CN107347051B - Service message processing method and system - Google Patents


Info

Publication number: CN107347051B
Application number: CN201610294119.3A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107347051A (en)
Inventor: 李晗
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN201610294119.3A; publication of CN107347051A; application granted; publication of CN107347051B

Classifications

    • H — Electricity; H04 — Electric communication technique; H04L — Transmission of digital information, e.g. telegraphic communication
    • H04L63/1458 Denial of Service (under H04L63/00 network security, H04L63/14 detecting or protecting against malicious traffic, H04L63/1441 countermeasures against malicious traffic)
    • H04L45/74 Address processing for routing (under H04L45/00 routing or path finding of packets in data switching networks)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 separating internal from external traffic, e.g. firewalls, and H04L63/0227 filtering policies)
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)


Abstract

The application provides a service message processing method and system. The method comprises: obtaining a to-be-processed service message that corresponds to a to-be-processed destination IP address and contains a to-be-processed source IP address; determining, from the stored correspondence between destination IP addresses and trusted source IP address sets, the to-be-processed trusted source IP address set that corresponds to the to-be-processed destination IP address; and, if the to-be-processed source IP address is judged to be in that trusted source IP address set, reinjecting the to-be-processed service message to the routing device. Because the trusted source IP address set is obtained in a big-data manner with very high accuracy, normal messages are prevented from being mistakenly dropped while attack messages are being cleaned from the service messages.

Description

Service message processing method and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and a system for processing a service packet.
Background
With the continuous progress of network technology, network attacks in the network field are increasing. At present, the Distributed Denial of Service (DDoS) attack has become one of the most serious among the many kinds of network attack. The principle of a DDoS attack is to learn the resource bottleneck of the destination device in advance; the attack devices then send a large volume of attack messages that consume the bottleneck resource, so that the destination device cannot process the flood of attack messages and breaks down. To prevent DDoS attacks, a defense device may be added to the original system architecture to block them.
Fig. 1 is a schematic diagram of a conventional network system. As can be seen from the figure, the system comprises a source device 11, a routing device 12, a defense device 13 and a destination device 14. The source devices include both normal devices and attack devices, so the service messages sent by the source devices to the routing device include both attack messages sent by attack devices and normal messages sent by normal devices. The defense device filters out the attack messages according to a cleaning policy and finally sends the normal messages to the destination device.
Various defense policies exist at present. Research shows that current defense policies are determined from a small number of service messages, or are set manually by technicians from experience, so they are not accurate and normal messages may be mistakenly dropped. For example, a common cleaning policy of defense devices is the message rate-limiting method. It works by configuring in the defense device in advance the protocol types frequently used by attack devices (hereinafter called the preset protocol types) and then filtering service messages according to these preset protocol types. Since attack messages and normal messages can both use a preset protocol type, filtering service messages in this way mistakenly drops part of the normal messages.
Therefore, a new method for processing a service packet is needed, so that the attack packet in the service packet can be cleaned and the normal packet can be protected from being killed by mistake.
Disclosure of Invention
The application provides a method and a system for processing a service message, which can prevent a normal message from being killed by mistake in the process of cleaning an attack message in the service message.
In order to achieve the above object, the present application provides the following technical means:
a service message processing method comprises the following steps:
acquiring a to-be-processed service message which corresponds to a to-be-processed target IP address and contains a to-be-processed source IP address;
determining a to-be-processed trusted source IP address set corresponding to the to-be-processed target IP address according to the corresponding relation between the target IP address and the trusted source IP address set;
and if the to-be-processed source IP address is judged to be in the to-be-processed trusted source IP address set, reinjecting the to-be-processed service message to the routing device, which forwards it to the to-be-processed destination device corresponding to the to-be-processed destination IP address.
Preferably, the acquiring the service packet to be processed corresponding to the destination IP address to be processed includes:
pulling, from the routing device, the service message to be processed that corresponds to the destination IP address to be processed.
Preferably, the to-be-processed trusted source IP address set is a set of IP addresses of a plurality of trusted source devices determined based on the characteristic information of the historical service packet accessing the to-be-processed destination device.
Preferably, determining a set of IP addresses of a plurality of trusted source devices based on the feature information of the historical service packet accessing the destination device to be processed includes:
determining a set of to-be-processed characteristic information corresponding to the to-be-processed destination IP address; the feature information set to be processed consists of feature information of historical service messages which access the target equipment to be processed within preset days;
determining IP addresses of a plurality of credible source devices of the target device to be processed based on the set of characteristic information to be processed;
determining a set of IP addresses of the plurality of trusted source devices as the set of the trusted source IP addresses to be processed;
and storing the to-be-processed source IP address set and the corresponding relation between the to-be-processed target IP address and the to-be-processed source IP address set.
Preferably, the determining the IP addresses of the multiple trusted source devices of the destination device to be processed based on the set of feature information to be processed includes:
after the feature information in the feature information set to be processed is classified according to the source IP addresses, respectively calculating a preset number of attribute information of each source IP address according to each type of feature information;
calculating a confidence interval of each attribute information based on the preset number of attribute information of each source IP address;
and if more than half of attribute information of one source IP address is in the corresponding confidence interval, determining the source IP address as the IP address of the credible source equipment of the target equipment to be processed.
Preferably, the characteristic information of the historical service packet includes: the source IP address, the source port, the destination IP address, the destination port and the access time of the historical service message;
the attribute information of each source IP address includes: the total number of days for accessing the target device to be processed, the average number of accesses for accessing the target device to be processed each day, the average access interval for accessing the target device to be processed, and/or the distribution of access times for accessing the target device to be processed.
Preferably, the calculating the confidence interval of each attribute information based on the preset number of attribute information of each source IP address includes:
calculating an average value and a variance value of each attribute information based on a preset number of attribute information of each source IP address;
and determining a confidence interval of each preset attribute by using the average value and the variance value of each attribute information.
Preferably, [mean - 3 × variance value, mean + 3 × variance value] of each preset attribute is determined as the confidence interval of that preset attribute.
Preferably, the method further comprises the following steps:
after receiving a duplicate to-be-processed service message consistent with the to-be-processed service message, extracting the characteristic information of the duplicate to-be-processed service message;
and updating the feature information set to be processed by utilizing the feature information of the duplicate service message to be processed.
Preferably, the method further comprises the following steps:
and re-determining the to-be-processed trusted source IP address set based on the updated to-be-processed characteristic information set.
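Worked example of the trusted-source derivation in the claims above (attribute calculation per source IP, a [μ - 3σ, μ + 3σ] confidence interval per attribute across the sources of one destination, the "more than half" rule, and re-determination from a fresh feature set), written for this page and not taken from the patent or from Alibaba's implementation. It assumes a seven-day window, uses the population standard deviation as σ where the claims say "variance value", takes the share of accesses in a source's busiest hour as the scalar for "distribution of access times", and all history rows are constructed.

```python
"""Trusted-source set from historical feature information using 3-sigma intervals."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

DST_IP = "192.0.2.10"  # constructed destination IP under protection (TEST-NET-1 range)


def build_sample_history():
    """Constructed feature rows: (src_ip, src_port, dst_ip, dst_port, access_time)."""
    rows = []
    base = datetime(2016, 5, 1, 9, 0, 0)
    # Twelve regular clients: 7 to 9 hourly requests per day, every day for a week.
    for i in range(12):
        per_day = 7 + i % 3
        for day in range(7):
            for h in range(per_day):
                rows.append((f"10.0.0.{i + 1}", 40000 + i, DST_IP, 80,
                             base + timedelta(days=day, hours=h)))
    # One flood source: 600 requests within ten minutes on a single day.
    for k in range(600):
        rows.append(("203.0.113.9", 51000, DST_IP, 80,
                     base + timedelta(days=3, seconds=k)))
    return rows


def source_attributes(times):
    """The four attributes named in the claims for one source IP; `times` is sorted."""
    days = {t.date() for t in times}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    busiest = Counter(t.hour for t in times).most_common(1)[0][1]
    return {
        "total_days": len(days),
        "avg_per_day": len(times) / len(days),
        "avg_interval_s": mean(gaps) if gaps else 0.0,
        # Assumed scalar for "distribution of access times": share in the busiest hour.
        "hour_concentration": busiest / len(times),
    }


def confidence_intervals(attr_by_ip, k=3.0):
    """[mu - k*sigma, mu + k*sigma] per attribute over all sources of this destination."""
    intervals = {}
    for name in next(iter(attr_by_ip.values())):
        values = [attrs[name] for attrs in attr_by_ip.values()]
        mu, sigma = mean(values), pstdev(values)   # population std dev used as sigma
        intervals[name] = (mu - k * sigma, mu + k * sigma)
    return intervals


def trusted_source_set(history, dst_ip, window_days=7):
    """Trusted source IPs for dst_ip from feature rows inside the preset window."""
    rows = [r for r in history if r[2] == dst_ip]
    if not rows:
        return set()
    cutoff = max(r[4] for r in rows) - timedelta(days=window_days)
    by_ip = defaultdict(list)
    for src, _sport, _dst, _dport, t in rows:
        if t > cutoff:
            by_ip[src].append(t)
    attr_by_ip = {ip: source_attributes(sorted(ts)) for ip, ts in by_ip.items()}
    intervals = confidence_intervals(attr_by_ip)
    trusted = set()
    for ip, attrs in attr_by_ip.items():
        inside = sum(lo <= attrs[n] <= hi for n, (lo, hi) in intervals.items())
        if inside * 2 > len(intervals):   # "more than half" of the attributes in range
            trusted.add(ip)
    return trusted


if __name__ == "__main__":
    # Re-running on an updated history is the re-determination step of the claims.
    print(sorted(trusted_source_set(build_sample_history(), DST_IP)))
```

Note that with the population standard deviation a single outlier among N sources has a z-score of at most sqrt(N - 1), so a destination with fewer than 11 historical sources can never place any source outside its 3σ interval, and a heavy flood source also inflates σ for the others.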
Preferably, after acquiring the service packet to be processed corresponding to the destination IP address to be processed and including the source IP address to be processed, the method further includes:
judging whether the IP address of the source to be processed in the service message to be processed is in a blacklist or not;
if the IP address to be processed is in the blacklist, determining the service message to be processed as an attack message;
and forbidding the service message to be processed from being reinjected to the routing equipment.
Preferably, the method further comprises the following steps:
and if the to-be-processed source IP address is judged not to be in the blacklist and not to be in the to-be-processed trusted source IP address set, performing rate-limiting processing on the to-be-processed service message.
A service message processing system, comprising:
the system comprises a plurality of source devices, an optical splitter connected with the source devices, a routing device and a defense device connected with the optical splitter, and a plurality of destination devices connected with the routing device;
the source equipment to be processed in the source equipment is used for sending a service message to be processed to the destination equipment to be processed in the destination equipment; the service message to be processed comprises a destination IP address to be processed of a destination device to be processed and a source IP address to be processed of a source device to be processed;
the optical splitter is configured to process the service packet to be processed, and send the service packet to be processed to the routing device;
the defense device is used for acquiring a service message to be processed corresponding to a destination IP address to be processed from the routing device; determining a to-be-processed trusted source IP address set corresponding to the to-be-processed target IP address according to the corresponding relation between the target IP address and the trusted source IP address set; if the IP address of the source to be processed is judged to be in the IP address set of the trusted source to be processed, the service message to be processed is reinjected to the routing equipment;
the routing device is configured to receive the service packet to be processed, which is reinjected by the defense device, and forward the service packet to be processed to a destination device to be processed, which corresponds to the destination IP address to be processed.
Preferably, the defense device comprises a cleaning device and an analysis device; the analysis equipment is connected with the optical splitter, and the cleaning equipment is connected with the routing equipment and the analysis equipment;
the analysis device is used for determining a credible source IP address set of each destination device based on the characteristic information of the historical service message of the destination device accessed by the source devices, which is sent by the optical splitter, and storing the corresponding relation between the destination IP address and the credible source IP address set;
the cleaning device is used for acquiring, from the analysis device, the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address according to the correspondence between destination IP addresses and trusted source IP address sets; acquiring, from the routing device, the to-be-processed service message that corresponds to the to-be-processed destination IP address and contains the to-be-processed source IP address; and, if the to-be-processed source IP address in the to-be-processed service message is judged to be in the to-be-processed trusted source IP address set, reinjecting the to-be-processed service message to the routing device.
Preferably, the analysis apparatus comprises: a preprocessing server, an analysis server and a database device;
the preprocessing server is used for determining a set of characteristic information to be processed corresponding to a destination IP address to be processed; the feature information set to be processed consists of feature information of historical service messages which access the target equipment to be processed within preset days; the historical service message is a duplicate service message after the splitter duplicates the original service message sent to the target equipment to be processed by the source equipment;
the analysis server is used for determining IP addresses of a plurality of credible source devices of the target device to be processed based on the characteristic information set to be processed; determining a set of IP addresses of the plurality of trusted source devices as the set of the trusted source IP addresses to be processed;
the database device is used for storing the to-be-processed source IP address set and the corresponding relation between the to-be-processed destination IP address and the to-be-processed source IP address set.
Preferably, the specific process of the analysis server executing the step of determining the IP addresses of the multiple trusted source devices of the destination device to be processed based on the set of feature information to be processed includes:
after classifying the feature information in the feature information set to be processed according to the source IP address, respectively calculating a preset number of attribute information of each source IP address according to each type of feature information; calculating a confidence interval of each attribute information based on the preset number of attribute information of each source IP address; and if more than half of attribute information of one source IP address is in the corresponding confidence interval, determining the source IP address as the IP address of the credible source equipment of the target equipment to be processed.
Preferably, the characteristic information of the historical service packet includes: the source IP address, the source port, the destination IP address, the destination port and the access time of the historical service message;
the attribute information of each source IP address includes: the total number of days for accessing the target device to be processed, the average number of accesses for accessing the target device to be processed each day, the average access interval for accessing the target device to be processed, and/or the distribution of access times for accessing the target device to be processed.
Preferably, the step of the analysis server executing a preset number of attribute information based on each source IP address and calculating a confidence interval of each attribute information specifically includes:
calculating an average value and a variance value of each attribute information based on a preset number of attribute information of each source IP address;
and determining a confidence interval of each preset attribute by using the average value and the variance value of each attribute information. Specifically, [mean - 3 × variance value, mean + 3 × variance value] of each preset attribute is determined as the confidence interval of that preset attribute.
Preferably, the optical splitter processes the service packet to be processed, and is specifically configured to copy the service packet to be processed to obtain a duplicate service packet to be processed, and send the duplicate service packet to be processed to the preprocessing server;
the preprocessing server is further configured to receive the duplicate to-be-processed service packet, extract feature information of the duplicate to-be-processed service packet, and update the to-be-processed feature information set by using the feature information of the duplicate to-be-processed service packet;
the analysis server is used for re-determining the to-be-processed trusted source IP address set based on the updated to-be-processed characteristic information set; and updating the IP address set of the to-be-processed trusted sources in the database equipment.
Preferably, the database device of the analysis device is further configured to store a blacklist including a plurality of attack source IP addresses;
the cleaning device is further configured to determine whether a source IP address to be processed in the service message to be processed is in the blacklist; if the IP address to be processed is in the blacklist, determining the service message to be processed as an attack message; and forbidding the service message to be processed from being reinjected to the routing equipment.
Preferably, the cleaning device is further configured to perform speed-limiting processing on the service packet to be processed if it is determined that the source IP address to be processed is not in the blacklist and the source IP address to be processed is not in the source IP address set to be processed.
From the above technical content, it can be seen that the present application has the following beneficial effects:
the application provides a service message processing method; after receiving a to-be-processed service message containing a to-be-processed destination IP address, the method and the device can determine a to-be-processed source IP address set corresponding to the to-be-processed destination IP address, and then judge whether the to-be-processed source IP address in the to-be-processed service message is in the to-be-processed source IP address set. If so, indicating that the to-be-processed source equipment which sends the to-be-processed service message is the credible source equipment, and further determining that the to-be-processed service message is a normal message. In order to ensure normal passing of normal messages, the service message to be processed is reinjected to the routing equipment and forwarded to the destination equipment to be processed by the routing equipment.
It can be understood that the accuracy of obtaining the set of the IP addresses of the trusted sources through the big data mode is very high. Therefore, the method and the device can prevent the normal message from being killed by mistake in the process of cleaning the attack message in the service message.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a service packet processing system in the prior art;
fig. 2 is a schematic structural diagram of a service packet processing system disclosed in an embodiment of the present application;
fig. 3 is a flowchart of a service packet processing method disclosed in the embodiment of the present application;
fig. 4 is a flowchart of another service packet processing method disclosed in the embodiment of the present application;
fig. 5 is a flowchart of another service packet processing method disclosed in the embodiment of the present application;
fig. 6 is a flowchart of another service packet processing method disclosed in the embodiment of the present application;
fig. 7 is a flowchart of another service packet processing method disclosed in the embodiment of the present application;
fig. 8 is a flowchart of another service packet processing method disclosed in the embodiment of the present application;
fig. 9 is a schematic structural diagram of another service packet processing system disclosed in the embodiment of the present application;
fig. 10 is a schematic structural diagram of another service packet processing system disclosed in the embodiment of the present application;
fig. 11 is a schematic structural diagram of another service packet processing system disclosed in the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to make the technical terms of the present application clear to those skilled in the art, terms appearing in the present application are explained and illustrated below:
Service message: a data unit exchanged and transmitted in the network, that is, the block of data a station sends at one time. A message contains the complete data to be sent; its length is not fixed, is not limited, and may vary.
Attack message: a service message sent by an attack terminal that can adversely affect the receiver.
Normal message: a service message sent by a normal terminal that does not adversely affect the receiver.
Source device: the sender of a service message.
Destination device: the receiver of a service message.
Optical splitter: a component used to build an Ethernet passive optical network; it copies the optical data carried over the fibre for monitoring. Roughly speaking, an optical splitter works like a tee: the original traffic passes through normally, while a branch of the traffic is split off for analysis by monitoring equipment.
Defense device: a device provided with a software program for defending against attack messages.
3σ criterion: for a normal distribution with standard deviation σ and mean μ, the probability that a value lies in (μ - σ, μ + σ) is 0.6826; in (μ - 2σ, μ + 2σ) it is 0.9544; and in (μ - 3σ, μ + 3σ) it is 0.9974. Reasonable values can therefore be considered almost entirely concentrated in the interval (μ - 3σ, μ + 3σ), and the probability of exceeding that range is under 0.3%.
To make the application scenario clear to those skilled in the art, the service processing system provided in the present application is introduced first. The service processing system comprises: a plurality of source devices 21; a routing device 22 and a defense device 23 connected to the plurality of source devices 21; and a plurality of destination devices 24 connected to the routing device 22. The routing device 22 provided in this embodiment may be a core router.
The service message processing system has a plurality of destination devices, and the application can clean the service messages accessing each of them; to do so, the IP address of each destination device must be set in the defense device. Whenever the service messages accessing a destination device are to be cleaned, that destination device's IP address is set in the defense device.
Since the processing procedures of the defense device for accessing each destination device service packet are all consistent, the present application only takes one to-be-processed destination device among the plurality of destination devices as an example for description. In addition, the service processing system has a plurality of source devices, and the processing procedure for accessing the to-be-processed destination device by each source device is also consistent, so that the detailed description is only given on the processing procedure for accessing the to-be-processed destination device by the to-be-processed source device.
The specific processing of the defense apparatus is described in detail below. The application provides a service message processing method, which is applied to defense equipment shown in fig. 2. As shown in fig. 3, the method specifically includes the following steps:
step S301: and acquiring a service message to be processed, which corresponds to the target IP address to be processed and contains the source IP address to be processed.
After the source device to be processed sends the service message to be processed accessing the destination device to be processed, the service message to be processed reaches the routing device. In order to indicate the source, the destination, and the time of the service packet to be processed, the service packet to be processed includes the source IP address and the source port of the source device to be processed, the destination IP address and the destination port of the destination device to be processed, and the time for the source device to be processed to send the service packet to be processed, which is hereinafter referred to as access time.
In this embodiment, the to-be-processed destination IP address of the to-be-processed destination device is set in the defense device, which indicates that the service packet accessing the to-be-processed destination device may have a normal packet and may also have an abnormal packet. Therefore, the service packet to be processed needs to be pulled from the routing device to the defense device, so as to further determine the service packet to be processed.
It can be understood that all the service messages of all source devices accessing all destination devices reach the routing device, and each service message includes the IP address of its source device and the IP address of its destination device. Therefore, the defense device can match the to-be-processed destination IP address against the destination IP address in each service message on the routing device, so as to obtain the service messages whose destination IP address is the to-be-processed destination IP address, that is, the service messages accessing the to-be-processed destination device.
Step S302: and determining a to-be-processed trusted source IP address set corresponding to the to-be-processed target IP address according to the corresponding relation between the target IP address and the trusted source IP address set.
It can be understood that, since the service messages sent by a trusted source device are all normal messages, if the source device sending a service message is determined to be a trusted source device, the service message it sends can be determined to be a normal message. However, a business system has many destination devices, and the trusted source devices of each destination device differ from one another. Therefore, the defense device may determine, in advance or in real time, the trusted source device set of each destination device and construct a correspondence between each destination device and its trusted source device set.
Because the destination device and the source device can be uniquely identified by the IP address, the corresponding relationship between the destination device and the trusted source device set is constructed, that is, the corresponding relationship between the destination IP address and the trusted source IP address set is constructed. After the defense device determines the trusted source device set of each destination device, that is, the trusted source IP address set of each destination IP address, each destination IP address is stored in correspondence with each trusted source IP address set.
The method and the device determine the trusted source IP address set of each destination device from the big data (a large number of historical service messages) accessing that destination device. Because of the breadth and representativeness of the big data, the trusted source IP address set of each destination device determined by analyzing it is accurate. The detailed determination process is described in the following embodiments and is not repeated here.
After receiving the service message to be processed, the defense device searches for the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address according to the stored correspondence between destination IP addresses and trusted source IP address sets.
Step S303: judging whether the source IP address to be processed is in the trusted source IP address set to be processed. If yes, go to step S304; otherwise, go to step S305.
Because the to-be-processed trusted source IP address set contains the IP addresses of all trusted source devices of the to-be-processed destination device, whether the source IP address of the to-be-processed source device is in that set can be judged, so as to determine whether the to-be-processed service message is a normal message.
Step S304: if the source IP address to be processed in the service message to be processed is judged to be in the trusted source IP address set to be processed, reinjecting the service message to be processed to the routing device, so that the routing device forwards it to the destination device to be processed corresponding to the destination IP address to be processed.
If the to-be-processed source IP address in the to-be-processed service message is judged to be in the to-be-processed trusted source IP address set, the to-be-processed source device is a trusted source device of the to-be-processed destination device, and the to-be-processed service message sent by the to-be-processed source device is a normal message. Therefore, the service packet to be processed, which is drawn from the routing device, is reinjected to the routing device, so that the routing device forwards the service packet to be processed to the destination device to be processed.
Step S305: if the source IP address to be processed in the service message to be processed is judged not to be in the trusted source IP address set to be processed, executing other processing procedures.
If the to-be-processed source IP address in the to-be-processed service message is judged not to be in the to-be-processed trusted source IP address set, the to-be-processed source device is not the trusted source device of the to-be-processed destination device, and the to-be-processed service message sent by the to-be-processed source device is abnormal.
Through the above technical features, the application has the following beneficial effects:
The application provides a service message processing method. After receiving a to-be-processed service message containing a to-be-processed destination IP address, the method and the device determine the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address, and then judge whether the to-be-processed source IP address in the to-be-processed service message is in that set. If so, the to-be-processed source device that sent the to-be-processed service message is a trusted source device, and the to-be-processed service message is therefore a normal message. In order to ensure that normal messages pass, the service message to be processed is reinjected to the routing device and forwarded to the destination device to be processed by the routing device.
It can be understood that the accuracy of the trusted source IP address set obtained through big data is very high. Therefore, the attack messages among the service messages can be cleaned while normal messages are prevented from being mistakenly dropped.
Since the boundary between normal packets and attack packets cannot be completely determined in practical application, for the defense device the service packets can be divided into three types: normal packets, attack packets, and featureless packets (i.e., service packets that cannot be determined to be normal or abnormal). The embodiment shown in fig. 3 is the process of determining a normal packet. Therefore, the method may also include a process of determining an attack packet.
An attack device is common to all destination devices; that is, a device that attacks one destination device is regarded as an attack device for all destination devices. Therefore, the defense device may maintain a blacklist indicating the IP addresses of attack sources.
After step S301 obtains the service packet to be processed corresponding to the destination device to be processed, as shown in fig. 4, the method further includes:
step S401: judging whether the IP address of the source to be processed in the service message to be processed is in the blacklist or not; if yes, the process proceeds to step S402, otherwise, other processing procedures are executed.
In order to determine whether the source device to be processed is an attack device, the IP address of the source device to be processed may be obtained from the service packet to be processed. And then, comparing the IP address of the source to be processed with each IP address in the blacklist to judge whether the IP address of the source to be processed exists in the blacklist.
Step S402: if the source IP address to be processed is in the blacklist, determining the service message to be processed to be an attack message.
If the source IP address to be processed is in the blacklist, the source device to be processed is an attack device, and the service message to be processed that it sends is an attack message.
Step S403: prohibiting the service message to be processed from being reinjected to the routing device.
In order to protect the destination device to be processed, after the service message to be processed is determined to be an attack message, the service message to be processed is prohibited from being reinjected to the routing device, so that the routing device cannot send it to the destination device to be processed, and the destination device to be processed does not receive it.
Step S404: other processing procedures.
The embodiments of fig. 3 and fig. 4 described above may be performed in either order. That is, the embodiment shown in fig. 3 may be executed first to determine whether the service packet to be processed is a normal packet; if it is, the embodiment shown in fig. 4 need not be executed, and if it is not, the embodiment shown in fig. 4 is then executed to determine whether the service packet to be processed is an attack packet.
Alternatively, the embodiment shown in fig. 4 may be executed first to determine whether the service packet to be processed is an attack packet; if it is, the embodiment shown in fig. 3 need not be executed, and if it is not, the embodiment shown in fig. 3 is then executed to determine whether the service packet to be processed is a normal packet.
If, through the embodiments of fig. 3 and fig. 4, the service packet to be processed is found to be neither a normal packet nor an attack packet, the service packet to be processed is a featureless packet; that is, neither the trusted source IP address set to be processed nor the blacklist contains the source IP address to be processed, and it cannot be determined whether the service packet to be processed is a normal packet or an attack packet. Therefore, speed limit processing is applied to the service packet to be processed. That is, if the source IP address to be processed is not in the blacklist and is not in the trusted source IP address set to be processed, speed limit processing is performed on the service packet to be processed.
The specific execution process of the speed limit processing may be to perform packet loss processing on the to-be-processed service packet sent by the to-be-processed source device, so as to reduce the rate of sending the to-be-processed service packet by the to-be-processed source device.
The detailed implementation of the defensive device determining the set of trusted source IP addresses of each destination device is described in detail below. It can be understood that, in the service packet processing system, each of the plurality of source devices may access the destination device, some of the plurality of source devices accessing the destination device are trusted source devices, and some of the plurality of source devices accessing the destination device are non-trusted source devices. Therefore, whether each source device is a trusted source device of the destination device can be determined based on the characteristic information of the service message of the destination device accessed by each source device.
For this purpose, first, a feature information set of a service packet of each source device accessing the destination device needs to be determined. The detailed implementation process is as follows:
in order to achieve the purpose of determining the trusted source IP address set of each destination device by using big data, the defense device needs to acquire a large number of historical service packets accessing each destination device, so as to obtain feature information of each historical service packet.
The defense device can obtain the characteristic information of the historical service messages accessing each target device, and for convenience of control, the defense device can construct a characteristic information set for each target device. And storing the characteristic information of the historical service message accessing the destination equipment in a characteristic information set. And constructing a corresponding relation between the destination IP address of the destination device and the characteristic information set for subsequent use.
It can be understood that, for each destination device, the larger the number of the feature information in the feature information set is, the larger the number of the historical service messages is; the more accurate the calculation of the set of trusted source IP addresses of the destination device. However, the greater the amount of feature information, the lower the defensive device processing rate. Therefore, in a normal situation, a technician may preset a preset number of days, and the defense device only obtains the feature information of the historical service messages within the preset number of days, that is, the feature information set of each destination device only includes the feature information of the historical service messages within the preset number of days. The preset number of days may be determined according to actual conditions, and is not limited herein.
After determining the feature information set of each destination device, whether each source device is a trusted source device of the destination device is determined according to that feature information set. The following describes the process in which the defense device determines the trusted source IP address set of each destination device based on the feature information set of that destination device.
For each destination device, the process of determining the trusted source IP address is consistent, and therefore, the present application only takes the pending destination device among the multiple destination devices as an example, and describes in detail the process of determining the set of pending trusted source IP addresses of the pending destination device.
As shown in fig. 5, the method specifically includes the following steps:
Step S501: determining a to-be-processed feature information set corresponding to the to-be-processed destination IP address.
The defense device stores the corresponding relation between each destination IP address and the characteristic information set, so that the to-be-processed characteristic information set corresponding to the to-be-processed destination device can be searched according to the to-be-processed destination IP address. The feature information set to be processed comprises feature information of a plurality of historical service messages. The plurality of historical service messages may include service messages sent by the plurality of source devices to the target device to be processed within a preset number of days.
The characteristic information comprises a source IP address, a source port, a destination IP address, a destination port and access time of the historical service message; and the historical service message is a duplicate service message after the splitter duplicates the original service message sent to the target device to be processed by the source device.
Step S502: determining the IP addresses of a plurality of trusted source devices of the destination device to be processed based on the feature information set to be processed.
That is, among the plurality of source devices indicated by the feature information set to be processed, the IP addresses of the trusted source devices of the destination device to be processed are determined based on that set.
Step S503: determining the set of the IP addresses of the plurality of trusted source devices as the trusted source IP address set to be processed.
Step S504: storing the correspondence between the destination IP address to be processed of the destination device to be processed and the trusted source IP address set to be processed.
After determining the IP addresses of the multiple trusted source devices of the destination device to be processed, the IP addresses of the multiple trusted source devices may be aggregated to form the set of IP addresses of the trusted source devices to be processed. The correspondence between the destination IP address to be processed and the set of trusted source IP addresses to be processed is constructed and stored for use in the embodiment shown in fig. 3.
The detailed implementation process of determining the IP addresses of the multiple trusted source devices of the destination device to be processed based on the set of characteristic information to be processed in step S502 in fig. 5 is described in detail below. As shown in fig. 6, the following contents are specifically included:
Step S601: classifying the feature information in the to-be-processed feature information set according to source IP address, and then calculating, from each class of feature information, a preset number of attribute information items for each source IP address. The to-be-processed feature information set includes the feature information of historical service messages sent by a plurality of source devices.
The applicant of the present application finds that it is possible to determine whether a source device is a trusted source device of a to-be-processed destination device through attribute information of each source device. Therefore, the attribute information of the source device can be calculated when the set of feature information to be processed is acquired. The attribute information is predetermined by a technician, and when the technician determines 5 pieces of attribute information, the predetermined number is 5 pieces. When the technician determines 3 pieces of attribute information, the preset number is 3. It can be understood that the greater the amount of the attribute information, the more accurately it can be determined whether the source device is a trusted source device of the to-be-processed destination device.
The specific attribute information specifically includes: the total number of days for accessing the target device to be processed, the average number of accesses for accessing the target device to be processed each day, the average access interval for accessing the target device to be processed, and/or the distribution of access times for accessing the target device to be processed.
The feature information set to be processed comprises the feature information corresponding to each source device within the preset number of days, so the feature information in the feature information set to be processed can be classified according to the source IP address. After the classification, the feature information group corresponding to each source device in the preset number of days, that is, the feature information group corresponding to each source IP address in the preset number of days, can be obtained.
Each attribute information determination process is described in detail below for a feature information group corresponding to a source IP address:
(1) When the attribute information is the total number of days of accessing the destination device to be processed, the access date of each piece of feature information is determined from its access time in the feature information group. Then the number of distinct access dates is counted, which gives the total number of days on which the source device corresponding to the source IP address accessed the destination device to be processed; it is denoted by $Day_i$.
(2) When the attribute information is the average number of accesses per day to the destination device to be processed, the total number of accesses on each date is calculated from the access time in each piece of feature information. Then the sum of the totals over the different dates is calculated, and the quotient of this sum and the preset number of days is taken as the average number of accesses per day of the source device to the destination device to be processed; it is denoted by $Countperday_i$.
(3) When the attribute information is the average access interval of accessing the destination device to be processed, the feature information group is sorted by the access time of each piece of feature information, the access interval between every two adjacent pieces of feature information is calculated, and the sum of all access intervals is calculated. The quotient of this sum and the total number of access intervals is determined as the average access interval of accessing the destination device to be processed; it is denoted by $Interval_i$.
(4) When the attribute information is the access time distribution of accessing the destination device to be processed, the access time distribution is determined from the access time of each piece of feature information in the feature information group; it is denoted by $Accesstime_i$.
In the four attribute information items, i is a natural number with $1 \le i \le N$, and N is the number of source IP addresses obtained after the to-be-processed feature information set is classified, that is, the number of source devices.
Step S602: and calculating a confidence interval of each attribute information based on the preset number of attribute information of each source IP address.
Each attribute information has a reasonable interval, and if the attribute information of a source device is in the confidence interval corresponding to the attribute information, the attribute information of the source device is reasonable.
The present embodiment applies the 3σ criterion to determine the confidence interval of each attribute information. The specific implementation of this step is described below; as shown in fig. 7, it includes the following steps:
Step 701: calculating the average value and the variance value of each attribute information based on the preset number of attribute information items of each source IP address.
If the letter X represents an attribute information item, with $X_i$ its value for the i-th source device, the average value and the variance value of the attribute information are calculated as follows:
The calculation formula for the average value of the attribute information is:
$$\bar{X} = \frac{1}{N}\sum_{i=1}^{N} X_i$$
The calculation formula for the variance value of the attribute information is:
$$\sigma_X^2 = \frac{1}{N}\sum_{i=1}^{N}\left(X_i - \bar{X}\right)^2$$
In the above two formulas, N is the total number of source devices.
Through the above calculation formula, the mean and variance of each attribute information can be determined. See the following detailed attribute information representation:
(1) When the attribute information is the total number of days $Day_i$ of accessing the destination device to be processed, the average value $\overline{Day}$ of the total number of days and the variance value $Day\sigma$ are calculated.
(2) When the attribute information is the average number of accesses per day $Countperday_i$ to the destination device to be processed, the average value $\overline{Countperday}$ of the average number of accesses and the variance value $Countperday\sigma$ are calculated.
(3) When the attribute information is the average access interval $Interval_i$ of accessing the destination device to be processed, the average value $\overline{Interval}$ of the average access interval and the variance value $Interval\sigma$ are calculated.
(4) When the attribute information is the access time distribution $Accesstime_i$ of accessing the destination device to be processed, the average value $\overline{Accesstime}$ of the access time distribution and the variance value $Accesstime\sigma$ are calculated.
Step 702: determining a confidence interval of each preset attribute by using the average value and the variance value of each attribute information.
One specific implementation is as follows: [mean − 3 × variance value, mean + 3 × variance value] of each preset attribute is determined as the confidence interval of that preset attribute, that is, $[\bar{X} - 3\sigma_X,\ \bar{X} + 3\sigma_X]$.
(1) When the attribute information is the total number of days $Day_i$ of accessing the destination device to be processed, the confidence interval is $[\overline{Day} - 3\,Day\sigma,\ \overline{Day} + 3\,Day\sigma]$.
(2) When the attribute information is the average number of accesses per day $Countperday_i$, the confidence interval is $[\overline{Countperday} - 3\,Countperday\sigma,\ \overline{Countperday} + 3\,Countperday\sigma]$.
(3) When the attribute information is the average access interval $Interval_i$ of accessing the destination device to be processed, the confidence interval is $[\overline{Interval} - 3\,Interval\sigma,\ \overline{Interval} + 3\,Interval\sigma]$.
(4) When the attribute information is the access time distribution $Accesstime_i$ of accessing the destination device to be processed, the confidence interval of the access time distribution is $[\overline{Accesstime} - 3\,Accesstime\sigma,\ \overline{Accesstime} + 3\,Accesstime\sigma]$.
of course, the confidence interval of each preset attribute may also be determined in other manners, for example, [ mean-2 × variance, mean +2 × variance ], [ mean-1 × variance, mean +1 × variance ], and the like, which are not described herein again.
Step S603: and if more than half of attribute information of one source IP address is in the corresponding confidence interval, determining the source IP address as the IP address of the credible source equipment of the target equipment to be processed.
And aiming at each source IP address, matching each attribute information with the confidence interval corresponding to the attribute information. If the attribute information is in the confidence interval, the attribute information is normal, and if the attribute information is not in the confidence interval, the attribute information is abnormal.
Taking four attribute information as an example, if 3 pieces of attribute information of one source device are located in the corresponding confidence intervals, it is indicated that the source device is a trusted source device of the destination device. The IP address of the trusted source device may be added to the set of pending trusted IP addresses of the pending destination device.
For example, taking the attribute information as the total number of days of accessing the destination device to be processed, suppose the confidence interval is 3 to 6 days when the preset number of days is 7 days. If a source device accessed the destination device to be processed on 5 days, the total-days attribute of that source device is normal. If a source device accessed the destination device to be processed on 7 days, the total-days attribute of that source device is abnormal.
All source devices are judged in this way to determine all trusted source devices of the destination device to be processed. The set of the IP addresses of all trusted source devices is determined as the trusted source IP address set to be processed of the destination device to be processed.
The above is a process of determining a set of trusted source IP addresses based on the characteristic information of historical service messages in preset days. As shown in fig. 8, the method further includes:
Step S801: after receiving a duplicate to-be-processed service message consistent with the to-be-processed service message, extracting the feature information of the duplicate to-be-processed service message.
In the process that the source device continuously accesses the destination device, the defense device also continuously updates the characteristic information set of each destination device. For example, the defense device may receive the duplicate pending service packet, and extract feature information of the duplicate pending service packet therefrom.
Step S802: updating the to-be-processed feature information set with the feature information of the duplicate to-be-processed service message.
The feature information of the duplicate to-be-processed service message is added to the to-be-processed feature information set of the destination device to be processed. Of course, the feature information of service packets from other source devices accessing the destination device to be processed may also be added to the to-be-processed feature information set according to the process shown in fig. 8.
Since the to-be-processed feature information set only holds the feature information of historical service messages accessing the destination device to be processed within the preset number of days, taking 7 days as an example, when the feature information of a new day is added to the to-be-processed feature information set, the feature information of the earliest day in the set is deleted.
The defense device can re-determine the set of the to-be-processed trusted source IP addresses based on the updated set of the to-be-processed characteristic information. So as to ensure that the IP address set of the to-be-processed trusted source of the to-be-processed destination equipment is updated in real time at any time.
For example, the defense device may operate once a day, so as to determine the latest set of to-be-processed trusted source IP addresses of the to-be-processed destination device according to the updated set of to-be-processed feature information. Therefore, the embodiment shown in fig. 3 can determine whether the pending service packet sent by the pending source device is normal according to the latest pending trusted source IP address set of the pending destination device, so as to have a higher accuracy.
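The trusted-source computation of steps S601 to S603, combined with the sliding window of the preset number of days described for fig. 8, as an added example in Python; it is not code from the patent or its applicant. The feature records, IP addresses and destination are constructed, and reducing the access time distribution to the mean hour-of-day of a source's accesses is an assumption, since the text does not say how that distribution is turned into a number.

```python
"""Trusted source IP address set from historical feature records.

Added example (not the patent's own code).  The records are constructed
sample data; the "access time distribution" attribute is reduced to the
mean hour-of-day of a source's accesses (an assumption), and records older
than WINDOW_DAYS are dropped, as in the sliding window of fig. 8.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

WINDOW_DAYS = 7      # the "preset number of days"
SIGMA_K = 3          # 3-sigma criterion; the text also allows 2 or 1
DST = "10.0.0.5"     # constructed destination IP address to be processed


def constructed_records():
    """Feature records: (src_ip, src_port, dst_ip, dst_port, access_time)."""
    recs = []
    # 20 steady sources: four hits a day, every day, at a fixed hour.
    for k in range(20):
        ip, hour = "192.0.2.%d" % (10 + k), 8 + k % 5
        for day in range(1, 8):
            for m in range(4):
                recs.append((ip, 40000 + m, DST, 443,
                             datetime(2016, 5, day, hour, 15 * m)))
    # One burst source: 60 hits within one minute on a single day.
    for s in range(60):
        recs.append(("198.51.100.7", 50000 + s, DST, 443,
                     datetime(2016, 5, 4, 3, 0, s)))
    # A record older than the window: it must be ignored.
    recs.append(("203.0.113.9", 1234, DST, 443, datetime(2016, 4, 20, 1, 0)))
    # Traffic to another destination must not influence DST's set.
    recs.append(("203.0.113.9", 1235, "10.0.0.6", 80, datetime(2016, 5, 6, 1, 0)))
    return recs


def attributes(group):
    """The four attribute values of one source IP address (step S601)."""
    times = sorted(r[4] for r in group)
    total_days = len({t.date() for t in times})                 # Day_i
    per_day = len(times) / WINDOW_DAYS                          # Countperday_i
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    interval = mean(gaps) if gaps else 0.0                      # Interval_i
    hour = mean([t.hour + t.minute / 60 for t in times])        # Accesstime_i
    return (total_days, per_day, interval, hour)


def confidence_intervals(attrs, k=SIGMA_K):
    """[mean - k*sigma, mean + k*sigma] for each attribute (step S602)."""
    out = []
    for j in range(4):
        col = [a[j] for a in attrs.values()]
        m, s = mean(col), pstdev(col)   # sigma: population standard deviation
        out.append((m - k * s, m + k * s))
    return out


def trusted_sources(records, dst_ip, as_of, k=SIGMA_K):
    """Return (trusted_ip_set, attrs_by_ip, intervals) for one destination."""
    oldest = as_of - timedelta(days=WINDOW_DAYS - 1)
    groups = defaultdict(list)
    for r in records:
        if r[2] == dst_ip and r[4].date() >= oldest:
            groups[r[0]].append(r)
    attrs = {ip: attributes(g) for ip, g in groups.items()}
    if not attrs:
        return set(), {}, []
    intervals = confidence_intervals(attrs, k)
    trusted = set()
    for ip, a in attrs.items():
        inside = sum(lo <= a[j] <= hi for j, (lo, hi) in enumerate(intervals))
        if inside > len(intervals) / 2:     # more than half: step S603
            trusted.add(ip)
    return trusted, attrs, intervals


if __name__ == "__main__":
    trusted, attrs, ivals = trusted_sources(constructed_records(), DST,
                                            date(2016, 5, 7))
    for ip, a in sorted(attrs.items()):
        print(ip, "trusted" if ip in trusted else "untrusted", a)
```

Note that with population σ no sample can lie more than √(N−1) standard deviations from the mean, so the 3σ rule cannot exclude anything unless the destination has more than ten source devices in the window.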
The present application provides a scenario embodiment of a service packet processing system, as shown in fig. 9, specifically including:
a plurality of source devices 100, an optical splitter 200 connected to the plurality of source devices 100, a routing device 300 and a defense device 400 connected to the optical splitter 200, and a plurality of destination devices 500 connected to the routing device 300. The routing device 300 provided in this embodiment may be a core router.
The source device 100 to be processed in the multiple source devices is configured to send a service packet to be processed to the destination device 500 to be processed in the multiple destination devices. The service message to be processed comprises a destination IP address to be processed of a destination device to be processed and a source IP address to be processed of a source device to be processed.
The optical splitter 200 is configured to process the service packet to be processed, and send the service packet to be processed to the routing device 300.
The optical splitter can receive original service messages sent by a plurality of source devices, and copy the original service messages to obtain duplicate service messages. Then, the duplicate service message is sent to the defense device, and the original service message is sent to the routing device. In the method, the routing equipment and the defense equipment both need the service messages, so that the original service messages are copied by adopting the optical splitter, and two identical service messages are obtained. Therefore, the purpose that both the routing equipment and the defense equipment can obtain the service message is achieved.
The defense device 400 is configured to pull, from the routing device, the pending service packet whose destination IP address is the pending destination IP address; determine the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address according to the correspondence between destination IP addresses and trusted source IP address sets; and, if the to-be-processed source IP address in the to-be-processed service message is determined to be in the to-be-processed trusted source IP address set, reinject the to-be-processed service message to the routing device 300.
The IP address set of the trusted source to be processed is a set of IP addresses of a plurality of trusted source devices of the target device to be processed, which is determined based on the characteristic information of the historical service message accessing the target device to be processed.
The routing device 300 is configured to receive the service packet to be processed, which is reinjected by the defense device, and forward the service packet to be processed to the destination device 500 to be processed, which corresponds to the destination IP address to be processed.
Specific implementations of the defense apparatus 400 are described in detail below:
as shown in fig. 10, the defense device includes a cleaning device 410 and an analysis device 420; wherein the analyzing device is connected to the optical splitter 200, and the cleaning device 410 is connected to the routing device 300 and the analyzing device 420.
The analysis device 420 is configured to determine a trusted source IP address set for each destination device from the feature information, supplied by the optical splitter, of the historical service messages with which multiple source devices accessed that destination device, and to store the correspondence between each destination IP address and its trusted source IP address set.
The cleaning device 410 is configured to obtain from the analysis device the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address, using the correspondence between destination IP addresses and trusted source IP address sets; to obtain from the routing device the to-be-processed service message that corresponds to the to-be-processed destination IP address and contains the to-be-processed source IP address; and, if the to-be-processed source IP address is in the to-be-processed trusted source IP address set, to reinject the to-be-processed service message to the routing device 300.
As shown in fig. 11, the analyzing device 420 specifically includes: preprocessing server 421, analysis server 422, and database device 423.
The processing performed by each part of the analysis device 420 is described below, taking the determination of the correspondence between the to-be-processed destination IP address and the to-be-processed trusted source IP address set as an example.
The preprocessing server 421 is configured to determine the to-be-processed feature information set corresponding to the to-be-processed destination IP address. The to-be-processed feature information set consists of the feature information of the historical service messages that accessed the to-be-processed destination device within a preset number of days; each historical service message is a duplicate service message produced when the splitter copied an original service message sent by a source device to the to-be-processed destination device.
The characteristic information comprises a source IP address, a source port, a destination IP address, a destination port and access time of the historical service message.
The analysis server 422 is configured to determine, from the to-be-processed feature information set, the IP addresses of the multiple trusted source devices of the to-be-processed destination device, and to take the set of those IP addresses as the to-be-processed trusted source IP address set.
The database device 423 is configured to store the to-be-processed trusted source IP address set and the correspondence between the to-be-processed destination IP address of the to-be-processed destination device and that set.
In fig. 11, the analysis server 422 determines the IP addresses of the multiple trusted source devices of the to-be-processed destination device from the to-be-processed feature information set as follows:
classify the feature information in the to-be-processed feature information set by source IP address; from each class, compute a preset number of attributes for that source IP address; compute a confidence interval for each attribute from the values of that attribute over all source IP addresses; and, if more than half of a source IP address's attributes fall within their corresponding confidence intervals, determine that source IP address to be the IP address of a trusted source device of the to-be-processed destination device.
Wherein the attributes of each source IP address comprise: the total number of days on which it accessed the to-be-processed destination device, the average number of accesses per day, the average interval between accesses, and/or the distribution of its access times.
In fig. 11, the step in which the analysis server 422 calculates the confidence interval of each attribute from the preset number of attributes of each source IP address specifically includes:
calculating, for each attribute, the mean and the variance value over the values of that attribute for all source IP addresses, and taking [mean − 3·variance value, mean + 3·variance value] as the confidence interval of that attribute. (The text says "variance value"; the conventional three-sigma interval is mean ± 3 standard deviations, the standard deviation being the square root of the variance. Claim 6 only requires that the interval be derived from the mean and the variance value.)
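The trusted-source computation described above, as an added example in Python; this is not the patent's own code. It assumes, where the patent is silent, that a feature record is a tuple (src_ip, src_port, dst_ip, dst_port, access_time) with access_time a UNIX timestamp, that the "distribution of access times" attribute is reduced to a single number (the population standard deviation of the hour of day), that the interval is mean ± 3 standard deviations, and that the sample history (build_sample) is constructed, not captured traffic.

```python
# Added example, not the patent's code. Assumptions: feature records are
# (src_ip, src_port, dst_ip, dst_port, unix_time); the "access time distribution"
# attribute is the population std-dev of the hour of day; 3-sigma uses std-dev.
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

DST = "203.0.113.10"        # protected destination (RFC 5737 documentation address)
ATTACKER = "192.0.2.66"     # source that floods DST inside a single hour


def attributes_for(times):
    """Attribute vector for one source IP from its sorted access timestamps:
    (total days, mean accesses per day, mean access interval, hour-of-day spread)."""
    stamps = [datetime.fromtimestamp(t, timezone.utc) for t in times]
    total_days = len({s.date() for s in stamps})
    avg_per_day = len(times) / total_days
    avg_interval = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else 0.0
    hour_spread = pstdev([s.hour for s in stamps]) if len(stamps) > 1 else 0.0
    return (total_days, avg_per_day, avg_interval, hour_spread)


def confidence_intervals(attr_rows, k=3.0):
    """Per-attribute [mean - k*sigma, mean + k*sigma] over all source IPs."""
    intervals = []
    for column in zip(*attr_rows):
        mu, sigma = mean(column), pstdev(column)
        intervals.append((mu - k * sigma, mu + k * sigma))
    return intervals


def trusted_sources(records, dst_ip, k=3.0):
    """Trusted source IP set for dst_ip: a source is trusted when more than half of
    its attributes lie inside the corresponding confidence interval."""
    by_src = defaultdict(list)                     # classify feature info by source IP
    for src_ip, _sport, d_ip, _dport, t in records:
        if d_ip == dst_ip:
            by_src[src_ip].append(t)
    if not by_src:
        return set()
    attrs = {ip: attributes_for(sorted(ts)) for ip, ts in by_src.items()}
    intervals = confidence_intervals(list(attrs.values()), k)
    trusted = set()
    for ip, vec in attrs.items():
        inside = sum(lo <= v <= hi for v, (lo, hi) in zip(vec, intervals))
        if inside > len(vec) / 2:
            trusted.add(ip)
    return trusted


def build_sample(n_regular, base=1_462_406_400):   # 2016-05-05 00:00:00 UTC
    """Constructed one-week history: n_regular sources visit DST three times a day
    at fixed hours; ATTACKER sends 5000 requests one second apart on a single day."""
    records = []
    for i in range(n_regular):
        src = f"198.51.100.{i + 1}"
        hours = (8, 12, 16) if i % 2 == 0 else (9, 13, 17)
        for day in range(7):
            for h in hours:
                records.append((src, 40000 + i, DST, 443, base + day * 86400 + h * 3600))
    for s in range(5000):
        records.append((ATTACKER, 51000, DST, 443, base + 3 * 86400 + 10 * 3600 + s))
    return records


if __name__ == "__main__":
    trusted = trusted_sources(build_sample(12), DST)
    print(sorted(trusted), "attacker trusted:", ATTACKER in trusted)
```

One property of this interval test matters in deployment: with population statistics, a single outlier among n otherwise similar sources has a z-score of at most sqrt(n), so a destination with fewer than 10 regular clients cannot have any source fall outside mean ± 3σ, and the flooding source above is admitted to the trusted set when build_sample(4) is used instead of build_sample(12). The patent's daily re-determination (the preprocessing server extending the feature set and the analysis server recomputing) is just trusted_sources run again over the extended records.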
In the system shown in fig. 9, the optical splitter 200 also copies the to-be-processed service message to obtain a duplicate to-be-processed service message and sends the duplicate to the preprocessing server.
The preprocessing server 421 is further configured to receive the duplicate to-be-processed service message, extract its feature information, and add that feature information to the to-be-processed feature information set.
The analysis server 422 is configured to re-determine the to-be-processed trusted source IP address set from the updated to-be-processed feature information set and to update the set stored in the database device 423.
In addition, the database device 423 of the analysis device 420 is further configured to store a blacklist including a plurality of attack source IP addresses.
The cleaning device 410 is further configured to determine whether the to-be-processed source IP address in the to-be-processed service message is in the blacklist; if it is, to determine the to-be-processed service message to be an attack message and not reinject it to the routing device.
The cleaning device 410 is further configured to apply speed-limiting processing to the to-be-processed service message if the to-be-processed source IP address is neither in the blacklist nor in the to-be-processed trusted source IP address set.
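The three-way decision of the cleaning device (blacklist, trusted set, otherwise speed-limit), as an added example in Python rather than the patent's code. It assumes, where the patent is silent, that the trusted sets and blacklist are in-memory structures standing in for the database device, that "speed-limiting processing" is a per-(source, destination) token bucket whose rate and burst are chosen here for illustration, and that the blacklist is consulted before the trusted set; the addresses in run_scenario are constructed.

```python
# Added example, not the patent's code. Assumptions: in-memory trusted sets and
# blacklist; speed limiting = token bucket per (source, destination); blacklist wins.
import time


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = self.burst, None

    def allow(self, now):
        if self.last is not None:                       # refill for elapsed time
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CleaningDevice:
    def __init__(self, trusted_by_dst, blacklist, rate=5.0, burst=10.0):
        self.trusted_by_dst = {d: set(s) for d, s in trusted_by_dst.items()}
        self.blacklist = set(blacklist)
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def handle(self, src_ip, dst_ip, now=None):
        """Decide one message: 'drop' (blacklisted attack source, never reinjected),
        'reinject' (trusted source, or untrusted source within its rate limit) or
        'rate-limited' (untrusted source over its limit; the excess is not reinjected)."""
        now = time.monotonic() if now is None else now
        if src_ip in self.blacklist:
            return "drop"
        if src_ip in self.trusted_by_dst.get(dst_ip, set()):
            return "reinject"
        bucket = self.buckets.setdefault((src_ip, dst_ip), TokenBucket(self.rate, self.burst))
        return "reinject" if bucket.allow(now) else "rate-limited"


# Constructed state: one protected destination, two trusted sources, one blacklisted
# source (RFC 5737 documentation addresses).
DST = "203.0.113.10"
TRUSTED = {DST: {"198.51.100.1", "198.51.100.2"}}
BLACKLIST = {"192.0.2.66"}


def run_scenario():
    """Replay a burst of 12 messages per source at t=0, then 6 more from the
    unknown source at t=1s; return the verdict sequences."""
    device = CleaningDevice(TRUSTED, BLACKLIST, rate=5.0, burst=10.0)
    verdicts = {"trusted": [], "blacklisted": [], "unknown": []}
    for _ in range(12):
        verdicts["trusted"].append(device.handle("198.51.100.1", DST, now=0.0))
        verdicts["blacklisted"].append(device.handle("192.0.2.66", DST, now=0.0))
        verdicts["unknown"].append(device.handle("198.51.100.200", DST, now=0.0))
    verdicts["unknown_later"] = [device.handle("198.51.100.200", DST, now=1.0)
                                 for _ in range(6)]
    return verdicts


if __name__ == "__main__":
    for name, seq in run_scenario().items():
        print(name, seq)
```

The verdict depends on the source IP address alone. For traffic whose source address can be forged (connectionless protocols with no handshake), a sender who uses a trusted client's address is reinjected without limit; the patent does not address this, so a deployment would pair the trusted-set check with a connection-oriented signal before treating a packet as trusted.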
From the technical content above, the application has the following beneficial effects:
the application provides a service message processing system. After receiving a to-be-processed service message containing a to-be-processed destination IP address, it determines the to-be-processed trusted source IP address set corresponding to that destination IP address and then judges whether the to-be-processed source IP address in the message is in that set. If so, the to-be-processed source device that sent the message is a trusted source device and the message is a normal message. To let normal messages pass, the to-be-processed service message is reinjected to the routing device, which forwards it to the to-be-processed destination device.
Because the trusted source IP address set is derived from a large volume of historical traffic, it identifies the regular clients of a destination with high accuracy. Attack messages in the service traffic can therefore be cleaned while normal messages are not mistakenly discarded.
The functions described in the method of the present embodiment, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (15)

1. A method for processing service messages is characterized by comprising the following steps:
acquiring a to-be-processed service message which corresponds to a to-be-processed target IP address and contains a to-be-processed source IP address;
determining a to-be-processed trusted source IP address set corresponding to the to-be-processed target IP address according to the corresponding relation between the target IP address and the trusted source IP address set;
if the IP address of the source to be processed is judged to be in the IP address set of the trusted source to be processed, the service message to be processed is reinjected to the routing equipment;
the IP addresses of the plurality of trusted source devices of the to-be-processed destination device in the to-be-processed trusted source IP address set are determined as follows: after classifying the feature information in the to-be-processed feature information set by source IP address, calculating a preset number of attributes for each source IP address from its class of feature information; calculating a confidence interval for each attribute from the preset number of attributes of each source IP address; and, if more than half of the attributes of a source IP address are within the corresponding confidence intervals, determining that source IP address to be the IP address of a trusted source device of the to-be-processed destination device.
2. The method according to claim 1, wherein the obtaining the pending service packet corresponding to the pending destination IP address comprises:
pulling, from the routing device, the to-be-processed service message corresponding to the to-be-processed destination IP address.
3. The method of claim 1, wherein the set of trusted source IP addresses to be processed is a set of IP addresses of a plurality of trusted source devices determined based on characteristic information of historical traffic packets accessing the destination device to be processed.
4. The method of claim 3, wherein determining a set of IP addresses of a plurality of trusted source devices based on characteristic information of historical traffic packets accessing the destination device to be processed comprises:
determining a set of to-be-processed characteristic information corresponding to the to-be-processed destination IP address; the feature information set to be processed consists of feature information of historical service messages which access the target equipment to be processed within preset days;
determining IP addresses of a plurality of credible source devices of the target device to be processed based on the set of characteristic information to be processed;
determining a set of IP addresses of the plurality of trusted source devices as the set of the trusted source IP addresses to be processed;
and storing the to-be-processed trusted source IP address set and the correspondence between the to-be-processed destination IP address and the to-be-processed trusted source IP address set.
5. The method of claim 4,
the attribute information of each source IP address includes: the total number of days for accessing the target equipment to be processed, the average access times for accessing the target equipment to be processed each day, the average access interval for accessing the target equipment to be processed and/or the access time distribution for accessing the target equipment to be processed; wherein, the characteristic information of the historical service message includes: the source IP address, the source port, the destination IP address, the destination port and the access time of the historical service message.
6. The method of claim 5, wherein the calculating the confidence interval for each attribute information based on the preset number of attribute information for each source IP address comprises:
and calculating the average value and the variance value of each attribute information based on the preset number of attribute information of each source IP address, and determining the confidence interval of each attribute information by using the average value and the variance value of each attribute information.
7. The method of claim 4, further comprising:
after receiving a duplicate to-be-processed service message consistent with the to-be-processed service message, extracting the characteristic information of the duplicate to-be-processed service message;
and updating the feature information set to be processed by utilizing the feature information of the duplicate service message to be processed.
8. The method of claim 7, further comprising:
and re-determining the to-be-processed trusted source IP address set based on the updated to-be-processed characteristic information set.
9. The method according to claim 1, wherein after acquiring the pending service packet corresponding to the pending destination IP address and including the pending source IP address, the method further comprises:
judging whether the IP address of the source to be processed in the service message to be processed is in a blacklist or not;
if the source IP address to be processed is in the blacklist, determining the service message to be processed as an attack message;
and forbidding the service message to be processed from being reinjected to the routing equipment.
10. The method of claim 9, further comprising:
and if it is determined that the to-be-processed source IP address is not in the blacklist and not in the to-be-processed trusted source IP address set, performing speed-limiting processing on the to-be-processed service message.
11. A system for processing service messages, comprising:
the system comprises a plurality of source devices, an optical splitter connected with the source devices, a routing device and a defense device connected with the optical splitter, and a plurality of destination devices connected with the routing device;
the source equipment to be processed in the source equipment is used for sending a service message to be processed to the destination equipment to be processed in the destination equipment; the service message to be processed comprises a destination IP address to be processed of a destination device to be processed and a source IP address to be processed of a source device to be processed;
the optical splitter is configured to process the service packet to be processed, and send the service packet to be processed to the routing device;
the defense device is used for acquiring a service message to be processed corresponding to a destination IP address to be processed from the routing device; determining a to-be-processed trusted source IP address set corresponding to the to-be-processed target IP address according to the corresponding relation between the target IP address and the trusted source IP address set; if the IP address of the source to be processed is judged to be in the IP address set of the trusted source to be processed, the service message to be processed is reinjected to the routing equipment;
the routing device is used for receiving the service message to be processed which is reinjected by the defense device and forwarding the service message to be processed to the target device to be processed corresponding to the target IP address to be processed;
the IP addresses of the plurality of trusted source devices of the to-be-processed destination device in the to-be-processed trusted source IP address set are determined as follows: after classifying the feature information in the to-be-processed feature information set by source IP address, calculating a preset number of attributes for each source IP address from its class of feature information; calculating a confidence interval for each attribute from the preset number of attributes of each source IP address; and, if more than half of the attributes of a source IP address are within the corresponding confidence intervals, determining that source IP address to be the IP address of a trusted source device of the to-be-processed destination device.
12. The system of claim 11, wherein the defense device comprises a cleaning device and an analysis device; the analysis equipment is connected with the optical splitter, and the cleaning equipment is connected with the routing equipment and the analysis equipment;
the analysis device is used for determining a credible source IP address set of each destination device based on the characteristic information of the historical service message of the destination device accessed by the source devices, which is sent by the optical splitter, and storing the corresponding relation between the destination IP address and the credible source IP address set;
the cleaning device is configured to obtain from the analysis device the to-be-processed trusted source IP address set corresponding to the to-be-processed destination IP address according to the correspondence between destination IP addresses and trusted source IP address sets; to obtain from the routing device the to-be-processed service message that corresponds to the to-be-processed destination IP address and contains the to-be-processed source IP address; and, if the to-be-processed source IP address in the to-be-processed service message is determined to be in the to-be-processed trusted source IP address set, to reinject the to-be-processed service message to the routing device.
13. The system of claim 12, wherein the analysis device comprises: a preprocessing server, an analysis server and a database device;
the preprocessing server is used for determining a set of characteristic information to be processed corresponding to a destination IP address to be processed; the feature information set to be processed consists of feature information of historical service messages which access the target equipment to be processed within preset days; the historical service message is a duplicate service message after the splitter duplicates the original service message sent to the target equipment to be processed by the source equipment;
the analysis server is used for determining IP addresses of a plurality of credible source devices of the target device to be processed based on the characteristic information set to be processed; determining a set of IP addresses of the plurality of trusted source devices as the set of the trusted source IP addresses to be processed;
the database device is configured to store the to-be-processed trusted source IP address set and the correspondence between the to-be-processed destination IP address and the to-be-processed trusted source IP address set.
14. The system of claim 13,
the database device of the analysis device is also used for storing a blacklist containing a plurality of attack source IP addresses;
the cleaning device is further configured to determine whether a source IP address to be processed in the service message to be processed is in the blacklist; if the source IP address to be processed is in the blacklist, determining the service message to be processed as an attack message; and forbidding the service message to be processed from being reinjected to the routing equipment.
15. The system of claim 14,
and the cleaning device is further configured to perform speed-limiting processing on the to-be-processed service message if it is determined that the to-be-processed source IP address is not in the blacklist and not in the to-be-processed trusted source IP address set.
Application CN201610294119.3A (granted as CN107347051B), "Service message processing method and system", priority date and filing date 2016-05-05, status Active.

Publications (2)

Publication Number Publication Date
CN107347051A (en) 2017-11-14
CN107347051B (en) 2021-02-05

Family

ID=60253854; one family application, CN201610294119.3A (CN), Active.

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107896232B (en) * 2017-12-27 2020-04-03 北京奇艺世纪科技有限公司 IP address evaluation method and device
CN110324295B (en) * 2018-03-30 2022-04-12 阿里云计算有限公司 Defense method and device for domain name system flooding attack
CN111756679A (en) * 2019-03-29 2020-10-09 北京数安鑫云信息技术有限公司 Log analysis method and device, storage medium and computer equipment
CN114221906A (en) * 2021-11-11 2022-03-22 百度在线网络技术(北京)有限公司 Flow control method and device, electronic equipment and storage medium

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN103593609A (en) * 2012-08-16 2014-02-19 阿里巴巴集团控股有限公司 Trustworthy behavior recognition method and device
CN104468631A (en) * 2014-12-31 2015-03-25 国家电网公司 Network intrusion identification method based on anomaly flow and black-white list library of IP terminal

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
WO2001038999A1 (en) * 1999-11-23 2001-05-31 Escom Corporation Electronic message filter having a whitelist database and a quarantining mechanism
CN101431449B (en) * 2008-11-04 2011-05-04 中国科学院计算技术研究所 Network flux cleaning system
CN102413105A (en) * 2010-09-25 2012-04-11 杭州华三通信技术有限公司 Method and device for preventing attack of challenge collapsar (CC)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant