CN107347051A - Service message processing method and system - Google Patents


Info

Publication number: CN107347051A
Authority: CN (China)
Prior art keywords: pending, address, source, service message, equipment
Legal status: Granted (Active)
Application number: CN201610294119.3A
Other languages: Chinese (zh)
Other versions: CN107347051B (en)
Inventor: 李晗
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/1458 Network architectures or network communication protocols for network security > for detecting or protecting against malicious traffic > Countermeasures against malicious traffic > Denial of Service
    • H04L45/74 Routing or path finding of packets in data switching networks > Address processing for routing
    • H04L63/0236 Network architectures or network communication protocols for network security > for separating internal from external traffic, e.g. firewalls > Filtering policies > Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/1408 Network architectures or network communication protocols for network security > for detecting or protecting against malicious traffic > by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a service message processing method and system. The method includes: obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address; determining, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if the pending source IP address is determined to be in the pending trusted source IP address set, re-injecting the pending service message into the routing device. Because the application obtains the trusted source IP address set through big data analysis, the accuracy of the set is very high, so the application can keep normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.

Description

Service message processing method and system
Technical field
The application relates to the field of communication technology, and in particular to a service message processing method and system.
Background
With the continuous progress of network technology, network attacks are becoming more and more numerous. At present, among the many kinds of network attack, the distributed denial of service (DDoS) attack has become one of the more serious attack methods. The principle of a DDoS attack is to learn the resource bottleneck of the destination device in advance; the attack devices then send a large number of attack messages to consume that bottleneck, so that the destination device cannot handle the attack messages and collapses. To guard against DDoS attacks, a defense device can be added to the original system architecture to block them.
Fig. 1 is a schematic diagram of an existing network system. As the figure shows, the system includes a source device 11, a routing device 12, a defense device 13 and a destination device 14. The source devices include normal devices and attack devices, so the service messages that source devices send to the routing device include both attack messages sent by attack devices and normal messages sent by normal devices. The defense device filters out attack messages according to a cleaning policy and finally sends the normal messages to the destination device.
Many defense policies exist at present. Research shows that current defense policies are determined from a small number of service messages, or are set manually by technicians based on experience, so they are inaccurate and may mistakenly drop normal messages. For example, a cleaning policy commonly used by defense devices is message rate limiting. It works by presetting in the defense device the protocol types that attack devices commonly use (hereafter called preset protocol types for convenience) and then filtering service messages by preset protocol type. Because both attack messages and normal messages may use the preset protocol types, filtering service messages in this way mistakenly drops some normal messages.
A new service message processing method is therefore needed that keeps normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.
Summary of the invention
The application provides a service message processing method and system that can keep normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.
To achieve this goal, the application provides the following technical means:
A service message processing method, including:
obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address;
determining, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address;
if the pending source IP address is determined to be in the pending trusted source IP address set, re-injecting the pending service message into the routing device, which forwards it to the pending destination device corresponding to the pending destination IP address.
Preferably, obtaining the pending service message corresponding to the pending destination IP address includes:
diverting, from the routing device, the pending service message corresponding to the pending destination IP address.
Preferably, the pending trusted source IP address set is the set of IP addresses of multiple trusted source devices, determined based on the feature information of history service messages that accessed the pending destination device.
Preferably, determining the set of IP addresses of multiple trusted source devices based on the feature information of history service messages that accessed the pending destination device includes:
determining the pending feature information set corresponding to the pending destination IP address, where the pending feature information set consists of the feature information of the history service messages that accessed the pending destination device within a preset number of days;
determining, based on the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device;
determining the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
storing the pending trusted source IP address set, and the correspondence between the pending destination IP address and the pending trusted source IP address set.
Preferably, determining the IP addresses of the multiple trusted source devices of the pending destination device based on the pending feature information set includes:
after classifying the feature information in the pending feature information set by source IP address, calculating a preset number of attribute values for each source IP address from each class of feature information;
calculating the confidence interval of each attribute based on the preset number of attribute values of each source IP address;
if more than half of the attribute values of a source IP address fall within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
Preferably, the feature information of a history service message includes: the source IP address, source port, destination IP address, destination port and access time of the history service message;
the attribute information of each source IP address includes: the total number of days on which the pending destination device was accessed, the average number of visits per day to the pending destination device, the average access interval for accessing the pending destination device, and/or the access time distribution for accessing the pending destination device.
Preferably, calculating the confidence interval of each attribute based on the preset number of attribute values of each source IP address includes:
calculating the average value and variance value of each attribute based on the preset number of attribute values of each source IP address;
determining the confidence interval of each preset attribute using the average value and variance value of each attribute.
Preferably, [average value - 3 * variance value, average value + 3 * variance value] of each preset attribute is determined as the confidence interval of that preset attribute.
Preferably, the method further includes:
after receiving a copy of the pending service message that is identical to the pending service message, extracting the feature information of the copy;
updating the pending feature information set using the feature information of the copy of the pending service message.
Preferably, the method further includes:
re-determining the pending trusted source IP address set based on the updated pending feature information set.
Preferably, after obtaining the pending service message that corresponds to the pending destination IP address and contains the pending source IP address, the method further includes:
judging whether the pending source IP address in the pending service message is in a blacklist;
if the pending IP address is in the blacklist, determining that the pending service message is an attack message;
forbidding re-injection of the pending service message into the routing device.
Preferably, the method further includes:
if the pending source IP address is determined not to be in the blacklist and not to be in the pending trusted source IP address set, applying rate limiting to the pending service message.
A service message processing system, including:
multiple source devices, an optical splitter connected to the multiple source devices, a routing device and a defense device connected to the optical splitter, and multiple destination devices connected to the routing device;
a pending source device among the multiple source devices, for sending a pending service message to a pending destination device among the multiple destination devices, where the pending service message contains the pending destination IP address of the pending destination device and the pending source IP address of the pending source device;
the optical splitter, for handling the pending service message and sending the pending service message to the routing device;
the defense device, for obtaining from the routing device the pending service message corresponding to the pending destination IP address; determining, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if the pending source IP address is determined to be in the pending trusted source IP address set, re-injecting the pending service message into the routing device;
the routing device, for receiving the pending service message re-injected by the defense device and forwarding it to the pending destination device corresponding to the pending destination IP address.
Preferably, the defense device includes a cleaning device and an analysis device, where the analysis device is connected to the optical splitter and the cleaning device is connected to the routing device and the analysis device;
the analysis device, for determining the trusted source IP address set of each destination device based on the feature information, sent by the optical splitter, of history service messages in which multiple source devices access destination devices, and for storing the correspondence between destination IP addresses and trusted source IP address sets;
the cleaning device, for obtaining, from the correspondence between destination IP addresses and trusted source IP address sets in the analysis device, the pending trusted source IP address set corresponding to the pending destination IP address; obtaining from the routing device the pending service message that corresponds to the pending destination IP address and contains the pending source IP address; and, if the pending source IP address in the pending service message is determined to be in the pending trusted source IP address set, re-injecting the pending service message into the routing device.
Preferably, the analysis device includes: a preprocessing server, an analysis server and a database device;
the preprocessing server, for determining the pending feature information set corresponding to the pending destination IP address, where the pending feature information set consists of the feature information of the history service messages that accessed the pending destination device within a preset number of days, and a history service message is the replica service message obtained after the optical splitter replicates the original service message that a source device sends to the pending destination device;
the analysis server, for determining, based on the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device, and determining the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
the database device, for storing the pending trusted source IP address set, and the correspondence between the pending destination IP address and the pending trusted source IP address set.
Preferably, the specific process by which the analysis server determines the IP addresses of the multiple trusted source devices of the pending destination device based on the pending feature information set includes:
after classifying the feature information in the pending feature information set by source IP address, calculating a preset number of attribute values for each source IP address from each class of feature information; calculating the confidence interval of each attribute based on the preset number of attribute values of each source IP address; and, if more than half of the attribute values of a source IP address fall within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
Preferably, the feature information of a history service message includes: the source IP address, source port, destination IP address, destination port and access time of the history service message;
the attribute information of each source IP address includes: the total number of days on which the pending destination device was accessed, the average number of visits per day to the pending destination device, the average access interval for accessing the pending destination device, and/or the access time distribution for accessing the pending destination device.
Preferably, the step in which the analysis server calculates the confidence interval of each attribute based on the preset number of attribute values of each source IP address specifically includes:
calculating the average value and variance value of each attribute based on the preset number of attribute values of each source IP address;
determining the confidence interval of each preset attribute using the average value and variance value of each attribute. Specifically, [average value - 3 * variance value, average value + 3 * variance value] of each preset attribute can be determined as the confidence interval of that preset attribute.
Preferably, the optical splitter handling the pending service message specifically means replicating the pending service message to obtain a copy of the pending service message, and sending the copy to the preprocessing server;
the preprocessing server is further used to receive the copy of the pending service message, extract the feature information of the copy, and update the pending feature information set using that feature information;
the analysis server is used to re-determine the pending trusted source IP address set based on the updated pending feature information set, and to update the pending trusted source IP address set in the database device.
Preferably, the database device of the analysis device is further used to store a blacklist containing multiple attack source IP addresses;
the cleaning device is then further used to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending IP address is in the blacklist, to determine that the pending service message is an attack message; and to forbid re-injection of the pending service message into the routing device.
Preferably, the cleaning device is further used to apply rate limiting to the pending service message if the pending source IP address is determined not to be in the blacklist and not to be in the pending trusted source IP address set.
From the above technical content it can be seen that the application has the following beneficial effects:
The application provides a service message processing method. After receiving a pending service message containing the pending destination IP address, the application can determine the pending trusted source IP address set corresponding to the pending destination IP address, and then judge whether the pending source IP address in the pending service message is in that set. If so, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore determined to be a normal message. To ensure that normal messages pass normally, the pending service message is re-injected into the routing device, which forwards it to the pending destination device.
It will be understood that the trusted source IP address set the application obtains through big data analysis is highly accurate. The application can therefore keep normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the application or in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of a service message processing system in the prior art;
Fig. 2 is a structural diagram of a service message processing system disclosed in an embodiment of the application;
Fig. 3 is a flow chart of a service message processing method disclosed in an embodiment of the application;
Fig. 4 is a flow chart of another service message processing method disclosed in an embodiment of the application;
Fig. 5 is a flow chart of another service message processing method disclosed in an embodiment of the application;
Fig. 6 is a flow chart of another service message processing method disclosed in an embodiment of the application;
Fig. 7 is a flow chart of another service message processing method disclosed in an embodiment of the application;
Fig. 8 is a flow chart of another service message processing method disclosed in an embodiment of the application;
Fig. 9 is a structural diagram of another service message processing system disclosed in an embodiment of the application;
Fig. 10 is a structural diagram of another service message processing system disclosed in an embodiment of the application;
Fig. 11 is a structural diagram of another service message processing system disclosed in an embodiment of the application.
Detailed description of the embodiments
The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in the application without creative effort fall within the scope of protection of the application.
So that those skilled in the art are clear about the technical terms of the application, the technical terms appearing in the application are explained below:
Service message: the data unit exchanged and transmitted in a network, that is, the block of data a station sends at one time. A message contains the complete data to be sent; its length is not fixed and can vary without limit.
Attack message: a service message sent by an attacking terminal that has a certain effect on the recipient.
Normal message: a service message sent by a normal terminal that does not have such an effect on the recipient.
Source device: the sender of a service message.
Destination device: the recipient of a service message.
Optical splitter: a component used to build an Ethernet passive optical network. When data is transmitted over optical fiber, the optical splitter replicates the optical data into an extra copy for monitoring. Put simply, an optical splitter works like a three-way (tee) connector: the original traffic passes through normally while, at the same time, one copy is split off for a monitoring device to analyze.
Defense device: a device on which a software program for defending against attack messages is installed.
3σ criterion: in a normal distribution, σ denotes the standard deviation and μ the mean. The 3σ criterion states that the probability of a value falling in (μ-σ, μ+σ) is 0.6826, the probability of it falling in (μ-2σ, μ+2σ) is 0.9544, and the probability of it falling in (μ-3σ, μ+3σ) is 0.9974. It can therefore be considered that almost all reasonable values are concentrated in the interval (μ-3σ, μ+3σ), and the probability of a value falling outside this range is less than 0.3%.
So that those skilled in the art can understand the application scenario, the service processing system provided by the application is introduced first. The service processing system specifically includes: multiple source devices 21, a routing device 22 and a defense device 23 connected to the multiple source devices 21, and multiple destination devices 24 connected to the routing device 22. The routing device 22 provided in this embodiment can be a core router.
There are multiple destination devices in the service message processing system, and the application can clean the service messages that access each destination device; in that case the IP address of each destination device needs to be set in the defense device. If the service messages accessing one destination device are to be cleaned, the IP address of that destination device is set in the defense device.
Because the defense device processes the service messages accessing each destination device in the same way, the application is described using only one pending destination device among the multiple destination devices as an example. In addition, there are multiple source devices in the service processing system, and the processing for each source device accessing the pending destination device is also the same; therefore only the processing of a pending source device accessing the pending destination device is described in detail.
The specific processing performed by the defense device is described in detail below. The application provides a service message processing method applied to the defense device shown in Fig. 2. As shown in Fig. 3, it includes the following steps:
Step S301:Obtain corresponding with pending purpose IP address, comprising pending source IP address Pending service message.
It is pending after the pending service message for accessing pending purpose equipment is sent in pending source device Service message can reach routing device.In order to show the source of pending service message, whereabouts and time, The source IP address and source port of pending source device, pending purpose equipment are included in pending service message Purpose IP address and destination interface, and pending source device sends the time of pending service message, Later abbreviation access time.
The present embodiment sets the pending purpose IP address of pending purpose equipment in defensive equipment, then says The bright service message for accessing pending purpose equipment may have normal message to have exception message.Therefore, Need from routing device to draw pending service message to defensive equipment, to treat processing business report Text is determined whether.
It is understood that the service message that institute's active equipment accesses all purposes equipment can reach route Equipment, also, the IP address of the IP address comprising source device and purpose equipment in each service message. So defensive equipment can be by the purpose IP in each service message in pending IP address and routing device Matched, so as to obtain the service message that purpose IP address is pending purpose IP address, that is, visited Ask the service message of pending purpose equipment.
Step S302:By purpose IP address and the corresponding relation of credible source IP address set, it is determined that and institute State pending credible source IP address set corresponding to pending purpose IP address.
It is understood that because the service message that trusted source devices are sent is normal message.Therefore, If it is determined that the source device for sending service message is trusted source devices, then the industry that the source device is sent can be determined Business message is normal message.But have many each purpose equipments in operation system, also, each mesh Equipment trusted source devices it is different not to the utmost.Therefore, defensive equipment can be predefined or determined in real time The trusted source devices set of each purpose equipment, and it is corresponding with trusted source devices set to build purpose equipment Relation.
Because purpose equipment and source device can use IP address unique mark, therefore, structure purpose equipment with The corresponding relation of trusted source devices set, as build purpose IP address and pair of credible source IP address set It should be related to.After defensive equipment determines the trusted source devices set of each purpose equipment, that is, determine each mesh IP address credible source IP address set after, just by each purpose IP address and each trusted sources IP The corresponding storage of location set.
The application is by accessing the big data (a large amount of history service messages) of each purpose equipment, to determine The credible source IP address set of each purpose equipment.There is generality and popularity due to big data, because This, the credible source IP address set of each purpose equipment determined by analyzing big data is more accurate.In detail Thin determination process, will be described in subsequent embodiment, will not be repeated here.
Defensive equipment after pending service message is received, just according to the purpose IP address of storage with it is credible The corresponding relation of source IP address set, search pending trusted sources IP corresponding with pending purpose IP address Address set.
Step S303: Judge whether the pending source IP address is in the pending trusted source IP address set. If so, go to step S304; otherwise go to step S305.
Because the pending trusted source IP address set contains the IP addresses of all trusted source devices of the pending destination device, whether the pending service message is a normal message can be determined by judging whether the source IP address of the pending source device is in the pending trusted source IP address set.
Step S304: If it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, reinject the pending service message to the routing device, which forwards it to the pending destination device corresponding to the pending destination IP address.
If the pending source IP address in the pending service message is in the pending trusted source IP address set, the pending source device is a trusted source device of the pending destination device, and the pending service message it sent is a normal message. The pending service message that was pulled out of the routing device is therefore reinjected to the routing device, so that the routing device forwards it to the pending destination device.
Step S305: If it is determined that the pending source IP address in the pending service message is not in the pending trusted source IP address set, perform other processing.
If the pending source IP address in the pending service message is not in the pending trusted source IP address set, the pending source device is not a trusted source device of the pending destination device, and the pending service message it sent is not a normal message.
The above technical features show that the present application has the following beneficial effects:
The present application provides a service message processing method. After receiving a pending service message that includes a pending destination IP address, the method determines the pending trusted source IP address set corresponding to that pending destination IP address and then judges whether the pending source IP address in the pending service message is in that set. If it is, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore a normal message. To ensure that normal messages pass, the pending service message is reinjected to the routing device, which forwards it to the pending destination device.
It can be understood that the trusted source IP address sets the present application obtains from big data are highly accurate. The application can therefore clean attack messages out of the service messages while keeping normal messages from being dropped by mistake.
Because the boundary between normal messages and attack messages cannot be determined completely in practice, a defense device can divide service messages into three kinds: normal messages, attack messages, and featureless messages (service messages that cannot be determined to be either normal or abnormal). The embodiment shown in Fig. 3 is the process of determining normal messages. The application can also include a process of determining attack messages.
Attack devices are shared by all destination devices; that is, an attack device is an attack device for every destination device. The defense device can therefore include a blacklist containing multiple attack source IP addresses.
As shown in Fig. 4, after the pending service message corresponding to the pending destination device is obtained in step S301, the method further includes:
Step S401: Judge whether the pending source IP address in the pending service message is in the blacklist. If so, go to step S402; otherwise perform other processing.
To determine whether the pending source device is an attack device, the pending source IP address of the pending source device can be obtained from the pending service message. The pending source IP address is then compared with each IP address in the blacklist to judge whether it is present in the blacklist.
Step S402: If the pending source IP address is in the blacklist, determine that the pending service message is an attack message.
If the pending source IP address is in the blacklist, the device that sent the pending service message is an attack device, and the pending service message is an attack message.
Step S403: Forbid reinjecting the pending service message to the routing device.
To protect the pending destination device, once the pending service message is determined to be an attack message it is not reinjected to the routing device. The routing device therefore does not send the pending service message to the pending destination device, and the pending destination device never receives it.
Step S404: Other processing.
The embodiments of Fig. 3 and Fig. 4 can be executed in either order. The embodiment shown in Fig. 3 can be executed first to determine whether the pending service message is a normal message; if it is, the embodiment shown in Fig. 4 need not be executed; if it is not, the embodiment shown in Fig. 4 is then executed to determine whether the pending service message is an attack message.
Alternatively, the embodiment shown in Fig. 4 can be executed first to determine whether the pending service message is an attack message; if it is, the embodiment shown in Fig. 3 need not be executed; if it is not, the embodiment shown in Fig. 3 is then executed to determine whether the pending service message is a normal message.
If, after the embodiments of Fig. 3 and Fig. 4, the pending service message is found to be neither a normal message nor an attack message, it is a featureless message; that is, the pending source IP address is stored in neither the pending trusted source IP address set nor the blacklist. Because it is uncertain whether the pending service message is a normal message or an attack message, rate limiting is applied to it. That is, if the pending source IP address is not in the blacklist and is not in the pending trusted source IP address set, rate limiting is applied to the pending service message.
Rate limiting can be implemented by applying packet-loss processing to the pending service messages sent by the pending source device, which reduces the rate at which the pending source device sends pending service messages.
The following describes in detail how the defense device determines the trusted source IP address set of each destination device. It can be understood that, in the service message processing system, multiple source devices can access a destination device; among them, some are trusted source devices and some are untrusted source devices. Whether each source device is a trusted source device of the destination device can therefore be determined from the characteristic information of the service messages with which each source device accesses the destination device.
It is therefore first necessary to determine the characteristic information set of the service messages with which the source devices access the destination device. The detailed implementation is as follows:
To use big data to determine the trusted source IP address set of each destination device, the defense device needs to obtain a large number of history service messages that access each destination device, so as to obtain the characteristic information of each history service message.
The defense device can obtain the characteristic information of the history service messages that access each destination device. For ease of control, the defense device can build one characteristic information set for each destination device. A characteristic information set stores the characteristic information of the history service messages that access that destination device. The defense device also builds the correspondence between the destination IP address of the destination device and the characteristic information set, for later use.
It can be understood that, for each destination device, the larger the number of pieces of characteristic information in the characteristic information set, the more history service messages there are, and the more accurate the calculated trusted source IP address set of the destination device. However, a larger amount of characteristic information reduces the processing speed of the defense device. Usually, therefore, technicians set a preset number of days and the defense device obtains only the characteristic information of history service messages within that number of days; that is, the characteristic information set of each destination device contains only the characteristic information of history service messages within the preset number of days. The preset number of days can be chosen according to actual conditions and is not limited here.
After the characteristic information set of each source device is determined, whether each source device is a trusted source device of the destination device is determined from that characteristic information set. The following describes how the defense device determines the trusted source IP address set of each destination device from the characteristic information set of each destination device.
The process of determining trusted source IP addresses is the same for every destination device. The present application therefore takes only the pending destination device among the multiple destination devices as an example and describes in detail how its pending trusted source IP address set is determined.
As shown in Fig. 5, the process specifically includes the following steps:
Step S501: Determine the pending characteristic information set corresponding to the pending destination IP address.
The defense device stores the correspondence between each destination IP address and its characteristic information set, so the pending characteristic information set corresponding to the pending destination device can be looked up by the pending destination IP address. The pending characteristic information set includes the characteristic information of several history service messages. The several history service messages can include the service messages that multiple source devices sent to the pending destination device within the preset number of days.
The characteristic information includes the source IP address, source port, destination IP address, destination port and access time of a history service message. A history service message is the replica service message obtained when the optical splitter copies the original service message that a source device sends to the pending destination device.
Step S502: Based on the pending characteristic information set, determine the IP addresses of the multiple trusted source devices of the pending destination device.
Based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device are determined from among the multiple source devices that the pending characteristic information set indicates.
Step S503: Determine the set of the IP addresses of the multiple trusted source devices to be the pending trusted source IP address set.
Step S504: Store the correspondence between the pending destination IP address of the pending destination device and the pending trusted source IP address set.
After the IP addresses of the multiple trusted source devices of the pending destination device are determined, the set of those IP addresses forms the pending trusted source IP address set. The correspondence between the pending destination IP address and the pending trusted source IP address set is built and stored so that it can be used in the embodiment shown in Fig. 3.
The following describes in detail how step S502 in Fig. 5 determines, based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device. As shown in Fig. 6, it specifically includes the following:
Step S601: After the characteristic information in the pending characteristic information set is classified by source IP address, calculate a preset number of pieces of attribute information for each source IP address from each class of characteristic information. The pending characteristic information set contains the characteristic information of history service messages sent by multiple source devices.
The applicant found that the attribute information of a source device can determine whether it is a trusted source device of the pending destination device. Once the pending characteristic information set is obtained, the attribute information of the source devices can therefore be calculated. The attribute information is predefined by technicians: when they define 5 pieces of attribute information the preset number is 5, and when they define 3 the preset number is 3. It can be understood that the more pieces of attribute information there are, the more accurately it can be determined whether a source device is a trusted source device of the pending destination device.
The attribute information specifically includes: the total number of days on which the pending destination device was accessed, the average number of accesses to the pending destination device per day, the average interval between accesses to the pending destination device, and/or the access time distribution of accesses to the pending destination device.
Because the pending characteristic information set includes the characteristic information corresponding to each source device within the preset number of days, the characteristic information in the pending characteristic information set can be classified by source IP address. After classification, the characteristic information group corresponding to each source device within the preset number of days is obtained, that is, the characteristic information group corresponding to each source IP address within the preset number of days.
The following describes in detail, for the characteristic information group corresponding to one source IP address, how each piece of attribute information is determined:
(1) When the attribute information is the total number of days on which the pending destination device was accessed, the access date of each piece of characteristic information is determined from its access time in the characteristic information group. The number of distinct access dates is then counted, which gives the total number of days on which the source device corresponding to the source IP address accessed the pending destination device; it is denoted Day_i.
(2) When the attribute information is the average number of accesses to the pending destination device per day, the total number of accesses to the pending destination device on each date is calculated from the access time in each piece of characteristic information. The totals of the different dates are then summed; the quotient of this sum and the preset number of days is taken as the average number of times the source device accesses the pending destination device per day; it is denoted Countperday_i.
(3) When the attribute information is the average interval between accesses to the pending destination device, the characteristic information group is sorted by the access time of each piece of characteristic information, the access interval between every two adjacent pieces of characteristic information is calculated, and all access intervals are added up. The quotient of this sum and the total number of access intervals is determined to be the average interval between accesses to the pending destination device; it is denoted Interval_i.
(4) When the attribute information is the access time distribution of accesses to the pending destination device, the access time distribution is determined from the access time of each piece of characteristic information in the characteristic information group; it is denoted Accesstime_i.
In the above four pieces of attribute information, i is a natural number with 1 ≤ i ≤ N, where N is the number of source IP addresses obtained after the pending characteristic information set is classified, that is, the number of source devices.
Step S602: Based on the preset number of pieces of attribute information of each source IP address, calculate the confidence interval of each piece of attribute information.
Each piece of attribute information has a reasonable interval. If a source device's attribute information lies within the confidence interval corresponding to that attribute information, the source device's attribute information is reasonable.
This embodiment applies the 3σ criterion to determine the confidence interval of each piece of attribute information. The specific execution of this step is described below; as shown in Fig. 7, it specifically includes the following steps:
Step 701: Based on the preset number of pieces of attribute information of each source IP address, calculate the average value and variance value of each piece of attribute information.
With the attribute information denoted by the letter X, the average value and variance value of the attribute information are calculated as follows:
The formula for the average value of the attribute information is:
The formula for the variance value of the attribute information is:
In the above two formulas, N is the total number of source devices.
With the above formulas, the average value and variance of each piece of attribute information can be determined. For the specific attribute information this is stated as follows:
(1) When the attribute information is the total number of days Day_i on which the pending destination device was accessed, calculate the average value of the total number of days and the variance value Day σ.
(2) When the attribute information is the average number of accesses Countperday_i to the pending destination device per day, calculate the average value of the average number of accesses and the variance value Countperday σ.
(3) When the attribute information is the average access interval Interval_i of accesses to the pending destination device, calculate the average value of the average access interval and the variance value Interval σ.
(4) When the attribute information is the access time distribution Accesstime_i of accesses to the pending destination device, calculate the average value of the access time distribution and the variance value Accesstime σ.
Step 702: Using the average value and variance value of each piece of attribute information, determine the confidence interval of each preset attribute.
One concrete implementation is as follows: [average value − 3 × variance value, average value + 3 × variance value] of each preset attribute is determined to be the confidence interval of that preset attribute.
(1) When the attribute information is the total number of days Day_i on which the pending destination device was accessed, the confidence interval is:
(2) When the attribute information is the average number of accesses per day Countperday_i, the confidence interval is:
(3) When the attribute information is the average access interval Interval_i of accesses to the pending destination device, the confidence interval is:
(4) When the attribute information is the access time distribution Accesstime_i of accesses to the pending destination device, the reasonable interval of the access time distribution is:
Of course, the confidence interval of each preset attribute can also be determined in other ways, for example [average value − 2 × variance value, average value + 2 × variance value] or [average value − 1 × variance value, average value + 1 × variance value], which are not described further here.
Step S603: If more than half of the attribute information of a source IP address lies within the corresponding confidence intervals, determine that the source IP address is the IP address of a trusted source device of the pending destination device.
For each source IP address, each piece of its attribute information is matched against the confidence interval corresponding to that attribute information. If the attribute information lies within the confidence interval, the attribute information is normal; if it does not, the attribute information is abnormal.
Taking four pieces of attribute information as an example, if 3 pieces of a source device's attribute information lie within the corresponding confidence intervals, the source device is a trusted source device of the destination device. The IP address of the trusted source device can be added to the pending trusted IP address set of the pending destination device.
For example, take the attribute information to be the total number of days on which the pending destination device was accessed, with a preset number of days of 7 and a confidence interval of 3 to 6 days. If a source device accessed the pending destination device on 5 days, the total-days attribute of that source device is normal. If a source device accessed the pending destination device on 7 days, the total-days attribute of that source device is abnormal.
Every source device is judged in this way to determine all trusted source devices of the pending destination device, and the set of the IP addresses of all trusted source devices is determined to be the pending trusted IP address set of the pending destination device.
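The following Python sketch is an added example, not code from the patent: it carries steps S601 to S603 through on constructed history records for one destination and then applies the blacklist / trusted set / rate-limit decision of Figs. 3 and 4. It assumes three attributes (total days, accesses per day, average interval), reads the "variance value" σ as the population standard deviation as the 3σ criterion does, and uses documentation-range IP addresses and hypothetical function names.

```python
from collections import defaultdict
from statistics import mean, pstdev

DAY = 86400          # seconds per day
PRESET_DAYS = 7      # preset number of days of history (7 is the page's example)


def attributes(times):
    """Three of the page's attributes for one source IP, from its access times."""
    times = sorted(times)
    total_days = len({t // DAY for t in times})        # Day_i
    per_day = len(times) / PRESET_DAYS                 # Countperday_i
    gaps = [b - a for a, b in zip(times, times[1:])]
    interval = mean(gaps) if gaps else 0.0             # Interval_i (0 for one access: assumption)
    return (total_days, per_day, interval)


def trusted_sources(records, k=3):
    """records: (src_ip, access_time) pairs of history messages for ONE destination."""
    by_src = defaultdict(list)
    for src, t in records:                             # S601: classify by source IP
        by_src[src].append(t)
    attrs = {src: attributes(ts) for src, ts in by_src.items()}

    intervals = []                                     # S602: one interval per attribute
    for column in zip(*attrs.values()):
        m, s = mean(column), pstdev(column)            # sigma taken as std deviation (assumption)
        intervals.append((m - k * s, m + k * s))

    trusted = set()                                    # S603: more than half inside
    for src, values in attrs.items():
        inside = sum(lo <= v <= hi for v, (lo, hi) in zip(values, intervals))
        if inside * 2 > len(values):
            trusted.add(src)
    return trusted


def classify(src, dst, blacklist, trusted_by_dst):
    """Decision for one pending service message, blacklist checked first."""
    if src in blacklist:
        return "drop"            # attack message: never reinjected
    if src in trusted_by_dst.get(dst, set()):
        return "reinject"        # normal message: back to the routing device
    return "rate_limit"          # featureless message: packet-loss rate limiting


def constructed_history(n_regular=14):
    """Constructed sample: regular clients plus one source seen on a single day."""
    records = []
    for n in range(n_regular):
        src = f"198.51.100.{n + 1}"
        for day in range(5):                 # 5 of 7 days, at 09:00 and 15:00
            for hour in (9, 15):
                records.append((src, day * DAY + hour * 3600 + n * 60))
    # 2000 accesses one second apart, all on day 6
    records += [("203.0.113.9", 6 * DAY + i) for i in range(2000)]
    return records


if __name__ == "__main__":
    dst = "192.0.2.10"
    table = {dst: trusted_sources(constructed_history())}
    blacklist = {"203.0.113.66"}
    for src in ("198.51.100.1", "203.0.113.66", "203.0.113.9"):
        print(src, "->", classify(src, dst, blacklist, table))
```

With the population standard deviation no value can lie more than √(N − 1) deviations from the mean, so with ten or fewer source IP addresses the 3σ interval excludes nothing and every source is learned as trusted; `constructed_history(5)` shows this.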
The above is the process of determining the trusted source IP address set from the characteristic information of history service messages within the preset number of days. As shown in Fig. 8, the method further includes:
Step S801: After receiving a copy pending service message that is identical to the pending service message, extract the characteristic information of the copy pending service message.
While source devices keep accessing destination devices, the defense device keeps updating the characteristic information set of each destination device. For example, the defense device can receive the copy pending service message and extract its characteristic information.
Step S802: Update the pending characteristic information set with the characteristic information of the copy pending service message.
The characteristic information of the copy pending service message is added to the pending characteristic information set of the pending destination device. Service messages with which other source devices access the pending destination device are handled by the process shown in Fig. 8 in the same way, and their characteristic information is added to the pending characteristic information set.
Because the pending characteristic information set holds only the characteristic information of history service messages that accessed the pending destination device within the preset number of days, taking 7 days as an example, when a new day's characteristic information is added to the pending characteristic information set, the characteristic information of the last day in the pending characteristic information set is deleted.
The defense device can redetermine the pending trusted source IP address set from the updated pending characteristic information set, so that the pending trusted source IP address set of the pending destination device is kept up to date at all times.
For example, the defense device can run this computation once a day, determining the latest pending trusted source IP address set of the pending destination device from the updated pending characteristic information set. The embodiment shown in Fig. 3 can then use the latest pending trusted source IP address set of the pending destination device to determine whether the pending service message sent by the pending source device is normal, which gives a higher accuracy.
The present application provides a scenario embodiment of a service message processing system, as shown in Fig. 9, which specifically includes:
Multiple source devices 100, an optical splitter 200 connected to the multiple source devices 100, a routing device 300 and a defense device 400 connected to the optical splitter 200, and multiple destination devices 500 connected to the routing device 300. The routing device 300 provided by this embodiment can be a core router.
A pending source device 100 among the multiple source devices is configured to send a pending service message to a pending destination device 500 among the multiple destination devices. The pending service message includes the pending destination IP address of the pending destination device and the pending source IP address of the pending source device.
The optical splitter 200 is configured to process the pending service message and send the pending service message to the routing device 300.
The optical splitter can receive the original service messages sent by the multiple source devices and copy each original service message to obtain a replica service message. It then sends the replica service message to the defense device and the original service message to the routing device. In the present application both the routing device and the defense device need the service message, so the optical splitter copies the original service message to obtain two identical service messages. In this way both the routing device and the defense device obtain the service message.
The defense device 400 is configured to pull from the routing device the pending service message corresponding to the pending destination IP address; to determine, using the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, to reinject the pending service message to the routing device 300.
The pending trusted source IP address set is the set of the IP addresses of the multiple trusted source devices of the pending destination device, determined from the characteristic information of the history service messages that accessed the pending destination device.
The routing device 300 is configured to receive the pending service message reinjected by the defense device and to forward the pending service message to the pending destination device 500 corresponding to the pending destination IP address.
The specific implementation of the defense device 400 is described in detail below:
As shown in Fig. 10, the defense device includes a cleaning device 410 and an analysis device 420. The analysis device 420 is connected to the optical splitter 200, and the cleaning device 410 is connected to the routing device 300 and to the analysis device 420.
The analysis device 420 is configured to determine the trusted source IP address set of each destination device from the characteristic information of the history service messages, sent by the optical splitter, with which multiple source devices access the destination devices, and to store the correspondence between destination IP addresses and trusted source IP address sets.
The cleaning device 410 is configured to obtain, using the correspondence between destination IP addresses and trusted source IP address sets in the analysis device, the pending trusted source IP address set corresponding to the pending destination IP address; to obtain from the routing device the pending service message that corresponds to the pending destination IP address and includes a pending source IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, to reinject the pending service message to the routing device 500.
As shown in Fig. 11, the analysis device 420 specifically includes a preprocessing server 421, an analysis server 422 and a database device 423.
Taking the determination of the correspondence between the pending destination IP address and the pending trusted source IP address set as an example, the processing of each part of the analysis device 420 is described in detail below.
The preprocessing server 421 is configured to determine the pending characteristic information set corresponding to the pending destination IP address. The pending characteristic information set consists of the characteristic information of the history service messages that accessed the pending destination device within the preset number of days. A history service message is the replica service message obtained when the optical splitter copies the original service message that a source device sends to the pending destination device.
The characteristic information includes the source IP address, source port, destination IP address, destination port and access time of a history service message.
The analysis server 422 is configured to determine, based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device, and to determine the set of the IP addresses of the multiple trusted source devices to be the pending trusted source IP address set.
The database device 423 is configured to store the pending trusted source IP address set and the correspondence between the pending destination IP address of the pending destination device and the pending trusted source IP address set.
The Analysis server 422 performs and is based on the pending characteristic information set in fig. 11, it is determined that The detailed process of the IP address step of the multiple trusted source devices of pending purpose equipment includes:
After the characteristic information classification during processing feature information aggregate is treated by source IP address, according to special per class Reference ceases the predetermined number attribute information for calculating each source IP address respectively;Based on each source IP address Predetermined number attribute information, calculate the confidential interval of each attribute information;If a source IP address has half The attribute information of the number above is in corresponding confidential interval, it is determined that the source IP address is described pending The IP address of the trusted source devices of purpose equipment.
Wherein, the attribute information of each source IP address includes:Access total day of the pending purpose equipment Number, the Average visits for accessing the pending purpose equipment daily, the access pending purpose are set Standby average access interval and/or the access time distribution of the access pending purpose equipment.
The Analysis server 422 performs the predetermined number attribute based on each source IP address in fig. 11 Information, specifically include the step of the confidential interval for calculating each attribute information:
Predetermined number attribute information based on each source IP address, calculate the average value of each attribute information And variance yields;By [average value -3* variance yields, the average value+3* variance yields] of each preset attribute, it is defined as The confidential interval of each preset attribute.
In the system shown in Fig. 9, the optical splitter 200 processes the pending service message; specifically, it replicates the pending service message to obtain a copy of the pending service message, and sends the copy to the preprocessing server.
The preprocessing server 421 is further configured to receive the copy of the pending service message, extract the feature information of the copy, and use that feature information to update the pending feature information set.
The analysis server 422 is configured to re-determine the pending trusted source IP address set based on the updated pending feature information set, and to update the pending trusted source IP address set in the database device 423.
In addition, the database device 423 of the analysis device 420 is further configured to store a blacklist containing multiple attack source IP addresses.
The cleaning device 410 is then further configured to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending IP address is in the blacklist, to determine that the pending service message is an attack message; and to prohibit reinjection of the pending service message to the routing device.
The cleaning device 410 is further configured to apply rate limiting to the pending service message if it determines that the pending source IP address is not in the blacklist and is not in the pending trusted source IP address set.
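The procedure described above for the analysis server 422 and the cleaning device 410, as an added example that is not code from the patent: it builds the trusted source set from history feature records, then decides what happens to a message. The records, IP addresses, function names and the use of population variance are assumptions; access time distribution is left out, so three attributes are scored and "more than half" means at least two.

```python
from collections import defaultdict
from statistics import fmean, pvariance

DAY = 86400  # seconds

def sample_history(dst="203.0.113.10"):
    """Constructed feature records: (src_ip, src_port, dst_ip, dst_port, access_time)."""
    def visits(src, days, per_day, gap_s):
        return [(src, 40000 + i, dst, 443, d * DAY + 9 * 3600 + i * gap_s)
                for d in days for i in range(per_day)]
    recs = []
    for n in range(1, 7):                              # six steady clients
        recs += visits(f"10.0.0.{n}", range(5), 4, 7200)
    recs += visits("10.0.0.7", range(4), 4, 7200)      # client absent on one day
    recs += visits("10.0.0.99", (0, 2, 4), 6, 3600)    # atypical source
    return recs

def attributes(times):
    """Total days seen, average visits per day, average access interval in hours."""
    times = sorted(times)
    days = len({t // DAY for t in times})
    gaps = [(b - a) / 3600 for a, b in zip(times, times[1:])]
    # Assumption: a source seen once has no interval; 0.0 stands in for it.
    return [float(days), len(times) / days, fmean(gaps) if gaps else 0.0]

def trusted_sources(records, dst_ip):
    """Source IPs with more than half of their attributes inside the intervals."""
    by_src = defaultdict(list)
    for src, _sport, dst, _dport, t in records:
        if dst == dst_ip:
            by_src[src].append(t)
    attrs = {src: attributes(ts) for src, ts in by_src.items()}
    if not attrs:
        return set()
    # One interval per attribute: [mean - 3*variance, mean + 3*variance],
    # computed across all source IPs seen for this destination.
    bounds = []
    for col in zip(*attrs.values()):
        m, v = fmean(col), pvariance(col)
        bounds.append((m - 3 * v, m + 3 * v))
    trusted = set()
    for src, vals in attrs.items():
        hits = sum(lo <= x <= hi for x, (lo, hi) in zip(vals, bounds))
        if hits * 2 > len(vals):
            trusted.add(src)
    return trusted

def handle(src_ip, dst_ip, blacklist, trusted_by_dst):
    """Blacklist check first, then the trusted set, otherwise rate limiting."""
    if src_ip in blacklist:
        return "drop"          # attack message: never reinjected
    if src_ip in trusted_by_dst.get(dst_ip, set()):
        return "reinject"      # normal message: back to the routing device
    return "rate_limit"

if __name__ == "__main__":
    dst = "203.0.113.10"
    table = {dst: trusted_sources(sample_history(dst), dst)}
    for ip in ("10.0.0.3", "10.0.0.7", "10.0.0.99", "198.51.100.66"):
        print(ip, handle(ip, dst, {"198.51.100.66"}, table))
```

Because the interval is built from the variance rather than the standard deviation, its width depends on the unit each attribute is measured in; the constructed values here stay on small scales (days, visits per day, hours).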
From the above technical content, it can be seen that the application has the following beneficial effects:
This application provides a service message processing system. After receiving a pending service message that contains a pending destination IP address, the application can determine the pending trusted source IP address set corresponding to the pending destination IP address, and then judge whether the pending source IP address in the pending service message is in that pending trusted source IP address set. If so, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore determined to be a normal message. To ensure that normal messages pass through, the pending service message is reinjected to the routing device, which forwards it to the pending destination device.
It can be understood that the trusted source IP address set the application obtains by means of big data has a very high accuracy. Therefore, while cleaning the attack messages out of the service messages, the application can also keep normal messages from being dropped by mistake.
If the functions described in the method of this embodiment are implemented in the form of software functional units and are sold or used as an independent product, they can be stored in a storage medium readable by a computing device. Based on this understanding, the part of the embodiments of the application that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The software product is stored in a storage medium and includes several instructions that cause a computing device (which may be a personal computer, a server, a mobile computing device, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the application. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

  1. A service message processing method, characterized by comprising:
    obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address;
    determining, according to the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address;
    if it is determined that the pending source IP address is in the pending trusted source IP address set, reinjecting the pending service message to a routing device.
  2. The method according to claim 1, characterized in that obtaining the pending service message corresponding to the pending destination IP address comprises:
    diverting, at the routing device, the pending service message corresponding to the pending destination IP address.
  3. The method according to claim 1, characterized in that the pending trusted source IP address set is a set of the IP addresses of multiple trusted source devices, determined based on the feature information of history service messages that accessed the pending destination device.
  4. The method according to claim 3, characterized in that determining the set of the IP addresses of multiple trusted source devices based on the feature information of the history service messages that accessed the pending destination device comprises:
    determining the pending feature information set corresponding to the pending destination IP address, wherein the pending feature information set consists of the feature information of the history service messages that accessed the pending destination device within a preset number of days;
    determining, based on the pending feature information set, the IP addresses of multiple trusted source devices of the pending destination device;
    taking the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
    storing the pending trusted source IP address set, and the correspondence between the pending destination IP address and the pending trusted source IP address set.
  5. The method according to claim 4, characterized in that determining, based on the pending feature information set, the IP addresses of multiple trusted source devices of the pending destination device comprises:
    after classifying the feature information in the pending feature information set by source IP address, calculating a preset number of items of attribute information for each source IP address from its class of feature information;
    calculating, based on the preset number of items of attribute information of each source IP address, the confidence interval of each item of attribute information;
    if more than half of the attribute information of a source IP address lies within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
  6. The method according to claim 5, characterized in that
    the feature information of a history service message includes: the source IP address, source port, destination IP address, destination port and access time of the history service message;
    the attribute information of each source IP address includes: the total number of days on which it accessed the pending destination device, the average number of visits per day to the pending destination device, the average interval between accesses to the pending destination device, and/or the access time distribution of its accesses to the pending destination device.
  7. The method according to claim 5, characterized in that calculating the confidence interval of each item of attribute information based on the preset number of items of attribute information of each source IP address comprises:
    calculating, based on the preset number of items of attribute information of each source IP address, the mean and the variance of each item of attribute information, and using the mean and the variance of each item of attribute information to determine the confidence interval of each preset attribute.
  8. The method according to claim 4, characterized by further comprising:
    after receiving a copy of the pending service message that is identical to the pending service message, extracting the feature information of the copy of the pending service message;
    updating the pending feature information set using the feature information of the copy of the pending service message.
  9. The method according to claim 8, characterized by further comprising:
    re-determining the pending trusted source IP address set based on the updated pending feature information set.
  10. The method according to claim 1, characterized in that, after obtaining the pending service message that corresponds to the pending destination IP address and contains the pending source IP address, the method further comprises:
    judging whether the pending source IP address in the pending service message is in a blacklist;
    if the pending IP address is in the blacklist, determining that the pending service message is an attack message;
    prohibiting reinjection of the pending service message to the routing device.
  11. The method according to claim 10, characterized by further comprising:
    if it is determined that the pending source IP address is not in the blacklist, and the pending source IP address is not in the pending trusted source IP address set, applying rate limiting to the pending service message.
  12. A service message processing system, characterized by comprising:
    multiple source devices, an optical splitter connected with the multiple source devices, a routing device and a defense device connected with the optical splitter, and multiple destination devices connected with the routing device;
    a pending source device among the multiple source devices, configured to send a pending service message to a pending destination device among the multiple destination devices, the pending service message containing the pending destination IP address of the pending destination device and the pending source IP address of the pending source device;
    the optical splitter, configured to process the pending service message and send the pending service message to the routing device;
    the defense device, configured to obtain from the routing device the pending service message corresponding to the pending destination IP address; to determine, according to the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if it is determined that the pending source IP address is in the pending trusted source IP address set, to reinject the pending service message to the routing device;
    the routing device, configured to receive the pending service message reinjected by the defense device, and to forward the pending service message to the pending destination device corresponding to the pending destination IP address.
  13. The system according to claim 12, characterized in that the defense device includes a cleaning device and an analysis device, wherein the analysis device is connected with the optical splitter, and the cleaning device is connected with the routing device and with the analysis device;
    the analysis device is configured to determine the trusted source IP address set of each destination device, based on the feature information of the history service messages, sent by the optical splitter, of multiple source devices accessing the destination devices, and to store the correspondence between destination IP addresses and trusted source IP address sets;
    the cleaning device is configured to obtain the pending trusted source IP address set corresponding to the pending destination IP address, according to the correspondence between destination IP addresses and trusted source IP address sets in the analysis device; to obtain from the routing device the pending service message that corresponds to the pending destination IP address and contains the pending source IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, to reinject the pending service message to the routing device.
  14. The system according to claim 13, characterized in that the analysis device includes: a preprocessing server, an analysis server and a database device;
    wherein the preprocessing server is configured to determine the pending feature information set corresponding to the pending destination IP address, the pending feature information set consisting of the feature information of the history service messages that accessed the pending destination device within a preset number of days; a history service message is a replica service message obtained when the optical splitter replicates an original service message sent by a source device to the pending destination device;
    the analysis server is configured to determine, based on the pending feature information set, the IP addresses of multiple trusted source devices of the pending destination device, and to take the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
    the database device is configured to store the pending trusted source IP address set, and the correspondence between the pending destination IP address and the pending trusted source IP address set.
  15. The system according to claim 14, characterized in that
    the database device of the analysis device is further configured to store a blacklist containing multiple attack source IP addresses;
    the cleaning device is then further configured to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending IP address is in the blacklist, to determine that the pending service message is an attack message; and to prohibit reinjection of the pending service message to the routing device.
  16. The system according to claim 15, characterized in that
    the cleaning device is further configured to apply rate limiting to the pending service message if it determines that the pending source IP address is not in the blacklist and the pending source IP address is not in the pending trusted source IP address set.
CN201610294119.3A 2016-05-05 2016-05-05 Service message processing method and system Active CN107347051B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610294119.3A CN107347051B (en) 2016-05-05 2016-05-05 Service message processing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610294119.3A CN107347051B (en) 2016-05-05 2016-05-05 Service message processing method and system

Publications (2)

Publication Number Publication Date
CN107347051A (en) 2017-11-14
CN107347051B (en) 2021-02-05

Family

ID=60253854

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610294119.3A Active CN107347051B (en) 2016-05-05 2016-05-05 Service message processing method and system

Country Status (1)

Country Link
CN (1) CN107347051B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001038999A1 (en) * 1999-11-23 2001-05-31 Escom Corporation Electronic message filter having a whitelist database and a quarantining mechanism
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
CN102413105A (en) * 2010-09-25 2012-04-11 杭州华三通信技术有限公司 Method and device for preventing attack of challenge collapsar (CC)
CN103593609A (en) * 2012-08-16 2014-02-19 阿里巴巴集团控股有限公司 Trustworthy behavior recognition method and device
CN104468631A (en) * 2014-12-31 2015-03-25 国家电网公司 Network intrusion identification method based on anomaly flow and black-white list library of IP terminal

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107896232A (en) * 2017-12-27 2018-04-10 北京奇艺世纪科技有限公司 A kind of IP address appraisal procedure and device
CN107896232B (en) * 2017-12-27 2020-04-03 北京奇艺世纪科技有限公司 IP address evaluation method and device
CN110324295A (en) * 2018-03-30 2019-10-11 阿里巴巴集团控股有限公司 A kind of defence method and device of domain name system extensive aggression
CN110324295B (en) * 2018-03-30 2022-04-12 阿里云计算有限公司 Defense method and device for domain name system flooding attack
CN111756679A (en) * 2019-03-29 2020-10-09 北京数安鑫云信息技术有限公司 Log analysis method and device, storage medium and computer equipment
CN114221906A (en) * 2021-11-11 2022-03-22 百度在线网络技术(北京)有限公司 Flow control method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN107347051B (en) 2021-02-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant