CN107347051A - A kind of service message processing method and system - Google Patents
- Publication number
- CN107347051A CN201610294119.3A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a service message processing method and system. The method includes: obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address; determining, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set that corresponds to the pending destination IP address; and, if the pending source IP address is in the pending trusted source IP address set, reinjecting the pending service message to the routing device. Because the trusted source IP address set is obtained from big data, its accuracy is very high, so the application can clean the attack messages out of service messages while keeping normal messages from being mistakenly dropped.
Description
Technical field
The application relates to the field of communication technology, and in particular to a service message processing method and system.
Background
As network technology keeps advancing, network attacks are also becoming more numerous. Among the many kinds of network attack, the distributed denial of service (DDoS) attack has become one of the more serious attack methods. A DDoS attack works by learning the resource bottleneck of the destination device in advance; the attacking devices then send a large number of attack messages to consume that bottleneck, so that the destination device cannot handle the attack messages and collapses. To guard against DDoS attacks, a defense device can be added to the existing system architecture to block them.
Fig. 1 is a schematic diagram of an existing network system. As illustrated, the system includes source devices 11, a routing device 12, a defense device 13 and a destination device 14. The source devices include normal devices and attacking devices, so the service messages that the source devices send to the routing device contain both attack messages sent by attacking devices and normal messages sent by normal devices. The defense device filters out attack messages according to a cleaning policy and finally sends the normal messages to the destination device.
Many defense policies exist today. Study shows that current defense policies are either derived from a small number of service messages or set manually by technicians from experience, so they are inaccurate and may mistakenly drop normal messages. For example, a cleaning policy commonly used by defense devices is message rate limiting. It works by configuring in the defense device, in advance, the protocol types that attacking devices commonly use (referred to below as preset protocol types), and then filtering service messages by preset protocol type. Because both attack messages and normal messages can use a preset protocol type, filtering service messages in this way mistakenly drops some normal messages.
A new service message processing method is therefore needed, one that cleans the attack messages out of service messages while keeping normal messages from being mistakenly dropped.
Summary of the invention
This application provides a service message processing method and system that can keep normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.
To achieve this, the application provides the following technical means:
A service message processing method, including:
Obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address;
Determining, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set that corresponds to the pending destination IP address;
If the pending source IP address is determined to be in the pending trusted source IP address set, reinjecting the pending service message to the routing device, which forwards it to the pending destination device corresponding to the pending destination IP address.
Preferably, obtaining the pending service message corresponding to the pending destination IP address includes:
Diverting, from the routing device, the pending service message that corresponds to the pending destination IP address.
Preferably, the pending trusted source IP address set is the set of IP addresses of multiple trusted source devices, determined from the feature information of the historical service messages that accessed the pending destination device.
Preferably, determining the set of IP addresses of multiple trusted source devices from the feature information of the historical service messages that accessed the pending destination device includes:
Determining the pending feature information set corresponding to the pending destination IP address, where the pending feature information set consists of the feature information of the historical service messages that accessed the pending destination device within a preset number of days;
Determining, from the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device;
Taking the set of IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
Storing the pending trusted source IP address set, together with the correspondence between the pending destination IP address and the pending trusted source IP address set.
Preferably, determining the IP addresses of the multiple trusted source devices of the pending destination device from the pending feature information set includes:
Classifying the feature information in the pending feature information set by source IP address, then calculating a preset number of attributes for each source IP address from its class of feature information;
Calculating the confidence interval of each attribute from the preset number of attributes of each source IP address;
If more than half of the attributes of a source IP address are within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
Preferably, the feature information of a historical service message includes: the source IP address, source port, destination IP address, destination port and access time of the historical service message;
The attributes of each source IP address include: the total number of days on which it accessed the pending destination device, its average number of accesses to the pending destination device per day, its average interval between accesses to the pending destination device, and/or the time distribution of its accesses to the pending destination device.
Preferably, calculating the confidence interval of each attribute from the preset number of attributes of each source IP address includes:
Calculating the mean and the variance value of each attribute from the preset number of attributes of each source IP address;
Determining the confidence interval of each preset attribute from the mean and variance value of that attribute.
Preferably, [mean - 3 * variance value, mean + 3 * variance value] of each preset attribute is taken as the confidence interval of that attribute.
Preferably, the method further includes:
After receiving a copy pending service message identical to the pending service message, extracting the feature information of the copy pending service message;
Updating the pending feature information set with the feature information of the copy pending service message.
Preferably, the method further includes:
Redetermining the pending trusted source IP address set from the updated pending feature information set.
Preferably, after obtaining the pending service message that corresponds to the pending destination IP address and contains the pending source IP address, the method further includes:
Judging whether the pending source IP address in the pending service message is in a blacklist;
If the pending source IP address is in the blacklist, determining that the pending service message is an attack message;
Forbidding reinjection of the pending service message to the routing device.
Preferably, the method further includes:
If the pending source IP address is determined not to be in the blacklist and not to be in the pending trusted source IP address set, rate-limiting the pending service message.
A service message processing system, including:
Multiple source devices, an optical splitter connected to the multiple source devices, a routing device and a defense device connected to the optical splitter, and multiple destination devices connected to the routing device;
A pending source device among the multiple source devices, configured to send a pending service message to a pending destination device among the multiple destination devices; the pending service message contains the pending destination IP address of the pending destination device and the pending source IP address of the pending source device;
The optical splitter, configured to process the pending service message and send the pending service message to the routing device;
The defense device, configured to obtain from the routing device the pending service message corresponding to the pending destination IP address; to determine, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if the pending source IP address is determined to be in the pending trusted source IP address set, to reinject the pending service message to the routing device;
The routing device, configured to receive the pending service message reinjected by the defense device and forward it to the pending destination device corresponding to the pending destination IP address.
Preferably, the defense device includes a cleaning device and an analysis device, where the analysis device is connected to the optical splitter and the cleaning device is connected to the routing device and the analysis device;
The analysis device is configured to determine the trusted source IP address set of each destination device from the feature information of the historical service messages, sent by the optical splitter, in which the multiple source devices accessed the destination devices, and to store the correspondence between destination IP addresses and trusted source IP address sets;
The cleaning device is configured to obtain, from the correspondence between destination IP addresses and trusted source IP address sets in the analysis device, the pending trusted source IP address set corresponding to the pending destination IP address; to obtain from the routing device the pending service message that corresponds to the pending destination IP address and contains the pending source IP address; and, if the pending source IP address in the pending service message is determined to be in the pending trusted source IP address set, to reinject the pending service message to the routing device.
Preferably, the analysis device includes a preprocessing server, an analysis server and a database device;
The preprocessing server is configured to determine the pending feature information set corresponding to the pending destination IP address, where the pending feature information set consists of the feature information of the historical service messages that accessed the pending destination device within a preset number of days; a historical service message is the replica service message obtained when the optical splitter copies the original service message that a source device sent to the pending destination device;
The analysis server is configured to determine, from the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device, and to take the set of IP addresses of the multiple trusted source devices as the pending trusted source IP address set;
The database device is configured to store the pending trusted source IP address set, together with the correspondence between the pending destination IP address and the pending trusted source IP address set.
Preferably, the step in which the analysis server determines, from the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device specifically includes:
Classifying the feature information in the pending feature information set by source IP address, then calculating a preset number of attributes for each source IP address from its class of feature information; calculating the confidence interval of each attribute from the preset number of attributes of each source IP address; and, if more than half of the attributes of a source IP address are within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
Preferably, the feature information of a historical service message includes: the source IP address, source port, destination IP address, destination port and access time of the historical service message;
The attributes of each source IP address include: the total number of days on which it accessed the pending destination device, its average number of accesses to the pending destination device per day, its average interval between accesses to the pending destination device, and/or the time distribution of its accesses to the pending destination device.
Preferably, the step in which the analysis server calculates the confidence interval of each attribute from the preset number of attributes of each source IP address specifically includes:
Calculating the mean and the variance value of each attribute from the preset number of attributes of each source IP address;
Determining the confidence interval of each preset attribute from the mean and variance value of that attribute. Specifically, [mean - 3 * variance value, mean + 3 * variance value] of each preset attribute can be taken as the confidence interval of that attribute.
Preferably, the optical splitter processes the pending service message specifically by copying the pending service message to obtain a copy pending service message and sending the copy pending service message to the preprocessing server;
The preprocessing server is further configured to receive the copy pending service message, extract its feature information, and update the pending feature information set with that feature information;
The analysis server is configured to redetermine the pending trusted source IP address set from the updated pending feature information set, and to update the pending trusted source IP address set in the database device.
Preferably, the database device of the analysis device is further configured to store a blacklist containing multiple attack source IP addresses;
The cleaning device is then further configured to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending source IP address is in the blacklist, to determine that the pending service message is an attack message; and to forbid reinjection of the pending service message to the routing device.
Preferably, the cleaning device is further configured to rate-limit the pending service message if the pending source IP address is determined not to be in the blacklist and not to be in the pending trusted source IP address set.
From the technical content above, it can be seen that the application has the following advantages:
This application provides a service message processing method. After receiving a pending service message that contains a pending destination IP address, the application can determine the pending trusted source IP address set corresponding to the pending destination IP address, and then judge whether the pending source IP address in the pending service message is in the pending trusted source IP address set. If so, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore determined to be a normal message. To ensure that normal messages pass normally, the pending service message is reinjected to the routing device, which forwards it to the pending destination device.
It is understood that the accuracy of the trusted source IP address set that the application obtains from big data is very high. The application can therefore keep normal messages from being mistakenly dropped while cleaning the attack messages out of service messages.
Brief description of the drawings
To explain the technical solutions of the embodiments of this application or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application; a person of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a structural diagram of a service message processing system in the prior art;
Fig. 2 is a structural diagram of a service message processing system disclosed in an embodiment of this application;
Fig. 3 is a flow chart of a service message processing method disclosed in an embodiment of this application;
Fig. 4 is a flow chart of another service message processing method disclosed in an embodiment of this application;
Fig. 5 is a flow chart of another service message processing method disclosed in an embodiment of this application;
Fig. 6 is a flow chart of another service message processing method disclosed in an embodiment of this application;
Fig. 7 is a flow chart of another service message processing method disclosed in an embodiment of this application;
Fig. 8 is a flow chart of another service message processing method disclosed in an embodiment of this application;
Fig. 9 is a structural diagram of another service message processing system disclosed in an embodiment of this application;
Fig. 10 is a structural diagram of another service message processing system disclosed in an embodiment of this application;
Fig. 11 is a structural diagram of another service message processing system disclosed in an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in this application without creative work fall within the scope of protection of this application.
So that those skilled in the art are clear about the technical terms of this application, the terms that appear in it are explained below:
Service message: the data unit exchanged and transmitted in the network, that is, the block of data that a station sends at one time. A message contains the complete data information to be sent; its length varies greatly and is unlimited and variable.
Attack message: a service message, sent by an attacking terminal, that can have a certain impact on the receiver.
Normal message: a service message, sent by a normal terminal, that does not have such an impact on the receiver.
Source device: the sender of a service message.
Destination device: the receiver of a service message.
Optical splitter: a component used to build Ethernet passive optical networks. After data is transmitted over optical fiber, the optical splitter replicates a copy of the optical data for monitoring. Put simply, an optical splitter is like a tee fitting: the original traffic passes through normally while a copy is split off at the same time for a monitoring device to analyze.
Defense device: a device on which a software program that defends against attack messages is installed.
3σ criterion: in a normal distribution, σ denotes the standard deviation and μ denotes the mean. The 3σ criterion states that the probability of a value falling in (μ-σ, μ+σ) is 0.6826, the probability of a value falling in (μ-2σ, μ+2σ) is 0.9544, and the probability of a value falling in (μ-3σ, μ+3σ) is 0.9974. It can therefore be considered that reasonable values are almost entirely concentrated in the interval (μ-3σ, μ+3σ), and the possibility of falling outside this range is less than 0.3%.
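An added example, not taken from the patent, of the trusted-source selection that this 3σ interval is used for: attributes are computed per source IP from the historical records of one destination, each attribute gets the interval mean ± 3σ across sources, and a source is trusted when more than half of its attributes fall inside. It assumes σ is the standard deviation as defined above (the summary's wording is "variance value"), reduces the access time distribution to a mean hour of day, and runs on constructed records that use documentation-range IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Attribute names are illustrative; the page lists the four quantities in prose.
ATTRS = ("active_days", "visits_per_day", "mean_interval_s", "mean_hour")


def attributes(times):
    """Attributes of one source IP, computed from its access times."""
    times = sorted(times)
    days = {t.date() for t in times}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "active_days": len(days),
        "visits_per_day": len(times) / len(days),
        # Assumption: a source with a single access gets interval 0.
        "mean_interval_s": mean(gaps) if gaps else 0.0,
        # Assumption: the access time distribution is reduced to a mean hour.
        "mean_hour": mean(t.hour + t.minute / 60 for t in times),
    }


def trusted_sources(records, k=3.0):
    """records: (src_ip, src_port, dst_ip, dst_port, access_time) tuples,
    all for ONE destination IP. Returns (trusted source IPs, intervals)."""
    by_src = defaultdict(list)
    for src_ip, _sport, _dst_ip, _dport, ts in records:
        by_src[src_ip].append(ts)          # classify feature info by source IP
    attrs = {ip: attributes(ts) for ip, ts in by_src.items()}

    intervals = {}
    for name in ATTRS:                     # one interval per attribute
        values = [a[name] for a in attrs.values()]
        m, s = mean(values), pstdev(values)
        intervals[name] = (m - k * s, m + k * s)

    trusted = set()
    for ip, a in attrs.items():
        inside = sum(lo <= a[n] <= hi for n, (lo, hi) in intervals.items())
        if inside * 2 > len(ATTRS):        # strictly more than half
            trusted.add(ip)
    return trusted, intervals


def build_sample(n_regular=20):
    """Constructed history: n_regular steady clients plus one burst source."""
    base = datetime(2016, 5, 1)
    dst = "203.0.113.10"
    recs = []
    for i in range(n_regular):
        ip = f"198.51.100.{i + 1}"
        for day in range(5):
            for hour in (9, 13, 17):
                ts = base + timedelta(days=day, hours=hour + i % 3)
                recs.append((ip, 40000 + i, dst, 443, ts))
    for s in range(600):                   # 600 accesses, one second apart
        ts = base + timedelta(days=2, hours=3, seconds=s)
        recs.append(("192.0.2.66", 1024 + s, dst, 443, ts))
    return recs


if __name__ == "__main__":
    trusted, intervals = trusted_sources(build_sample())
    print(sorted(trusted))
    print(intervals)
```

The interval is computed over the same population it filters, so it only excludes anything once there are enough sources: with n sources no value can lie more than sqrt(n-1) population standard deviations from the mean, which means that with ten or fewer sources every source passes the 3σ test.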
To help those skilled in the art understand the application scenario of this application, the service processing system provided by the application is introduced first. The service processing system specifically includes: multiple source devices 21, a routing device 22 and a defense device 23 connected to the multiple source devices 21, and multiple destination devices 24 connected to the routing device 22. The routing device 22 in this embodiment can be a core router.
There are multiple destination devices in the service message processing system, and the application can clean the service messages that access each destination device; in that case the IP address of each destination device needs to be set in the defense device. If the service messages accessing one destination device are to be cleaned, the IP address of that destination device is set in the defense device.
Because the defense device processes the service messages accessing each destination device in the same way, the application is described using only one pending destination device among the multiple destination devices as an example. Likewise, there are multiple source devices in the service processing system and the processing is the same for each source device that accesses the pending destination device, so only the processing of a pending source device accessing the pending destination device is described in detail.
The processing performed by the defense device is described in detail below. This application provides a service message processing method, applied to the defense device shown in Fig. 2. As shown in Fig. 3, it specifically includes the following steps:
Step S301: Obtain a pending service message that corresponds to a pending destination IP address and contains a pending source IP address.
After the pending source device sends a pending service message to access the pending destination device, the pending service message reaches the routing device. To show where the pending service message came from, where it is going and when it was sent, the pending service message contains the source IP address and source port of the pending source device, the destination IP address and destination port of the pending destination device, and the time at which the pending source device sent the pending service message, referred to below as the access time.
In this embodiment the pending destination IP address of the pending destination device is set in the defense device, which indicates that the service messages accessing the pending destination device may include both normal messages and abnormal messages. The pending service message therefore needs to be diverted from the routing device to the defense device so that it can be examined further.
It is understood that the service messages in which all source devices access all destination devices reach the routing device, and each service message contains the IP address of the source device and the IP address of the destination device. The defense device can therefore match the pending destination IP address against the destination IP address of each service message in the routing device, and so obtain the service messages whose destination IP address is the pending destination IP address, that is, the service messages that access the pending destination device.
Step S302: From the correspondence between destination IP addresses and trusted source IP address sets, determine the pending trusted source IP address set corresponding to the pending destination IP address.
It is understood that the service messages sent by trusted source devices are normal messages. Therefore, if the source device that sent a service message is determined to be a trusted source device, the service message it sent can be determined to be a normal message. However, there are many destination devices in the service system, and the trusted source devices of each destination device are not all the same. The defense device can therefore determine, in advance or in real time, the trusted source device set of each destination device, and build the correspondence between destination devices and trusted source device sets.
Because a destination device and a source device can each be uniquely identified by an IP address, building the correspondence between destination devices and trusted source device sets amounts to building the correspondence between destination IP addresses and trusted source IP address sets. After the defense device determines the trusted source device set of each destination device, that is, the trusted source IP address set of each destination IP address, it stores each destination IP address together with its trusted source IP address set.
The application determines the trusted source IP address set of each destination device from big data (a large number of historical service messages) on accesses to that destination device. Because big data is general and broad, the trusted source IP address set of each destination device determined by analyzing it is more accurate. The detailed determination process is described in subsequent embodiments and is not repeated here.
After receiving the pending service message, the defense device looks up the pending trusted source IP address set corresponding to the pending destination IP address in the stored correspondence between destination IP addresses and trusted source IP address sets.
Step S303:Judge that the pending source IP address is in the pending credible source IP address collection
In conjunction.If so, then enter step S304;Otherwise step S305 is entered.
Due to all trusted source devices comprising pending IP address in pending credible source IP address set
IP address, therefore, it is possible to judge that whether the source IP address of pending source device is in pending trusted sources
In IP address set, to determine whether pending service message is normal message.
Step S304: If it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, reinject the pending service message into the routing device, so that the routing device forwards it to the pending destination device corresponding to the pending destination IP address.
If the pending source IP address in the pending service message is in the pending trusted source IP address set, the pending source device is a trusted source device of the pending destination device, and the pending service message it sent is a normal message. The pending service message that was diverted from the routing device is therefore reinjected into the routing device, so that the routing device forwards it to the pending destination device.
Step S305: If it is determined that the pending source IP address in the pending service message is not in the pending trusted source IP address set, perform other processing.
If the pending source IP address in the pending service message is not in the pending trusted source IP address set, the pending source device is not a trusted source device of the pending destination device, and the pending service message it sent is an abnormal message.
The above technical features show that the present application has the following beneficial effects:
The present application provides a service message processing method. After receiving a pending service message containing a pending destination IP address, the method determines the pending trusted source IP address set corresponding to the pending destination IP address and then judges whether the pending source IP address in the pending service message is in that set. If so, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore determined to be a normal message. To ensure that normal messages pass through normally, the pending service message is reinjected into the routing device, which forwards it to the pending destination device.
It can be understood that the trusted source IP address set obtained by the big-data approach is highly accurate. The present application can therefore clean the attack messages out of the service messages while keeping normal messages from being dropped by mistake.
Because the boundary between normal messages and attack messages cannot be fully determined in practice, the defense device can divide service messages into three kinds: normal messages, attack messages and featureless messages (service messages that cannot be determined to be either normal or abnormal). The embodiment shown in Fig. 3 is the process of determining normal messages. The present application may also include a process of determining attack messages.
Attack devices are shared by all destination devices; that is, a device that is an attack device is an attack device for every destination device. The defense device may therefore include a blacklist containing multiple attack source IP addresses.
As shown in Fig. 4, after the pending service message corresponding to the pending destination device is obtained in step S301, the method further includes:
Step S401: Judge whether the pending source IP address in the pending service message is in the blacklist. If so, proceed to step S402; otherwise, perform other processing.
To determine whether the pending source device is an attack device, the pending source IP address of the pending source device is obtained from the pending service message and compared with each IP address in the blacklist to judge whether it is present in the blacklist.
Step S402: If the pending source IP address is in the blacklist, determine that the pending service message is an attack message.
If the pending source IP address is in the blacklist, the pending source device is an attack device and the pending service message it sent is an attack message.
Step S403: Forbid reinjection of the pending service message into the routing device.
To protect the pending destination device, once the pending service message is determined to be an attack message, it is not reinjected into the routing device. The routing device therefore does not send it to the pending destination device, and the pending destination device never receives it.
Step S404: Other processing.
The embodiments of Fig. 3 and Fig. 4 may be performed in either order. The embodiment shown in Fig. 3 may be performed first to determine whether the pending service message is a normal message; if it is, the embodiment shown in Fig. 4 need not be performed, and if it is not, the embodiment shown in Fig. 4 is then performed to determine whether the pending service message is an attack message.
Alternatively, the embodiment shown in Fig. 4 may be performed first to determine whether the pending service message is an attack message; if it is, the embodiment shown in Fig. 3 need not be performed, and if it is not, the embodiment shown in Fig. 3 is then performed to determine whether the pending service message is a normal message.
If, after the embodiments of Fig. 3 and Fig. 4, the pending service message is found to be neither a normal message nor an attack message, it is a featureless message; that is, neither the pending trusted source IP address set nor the blacklist contains the pending source IP address, so it cannot be determined whether the pending service message is a normal message or an attack message. Rate limiting is therefore applied to the pending service message. That is, if the pending source IP address is not in the blacklist and is not in the pending trusted source IP address set, rate limiting is applied to the pending service message.
Rate limiting can be carried out by dropping packets of the pending service messages sent by the pending source device, which reduces the rate at which the pending source device sends pending service messages.
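The three outcomes of Fig. 3 and Fig. 4 (reinject, forbid reinjection, rate-limit by packet dropping) can be sketched as follows. This is an added example, not code from the patent; the token bucket, its rate and burst values, the class and function names and the sample addresses are assumptions constructed for illustration.

```python
class TokenBucket:
    """Packet-dropping rate limiter: at most `rate` packets/s, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            # Refill in proportion to elapsed time, capped at the burst size.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class CleaningDevice:
    """Hypothetical model of the defense device's per-message decision."""

    def __init__(self, trusted_by_dst, blacklist, rate=1.0, burst=2):
        self.trusted_by_dst = trusted_by_dst  # destination IP -> trusted source IP set
        self.blacklist = blacklist            # attack source IPs, shared by all destinations
        self.rate, self.burst = rate, burst
        self.buckets = {}                     # (src, dst) -> TokenBucket for featureless traffic

    def classify(self, src, dst):
        # The text allows either order; the blacklist is checked first here.
        if src in self.blacklist:                        # Fig. 4, steps S401-S402
            return "attack"
        if src in self.trusted_by_dst.get(dst, set()):   # Fig. 3, step S303
            return "normal"
        return "featureless"

    def handle(self, src, dst, now):
        """Return "reinject" or "drop" for one diverted service message."""
        kind = self.classify(src, dst)
        if kind == "attack":
            return "drop"       # S403: never reinjected into the routing device
        if kind == "normal":
            return "reinject"   # S304: routing device forwards it to the destination
        bucket = self.buckets.setdefault((src, dst), TokenBucket(self.rate, self.burst))
        return "reinject" if bucket.allow(now) else "drop"


def constructed_cleaner():
    """Constructed tables using documentation address ranges."""
    trusted_by_dst = {"198.51.100.1": {"192.0.2.10"}, "198.51.100.2": {"192.0.2.20"}}
    return CleaningDevice(trusted_by_dst, blacklist={"203.0.113.9"})


def replay(cleaner, messages):
    """messages: list of (src, dst, time_in_seconds); returns one verdict per message."""
    return [cleaner.handle(src, dst, now) for src, dst, now in messages]


if __name__ == "__main__":
    msgs = [("192.0.2.10", "198.51.100.1", 0.0),   # trusted for this destination
            ("192.0.2.10", "198.51.100.2", 0.0),   # same source, other destination
            ("203.0.113.9", "198.51.100.1", 0.0)]  # blacklisted for every destination
    print(replay(constructed_cleaner(), msgs))
```

Trust is looked up per destination while the blacklist applies to every destination, so the same source can be normal towards one destination and featureless towards another.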
The following describes in detail how the defense device determines the trusted source IP address set of each destination device. It can be understood that, in the service message processing system, multiple source devices can access a destination device; among them, some are trusted source devices and some are untrusted source devices. Whether each source device is a trusted source device of the destination device can therefore be determined from the feature information of the service messages with which that source device accesses the destination device.
Accordingly, the set of feature information of the service messages with which each source device accesses the destination device must first be determined. The detailed implementation is as follows:
To use big data to determine the trusted source IP address set of each destination device, the defense device needs to obtain a large number of historical service messages accessing each destination device and obtain the feature information of each historical service message.
The defense device can obtain the feature information of the historical service messages accessing each destination device. For ease of management, the defense device can build one feature information set per destination device. A feature information set stores the feature information of the historical service messages accessing that destination device. The correspondence between the destination IP address of the destination device and the feature information set is also built for later use.
It can be understood that, for each destination device, the more feature information the feature information set holds, the more historical service messages it reflects, and the more accurate the computed trusted source IP address set of the destination device. However, the more feature information there is, the lower the processing speed of the defense device. Usually, therefore, a technician presets a number of days, and the defense device obtains only the feature information of the historical service messages within the preset number of days; that is, the feature information set of each destination device contains only the feature information of the historical service messages within the preset number of days. The preset number of days depends on the actual situation and is not limited here.
After the feature information set of each source device is determined, whether each source device is a trusted source device of the destination device is determined from that set. The following describes how the defense device determines the trusted source IP address set of each destination device based on the feature information set of each destination device.
The process of determining trusted source IP addresses is the same for every destination device. The present application therefore takes only the pending destination device among the multiple destination devices as an example and describes in detail the process of determining the pending trusted source IP address set of the pending destination device.
As shown in Fig. 5, the process specifically includes the following steps:
Step S501: Determine the pending feature information set corresponding to the pending destination IP address.
The defense device stores the correspondence between each destination IP address and its feature information set, so the pending feature information set corresponding to the pending destination device can be looked up by the pending destination IP address. The pending feature information set includes the feature information of a number of historical service messages, which may include the service messages that multiple source devices sent to the pending destination device within the preset number of days.
The feature information includes the source IP address, source port, destination IP address, destination port and access time of a historical service message. A historical service message is the replica service message produced when the optical splitter copies an original service message sent by a source device to the pending destination device.
Step S502: Based on the pending feature information set, determine the IP addresses of multiple trusted source devices of the pending destination device.
Based on the pending feature information set, the IP addresses of multiple trusted source devices of the pending destination device are determined from among the multiple source devices indicated by the pending feature information set.
Step S503: Determine the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set.
Step S504: Store the correspondence between the pending destination IP address of the pending destination device and the pending trusted source IP address set.
After the IP addresses of the multiple trusted source devices of the pending destination device are determined, the set of these IP addresses forms the pending trusted source IP address set. The correspondence between the pending destination IP address and the pending trusted source IP address set is built and stored for use in the embodiment shown in Fig. 3.
The following describes in detail how step S502 in Fig. 5 determines, based on the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device. As shown in Fig. 6, it specifically includes the following:
Step S601: After classifying the feature information in the pending feature information set by source IP address, calculate a preset number of attribute information items for each source IP address from each class of feature information. The pending feature information set contains the feature information of the historical service messages sent by multiple source devices.
The applicant has found that the attribute information of a source device can be used to determine whether the source device is a trusted source device of the pending destination device. Therefore, once the pending feature information set is obtained, the attribute information of each source device can be calculated. The attribute information is predefined by a technician: if the technician defines 5 attribute information items, the preset number is 5; if the technician defines 3 attribute information items, the preset number is 3. It can be understood that the more attribute information items there are, the more accurately it can be determined whether a source device is a trusted source device of the pending destination device.
Specifically, the attribute information includes: the total number of days on which the pending destination device is accessed, the average number of accesses to the pending destination device per day, the average access interval for accessing the pending destination device and/or the access time distribution for accessing the pending destination device.
Because the pending feature information set includes the feature information of each source device within the preset number of days, the feature information in the set can be classified by source IP address. After classification, the feature information group of each source device within the preset number of days is obtained, that is, the feature information group of each source IP address within the preset number of days.
For the feature information group of one source IP address, the process of determining each attribute information item is described in detail below:
(1) When the attribute information is the total number of days on which the pending destination device is accessed, the access date of each feature information item is determined from the access time of each feature information item in the feature information group. The number of distinct access dates is then counted, which gives the total number of days on which the source device corresponding to the source IP address accessed the pending destination device; it is denoted Day_i.
(2) When the attribute information is the average number of accesses to the pending destination device per day, the total number of accesses to the pending destination device on each date is calculated from the access time in each feature information item. The totals for the different dates are then summed, and the quotient of the sum and the preset number of days is taken as the average number of times per day that the source device accesses the pending destination device; it is denoted Countperday_i.
(3) When the attribute information is the average access interval for accessing the pending destination device, the feature information group is sorted by the access time of each feature information item, the access interval between each two adjacent feature information items is calculated, and all access intervals are summed. The quotient of the sum and the total number of access intervals is determined as the average access interval for accessing the pending destination device; it is denoted Interval_i.
(4) When the attribute information is the access time distribution for accessing the pending destination device, the access time distribution is determined from the access time of each feature information item in the feature information group; it is denoted Accesstime_i.
In the four attribute information items above, i is a natural number with 1≤i≤N, where N is the number of source IP addresses obtained after classifying the pending feature information set, that is, the number of source devices.
Step S602: Based on the preset number of attribute information items of each source IP address, calculate the confidence interval of each attribute information item.
Each attribute information item has a reasonable interval. If an attribute information item of a source device lies within the confidence interval corresponding to that attribute, that attribute information item of the source device is reasonable.
This embodiment applies the 3σ criterion to determine the confidence interval of each attribute information item. The specific execution of this step is described below. As shown in Fig. 7, it includes the following steps:
Step 701: Based on the preset number of attribute information items of each source IP address, calculate the average value and the variance value of each attribute information item.
Denoting an attribute information item by the letter X, the average value and the variance value of the attribute information are calculated as follows:
The formula for calculating the average value of the attribute information is:
The formula for calculating the variance value of the attribute information is:
In the two formulas above, N is the total number of source devices.
With the formulas above, the average value and the variance value of each attribute information item can be determined. They are stated for the specific attribute information items as follows:
(1) When the attribute information is the total number of days Day_i on which the pending destination device is accessed, calculate the average value of the total number of days and the variance value Day σ.
(2) When the attribute information is the average number of accesses Countperday_i to the pending destination device per day, calculate the average value of the average number of accesses and the variance value Countperday σ.
(3) When the attribute information is the average access interval Interval_i for accessing the pending destination device, calculate the average value of the average access interval and the variance value Interval σ.
(4) When the attribute information is the access time distribution Accesstime_i for accessing the pending destination device, calculate the average value of the access time distribution and the variance value Accesstime σ.
Step 702: Using the average value and the variance value of each attribute information item, determine the confidence interval of each preset attribute.
One specific implementation is as follows: [average value - 3*variance value, average value + 3*variance value] of each preset attribute is determined as the confidence interval of that preset attribute.
(1) When the attribute information is the total number of days Day_i on which the pending destination device is accessed, the confidence interval is:
(2) When the attribute information is the average number of accesses per day Countperday_i, the confidence interval is:
(3) When the attribute information is the average access interval Interval_i for accessing the pending destination device, the confidence interval is:
(4) When the attribute information is the access time distribution Accesstime_i for accessing the pending destination device, the reasonable interval of the access time distribution is:
Of course, the confidence interval of each preset attribute can also be determined in other ways, for example [average value - 2*variance value, average value + 2*variance value] or [average value - 1*variance value, average value + 1*variance value], which are not detailed here.
Step S603: If more than half of the attribute information items of a source IP address lie within their corresponding confidence intervals, determine that the source IP address is the IP address of a trusted source device of the pending destination device.
For each source IP address, each of its attribute information items is matched against the confidence interval corresponding to that attribute. If the attribute information item lies within the confidence interval, it is normal; if it does not, it is abnormal.
Taking four attribute information items as an example, if 3 of a source device's attribute information items lie within their corresponding confidence intervals, the source device is a trusted source device of the destination device. The IP address of the trusted source device can be added to the pending trusted IP address set of the pending destination device.
For example, taking the total number of days on which the pending destination device is accessed as the attribute information, suppose the preset number of days is 7 and the confidence interval is 3-6 days. If a source device accessed the pending destination device on 5 days, the total-days attribute of that source device is normal. If a source device accessed the pending destination device on 7 days, the total-days attribute of that source device is abnormal.
This judgment is made for all source devices to determine all trusted source devices of the pending destination device. The set of the IP addresses of all trusted source devices is determined as the pending trusted IP address set of the pending destination device.
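Steps S601 to S603 can be carried through on a small data set as follows. This is an added example, not code from the patent. It uses three of the four attributes (the text does not define how the access time distribution becomes a single number) and takes σ in the 3σ criterion to be the population standard deviation, which is an assumption because the translated text calls it the "variance value". The function names and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

PRESET_DAYS = 7  # history window length, matching the text's 7-day example


def source_attributes(records, preset_days=PRESET_DAYS):
    """Step S601: group one destination's feature records by source IP.

    records: iterable of (src_ip, access_time) pairs for a single destination IP.
    Returns {src_ip: {"day": Day_i, "countperday": Countperday_i, "interval": Interval_i}}.
    """
    by_src = defaultdict(list)
    for src_ip, access_time in records:
        by_src[src_ip].append(access_time)

    attrs = {}
    for src_ip, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        attrs[src_ip] = {
            "day": len({t.date() for t in times}),    # distinct access dates
            "countperday": len(times) / preset_days,  # total accesses / preset days
            "interval": mean(gaps) if gaps else 0.0,  # mean gap in seconds
        }
    return attrs


def confidence_intervals(attrs, k=3):
    """Step S602: per-attribute [mean - k*sigma, mean + k*sigma] over all N sources."""
    intervals = {}
    for name in ("day", "countperday", "interval"):
        values = [a[name] for a in attrs.values()]
        mu, sigma = mean(values), pstdev(values)  # assumption: sigma = population std dev
        intervals[name] = (mu - k * sigma, mu + k * sigma)
    return intervals


def trusted_sources(attrs, intervals):
    """Step S603: sources with more than half of their attributes inside the intervals."""
    trusted = set()
    for src_ip, a in attrs.items():
        inside = sum(lo <= a[name] <= hi for name, (lo, hi) in intervals.items())
        if inside > len(intervals) / 2:
            trusted.add(src_ip)
    return trusted


def constructed_history(n_regular):
    """Constructed sample: n_regular daily clients plus one single-day flood source."""
    start = datetime(2016, 5, 1, 9, 0, 0)
    records = []
    for n in range(n_regular):
        for day in range(5):  # one access per day on 5 of the 7 days
            records.append((f"192.0.2.{n + 1}", start + timedelta(days=day)))
    for second in range(700):  # 700 accesses, one second apart, all on one day
        records.append(("203.0.113.9", start + timedelta(seconds=second)))
    return records


def trusted_set_for(records, k=3):
    attrs = source_attributes(records)
    return trusted_sources(attrs, confidence_intervals(attrs, k))


if __name__ == "__main__":
    for n in (11, 5):
        trusted = trusted_set_for(constructed_history(n))
        print(n, "regular sources -> flood source trusted:", "203.0.113.9" in trusted)
```

The intervals are computed over every source that reached the destination, including hostile ones, and no value among N samples can lie more than sqrt(N-1) population standard deviations from their mean. A 3σ interval therefore cannot exclude any source until at least 11 sources are present, which is why the flood source is still trusted in the second run.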
The above is the process of determining the trusted source IP address set based on the feature information of the historical service messages within the preset number of days. As shown in Fig. 8, the method further includes:
Step S801: After receiving a copy pending service message identical to the pending service message, extract the feature information of the copy pending service message.
While source devices keep accessing destination devices, the defense device keeps updating the feature information set of each destination device. For example, the defense device can receive the copy pending service message and extract its feature information.
Step S802: Update the pending feature information set with the feature information of the copy pending service message.
The feature information of the copy pending service message is added to the pending feature information set of the pending destination device. Service messages with which other source devices access the pending destination device are likewise handled by the process shown in Fig. 8, their feature information being added to the pending feature information set.
Because the pending feature information set holds only the feature information of the historical service messages that accessed the pending destination device within the preset number of days, taking 7 days as an example, when the feature information of a new day is added to the pending feature information set, the feature information of the oldest day in the set is deleted.
The defense device can re-determine the pending trusted source IP address set based on the updated pending feature information set, so that the pending trusted source IP address set of the pending destination device is kept up to date at all times.
For example, the defense device can run this once a day, determining the latest pending trusted source IP address set of the pending destination device from the updated pending feature information set. The embodiment shown in Fig. 3 can then determine, according to the latest pending trusted source IP address set of the pending destination device, whether the pending service message sent by the pending source device is normal, and thus achieves a higher accuracy.
The present application provides a scenario embodiment of a service message processing system. As shown in Fig. 9, it specifically includes:
Multiple source devices 100, an optical splitter 200 connected to the multiple source devices 100, a routing device 300 and a defense device 400 connected to the optical splitter 200, and multiple destination devices 500 connected to the routing device 300. The routing device 300 provided in this embodiment may be a core router.
The pending source device 100 among the multiple source devices is configured to send a pending service message to the pending destination device 500 among the multiple destination devices. The pending service message includes the pending destination IP address of the pending destination device and the pending source IP address of the pending source device.
The optical splitter 200 is configured to process the pending service message and send the pending service message to the routing device 300.
The optical splitter can receive the original service messages sent by multiple source devices and copy them to obtain replica service messages. It then sends the replica service messages to the defense device and the original service messages to the routing device. In the present application both the routing device and the defense device need the service messages, so the optical splitter is used to copy the original service messages into two identical copies, so that both the routing device and the defense device obtain the service messages.
The defense device 400 is configured to obtain, from the routing device, the diverted pending service message corresponding to the pending destination IP address; determine, from the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, reinject the pending service message into the routing device 300.
The pending trusted source IP address set is the set of IP addresses of multiple trusted source devices of the pending destination device, determined based on the feature information of the historical service messages accessing the pending destination device.
The routing device 300 is configured to receive the pending service message reinjected by the defense device and forward it to the pending destination device 500 corresponding to the pending destination IP address.
The specific implementation of the defense device 400 is described in detail below:
As shown in Fig. 10, the defense device includes a cleaning device 410 and an analysis device 420. The analysis device 420 is connected to the optical splitter 200, and the cleaning device 410 is connected to the routing device 300 and the analysis device 420.
The analysis device 420 is configured to determine the trusted source IP address set of each destination device based on the feature information of the historical service messages, sent by the optical splitter, with which multiple source devices access the destination devices, and to store the correspondence between destination IP addresses and trusted source IP address sets.
The cleaning device 410 is configured to obtain, according to the correspondence between destination IP addresses and trusted source IP address sets in the analysis device, the pending trusted source IP address set corresponding to the pending destination IP address; obtain from the routing device the pending service message that corresponds to the pending destination IP address and contains the pending source IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, reinject the pending service message into the routing device 300.
As shown in Fig. 11, the analysis device 420 specifically includes a preprocessing server 421, an analysis server 422 and a database device 423.
Taking the determination of the correspondence between the pending destination IP address and the pending trusted source IP address set as an example, the processing performed by each part of the analysis device 420 is described in detail.
The preprocessing server 421 is configured to determine the pending feature information set corresponding to the pending destination IP address. The pending feature information set consists of the feature information of the historical service messages that accessed the pending destination device within the preset number of days; a historical service message is the replica service message produced when the optical splitter copies an original service message sent by a source device to the pending destination device.
The feature information includes the source IP address, source port, destination IP address, destination port and access time of a historical service message.
The analysis server 422 is configured to determine, based on the pending feature information set, the IP addresses of multiple trusted source devices of the pending destination device, and to determine the set of the IP addresses of the multiple trusted source devices as the pending trusted source IP address set.
The database device 423 is configured to store the pending trusted source IP address set and the correspondence between the pending destination IP address of the pending destination device and the pending trusted source IP address set.
In Fig. 11, the step in which the analysis server 422 determines, based on the pending feature information set, the IP addresses of the multiple trusted source devices of the pending destination device specifically includes:
After classifying the feature information in the pending feature information set by source IP address, calculating a preset number of attribute information items for each source IP address from each class of feature information; calculating the confidence interval of each attribute information item based on the preset number of attribute information items of each source IP address; and, if more than half of the attribute information items of a source IP address lie within their corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
The attribute information of each source IP address includes: the total number of days on which the pending destination device is accessed, the average number of accesses to the pending destination device per day, the average access interval for accessing the pending destination device and/or the access time distribution for accessing the pending destination device.
In Fig. 11, the step in which the analysis server 422 calculates the confidence interval of each attribute information item based on the preset number of attribute information items of each source IP address specifically includes:
Calculating the average value and the variance value of each attribute information item based on the preset number of attribute information items of each source IP address; and determining [average value - 3*variance value, average value + 3*variance value] of each preset attribute as the confidence interval of that preset attribute.
In the system shown in Fig. 9, the optical splitter 200 processes the pending service message; specifically, it replicates the pending service message to obtain a copy of it, and sends the copy to the preprocessing server.
The preprocessing server 421 is further configured to receive the copy of the pending service message, extract the characteristic information of the copy, and use that characteristic information to update the pending characteristic information set.
The analysis server 422 is configured to re-determine the pending trusted source IP address set based on the updated pending characteristic information set, and to update the pending trusted source IP address set in the database device 423.
In addition, the database device 423 of the analysis device 420 is further configured to store a blacklist containing multiple attack source IP addresses.
The cleaning device 410 is then further configured to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending IP address is in the blacklist, to determine that the pending service message is an attack message; and to prohibit re-injection of the pending service message to the routing device.
The cleaning device 410 is further configured, if it determines that the pending source IP address is not in the blacklist and is also not in the pending trusted source IP address set, to apply rate limiting to the pending service message.
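The trusted-source determination and the cleaning device's three-way decision described above can be sketched as follows. This is an added example, not code from the patent: the function names, the use of three of the listed attributes, population variance, the blacklist-first ordering and all sample addresses are assumptions, and the history records are constructed.

```python
from collections import defaultdict
from statistics import mean, pvariance

DAY = 86400  # seconds

def source_attributes(records):
    """records: (src_ip, epoch_seconds) pairs seen for ONE destination IP."""
    times = defaultdict(list)
    for src, ts in records:
        times[src].append(ts)
    attrs = {}
    for src, ts_list in times.items():
        ts_list.sort()
        days = len({ts // DAY for ts in ts_list})
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        attrs[src] = (
            float(days),                         # total days with access
            len(ts_list) / days,                 # average visits per day
            float(mean(gaps)) if gaps else 0.0,  # average access interval (s)
        )
    return attrs

def confidence_intervals(attrs):
    """[mean - 3*variance, mean + 3*variance] per attribute, as on the page."""
    intervals = []
    for column in zip(*attrs.values()):
        m, v = mean(column), pvariance(column)  # population variance: assumed
        intervals.append((m - 3 * v, m + 3 * v))
    return intervals

def trusted_sources(records):
    """Sources with more than half of their attributes inside the intervals."""
    attrs = source_attributes(records)
    intervals = confidence_intervals(attrs)
    trusted = set()
    for src, values in attrs.items():
        hits = sum(lo <= x <= hi for x, (lo, hi) in zip(values, intervals))
        if 2 * hits > len(values):
            trusted.add(src)
    return trusted

def classify(src_ip, dst_ip, trusted_by_dst, blacklist):
    """Cleaning-device decision; checking the blacklist first is an assumption."""
    if src_ip in blacklist:
        return "drop"          # attack message: never re-injected
    if src_ip in trusted_by_dst.get(dst_ip, set()):
        return "reinject"      # normal message: back to the routing device
    return "rate_limit"        # unknown source: speed-limited

def sample_records():
    """Constructed history: 29 steady clients over 7 days, 1 one-day burst."""
    recs = []
    for i in range(1, 30):
        for day in range(7):
            for hour in (9, 12, 15, 18):
                recs.append((f"10.0.0.{i}", day * DAY + hour * 3600))
    recs += [("203.0.113.9", 6 * DAY + 3600 + k) for k in range(12)]
    return recs

if __name__ == "__main__":
    dst = "192.0.2.10"  # constructed destination IP
    table = {dst: trusted_sources(sample_records())}
    for src in ("10.0.0.5", "203.0.113.9", "198.51.100.7"):
        print(src, classify(src, dst, table, {"198.51.100.7"}))
```

In this constructed data the burst source falls outside the intervals for total days and visits per day but inside the one for average access interval, whose variance in seconds is very large; it is the majority rule across attributes that excludes it, so the interval width of each attribute is worth inspecting when tuning.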
From the above technical content it can be seen that the application has the following beneficial effects:
The application provides a service message processing system. After receiving a pending service message that contains a pending destination IP address, the application can determine the pending trusted source IP address set corresponding to that pending destination IP address, and then judge whether the pending source IP address in the pending service message is in the pending trusted source IP address set. If so, the pending source device that sent the pending service message is a trusted source device, and the pending service message is therefore determined to be a normal message. To ensure that normal messages pass through normally, the pending service message is re-injected to the routing device, which forwards it to the pending destination device.
It can be understood that the trusted source IP address set the application obtains by means of big data has a very high accuracy. Therefore, while cleaning the attack messages out of the service messages, the application can also keep normal messages from being dropped by mistake.
If the functions described in the method of this embodiment are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a storage medium readable by a computing device. Based on this understanding, the part of the embodiments of the application that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the software product is stored in a storage medium and includes several instructions that cause a computing device (which may be a personal computer, a server, a mobile computing device, a network device, or the like) to perform all or part of the steps of the methods of the embodiments of the application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk, or an optical disc.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (16)
- 1. A service message processing method, characterized by comprising: obtaining a pending service message that corresponds to a pending destination IP address and contains a pending source IP address; determining, according to the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if it is determined that the pending source IP address is in the pending trusted source IP address set, re-injecting the pending service message to a routing device.
- 2. The method of claim 1, characterized in that obtaining the pending service message corresponding to the pending destination IP address comprises: diverting, from the routing device, the pending service message corresponding to the pending destination IP address.
- 3. The method of claim 1, characterized in that the pending trusted source IP address set is the set of IP addresses of multiple trusted source devices determined based on the characteristic information of the history service messages that accessed the pending destination device.
- 4. The method of claim 3, characterized in that determining the set of IP addresses of multiple trusted source devices based on the characteristic information of the history service messages that accessed the pending destination device comprises: determining the pending characteristic information set corresponding to the pending destination IP address, wherein the pending characteristic information set consists of the characteristic information of the history service messages that accessed the pending destination device within a preset number of days; determining, based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device; defining the set of IP addresses of the multiple trusted source devices as the pending trusted source IP address set; and storing the pending trusted source IP address set and the correspondence between the pending destination IP address and the pending trusted source IP address set.
- 5. The method of claim 4, characterized in that determining, based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device comprises: after classifying the characteristic information in the pending characteristic information set by source IP address, calculating a predetermined number of attribute values for each source IP address from each class of characteristic information; calculating, based on the predetermined number of attribute values of each source IP address, the confidence interval of each attribute; and, if more than half of the attribute values of a source IP address are within the corresponding confidence intervals, determining that the source IP address is the IP address of a trusted source device of the pending destination device.
- 6. The method of claim 5, characterized in that the characteristic information of a history service message includes: the source IP address, source port, destination IP address, destination port and access time of the history service message; and the attribute information of each source IP address includes: the total number of days on which it accessed the pending destination device, the average number of visits per day to the pending destination device, the average access interval for the pending destination device, and/or the distribution of access times for the pending destination device.
- 7. The method of claim 5, characterized in that calculating the confidence interval of each attribute based on the predetermined number of attribute values of each source IP address comprises: calculating, from the predetermined number of attribute values of each source IP address, the mean and the variance of each attribute; and determining the confidence interval of each preset attribute using the mean and the variance of each attribute.
- 8. The method of claim 4, characterized by further comprising: after receiving a copy of the pending service message that is identical to the pending service message, extracting the characteristic information of the copy; and updating the pending characteristic information set using the characteristic information of the copy.
- 9. The method of claim 8, characterized by further comprising: re-determining the pending trusted source IP address set based on the updated pending characteristic information set.
- 10. The method of claim 1, characterized in that, after obtaining the pending service message that corresponds to the pending destination IP address and contains the pending source IP address, the method further comprises: judging whether the pending source IP address in the pending service message is in a blacklist; if the pending IP address is in the blacklist, determining that the pending service message is an attack message; and prohibiting re-injection of the pending service message to the routing device.
- 11. The method of claim 10, characterized by further comprising: if it is determined that the pending source IP address is not in the blacklist and is not in the pending trusted source IP address set, applying rate limiting to the pending service message.
- 12. A service message processing system, characterized by comprising: multiple source devices, an optical splitter connected to the multiple source devices, a routing device and a defense device connected to the optical splitter, and multiple destination devices connected to the routing device; a pending source device among the multiple source devices, configured to send a pending service message to a pending destination device among the multiple destination devices, the pending service message including the pending destination IP address of the pending destination device and the pending source IP address of the pending source device; the optical splitter, configured to process the pending service message and send the pending service message to the routing device; the defense device, configured to obtain from the routing device the pending service message corresponding to the pending destination IP address; determine, according to the correspondence between destination IP addresses and trusted source IP address sets, the pending trusted source IP address set corresponding to the pending destination IP address; and, if it is determined that the pending source IP address is in the pending trusted source IP address set, re-inject the pending service message to the routing device; and the routing device, configured to receive the pending service message re-injected by the defense device and forward the pending service message to the pending destination device corresponding to the pending destination IP address.
- 13. The system of claim 12, characterized in that the defense device includes a cleaning device and an analysis device, wherein the analysis device is connected to the optical splitter, and the cleaning device is connected to the routing device and to the analysis device; the analysis device is configured to determine the trusted source IP address set of each destination device based on the characteristic information, sent by the optical splitter, of the history service messages with which multiple source devices accessed the destination device, and to store the correspondence between destination IP addresses and trusted source IP address sets; and the cleaning device is configured to obtain, according to the correspondence between destination IP addresses and trusted source IP address sets in the analysis device, the pending trusted source IP address set corresponding to the pending destination IP address; obtain from the routing device the pending service message that corresponds to the pending destination IP address and contains the pending source IP address; and, if it is determined that the pending source IP address in the pending service message is in the pending trusted source IP address set, re-inject the pending service message to the routing device.
- 14. The system of claim 13, characterized in that the analysis device includes a preprocessing server, an analysis server and a database device, wherein the preprocessing server is configured to determine the pending characteristic information set corresponding to the pending destination IP address, the pending characteristic information set consisting of the characteristic information of the history service messages that accessed the pending destination device within a preset number of days, and a history service message being the copy of a service message that the optical splitter makes after replicating the original service message a source device sent to the pending destination device; the analysis server is configured to determine, based on the pending characteristic information set, the IP addresses of the multiple trusted source devices of the pending destination device, and to define the set of IP addresses of the multiple trusted source devices as the pending trusted source IP address set; and the database device is configured to store the pending trusted source IP address set and the correspondence between the pending destination IP address and the pending trusted source IP address set.
- 15. The system of claim 14, characterized in that the database device of the analysis device is further configured to store a blacklist containing multiple attack source IP addresses; and the cleaning device is then further configured to judge whether the pending source IP address in the pending service message is in the blacklist; if the pending IP address is in the blacklist, determine that the pending service message is an attack message; and prohibit re-injection of the pending service message to the routing device.
- 16. The system of claim 15, characterized in that the cleaning device is further configured, if it determines that the pending source IP address is not in the blacklist and is not in the pending trusted source IP address set, to apply rate limiting to the pending service message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610294119.3A CN107347051B (en) | 2016-05-05 | 2016-05-05 | Service message processing method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610294119.3A CN107347051B (en) | 2016-05-05 | 2016-05-05 | Service message processing method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107347051A (en) | 2017-11-14 |
CN107347051B (en) | 2021-02-05 |
Family
ID=60253854
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610294119.3A Active CN107347051B (en) | 2016-05-05 | 2016-05-05 | Service message processing method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107347051B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107896232A (en) * | 2017-12-27 | 2018-04-10 | 北京奇艺世纪科技有限公司 | A kind of IP address appraisal procedure and device |
CN110324295A (en) * | 2018-03-30 | 2019-10-11 | 阿里巴巴集团控股有限公司 | A kind of defence method and device of domain name system extensive aggression |
CN111756679A (en) * | 2019-03-29 | 2020-10-09 | 北京数安鑫云信息技术有限公司 | Log analysis method and device, storage medium and computer equipment |
CN114221906A (en) * | 2021-11-11 | 2022-03-22 | 百度在线网络技术(北京)有限公司 | Flow control method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001038999A1 (en) * | 1999-11-23 | 2001-05-31 | Escom Corporation | Electronic message filter having a whitelist database and a quarantining mechanism |
CN101431449A (en) * | 2008-11-04 | 2009-05-13 | 中国科学院计算技术研究所 | Network flux cleaning system |
CN102413105A (en) * | 2010-09-25 | 2012-04-11 | 杭州华三通信技术有限公司 | Method and device for preventing attack of challenge collapsar (CC) |
CN103593609A (en) * | 2012-08-16 | 2014-02-19 | 阿里巴巴集团控股有限公司 | Trustworthy behavior recognition method and device |
CN104468631A (en) * | 2014-12-31 | 2015-03-25 | 国家电网公司 | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107896232A (en) * | 2017-12-27 | 2018-04-10 | 北京奇艺世纪科技有限公司 | A kind of IP address appraisal procedure and device |
CN107896232B (en) * | 2017-12-27 | 2020-04-03 | 北京奇艺世纪科技有限公司 | IP address evaluation method and device |
CN110324295A (en) * | 2018-03-30 | 2019-10-11 | 阿里巴巴集团控股有限公司 | A kind of defence method and device of domain name system extensive aggression |
CN110324295B (en) * | 2018-03-30 | 2022-04-12 | 阿里云计算有限公司 | Defense method and device for domain name system flooding attack |
CN111756679A (en) * | 2019-03-29 | 2020-10-09 | 北京数安鑫云信息技术有限公司 | Log analysis method and device, storage medium and computer equipment |
CN114221906A (en) * | 2021-11-11 | 2022-03-22 | 百度在线网络技术(北京)有限公司 | Flow control method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN107347051B (en) | 2021-02-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||