CN117201195B - Process network policy limiting method and device, equipment and storage medium - Google Patents


Info

Publication number
CN117201195B
CN117201195B
Authority
CN
China
Prior art keywords
access
application
resource
flow
target
Prior art date
Legal status
Active
Application number
CN202311463958.XA
Other languages
Chinese (zh)
Other versions
CN117201195A (en)
Inventor
王永君
林兵
程伟
刘纯纯
吴伟斌
夏永涛
Current Assignee
China Unicom Guangdong Industrial Internet Co Ltd
Original Assignee
China Unicom Guangdong Industrial Internet Co Ltd
Priority date
Filing date
Publication date
Application filed by China Unicom Guangdong Industrial Internet Co Ltd
Priority to CN202311463958.XA
Publication of CN117201195A
Application granted
Publication of CN117201195B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application disclose a method, device, equipment and storage medium for limiting process network policies. The method comprises: when an application process of a client accesses an application resource, acquiring the actual access flow (traffic volume) and the preset access flow of that application process to that application resource within a preset time period; calculating the flow difference between the actual access flow and the preset access flow; and controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and an error threshold, where, if the flow difference is larger than the error threshold, the access operation is suspended and alarm information is generated, the alarm information comprising the access time and the accessed data content of the application process's access to the application resource. By implementing the method, an application process in the client that poses a network security threat can be prevented from accessing the application resource without affecting the access operations of the other application processes in the same client.

Description

Process network policy limiting method and device, equipment and storage medium
Technical Field
The embodiments of this application relate to the technical field of network information security, and in particular to a method, device, equipment and storage medium for limiting a process network policy.
Background
A virtual private network (VPN) is a technology and service that establishes an encrypted tunnel across a public network to provide a secure, private network connection.
In the related art, when a VPN service is used, most security policies of network security systems are formulated on the basis of the IP address (Internet Protocol address) of the access source, that is, a separate security policy is defined for each source IP address to protect the system, and these policies cannot be adjusted automatically. After an attack occurs, a technician has to respond manually to the attack alert and change the security policy, and the change restricts every process under the abnormal source IP address from accessing the server's resource data. This approach therefore has difficulty coping with the diverse attack patterns seen in practice.
A flexible network policy that can adjust the security policy automatically to cope with diverse network attacks is therefore a problem to be solved.
Disclosure of Invention
In view of this, the process network policy limiting method, device, equipment and storage medium provided in the embodiments of the present application can perform network security monitoring on a plurality of application processes in a client and restrict access to application resources in a server by those application processes identified as possibly posing a network security threat, without affecting normal access to the server's application resources by other application processes under the same IP address. The method, device, equipment and storage medium provided by the embodiments of the application are realized as follows.
The process network policy limiting method provided by the embodiment of the application comprises the following steps:
under the condition that an application process of a client accesses an application resource, acquiring actual access flow and preset access flow of the application process for accessing the application resource in a preset time period;
calculating a flow difference value between the actual access flow and the preset access flow;
and controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, wherein under the condition that the flow difference is larger than the error threshold, the access operation is suspended and alarm information is generated, and the alarm information comprises the access time and the access data content of the application process for accessing the application resource.
In some embodiments, before the obtaining the actual access flow and the preset access flow of the application process to access the application resource in the preset time period, the method further includes:
acquiring a flow packet of the access operation of the target process to the target resource;
determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol;
and under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource.
In some embodiments, the determining whether to release the traffic packet according to the traffic packet and the access policy includes:
processing the header information of the flow packet to obtain the target client address corresponding to the target process and the target resource address corresponding to the target resource;
acquiring the target source port according to the target client address, the target source port being the port used by the target client to send the flow packet;
traversing the socket file of the target client according to the target source port to obtain the target process identifier corresponding to the target source port, the socket file comprising the correspondence between resource addresses and process identifiers;
judging, according to the access policy, whether the target process identifier exists among the process identifiers corresponding to the application processes;
if the target process identifier exists, acquiring the resource address corresponding to the target process identifier according to the access correspondence in the access policy, and releasing the flow packet if the target resource address is the same as that resource address;
and if the target process identifier does not exist, not releasing the flow packet.
In some embodiments, the preset access flow is obtained by predicting, with an autoregressive model, the flow of the application process accessing the application resource in the preset time period, the autoregressive model being fitted from the historical number of accesses of the application process to the application resource and the historical flow of each access.
In some embodiments, the preset access flow is determined according to a preset rule from at least two other preset access flows of at least two other application processes that access the same application resource, where the preset rule selects the minimum, the maximum, or the mean of the at least two other preset access flows as the preset access flow.
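The two embodiments above give two ways of obtaining the preset access flow: a forecast from the process's own history, and a peer-based rule when there is no history. The following is an added example, not the patent's own model or code: it fits a least-squares AR(p) model with an intercept to a byte-count series and uses the one-step-ahead forecast as the preset, and it implements the min/max/mean rule for a process without history. The order p, the window length and the history series are assumptions made for the example.

```python
"""Added example (not the patent's code): preset access flow from a
least-squares AR(p) forecast of the process's own history, and the
peer-based min/max/mean rule when the process has no history."""
from statistics import mean
from typing import List, Sequence


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for the small normal equations."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("degenerate history: not enough variation to fit the model")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ar(history: Sequence[float], p: int) -> List[float]:
    """Least-squares fit of x_t = c + a1*x_{t-1} + ... + ap*x_{t-p}; returns [c, a1..ap]."""
    if len(history) < 2 * p + 1:
        raise ValueError("need at least 2p+1 observations")
    rows = [[1.0] + [float(history[t - k]) for k in range(1, p + 1)]
            for t in range(p, len(history))]
    y = [float(history[t]) for t in range(p, len(history))]
    n = p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(n)]
    return _solve(xtx, xty)


def preset_from_history(history: Sequence[float], p: int = 2) -> float:
    """One-step-ahead forecast used as the preset access flow for the next window."""
    beta = fit_ar(history, p)
    lags = [float(history[-k]) for k in range(1, p + 1)]
    forecast = beta[0] + sum(a * x for a, x in zip(beta[1:], lags))
    return max(forecast, 0.0)  # a byte count cannot be negative


def preset_from_peers(peer_presets: Sequence[float], rule: str = "mean") -> float:
    """Preset rule for a process without history: min, max or mean of >= 2 peers."""
    if len(peer_presets) < 2:
        raise ValueError("the rule needs at least two other preset access flows")
    if rule == "min":
        return float(min(peer_presets))
    if rule == "max":
        return float(max(peer_presets))
    if rule == "mean":
        return float(mean(peer_presets))
    raise ValueError(f"unknown rule {rule!r}")


# Constructed history: bytes per window that one reporting process moved to a
# single resource; the dips every seventh value mimic a weekly pattern.
HISTORY = [9800, 10200, 9900, 10500, 10100, 6200, 5900,
           9900, 10300, 9800, 10600, 10000, 6100, 6000,
           10000, 10100, 9700, 10400, 10200, 6300, 5800]

if __name__ == "__main__":
    print("AR(2) preset for next window:", round(preset_from_history(HISTORY, p=2)))
    print("peer mean preset:", preset_from_peers([9800, 10200, 6000], "mean"))
```

A fitted AR model only reproduces patterns whose period fits inside the lag order, so a weekly cycle sampled daily needs p of at least 7 and correspondingly more history; with too little history the normal equations become ill-conditioned and the fit is meaningless, which is why `fit_ar` refuses short series. The peer rule is a bootstrap for new processes, and "min" is the conservative choice when the new process is untrusted, since it produces the smallest preset and therefore the earliest alarm.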
In some embodiments, before the obtaining the actual access flow and the preset access flow of the application process to access the application resource in the preset time period, the method further includes:
acquiring an access request of the application process to access the application resource;
and determining whether to release the access request according to the access request and an access policy, wherein the access policy comprises a source port number corresponding to the application process, a data address corresponding to the application resource and an access protocol.
In some embodiments, suspending the access operation and generating the alarm information when the flow difference is larger than the error threshold comprises:
the error threshold comprising a first threshold and a second threshold, the first threshold being smaller than the second threshold;
judging the magnitude relation between the flow difference and each of the first threshold and the second threshold;
if the flow difference is larger than the first threshold and smaller than or equal to the second threshold, generating alarm information and judging, according to the preset resource level of the application resource, whether to suspend the access operation of the application process to the application resource, where the preset resource level comprises an important level and a secondary level: if the application resource is of the important level, suspending the access operation of the application process to the application resource, and if the application resource is of the secondary level, allowing the application process to continue accessing the application resource;
and if the flow difference is larger than the second threshold, generating alarm information and suspending the access operation of the application process to all application resources.
In some embodiments, after generating the alert information, the method further comprises:
detecting access data of the application process for accessing the application resource in the preset time period to obtain a detection result, wherein the detection result comprises data quantity and data content of the access data;
if the detection result meets the detection condition, controlling the application process to continuously access the application resource;
and if the detection result does not accord with the detection condition, ending the access of the application process to all application resources.
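The two-tier threshold rule with resource levels and the post-alarm detection step above together form the control loop of steps 201 to 203. The following is an added example, not code from the patent: it accounts the actual access flow of one (process, resource) pair over a window from constructed flow records, applies the first/second threshold decision with the resource level, builds the alarm information (access time and data content), and runs a detection condition over the alarmed data. The record format, the thresholds, the byte cap and the allowed request methods used as the detection condition are assumptions for the example; the patent leaves the concrete detection condition open.

```python
"""Added example (not the patent's code): window accounting, the two-tier
threshold decision with resource levels, and the post-alarm review.
Flow records, thresholds and the detection condition are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Level(Enum):
    IMPORTANT = "important"
    SECONDARY = "secondary"


@dataclass
class Decision:
    action: str            # "allow", "suspend_resource" or "suspend_all"
    alarm: Optional[Dict]  # None when no alarm was raised


RESOURCE = "10.0.1.10:443"

# Constructed flow records: ts is seconds into the window; content is the
# request line as seen on the decrypted (VPN-inner) side.
RECORDS: List[Dict] = [
    {"ts": 0, "pid": 1337, "resource": RESOURCE, "bytes": 4000, "content": "GET /api/reports"},
    {"ts": 10, "pid": 4242, "resource": RESOURCE, "bytes": 3000, "content": "GET /api/health"},
    {"ts": 20, "pid": 1337, "resource": RESOURCE, "bytes": 5000, "content": "GET /api/reports"},
    {"ts": 40, "pid": 1337, "resource": RESOURCE, "bytes": 60000, "content": "PUT /api/reports/bulk"},
]


def window_records(records: Sequence[Dict], pid: int, resource: str,
                   window: Tuple[int, int]) -> List[Dict]:
    """Records of one (pid, resource) pair with ts in [t0, t1)."""
    t0, t1 = window
    return [r for r in records
            if r["pid"] == pid and r["resource"] == resource and t0 <= r["ts"] < t1]


def actual_flow(records: Sequence[Dict], pid: int, resource: str, window: Tuple[int, int]) -> int:
    """Actual access flow: bytes the process moved to the resource inside the window."""
    return sum(r["bytes"] for r in window_records(records, pid, resource, window))


def decide(pid: int, resource: str, level: Level, actual: float, preset: float,
           first_threshold: float, second_threshold: float,
           window: Tuple[int, int], records: Sequence[Dict]) -> Decision:
    """diff <= T1: allow. T1 < diff <= T2: alarm, suspend only an important resource.
    diff > T2: alarm and suspend access to all resources."""
    if first_threshold >= second_threshold:
        raise ValueError("first threshold must be smaller than the second")
    diff = abs(actual - preset)  # the flow difference is an absolute value
    if diff <= first_threshold:
        return Decision("allow", None)
    alarm = {
        "pid": pid, "resource": resource, "window": window,
        "actual": actual, "preset": preset, "difference": diff,
        # access time and data content, as the alarm information requires
        "access_data": [(r["ts"], r["bytes"], r["content"])
                        for r in window_records(records, pid, resource, window)],
    }
    if diff <= second_threshold:
        action = "suspend_resource" if level is Level.IMPORTANT else "allow"
        return Decision(action, alarm)
    return Decision("suspend_all", alarm)


def post_alarm_review(alarm: Dict, max_bytes: int, allowed_methods: Sequence[str]) -> str:
    """Detection condition over the alarmed window: total volume under a cap and
    every request uses an allowed method. Returns 'resume' or 'terminate'."""
    total = sum(b for _, b, _ in alarm["access_data"])
    methods_ok = all(content.split()[0] in allowed_methods
                     for _, _, content in alarm["access_data"])
    return "resume" if total <= max_bytes and methods_ok else "terminate"


if __name__ == "__main__":
    window = (0, 60)
    actual = actual_flow(RECORDS, 1337, RESOURCE, window)
    d = decide(1337, RESOURCE, Level.IMPORTANT, actual, 10000, 2000, 20000, window, RECORDS)
    print(d.action, d.alarm["difference"])                       # suspend_all 59000
    print(post_alarm_review(d.alarm, 100000, ("GET", "PUT")))    # resume
```

Because the flow difference is an absolute value, a process that suddenly goes quiet (a stalled agent, or a client that has switched to another exfiltration path) trips the same rule as one that floods; treat the sign of `actual - preset` as part of the alarm so the reviewer knows which case it is. In the bulk-upload scenario the description gives, the review condition is what turns a suspension back into continued access, so it should be stricter than the threshold that raised the alarm, not a rubber stamp.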
The process network policy limiting device provided by the embodiment of the application comprises:
the monitoring module is used for acquiring the actual access flow and the preset access flow of the application process for accessing the application resource in a preset time period under the condition that the application process of the client accesses the application resource; calculating a flow difference value between the actual access flow and the preset access flow;
the control module is used for controlling the application process to access the application resource according to the magnitude relation between the flow difference value and the error threshold value, wherein under the condition that the flow difference value is larger than the error threshold value, the access operation is suspended and alarm information is generated, and the alarm information comprises the access time and the access data content of the application process for accessing the application resource.
The computer device provided by the embodiment of the application comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor realizes the method described by the embodiment of the application when executing the program.
The computer readable storage medium provided in the embodiments of the present application stores a computer program thereon, which when executed by a processor implements the method provided in the embodiments of the present application.
According to the process network policy limiting method, device, computer equipment and computer-readable storage medium, when an application process in a client accesses an application resource, the actual access flow and the preset access flow generated by that access are obtained for a preset time period, and the flow difference between them is calculated. Comparing the flow difference with the preset error threshold reflects how far the actual flow of the application process's access deviates from the ideal preset condition, and the access operation of the application process to the application resource is controlled accordingly. When the calculated flow difference is larger than the error threshold, the access operation of the application process to the application resource is suspended and alarm information containing the access time and the accessed data content is generated. In this way the network limiting strategy is applied at the process level: the access operation of the application process identified as abnormal is suspended, access by the other normal application processes under the same IP address is not affected, and the problem described in the Background is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain the technical aspects of the application.
Fig. 1 is an application scenario diagram of a process network policy restriction method provided in an embodiment of the present application;
FIG. 2 is a flowchart illustrating an implementation of a process network policy restriction method provided in an embodiment of the present application;
FIG. 3 is a flowchart of an implementation of controlling an access operation of an application process to an application resource in a method provided in an embodiment of the present application;
FIG. 4 is a flowchart illustrating another implementation of the process network policy restriction method provided in an embodiment of the present application;
FIG. 5 is a flowchart illustrating another implementation of the process network policy restriction method provided in an embodiment of the present application;
FIG. 6 is a flowchart of an implementation of controlling an access operation of an application process to an application resource according to a magnitude relation between a flow difference and an error threshold in the method provided by the embodiment of the present application;
fig. 7 is a schematic structural diagram of a process network policy restriction device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purposes, technical solutions and advantages of the embodiments of the present application to be more apparent, the specific technical solutions of the present application will be described in further detail below with reference to the accompanying drawings in the embodiments of the present application. The following examples are illustrative of the present application, but are not intended to limit the scope of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
It should be noted that the term "first/second/third" in reference to the embodiments of the present application is used to distinguish similar or different objects, and does not represent a specific ordering of the objects, it being understood that the "first/second/third" may be interchanged with a specific order or sequence, as permitted, to enable the embodiments of the present application described herein to be implemented in an order other than that illustrated or described herein.
A VPN is a remote-access technology: put simply, a private network built over a public one. A typical application scenario is as follows. Many organizations have members at different locations, and remote members need to access server resources on the organization's internal network; this is one form of remote access. With a VPN, a VPN server is deployed in the internal network, a remote member connects to that server over a public network such as the Internet, and through the VPN server enters the internal network to access files, data and internal applications. The VPN protects data in transit with an encrypted tunnel, so remote members can access the organization's network resources as securely as if they were inside the organization. This ensures the confidentiality and integrity of the data while improving the efficiency and flexibility of remote work.
To keep the VPN service secure, a network security system monitors, identifies and filters traffic from the public network for potential threats such as malware, traffic attacks or abnormal behaviour. It also enforces security policies so that only authenticated users can reach the internal network, that is, only the authorized device corresponding to a given IP address can access internal resources. Such a policy helps prevent unauthorized access and protects the remote-access connection, but it raises other problems in practice.
A device behind one IP address may run several processes that need to access internal-network resources through the VPN at the same time. If one of them is identified by the network security system as a threat, some security policies restrict or forbid every process on that device from accessing internal resources, so that other potential threats on the same device cannot affect the internal network; but the same policy also blocks the device's normal processes. A security policy therefore has to balance security against service requirements, so that even when a problem occurs the other, normal processes can still reach internal network resources through the VPN.
In view of this, the embodiments of the present application provide a process network policy restriction method. Process-level network policy restriction aims to apply different network policies to different processes on the same computer or system: for the same network access target, different processes can obtain different access results according to the policy. The method provided by the embodiments enforces the network policy in the process dimension, at a finer granularity than the IP address. Access flow is compared in real time, and if abnormal access is found it is restricted at the process level, so security emergency measures are taken in the smallest dimension and at the finest granularity, the impact is minimal, other services keep running normally, and an efficient, sensitive and accurate security defense mechanism can be built.
Referring to fig. 1, an application scenario diagram of the process network policy restriction method provided in an embodiment of the present application is shown. As shown in fig. 1, in some embodiments, the computer device 102 controls the access operations of the application processes in the client 101 to the application resources in the server 103 by using the process network policy restriction method provided in the embodiments of the present application. The client 101, the computer device 102 and the server 103 may each be, but are not limited to, a mobile phone, a wearable device (e.g., a smart watch, a smart bracelet, smart glasses, etc.), a tablet computer, a notebook computer, a vehicle-mounted terminal, a PC (personal computer), and the like. The functions of the methods provided in the embodiments of the present application may be implemented by a processor in the computer device 102 invoking program code; the program code may be stored in a computer storage medium, so the computer device 102 includes at least the processor and the storage medium.
It can be appreciated that in some embodiments, the access operations of the client 101 and the server 103 are bidirectional and connected to the same network, and the security of resources between different devices can be protected on a process level by the method provided by the embodiments of the present application.
In fig. 1, the client 101 includes a plurality of application processes and the server 103 includes a plurality of application resources. It should be noted that application processes and application resources are not in a one-to-one correspondence: one application process may have access rights to several application resources, and one application resource may be accessed by several application processes. The application resources include services, programs, memory resources and the like in the server 103. While an application process accesses an application resource, data is transmitted between the devices, so the amount of data transferred within the preset time period can be measured to obtain the access flow.
In order to ensure security of access to the application resource by the application process, in some embodiments, before the obtaining the actual access flow and the preset access flow of the application process to access the application resource in the preset time period, the method further includes:
acquiring a flow packet of the access operation of the target process to the target resource;
determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol;
and under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource.
It should be noted that the access policy is built by recording the process identifier of each application process, the resource port or resource address of the application resources that this application process is to access, and the protocol used for the access. Before the application process subsequently accesses a target application resource, the source port of the application process is obtained and the access policy is traversed to determine whether this application process may access the corresponding application resource.
In some embodiments, the access policy is stored in the computer device 102 and the server 103, so as to determine whether the specific application process in an access request may access the specified application resource, ensuring that only authorized processes can access the resource, which improves the security of application resource data and protects sensitive data.
In some embodiments, the access policy is also stored in the client 101, so that it can be determined in advance whether the application process may access the application resource, avoiding invalid access requests and improving the overall efficiency of application resource access.
The implementation flow of the process network policy limitation method provided in the embodiment of the present application will be described below with reference to the accompanying drawings.
Referring to fig. 2, a flowchart of an implementation of the process network policy restriction method provided in the embodiment of the present application is shown. As shown in fig. 2, the method may include the following steps 201 to 203.
The process network policy limiting method provided by the embodiment of the application comprises the following steps:
under the condition that an application process of a client accesses an application resource, acquiring actual access flow and preset access flow of the application process for accessing the application resource in a preset time period;
calculating a flow difference value between the actual access flow and the preset access flow;
and controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, wherein under the condition that the flow difference is larger than the error threshold, the access operation is suspended and alarm information is generated, and the alarm information comprises the access time and the access data content of the application process for accessing the application resource.
Step 201, under the condition that an application process of a client accesses an application resource, acquiring an actual access flow and a preset access flow of the application process accessing the application resource in a preset time period.
In some embodiments, the accessed data content and data volume can be determined from the application process and the application resource it accesses; the data volume within the preset time period gives the actual access flow of the application process to the application resource, and the preset access flow for the same preset time period is obtained as well.
In some embodiments, before the obtaining the actual access flow and the preset access flow of the application process to access the application resource in the preset time period, the method further includes:
acquiring a flow packet of the access operation of the target process to the target resource;
determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol;
and under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource.
It should be noted that, by acquiring the access request and determining whether to release the access request according to the access request and the access policy, an unauthorized application process can be prevented from accessing the application resource, so that the security of the data is improved and the sensitive data is protected.
Step 202, calculating a flow difference between the actual access flow and the preset access flow.
It should be noted that, in practical use of the method provided in the embodiments of the present application, the actual access flow and the preset access flow are not always identical; there is some difference between them, from which the flow difference is calculated. A larger flow difference indicates that the application process may be behaving abnormally when accessing the application resource. The flow difference is the absolute value of the difference between the actual access flow and the preset access flow, and is therefore non-negative.
Step 203, controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, where, if the flow difference is larger than the error threshold, the access operation is suspended and alarm information is generated.
In the method provided by the embodiment of the application, the access operation of the application process to the application resource is controlled according to the magnitude relation between the flow difference value and the error threshold value. And under the condition that the flow difference value is larger than a preset error threshold value, suspending the access of the application process to the application resource, and generating warning information.
In some embodiments, after generating the alert information, the method further comprises:
detecting access data of the application process for accessing the application resource in the preset time period to obtain a detection result, wherein the detection result comprises data quantity and data content of the access data;
if the detection result meets the detection condition, controlling the application process to continuously access the application resource;
and if the detection result does not accord with the detection condition, ending the access of the application process to all application resources.
It should be noted that, in some embodiments, the actual access flow of the application process to the application resource may legitimately exceed the preset access flow. For example, when a developer modifies part of the data content of an application resource through a specific application process, a large amount of data may be uploaded in a short time, so that the actual access flow measured in the preset time period is far larger than the preset access flow; even though the application process itself has not been replaced, its access is suspended because the flow difference exceeds the error threshold. In that case the data accessed within the preset time period can be examined on the basis of the generated alarm information to obtain a detection result. If the detection condition is met, the access operation is judged safe and the application process is allowed to continue accessing the application resource so that the corresponding service completes. If the detection result does not meet the detection condition, the access is ended, safeguarding network security.
In the above technical solution, the flow difference is obtained by acquiring the actual access flow and the preset access flow in the preset time period. And under the condition that the flow difference value is larger than the error threshold value, suspending the access operation of the application process to the application resource, and generating warning information. The method and the system can control the application process with network security threat in the client to access the application resource without affecting the access operation of other application processes in the client, and make security emergency measures on the minimum dimension and the minimum granularity, thereby having the lowest influence and realizing the efficient, sensitive and accurate network security policy.
In the process network policy limiting method provided in the embodiment of the present application, a flow of determining whether an application process can access an application resource according to an access policy will be described below with reference to the accompanying drawings.
Referring to fig. 3, a flowchart of an implementation of an access operation of an application process to an application resource in a method provided by an embodiment of the present application is shown. As shown in fig. 3, the method may include the following steps 301 to 309.
In some embodiments, before the obtaining the actual access flow and the preset access flow of the application process to access the application resource in the preset time period, the method further includes:
Acquiring a flow packet of the access operation of the target process to the target resource;
determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol;
and under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource.
It should be noted that, by obtaining the traffic packet of the access operation of the target process to the target resource and monitoring the traffic packet, it can be judged whether the target process is an application process allowed to perform the access operation, so that the network policy is applied to the access operation at the process level, only allowed application processes can access the application resource, and the security of the data is protected.
In some embodiments, the determining whether to release the traffic packet according to the traffic packet and the access policy includes:
Processing the header information of the flow packet to obtain a target client address corresponding to the target process and a target resource address corresponding to the target resource;
acquiring a target source port according to the target client address, wherein the target source port is a port used for sending the flow packet in the target client;
traversing and inquiring a socket file of the target client according to the target source port to obtain a target process identifier corresponding to the target source port, wherein the socket file comprises a corresponding relation between a resource address and the process identifier;
judging whether the target process identifier exists in the process identifiers corresponding to the application processes according to the access policy;
if the target process identifier exists, acquiring a resource address corresponding to the target process identifier according to the access corresponding relation in the access strategy; releasing the flow packet under the condition that the target resource address is the same as the resource address corresponding to the target process identifier;
and if the target process identification does not exist, not releasing the flow packet.
The above embodiments will be described in steps.
Step 301, obtaining a flow packet of the target process for performing access operation on the target resource.
Step 302, processing the header information of the flow packet to obtain a target client address corresponding to the target process and a target resource address corresponding to the target resource.
In some embodiments, the header of the preset byte number of the header of the flow packet is processed to obtain a target client address corresponding to the target process and a target resource address corresponding to the target resource.
It should be noted that, if the traffic packet uses Internet Protocol version 4 (IPv4), the preset number of bytes is 20. If the traffic packet uses Internet Protocol version 6 (IPv6), the preset number of bytes is 40.
Step 303, obtaining a target source port according to the target client address, and performing traversal query on the socket file of the target client to obtain a target process identifier corresponding to the target source port.
It should be noted that a socket file is a file of a specific type used for inter-process communication in computer network communication. Unlike an ordinary data file, it is mainly used by local applications to communicate with network sockets through the socket interface. A socket file typically contains a socket identifier and other communication-related information.
In some embodiments, the socket file includes a corresponding relationship between a resource address and a source port and a process identifier of a process sending the traffic packet, and the process identifier corresponding to the process sending the traffic packet can be obtained by traversing the query socket file.
It should be noted that the required permission must be applied for on the client in advance before the socket file can be traversed.
Step 304, judging whether a target process identifier exists in the process identifiers corresponding to the application processes according to the access policy.
It should be noted that, the access policy includes a client address and a process identifier (Process Identifier, PID) corresponding to each application process, a resource address and a port corresponding to each application resource, an access correspondence relationship between each application process and each application resource, and an access correspondence protocol.
By performing traversal query processing on the process identifiers corresponding to the application processes included in the access policy, whether the application process corresponding to the target process identifier exists in the access policy can be judged. If present, step 305 is performed, and if not, step 309 is performed.
Step 305, obtaining the resource address corresponding to the target process identifier according to the access corresponding relation in the access policy.
The corresponding relation between each process identifier and the resource address can be obtained through the access corresponding relation between each application process and each application resource recorded in the access strategy. And under the condition that the target process identifier exists in each process identifier, acquiring the resource address corresponding to the target process identifier according to the corresponding relation between each process identifier and the resource address. In the subsequent step, whether the target process can access the target resource can be judged by judging whether the target resource address is the same as the resource address corresponding to the target process identifier acquired through the access strategy.
Step 306, it is determined whether the target resource address is the same as the resource address corresponding to the target process identifier.
If the target resource address is the same as the resource address corresponding to the target process identifier, step 307 is performed, the traffic packet is released, the target process is determined to be the application process, and the target resource is determined to be the application resource. If the target resource address is different from the resource address corresponding to the target process identifier, step 309 is performed without releasing the traffic packet.
Step 307, releasing the traffic packet, determining the target process as the application process, and determining the target resource as the application resource.
Through steps 301 to 307 above, it is determined that the target process can access the target resource, the traffic packet is released, the target process is determined to be the application process, and the target resource is determined to be the application resource.
Step 308, controlling the application process to access the application resource.
After the application process is controlled to access the application resource, network security monitoring can be performed on a plurality of application processes in the client through the method provided by the embodiment of the application, and the application processes identified as possibly having network security threat are restricted from accessing the application resource in the server. Meanwhile, normal access of other application processes to application resources in the server under the same IP address is not affected, and the security policy can be flexibly and automatically changed to cope with diversified network attacks.
Step 309, the traffic packet is not released.
The target process cannot access the target resource without releasing the traffic packet.
In some embodiments, the method further generates alarm information recording the target process whose traffic packet was not released, and prompts the relevant technician to confirm the target process, so as to ensure network security.
In the above technical solution, the traffic packet of the access operation of the target process to the target resource is obtained and analyzed to obtain the target client address corresponding to the target process and the target resource address corresponding to the target resource. The target source port is obtained according to the target client address, the socket file of the target client is traversed, and the target process identifier corresponding to the target source port is obtained. The access policy is then traversed to judge whether the target process identifier exists in it. If it exists, the resource address of the application resource corresponding to the target process identifier is obtained according to the access correspondence between each application process and each application resource contained in the access policy; when the target resource address is the same as that resource address, the traffic packet is released, the target process is determined to be the application process, the target resource is determined to be the application resource, and the application process is controlled to access the application resource. At the process level, only allowed application processes can access the application resource, and the security of the data is improved.
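The packet-level check of steps 301 to 309, as an added Python example that is not part of the patent: it processes the first 20 (IPv4) or 40 (IPv6) header bytes, maps the source port to a PID through a constructed socket table standing in for the client's socket file, and releases the packet only when the access policy pairs that PID with the destination address, port and protocol. The addresses, ports, PIDs and the policy layout are assumptions made for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this example. SOCKET_TABLE stands in for the
# client's socket file (client address + source port -> owning PID); ACCESS_POLICY
# lists, per allowed PID, its client addresses and the (resource address, port,
# protocol number) triples it may reach. All values are made up.
SOCKET_TABLE = {
    ("10.0.0.5", 40001): 1234,      # process allowed by the policy
    ("10.0.0.5", 40002): 5678,      # process absent from the policy
    ("2001:db8::5", 40001): 1234,   # same process, IPv6 socket
}
ACCESS_POLICY = {
    1234: {"client": {"10.0.0.5", "2001:db8::5"},
           "resources": {("192.0.2.10", 443, 6), ("2001:db8::10", 443, 6)}},  # 6 = TCP
}

IPV4_HEADER_LEN = 20       # header bytes processed for an IPv4 packet
IPV6_HEADER_LEN = 40       # header bytes processed for an IPv6 packet
PORT_PROTOCOLS = (6, 17)   # TCP and UDP put source/destination ports first


@dataclass
class FlowTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


def parse_header(pkt: bytes) -> Optional[FlowTuple]:
    """Step 302: pull addresses, ports and protocol out of the packet header.
    Returns None for anything that cannot be classified (such packets are dropped)."""
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= IPV4_HEADER_LEN:
        ihl = (pkt[0] & 0x0F) * 4          # IPv4 options lengthen the header
        if ihl < IPV4_HEADER_LEN or len(pkt) < ihl:
            return None
        proto = pkt[9]
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        payload = pkt[ihl:]
    elif version == 6 and len(pkt) >= IPV6_HEADER_LEN:
        proto = pkt[6]                     # next header; extension headers not handled
        src = str(ipaddress.IPv6Address(pkt[8:24]))
        dst = str(ipaddress.IPv6Address(pkt[24:40]))
        payload = pkt[IPV6_HEADER_LEN:]
    else:
        return None
    if proto not in PORT_PROTOCOLS or len(payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    return FlowTuple(src, dst, sport, dport, proto)


def lookup_pid(src: str, sport: int, socket_table=SOCKET_TABLE) -> Optional[int]:
    """Step 303: traverse the socket table to find the PID owning the source port."""
    return socket_table.get((src, sport))


def decide(pkt: bytes, socket_table=SOCKET_TABLE, policy=ACCESS_POLICY) -> tuple[str, str]:
    """Steps 304-309: return ("release", reason) or ("drop", reason) for one packet."""
    flow = parse_header(pkt)
    if flow is None:
        return "drop", "header could not be processed"
    pid = lookup_pid(flow.src, flow.sport, socket_table)
    if pid is None:
        return "drop", "source port is not bound to any process"
    entry = policy.get(pid)
    if entry is None or flow.src not in entry["client"]:
        return "drop", f"pid {pid} is not in the access policy for {flow.src}"
    if (flow.dst, flow.dport, flow.proto) not in entry["resources"]:
        return "drop", f"pid {pid} may not access {flow.dst}:{flow.dport}"
    return "release", f"pid {pid} may access {flow.dst}:{flow.dport}"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4+TCP SYN for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return ip + tcp
```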
The flow of obtaining the preset access flow in the process network policy limiting method provided in the embodiment of the present application will be described below with reference to the accompanying drawings.
Referring to fig. 4, a flowchart of another implementation of the process network policy restriction method provided in the embodiment of the present application is shown. As shown in fig. 4, the method may include the following steps 401 to 404.
In some embodiments, the preset access flow is obtained by predicting the flow of the application process accessing the application resource in the preset time period according to an autoregressive model, and the autoregressive model is obtained according to the historical access times of the application process accessing the application resource and the historical flow of each access.
Step 401, under the condition that an application process of a client accesses an application resource, acquiring actual access flow of the application process accessing the application resource in a preset time period.
Step 402, predicting the flow of the application process accessing the application resource in a preset time period according to the autoregressive model to obtain a preset access flow.
It should be noted that an autoregressive model (AR model) is a statistical model based on historical data that can be used to predict future values or sequences. It predicts the value of a variable in the current period from the values of the same variable in earlier periods; it is called autoregressive because it is developed from linear regression in regression analysis but regresses the variable only on its own history.
Autoregressive models take a variety of forms. For example, in some embodiments, the preset access flow may be predicted by an autoregressive moving average model (ARMA model), which combines the characteristics of autoregression and moving averages and takes a linear combination of both the values at past time points and the error terms as the basis for prediction.
In some embodiments, an autoregressive model is obtained based on the historical number of accesses and the historical traffic of each access of an application process to an application resource, the autoregressive model being capable of predicting a preset access traffic of the application process to the application resource.
The model can be expressed as:
(1)
where $X_t$ denotes the flow size at time t, c is a constant, each lagged flow size $X_{t-p}$ (the flow size at time t-p) is weighted by an autoregressive coefficient, an error term is added, and p is the order, taken as the historical access times of the application process to the application resource.
In some embodiments, an autoregressive model is obtained according to the historical access times and the historical flow of each access of at least two application processes to at least two application resources, wherein the autoregressive model can predict the preset access flow of a target application process in the at least two application processes to access the target process resources in the at least two application resources.
The model can be expressed as:
(2)
where $X_{it}$ denotes the flow at time t of the application process accessing the application resource in the i-th application process / application resource pair, and $c_i$, the autoregressive coefficients and the error term are respectively the constant, the autoregressive coefficients and the error term of the i-th pair.
In some embodiments, the preset access flow of the application process accessing the application resource in the preset time period is predicted according to the autoregressive model.
The calculation formula of the preset access flow can be expressed as:
(3)
where $p_i$ is the order of the i-th application process / application resource pair and the autoregressive coefficients are those of that pair; from the flow size at time $t-p_i$ and the autoregressive coefficients, the preset access flow of the i-th application process to its application resource is obtained.
The flow difference value is obtained by calculating the difference between the actual access flow and the preset access flow and taking its absolute value.
The preset access flow of the application process to the application resource can thus be obtained from the historical access times and the historical flow of each access of at least two application processes to at least two application resources, together with the autoregressive coefficients.
It should be noted that, because the autoregressive model predicts the preset access flow from the characteristics of historical data, its use presupposes that the application process has accessed the application resource before, that historical access data exist, and that the autoregressive model has been built; the historical access data include the historical access times and the historical access flow of each access. The autoregressive model is obtained according to the historical access times of the application process in accessing the application resource and the historical flow of each access.
In some embodiments, when the application process accesses the application resource and the flow difference between the preset access flow obtained through the autoregressive model and the actual access flow in the preset time period is smaller than or equal to the error threshold, the application process is controlled to continue accessing the application resource. The autoregressive model can then be trained on this actual access flow in which no abnormality was found, so that the trained autoregressive model better adapts to changes in how the application process accesses the application resource and the prediction accuracy of the preset access flow is improved.
Step 403, calculating a flow difference between the actual access flow and the preset access flow.
Step 404, controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, wherein under the condition that the flow difference is larger than the error threshold, the access operation is suspended and the alarm information is generated.
Steps 403 to 404 are similar to steps 202 to 203 in the embodiment shown in fig. 2, and are not described here.
In the above technical solution, in the process network policy limiting method provided in the embodiment of the present application, the preset access flow is obtained by predicting the flow of accessing the application resource in the preset time period by the application process according to an autoregressive model, where the autoregressive model is obtained according to the historical access times of the application process in accessing the application resource and the historical flow of each access.
The following will describe another process of obtaining the preset access flow in the process network policy restriction method provided in the embodiment of the present application with reference to the accompanying drawings.
Referring to fig. 5, a flowchart of another implementation of the process network policy restriction method provided in the embodiment of the present application is shown. As shown in fig. 5, the method may include the following steps 501 to 504.
In some embodiments, the preset access flow is determined according to a preset rule and at least two other preset access flows of at least two other application processes in the case of accessing the application resource, where the preset rule is that the minimum other preset access flow is selected or the maximum other preset access flow is selected or a mean value of the at least two other preset access flows is selected as the preset access flow.
Step 501, under the condition that an application process of a client accesses an application resource, acquiring actual access flow of the application process accessing the application resource in a preset time period.
Step 502, determining a preset access flow according to a preset rule and at least two other preset access flows of at least two other application processes in a preset time period under the condition of accessing application resources.
In some embodiments, the preset access flow of the application process to the application resource is obtained under the condition that the application process accesses the application resource for the first time or cannot be obtained through an autoregressive model. At this time, the preset access flow is obtained according to a preset rule and at least two other preset access flows of the application resource accessed by at least two other application processes.
It should be noted that, the preset rule is to select the smallest other preset access flow or select the largest other preset access flow or select the average value of the at least two other preset access flows as the preset access flow. The preset rule is selected according to actual application requirements, and is not limited herein.
In some embodiments, if the application process accesses the application resource for the first time, the preset access flow cannot be obtained through the autoregressive model, and no other preset access flows of at least two other application processes accessing the application resource exist, then alarm information is generated, the actual access flow and the access data content of the access operation are monitored, and, provided the access is normal, the application process is allowed to access the application resource and the autoregressive model is trained.
In step 503, a flow difference between the actual access flow and the preset access flow is calculated.
Step 504, controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, wherein under the condition that the flow difference is larger than the error threshold, the access operation is suspended and the alarm information is generated.
Steps 503 to 504 are similar to steps 202 to 203 in the embodiment shown in fig. 2, and are not described here again.
In the above technical solution, in the process network policy restriction method provided in the embodiment of the present application, the preset access flow is determined according to a preset rule and at least two other preset access flows of at least two other application processes in a preset time period under the condition of accessing the application resource.
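The two ways of obtaining the preset access flow, the autoregressive model of fig. 4 and the preset rule of fig. 5, as one added Python example that is not taken from the patent. The autoregressive coefficients are fitted by ordinary least squares over the historical flows (the patent does not state how they are obtained), the order p is an assumed parameter smaller than the history length, and the sample histories are constructed so that the fitted model can be checked exactly.

```python
from statistics import mean
from typing import Optional, Sequence


def _solve(a: list[list[float]], b: list[float]) -> list[float]:
    """Gauss-Jordan elimination with partial pivoting for the (p+1)x(p+1)
    normal equations; small enough that no numeric library is needed."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular normal equations: history is degenerate")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ar(history: Sequence[float], p: int) -> tuple[float, list[float]]:
    """Least-squares fit of X_t = c + a_1 X_{t-1} + ... + a_p X_{t-p} + error
    over the historical flows of one process/resource pair (the form of eq. (1))."""
    if p < 1 or len(history) < 2 * p + 1:
        raise ValueError("need at least 2p+1 historical accesses for order p")
    rows = [[1.0] + [float(history[t - k]) for k in range(1, p + 1)]
            for t in range(p, len(history))]
    ys = [float(x) for x in history[p:]]
    n = p + 1
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    aty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(n)]
    w = _solve(ata, aty)
    return w[0], w[1:]


def predict_next(history: Sequence[float], c: float, coefs: Sequence[float]) -> float:
    """Preset access flow for the next period: c + sum_k a_k X_{t-k} (the form of eq. (3))."""
    return c + sum(a * history[-k] for k, a in enumerate(coefs, start=1))


def preset_by_rule(others: Sequence[float], rule: str) -> float:
    """Preset rule of fig. 5: the smallest, the largest, or the mean of the
    preset access flows of at least two other processes on the same resource."""
    if len(others) < 2:
        raise ValueError("the preset rule needs at least two other preset flows")
    if rule == "min":
        return min(others)
    if rule == "max":
        return max(others)
    if rule == "mean":
        return mean(others)
    raise ValueError(f"unknown preset rule {rule!r}")


def preset_access_flow(history: Sequence[float], p: int,
                       others: Sequence[float], rule: str = "mean") -> Optional[float]:
    """Order of preference taken from the page: the autoregressive model when the
    history supports it, else the preset rule, else None (first access: the
    caller raises an alarm and monitors the access instead)."""
    if len(history) >= 2 * p + 1:
        c, coefs = fit_ar(history, p)
        return predict_next(history, c, coefs)
    if len(others) >= 2:
        return preset_by_rule(others, rule)
    return None


def flow_difference(actual: float, preset: float) -> float:
    """Absolute difference between the actual and the preset access flow."""
    return abs(actual - preset)
```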
The following will describe, with reference to the accompanying drawings, the flow of the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold in the process network policy limiting method provided in the embodiment of the present application.
Referring to fig. 6, a flowchart of an implementation of controlling an access operation of an application process to an application resource according to a magnitude relation between a flow difference and an error threshold in the embodiment of the present application is shown. As shown in fig. 6, the method may include the following steps 601 to 609.
In step 601, a flow difference between the actual access flow and the preset access flow is calculated.
Step 602, determining whether the flow difference is greater than a first threshold.
In some embodiments, the error threshold includes a first threshold and a second threshold, the first threshold being less than the second threshold.
In some embodiments, if the flow difference is greater than the first threshold, step 603 is performed, and further determination is made on the magnitude relationship between the flow difference and the error threshold.
In some embodiments, if the flow difference is less than or equal to the first threshold, then step 608 is performed to control the application process to continue accessing the application resource.
Step 603, determining whether the flow difference is greater than a second threshold.
In some embodiments, if the flow difference is greater than the second threshold, step 604 is performed to generate alarm information, and the access operation of the application process to all application resources is suspended.
In some embodiments, if the flow difference is greater than the first threshold and less than or equal to the second threshold, step 605 is performed to generate alarm information, and according to the preset resource level of the application resource, it is determined whether to suspend the access operation of the application process to the application resource.
In step 604, alarm information is generated, and the access operation of the application process to all application resources is suspended.
In some embodiments, if the flow difference is greater than the second threshold, generating alarm information, and suspending access operations of the application process to all application resources.
Step 605, generating alarm information, and determining whether to suspend the access operation of the application process to the application resource according to the preset resource level of the application resource.
The preset resource level comprises an important level and a secondary level, if the application resource is the important level, the access operation of the application process to the application resource is paused, and if the application resource is the secondary level, the application process is controlled to continuously access the application resource.
It should be noted that, by setting the preset resource level of the application resource, different network policy restrictions can be applied according to the preset resource level when the flow difference is greater than the first threshold and less than or equal to the second threshold. If the application resource is of the secondary level, alarm information is generated without interrupting the access of the application process to the application resource. The access operation of the application process to the application resource can therefore be controlled more flexibly: when the flow difference only slightly exceeds the error threshold, the access is not interrupted immediately, while the alarm information allows the access operation to be responded to and handled in time, ensuring network security.
In some embodiments, if the flow difference is greater than the first threshold and less than or equal to the second threshold, generating alarm information, and suspending the access operation of the application process to the application resource that is performing the access operation and causes the exception, without suspending the access operation of the application process to other application resources.
It should be noted that one application process can access a plurality of application resources. If the flow difference of the application process accessing one of its application resources is greater than the first threshold and less than or equal to the second threshold, the access of the application process to the application resource causing the access abnormality is suspended, without affecting the access operations of the application process to other application resources.
Step 606, detecting the data accessed by the application process in the preset time period to obtain a detection result.
In some embodiments, after generating the alert information, the method further comprises:
detecting access data of the application process for accessing the application resource in the preset time period to obtain a detection result, wherein the detection result comprises data quantity and data content of the access data;
if the detection result meets the detection condition, controlling the application process to continuously access the application resource;
And if the detection result does not accord with the detection condition, ending the access of the application process to all application resources.
It should be noted that, for the access operations suspended in step 604 and step 605, it is further necessary to decide whether the application process may continue to access the application resource according to the detection result obtained by detecting the access data of the application process in the preset time period, where the detection is performed within a preset detection time after the alarm information is generated, and the preset detection time can be set according to actual needs.
In step 607, it is determined whether the detection result meets the detection condition.
In step 608, control continues with accessing the application resource.
Step 609, the application process ends access to all application resources.
In some embodiments, after the application process finishes accessing all application resources, the method further includes prohibiting all access operations subsequent to the application process until a related technician performs a forbidding process on the application process.
In the above technical solution, the method provided in the embodiments of the present application controls the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold.
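The two-threshold control of fig. 6 together with the post-alarm detection of steps 606 to 609, as an added Python example that is not taken from the patent. The printable-text content check and the byte cap stand in for the detection condition, which the page leaves unspecified, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Outcome labels for the steps of fig. 6 (the names are this example's own).
CONTINUE = "continue"                   # step 608
SUSPEND_RESOURCE = "suspend_resource"   # step 605, important-level resource
SUSPEND_ALL = "suspend_all"             # step 604
END_ALL = "end_all"                     # step 609


@dataclass
class Alarm:
    """Alarm information: the access time and access data content of the access."""
    pid: int
    resource: str
    access_time: datetime
    access_data: bytes
    flow_difference: float


@dataclass
class Decision:
    action: str
    alarm: Optional[Alarm] = None


def flow_difference(actual: float, preset: float) -> float:
    """Positive difference between the actual and the preset access flow."""
    return abs(actual - preset)


def decide_access(pid: int, resource: str, level: str, actual: float, preset: float,
                  first: float, second: float, access_data: bytes,
                  now: Optional[datetime] = None) -> Decision:
    """Steps 601-605: compare the flow difference with the first and second
    thresholds (first < second) and pick the restriction to apply."""
    if first >= second:
        raise ValueError("the first threshold must be smaller than the second")
    diff = flow_difference(actual, preset)
    if diff <= first:                                  # step 602 -> step 608
        return Decision(CONTINUE)
    alarm = Alarm(pid, resource, now or datetime.now(timezone.utc), access_data, diff)
    if diff > second:                                  # step 603 -> step 604
        return Decision(SUSPEND_ALL, alarm)
    if level == "important":                           # step 605, important level
        return Decision(SUSPEND_RESOURCE, alarm)
    return Decision(CONTINUE, alarm)                   # secondary level: alarm only


def looks_like_text(data: bytes) -> bool:
    """Assumed detection condition on data content: printable UTF-8 only."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def post_alarm_check(alarm: Alarm, max_bytes: int,
                     content_ok: Callable[[bytes], bool] = looks_like_text) -> str:
    """Steps 606-609: inspect data quantity and content of the suspended access;
    continue when both pass, otherwise end the process's access to all resources."""
    if len(alarm.access_data) <= max_bytes and content_ok(alarm.access_data):
        return CONTINUE
    return END_ALL


class ProcessBans:
    """Follow-up to step 609: a process whose access was ended stays blocked
    until a technician lifts the ban."""

    def __init__(self) -> None:
        self._banned: set[int] = set()

    def apply(self, pid: int, outcome: str) -> None:
        if outcome == END_ALL:
            self._banned.add(pid)

    def lift(self, pid: int) -> None:
        self._banned.discard(pid)

    def is_allowed(self, pid: int) -> bool:
        return pid not in self._banned
```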
It should be understood that, although the steps in the flowcharts described above are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described above may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages are not necessarily executed sequentially but may be performed alternately with at least a part of the sub-steps or stages of other steps.
Based on the foregoing embodiments, the embodiments of the present application provide a process network policy restriction device, where the device includes each module included, and each unit included in each module may be implemented by a processor; of course, the method can also be realized by a specific logic circuit; in an implementation, the processor may be a Central Processing Unit (CPU), a Microprocessor (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
Referring to fig. 7, a schematic structural diagram of a process network policy restriction device provided in an embodiment of the present application is shown in fig. 7, and the process network policy restriction device 700 includes a monitoring module 701 and a control module 702.
The monitoring module 701 is configured to obtain, when an application process of the client accesses an application resource, an actual access flow and a preset access flow of the application process for accessing the application resource in a preset time period; and calculating a flow difference value between the actual access flow and the preset access flow.
And the control module 702 is configured to control an access operation of the application process to the application resource according to the magnitude relation between the flow difference value and the error threshold value, where, when the flow difference value is greater than the error threshold value, the access operation is suspended and alarm information is generated, and the alarm information includes access time and access data content of the application process for accessing the application resource.
In some embodiments, the monitoring module 701 is further configured to obtain a traffic packet of an access operation performed by a target process on a target resource; to determine, from the traffic packet and an access policy, whether to release (forward) the traffic packet, where the access policy comprises the client address and process identifier corresponding to each application process, the resource address and port corresponding to each application resource, the access correspondence between each application process and each application resource, and the protocol used for each access; and, if the traffic packet is released, to determine the target process to be the application process and the target resource to be the application resource, and to control the application process's access to the application resource.
In some embodiments, the monitoring module 701 is further configured to parse the header information of the traffic packet to obtain the target client address corresponding to the target process and the target resource address corresponding to the target resource; to obtain, from the target client address, the target source port, that is, the port on the target client from which the traffic packet was sent; to look up the target source port in the socket file of the target client to obtain the target process identifier corresponding to that port, the socket file recording the correspondence between resource addresses and process identifiers; to check, against the access policy, whether the target process identifier is among the process identifiers of the application processes; if it is, to obtain the resource address corresponding to the target process identifier from the access correspondence in the access policy and to release the traffic packet when the target resource address is the same as that resource address; and if it is not, to withhold the traffic packet.
In some embodiments, the control module 702 is further configured to compare the flow difference with a first threshold and a second threshold (the first threshold being smaller than the second); if the flow difference is greater than the first threshold and less than or equal to the second threshold, to generate alarm information and decide, according to the preset resource level of the application resource, whether to suspend the application process's access to that resource, where the preset resource level is either important or secondary: access is suspended if the application resource is of the important level, and the application process is allowed to continue accessing it if the resource is of the secondary level; and if the flow difference is greater than the second threshold, to generate alarm information and suspend the application process's access to all application resources.
In some embodiments, the control module 702 is further configured to detect access data of the application process for accessing the application resource in the preset time period, so as to obtain a detection result, where the detection result includes a data amount and a data content of the access data; if the detection result meets the detection condition, controlling the application process to continuously access the application resource; and if the detection result does not accord with the detection condition, ending the access of the application process to all application resources.
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the device embodiments of the present application, please refer to the description of the method embodiments of the present application for understanding.
It should be noted that the division of the process network policy limiting device shown in fig. 7 into modules is schematic and merely a division by logical function; another division may be used in an actual implementation. In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, exist alone physically, or be integrated two or more to a unit. The integrated units may be implemented in hardware, in software functional units, or in a combination of software and hardware.
It should be noted that, in the embodiment of the present application, if the method is implemented in the form of a software functional module and sold or used as a separate product, it may also be stored in a computer readable storage medium. On this understanding, the technical solutions of the embodiments of the present application, or the part of them that contributes to the related art, may be embodied in a computer software product stored in a storage medium and comprising several instructions that cause an electronic device to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or any other medium capable of storing program code. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
The embodiment of the application provides a computer device, which may be a server, whose internal structure may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is for storing data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, carries out the above-mentioned method.
The present embodiment provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method provided in the above embodiment.
The present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the method provided by the method embodiments described above.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, the process network policy limiting device provided in the present application may be implemented in the form of a computer program, which may be executed on a computer device as shown in fig. 8. The memory of the computer device may store the various program modules that make up the apparatus. The computer program of each program module causes a processor to perform the steps in the methods of each embodiment of the present application described in the present specification.
It should be noted here that the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments, with similar benefits. For technical details not disclosed in the storage medium and device embodiments of the present application, please refer to the description of the method embodiments for understanding.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" or "some embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the foregoing processes do not indicate the order of execution; the order of execution should be determined by their functions and internal logic and does not constitute any limitation on the implementation of the embodiments. The embodiment numbers of the present application are for description only and do not indicate that one embodiment is better or worse than another. The foregoing description of the various embodiments is intended to highlight their differences; where embodiments are the same or similar, they may be understood by reference to each other, and the common parts are not repeated for the sake of brevity.
The term "and/or" herein merely describes an association between associated objects and means that three relations are possible; for example, "object A and/or object B" may represent three cases: object A alone, object A and object B together, and object B alone.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The embodiments described above are merely illustrative; the division into modules is merely a division by logical function, and other divisions may be used in practice, for example: multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communicative connection between the components shown or discussed may be through some interface, and the indirect coupling or communicative connection between devices or modules may be electrical, mechanical or of another form.
The modules described above as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated in one processing unit, or each module may be separately used as one unit, or two or more modules may be integrated in one unit; the integrated modules may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be completed by hardware under the control of program instructions, and that the program may be stored in a computer readable storage medium; when executed, the program performs the steps of the above method embodiments. The aforementioned storage medium includes a removable storage device, a Read Only Memory (ROM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
Alternatively, if the integrated units described above are implemented in the form of software functional modules and sold or used as a stand-alone product, they may be stored in a computer readable storage medium. On this understanding, the technical solutions of the embodiments of the present application, or the part of them that contributes to the related art, may be embodied in a computer software product stored in a storage medium and comprising several instructions that cause an electronic device to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes a removable storage device, a ROM, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The methods disclosed in the several method embodiments provided in the present application may be arbitrarily combined without collision to obtain a new method embodiment.
The features disclosed in the several product embodiments provided in the present application may be combined arbitrarily without conflict to obtain new product embodiments.
The features disclosed in the several method or apparatus embodiments provided in the present application may be arbitrarily combined without conflict to obtain new method embodiments or apparatus embodiments.
The foregoing is merely an embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A process network policy restriction method, the method comprising:
under the condition that an application process of a client accesses an application resource, acquiring actual access flow and preset access flow of the application process for accessing the application resource in a preset time period, wherein the preset access flow is obtained by predicting the flow of the application process for accessing the application resource in the preset time period according to an autoregressive model, or is obtained according to a preset rule and at least two other preset access flows of at least two other application processes for accessing the application resource;
calculating a flow difference value between the actual access flow and the preset access flow;
controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference and the error threshold, wherein under the condition that the flow difference is larger than the error threshold, the access operation is suspended and alarm information is generated, and the alarm information comprises the access time and the access data content of the application process for accessing the application resource;
Before the obtaining the actual access flow and the preset access flow of the application process for accessing the application resource in the preset time period, the method further comprises:
acquiring a flow packet of the access operation of the target process to the target resource;
determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol;
under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource;
the determining whether to release the traffic packet according to the traffic packet and the access policy includes:
processing the header information of the flow packet to obtain a target client address corresponding to the target process and a target resource address corresponding to the target resource;
acquiring a target source port according to the target client address, wherein the target source port is a port used for sending the flow packet in the target client;
traversing and inquiring a socket file of the target client according to the target source port to obtain a target process identifier corresponding to the target source port, wherein the socket file comprises a corresponding relation between a resource address and the process identifier;
judging whether the target process identifier exists in the process identifiers corresponding to the application processes according to the access policy;
if the target process identifier exists, acquiring a resource address corresponding to the target process identifier according to the access corresponding relation in the access strategy; releasing the flow packet under the condition that the target resource address is the same as the resource address corresponding to the target process identifier;
and if the target process identification does not exist, not releasing the flow packet.
2. The method of claim 1, wherein the preset access flow is obtained by predicting the flow of the application process accessing the application resource in the preset time period according to an autoregressive model, and the autoregressive model is obtained according to the historical access times of the application process accessing the application resource and the historical flow of each access.
3. The method according to claim 1, wherein the preset access flow is determined according to a preset rule and at least two other preset access flows of at least two other application processes in case of accessing the application resource, the preset rule being selecting the smallest other preset access flow or selecting the largest other preset access flow or selecting the average of the at least two other preset access flows as the preset access flow.
4. The method of claim 1, wherein suspending the access operation and generating alert information if the flow difference is greater than the error threshold comprises:
the error threshold includes a first threshold and a second threshold, the first threshold being less than the second threshold;
judging the magnitude relation between the flow difference and the first threshold value and the second threshold value respectively;
if the flow difference is larger than the first threshold and smaller than or equal to the second threshold, generating alarm information, judging whether to suspend the access operation of the application process to the application resource according to the preset resource level of the application resource, wherein the preset resource level comprises an important level and a secondary level, suspending the access operation of the application process to the application resource if the application resource is the important level, and controlling the application process to continuously access the application resource if the application resource is the secondary level;
and if the flow difference value is larger than the second threshold value, generating alarm information, and suspending the access operation of the application process to all application resources.
5. A method according to any one of claims 1-3, characterized in that after generating the alarm information, the method further comprises:
detecting access data of the application process for accessing the application resource in the preset time period to obtain a detection result, wherein the detection result comprises data quantity and data content of the access data;
if the detection result meets the detection condition, controlling the application process to continuously access the application resource;
and if the detection result does not accord with the detection condition, ending the access of the application process to all application resources.
6. A process network policy restriction device, comprising:
the monitoring module is used for acquiring actual access flow and preset access flow of the application process accessing the application resource in a preset time period under the condition that the application process of the client accesses the application resource, wherein the preset access flow is obtained by predicting the flow of the application process accessing the application resource in the preset time period according to an autoregressive model, or is obtained according to a preset rule and at least two other preset access flows of at least two other application processes for accessing the application resource; and calculating a flow difference value between the actual access flow and the preset access flow;
The control module is used for controlling the access operation of the application process to the application resource according to the magnitude relation between the flow difference value and the error threshold value, wherein under the condition that the flow difference value is larger than the error threshold value, the access operation is suspended and alarm information is generated, and the alarm information comprises the access time and the access data content of the application process for accessing the application resource;
the monitoring module is also used for acquiring a flow packet of the target process for accessing the target resource; determining whether to release the flow packet according to the flow packet and an access strategy, wherein the access strategy comprises a client address and a process identifier corresponding to each application process, a resource address and a port corresponding to each application resource, an access corresponding relation between each application process and each application resource and an access corresponding protocol; under the condition of releasing the flow packet, determining the target process as the application process, determining the target resource as the application resource, and controlling the application process to access the application resource;
the monitoring module is further configured to process header information of the traffic packet to obtain a target client address corresponding to the target process and a target resource address corresponding to the target resource; acquiring a target source port according to the target client address, wherein the target source port is a port used for sending the flow packet in the target client; traversing and inquiring a socket file of the target client according to the target source port to obtain a target process identifier corresponding to the target source port, wherein the socket file comprises a corresponding relation between a resource address and the process identifier; judging whether the target process identifier exists in the process identifiers corresponding to the application processes according to the access policy; if the target process identifier exists, acquiring a resource address corresponding to the target process identifier according to the access corresponding relation in the access strategy; releasing the flow packet under the condition that the target resource address is the same as the resource address corresponding to the target process identifier; and if the target process identification does not exist, not releasing the flow packet.
7. A computer device comprising a memory and a processor, the memory storing a computer program executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1 to 5 when the program is executed.
8. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any one of claims 1 to 5.
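Worked example of the mechanism recited in claims 1 to 5 above and described for the monitoring module 701 and control module 702 in the device embodiment: the per-process packet gate (source port to process identifier via the client's socket file, then process identifier to permitted resource via the access policy), the preset access flow from an autoregressive model or from peer processes, the two-threshold control with resource levels, and the post-alarm data check. This is added illustrative code, not code from the patent or its assignee. The access policy, socket table, flow history and access data are constructed samples; the AR(1) least-squares fit, the signed flow difference (actual minus preset, so only overage triggers), the dictionary standing in for the client's socket file, and the detection condition in inspect() are this example's assumptions about details the patent leaves open ("flow" in the claims is traffic volume per period).

```python
"""Per-process network policy gate and traffic-baseline control.

Added example (not the patent's own code). The policy, socket table,
flow history and access data are constructed samples; the AR(1) fit,
the signed flow difference and the detection condition are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # target client address, taken from the packet header
    sport: int    # target source port on the client
    dst: str      # target resource address
    dport: int    # resource port
    proto: str    # access protocol


# Access policy: process identifier -> client address, resource address,
# port and protocol that process may use (the fields the claims list).
POLICY = {
    "pid-1001": {"client": "10.0.0.5", "resource": "10.1.0.20", "port": 443, "proto": "tcp"},
    "pid-1002": {"client": "10.0.0.5", "resource": "10.1.0.21", "port": 5432, "proto": "tcp"},
}

# Constructed stand-in for the client's socket file: (client address,
# source port) -> process identifier that owns the socket.
SOCKETS = {
    ("10.0.0.5", 51000): "pid-1001",
    ("10.0.0.5", 51001): "pid-1002",
    ("10.0.0.5", 51002): "pid-1999",   # running, but absent from the policy
}


def gate(pkt, policy=POLICY, sockets=SOCKETS):
    """Claim 1 packet check. Returns (released, process id, reason);
    anything that cannot be attributed to a policy entry is withheld."""
    pid = sockets.get((pkt.src, pkt.sport))          # socket file lookup by source port
    if pid is None:
        return False, None, "no socket on the client owns this source port"
    rule = policy.get(pid)
    if rule is None:
        return False, pid, "process identifier not in the access policy"
    if rule["client"] != pkt.src:
        return False, pid, "client address does not match the policy"
    if (pkt.dst, pkt.dport, pkt.proto) != (rule["resource"], rule["port"], rule["proto"]):
        return False, pid, "resource address, port or protocol not permitted for this process"
    return True, pid, "released"


def preset_ar1(history):
    """Preset access flow from an autoregressive model (claim 2): an AR(1)
    least-squares fit without intercept, an assumed concrete form."""
    pairs = list(zip(history, history[1:]))
    phi = sum(a * b for a, b in pairs) / sum(a * a for a, _ in pairs)
    return phi * history[-1]


def preset_from_peers(peer_presets, rule="mean"):
    """Preset access flow from other processes' presets (claim 3)."""
    if rule == "min":
        return min(peer_presets)
    if rule == "max":
        return max(peer_presets)
    return sum(peer_presets) / len(peer_presets)


def control(actual, preset, t1, t2, level, when, content):
    """Two-threshold control (claim 4). diff is actual minus preset, so only
    overage triggers; returns (action, alarm) with alarm None at or below t1."""
    diff = actual - preset
    if diff <= t1:
        return "continue", None
    alarm = {"time": when, "content": content, "diff": diff}   # alarm fields of claim 1
    if diff <= t2:
        return ("suspend_resource" if level == "important" else "continue"), alarm
    return "suspend_all", alarm


def inspect(access_data, max_bytes, forbidden):
    """Post-alarm data check (claim 5) against a constructed detection
    condition: amount within a limit and no forbidden marker in the content."""
    if len(access_data) > max_bytes or any(m in access_data for m in forbidden):
        return "terminate_all"
    return "continue"


if __name__ == "__main__":
    allowed = Packet("10.0.0.5", 51000, "10.1.0.20", 443, "tcp")
    wrong_dst = Packet("10.0.0.5", 51000, "10.1.0.21", 5432, "tcp")
    unknown = Packet("10.0.0.5", 51002, "10.1.0.20", 443, "tcp")
    for p in (allowed, wrong_dst, unknown):
        print(p.sport, "->", p.dst, gate(p))
    preset = preset_ar1([64, 96, 144, 216])          # constructed history
    print("preset", preset)
    print(control(360, preset, 10, 50, "important", "2023-11-06T10:00:00Z", b"GET /api/v1"))
    print(inspect(b"GET /api/v1?file=../etc/passwd", 1024, [b"etc/passwd"]))
```

Two points a practitioner should keep in mind. First, the gate fails closed: a source port that no socket owns, or a process identifier the policy does not list, withholds the packet rather than passing it, which is what makes the method confine an unknown process without touching the other processes on the client. Second, the source-port-to-process attribution only works on the client host itself (on Linux it would map the port to a socket inode through /proc/net/tcp and the inode to a PID through /proc/<pid>/fd), and process identifiers are reused, so a deployment should key the policy on something stable such as the executable path or hash in addition to the PID; the example keeps the patent's identifier-only lookup for clarity.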

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311463958.XA CN117201195B (en) 2023-11-06 2023-11-06 Process network policy limiting method and device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117201195A CN117201195A (en) 2023-12-08
CN117201195B true CN117201195B (en) 2024-01-26

Family

ID=89001992

Country Status (1)

Country Link
CN (1) CN117201195B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103873381A (en) * 2014-03-25 2014-06-18 安一恒通(北京)科技有限公司 Network flow rate limiting method and device
CN104104560A (en) * 2014-08-08 2014-10-15 广东欧珀移动通信有限公司 Monitoring method and device for application flow and mobile terminal
CN108307337A (en) * 2017-08-22 2018-07-20 深圳市爱培科技术股份有限公司 Flux monitoring method, system and the storage device of vehicle mounted guidance terminal
WO2021008028A1 (en) * 2019-07-18 2021-01-21 平安科技(深圳)有限公司 Network attack source tracing and protection method, electronic device and computer storage medium
CN114244624A (en) * 2021-12-31 2022-03-25 北京市商汤科技开发有限公司 Flow control method and device, equipment and storage medium
CN116566739A (en) * 2023-06-29 2023-08-08 北京安天网络安全技术有限公司 Security detection system, electronic equipment and storage medium
CN116996440A (en) * 2022-04-26 2023-11-03 腾讯科技(深圳)有限公司 Flow control method, flow control device, electronic device, storage medium, and program product

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9495538B2 (en) * 2008-09-25 2016-11-15 Symantec Corporation Graduated enforcement of restrictions according to an application's reputation
US9992217B2 (en) * 2015-12-31 2018-06-05 The University Of North Carolina At Chapel Hill Methods, systems, and computer readable media for detecting malicious network traffic

Similar Documents

Publication Publication Date Title
US11657174B2 (en) Dynamic multi-factor authentication
US20190207966A1 (en) Platform and Method for Enhanced Cyber-Attack Detection and Response Employing a Global Data Store
US20190207967A1 (en) Platform and method for retroactive reclassification employing a cybersecurity-based global data store
CN111274583A (en) Big data computer network safety protection device and control method thereof
US11240275B1 (en) Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
US10341355B1 (en) Confidential malicious behavior analysis for virtual computing resources
US20130133026A1 (en) System, method, and apparatus for data, data structure, or encryption cognition incorporating autonomous security protection
US10142343B2 (en) Unauthorized access detecting system and unauthorized access detecting method
CN105409164A (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US20180176262A1 (en) Systems and methods for device specific security policy control
US9940181B2 (en) System and method for reacting to system calls made to a kernal of the system
CN112165455A (en) Data access control method and device, computer equipment and storage medium
CN113168469B (en) System and method for behavioral threat detection
CN113711559B (en) System and method for detecting anomalies
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
JP2018509822A (en) Reliable third-party broker for collection and private sharing of successful computer security practices
CN109997138A (en) For detecting the system and method for calculating the malicious process in equipment
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN113411295A (en) Role-based access control situation awareness defense method and system
Zavalyshyn et al. My house, my rules: A private-by-design smart home platform
CN117201195B (en) Process network policy limiting method and device, equipment and storage medium
US20110126217A1 (en) System, a method, and a data-structure for processing system calls in a computerized system that implements a kernel
CN115883170A (en) Network flow data monitoring and analyzing method and device, electronic equipment and storage medium
CN115022008A (en) Access risk assessment method, device, equipment and medium
CN117494185B (en) Database access control method, device, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant