CN112165447B - WAF equipment-based network security monitoring method, system and electronic device - Google Patents

Info

Publication number: CN112165447B
Authority: CN (China)
Prior art keywords: message, tcp, server, waf, matched
Legal status: Active
Application number: CN202010847754.6A
Other languages: Chinese (zh)
Other versions: CN112165447A (en)
Inventors: 贾新奎, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/1607 Details of the supervisory signal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management

Abstract

The application relates to a network security monitoring method, system and electronic device based on WAF equipment. The method comprises the following steps: acquiring a plurality of TCP messages; matching each TCP message with the local proxy information; if a TCP message does not match the local proxy information, sending the unmatched TCP message to the other WAF devices through a session synchronization interface; and if the TCP messages match the local proxy information, performing security detection on all matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the TCP messages. The method and device solve the problem in the related art that WAF equipment deployed in an asymmetric networking cannot provide comprehensive protection for the server.

Description

WAF equipment-based network security monitoring method, system and electronic device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network security monitoring method, system, and electronic device based on WAF equipment.
Background
Network security devices are typically deployed in the user network in a "man-in-the-middle" role. During network communication, network security devices such as a WAF need to perform deep analysis of HTTP request data packets in order to obtain the complete HTTP protocol content. Because an HTTP request data packet is sent packet by packet over the TCP protocol, the device must proxy the HTTP request data packet to obtain the complete HTTP protocol content and thereby provide comprehensive network security. If the HTTP request data packet is not proxied, only single TCP messages can be inspected, the complete HTTP protocol content cannot be obtained, and the protection performance of the WAF device is poor.
In the related art, when a WAF device is deployed in an asymmetric networking, HTTP request data packets can only be monitored in a packet-by-packet detection manner, so the complete HTTP protocol content cannot be analyzed, the protection performance of the WAF device is poor, and comprehensive protection cannot be provided for the server.
At present, no effective solution has been proposed for the problem in the related art that a WAF device cannot provide comprehensive protection for a server when deployed in an asymmetric networking.
Disclosure of Invention
The embodiment of the application provides a network security monitoring method, a network security monitoring system and an electronic device based on WAF equipment, which are used for at least solving the problem that the WAF equipment in the related art cannot provide comprehensive protection for a server when being deployed in an asymmetric networking.
In a first aspect, an embodiment of the present application provides a network security detection method based on a WAF device, where the method includes:
acquiring a plurality of TCP messages;
matching each TCP message with the local proxy information;
if a TCP message does not match the local proxy information, sending the unmatched TCP message to the other WAF devices through a session synchronization interface;
and if the TCP messages match the local proxy information, performing security detection on all matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages.
In some of these embodiments, the method further comprises:
if the TCP message matches the local proxy information, extracting target feature information from the TCP message, and updating the local proxy information according to the target feature information.
In some of these embodiments, the target feature information includes a source IP, a destination IP, a source port, a destination port, a SEQ sequence number, and an ACK sequence number.
In some embodiments, performing security detection on all the matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages includes:
determining the SOCKET corresponding to the TCP message according to the source IP, the destination IP, the source port and the destination port, and storing the TCP message in the linked list of the SOCKET;
controlling the process corresponding to the SOCKET to perform packet reception processing on the TCP message;
and performing security detection on all TCP messages for which packet reception processing is complete, to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages.
In some embodiments, before matching each TCP message with the local proxy information, the method further comprises:
judging whether each TCP message is a message sent to a server or a message sent by the server;
if the TCP message is a message sent to the server or a message sent by the server, matching the TCP message with the local proxy information;
and if the TCP message is neither a message sent to the server nor a message sent by the server, executing a preset action to process the TCP message.
In some embodiments, after performing security detection on all the matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages, the method further includes:
sending a SYN message to a server, and receiving the SYN-ACK message replied by the server;
matching the SYN-ACK message with the local proxy information;
and sending the HTTP request data packet corresponding to the TCP messages to the server according to the matching result.
In some embodiments, sending the HTTP request data packet corresponding to the plurality of TCP messages to the server according to the matching result includes:
if the SYN-ACK message matches the local proxy information, matching a first local session according to the SYN-ACK message, and sending an ACK message to the server through the first local session;
and sending the HTTP request data packet corresponding to the TCP messages to the server through the first local session.
In some of these embodiments, the method further comprises:
if the SYN-ACK message does not match the local proxy information, sending the SYN-ACK message to the other WAF devices through a session synchronization interface.
In some embodiments, after sending the HTTP request data packet corresponding to the plurality of TCP messages to the server, the method further includes:
receiving an HTTP response message sent by the server;
matching the HTTP response message with the local proxy information, and if the HTTP response message does not match the local proxy information, sending the HTTP response message to the other WAF devices through a session synchronization interface;
and if the HTTP response message matches the local proxy information, matching a second local session according to the HTTP response message, and sending the HTTP response message to the client through the second local session.
In a second aspect, an embodiment of the present application provides a network security detection system based on a WAF device, including: a client, a server, and a plurality of WAF devices disposed between the client and the server, wherein:
each WAF device is provided with a session synchronization interface and a security service interface, and the session synchronization interfaces of the plurality of WAF devices are connected through a network cable;
each WAF device is used for receiving TCP messages through the security service interface, performing security detection on the TCP messages that match the local proxy information, and transmitting the TCP messages that do not match the local proxy information to the other WAF devices through the session synchronization interface.
In some of these embodiments, the IP addresses of the session sync interfaces of multiple of the WAF devices are in the same network segment.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the WAF device-based network security detection method according to the first aspect when executing the computer program.
In a fourth aspect, embodiments of the present application provide a storage medium having stored thereon a computer program which, when executed by a processor, implements a WAF device-based network security detection method as described in the first aspect above.
Compared with the related art, the network security monitoring method, system and electronic device based on WAF equipment provided by the embodiments of the application acquire a plurality of TCP messages; match each TCP message with the local proxy information; if a TCP message does not match the local proxy information, send the unmatched TCP message to the other WAF devices through a session synchronization interface; and if the TCP messages match the local proxy information, perform security detection on all matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages. This solves the problem in the related art that WAF equipment cannot provide comprehensive protection for a server when deployed in an asymmetric networking.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
Fig. 1 is a flowchart of a network security detection method based on WAF equipment according to an embodiment of the present application;
Fig. 2 is a flowchart of security detection for all matched TCP messages in an embodiment of the present application;
Fig. 3 is a flowchart of determining whether each TCP message is related to a server according to an embodiment of the present application;
Fig. 4 is a flowchart of sending the HTTP request data packet corresponding to a plurality of TCP messages to a server according to an embodiment of the present application;
Fig. 5 is a flowchart of sending an HTTP response message to a client in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a networking model according to an embodiment of the present application;
Fig. 7 is a hardware block diagram of a terminal of a network security detection method based on WAF equipment according to an embodiment of the present application;
Fig. 8 is a block diagram of a network security detection system based on WAF equipment according to an embodiment of the present application;
Fig. 9 is a block diagram of a network security detection device based on WAF equipment according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments that one of ordinary skill in the art can obtain without undue burden based on the embodiments provided herein are intended to be within the scope of the present application. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and this should not be construed as the disclosure being insufficient.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. References to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, and may denote the singular or the plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means greater than or equal to two. "And/or" describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The terms "first," "second," "third," and the like, as used herein, merely distinguish between similar objects and do not represent a particular ordering of the objects.
The various techniques described herein may be applied, but are not limited to, network security detection systems and devices.
Fig. 1 is a flowchart of a network security detection method based on WAF equipment according to an embodiment of the present application. As shown in Fig. 1, the flowchart includes the following steps:
Step S110, a plurality of TCP messages are acquired.
It should be noted that, after the TCP connection between the client and the WAF device is established through the three-way handshake, the WAF device starts to receive, as a TCP proxy, the HTTP request data packet sent by the client. Because the HTTP request information field in the HTTP request data packet is long, the HTTP request information needs to be divided into multiple TCP messages for transmission.
Step S120, each TCP message is matched with the local proxy information.
The local proxy information is the feature information of historical communication messages recorded in the WAF device. The historical communication messages include TCP messages, SYN-ACK messages and ACK messages. The information in the TCP message is matched against the feature information of the historical communication messages to verify whether this WAF device is the target transmission device of the TCP message.
Step S130, if the TCP message does not match the local proxy information, the unmatched TCP message is sent to the other WAF devices through the session synchronization interface.
When there are multiple WAF devices in the communication system and the TCP message does not match the local proxy information, the unmatched TCP message is sent in turn to all WAF devices other than this device through the session synchronization interface. If a WAF device receives, on its session synchronization interface, a TCP message forwarded by another WAF device, it matches the TCP message with its own local proxy information; if the TCP message does not match, the device records a log and discards the TCP message.
Step S140, if the TCP messages match the local proxy information, security detection is performed on all matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages.
It should be noted that, since there are multiple WAF devices in the whole communication system, after a WAF device receives a TCP message it needs to match the TCP message with the local proxy information to verify whether this WAF device is the target transmission device of the TCP message.
If the TCP message does not match the local proxy information, the WAF device is determined not to be the target transmission device of the TCP message, and the TCP message is sent to the other WAF devices through the session synchronization interface; if the TCP message matches the local proxy information, the WAF device is determined to be the target transmission device of the TCP message, and security detection is performed on all matched TCP messages to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages.
Steps S110 to S140 acquire a plurality of TCP messages; match each TCP message with the local proxy information; send any TCP message that does not match the local proxy information to the other WAF devices through the session synchronization interface; and perform security detection on all TCP messages that match the local proxy information, to obtain the security detection result of the HTTP request data packet corresponding to the TCP messages. Because each TCP message is matched with the local proxy information and unmatched TCP messages are sent to the other WAF devices through the session synchronization interface, the embodiment avoids the network becoming unreachable because the information held by the individual WAF devices is inconsistent when they are deployed in an asymmetric networking. The WAF device can therefore parse the complete HTTP request information and perform security detection on it, which improves the protection performance of the WAF device, provides comprehensive protection for the server, and solves the problem in the related art that WAF devices deployed in an asymmetric networking cannot provide comprehensive protection for the server.
It should be noted that asymmetric networking denotes a networking mode in which two or more network links between the client and the server can be used for communication.
In some embodiments, if the TCP message matches the local proxy information, the target feature information is extracted from the TCP message, and the local proxy information is updated according to the target feature information.
In some of these embodiments, the target feature information includes a source IP, a destination IP, a source port, a destination port, a SEQ sequence number, and an ACK sequence number.
In some embodiments, before acquiring a TCP message, the WAF device receives a SYN message sent by a client, extracts target feature information such as the source IP, destination IP, source port, destination port and SEQ sequence number from the SYN message, and stores the target feature information as local proxy information. It then sends a SYN-ACK message to the corresponding client and updates the local proxy information according to the target feature information in the SYN-ACK message. All messages received subsequently need to be matched with the local proxy information; a message that matches is considered to be one that this device must process.
In some embodiments, Fig. 2 is a flowchart of security detection for all matched TCP messages in an embodiment of the present application. As shown in Fig. 2, the process includes the following steps:
Step S210, according to the source IP, the destination IP, the source port and the destination port, the SOCKET corresponding to the TCP message is determined, and the TCP message is stored in the linked list of the SOCKET.
A socket (SOCKET) is the inter-process communication mechanism of BSD UNIX. It describes an IP address and a port and is the handle of a communication link, which can be used to implement communication between different virtual machines or different computers.
Step S220, the process corresponding to the SOCKET is controlled to perform packet reception processing on the TCP message.
Specifically, according to the source IP, the destination IP, the source port and the destination port of the TCP message, the SOCKET already established on the local machine is looked up, and the TCP message is attached to the packet reception queue corresponding to that SOCKET, so that the process corresponding to the SOCKET receives the TCP message.
Step S230, security detection is performed on all TCP messages for which packet reception processing is complete, to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages.
Through steps S210 to S230, the SOCKET corresponding to the TCP message is determined according to the source IP, the destination IP, the source port and the destination port, and the TCP message is stored in the linked list of the SOCKET; the process corresponding to the SOCKET is controlled to perform packet reception processing on the TCP message; and security detection is performed on all TCP messages for which packet reception processing is complete, to obtain the security detection result of the HTTP request data packet corresponding to the plurality of TCP messages. Because the embodiment waits until packet reception processing is complete for all TCP messages and only then performs security detection on them, security detection is performed on the complete HTTP request information, which improves the protection performance of the WAF device and provides comprehensive protection for the server.
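The effect of steps S210 to S230 can be shown with a short added example (not code from the patent): the same three TCP payloads are inspected once packet by packet and once after being queued on the SOCKET found by 4-tuple and reassembled by SEQ. The placeholder signature, the Content-Length framing, the dictionary layout of a segment and all addresses are assumptions made for the illustration.

```python
"""Packet-by-packet inspection vs. inspection after reassembly (S210-S230)."""

SIGNATURE = b"BLOCKME-TOKEN"  # constructed placeholder, not a real WAF rule


class SocketQueue:
    """Receive queue of one proxied connection (the SOCKET of step S210)."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq  # next byte the proxy process expects
        self.pending = {}            # seq -> payload of segments that came early
        self.stream = bytearray()    # bytes delivered in order so far

    def receive(self, seq, payload):
        """Step S220: queue one segment, then deliver what is now contiguous."""
        if seq < self.next_seq:
            return  # retransmission of delivered data (partial overlaps not handled)
        self.pending.setdefault(seq, payload)  # first copy of a segment wins
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.stream += data
            self.next_seq += len(data)


def complete_request(stream):
    """Return the whole HTTP request once headers and body are present, else None."""
    head, sep, body = bytes(stream).partition(b"\r\n\r\n")
    if not sep:
        return None
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            length = int(value.strip())
    if len(body) < length:
        return None
    return head + sep + body[:length]


def per_packet_verdicts(segments):
    """Related-art behaviour: every TCP payload is inspected on its own."""
    return [SIGNATURE in seg["payload"] for seg in segments]


def proxied_verdict(segments, initial_seq):
    """S210-S230: find the SOCKET by 4-tuple, reassemble, inspect the full request.

    initial_seq maps a 4-tuple to the first expected SEQ, which the device
    learned during the handshake and keeps in its local proxy information.
    """
    sockets = {}
    for seg in segments:
        key = (seg["src_ip"], seg["dst_ip"], seg["src_port"], seg["dst_port"])
        if key not in initial_seq:
            continue  # not a connection this device proxies
        queue = sockets.setdefault(key, SocketQueue(initial_seq[key]))
        queue.receive(seg["seq"], seg["payload"])
    verdicts = {}
    for key, queue in sockets.items():
        request = complete_request(queue.stream)
        if request is None:
            verdicts[key] = "incomplete"
        else:
            verdicts[key] = "block" if SIGNATURE in request else "pass"
    return verdicts


def build_sample():
    """Constructed request cut into three segments; the second cut splits the signature."""
    body = b"user=alice&note=" + SIGNATURE
    raw = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    conn = ("198.51.100.7", "203.0.113.10", 40000, 80)
    base, cut1, cut2 = 1000, 40, len(raw) - 6
    parts = [(base, raw[:cut1]), (base + cut1, raw[cut1:cut2]), (base + cut2, raw[cut2:])]
    segs = [dict(zip(("src_ip", "dst_ip", "src_port", "dst_port"), conn),
                 seq=seq, payload=payload) for seq, payload in parts]
    return [segs[0], segs[2], segs[1]], {conn: base}  # delivered out of order


if __name__ == "__main__":
    sample, isn = build_sample()
    print("per packet:", per_packet_verdicts(sample))
    print("proxied   :", proxied_verdict(sample, isn))
```
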
In some embodiments, Fig. 3 is a flowchart of determining whether each TCP message is related to a server according to an embodiment of the present application. As shown in Fig. 3, the flowchart includes the following steps:
Step S310, it is judged whether each TCP message is a message sent to the server or a message sent by the server.
Step S320, if the TCP message is a message sent to the server or a message sent by the server, the TCP message is matched with the local proxy information.
Step S330, if the TCP message is neither a message sent to the server nor a message sent by the server, a preset action is executed to process the TCP message.
The preset actions include at least one of discarding, forwarding, alerting, and logging.
Through steps S310 to S330, it is determined whether each TCP message is a message sent to the server or a message sent by the server; if so, the TCP message is matched with the local proxy information; if not, the preset action is executed to process the TCP message. Because the embodiment judges whether each TCP message is sent to or by the server, a discarding action can be executed when a junk message is received, and an alarm action can be executed and a log recorded when an attack message is received. This further improves the protection performance of the WAF device and provides more comprehensive protection for the server.
In some embodiments, Fig. 4 is a flowchart of sending the HTTP request data packet corresponding to a plurality of TCP messages to a server according to an embodiment of the present application. As shown in Fig. 4, the flowchart includes the following steps:
Step S410, a SYN message is sent to the server, and the SYN-ACK message replied by the server is received.
Step S420, the SYN-ACK message is matched with the local proxy information.
Step S430, according to the matching result, the HTTP request data packet corresponding to the TCP messages is sent to the server.
Through steps S410 to S430, the SYN-ACK message is matched with the local proxy information, and the HTTP request data packet corresponding to the plurality of TCP messages is sent to the server according to the matching result. This avoids interrupting the communication between another WAF device and the server when a SYN-ACK message belonging to that communication is received, and improves the reliability of the information transmission service during network communication.
In some embodiments, if the SYN-ACK message matches the local proxy information, a first local session is matched according to the SYN-ACK message, and an ACK message is sent to the server through the first local session; the HTTP request data packet corresponding to the TCP messages is then sent to the server through the first local session.
In some embodiments, if the SYN-ACK message does not match the local proxy information, the SYN-ACK message is sent to the other WAF devices via the session synchronization interface.
In some embodiments, Fig. 5 is a flowchart of sending an HTTP response message to a client in an embodiment of the present application. As shown in Fig. 5, the flowchart includes the following steps:
Step S510, the HTTP response message sent by the server is received.
Step S520, the HTTP response message is matched with the local proxy information, and if the HTTP response message does not match the local proxy information, the HTTP response message is sent to the other WAF devices through the session synchronization interface.
Step S530, if the HTTP response message matches the local proxy information, a second local session is matched according to the HTTP response message, and the HTTP response message is sent to the client through the second local session.
Specifically, the HTTP response message may be matched to the second local session that was established when the WAF device and the client transmitted the HTTP request data packet, and the HTTP response message is sent to the corresponding client through the second local session.
Through steps S510 to S530, matching the HTTP response message with the local proxy information avoids the situation in which an HTTP response message belonging to the communication between another WAF device and the server is received, cannot be matched to a second local session, and the communication is interrupted as a result. Matching the second local session according to the HTTP response message and sending the HTTP response message to the corresponding client through that session avoids the HTTP response message being sent to the wrong client when there are multiple clients in the communication system, which further improves the reliability of the information transmission service during network communication.
The embodiments of the present application are described and illustrated below by way of specific examples.
Fig. 6 is a schematic structural diagram of a networking model in an embodiment of the present application, and as shown in fig. 6, the embodiment is described by taking two WAF devices in a communication system as an example.
(1) Two network links are available for communication between the client and the server: the network link where network 1 is located and the network link where network 2 is located. The WAF device 1 is arranged on the network link where network 1 is located, the WAF device 2 is arranged on the network link where network 2 is located, and the WAF device 1 and the WAF device 2 are connected through a session synchronization interface.
(2) The client sends a SYN message, which passes through the WAF device 1. The WAF device 1 judges that the SYN message is a message related to the server, updates the local proxy information according to the SYN message, enters the local proxy process, and sends a SYN-ACK message to the client. After receiving the SYN-ACK message, the client sends an ACK message, which enters the WAF device 1 through the network link where network 1 is located. The WAF device 1 determines that the ACK message is a message related to the server and that it matches the local proxy information, and enters the local proxy process.
(3) The client divides the HTTP request packet into a plurality of TCP messages and transmits them to the WAF device 1. After receiving the TCP messages, the WAF device 1 determines whether each TCP message is a message related to the server, and matches the server-related TCP messages with the local proxy information. After all the TCP messages have been matched, security detection is carried out on all TCP messages that matched the local proxy information, to obtain the security detection result of the HTTP request packet corresponding to the plurality of TCP messages. If the HTTP request packet is detected to be normal, it needs to be forwarded to the server.
(4) The WAF device 1 sends a SYN message to the server; the server sends a SYN-ACK message to the WAF device 2. The WAF device 2 judges that the SYN-ACK message is a message related to the server and matches it with the local proxy information; the match fails, so the WAF device 2 sends the SYN-ACK message to the WAF device 1 through the session synchronization interface. The WAF device 1 receives the SYN-ACK message from the session synchronization interface, matches it to the corresponding first local session, and sends the ACK message to the server through the first local session.
(5) The WAF device 1 sends the HTTP request packet to the server, and the server generates an HTTP response message according to the received HTTP request packet and sends the HTTP response message to the WAF device 2. After receiving the HTTP response message, the WAF device 2 determines that it is a message related to the server but fails to match it with the local proxy information, and sends the HTTP response message to the WAF device 1 through the session synchronization interface. The WAF device 1 receives the HTTP response message from the session synchronization interface, matches it to the first local session, and sends the HTTP response message to the client through the first local session.
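The exchange in steps (2) to (5) can be modelled as below. This is an added illustration, not code from the patent: the addresses, the `WafDevice` and `Segment` names, the direction-independent flow key, the single table entry standing in for both local sessions, and the `stand_in_rule` detection check are all assumptions.

```python
from dataclasses import dataclass

SERVER = ("10.0.0.80", 80)          # constructed address of the protected server
CLIENT = ("192.0.2.10", 40000)      # constructed client, benign request
CLIENT2 = ("192.0.2.11", 40001)     # constructed client, request the rule flags


@dataclass(frozen=True)
class Segment:
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    flags: str            # "SYN", "SYN-ACK", "ACK" or "PSH"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


def flow_key(a, b):
    # Same key for both directions of one connection (assumed key layout).
    return tuple(sorted((a, b)))


def stand_in_rule(request):
    # Placeholder for the detection engine, which the page does not specify.
    return b"/../" in request


class WafDevice:
    def __init__(self, name):
        self.name = name
        self.proxy_info = {}   # flow key -> last SEQ/ACK and queued client data
        self.peers = []        # devices on the session synchronization interface

    def handle(self, seg, via_sync=False):
        """Return the name of the device that processed the segment."""
        if SERVER not in (seg.src, seg.dst):
            return "preset-action"              # not server traffic
        key = flow_key(seg.src, seg.dst)
        if seg.flags == "SYN" and seg.dst == SERVER and not via_sync:
            # A client SYN creates the local proxy entry on this device.
            self.proxy_info[key] = {"seq": seg.seq, "ack": seg.ack, "queue": []}
            return self.name
        entry = self.proxy_info.get(key)
        if entry is not None:                   # matched: update and keep locally
            entry["seq"], entry["ack"] = seg.seq, seg.ack
            if seg.payload and seg.dst == SERVER:
                entry["queue"].append(seg)      # per-connection list of segments
            return self.name
        if via_sync:
            return None                         # this peer does not own it either
        for peer in self.peers:                 # unmatched: hand over to the peers
            owner = peer.handle(seg, via_sync=True)
            if owner:
                return owner
        return "unowned"

    def inspect(self, client, rule):
        """Reassemble the queued request by SEQ, then apply the detection rule."""
        queue = self.proxy_info[flow_key(client, SERVER)]["queue"]
        request = b"".join(s.payload for s in sorted(queue, key=lambda s: s.seq))
        return request, rule(request)


def run_fig6():
    waf1, waf2 = WafDevice("waf1"), WafDevice("waf2")
    waf1.peers, waf2.peers = [waf2], [waf1]
    # (2) client handshake reaches WAF device 1 over network 1
    trace = [waf1.handle(Segment(CLIENT, SERVER, "SYN", 100)),
             waf1.handle(Segment(CLIENT, SERVER, "ACK", 101, 1))]
    # (3) request split into two segments that arrive out of order
    trace.append(waf1.handle(Segment(CLIENT, SERVER, "PSH", 119, 1,
                                     b"TP/1.1\r\nHost: example.test\r\n\r\n")))
    trace.append(waf1.handle(Segment(CLIENT, SERVER, "PSH", 101, 1,
                                     b"GET /index.html HT")))
    request, flagged = waf1.inspect(CLIENT, stand_in_rule)
    # (4)-(5) the server's SYN-ACK and response come back over network 2
    trace.append(waf2.handle(Segment(SERVER, CLIENT, "SYN-ACK", 500, 101)))
    trace.append(waf2.handle(Segment(SERVER, CLIENT, "PSH", 501, 149,
                                     b"HTTP/1.1 200 OK\r\n\r\n")))
    # A second request whose flagged pattern straddles the segment boundary
    waf1.handle(Segment(CLIENT2, SERVER, "SYN", 200))
    waf1.handle(Segment(CLIENT2, SERVER, "PSH", 201, 1, b"GET /static/."))
    waf1.handle(Segment(CLIENT2, SERVER, "PSH", 214, 1,
                        b"./etc/hosts HTTP/1.1\r\n\r\n"))
    _, flagged_split = waf1.inspect(CLIENT2, stand_in_rule)
    return {"trace": trace, "request": request, "flagged": flagged,
            "flagged_split": flagged_split, "waf2_entries": len(waf2.proxy_info),
            "other": waf2.handle(Segment(CLIENT, ("10.0.0.99", 22), "SYN"))}


if __name__ == "__main__":
    print(run_fig6())
```

Every server-side segment that arrives at the second device is handed to the first over the synchronization link, and the second request is flagged only because inspection runs on the reassembled data rather than on each segment.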
It should be noted that the steps illustrated in the above-described flow or flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein. For example, referring to fig. 1, the execution order of step S130 and step S140 may be interchanged, i.e., step S130 may be executed first, and then step S140 may be executed; step S140 may be performed first, and then step S130 may be performed. For another example, in connection with fig. 3, the order of step S320 and step S330 may also be interchanged.
The method embodiment provided in this embodiment may be executed in a terminal, a computer or a similar computing device. Taking the operation on the terminal as an example, fig. 7 is a block diagram of the hardware structure of the terminal of the network security detection method based on the WAF device according to the embodiment of the application. As shown in fig. 7, the terminal 70 may include one or more (only one is shown in fig. 7) processors 702 (the processor 702 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 704 for storing data, and optionally a transmission device 706 for communication functions and an input-output device 708. It will be appreciated by those skilled in the art that the structure shown in fig. 7 is merely illustrative and is not intended to limit the structure of the terminal. For example, the terminal 70 may also include more or fewer components than shown in fig. 7, or have a different configuration than shown in fig. 7.
The memory 704 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to the WAF device-based network security detection method in the embodiment of the present application, and the processor 702 executes the computer program stored in the memory 704 to perform various functional applications and data processing, that is, implement the method described above. Memory 704 may include high-speed random access memory, but may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 704 may further include memory located remotely from the processor 702, which may be connected to the terminal 70 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 706 is used to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the terminal 70. In one example, the transmission device 706 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 706 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
Fig. 8 is a block diagram of a network security detection system based on the WAF device 30 according to an embodiment of the disclosure, and as shown in fig. 8, the network security detection system 100 based on the WAF device 30 includes: a client 10, a server 20, and a plurality of WAF devices 30 disposed between the client 10 and the server 20, wherein:
each WAF device 30 is provided with a session synchronization interface 31 (not shown in fig. 8) and a security service interface 32 (not shown in fig. 8), and the session synchronization interfaces 31 of the plurality of WAF devices 30 are connected by a network cable;
each WAF device 30 is configured to receive a TCP packet through the security service interface 32, perform security detection on a TCP packet that matches the local proxy information, and transmit a TCP packet that does not match the local proxy information to other WAF devices 30 through the session synchronization interface 31.
It should be noted that only 3 WAF devices are shown in fig. 8, and the rest of the WAF devices are not shown in fig. 8. The WAF device 30-based network security detection system 100 may have more than 3 WAF devices, possibly 6 WAF devices or 7 WAF devices, and the present embodiment does not limit the number of WAF devices.
In some of these embodiments, the IP addresses of session synchronization interfaces 31 of multiple WAF devices 30 are in the same network segment.
In some embodiments, WAF device 30 is further configured to extract target feature data from the TCP message if the TCP message matches the local proxy information, and update the local proxy information according to the target feature data; the target feature data includes a source IP, a destination IP, a source port, a destination port, a SEQ sequence number, and an ACK sequence number.
In some embodiments, WAF device 30 is further configured to determine the SOCKET corresponding to the TCP packet according to the source IP, the destination IP, the source port, and the destination port, and store the TCP packet in a linked list of the SOCKET; control the process corresponding to the SOCKET to carry out packet-receiving processing on the TCP packet; and carry out security detection on all the TCP packets that have completed the packet-receiving processing, to obtain security detection results of the HTTP request packets corresponding to the plurality of TCP packets.
In some embodiments, WAF device 30 is further configured to determine whether each TCP packet is a packet addressed to server 20 or a packet sent by server 20; if the TCP message is a message sent to the server 20 or a message sent by the server 20, matching the TCP message with the local proxy information; if the message is not the message sent to the server 20 or the message sent by the server 20, a preset action is executed to process the TCP message.
In some embodiments, WAF device 30 is further configured to send a SYN message to server 20, and receive a SYN-ACK message replied by server 20; match the SYN-ACK message with the local proxy information; and, according to the matching result, send the HTTP request packets corresponding to the TCP messages to the server 20.
In some embodiments, WAF device 30 is further configured to, if the SYN-ACK message matches the local proxy information, match the SYN-ACK message to a first local session and send an ACK message to server 20 through the first local session; the HTTP request packets corresponding to the plurality of TCP packets are sent to the server 20 through the first local session.
In some embodiments, the WAF device 30 is further configured to send the SYN-ACK message to other WAF devices 30 through the session synchronization interface 31 if the SYN-ACK message does not match the local proxy information.
In some embodiments, WAF device 30 is further configured to receive an HTTP response message sent by server 20; match the HTTP response message with the local proxy information, and if the HTTP response message does not match the local proxy information, send the HTTP response message to other WAF devices 30 through the session synchronization interface 31; if the HTTP response message matches the local proxy information, match the HTTP response message to a second local session and send the HTTP response message to the client 10 through the second local session.
This embodiment also provides a network security detection device based on the WAF device, which is used for implementing the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the terms "module," "unit," "sub-unit," and the like may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 9 is a block diagram of a network security detection device based on a WAF device according to an embodiment of the disclosure, and as shown in fig. 9, the network security detection device 900 based on a WAF device includes:
An obtaining module 910, configured to obtain a plurality of TCP packets.
A matching module 930, configured to match each TCP packet with the local proxy information.
A forwarding module 950, configured to send the unmatched TCP packet to other WAF devices through the session synchronization interface if the TCP packet does not match the local proxy information.
A detection module 960, configured to perform security detection on all the matched TCP packets if the TCP packets match the local proxy information, so as to obtain security detection results of the HTTP request packets corresponding to the plurality of TCP packets.
In some of these embodiments, the WAF device-based network security detection apparatus further includes an update module 940;
An updating module 940, configured to extract the target feature data from the TCP packet and update the local proxy information according to the target feature data if the TCP packet matches the local proxy information.
In some of these embodiments, the target feature data includes a source IP, a destination IP, a source port, a destination port, a SEQ sequence number, and an ACK sequence number.
In some embodiments, the detection module 940 includes a storage unit, a packet receiving unit, and a detection unit, where:
A storage unit, configured to determine the SOCKET corresponding to the TCP message according to the source IP, the destination IP, the source port and the destination port, and to store the TCP message in a linked list of the SOCKET.
A packet receiving unit, configured to control the process corresponding to the SOCKET to receive the TCP message.
A detection unit, configured to carry out security detection on all the TCP messages that have completed the packet-receiving processing, to obtain security detection results of the HTTP request packets corresponding to the TCP messages.
In some embodiments, the WAF device-based network security detection apparatus further includes a determination module 960;
A determination module 960, configured to determine whether each TCP packet is a packet sent to the server or a packet sent by the server; if the TCP packet is a packet sent to the server or a packet sent by the server, match the TCP packet with the local proxy information; if it is neither a packet sent to the server nor a packet sent by the server, execute the preset action to process the TCP packet.
In some embodiments, the WAF device-based network security detection apparatus further includes a transmission module 970, the transmission module 970 including a transceiver unit, a matching unit, and a transmission unit, wherein:
A transceiver unit, configured to send the SYN message to the server and receive the SYN-ACK message replied by the server.
A matching unit, configured to match the SYN-ACK message with the local proxy information.
A transmission unit, configured to send the HTTP request packets corresponding to the plurality of TCP messages to the server according to the matching result.
In some of these embodiments, the transmission unit comprises a first transmission subunit;
A first transmission subunit, configured to, if the SYN-ACK packet matches the local proxy information, match the SYN-ACK packet to a first local session and send an ACK packet to the server through the first local session; and to send the HTTP request packets corresponding to the TCP messages to the server through the first local session.
In some of these embodiments, the transmission unit comprises a second transmission subunit;
A second transmission subunit, configured to send the SYN-ACK message to other WAF devices through the session synchronization interface if the SYN-ACK message does not match the local proxy information.
In some embodiments, the transmission module 970 is further configured to receive an HTTP response message sent by the server; match the HTTP response message with the local proxy information, and if the HTTP response message does not match the local proxy information, transmit the HTTP response message to other WAF devices through a session synchronization interface; if the HTTP response message matches the local proxy information, match the HTTP response message to a second local session and send the HTTP response message to the client through the second local session.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:
S1, acquiring a plurality of TCP messages.
S2, matching each TCP message with the local proxy information.
S3, if the TCP message is not matched with the local proxy information, sending the unmatched TCP message to other WAF devices through a session synchronization interface.
S4, if the TCP message is matched with the local proxy information, carrying out security detection on all matched TCP messages to obtain security detection results of the HTTP request data packets corresponding to the plurality of TCP messages.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and this embodiment is not repeated herein.
In addition, in combination with the network security detection method based on the WAF device in the above embodiments, the embodiments of the present application may be implemented by providing a storage medium. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the WAF device-based network security detection methods of the above embodiments.
It should be understood by those skilled in the art that the technical features of the above embodiments may be combined in any manner, and for brevity, all of the possible combinations of the technical features of the above embodiments are not described, however, they should be considered as being within the scope of the description provided herein, as long as there is no contradiction between the combinations of the technical features.
The foregoing examples represent only a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (9)

1. A network security detection method based on WAF equipment, the method comprising:
acquiring a plurality of TCP messages;
matching each TCP message with the local proxy information;
if the TCP message is not matched with the local proxy information, the unmatched TCP message is sent to other WAF equipment through a session synchronization interface;
if the TCP message is matched with the local proxy information, carrying out security detection on all matched TCP messages to obtain security detection results of HTTP request data packets corresponding to a plurality of TCP messages;
before said matching each of said TCP messages with the local proxy information, said method further comprises:
judging whether each TCP message is a message sent to a server or a message sent by the server;
if the TCP message is a message sent to the server or a message sent by the server, matching the TCP message with the local proxy information;
if the message is not the message sent to the server or the message sent by the server, executing a preset action to process the TCP message;
the method further comprises the steps of:
if the TCP message is matched with the local proxy information, extracting target characteristic data from the TCP message, and updating the local proxy information according to the target characteristic data, wherein the target characteristic data comprises a source IP, a target IP, a source port, a target port, an SEQ serial number and an ACK serial number;
the step of carrying out security detection on all the matched TCP messages to obtain security detection results of the HTTP request data packets corresponding to a plurality of TCP messages comprises the following steps:
determining a SOCKET corresponding to the TCP message according to the source IP, the destination IP, the source port and the destination port, and storing the TCP message in a linked list of the SOCKET;
controlling the process corresponding to the SOCKET to carry out packet receiving processing on the TCP message;
and carrying out security detection on all the TCP messages which are subjected to the packet receiving processing to obtain security detection results of the HTTP request data packets corresponding to a plurality of TCP messages.
2. The method according to claim 1, wherein after performing security detection on all matched TCP packets to obtain security detection results of HTTP request packets corresponding to a plurality of TCP packets, the method further comprises:
sending a SYN message to a server, and receiving a SYN-ACK message replied by the server;
matching the SYN-ACK message with the local proxy information;
and sending the HTTP request data packets corresponding to the TCP messages to a server according to the matching result.
3. The method according to claim 2, wherein the sending the HTTP request packets corresponding to the plurality of TCP packets to the server according to the matching result includes:
if the SYN-ACK message is matched with the local proxy information, matching the SYN-ACK message to a first local session, and sending an ACK message to the server through the first local session;
and sending HTTP request data packets corresponding to the TCP messages to the server through the first local session.
4. A method according to claim 3, characterized in that the method further comprises:
and if the SYN-ACK message is not matched with the local proxy information, the SYN-ACK message is sent to other WAF equipment through a session synchronization interface.
5. The method according to claim 2, wherein after sending the HTTP request packets corresponding to the plurality of TCP packets to a server, the method further comprises:
receiving an HTTP response message sent by the server;
matching the HTTP response message with the local proxy information, and if the HTTP response message is not matched with the local proxy information, sending the HTTP response message to other WAF devices through a session synchronization interface;
and if the HTTP response message is matched with the local proxy information, matching the HTTP response message to a second local session, and sending the HTTP response message to the client through the second local session.
6. A WAF device-based network security detection system, comprising: a client, a server, and a plurality of WAF devices disposed between the client and the server, wherein:
each WAF device is provided with a session synchronization interface and a security service interface, and the session synchronization interfaces of a plurality of WAF devices are connected through a network cable;
each WAF device is used for receiving a TCP message through the security service interface, carrying out security detection on the TCP message matched with the local proxy information, and transmitting the TCP message not matched with the local proxy information to other WAF devices through the session synchronization interface;
each WAF device is used for receiving TCP messages through the security service interface and judging whether each TCP message is a message sent to a server or a message sent by the server;
if the TCP message is a message sent to the server or a message sent by the server, matching the TCP message with the local proxy information;
if the message is not the message sent to the server or the message sent by the server, executing a preset action to process the TCP message;
if the TCP message is matched with the local proxy information, extracting target characteristic data from the TCP message, and updating the local proxy information according to the target characteristic data, wherein the target characteristic data comprises a source IP, a target IP, a source port, a target port, an SEQ serial number and an ACK serial number;
the step of carrying out security detection on all the matched TCP messages to obtain security detection results of the HTTP request data packets corresponding to a plurality of TCP messages comprises the following steps:
determining a SOCKET corresponding to the TCP message according to the source IP, the destination IP, the source port and the destination port, and storing the TCP message in a linked list of the SOCKET;
controlling the process corresponding to the SOCKET to carry out packet receiving processing on the TCP message;
and carrying out security detection on all the TCP messages which are subjected to the packet receiving processing to obtain security detection results of the HTTP request data packets corresponding to a plurality of TCP messages.
7. The system of claim 6, wherein IP addresses of session synchronization interfaces of a plurality of said WAF devices are in a same network segment.
8. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the WAF device based network security detection method of any one of claims 1 to 5.
9. A storage medium having a computer program stored therein, wherein the computer program is configured to perform the WAF device-based network security detection method of any one of claims 1 to 5 when run.
CN202010847754.6A 2020-08-21 2020-08-21 WAF equipment-based network security monitoring method, system and electronic device Active CN112165447B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010847754.6A CN112165447B (en) 2020-08-21 2020-08-21 WAF equipment-based network security monitoring method, system and electronic device

Publications (2)

Publication Number Publication Date
CN112165447A CN112165447A (en) 2021-01-01
CN112165447B true CN112165447B (en) 2023-12-19

Family

ID=73859662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010847754.6A Active CN112165447B (en) 2020-08-21 2020-08-21 WAF equipment-based network security monitoring method, system and electronic device

Country Status (1)

Country Link
CN (1) CN112165447B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866238B (en) * 2021-01-15 2022-07-05 杭州迪普科技股份有限公司 Session control method and device
CN113271305B (en) * 2021-05-17 2022-04-22 新华三信息安全技术有限公司 Attack detection method and device and web application level intrusion prevention system WAF
CN113630417B (en) * 2021-08-12 2023-09-26 杭州安恒信息安全技术有限公司 WAF-based data transmission method, WAF-based data transmission device, WAF-based electronic device and storage medium
CN114070596A (en) * 2021-11-10 2022-02-18 上海钧正网络科技有限公司 Performance optimization method, system, terminal and medium of Web application protection system
CN116192533B (en) * 2023-04-24 2023-07-21 远江盛邦(北京)网络安全科技股份有限公司 WAF deployment system, WAF deployment method, WAF deployment equipment and WAF deployment medium

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1941777A (en) * 2002-11-28 2007-04-04 株式会社Ntt都科摩 Communication control apparatus, firewall apparatus, and data communication method
CN101572700A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Method for defending HTTP Flood distributed denial-of-service attack
CN101656677A (en) * 2009-09-18 2010-02-24 杭州迪普科技有限公司 Message diversion processing method and device
CN102821099A (en) * 2012-07-24 2012-12-12 北京星网锐捷网络技术有限公司 Message forwarding method, message forwarding equipment and message forwarding system
CN103997479A (en) * 2013-02-17 2014-08-20 杭州华三通信技术有限公司 Asymmetric service IP proxy method and equipment
CN105516080A (en) * 2015-11-24 2016-04-20 网宿科技股份有限公司 Processing method, apparatus, and system for TCP connection
CN105959313A (en) * 2016-06-29 2016-09-21 杭州迪普科技有限公司 Method and device for preventing HTTP proxy attack
CN106789993A (en) * 2016-12-09 2017-05-31 锐捷网络股份有限公司 TCP agent method and device
CN107181605A (en) * 2016-03-09 2017-09-19 阿里巴巴集团控股有限公司 Message detecting method and system, contents extraction device, flow matches device
WO2017161938A1 (en) * 2016-03-22 2017-09-28 华为技术有限公司 Packet transmission method and device
CN107770193A (en) * 2017-11-17 2018-03-06 新华三信息安全技术有限公司 A kind of rule matching method, device, firewall box and storage medium
CN107872368A (en) * 2017-11-22 2018-04-03 杭州华为数字技术有限公司 Detection method, device and the terminal of gateway accessibility in a kind of network node cluster
CN108259294A (en) * 2017-02-28 2018-07-06 新华三技术有限公司 Message processing method and device
CN110098981A (en) * 2019-04-29 2019-08-06 厦门网宿有限公司 TCP connection method, network delay determine method, apparatus and server
CN111130982A (en) * 2019-12-31 2020-05-08 迈普通信技术股份有限公司 Message forwarding method and device, gateway equipment and readable storage medium
CN111385270A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 WAF-based network attack detection method and device

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1941777A (en) * 2002-11-28 2007-04-04 株式会社Ntt都科摩 Communication control apparatus, firewall apparatus, and data communication method
CN101572700A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Method for defending HTTP Flood distributed denial-of-service attack
CN101656677A (en) * 2009-09-18 2010-02-24 杭州迪普科技有限公司 Message diversion processing method and device
CN102821099A (en) * 2012-07-24 2012-12-12 北京星网锐捷网络技术有限公司 Message forwarding method, message forwarding equipment and message forwarding system
CN103997479A (en) * 2013-02-17 2014-08-20 杭州华三通信技术有限公司 Asymmetric service IP proxy method and equipment
CN105516080A (en) * 2015-11-24 2016-04-20 网宿科技股份有限公司 Processing method, apparatus, and system for TCP connection
CN107181605A (en) * 2016-03-09 2017-09-19 阿里巴巴集团控股有限公司 Message detecting method and system, contents extraction device, flow matches device
WO2017161938A1 (en) * 2016-03-22 2017-09-28 华为技术有限公司 Packet transmission method and device
CN105959313A (en) * 2016-06-29 2016-09-21 杭州迪普科技有限公司 Method and device for preventing HTTP proxy attack
CN106789993A (en) * 2016-12-09 2017-05-31 锐捷网络股份有限公司 TCP agent method and device
CN108259294A (en) * 2017-02-28 2018-07-06 新华三技术有限公司 Message processing method and device
CN107770193A (en) * 2017-11-17 2018-03-06 新华三信息安全技术有限公司 A kind of rule matching method, device, firewall box and storage medium
CN107872368A (en) * 2017-11-22 2018-04-03 杭州华为数字技术有限公司 Detection method, device and the terminal of gateway accessibility in a kind of network node cluster
CN111385270A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 WAF-based network attack detection method and device
CN110098981A (en) * 2019-04-29 2019-08-06 厦门网宿有限公司 TCP connection method, network delay determine method, apparatus and server
CN111130982A (en) * 2019-12-31 2020-05-08 迈普通信技术股份有限公司 Message forwarding method and device, gateway equipment and readable storage medium

Also Published As

Publication number Publication date
CN112165447A (en) 2021-01-01

Similar Documents

Publication Publication Date Title
CN112165447B (en) WAF equipment-based network security monitoring method, system and electronic device
CN107864228B (en) Connection establishment method and system in content distribution network
US10355961B2 (en) Network traffic capture analysis
US9491261B1 (en) Remote messaging protocol
CN106817264B (en) Method, device and system for detecting link fault
US9800593B2 (en) Controller for software defined networking and method of detecting attacker
US10594844B2 (en) Method and system for wireless network bilateral accelerated transmission
CN110011892B (en) Communication method of virtual private network and related device
US20110047261A1 (en) Information communication apparatus, information communication method, and program
WO2015027049A1 (en) Connectivity services application programming interface
CN103227777B (en) Method for preventing DPD detection failures from causing IPsec tunnel flapping
JP5273001B2 (en) COMMUNICATION SYSTEM, TERMINAL DEVICE, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM
CN107623752B (en) Network management method and device based on link layer
WO2019085923A1 (en) Data processing method and device, and computer
CN112152880A (en) Link health detection method and device
JP2022079634A (en) Communication relay device and data relay method
US11516294B2 (en) Switch device, monitoring method and monitoring program
CN111935108B (en) Cloud data security access control method and device, electronic device and storage medium
CN112887312B (en) Slow protocol message processing method and related device
EP3414877A1 (en) Technique for transport protocol selection and setup of a connection between a client and a server
CN113872949B (en) Address resolution protocol response method and related device
CN112929417B (en) Message processing method and device
WO2022041827A1 (en) Transmission method and apparatus for mobile network detection information, and storage medium
CN111225015B (en) Method and device for realizing remote FTP transmission
CN113746807A (en) Block chain node point support cryptographic algorithm communication detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant