CN113630422B - Network security data processing method and system based on edge node

Info

Publication number
CN113630422B
Authority
CN
China
Prior art keywords
edge node
service
central server
edge
processed
Legal status
Active
Application number
CN202110996619.2A
Other languages
Chinese (zh)
Other versions
CN113630422A (en)
Inventor
佟琨
王红凯
李博
毛冬
张辰
陈致远
Current Assignee
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Hangzhou Innovation Research Institute of Beihang University
Original Assignee
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Hangzhou Innovation Research Institute of Beihang University
Priority date
2021-08-27
Filing date
2021-08-27
Publication date
2023-04-18
Application filed by Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd and Hangzhou Innovation Research Institute of Beihang University
Priority to CN202110996619.2A
Publication of CN113630422A
Application granted
Publication of CN113630422B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Abstract

The application discloses a network security data processing method and system based on edge nodes. The method comprises the following steps: a first edge node learns that it is under network attack; the first edge node acquires the service it is processing and the data corresponding to that service; the first edge node sends a service coordination request to a central server; after receiving a confirmation message from the central server, the first edge node sends information about the service being processed and the corresponding data to the central server, where the confirmation message indicates to the first edge node that the central server agrees to transfer the service to a second edge node. The method and system address the absence in the prior art of any processing scheme for the network security of edge nodes, thereby improving the security of edge nodes.

Description

Network security data processing method and system based on edge node
Technical Field
The present application relates to the field of network security, and in particular, to a method and a system for processing network security data based on edge nodes.
Background
As the scale of the internet grows, the number of computing nodes or service nodes required increases. In the traditional network architecture all computing and services are borne by the central server, so the delay generated by computing and services keeps growing.
To solve this problem, it is now common to migrate the central computation to edge nodes, which are closer to the user terminals and therefore have lower network latency. However, as the number of edge nodes increases, there is no good solution to the network security problem of the edge nodes.
Disclosure of Invention
The embodiment of the application provides a method and a system for processing network security data based on an edge node, so as to at least solve the problem in the prior art that no corresponding processing scheme exists for the network security of the edge node.
According to an aspect of the present application, there is provided a network security data processing method based on an edge node, including: a first edge node learns that it is under network attack; the first edge node acquires the service it is processing and the data corresponding to that service; the first edge node sends a service coordination request to a central server, where the central server is used to coordinate service processing loads among the edge nodes, the service coordination request instructs the central server to transfer a service being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node; after receiving a confirmation message from the central server, the first edge node sends information about the service being processed and the corresponding data to the central server, where the confirmation message indicates to the first edge node that the central server agrees to transfer the service to the second edge node.
Further, the first edge node learning that it is under network attack includes: the first edge node learns that it is under network attack from a firewall configured on the first edge node.
Further, the first edge node learning that it is under network attack includes: the first edge node acquires the category of the network attack through the firewall, where the category is used to determine the amount of computing resources of the first edge node that the network attack occupies; and the first edge node determines according to the category whether the service it is processing needs to be transferred to the second edge node.
Further, the first edge node acquiring the service it is processing and the data corresponding to the service includes: when the first edge node determines according to the category that the service it is processing needs to be transferred to the second edge node, the first edge node acquires the service it is processing and the data corresponding to that service.
According to another aspect of the present application, there is also provided an edge node-based network security data processing system, the system being located in a first edge node and comprising: a first acquisition module, configured to acquire that the first edge node is under network attack; a second acquisition module, configured to acquire the service being processed by the first edge node and the data corresponding to the service; a first sending module, configured to send a service coordination request to a central server, where the central server is configured to coordinate service processing loads among edge nodes, the service coordination request instructs the central server to transfer a service being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node; and a second sending module, configured to send, after a confirmation message is received from the central server, information about the service being processed and the data corresponding to the service to the central server, where the confirmation message indicates that the central server agrees to transfer the service to the second edge node.
Further, the first acquisition module is configured to acquire that the first edge node is under network attack from a firewall configured on the first edge node.
Further, the first acquisition module is configured to acquire, through the firewall, the category of the network attack, where the category is used to determine the amount of computing resources of the first edge node that the network attack may occupy, and to determine according to the category whether the service being processed by the first edge node needs to be transferred to the second edge node.
Further, the second acquisition module is configured to acquire, when it is determined according to the category that the service being processed needs to be transferred to the second edge node, the service being processed by the first edge node and the data corresponding to the service.
According to another aspect of the application, there is also provided a processor for running software for performing the above method.
According to another aspect of the present application, there is also provided a memory for storing software for performing the above-described method.
In the embodiment of the application, a first edge node learns that it is under network attack; the first edge node acquires the service it is processing and the data corresponding to that service; the first edge node sends a service coordination request to a central server, where the central server is used to coordinate service processing loads among the edge nodes, the service coordination request instructs the central server to transfer a service being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node; after receiving a confirmation message from the central server, the first edge node sends information about the service being processed and the corresponding data to the central server, where the confirmation message indicates to the first edge node that the central server agrees to transfer the service to the second edge node. The method and system address the absence in the prior art of any processing scheme for the network security of edge nodes, thereby improving the security of edge nodes.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
fig. 1 is a flowchart of a network security data processing method based on edge nodes according to an embodiment of the present application.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from the one described here.
In this embodiment, a method for processing network security data based on an edge node is provided, and fig. 1 is a flowchart of a method for processing network security data based on an edge node according to an embodiment of the present application, as shown in fig. 1, the method includes the following steps:
step S102, a first edge node acquires that the first edge node is attacked by a network;
step S104, the first edge node obtains the service being processed by the first edge node and the data corresponding to the service;
step S106, the first edge node sends a service coordination request to a central server, wherein the central server is used for coordinating service processing loads among the edge nodes, the service coordination request is used for instructing the central server to transfer the service being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node;
step S108, after receiving a confirmation message from the central server, the first edge node sends information about the service being processed and the data corresponding to the service to the central server, where the confirmation message indicates to the first edge node that the central server agrees to transfer the service to the second edge node.
In an alternative embodiment, after the first edge node has received the confirmation message and sent the information about the service being processed and the corresponding data to the central server, the first edge node obtains the network address and port at which the network attack is received, and the server discards all data packets from that network address and port. After a predetermined period of time, it is judged whether the number of data packets received from that network address and port has decreased; if it has not decreased, the network address and port are closed.
If, after the predetermined period of time, the number of packets received at that network address and port is still not decreasing, the first edge node is shut down. The first edge node restarts service after having been shut down for a second predetermined period of time.
After receiving the confirmation message, the first edge node also sends a state adjustment message to the central server, indicating that the first edge node has entered a suspended state; an edge node in the suspended state does not accept service processing. The central server records the state of the first edge node and does not assign service processing to it.
As another optional implementation, after the first edge node has transferred all of its computing tasks to the second edge node, if the first edge node is still receiving data packets, it records the network address and port number of the packets' source and adds them to a blacklist. A network address and port number in the blacklist may have a certain validity period; once the validity period has passed, the entry is deleted from the blacklist.
The first edge node may further send the blacklist to the central server, which sends it to all edge nodes connected to it. This prevents other edge nodes from being attacked as well.
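The following is an added simulation of the first edge node's response described above (steps S102 to S108, the two timed checks, the suspended state and the blacklist with a validity period); it is not code from the patent. The category-to-load table, the 0.5 transfer threshold, the in-memory central server and the explicit clock passed as `now` are all assumptions made so the flow runs offline.

```python
from typing import Dict, List, Optional, Set, Tuple
Source = Tuple[str, int]  # (network address, port) a packet came from
# Assumed, not from the patent: share of a node's computing resources each firewall
# category is expected to occupy, and the cut-off above which services are transferred.
CATEGORY_LOAD = {"port-scan": 0.05, "syn-flood": 0.6, "http-flood": 0.9}
TRANSFER_THRESHOLD = 0.5


def transfer_needed(category: str) -> bool:
    """Unknown categories count as heavy, so a transfer is the conservative default."""
    return CATEGORY_LOAD.get(category, 1.0) > TRANSFER_THRESHOLD


class Blacklist:
    """(address, port) entries, deleted once their validity period has passed."""
    def __init__(self, validity: float) -> None:
        self.validity, self.expiry = validity, {}  # expiry: Source -> time it lapses

    def add(self, src: Source, now: float) -> None:
        self.expiry[src] = now + self.validity

    def contains(self, src: Source, now: float) -> bool:
        self.expiry = {s: t for s, t in self.expiry.items() if t > now}  # purge expired
        return src in self.expiry


class CentralServer:
    """Coordinates service load, records suspended nodes and fans out blacklists."""
    def __init__(self) -> None:
        self.nodes: Dict[str, "EdgeNode"] = {}
        self.suspended: Set[str] = set()
        self.transfers: List[Tuple[str, str, Dict[str, bytes]]] = []  # (from, to, services)

    def confirm_transfer(self, requester: str) -> Optional[str]:
        """Answer a service coordination request with a different, non-suspended node."""
        return next((n for n in self.nodes if n != requester and n not in self.suspended), None)

    def broadcast_blacklist(self, src: Source, now: float) -> None:
        for node in self.nodes.values():
            node.blacklist.add(src, now)


class EdgeNode:
    """First edge node: steps S102-S108, then packet-rate escalation and blacklisting."""
    def __init__(self, name: str, server: CentralServer, t_check: float,
                 t_restart: float, blacklist_validity: float) -> None:
        self.name, self.server = name, server
        self.t_check, self.t_restart = t_check, t_restart  # the two predetermined periods
        self.blacklist = Blacklist(blacklist_validity)
        self.state = "active"                     # active | suspended | shutdown
        self.services: Dict[str, bytes] = {}      # service id -> data being processed
        self.attacker: Optional[Source] = None    # source whose packets are discarded
        self.closed = False                       # attacker's address and port closed?
        self.window: Dict[Source, int] = {}       # packets per source since the last check
        self.prev_count = 0                       # attacker's packets in the window before
        self.deadline: Optional[float] = None     # when the next check or restart is due
        server.nodes[name] = self

    def receive_packet(self, src: Source, now: float) -> bool:
        """Count every packet reaching the node; return True only if it is accepted."""
        self.window[src] = self.window.get(src, 0) + 1
        if self.state == "shutdown" or src == self.attacker or self.blacklist.contains(src, now):
            return False
        if self.state == "suspended":
            # All tasks were transferred yet packets still arrive: blacklist the source
            # for the validity period and share it through the central server.
            self.blacklist.add(src, now)
            self.server.broadcast_blacklist(src, now)
            return False
        return True

    def on_attack(self, category: str, src: Source, now: float) -> Optional[str]:
        """Firewall reports an attack of `category` from `src`; returns the second node."""
        if self.state != "active" or not transfer_needed(category):
            return None
        second = self.server.confirm_transfer(self.name)   # S106: request and confirmation
        if second is None:
            return None
        self.server.transfers.append((self.name, second, dict(self.services)))  # S108
        self.services.clear()
        self.attacker, self.prev_count, self.window[src] = src, self.window.get(src, 0), 0
        self.state = "suspended"                             # state adjustment message
        self.server.suspended.add(self.name)                 # server assigns it no work
        self.deadline = now + self.t_check
        return second

    def tick(self, now: float) -> str:
        """Run whatever is due: close the source, shut the node down, or restart it."""
        if self.deadline is None or now < self.deadline:
            return self.state
        if self.state == "shutdown":                         # second period over: restart
            self.state, self.deadline = "active", None
            self.server.suspended.discard(self.name)
            return self.state
        count, self.window[self.attacker] = self.window.get(self.attacker, 0), 0
        decreasing, self.prev_count = count < self.prev_count, count
        if decreasing:
            self.deadline = None                             # attack subsiding; stop here
        elif not self.closed:                                # first failed check: close it
            self.closed, self.deadline = True, now + self.t_check
        else:                                                # still not decreasing: shut down
            self.state, self.deadline = "shutdown", now + self.t_restart
        return self.state
```

Note that a suspended node blacklists every source that still reaches it, so in a real deployment the health checks and peer traffic a node legitimately receives while suspended would need to be excluded before this rule is applied.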
The method solves the problem in the prior art that no corresponding processing scheme exists for the network security of the edge node, thereby improving the security of the edge node.
The first edge node may learn of the attack in various ways; for example, it may learn that it is under attack from a firewall configured on the first edge node. Optionally, the first edge node acquires the category of the network attack through the firewall, where the category is used to determine the amount of the first edge node's computing resources that the attack may occupy; the first edge node then determines according to the category whether the service it is processing (which may also be regarded as a computing task) needs to be transferred to the second edge node. In this optional implementation, when the first edge node determines according to the category that the service being processed needs to be transferred to the second edge node, it acquires the service being processed and the data corresponding to it.
In an optional embodiment, after determining according to the category that the service it is processing needs to be transferred to the second edge node, the first edge node sends a scheduling request to the central server. According to the scheduling request, the central server sends a coordination instruction to the first edge node and to a second edge node in the same communication area, and part (or all) of the first edge node's computing tasks, together with the source data required for the computation, are sent to the second edge node over a point-to-point network channel. After the second edge node has finished processing that part of the computing tasks and source data, it returns the generated result data to the first edge node over the same point-to-point network channel.
Specifically, the central server determines, according to the source data type and computing type of the first edge node, a target edge computing node with the same source data type and computing type, and takes it as the second edge node. It then queries whether a point-to-point network channel exists between the first edge node and the target edge computing node. If such a channel exists, part of the first edge node's computing tasks and the source data required for the computation are sent to the target edge computing node through it. If no such channel exists, the central server coordinates the first edge node and the target edge computing node to establish one, and part of the first edge node's computing tasks and the source data required for the computation are sent to the target edge computing node through the newly established channel. After the target edge computing node has finished processing that part of the computing tasks and source data, it returns the generated result data to the first edge node through the newly established point-to-point network channel.
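An added sketch of the central server's side of the scheduling request above (target selection by matching source data type and computing type, reuse or establishment of the point-to-point channel, and return of the result data); it is not code from the patent. The node records, the `share` of tasks that is moved and the `compute` callable standing in for the target node's processing are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass
class EdgeNodeInfo:
    """What the central server knows about one edge node (constructed fields)."""
    name: str
    area: str           # communication area
    data_type: str      # source data type the node handles
    compute_type: str   # computing type the node performs
    suspended: bool = False


@dataclass
class Coordinator:
    """Central server side of the scheduling request in the embodiment above."""
    nodes: Dict[str, EdgeNodeInfo] = field(default_factory=dict)
    channels: Set[FrozenSet[str]] = field(default_factory=set)   # existing P2P channels
    log: List[str] = field(default_factory=list)

    def select_target(self, first: str) -> Optional[str]:
        """Target edge computing node: same area, source data type and computing type."""
        f = self.nodes[first]
        for n in self.nodes.values():
            if (n.name != first and not n.suspended and n.area == f.area
                    and n.data_type == f.data_type and n.compute_type == f.compute_type):
                return n.name
        return None

    def ensure_channel(self, a: str, b: str) -> bool:
        """Return True if a point-to-point channel had to be newly established."""
        key = frozenset((a, b))
        if key in self.channels:
            return False
        self.channels.add(key)       # coordinate the two nodes to set the channel up
        return True

    def schedule(self, first: str, tasks: Dict[str, bytes], share: float,
                 compute: Callable[[str, bytes], bytes]) -> Dict[str, object]:
        """Handle a scheduling request: move `share` of `tasks` (with their source data)
        to the target over the P2P channel and hand the result data back to `first`."""
        target = self.select_target(first)
        if target is None:
            return {"target": None, "channel_new": False, "results": {}, "kept": dict(tasks)}
        new_channel = self.ensure_channel(first, target)
        names = list(tasks)
        moved = names[: max(1, round(len(names) * share))]   # part (or all) of the tasks
        # The target processes the moved tasks with their source data and returns the
        # generated result data over the same channel; the rest stays with `first`.
        results = {t: compute(t, tasks[t]) for t in moved}
        kept = {t: tasks[t] for t in names if t not in moved}
        self.log.append(f"{first}->{target} via {'new' if new_channel else 'existing'} channel: {moved}")
        return {"target": target, "channel_new": new_channel, "results": results, "kept": kept}
```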
In this embodiment, an electronic device is provided, comprising a memory in which a computer program is stored and a processor configured to run the computer program to perform the method in the above embodiments.
The programs described above may be run on a processor or stored in memory (also referred to as computer-readable media), which includes permanent and non-permanent, removable and non-removable media that implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transitory media such as modulated data signals and carrier waves.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks, and corresponding steps may be implemented by different modules.
In this embodiment, a system is provided, referred to as an edge node-based network security data processing system, the system being located in a first edge node and comprising: a first acquisition module, configured to acquire that the first edge node is under network attack; a second acquisition module, configured to acquire the service being processed by the first edge node and the data corresponding to the service; a first sending module, configured to send a service coordination request to a central server, where the central server is configured to coordinate service processing loads among edge nodes, the service coordination request instructs the central server to transfer a service being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node; and a second sending module, configured to send, after a confirmation message is received from the central server, information about the service being processed and the data corresponding to the service to the central server, where the confirmation message indicates that the central server agrees to transfer the service to the second edge node.
The system is used for implementing the functions of the method, and each module in the system is used for implementing each step in the method, which has already been described, and is not described again here.
For example, the first acquisition module is configured to acquire that the first edge node is under network attack from a firewall configured on the first edge node. Optionally, the first acquisition module is configured to acquire, through the firewall, the category of the network attack, where the category is used to determine the amount of computing resources of the first edge node that the network attack may occupy, and to determine according to the category whether the service being processed by the first edge node needs to be transferred to the second edge node.
For another example, the second obtaining module is configured to, when it is determined according to the category that the service being processed needs to be transferred to the second edge node, obtain, by the first edge node, the service being processed and data corresponding to the service.
In the embodiment, the problem caused by the fact that no corresponding processing scheme exists for the network security of the edge node in the prior art is solved, and therefore the security of the edge node is improved.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (4)

1. A network security data processing method based on edge nodes is characterized by comprising the following steps:
a first edge node acquires, through a firewall configured on the first edge node, that the first edge node is under network attack; the first edge node acquires, through the firewall, a category of the network attack, where the category is used to determine the amount of computing resources of the first edge node that the network attack may occupy; the first edge node determines according to the category whether the service it is processing needs to be transferred to a second edge node;
the first edge node acquires the service being processed by the first edge node and data corresponding to the service;
the first edge node sends a service coordination request to a central server, wherein the central server is used for coordinating service processing loads among the edge nodes, the service coordination request is used for instructing the central server to transfer a service which is being processed by the first edge node to a second edge node, and the second edge node is a node different from the first edge node;
after receiving a confirmation message from the central server, the first edge node sends information about the service being processed and the data corresponding to the service to the central server, wherein the confirmation message is used to indicate to the first edge node that the central server agrees to transfer the service to the second edge node; after the first edge node receives the confirmation message and sends the information about the service being processed and the corresponding data to the central server, the first edge node acquires the network address and port at which the network attack is received, and the server discards all data packets from that network address and port; after a predetermined period of time it is judged whether the number of data packets received from that network address and port has decreased, and if it has not decreased, the network address and port are closed; if, after the predetermined period of time, the number of packets received at that network address and port is still not decreasing, the first edge node is shut down; the first edge node restarts service after having been shut down for a second predetermined period of time; after receiving the confirmation message, the first edge node sends a state adjustment message to the central server, wherein the state adjustment message indicates that the first edge node has entered a suspended state, and the first edge node in the suspended state does not accept service processing; the central server records the state of the first edge node and does not assign service processing to that edge node;
after the first edge node transfers all the computing tasks to a second edge node, if the first edge node still receives a data packet, the first edge node records a network address and a port number of a source of the data packet, and adds the network address and the port number into a blacklist; the network address and the port number in the blacklist have certain validity periods, and after the validity periods are over, the network address and the port number are deleted from the blacklist;
and the first edge node sends the blacklist to a central server, and the central server sends the blacklist to all edge nodes connected with the central server.
2. The method of claim 1, wherein the first edge node obtaining the service it is processing and the data corresponding to the service comprises:
and under the condition that the first edge node determines that the service which is being processed by the first edge node needs to be transferred to the second edge node according to the category, the first edge node acquires the service which is being processed by the first edge node and data corresponding to the service.
3. A processor for executing software, characterized in that the software is adapted to perform the method of any of claims 1 to 2.
4. A memory for storing software, characterized in that the software is adapted to perform the method of any of claims 1 to 2.
Priority Applications (1)

Application Number: CN202110996619.2A
Priority Date: 2021-08-27
Filing Date: 2021-08-27
Title: Network security data processing method and system based on edge node
Status: Active

Publications (2)

Publication Number Publication Date
CN113630422A CN113630422A (en) 2021-11-09
CN113630422B true CN113630422B (en) 2023-04-18

Family

ID=78388166

Country Status (1)

Country Link
CN (1) CN113630422B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8887249B1 (en) * 2008-05-28 2014-11-11 Zscaler, Inc. Protecting against denial of service attacks using guard tables
CN111193715A (en) * 2019-12-09 2020-05-22 北京邮电大学 Service scheduling method and device of passive optical network, electronic equipment and storage medium
CN111415159A (en) * 2020-04-27 2020-07-14 中国银行股份有限公司 Settlement data processing method and system based on block chain and related nodes
CN113156992A (en) * 2021-04-12 2021-07-23 安徽大学 Three-layer architecture collaborative optimization system and method for unmanned aerial vehicle in edge environment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110191104A (en) * 2019-05-10 2019-08-30 新华三信息安全技术有限公司 A kind of method and device of security protection
CN113301078B (en) * 2020-05-22 2022-05-06 阿里巴巴集团控股有限公司 Network system, service deployment and network division method, device and storage medium

Also Published As

Publication number Publication date
CN113630422A (en) 2021-11-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20220208
Address after: No.18 Chuanghui street, Binjiang District, Hangzhou City, Zhejiang Province 310051
Applicant after: BUAA HANGZHOU INNOVATION INSTITUTE
Applicant after: INFORMATION AND COMMUNICATION BRANCH, STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.
Address before: No.18 Chuanghui street, Binjiang District, Hangzhou City, Zhejiang Province 310051
Applicant before: BUAA HANGZHOU INNOVATION INSTITUTE
GR01 Patent grant