, wherein the first defense strategy is generated for the abnormal traffic identified before the current time; if yes, executing step S234; otherwise, executing step S235;
S234: generating first visual data for the network traffic in the subsequent time period according to the existing first defense strategy;
S235: generating second visual data for the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to the normal traffic identified before the current time.
In the embodiment of the present application, the first visual data is sent to the display terminal, so that the display terminal can generate a first display interface according to the first visual data. The display content of the first display interface is not limited in the present application and may include, but is not limited to, the following: a curve chart of the total abnormal index against the fluctuation range of the total normal index, and a comparison of the index corresponding to each abnormal component against its normal fluctuation range.
In the embodiment of the present application, after the second visual data is generated for the network traffic in the subsequent time period according to the second defense strategy, the second visual data is sent to the display terminal, so that the display terminal can generate a second display interface according to the second visual data. The display content of the second display interface is not limited in the present application and may include, but is not limited to, the following: a curve chart of the current total index against the fluctuation range of the normal total index, a curve chart of the current period-on-period (ring) ratio of the index against the normal period-on-period fluctuation range, a distribution pie chart of each component, a comparison table of each component's current ratio against its normal fluctuation range, and a comparison table of each component's absolute value against its normal fluctuation range.
In the embodiment of the present application, the baseline characteristics of the traffic log data include, but are not limited to, the following: the absolute value of the total index, the period-on-period ratio of the index to the previous period, the absolute value of each component, and the period-on-period ratio of each component to the previous period.
The present embodiment is a data processing method described in terms of generation of a first defense policy. The steps in this embodiment are described in detail in the embodiments of the data processing method, and according to the embodiments of the data processing method, the embodiments of the data processing method and the corresponding advantageous effects can be obtained, which are not described herein again.
Fig. 4 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application. As shown in fig. 4, the data processing apparatus includes: a memory 401 and a processor 402, as well as necessary components of a communication component 403 and a power component 404.
The memory 401 is used for storing computer programs and may be configured to store other various data to support operations on the data processing apparatus. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 401 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or magnetic or optical disks.
The communication component 403 is used to establish communication connections with other devices.
The processor 402 may execute the computer instructions stored in the memory 401 to: obtain traffic log data in the current time period, wherein the traffic log data reflects the characteristics of the network traffic in the current time period; if it is determined from the traffic log data in the current time period that the network traffic in the current time period has abnormal behavior, judge whether a first defense strategy exists, the first defense strategy being generated for the abnormal traffic identified before the current time; if such a strategy exists, perform data processing on the network traffic in the subsequent time period according to the existing first defense strategy; and if not, perform data processing on the network traffic in the subsequent time period according to a second defense strategy, the second defense strategy being generated according to the normal traffic identified before the current time.
Optionally, the processor 402 may be further configured to: analyzing the characteristics of the network flow in the current time period according to the flow log data in the current time period; identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of the known normal traffic; and generating a first defense strategy aiming at the abnormal traffic existing in the current time period according to the characteristics of the abnormal traffic existing in the current time period.
Optionally, when performing data processing on network traffic in a subsequent period according to the existing first defense policy, the processor 402 is specifically configured to: and issuing the existing first defense strategy to the protection execution equipment on the network traffic channel so that the protection execution equipment can perform data processing on the network traffic in the subsequent time period according to the existing first defense strategy.
Optionally, the processor 402 may be further configured to: and issuing the effective time length corresponding to the existing first defense strategy to the protection execution equipment so that the protection execution equipment can perform data processing on the network traffic in the subsequent time period according to the existing first defense strategy in the effective time length.
Optionally, the processor 402 may be further configured to: filter abnormal log data out of the traffic log data of the historical time period to obtain the log data of normal traffic; analyze the baseline characteristics of the normal traffic according to the log data of the normal traffic; and generate a second defense strategy according to the target field characteristics among the baseline characteristics of the normal traffic.
Optionally, when performing data processing on the network traffic in the subsequent period according to the second defense policy, the processor 402 is specifically configured to: and issuing the generated second defense strategy to protection execution equipment on the network traffic channel so that the protection execution equipment can perform data processing on the network traffic in the subsequent time period according to the generated second defense strategy.
Optionally, when determining that the network traffic in the current time period has an abnormal behavior according to the traffic log data in the current time period, the processor 402 includes at least one of the following: acquiring the request frequency of a data request in the current time period according to the log data in the current time period, and determining that the network traffic in the current time period has abnormal behavior when the request frequency is greater than a first threshold; acquiring the abnormal proportion of the response status code of the data request in the current time period according to the log data in the current time period, and determining that the network flow in the current time period has abnormal behavior when the abnormal proportion of the response status code is greater than a second threshold value; and acquiring the growth rate of the number of the data requests in the current time period relative to the last time period according to the log data in the current time period, and determining that the network traffic in the current time period has abnormal behavior when the growth rate is greater than a third threshold value.
Correspondingly, the embodiment of the application also provides a computer readable storage medium storing the computer program. The computer-readable storage medium stores a computer program, and the computer program, when executed by one or more processors, causes the one or more processors to perform the steps in the method embodiment of fig. 2 a.
In the data processing device and storage medium embodiment, traffic log data in the current time period is acquired; abnormal behavior detection is performed on the traffic log data in the current time period, and when it is determined that the network traffic in the current time period has abnormal behavior, whether a generated first defense strategy exists in the defense strategy library is judged; if such a strategy exists, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent time period; if not, a second defense strategy generated from the known normal traffic is used to perform data processing on the network traffic in the subsequent time period. Combining the second defense strategy with the first defense strategy keeps the source server from being attacked and brought down at the first moment of an attack, while minimizing the influence on current normal access requests.
Fig. 5 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application. As shown in fig. 5, the data processing apparatus includes: a memory 501 and a processor 502, and also necessary components of a communication component 503 and a power component 504.
The memory 501 is used for storing computer programs and may be configured to store various other data to support operations on the data processing apparatus. Examples of such data include instructions for any application or method operating on a data processing device.
The memory 501 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
The communication component 503 is used for establishing a communication connection with another device.
The processor 502, which may execute the computer instructions stored in the memory 501, is configured to: analyze the characteristics of the network traffic in the current time period according to the traffic log data in the current time period; identify abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of known normal traffic, wherein the baseline characteristics of the known normal traffic are obtained from historical traffic log data; and generate a first defense strategy for the abnormal traffic existing in the current time period according to the characteristics of that abnormal traffic, so that data processing is performed on the network traffic in the subsequent time period according to the first defense strategy.
Correspondingly, an embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform the steps of the method embodiment of fig. 3.
In the data processing device and storage medium embodiments, traffic log data in the current time period is acquired; abnormal behavior detection is performed on the traffic log data in the current time period, and when it is determined that the network traffic in the current time period has abnormal behavior, it is judged whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent time period; if it does not exist, a second defense strategy generated from the known normal traffic is used to perform data processing on the network traffic in the subsequent time period. Combining the second defense strategy with the first defense strategy ensures that the source server is not brought down at the onset of an attack, while the impact on current normal access requests is minimized.
Fig. 6 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application. As shown in fig. 6, the data processing device includes a memory 601 and a processor 602, together with the necessary components of a communication component 603 and a power component 604.
The memory 601 is used for storing computer programs and may be configured to store other various data to support operations on the data processing apparatus. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 601 may be implemented by any type or combination of volatile and non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A communication component 603 configured to establish a communication connection with another device.
The processor 602, which executes the computer instructions stored in the memory 601, is configured to: obtain database operation log data in the current time period, wherein the database operation log data reflects the characteristics of the database operation traffic in the current time period; if it is determined, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period, judge whether a first defense strategy exists, wherein the first defense strategy is generated for abnormal database operation traffic identified before the current moment; if the first defense strategy exists, perform data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy; and if it does not exist, perform data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
Optionally, when performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy, the processor 602 is specifically configured to issue the existing first defense strategy to the protection execution equipment on the database operation traffic channel, so that the protection execution equipment performs data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy.
Optionally, when performing data processing on the network traffic in the subsequent time period according to the second defense strategy, the processor 602 is specifically configured to issue the generated second defense strategy to the protection execution equipment on the database operation traffic channel, so that the protection execution equipment performs data processing on the database operation traffic in the subsequent time period according to that second defense strategy.
Optionally, when determining, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period, the processor 602 is configured to perform at least one of the following: acquiring the number of query data items in the current time period according to the database operation log data in the current time period, and determining that data leakage behavior exists in the current time period when the number of query data items is greater than a first number threshold; and acquiring the number of bytes of query data in the current time period according to the database operation log data in the current time period, and determining that data leakage behavior exists in the current time period when the number of bytes of query data is greater than a second quantity threshold.
In the data processing device and storage medium embodiments, database operation log data in the current time period is acquired; data leakage behavior detection is performed on the database operation log data in the current time period, and when data leakage behavior exists in the current time period, it is judged whether a generated first defense strategy exists in the defense strategy library; if so, the existing first defense strategy is used to perform data processing on the database operation traffic in the subsequent time period; if not, data processing is performed on the database operation traffic in the subsequent time period according to the second defense strategy. Combining the second defense strategy with the first defense strategy reduces the loss caused by data leakage behavior.
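The two data-leakage indicators (number of query data items and number of query bytes in the current period), as an added example that is not code from the patent or its assignee. It goes one step beyond the page by also aggregating per principal, so that the abnormal operation traffic a first defense strategy targets can be described; the log line format, thresholds, principal names and rule format are constructed.

```python
"""Added example, not code from the patent: the two data-leakage indicators
over a database operation log for one time period, plus a per-principal
breakdown (an extension of the page) used to describe the abnormal operation
traffic that a first defence strategy would target. Log format, thresholds,
principal names and the rule format are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed database operation log for the current period:
# "<unix_ts> <principal> <rows_returned> <bytes_returned> <statement>".
DB_OPERATION_LOG = [
    "1700000001 app_reader 12 2048 SELECT id,name FROM users WHERE org_id=?",
    "1700000002 app_reader 1 180 SELECT balance FROM accounts WHERE id=?",
    "1700000003 report_job 150000 25165824 SELECT * FROM customers",
    "1700000004 app_reader 40 6144 SELECT id FROM orders WHERE user_id=?",
    "1700000005 report_job 100000 16777216 SELECT * FROM customer_addresses",
]


@dataclass
class LeakThresholds:
    max_query_items: int  # first number threshold: rows returned per period
    max_query_bytes: int  # second quantity threshold: bytes returned per period


THRESHOLDS = LeakThresholds(max_query_items=100_000, max_query_bytes=10 * 1024 * 1024)


@dataclass
class Totals:
    items: int = 0
    nbytes: int = 0


def parse_entry(line: str) -> Tuple[int, str, int, int, str]:
    ts, principal, rows, nbytes, statement = line.split(maxsplit=4)
    return int(ts), principal, int(rows), int(nbytes), statement


def aggregate_period(lines: List[str]) -> Tuple[Totals, Dict[str, Totals]]:
    """Return period-wide totals plus the same totals per principal."""
    total = Totals()
    per_principal: Dict[str, Totals] = defaultdict(Totals)
    for line in lines:
        _ts, principal, rows, nbytes, _stmt = parse_entry(line)
        for bucket in (total, per_principal[principal]):
            bucket.items += rows
            bucket.nbytes += nbytes
    return total, dict(per_principal)


def exceeded(t: Totals, th: LeakThresholds) -> List[str]:
    """Names of the indicators whose threshold these totals exceed."""
    fired = []
    if t.items > th.max_query_items:
        fired.append("query_item_count")
    if t.nbytes > th.max_query_bytes:
        fired.append("query_byte_count")
    return fired


def detect_data_leakage(lines: List[str], th: LeakThresholds) -> List[str]:
    """Period-level check from the page: either indicator over its threshold
    means data leakage behaviour exists in the current period."""
    total, _ = aggregate_period(lines)
    return exceeded(total, th)


def leaking_principals(lines: List[str], th: LeakThresholds) -> Dict[str, List[str]]:
    """Extension: which principals individually exceed a threshold, so the
    first defence strategy can be scoped to the abnormal operation traffic
    instead of all database traffic."""
    _, per_principal = aggregate_period(lines)
    result = {}
    for principal, totals in per_principal.items():
        fired = exceeded(totals, th)
        if fired:
            result[principal] = fired
    return result


def first_defense_strategy(lines: List[str], th: LeakThresholds) -> List[dict]:
    """Constructed rule format: cap each offending principal at the thresholds
    for the subsequent period, as a protection execution device would enforce."""
    return [{"principal": p, "max_rows": th.max_query_items,
             "max_bytes": th.max_query_bytes, "reason": fired}
            for p, fired in sorted(leaking_principals(lines, th).items())]


if __name__ == "__main__":
    print(detect_data_leakage(DB_OPERATION_LOG, THRESHOLDS))
    print(first_defense_strategy(DB_OPERATION_LOG, THRESHOLDS))
```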
Fig. 7 is a schematic structural diagram of a data processing device according to an exemplary embodiment of the present application. As shown in fig. 7, the data processing device includes a memory 701 and a processor 702, together with the necessary components of a communication component 703 and a power component 704.
The memory 701 is used for storing computer programs and may be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 701 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The communication component 703 is used for establishing a communication connection with another device.
The processor 702, which may execute the computer instructions stored in the memory 701, is configured to: obtain traffic log data in the current time period, wherein the traffic log data reflects the characteristics of the network traffic in the current time period; if it is determined, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior, judge whether a first defense strategy exists, wherein the first defense strategy is generated for abnormal traffic identified before the current moment; if the first defense strategy exists, generate first visualization data for the network traffic in the subsequent time period according to the existing first defense strategy; and if it does not exist, generate second visualization data for the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
Optionally, the processor 702, after generating the first visualization data for network traffic in a subsequent period according to the existing first defense policy, is further operable to: and sending the first visual data to a display terminal so that the display terminal can generate a first display interface according to the first visual data.
Optionally, the processor 702, after generating second visualization data for network traffic in a subsequent period according to the second defense policy, is further operable to: and sending the second visual data to a display terminal so that the display terminal can generate a second display interface according to the second visual data.
In some exemplary embodiments of the present application, on the one hand, whether abnormal traffic exists in the current time period may be analyzed according to the traffic log data in the current time period, and where abnormal traffic exists, a first defense strategy may be generated for it; on the other hand, abnormal behavior detection may be performed according to the traffic log data in the current time period, and when it is determined that the network traffic in the current time period has abnormal behavior, it is judged whether a generated first defense strategy exists; if the first defense strategy exists, first visualization data is generated for the network traffic in the subsequent time period using the existing first defense strategy; and if not, second visualization data is generated for the network traffic in the subsequent time period using a second defense strategy generated from the known normal traffic. Combining the second defense strategy with the first defense strategy for data processing of the network traffic allows each indicator of the abnormal behavior to be displayed visually and defense measures to be taken rapidly.
The communication components of figs. 4-7 described above are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component further includes Near Field Communication (NFC) technology, Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and the like to facilitate short-range communications.
The power supply components of fig. 4-7 described above provide power to the various components of the device in which the power supply components are located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (20)

1. A method of data processing, comprising:
obtaining traffic log data in a current time period, wherein the traffic log data reflects characteristics of network traffic in the current time period;
performing abnormal traffic detection according to the traffic log data in the current time period;
if abnormal traffic is detected, generating a first defense strategy for the abnormal traffic detected in the current time period;
if it is determined, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior, judging whether the first defense strategy exists;
if it exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
2. The method of claim 1, wherein performing abnormal traffic detection according to the traffic log data in the current time period comprises:
analyzing the characteristics of the network traffic in the current time period according to the traffic log data in the current time period;
identifying abnormal traffic existing in the current time period according to the characteristics of the network traffic in the current time period and the baseline characteristics of known normal traffic;
generating a first defense strategy for abnormal traffic detected within a current time period, comprising:
and generating the first defense strategy for the abnormal traffic existing in the current time period according to the characteristics of that abnormal traffic.
3. The method of claim 1, wherein performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy comprises:
issuing the existing first defense strategy to protection execution equipment on the network traffic channel, so that the protection execution equipment performs data processing on the network traffic in the subsequent time period according to the existing first defense strategy.
4. The method of claim 3, further comprising:
issuing the effective time length corresponding to the existing first defense strategy to the protection execution equipment, so that the protection execution equipment performs data processing on the network traffic in the subsequent time period according to the existing first defense strategy within the effective time length.
5. The method of claim 1, further comprising:
filtering abnormal log data out of the traffic log data in a historical time period to obtain log data of normal traffic;
analyzing the baseline characteristics of the normal traffic according to the log data of the normal traffic;
and generating the second defense strategy according to the target field characteristics in the baseline characteristics of the normal traffic.
6. The method of claim 1, wherein performing data processing on the network traffic in the subsequent time period according to the second defense strategy comprises:
issuing the generated second defense strategy to protection execution equipment on the network traffic channel, so that the protection execution equipment performs data processing on the network traffic in the subsequent time period according to the generated second defense strategy.
7. The method of claim 1, wherein determining, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior comprises at least one of:
acquiring the request frequency of data requests in the current time period according to the log data in the current time period, and determining that the network traffic in the current time period has abnormal behavior when the request frequency is greater than a first threshold;
acquiring the abnormal proportion of the response status codes of the data requests in the current time period according to the log data in the current time period, and determining that the network traffic in the current time period has abnormal behavior when the abnormal proportion of the response status codes is greater than a second threshold;
and acquiring the growth rate of the number of data requests in the current time period relative to the last time period according to the log data in the current time period, and determining that the network traffic in the current time period has abnormal behavior when the growth rate is greater than a third threshold.
8. A data processing method, comprising:
obtaining database operation log data in a current time period, wherein the database operation log data reflects characteristics of database operation traffic in the current time period;
performing abnormal database operation traffic detection according to the traffic log data in the current time period;
if abnormal database operation traffic is detected, generating a first defense strategy for the abnormal database operation traffic detected in the current time period; if it is determined, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period, judging whether the first defense strategy exists;
if the first defense strategy exists, performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
9. The method of claim 8, wherein performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy comprises:
issuing the existing first defense strategy to protection execution equipment on the database operation traffic channel, so that the protection execution equipment performs data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy.
10. The method of claim 8, wherein performing data processing on the network traffic in the subsequent time period according to the second defense strategy comprises:
issuing the generated second defense strategy to protection execution equipment on the database operation traffic channel, so that the protection execution equipment performs data processing on the database operation traffic in the subsequent time period according to that second defense strategy.
11. The method of claim 8, wherein determining, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period comprises at least one of:
acquiring the number of query data items in the current time period according to the database operation log data in the current time period, and determining that data leakage behavior exists in the current time period when the number of query data items is greater than a first number threshold;
and acquiring the number of bytes of query data in the current time period according to the database operation log data in the current time period, and determining that data leakage behavior exists in the current time period when the number of bytes of query data is greater than a second quantity threshold.
12. A data processing method, comprising:
obtaining traffic log data in a current time period, wherein the traffic log data reflects characteristics of network traffic in the current time period;
performing abnormal traffic detection according to the traffic log data in the current time period;
if abnormal traffic is detected, generating a first defense strategy for the abnormal traffic detected in the current time period;
if it is determined, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior, judging whether the first defense strategy exists;
if the first defense strategy exists, generating first visualization data for the network traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, generating second visualization data for the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
13. The method of claim 12, further comprising, after generating first visualization data for network traffic in a subsequent period of time in accordance with the existing first defense policy:
sending the first visualization data to a display terminal, so that the display terminal generates a first display interface according to the first visualization data.
14. The method of claim 12, further comprising, after generating second visualization data for network traffic in a subsequent period in accordance with a second defense policy:
sending the second visualization data to a display terminal, so that the display terminal generates a second display interface according to the second visualization data.
15. A data processing apparatus, characterized by comprising: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
obtaining traffic log data in a current time period, wherein the traffic log data reflects characteristics of network traffic in the current time period;
performing abnormal traffic detection according to the traffic log data in the current time period;
if abnormal traffic is detected, generating a first defense strategy for the abnormal traffic detected in the current time period;
if it is determined, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior, judging whether the first defense strategy exists;
if it exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
16. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by one or more processors, causes the one or more processors to perform acts comprising:
obtaining traffic log data in a current time period, wherein the traffic log data reflects characteristics of network traffic in the current time period;
performing abnormal traffic detection according to the traffic log data in the current time period;
if abnormal traffic is detected, generating a first defense strategy for the abnormal traffic detected in the current time period;
if it is determined, according to the traffic log data in the current time period, that the network traffic in the current time period has abnormal behavior, judging whether the first defense strategy exists;
if the first defense strategy exists, performing data processing on the network traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the network traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal traffic identified before the current moment.
17. A data processing apparatus, characterized by comprising: a memory and a processor;
the memory to store one or more computer instructions;
the processor to execute the one or more computer instructions to:
obtaining database operation log data in a current time period, wherein the database operation log data reflects characteristics of database operation traffic in the current time period;
performing abnormal database operation traffic detection according to the traffic log data in the current time period;
if abnormal database operation traffic is detected, generating a first defense strategy for the abnormal database operation traffic detected in the current time period;
if it is determined, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period, judging whether the first defense strategy exists;
if so, performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
18. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by one or more processors, causes the one or more processors to perform acts comprising:
obtaining database operation log data in a current time period, wherein the database operation log data reflects characteristics of database operation traffic in the current time period;
performing abnormal database operation traffic detection according to the traffic log data in the current time period;
if abnormal database operation traffic is detected, generating a first defense strategy for the abnormal database operation traffic detected in the current time period;
if it is determined, according to the database operation log data in the current time period, that data leakage behavior exists in the current time period, judging whether the first defense strategy exists;
if the first defense strategy exists, performing data processing on the database operation traffic in the subsequent time period according to the existing first defense strategy;
and if it does not exist, performing data processing on the database operation traffic in the subsequent time period according to a second defense strategy, wherein the second defense strategy is generated according to normal database operation traffic identified before the current moment.
19. A data processing apparatus, characterized by comprising: a memory and a processor;
the memory storing one or more computer instructions;
the processor executing the one or more computer instructions to:
obtain traffic log data for a current time period, the traffic log data reflecting characteristics of the network traffic in the current time period;
detect abnormal traffic according to the traffic log data for the current time period;
if abnormal traffic is detected, generate a first defense strategy directed at the abnormal traffic detected in the current time period;
if it is determined from the traffic log data for the current time period that the network traffic in the current time period exhibits abnormal behaviour, judge whether the first defense strategy exists;
if the first defense strategy exists, generate first visual data for the network traffic in a subsequent time period according to the existing first defense strategy;
and if it does not exist, generate second visual data for the network traffic in the subsequent time period according to a second defense strategy, the second defense strategy being generated from traffic identified as normal before the current moment.
20. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by one or more processors, causes the one or more processors to perform acts comprising:
obtaining traffic log data for a current time period, the traffic log data reflecting characteristics of the network traffic in the current time period;
detecting abnormal traffic according to the traffic log data for the current time period;
if abnormal traffic is detected, generating a first defense strategy directed at the abnormal traffic detected in the current time period;
if it is determined from the traffic log data for the current time period that the network traffic in the current time period exhibits abnormal behaviour, judging whether the first defense strategy exists;
if the first defense strategy exists, generating first visual data for the network traffic in a subsequent time period according to the existing first defense strategy;
and if it does not exist, generating second visual data for the network traffic in the subsequent time period according to a second defense strategy, the second defense strategy being generated from traffic identified as normal before the current moment.
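Claims 17 to 20 all describe the same decision procedure: learn a baseline (the second defense strategy) from traffic already judged normal, detect abnormal traffic in the current window and, if any is found, generate a targeted first defense strategy, then, once abnormal behaviour (data leakage in claims 17/18) is determined, apply the targeted strategy to the next window if one exists and otherwise fall back to the baseline. The following Python sketch is an added example of that selection logic run over a constructed log; it is not code from the patent or from Alibaba. The record layout, the request-rate and leakage thresholds, and the verdict labels (allow/block/flag) are assumptions made for illustration, since the claims leave the detectors unspecified.

```python
"""Defense-strategy selection sketched in claims 17-20 (added example, not the
patent's or Alibaba's code). Log layout, thresholds and verdict labels are
assumptions made for illustration only."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed record layout: (time_period, src_ip, dst_port, bytes_out).
# Serves as a database-operation log (claims 17/18) or a network flow log (19/20).
Record = Tuple[int, str, int, int]


@dataclass(frozen=True)
class Strategy:
    kind: str                               # "first" (targeted) or "second" (baseline)
    blocked_srcs: frozenset = frozenset()   # first strategy: sources seen attacking
    allowed_pairs: frozenset = frozenset()  # second strategy: (src, port) seen in normal traffic


def in_period(log: Iterable[Record], period: int) -> List[Record]:
    return [r for r in log if r[0] == period]


def learn_baseline(normal_records: Iterable[Record]) -> Strategy:
    """Second defense strategy: built only from traffic already identified as normal
    before the current moment; it knows nothing about any particular attack."""
    return Strategy(kind="second",
                    allowed_pairs=frozenset((src, port) for _, src, port, _ in normal_records))


def detect_abnormal_traffic(records: Iterable[Record], rate_limit: int) -> frozenset:
    """Abnormal-traffic detection: per-source request count over the window
    (assumed criterion; the claims leave the detector unspecified)."""
    counts = Counter(src for _, src, _, _ in records)
    return frozenset(src for src, n in counts.items() if n > rate_limit)


def has_abnormal_behaviour(records: Iterable[Record], leak_bytes: int) -> bool:
    """Abnormal-behaviour / data-leakage check: any single source pulling more
    than leak_bytes out within the window (assumed criterion)."""
    out: Counter = Counter()
    for _, src, _, b in records:
        out[src] += b
    return any(total > leak_bytes for total in out.values())


def choose_strategy(log: Iterable[Record], current: int, baseline: Strategy,
                    rate_limit: int = 20, leak_bytes: int = 50_000) -> Optional[Strategy]:
    """The claimed decision: targeted strategy if one was generated this period,
    otherwise fall back to the baseline. Returns None when no abnormal behaviour
    was determined (the claims say nothing about that case)."""
    cur = in_period(log, current)
    anomalous = detect_abnormal_traffic(cur, rate_limit)
    first = Strategy(kind="first", blocked_srcs=anomalous) if anomalous else None
    if not has_abnormal_behaviour(cur, leak_bytes):
        return None
    return first if first is not None else baseline


def apply_strategy(strategy: Strategy, records: Iterable[Record]) -> List[Tuple[Record, str]]:
    """Process the subsequent period's traffic under the chosen strategy. The
    verdict list stands in for what claims 17/18 call 'data processing' and
    what claims 19/20 render as first/second visual data."""
    verdicts = []
    for r in records:
        _, src, port, _ = r
        if strategy.kind == "first":
            verdict = "block" if src in strategy.blocked_srcs else "allow"
        else:
            verdict = "allow" if (src, port) in strategy.allowed_pairs else "flag"
        verdicts.append((r, verdict))
    return verdicts


# Constructed sample data. Period 0 is the already-classified normal traffic.
NORMAL_LOG = [(0, "10.0.0.5", 3306, 900)] * 5 + [(0, "10.0.0.6", 443, 400)] * 5
# Period 1, scenario A: a 40-query burst from one source plus a 60 kB pull by 10.0.0.6.
CURRENT_A = ([(1, "10.0.0.5", 3306, 900)] * 5
             + [(1, "198.51.100.7", 3306, 300)] * 40
             + [(1, "10.0.0.6", 3306, 30_000)] * 2)
# Period 1, scenario B: the same leakage but no burst, so no first strategy exists.
CURRENT_B = [(1, "10.0.0.5", 3306, 900)] * 5 + [(1, "10.0.0.6", 3306, 30_000)] * 2
# Period 2: the subsequent traffic each strategy is applied to.
NEXT_LOG = [(2, "10.0.0.5", 3306, 900), (2, "198.51.100.7", 3306, 300),
            (2, "203.0.113.9", 22, 100)]


def run_scenario(current_log: List[Record]) -> Tuple[Optional[str], List[str]]:
    """Returns (strategy kind chosen for period 2, verdicts for NEXT_LOG)."""
    baseline = learn_baseline(NORMAL_LOG)
    strategy = choose_strategy(NORMAL_LOG + current_log, current=1, baseline=baseline)
    if strategy is None:
        return None, []
    return strategy.kind, [v for _, v in apply_strategy(strategy, NEXT_LOG)]


if __name__ == "__main__":
    print(run_scenario(CURRENT_A))  # ('first', ['allow', 'block', 'allow'])
    print(run_scenario(CURRENT_B))  # ('second', ['allow', 'flag', 'flag'])
```

The two scenarios show the trade-off the claims are built around. In scenario A the targeted strategy blocks the source that caused the burst but says nothing about 203.0.113.9, a source never seen before, which sails through; in scenario B the baseline flags every (source, port) pair absent from the normal traffic, including the legitimate-looking new source, at the cost of more false positives. A practitioner applying this should also decide what to do when abnormal behaviour is determined but neither strategy fits (the `None` branch above), which the claims leave open.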

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201910717614.4A CN112333130B (en) 2019-08-05 2019-08-05 Data processing method, device and storage medium
TW109117868A TW202107312A (en) 2019-08-05 2020-05-28 Data processing method and device, and storage medium
PCT/CN2020/105033 WO2021023053A1 (en) 2019-08-05 2020-07-28 Data processing method and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910717614.4A CN112333130B (en) 2019-08-05 2019-08-05 Data processing method, device and storage medium

Publications (2)

Publication Number Publication Date
CN112333130A CN112333130A (en) 2021-02-05
CN112333130B true CN112333130B (en) 2023-04-07

Family

ID=74319270

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910717614.4A Active CN112333130B (en) 2019-08-05 2019-08-05 Data processing method, device and storage medium

Country Status (3)

Country Link
CN (1) CN112333130B (en)
TW (1) TW202107312A (en)
WO (1) WO2021023053A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113115351B (en) * 2021-03-31 2023-06-02 深圳市优克联新技术有限公司 Network exception processing method, processing device, terminal equipment and medium
CN113573350A (en) * 2021-06-16 2021-10-29 新浪网技术(中国)有限公司 Wireless equipment risk monitoring method and device
CN113660214B (en) * 2021-07-26 2023-02-28 杭州安恒信息技术股份有限公司 Protection method of Web server
CN113660215A (en) * 2021-07-26 2021-11-16 杭州安恒信息技术股份有限公司 Attack behavior detection method and device based on Web application firewall
CN113608909B (en) * 2021-07-29 2024-02-02 阿里巴巴(中国)有限公司 Data processing method, apparatus, device, system, storage medium and program product
CN113645233B (en) * 2021-08-10 2023-07-28 康键信息技术(深圳)有限公司 Intelligent risk-control decision method and device for traffic data, electronic device and medium
CN114070619A (en) * 2021-11-12 2022-02-18 中国工商银行股份有限公司 Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN114244564B (en) * 2021-11-16 2024-04-16 北京网宿科技有限公司 Attack defense method, device, equipment and readable storage medium
CN114338147B (en) * 2021-12-28 2023-08-11 中国银联股份有限公司 Password blasting attack detection method and device
CN114567498B (en) * 2022-03-04 2024-02-02 科来网络技术股份有限公司 Metadata extraction and processing method and system for network behavior visualization
CN115396314B (en) * 2022-08-26 2024-04-26 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection policy set and message detection
CN117857222A (en) * 2024-03-07 2024-04-09 国网江西省电力有限公司电力科学研究院 Dynamic IP-based network dynamic defense system and method for new energy centralized control station

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7373659B1 (en) * 2001-12-20 2008-05-13 Mcafee, Inc. System, method and computer program product for applying prioritized security policies with predetermined limitations
CN101505302A (en) * 2009-02-26 2009-08-12 中国联合网络通信集团有限公司 Dynamic regulating method and system for security policy
US8806638B1 (en) * 2010-12-10 2014-08-12 Symantec Corporation Systems and methods for protecting networks from infected computing devices
CN107682341A (en) * 2017-10-17 2018-02-09 北京奇安信科技有限公司 Protection method and device against CC attacks

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8856926B2 (en) * 2008-06-27 2014-10-07 Juniper Networks, Inc. Dynamic policy provisioning within network security devices
US20140157405A1 (en) * 2012-12-04 2014-06-05 Bill Joll Cyber Behavior Analysis and Detection Method, System and Architecture
CN105429963B (en) * 2015-11-04 2019-01-22 北京工业大学 Intrusion detection analysis method based on Modbus/TCP
CN105471854B (en) * 2015-11-18 2019-06-28 国网智能电网研究院 Adaptive boundary anomaly detection method based on a multi-stage strategy
CN108270600B (en) * 2016-12-30 2021-03-05 中国移动通信集团黑龙江有限公司 Method for processing malicious attack traffic and related server
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defense apparatus and method based on a cloud platform and a local platform
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 Web server security defense method
CN109347814A (en) * 2018-10-05 2019-02-15 李斌 Container cloud security protection method and system built on Kubernetes

Also Published As

Publication number Publication date
WO2021023053A1 (en) 2021-02-11
CN112333130A (en) 2021-02-05
TW202107312A (en) 2021-02-16

Similar Documents

Publication Publication Date Title
CN112333130B (en) Data processing method, device and storage medium
US11805148B2 (en) Modifying incident response time periods based on incident volume
US20220200956A1 (en) Network threat prediction and blocking
US10917417B2 (en) Method, apparatus, server, and storage medium for network security joint defense
US10764320B2 (en) Structuring data and pre-compiled exception list engines and internet protocol threat prevention
US10122724B2 (en) Detection and management of unauthorized use of cloud computing services
CN110858229B (en) Data processing method, device, access control system and storage medium
WO2014160062A1 (en) Internet protocol threat prevention
CN112422484B (en) Method, apparatus, and storage medium for determining scenario for processing security event
US20180367547A1 (en) Detecting malicious beaconing communities using lockstep detection and co-occurrence graph
CN112165459A (en) Application method for automatically switching to host honeypot based on alarm honeypot information analysis
US9871810B1 (en) Using tunable metrics for iterative discovery of groups of alert types identifying complex multipart attacks with different properties
Repetto Adaptive monitoring, detection, and response for agile digital service chains
Lee et al. Managing cyber threat intelligence in a graph database: Methods of analyzing intrusion sets, threat actors, and campaigns
KR20180080450A (en) Apparatus for malware detection based on cloud and method using the same
KR102314557B1 (en) System for managing security control and method thereof
CN111092886A (en) Terminal defense method, system, equipment and computer readable storage medium
CN111262719A (en) Information display method, device and storage medium
CN109327433A (en) Threat cognitive method and system based on Run-time scenario analysis
US20240022583A1 (en) Data Collection Management
US11425156B2 (en) Dynamic gathering of attack symptoms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant