CN110798402B - Service message processing method, device, equipment and storage medium - Google Patents


Publication number
CN110798402B
Authority
CN
China
Prior art keywords
message
service message
identifier
service
analysis node
Prior art date
Legal status
Active
Application number
CN201911048091.5A
Other languages
Chinese (zh)
Other versions
CN110798402A (en)
Inventor
张元龙
甘祥
王永峰
赵力
葛双博
张栋
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201911048091.5A
Publication of CN110798402A
Application granted
Publication of CN110798402B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/302 Route determination based on requested QoS
    • H04L 45/306 Route determination based on the nature of the carried application
    • H04L 45/38 Flow based routing
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network security architectures or protocols for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application discloses a service message processing method, a device, equipment and a storage medium, belonging to the technical field of Internet, wherein the method comprises the following steps: receiving message identifications sent by all analysis nodes in a bypass traffic analysis system; acquiring a first message identifier; and if a second message identifier matched with the first message identifier exists in the received message identifiers, sending matching result information to a target analysis node in the bypass traffic analysis system, wherein the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing. The technical scheme provided by the embodiment of the application ensures that the request message and the response message belonging to the same session can be routed to the same analysis node for processing, solves the technical problems in the related art, and improves the detection capability of the bypass flow analysis system on the session-based network attack.

Description

Service message processing method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of internet, in particular to a method, a device, equipment and a storage medium for processing a service message.
Background
With the arrival of the information age, networks have become an indispensable carrier of information in daily life; at the same time, the convenience they bring is accompanied by attacks and sabotage from malicious organizations.
In order to deal with network attacks, enterprises generally use a network traffic analysis system to perform statistics, analysis and defense on network traffic, and the network traffic analysis system takes on the network traffic analysis and defense functions of the enterprises. The network traffic analysis system can be divided into the following two types according to the deployment mode: a serial analysis system and a bypass traffic analysis system. The bypass traffic analysis system uses mirror traffic for analysis, and generally copies a service message to the bypass traffic analysis system by using an optical splitter on an enterprise ingress switch, and then analyzes and processes the service message by using an analysis node in the bypass traffic analysis system. The bypass flow analysis system has the advantages that the service side is unaware, the service function is not influenced after the service side is changed or has a fault, the expansibility is strong, and the deployment is flexible, so that some large Internet companies generally adopt the bypass flow analysis system to realize the network flow analysis and defense functions.
A plurality of analysis nodes are typically included in a bypass traffic analysis system to implement a distributed network traffic analysis function. When a service message is distributed to different analysis nodes for processing, a request message and a response message belonging to the same session may be distributed to different analysis nodes, and each analysis node performs analysis independently, which results in that a session-based network attack cannot be effectively detected. That is, the bypass traffic analysis system has insufficient detection capability for session-based cyber attacks.
Disclosure of Invention
The embodiment of the application provides a service message processing method, a service message processing device, service message processing equipment and a storage medium, which can be used for solving the technical problem that the detection capability of a bypass traffic analysis system on session-based network attacks in the related art is insufficient. The technical scheme is as follows:
in one aspect, an embodiment of the present application provides a method for processing a service message, where the method includes:
receiving message identifiers sent by each analysis node in a bypass traffic analysis system, wherein the bypass traffic analysis system comprises n analysis nodes, and n is an integer greater than 1;
acquiring a first message identifier, wherein the first message identifier is any one of the received message identifiers;
if a second message identifier matched with the first message identifier exists in the received message identifiers, sending matching result information to a target analysis node in the bypass traffic analysis system, wherein the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing;
wherein, the message identifier of the first service message is the first message identifier, and the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
On the other hand, an embodiment of the present application provides a method for processing a service message, where the method includes:
acquiring a first service message;
generating a first message identifier, wherein the first message identifier is a message identifier of the first service message;
sending the first message identifier to a matching server, wherein the matching server is used for sending matching result information to a target analysis node in a bypass traffic analysis system under the condition of acquiring a second message identifier matched with the first message identifier, and the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing;
wherein the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
In another aspect, an embodiment of the present application provides a service message processing apparatus, where the apparatus includes:
an identifier receiving module, configured to receive message identifiers sent by all analysis nodes in a bypass traffic analysis system, where the bypass traffic analysis system comprises n analysis nodes and n is an integer greater than 1;
the identification acquisition module is used for acquiring a first message identification, wherein the first message identification is any one of the received message identifications;
a result sending module, configured to send matching result information to a target analysis node in the bypass traffic analysis system if a second message identifier matching the first message identifier exists in the received message identifiers, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing; wherein the message identifier of the first service message is the first message identifier, and the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
In another aspect, an embodiment of the present application provides a service message processing apparatus, where the apparatus includes:
the message acquisition module is used for acquiring a first service message;
an identifier generating module, configured to generate a first message identifier, where the first message identifier is a message identifier of the first service message;
the identification sending module is used for sending the first message identification to a matching server, the matching server is used for sending matching result information to a target analysis node in a bypass traffic analysis system under the condition that a second message identification matched with the first message identification is obtained, and the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing; wherein the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
In a further aspect, an embodiment of the present application provides a computer device, where the computer device includes a processor and a memory, where the memory stores at least one instruction, at least one program, a code set, or a set of instructions, and the at least one instruction, the at least one program, the code set, or the set of instructions is loaded and executed by the processor to implement the foregoing service message processing method.
Optionally, the computer device is a matching server or an analysis node.
In a further aspect, the present application provides a computer-readable storage medium, where at least one instruction, at least one program, a code set, or a set of instructions is stored in the storage medium, and the at least one instruction, the at least one program, the code set, or the set of instructions is loaded and executed by a processor to implement the above-mentioned service message processing method.
In a further aspect, an embodiment of the present application provides a computer program product, where the computer program product is used to implement the service message processing method described above when being executed by a processor.
The technical scheme provided by the embodiment of the application can bring the following beneficial effects:
after the first message identifier and the second message identifier which are matched are found from the received message identifiers, matching result information is sent to a target analysis node in the bypass flow analysis system, and the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass flow analysis system for processing, so that the request message and the response message which belong to the same session can be routed to the same analysis node for processing, the technical problem in the related technology is solved, and the detection capability of the bypass flow analysis system on the session-based network attack is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present application;
fig. 2 illustrates a diagram of a distribution node sending a traffic message to an analysis node;
fig. 3 illustrates a schematic diagram of another optical splitting node sending a traffic message to an analysis node;
fig. 4 is a flowchart of a service message processing method according to an embodiment of the present application;
FIG. 5 is a diagram illustrating an interactive process of a request message and a response message;
fig. 6 is a flowchart of a service message processing method according to another embodiment of the present application;
fig. 7 is a flowchart of a service message processing method according to another embodiment of the present application;
fig. 8 is a flowchart of a service message processing method according to another embodiment of the present application;
fig. 9 is a flowchart of a service message processing method according to another embodiment of the present application;
fig. 10 is a block diagram of a service message processing apparatus according to an embodiment of the present application;
fig. 11 is a block diagram of a service message processing apparatus according to another embodiment of the present application;
fig. 12 is a block diagram of a service message processing apparatus according to another embodiment of the present application;
FIG. 13 is a block diagram of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a schematic diagram of an implementation environment provided by an embodiment of the present application is shown. The implementation environment may include: a terminal 10, a traffic server 20, a bypass traffic analysis system 30 (comprising a splitting node and a plurality of analysis nodes) and a matching server 40.
The terminal 10 may be an electronic device such as a mobile phone, a tablet computer, a game console, an e-book reader, a multimedia playing device, a wearable device, or a PC (Personal Computer).
Optionally, a client of the target application is installed in the terminal 10, and the target application may implement the designed service function, for example, the target application may be a video application, a social application, an instant messaging application, a game application, an information application, a reading application, a shopping application, a music application, and the like, which is not limited in this embodiment of the present application.
The service server 20 is used to provide background services for clients of target applications in the terminal 10. For example, the business server 20 may be a backend server for the target application described above. The service server 20 may be a server, a server cluster composed of a plurality of servers, or a cloud computing service center.
In the embodiment of the present application, data including service messages is transmitted between the terminal 10 and the service server 20 through the network. Data may be transmitted between the terminal 10 and the service server 20 based on a Protocol, such as HTTP (HyperText Transfer Protocol). HTTP is the most widely used application layer protocol at present, and because of the wide use of HTTP, network attack based on HTTP protocol has become the most commonly adopted attack method, and seriously threatens the production safety of enterprises. An HTTP session (session) may include a request message and a response message. For example, the terminal 10 transmits a request message to the service server 20, and the service server 20 transmits a response message corresponding to the request message to the terminal.
In this embodiment, a session may refer to a communication interaction between two devices during a particular uninterrupted period of operation. During a session, all messages transmitted between two devices belong to the session. In the embodiment of the present application, a session refers to a communication interaction between the terminal 10 and the service server 20 for transmitting a service message, and one session may include a request and response interaction, that is, one session includes one request message and one response message.
The bypass traffic analysis system 30 is a system for performing security analysis on the service message. The bypass traffic analysis system 30 includes an optical splitting node and n analysis nodes, where n is an integer greater than 1. The optical splitting node may also be referred to as an optical splitter or an optical splitting device, and is configured to copy a service message transmitted between the terminal 10 and the service server 20 and distribute the copy to different analysis nodes for processing. There are multiple analysis nodes, and together they implement a distributed network traffic analysis function. Optionally, the analysis nodes may be deployed in the same IDC (Internet Data Center) or in several different IDCs (a cross-IDC deployment), and each IDC may contain one or more analysis nodes. An analysis node may be any computer device with processing and storage capabilities, such as a server.
It has been described above that when distributing a traffic message to different analysis nodes for processing, a request message and a response message belonging to the same session may be distributed to different analysis nodes. For example, as shown in fig. 2, an HTTP request message and an HTTP response message belonging to the same HTTP session are distributed to two different analysis nodes, wherein the HTTP request message is transmitted to the analysis node 1, the HTTP response message is distributed to the analysis node 2, and the analysis node 1 and the analysis node 2 belong to the same IDC. That is, the HTTP request message and the HTTP response message belonging to the same HTTP session are distributed to two different analysis nodes in the same IDC. For another example, as shown in fig. 3, an HTTP request message and an HTTP response message belonging to the same HTTP session are distributed to two different analysis nodes, wherein the HTTP request message is sent to the analysis node 1, the HTTP response message is distributed to the analysis node 2, the analysis node 1 and the analysis node 2 belong to two different IDCs, the analysis node 1 belongs to IDC 1, and the analysis node 2 belongs to IDC 2. That is, the HTTP request message and the HTTP response message belonging to the same HTTP session are distributed to two analysis nodes in two different IDCs.
The matching server 40 is used to match service messages belonging to the same session. For example, if the service message is a request message, the matching server 40 matches a response message belonging to the same session as the request message; if the service message is a response message, the matching server 40 matches a request message belonging to the same session as the response message. For a request message and a response message belonging to the same session, the response message is a reply to the request message. Alternatively, the matching server 40 and the analysis nodes of the bypass traffic analysis system 30 may communicate over a network.
Alternatively, there may be one or more matching servers 40; illustratively, there are m matching servers 40, where m is an integer greater than 1. It should be noted that when there are multiple matching servers 40, the matching server 40 responsible for a service message is selected by uniform consistent hashing, and one or more virtual nodes are added for each server so that load is balanced across the matching servers 40.
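One way to realise the matching-server selection described above, as an added example that is not code from the patent: a consistent-hash ring with virtual nodes over m matching servers. It assumes the key being hashed is the session-invariant message identifier (so both halves of a session reach the same matching server); the server names, the MD5 ring hash and the 64 virtual nodes per server are constructed choices of this example.

```python
import bisect
import hashlib
from collections import Counter
from typing import Dict, Iterable, List


def _ring_hash(key: str) -> int:
    """Map a string to a 64-bit point on the ring (MD5 prefix; constructed choice)."""
    return int.from_bytes(hashlib.md5(key.encode()).digest()[:8], "big")


class MatchingServerRing:
    """Consistent-hash ring: each matching server owns `replicas` virtual nodes.

    A message identifier is served by the first virtual node clockwise from its
    hash, so adding a server only claims keys from its neighbours instead of
    reshuffling every assignment.
    """

    def __init__(self, servers: Iterable[str], replicas: int = 64):
        self.replicas = replicas
        self._points: List[int] = []        # sorted ring positions
        self._owner: Dict[int, str] = {}    # ring position -> server name
        for server in servers:
            self.add_server(server)

    def add_server(self, server: str) -> None:
        for i in range(self.replicas):
            point = _ring_hash(f"{server}#vnode{i}")
            if point in self._owner:        # astronomically unlikely collision
                continue
            self._owner[point] = server
            bisect.insort(self._points, point)

    def remove_server(self, server: str) -> None:
        self._points = [p for p in self._points if self._owner[p] != server]
        self._owner = {p: s for p, s in self._owner.items() if s != server}

    def server_for(self, message_id: str) -> str:
        """Return the matching server responsible for this message identifier."""
        if not self._points:
            raise RuntimeError("no matching servers on the ring")
        point = _ring_hash(message_id)
        idx = bisect.bisect_right(self._points, point)
        if idx == len(self._points):        # wrap around the ring
            idx = 0
        return self._owner[self._points[idx]]


def distribution(ring: MatchingServerRing, message_ids: Iterable[str]) -> Counter:
    """How many identifiers each matching server receives (load balance check)."""
    return Counter(ring.server_for(m) for m in message_ids)


def moved_fraction(before: MatchingServerRing, after: MatchingServerRing,
                   message_ids: List[str]) -> float:
    """Share of identifiers whose matching server changes between two ring layouts."""
    moved = sum(1 for m in message_ids if before.server_for(m) != after.server_for(m))
    return moved / len(message_ids)
```

With three servers and a fourth added, roughly a quarter of the identifiers move, and every moved identifier moves to the new server, which is the property that keeps request/response pairs on one matching server during scale-out.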
Referring to fig. 4, a flowchart of a method for processing a service message according to an embodiment of the present application is shown. The execution subject of the method may be the matching server 40 of the implementation environment shown in fig. 1. The method may comprise the following steps (401-403):
step 401, receiving message identifiers sent by each analysis node in the bypass traffic analysis system.
The message identifier uniquely identifies a service message. In this embodiment a service message is a session-based message, and the service messages belonging to one session are a request message and a response message.
In one possible embodiment, if the session is carried over TCP/IP (Transmission Control Protocol/Internet Protocol), the message identifier comprises five-tuple information of the service message. Optionally, the five-tuple of a request message consists of its source IP address, source port number, destination IP address, destination port number and acknowledgement number (Ack number); the five-tuple of a response message consists of its destination IP address, destination port number, source IP address, source port number and sequence number (Seq number).
For a request message and a response message belonging to the same session, the five-tuple information of the request message is identical to that of the response message. For example, referring to fig. 5, within one session the request message 51 has source IP address 1.1.1.1, source port number 5566, destination IP address 2.2.2.2, destination port number 80 and acknowledgement number (Ack number) 7000; the response message 52 has destination IP address 1.1.1.1, destination port number 5566, source IP address 2.2.2.2, source port number 80 and sequence number (Seq number) 7000.
In another possible embodiment, the message identifier comprises a digest of the five-tuple information of the service message, generated with a message digest algorithm such as a hash function or MD5 (Message-Digest Algorithm 5). Since the five-tuple information of service messages belonging to the same session is identical, their digests are identical as well.
Step 402, a first message identifier is obtained.
The first message identification is any one of the message identifications received by the matching server. After receiving each message identifier, the matching server may select a message identifier according to a predetermined rule to perform processing, so as to find whether a matched message identifier exists.
Step 403, if there is a second message identifier matching the first message identifier in the received message identifiers, sending matching result information to a target analysis node in the bypass traffic analysis system.
And the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass flow analysis system for processing. The message identifier of the first service message is a first message identifier, and the message identifier of the second service message is a second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
In this embodiment of the present application, the matching server searches, according to the first message identifier, whether a second message identifier matching with the first message identifier exists in each received message identifier. Optionally, the first message identifier includes quintuple information (denoted as first quintuple information) of the first service message, and the matching server searches whether there is quintuple information (denoted as second quintuple information) that is the same as the first quintuple information in each received message identifier, where the first quintuple information matches the second quintuple information. In another possible embodiment, the first message identifier includes a digest of five-tuple information of the first service message (denoted as a first digest), and the matching server searches whether a digest identical to the first digest (denoted as a second digest) exists in each received message identifier, and the first digest and the second digest are matched.
And after finding the matched first message identifier and second message identifier, the matching server sends matching result information to a target analysis node in the bypass traffic analysis system. In this embodiment, it is assumed that the first analysis node is an analysis node where the first service message is located, and the second analysis node is an analysis node where the second service message is located.
In one example, the target analysis node is the first analysis node. The matching server sends matching result information to the first analysis node in the bypass traffic analysis system, where the matching result information comprises the first message identifier and the node identifier of the second analysis node. After receiving the matching result information, the first analysis node retrieves the first service message according to the first message identifier and sends it to the second analysis node according to that node identifier. The second analysis node uses the message identifier of the first service message (that is, the first message identifier) to retrieve the second service message corresponding to the matched second message identifier, and then processes the first service message and the second service message together. In this way the first service message and the second service message belonging to the same session are routed to the same analysis node (the second analysis node) for processing.
In another example, the target analysis node is the second analysis node. The matching server sends matching result information to the second analysis node in the bypass traffic analysis system, where the matching result information comprises the second message identifier and the node identifier of the first analysis node. After receiving the matching result information, the second analysis node retrieves the second service message according to the second message identifier and sends it to the first analysis node according to that node identifier. The first analysis node uses the message identifier of the second service message (that is, the second message identifier) to retrieve the first service message corresponding to the matched first message identifier, and then processes the first service message and the second service message together. In this way the first service message and the second service message belonging to the same session are routed to the same analysis node (the first analysis node) for processing.
In yet another example, the target analysis node comprises both the first analysis node and the second analysis node. The matching server sends first matching result information to the first analysis node and second matching result information to the second analysis node, where the first matching result information comprises the first message identifier and the node identifier of a third analysis node, and the second matching result information comprises the second message identifier and the node identifier of the same third analysis node. The third analysis node is an analysis node in the bypass traffic analysis system distinct from the first and second analysis nodes. After receiving its matching result information, the first analysis node retrieves the first service message according to the first message identifier and sends it to the third analysis node; likewise, the second analysis node retrieves the second service message according to the second message identifier and sends it to the third analysis node. The third analysis node then processes the first service message and the second service message together. In this way the first service message and the second service message belonging to the same session are routed to the same analysis node (the third analysis node) for processing.
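The identifier construction (five-tuple and its digest), the matching in step 403, and the three routing variants above, carried through in one added example that is not code from the patent. It assumes a minimal message model and an MD5 serialisation of the five-tuple; the node IP addresses and the TCP numbers in the test are constructed, with 1.1.1.1:5566, 2.2.2.2:80 and 7000 taken from fig. 5.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceMessage:
    """One TCP/IP service message as copied to an analysis node (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int           # TCP sequence number of this message
    ack: int           # TCP acknowledgement number of this message
    is_request: bool   # True for the terminal's request, False for the server's response


def five_tuple(msg: ServiceMessage) -> Tuple[str, int, str, int, int]:
    """The page's session-invariant five-tuple: a request contributes (src, dst, Ack),
    a response contributes (dst, src, Seq), so both directions of one session agree."""
    if msg.is_request:
        return (msg.src_ip, msg.src_port, msg.dst_ip, msg.dst_port, msg.ack)
    return (msg.dst_ip, msg.dst_port, msg.src_ip, msg.src_port, msg.seq)


def message_identifier(msg: ServiceMessage) -> str:
    """Digest form of the identifier: MD5 over the five-tuple (one of the page's options;
    the ':' and '|' serialisation is an assumption of this example)."""
    ip1, p1, ip2, p2, num = five_tuple(msg)
    return hashlib.md5(f"{ip1}:{p1}|{ip2}:{p2}|{num}".encode()).hexdigest()


@dataclass(frozen=True)
class MatchResult:
    """Matching result information sent to one target analysis node."""
    recipient_node: str    # node that receives this instruction
    message_id: str        # identifier of the message it must look up and forward
    forward_to_node: str   # node identifier (an IP address on the page) that processes the session


class MatchingServer:
    """Holds unmatched identifiers (steps 401/402) and emits routing instructions on a match (step 403).

    strategy selects which of the page's three examples is used:
      "to_second": first node forwards its message to the second node
      "to_first":  second node forwards its message to the first node
      "to_third":  both nodes forward to a third node (third_node must be given)
    """

    def __init__(self, strategy: str = "to_second", third_node: Optional[str] = None):
        if strategy not in ("to_second", "to_first", "to_third"):
            raise ValueError(f"unknown strategy {strategy!r}")
        if strategy == "to_third" and third_node is None:
            raise ValueError("to_third strategy needs a third_node identifier")
        self.strategy = strategy
        self.third_node = third_node
        self.pending: Dict[str, str] = {}   # message_id -> node that reported it first

    def receive(self, message_id: str, node_id: str) -> List[MatchResult]:
        """Called once per identifier reported by an analysis node."""
        first_node = self.pending.get(message_id)
        if first_node is None:
            # No match yet: keep it and retry when the other half of the session arrives.
            self.pending[message_id] = node_id
            return []
        del self.pending[message_id]
        if first_node == node_id:
            return []   # request and response already landed on the same node
        second_node = node_id
        if self.strategy == "to_second":
            return [MatchResult(first_node, message_id, second_node)]
        if self.strategy == "to_first":
            return [MatchResult(second_node, message_id, first_node)]
        return [MatchResult(first_node, message_id, self.third_node),
                MatchResult(second_node, message_id, self.third_node)]
```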
In the embodiment of the present application, the node identifier is a unique identifier of the analysis node, and different analysis nodes have different node identifiers. For example, the node identification may be an IP address.
In this embodiment of the application, the specific process by which an analysis node processes a service message is not limited. The analysis node analyzes the service message to detect whether a network attack exists, such as SQL (Structured Query Language) injection, an XSS (Cross-Site Scripting) attack, a CSRF (Cross-Site Request Forgery) attack, a worm such as Sasser, or other network attacks.
In addition, if none of the received message identifiers matches the first message identifier, the matching server determines that matching of the first message identifier has failed and proceeds to match other message identifiers.
To sum up, in the technical solution provided in this embodiment of the present application, after finding the first message identifier and the second message identifier that match with each other from the received message identifiers, the matching result information is sent to the target analysis node in the bypass traffic analysis system, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing, so as to ensure that the request message and the response message that belong to the same session can be routed to the same analysis node for processing, thereby solving the technical problem in the related art, and improving the detection capability of the bypass traffic analysis system for the network attack based on the session.
In addition, the service messages belonging to the same session are matched by utilizing the characteristic that the five-tuple information of the service messages belonging to the same session is the same, so that the matching accuracy is ensured.
Referring to fig. 6, a flowchart of a service message processing method according to another embodiment of the present application is shown. The execution subject of the method may be the matching server 40 of the implementation environment shown in fig. 1. The method can comprise the following steps (601-605):
Step 601, receiving message identifiers sent by each analysis node in the bypass traffic analysis system.
Optionally, the matching server receives matching requests sent by the respective analysis nodes. The matching request includes at least one piece of mapping information including a message identification, a data volume, and a node identification. That is, each piece of mapping information includes a message identifier of a service message, a data volume of the service message, and a node identifier of an analysis node where the service message is located.
Step 602, a first message identifier is obtained.
Step 603, if a second message identifier matching the first message identifier exists in the received message identifiers, acquiring a first data volume and a second data volume.
The first data amount refers to a data amount of the first service message, and the second data amount refers to a data amount of the second service message.
The method for matching the second message identifier with the first message identifier by the matching server is introduced in step 403 in the embodiment of fig. 4, and is not described herein again.
Step 604, if the first data size is smaller than the second data size, sending matching result information to a first analysis node in the bypass traffic analysis system.
The first analysis node is the analysis node where the first service message is located. The matching result information sent by the matching server to the first analysis node comprises the first message identifier and the node identifier of the second analysis node. Wherein the second analysis node is an analysis node where the second service message is located.
After receiving the matching result information, the first analysis node acquires the first service message according to the first message identifier and sends the first service message to the second analysis node according to the node identifier of the second analysis node. The second analysis node acquires, according to the message identifier of the first service message (that is, the first message identifier), the second service message corresponding to the second message identifier that matches the first message identifier, and then processes the first service message and the second service message. In this way, the first service message and the second service message belonging to the same session are routed to the same analysis node (the second analysis node) for processing.
Step 605, if the first data size is larger than the second data size, sending matching result information to a second analysis node in the bypass traffic analysis system.
The second analysis node is the analysis node where the second service message is located. The matching result information sent by the matching server to the second analysis node includes the second message identifier and the node identifier of the first analysis node. After receiving the matching result information, the second analysis node acquires the second service message according to the second message identifier and sends the second service message to the first analysis node according to the node identifier of the first analysis node. The first analysis node acquires, according to the message identifier of the second service message (that is, the second message identifier), the first service message corresponding to the first message identifier that matches the second message identifier, and then processes the first service message and the second service message. In this way, the first service message and the second service message belonging to the same session are routed to the same analysis node (the first analysis node) for processing.
In addition, if the first data amount is equal to the second data amount, the matching server may execute step 604 to send the matching result information to the first analysis node in the bypass traffic analysis system, or execute step 605 to send the matching result information to the second analysis node in the bypass traffic analysis system, which is not limited in this embodiment of the present application.
To sum up, in the technical solution provided in the embodiment of the present application, matching result information is selected to be sent to an analysis node where a service message with a smaller data volume is located according to the data volume of the service message, so that when two service messages belonging to the same session are routed to the same analysis node, the service message with the smaller data volume is sent, and the service message with the larger data volume does not need to be sent, thereby saving transmission resources between analysis nodes and also contributing to improvement of transmission efficiency.
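The matching-server procedure of steps 601 to 605, as an added example that is not part of the patent. Each analysis node reports a piece of mapping information (message identifier, data volume, node identifier); when a second report with the same identifier arrives from a different node, the server pairs the two, tells the node holding the smaller message to forward it, and names the other node as the place where both messages will be processed. The class and field names, the in-memory pending table and its expiry are this example's assumptions; the patent describes a timeout only on the analysis-node side, but an unbounded pending table would otherwise grow with every identifier whose partner is never captured.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MappingInfo:
    """One piece of mapping information from a matching request."""
    message_id: bytes   # message identifier (five-tuple or its digest)
    data_volume: int    # size of the service message in bytes
    node_id: str        # node identifier of the analysis node holding it


@dataclass(frozen=True)
class MatchingResult:
    """Matching result information sent to exactly one analysis node."""
    target_node: str    # analysis node that must forward its message
    message_id: bytes   # identifier of the message it must forward
    peer_node: str      # analysis node that will process both messages


class MatchingServer:
    def __init__(self, ttl: float = 0.03) -> None:
        # ttl: how long an unmatched identifier is kept (30 ms assumed; the
        # patent only describes a timeout on the analysis-node side).
        self._ttl = ttl
        self._pending: Dict[bytes, Tuple[MappingInfo, float]] = {}
        self.sent: List[MatchingResult] = []

    def expire(self, now: float) -> int:
        """Drop identifiers whose partner never arrived, bounding memory."""
        stale = [k for k, (_, t) in self._pending.items() if now - t > self._ttl]
        for k in stale:
            del self._pending[k]
        return len(stale)

    def receive(self, info: MappingInfo, now: float) -> Optional[MatchingResult]:
        """Steps 601-605 for one incoming matching request."""
        self.expire(now)
        entry = self._pending.pop(info.message_id, None)
        if entry is None:
            # Step 603, no match yet: remember it and wait for the partner.
            self._pending[info.message_id] = (info, now)
            return None
        first, _ = entry
        if first.node_id == info.node_id:
            # Both halves already sit on one node: nothing to route.
            return None
        # Steps 604/605: the smaller message is the one that travels. On a
        # tie the text leaves the choice open; this example moves the later
        # arrival.
        if first.data_volume < info.data_volume:
            mover, keeper = first, info
        else:
            mover, keeper = info, first
        result = MatchingResult(mover.node_id, mover.message_id, keeper.node_id)
        self.sent.append(result)
        return result

    def pending_count(self) -> int:
        return len(self._pending)


def demo() -> MatchingServer:
    """Constructed scenario: a 120-byte request on node 10.1.0.1 and an
    8 KiB response on node 10.1.0.2 share identifier b'sess-1'; b'sess-2'
    never finds a partner."""
    server = MatchingServer()
    server.receive(MappingInfo(b"sess-1", 120, "10.1.0.1"), now=0.000)
    server.receive(MappingInfo(b"sess-2", 300, "10.1.0.2"), now=0.001)
    server.receive(MappingInfo(b"sess-1", 8192, "10.1.0.2"), now=0.002)
    return server


if __name__ == "__main__":
    s = demo()
    for r in s.sent:
        print(f"tell {r.target_node} to send {r.message_id!r} to {r.peer_node}")
    print("unmatched after 1 s:", s.expire(now=1.0))
```

In the constructed scenario the 120-byte request is the one that moves: node 10.1.0.1 is told to send it to 10.1.0.2, where the 8 KiB response already sits, which is exactly the transmission saving the summary above describes.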
Referring to fig. 7, a flowchart of a service message processing method according to an embodiment of the present application is shown. The execution subject of the method may be an analysis node in the implementation environment shown in fig. 1. The method can comprise the following steps (701-703):
Step 701, a first service message is obtained.
The first service message may be a request message or a response message.
Step 702 generates a first message identification.
The first message identification is a message identification of the first service message and is used for uniquely identifying the first service message. Optionally, the analysis node generates a corresponding first message identifier according to the first service message.
In one possible implementation, the first message identifier is the five-tuple information of the first service message. Optionally, the first service message carries the five-tuple information, and the analysis node reads it from the first service message to obtain the first message identifier. In another possible implementation, in order to improve the efficiency with which the matching server matches message identifiers and to save the transmission resources the analysis node needs to send a message identifier to the matching server, the first message identifier is a digest of the five-tuple information of the first service message. Optionally, the digest is generated from the five-tuple information with a message digest algorithm, for example a hash algorithm such as MD5. Using the digest of the five-tuple information as the message identifier compresses the identifier: the five-tuple information may occupy 28 bytes, whereas its digest needs only 8 bytes. The trade-off is that matching is then performed on the digest rather than on the five-tuple itself, so two unrelated service messages whose five-tuples happen to produce the same 8-byte digest would be paired; at 64 bits such a collision is improbable for the number of identifiers pending at any moment, and the raw five-tuple implementation avoids it entirely.
It should be noted that, when the first service message is a request message, the five-tuple information includes the source IP address, source port number, destination IP address, destination port number and acknowledgment number (Ack number) of the request; when the first service message is a response message, the five-tuple information includes the destination IP address, destination port number, source IP address, source port number and sequence number (Seq number) of the response. The address and port fields are taken in reverse order for the response, so the destination address and port of the response occupy the positions of the source address and port of the request, and the sequence number of the TCP segment carrying the response equals the acknowledgment number carried by the request (the server's next sequence number is exactly the byte the client has already acknowledged). The five-tuple information of a request and of its response is therefore identical, which is what allows the matching server to pair them by comparing the identifiers.
Step 703, sending the first message identifier to the matching server.
And the matching server is used for sending matching result information to a target analysis node in the bypass flow analysis system under the condition of acquiring a second message identifier matched with the first message identifier, wherein the matching result information is used for routing the first service message and the second service message to the same analysis node in the bypass flow analysis system for processing. And the second message identifier is a message identifier corresponding to the second service message.
In a possible embodiment, the number of matching servers is 1, and the analysis node sends the first message identifier to the matching server.
In another possible implementation, the number of matching servers is m, where m is a positive integer greater than 1. Optionally, the analysis node selects a target matching server to which the first message identifier is sent from the m matching servers according to the digest of the five-tuple information of the first service message, and then sends the first message identifier to the target matching server. It should be noted that, for two service messages belonging to the same session, the corresponding two quintuple information are the same, that is, the digests of the corresponding two quintuple information are also the same, so that the two service messages belonging to the same session are effectively guaranteed to be sent to the same matching server by the above method.
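The identifier construction of step 702 and the matching-server selection of the preceding paragraph, as an added example that is not part of the patent. It builds the five-tuple in the two field orders the text gives, shows that a request and the first segment of its response serialise to identical bytes, compresses the result to an 8-byte digest and picks one of m matching servers from that digest. IPv4 addresses, BLAKE2b as the digest algorithm (the text says only "a hash algorithm or MD5"), selection by digest modulo m, and the sample packet values are this example's assumptions.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceMessage:
    """A captured TCP segment as an analysis node sees it (this example's own
    field names; sample values are constructed below)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # TCP sequence number of this segment
    ack: int          # TCP acknowledgment number of this segment
    is_request: bool  # True for a request message, False for a response
    payload: bytes


def five_tuple(msg: ServiceMessage) -> bytes:
    """Serialise the five-tuple the text defines.

    Request:  (src_ip, src_port, dst_ip, dst_port, ack)
    Response: (dst_ip, dst_port, src_ip, src_port, seq)

    The address/port order is reversed for the response and the response's
    sequence number equals the request's acknowledgment number, so both
    messages of one session serialise to the same bytes.
    """
    if msg.is_request:
        ip_a, port_a, ip_b, port_b, num = (
            msg.src_ip, msg.src_port, msg.dst_ip, msg.dst_port, msg.ack)
    else:
        ip_a, port_a, ip_b, port_b, num = (
            msg.dst_ip, msg.dst_port, msg.src_ip, msg.src_port, msg.seq)
    # IPv4 encoding assumed: 4 + 2 + 4 + 2 + 4 = 16 bytes (the text's
    # 28-byte figure depends on an encoding it does not spell out).
    return (socket.inet_aton(ip_a) + struct.pack("!H", port_a)
            + socket.inet_aton(ip_b) + struct.pack("!H", port_b)
            + struct.pack("!I", num & 0xFFFFFFFF))


def message_identifier(msg: ServiceMessage, digest: bool = True) -> bytes:
    """Return the message identifier: the raw five-tuple, or its 8-byte digest.

    BLAKE2b is assumed here because it natively emits 8 bytes; the text only
    says "a hash algorithm or MD5". Any 64-bit digest can in principle
    collide for unrelated five-tuples, which the raw form cannot.
    """
    tup = five_tuple(msg)
    if not digest:
        return tup
    return hashlib.blake2b(tup, digest_size=8).digest()


def select_matching_server(identifier: bytes, m: int) -> int:
    """Choose one of m matching servers (index 0..m-1) from the identifier.

    Modulo selection is this example's assumption. Because request and
    response yield the same identifier, both are reported to the same server.
    """
    if m < 1:
        raise ValueError("need at least one matching server")
    return int.from_bytes(identifier[:8], "big") % m


# Constructed sample: a client request and the first segment of the reply.
# The reply's seq (5000) is the request's ack; addresses and ports swap.
REQUEST = ServiceMessage("10.0.0.5", 51234, "10.0.0.80", 80,
                         seq=1000, ack=5000, is_request=True,
                         payload=b"GET /login?user=admin HTTP/1.1\r\n\r\n")
RESPONSE = ServiceMessage("10.0.0.80", 80, "10.0.0.5", 51234,
                          seq=5000, ack=1034, is_request=False,
                          payload=b"HTTP/1.1 200 OK\r\n\r\n")

if __name__ == "__main__":
    assert message_identifier(REQUEST) == message_identifier(RESPONSE)
    print("identifier:", message_identifier(REQUEST).hex(),
          "server:", select_matching_server(message_identifier(REQUEST), 4))
```

Only the first TCP segment of a response carries a sequence number equal to the request's acknowledgment number; later segments of a long response would not match under this definition, a case the text does not address.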
Optionally, the first analysis node may further send a matching request to the matching server, where the matching request includes the first message identifier, the first data volume and the node identifier of the first analysis node. In this way, after the matching server finds the second message identifier matching the first message identifier, it can compare the data volume of the first service message with that of the second service message and select, based on the data volumes, the analysis node to which the matching result information is sent.
The steps executed by the matching server after receiving the matching request are introduced in the embodiments of fig. 4 and fig. 6, and are not described herein again.
To sum up, in the technical solution provided in this embodiment of the present application, an analysis node generates the message identifier of a service message and sends the message identifier to the matching server; after finding a first message identifier and a second message identifier that match among the received message identifiers, the matching server sends matching result information to a target analysis node in the bypass traffic analysis system, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing. This ensures that a request message and a response message belonging to the same session are routed to the same analysis node for processing, solves the technical problem in the related art, and improves the detection capability of the bypass traffic analysis system for session-based network attacks.
In addition, the digest of the quintuple information is selected as the message identifier, so that the data volume of the message identifier is effectively compressed, the matching efficiency of the matching server to the message identifier is improved, and the transmission resource required by the analysis node for sending the message identifier to the matching server is saved.
In addition, when there are multiple matching servers, the message identifier of each service message is sent to the matching server selected according to the digest of the five-tuple information, so that the message identifiers of the two service messages of one session arrive at the same matching server and the probability of successful matching is improved.
Referring to fig. 8, a flowchart of a service message processing method according to another embodiment of the present application is shown. The execution subject of the method may be an analysis node in the implementation environment shown in fig. 1. The method may comprise the following steps (801-806):
Step 801, a first service message is acquired.
Step 802, a first message identification is generated.
Step 803, the first message identification is sent to the matching server.
The steps 801 to 803 are the same as the steps 701 to 703 in the embodiment of fig. 7, and are specifically referred to the embodiment of fig. 7, which is not described herein again.
Step 804, receiving the matching result information sent by the matching server.
The matching result information includes a first message identifier and a node identifier of a second analysis node, where the second analysis node is an analysis node where the second service message is located. The second service message and the first service message belong to the same session, that is, if the first service message is a request message, the second service message is a response message; if the first service message is a response message, the second service message is a request message.
Matching may also fail; in that case the matching server sends no matching result information to the analysis node.
Optionally, after step 803, the method further includes the following steps:
1. and if the second service message which belongs to the same session with the first service message is not matched within the preset time length, determining that the first service message fails to be matched.
Optionally, the preset duration is set by the analysis node according to actual conditions, and may be, for example, 10 ms, 20 ms or 30 ms, which is not limited in this embodiment of the application. It should be noted that, when the analysis node where the first service message is located receives neither the matching result information from the matching server nor the second service message from the second analysis node within the preset duration, the analysis node determines that matching of the first service message has failed. In addition, the timer for the preset duration may be started when the analysis node sends the first message identifier.
2. And counting the number of the service messages failing to be matched.
The analysis node may count the number of service messages that fail to match so that a technician can analyze the figure. For example, if the proportion of service messages failing to match exceeds a threshold, the service logic may have a problem, or one direction of the traffic may not be reaching the bypass traffic analysis system at all, and a technician needs to troubleshoot.
Step 805, the first service message is sent to the second analysis node.
Optionally, after receiving the matching result information, the first analysis node obtains the first service message according to the first message identifier and sends the first service message to the second analysis node according to the node identifier of the second analysis node. The second analysis node then obtains, according to the first message identifier of the first service message, the second service message corresponding to the second message identifier that matches the first message identifier, and performs security analysis on the first service message and the second service message together. In this way, the first service message and the second service message belonging to the same session are routed to the same analysis node (the second analysis node) for processing.
In this embodiment of the present application, the specific process by which an analysis node processes a service message is not limited. The analysis node analyzes the service message to detect whether a network attack exists, such as a DoS attack, SQL injection, an XSS (Cross-Site Scripting) attack, a CSRF (Cross-Site Request Forgery) attack, a worm such as Sasser, or other network attacks.
To sum up, in the technical scheme provided in the embodiment of the present application, two service messages belonging to the same session are sent to the same analysis node through the matching result information of the matching server, so that the difficulty of performing security analysis by the analysis node is reduced, and the detection capability of the bypass traffic analysis system is improved.
In addition, with reference to fig. 9, taking attack detection and analysis performed on the HTTP session by the bypass traffic analysis system as an example, a technical solution of the present application is introduced and described:
step 91, the first analysis node sends quintuple information of the HTTP request message to the matching server;
step 92, the second analysis node sends the quintuple information of the HTTP response message to the matching server;
step 93, the matching server matches the quintuple information of the HTTP request message and the HTTP response message; if the quintuple information of the HTTP request message and the HTTP response message is the same, matching is successful, and the HTTP request message and the HTTP response message belong to the same session;
step 94, after the matching is successful, the matching server sends matching result information to the first analysis node, wherein the matching result information comprises quintuple information of the HTTP request message and a node identifier (such as an IP address) of the second analysis node;
step 95, the first analysis node sends the HTTP request message to a second analysis node according to the matching result information;
step 96, the second analysis node processes the HTTP request message and the HTTP response message.
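The analysis-node side of steps 801 to 806 together with the HTTP walk-through of steps 91 to 96, as an added example that is not part of the patent. One node captures the request and another the response; a matching result (delivered here by a direct call rather than by a real matching server) makes the first node forward the request, the second node analyses the pair, and an identifier that receives no result within the preset duration is counted as a failed match. The pair check at the end is only an illustration of why both halves are needed, since the patent leaves the detection logic open. Class and function names, the 20 ms timeout and the sample HTTP payloads are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ServiceMessage:
    message_id: bytes   # identifier shared by a request and its response
    is_request: bool
    payload: bytes


class AnalysisNode:
    def __init__(self, node_id: str, timeout: float = 0.02) -> None:
        self.node_id = node_id
        self.timeout = timeout            # preset duration (20 ms assumed)
        self._held: Dict[bytes, ServiceMessage] = {}
        self._sent_at: Dict[bytes, float] = {}
        self.failed_matches = 0           # counter kept for technicians
        self.findings: List[str] = []

    # Steps 801-803 (91/92): hold the message, report its identifier.
    def capture(self, msg: ServiceMessage, now: float) -> Tuple[bytes, int, str]:
        self._held[msg.message_id] = msg
        self._sent_at[msg.message_id] = now      # timer starts on send
        return (msg.message_id, len(msg.payload), self.node_id)

    # Steps 804-805 (94/95): the result names the peer; forward to it.
    def on_matching_result(self, message_id: bytes, peer: "AnalysisNode") -> bool:
        msg = self._held.pop(message_id, None)
        self._sent_at.pop(message_id, None)
        if msg is None:
            return False                         # already expired
        peer.receive_forwarded(msg)
        return True

    # Receiving side (step 96): both halves now sit on this node.
    def receive_forwarded(self, msg: ServiceMessage) -> bool:
        own = self._held.pop(msg.message_id, None)
        self._sent_at.pop(msg.message_id, None)
        if own is None:
            return False                         # own half already expired
        self._analyse_pair(own, msg)
        return True

    # Timeout handling described after step 804.
    def tick(self, now: float) -> int:
        expired = [k for k, t in self._sent_at.items() if now - t > self.timeout]
        for k in expired:
            del self._sent_at[k]
            self._held.pop(k, None)
            self.failed_matches += 1
        return len(expired)

    # Illustrative pair check; the patent leaves the detection logic open.
    # The response confirms what the request alone only suggests.
    def _analyse_pair(self, a: ServiceMessage, b: ServiceMessage) -> None:
        request, response = (a, b) if a.is_request else (b, a)
        req, resp = request.payload.lower(), response.payload.lower()
        injected = b"' or " in req or b"union select" in req
        leaked = b"sql syntax" in resp or b"sqlite3" in resp
        if injected and leaked:
            self.findings.append("sqli:confirmed")
        elif injected:
            self.findings.append("sqli:attempt")


def demo() -> Tuple[AnalysisNode, AnalysisNode]:
    """Constructed HTTP session split across two nodes (steps 91-96), plus
    a request whose response is never captured."""
    node_a, node_b = AnalysisNode("10.1.0.1"), AnalysisNode("10.1.0.2")
    request = ServiceMessage(
        b"sess-1", True,
        b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n")
    response = ServiceMessage(
        b"sess-1", False,
        b"HTTP/1.1 500 Internal Server Error\r\n\r\n"
        b"You have an error in your SQL syntax near ''1'='1'")
    orphan = ServiceMessage(b"sess-2", True, b"GET / HTTP/1.1\r\n\r\n")

    node_a.capture(request, now=0.000)    # step 91
    node_a.capture(orphan, now=0.000)
    node_b.capture(response, now=0.001)   # step 92
    # Steps 93/94: the matching server pairs sess-1 and tells node A to
    # forward (the request is the smaller message); steps 95/96 follow.
    node_a.on_matching_result(b"sess-1", peer=node_b)
    # 30 ms later sess-2 on node A still has no partner: a failed match.
    node_a.tick(now=0.030)
    node_b.tick(now=0.030)
    return node_a, node_b


if __name__ == "__main__":
    a, b = demo()
    print("node B findings:", b.findings, "| node A failed matches:", a.failed_matches)
```

The request alone yields only "sqli:attempt"; the SQL error text in the response is what upgrades it to "sqli:confirmed", a conclusion a node holding one half of the session could never reach.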
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Referring to fig. 10, a block diagram of a service message processing apparatus according to an embodiment of the present application is shown. The device has the function of realizing the service message processing method of the matching server side. The functions can be realized by hardware, and can also be realized by hardware executing corresponding software. The device can be a matching server or be arranged in the matching server. The apparatus 1000 may include: an identity receiving module 1010, an identity obtaining module 1020, and a result sending module 1030.
The identifier receiving module 1010 is configured to receive a message identifier sent by each analysis node in a bypass traffic analysis system, where the bypass traffic analysis system includes n analysis nodes, and n is an integer greater than 1.
An identifier obtaining module 1020, configured to obtain a first message identifier, where the first message identifier is any one of the received message identifiers.
A result sending module 1030, configured to send matching result information to a target analysis node in the bypass traffic analysis system if a second message identifier matching the first message identifier exists in the received message identifiers, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing; wherein the message identifier of the first service message is the first message identifier, and the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message which belong to the same session.
In an exemplary embodiment, the result sending module 1030 is configured to send the matching result information to a first analysis node in the bypass traffic analysis system, where the matching result information includes the first message identifier and a node identifier of a second analysis node; or sending the matching result information to a second analysis node in the bypass traffic analysis system, wherein the matching result information comprises the second message identifier and the node identifier of the first analysis node; or sending first matching result information to a first analysis node in the bypass traffic analysis system, and sending second matching result information to a second analysis node in the bypass traffic analysis system, where the first matching result information includes the first message identifier and a node identifier of a third analysis node, and the second matching result information includes the second message identifier and a node identifier of the third analysis node; the first analysis node is an analysis node where the first service message is located, the second analysis node is an analysis node where the second service message is located, and the third analysis node is another analysis node different from the first analysis node and the second analysis node in the bypass traffic analysis system.
In an exemplary embodiment, the result sending module 1030 is further configured to obtain a first data volume and a second data volume, where the first data volume refers to a data volume of the first service message, and the second data volume refers to a data volume of the second service message; if the first data volume is smaller than the second data volume, sending the matching result information to a first analysis node in the bypass traffic analysis system, wherein the matching result information comprises the first message identifier and a node identifier of a second analysis node; if the first data volume is larger than the second data volume, sending the matching result information to a second analysis node in the bypass traffic analysis system, wherein the matching result information comprises the second message identifier and the node identifier of the first analysis node; the first analysis node is an analysis node where the first service message is located, and the second analysis node is an analysis node where the second service message is located.
In an exemplary embodiment, the message identification includes five tuple information of the service message; the quintuple information of the request message comprises a source IP address, a source port number, a destination IP address, a destination port number and a response number; the five-tuple information of the response message includes a destination IP address, a destination port number, a source IP address, a source port number, and a sequence number.
In an exemplary embodiment, the message identification includes a digest of five tuple information of the service message; the quintuple information of the request message comprises a source IP address, a source port number, a destination IP address, a destination port number and a response number; the five-tuple information of the response message includes a destination IP address, a destination port number, a source IP address, a source port number, and a sequence number.
To sum up, in the technical solution provided in this embodiment of the present application, after finding the first message identifier and the second message identifier that match with each other from the received message identifiers, the matching result information is sent to the target analysis node in the bypass traffic analysis system, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing, so as to ensure that the request message and the response message that belong to the same session can be routed to the same analysis node for processing, thereby solving the technical problem in the related art, and improving the detection capability of the bypass traffic analysis system for the network attack based on the session.
Referring to fig. 11, a block diagram of a service message processing apparatus according to another embodiment of the present application is shown. The device has the function of realizing the service message processing method at the analysis node side. The functions can be realized by hardware, or by hardware executing corresponding software. The apparatus 1100 may include: a message acquisition module 1110, an identity generation module 1120, and an identity transmission module 1130.
The message obtaining module 1110 is configured to obtain the first service message.
An identifier generating module 1120, configured to generate a first message identifier, where the first message identifier is a message identifier of the first service message.
An identifier sending module 1130, configured to send the first message identifier to a matching server, where the matching server is configured to send matching result information to a target analysis node in a bypass traffic analysis system when a second message identifier matching the first message identifier is obtained, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing; wherein the message identifier of the second service message is the second message identifier; the two service messages corresponding to the two matched message identifications are the request message and the response message belonging to the same session.
In an exemplary embodiment, the identifier generating module 1120 is configured to obtain five-tuple information of the first service message, so as to obtain the first message identifier; or, acquiring quintuple information of the first service message; generating an abstract of the quintuple information to obtain the first message identifier; when the first service message is the request message, the quintuple information comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, a destination port number and a response number; and when the first service message is the response message, the five-tuple information comprises a destination IP address, a destination port number, a source IP address, a source port number and a sequence number.
In an exemplary embodiment, the identifier sending module 1130 is configured to send a matching request to the matching server, where the matching request includes the first message identifier, the first data size, and a node identifier of the first analysis node; wherein the first data volume is a data volume of the first service message, and the first analysis node is an analysis node where the first service message is located.
In an exemplary embodiment, as shown in fig. 12, the apparatus 1100 further comprises: a result receiving module 1140 and a message sending module 1150.
A result receiving module 1140, configured to receive the matching result information sent by the matching server, where the matching result information includes the first message identifier and a node identifier of a second analysis node, and the second analysis node is an analysis node where the second service message is located.
A message sending module 1150, configured to send the first service message to the second analysis node.
In an exemplary embodiment, the number of matching servers is m, and m is an integer greater than 1; as shown in fig. 12, the apparatus 1100 further comprises: a target selection module 1160.
A target selection module 1160, configured to select a target matching server to which the first message identifier is sent from the m matching servers according to the digest of the five-tuple information of the first service message; when the first service message is the request message, the five-tuple information comprises a source IP address, a source port number, a destination IP address, a destination port number and a response number; and when the first service message is the response message, the five-tuple information comprises a destination IP address, a destination port number, a source IP address, a source port number and a sequence number.
In an exemplary embodiment, as shown in fig. 12, the apparatus 1100 further comprises: a failure determination module 1170, and a quantity statistics module 1180.
A failure determining module 1170, configured to determine that the first service message fails to match if the second service message that belongs to the same session as the first service message is not matched within a preset time length.
And a quantity counting module 1180, configured to count the quantity of the service messages that fail to be matched.
To sum up, in the technical solution provided in this embodiment of the present application, an analysis node generates the message identifier of a service message and sends the message identifier to the matching server; after finding a first message identifier and a second message identifier that match among the received message identifiers, the matching server sends matching result information to a target analysis node in the bypass traffic analysis system, where the matching result information is used to route the first service message and the second service message to the same analysis node in the bypass traffic analysis system for processing. This ensures that a request message and a response message belonging to the same session are routed to the same analysis node for processing, solves the technical problem in the related art, and improves the detection capability of the bypass traffic analysis system for session-based network attacks.
Referring to fig. 13, a block diagram of a computer device according to an embodiment of the present application is shown. The computer device may be configured to implement the service message processing method provided in the above embodiments, and may be the matching server described above or an analysis node. Specifically:
the computer device 1300 includes a Processing Unit (e.g., a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), an FPGA (Field Programmable Gate Array), etc.) 1301, a system Memory 1304 including a RAM (Random Access Memory) 1302 and a ROM (Read Only Memory) 1303, and a system bus 1305 connecting the system Memory 1304 and the Central Processing Unit 1301. The computer device 1300 also includes a basic I/O system (Input/Output) 1306 to facilitate information transfer between devices within the computer device, and a mass storage device 1307 for storing an operating system 1313, application programs 1314 and other program modules 1312.
The basic input/output system 1306 includes a display 1308 for displaying information and an input device 1309, such as a mouse or keyboard, through which a user inputs information. The display 1308 and the input device 1309 are connected to the processing unit 1301 through an input/output controller 1310 connected to the system bus 1305. The basic input/output system 1306 may also include an input/output controller 1310 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input/output controller 1310 also provides output to a display screen, a printer, or another type of output device.
The mass storage device 1307 is connected to the processing unit 1301 through a mass storage controller (not shown) connected to the system bus 1305. The mass storage device 1307 and its associated computer-readable media provide non-volatile storage for the computer device 1300. That is, the mass storage device 1307 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM (Compact Disc Read-Only Memory) drive.
Without loss of generality, the computer-readable media may comprise computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM (Erasable Programmable Read Only Memory), EEPROM (Electrically Erasable Programmable Read Only Memory), flash memory or other solid-state memory technology, CD-ROM, DVD (Digital Video Disc) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media are not limited to the foregoing. The system memory 1104 and the mass storage device 1307 described above may collectively be referred to as memory.
According to embodiments of the present application, the computer device 1300 may also be connected, through a network such as the Internet, to a remote computer on that network. That is, the computer device 1300 may be connected to the network 1312 through the network interface unit 1311, which is connected to the system bus 1305, or may be connected to other types of networks or remote computer systems (not shown) using the network interface unit 1311.
The memory also stores at least one instruction, at least one program, a code set, or a set of instructions configured to be executed by one or more processors to implement the service message processing method described above.
In an embodiment of the present application, a computer-readable storage medium is further provided, where at least one instruction, at least one program, a code set, or a set of instructions is stored in the storage medium, and when executed by a processor, the at least one instruction, the at least one program, the code set, or the set of instructions implements the service message processing method.
Optionally, the computer-readable storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), Solid State Drive (SSD), or optical disc. The Random Access Memory may include a Resistive Random Access Memory (ReRAM) and a Dynamic Random Access Memory (DRAM).
In an exemplary embodiment, a computer program product is also provided, which, when executed by a processor, is configured to implement the above-mentioned service message processing method.
It should be understood that reference herein to "a plurality" means two or more. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. In addition, the step numbers described herein only show an exemplary possible execution sequence among the steps; in some other embodiments, the steps may also be executed out of the numbered sequence, for example, two steps with different numbers are executed simultaneously, or two steps with different numbers are executed in the reverse of the illustrated order, which is not limited in this application.
The above description is only exemplary of the application and should not be taken as limiting the application, and any modifications, equivalents, improvements and the like that are made within the spirit and principle of the application should be included in the protection scope of the application.

Claims (11)

1. A service message processing method, characterized in that the method is applied to a system comprising a bypass traffic analysis system and a matching server, wherein the bypass traffic analysis system comprises n analysis nodes, and n is an integer greater than 1; the method comprises the following steps:
the matching server receives message identifiers sent by the analysis nodes;
the matching server determines that the message identifier of the second service message matched with the message identifier of the first service message exists in the received message identifiers; the message identifier of the first service message is any one of the received message identifiers, and the first service message and the second service message are a request message and a response message belonging to the same session;
the matching server acquires the data volume of the first service message and the data volume of the second service message;
if the data volume of the first service message is smaller than that of the second service message, the matching server sends matching result information to a first analysis node, wherein the matching result information comprises a message identifier of the first service message and a node identifier of a second analysis node, and the matching result information is used for routing the first service message and the second service message to the second analysis node for processing so as to detect whether a network attack exists or not; the first analysis node acquires the first service message according to the message identifier included in the matching result information, and sends the first service message to the second analysis node according to the node identifier included in the matching result information;
if the data volume of the first service message is greater than that of the second service message, the matching server sends matching result information to a second analysis node, wherein the matching result information comprises a message identifier of the second service message and a node identifier of the first analysis node, and the matching result information is used for routing the first service message and the second service message to the first analysis node for processing so as to detect whether a network attack exists; the second analysis node acquires the second service message according to the message identifier included in the matching result information, and sends the second service message to the first analysis node according to the node identifier included in the matching result information;
the first analysis node is an analysis node where the first service message is located, and the second analysis node is an analysis node where the second service message is located.
2. The method of claim 1, wherein the message identifier of the first service message comprises five-tuple information of the first service message; the message identifier of the second service message comprises five-tuple information of the second service message;
the five-tuple information of the first service message comprises a source Internet Protocol (IP) address, a source port number, a destination IP address, a destination port number and an acknowledgment number; the five-tuple information of the second service message comprises a destination IP address, a destination port number, a source IP address, a source port number and a sequence number.
3. The method of claim 1, wherein the message identifier of the first service message comprises a digest of five-tuple information of the first service message; the message identifier of the second service message comprises a digest of five-tuple information of the second service message;
the five-tuple information of the first service message comprises a source IP address, a source port number, a destination IP address, a destination port number and an acknowledgment number; the five-tuple information of the second service message comprises a destination IP address, a destination port number, a source IP address, a source port number and a sequence number.
4. The method according to claim 1, wherein before the matching server receives the message identifier sent by each of the analysis nodes, the method further comprises:
the first analysis node acquires the first service message;
the first analysis node generates a message identifier of the first service message;
and the first analysis node sends the message identifier of the first service message to the matching server.
5. The method of claim 4, wherein the first analysis node generating the message identifier of the first service message comprises:
the first analysis node acquires five-tuple information of the first service message;
and the first analysis node generates a digest of the five-tuple information to obtain the message identifier of the first service message.
6. The method of claim 4, wherein sending, by the first analysis node, the message identifier of the first service message to the matching server comprises:
and the first analysis node sends a matching request to the matching server, wherein the matching request comprises the message identifier of the first service message, the data volume of the first service message and the node identifier of the first analysis node.
7. The method of claim 4, wherein the number of matching servers is m, and the m is an integer greater than 1;
before the first analysis node sends the message identifier of the first service message to the matching server, the method further includes:
and the first analysis node selects, from the m matching servers and according to the digest of the five-tuple information of the first service message, a target matching server to which the message identifier of the first service message is sent.
8. The method of claim 4, wherein after the first analysis node sends the message identifier of the first service message to the matching server, the method further comprises:
the first analysis node determines that no second service message belonging to the same session as the first service message has been matched within a preset time length;
the first analysis node determines that the first service message fails to be matched;
and the first analysis node counts the number of the service messages which fail to be matched.
9. A service message processing apparatus, characterized in that the apparatus comprises:
an identifier receiving module, configured to receive message identifiers sent by the analysis nodes in a bypass traffic analysis system, where the bypass traffic analysis system comprises n analysis nodes, and n is an integer greater than 1;
an identifier obtaining module, configured to obtain, from each received message identifier, a message identifier of a first service message, where the message identifier of the first service message is any one of the received message identifiers;
a result sending module, configured to obtain a data volume of the first service message and a data volume of the second service message when a message identifier of the second service message that matches the message identifier of the first service message exists in the received message identifiers; the first service message and the second service message are a request message and a response message belonging to the same session;
the result sending module is further configured to send matching result information to a first analysis node when the data volume of the first service message is smaller than the data volume of the second service message, where the matching result information includes a message identifier of the first service message and a node identifier of a second analysis node, and the matching result information is used to route the first service message and the second service message to the second analysis node for processing, so as to detect whether a network attack exists;
the result sending module is further configured to send matching result information to a second analysis node when the data volume of the first service message is greater than the data volume of the second service message, where the matching result information includes a message identifier of the second service message and a node identifier of a first analysis node, and the matching result information is used to route the first service message and the second service message to the first analysis node for processing, so as to detect whether a network attack exists;
the first analysis node is an analysis node where the first service message is located, and the second analysis node is an analysis node where the second service message is located.
10. A computer device comprising a processor and a memory, the memory having stored therein at least one program which is loaded and executed by the processor to implement the method of any of claims 1 to 8.
11. A computer-readable storage medium, in which at least one program is stored, which is loaded and executed by a processor to perform the method according to any one of claims 1 to 8.
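The request/response pairing of claims 1 to 3, 6 and 7, as an added Python example that is not the patent's own code: an analysis node derives the identifier as a digest of the five-tuple, the matching server pairs identical identifiers and tells the node holding the smaller message to forward it to the node holding the larger one. The digest function (SHA-256), the field and class names, the modulo choice of matching server and the tie-break for equal data volumes are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration of the claims; names and the digest function are assumptions.


def five_tuple_digest(ip_a: str, port_a: int, ip_b: str, port_b: int, number: int) -> str:
    """Claim 3: the message identifier is a digest of the five-tuple (SHA-256 assumed)."""
    return hashlib.sha256(f"{ip_a}:{port_a}:{ip_b}:{port_b}:{number}".encode()).hexdigest()


def request_message_id(src_ip: str, src_port: int, dst_ip: str, dst_port: int, ack_number: int) -> str:
    """First service message (request): src IP, src port, dst IP, dst port, acknowledgment number."""
    return five_tuple_digest(src_ip, src_port, dst_ip, dst_port, ack_number)


def response_message_id(src_ip: str, src_port: int, dst_ip: str, dst_port: int, seq_number: int) -> str:
    """Second service message (response): dst IP, dst port, src IP, src port, sequence number.
    The swapped order, plus the response sequence number equalling the request
    acknowledgment number, makes both sides compute the same identifier."""
    return five_tuple_digest(dst_ip, dst_port, src_ip, src_port, seq_number)


def select_matching_server(message_id: str, m: int) -> int:
    """Claim 7: pick one of m matching servers from the digest (modulo is an assumption)."""
    return int(message_id, 16) % m


@dataclass(frozen=True)
class MatchRequest:
    """Claim 6: identifier, data volume and node identifier sent by an analysis node."""
    message_id: str
    data_volume: int
    node_id: str


@dataclass(frozen=True)
class MatchResult:
    """Matching result information: target_node must forward message_id to forward_to."""
    target_node: str
    message_id: str
    forward_to: str


class MatchingServer:
    def __init__(self) -> None:
        # identifiers waiting for their counterpart
        self.pending: Dict[str, MatchRequest] = {}

    def receive(self, req: MatchRequest) -> Optional[MatchResult]:
        """Claim 1: on a match, route the smaller message to the node holding the larger one."""
        other = self.pending.pop(req.message_id, None)
        if other is None:
            self.pending[req.message_id] = req
            return None
        # Equal volumes are not covered by the claims; here the earlier arrival is forwarded.
        small, large = (req, other) if req.data_volume < other.data_volume else (other, req)
        return MatchResult(target_node=small.node_id, message_id=small.message_id,
                           forward_to=large.node_id)


if __name__ == "__main__":
    # Constructed sample: a 300-byte request seen on node-A, a 4096-byte response on node-B.
    rid = request_message_id("10.0.0.1", 40000, "10.0.0.2", 80, 1001)
    sid = response_message_id("10.0.0.2", 80, "10.0.0.1", 40000, 1001)
    server = MatchingServer()
    server.receive(MatchRequest(rid, 300, "node-A"))
    print(server.receive(MatchRequest(sid, 4096, "node-B")))
```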
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911048091.5A CN110798402B (en) 2019-10-30 2019-10-30 Service message processing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110798402A CN110798402A (en) 2020-02-14
CN110798402B true CN110798402B (en) 2023-04-07

Family

ID=69442231

Country Status (1)

Country Link
CN (1) CN110798402B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113595927A (en) * 2021-07-30 2021-11-02 北京天空卫士网络安全技术有限公司 Method and device for processing mirror flow in bypass mode
CN113905080A (en) * 2021-09-27 2022-01-07 深信服科技股份有限公司 Management method, device, system and storage medium
CN114553583B (en) * 2022-03-01 2024-01-30 恒安嘉新(北京)科技股份公司 Network security analysis system, method, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945407A (en) * 2010-10-22 2011-01-12 东南大学 Load balancing method for content monitoring of mobile service
JP2011034511A (en) * 2009-08-05 2011-02-17 Nec Corp Message transmitting and receiving system, message transmitting and receiving method, message relay server, and message transmission and reception program
CN106330785A (en) * 2015-06-17 2017-01-11 深圳市腾讯计算机系统有限公司 Method and device for selecting service node
CN108206788A (en) * 2016-12-16 2018-06-26 中国移动通信有限公司研究院 The business recognition method and relevant device of a kind of flow
CN108683598A (en) * 2018-04-20 2018-10-19 武汉绿色网络信息服务有限责任公司 A kind of asymmetrical network flow processing method and processing unit

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201006175A (en) * 2008-07-31 2010-02-01 Ibm Method, apparatus, and computer program product for testing a network system
CN101494555B (en) * 2008-12-15 2014-03-26 国网浙江省电力公司丽水供电公司 Screen method and equipment for processing on-line database behaviors of giga-above network
CN101572701B (en) * 2009-02-10 2013-11-20 中科信息安全共性技术国家工程研究中心有限公司 Security gateway system for resisting DDoS attack for DNS service
KR101502490B1 (en) * 2013-10-18 2015-03-13 주식회사 케이티 Subscibe terminal and security farm node for monitoring network traffic
CN104052679B (en) * 2014-06-03 2016-05-11 腾讯科技(深圳)有限公司 The load-balancing method of network traffics and device
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40020200; Country of ref document: HK)
SE01 Entry into force of request for substantive examination
GR01 Patent grant