CN112584383B - Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment - Google Patents

Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment

Info

Publication number
CN112584383B
Authority
CN (China)
Prior art keywords
indication, access, historical, parameters, target
Legal status
Active
Application number
CN202110217750.4A
Other languages
Chinese (zh)
Other versions
CN112584383A (en)
Inventors
曾庆初, 高华辰
Current Assignee
Yichen Shenzhen Technology Co ltd
Original Assignee
Yichen Shenzhen Technology Co ltd
Application filed by Yichen Shenzhen Technology Co ltd; priority to CN202110217750.4A; publication of CN112584383A; application granted; publication of CN112584383B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0263 Rule management

Abstract

The invention discloses an intelligent firewall configuration method and device based on multiple network ports of wireless network equipment, and relates to the technical field of network configuration. The invention comprises the following steps: in response to an external network configuration protocol data packet sent by an upper-level router, intercepting the external network configuration protocol data packet on a Forward chain configured by the local wireless network equipment according to a first preset rule; in response to an intranet configuration protocol data packet sent by local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule; and determining the operation of an access indication according to whether the access destination address matches the address pre-configured by the local terminal equipment. Compared with the prior art, in which the LAN interface and the WAN interface can each only carry network traffic on the one side for which it is responsible, these steps provide an intelligent firewall configuration scheme based on multiple network ports of the wireless network equipment with a wider application range.

Description

Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment
Technical Field
The invention relates to the technical field of network configuration, in particular to an intelligent firewall configuration method and device based on multiple network ports of wireless network equipment.
Background
At present, wireless network devices generally include WAN interfaces and LAN interfaces. As some production environments change, the number of local terminal devices connected to the LAN interfaces and the number of upper-level routers connected to the WAN interfaces keep growing, and at the same time neither number is fixed. Existing wireless network devices can therefore only provide a large number of interfaces in order to meet the number of device connections required by users; but not all production environments are alike, so the interfaces of a wireless network device are sometimes insufficient and sometimes idle. In the prior art, the firewall acts as a security barrier but also becomes an obstacle to the mutual conversion between the WAN interface and the LAN interface.
In view of this, it is necessary for those skilled in the art to provide an intelligent firewall configuration scheme based on multiple network ports of a wireless network device, which has a wider application range.
Disclosure of Invention
The invention aims to provide an intelligent firewall configuration method and device based on multiple network ports of wireless network equipment.
In a first aspect, an embodiment of the present invention provides an intelligent firewall configuration method based on multiple network ports of a wireless network device, which is applied to a local wireless network device, where the local wireless network device includes multiple bridge interfaces, and the local wireless network device is in communication connection with a local terminal device and an upper-level router through the bridge interfaces, and the method includes:
responding to an external network configuration protocol data packet sent by an upper-level router, intercepting the external network configuration protocol data packet on a Forward chain configured by the local wireless network equipment according to a first preset rule, wherein the upper-level router configures an external network IP address for the local terminal equipment through the external network configuration protocol data packet;
responding to an intranet configuration protocol data packet sent by local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule, and acquiring an intranet IP address of the local terminal equipment by an upper-level router through the intranet configuration protocol data packet;
acquiring an access instruction of local terminal equipment, wherein the access instruction comprises an access destination address;
when the access destination address is not matched with the address pre-configured by the local terminal equipment, carrying out network address conversion on the access destination address;
and when the access destination address is matched with the address pre-configured by the local terminal equipment, executing corresponding operation according to the access instruction.
Optionally, when the access destination address matches an address preconfigured in the local terminal device, performing a corresponding operation according to the access instruction, including:
acquiring a current access instruction;
determining a first association relationship between the content indicative of the access indication and the content indicative of the historical characteristic access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the historical characteristic access indication to obtain a plurality of first elements and a plurality of second elements, and determining a first association value between each first element and each second element to obtain a first association relation, wherein the historical characteristic access indication is determined based on access operation in a historical time period;
processing the historical characteristic access indication and the access indication according to the first incidence relation to obtain a target indication parameter;
determining a second association relationship between the indication content of the target indication parameters and the indication content of the access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the target indication parameters to obtain a plurality of third elements and a plurality of fourth elements, and determining a second association value between each third element and each fourth element to obtain a second association relation;
determining a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters based on the second correlation value, wherein the second preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the target indication parameters;
according to the second preset weight and the generation time of the indication parameters in the target indication parameters, determining undetermined indication parameters from the target indication parameters to obtain a second undetermined indication parameter set, wherein the indication content of the access indication comprises: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the target indication parameter comprises: the indication mark of each indication parameter in the target indication parameters and the generation time in the target indication parameters;
determining a second target indication parameter from the second set of pending indication parameters based on the known indication parameters and the operation timing in the access indication;
and generating corresponding indication parameters at corresponding positions in the access indication based on the operation time sequence and the indication marks corresponding to the second target indication parameters so as to carry out indication parameter inspection on the access indication and obtain an access indication result.
Optionally, the indication content of the access indication includes: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the historical feature access indication includes: an indication mark of each indication parameter in the historical characteristic access indication and the generation time in the historical characteristic access indication; and processing the historical characteristic access indication and the access indication according to the first incidence relation to obtain the target indication parameter includes the following steps:
extracting undetermined indication parameters meeting the access indication space constraint from the historical characteristic access indication to obtain a first undetermined indication parameter set;
determining a first preset weight of each indication parameter in the access indication relative to each indication parameter in the historical characteristic access indication based on the first correlation value, wherein the first preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the historical characteristic access indication;
determining corresponding undetermined indication parameters from the first to-be-determined indication parameter set according to the sequence of the first preset weight from high to low, and using the undetermined indication parameters as first target indication parameters;
and generating corresponding indication parameters at corresponding positions in the access indication according to the generation time of the first target indication parameters in the historical characteristic access indication and the indication marks corresponding to the first target indication parameters, to obtain the target indication parameters.
Optionally, obtaining the current access indication includes:
acquiring a current known indication parameter;
determining an initial access indication based at least on the current known indication parameter;
and performing characteristic association processing on the initial access indication through a self-attention mechanism to obtain the access indication.
Optionally, performing feature association processing on the initial access indication through a self-attention mechanism to obtain an access indication, including:
constructing a knowledge graph tree of known indication parameters in the initial access indication;
determining a correlation value between every two known indication parameters in the initial access indication according to the knowledge graph tree of the known indication parameters;
determining a third preset weight of each known indicator in the initial access indication relative to other known indicators based on a correlation value between every two known indicators, wherein the third preset weight is used for reflecting the credibility of each indicator in the initial access indication to other known indicators in the initial access indication;
and adjusting the knowledge graph tree of the known indication parameters in the initial access indication according to the third preset weight to obtain the access indication.
Optionally, determining the historical feature access indication based on the access operations within the historical time period comprises:
acquiring access operation in a historical time period;
constructing a plurality of historical access instructions according to preset access time nodes and access operations;
aligning a plurality of historical access instructions according to time, determining an instruction parameter with the highest frequency of occurrence under the same operation node from the aligned plurality of historical access instructions, and constructing and obtaining a target historical access instruction according to the instruction parameter with the highest frequency of occurrence under the same operation node;
and performing characteristic association processing on the target historical access indication through a self-attention mechanism to obtain a historical characteristic access indication.
Optionally, performing feature association processing on the target historical access instruction through a self-attention mechanism to obtain a historical feature access instruction, including:
constructing a knowledge graph tree of each indication parameter in the target historical access indication;
determining a correlation value between every two indication parameters in the target historical access indication according to the knowledge graph tree of each indication parameter;
determining a fourth preset weight of each indication parameter in the target historical access indication relative to other indication parameters based on a correlation value between every two indication parameters, wherein the fourth preset weight is used for reflecting the credibility of each indication parameter in the target historical access indication to other indication parameters in the indication;
and adjusting the knowledge graph tree of the indication parameters in the target historical access indication according to the fourth preset weight to obtain the historical feature access indication.
Optionally, determining the historical feature access indication based on the access operations within the historical time period comprises:
acquiring access operation in a historical time period;
constructing a plurality of historical access instructions according to preset access time nodes and access operations;
and processing the plurality of historical access instructions through an attention mechanism to obtain historical characteristic access instructions.
In a second aspect, an embodiment of the present invention provides an intelligent firewall configuration apparatus based on multiple network ports of a wireless network device, which is applied to a local wireless network device, where the local wireless network device includes multiple bridge interfaces, and the local wireless network device is in communication connection with a local terminal device and an upper-level router through the bridge interfaces, and the apparatus includes:
the response module is used for responding to an external network configuration protocol data packet sent by an upper-level router, intercepting the external network configuration protocol data packet on a Forward chain configured by the local wireless network equipment according to a first preset rule, and configuring an external network IP address for the local terminal equipment by the upper-level router through the external network configuration protocol data packet; responding to an intranet configuration protocol data packet sent by local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule, and acquiring an intranet IP address of the local terminal equipment by an upper-level router through the intranet configuration protocol data packet;
the acquisition module is used for acquiring an access instruction of the local terminal equipment, wherein the access instruction comprises an access destination address;
the execution module is used for carrying out network address conversion on the access destination address when the access destination address is not matched with the address pre-configured by the local terminal equipment; and when the access destination address is matched with the address pre-configured by the local terminal equipment, executing corresponding operation according to the access instruction.
Optionally, the execution module is specifically configured to:
acquiring a current access instruction; determining a first association relationship between the content indicative of the access indication and the content indicative of the historical characteristic access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the historical characteristic access indication to obtain a plurality of first elements and a plurality of second elements, and determining a first association value between each first element and each second element to obtain a first association relation, wherein the historical characteristic access indication is determined based on access operation in a historical time period; processing the historical characteristic access indication and the access indication according to the first incidence relation to obtain a target indication parameter; determining a second association relationship between the indication content of the target indication parameters and the indication content of the access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the target indication parameters to obtain a plurality of third elements and a plurality of fourth elements, and determining a second association value between each third element and each fourth element to obtain a second association relation; determining a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters based on the second correlation value, wherein the second preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the target indication parameters; according to the second preset weight and the generation time of the indication parameters in the target indication parameters, determining undetermined indication parameters from the target indication parameters to obtain a second undetermined indication parameter set, wherein the indication content of the access indication comprises: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the target indication parameter comprises: the indication mark of each indication parameter in the target indication parameters and the generation time in the target indication parameters; determining a second target indication parameter from the second set of pending indication parameters based on the known indication parameters and the operation timing in the access indication; and generating corresponding indication parameters at corresponding positions in the access indication based on the operation time sequence and the indication marks corresponding to the second target indication parameters so as to carry out indication parameter inspection on the access indication and obtain an access indication result.
Compared with the prior art, the beneficial effects provided by the invention comprise: by adopting the intelligent firewall configuration method and device based on the multiple network ports of the wireless network equipment, which are provided by the embodiment of the invention, the external network configuration protocol data packet is intercepted on a Forward chain configured by the local wireless network equipment according to a first preset rule by responding to the external network configuration protocol data packet sent by the upper-level router, and the upper-level router configures an external network IP address for the local terminal equipment through the external network configuration protocol data packet; then responding to an intranet configuration protocol data packet sent by the local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule, and acquiring an intranet IP address of the local terminal equipment by the upper-level router through the intranet configuration protocol data packet; then obtaining an access instruction of the local terminal equipment, wherein the access instruction comprises an access destination address; then when the access destination address is not matched with the address pre-configured by the local terminal equipment, carrying out network address conversion on the access destination address; and then when the access destination address is matched with the address pre-configured by the local terminal equipment, corresponding operation is executed according to the access instruction, and through the steps, the data packet on the relevant chain of the firewall is skillfully intercepted, so that the intelligent firewall configuration scheme based on the multiple network ports of the wireless network equipment with wider application range is realized.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments will be briefly described below. It is appreciated that the following drawings depict only certain embodiments of the invention and are therefore not to be considered limiting of its scope. For a person skilled in the art, it is possible to derive other relevant figures from these figures without inventive effort.
Fig. 1 is an interaction diagram of an intelligent firewall configuration system based on multiple network ports of a wireless network device according to an embodiment of the present invention;
fig. 2 is a schematic flowchart illustrating steps of a method for configuring an intelligent firewall based on multiple network ports of a wireless network device according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an intelligent firewall configuration apparatus based on multiple network ports of a wireless network device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it is also to be noted that, unless otherwise explicitly stated or limited, the terms "disposed" and "connected" are to be interpreted broadly, and for example, "connected" may be a fixed connection, a detachable connection, or an integral connection; can be mechanically or electrically connected; the connection may be direct or indirect via an intermediate medium, and may be a communication between the two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The following detailed description of embodiments of the invention refers to the accompanying drawings.
Fig. 1 is an interaction diagram of an intelligent firewall configuration system based on multiple network ports of a wireless network device according to an embodiment of the present disclosure. The intelligent firewall configuration system based on the multiple network ports of the wireless network device can comprise a local wireless network device 10, and a local terminal device 20 and an upper-level router 30 which are in communication connection with the local wireless network device 10 through multiple bridge ports. The intelligent firewall configuration system based on multiple network ports of the wireless network device shown in fig. 1 is only one possible example, and in other possible embodiments, the intelligent firewall configuration system based on multiple network ports of the wireless network device may also include only one of the components shown in fig. 1 or may also include other components.
In this embodiment, the local terminal device 20 may comprise a mobile device, a tablet computer, a laptop computer, etc., or any combination thereof. In some embodiments, the mobile device may include a smart home device, a wearable device, a smart mobile device, a virtual reality device, an augmented reality device, or the like, or any combination thereof. In some embodiments, the smart home devices may include control devices of smart electrical devices, smart monitoring devices, smart televisions, smart cameras, and the like, or any combination thereof. In some embodiments, the wearable device may include a smart bracelet, a smart lace, smart glass, a smart helmet, a smart watch, a smart garment, a smart backpack, a smart accessory, or the like, or any combination thereof. In some embodiments, the smart mobile device may include a smartphone, a personal digital assistant, a gaming device, and the like, or any combination thereof. In some embodiments, the virtual reality device and/or the augmented reality device may include a virtual reality helmet, virtual reality glass, a virtual reality patch, an augmented reality helmet, augmented reality glass, an augmented reality patch, or the like, or any combination thereof. For example, the virtual reality device and/or augmented reality device may include various virtual reality products and the like.
In this embodiment, the local wireless network device 10, the local terminal device 20, and the upper level router 30 in the intelligent firewall configuration system based on multiple network ports of the wireless network device may execute the intelligent firewall configuration method based on multiple network ports of the wireless network device through cooperation, which is described in the following method embodiment, and the specific steps of executing the local wireless network device 10, the local terminal device 20, and the upper level router 30 may refer to the detailed description of the following method embodiment.
To solve the technical problem in the foregoing background, fig. 2 is a schematic flowchart of a method for configuring an intelligent firewall based on multiple network ports of a wireless network device according to an embodiment of the present disclosure, where the method for configuring an intelligent firewall based on multiple network ports of a wireless network device according to the present embodiment may be executed by the local wireless network device 10 shown in fig. 1, and the method for configuring an intelligent firewall based on multiple network ports of a wireless network device is described in detail below.
Step 201, in response to the extranet configuration protocol packet sent by the upper level router 30, intercepting the extranet configuration protocol packet on a Forward chain configured by the local wireless network device 10 according to a first preset rule.
The upper level router 30 configures an IP address of the external network for the local terminal 20 through an IP packet.
Step 202, in response to the intranet configuration protocol data packet sent by the local terminal device 20, intercepting the intranet configuration protocol data packet on the forwarding chain configured by the local wireless network device 10 according to a second preset rule.
The upper level router 30 obtains the intranet IP address of the local terminal device 20 through the intranet configuration protocol data packet.
Step 203, obtaining an access instruction of the local terminal device 20, where the access instruction includes an access destination address.
Step 204, when the access destination address does not match the address pre-configured by the local terminal device 20, network address translation is performed on the access destination address.
Step 205, when the access destination address matches with the address pre-configured by the local terminal device 20, the corresponding operation is executed according to the access instruction.
In the embodiment of the present invention, every physical port is placed in its own VLAN, and all of them are bound to a single bridge interface br-LAN, which serves as both LAN port and WAN port; in other words, the local wireless network device 10 may configure several bridge interfaces in this way. To make such a configuration work, the following problem of the prior art has to be solved: the local wireless network device 10 runs its own DHCP server, which assigns IP addresses through the br-LAN bridge interface to the hosts attached on the LAN side (the local terminal device 20), while the WAN interface is connected to the upper-level router 30; if the upper-level router 30 also runs a DHCP server, the IP address of the WAN interface is likewise obtained through the br-LAN bridge interface, so each DHCP server can reach the hosts on the other side of the device.
First, the DHCP server of the upper-level router must be prevented from handing IP addresses to LAN-side hosts through the br-LAN interface. As can be seen from the figure, a DHCP packet that has passed the routing decision traverses the FORWARD chain of the firewall, so it suffices to intercept all DHCP packets on the FORWARD chain (the address that the router's own br-LAN interface obtains goes through the INPUT chain, so there is no conflict). Because these packets are bridged between ports of br-LAN, the physdev match is used; note that bridged frames only traverse the iptables chains when the kernel's bridge netfilter hooks are enabled (sysctl net.bridge.bridge-nf-call-iptables=1). The first preset rule on the router is as follows:
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -p udp --dport 67 -j DROP (this rule intercepts DHCP request packets, UDP destination port 67);
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -p udp --sport 67 -j DROP (this rule intercepts DHCP response packets, UDP source port 67).
The corresponding rules then appear in the FORWARD chain of the firewall filter table. Second, the DHCP server on the LAN side of the router must be prevented from assigning an IP address to the upper-level router. According to the traversal order of the firewall, the DHCP packets by which the external side would acquire an IP address are intercepted in the PREROUTING chain; the second preset rule on the router is as follows:
iptables -t mangle -I PREROUTING 1 -m physdev --physdev-in eth3 -p udp --dport 67 -j DROP
Here it must first be determined which port is connected to the external network; eth3 is assumed to be that port, and the rule for any other port has the same form. The port facing the external network is determined as follows: once the WAN port has acquired its IP address, start from the first port, block the ICMP packets of that port in the firewall and ping the upstream gateway; if the ping succeeds, treat the next port in the same way (removing the previous block first, so that later probes are not affected), until a port is found whose blocking makes the ping fail, which proves that this port is connected to the external network. The corresponding rule is thus also configured in the PREROUTING chain of the firewall mangle table.
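The probing procedure just described, written out as an added example (it is not code from the patent). The shell executor is injected so the same logic can run on the router or against the constructed FakeRouter below; the choice of the INPUT chain for the ICMP block, the `ping -c 1 -W 1` invocation and the port names are assumptions. The example adds two checks a practitioner wants: the gateway is pinged once with nothing blocked (if it never answers, every port would look like the WAN port), and each probe rule is removed again even if the ping raises.

```python
import shlex


def block_cmd(port):
    """Drop ICMP arriving through one bridge port (chain choice is an assumption of this example)."""
    return f"iptables -I INPUT 1 -m physdev --physdev-in {port} -p icmp -j DROP"


def unblock_cmd(port):
    return f"iptables -D INPUT -m physdev --physdev-in {port} -p icmp -j DROP"


def ping_cmd(gateway):
    return f"ping -c 1 -W 1 {gateway}"


def find_wan_port(ports, gateway, run):
    """Return the bridge port behind which the upstream gateway sits, or None.

    `run(cmd)` executes one command line and returns True when it exits 0; it is
    injected so the same logic runs on the router or against a simulator.
    The gateway is pinged once with nothing blocked first: if it never answers,
    every port would look like the WAN port and the result would be meaningless.
    Each port is then blocked for ICMP, the gateway is pinged, and the block is
    removed again before the next port is tried; the port whose block makes the
    ping fail is the one connected to the external network.
    """
    if not run(ping_cmd(gateway)):
        return None
    for port in ports:
        run(block_cmd(port))
        try:
            reachable = run(ping_cmd(gateway))
        finally:
            run(unblock_cmd(port))      # never leave a probe rule behind
        if not reachable:
            return port
    return None


class FakeRouter:
    """Constructed stand-in for the router shell; the real WAN port is chosen up front."""

    def __init__(self, wan="eth3"):
        self.wan = wan
        self.blocked = set()
        self.log = []

    def __call__(self, cmd):
        self.log.append(cmd)
        argv = shlex.split(cmd)
        if argv[0] == "iptables":
            port = argv[argv.index("--physdev-in") + 1]
            if argv[1] == "-I":
                self.blocked.add(port)
            else:
                self.blocked.discard(port)
            return True
        if argv[0] == "ping":
            # echo replies come back through the WAN port only
            return self.wan not in self.blocked
        raise ValueError(f"unexpected command: {cmd}")


if __name__ == "__main__":
    router = FakeRouter()
    print(find_wan_port(["eth0", "eth1", "eth2", "eth3"], "192.168.1.1", router))
```

On a real device, `run` would be a thin wrapper around `subprocess.run(shlex.split(cmd)).returncode == 0`; the FakeRouter records the exact command sequence, which is what you would review before trusting the probe.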
NAT between the internal and external networks is handled so that mutual access between hosts on the LAN side is not masqueraded as access to the external network. When the MASQUERADE rule is set, a single condition is added: address translation is performed only when the destination address of the access is not on the LAN side:
iptables -t nat -A zone_wan_postrouting ! -d 192.168.71.0/24 -j MASQUERADE
(MASQUERADE is only valid in the nat table, so the rule is added there; zone_wan_postrouting is the chain of the OpenWrt firewall that is called from POSTROUTING, and 192.168.71.0/24 is the LAN subnet of this embodiment.)
Once it has been determined whether the access is between hosts on the LAN side, the corresponding operation is executed according to the access instruction.
Through these steps, LAN-side hosts are prevented from acquiring an IP address from the external network and the intranet DHCP server is prevented from assigning IP addresses toward the external network, which realizes the firewall information configuration scheme for the multi-port "no LAN/WAN distinction, plug into any port" function of the wireless network device.
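The rule set of this embodiment, modelled as an added example (not the patent's own code) so that the verdict each rule produces for a sample packet can be checked without a router. Assumptions: eth3 is the external-facing port, 192.168.71.0/24 is the LAN subnet, bridge-nf-call-iptables is enabled so bridged frames traverse iptables, and the `-t nat` for the MASQUERADE rule is supplied because that target only exists in the nat table. The sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.71.0/24")   # LAN subnet used in the MASQUERADE rule above
WAN_PORT = "eth3"                                   # bridge port found to face the external network


def preset_rules(wan_port=WAN_PORT, lan_net=LAN_NET):
    """The rule set of this embodiment as iptables command lines, in the order they are added."""
    return [
        "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -p udp --dport 67 -j DROP",
        "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -p udp --sport 67 -j DROP",
        f"iptables -t mangle -I PREROUTING 1 -m physdev --physdev-in {wan_port} -p udp --dport 67 -j DROP",
        f"iptables -t nat -A zone_wan_postrouting ! -d {lan_net} -j MASQUERADE",
    ]


@dataclass
class Packet:
    in_port: str    # bridge port the frame arrived on (what --physdev-in matches)
    bridged: bool   # True when bridged between two ports of br-LAN (what --physdev-is-bridged matches)
    local: bool     # True when addressed to the router itself (INPUT path instead of FORWARD)
    proto: str
    sport: int
    dport: int
    dst: str


def decide(pkt, wan_port=WAN_PORT, lan_net=LAN_NET):
    """Walk the chains in traversal order and return the verdict the rules produce for one packet.

    Bridged frames only traverse these chains when the kernel's bridge netfilter
    hooks are on (net.bridge.bridge-nf-call-iptables=1); the model assumes they are.
    """
    # mangle PREROUTING, second preset rule: a DHCP request coming in through the
    # WAN port is dropped before the LAN-side DHCP server can see it.
    if pkt.in_port == wan_port and pkt.proto == "udp" and pkt.dport == 67:
        return "DROP"
    if pkt.local:
        # INPUT: the router's own DHCP client on br-LAN is not touched by the FORWARD rules.
        return "ACCEPT"
    # filter FORWARD, first preset rule: DHCP bridged between ports is dropped in
    # both directions, so the upstream server never answers a LAN host.
    if pkt.bridged and pkt.proto == "udp" and 67 in (pkt.sport, pkt.dport):
        return "DROP"
    # nat POSTROUTING: masquerade only when the destination is outside the LAN subnet.
    if ipaddress.ip_address(pkt.dst) not in lan_net:
        return "FORWARD+MASQUERADE"
    return "FORWARD"


# Constructed traffic: (description, packet, expected verdict).
SAMPLES = [
    ("LAN host DHCPDISCOVER bridged toward the WAN port",
     Packet("eth0", True, False, "udp", 68, 67, "255.255.255.255"), "DROP"),
    ("upstream DHCPOFFER bridged toward a LAN host",
     Packet("eth3", True, False, "udp", 67, 68, "255.255.255.255"), "DROP"),
    ("upstream DHCPOFFER for the router's own br-LAN client",
     Packet("eth3", False, True, "udp", 67, 68, "192.168.1.37"), "ACCEPT"),
    ("DHCPDISCOVER from the external side reaching the LAN DHCP server",
     Packet("eth3", False, True, "udp", 68, 67, "255.255.255.255"), "DROP"),
    ("LAN host DHCPDISCOVER for the router's own DHCP server",
     Packet("eth0", False, True, "udp", 68, 67, "255.255.255.255"), "ACCEPT"),
    ("LAN host to LAN host, bridged through the device",
     Packet("eth1", True, False, "tcp", 40000, 22, "192.168.71.20"), "FORWARD"),
    ("LAN host to the Internet, routed via the device",
     Packet("eth1", False, False, "tcp", 40001, 443, "93.184.216.34"), "FORWARD+MASQUERADE"),
]


def check_samples(samples=SAMPLES):
    """Return (description, verdict) for every sample; used to confirm the rule order."""
    return [(desc, decide(pkt)) for desc, pkt, _ in samples]


if __name__ == "__main__":
    for desc, verdict in check_samples():
        print(f"{verdict:18} {desc}")
```

The order of the checks matters: the PREROUTING rule is evaluated before the INPUT/FORWARD split, which is why a DHCP request arriving on eth3 is dropped even though it is addressed to the router itself, while the router's own DHCP client (UDP 68 inbound) is left alone.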
To describe the scheme of the present invention clearly, executing the corresponding operation according to the access instruction when the access destination address matches the address pre-configured for the local terminal device 20 includes the following sub-steps.
Sub-step 205-1: obtain the current access indication.
The access indication is the set of accesses observed in a current time period, i.e. a period such as a day or an hour within which the user's access indication needs to be detected. It is an instruction for interaction between different terminal devices that needs to be detected, and may include one or more indication parameters of known content. In practical applications, the indication parameters may be entered by the user in advance or pre-processed by a computer device.
In some embodiments, the access indication is subjected to feature association processing through a self-attention mechanism, and an initial completion of the access indication is first performed based on the network address parameters recorded in the current access indication, so as to strengthen the spatial association of the known indication parameters at each operation node. That is, obtaining the current access indication may include the following process:
(1) obtain the currently known indication parameters;
(2) determine an initial access indication based at least on the currently known indication parameters;
(3) perform feature association processing on the initial access indication through a self-attention mechanism to obtain the access indication.
In one embodiment, some time slices of the access indication formed by the currently known indication parameters may contain no indication parameter; during the initial completion, the features of several neighbouring points can be summed with weights, and the resulting new indication parameter serves as the initial completion of that point.
Time and local terminal address are discrete quantities, which is unfavourable for gradient updating in deep learning. Therefore, in the present embodiment, the network address parameter of an indication parameter is treated as a "word" of a sentence in natural language processing and its time information as the "position" of that word in the sentence, and each discrete value is embedded into a high-dimensional continuous vector that can participate directly in the subsequent network computation.
That is, in some embodiments, performing feature association processing on the initial access indication through the self-attention mechanism to obtain the access indication may include the following process:
(1) construct a knowledge-graph tree of the known indication parameters in the initial access indication;
(2) determine the association value between every two known indication parameters in the initial access indication according to that knowledge-graph tree;
(3) determine, based on the association values, a third preset weight of each known indication parameter in the initial access indication relative to the other known indication parameters;
the third preset weight reflects the credibility of each indication parameter in the initial access indication with respect to the other known indication parameters of the access indication;
(4) adjust the knowledge-graph tree of the known indication parameters in the initial access indication according to the third preset weights to obtain the access indication.
When the knowledge-graph tree of the known indication parameters in the initial access indication is constructed, a time characterization vector and an access destination address characterization vector are built separately for each indication parameter, and the knowledge-graph tree of each indication parameter is obtained by adding the two vectors and processing the sum.
The original time element and the access destination address characterization vector do not really share one dimension: the time may be (hour, minute) while the local terminal address is a network protocol address, and so on. Vectors of the same dimension are therefore obtained by assigning each of them the same number of neurons in a simple neural network. Alternatively, the time characterization vector and the address characterization vector of each point can be mapped directly into the same dimension, for example by taking the order position of the point in the access indication as its time token (the first point is "1") and the ID of the grid cell containing the local terminal address as its address token.
When the initial access indication is subjected to feature association processing, a self-attention mechanism is introduced to find the features of the initial access indication that deserve attention (the so-called attention focus), to invest more attention resources in them so as to obtain more detailed information about the target of interest, and to suppress useless information, so that the more critical information of the knowledge-graph tree of the current access indication is selected from the mass of information and each indication parameter and the relations between indication parameters are better expressed.
In implementation, an embedding vector of the network protocol address of each indication parameter (the local terminal address) and an embedding vector of its position (time) in the access indication are first constructed, these are input to a multi-head self-attention learning module that learns the relations between the indication parameters of the access indication, and the output vectors are aggregated across heads and normalized. For the aggregation, a concat function (such as the one provided by Python array libraries) splices the head vectors horizontally or vertically into one vector. For the normalization, the output vector is passed through the softmax activation function, which maps its components to values in [0, 1] that sum to 1.
In the attention mechanism each indication parameter has three different vectors, a Query vector (Q), a Key vector (K) and a Value vector (V), each of length 64. They are obtained by multiplying the embedding vector X of the "word" by three different weight matrices WQ, WK and WV. The three weight matrices have the same size, for example 512x64.
In specific implementation, the input indication parameters are converted into embedding vectors, from which the three vectors Q, K and V are computed. For each indication parameter an association score with every other indication parameter is computed as the dot product of its Query with the other's Key, score = Q·K^T (the original Transformer additionally divides this score by the square root of the Key length, i.e. by 8 for length 64, which keeps the softmax out of its saturated region). To stabilize the gradient, the scores of each indication parameter are normalized with the softmax activation function. Each normalized score is multiplied by the Value vector V of the corresponding indication parameter, giving a weighted V for each input vector, and the sum Z = sum(weighted V) is the attention vector of the input indication parameter; processing this attention vector yields the preset weight corresponding to each indication parameter.
Sub-step 205-2: determine a first association relationship between the indication content of the access indication and the indication content of a historical feature access indication. This includes constructing a knowledge-graph tree for each indication parameter of the access indication and of the historical feature access indication, obtaining a plurality of first elements and a plurality of second elements respectively, and determining a first association value between each first element and each second element to obtain the first association relationship; the historical feature access indication is determined from the access operations in a historical time period.
In this embodiment, the historical feature access indication has the same period length as the access indication, e.g. both a whole day, or both a certain part of the day (such as 8:00 to 20:00 on a Thursday). The indication content of the access indication may include an indication mark of each known indication parameter and its generation time within the access indication; the indication content of the historical feature access indication includes an indication mark of each of its indication parameters and their generation time within it. The indication mark may be the address of the local terminal device 20, such as network protocol address information; the generation time characterizes the timing information of the indication parameter within the indication.
When determining the first association relationship, a knowledge-graph tree of each indication parameter in the access indication and in the historical feature access indication is constructed, a plurality of first elements and second elements are obtained, a first association value between each first element and each second element is determined, and the first association relationship between the two indication contents is determined from these first association values.
In this embodiment, the historical feature access indication may be determined from the access operations in the historical time period in various ways. For example, in one embodiment, it is determined as follows:
(1) collect the access operations within the historical time period;
(2) construct a plurality of historical access indications from the access operations according to preset access time nodes;
(3) align the plurality of historical access indications in time, determine from the aligned indications the indication parameter that occurs most frequently at each operation node, and construct a target historical access indication from these most frequent indication parameters;
(4) perform feature association processing on the target historical access indication through a self-attention mechanism to obtain the historical feature access indication.
Specifically, the processing is applied to the access operations of a long-term history. The historical period may be the past month, the past week, etc.; if it is the past month, the preset access time node may be one day, so that each day yields one historical access indication.
Since the historical access indications are also sparse, frequent patterns in the history are mined: the access indication point occurring most often at each operation node of the historical access indications is extracted to form the target historical access indication. For example, let there be historical access indications P1, P2, ..., P(m-1), where P(m-1) denotes the access indication of any day of the historical period other than those of P1 and P2, and m is an integer greater than 2. P1 contains the known indication parameters T5, T9, T13; P2 contains T3, T7, T11; P(m-1) contains T1, T5, T9, T13, T16. The user's access indications of the individual days are first aligned in time, and then the local terminal address with the highest access frequency at each operation node is extracted to obtain the target historical access indication. Because P1, P2, ..., P(m-1) come from different days and their spatial association is weakened, feature association processing is applied to the target historical access indication through a self-attention mechanism, so that the information most critical to its knowledge-graph tree is selected from the mass of information.
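Steps (1) to (3) above, i.e. turning each day's accesses into a fixed-length sequence of sampling slots, aligning the days, and taking the most frequent address per slot, as an added example that is not the patent's own code. The 10-minute sampling between 9:00 and 10:00 follows the worked example later on this page; the three days of (time, address) events are constructed, and the tie-breaking rule (the day seen first wins) and the "latest access in a slot wins" rule are choices made here.

```python
from collections import Counter

UNKNOWN = "unknown"    # token the page uses for a missing indication parameter


def slot_index(hhmm, start="9:00", minutes=10):
    """Index of the sampling slot a clock time falls into, counted from `start`."""
    h, m = (int(x) for x in hhmm.split(":"))
    sh, sm = (int(x) for x in start.split(":"))
    return ((h * 60 + m) - (sh * 60 + sm)) // minutes


def align_day(events, n_slots, start="9:00", minutes=10):
    """One day's (time, address) accesses as a fixed-length 'sentence' of addresses.

    Slots nobody accessed hold UNKNOWN; if several accesses fall into one slot the
    latest one is kept (a choice made for this example). Events outside the window
    are ignored.
    """
    sentence = [UNKNOWN] * n_slots
    for hhmm, addr in events:
        i = slot_index(hhmm, start, minutes)
        if 0 <= i < n_slots:
            sentence[i] = addr
    return sentence


def target_history(sentences):
    """Most frequent address per slot across all days (ties: first day seen); UNKNOWN if none."""
    if not sentences:
        return []
    target = []
    for i in range(len(sentences[0])):
        seen = Counter(day[i] for day in sentences if day[i] != UNKNOWN)
        # max() returns the first maximal key in insertion order, so earlier days win ties
        target.append(max(seen, key=seen.get) if seen else UNKNOWN)
    return target


# Constructed history: three days of accesses between 9:00 and 10:00 (6 slots of 10 minutes).
HISTORY_EVENTS = [
    [("9:02", "192.168.71.10"), ("9:15", "192.168.71.20"), ("9:33", "192.168.71.10"), ("9:58", "192.168.71.30")],
    [("9:05", "192.168.71.10"), ("9:21", "192.168.71.20"), ("9:41", "192.168.71.10"), ("9:52", "192.168.71.30")],
    [("9:09", "192.168.71.20"), ("9:31", "192.168.71.10"), ("9:44", "192.168.71.20"), ("10:30", "192.168.71.40")],
]


def build_target(events=HISTORY_EVENTS, n_slots=6):
    """Align every day, then take the per-slot mode: the target historical access indication."""
    return target_history([align_day(day, n_slots) for day in events])


if __name__ == "__main__":
    for day in HISTORY_EVENTS:
        print(align_day(day, 6))
    print(build_target())
```

Slot 4 (9:40 to 9:49) is the interesting one: day two and day three disagree, and the mode falls back to the day seen first, which is exactly the kind of weakened association the page then hands to the self-attention step.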
In this embodiment, obtaining the historical feature access indication by feature association processing of the target historical access indication through the self-attention mechanism is done as follows: a knowledge-graph tree of each indication parameter in the target historical access indication is constructed; the association value between every two indication parameters is determined from these knowledge-graph trees; a fourth preset weight of each indication parameter relative to the other indication parameters is determined from the association values, the fourth preset weight reflecting the credibility of each indication parameter in the target historical access indication with respect to the other indication parameters; and finally the knowledge-graph tree of the indication parameters in the target historical access indication is adjusted according to the fourth preset weights to obtain the historical feature access indication.
When the knowledge-graph tree of the indication parameters in the target historical access indication is constructed, a time characterization vector and an access destination address characterization vector are built separately for each indication parameter, and the knowledge-graph tree of each indication parameter is obtained by adding the two and processing the sum.
In specific implementation, an embedding vector of the indication parameters of the historical access indication (their addresses) and an embedding vector of their positions are constructed, input to the multi-head self-attention learning module to learn the relations between the indication parameters, and the output vectors are aggregated across heads and normalized. The output is then passed through a feedforward neural network to the next stage, which outputs the enhanced vector obtained after self-learning of the historical access indication, i.e. the historical feature access indication.
In another embodiment, determining the historical feature access indication from the access operations in the historical time period may include:
(1) collect the access operations within the historical time period;
(2) construct a plurality of historical access indications from the access operations according to preset access time nodes;
(3) process the plurality of historical access indications through an attention mechanism to obtain the historical feature access indication.
Specifically, the attention mechanism can be applied directly to the plurality of historical access indications obtained by dividing at the preset access time nodes, in order to find the features in them that deserve attention, to invest more attention resources in those features so as to obtain more detailed information about the target of interest while suppressing useless information, and to select from the mass of information that which is most critical to the knowledge-graph tree of the historical access indications.
Sub-step 205-3: process the historical feature access indication and the access indication according to the first association relationship to obtain target indication parameters.
In practical application, the observations are sparse, so an access indication built only from the known indication parameters has low reliability; the access indication and the historical feature access indication are therefore processed jointly by an attention mechanism, which explicitly uses the features of the historical access indication to extract the information that satisfies the spatial constraints of the current time period. That is, when the historical feature access indication and the access indication are processed according to the first association relationship, the undetermined indication parameters that satisfy the spatial constraint of the access indication are extracted from the historical feature access indication to obtain a first set of undetermined indication parameters, and the access indication is then processed according to the first association relationship and that set to obtain the target indication parameters.
Further, when the access indication is processed according to the first association relationship and the first set of undetermined indication parameters, a first target indication parameter is determined from the set based on the first association relationship, and the indication parameter information of the access indication is adjusted according to the first target indication parameter to obtain the target indication parameters. In one embodiment, adjusting the indication parameter information of the access indication according to the first target indication parameter includes the following steps:
(1) determine, based on the first association values, a first preset weight of each indication parameter in the access indication relative to each indication parameter in the historical feature access indication, the first preset weight reflecting the credibility of each indication parameter of the access indication with respect to each indication parameter of the historical feature access indication;
(2) select the corresponding undetermined indication parameters from the first set of undetermined indication parameters in descending order of the first preset weight, as first target indication parameters;
(3) generate the corresponding indication parameter at the corresponding position in the access indication according to the generation time of the first target indication parameter in the historical feature access indication and the indication mark corresponding to the first target indication parameter.
The indication mark may be the address of the local terminal device 20, such as network protocol address information; the generation time characterizes the timing information of the first target indication parameter within the historical feature access indication.
Specifically, based on the magnitude of the preset weight of each indication parameter in the access indication relative to each indication parameter in the historical feature access indication, the indication parameters that the access indication should attend to are selected from the first set of undetermined indication parameters, and the features of the selected indication parameters in the historical feature access indication (their time information and spatial network address parameters) are used to construct a new indication parameter at the corresponding position determined in the access indication.
The access indication and the historical feature access indication can be input together into a multi-head encoder-decoder attention learning module, which learns the relations between the indication parameters of the two indications; the output vectors are aggregated across heads and normalized, then passed through a feedforward neural network to the next stage, which outputs the access indication fused with the content of the historical access indication, i.e. the target indication parameters.
Sub-step 205-4: determine a second association relationship between the indication content of the target indication parameters and the indication content of the access indication. This includes constructing a knowledge-graph tree for each indication parameter of the access indication and of the target indication parameters, obtaining a plurality of third elements and a plurality of fourth elements respectively, and determining a second association value between each third element and each fourth element to obtain the second association relationship.
In this embodiment, the indication content of the access indication includes the indication mark of each known indication parameter and its generation time within the access indication; the indication content of the target indication parameters includes the indication mark of each target indication parameter and its generation time within the target indication parameters. The indication mark may be the address of the local terminal device 20, such as network protocol address information; the generation time characterizes the timing information of the indication parameter within the indication.
When determining the second association relationship, a knowledge-graph tree of each indication parameter of the access indication and of the target indication parameters is constructed to obtain the third and fourth elements, a second association value between each third element and each fourth element is determined, and the second association relationship between the two indication contents is determined from these second association values.
Sub-step 205-5: determine, based on the second association values, a second preset weight of each indication parameter in the access indication relative to each indication parameter in the target indication parameters, the second preset weight reflecting the credibility of each indication parameter of the access indication with respect to each target indication parameter.
Sub-step 205-6: determine undetermined indication parameters from the target indication parameters according to the second preset weights and the generation times of the indication parameters in the target indication parameters, obtaining a second set of undetermined indication parameters; the indication contents involved are those defined above (indication mark and generation time of each indication parameter of the access indication and of the target indication parameters).
Sub-step 205-7: determine a second target indication parameter from the second set of undetermined indication parameters based on the known indication parameters and the operation timing in the access indication.
Sub-step 205-8: generate the corresponding indication parameter at the corresponding position in the access indication based on the operation timing and the indication mark corresponding to the second target indication parameter, so as to perform an indication parameter check on the access indication and obtain an access indication result.
The examination is to complement the missing indication parameters, and the target indication parameters output by the encoding module and the original access indication are processed by a mutual attention mechanism to output an access indication result. In some embodiments, when performing the indicated parameter check on the access indication according to the second association relationship and the operation timing of the indicated parameter in the access indication to obtain the access indication result, the method may specifically include:
(1) and determining undetermined indication parameters from the target indication parameters according to the second incidence relation and the generation time of the indication parameters in the target indication parameters to obtain a second undetermined indication parameter set.
(2) And according to the operation time sequence and the second undetermined indication parameter set, performing indication parameter inspection on the access indication to obtain an access indication result.
Specifically, when the undetermined indication parameters are determined from the target indication parameters according to the second association relationship and the generation time of the indication parameters in the target indication parameters to obtain a second undetermined indication parameter set, a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters can be determined based on the second association value, wherein the second preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the target indication parameters. And then, according to the second preset weight and the generation time of the indication parameters in the target indication parameters, determining undetermined indication parameters from the target indication parameters to obtain a second undetermined indication parameter set.
When the access indication is subjected to indication parameter verification according to the operation timing sequence and the second undetermined indication parameter set, a second target indication parameter can be determined from the second undetermined indication parameter set based on the known indication parameter and the operation timing sequence in the access indication, and then a corresponding indication parameter is generated at a corresponding position in the access indication based on the indication mark corresponding to the operation timing sequence and the second target indication parameter, so that the indication parameter verification is performed on the access indication.
The access indication and the target indication parameter can be simultaneously input into a multi-head vector decoding and coding attention learning module to learn the relation of each indication parameter between the access indications, and the output vector is subjected to multi-head vector aggregation and standardization. And then, the output result is transmitted to the next stage through a feedforward neural network to carry out vector aggregation and standardization, normalization processing is carried out on the output vector through a normalization function (such as a softmax activation function), an indication parameter corresponding to the normalized component is selected as output, and the enhanced access indication (namely the access indication result) is obtained.
In the scheme, the operation time sequence of the access indication point is used as one input of the input attention mechanism, the access indication fused with the historical information is used as the other input of the attention mechanism, the operation time sequence of the indication parameter in the access indication result and the missing indication parameter are subjected to attention mechanism processing, and a complementary value of the missing indication parameter is obtained. The complementary value is a characteristic component, which represents an index of the missing indication parameter in the entire indication parameter set, and a unique address point of the actual local terminal device 20, that is, the address of the local terminal device 20 of the indication parameter, can be searched according to the index.
In the specific calculation, the missing indication parameter may be represented by the special character "unknown", and its feature can be understood as an all-zero vector.
For example, suppose the user has access indications for four days in total: the historical access indications of the first three days are dense, the access indication of the fourth day is sparse, and the historical access indications of the first three days are to be learned in order to estimate the local terminal devices 20 that the fourth day's access indication does not record. The access indication of the fourth day can then be taken as the target and sampled at one point every 10 minutes, turning the access indication into a sentence: for example, if the access starts at 9:00 a.m. and finishes at about 10:00 a.m., the access indication sampled at 10-minute intervals is a 6-word sentence. Since the access indication is relatively sparse, some of these words may be absent, and the absent words need to be learned from the historical access indications. On the other hand, the historical access indications of the first three days do not necessarily fall within 9:00 to 10:00, so the historical data is sampled every 10 minutes according to its time of day, arranged in sentence order, and used together with the operation timing of the fourth day's indication parameters as input to complete the fourth day's access indication.
According to the method provided by the embodiment of the invention, the current access indication is acquired; the historical characteristic access indication and the access indication are processed according to the first association relation between the indication content of the access indication and the indication content of the historical characteristic access indication to obtain a target indication parameter; and indication parameter inspection is carried out on the access indication according to the second association relation between the indication content of the target indication parameter and the indication content of the access indication and the operation time sequence of the indication parameters in the access indication, to obtain an access indication result. In this scheme, missing values of an access indication are completed from similar access indications by learning the user's access indications, so that the consistency of the indication parameter information in the access indication is improved; in addition, the relevance between the indication parameter characteristics in the access indication is used to increase attention to useful information and reduce attention to useless information, which raises the accuracy of the completed access indication, so that the corresponding operation can finally be executed according to the access result and the interaction safety between local terminal devices 20 is improved.
An intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device in an embodiment of the present invention is applied to a local wireless network device 10, where the local wireless network device 10 includes multiple bridge interfaces, and the local wireless network device 10 is in communication connection with a local terminal device 20 and an upper level router 30 through the bridge interfaces, please refer to fig. 3 in combination, and the apparatus includes:
a response module 1101, configured to respond to an external network configuration protocol data packet sent by the upper level router 30 by intercepting the external network configuration protocol data packet on a Forward chain configured by the local wireless network device 10 according to a first preset rule, where the upper level router 30 configures an external network IP address for the local terminal device 20 through the external network configuration protocol data packet; and to respond to an intranet configuration protocol data packet sent by the local terminal device 20 by intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network device 10 according to a second preset rule, where the upper level router 30 obtains the intranet IP address of the local terminal device 20 through the intranet configuration protocol data packet.
An obtaining module 1102, configured to obtain an access instruction of the local terminal device 20, where the access instruction includes an access destination address.
An executing module 1103, configured to perform network address translation on the access destination address when the access destination address does not match an address pre-configured by the local terminal device 20; when the access destination address matches an address pre-configured by the local terminal device 20, the corresponding operation is performed according to the access instruction.
Further, the execution module 1103 is specifically configured to:
acquiring a current access instruction; determining a first association relationship between the indication content of the access indication and the indication content of the historical characteristic access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the historical characteristic access indication to obtain a plurality of first elements and a plurality of second elements, and determining a first association value between each first element and each second element to obtain the first association relation, wherein the historical characteristic access indication is determined based on access operations in a historical time period; processing the historical characteristic access indication and the access indication according to the first association relation to obtain a target indication parameter; determining a second association relationship between the indication content of the target indication parameter and the indication content of the access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the target indication parameters to obtain a plurality of third elements and a plurality of fourth elements, and determining a second association value between each third element and each fourth element to obtain the second association relation; determining a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters based on the second association value, wherein the second preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the target indication parameters; according to the second preset weight and the generation time of the indication parameters in the target indication parameters, determining undetermined indication parameters from the target indication parameters to obtain a second undetermined indication parameter set, wherein the indication content of the access indication comprises: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the target indication parameter comprises: the indication mark of each indication parameter in the target indication parameters and the generation time in the target indication parameters; determining a second target indication parameter from the second undetermined indication parameter set based on the known indication parameters and the operation timing in the access indication; and generating corresponding indication parameters at corresponding positions in the access indication based on the operation time sequence and the indication marks corresponding to the second target indication parameters so as to carry out indication parameter inspection on the access indication and obtain an access indication result.
Further, the content of the indication of the access indication includes: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the historical feature access indication comprises: the execution module 1103 is further specifically configured to:
extracting undetermined indication parameters meeting the access indication space constraint from the historical characteristic access indication to obtain a first undetermined indication parameter set; determining a first preset weight of each indication parameter in the access indication relative to each indication parameter in the historical characteristic access indication based on the first correlation value, wherein the first preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the historical characteristic access indication; determining corresponding undetermined indication parameters from the first to-be-determined indication parameter set according to the sequence of the first preset weight from high to low, and using the undetermined indication parameters as first target indication parameters; and generating corresponding indication parameters at corresponding positions in the access indication according to the generation time of the first target indication parameters in the historical characteristic access indication and the indication marks corresponding to the first target points to obtain the target indication parameters.
Further, the executing module 1103 is further specifically configured to:
acquiring a current known indication parameter; determining an initial access indication based at least on a current known indication quantity; and performing characteristic association processing on the initial access indication through a self-attention mechanism to obtain the access indication.
Further, the executing module 1103 is further specifically configured to:
constructing a knowledge graph tree of known indication parameters in the initial access indication; determining a correlation value between every two known indication parameters in the initial access indication according to the knowledge graph tree of the known indication parameters; determining a third preset weight of each known indicator in the initial access indication relative to other known indicators based on a correlation value between every two known indicators, wherein the third preset weight is used for reflecting the credibility of each indicator in the initial access indication to other known indicators in the initial access indication; and adjusting the knowledge graph tree of the known indication parameters in the initial access indication according to the third preset weight to obtain the access indication.
Further, the executing module 1103 is further specifically configured to:
acquiring access operation in a historical time period; constructing a plurality of historical access instructions according to preset access time nodes and access operations; aligning a plurality of historical access instructions according to time, determining an instruction parameter with the highest frequency of occurrence under the same operation node from the aligned plurality of historical access instructions, and constructing and obtaining a target historical access instruction according to the instruction parameter with the highest frequency of occurrence under the same operation node; and performing characteristic association processing on the target historical access indication through a self-attention mechanism to obtain a historical characteristic access indication.
Further, the executing module 1103 is further specifically configured to:
constructing a knowledge graph tree of each indication parameter in the target historical access indication; determining a correlation value between every two indication parameters in the target historical access indication according to the knowledge graph tree of each indication parameter; determining a fourth preset weight of each indication parameter in the target historical access indication relative to other indication parameters based on a correlation value between every two indication parameters, wherein the fourth preset weight is used for reflecting the credibility of each indication parameter in the target historical access indication to other indication parameters in the indication; and adjusting the knowledge graph tree of the indication parameters in the target historical access indication according to the fourth preset weight to obtain the historical feature access indication.
Further, the executing module 1103 is further specifically configured to:
acquiring access operation in a historical time period; constructing a plurality of historical access instructions according to preset access time nodes and access operations; and processing the plurality of historical access instructions through an attention mechanism to obtain historical characteristic access instructions.
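The four-day example above and the time-alignment step of the execution module (build historical access indications from access operations, align them by time node, keep the most frequent indication parameter per node, then complete the sparse current indication) as an added worked example; this is not the patent's own code. It assumes a fixed 10-minute sampling window, uses the special character "unknown" for missing slots, and stands in a per-slot frequency vote for the attention mechanism, with the vote share used as the preset weight (credibility); the device names and timestamps are constructed sample data.

```python
from collections import Counter
from typing import List, Tuple

UNKNOWN = "unknown"   # special character standing for a missing indication parameter
SLOT_MINUTES = 10     # sampling interval used in the four-day example


def minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def build_indication(ops: List[Tuple[str, str]], start: str, end: str) -> List[str]:
    """Sample one day's access operations (time of day, accessed device) every
    SLOT_MINUTES inside the window [start, end), producing a 'sentence' whose words
    are indication parameters; slots with no operation stay UNKNOWN."""
    n_slots = (minutes(end) - minutes(start)) // SLOT_MINUTES
    sentence = [UNKNOWN] * n_slots
    for t, device in ops:
        slot = (minutes(t) - minutes(start)) // SLOT_MINUTES
        if 0 <= slot < n_slots:          # operations outside the window are not sampled
            sentence[slot] = device
    return sentence


def target_history(histories: List[List[str]]) -> Tuple[List[str], List[float]]:
    """Align the historical sentences slot by slot (same operation node) and keep the
    most frequent parameter per slot. The share of known votes it received is used
    here as the preset weight (credibility) of that parameter; this frequency vote is
    a stand-in for the attention mechanism described in the text."""
    n_slots = len(histories[0])
    target, weights = [], []
    for s in range(n_slots):
        votes = Counter(h[s] for h in histories if h[s] != UNKNOWN)
        if not votes:
            target.append(UNKNOWN)
            weights.append(0.0)
            continue
        device, count = votes.most_common(1)[0]
        target.append(device)
        weights.append(count / sum(votes.values()))
    return target, weights


def complete(current: List[str], target: List[str], weights: List[float],
             min_weight: float = 0.5) -> List[str]:
    """Fill each UNKNOWN slot of the sparse current sentence from the aligned target,
    keyed by slot position (the operation timing); known parameters are kept and
    low-credibility candidates are left UNKNOWN."""
    out = list(current)
    for s, word in enumerate(current):
        if word == UNKNOWN and target[s] != UNKNOWN and weights[s] >= min_weight:
            out[s] = target[s]
    return out


# Constructed sample: three dense historical days and one sparse fourth day.
HISTORY_OPS = [
    [("09:00", "printer"), ("09:10", "printer"), ("09:20", "nas"), ("09:30", "nas"),
     ("09:40", "camera"), ("09:50", "camera")],
    [("08:50", "tv"), ("09:00", "printer"), ("09:10", "printer"), ("09:20", "nas"),
     ("09:40", "camera"), ("09:50", "camera")],            # 08:50 lies outside the window
    [("09:00", "printer"), ("09:10", "tv"), ("09:20", "nas"), ("09:30", "nas"),
     ("09:40", "camera"), ("09:50", "tv")],
]
DAY4_OPS = [("09:20", "nas"), ("09:50", "camera")]


def demo() -> Tuple[List[str], List[str], List[float], List[str]]:
    """Run the whole procedure on the constructed sample and return every stage."""
    histories = [build_indication(ops, "09:00", "10:00") for ops in HISTORY_OPS]
    current = build_indication(DAY4_OPS, "09:00", "10:00")
    target, weights = target_history(histories)
    return current, target, weights, complete(current, target, weights)


if __name__ == "__main__":
    for label, value in zip(("day 4", "target", "weights", "completed"), demo()):
        print(label, value)
```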
It should be noted that, for the implementation principle of the foregoing intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device, reference may be made to the implementation principle of the foregoing intelligent firewall configuration method based on multiple network ports of a wireless network device, and details are not described here again. It should be understood that the division of the modules of the above apparatus is only a logical division; in the actual implementation the modules may be wholly or partially integrated into one physical entity or may be physically separated. These modules can be realized as software called by a processing element, entirely in hardware, or as a mixture in which some modules are software called by a processing element and others are hardware. For example, the intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device may be a separately set-up processing element, may be integrated in a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code that a processing element of the apparatus calls to execute the function of the obtaining module 1102. The other modules are implemented similarly. In addition, all or part of the modules can be integrated together or realized independently. The processing element described herein may be an integrated circuit with signal processing capability. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or by an instruction in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more digital signal processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), among others. For another example, when some of the above modules are implemented as program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor that can call program code. As another example, these modules may be integrated together and implemented in the form of a system-on-a-chip (SOC).
The embodiment of the present invention provides a computer device 100, where the computer device 100 includes a processor and a non-volatile memory storing computer instructions, and when the computer instructions are executed by the processor, the computer device 100 runs the foregoing intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device. As shown in fig. 4, fig. 4 is a block diagram of a computer device 100 according to an embodiment of the present invention. The computer device 100 includes an intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device, a memory 111, a processor 112, and a communication unit 113.
To facilitate the transfer or interaction of data, the memory 111, the processor 112 and the communication unit 113 are electrically connected to each other, directly or indirectly. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The intelligent firewall configuration apparatus 110 based on multiple network ports of a wireless network device includes at least one software function module which can be stored in the memory 111 in the form of software or firmware or solidified in the Operating System (OS) of the computer device 100. The processor 112 is configured to execute the intelligent firewall configuration apparatus 110 based on multiple network ports of the wireless network device stored in the memory 111, for example the software function modules and the computer program included in the intelligent firewall configuration apparatus 110 based on multiple network ports of the wireless network device.
The embodiment of the invention provides a readable storage medium, which includes a computer program, and when the computer program runs, the computer device 100 where the readable storage medium is located is controlled to execute the foregoing intelligent firewall configuration method based on multiple network ports of a wireless network device.
In summary, according to the method and the device for configuring an intelligent firewall based on multiple network ports of a wireless network device provided by the embodiments of the present invention, in response to an extranet configuration protocol data packet sent by an upper-level router, the extranet configuration protocol data packet is intercepted on a Forward chain configured by the local wireless network device according to a first preset rule, and the upper-level router configures an extranet IP address for the local terminal device through the extranet configuration protocol data packet. In response to an intranet configuration protocol data packet sent by the local terminal device, the intranet configuration protocol data packet is intercepted on a Prerouting chain configured by the local wireless network device according to a second preset rule, and the upper-level router acquires the intranet IP address of the local terminal device through the intranet configuration protocol data packet. An access instruction of the local terminal device, which comprises an access destination address, is then obtained; when the access destination address does not match the address pre-configured by the local terminal device, network address translation is performed on the access destination address, and when the access destination address matches the address pre-configured by the local terminal device, the corresponding operation is executed according to the access instruction. Through these steps, the data packets on the relevant chains of the firewall are intercepted in a targeted way, so that an intelligent firewall configuration scheme based on multiple network ports of a wireless network device with a wider range of application is realized.
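The packet-handling flow summarized above (intercept extranet configuration packets on the Forward chain and intranet configuration packets on the Prerouting chain, record the addresses they carry, then NAT or execute an access instruction depending on whether its destination is pre-configured for that terminal) as an added model in Python; this is not the patent's own implementation. The packet fields, the concrete form of the two preset rules, the use of the learned extranet IP as the NAT target, and the addresses used in the demo are all assumptions; the text does not name the configuration protocols or the rule contents.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FORWARD = "FORWARD"        # chain on which extranet configuration packets are intercepted
PREROUTING = "PREROUTING"  # chain on which intranet configuration packets are intercepted


@dataclass
class Packet:
    chain: str                 # chain the packet is observed on
    src_role: str              # "upper_router" or "terminal"
    kind: str                  # "extranet_config", "intranet_config" or "access"
    terminal: str              # local terminal device the packet concerns
    ip: Optional[str] = None   # IP carried by a configuration packet (assumed field)
    dst: Optional[str] = None  # access destination address of an access instruction


@dataclass
class LocalWirelessDevice:
    """State kept by the local wireless network device across its bridge interfaces."""
    extranet_ip: Dict[str, str] = field(default_factory=dict)         # terminal -> extranet IP
    intranet_ip: Dict[str, str] = field(default_factory=dict)         # terminal -> intranet IP
    preconfigured: Dict[str, Set[str]] = field(default_factory=dict)  # terminal -> allowed dst
    intercepted: List[Tuple[str, str]] = field(default_factory=list)  # (chain, terminal) log

    def first_preset_rule(self, pkt: Packet) -> bool:
        """First preset rule (assumed form): extranet configuration packet from the
        upper-level router, seen on the Forward chain."""
        return (pkt.chain == FORWARD and pkt.src_role == "upper_router"
                and pkt.kind == "extranet_config" and pkt.ip is not None)

    def second_preset_rule(self, pkt: Packet) -> bool:
        """Second preset rule (assumed form): intranet configuration packet from the
        local terminal device, seen on the Prerouting chain."""
        return (pkt.chain == PREROUTING and pkt.src_role == "terminal"
                and pkt.kind == "intranet_config" and pkt.ip is not None)

    def respond(self, pkt: Packet) -> str:
        """Response module: intercept configuration packets on the relevant chain and
        record the address each one carries."""
        if self.first_preset_rule(pkt):
            self.extranet_ip[pkt.terminal] = pkt.ip   # extranet IP the upper router assigned
            self.intercepted.append((FORWARD, pkt.terminal))
            return "intercepted_extranet_config"
        if self.second_preset_rule(pkt):
            self.intranet_ip[pkt.terminal] = pkt.ip   # intranet IP the upper router learns
            self.intercepted.append((PREROUTING, pkt.terminal))
            return "intercepted_intranet_config"
        return "passed"   # anything else is matched by neither preset rule

    def execute(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Execution module: NAT when the destination is not a pre-configured
        terminal-side address, otherwise execute the access instruction as-is."""
        if pkt.kind != "access" or pkt.dst is None:
            raise ValueError("not an access instruction")
        if pkt.dst in self.preconfigured.get(pkt.terminal, set()):
            return ("execute", pkt.dst)
        # Assumption: the translated flow uses the extranet IP learned for this terminal;
        # the text does not say what happens before one is learned, so that is reported.
        ext = self.extranet_ip.get(pkt.terminal)
        return ("nat", ext) if ext is not None else ("nat_unavailable", None)


def demo() -> dict:
    """Constructed walk-through for one terminal; all addresses are sample values."""
    dev = LocalWirelessDevice(preconfigured={"t1": {"10.0.0.9"}})
    r1 = dev.respond(Packet(FORWARD, "upper_router", "extranet_config", "t1", ip="198.51.100.7"))
    r2 = dev.respond(Packet(PREROUTING, "terminal", "intranet_config", "t1", ip="10.0.0.5"))
    # The same extranet packet on the wrong chain must not match the first preset rule.
    r3 = dev.respond(Packet(PREROUTING, "upper_router", "extranet_config", "t1", ip="198.51.100.8"))
    return {
        "responses": (r1, r2, r3),
        "extranet_ip": dev.extranet_ip.get("t1"),
        "intranet_ip": dev.intranet_ip.get("t1"),
        "to_preconfigured": dev.execute(Packet("n/a", "terminal", "access", "t1", dst="10.0.0.9")),
        "to_other": dev.execute(Packet("n/a", "terminal", "access", "t1", dst="203.0.113.20")),
    }


if __name__ == "__main__":
    print(demo())
```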
The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical applications, to thereby enable others skilled in the art to best utilize the disclosure and various embodiments with various modifications as are suited to the particular use contemplated.

Claims (8)

1. An intelligent firewall configuration method based on multiple network ports of a wireless network device is applied to a local wireless network device, the local wireless network device comprises multiple bridge interfaces, and the local wireless network device, a local terminal device and an upper-level router are in communication connection through the bridge interfaces, and the method comprises the following steps:
responding to an external network configuration protocol data packet sent by the upper-level router, intercepting the external network configuration protocol data packet on a Forward chain configured by the local wireless network equipment according to a first preset rule, wherein the upper-level router configures an external network IP address for the local terminal equipment through the external network configuration protocol data packet;
responding to an intranet configuration protocol data packet sent by the local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule, wherein the upper-level router acquires an intranet IP address of the local terminal equipment through the intranet configuration protocol data packet;
acquiring an access instruction of the local terminal equipment, wherein the access instruction comprises an access destination address;
when the access destination address is not the local terminal equipment side IP, performing network address conversion on the access destination address;
when the access destination address is matched with the address pre-configured by the local terminal equipment, executing corresponding operation according to the access instruction;
when the access destination address is matched with the address pre-configured by the local terminal equipment, executing corresponding operation according to the access instruction, wherein the operation comprises the following steps:
acquiring a current access instruction;
determining a first association relationship between the content indicative of the access indication and the content indicative of the historical feature access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the historical characteristic access indication to obtain a plurality of first elements and a plurality of second elements, and determining a first association value between each first element and each second element to obtain the first association relation, wherein the historical characteristic access indication is determined based on access operation in a historical time period;
processing the historical characteristic access indication and the access indication according to the first incidence relation to obtain a target indication parameter;
determining a second association relationship between the indication content of the target indication quantity and the indication content of the access indication, including: respectively constructing a knowledge graph tree of each indication parameter in the access indication and the target indication parameters to obtain a plurality of third elements and a plurality of fourth elements, and determining a second association value between each third element and each fourth element to obtain a second association relation;
determining a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters based on the second correlation value, wherein the second preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the target indication parameters;
determining undetermined indication parameters from the target indication parameters according to the second preset weight and the generation time of the indication parameters in the target indication parameters to obtain a second undetermined indication parameter set, wherein the indication content of the access indication comprises: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the target indication parameter comprises: the indication mark of each indication parameter in the target indication parameters and the generation time in the target indication parameters;
determining a second target indicator from the second set of pending indicators based on the known indicators and the operating timing in the access indicator;
and generating corresponding indication parameters at corresponding positions in the access indication based on the operation time sequence and the indication marks corresponding to the second target indication parameters, so as to carry out indication parameter inspection on the access indication and obtain an access indication result.
2. The method of claim 1, wherein the indication of the access indication comprises: an indication mark of each known indication parameter in the access indication and the generation time in the access indication; the indication content of the historical feature access indication comprises: the processing the historical feature access indication and the access indication according to the first association relationship to obtain a target indication parameter includes:
extracting undetermined indication parameters meeting the access indication space constraint from the historical feature access indication to obtain a first undetermined indication parameter set;
determining a first preset weight of each indication parameter in the access indication relative to each indication parameter in the historical characteristic access indication based on the first correlation value, wherein the first preset weight is used for reflecting the credibility of each indication parameter in the access indication to each indication parameter in the historical characteristic access indication;
determining corresponding undetermined indication parameters from the first to-be-determined indication parameter set according to the sequence of the first preset weight from high to low, wherein the undetermined indication parameters serve as first target indication parameters; and generating corresponding indication parameters at corresponding positions in the access indication according to the generation time of the first target indication parameters in the historical characteristic access indication and the indication marks corresponding to the first target points to obtain target indication parameters.
3. The method of claim 1, wherein obtaining the current access indication comprises:
acquiring a current known indication parameter;
determining an initial access indication based at least on a current known indication quantity;
and performing characteristic association processing on the initial access indication through a self-attention mechanism to obtain the access indication.
4. The method according to claim 3, wherein the performing a feature association process on the initial access indication through a self-attention mechanism to obtain an access indication comprises:
constructing a knowledge-graph tree of known indication parameters in the initial access indication; determining a correlation value between every two known indicating parameters in the initial access indication according to the knowledge graph tree of the known indicating parameters;
determining a third preset weight of each known indicator in the initial access indication relative to other known indicators based on a correlation value between every two known indicators, wherein the third preset weight is used for reflecting the credibility of each indicator in the initial access indication to the other known indicators in the indication;
and adjusting the knowledge graph tree of the known indication parameters in the initial access indication according to the third preset weight to obtain the access indication.
5. The method of claim 1, wherein determining a historical feature access indication based on access operations over a historical period of time comprises:
acquiring access operation in a historical time period;
constructing a plurality of historical access instructions according to preset access time nodes and the access operation;
aligning the plurality of historical access instructions according to time, determining an indication parameter with the highest occurrence frequency under the same operation node from the aligned plurality of historical access instructions, and constructing and obtaining a target historical access instruction according to the indication parameter with the highest occurrence frequency under the same operation node;
and performing characteristic association processing on the target historical access indication through a self-attention mechanism to obtain a historical characteristic access indication.
6. The method according to claim 5, wherein the performing feature association processing on the target historical access indication through the self-attention mechanism to obtain the historical feature access indication comprises:
constructing a knowledge graph tree of each indication parameter in the target historical access indication;
determining a correlation value between every two indication parameters in the target historical access indication according to the knowledge graph tree of each indication parameter;
determining a fourth preset weight of each indication parameter in the target historical access indication relative to other indication parameters based on a correlation value between every two indication parameters, wherein the fourth preset weight is used for reflecting the credibility of each indication parameter in the target historical access indication to the other indication parameters in the indication thereof;
and adjusting the knowledge graph tree of the indication parameters in the target historical access indication according to the fourth preset weight to obtain a historical feature access indication.
7. The method of claim 1, wherein determining a historical feature access indication based on access operations over a historical period of time comprises:
acquiring access operation in a historical time period;
constructing a plurality of historical access instructions according to preset access time nodes and the access operation;
and processing the plurality of historical access indications through an attention mechanism to obtain historical characteristic access indications.
8. An intelligent firewall configuration device based on multiple network ports of a wireless network device is applied to a local wireless network device, the local wireless network device comprises multiple bridge interfaces, the local wireless network device is in communication connection with a local terminal device and an upper-level router through the bridge interfaces, and the device comprises:
a response module, configured to respond to an external network configuration protocol data packet sent by the upper level router, intercept the external network configuration protocol data packet on a Forward chain configured by the local wireless network device according to a first preset rule, where the upper level router configures an external network IP address for the local terminal device through the external network configuration protocol data packet; responding to an intranet configuration protocol data packet sent by the local terminal equipment, intercepting the intranet configuration protocol data packet on a Prerouting chain configured by the local wireless network equipment according to a second preset rule, wherein the upper-level router acquires an intranet IP address of the local terminal equipment through the intranet configuration protocol data packet;
an obtaining module, configured to obtain an access instruction of the local terminal device, where the access instruction includes an access destination address;
the execution module is used for carrying out network address conversion on the access destination address when the access destination address is not the local terminal equipment side IP; when the access destination address is matched with the address pre-configured by the local terminal equipment, executing corresponding operation according to the access instruction;
the execution module being specifically configured to:
acquire a current access indication;
determine a first association relationship between the indication content of the access indication and the indication content of the historical feature access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and in the historical feature access indication to obtain a plurality of first elements and a plurality of second elements, and determining a first association value between each first element and each second element to obtain the first association relationship, wherein the historical feature access indication is determined based on access operations in a historical time period;
process the historical feature access indication and the access indication according to the first association relationship to obtain target indication parameters;
determine a second association relationship between the indication content of the target indication parameters and the indication content of the access indication, comprising: respectively constructing a knowledge graph tree of each indication parameter in the access indication and in the target indication parameters to obtain a plurality of third elements and a plurality of fourth elements, and determining a second association value between each third element and each fourth element to obtain the second association relationship;
determine a second preset weight of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters based on the second association value, wherein the second preset weight reflects the credibility of each indication parameter in the access indication with respect to each indication parameter in the target indication parameters;
determine undetermined indication parameters from the target indication parameters according to the second preset weight and the generation time of the indication parameters in the target indication parameters, to obtain a second undetermined indication parameter set, wherein the indication content of the access indication comprises an indication mark of each known indication parameter in the access indication and its generation time in the access indication, and the indication content of the target indication parameters comprises an indication mark of each indication parameter in the target indication parameters and its generation time in the target indication parameters;
determine a second target indication parameter from the second undetermined indication parameter set based on the known indication parameters and the operation time sequence in the access indication;
and generate corresponding indication parameters at corresponding positions in the access indication based on the operation time sequence and the indication marks corresponding to the second target indication parameter, so as to perform indication parameter checking on the access indication and obtain an access indication result.
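The response module and the execution module of claim 8 name only the netfilter chains (FORWARD, PREROUTING), the two kinds of configuration packet, and the NAT-or-local decision. The following added example, not code from the patent or its assignee, models those three decisions offline and prints the equivalent iptables rules. It assumes things the claim does not state: that the configuration protocol is DHCP (UDP 67/68), that the bridges are named br-wan (towards the upper-level router) and br-lan (towards local terminals), that interception hands matched packets to a userspace handler via NFQUEUE, and that non-local destinations get source NAT behind the WAN-side address. All addresses and packets are constructed.

```python
"""Added example, not code from the patent or its assignee: an offline model
of the response module and execution module of claim 8, plus the equivalent
iptables rules. Assumptions the claim does not make: the "configuration
protocol" is DHCP (UDP 67/68), the bridges are br-wan (towards the upper-level
router) and br-lan (towards local terminals), interception hands the packet to
a userspace handler via NFQUEUE, and non-local destinations get source NAT
behind the WAN-side address. Addresses and packets are constructed.
"""
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.10.0/24")      # assumed terminal side
UPSTREAM_ROUTER = ipaddress.ip_address("10.20.0.1")    # assumed upper-level router
WAN_ADDR = ipaddress.ip_address("10.20.0.50")          # assumed br-wan address
PRECONFIGURED_LOCAL = {                                # assumed pre-configured addresses
    ipaddress.ip_address("192.168.10.1"): "local-admin-ui",
}
DHCP_SERVER, DHCP_CLIENT = 67, 68


@dataclass(frozen=True)
class Packet:
    chain: str       # netfilter chain where the packet is examined
    in_if: str       # ingress bridge interface
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


def first_preset_rule(pkt):
    """External network configuration packet from the upper-level router on
    the FORWARD chain (here: a DHCP server-to-client datagram from br-wan)."""
    return (pkt.chain == "FORWARD" and pkt.in_if == "br-wan"
            and pkt.proto == "udp"
            and pkt.sport == DHCP_SERVER and pkt.dport == DHCP_CLIENT
            and ipaddress.ip_address(pkt.src) == UPSTREAM_ROUTER)


def second_preset_rule(pkt):
    """Intranet configuration packet from a local terminal on the PREROUTING
    chain (here: a DHCP client-to-server datagram from br-lan)."""
    return (pkt.chain == "PREROUTING" and pkt.in_if == "br-lan"
            and pkt.proto == "udp"
            and pkt.sport == DHCP_CLIENT and pkt.dport == DHCP_SERVER)


def response_module(pkt):
    """Claim 8 response module: which preset rule, if any, intercepts the packet."""
    if first_preset_rule(pkt):
        return "INTERCEPT_WAN_CONFIG"   # router assigning an external IP to the terminal
    if second_preset_rule(pkt):
        return "INTERCEPT_LAN_CONFIG"   # router learning the terminal's intranet IP
    return "PASS"


def execution_module(access_destination):
    """Claim 8 execution module: NAT when the destination is not on the local
    terminal side, run the pre-configured operation when it matches one."""
    dst = ipaddress.ip_address(access_destination)
    if dst in PRECONFIGURED_LOCAL:
        return "LOCAL:" + PRECONFIGURED_LOCAL[dst]
    if dst not in LAN_NET:
        return "SNAT:" + str(WAN_ADDR)
    return "FORWARD_LOCAL"


def iptables_rules():
    """The same policy as iptables commands (assumed form; the claim names
    only the chains). Queue numbers 1 and 2 are assumed."""
    return [
        f"iptables -t mangle -A FORWARD -i br-wan -s {UPSTREAM_ROUTER} -p udp "
        f"--sport {DHCP_SERVER} --dport {DHCP_CLIENT} -j NFQUEUE --queue-num 1",
        f"iptables -t mangle -A PREROUTING -i br-lan -p udp "
        f"--sport {DHCP_CLIENT} --dport {DHCP_SERVER} -j NFQUEUE --queue-num 2",
        f"iptables -t nat -A POSTROUTING -o br-wan ! -d {LAN_NET} "
        f"-j SNAT --to-source {WAN_ADDR}",
    ]


if __name__ == "__main__":
    # Constructed packets: a DHCP offer from upstream, a DHCP discover from a
    # terminal, and ordinary HTTPS traffic that neither rule should touch.
    samples = [
        Packet("FORWARD", "br-wan", "10.20.0.1", "192.168.10.23", "udp", 67, 68),
        Packet("PREROUTING", "br-lan", "0.0.0.0", "255.255.255.255", "udp", 68, 67),
        Packet("FORWARD", "br-lan", "192.168.10.23", "93.184.216.34", "tcp", 51000, 443),
    ]
    for p in samples:
        print(p.chain, p.src, "->", p.dst, response_module(p))
    for d in ("93.184.216.34", "192.168.10.1", "192.168.10.44"):
        print(d, execution_module(d))
    print("\n".join(iptables_rules()))
```

Two practical caveats when turning this into a real configuration on a bridged device: iptables only sees frames crossing a Linux bridge when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1, and an NFQUEUE rule without a bound userspace handler drops the queued packets unless --queue-bypass is added, so the interception handler must be running before the rules are installed.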
CN202110217750.4A 2021-02-26 2021-02-26 Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment Active CN112584383B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110217750.4A (CN112584383B, en) | 2021-02-26 | 2021-02-26 | Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment

Publications (2)

Publication Number | Publication Date
CN112584383A (en) | 2021-03-30
CN112584383B (en) | 2021-06-11

Family

ID=75114035

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202110217750.4A (CN112584383B, en) | Intelligent firewall configuration method and device based on multiple network ports of wireless network equipment | 2021-02-26 | 2021-02-26 | Active

Country Status (1)

Country | Link
CN (1) | CN112584383B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
US20140281000A1 (en) * | 2013-03-14 | 2014-09-18 | Cisco Technology, Inc. | Scheduler based network virtual player for adaptive bit rate video playback
US11140180B2 (en) * | 2018-03-23 | 2021-10-05 | International Business Machines Corporation | Guard system for automatic network flow controls for internet of things (IoT) devices
CN110099040B (en) * | 2019-03-01 | 2021-11-30 | 江苏极元信息技术有限公司 | Defense method for detecting and intercepting intranet attack source based on mass bait deployment host
CN111314498B (en) * | 2020-01-21 | 2022-05-24 | 浪潮云信息技术股份公司 | Network address translation method and NAT gateway
CN111641733B (en) * | 2020-06-07 | 2021-04-02 | 深圳市乙辰科技股份有限公司 | Network bridge equipment management method and device and readable storage medium
CN111917626B (en) * | 2020-08-14 | 2022-01-18 | 上海中兴易联通讯股份有限公司 | Centralized forwarding method for Wlan AC service data and electronic equipment

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant