CN111431930A - Flow cleaning method and related equipment - Google Patents


Publication number
CN111431930A
Authority
CN
China
Prior art keywords
information
flow
server
specific message
type
Prior art date
Legal status
Pending
Application number
CN202010281260.6A
Other languages
Chinese (zh)
Inventor
黄准
饶俊涛
王方宁
Current Assignee
Accelink Technologies Co Ltd
Original Assignee
Accelink Technologies Co Ltd
Application filed by Accelink Technologies Co Ltd
Priority to CN202010281260.6A
Publication of CN111431930A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a flow cleaning method and related equipment. The method comprises the following steps: a shunting device receives first flow output by a first network side device; sends the received first flow to a server so that the server can extract the characteristic information of a specific message; cleans the received first flow according to a flow cleaning rule, where the flow cleaning rule is generated based on first information sent by the server and the first information at least comprises the characteristic information of a specific message; and sends the cleaned first flow to a second network side device. Therefore, the flow threatening the network security can be intercepted and blocked in time, and real-time and comprehensive network security maintenance is realized.

Description

Flow cleaning method and related equipment
Technical Field
The invention relates to the technical field of network security, in particular to a flow cleaning method and related equipment.
Background
In the process of transmitting traffic (here, traffic may be understood as network data flow) between different network-side devices, there are often some traffic threatening network security, and in this case, the traffic threatening network security is not expected to be transmitted to the opposite-side device. In practical application, a flow cleaning method is generally adopted to filter the flow threatening the network security so as to intercept and block the flow threatening the network security.
However, the method for cleaning the traffic in the related art cannot intercept and block the traffic threatening the network security in time.
Disclosure of Invention
In view of this, embodiments of the present invention are intended to provide a traffic cleaning method and related devices, which can intercept and block traffic threatening network security in time.
The technical scheme of the embodiment of the invention is realized as follows:
The embodiment of the invention provides a flow cleaning method, which is applied to flow distribution equipment and comprises the following steps:
Receiving first flow output by first network side equipment;
Sending the received first flow to a server so that the server can extract the characteristic information of the specific message;
Cleaning the received first flow according to a flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
And sending the cleaned first flow to the second network side equipment.
In the above scheme, the method further comprises:
Receiving second information sent by the server; the second information is generated by the server by utilizing the characteristic information of the specific message extracted from the first flow sent by the shunting equipment;
And updating the flow cleaning rule based on the second information.
In the foregoing solution, the updating the traffic cleansing rule based on the second information includes:
When the type of the feature information of the specific message contained in the second information is determined to be the first type, adding the feature information of the specific message received this time in the flow cleaning rule generated last time to obtain an updated flow cleaning rule;
Or,
When the type of the feature information of the specific message contained in the second information is determined to be the second type, deleting the feature information of the specific message received this time from the traffic cleaning rule generated last time to obtain an updated traffic cleaning rule; wherein the first type and the second type are different.
The embodiment of the invention provides a flow cleaning method, which is applied to a server and comprises the following steps:
Screening out a specific message from the second flow;
Extracting characteristic information from the specific message and generating first information;
And sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information.
In the above scheme, the method further comprises:
Receiving a first flow sent by a shunting device;
Screening out a specific message from the first flow;
Extracting characteristic information from the specific message and generating second information;
And sending the second information to the shunting equipment so that the shunting equipment updates the flow cleaning rule based on the second information.
In the foregoing solution, the second information further includes a type of feature information of a specific packet, and the method further includes:
When determining that the extracted characteristic information of the specific message does not exist in the database, storing the extracted characteristic information of the specific message into the database;
Obtaining the type of the characteristic information of the corresponding specific message based on the characteristic information of the specific message stored in the database;
When the second information is generated, the method further includes:
And generating the second information based on the characteristic information of the corresponding specific message and the type of the characteristic information of the specific message.
In the foregoing solution, the obtaining the type of the feature of the corresponding specific packet based on the feature information of the specific packet stored in the database includes:
Comparing the extracted characteristic information of the specific message with the data in the database;
And when determining that the extracted characteristic information of the specific message does not exist in the database, marking the type of the extracted characteristic information as a first type.
In the above scheme, when the extracted feature information of the specific message is stored in the database, the corresponding saving time is recorded;
The obtaining of the type of the feature of the corresponding specific packet based on the feature information of the specific packet stored in the database includes:
When it is determined that a first saving time and the current time are separated by a first duration, marking the type of the characteristic information of the specific message corresponding to the first saving time in the database as a second type.
An embodiment of the present invention further provides a flow dividing apparatus, including:
The first receiving unit is used for receiving a first flow output by first network side equipment;
The first sending unit is used for sending the received first flow to a server so that the server can extract the characteristic information of the specific message;
The cleaning unit is used for cleaning the received first flow according to the flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
And the first sending unit is further configured to send the cleaned first traffic to the second network-side device.
An embodiment of the present invention further provides a server, including:
The screening unit is used for screening out a specific message from the second traffic;
The generating unit is used for extracting characteristic information from the specific message and generating first information;
And the second sending unit is used for sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information.
The embodiment of the invention discloses a flow cleaning method and related equipment. The method comprises the following steps: a shunting device receives first flow output by a first network side device; sends the received first flow to a server so that the server can extract the characteristic information of a specific message; cleans the received first flow according to a flow cleaning rule, where the flow cleaning rule is generated based on first information sent by the server and the first information at least comprises the characteristic information of a specific message; and sends the cleaned first flow to a second network side device. In the embodiment of the invention, in the process of transmitting the flow between two network side devices, when the shunting device receives the flow sent by one network side device, it sends the flow to the server, so that the server can extract the flow threatening network security from it. Meanwhile, the shunting device cleans the flow according to a flow cleaning rule generated from the information, provided by the server, about the flow threatening network security, and sends the cleaned flow to the other network side device. That is to say, the shunting device in the embodiment of the present invention is connected in series between the two network side devices, so that traffic threatening network security has already been cleaned before traffic passes from one network side device to the other, and the cleaning rule of the shunting device is formed from information fed back in real time after the server performs security analysis on the traffic. The traffic threatening network security can therefore be intercepted and blocked in time, implementing real-time and comprehensive network security maintenance.
Drawings
Fig. 1 is a schematic diagram of a connection relationship between a monitoring side and two network side devices of a network monitoring system in the related art;
FIG. 2 is a schematic diagram of a connection relationship between a monitoring side and two network side devices of a network monitoring system in an embodiment of the present invention;
FIG. 3 is a schematic flow chart illustrating an implementation of a side flow cleaning method for a flow diversion device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating a connection relationship between a protection device and two network side devices and a shunting device according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a connection relationship between two off switches and two network-side devices and shunt devices in the protection apparatus according to the embodiment of the present invention;
FIG. 6a is a diagram of an exemplary TLV format according to the present invention;
FIG. 6b is a diagram illustrating a field in the second information for characterizing the type of the feature information according to an embodiment of the present invention;
FIG. 7 is a schematic diagram illustrating an implementation flow of a server-side traffic cleaning method according to an embodiment of the present invention;
Fig. 8 is a schematic flow chart illustrating an implementation process of updating a traffic cleaning rule based on second information by the flow distribution device in the embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a shunting device provided in an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of a hardware composition structure of a shunting device according to an embodiment of the present invention;
Fig. 12 is a schematic diagram of a hardware component structure of a server according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments.
In practical applications, a network monitoring system is generally used to perform specific traffic cleansing operations to filter out traffic that threatens network security. The network monitoring system includes: a shunting device and a server; the flow distribution equipment is used for copying and sending an input flow to the server; the server is used for carrying out security analysis on the flow sent by the shunting equipment.
As shown in fig. 1, the network monitoring system in the related art is connected in parallel with the two network-side devices, and traffic reaches it in a single direction only. That is to say, the traffic between the two network side devices is not transmitted through the splitter device; instead, the data is copied to the splitter device through a downlink interface of an optical splitter, the splitter device then filters and splits the data, and the service data is sent to the server for data analysis. Under this topology, the network monitoring system and the two network side devices cannot be linked in real time, and network security threats cannot be intercepted and blocked in time. Here, the main function of the optical splitter is to distribute downstream data: the optical splitter has one upstream interface and a plurality of downstream interfaces, and signals from the upstream optical interface are distributed to all the downstream optical interfaces for transmission.
Based on this, in each embodiment of the present invention, in the process of traffic transmission between two network side devices, when the offloading device receives traffic sent by one network side device, the offloading device sends the traffic to the server, so that the server extracts traffic threatening network security from the traffic; meanwhile, the flow distribution equipment cleans according to a flow cleaning rule generated by the relevant information of the flow threatening the network security provided by the server, and sends the cleaned flow to the other network side equipment; that is to say, the shunt device in the embodiment of the present invention is connected in series between two network side devices, so that before traffic is transmitted from one network side device to another network side device, traffic threatening network security has been cleaned, and a cleaning rule of the shunt device is formed by information fed back in real time after a server performs security analysis on the traffic, so that the traffic threatening network security can be intercepted and blocked in time, thereby implementing real-time and comprehensive network security maintenance.
Before describing the traffic cleansing method according to the embodiment of the present invention, a network monitoring system for performing the traffic cleansing method according to the embodiment of the present invention is introduced. The network monitoring system in the embodiment of the invention comprises a shunting device and a server; the flow distribution equipment is used for filtering the flow and sending the flow to the server while completing the forwarding of the bidirectional flow between the two network side equipment; the flow distribution equipment generates a cleaning rule by using the characteristic information of the threat source fed back by the server so as to clean the flow by using the cleaning rule; the server is used for screening the flow threatening the network security and feeding back the characteristic information of the threat source to the shunting equipment. In addition, the shunting device also forwards the traffic threatening the network security to a designated port so as to further analyze or discard the traffic threatening the network security. The structural connection relationship between the network monitoring system and the two network side devices in the implementation of the present invention is shown in fig. 2. In fig. 2, the shunt device is serially connected between two network side devices as an independent node, so that traffic sent by any one of the two network side devices can reach the other network side device only through the shunt device.
Based on the network monitoring system, an embodiment of the present invention provides a traffic cleaning method, and fig. 3 is a schematic flow chart illustrating an implementation of the traffic cleaning method according to the embodiment of the present invention. As shown in fig. 3, the method is applied to a shunting device, and includes the following steps:
Step 301: receiving a first flow output by first network side equipment;
Step 302: sending the received first flow to a server so that the server can extract the characteristic information of the specific message;
Step 303: cleaning the received first flow according to a flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
Step 304: and sending the cleaned first flow to the second network side equipment.
In step 301, the traffic output by the first network-side device is directly transmitted to the offloading device.
In practical application, in order to enhance the link reliability, a protection device may be added to the front end of the offloading device, and the connection manner between the protection device and the two network side devices and the offloading device is as shown in fig. 4.
Based on this, in an embodiment, when it is determined that the shunt device works abnormally, a notification is sent to the protection device, so that the protection device switches the switch, and the traffic output by the first network-side device is directly transmitted to the second network-side device after the switch is switched.
In practical application, the core components of the protection device are two optical switches, and the connection relationship between the two optical switches and the two network side devices and the shunt device is shown in fig. 5. When the shunt device works abnormally (such as power interruption, device failure, communication interruption, and the like), the switch automatically switches to the bypass mode (that is, endpoints on both sides of an arrow at the position of a dotted arrow in fig. 5 are connected together), and at the moment, the flow between the devices on the two network sides is transmitted through the switch with the closed bypass, so that the flow transmission between the devices on the two network sides is not affected.
It should be noted that, as can also be seen from the connection relationship in fig. 5, in the embodiment of the present invention, traffic between two network-side devices can be transmitted in two directions.
In step 302, in actual application, the specific message may be a sensitive message that threatens network security, such as a message containing content from a potential attack website, a phishing website, and the like. The characteristic information of the specific message may be characteristic field information that is carried in the specific message and can be used to identify the message, such as an Internet Protocol (IP) quintuple (the set of five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol), a Virtual Local Area Network (VLAN), a Media Access Control (MAC) address, and the like.
In practical applications, there may be multiple servers, so that security analysis tasks for different types of traffic can be processed simultaneously and the processing pressure on a single server is relieved. It is understood that when the processing power of the server is strong enough, one server may be used to process the security analysis tasks of all traffic.
Based on this, in an embodiment, the sending the received first traffic to the server includes: classifying the received first traffic according to a preset rule, and respectively sending each type of traffic in the classified traffic to a corresponding server in a plurality of servers.
Here, the preset rule may be a type of a message service in the traffic. In actual application, the server comprises a plurality of servers; the plurality of servers correspond to different services, respectively. And classifying the messages in the first flow according to the types of the message services, and distributing the classified flows to servers corresponding to different services.
In step 303, in practical application, the offloading device needs to establish a session mechanism with the server to receive the first information sent by the server. In practical applications, there are various ways for the offloading device to establish the communication session mechanism with the server, and this is not limited here.
In an embodiment, the offloading device interacts with the server based on a simple network management protocol, SNMP.
In practical application, the shunting device may adopt an SNMP module and establish a session mechanism with the server in a manner of adding an independent Object Identifier (OID) node; at the moment, the server only needs to integrate the SNMP module, and does not need to additionally develop a protocol module. SNMP is a standard protocol of an application layer, and the protocol is mature, perfect and simple to use.
In an embodiment, the first information is encoded in a Type-Length-Value (TLV) message format.
In practical application, after extracting feature information that can be used to identify data messages, such as the IP quintuple, VLAN, MAC, and the like of sensitive messages threatening network security, the server combines the feature information into a message in TLV format and feeds the message back to the offloading device through the session mechanism. The TLV format allows arbitrary combinations of Ethernet feature fields, such as the IP quintuple, VLAN, MAC, and the like, to be handled flexibly.
In actual application, the flow distribution device may generate the flow cleaning rule according to the first information sent by the server.
Based on this, in an embodiment, the method further comprises:
Receiving first information sent by a server;
And generating the flow cleaning rule based on the first information.
Here, the first information at least includes feature information of a specific packet extracted from traffic output by the first network-side device, that is, feature field information that is carried in a sensitive packet that poses a threat to network security and is used to identify the packet.
In practical application, a specific implementation manner of generating the flow cleaning rule according to the first information may be: generating a soft table that records the flow filtering rule according to the characteristic field information in the first information, and, after format conversion, calling a cleaning Process (FP) module interface in the shunting equipment to generate the flow cleaning rule.
In step 304, the cleaned traffic is directly sent to the second network side device.
In practical application, after the traffic cleansing rule is generated, the flow distribution device may further update the traffic cleansing rule according to the feature information of the specific packet extracted from the first traffic, which is fed back by the server.
Based on this, in an embodiment, the method further comprises:
Receiving second information sent by the server; the second information is generated by the server by utilizing the characteristic information of the specific message extracted from the first flow sent by the shunting equipment;
Updating the traffic cleansing rule based on the second information.
Here, the second information at least includes feature information of a specific packet extracted from the first traffic output to the first network-side device, that is, feature field information that is carried in a sensitive packet that poses a threat to network security and is used to identify the packet.
In an embodiment, the updating the traffic cleansing rule based on the second information includes:
When the type of the feature information of the specific message contained in the second information is determined to be the first type, adding the feature information of the specific message received this time in the flow cleaning rule generated last time to obtain an updated flow cleaning rule;
Or,
When the type of the feature information of the specific message contained in the second information is determined to be the second type, deleting the feature information of the specific message received this time from the traffic cleaning rule generated last time to obtain an updated traffic cleaning rule; wherein the first type and the second type are different.
Here, the first type is an addition (new) type, that is, the characteristic information of the specific packet contained in the second information needs to be added to the cleaning rule already formed; the second type is a deletion type, that is, the characteristic information of the specific packet contained in the second information needs to be deleted from the cleaning rule already formed. It should be noted that the second information can be encoded in TLV format and, as shown in FIG. 6b, the value of the CMSG represents the type corresponding to the characteristic information of the specific packet.
In practical application, the shunting device listens for and receives SNMP messages, parses the specified OID, and then parses, according to the TLV format, the Ethernet feature information such as the IP quintuple, VLAN, MAC and the like, together with the type corresponding to the feature information. If the value of the field in the second information that characterizes the type of the feature information of the specific message (that is, the value of the CMSG) indicates the addition type, the shunting device records the feature information in the second information into the soft table of the flow filtering rule and generates an updated flow cleaning rule. If the value of the CMSG indicates the deletion type, the shunting device deletes the feature information in the second information from the soft table of the flow filtering rule and generates an updated flow cleaning rule.
In practical application, the shunting device may also manage and update the soft table of the formed traffic filtering rule by itself, for example, when the feature information of each specific packet is recorded in the soft table of the traffic filtering rule, the time of the recording is recorded, polling check is performed, when the duration of the feature information of a specific packet recorded in the soft table of the traffic filtering rule reaches a preset duration, the shunting device deletes the feature information of the specific packet from the soft table of the traffic filtering rule, and then a new traffic cleaning rule is generated. That is to say, the feature information of the deletion-type feature packet may also be detected and found by the offloading device and the corresponding traffic cleansing rule is updated.
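The add, delete and aging handling of the soft table described above, as an added example that is not code from the patent: a strict TLV parser on the shunting-device side feeding a rule table that is matched against packet fields. The numeric TLV type codes, the CMSG values, the 300-second age limit and all names are assumptions, since the page does not reproduce the layout of FIG. 6a/6b.

```python
import ipaddress
import struct

# Hypothetical TLV type codes and CMSG values: the page names the fields
# (IP quintuple, VLAN, MAC, CMSG) but not their numeric encoding.
T_CMSG, T_SRC_IP, T_DST_IP, T_SRC_PORT, T_DST_PORT, T_PROTO, T_VLAN, T_MAC = range(1, 9)
CMSG_ADD, CMSG_DEL = 1, 2
VALUE_LEN = {T_CMSG: 1, T_SRC_IP: 4, T_DST_IP: 4, T_SRC_PORT: 2,
             T_DST_PORT: 2, T_PROTO: 1, T_VLAN: 2, T_MAC: 6}


def encode(cmsg, fields):
    """Server side: a CMSG TLV followed by one TLV per feature field."""
    out = bytes([T_CMSG, 1, cmsg])
    for ftype, value in sorted(fields.items()):
        out += bytes([ftype, len(value)]) + value
    return out


def decode(buf):
    """Device side: strict parse, returns (cmsg, frozenset of (type, value))."""
    seen, pos = {}, 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        ftype, length = buf[pos], buf[pos + 1]
        value = buf[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of message")
        if VALUE_LEN.get(ftype) != length:
            raise ValueError("unknown type or wrong length for type %d" % ftype)
        if ftype in seen:
            raise ValueError("duplicate type %d" % ftype)
        seen[ftype] = value
        pos += 2 + length
    cmsg = seen.pop(T_CMSG, b"\x00")[0]
    if cmsg not in (CMSG_ADD, CMSG_DEL):
        raise ValueError("missing or invalid CMSG")
    if not seen:
        # A rule with no fields would match, and drop, all traffic on an
        # in-line device, so it is rejected rather than installed.
        raise ValueError("no feature fields")
    return cmsg, frozenset(seen.items())


class SoftTable:
    """Soft table of filtering rules: feature set -> time it was recorded."""

    def __init__(self, max_age):
        self.max_age = max_age
        self.rules = {}

    def apply(self, message, now):
        """Add or delete the rule carried by one TLV message."""
        cmsg, key = decode(message)
        if cmsg == CMSG_ADD:
            self.rules[key] = now
        else:
            self.rules.pop(key, None)
        return cmsg

    def expire(self, now):
        """Polling check: remove rules recorded max_age or more seconds ago."""
        stale = [k for k, t in self.rules.items() if now - t >= self.max_age]
        for key in stale:
            del self.rules[key]
        return len(stale)

    def drops(self, packet):
        """True if every field of some rule equals the packet's field."""
        items = set(packet.items())
        return any(rule <= items for rule in self.rules)


def ip(text):
    return ipaddress.IPv4Address(text).packed


def u16(number):
    return struct.pack("!H", number)


# Constructed sample data (documentation address ranges).
FEATURE = {T_SRC_IP: ip("203.0.113.7"), T_DST_PORT: u16(80)}
FLAGGED = {T_SRC_IP: ip("203.0.113.7"), T_DST_IP: ip("198.51.100.10"),
           T_SRC_PORT: u16(40000), T_DST_PORT: u16(80), T_PROTO: b"\x06"}
OTHER = {**FLAGGED, T_SRC_IP: ip("192.0.2.5")}


def demo():
    table = SoftTable(max_age=300)
    table.apply(encode(CMSG_ADD, FEATURE), now=0)
    after_add = (table.drops(FLAGGED), table.drops(OTHER))
    table.apply(encode(CMSG_DEL, FEATURE), now=10)
    after_delete = table.drops(FLAGGED)
    table.apply(encode(CMSG_ADD, FEATURE), now=20)
    expired = table.expire(now=320)
    return after_add, after_delete, expired, table.drops(FLAGGED)
```

Because the device sits in series with the link, the parser rejects malformed, duplicate or empty messages instead of installing a partial rule.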
According to the traffic cleaning method provided by the embodiment of the invention, a shunting device receives a first traffic output by a first network side device; sending the received first flow to a server so that the server can extract the characteristic information of the specific message; cleaning the received first flow according to a flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message; and sending the cleaned first flow to the second network side equipment. In the embodiment of the invention, in the process of transmitting the flow between two network side devices, when the shunting device receives the flow sent by one network side device, the flow is sent to the server, so that the server can extract the flow threatening network security from the flow; meanwhile, the flow distribution equipment cleans according to a flow cleaning rule generated by the relevant information of the flow threatening the network security provided by the server, and sends the cleaned flow to the other network side equipment; that is to say, the shunt device in the embodiment of the present invention is connected in series between two network side devices, so that before traffic is transmitted from one network side device to another network side device, traffic threatening network security has been cleaned, and a cleaning rule of the shunt device is formed by information fed back in real time after a server performs security analysis on the traffic, so that the traffic threatening network security can be intercepted and blocked in time, thereby implementing real-time and comprehensive network security maintenance.
Correspondingly, an embodiment of the present invention further provides a flow cleaning method, and fig. 7 is a schematic flow chart illustrating an implementation of the flow cleaning method according to the embodiment of the present invention. As shown in fig. 7, the method is applied to a server, and includes the following steps:
Step 701: screening out a specific message from the second flow;
Step 702: extracting characteristic information from the specific message and generating first information;
Step 703: and sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information.
In step 701, in practical application, the second traffic may be traffic that is sent to the server by the offloading device and is directly forwarded from the network-side device; the second traffic may also be traffic that the server has acquired according to other means.
The specific message may be a sensitive message that threatens network security, such as a message containing contents of a potential attack website, a phishing website, and the like. In practical application, the server may screen out a specific message from the network in the received traffic according to a preset algorithm (e.g., setting a sensitive keyword).
In step 702, the feature information of the specific packet may be feature field information that is carried in the feature packet and can be used to identify the packet, such as IP quintuple, VLAN, or MAC.
The feature information is encoded to generate first information.
In an embodiment, the first information is encoded in a TLV message format.
In step 703, the server needs to establish a session mechanism with the offloading device to send the first information to the offloading device. In practical applications, there are various ways for the server to establish the communication session with the offloading device, which is not limited herein.
In an embodiment, the server and the offloading device interact based on SNMP.
In actual application, after the flow cleansing rule has been generated by the flow distribution device in step 703, the server may further extract the feature of the new specific packet from the cleansed flow, and send the feature of the new specific packet to the flow distribution device, so that the flow distribution device updates the flow cleansing rule based on the feature of the new specific packet.
Based on this, in an embodiment, the method further comprises:
Receiving a first flow sent by a shunting device; screening out a specific message from the first flow;
Extracting characteristic information from the specific message and generating second information;
And sending the second information to the shunting equipment so that the shunting equipment updates the flow cleaning rule based on the second information.
Here, the second traffic is first traffic received by the server from the offloading device, where the first traffic is received after the second traffic. The second information at least includes feature information of a specific message extracted from traffic that is output by the first network-side device after being cleaned, that is, feature field information that is carried in a sensitive message that threatens network security and can be used to identify the message.
In an embodiment, the second information further includes a type of feature information of a specific packet, and the method further includes:
When determining that the extracted characteristic information of the specific message does not exist in the database, storing the extracted characteristic information of the specific message into the database;
Obtaining the type of the characteristic information of the corresponding specific message based on the characteristic information of the specific message stored in the database;
When the second information is generated, the method further includes:
And generating the second information based on the characteristic information of the corresponding specific message and the type of the characteristic information of the specific message.
In practical application, the server compares the feature information of the feature message extracted from the acquired flow with the feature information stored in the database every time, and when the feature information of the extracted specific message does not exist in the database, the feature information of the extracted specific message is stored in the database to form a dynamically updated feature information database of the sensitive message which threatens the network security. Here, the second information includes feature information of the specific packet and a type corresponding to the feature information of the specific packet.
In an embodiment, the obtaining, based on the feature information of the specific packet stored in the database, a type of a feature of the corresponding specific packet includes:
Comparing the extracted characteristic information of the specific message with the data in the database;
And when determining that the characteristic information of the extracted characteristic message does not exist in the database, marking the type of the extracted characteristic information as a first type.
Here, the first type is a new type, that is, it indicates that the feature information of the specific packet included in the information needs to be added to the already formed cleaning rule. The feature information of the specific packet extracted this time can be understood as feature information of the specific packet extracted from the traffic, forwarded by the shunting device at one time, that the server is currently processing.
In practical application, the server compares the feature information of the feature message extracted from the flow forwarded by the flow distribution equipment each time with the feature information of the existing feature messages in the database. When the extracted feature information does not exist in the database, it is considered to need to be newly added to the cleaning rule, and its type is marked as the first type.
In one embodiment, when the extracted features of the feature message are stored in the database, the corresponding storage time is recorded;
The obtaining of the type of the feature of the corresponding specific packet based on the feature of the specific packet stored in the database includes:
When it is determined that the interval between the first saving time and the current time is a first duration, marking the type of the characteristic information of the specific message corresponding to the first saving time in the database as a second type.
Here, the second type is a deletion type, that is, it indicates that the characteristic information of the specific packet included in the information needs to be deleted from the already formed cleansing rule. The first saving time represents the time when the feature information of a certain specific message was saved in the database, and the current time can be understood as the time at which the server is currently processing the feature information extraction of the specific message.
In practical application, the server supports independent configuration and management of the aging period T0x of the feature information of each specific packet, specifically: when the feature information of the feature message extracted from the traffic forwarded by the flow distribution equipment each time is stored in the database, the storage time is recorded, the difference between the strategy issuing time and the current time T1x is inquired and calculated one by one in each polling period, the comparison is carried out with T0x, when the T1x is greater than or equal to T0x, the feature information of the corresponding specific message is considered to be deleted from the cleaning rule, and the type of the feature information of the corresponding specific message is marked as a second type.
In practical applications, the server may further determine whether the characteristic information of the specific packet in the database is the deletion type according to other criteria (e.g., a change in a preset algorithm for screening the specific packet).
According to the flow cleaning method provided by the embodiment of the invention, the server screens out the specific message from the second flow; extracting characteristic information from the specific message and generating first information; and sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information. Therefore, in the embodiment of the invention, the server can receive the flow from the shunting equipment, perform safety analysis on the flow and feed the flow back to the shunting equipment at the same time, so that the shunting equipment generates the flow cleaning rule, and thus, the shunting equipment can intercept and block the flow threatening network safety in time, thereby realizing real-time and comprehensive network safety maintenance.
The present invention will be described in further detail with reference to the following practical application scenarios.
In practical application, when a network monitoring system is used for executing flow, no cleaning rule is formed in the shunting device. At this time, the first flow output by the first network side device is forwarded to the server through the shunting device. Because the security analysis of the server has a certain time delay, the shunting device must clean the received flow output by the first network side device based on the current cleaning rule. Therefore, for the current cleaning rule, the server screens out a specific message from the second flow (the second flow is flow obtained earlier than the first flow forwarded by the shunting device, and can be a random initial flow of the server itself), extracts characteristic information from the screened-out specific message, generates the first information from the extracted characteristic information according to the TLV format, and sends the first information to the shunting device in the form of a message. The shunting device generates a flow cleaning rule based on the first information, cleans the received flow according to the generated flow cleaning rule, sends the cleaned flow to the second network side, and continuously extracts the cleaned specific message from the second flow, and sends the cleaned message to the second network side, and the cleaned flow.
In practical application, the specific implementation flow of updating the flow cleaning rule by the flow distribution device based on the second information is shown in fig. 8.
Step 801: receiving second information sent by the server;
In practical application, the shunting device receives the SNMP message by monitoring. When step 801 is completed, the process proceeds to step 802.
Step 802: analyzing the second information;
The specified OID is parsed, and Ethernet feature information such as IP quintuple, VLAN, MAC and the like, together with the type corresponding to the feature information, is parsed according to the TLV format. When step 802 is completed, the process proceeds to step 803.
Step 803: judging the type corresponding to the characteristic information in the second information;
Here, it can be understood that whether the washing strategy needs to be added is determined according to the type. If the type corresponding to the feature information in the second information is the first type, the feature information in the second information needs to be added to the cleaning strategy, and at this time, the step 804 is executed; if the type corresponding to the feature information in the second information is the second type, that is, the feature information in the second information needs to be excluded from the cleaning policy, then step 805 is performed.
Step 804: adding the characteristic information in the second information into the flow cleaning rule;
In practical application, the feature information in the second information is stored in the soft table of the traffic filtering rule, and the flow cleaning rule is updated by calling the FP module interface of the switch chip after format conversion, at this time, the updating process is finished, and the process proceeds to step 807.
Step 805: judging whether a record of the characteristic information in the second information exists in a soft table of the flow filtering rule;
The records in the soft table of the traffic filtering rule are searched. If a record corresponding to the characteristic information still exists in the soft table, this indicates that the characteristic information needs to be deleted from the soft table of the traffic filtering rule, and the process goes to step 806. When no record corresponding to the feature information exists in the soft table, the updating process is ended, and step 807 is executed;
Step 806: deleting the characteristic information in the second information from the flow cleaning rule;
In actual application, the feature information in the second information is deleted from the record of the soft table of the traffic filtering rule, the cleaning rule is updated, at this time, the updating process is ended, and the process proceeds to step 808.
Step 807: the update flow is stopped.
In the embodiment of the invention, a communication mechanism is established between the shunting equipment and the server, the shunting equipment identifies the characteristics of the sensitive data message fed back by the server, automatically generates the flow cleaning and filtering rule, and intercepts and blocks the sensitive data in the network, thereby automatically and accurately cleaning the sensitive data in the network flow in real time.
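The update exchange described above (the server marking feature information as first or second type and aging it out, the TLV encoding, and the Fig. 8 soft-table update on the shunting device), as an added Python example that is not part of the patent text. The tag numbers, type codes, field widths and all class and function names are assumptions; the SNMP transport and the switch chip's FP module call are left out.

```python
import socket
import struct

# Assumed values: the patent names TLV encoding and the two types, not their numbers.
TAG_TYPE, TAG_FIVE_TUPLE, TAG_VLAN, TAG_MAC = 1, 2, 3, 4
TYPE_ADD, TYPE_DELETE = 1, 2          # "first type" / "second type"
EXPECTED_LEN = {TAG_TYPE: 1, TAG_FIVE_TUPLE: 13, TAG_VLAN: 2, TAG_MAC: 6}


def five_tuple(src, dst, sport, dport, proto):
    """Pack an IPv4 five-tuple into 13 bytes."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHB", sport, dport, proto))


def encode_info(info_type, feature):
    """Server side: encode the type plus each feature field as tag/length/value."""
    fields = [(TAG_TYPE, bytes([info_type]))] + sorted(feature.items())
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in fields)


def decode_info(buf):
    """Device side (step 802): parse TLVs, rejecting malformed messages."""
    fields, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack_from("!BH", buf, off)
        off += 3
        if EXPECTED_LEN.get(tag) != length or length > len(buf) - off:
            raise ValueError("unknown tag or bad length")
        if tag in fields:
            raise ValueError("duplicate tag")
        fields[tag] = buf[off:off + length]
        off += length
    if TAG_TYPE not in fields or len(fields) < 2:
        raise ValueError("message needs a type and at least one feature field")
    info_type = fields.pop(TAG_TYPE)[0]
    if info_type not in (TYPE_ADD, TYPE_DELETE):
        raise ValueError("unknown type")
    return info_type, tuple(sorted(fields.items()))


class FeatureDatabase:
    """Server side: feature store with a per-entry aging period (T0x)."""

    def __init__(self):
        self.saved = {}               # feature key -> (save time, T0x)

    def observe(self, feature, now, aging):
        """Return an ADD message if the feature is new to the database, else None."""
        key = tuple(sorted(feature.items()))
        if key in self.saved:
            return None
        self.saved[key] = (now, aging)
        return encode_info(TYPE_ADD, feature)

    def poll(self, now):
        """One polling period: emit DELETE messages where T1x >= T0x."""
        out = []
        for key, (saved_at, aging) in list(self.saved.items()):
            if now - saved_at >= aging:
                del self.saved[key]   # assumption: aged entries leave the database
                out.append(encode_info(TYPE_DELETE, dict(key)))
        return out


class SoftTable:
    """Shunting-device side: soft table of the traffic filtering rule."""

    def __init__(self):
        self.rules = set()

    def apply(self, message):
        info_type, key = decode_info(message)     # step 802
        if info_type == TYPE_ADD:                 # steps 803 -> 804
            self.rules.add(key)
            return "added"
        if key in self.rules:                     # steps 805 -> 806
            self.rules.discard(key)
            return "deleted"
        return "no-op"                            # step 805 -> 807

    def blocks(self, packet_fields):
        """True if every field of some rule matches the packet's fields."""
        return any(all(packet_fields.get(t) == v for t, v in rule)
                   for rule in self.rules)


def demo():
    """Constructed sample: one feature is added, seen again, then aged out."""
    db, table = FeatureDatabase(), SoftTable()
    feat = {TAG_FIVE_TUPLE: five_tuple("192.0.2.10", "198.51.100.7", 40000, 80, 6),
            TAG_VLAN: struct.pack("!H", 100)}
    results = [table.apply(db.observe(feat, now=0, aging=60))]
    results.append(db.observe(feat, now=10, aging=60))   # already in database
    results.append(table.blocks(feat))
    results.append(db.poll(now=59))                      # not yet aged
    results.extend(table.apply(m) for m in db.poll(now=60))
    results.append(table.blocks(feat))
    return results
```

The decoder rejects truncated, duplicated or unknown fields before anything reaches the soft table, so a malformed control message cannot add or remove a cleaning rule.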
In order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a shunting device 900, fig. 9 is a structural diagram of the shunting device 900 according to the embodiment of the present invention, and as shown in fig. 9, the shunting device 900 includes:
A first receiving unit 901, configured to receive a first traffic output by a first network-side device;
A first sending unit 902, configured to send the received first traffic to a server, so that the server extracts feature information of a specific packet;
A cleaning unit 903, configured to clean the received first traffic according to a traffic cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
The first sending unit 902 is further configured to send the cleaned first traffic to the second network-side device.
In an embodiment, the shunting device 900 further includes a second generating unit, configured to:
Receiving first information sent by a server;
And generating the flow cleaning rule based on the first information.
In an embodiment, the shunting device 900 further includes an updating unit configured to:
Receiving second information sent by the server; the second information is generated by the server by utilizing the characteristic information of the specific message extracted from the first flow sent by the shunting equipment;
And updating the flow cleaning rule based on the second information.
In an embodiment, the update unit is specifically configured to:
When the type of the feature information of the specific message contained in the second information is determined to be the first type, adding the feature information of the specific message received this time in the flow cleaning rule generated last time to obtain an updated flow cleaning rule;
Or,
When the type of the feature information of the specific message contained in the second information is determined to be the second type, deleting the feature information of the specific message received this time from the traffic cleaning rule generated last time to obtain an updated traffic cleaning rule; wherein the first type and the second type are different.
In an embodiment, the first sending unit 902 is specifically configured to:
Classifying the received first traffic according to a preset rule, and respectively sending each type of traffic in the classified traffic to a corresponding server in a plurality of servers.
In practical applications, the first receiving unit 901, the second generating unit, the first sending unit 902, the cleaning unit 903, and the updating unit may be implemented by a processor in the shunting device 900 in combination with a communication interface.
It should be noted that: in the above embodiment, when performing information processing, the splitting apparatus is only illustrated by dividing each program module, and in practical applications, the processing may be distributed to different program modules according to needs, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above. In addition, the embodiments of the flow cleaning method for the shunt device and the shunt device side provided by the embodiments belong to the same concept, and specific implementation processes thereof are detailed in the embodiments of the methods and are not described herein again.
In order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a server 1000, fig. 10 is a structural diagram of the server 1000 according to the embodiment of the present invention, and as shown in fig. 9, the server 1000 includes:
A screening unit 1001, configured to screen a specific packet from the second traffic;
A first generating unit 1002, configured to extract feature information from the specific packet, and generate first information;
A second sending unit 1003, configured to send the first information to the offloading device, so that the offloading device generates a traffic cleaning rule based on the first information.
In an embodiment, the server 1000 further includes a second receiving unit, configured to:
Receiving a first flow sent by a shunting device;
The screening unit 1001 is further configured to screen a specific packet from the second traffic;
The first generating unit 1002 is further configured to extract feature information from a specific message, and generate second information;
The second sending unit 1003 is further configured to send the second information to the offloading device, so that the offloading device updates a traffic cleaning rule based on the second information.
In an embodiment, the second information further includes a type of feature information of a specific packet, and the server 1000 further includes a determining unit configured to:
When determining that the extracted characteristic information of the specific message does not exist in the database, storing the extracted characteristic information of the specific message into the database;
Obtaining the type of the characteristic information of the corresponding specific message based on the characteristic information of the specific message stored in the database;
The first generating unit 1002 is specifically configured to generate the second information based on the feature information of the corresponding specific packet and the type of the feature information of the specific packet.
In an embodiment, the determining unit is specifically configured to:
Comparing the extracted characteristic information of the specific message with the data in the database;
And when determining that the characteristic information of the extracted characteristic message does not exist in the database, marking the type of the extracted characteristic information as a first type.
In one embodiment, when the extracted feature information of the feature message is stored in a database, the corresponding storage time is recorded;
The determining unit is specifically configured to:
When it is determined that the interval between the first saving time and the current time is a first duration, marking the type of the characteristic information of the specific message corresponding to the first saving time in the database as a second type.
In practical applications, the screening unit 1001, the first generating unit 1002, the second transmitting unit 1003, the second receiving unit, and the determining unit may be implemented by a processor in the server 1000 in combination with a communication interface.
It should be noted that: in the above embodiment, the server is only exemplified by the division of the program modules when performing information processing, and in practical applications, the processing may be distributed to different program modules according to needs, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the embodiments of the traffic cleaning method for the server and the server side provided by the embodiments belong to the same concept, and specific implementation processes thereof are detailed in the embodiments of the method and are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the method on the shunting device side in the embodiment of the present invention, an embodiment of the present invention further provides a shunting device, as shown in fig. 11, where the shunting device 1100 includes:
A first communication interface 1101 capable of performing information interaction with a server;
The first processor 1102 is connected to the first communication interface 1101 to implement information interaction with a server, and is configured to execute a method provided by one or more technical solutions of the shunting device side when running a computer program. And the computer program is stored on the first memory 1103.
Specifically, the first processor 1102 is configured to send and receive a message to a server through the first communication interface 1101.
It should be noted that: specific processing procedures of the first processor 1102 and the first communication interface 1101 are described in detail in an embodiment of a method for cleaning a flow on a side of a shunting device, and are not described herein again.
Of course, in practice, the various components of the shunt device 1100 are coupled together by the bus system 1104. It is understood that the bus system 1104 is used to enable communications among the components for connection. The bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are designated as the bus system 1104 in FIG. 11.
The first memory 1103 in the embodiments of the present invention is used to store various types of data to support the operation of the shunting device 1100. Examples of such data include: any computer program for operating on the shunt device 1100.
The method disclosed in the above embodiments of the present invention can be applied to the first processor 1102, or implemented by the first processor 1102. The first processor 1102 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or instructions in the form of software in the first processor 1102. The first Processor 1102 may be a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, etc. The first processor 1102 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the first memory 1103, and the first processor 1102 reads the information in the first memory 1103 and performs the steps of the foregoing method in combination with the hardware thereof.
In an exemplary embodiment, the shunting device 1100 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controllers (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
Based on the hardware implementation of the program modules, and in order to implement the method on the server side in the embodiment of the present invention, as shown in fig. 12, the server 1200 includes:
A second communication interface 1201 capable of performing information interaction with the distribution device;
The second processor 1202 is connected to the second communication interface 1201 to implement information interaction with the offloading device, and is configured to execute a method provided by one or more technical solutions of the network device side when running a computer program. And the computer program is stored on the second memory 1203.
Specifically, the second processor 1202 is configured to send and receive a packet to and from an offloading device through the second communication interface 1201.
It should be noted that: specific processing procedures of the second processor 1202 and the second communication interface 1201 are detailed in the embodiment of the server-side traffic cleansing method, and are not described herein again.
Of course, in actual practice, the various components in the server 1200 are coupled together by a bus system 1204. It is understood that the bus system 1204 is used to enable connective communication between these components. The bus system 1204 includes a power bus, a control bus, and a status signal bus, in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 1204 in fig. 12.
The second memory 1203 in the embodiment of the present invention is used for storing various types of data to support the operation of the server 1200. Examples of such data include: any computer program for operating on server 1200.
The method disclosed in the above embodiments of the present invention may be applied to the second processor 1202, or implemented by the second processor 1202. The second processor 1202 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the second processor 1202. The second processor 1202 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The second processor 1202 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the second memory 1203, and the second processor 1202 reads the information in the second memory 1203 to implement the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the server 1200 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components for performing the aforementioned methods.
The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM). The memory may also be a Synchronous Dynamic Random Access Memory (SDRAM).
In order to implement the method of the embodiment of the present invention, an embodiment of the present invention further provides a network monitoring system, where the system includes: shunting equipment and a server; the specific processing procedures of the offloading device and the server are described in detail above, and are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, specifically a computer-readable storage medium, for example, a first memory 1103 storing a computer program, where the computer program is executable by the first processor 1102 of the flow distribution device 1100, so as to complete the steps of the flow distribution device side method. For another example, the second memory 1203 may be configured to store a computer program that is executable by the second processor 1202 of the server 1200 to perform the steps of the server-side method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In addition, the technical solutions described in the embodiments of the present invention may be arbitrarily combined without conflict.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A flow cleaning method is characterized by being applied to a flow dividing device, and comprises the following steps:
Receiving a first flow output by first network side equipment;
Sending the received first flow to a server so that the server can extract the characteristic information of the specific message;
Cleaning the received first flow according to a flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
And sending the cleaned first flow to the second network side equipment.
2. The method of claim 1, further comprising:
Receiving second information sent by the server; the second information is generated by the server by utilizing the characteristic information of the specific message extracted from the first flow sent by the shunting equipment;
And updating the flow cleaning rule based on the second information.
3. The method of claim 2, wherein updating traffic cleansing rules based on the second information comprises:
When the type of the feature information of the specific message contained in the second information is determined to be the first type, adding the feature information of the specific message received this time in the flow cleaning rule generated last time to obtain an updated flow cleaning rule;
Or,
When the type of the feature information of the specific message contained in the second information is determined to be the second type, deleting the feature information of the specific message received this time from the traffic cleaning rule generated last time to obtain an updated traffic cleaning rule; wherein the first type and the second type are different.
4. A traffic cleaning method is applied to a server, and the method comprises the following steps:
Screening out a specific message from the second flow;
Extracting characteristic information from the specific message and generating first information;
And sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information.
5. The method of claim 4, further comprising:
Receiving a first flow sent by a shunting device;
Screening out a specific message from the first flow;
Extracting characteristic information from the specific message and generating second information;
And sending the second information to the shunting equipment so that the shunting equipment updates the flow cleaning rule based on the second information.
6. The method of claim 5, wherein the second information further includes a type of feature information of a specific packet, the method further comprising:
When determining that the extracted characteristic information of the specific message does not exist in the database, storing the extracted characteristic information of the specific message into the database;
Obtaining the type of the characteristic information of the corresponding specific message based on the characteristic information of the specific message stored in the database;
When the second information is generated, the method further includes:
And generating the second information based on the characteristic information of the corresponding specific message and the type of the characteristic information of the specific message.
7. The method according to claim 6, wherein obtaining the type of the feature of the corresponding specific packet based on the feature information of the specific packet stored in the database comprises:
Comparing the extracted characteristic information of the specific message with the data in the database;
And when determining that the characteristic information of the extracted characteristic message does not exist in the database, marking the type of the extracted characteristic information as a first type.
8. The method according to claim 6, wherein when the feature information of the extracted feature message is stored in the database, the corresponding storage time is recorded;
The obtaining of the type of the feature of the corresponding specific packet based on the feature information of the specific packet stored in the database includes:
When it is determined that the interval between a first saving time and the current time is a first duration, marking the type of the characteristic information of the specific message corresponding to the first saving time in the database as a second type.
9. A splitter apparatus, comprising:
The first receiving unit is used for receiving a first flow output by first network side equipment;
The first sending unit is used for sending the received first flow to a server so that the server can extract the characteristic information of the specific message;
The cleaning unit is used for cleaning the received first flow according to the flow cleaning rule; the flow cleaning rule is generated based on first information sent by a server; the first information at least comprises the characteristic information of a specific message;
And the first sending unit is further configured to send the cleaned first traffic to the second network-side device.
10. A server, comprising:
The screening unit is used for screening out a specific message from the second traffic;
The first generating unit is used for extracting characteristic information from the specific message and generating first information;
And the second sending unit is used for sending the first information to the shunting equipment so that the shunting equipment generates a flow cleaning rule based on the first information.
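
The rule life cycle set out in claims 1 to 3 and 5 to 8, as an added sketch that is not code from the patent or the applicant. Assumptions: the characteristic information is a (source IP, destination port) pair, cleaning drops matching packets, the screening step is a caller-supplied predicate, the server forgets an entry once it has announced it as the second type, and all names (`Server`, `Splitter`, `first_duration`, `run`) are hypothetical.

```python
from dataclasses import dataclass, field

FIRST_TYPE, SECOND_TYPE = "first", "second"   # claim 3: add / delete
# Constructed sample packets; "bad" stands in for the server's screening result.
BAD = {"src": "203.0.113.7", "dport": 80, "bad": True}
GOOD = {"src": "198.51.100.2", "dport": 443, "bad": False}

def feature_of(pkt):
    return (pkt["src"], pkt["dport"])          # assumed form of the feature

@dataclass
class Server:
    first_duration: float                      # claim 8 interval (assumed name)
    is_specific: callable                      # assumed screening predicate
    db: dict = field(default_factory=dict)     # feature -> save time
    def second_information(self, first_flow, now):
        info = []
        for feat in sorted({feature_of(p) for p in first_flow if self.is_specific(p)}):
            if feat not in self.db:            # claims 6-7: unknown, store, first type
                self.db[feat] = now
                info.append((feat, FIRST_TYPE))
        for feat, saved in sorted(self.db.items()):
            if now - saved >= self.first_duration:   # claim 8: aged, second type
                del self.db[feat]              # assumption: forget once announced
                info.append((feat, SECOND_TYPE))
        return info

@dataclass
class Splitter:
    rules: set = field(default_factory=set)    # current flow cleaning rule
    def update(self, second_information):      # claim 3
        for feat, kind in second_information:
            if kind == FIRST_TYPE:
                self.rules.add(feat)
            elif kind == SECOND_TYPE:
                self.rules.discard(feat)
            else:
                raise ValueError(f"unknown type {kind!r}")
    def clean(self, first_flow):
        # Assumption: cleaning drops packets whose feature is in the rule.
        return [p for p in first_flow if feature_of(p) not in self.rules]

def run(batches, server, splitter):
    """Claims 1-2: clean with the current rule, mirror the raw flow, update."""
    out = []
    for now, flow in batches:
        out.append(splitter.clean(flow))
        splitter.update(server.second_information(flow, now))
    return out
```

Because claim 6 stores a feature only when it is absent from the database, its save time is not refreshed while it keeps appearing, so a rule is withdrawn after the first duration and re-learned from the next batch that still contains the message.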
CN202010281260.6A 2020-04-10 2020-04-10 Flow cleaning method and related equipment Pending CN111431930A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010281260.6A CN111431930A (en) 2020-04-10 2020-04-10 Flow cleaning method and related equipment

Publications (1)

Publication Number Publication Date
CN111431930A true CN111431930A (en) 2020-07-17

Family

ID=71553803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010281260.6A Pending CN111431930A (en) 2020-04-10 2020-04-10 Flow cleaning method and related equipment

Country Status (1)

Country Link
CN (1) CN111431930A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210514

Address after: 430205 No. 1 Tan Hu Road, Tibet Dragon Island Development Area, Jiangxia District, Wuhan, Hubei

Applicant after: WUHAN ACCELINK TECHNOLOGIES Co.,Ltd.

Applicant after: Accelink Technologies Co.,Ltd.

Address before: 430205 No. 1 Tan Hu Road, Tibet Dragon Island Development Area, Jiangxia District, Wuhan, Hubei

Applicant before: WUHAN ACCELINK TECHNOLOGIES Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20200717
