CN111935108B - Cloud data security access control method and device, electronic device and storage medium - Google Patents


Info

Publication number: CN111935108B
Application number: CN202010721695.8A
Priority application: CN202010721695.8A
Authority: CN (China)
Other versions: CN111935108A
Other languages: Chinese (zh)
Inventors: 牟向阳, 范渊
Original and current assignee: DBAPPSecurity Co Ltd
Legal status: Active (application granted)
Prior art keywords: data, data packet, preset, analysis module, data traffic

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks

Abstract

The application relates to a cloud data security access control method and device, an electronic device and a storage medium. The cloud data security access control method comprises the following steps: receiving a session request, wherein the session request carries a data packet to be forwarded; under the condition that a management tunnel is established between a local server and a preset security analysis module, analyzing and detecting the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet; and under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, calling a preset forwarding strategy and forwarding the data packet to be forwarded according to the preset forwarding strategy. Through the method and the device, the problems that a cloud data center in the related technology lacks dynamic monitoring and protection capability and has difficulty anticipating and protecting against unknown virus threats are solved, and the beneficial effect of effectively analyzing and protecting against virus threats by means of cloud characteristics and dynamically adjusted strategies is achieved.

Description

Cloud data security access control method and device, electronic device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a cloud data security access control method and apparatus, an electronic apparatus, and a storage medium.
Background
With the rapid development of cloud computing, building cloud data centers has become a trend. In the current cloud computing field, ever larger volumes of data are generated, virus threats become harder to discover, and traditional equipment finds it difficult to meet security requirements while still meeting performance requirements. Meanwhile, although the current generation of cloud security has enabled security capabilities on the cloud, the cloud security products in the related technology still follow the architecture logic of traditional security products: in most cases they are merely virtualized, their deployment is complex, and the cloud data center in the related technology lacks dynamic monitoring and protection capability and has difficulty anticipating and protecting against unknown virus threats.
At present, no effective solution has been proposed for the problems that a cloud data center in the related technology lacks dynamic monitoring and protection capability and has difficulty anticipating and protecting against unknown virus threats.
Disclosure of Invention
The embodiment of the application provides a cloud data security access control method, a cloud data security access control device, an electronic device and a storage medium, which at least solve the problems that a cloud data center in the related technology lacks dynamic monitoring and protection capability and has difficulty anticipating and protecting against unknown virus threats.
In a first aspect, an embodiment of the present application provides a cloud data security access control method, including:
receiving a session request, wherein the session request carries a data packet to be forwarded;
under the condition that a management tunnel is established between a local server and a preset security analysis module, analyzing and detecting the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet;
and under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, calling a preset forwarding strategy and forwarding the data packet to be forwarded according to the preset forwarding strategy.
In some embodiments, in a case where the local server and the preset security analysis module do not establish a management tunnel, the control method includes:
analyzing and detecting the data traffic of the data packet through the local server to obtain a security rating result of the data traffic of the data packet.
In some embodiments, the obtaining the security rating result of the data traffic of the data packet by analyzing and detecting the data traffic of the data packet in the preset security analysis module includes:
the preset security analysis module acquires the source and destination addresses of the data traffic of the data packet;
the preset security analysis module detects abnormal source and destination addresses among the source and destination addresses and judges whether the number of abnormal source and destination addresses is larger than a preset threshold value;
determining the data traffic of the data packet to be first abnormal data traffic under the condition that the number of abnormal source and destination addresses is judged to be larger than the preset threshold value;
determining the data traffic of the data packet to be second abnormal data traffic under the condition that the number of abnormal source and destination addresses is judged to be smaller than the preset threshold value;
and determining the data traffic of the data packet to be normal traffic under the condition that no abnormal source and destination addresses are detected.
In some embodiments, the preset security analysis module detecting abnormal source and destination addresses among the source and destination addresses includes:
the preset security analysis module detects client/server (C/S) data of TCP connection interactions based on the source and destination addresses and acquires external connection behavior data, wherein the external connection behavior data comprises first external connection behavior data detected based on TCP connection behaviors and second external connection behavior data detected based on TCP connection contents;
the preset security analysis module detects abnormal external connection behaviors in the external connection behavior data generated by each pair of source and destination addresses, and determines a source and destination address to be an abnormal source and destination address under the condition that abnormal external connection behaviors are detected in its external connection behavior data.
In some embodiments, the preset forwarding policy includes blocking data traffic forwarding, and, when the security rating result of the data traffic of the data packet is abnormal data traffic, invoking the preset forwarding policy and forwarding the data packet to be forwarded according to the preset forwarding policy includes: blocking the data traffic forwarding of the data packet to be forwarded under the condition that the data traffic of the data packet is determined to be first abnormal data traffic.
In some embodiments, when the security rating result of the data traffic of the data packet is abnormal data traffic, invoking the preset forwarding policy and forwarding the data packet to be forwarded according to the preset forwarding policy includes: under the condition that the data traffic of the data packet is determined to be second abnormal data traffic, forwarding the data traffic of the data packet to be forwarded, and continuing to analyze and detect the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet, until the data traffic of the data packet is first abnormal data traffic or normal data traffic.
In some embodiments, the local server establishing the management tunnel with the preset security analysis module includes:
the local server receives a discovery request response message sent by the security analysis module, wherein the discovery request response message carries the preset security analysis module that the local server requested to discover;
the local server selects the preset security analysis module according to the discovery request response message and sends a request-to-establish-connection message;
the local server detects a management tunnel creation result in a join response message sent by the security analysis module, wherein the join response message carries the preset security analysis module with which the local server requested to establish a connection in the request-to-establish-connection message;
and the local server determines whether a management tunnel is established between the local server and the preset security analysis module according to the management tunnel creation result, wherein the management tunnel creation result includes creation failure and creation success.
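The discovery/join exchange described above, as an added Python simulation with both sides' messages (not code from the patent or from DBAPPSecurity); the message classes, the `max_tunnels` capacity limit and the rule that the first discovery response naming the preset module is selected are assumptions made here.

```python
"""Simulated management-tunnel establishment between a local server and a
preset security analysis module (added example, not the patent's code)."""
from dataclasses import dataclass
from enum import Enum


class CreateResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass(frozen=True)
class DiscoveryRequest:
    server_id: str
    wanted_module: str      # the preset module the local server wants to discover


@dataclass(frozen=True)
class DiscoveryResponse:
    module_id: str          # the module that answered (must equal wanted_module)


@dataclass(frozen=True)
class JoinRequest:          # the "request to establish a connection" message
    server_id: str
    module_id: str


@dataclass(frozen=True)
class JoinResponse:
    module_id: str
    result: CreateResult    # management tunnel creation result


class SecurityAnalysisModule:
    """Analysis-module side of the exchange. max_tunnels is a constructed capacity limit."""

    def __init__(self, module_id, available=True, max_tunnels=8):
        self.module_id = module_id
        self.available = available
        self.max_tunnels = max_tunnels
        self.tunnels = set()

    def on_discovery(self, req):
        # Only the module named in the request answers, and only while it is available.
        if not self.available or req.wanted_module != self.module_id:
            return None
        return DiscoveryResponse(self.module_id)

    def on_join(self, req):
        # Creation fails if the module is gone, was not the one selected, or is full.
        if (not self.available or req.module_id != self.module_id
                or len(self.tunnels) >= self.max_tunnels):
            return JoinResponse(self.module_id, CreateResult.FAILURE)
        self.tunnels.add(req.server_id)
        return JoinResponse(self.module_id, CreateResult.SUCCESS)


class LocalServer:
    """Local-server side. tunnel_peer stays None unless every step succeeds."""

    def __init__(self, server_id, preset_module):
        self.server_id = server_id
        self.preset_module = preset_module
        self.tunnel_peer = None

    @property
    def tunnel_established(self):
        return self.tunnel_peer is not None

    def establish_tunnel(self, modules):
        # Step 1: send the discovery request; keep only responses naming the preset module.
        req = DiscoveryRequest(self.server_id, self.preset_module)
        answers = [(m, m.on_discovery(req)) for m in modules]
        answers = [(m, r) for m, r in answers if r and r.module_id == self.preset_module]
        if not answers:
            return False                        # nothing discovered: stay on local analysis
        # Step 2: select the module from the discovery response and request a connection.
        chosen, _ = answers[0]
        join = chosen.on_join(JoinRequest(self.server_id, chosen.module_id))
        # Step 3: read the creation result from the join response.
        if join.result is CreateResult.SUCCESS and join.module_id == chosen.module_id:
            self.tunnel_peer = chosen.module_id  # Step 4: tunnel established
        return self.tunnel_established


if __name__ == "__main__":
    cloud = SecurityAnalysisModule("analysis-A")
    server = LocalServer("vm-1", preset_module="analysis-A")
    print("tunnel established:", server.establish_tunnel([cloud]))
```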
In a second aspect, an embodiment of the present application provides a cloud data security access control apparatus, including: a receiving module, configured to receive a session request, where the session request carries a data packet to be forwarded;
a security analysis module, configured to analyze and detect the data traffic of the data packet through the preset security analysis module under the condition that a management tunnel is established between the local server and the preset security analysis module, so as to obtain a security rating result of the data traffic of the data packet;
and a processing module, configured to invoke a preset forwarding strategy under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, and to forward the data packet to be forwarded according to the preset forwarding strategy.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to perform the cloud data security access control method according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, where a computer program is stored in the storage medium, and the computer program is configured to execute the cloud data security access control method according to the first aspect when running.
Compared with the related art, the cloud data security access control method, the cloud data security access control device, the electronic device and the storage medium provided by the embodiment of the application receive a session request, wherein the session request carries a data packet to be forwarded; under the condition that a management tunnel is established between a local server and a preset security analysis module, analyze and detect the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet; and under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, call a preset forwarding strategy and forward the data packet to be forwarded according to the preset forwarding strategy. Through the method and the device, the problems that a cloud data center in the related technology lacks dynamic monitoring and protection capability and has difficulty anticipating and protecting against unknown virus threats are solved, and effective analysis of and protection against virus threats are realized by means of cloud characteristics and dynamically adjusted strategies.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware structure of a terminal of a cloud data security access control method according to an embodiment of the present invention;
fig. 2 is a flowchart of a cloud data security access control method according to an embodiment of the present application;
FIG. 3 is a flowchart of management tunnel establishment according to the present application;
FIG. 4 is a system architecture diagram for performing secure access to cloud data in accordance with an embodiment of the present application;
fig. 5 is a block diagram of a structure of a detection apparatus for a cloud data security access control method according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the application, and that it is also possible for a person skilled in the art to apply the application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by one of ordinary skill in the art that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The use of the terms "including," "comprising," "having," and any variations thereof herein, is meant to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means two or more. "and/or" describes the association relationship of the associated objects, indicating that there may be three relationships; for example, "A and/or B" may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Various technologies described in this application may be used for data forwarding in the field of cloud computing.
Before describing and explaining embodiments of the present application, a description will be given of the related art used in the present application as follows:
the SDN controller is an application program in a Software Defined Network (SDN) and is responsible for flow control; the SDN controller is based on the OpenFlow protocol and functions to tell the switches where to send packets.
The Transmission Control Protocol (TCP) is a connection-oriented, reliable transport layer communication Protocol based on a byte stream. TCP uses a three-way handshake protocol to establish a connection before data transmission, and the main processes are: after the client sends a connection request of a synchronization Sequence number (SYN), the server receives the request and then responds to SYN + ACK (Acknowledge character), and the client receives the response and then responds to ACK.
The procedure of TCP three-way handshake is as follows:
the client sends a SYN (SEQ = x) message to the server and enters the SYN_SENT state.
The server receives the SYN message, responds with a SYN (SEQ = y) ACK (ACK = x + 1) message and enters the SYN_RECV state.
The client receives the server's SYN message, responds with an ACK (ACK = y + 1) message and enters the ESTABLISHED state.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking an operation on a terminal as an example, fig. 1 is a hardware structure block diagram of a terminal of the cloud data security access control method according to the embodiment of the present invention. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the cloud data security access control method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, that is, implements the method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment provides a cloud data security access control method, and fig. 2 is a flowchart of a cloud data security access control method according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, receiving a session request, where the session request carries a data packet to be forwarded.
In this embodiment, the execution body that receives the session request is a virtual machine, and the virtual machine includes a local server, a cloud security implementation module and a cloud security management module. The session request carries a data packet to be forwarded, and the data packet is data traffic of the service layer. The data traffic of the service layer is issued, through a flow table, to a virtual switch in the virtual switch core layer according to the SDN controller of the virtual switch core layer; the virtual switch then loads the data traffic into the session request and sends it to the virtual machine. In this embodiment, the service layer includes VM servers (cloud hosts) and VPCs in the cloud, and when a VM server initiates a link, its data traffic is forwarded to the cloud security implementation module in the virtual machine through the virtual switch.
Step S202, under the condition that the local server and the preset security analysis module establish a management tunnel, analyzing and detecting the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet.
In this embodiment, after the data packet arrives at the virtual machine and under the condition that a management tunnel is established between the local server and the preset security analysis module, the local server holds the received session request and at the same time uploads a mirrored portion of the data packet in the session request to the preset security analysis module. The local server exchanges data with the preset security analysis module through the management tunnel. After receiving the data packet, the preset security analysis module analyzes the data traffic of the data packet, obtains a security rating result of the data traffic, and returns the security rating result to the local server through the management tunnel. In this embodiment the preset security analysis module is deployed on a hardware gateway device on the internet, and it relies on virus features and behavior records that are updated in real time so that it can accurately detect the security rating results of the data traffic of different data packets.
Step S203, in the case that the security rating result of the data traffic of the data packet is abnormal data traffic, invoking a preset forwarding policy, and forwarding the data packet to be forwarded according to the preset forwarding policy.
In this embodiment, the local server is deployed as an audit node for data traffic forwarding, and at the same time the local server forwards data traffic inside and outside the cloud to the external network through itself by using a preset forwarding policy (policy routing). After the security rating result of the data traffic of the data packet has been detected by the preset security analysis module, the traffic contained in the data packet is forwarded using the forwarding strategy corresponding to the security rating result. In this embodiment the data traffic of the data packet is classified, according to the security rating result, into normal data traffic and abnormal data traffic. Normal data traffic is forwarded through the forwarding mode and forwarding node (an ordinary node) of the prior art, whereas abnormal data traffic is forwarded by the local server through the preset forwarding policy. The preset forwarding policy includes blocking data traffic forwarding, and keeping data traffic to be forwarded through the local server while continuously uploading the data packet to the preset security analysis module for checking until the check result of the data traffic is normal data traffic or data traffic for which forwarding is blocked. In this embodiment, data traffic for which forwarding is blocked means that the abnormal data traffic in the data packet exceeds the preset threshold.
Through steps S201 to S203, a session request is received, wherein the session request carries a data packet to be forwarded; under the condition that a management tunnel is established between the local server and the preset security analysis module, the data traffic of the data packet is analyzed and detected in the preset security analysis module to obtain a security rating result of the data traffic of the data packet; and under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, a preset forwarding strategy is called and the data packet to be forwarded is forwarded according to the preset forwarding strategy. This solves the problems that the cloud data center places a heavy load on forwarding and security equipment and that its dynamic monitoring and protection capability against known or unknown viruses is insufficient, and achieves the beneficial effect of effectively analyzing and protecting against virus threats by means of cloud characteristics and dynamically adjusted strategies.
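The rating steps from the claims (abnormal address count against the preset threshold, first/second abnormal traffic, normal traffic) together with the forwarding policy of steps S201 to S203, including the fallback to local analysis when no management tunnel exists, simulated in Python as an added example (not code from the patent or its assignee). The `TcpConnection` records, both feature libraries, the frequency limit and the threshold value are constructed, and treating a count exactly equal to the threshold as second abnormal traffic is an assumption, since the claims only speak of "larger" and "smaller".

```python
"""Simulated security rating and preset forwarding policy (added example)."""
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    NORMAL = "normal"
    FIRST_ABNORMAL = "first_abnormal"    # abnormal addresses exceed the preset threshold
    SECOND_ABNORMAL = "second_abnormal"  # some abnormal addresses, but not above the threshold


class Action(Enum):
    FORWARD = "forward"                      # normal traffic: ordinary forwarding node
    BLOCK = "block"                          # first abnormal traffic: block forwarding
    FORWARD_AND_RECHECK = "forward_recheck"  # second abnormal traffic: forward via local server, keep uploading


@dataclass(frozen=True)
class TcpConnection:
    """One client/server TCP interaction between a source and a destination address (constructed)."""
    src: str
    dst: str
    dst_port: int
    connections_per_minute: int  # frequency feature used by behaviour-based detection
    payload: bytes               # content carried by the TCP connection


# Constructed feature libraries. The cloud analysis module's library is richer than the
# local server's, which is why the patent prefers remote analysis when the tunnel exists.
CLOUD_CONTENT_SIGNATURES = (b"beacon-id=", b"cmd=download")
LOCAL_CONTENT_SIGNATURES = (b"beacon-id=",)
MAX_CONNECTIONS_PER_MINUTE = 50   # hypothetical frequency limit (time/flow/frequency feature)
ABNORMAL_ADDRESS_THRESHOLD = 2    # the "preset threshold" on the number of abnormal addresses


def cloud_abnormal_addresses(conns):
    """Behaviour-based plus content-based detection, as done in the cloud analysis module."""
    bad = set()
    for c in conns:
        by_behaviour = c.connections_per_minute > MAX_CONNECTIONS_PER_MINUTE
        by_content = any(sig in c.payload for sig in CLOUD_CONTENT_SIGNATURES)
        if by_behaviour or by_content:
            bad.add((c.src, c.dst))
    return bad


def local_abnormal_addresses(conns):
    """Fallback when no management tunnel exists: compare against the local feature library only."""
    return {(c.src, c.dst) for c in conns
            if any(sig in c.payload for sig in LOCAL_CONTENT_SIGNATURES)}


def rate_traffic(conns, tunnel_established, threshold=ABNORMAL_ADDRESS_THRESHOLD):
    """Security rating result for the traffic of one data packet (one analysis window)."""
    detect = cloud_abnormal_addresses if tunnel_established else local_abnormal_addresses
    bad = detect(conns)
    if not bad:
        return Rating.NORMAL
    # A count equal to the threshold is treated as second abnormal traffic (assumption).
    if len(bad) > threshold:
        return Rating.FIRST_ABNORMAL
    return Rating.SECOND_ABNORMAL


def forwarding_action(rating):
    """Preset forwarding policy selected from the rating result."""
    return {
        Rating.NORMAL: Action.FORWARD,
        Rating.FIRST_ABNORMAL: Action.BLOCK,
        Rating.SECOND_ABNORMAL: Action.FORWARD_AND_RECHECK,
    }[rating]


def process_session(windows, tunnel_established):
    """Apply the policy across successive analysis windows of one session.

    Second abnormal traffic keeps being forwarded and re-analysed; the loop ends as soon
    as the rating settles on normal or first abnormal traffic. Returns the action history.
    """
    history = []
    for conns in windows:
        action = forwarding_action(rate_traffic(conns, tunnel_established))
        history.append(action)
        if action is not Action.FORWARD_AND_RECHECK:
            break
    return history


# Constructed sample connections (RFC 5737 documentation addresses).
OK = TcpConnection("10.0.0.5", "203.0.113.10", 443, 3, b"GET / HTTP/1.1")
NOISY = TcpConnection("10.0.0.5", "198.51.100.7", 8080, 120, b"ping")
BEACON = TcpConnection("10.0.0.6", "198.51.100.7", 8080, 5, b"beacon-id=17")
DOWNLOADER = TcpConnection("10.0.0.7", "192.0.2.9", 4444, 2, b"cmd=download")

if __name__ == "__main__":
    print(process_session([[OK, NOISY], [OK, NOISY, BEACON, DOWNLOADER]], tunnel_established=True))
```

With the tunnel down, the same four connections only rate as second abnormal traffic, because the local library lacks the `cmd=download` signature and the frequency check; that gap is the page's argument for remote analysis.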
It should be noted that, in this embodiment, the local server relates to a cloud security implementation module and a cloud security management module, the preset security analysis module relates to a cloud security analysis module, and data interaction between the local server and the preset security analysis module relates to a management tunnel.
The cloud security implementation module, the cloud security management module, the cloud security analysis module and the management tunnel are further described as follows:
The cloud security implementation module has the following capabilities: first, routing and forwarding, namely forwarding a data packet to a certain interface according to the destination address of the data packet, the routing strategy and the like; second, interfacing with the SDN controller, namely establishing a secure channel with the SDN controller and exchanging OpenFlow messages to implement the issuing, querying and state reporting of table entries; third, connecting to the cloud security management module (audit node). Meanwhile, when the cloud security analysis module is unavailable, the cloud security implementation module analyzes the TCP connection locally: the communication connection state is judged from the TCP message header, the communication content is analyzed from the data carried by TCP, and the state of the connection is judged by comparison against a local feature library.
The cloud security management module performs the corresponding automatic configuration of the cloud security implementation module according to the analysis result sent by the cloud security analysis module. Meanwhile, the cloud security management module exchanges data with the cloud security analysis module through the management tunnel.
The cloud security analysis module: when the cloud security analysis module is available and data traffic is forwarded through the cloud security implementation module (audit node), a mirror image of the data traffic to be forwarded is uploaded to the cloud security analysis module for analysis; the cloud security analysis module sets different grade standards according to the analysis result and returns them to the cloud security implementation module. The analysis performed by the cloud security analysis module includes the following:
Behavior-based detection: after a VM server in the cloud is infected with a virus, the server and the client exchange data through TCP connections. The feature library of the cloud security analysis module updates the behavior features of known viruses in real time; matching TCP connections are detected according to the behavior features in the feature library, and the external connection behavior of known viruses is analyzed. Meanwhile, unknown TCP connection behaviors are analyzed with reference to the relevant features of known viruses according to the indexes of time features, traffic features and frequency features, so that strongly disguised abnormal external connection behaviors of unknown viruses are identified.
Content-based detection: after the normal TCP three-way handshake is completed, the cloud security analysis module judges the communication connection state from the TCP message header, analyzes the communication content, the external connection address and the port from the data carried by TCP, compares the communication content with the external connection interaction data of virus programs in the feature library of the cloud security analysis module, and thereby identifies abnormal external connection behavior of viruses.
The cloud security analysis module and the cloud security management module communicate through the management tunnel, so that management and network monitoring of the cloud security analysis module are realized.
In some embodiments, when the local server and the preset security analysis module do not establish a management tunnel, the method further includes the following steps: and analyzing and detecting the data flow of the data packet through the local server to obtain a safety rating result of the data flow of the data packet.
In this embodiment, when the preset security analysis module is unavailable and/or the management tunnel is not established, the data traffic of the data packet is analyzed, detected and transferred to the local server, that is, transferred to the cloud security implementation module for execution.
In some embodiments, analyzing and detecting the data traffic of the data packet in the preset security analysis module to obtain its security rating result includes the following steps:
The preset security analysis module obtains the source and destination addresses of the data traffic of the data packet.
The preset security analysis module detects abnormal addresses among the source and destination addresses and judges whether the number of abnormal source and destination addresses exceeds a preset threshold.
If the number of abnormal source and destination addresses is greater than the preset threshold, the data traffic of the data packet is determined to be first abnormal data traffic.
If the number of abnormal source and destination addresses is smaller than the preset threshold, the data traffic of the data packet is determined to be second abnormal data traffic.
If no abnormal source or destination address is detected, the data traffic of the data packet is determined to be normal traffic.
In this embodiment, the preset security analysis module detects the data traffic of the data packet by its source and destination addresses. Specifically: when all source and destination addresses of the data traffic are detected as normal, the data traffic is determined to be normal; when more than 50% of the source and destination addresses are detected as abnormal, the data traffic is determined to be first abnormal data traffic; and when less than 50% of the source and destination addresses are detected as abnormal, the data traffic is determined to be second abnormal data traffic.
In some embodiments, the preset security analysis module detecting abnormal addresses among the source and destination addresses includes the following steps:
The preset security analysis module inspects the client/server (C/S) data exchanged over the TCP connection for each source and destination address and obtains external connection behavior data, which comprises first external connection behavior data detected from the TCP connection behavior and second external connection behavior data detected from the TCP connection content.
The preset security analysis module then detects abnormal external connection behavior in the external connection behavior data generated by each source and destination address, and determines an address to be an abnormal source or destination address when abnormal external connection behavior is found in its external connection behavior data.
It should be noted that, in this embodiment, the analysis performed by the preset security analysis module includes the following:
Behavior-based detection: after a VM server in the cloud is infected with a virus, the server and the client exchange data over a TCP connection. The feature library of the preset security analysis module updates the behavior features of known viruses in real time; TCP connections matching those behavior features are detected, and the external connection behavior of the known virus is analyzed. For unknown TCP connection behavior, the time, flow and frequency characteristics of the connection are analyzed with reference to the relevant features of known viruses, so that well-disguised abnormal external connections of unknown viruses are identified.
Content-based detection: after a normal TCP three-way handshake completes, the preset security analysis module judges the connection state from the TCP header, extracts the communication content, the external address and the port from the data carried by TCP, compares them with the external-connection interaction data of virus programs held in the feature library of the preset security analysis module, and thereby detects the abnormal external connection behavior of the virus.
In some embodiments, the preset forwarding policy includes blocking data traffic forwarding, and when the security rating result of the data traffic of the data packet is abnormal data traffic, calling the preset forwarding policy and forwarding the data packet to be forwarded according to it includes the following step: when the data traffic of the data packet is determined to be first abnormal data traffic, forwarding of the data packet to be forwarded is blocked.
In some embodiments, the preset forwarding policy includes blocking data traffic forwarding, and when the security rating result of the data traffic of the data packet is abnormal data traffic, calling the preset forwarding policy and forwarding the data packet to be forwarded according to it further includes the following step: when the data traffic of the data packet is determined to be second abnormal data traffic, the data packet to be forwarded continues to be forwarded, and the preset security analysis module continues to analyze and detect the data traffic of the data packet to obtain its security rating result, until the data traffic is rated as first abnormal data traffic or normal data traffic.
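The rating steps above (abnormal source/destination addresses counted against the 50% threshold, with behavior- and content-based detection per address) and the forwarding policy for first and second abnormal traffic, as an added example that is not code from the patent. The feature library values, the per-address detection rules and the sample connections are constructed stand-ins for what the patent leaves unspecified.

```python
"""Added example, not code from the patent: rate a session's data traffic by
the share of abnormal source/destination addresses and map the rating to the
preset forwarding policy. The feature library values, per-address detection
rules and sample connections are constructed stand-ins."""
from dataclasses import dataclass
from enum import Enum

class Rating(Enum):
    NORMAL = "normal"                    # no abnormal address detected
    FIRST_ABNORMAL = "first_abnormal"    # more than 50% of addresses abnormal
    SECOND_ABNORMAL = "second_abnormal"  # some, but not more than 50%

class Action(Enum):
    FORWARD_VIA_COMMON_NODE = "forward over gateway A / switching device A"
    BLOCK_AND_NOTIFY = "block forwarding and notify the administrator"
    FORWARD_LOCALLY_AND_REANALYZE = "keep forwarding locally, keep uploading"

@dataclass
class Connection:
    """One client/server TCP exchange after the three-way handshake."""
    src: str
    dst: str
    duration_s: float        # time characteristic
    bytes_out: int           # flow characteristic
    connects_per_min: float  # frequency characteristic
    payload: bytes = b""     # data carried by TCP

@dataclass
class FeatureLibrary:
    """Stand-in for the analysis module's feature library (constructed)."""
    content_signatures: tuple = (b"BEACON:", b"\x00cmd:")
    max_duration_s: float = 2.0         # known-virus behaviour profile:
    min_connects_per_min: float = 10.0  # short, frequent, low-volume
    max_bytes_out: int = 512            # outbound connections

def behavior_matches(c: Connection, lib: FeatureLibrary) -> bool:
    """First external connection behavior data: detection by TCP behavior."""
    return (c.duration_s <= lib.max_duration_s
            and c.connects_per_min >= lib.min_connects_per_min
            and c.bytes_out <= lib.max_bytes_out)

def content_matches(c: Connection, lib: FeatureLibrary) -> bool:
    """Second external connection behavior data: detection by TCP content."""
    return any(sig in c.payload for sig in lib.content_signatures)

def abnormal_addresses(conns, lib: FeatureLibrary) -> dict:
    """Map each (src, dst) address pair to True if any connection matched."""
    flagged = {}
    for c in conns:
        key = (c.src, c.dst)
        hit = behavior_matches(c, lib) or content_matches(c, lib)
        flagged[key] = flagged.get(key, False) or hit
    return flagged

def rate_traffic(conns, lib: FeatureLibrary, threshold: float = 0.5) -> Rating:
    """The patent's three-way rating over a batch of connections."""
    flagged = abnormal_addresses(conns, lib)
    n_abnormal = sum(flagged.values())
    if n_abnormal == 0:            # also covers an empty batch
        return Rating.NORMAL
    # The patent defines only "more than 50%" (first) and "less than 50%"
    # (second); exactly 50% is not greater, so it rates second here.
    if n_abnormal / len(flagged) > threshold:
        return Rating.FIRST_ABNORMAL
    return Rating.SECOND_ABNORMAL

def forwarding_action(rating: Rating) -> Action:
    """Preset forwarding policy applied by the management module."""
    return {
        Rating.NORMAL: Action.FORWARD_VIA_COMMON_NODE,
        Rating.FIRST_ABNORMAL: Action.BLOCK_AND_NOTIFY,
        Rating.SECOND_ABNORMAL: Action.FORWARD_LOCALLY_AND_REANALYZE,
    }[rating]

def rerate_until_settled(batches, lib: FeatureLibrary):
    """Second abnormal traffic keeps being forwarded and re-uploaded; stop at
    the first batch that rates normal or first abnormal."""
    rating = Rating.SECOND_ABNORMAL
    for conns in batches:
        rating = rate_traffic(conns, lib)
        if rating != Rating.SECOND_ABNORMAL:
            break
    return rating, forwarding_action(rating)

# Constructed sample: one VM talking to three peers; one looks like beaconing.
SAMPLE = [
    Connection("10.0.1.5", "203.0.113.7", 1.0, 120, 30.0),
    Connection("10.0.1.5", "198.51.100.20", 45.0, 50_000, 0.5),
    Connection("10.0.1.5", "192.0.2.9", 12.0, 2_000, 1.0, b"GET / HTTP/1.1"),
]
```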
In some embodiments, the local server establishing the management tunnel with the preset security analysis module includes the following steps:
The local server receives a discovery request response message sent by the security analysis module, which carries the preset security analysis module that the local server requested to discover.
The local server selects a preset security analysis module according to the discovery request response message and sends a connection establishment request message.
The local server checks the management tunnel creation result in the join response message sent by the security analysis module; the join response message carries the preset security analysis module that the local server asked to connect to in its connection establishment request message.
The local server determines from the management tunnel creation result, which is either creation failure or creation success, whether a management tunnel has been established between it and the preset security analysis module.
In this embodiment, if the preset security analysis module does not receive a heartbeat message within 45 s, an alarm is raised and the data traffic security rating detection is transferred to the local server (cloud security implementation module) for processing.
Fig. 3 is a flowchart of management tunnel establishment according to the present application. As shown in fig. 3, the management tunnel establishment procedure includes the following steps:
The local server sends a Discovery request message to the preset security analysis module.
After receiving the Discovery request message, the preset security analysis module replies with a Discovery response message to the local server.
After receiving the Discovery response message from the preset security analysis module, the local server selects a preset security analysis module according to the content carried in the message.
The local server sends a Join request message to the selected preset security analysis module.
The preset security analysis module checks, according to the message content, whether to provide service to the local server, and replies with a Join response message.
If the local server receives a Join response message whose Result Code is failure, the tunnel is not established; if it receives a Join response message whose Result Code is success, the tunnel between the local server and the preset security analysis module has been established successfully.
After the management tunnel is established, a heartbeat message is sent every 30 s to maintain the state of the tunnel.
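The tunnel life cycle of Fig. 3 together with the 45 s heartbeat rule from the embodiment above, as an added simulation that is not the patent's own code: Discovery request/response, Join request/response carrying a Result Code, a heartbeat every 30 s, and the alarm that hands rating back to the local server once the analysis module has heard nothing for more than 45 s. The message kinds, field names and the "first responder" selection rule are assumptions; the patent does not specify them.

```python
"""Added example, not the patent's own code: a simulation of the management
tunnel life cycle: Discovery request/response, Join request/response with a
Result Code, a heartbeat every 30 s, and the rule that 45 s without a
heartbeat raises an alarm and hands rating back to the local server.
Message kinds, field names and the selection rule are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

HEARTBEAT_INTERVAL_S = 30  # patent: heartbeat every 30 s once established
HEARTBEAT_TIMEOUT_S = 45   # patent: no heartbeat within 45 s -> alarm

@dataclass
class Message:
    kind: str  # discovery_req | discovery_resp | join_req | join_resp | heartbeat
    src: str
    fields: dict = field(default_factory=dict)

class AnalysisModule:
    """Preset security analysis module side of the exchange."""
    def __init__(self, name: str, serves: set):
        self.name = name
        self.serves = serves        # local servers it agrees to serve
        self.last_heartbeat = {}    # local server -> time of last heartbeat
        self.alarms = []            # (local server, time) of silent tunnels

    def handle(self, msg: Message, now: int) -> Optional[Message]:
        if msg.kind == "discovery_req":
            return Message("discovery_resp", self.name, {"module": self.name})
        if msg.kind == "join_req":
            code = "success" if msg.src in self.serves else "failure"
            if code == "success":
                self.last_heartbeat[msg.src] = now
            return Message("join_resp", self.name, {"result_code": code})
        if msg.kind == "heartbeat":
            self.last_heartbeat[msg.src] = now
        return None

    def check_timeouts(self, now: int) -> list:
        """Alarm on tunnels silent for more than 45 s and drop their state."""
        expired = [s for s, t in self.last_heartbeat.items()
                   if now - t > HEARTBEAT_TIMEOUT_S]
        for s in expired:
            self.alarms.append((s, now))
            del self.last_heartbeat[s]
        return expired

class LocalServer:
    """Audit-node side (cloud security implementation/management module)."""
    def __init__(self, name: str):
        self.name = name
        self.tunnel_to: Optional[AnalysisModule] = None
        self.next_heartbeat: Optional[int] = None

    def establish(self, modules: list, now: int) -> bool:
        """Discovery, selection, Join; True only on Result Code success."""
        responses = [(m, m.handle(Message("discovery_req", self.name), now))
                     for m in modules]
        responses = [(m, r) for m, r in responses if r is not None]
        if not responses:
            return False
        chosen = responses[0][0]  # selection rule: first responder (assumption)
        resp = chosen.handle(Message("join_req", self.name), now)
        if resp.fields["result_code"] != "success":
            return False          # Result Code failure: no tunnel
        self.tunnel_to = chosen
        self.next_heartbeat = now + HEARTBEAT_INTERVAL_S
        return True

    def tick(self, now: int, link_up: bool = True) -> None:
        """Send a heartbeat when due; link_up=False models a broken tunnel."""
        if self.tunnel_to is None or now < self.next_heartbeat:
            return
        if link_up:
            self.tunnel_to.handle(Message("heartbeat", self.name), now)
        self.next_heartbeat += HEARTBEAT_INTERVAL_S

def simulate(link_break_at: int, end: int = 150) -> dict:
    """Establish a tunnel at t=0, break the link at link_break_at, and report
    when the analysis module alarms (rating then moves to the local server)."""
    cloud = AnalysisModule("cloud-analysis", serves={"audit-node-B"})
    srv = LocalServer("audit-node-B")
    ok = srv.establish([cloud], now=0)
    fallback_at, heartbeats = None, 0
    for now in range(1, end + 1):
        before = cloud.last_heartbeat.get(srv.name)
        srv.tick(now, link_up=now < link_break_at)
        if cloud.last_heartbeat.get(srv.name) not in (None, before):
            heartbeats += 1
        if cloud.check_timeouts(now) and fallback_at is None:
            fallback_at = now
    return {"established": ok, "heartbeats": heartbeats,
            "fallback_at": fallback_at,
            "rating_location": "local" if fallback_at else "cloud"}
```

With the link cut at t=61 s the last heartbeat lands at t=60 s, so the module's alarm fires at t=106 s, the first tick at which the silence exceeds 45 s.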
Fig. 4 is a system architecture diagram for secure access to cloud data according to an embodiment of the present application. As shown in fig. 4, a cloud data security access control method executed on this system architecture includes the following steps:
System deployment: a VPC server and a VM server are placed in the business layer; an SDN controller and a virtual switch (VSwitch) are placed in the virtual switching core layer; switching device A and switching device B are placed in the hardware core layer, with gateway device A and gateway device B attached to switching device A and switching device B respectively and connected to the Internet. Gateway device A and switching device A are designated as common nodes, while switching device B and gateway device B are called audit nodes (corresponding to the local server); the cloud security implementation module and the cloud security management module are deployed on the physical server of switching device B, that is, the local server. The cloud security analysis module (corresponding to the preset security analysis module) is located at some node on the Internet. Once the system architecture is deployed, the cloud security management module (corresponding to the local server) and the cloud security analysis module can establish a management tunnel.
The SDN controller issues a flow table to the virtual switch (VSwitch) and configures a forwarding rule that forwards all data traffic from the switching device B side by default.
A policy route is configured on the switching device B side so that all data traffic sent by the virtual switch (VSwitch) is forwarded to the cloud security implementation module.
When a VPC in the cloud initiates a connection, all of its data traffic is forwarded to the cloud security implementation module (corresponding to the local server). If the management tunnel is established, the cloud security implementation module holds the received session request and sends the data packet to be forwarded that it carries to the cloud security analysis module.
After the data packet reaches the cloud security analysis module, its data traffic is analyzed and the result falls into one of three classes: normal data traffic, first abnormal data traffic and second abnormal data traffic. The analysis result is returned to the cloud security management module (corresponding to the local server) through the management tunnel.
The cloud security management module (corresponding to the local server) processes the analysis result received for the data traffic of each data packet as follows. When the result is normal data traffic, it calls the API (application programming interface) of the SDN controller to issue a flow table to the virtual switch (VSwitch), so that the corresponding data traffic is forwarded over the common node consisting of gateway device A and switching device A. When the result is first abnormal data traffic, the preset forwarding policy is issued to the local server, forwarding of the data traffic is blocked, and the administrator is notified in a preset manner. When the result is second abnormal data traffic, the data traffic continues to be forwarded by the local server and uploaded to the cloud security analysis module until its analysis result becomes normal data traffic or first abnormal data traffic, and the analysis result is reported to the administrator in a preset manner.
When the management tunnel is not established, the data traffic is analyzed at the cloud security implementation module (corresponding to the local server), following the same data analysis steps as the cloud security analysis module.
With the cloud data security access control method of the above steps, deploying the audit nodes separately reduces the load on the common nodes without changing the original network architecture of the cloud data center; at the same time, by means of the cloud characteristics and a dynamically adjusted policy, known and unknown virus threats can be effectively analyzed and defended against, and viruses are prevented from spreading over the original common node to other hosts in the VPC.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The present embodiment further provides a cloud data security access control apparatus, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated here. As used hereinafter, the terms "module," "unit," "subunit," and the like may refer to a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a cloud data security access control apparatus according to an embodiment of the present application, and as shown in fig. 5, the apparatus includes:
the receiving module 51 is configured to receive a session request, where the session request carries a data packet to be forwarded.
The security analysis module 52, coupled to the receiving module 51, is configured to analyze and detect the data traffic of the data packet in the preset security analysis module and obtain its security rating result, provided that the local server has established a management tunnel with the preset security analysis module.
The processing module 53, coupled to the security analysis module 52, is configured to invoke a preset forwarding policy when the security rating result of the data traffic of the data packet is abnormal data traffic, and to forward the data packet to be forwarded according to that policy.
In some embodiments, when the local server and the preset security analysis module have not established a management tunnel, the processing module 53 is further configured to analyze and detect the data traffic of the data packet to obtain its security rating result.
In some embodiments, the security analysis module 52 is configured to obtain the source and destination addresses of the data traffic of the data packet; detect abnormal addresses among the source and destination addresses and judge whether the number of abnormal source and destination addresses exceeds a preset threshold; determine the data traffic of the data packet to be first abnormal data traffic when the number of abnormal source and destination addresses is greater than the preset threshold; determine it to be second abnormal data traffic when the number of abnormal source and destination addresses is smaller than the preset threshold; and determine it to be normal traffic when no abnormal source or destination address is detected.
In some embodiments, the security analysis module 52 is configured to obtain external connection behavior data from the client/server (C/S) data exchanged over the TCP connection at the source and destination addresses, where the external connection behavior data includes first external connection behavior data detected from the TCP connection behavior and second external connection behavior data detected from the TCP connection content; and to detect abnormal external connection behavior in the external connection behavior data generated by each source and destination address, determining an address to be an abnormal source or destination address when abnormal external connection behavior is found in its external connection behavior data.
In some embodiments, the preset forwarding policy includes blocking data traffic forwarding, and the processing module 53 is configured to block forwarding of the data packet to be forwarded when the data traffic of the data packet is determined to be first abnormal data traffic.
It should be noted that the above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the above modules may be located in the same processor; or the modules may be located in different processors in any combination.
The present embodiment also provides an electronic device, comprising a memory having a computer program stored therein and a processor configured to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by means of a computer program:
S1, receiving a session request, wherein the session request carries a data packet to be forwarded.
S2, when the local server and the preset security analysis module have established a management tunnel, analyzing and detecting the data traffic of the data packet in the preset security analysis module to obtain a security rating result of the data traffic of the data packet.
S3, when the security rating result of the data traffic of the data packet is abnormal data traffic, calling a preset forwarding policy and forwarding the data packet to be forwarded according to the preset forwarding policy.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the cloud data security access control method in the foregoing embodiment, the embodiment of the present application may be implemented by providing a storage medium. The storage medium having stored thereon a computer program; when executed by a processor, the computer program implements the cloud data security access control method in any of the above embodiments.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (7)

1. A cloud data security access control method is characterized by comprising the following steps:
receiving a session request, wherein the session request carries a data packet to be forwarded;
under the condition that a management tunnel is established between a local server and a preset security analysis module, analyzing and detecting the data traffic of the data packet through the preset security analysis module to obtain a security rating result of the data traffic of the data packet;
under the condition that the security rating result of the data traffic of the data packet is abnormal data traffic, calling a preset forwarding strategy, and forwarding the data packet to be forwarded according to the preset forwarding strategy;
the method for obtaining the security rating result of the data traffic of the data packet by analyzing and detecting the data traffic of the data packet through the preset security analysis module under the condition that the local server and the preset security analysis module establish a management tunnel includes:
the preset security analysis module acquires a source destination address of data traffic of the data packet, detects an abnormal source destination address in the source destination address, and judges whether the number of the abnormal source destination addresses is greater than a preset threshold value;
determining the data traffic of the data packet as first abnormal data traffic under the condition that the number of the abnormal source and destination addresses is judged to be larger than a preset threshold value;
determining the data traffic of the data packet as second abnormal data traffic under the condition that the number of the abnormal source and destination addresses is judged to be smaller than a preset threshold value;
determining the data flow of the data packet as normal flow under the condition that the abnormal source and destination address is not detected;
the method for forwarding the data packet to be forwarded according to the preset forwarding policy includes the following steps:
blocking the data flow forwarding of the data packet to be forwarded under the condition that the data flow of the data packet is determined to be a first abnormal data flow;
and under the condition that the data flow of the data packet is determined to be the second abnormal data flow, forwarding the data flow of the data packet to be forwarded, and performing analysis and detection on the data flow of the data packet through the preset security analysis module to obtain a security rating result of the data flow of the data packet until the data flow of the data packet is the first abnormal data flow or the normal data flow.
2. The cloud data security access control method according to claim 1, wherein in a case that a management tunnel is not established between the local server and the preset security analysis module, the control method includes:
and analyzing and detecting the data flow of the data packet through a local server to obtain a security rating result of the data flow of the data packet.
3. The cloud data security access control method of claim 1, wherein the detecting, by the preset security analysis module, the abnormal source destination address in the source destination address comprises:
the preset security analysis module detects C/S data for TCP connection interaction based on the source and destination addresses and acquires external connection behavior data, wherein the external connection behavior data comprises first external connection behavior data detected based on TCP connection behaviors and second external connection behavior data detected based on TCP connection contents;
the preset safety analysis module detects abnormal external connection behaviors in the external connection behavior data generated by each source and destination address, and determines the source and destination address as an abnormal source and destination address under the condition that the abnormal external connection behaviors are detected in the external connection behavior data.
4. The cloud data security access control method of claim 1, wherein establishing the management tunnel between the local server and the preset security analysis module comprises:
the local server receives a discovery request response message sent by the security analysis module, wherein the discovery request response message carries the preset security analysis module requested to be discovered by the local server;
the local server selects the preset security analysis module according to the discovery request response message and sends a request to establish a connection message;
the local server detects a management tunnel creation result in a join response message sent by the security analysis module, wherein the join response message carries the preset security analysis module requesting connection establishment in the request establishment connection message sent by the local server;
and the local server determines whether a management tunnel is established between the local server and the preset security analysis module or not according to the creation result of the management tunnel, wherein the creation result of the management tunnel comprises the creation failure and the creation success.
5. A cloud data security access control apparatus, comprising:
a receiving module, configured to receive a session request, where the session request carries a data packet to be forwarded;
the safety analysis module is used for analyzing and detecting the data traffic of the data packet through the preset safety analysis module under the condition that a management tunnel is established between the local server and the preset safety analysis module, so as to obtain a safety rating result of the data traffic of the data packet;
the processing module is used for calling a preset forwarding strategy under the condition that the safety rating result of the data traffic of the data packet is abnormal data traffic, and forwarding the data packet to be forwarded according to the preset forwarding strategy;
the method for obtaining the security rating result of the data traffic of the data packet by analyzing and detecting the data traffic of the data packet through the preset security analysis module under the condition that the local server and the preset security analysis module establish a management tunnel includes:
the preset security analysis module acquires a source destination address of data traffic of the data packet, detects an abnormal source destination address in the source destination address, and judges whether the number of the abnormal source destination addresses is greater than a preset threshold value;
determining the data traffic of the data packet as first abnormal data traffic under the condition that the number of the abnormal source and destination addresses is judged to be larger than a preset threshold value;
determining the data traffic of the data packet as second abnormal data traffic under the condition that the number of the abnormal source and destination addresses is judged to be smaller than a preset threshold value;
determining the data flow of the data packet as normal flow under the condition that the abnormal source and destination address is not detected;
the method for forwarding the data packet to be forwarded according to the preset forwarding strategy includes the following steps:
blocking the data traffic forwarding of the data packet to be forwarded under the condition that the data traffic of the data packet is determined to be first abnormal data traffic;
and under the condition that the data traffic of the data packet is determined to be second abnormal data traffic, forwarding the data traffic of the data packet to be forwarded, and performing analysis and detection on the data traffic of the data packet through the preset security analysis module to obtain a security rating result of the data traffic of the data packet until the data traffic of the data packet is first abnormal data traffic or normal data traffic.
6. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the cloud data security access control method according to any one of claims 1 to 4.
7. A storage medium having stored therein a computer program, wherein the computer program is arranged to execute the cloud data security access control method of any of claims 1 to 4 when executed.
CN202010721695.8A 2020-07-24 2020-07-24 Cloud data security access control method and device, electronic device and storage medium Active CN111935108B (en)

Publications (2)

Publication Number Publication Date
CN111935108A CN111935108A (en) 2020-11-13
CN111935108B true CN111935108B (en) 2023-02-28

Family

ID=73315388

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010721695.8A Active CN111935108B (en) 2020-07-24 2020-07-24 Cloud data security access control method and device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN111935108B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422554B (en) * 2020-11-17 2023-04-07 杭州安恒信息技术股份有限公司 Method, device, equipment and storage medium for detecting abnormal outbound-connection traffic
CN112528285B (en) * 2020-12-18 2022-01-25 南方电网电力科技股份有限公司 Security protection method and device for cloud computing platform, electronic equipment and storage medium

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4063771B2 (en) * 2004-01-06 2008-03-19 Necアクセステクニカ株式会社 Router
CN103051605B (en) * 2012-11-21 2016-06-29 国家计算机网络与信息安全管理中心 Data packet processing method, device and system
CN105282169B (en) * 2015-11-04 2018-08-24 中国电子科技集团公司第四十一研究所 DDoS attack early-warning method and system based on SDN controller thresholds
CN105959282A (en) * 2016-04-28 2016-09-21 杭州迪普科技有限公司 Protection method and device against DHCP attacks
CN109413001B (en) * 2017-08-15 2021-06-22 东软集团股份有限公司 Method and device for carrying out security protection on interactive data in cloud computing system
CN108718298B (en) * 2018-04-28 2021-05-25 北京奇安信科技有限公司 Malicious outbound-connection traffic detection method and device
CN110493165A (en) * 2018-06-29 2019-11-22 厦门白山耘科技有限公司 Method, apparatus and network intrusion detection system for automatically identifying malicious network processes
CN110224947A (en) * 2019-06-05 2019-09-10 东软集团股份有限公司 Message processing method, device and equipment in a multi-core forwarding system
CN110830484A (en) * 2019-11-13 2020-02-21 深圳市信锐网科技术有限公司 Data message processing method and device, intranet switch and storage medium
CN111147285B (en) * 2019-12-07 2022-11-15 杭州安恒信息技术股份有限公司 Cloud security product unified management method
CN111147287B (en) * 2019-12-10 2023-04-07 网络通信与安全紫金山实验室 Network simulation method and system in SDN scene

Also Published As

Publication number Publication date
CN111935108A (en) 2020-11-13

Similar Documents

Publication Publication Date Title
US9491189B2 (en) Revival and redirection of blocked connections for intention inspection in computer networks
CN107864228B (en) Connection establishment method and system in content distribution network
Qi et al. Assessing container network interface plugins: Functionality, performance, and scalability
US11902139B2 (en) Diagnosing and resolving issues in a network using probe packets
EP3188450B1 (en) Reducing false alarms when using network keep-alive messages
US9621412B2 (en) Method for guaranteeing service continuity in a telecommunication network and system thereof
US8811190B2 (en) Maximum transmission unit (MTU) size discovery mechanism and method for data-link layers
Shi et al. NDNLP: A link protocol for NDN
CN112165447B (en) WAF equipment-based network security monitoring method, system and electronic device
CN112751733B (en) Link detection method, device, equipment, system and switch
CN112491700B (en) Network path adjustment method, system, device, electronic equipment and storage medium
CN111935108B (en) Cloud data security access control method and device, electronic device and storage medium
US11233694B2 (en) Method and device for processing communication path
CN111682989B (en) Method, device and system for detecting port link state
WO2019080592A1 (en) Method and device for sending messages
CN103986638A (en) Method and device for binding multiple public network links for ADVPN tunnel
US20240163160A1 (en) Diagnosing intermediary network nodes
CN108173810B (en) Method and device for transmitting network data
EP3545651B1 (en) Service function chaining and overlay transport loop prevention
CN112910704B (en) Local area network system, method and device supporting dynamic self-adaptive network configuration
CN114465742B (en) Network security protection method and protection equipment
CN107104892A (en) Method and apparatus for network acceleration
CN111147386B (en) Method, electronic device and computer readable medium for handling data transmission congestion
CN114765589A (en) Network testing method, device and storage medium
WO2020048622A1 (en) A method, apparatus & computer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant