CN112152854B - Information processing method and device - Google Patents
- Publication number: CN112152854B (application CN202011021690.0A)
- Authority: CN (China)
- Prior art keywords: detector, node, information, address, policy
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
All four classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L41/04: Network management architectures or arrangements (under H04L41/00, arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
- H04L41/0893: Assignment of logical groups to network elements (under H04L41/00 and H04L41/08, configuration management of networks or network elements)
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general (under H04L63/00, network architectures or network communication protocols for network security)
- H04L67/10: Protocols in which an application is distributed across nodes in the network (under H04L67/00, network arrangements or protocols for supporting network services or applications, and H04L67/01, protocols)
Abstract
The embodiment of the application discloses an information processing method and device, which are used for improving the efficiency of network security detection. The method comprises the following steps: the controller receives first information sent by a detector on a first node of the plurality of nodes; the controller generates a first policy based on the first information, and sends the first policy to the detector on the first node, so that the detector determines whether to block data transmission between different terminal devices in the first node based on the first policy.
Description
Technical Field
The present application relates to the field of network communications, and in particular, to an information processing method and apparatus.
Background
With the build-out of information network security, most enterprises and organizations have moved from securing individual sites to an overall layout in which security devices are deployed at many network nodes. This raises three problems. First, more and more terminal devices join the network, so discovering the assets of the whole network in real time becomes harder. Second, traffic volumes keep growing, so security detection devices placed at the network aggregation layer process it less efficiently and overall network security detection efficiency drops. Third, ever larger networks need more operators, so operation and maintenance costs keep rising.
Disclosure of Invention
The embodiment of the application provides an information processing method and device, which address three problems of the prior art: the difficulty of identifying the assets of the whole network in a timely way, low network security detection efficiency, and high operation and maintenance cost.
In a first aspect, an embodiment of the present application provides an information processing method, where the method is applied to a distributed network, where the distributed network includes a controller and a plurality of nodes, and a detector is set on each of the plurality of nodes, and the method includes:
the controller receives first information sent by a detector on a first node of the plurality of nodes, wherein the first node is any node of the plurality of nodes;
the controller generates a first policy based on the first information, and sends the first policy to the detector on the first node, so that the detector determines whether to interrupt data transmission between different terminal devices in the first node based on the first policy.
Optionally, the first information includes: a first IP address and a first MAC address of each of the plurality of terminal devices in the first node, and the communication protocol used between different ones of those terminal devices.
Optionally, the method further comprises: the controller receives a second IP address of the detector on the first node, the second IP address for the controller to send the first policy to the detector on the first node based on the second IP address.
Optionally, the method further comprises: the controller receives second information sent by the detector on the first node, wherein the second information is log information generated after the detector on the first node determines, according to the first policy, whether to interrupt data transmission between different terminal devices in the first node.
Optionally, after the controller receives the second information sent by the detector on the first node, the method further includes: the controller analyzes the second information, converts the second information into prompt information, and displays the prompt information in a view interface of the controller.
In a second aspect, an embodiment of the present application provides an information processing apparatus including:
the control module is used for receiving first information sent by the detector on the first node;
the control module is further configured to generate a first policy based on the first information, and send the first policy to the detector on the first node;
the detection module is used for sending the first information to the control module;
the detection module is further configured to determine whether to interrupt data transmission between different terminal devices within the first node based on the first policy.
Optionally, the detection module is further configured to obtain, through self-learning, a first IP address of each of the plurality of terminal devices, a first MAC address, and a communication protocol between different terminal devices in the plurality of terminal devices.
Optionally, the control module is further configured to receive a second IP address of the detector on the first node, where the second IP address is used for the controller to send the first policy to the detector on the first node based on the second IP address.
Optionally, the control module is further configured to receive second information sent by the detector on the first node, wherein the second information is log information generated after the detector on the first node determines, according to the first policy, whether to interrupt data transmission between different terminal devices in the first node.
Optionally, the control module is further configured to analyze the second information, convert the second information into a prompt message, and display the prompt message in a view interface of the controller.
In a third aspect, an embodiment of the present application provides an information processing apparatus including:
a memory for storing computer instructions;
and a processor coupled to the memory for executing computer instructions in the memory to perform the method as provided in the first aspect above when the computer instructions are executed.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing computer instructions that, when run on a computer, cause the computer to perform a method as provided in the first aspect above.
In a fifth aspect, embodiments of the present application provide a computer program product which, when run on a computer, causes the computer to perform the method as provided in the first aspect above.
In the embodiment of the application, a detector is arranged on each node of the distributed network and the controller is arranged at the network center; as long as network communication is normal, operation and maintenance personnel only need to configure the detection policies of all detectors centrally on the controller. This technical scheme separates control from detection during network security detection, which improves the efficiency of network security monitoring and reduces operation and maintenance cost.
Drawings
Fig. 1 is a schematic view of a scenario of an information processing method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a scenario of communication between terminal devices according to an embodiment of the present application;
fig. 3 is a schematic flow chart of an information processing method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of another information processing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It is apparent that the described embodiments are some embodiments of the technical solution of the present application, but not all embodiments. All other embodiments, based on the embodiments described in the present document, which can be obtained by a person skilled in the art without any creative effort, are within the scope of protection of the technical solutions of the present application.
In the prior art, when network security detection is performed on a distributed network, network security equipment must be arranged at each node, and each piece of security equipment needs operation and maintenance personnel on site. In addition, the security equipment deployed in the network carries complex services, and because of the hardware limitations of each node the equipment cannot fully play its role.
In view of this, an embodiment of the present application provides an information processing method mainly applied to a distributed network. A controller is provided in the distributed network and a detector is provided on each of a plurality of nodes; each node may include a plurality of terminal devices. Each detector uploads the address information and communication protocols of the terminal devices it has detected to the controller, the controller establishes a first policy from the received information, and the detector then performs security detection on communication between the terminal devices of its node according to the first policy. In this way no operation and maintenance personnel need to operate network security equipment on site at each node; they only need to be present where the controller is located, and the controller controls the plurality of detectors, that is, the plurality of nodes, which avoids wasting manpower and material resources. At the same time, because the controller and the detectors are arranged at different positions in the distributed network, the traffic at each node is greatly reduced and the detector on each node can play its role more effectively.
The following describes the technical scheme provided by the embodiment of the application with reference to the attached drawings.
Referring to fig. 1, a schematic view of a scenario of an information processing method according to an embodiment of the present application is provided.
Fig. 1 shows a distributed network architecture in which the controller is arranged in a central node 101 and detectors 1, 2 and 3 are arranged in the network segments of nodes 102, 103 and 104, respectively. A plurality of terminal devices are arranged under each node: terminal device 1, terminal device 2 and terminal device 3 under node 102, terminal device 4 under node 103, and terminal device 5 under node 104. In the figure, the controller and the detectors exchange data packets, commands, logs and similar information through an application programming interface (API). In the embodiment of the application, the controller is mainly responsible for centralized management and state monitoring of each terminal device and detector in the distributed network, and for forwarding policies to the detectors. The detector is arranged on a node of the distributed network and is responsible for intrusion detection and the firewall function. When the detector is connected to the current network it can start its self-learning mode, in which it acquires the address information and communication protocols of each terminal device under the node in real time; it is also responsible for inspecting the data flows generated when terminal devices communicate and for handling communication between terminal devices according to the policy it has received.
The communication process between the terminal devices in fig. 1 is shown in fig. 2, a schematic flow chart of the communication between terminal device 2 and terminal device 3 in fig. 1; communication between the other terminal devices in fig. 1 follows the same method. In the figure, detector 1 is integrated on the node: when terminal device 2 communicates with terminal device 3, terminal device 2 first sends the data packet to detector 1 on the node, and detector 1 then sends the data packet to terminal device 3. Sending a data packet from terminal device 3 back to terminal device 2 works in the same way.
It should be noted that the above-mentioned application scenarios are only shown for facilitating understanding of the spirit and principles of the present application, and the present application examples are not limited in this respect. Rather, embodiments of the present application may be applied to any scenario where applicable.
Referring to fig. 3, a flow chart of an information processing method according to an embodiment of the present application may be applicable to the scenarios shown in fig. 1 and fig. 2, and specifically, the method includes the following steps:
step S301: the detector detects the first information.
The first information comprises, for each terminal device under the node where the detector is located, a first Internet Protocol address (IP address) and a first Media Access Control address (MAC address), together with the communication protocol used between the terminal devices. The first IP address consists of two parts, a network address used for routing and a host address that identifies a single terminal device within the network. The first MAC address identifies the network interface of the terminal device and is unique to each terminal device in the network. In some embodiments the detector identifies the specific vendor of the terminal device from the Organizationally Unique Identifier (OUI), the first 24 bits of the MAC address, and then names the terminal device in the form vendor_<last 24 bits of the MAC address>. The communication protocol used between terminal devices may be Hypertext Transfer Protocol (HTTP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or another protocol; the present application does not limit this.
In a possible embodiment, each network segment is provided with its own detector, so that the names assigned to terminal devices are not repeated and different terminal devices are not confused with one another.
In one possible implementation, each detector maintains a local asset/protocol table that holds the address information and communication protocols of the terminal devices under it. In some embodiments the detector stores the name, IP address, MAC address and communication protocol of each terminal device together, the name being the vendor_<last 24 bits> identifier described above. Once the table has been populated, whenever the detector detects a new terminal device or communication protocol that may need to be stored, the query function of the detector's database first checks whether that terminal device or communication protocol already exists in the local asset/protocol table.
Specifically, when a new terminal device is detected, the detector checks whether it is already stored in the local asset table; if not, the detector names it in the form vendor_<last 24 bits> and stores it in the local asset table, otherwise it is not stored again. When a new communication protocol is detected, the detector checks whether it is already stored in the local protocol table; if not, it identifies the protocol from the destination port number or by matching the protocol content and stores it in the local protocol table, otherwise it is not stored again.
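The self-learning and de-duplication logic of step S301, written out as an added example (this is not code from the patent): a detector that names each terminal device vendor_<last 24 bits> from its MAC, identifies a flow's protocol by payload content first and destination port second, and refuses to store an entry it already holds. The OUI-to-vendor table, the port table and the packets are constructed sample data, and the shape of the `first_information()` payload is an assumption. A MAC with a non-hex octet is rejected rather than stored, which is the check a practitioner wants before names derived from it feed into a policy.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed OUI -> vendor table for the example (a real detector would use the IEEE OUI list).
OUI_VENDORS = {"00-e0-cd": "PC1", "00-e0-fc": "PC2", "00-e0-4c": "PC3"}
# Port-based identification used only when content matching does not recognise the payload.
PORT_PROTOCOLS = {22: "SSH", 23: "TELNET", 80: "HTTP", 443: "HTTPS"}
HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, hyphen-separated MAC; rejects anything that is not six hex octets."""
    octets = mac.replace(":", "-").lower().split("-")
    if len(octets) != 6 or any(len(o) != 2 or set(o) - HEX for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(octets)


def device_name(mac: str) -> str:
    """vendor_<last 24 bits>: vendor looked up from the OUI (first 24 bits), suffix is the rest."""
    mac = normalize_mac(mac)
    return f"{OUI_VENDORS.get(mac[:8], 'UNKNOWN')}_{mac[9:]}"


def identify_protocol(dst_port: int, payload: bytes) -> str:
    """Content match first (HTTP request line, SSH banner), destination port second, else plain TCP."""
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    return PORT_PROTOCOLS.get(dst_port, "TCP")


@dataclass
class LocalTables:
    """The detector's local asset table (name -> ip, mac) and protocol table (device pair -> protocols)."""
    assets: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    protocols: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def learn_device(self, ip: str, mac: str) -> bool:
        """Store a device unless its name already exists; returns True only when a row was added."""
        name = device_name(mac)
        if name in self.assets:
            return False
        self.assets[name] = (ip, normalize_mac(mac))
        return True

    def learn_flow(self, src_mac: str, dst_mac: str, dst_port: int, payload: bytes = b"") -> bool:
        """Store the protocol seen between two devices unless that pair/protocol is already known."""
        key = tuple(sorted((device_name(src_mac), device_name(dst_mac))))
        proto = identify_protocol(dst_port, payload)
        seen = self.protocols.setdefault(key, set())
        if proto in seen:
            return False
        seen.add(proto)
        return True

    def first_information(self) -> dict:
        """Payload uploaded to the controller in step S302 (assumed JSON-like shape)."""
        return {
            "assets": [{"name": n, "ip": ip, "mac": mac} for n, (ip, mac) in sorted(self.assets.items())],
            "protocols": [{"between": list(k), "protocols": sorted(v)} for k, v in sorted(self.protocols.items())],
        }


# Constructed packets: (src_ip, src_mac, dst_ip, dst_mac, dst_port, payload). The last one repeats the first.
SAMPLE_PACKETS = [
    ("192.168.0.7", "00:e0:fc:12:34:57", "192.168.0.8", "00:e0:4c:12:34:58", 80, b"GET / HTTP/1.1\r\n"),
    ("192.168.1.6", "00:e0:cd:12:34:56", "192.168.0.7", "00:e0:fc:12:34:57", 80, b"GET /x HTTP/1.1\r\n"),
    ("192.168.0.7", "00:e0:fc:12:34:57", "192.168.0.8", "00:e0:4c:12:34:58", 8080, b"\x00\x01"),
    ("192.168.0.7", "00:e0:fc:12:34:57", "192.168.0.8", "00:e0:4c:12:34:58", 80, b"GET /y HTTP/1.1\r\n"),
]


def learn_from_packets(packets=SAMPLE_PACKETS) -> LocalTables:
    """Run the self-learning mode over captured packets and return the populated tables."""
    tables = LocalTables()
    for src_ip, src_mac, dst_ip, dst_mac, dst_port, payload in packets:
        tables.learn_device(src_ip, src_mac)
        tables.learn_device(dst_ip, dst_mac)
        tables.learn_flow(src_mac, dst_mac, dst_port, payload)
    return tables
```

On the sample packets the detector ends up with three assets and two device pairs, the PC2/PC3 pair carrying both HTTP and a port-8080 flow labelled plain TCP; the repeated HTTP packet adds nothing, which is the lookup-before-insert behaviour the text describes.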
Step S302: the detector sends the first information and the IP address of the detector to the controller.
When the detector is connected to the distributed network it can start its self-learning mode, in which it automatically acquires the IP addresses, MAC addresses and communication protocols of all terminal devices under its node and uploads the acquired information to the controller through the API in real time. The detector also uploads its own IP address to the controller through the API. The communication interface between the detector and the controller may be any northbound interface; the embodiment of the present application does not limit this.
After receiving the first information uploaded by the detector and the IP address of the detector, the controller de-duplicates all of the information and stores it in a corresponding local Extensible Markup Language (XML) file. In one possible embodiment the user can also enter the first information or the IP address of a detector manually in the controller, thereby adding a new terminal device or detector to the corresponding XML file.
In some embodiments, after receiving the first information or the IP address of a detector, the controller may display the terminal device names and communication protocols contained in the first information on the asset page of its view interface, and similarly display the detector's IP address, product manufacturer and similar information on the detector page of its view interface.
Step S303: a first policy is generated based on the first information.
After the controller has obtained the IP address of each detector, the address information of the terminal devices under each detector and the communication protocols between the terminal devices, it knows the topology and communication protocols of the whole network, which it can show in its view interface, and the first policy can then be generated from that topology and those protocols. The first policy mainly consists of two parts, terminal device information and a communication protocol. For example, policy 1: pc1 -> pc2 telnet (pc1 and pc2 are terminal devices and telnet is the communication protocol) is the communication policy that terminal device pc1 may send data to terminal device pc2 using telnet as the communication protocol.
In one possible implementation, the controller has a policy definition user interface that supports user-defined first policies. In another, the controller holds a policy library containing a number of security policy rules and automatically selects the matching first policy according to the type of terminal device and the type of communication protocol. For example, when the controller sends a policy to detector 1, it can tell from the first information it has received that there are three terminal devices under the node corresponding to detector 1, and the policies corresponding to those three terminal devices can be looked up in the policy library by their IP addresses or MAC addresses.
Step S304: the controller sends a first policy to the detector.
In a possible implementation the first policy is sent to all detectors, so that every detector inspects the communication of terminal devices in the network according to the content of the first policy; in practice the first policy may also be sent to a single detector or to a subset of the detectors, which the embodiment of the present application does not limit.
Step S305: the detector determines whether to interrupt data transmission between different terminal devices within the first node based on the first policy.
Taking fig. 1 as an example, suppose TCP communication is to be inspected in the local area network where detector 1 is located. The local asset table of detector 1 contains three terminal devices that can all reach one another over TCP, but terminal device 2 and terminal device 3 are inside the local area network of detector 1 while terminal device 1 is outside it. Detector 1 receives a first policy from the controller that contains the names, IP addresses and MAC addresses of terminal device 2 and terminal device 3 together with the name of the TCP protocol (the protocol recorded between them in the local protocol table). When terminal device 2 sends a data packet to terminal device 3 over TCP, the data flow matches the first policy held by detector 1, so after detector 1 receives the data packet from terminal device 2 it forwards the packet to terminal device 3 and the communication between the two succeeds. When terminal device 1 sends a data packet to terminal device 2 over TCP, however, terminal device 1 is not in the list of terminal devices covered by the first policy, so the communication does not match the first policy; detector 1 discards the data packet it receives from terminal device 1 and thereby blocks the communication between terminal device 1 and terminal device 2.
Step S306: the detector sends the second information to the controller.
After the detector has permitted or blocked communication between terminal devices according to the first policy, it automatically generates a corresponding log; this log is the second information, which the detector uploads to the controller through a system log (Syslog) interface.
Step S307: the controller analyzes the second information, converts the second information into prompt information and displays the prompt information in the view interface.
Taking fig. 1 as an example, when terminal device 2 and terminal device 3 communicate, detector 1 receives the data packet sent by terminal device 2 and, after forwarding it to terminal device 3, generates a first log. When terminal device 1 and terminal device 2 communicate, detector 1 receives the data packet sent by terminal device 1, discards it and generates a second log. After detector 1 uploads both logs to the controller, the controller analyzes the first log, converts it into event information and displays it in the detection result view of the controller, from which operation and maintenance personnel can see that data packets were exchanged between terminal device 2 and terminal device 3. The controller analyzes the second log, converts it into alarm information and displays it in the same detection result view, from which the operator can see that terminal device 1 is an unauthorized device attempting to access the local area network where detector 1 is located. In this way operation and maintenance personnel can clearly see, through the view interface, the potential security risks in the current distributed network environment and take corresponding measures in time.
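Steps S303 to S307 as one added example (this is not code from the patent): the first policy in the "pc1 -> pc2 telnet" text form of step S303, a detector that forwards or drops each packet and writes one log line per decision, and the controller's conversion of those logs into event and alarm items. It goes beyond the text in two ways, both assumptions of the example: a packet between known endpoints using a protocol the policy does not list is dropped with its own reason, and an endpoint is recognised only when its IP and MAC both match, so a host reusing a permitted IP with a different MAC is treated as unknown (a MAC can be spoofed too, so this is a consistency check, not authentication). The endpoint addresses, the rule syntax and the log line format are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str  # vendor_<last 24 bits> name learned by the detector
    ip: str
    mac: str


@dataclass
class Policy:
    """First policy for one detector: permitted (src, dst, protocol) triples plus the IP/MAC of
    every endpoint they reference, delivered together so the detector needs no second lookup."""
    endpoints: Dict[str, Endpoint]
    rules: List[Tuple[str, str, str]] = field(default_factory=list)

    @classmethod
    def parse(cls, endpoints: Dict[str, Endpoint], lines: List[str]) -> "Policy":
        """Rules written as 'pc1 -> pc2 telnet' (one direction) or 'pc2 <-> pc3 tcp' (both)."""
        rules: List[Tuple[str, str, str]] = []
        for line in lines:
            m = re.fullmatch(r"\s*(\S+)\s*(<->|->)\s*(\S+)\s+(\S+)\s*", line)
            if not m:
                raise ValueError(f"bad policy rule: {line!r}")
            src, arrow, dst, proto = m.groups()
            for name in (src, dst):
                if name not in endpoints:
                    raise ValueError(f"rule references unknown endpoint {name!r}")
            rules.append((src, dst, proto.upper()))
            if arrow == "<->":
                rules.append((dst, src, proto.upper()))
        return cls(endpoints, rules)


class Detector:
    """Step S305: forward only if both endpoints are in the policy and the protocol is permitted
    between them; every decision appends one log line (the second information of step S306)."""

    def __init__(self, detector_id: str, policy: Policy):
        self.detector_id = detector_id
        self.policy = policy
        self.logs: List[str] = []
        # IP and MAC must both match; a mismatch makes the sender an unknown endpoint.
        self._by_addr = {(e.ip, e.mac): e.name for e in policy.endpoints.values()}

    def handle(self, src_ip: str, src_mac: str, dst_ip: str, dst_mac: str, proto: str) -> str:
        src = self._by_addr.get((src_ip, src_mac))
        dst = self._by_addr.get((dst_ip, dst_mac))
        if src is None or dst is None:
            action, reason = "DROP", "unknown-endpoint"
        elif (src, dst, proto.upper()) in self.policy.rules:
            action, reason = "FORWARD", "policy-match"
        else:
            action, reason = "DROP", "protocol-not-permitted"
        self.logs.append(f"{self.detector_id} action={action} reason={reason} "
                         f"src={src_ip}/{src_mac} dst={dst_ip}/{dst_mac} proto={proto.upper()}")
        return action


LOG_RE = re.compile(r"^(\S+) action=(\w+) reason=([\w-]+) src=(\S+) dst=(\S+) proto=(\w+)$")


def controller_analyze(log_lines: List[str]) -> List[dict]:
    """Step S307: FORWARD logs become event items, DROP logs become alarm items; malformed lines are skipped."""
    items = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        det, action, reason, src, dst, proto = m.groups()
        items.append({"detector": det, "kind": "event" if action == "FORWARD" else "alarm",
                      "reason": reason, "src": src, "dst": dst, "protocol": proto})
    return items


# Constructed data modelled on fig. 1: detector 1 serves PC2 and PC3; PC1 is outside its LAN.
ENDPOINTS = {
    "PC2_12-34-57": Endpoint("PC2_12-34-57", "192.168.0.7", "00-e0-fc-12-34-57"),
    "PC3_12-34-58": Endpoint("PC3_12-34-58", "192.168.0.8", "00-e0-4c-12-34-58"),
}
POLICY_TEXT = ["PC2_12-34-57 <-> PC3_12-34-58 tcp"]


def run_example() -> Tuple[List[str], List[dict]]:
    det = Detector("detector1", Policy.parse(ENDPOINTS, POLICY_TEXT))
    actions = [
        det.handle("192.168.0.7", "00-e0-fc-12-34-57", "192.168.0.8", "00-e0-4c-12-34-58", "tcp"),   # permitted pair
        det.handle("192.168.1.6", "00-e0-cd-12-34-56", "192.168.0.7", "00-e0-fc-12-34-57", "http"),  # PC1 not in policy
        det.handle("192.168.0.7", "00-e0-fc-12-34-57", "192.168.0.8", "00-e0-4c-12-34-58", "http"),  # protocol not listed
        det.handle("192.168.0.7", "00-e0-cd-12-34-56", "192.168.0.8", "00-e0-4c-12-34-58", "tcp"),   # PC1 using PC2's IP
    ]
    return actions, controller_analyze(det.logs)
```

Because the policy carries the endpoints' addresses, the detector decides locally without consulting the controller per packet, which is what the text means by sending the address information together with the policy to reduce synchronization delay.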
The following describes in detail a method of information processing provided by the present application in connection with a specific embodiment and fig. 1.
Detector 1 acquires the IP addresses and MAC addresses of terminal device 1, terminal device 2 and terminal device 3 and the communication protocols, TCP and HTTP, used when they communicate. Similarly, detector 2 acquires the IP address, MAC address and communication protocol (UDP) of terminal device 4, and detector 3 acquires the IP address, MAC address and communication protocol (Secure Shell, SSH) of terminal device 5. Each of the three detectors identifies the specific vendor of a terminal device from the Organizationally Unique Identifier in the first 24 bits of its MAC address and then names the terminal device in the form vendor_<last 24 bits>. At the same time, each detector maintains a local asset/protocol table holding the address information and communication protocols of the terminal devices under it. For example, the local asset table in detector 1 is shown in table 1:
TABLE 1

| Terminal device name | IP address | MAC address |
|---|---|---|
| PC1_12-34-56 | 192.168.1.6 | 00-e0-cd-12-34-56 |
| PC2_12-34-57 | 192.168.0.7 | 00-e0-fc-12-34-57 |
| PC3_12-34-58 | 192.168.0.8 | 00-e0-mg-12-34-58 |
For example, the local protocol table in detector 1 is shown in table 2:

TABLE 2

| Terminal device <-> Terminal device | Protocol |
|---|---|
| PC1_12-34-56 <-> PC2_12-34-57 | HTTP |
| PC1_12-34-56 <-> PC3_12-34-58 | HTTP |
| PC2_12-34-57 <-> PC3_12-34-58 | TCP |
When detector 1 detects the IP address of terminal device 2 (192.168.0.7) again, the query function of the database in the detector shows that terminal device 2 already exists in the local asset table of detector 1, so detector 1 does not add the information of terminal device 2 a second time. Detector 1, detector 2 and detector 3 each send the first information they have detected, together with their own IP address, to the central controller; the controller receives the first information and detector IP addresses uploaded by the three detectors, de-duplicates all of this information and stores it in a corresponding local XML file. Based on the terminal device information and communication protocols currently held by the controller, the user configures a different communication policy for each of the three detectors in the policy definition user interface. The policy for detector 1 is that the devices in the local area network where detector 1 is located may communicate with each other, that is, terminal device 2 and terminal device 3 may communicate with each other, while terminal device 1 may not communicate with terminal device 2 or terminal device 3. The policy sent to detector 1 therefore contains the names or address information of terminal device 2 and terminal device 3, and the controller at the same time sends detector 1 the IP addresses, MAC addresses and communication protocols of terminal device 2 and terminal device 3 referred to by the policy, which reduces the synchronisation delay between detector 1 and the controller and improves the performance of the structure as a whole.
When terminal device 2 sends a data packet to terminal device 3 over TCP, the data stream matches the first policy received by detector 1, so after detector 1 receives the packet sent by terminal device 2 it forwards the packet to terminal device 3, and communication between terminal device 2 and terminal device 3 takes place. When terminal device 1 sends a data packet to terminal device 2 over HTTP, however, terminal device 1 is not among the terminal devices covered by the first policy, so the communication between terminal device 1 and terminal device 2 does not match the first policy; detector 1 receives the packet sent by terminal device 1 and discards it, thereby blocking the communication between terminal device 1 and terminal device 2. When terminal device 2 and terminal device 3 communicate, detector 1 receives the packet sent by terminal device 2, forwards it to terminal device 3 and generates a first log; when terminal device 1 attempts to communicate with terminal device 2, detector 1 receives the packet sent by terminal device 1, discards it and generates a second log.
After detector 1 uploads the first log and the second log to the controller, the controller parses the first log, converts it into event information and displays the event information in the detection result view of the controller, so that operation and maintenance personnel can see from the view that packets are being transmitted between terminal device 2 and terminal device 3; the controller also parses the second log, converts it into alarm information and displays the alarm information in the detection result view, so that the operator can see from the view that terminal device 1 is an unauthorised device attempting to access the local area network where detector 1 is located. Through the view, operation and maintenance personnel can therefore clearly see the potential security hazards present in the current distributed network environment and take corresponding measures in time. When a user wants to modify one of the three detectors, the user can locate the corresponding detector directly in the view and configure a new detection policy for the terminal device information under that detector. In this way, operation and maintenance personnel need only configure the detection policies of all detectors centrally on the controller, which reduces the number of operation and maintenance staff required, lowers operation and maintenance costs and improves the efficiency of information processing.
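As an added illustration (not code from the patent), the following Python models the flow described in this example: detector-side asset learning with the re-detection check, the controller's de-duplication and per-detector policy generation, the detector's forward-or-drop decision with its first and second logs, and the controller's conversion of those logs into events and alarms. All class names, the MAC addresses, the detector address and the 192.168.0.6/.8 addresses are constructed; only terminal device 2's 192.168.0.7 comes from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Terminal:
    name: str
    ip: str
    mac: str


class Detector:
    """Detector on one node: learns local assets and enforces the controller's policy."""

    def __init__(self, detector_id: int, ip: str) -> None:
        self.detector_id = detector_id
        self.ip = ip                                  # the detector's own ("second") IP address
        self.assets: Dict[str, Terminal] = {}         # local asset table, keyed by MAC
        self.policy: frozenset = frozenset()          # entries: (frozenset({mac_a, mac_b}), protocol)
        self.logs: List[dict] = []

    def learn(self, terminal: Terminal) -> bool:
        """Self-learning: add a newly detected terminal; detecting it again changes nothing."""
        if terminal.mac in self.assets:
            return False
        self.assets[terminal.mac] = terminal
        return True

    def first_information(self) -> List[Tuple[int, str, Terminal]]:
        """What the detector uploads: its id and IP address with every learned terminal."""
        return [(self.detector_id, self.ip, t) for t in self.assets.values()]

    def handle_packet(self, src_mac: str, dst_mac: str, protocol: str) -> bool:
        """Forward (True) only if the device pair and protocol are in the policy; else drop."""
        forwarded = (frozenset({src_mac, dst_mac}), protocol) in self.policy
        # A forwarded packet yields the "first log", a dropped one the "second log".
        self.logs.append({"detector": self.detector_id, "src": src_mac, "dst": dst_mac,
                          "protocol": protocol, "forwarded": forwarded})
        return forwarded


class Controller:
    """Central controller: de-duplicates reports, issues per-detector policies, classifies logs."""

    def __init__(self) -> None:
        # (terminal IP, MAC) -> (detector id, terminal); the key collapses duplicate reports
        self.assets: Dict[Tuple[str, str], Tuple[int, Terminal]] = {}
        self.detector_ips: Dict[int, str] = {}        # address each policy is pushed to

    def receive_first_information(self, records) -> None:
        for detector_id, detector_ip, terminal in records:
            self.detector_ips[detector_id] = detector_ip
            self.assets[(terminal.ip, terminal.mac)] = (detector_id, terminal)

    def make_policy(self, detector_id: int, pairs) -> frozenset:
        """pairs: (name_a, name_b, protocol) triples the operator allows under this detector."""
        by_name = {t.name: t for d, t in self.assets.values() if d == detector_id}
        return frozenset((frozenset({by_name[a].mac, by_name[b].mac}), p) for a, b, p in pairs)

    def classify_logs(self, logs) -> Tuple[List[str], List[str]]:
        """First logs become events, second logs become alarms for the detection result view."""
        events = [f"event: {l['src']} -> {l['dst']} over {l['protocol']} (detector {l['detector']})"
                  for l in logs if l["forwarded"]]
        alarms = [f"alarm: {l['src']} blocked to {l['dst']} over {l['protocol']} (detector {l['detector']})"
                  for l in logs if not l["forwarded"]]
        return events, alarms


def run_example() -> dict:
    """Replay the scenario with constructed terminals standing in for devices 1 to 3."""
    td1 = Terminal("terminal_1", "192.168.0.6", "12:34:56")  # constructed values
    td2 = Terminal("terminal_2", "192.168.0.7", "12:34:57")  # IP as in the worked example
    td3 = Terminal("terminal_3", "192.168.0.8", "12:34:58")  # constructed values
    det1, ctrl = Detector(1, "192.168.0.1"), Controller()    # constructed detector address
    learned = [det1.learn(t) for t in (td1, td2, td3)]
    relearned = det1.learn(td2)                  # device 2 detected again: already in the table
    ctrl.receive_first_information(det1.first_information())
    ctrl.receive_first_information(det1.first_information())  # repeated upload is de-duplicated
    det1.policy = ctrl.make_policy(1, [("terminal_2", "terminal_3", "TCP")])
    fwd = det1.handle_packet(td2.mac, td3.mac, "TCP")        # matches the first policy
    drop = det1.handle_packet(td1.mac, td2.mac, "HTTP")      # device 1 is outside the policy
    events, alarms = ctrl.classify_logs(det1.logs)
    return {"learned": learned, "relearned": relearned, "assets": len(ctrl.assets),
            "forwarded": fwd, "dropped": not drop, "events": events, "alarms": alarms}
```

Calling `run_example()` yields one event (device 2 to device 3 over TCP) and one alarm (device 1 to device 2 over HTTP), mirroring the first and second logs of the text.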
Based on the same inventive concept, an embodiment of the present application provides an information processing apparatus that can implement the functions corresponding to the information processing method. The information processing apparatus may be a hardware structure, a software module, or a hardware structure combined with a software module. The information processing apparatus may be implemented by a chip system, which may consist of a chip alone or may include a chip together with other discrete devices. Referring to fig. 4, the apparatus includes a control module 401 and a detection module 402, wherein:
a control module 401, configured to receive first information sent by a detector on the first node;
the control module 401 is further configured to generate a first policy based on the first information, and send the first policy to the detector on the first node;
a detection module 402, configured to send the first information to the control module 401;
the detection module 402 is further configured to determine whether to interrupt data transmission between different terminal devices within the first node based on the first policy.
Optionally, the detecting module 402 is further configured to detect a first IP address of each of the plurality of terminal devices, a first MAC address, and a communication protocol between different terminal devices in the plurality of terminal devices.
Optionally, the control module 401 is further configured to receive a second IP address of the detector on the first node, where the second IP address is used for the controller to send the first policy to the detector on the first node based on the second IP address.
Optionally, the control module 401 is further configured to receive second information sent by the detector on the first node, where the second information is log information generated after the detector on the first node determines, according to the first policy, whether to interrupt data transmission between different terminal devices in the first node.
Optionally, the control module 401 is further configured to analyze the second information, convert the second information into a prompt message, and display the prompt message in a view interface of the controller.
For the functional description of each functional module of the information processing apparatus in the embodiment of the present application, reference may be made to the corresponding steps of the foregoing embodiment of the information processing method, which are not repeated here.
The division of modules in the embodiments of the present application is schematic and represents only one way of dividing logical functions; other divisions are possible in an actual implementation. In addition, each functional module in each embodiment of the present application may be integrated in one processor, may exist separately and physically, or two or more modules may be integrated in one module. The integrated modules may be implemented in hardware or as software functional modules.
Referring to fig. 5, based on the same inventive concept, an embodiment of the present application provides an information processing apparatus, which includes at least one processor 501, where the processor 501 is configured to execute a computer program stored in a memory, to implement steps of an information processing method according to the embodiment of the present application, as shown in fig. 3.
Alternatively, processor 501 may be a general purpose processor such as a Central Processing Unit (CPU), a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor. The steps of the information processing method disclosed in connection with the embodiments of the present application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
Optionally, the information processing apparatus may further include a memory 502 connected to the at least one processor 501, where the memory 502 stores instructions executable by the at least one processor 501, and where the at least one processor 501 may execute the steps included in the foregoing information processing method by executing the instructions stored in the memory 502.
The specific connection medium between the processor 501 and the memory 502 is not limited in the embodiment of the present application. The memory 502 may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read only memory (PROM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 502 may also be any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 502 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The code corresponding to the information processing method described in the foregoing embodiment may be burned into the chip by programming the processor 501, so that the chip executes the steps of the foregoing information processing method when running; how to program the processor 501 is a technique known to those skilled in the art and is not repeated here. The physical devices corresponding to the control module 401 and the detection module 402 may be the aforementioned processor 501. The information processing apparatus may be used to perform the method provided by the embodiment shown in fig. 3. Therefore, for the functions that the functional modules of the apparatus can implement, reference may be made to the corresponding description of the embodiment shown in fig. 3, which is not repeated.
Based on the same inventive concept, embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when run on a computer, cause the computer to perform the steps of the information processing method as described above.
In some possible embodiments, aspects of the information processing method provided by the present application may also be implemented in the form of a program product, which includes a program code for causing a detection device to perform the steps in the information processing method according to the various exemplary embodiments of the application described above in this specification, when the program product is run on an electronic device.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (8)
1. An information processing method, wherein the method is applied to a distributed network, the distributed network includes a controller and a plurality of nodes, and a detector is set on each node in the plurality of nodes, and the method includes:
the controller receives first information sent by a detector on a first node of the plurality of nodes and address information of the detector on the first node, wherein the first node is any node of the plurality of nodes;
the controller generates a first policy based on the first information and the address information, and sends the first policy to the detector on the first node, so that the detector determines whether to block data transmission between different terminal devices in the first node based on the first policy, wherein the first policy comprises information of the different terminal devices in the first node and a communication protocol;
the controller receives second information sent by the detector on the first node, wherein the second information is log information generated after the detector on the first node determines whether to block data transmission between different terminal devices in the first node according to the first policy, so that an abnormality is found based on the log information, and the log information indicates that data transmission is successful or data transmission fails.
2. The method of claim 1, wherein the first information comprises:
the detector on the first node obtains a first IP address, a first MAC address of each of a plurality of terminal devices and a communication protocol between different terminal devices of the plurality of terminal devices through self-learning.
3. The method of claim 1, wherein the method further comprises:
the controller receives a second IP address of the detector on the first node, the second IP address for the controller to send the first policy to the detector on the first node based on the second IP address.
4. An information processing apparatus, characterized by comprising:
the control module is used for receiving first information sent by the detector on the first node and address information of the detector on the first node;
the control module is further configured to generate a first policy based on the first information and the address information, and send the first policy to the detector on the first node, where the first policy includes information of different terminal devices in the first node and a communication protocol;
the detection module is used for sending the first information to the control module;
the detection module is further used for determining whether to block data transmission between different terminal devices in the first node based on the first policy;
the detection module is further configured to receive second information sent by the detector on the first node, where the second information is log information generated after the detector on the first node determines whether to block data transmission between different terminal devices in the first node according to the first policy, so that based on the log information, an abnormality is found, and the log information indicates that data transmission is successful or data transmission fails.
5. The apparatus of claim 4, wherein the detection module is further configured to obtain, by self-learning, a first IP address for each of a plurality of terminal devices, a first MAC address, and a communication protocol between different ones of the plurality of terminal devices.
6. The apparatus of claim 4, wherein the control module is further to receive a second IP address of the detector on the first node, the second IP address to use for the control module to send the first policy to the detector on the first node based on the second IP address.
7. An information processing apparatus, characterized by comprising:
a memory for storing computer instructions;
a processor connected to the memory for executing computer instructions in the memory and for performing the method of any of claims 1 to 3 when the computer instructions are executed.
8. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011021690.0A CN112152854B (en) | 2020-09-25 | 2020-09-25 | Information processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112152854A CN112152854A (en) | 2020-12-29 |
CN112152854B true CN112152854B (en) | 2023-11-07 |
Family
ID=73896950
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011021690.0A Active CN112152854B (en) | 2020-09-25 | 2020-09-25 | Information processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112152854B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112671797B (en) * | 2020-12-31 | 2022-07-15 | 长扬科技(北京)有限公司 | Safety protection method and system for DNP3 protocol |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160127417A1 (en) * | 2014-10-29 | 2016-05-05 | SECaaS Inc. | Systems, methods, and devices for improved cybersecurity |
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014101398A1 (en) * | 2012-12-24 | 2014-07-03 | 华为技术有限公司 | Software defined network based data processing method, node and system |
CN103051557A (en) * | 2012-12-27 | 2013-04-17 | 华为技术有限公司 | Data stream processing method and system, controller and switching equipment |
CN104468253A (en) * | 2013-09-23 | 2015-03-25 | 中兴通讯股份有限公司 | Deep packet inspection control method and device |
CN104363280A (en) * | 2014-11-13 | 2015-02-18 | 浪潮(北京)电子信息产业有限公司 | Cluster monitoring management method and system based on two-channel transmission |
CN104580168A (en) * | 2014-12-22 | 2015-04-29 | 华为技术有限公司 | Method, device and system for processing attack data packages |
WO2017016162A1 (en) * | 2015-07-29 | 2017-02-02 | 中国科学院沈阳自动化研究所 | Method for controlling transmission security of industrial communications flow based on sdn architecture |
CN106411820A (en) * | 2015-07-29 | 2017-02-15 | 中国科学院沈阳自动化研究所 | Industrial communication flow transmission safety control method based on SDN architecture |
CN105323162A (en) * | 2015-09-29 | 2016-02-10 | 深圳市安冠科技有限公司 | Internet of Things routing system and method |
CN108353022A (en) * | 2015-11-05 | 2018-07-31 | 华为技术有限公司 | A kind of processing method of data message, apparatus and system |
CN110932878A (en) * | 2018-09-20 | 2020-03-27 | 中国移动通信有限公司研究院 | Management method, equipment and system of distributed network |
CN109413110A (en) * | 2018-12-19 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of method and system of the managing main frame strategy based on firewall policy linkage |
CN110098957A (en) * | 2019-04-04 | 2019-08-06 | 北京市天元网络技术股份有限公司 | Big data analysis system based on network log |
CN110445770A (en) * | 2019-07-18 | 2019-11-12 | 平安科技(深圳)有限公司 | Attack Source positioning and means of defence, electronic equipment and computer storage medium |
CN110636086A (en) * | 2019-11-13 | 2019-12-31 | 国家电网有限公司 | Network protection test method and device |
Non-Patent Citations (1)
Title |
---|
Linkage protection control and management based on a security gateway; 张贺然; China Master's Theses Full-text Database; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |