CN111628984A - Information processing method, apparatus, device, medium, and program product - Google Patents

Info

Publication number: CN111628984A
Authority: CN (China)
Prior art keywords: data packet, information, feature, template, label
Legal status: Granted
Application number: CN202010438841.6A
Other languages: Chinese (zh)
Other versions: CN111628984B (en)
Inventors: 张�浩, 杨锦, 徐涛, 施佳杰
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by: Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Events: priority to CN202010438841.6A; publication of CN111628984A; application granted; publication of CN111628984B
Legal status: Active

Classifications

    • H04L 63/10: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 for controlling access to devices or network resources
    • H04L 63/102: H04L 63/10 (as above) > Entity profiles
    • G06F 18/22: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/22 Matching criteria, e.g. proximity measures


Abstract

The present disclosure provides an information processing method, apparatus, device, medium, and program product. The information processing method comprises the following steps: monitoring a data packet sent by a terminal device; identifying the data packet and obtaining feature information of the data packet; determining, among a plurality of predetermined feature templates, a first feature template that matches the feature information; and adding a tag for the first feature template to the address information of the terminal device, the tag serving as a basis for processing the data packet.

Description

Information processing method, apparatus, device, medium, and program product
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an information processing method, apparatus, device, medium, and program product.
Background
Admission control techniques are used to prevent various hacking techniques from compromising enterprise security. For example, with Network Access Control (NAC) technology, authorized, legitimate, secure and trustworthy terminal devices can be allowed to access an enterprise network, while unauthorized terminal devices cannot.
In an admission control scheme, a unified processing policy standard is generally established in advance. When a terminal device sends a data packet, the packet is detected and processed according to this pre-established unified processing policy standard. When the granularity of the processing policy standard is coarse, or it covers only a single dimension, the data packet cannot be processed accurately, which may create network security risks.
Disclosure of Invention
In view of the above, the present disclosure provides an information processing method, apparatus, device, medium, and program product capable of improving packet processing accuracy.
One aspect of the present disclosure provides an information processing method, including: monitoring a data packet sent by a terminal device; identifying the data packet and obtaining feature information of the data packet; determining, among a plurality of predetermined feature templates, a first feature template that matches the feature information; and adding a tag for the first feature template to the address information of the terminal device, the tag serving as a basis for processing the data packets sent by the terminal device.
According to an embodiment of the present disclosure, the tag for the first feature template has a validity period, and the information processing method further includes: deleting the tag for the first feature template that was added to the address information of the terminal device if no data packet whose feature information matches the first feature template is monitored within the validity period.
According to an embodiment of the present disclosure, the information processing method further includes: updating the validity period of the tag for the first feature template if a data packet whose feature information matches the first feature template is monitored within the validity period.
According to an embodiment of the present disclosure, the information processing method further includes: adding a tag for a second feature template of the plurality of feature templates to the address information of the terminal device if the feature information is monitored to match the second feature template.
According to an embodiment of the present disclosure, identifying the data packet and obtaining the feature information of the data packet include: extracting basic information of the data packet; and identifying the data packet by a deep inspection technique to obtain application information of the application program in the terminal device that generated the data packet. The basic information includes at least one of: source address, source port, destination address, destination port.
According to an embodiment of the present disclosure, the information processing method further includes: determining a processing policy for the tag according to the tag added to the address information of the terminal device; and processing the monitored data packet according to the processing policy.
Another aspect of the present disclosure provides an information processing apparatus including: a monitoring module for monitoring a data packet sent by a terminal device; an identification module for identifying the data packet and obtaining feature information of the data packet; a template determining module for determining, among a plurality of predetermined feature templates, a first feature template that matches the feature information; and a tag processing module for adding a tag for the first feature template to the address information of the terminal device, the tag serving as a basis for processing the data packets sent by the terminal device.
Another aspect of the present disclosure provides an electronic device, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to execute the information processing method described above.
Another aspect of the present disclosure provides a computer-readable storage medium having stored thereon computer-executable instructions which, when executed, implement the information processing method described above.
Another aspect of the disclosure provides a computer program product comprising computer-readable instructions which, when executed, perform the information processing method described above.
According to the embodiment of the disclosure, the hidden network security risk caused by inaccurate processing under a unified processing policy standard can be at least partially resolved. By acquiring the feature information of the data packet and matching a feature template according to it, the basis for processing the data packet can be determined conveniently from the feature template, and the packet can be processed with a finer-grained processing policy, so that it is handled in a more targeted way and the accuracy of packet processing is improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of an information processing method, apparatus, device, medium, and program product according to embodiments of the present disclosure;
fig. 2 schematically shows a flow chart of an information processing method according to a first exemplary embodiment of the present disclosure;
fig. 3 schematically illustrates a flow chart for identifying a data packet to obtain feature information of the data packet according to an embodiment of the disclosure;
fig. 4 schematically shows a flow chart of an information processing method according to a second exemplary embodiment of the present disclosure;
fig. 5 schematically shows a flow chart of an information processing method according to a third exemplary embodiment of the present disclosure;
fig. 6 schematically shows a block diagram of the structure of an information processing apparatus according to an embodiment of the present disclosure; and
fig. 7 schematically shows a block diagram of an electronic device adapted to perform an information processing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
An embodiment of the present disclosure provides an information processing method, including: monitoring a data packet sent by a terminal device; identifying the data packet and obtaining feature information of the data packet; determining, among a plurality of predetermined feature templates, a first feature template that matches the feature information; and adding a tag for the first feature template to the address information of the terminal device, the tag serving as a basis for processing the data packet.
Fig. 1 schematically shows an application scenario of an information processing method, apparatus, device, medium, and program product according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, an application scenario 100 according to this embodiment may comprise terminal devices 101, 102, 103, a network access device (e.g. a switch) 104 and an admission server 105.
The terminal devices 101, 102, 103 may be various electronic devices, such as smart phones, tablets, portable computers, desktop computers, and the like. Various applications may be installed in the terminal devices 101, 102, 103 to perform different functions. Illustratively, a terminal device 101, 102, 103 sends a request message when it needs to perform a predetermined operation. The network access device 104 receives the request message from the terminal device 101, 102, 103 and forwards it to the admission server 105 according to predefined routing rules. The admission server 105 performs detection and analysis on the data packets in the received request message to determine whether the terminal device that sent it (e.g., terminal device 101) is trusted. If terminal device 101 is determined to be trusted, the packets it subsequently sends are processed so that the predetermined operation is performed. If terminal device 101 is determined not to be trusted, it is prohibited from performing the predetermined operation; for example, the packets it subsequently sends may be discarded.
In an embodiment, the admission server 105 may also be used, for example, to determine whether to admit a terminal device 101, 102, 103 to the network. After a terminal device 101, 102, 103 has been admitted, the admission server monitors the data packets it sends and determines, by analysing those packets, the processing policy to apply to them, such as discarding or admitting the packets.
It should be noted that the information processing method according to the embodiment of the present disclosure may be performed by the admission server 105, for example. Accordingly, the information processing apparatus according to the embodiment of the present disclosure may be provided in the admission server 105.
It should be understood that the types and numbers of terminal devices, switches and admission servers in fig. 1 are illustrative only. There may be any types and any number of terminal devices, switches and admission servers, as the implementation requires.
The information processing method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 5 in conjunction with the application scenario of fig. 1.
Fig. 2 schematically shows a flowchart of an information processing method according to a first exemplary embodiment of the present disclosure.
As shown in fig. 2, the information processing method may include, for example, operations S210 to S240.
In operation S210, a data packet transmitted by a terminal device is monitored. The admission server 105 may for example be provided with a monitoring interface for monitoring received data packets. Each time a packet is received, the following operations S220 to S240 are performed.
In operation S220, a packet is identified, and characteristic information of the packet is obtained.
According to the embodiment of the present disclosure, the characteristic information of the data packet may be obtained by parsing the data packet using a conventional method for parsing the data packet, for example. The characteristic information may characterize attribute information of the end device that sent the packet (e.g., source address, source port, etc.) and/or attribute information of the end device that received the packet (e.g., destination address, destination port, etc.).
In one embodiment, the feature information may also change, for example, as the running state of the terminal device changes. For example, the feature information of a data packet sent while the terminal device runs a first application may differ from that of a data packet sent while it runs a second, different application. In this embodiment, the feature information may therefore reflect the running state of the terminal device.
In an embodiment, the operation S220 can be implemented by a flow described in the following fig. 3, for example, and is not described in detail here.
In operation S230, a first feature template matching the feature information among a predetermined plurality of feature templates is determined.
According to an embodiment of the present disclosure, each of the predetermined plurality of feature templates may have at least one of the feature information of the aforementioned data packet, for example.
In an embodiment, the admission server 105 may, for example, be pre-constructed with a feature template for a predetermined application, and the feature template may, for example, have at least application information of the predetermined application. In order to facilitate matching with the feature template, the feature information in operation S220 may also include application information, for example. Operation S230 may be to determine a template including application information among feature information of the data packet among the plurality of feature templates as a first feature template.
In an embodiment, the admission server 105 may also be pre-configured with a feature template for a specific terminal device, for example, and the feature template may have at least an IP address uniquely characterizing the specific terminal device. In order to facilitate matching with the feature template, the feature information in operation S220 may include, for example, a source address (specifically, an IP address). Operation S230 may be to determine a template including a source address in the feature information of the data packet among the plurality of feature templates as a first feature template.
It will be appreciated that the information contained in the aforementioned feature templates is merely provided as an example to facilitate understanding of the present disclosure, and that the number and distribution of dimensions of the information contained in the feature templates may be configured as desired in the feature templates. The operation S230 may, for example, first calculate a matching degree between the feature information of the data packet and each of the plurality of feature templates. The determined first feature template is a feature template having a degree of matching with the feature information equal to or greater than a predetermined threshold.
It is understood that, for each data packet obtained by subsequent monitoring, operations S220 to S230 may be performed on each data packet to determine a feature template matching with each data packet.
In operation S240, a tag for the first feature template is added to the address information of the terminal device, and the tag is used as a basis for processing the data packet transmitted by the terminal device.
According to an embodiment of the present disclosure, each of the plurality of feature templates may be assigned a tag that uniquely characterizes it. The tag may reflect, for example, at least one of: the time at which the feature template was constructed, the order in which it was constructed, the application name or terminal device identifier the feature template is for, and the like.
In operation S240, by adding the tag for the first feature template to the address information of the terminal device, data packets subsequently received from the terminal device can be processed according to the processing policy corresponding to the first feature template. For example, if application A installed in the terminal device is a suspicious application (one that may harm the network) and the feature information of the data packets the terminal device sends through application A matches the first feature template, the processing policy corresponding to the first feature template may be to discard the data packets sent by the terminal device. For another example, if application B installed in the terminal device is a trusted application and the feature information of the data packets the terminal device sends through application B matches the first feature template, the processing policy corresponding to the first feature template may be to let the data packets sent by the terminal device pass, so that the application server connected to the admission server can respond to them. It is to be understood that these processing policies for the first feature template are given only as examples to facilitate understanding of the present disclosure; the processing policy corresponding to a feature template may be set according to actual requirements, and the present disclosure does not limit it.
In summary, since the feature information of the data packet can reflect the state of the terminal device to a certain extent, the data packet sent by the terminal device can be processed in a targeted manner by tagging the address information of the terminal device with a feature template matching the feature information, so that the processing accuracy of the data packet can be improved, and potential safety hazards can be avoided.
It is understood that the admission server may continuously monitor the data packets sent by the terminal device. After receiving the data packet subsequently, the tag added to the address information of the terminal device that sent the data packet may be used to process the subsequently received data packet.
In an embodiment, after the admission server subsequently monitors data packets sent by the terminal device, operations S220 to S230 may be performed for each subsequently monitored data packet. Where the feature information is found to match a second feature template of the plurality of feature templates, a tag for the second feature template is added to the address information of the terminal device by an operation similar to operation S240. When processing a data packet, the processing policy to use is determined according to the tags currently attached to the address information of the terminal device; for example, it may be determined from both the tag for the first feature template and the tag for the second feature template. In this way, when determining the processing policy for data packets sent by the terminal device, the packets it sent at different stages can be considered together, so that the accuracy of the determined processing policy is improved and data packets that could pose a security risk to the network are handled effectively.
According to the embodiment of the present disclosure, in order to facilitate determining the feature template that matches the feature information, the information processing method of the embodiment also constructs the feature templates in advance, for example. Illustratively, the construction process may include: for any application program, determining the feature information of the data packets sent by that application based on a sample data packet from it. For example, the feature information of the data packets sent by the application may include the basic information and the application information of a sample data packet originating from the application. A feature template for the application is then constructed from that feature information. The basic information of the sample data packet may be obtained by a conventional packet detection technique and may include at least one of: a source IP address, a destination IP address, a source port, and a destination port; the application information of the sample data packet may be obtained by a deep packet inspection technique and may include at least one of: application name, application type, and application behavior parameters. It will be appreciated that feature information of multiple dimensions may be set in the feature template of a predetermined application to achieve finer security detection in admission control.
According to an embodiment of the present disclosure, in order to determine the processing policy more accurately, feature information of more dimensions can be obtained, so that a more precise feature template is matched according to it; a more accurate processing policy then follows from the more precise feature template.
Fig. 3 schematically shows a flow chart for identifying a data packet to obtain characteristic information of the data packet according to an embodiment of the disclosure.
As shown in fig. 3, the operation of identifying the packet to obtain the characteristic information of the packet may include, for example, operations S321 to S322.
In operation S321, basic information of the packet is extracted.
In one embodiment, the basic information includes at least one of: source address, source port, destination address, destination port. The basic information can be obtained by parsing a packet, for example.
In operation S322, the data packet is identified by using a deep inspection technique, and application information of an application program that generates the data packet in the terminal device is obtained.
According to an embodiment of the present disclosure, operation S322 may determine the application information of the application program that generated the packet based, for example, on Deep Packet Inspection (DPI) of the packet. The application information is the source application information of the data packet, that is, one or more pieces of information characterizing the application that sent it. For example, the application information may include at least one of: application name, application type, and application behavior parameters. The application behavior parameters may include, for example, download behavior parameters such as the GET method and submit behavior parameters such as the POST method.
In one embodiment, the extracted basic information in operation S321 and the application information obtained in operation S322 form feature information of the data packet.
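The flow of operations S220 to S240, with the two-step feature extraction of fig. 3 and the multi-tag policy decision, as an added Python example that is not code from the patent or its assignees. The packet records, the HTTP request parser standing in for a deep packet inspection engine, the unweighted matching degree and the rule that one "discard" tag outweighs any "pass" tag are all assumptions made for the example.

```python
"""Feature extraction (S321/S322), template matching (S230) and tagging (S240).
Added example, not the patent's code: packets are constructed dicts and the
deep inspection step is a minimal HTTP request parser (assumption)."""
from dataclasses import dataclass

BASIC_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")


def extract_basic_info(pkt):
    """S321: the basic information is the addressing tuple of the packet."""
    return {k: pkt[k] for k in BASIC_FIELDS}


def inspect_application(payload):
    """S322: stand-in DPI reading the HTTP request line and User-Agent header.
    GET is reported as a download behaviour, POST as a submit behaviour."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return {}  # not HTTP text: no application information recovered
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {}
    behavior = {"GET": "download", "POST": "submit"}.get(parts[0], parts[0].lower())
    info = {"app_type": "http", "app_behavior": behavior}
    for line in lines[1:]:
        if line.lower().startswith("user-agent:"):
            info["app_name"] = line.split(":", 1)[1].strip()
    return info


def feature_info(pkt):
    """S220: basic information plus application information."""
    feats = extract_basic_info(pkt)
    feats.update(inspect_application(pkt["payload"]))
    return feats


@dataclass
class FeatureTemplate:
    tag: str       # tag uniquely characterising the template
    fields: dict   # feature dimensions the template carries
    policy: str    # processing policy for packets from a tagged address


def build_template(tag, sample_pkt, dims, policy):
    """Construct a template from a sample packet, keeping the chosen dimensions."""
    feats = feature_info(sample_pkt)
    return FeatureTemplate(tag, {d: feats[d] for d in dims if d in feats}, policy)


def matching_degree(feats, tmpl):
    """Share of the template's dimensions that the packet's features reproduce."""
    if not tmpl.fields:
        return 0.0
    hits = sum(1 for k, v in tmpl.fields.items() if feats.get(k) == v)
    return hits / len(tmpl.fields)


def match_template(feats, templates, threshold=1.0):
    """S230: template with the highest matching degree, if it reaches the threshold."""
    best = max(templates, key=lambda t: matching_degree(feats, t), default=None)
    if best is None or matching_degree(feats, best) < threshold:
        return None
    return best


def process_packet(pkt, templates, address_tags, threshold=1.0):
    """S240 plus the policy step: tag the source address, then decide from all
    tags currently attached to it (assumed rule: one discard tag wins)."""
    feats = feature_info(pkt)
    tmpl = match_template(feats, templates, threshold)
    tags = address_tags.setdefault(pkt["src_ip"], {})
    if tmpl is not None:
        tags[tmpl.tag] = tmpl.policy
    return "discard" if "discard" in tags.values() else "pass"


def http_packet(src_ip, method, agent):
    """Constructed sample packet, not captured traffic."""
    payload = (f"{method} /index HTTP/1.1\r\nHost: intranet\r\n"
               f"User-Agent: {agent}\r\n\r\n").encode()
    return {"src_ip": src_ip, "src_port": 51000, "dst_ip": "10.0.0.5",
            "dst_port": 80, "payload": payload}


# Templates built from constructed sample packets of a suspicious app A and a trusted app B
SUSPICIOUS = build_template("tag-A", http_packet("10.0.0.1", "POST", "AppA/1.0"),
                            ("app_name", "app_behavior"), "discard")
TRUSTED = build_template("tag-B", http_packet("10.0.0.1", "GET", "AppB/2.0"),
                         ("app_name",), "pass")
TEMPLATES = [SUSPICIOUS, TRUSTED]
```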
According to the embodiment of the disclosure, if the operation information of the terminal device is changed with time, the operation information of the terminal device is changed with time. For example, the terminal device often runs the application a at the time t, but the application a is not running in a subsequent predetermined period, and the feature information of the data packet sent in the predetermined period no longer includes the application information of the application a, which may reflect to some extent that the terminal device no longer runs the application a. At this time, if the tag of the address information of the terminal device still includes the tag of the first feature template matching the feature information of the data packet sent by the terminal device through the application a, the tag of the first feature template is necessarily considered when determining the processing policy, which may possibly cause that the determined processing policy cannot accurately process the data packet sent by the terminal device. For example, if the application a is a suspicious application, the terminal device may run the trusted application B after a predetermined period of time after the time t if the application a has not been run. If the label of the first feature template is still considered, the admission server discards all data packets sent by the terminal device after a predetermined period of time, which may cause the application program B of the terminal device to fail to operate normally, and affect the user experience.
To avoid this technical problem, the label for each feature template may be given a validity period. The length of the validity period may be set according to actual requirements and is not limited by this disclosure. In one embodiment, the validity period may be, for example, 1 hour, half an hour, a quarter of an hour, 10 minutes, or the like.
For example, the tag for the first feature template added to the address information of the terminal device has a validity period. If, within that validity period, no data packet sent by the terminal device has feature information that matches the first feature template, the tag for the first feature template may be deleted, so that the admission server no longer considers it when processing subsequently monitored data packets.
Fig. 4 schematically shows a flowchart of an information processing method according to an exemplary embodiment two of the present disclosure.
As shown in fig. 4, the information processing method of this embodiment may further include operations S450 to S470 in addition to operations S210 to S240. After operation S240, operation S210 may be performed again to keep monitoring the data packets sent by the terminal device, and operations S450 to S470 may be performed concurrently with that monitoring, for example.
In operation S450, it is determined whether a data packet whose feature information matches the first feature template is monitored during the validity period of the tag for the first feature template added to the address information of the terminal device.
If the data packet with the feature information matching the first feature template is monitored in the validity period, operation S460 is performed to update the validity period of the tag for the first feature template.
For example, assume the validity period of a tag is 1 hour. If at 12:00 the admission server monitors a data packet from the terminal device whose feature information matches the first feature template, tag a for the first feature template is added to the address information of the terminal device through operation S240, and the validity period of tag a is 12:00-13:00. The admission server then continues to monitor the data packets sent by the terminal device. If at 12:30 the feature information of a monitored data packet sent by the terminal device again matches the first feature template, the validity period of tag a on the address information of the terminal device is updated from 12:00-13:00 to 12:30-13:30.
If no data packet whose feature information matches the first feature template is monitored within the validity period, operation S470 is performed to delete the tag for the first feature template that was added to the address information of the terminal device.
For example, the admission server continues to monitor the data packets sent by the terminal device. If, within the validity period 12:00-13:00 of tag a, no data packet sent by the terminal device is monitored whose feature information matches the first feature template, tag a is deleted from the address information of the terminal device.
Similarly, when there are a plurality of tags, such as tag a and tag b, on the address information of the terminal device, each tag has a validity period of 1 hour whose start time is the time at which that tag was added. The validity periods of the tags do not affect one another and are determined only by whether the data packets of the terminal device received by the admission server match the corresponding feature template.
According to the embodiment of the disclosure, after the data packet is received, its feature information is matched against the feature templates and the address information of the terminal device is labeled accordingly, the admission server can process the data packet according to the labels currently present on the address information of the terminal device.
Fig. 5 schematically shows a flowchart of an information processing method according to a third exemplary embodiment of the present disclosure.
As shown in fig. 5, the information processing method of this embodiment may include, for example, operations S580 to S590 in addition to operations S210 to S240. In order to ensure the accuracy of the processing policy, the operations S580 to S590 may be performed after the operation S240.
In an embodiment, operations S210 to S240 and S580 to S590 are performed by two different modules in the admission server. After the admission server monitors the data packet, the data packet is sent to the module performing the operations S210 to S240, and then the module performing the operations S210 to S240 pushes the data packet and the tag on the address information of the terminal device to the module performing the operations S580 to S590.
In operation S580, a processing policy for a tag is determined according to the tag added to the address information of the terminal device. In operation S590, the monitored data packet is processed according to the processing policy.
According to the embodiment of the present disclosure, the admission server may, for example, maintain in advance a correspondence table between tags and processing policies. Operation S580 may then include: looking up, in the correspondence table, the processing policy corresponding to the tag on the address information of the terminal device, and taking it as the processing policy for the tag.
According to an embodiment of the present disclosure, the processing policy may include, for example, the aforementioned policy of discarding the packet, the policy of releasing (forwarding) the packet, and the like. After the processing policy is determined, the data packet is processed according to it. For example, if the tag on the address information of the terminal device is the tag of the feature template that matched feature information containing the behavior parameter for accessing the home page of the browser application, the processing policy may include pushing an installation page of the browser application to the terminal device in response to the data packet.
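The tag lifecycle of Fig. 4 (operations S450 to S470) and the policy selection of Fig. 5 (operations S580 to S590), as an added example that is not part of the patent. It keeps one tag per (address, template) pair with its own validity period, restarts the period on a re-match, deletes the tag on expiry, and then picks a processing policy from a tag-to-policy correspondence table. The 1-hour validity, the template and policy names, and the rule that the most restrictive policy wins when an address carries several tags are all assumptions of the example; the patent does not say how conflicting tags are resolved.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

VALIDITY_SECONDS = 3600.0  # 1 hour, the length used in the worked example in the text


@dataclass
class Tag:
    template: str
    valid_from: float
    valid_until: float


class TagStore:
    """Tags on the address information of each terminal, each with its own validity
    period. `clock` is injectable so the expiry logic can be driven deterministically."""

    def __init__(self, validity: float = VALIDITY_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.validity = validity
        self._clock = clock
        self._tags: Dict[str, Dict[str, Tag]] = {}

    def expire(self, now: Optional[float] = None) -> List[Tuple[str, str]]:
        """S470: drop every tag whose validity period elapsed without a re-match."""
        now = self._clock() if now is None else now
        removed = []
        for addr in list(self._tags):
            bucket = self._tags[addr]
            for name in [n for n, t in bucket.items() if now >= t.valid_until]:
                del bucket[name]
                removed.append((addr, name))
            if not bucket:
                del self._tags[addr]
        return removed

    def on_match(self, addr: str, template_names: List[str], now: Optional[float] = None) -> None:
        """S240 / S460: add a tag for each matched template, or, if the tag already
        exists and is still valid, restart its validity period from `now`."""
        now = self._clock() if now is None else now
        self.expire(now)
        bucket = self._tags.setdefault(addr, {})
        for name in template_names:
            bucket[name] = Tag(name, now, now + self.validity)

    def tags_for(self, addr: str, now: Optional[float] = None) -> List[str]:
        """Tags currently on the address after expiring stale ones (sorted for stable output)."""
        self.expire(self._clock() if now is None else now)
        return sorted(self._tags.get(addr, {}))


# Correspondence table between tags and processing policies (S580); constructed entries.
POLICY_TABLE = {
    "suspicious_app": "drop",
    "browser_home": "push_install_page",
    "plain_http": "pass",
}
# When an address carries several tags the most restrictive policy wins. This precedence
# is an assumption of the example; the patent does not specify one.
PRECEDENCE = ["drop", "push_install_page", "pass"]


def decide_policy(tags: List[str], default: str = "pass") -> str:
    """S580: look up each tag's policy and resolve conflicts by precedence."""
    candidates = {POLICY_TABLE[t] for t in tags if t in POLICY_TABLE}
    for policy in PRECEDENCE:
        if policy in candidates:
            return policy
    return default


def process_packet(store: TagStore, addr: str, matched: List[str],
                   now: float) -> Tuple[str, List[str]]:
    """S240 then S580-S590 for one monitored packet: tag the address with the templates
    the packet matched, then decide using every tag still live on that address."""
    store.on_match(addr, matched, now)
    live = store.tags_for(addr, now)
    return decide_policy(live), live


if __name__ == "__main__":
    # Replay of the 12:00 / 12:30 / 13:30 walk-through with t=0 standing for 12:00.
    store = TagStore()
    print(process_packet(store, "192.0.2.10", ["suspicious_app"], now=0))      # drop
    print(process_packet(store, "192.0.2.10", ["suspicious_app"], now=1800))   # refreshed, still drop
    print(process_packet(store, "192.0.2.10", ["browser_home"], now=1801))     # both tags, still drop
    print(process_packet(store, "192.0.2.10", ["browser_home"], now=5400))     # suspicious tag expired
```

Because `on_match` calls `expire` first, a packet that arrives exactly when a tag's period ends sees the tag gone rather than refreshed, which is the boundary a practitioner should decide on explicitly; an admission server that instead refreshed first would keep a tag alive forever on a stream of packets that each arrive just at the boundary.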
In summary, the information processing method according to the embodiment of the present disclosure determines the processing policy according to the tag on the address information of the terminal device, and can process the data packet sent by the terminal device in a targeted manner, so as to improve the accuracy of the processing.
Fig. 6 schematically shows a block diagram of the structure of an information processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the information processing apparatus 600 may include, for example, a monitoring module 610, an identification module 620, a template determination module 630, and a tag processing module 640.
The monitoring module 610 is configured to monitor a data packet sent by a terminal device. In an embodiment, the monitoring module 610 may be configured to perform operation S210 described in fig. 2, for example, and is not described herein again.
The identification module 620 is configured to identify the data packet and obtain characteristic information of the data packet. In an embodiment, the identifying module 620 may be configured to perform operation S220 described in fig. 2, for example, and is not described herein again.
The template determination module 630 is configured to determine a first feature template matching the feature information from a predetermined plurality of feature templates. In an embodiment, the template determining module 630 may be configured to perform operation S230 described in fig. 2, for example, and is not described herein again.
The tag processing module 640 is configured to add a tag for the first feature template to the address information of the terminal device, where the tag is used as a basis for processing a data packet sent by the terminal device. In an embodiment, the tag processing module 640 may be configured to perform operation S240 described in fig. 2, for example, and is not described herein again.
According to an embodiment of the present disclosure, the label for the first feature template may have a validity period, for example. The label processing module 640 is further configured to delete the label for the first feature template added to the address information of the terminal device in the case that the data packet whose feature information matches the first feature template is not monitored in the validity period. In an embodiment, the tag processing module 640 may be further configured to execute operation S470 described in fig. 4, for example, which is not described herein again.
According to an embodiment of the present disclosure, the tag processing module 640 may be further configured to update the validity period of the tag for the first feature template, for example, in a case where a data packet whose feature information matches the first feature template is monitored during the validity period. In an embodiment, the tag processing module 640 may be further configured to perform operation S460 described in fig. 4, for example, which is not described herein again.
According to an embodiment of the present disclosure, the tag processing module 640 may be further configured to add a tag for a second feature template to the address information of the terminal device, for example, in a case where it is monitored that the feature information matches the second feature template of the plurality of feature templates.
According to an embodiment of the present disclosure, the identification module may include, for example, an extraction sub-module and an identification sub-module. The extraction sub-module is used for extracting the basic information of the data packet. The identification sub-module is used for identifying the data packet by means of deep packet inspection and obtaining the application information of the application program in the terminal device that generated the data packet. The basic information includes at least one of: source address, source port, destination address, destination port. In an embodiment, the extraction sub-module and the identification sub-module may be, for example, respectively configured to perform operations S321 to S322 described in fig. 3, which are not described herein again.
According to an embodiment of the present disclosure, the information processing apparatus may further include, for example, a processing policy determination module and a packet processing module. The processing strategy determining module is used for determining a processing strategy aiming at the label according to the label added to the address information of the terminal equipment. And the data packet processing module is used for processing the monitored data packets according to the processing strategy. In an embodiment, the processing policy determining module and the packet processing module may be, for example, respectively configured to perform operations S580 to S590 described in fig. 5, which are not described herein again.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
Fig. 7 schematically shows a block diagram of an electronic device adapted to perform an information processing method according to an embodiment of the present disclosure. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 700 may also include input/output (I/O) interface 705, which input/output (I/O) interface 705 is also connected to bus 704, according to an embodiment of the present disclosure. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the electronic device of the embodiment of the present disclosure when executed by the processor 701. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. An information processing method comprising:
monitoring a data packet sent by terminal equipment;
identifying the data packet and obtaining the characteristic information of the data packet;
determining a first feature template matched with the feature information in a predetermined plurality of feature templates; and
and adding a label aiming at the first characteristic template to the address information of the terminal equipment, wherein the label is used as a basis for processing a data packet sent by the terminal equipment.
2. The method of claim 1, wherein:
the label for the first feature template has a validity period;
the method further comprises the following steps: and deleting the label, which is added to the address information of the terminal equipment and aims at the first characteristic template, under the condition that the data packet of which the characteristic information is matched with the first characteristic template is not monitored in the validity period.
3. The method of claim 2, further comprising:
and updating the validity period of the label aiming at the first feature template under the condition that a data packet with feature information matched with the first feature template is received in the validity period.
4. The method of claim 1, further comprising:
and in the case that the characteristic information is monitored to be matched with a second characteristic template in the plurality of characteristic templates, adding a label aiming at the second characteristic template to the address information of the terminal equipment.
5. The method of claim 1, wherein identifying the data packet and obtaining characteristic information of the data packet comprises:
extracting basic information of the data packet; and
identifying the data packet by means of deep packet inspection to obtain application information of the application program in the terminal equipment that generated the data packet,
wherein the basic information includes at least one of: source address, source port, destination address, destination port.
6. The method of claim 1, further comprising:
determining a processing strategy aiming at a label according to the label added to the address information of the terminal equipment; and
and processing the monitored data packet according to the processing strategy.
7. An information processing apparatus comprising:
the monitoring module is used for monitoring a data packet sent by the terminal equipment;
the identification module is used for identifying the data packet and obtaining the characteristic information of the data packet;
the template determining module is used for determining a first feature template matched with the feature information in a plurality of predetermined feature templates; and
and the label processing module is used for adding a label aiming at the first characteristic template to the address information of the terminal equipment, wherein the label is used as a basis for processing a data packet sent by the terminal equipment.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the information processing method of any one of claims 1-6.
9. A computer-readable storage medium having stored thereon executable instructions to be executed by a processor to perform the information processing method according to any one of claims 1 to 6.
10. A computer program product comprising computer readable instructions, wherein the computer readable instructions when executed are for performing the information processing method of any of claims 1-6.
CN202010438841.6A 2020-05-21 2020-05-21 Information processing method, device, equipment and medium Active CN111628984B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010438841.6A CN111628984B (en) 2020-05-21 2020-05-21 Information processing method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN111628984A true CN111628984A (en) 2020-09-04
CN111628984B CN111628984B (en) 2023-01-06

Family

ID=72261174

Country Status (1)

Country Link
CN (1) CN111628984B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006191260A (en) * 2005-01-05 2006-07-20 Matsushita Electric Ind Co Ltd Packet filter device
US20100159879A1 (en) * 2008-12-19 2010-06-24 Jay Salkini Intelligent network access controller and method
CN104796406A (en) * 2015-03-20 2015-07-22 杭州华三通信技术有限公司 Method and device for identifying application
CN107547523A (en) * 2017-08-08 2018-01-05 新华三信息安全技术有限公司 Message processing method, device, the network equipment and machinable medium
CN109327530A (en) * 2018-10-31 2019-02-12 网易(杭州)网络有限公司 A kind of information processing method, device, electronic equipment and storage medium
CN109802945A (en) * 2018-12-25 2019-05-24 维沃移动通信有限公司 A kind of data transmission method and terminal device
CN109857577A (en) * 2019-01-28 2019-06-07 北京三快在线科技有限公司 Access control method, device, medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: 100097 No. 202, 203, 205, 206, 207, 208, 2nd floor, block D, No. 51, Kunming Hunan Road, Haidian District, Beijing

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

Applicant before: Qianxin Technology Group Co.,Ltd.

GR01 Patent grant