CN113630331B - Processing method for parent-child connection in full-flow storage backtracking analysis system - Google Patents

Info

Publication number: CN113630331B
Authority: CN (China)
Prior art keywords: data connection, connection, worker thread, thread, processing
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202111180366.8A
Other languages: Chinese (zh)
Other versions: CN113630331A
Inventor: 曲武
Current assignee: Jinjing Yunhua Shenyang Technology Co ltd; Beijing Jinjingyunhua Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Jinjing Yunhua Shenyang Technology Co ltd; Beijing Jinjingyunhua Technology Co ltd
Events: application filed by Jinjing Yunhua Shenyang Technology Co ltd and Beijing Jinjingyunhua Technology Co ltd; priority to CN202111180366.8A; publication of CN113630331A; application granted; publication of CN113630331B; legal status Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H04L 45/7453 Address table lookup; Address filtering using hashing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention relates to the technical field of data analysis and processing, and particularly provides a method for processing parent-child connections in a full-flow storage backtracking analysis system, which comprises the following steps: determining the port range of each worker thread and establishing a mapping between each worker thread and its ports; based on that mapping, configuring the two directions of traffic so that one direction is classified by source port and the other by destination port; constructing a data connection hash mapping table for each worker thread; and processing the control connection, the data connection and the storage thread respectively. The invention ensures accurate application identification of parent-child connection messages, avoids the load-balancing robustness problem that arises when all traffic of the same ip address must be assigned to the same thread, and also improves overall high-concurrency performance.

Description

Processing method for parent-child connection in full-flow storage backtracking analysis system
Technical Field
The invention relates to the technical field of data analysis and processing, and particularly provides a method for processing parent-child connection in a full-flow storage backtracking analysis system.
Background
For security vendors, a firewall and a full-traffic storage backtracking analysis system both analyze and process traffic, but their processing logic for data connection packets differs. The reason is that a firewall and similar inline systems can guarantee the packet ordering of the control connection and the data connection, whereas a full-flow storage backtracking analysis system works on mirrored packets, and because a multi-core system receives packets through the driver's receive queues, the threads performing full-flow storage cannot guarantee that the control connection and the data connection are received by the same worker thread, nor even that the control connection is processed before the data connection. In a traffic analysis system the data connection relies on the control connection to identify the application type, so if the data connection is processed before the control connection, the accuracy of application identification is likely to suffer and reports are missed.
Take FTP passive mode (PASV) as an example. To solve the problem of server-initiated connections to the client, the client notifies the server that it is in passive mode. In passive-mode FTP both the control connection and the data connection are initiated by the client, which avoids the problem of the inbound connection from the server to the client's data port being filtered by a firewall.
Unlike active-mode FTP, in which the client sends a PORT command and lets the server connect back to its data port, in passive mode the client sends a PASV command, which causes the server to open an arbitrary non-privileged port (port number greater than 1024, say PortA) and send a PORT P command to the client. On receipt, the client initiates a connection from a local port (port number greater than 1024, say PortB) to PortA on the server to transfer data. For FTP, the consequence of failing to identify FTP traffic in time is that file extraction on the FTP data connection cannot run in real time, so it cannot be detected whether the file downloaded over FTP is a virus or whether sandbox processing is required.
For a firewall, because FTP traffic is processed in real time, the data connection is only established after the control connection is established, but for a full-traffic storage system the processing order of the data connection cannot be guaranteed because the processing logic operates on mirrored packets. The common approach in the industry is to split capture and analysis into two processes: the capture process is responsible for load balancing and sends packets with the same ip addresses to the same analysis process, and since the parent and child connections share the same ip addresses, the analysis process is guaranteed to process them in time order. However, this design increases process switching and packet circulation between threads and causes cache misses, which hurts performance.
Because of the drawback of separating the capture thread and the analysis thread, another industry approach performs analysis on the capture thread itself, i.e. the capture thread and the analysis thread are merged into one. This requires that the parent and child connections be received by the same capture thread, which in turn requires the hardware receive driver to be configured so that packets with the same (sip, dip), the same sip, or the same dip are received by the same capture thread; this easily causes load imbalance and so affects the robustness of the system.
Handling of FTP parent-child connections in a full-flow storage backtracking system is part of traffic analysis and not a key function of the system, so vendors do not treat it specially: they either sacrifice performance or the robustness of load balancing, or simply tolerate the missed reports caused by out-of-order multi-core processing of the parent-child connection sequence.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a method for processing parent-child connections in a full-flow storage backtracking analysis system, which optimizes parent-child connection handling, ensures accurate application identification of parent-child connection messages, avoids the load-balancing robustness problem that arises when all traffic of the same ip address must be allocated to the same thread, and also improves overall high-concurrency performance.
The invention is realized in this way, and provides a method for processing parent-child connection in a full-flow storage backtracking analysis system, which comprises the following steps:
1) determining the port range of each worker thread, and establishing a mapping relation between each worker thread and each port;
2) configuring two directions of flow based on the mapping relation set in the step 1), wherein one direction selects source port configuration, and the other direction selects destination port configuration;
3) constructing a data connection hash mapping table of each worker thread;
4) the control connection is processed according to the following flow:
401) when worker thread A identifies that the control connection has a passive connection and a data connection needs to be established, worker thread A obtains the destination port sent by the server, computes the id of the worker thread owning that port according to the mapping established in step 1), say worker thread B, then sends the data connection information to worker thread B, and worker thread B adds a hash table entry for the data connection to its own hash mapping table;
402) when worker thread A identifies that the control connection is finished, i.e. in the control connection session deletion stage, it queries lock-free the hash mapping table of the worker thread B corresponding to the data connection and checks whether the hash table entry for the data connection has been cleared, to judge whether the data connection was really identified:
4021) if the hash table entry for the data connection has been cleared, which indicates that the application type of the data connection was identified, the data connection is marked with the label flag =1 and sent to the storage thread for normal processing;
4022) if the hash table entry for the data connection has not been cleared, the label flag =0 is set, and there are two cases:
the data connection message has not yet been processed, and processing of the data connection is awaited;
the data connection message has already been processed and sent to the storage thread, in which case the storage thread queries the index table, re-marks the application type of all messages of the data connection as that data connection and re-indexes them;
5) the data connection is processed according to the following flow:
501) when a worker thread B receives a new or deleted message of the data connection, processing a hash table item corresponding to the data connection in the worker thread B without a lock, and adding or deleting the corresponding hash table item;
502) when the worker thread B needs to identify data connection, processing according to the following flow:
502-1) if the session type is a tcp message and the source port and destination port are both in the range 1024-;
502-2) when the connection is possibly passive, extracting a key (sip, dip, dport) of the data connection, searching a hash mapping table of a worker thread B without a lock, and if the hash mapping table is found, acquiring a value, namely acquiring a corresponding application type;
502-3) processing based on the application type after the application type is identified;
502-4), deleting the hash table entry corresponding to the data connection in the hash mapping table after the processing is finished;
503) when the data connection is finished, if the application type of the data connection is identified, marking a flag =1 label on the message for normal processing;
504) when the application type of the data connection is not identified, and the message of the data connection needs to be sent to a storage thread for processing, marking a flag =2 on the message;
6) the storage thread is processed according to the following flow:
601) calculating the id of the storage thread according to the sip and the dip of the control connection and the data connection;
602) when the condition in step 4022) is that the connection is the control connection and flag =0, searching an index table according to information of the data connection, if the connection can be found, setting the connection as the data connection, processing according to the application type of the connection, resetting an index of the data connection, if the connection cannot be found, ending additional processing of the control connection, and normally storing a message of the control connection;
603) when the condition in the step 504) is that the data connection is established and flag =2, determining the id of the worker thread corresponding to the port according to the information of the data connection port, then searching the hash mapping table of the worker thread, if the hash mapping table can be found, setting the connection as the data connection, processing according to the application type of the connection, deleting the hash table item corresponding to the data connection in the hash mapping table of the worker thread, resetting the index of the data connection and storing the message, if the hash mapping table is not found, ending the additional processing of the data connection, and normally storing the message of the data connection;
604) when the situation is in step 4021) and step 503), that is, when the situation is the control connection or the data connection and flag =1, setting an index of the connection and storing the message.
Preferably, in step 2), a software configuration manner or a hardware network card configuration manner is used to configure two directions of the flow.
Preferably, in step 3), a key is established by using the local data connection hash mapping table of each worker thread based on the triple of the data connection, the key is set as three items (sip, dip, dport) in the four-tuple of the message, and the value is the application type of the control connection.
Preferably, in step 4), the data connection information includes a client ip address, a server ip address, and a port.
Compared with the prior art, the invention has the advantages that:
1. under the condition that a parent-child connection (namely control connection and data connection) message is not required to be forcibly divided into the same worker thread for processing, the flow is more balanced;
2. parent-child connections are processed lock-free, and multi-core performance scales linearly with the number of worker threads;
3. the flow identification is accurate, and the phenomenon of missing report is avoided.
Drawings
The invention is described in further detail below with reference to the following figures and embodiments:
FIG. 1 is a flow chart of step 1), step 2), step 3);
FIG. 2 is a process flow diagram of a control connection;
FIG. 3 is a flow chart of a process for data connection;
FIG. 4 is a process flow diagram of a store thread.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to solve the timing problem that parent-child connections are easy to generate in a full-flow storage backtracking analysis system and optimize the parent-child connections, the invention provides a processing method of parent-child connections in the full-flow storage backtracking analysis system, which comprises the following steps:
referring to fig. 1:
1) determining the port range of each worker thread, and establishing a mapping relation between each worker thread and each port;
for example, assuming that only 10 worker threads are currently used to process packets, the following port mapping is established:
worker 0: ports whose last decimal digit is 0;
worker 1: ports whose last decimal digit is 1;
worker 2: ports whose last decimal digit is 2;
……
worker 9: ports whose last decimal digit is 9.
2) Based on the mapping set in step 1), messages within a fixed port range are certain to be received by the same worker thread; to ensure that messages in both directions of the same session are also received by the same worker thread, the two directions of traffic are configured so that one direction is classified by source port and the other by destination port;
the two directions of traffic are configured either in software or in the hardware network card. For example, using a hardware network card configuration:
network card A maps to its first queue the packets whose destination port ends in the digit 0;
network card B maps to its first queue the packets whose source port ends in the digit 0.
3) Constructing a data connection hash mapping table of each worker thread;
the local data connection hash mapping table of each worker thread builds its key from a triple of the data connection: the key is three items (sip, dip, dport) of the packet four-tuple, and the value is the application type of the control connection.
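As an added example of steps 1) to 3), not code from the patent or its assignees: a Python model of the port-to-worker mapping, the two-direction classification and the data connection key. It assumes ten workers as in the page's example, that the engine knows which endpoint is the FTP server (for instance from the SYN direction), and that the server announces the passive port in the RFC 959 `227 ... (h1,h2,h3,h4,p1,p2)` reply (the page calls this a `PORT P command`); all addresses and ports are constructed.

```python
"""Added example (not the patent's own code): port-based worker selection for
steps 1) to 3). Assumptions: N_WORKERS = 10 as in the page's example, the engine
knows which endpoint is the FTP server (e.g. from the SYN direction), and the
server announces the passive port in an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)'
reply. All addresses and ports below are constructed."""
import re
from typing import Optional, Set, Tuple

N_WORKERS = 10   # assumption: ten worker threads, worker id = last decimal digit of the port


def worker_for_port(port: int, n_workers: int = N_WORKERS) -> int:
    """Step 1): the port range of worker i is every port whose last digit is i."""
    return port % n_workers


def worker_for_packet(sip: str, sport: int, dip: str, dport: int,
                      server_ip: str, n_workers: int = N_WORKERS) -> int:
    """Step 2): client->server packets are classified by destination port,
    server->client packets by source port, so both directions of one session
    reach the same worker even though sport != dport."""
    if dip == server_ip:
        return worker_for_port(dport, n_workers)
    return worker_for_port(sport, n_workers)


def session_workers(client_ip: str, client_port: int,
                    server_ip: str, server_port: int) -> Set[int]:
    """Workers that would see the two directions of one TCP session; the
    step 2) configuration is correct when this set has exactly one element."""
    return {
        worker_for_packet(client_ip, client_port, server_ip, server_port, server_ip),
        worker_for_packet(server_ip, server_port, client_ip, client_port, server_ip),
    }


_PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Extract (server_ip, PortA) from the server's passive-mode reply;
    PortA = p1 * 256 + p2. Returns None for a malformed or unrelated line."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    port = p1 * 256 + p2
    if not 0 < port <= 65535:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_connection_key(client_ip: str, server_ip: str, port_a: int) -> Tuple[str, str, int]:
    """Step 3): key of worker B's local hash map, the (sip, dip, dport) of the
    client-initiated data connection; the value stored under it is the control
    connection's application type."""
    return (client_ip, server_ip, port_a)


def plan_data_connection(client_ip: str, pasv_reply: str) -> Optional[Tuple[int, Tuple[str, str, int]]]:
    """What worker A does in step 401): learn PortA from the control channel,
    compute the worker B that will own the data connection, and build the key
    B inserts into its own map."""
    parsed = parse_pasv_reply(pasv_reply)
    if parsed is None:
        return None
    server_ip, port_a = parsed
    return worker_for_port(port_a), data_connection_key(client_ip, server_ip, port_a)
```

The point the model makes visible is that the control connection (port 21, worker 1) and the data connection (PortA, worker PortA mod 10) usually land on different workers, yet worker A can name worker B deterministically from PortA alone, which is what allows the cross-worker insert without any shared lock.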
4) Referring to fig. 2, taking ftp as an example, the control connection is processed according to the following procedures, and is divided into two cases, namely, the control connection recognizes that a passive connection exists, and the control connection session deletion stage:
401) when worker thread A identifies that the control connection has a passive connection and a data connection needs to be established, worker thread A obtains the destination port sent by the server, computes the id of the worker thread owning that port according to the mapping established in step 1), say worker thread B, and sends the data connection information (client ip address, server ip address and port) to worker thread B; on receiving the information, worker thread B adds a hash table entry for the data connection to its own hash mapping table;
402) when worker thread A identifies that the control connection is finished, i.e. in the control connection session deletion stage, it queries lock-free the hash mapping table of the worker thread B corresponding to the data connection and checks whether the hash table entry for the data connection has been cleared, to judge whether the data connection was really identified:
4021) if the hash table entry for the data connection has been cleared, which indicates that the application type of the data connection was identified, the data connection is marked with the label flag =1 and sent to the storage thread for normal processing;
4022) if the hash table entry for the data connection has not been cleared, the label flag =0 is set, and there are two cases:
the data connection message has not yet been processed, and processing of the data connection is awaited;
the data connection message has already been processed and sent to the storage thread, in which case the storage thread queries the index table, re-marks the application type of all messages of the data connection as that data connection and re-indexes them;
5) Referring to fig. 3, data connection handling has two parts: the first identifies the data connection traffic; the second is supplementary processing of the data connection traffic, needed because the data connection may arrive earlier than the control connection, at which point the application type is not yet known. Specifically, the process is as follows:
501) when a worker thread B receives a new or deleted message of the data connection, processing a hash table item corresponding to the data connection in the worker thread B without a lock, and adding or deleting the corresponding hash table item;
502) when the worker thread B needs to identify data connection, processing according to the following flow:
taking ftp as an example, when the destination port of a data connection packet is dport =20 it is directly recognized as a legitimate data connection; for a passive connection, without notification from the control connection the application type cannot be determined, but not every packet needs to be checked for an ftp data connection, so the patent is designed as follows:
502-1) if the session type is a tcp message and the source port and destination port are both in the range 1024-;
502-2) when the connection is possibly passive, extract the key (sip, dip, dport) of the data connection and search the hash mapping table of worker thread B lock-free; if the key is found, obtain the value, i.e. the corresponding application type;
when the connection cannot be passive, or may be passive but the entry is not found in the hash map, processing follows the existing normal flow.
502-3) processing based on the application type after the application type is identified;
taking the ftp passive connection as an example, identifying the data content of the ftp data connection normally, and if a file is downloaded, extracting the file, and performing normal detection.
502-4), deleting the hash table entry corresponding to the data connection in the hash mapping table after the processing is finished;
in the invention, for the same session, at most X messages enter the application identification module; if the application is identified within these X messages it is marked, otherwise the session is treated as an unidentified application.
In the invention, for sub-connections handled in a worker thread, at most Y messages are passed to application processing while the application is still unidentified, but messages whose application type can be identified by querying the sub-connection table are not subject to this limit of Y, and the possibility of identifying the application by continuing to query the sub-connection mapping table is retained.
As shown in fig. 3, to optimize performance the worker thread queries the mapping table only twice before the application is identified: once when the session table entry is created for the first packet, and once more when the application is still unidentified after Y packets.
503) When the data connection is finished, if the application type of the data connection is identified, marking a flag =1 label on the message for normal processing;
504) when the application type of the data connection is not identified, and the message of the data connection needs to be sent to a storage thread for processing, marking a flag =2 on the message;
for sessions whose application has not been identified and whose messages are about to end or need to be stored, the data connection has probably been processed faster than the control connection in this scenario, so the data connection table must be queried again in the storage thread so that the data connection can be identified before being stored.
For sessions whose application has been identified, the fact that the session is about to end or needs to be stored means that many messages have already been processed according to the application type; so as not to affect the worker thread's normal traffic processing, the application processing logic for these messages is moved to the storage thread.
In summary, the worker thread queries the sub-connection mapping table at most three times: once for the first packet, once when the first Y messages have still not identified the application, and once when the session table message is about to be stored. The message is then re-parsed according to the application type; if one of the first two queries succeeds the message is processed in the worker thread, while the last query, whether it succeeds or fails, is processed in the storage thread.
6) The storage thread is processed according to the following flow:
601) calculating the id of the storage thread according to the sip and the dip of the control connection and the data connection;
because the sip and dip of the parent and child connections are the same, the storage thread id is computed from sip and dip, which guarantees that the parent and child connections are sent to the same storage thread.
id = func (sip, dip), and it is determined which storage thread to process based on this value.
602) When the condition in step 4022) is that the connection is the control connection and flag =0, searching an index table according to information of the data connection, if the connection can be found, setting the connection as the data connection, processing according to the application type of the connection, resetting an index of the data connection, if the connection cannot be found, ending additional processing of the control connection, and normally storing a message of the control connection;
603) when the condition in the step 504) is that the data connection is established and flag =2, determining the id of the worker thread corresponding to the port according to the information of the data connection port, then searching the hash mapping table of the worker thread, if the hash mapping table can be found, setting the connection as the data connection, processing according to the application type of the connection, deleting the hash table item corresponding to the data connection in the hash mapping table of the worker thread, resetting the index of the data connection and storing the message, if the hash mapping table is not found, ending the additional processing of the data connection, and normally storing the message of the data connection;
604) when the situation is in step 4021) and step 503), that is, when the situation is the control connection or the data connection and flag =1, setting an index of the connection and storing the message.
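As an added example of steps 4) to 6), not code from the patent or its assignees: a single-process Python simulation that replays one FTP session in both packet orders, control before data and data before control, and shows that the data connection ends up labelled with the control connection's application type either way. Each worker owns a local map keyed (sip, dip, dport); only the owning worker and, in step 603), the storage thread touch it. Addresses, ports, the application label `ftp`, the number of threads and the storage-thread hash are constructed; the page does not say when the map entry is removed in the step 602) case, so the example removes it there (an assumption).

```python
"""Added example, not code from the patent: a one-process simulation of the
control-connection, data-connection and storage-thread flows of steps 4) to 6).
Each worker owns a local hash map keyed (sip, dip, dport); only the owning
worker (and, in step 603), the storage thread) touches it, which is the page's
lock-free argument. Addresses, ports, application labels, thread counts and the
storage-thread hash are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

N_WORKERS = 10      # assumption: ten workers, worker id = last decimal digit of the port
N_STORAGE = 4       # assumption: four storage threads
Key = Tuple[str, str, int]   # (sip, dip, dport) as seen from the client side


def worker_for_port(port: int) -> int:
    """Step 1) mapping: the worker that owns a port."""
    return port % N_WORKERS


def storage_thread_id(sip: str, dip: str) -> int:
    """Step 601): id = func(sip, dip). Constructed symmetric function, so the control
    and data connections of one session pick the same storage thread."""
    return (sum(sip.encode()) + sum(dip.encode())) % N_STORAGE


@dataclass
class Record:
    """What a worker hands to the storage thread for one session."""
    key: Key                          # this session's own (sip, dip, dport)
    kind: str                         # "control" or "data"
    app: Optional[str]                # identified application type, None = unidentified
    flag: int                         # 0 / 1 / 2 as in steps 4021), 4022), 503), 504)
    data_key: Optional[Key] = None    # control record: key of its data connection
    storage_id: int = -1


class Engine:
    def __init__(self) -> None:
        self.maps: List[Dict[Key, str]] = [{} for _ in range(N_WORKERS)]  # step 3)
        self.index: Dict[Key, Record] = {}     # storage-side index table
        self.stored: List[Record] = []

    # ---- step 4): control connection, handled by worker A ----
    def control_pasv(self, client: str, server: str, port_a: int, app: str) -> int:
        """401): worker A saw the server announce PortA, computes worker B from it,
        and B inserts the entry into its own map. Returns B's id."""
        b = worker_for_port(port_a)
        self.maps[b][(client, server, port_a)] = app
        return b

    def control_close(self, client: str, server: str, cport: int,
                      port_a: int, app: str) -> Record:
        """402): at session delete, worker A reads B's map lock-free: entry gone
        means the data connection was identified (flag=1), otherwise flag=0."""
        dkey = (client, server, port_a)
        flag = 1 if dkey not in self.maps[worker_for_port(port_a)] else 0
        rec = Record((client, server, cport), "control", app, flag, data_key=dkey)
        self.store(rec)
        return rec

    # ---- step 5): data connection, handled by worker B ----
    def data_close(self, client: str, server: str, sport: int, dport: int) -> Record:
        """501)-504) collapsed: 502-1) port test, 502-2) lookup in B's own map,
        502-4) delete the entry once used, then flag=1 if identified else flag=2."""
        key = (client, server, dport)
        app = None
        if sport > 1024 and dport > 1024:                  # possibly passive
            app = self.maps[worker_for_port(dport)].pop(key, None)
        rec = Record(key, "data", app, 1 if app else 2)
        self.store(rec)
        return rec

    # ---- step 6): storage thread ----
    def store(self, rec: Record) -> None:
        rec.storage_id = storage_thread_id(rec.key[0], rec.key[1])   # 601)
        if rec.kind == "control" and rec.flag == 0:                   # 602)
            earlier = self.index.get(rec.data_key)
            if earlier is not None and earlier.app is None:
                earlier.app = rec.app   # data stored before control: relabel + reset index
                # assumption: the consumed entry is dropped from B's map here
                self.maps[worker_for_port(rec.data_key[2])].pop(rec.data_key, None)
        elif rec.kind == "data" and rec.flag == 2:                    # 603)
            app = self.maps[worker_for_port(rec.key[2])].pop(rec.key, None)
            if app is not None:
                rec.app = app
        self.index[rec.key] = rec                                     # 604) / set index
        self.stored.append(rec)


def run_scenario(data_first: bool) -> Tuple[Optional[str], bool, int]:
    """Replay one FTP session (constructed addresses). Returns the final label of the
    data connection, whether control and data met the same storage thread, and the
    flag the data connection carried when it left worker B."""
    client, server, cport, port_a, app = "192.0.2.10", "198.51.100.7", 21, 50000, "ftp"
    eng = Engine()
    if data_first:                      # the out-of-order case the page is about
        data = eng.data_close(client, server, 40002, port_a)
        eng.control_pasv(client, server, port_a, app)
        ctrl = eng.control_close(client, server, cport, port_a, app)
    else:
        eng.control_pasv(client, server, port_a, app)
        data = eng.data_close(client, server, 40002, port_a)
        ctrl = eng.control_close(client, server, cport, port_a, app)
    return eng.index[data.key].app, ctrl.storage_id == data.storage_id, data.flag


if __name__ == "__main__":
    print("control first:", run_scenario(False))
    print("data first:   ", run_scenario(True))
```

In the control-first replay the data connection is identified inside worker B (flag 1) and the storage thread only indexes it; in the data-first replay it leaves worker B with flag 2, is stored unidentified, and is relabelled later by step 602) when the control connection closes with flag 0, which is the missed-report case the page sets out to remove.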
In summary, the present invention has the following features:
1. A port-based traffic mapping mechanism determines which worker thread processes a data connection and at the same time guarantees that both directions of a connection are processed in the same worker thread, so when the control connection handles passive mode it can determine the worker thread where the data connection resides.
2. The method supports identifying the application type of messages after the fact, in a mode where the worker thread is primary and the storage thread is auxiliary, by combining the data connection table with the index storage table, so missed reports do not occur even when multi-threaded processing is out of order.
3. Storage thread core selection is computed from sip and dip, so the control connection and the data connection are processed in the same storage thread.
4. The worker thread queries the sub-connection mapping table at most three times: once for the first packet, once when the first Y messages have still not identified the application, and once when the session table message is about to be stored. The message is then re-parsed according to the application type; if one of the first two queries succeeds the message is processed in the worker thread, while the last query, whether it succeeds or fails, is processed in the storage thread.
5. The data connection mapping table is designed as a local table; multi-core processing is lock-free throughout, and the table's life cycle is not tied to the data connection session table or the control connection session table but to whether the sub-connection has been identified as a data connection. With current vendors this table is co-located with either the data session table or the control connection table.
6. Without forcing parent-child connection messages into the same worker thread, parent and child connections are distributed to different worker threads; lock-free processing is achieved even when the packet receiving order cannot be guaranteed, the dependency whereby child connections are deleted along with the parent connection is removed, and the coupling between parent and child connections is greatly reduced.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (4)

1. A processing method for parent-child connections in a full-flow storage backtracking analysis system, characterized by comprising the following steps:
1) determining the port range of each worker thread and establishing a mapping between each worker thread and its ports;
2) configuring the two traffic directions based on the mapping established in step 1), wherein one direction is dispatched by source port and the other direction by destination port;
3) constructing a data connection hash mapping table for each worker thread;
4) processing the control connection according to the following flow:
401) when worker thread A identifies on the control connection that a passive data connection is to be established, worker thread A obtains the destination port announced by the server, computes from the mapping of step 1) the id of the worker thread that owns that port, say worker thread B, and sends the data connection information to worker thread B; worker thread B adds a hash table entry for the data connection to its own hash mapping table;
402) when worker thread A identifies that the control connection has ended, namely at the control connection session deletion stage, it queries the hash mapping table of worker thread B corresponding to the data connection without a lock and checks whether the hash table entry for the data connection has been cleared, so as to judge whether the data connection was actually identified:
4021) if the hash table entry for the data connection has been cleared, indicating that the application type of the data connection was identified, the control connection is marked flag=1 and sent to the storage thread for normal processing;
4022) if the hash table entry for the data connection has not been cleared, the control connection is marked flag=0, and there are two cases:
the data connection packets have not been processed yet, and the data connection is left to be processed later;
the data connection packets have already been processed and sent to the storage thread; in that case the storage thread queries the index table, re-marks the application type of all the data connection packets as the data connection and re-indexes them;
5) processing the data connection according to the following flow:
501) when worker thread B receives an add or delete message for the data connection, it processes the corresponding hash table entry in its own hash mapping table without a lock, adding or deleting the entry;
502) when worker thread B needs to identify a data connection, processing according to the following flow:
502-1) if the session is TCP and both the source port and the destination port fall in the range 1024-, the connection is treated as a possible passive connection;
502-2) when the connection is possibly passive, extracting the key (sip, dip, dport) of the data connection and searching the hash mapping table of worker thread B without a lock; if the key is found, its value is taken, that is, the corresponding application type is obtained;
502-3) once the application type is identified, processing according to that application type;
502-4) after processing is finished, deleting the hash table entry for the data connection from the hash mapping table;
503) when the data connection ends, if its application type has been identified, its packets are marked flag=1 for normal processing;
504) when the application type of the data connection has not been identified and its packets must be sent to the storage thread for processing, the packets are marked flag=2;
6) the storage thread processes according to the following flow:
601) computing the storage thread id from the sip and dip of the control connection and of the data connection;
602) in the case of step 4022), that is, the connection is the control connection and flag=0, searching the index table by the data connection information; if found, marking the found connection as the data connection, processing it according to the application type of the connection and resetting the index of the data connection; if not found, ending the additional processing of the control connection and storing its packets normally;
603) in the case of step 504), that is, the connection is the data connection and flag=2, determining the id of the worker thread that owns the data connection's port and searching that worker thread's hash mapping table; if the entry is found, marking the connection as the data connection, processing it according to the application type of the connection, deleting the entry for the data connection from that worker thread's hash mapping table, resetting the index of the data connection and storing the packets; if not found, ending the additional processing of the data connection and storing its packets normally;
604) in the cases of step 4021) and step 503), that is, the connection is the control connection or the data connection and flag=1, setting the index of the connection and storing the packets.
2. The processing method for parent-child connections in a full-flow storage backtracking analysis system according to claim 1, wherein in step 2) the two traffic directions are configured either in software or in the hardware network card.
3. The processing method for parent-child connections in a full-flow storage backtracking analysis system according to claim 1, wherein in step 3) the key of each worker thread's local data connection hash mapping table is built from a triple of the data connection, namely the triple (sip, dip, dport) taken from the packet's four-tuple, and the value is the application type of the control connection.
4. The processing method for parent-child connections in a full-flow storage backtracking analysis system according to claim 1, wherein in step 4) the data connection information includes the client IP address, the server IP address and the port.
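The following is an added example, not code from the patent or its assignee: a single-process Python simulation of the procedure in claim 1 (steps 1 to 6) and of the lookup budget and lifetime rules in points 4 to 6 of the description above. It exists to show the three flag paths under different packet interleavings, which the claims describe but never walk through. Everything beyond the claims is assumed for the example: FTP PASV as the parent protocol, port 21 as the way a control connection is recognized, a contiguous split of the port space across worker threads, a per-packet capture direction (c2s) known from the tap side, a per-worker inbox standing in for the worker-to-worker message of step 401, and Y = 5 as the packet count for the second lookup. The sample packets are constructed.

```python
import re, zlib
from collections import deque
from dataclasses import dataclass

N_WORKERS, N_STORAGE, Y = 4, 2, 5          # Y: packets seen before the second lookup (assumed)
PASV = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class Packet:
    sip: str; dip: str; sport: int; dport: int
    c2s: bool                 # capture side gives the direction (assumption for step 2)
    payload: bytes = b""
    fin: bool = False         # last packet of the session

@dataclass
class Record:                 # session state; also what a worker hands to the storage thread
    kind: str; app: str; flag: int; pkey: tuple; data_key: tuple = None; n: int = 0

def worker_for_port(port):    # step 1: one contiguous port range per worker (assumed split)
    return port * N_WORKERS // 65536

def dispatch(pkt):            # step 2: dport on the c2s side, sport on the s2c side
    return worker_for_port(pkt.dport if pkt.c2s else pkt.sport)

def passive_key(pkt):         # step 3 key (sip, dip, dport) = (client ip, server ip, server port)
    return (pkt.sip, pkt.dip, pkt.dport) if pkt.c2s else (pkt.dip, pkt.sip, pkt.sport)

def storage_for(pkey):        # step 601: shard on the ip pair, so parent and child records
    return zlib.crc32(f"{pkey[0]}|{pkey[1]}".encode()) % N_STORAGE  # land on one storage thread

class Worker:
    def __init__(self, wid):
        self.wid, self.map, self.inbox, self.sessions = wid, {}, deque(), {}
    def drain_inbox(self):    # step 501: only the owning worker inserts into its own table
        while self.inbox:
            key, app = self.inbox.popleft(); self.map[key] = app
    def handle(self, pkt, sysm):
        sid = tuple(sorted([(pkt.sip, pkt.sport), (pkt.dip, pkt.dport)]))
        s = self.sessions.get(sid)
        if s is None:
            pkey = passive_key(pkt)
            kind = "control" if pkey[2] == 21 else "unknown"   # control = FTP port 21 (assumed)
            s = self.sessions[sid] = Record(kind, "FTP" if kind == "control" else "", 0, pkey)
        s.n += 1
        if s.kind == "control" and not pkt.c2s and (m := PASV.search(pkt.payload)):
            h = [int(x) for x in m.groups()]            # step 401: server announced its data port
            s.data_key = (pkt.dip, ".".join(map(str, h[:4])), h[4] * 256 + h[5])
            sysm.workers[worker_for_port(s.data_key[2])].inbox.append((s.data_key, s.app))
        elif s.kind == "unknown" and min(pkt.sport, pkt.dport) >= 1024 and s.n in (1, Y):
            app = self.map.pop(s.pkey, None)            # 502-1/502-2; entry consumed on hit (502-4)
            if app: s.kind, s.app = "data", app
        if pkt.fin:
            del self.sessions[sid]
            if s.kind == "control":                     # step 402: lock-free peek at B's table
                peer = sysm.workers[worker_for_port(s.data_key[2])].map if s.data_key else {}
                s.flag = 0 if s.data_key in peer else 1 # 4022 / 4021
            else:
                s.flag = 1 if s.kind == "data" else 2   # 503 / 504
            sysm.store(s)

class Storage:
    def __init__(self): self.records, self.index = [], {}
    def store(self, r, workers):
        if r.kind == "control" and r.flag == 0:         # 602: was the child already stored?
            for d in self.index.get(r.data_key, []):
                d.kind, d.app = "data", r.app           # relabel and re-index the child's packets
        elif r.kind == "unknown" and r.flag == 2:       # 603: third and last lookup, in storage
            app = workers[worker_for_port(r.pkey[2])].map.pop(r.pkey, None)
            if app: r.kind, r.app = "data", app
        self.records.append(r)                          # 604 and the plain-store fallbacks
        self.index.setdefault(r.pkey, []).append(r)

class System:
    def __init__(self):
        self.workers = [Worker(i) for i in range(N_WORKERS)]
        self.storages = [Storage() for _ in range(N_STORAGE)]
    def feed(self, *pkts):
        for p in pkts: self.workers[dispatch(p)].handle(p, self)
    def deliver(self):        # the hop of the A->B message; its timing is what the flags absorb
        for w in self.workers: w.drain_inbox()
    def store(self, rec): self.storages[storage_for(rec.pkey)].store(rec, self.workers)

# Constructed sample traffic: one FTP PASV transfer; ports 21 and 50000 map to different workers.
CLIENT, SERVER, DPORT = "10.0.0.5", "203.0.113.7", 50000
CTRL = [Packet(CLIENT, SERVER, 40001, 21, True, b"PASV\r\n"),
        Packet(SERVER, CLIENT, 21, 40001, False, b"227 Entering Passive Mode (203,0,113,7,195,80)\r\n"),
        Packet(CLIENT, SERVER, 40001, 21, True, b"QUIT\r\n", fin=True)]
DATA = [Packet(CLIENT, SERVER, 40002, DPORT, True), Packet(SERVER, CLIENT, DPORT, 40002, False, b"bytes"),
        Packet(CLIENT, SERVER, 40002, DPORT, True, fin=True)]

def run(order):
    """Replay the transfer in a given interleaving; returns {server port: (kind, app, flag)}."""
    sysm = System()
    steps = {"ctrl": lambda: sysm.feed(*CTRL[:2]), "quit": lambda: sysm.feed(CTRL[2]),
             "data": lambda: sysm.feed(*DATA), "data0": lambda: sysm.feed(DATA[0]),
             "rest": lambda: sysm.feed(*DATA[1:]), "hop": sysm.deliver}
    for step in order: steps[step]()
    return {r.pkey[2]: (r.kind, r.app, r.flag) for st in sysm.storages for r in st.records}

if __name__ == "__main__":
    for order in (["ctrl", "hop", "data", "quit"], ["ctrl", "data", "hop", "quit"],
                  ["ctrl", "data0", "hop", "rest", "quit"], ["ctrl", "hop", "quit", "data"]):
        print(" ".join(order).ljust(28), run(order))
```

The four interleavings in the `__main__` block exercise each branch of the claims: when the A-to-B message lands before the child's first packet, worker B identifies the child itself and both records end with flag=1 (step 4021/503); when the child's first packet beats the message but the rest of the child arrives after it, the worker's lookups miss, the child leaves with flag=2 and the storage thread's lookup (step 603) recovers the type; when the whole child overtakes the message, even the storage lookup misses, the child is stored as unknown, and it is the parent's later flag=0 path (step 602) that finds the child in the index table and relabels it; and when the parent closes before the child appears at all, the parent goes out with flag=0 and the child is still identified normally later (the first case of step 4022). In the third interleaving the entry in worker B's table is never consumed, and the page ties such entries' lifetime to identification of the child rather than to either session table, so a real implementation needs an ageing rule for them that the example omits. The simulation is single-threaded; in a multi-threaded build the reads in step 402 and the pop in step 603 are cross-thread accesses to another worker's table, which is where the lock-free claim has to be backed by a concurrent hash table.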

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111180366.8A CN113630331B (en) 2021-10-11 2021-10-11 Processing method for parent-child connection in full-flow storage backtracking analysis system

Publications (2)

Publication Number Publication Date
CN113630331A (en) 2021-11-09
CN113630331B (en) 2021-12-28

Family

ID=78390860

Country Status (1)

Country Link
CN (1) CN113630331B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065599B (en) * 2022-04-09 2023-07-18 北京金睛云华科技有限公司 NAT rule optimizing configuration method in full-flow storage backtracking analysis system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104734993A (en) * 2013-12-24 2015-06-24 杭州华为数字技术有限公司 Data distribution method and distributor
CN108494771A (en) * 2018-03-23 2018-09-04 平安科技(深圳)有限公司 Electronic device, fire wall open verification method and storage medium
CN109672589A (en) * 2018-12-29 2019-04-23 江苏博智软件科技股份有限公司 A kind of implementation method of the data message depth recognition based on DPI
WO2020236300A1 (en) * 2019-05-23 2020-11-26 Cray Inc. Method and system for providing network ingress fairness between applications
CN112965824A (en) * 2021-03-31 2021-06-15 北京金山云网络技术有限公司 Message forwarding method and device, storage medium and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10148575B2 (en) * 2014-12-22 2018-12-04 Telefonaktiebolaget Lm Ericsson (Publ) Adaptive load balancing in packet processing
US10187308B2 (en) * 2016-09-30 2019-01-22 Intel Corporation Virtual switch acceleration using resource director technology
US10581859B2 (en) * 2017-08-07 2020-03-03 International Business Machines Corporation Detection and prevention of attempts to access sensitive information in real-time

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant