CN113452691B - Service flow detection method and device, server and storage medium - Google Patents


Info

Publication number: CN113452691B
Authority: CN (China)
Prior art keywords: cluster, detection device, safety detection, service, determining
Legal status: Active
Application number: CN202110706482.2A
Other languages: Chinese (zh)
Other versions: CN113452691A
Inventor: 鲍昀
Current Assignee: Weikun Shanghai Technology Service Co Ltd
Original Assignee: Weikun Shanghai Technology Service Co Ltd
Events: application filed by Weikun Shanghai Technology Service Co Ltd; publication of CN113452691A; application granted; publication of CN113452691B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The application discloses a service traffic detection method and apparatus, a server and a storage medium. The method comprises: determining, based on the service type carried by first service traffic, a plurality of security detection device clusters for that service type; determining, based on the cluster load of each security detection device cluster, the order in which the clusters process the first service traffic; determining, based on the service traffic attribute, a target security detection device in each cluster; determining a forwarding path for the first service traffic from that order and those target devices; forwarding the first service traffic in turn to each security detection device on the forwarding path; and, after receiving the security detection result returned by each security detection device, sending the first service traffic to a service processing node. With this method and apparatus, the security detection devices through which service traffic must pass can be selected flexibly, which improves the security detection efficiency of the service traffic.

Description

Service flow detection method and device, server and storage medium
Technical Field
The present application relates to the field of traffic monitoring technologies, and in particular to a service traffic detection method and apparatus, a server, and a storage medium.
Background
Existing service traffic detection schemes mainly connect a security detection device in series on the service link. In this serial arrangement the security detection device inspects service traffic from the external network in real time and intercepts the traffic when it triggers a security rule alarm, thereby providing real-time detection and protection of the service traffic. However, because the existing scheme is serial, a fault in a security detection device on the service link stops the whole service link from working normally. In addition, when there are multiple security detection devices on the service link, the service traffic can only be processed by each security detection device in turn according to their positions on the link; the security detection devices through which the service traffic needs to pass cannot be selected flexibly, which results in low security detection efficiency for the service traffic.
Disclosure of Invention
The application provides a service traffic detection method and apparatus, a server and a storage medium, which can improve the security detection efficiency of service traffic with high flexibility and broad applicability.
In a first aspect, the present application provides a service traffic detection method, including:
receiving first service traffic, where the first service traffic carries a service type and a service traffic attribute;
determining a plurality of security detection device clusters for the service type, and determining the cluster load of each security detection device cluster;
determining, based on the cluster load of each security detection device cluster, the order in which each security detection device cluster processes the first service traffic;
determining, based on the service traffic attribute, a target security detection device in each security detection device cluster;
determining a forwarding path for the first service traffic according to the order in which each security detection device cluster processes the first service traffic and the target security detection device in each cluster;
forwarding the first service traffic in turn to each security detection device on the forwarding path, where, before the first service traffic is forwarded to a first security detection device on the path, it is confirmed that the security detection result returned by a second security detection device located before the first security detection device on the path has been received;
and after receiving the security detection results returned by all security detection devices on the forwarding path, sending the first service traffic to the service processing node according to those results.
With reference to the first aspect, in a possible implementation, determining the cluster load of each security detection device cluster includes:
acquiring the historical cluster load of each security detection device cluster in each sub-time period of each cycle within a preset time period, and determining the predicted cluster load of each cluster in each sub-time period based on that historical cluster load;
and determining the cluster load of each security detection device cluster based on the time at which the first service traffic is received and the predicted cluster load of each cluster in each sub-time period.
With reference to the first aspect, in a possible implementation, determining, based on the cluster load of each security detection device cluster, the order in which each cluster processes the first service traffic includes:
permuting the plurality of security detection device clusters to obtain a plurality of groups (orderings) of security detection device clusters;
acquiring the cluster load variation and the service traffic processing time of each security detection device cluster, and determining, for each group, the cluster load of each cluster at the moment it processes the first service traffic, based on each cluster's cluster load, cluster load variation and service traffic processing time;
determining the total cluster load of each group from the cluster loads of its clusters when processing the first service traffic;
and determining the cluster order of the group with the minimum total cluster load among the plurality of groups as the order in which each security detection device cluster processes the first service traffic.
With reference to the first aspect, in a possible implementation, determining a target security detection device in a security detection device cluster based on the service traffic attribute includes:
computing a hash of the service traffic attribute to obtain a hash value, and determining a target index value for the service traffic attribute from that hash value;
and determining, in each security detection device cluster, the security detection device whose preset index range contains the target index value as the target security detection device of that cluster, where the preset index ranges of the security detection devices within a cluster are all different.
With reference to the first aspect, in a possible implementation, determining the plurality of security detection device clusters for the service type includes:
determining, in a preset mapping table between security levels and security detection device clusters, the preset mapping whose security level matches the security level corresponding to the service type as the target mapping;
and determining the plurality of security detection device clusters in the target mapping as the plurality of security detection device clusters for the service type.
With reference to the first aspect, in a possible implementation, determining the forwarding path of the first service traffic according to the order in which each security detection device cluster processes the first service traffic and the target security detection device in each cluster includes:
taking the order in which each security detection device cluster processes the first service traffic as the order in which the target security detection devices of those clusters process the first service traffic;
and determining the forwarding path of the first service traffic from that order of the target security detection devices.
With reference to the first aspect, in a possible implementation, the service traffic attribute includes an IP address, a URL domain name, or a MAC address.
With reference to the first aspect, in a possible implementation, the method further includes:
when the security detection result is not received, no longer forwarding the first service traffic to the first security detection device.
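As an added example (not code from the patent), the hash-based target device selection of the implementation above together with the sequential forwarding rule of the first aspect, in Python. The SHA-256 hash, the 1024-entry index space, the device names, the attribute value and the rule that delivery to the service processing node requires every result to be a pass are assumptions.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example value: the patent fixes neither the hash function nor the index space size.
INDEX_SPACE = 1024


@dataclass(frozen=True)
class Device:
    name: str
    index_range: range  # preset index range of this device within its cluster


def validate_cluster(cluster: list[Device], index_space: int = INDEX_SPACE) -> bool:
    """Preset index ranges inside one cluster must differ; here they must also partition the
    index space so that every target index value maps to exactly one device."""
    covered = [0] * index_space
    for device in cluster:
        for i in device.index_range:
            if not 0 <= i < index_space:
                return False
            covered[i] += 1
    return all(c == 1 for c in covered)


def attribute_index(attribute: str, index_space: int = INDEX_SPACE) -> int:
    """Hash the service traffic attribute (IP address, URL domain name or MAC address)
    and reduce the hash value to a target index value (SHA-256 is an assumption)."""
    digest = hashlib.sha256(attribute.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % index_space


def select_target_device(cluster: list[Device], attribute: str) -> Device:
    """The target device of a cluster is the one whose preset index range contains the index."""
    idx = attribute_index(attribute)
    for device in cluster:
        if idx in device.index_range:
            return device
    raise LookupError(f"no device in the cluster covers index {idx}")


def build_path(cluster_order: list[list[Device]], attribute: str) -> list[Device]:
    """Forwarding path: the target device of each cluster, in the clusters' processing order."""
    for cluster in cluster_order:
        if not validate_cluster(cluster):
            raise ValueError("preset index ranges must cover each index exactly once")
    return [select_target_device(cluster, attribute) for cluster in cluster_order]


# detect(device, flow) stands in for sending the flow to a device and waiting for its result:
# True = passed, False = alarm, None = no result received (device faulty or timed out).
DetectFn = Callable[[Device, bytes], Optional[bool]]


def forward_along_path(path: list[Device], flow: bytes, detect: DetectFn) -> tuple[dict[str, bool], bool]:
    """Forward the flow to each device on the path in turn. The next device is used only after
    the previous device's result has been received; if a device returns no result, forwarding
    stops and the flow is not sent to the service processing node. Delivery requires every
    result to be a pass, which is an assumption about "according to each result".
    Returns (results received, delivered to the service processing node)."""
    results: dict[str, bool] = {}
    for device in path:
        result = detect(device, flow)
        if result is None:
            return results, False
        results[device.name] = result
    delivered = len(results) == len(path) and all(results.values())
    return results, delivered


# Constructed clusters: three devices in cluster B (an IPS cluster), two in cluster C (Sky Eye).
CLUSTER_B = [Device("B1", range(0, 341)), Device("B2", range(341, 682)), Device("B3", range(682, 1024))]
CLUSTER_C = [Device("C1", range(0, 512)), Device("C2", range(512, 1024))]


if __name__ == "__main__":
    path = build_path([CLUSTER_C, CLUSTER_B], "10.0.0.5")  # order C then B, constructed attribute
    results, delivered = forward_along_path(path, b"GET / HTTP/1.1", lambda device, flow: True)
    print([device.name for device in path], results, delivered)
```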
In a second aspect, the present application provides a service traffic detection apparatus, including:
a receiving module, configured to receive first service traffic, where the first service traffic carries a service type and a service traffic attribute;
a first determining module, configured to determine a plurality of security detection device clusters for the service type and to determine the cluster load of each security detection device cluster;
a second determining module, configured to determine, based on the cluster load of each security detection device cluster, the order in which each cluster processes the first service traffic;
a third determining module, configured to determine, based on the service traffic attribute, a target security detection device in each security detection device cluster;
a fourth determining module, configured to determine a forwarding path for the first service traffic according to the order in which each security detection device cluster processes the first service traffic and the target security detection device in each cluster;
a first forwarding module, configured to forward the first service traffic in turn to each security detection device on the forwarding path and, before forwarding the first service traffic to a first security detection device on the path, to confirm that the security detection result returned by a second security detection device located before it on the path has been received;
and a second forwarding module, configured to send the first service traffic to the service processing node according to the security detection results after receiving the results returned by all security detection devices on the forwarding path.
In a third aspect, the present application provides a server including a processor, a memory and a transceiver, which are connected to one another. The memory stores a computer program that supports the service traffic detection apparatus in executing the service traffic detection method, the computer program including program instructions; the processor is configured to invoke those program instructions to execute the service traffic detection method described in the first aspect of the present application.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program that includes program instructions; when executed by a processor, the program instructions cause the processor to perform the service traffic detection method described in the first aspect of the present application.
In the present application, the server may determine, based on the service type carried by first service traffic, a plurality of security detection device clusters for that service type; determine, based on the cluster load of each cluster, the order in which the clusters process the first service traffic; determine, based on the service traffic attribute, a target security detection device in each cluster; from these, determine the forwarding path of the first service traffic; forward the first service traffic in turn to each security detection device on the path; and, after receiving the security detection result returned by each device, send the first service traffic to the service processing node. In this way the security detection devices through which service traffic must pass can be selected flexibly, which improves the security detection efficiency of the service traffic.
Drawings
To illustrate the technical solutions of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic architecture diagram of a service traffic detection system provided in the present application;
fig. 2 is a schematic flow chart of a service traffic detection method provided in the present application;
fig. 3 is a schematic structural diagram of a service traffic detection apparatus provided in the present application;
fig. 4 is a schematic structural diagram of a server provided in the present application.
Detailed Description
The technical solutions of the present application are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
To address the low security detection efficiency of service traffic, the application provides a service traffic detection method that determines the forwarding path of first service traffic from the service type and service traffic attribute it carries, forwards the first service traffic in turn to each security detection device on that path, and sends the first service traffic to a service processing node once the security detection result from each security detection device has been received. The security detection devices through which service traffic must pass can thus be selected flexibly, which improves the security detection efficiency of the service traffic.
The service traffic detection method provided by the application is applicable to a service traffic detection system comprising a server, a plurality of security detection device clusters and a service processing node cluster. Referring to fig. 1, fig. 1 is a schematic architecture diagram of a service traffic detection system provided in the present application. As shown in fig. 1, the architecture includes a server 100, security detection device clusters 101, …, 10n, where n is an integer greater than 1, and a service processing node cluster 200. Each security detection device cluster includes a plurality of security detection devices: as shown in fig. 1, security detection device cluster 101 includes security detection devices 1011, …, 101x; …; and security detection device cluster 10n includes security detection devices 10n1, …, 10ny. The service processing node cluster 200 may include a plurality of service processing nodes.
The server 100, each security detection device in the security detection device clusters 101, …, 10n, and each service processing node in the service processing node cluster 200 may be a computer device, including a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a point of sale (POS) machine, a wearable device (for example a smart watch or smart bracelet), and the like.
In the service traffic detection method provided by the present application, the server 100 receives first service traffic from an external network, where the first service traffic carries a service type and a service traffic attribute. First, the server 100 determines, according to the service type carried by the first service traffic, a plurality of security detection device clusters for that service type, for example security detection device clusters 101 and 103. Then the server 100 determines the cluster loads of security detection device clusters 101 and 103 and, based on those cluster loads, the order in which clusters 101 and 103 process the first service traffic. Based on the service traffic attribute carried by the first service traffic, the server 100 determines a first target security detection device in cluster 101 and a second target security detection device in cluster 103. The server 100 then determines the forwarding path of the first service traffic from the processing order of clusters 101 and 103 and from the first and second target security detection devices.
Assuming that the forwarding path of the first service traffic goes to the second target security detection device and then to the first target security detection device, the server 100 forwards the first service traffic to the second target security detection device, which performs security detection on it and returns a security detection result to the server 100; the security detection result here indicates that the first service traffic passes the security detection. On receiving the result from the second target security detection device, the server 100 forwards the first service traffic to the first target security detection device, which performs security detection on it and returns its security detection result to the server 100. On receiving the result from the first target security detection device, the server 100 sends the first service traffic to a first service processing node in the service processing node cluster 200.
For convenience of description, the service traffic detection method provided by the present application is illustrated below with reference to fig. 2, taking the server as the executing entity.
Fig. 2 is a schematic flow chart of the service traffic detection method provided in the present application. As shown in fig. 2, the method may include the following steps:
S101, receiving first service traffic.
Specifically, the server receives first service traffic from the external network, where the first service traffic carries a service type and a service traffic attribute, and the service traffic attribute may include an IP address, a URL domain name or a MAC address of the service traffic.
S102, determining a plurality of security detection device clusters for the service type, and determining the cluster load of each security detection device cluster.
In some possible embodiments, the server determines the plurality of security detection device clusters for the service type based on the security level corresponding to the service type and a preset mapping table between security levels and security detection device clusters.
Specifically, the server determines the preset mapping in the preset mapping table (shown in table 1) whose security level matches the security level corresponding to the service type as the target mapping, and determines the security detection device clusters in the target mapping as the plurality of security detection device clusters for the service type.
Table 1 Preset mapping table between each security level and each security detection device cluster

Preset mapping               Security level    Security detection device clusters
First mapping                Level 1           A, C
Second mapping               Level 2           B, C
Third mapping                Level 3           A, B, C
Illustratively, security detection device cluster A consists of WAF devices (web application firewalls), which mainly perform layer-7 security detection on HTTP requests; security detection device cluster B consists of IPS devices (next-generation firewall equipment), which mainly perform security detection on layer-3 and layer-4 traffic; and security detection device cluster C consists of Sky Eye devices, which mainly perform analysis and detection based on threat intelligence.
For example, if the security level corresponding to the service type of the first service traffic is level 2, the second mapping, whose security level in the preset mapping table is level 2, is determined as the target mapping, and security detection device clusters B and C in that mapping are determined as the security detection device clusters for the service type of the first service traffic.
The server then determines the cluster load of each security detection device cluster.
In some possible embodiments, the server determines the current cluster load of each of the plurality of security detection device clusters for the service type of the first service traffic, and uses that current cluster load as the cluster load of each cluster.
In other possible embodiments, the server obtains the historical cluster load of each security detection device cluster in each sub-time period of each cycle (for example each day) within a preset time period (for example one week, one month or one quarter), determines the predicted cluster load of each cluster in each sub-time period from those historical loads, and determines the cluster load of each cluster from the time at which the first service traffic is received and the predicted cluster load of each cluster in the corresponding sub-time period.
For example, assume that the security detection device clusters for the service type of the first service traffic are B and C. The server obtains the historical cluster loads for a first time period (0:00 to 8:00), a second time period (8:00 to 16:00) and a third time period (16:00 to 24:00) of each day in the week preceding the current time (May 23 to May 29), and takes the average of the historical cluster loads of security detection device cluster B in the first time period over that week as the predicted cluster load of B in the first time period. Then, because the first service traffic was received at 9:15, the server uses the predicted cluster load of B in the second time period as the cluster load of B, and the predicted cluster load of C in the second time period as the cluster load of C.
And S103, determining the sequence of processing the first service flow by each safety detection equipment cluster based on the cluster load of each safety detection equipment cluster.
In some possible embodiments, the server determines the order in which the clusters of the security detection devices process the first service traffic according to a principle that the smaller the cluster load is, the earlier the order in which the clusters process the first service traffic is.
In other feasible embodiments, the server performs permutation and combination on a plurality of safety detection device clusters to obtain a plurality of groups of safety detection device clusters; acquiring cluster load variable quantity and service flow processing time of each safety detection equipment cluster, and determining the cluster load quantity of each safety detection equipment cluster when processing first service flow in each group of safety detection equipment cluster based on the cluster load quantity, the cluster load variable quantity and the service flow processing time of each safety detection equipment cluster; determining the total cluster load of each group of safety detection device clusters based on the cluster load of each safety detection device cluster when processing the first service flow in each group of safety detection device cluster; and determining a cluster sequence corresponding to a group of safety detection device clusters with the minimum total cluster load in the plurality of groups of safety detection device clusters as the sequence of processing the first service flow by each safety detection device cluster. The cluster load capacity of each safety detection device cluster is the current cluster load capacity of each safety detection device cluster, the service flow processing time of each safety detection device cluster can be the average time required for each safety detection device cluster to process different types of service flows, and the cluster load variable quantity of each safety detection device cluster can be the load capacity which can be reduced after each safety detection device cluster finishes processing one service flow.
For example, assume that the plurality of security detection device clusters for the service type of the first service traffic are B and C. The server permutes and combines the security detection device clusters B and C to obtain a first group of security detection device clusters {B, C} and a second group of security detection device clusters {C, B}. The server then acquires the first cluster load variable quantity (that of B), the first service traffic processing time (that of B), the second cluster load variable quantity (that of C) and the second service traffic processing time (that of C). The cluster load of B when B processes the first service traffic in the second group {C, B} is determined from the cluster load variable quantity of B, the current cluster load of B and the service traffic processing time of C; the cluster load of C when C processes the first service traffic in the first group {B, C} is determined from the cluster load variable quantity of C, the current cluster load of C and the service traffic processing time of B.
Assume that the cluster load variable quantity of B is 5%, the first service traffic processing time is 10s and the current load of B is 80%, while the cluster load variable quantity of C is 10%, the second service traffic processing time is 20s and the current load of C is 40%. From the cluster load variable quantity of B (5%), the first service traffic processing time (10s), the second service traffic processing time (20s) and the current load of B (80%), the server calculates the cluster load of B when B processes the first service traffic in the second group {C, B} as 80% - (20/10) × 5% = 70%, so the cluster loads of C and B when processing the first service traffic in the second group {C, B} are 40% and 70%, respectively. It can be understood that C needs 20s to process one service flow and B needs 10s, so by the time C finishes processing the first service flow, B has finished processing two service flows; each service flow that B finishes reduces the cluster load of B by 5%, so when B starts processing the first service flow its cluster load is 70%. Similarly, from the cluster load variable quantity of C (10%), the first service traffic processing time (10s), the second service traffic processing time (20s) and the current load of C (40%), the server calculates the cluster load of C when C processes the first service traffic in the first group {B, C} as 40% - (10/20) × 10% = 35%.
Then, from the cluster loads of B and C when processing the first service traffic in the first group {B, C} (i.e., 80% and 35%), the server calculates the total cluster load of the first group of security detection device clusters as 115%, and from the cluster loads of C and B when processing the first service traffic in the second group {C, B} (i.e., 40% and 70%), it calculates the total cluster load of the second group as 110%. The server therefore determines the cluster sequence corresponding to the second group {C, B}, which has the minimum total cluster load of the two groups {B, C} and {C, B}, that is, C first and then B, as the order in which the security detection device clusters B and C process the first service traffic.
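The ordering step above, as an added illustrative example written for this page (not the patent's own implementation): it enumerates every permutation of the clusters, scores each group by its total cluster load and picks the minimum. The generalisation to more than two clusters (summing the processing times of all clusters that precede a cluster in the group) and the clamp at 0% are assumptions; the figures for B and C are the ones used above.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Cluster:
    name: str
    current_load: float     # current cluster load, in percent
    load_delta: float       # load reduced after finishing one service flow, in percent
    processing_time: float  # average time to process one service flow, in seconds


def load_at_first_flow(cluster: Cluster, preceding: list[Cluster]) -> float:
    """Cluster load of `cluster` when it starts processing the first service flow,
    given the clusters that handle the flow before it in this group.

    While the preceding clusters work for sum(t_prev) seconds, `cluster` keeps
    draining its own queue and finishes sum(t_prev) / t_own flows, each of which
    lowers its load by load_delta (the 80% - (20/10) x 5% = 70% step above).
    Summing over more than one preceding cluster and clamping at 0% are assumptions."""
    waiting = sum(c.processing_time for c in preceding)
    flows_finished = waiting / cluster.processing_time
    return max(0.0, cluster.current_load - flows_finished * cluster.load_delta)


def group_loads(group: tuple[Cluster, ...]) -> list[float]:
    """Load of each cluster in `group` at the moment it handles the first flow."""
    return [load_at_first_flow(c, list(group[:i])) for i, c in enumerate(group)]


def total_load(group: tuple[Cluster, ...]) -> float:
    """Total cluster load of one group (one permutation)."""
    return sum(group_loads(group))


def best_order(clusters: list[Cluster]) -> list[str]:
    """Permute the clusters, score every group and return the names of the group
    with the minimum total cluster load (ties keep the first permutation)."""
    groups = list(permutations(clusters))
    best = min(groups, key=total_load)
    return [c.name for c in best]


# Constructed sample values taken from the worked example above.
B = Cluster("B", current_load=80.0, load_delta=5.0, processing_time=10.0)
C = Cluster("C", current_load=40.0, load_delta=10.0, processing_time=20.0)

if __name__ == "__main__":
    for g in permutations([B, C]):
        print([c.name for c in g], group_loads(g), total_load(g))
    print("order:", best_order([B, C]))  # ['C', 'B']
```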
And S104, determining target safety detection equipment in each safety detection equipment cluster based on the service flow attribute.
In some feasible embodiments, the server performs hash calculation on the service flow attribute to obtain a hash value of the service flow attribute, and determines a target index value of the service flow attribute according to the hash value; and determining the safety detection equipment with a preset index range including a target index value in the safety detection equipment cluster as target safety detection equipment in the safety detection equipment cluster, wherein the preset index ranges of the safety detection equipment in the safety detection equipment cluster are different, and the service flow attribute can comprise an ip address, a URL domain name or a mac address and the like of service flow.
Specifically, the server performs hash calculation on the service traffic attribute carried by the first service traffic to obtain a hash value of the attribute, and uses the last digit of the hash value as the target index value of the attribute. The server then traverses each security detection device cluster corresponding to the service type and determines, in each cluster, the security detection device whose preset index range includes the target index value as the target security detection device of that cluster, so that one target security detection device is determined from each security detection device cluster. It can be understood that, through the hash algorithm, the server balances the traffic flowing through a cluster across the security detection devices in it and reduces the performance pressure on each security detection device.
For example, assuming that a target index value of a service traffic attribute carried by a first service traffic is 2, a security detection device cluster a includes a security detection device a1 and a security detection device a2, a preset index range of the security detection device a1 is 0-4, a preset index range of the security detection device a2 is 5-9, and since the preset index range of the security detection device a1 is 0-4 and includes the target index value 2, the server determines the security detection device a1 as a target security detection device in the security detection device cluster a.
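The hash-based selection of a target device, as an added example written for this page rather than the patent's own code. The hash function (SHA-256, interpreted as an integer whose last decimal digit is the target index) is an assumption, since the text only says "hash calculation"; the sample cluster a1 (0-4) / a2 (5-9) is the one from the example above.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    index_range: range  # preset index range, e.g. range(0, 5) covers 0-4


def target_index(attribute: str) -> int:
    """Hash the service traffic attribute and take the last decimal digit as the
    target index value. SHA-256 and the decimal tail are assumptions; any stable
    hash whose result is mapped onto 0-9 serves the same purpose."""
    digest = hashlib.sha256(attribute.encode("utf-8")).hexdigest()
    return int(digest, 16) % 10


def has_overlap(cluster: list[Device]) -> bool:
    """True if two devices in the cluster claim the same index; the preset index
    ranges inside one cluster must be pairwise different."""
    seen = set()
    for dev in cluster:
        for idx in dev.index_range:
            if idx in seen:
                return True
            seen.add(idx)
    return False


def select_device(cluster: list[Device], index: int) -> Device:
    """The device whose preset index range includes `index`."""
    if has_overlap(cluster):
        raise ValueError("preset index ranges in a cluster must not overlap")
    for dev in cluster:
        if index in dev.index_range:
            return dev
    raise LookupError(f"no device in the cluster covers index {index}")


def target_devices(clusters: dict[str, list[Device]], attribute: str) -> dict[str, str]:
    """One target device per cluster for the attribute carried by the traffic."""
    idx = target_index(attribute)
    return {name: select_device(devs, idx).name for name, devs in clusters.items()}


# Constructed sample cluster A from the example above: a1 covers 0-4, a2 covers 5-9.
CLUSTER_A = [Device("a1", range(0, 5)), Device("a2", range(5, 10))]

if __name__ == "__main__":
    print(select_device(CLUSTER_A, 2).name)         # a1
    print(target_devices({"A": CLUSTER_A}, "192.0.2.10"))
```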
And S105, determining a forwarding path of the first service flow according to the sequence of processing the first service flow by each safety detection device cluster and the target safety detection devices in each safety detection device cluster.
In some possible embodiments, the server takes the order in which the security detection device clusters process the first service traffic as the order in which the target security detection devices in those clusters process the first service traffic, and then determines the forwarding path of the first service traffic from that order. Specifically, after determining the order in which the target security detection devices process the first service traffic, the server uses that order as the forwarding path of the first service traffic.
For example, assuming that the order in which the security detection device clusters B and C process the first traffic flow is C first and then B, the target security detection device in the security detection device cluster B is B1, and the target security detection device in the security detection device cluster C is C3, the server determines that the order in which the target security detection devices B1 and C3 process the first traffic flow is C3 first and then B1 second, and determines C3 first and then B1 as the forwarding path of the first traffic flow.
And S106, sequentially forwarding the first service flow to each safety detection device in the forwarding path based on the forwarding path, and confirming that a safety detection result returned by a second safety detection device positioned in front of the first safety detection device in the forwarding path is received before forwarding the first service flow to the first safety detection device in the forwarding path.
And the safety detection result indicates that the first service flow passes the safety detection.
For example, assuming that the forwarding path is c3 and then b1, the server forwards the first service traffic to the security detection device c3, and c3 performs security detection on the received first service traffic and returns a security detection result to the server when the first service traffic passes the security detection. When receiving the security detection result returned by c3, the server forwards the first service traffic to b1, and b1 performs security detection on the received first service traffic and returns the security detection result to the server when the first service traffic passes the security detection.
For another example, again assuming that the forwarding path is c3 and then b1, the server forwards the first service traffic to the security detection device c3, and c3 performs security detection on the received first service traffic and returns a security detection result to the server when the first service traffic passes the security detection. The server starts timing after forwarding the first service traffic to c3; if, after a preset time length, the security detection result from c3 has still not been received, the server does not forward the first service traffic to b1, thereby intercepting service traffic with a security risk so that the service link (for example, the link formed by the server 100 and the service processing node cluster 200 in fig. 1) can still operate normally.
And S107, after receiving each safety detection result returned by each safety detection device in the forwarding path, sending the first service flow to the service processing node according to each safety detection result.
In a feasible implementation manner, the server sends the first service traffic to the service processing node under the condition that it is confirmed that the security detection result returned by each security detection device in the forwarding path is received, so that it can be ensured that the service traffic sent to the service processing nodes in the service link is the service traffic without security risk, and further, it can be ensured that the service processing node can work normally.
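Steps S106 and S107 above, as an added example written for this page (not the patent's own code): the server forwards the traffic hop by hop along the path, uses the next device only after the previous device's result arrived within the preset time length, and hands the traffic to the service processing node only when every device on the path returned a result. The devices are simulated handlers that report the latency at which they returned a result, or nothing when the traffic did not pass; the device names, timings and the flow payload are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Simulated security detection device: returns the latency (seconds) at which its
# detection result reached the server, or None if the traffic did not pass and no
# result is returned at all. Constructed for this example.
DeviceHandler = Callable[[dict], Optional[float]]


@dataclass
class Outcome:
    status: str                       # "delivered" or "intercepted"
    results: dict = field(default_factory=dict)  # device -> result received
    stopped_at: Optional[str] = None  # device whose result did not arrive in time


def forward_along_path(flow: dict, path: list[str], devices: dict[str, DeviceHandler],
                       preset_timeout: float) -> Outcome:
    """S106: forward `flow` to each device in `path` in order. The next device is
    only used after the previous device's result was received within
    preset_timeout; otherwise forwarding stops and the later devices never see
    the flow (interception)."""
    results = {}
    for name in path:
        latency = devices[name](flow)  # the server starts timing at this point
        if latency is None or latency > preset_timeout:
            return Outcome("intercepted", results, name)
        results[name] = "pass"
    return Outcome("delivered", results)


def send_to_service_node(flow: dict, path: list[str], devices: dict[str, DeviceHandler],
                         preset_timeout: float, service_node: Callable[[dict], None]) -> Outcome:
    """S107: the service processing node receives the flow only when a result from
    every device on the path has been received."""
    outcome = forward_along_path(flow, path, devices, preset_timeout)
    if outcome.status == "delivered" and set(outcome.results) == set(path):
        service_node(flow)
    return outcome


def make_device(latency_if_pass: float, passes: Callable[[dict], bool]) -> DeviceHandler:
    """Build a simulated device that answers after `latency_if_pass` seconds when
    `passes(flow)` holds and stays silent otherwise."""
    def handler(flow: dict) -> Optional[float]:
        return latency_if_pass if passes(flow) else None
    return handler


# Constructed devices: c3 inspects the payload, b1 always answers, c3_slow answers
# too late for a 2-second preset time length.
DEVICES = {
    "c3": make_device(0.5, lambda f: f["payload_ok"]),
    "b1": make_device(0.2, lambda f: True),
    "c3_slow": make_device(5.0, lambda f: True),
}

if __name__ == "__main__":
    delivered = []
    print(send_to_service_node({"payload_ok": True}, ["c3", "b1"], DEVICES, 2.0, delivered.append))
    print(send_to_service_node({"payload_ok": False}, ["c3", "b1"], DEVICES, 2.0, delivered.append))
    print("flows reaching the service node:", len(delivered))  # 1
```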
In the application, a plurality of security detection device clusters for a service type can be determined based on the service type carried by a first service traffic; the order in which the security detection device clusters process the first service traffic is determined based on the cluster load of each cluster; a target security detection device in each cluster is determined based on the service traffic attribute; a forwarding path of the first service traffic is then determined; the first service traffic is forwarded in turn to each security detection device in the forwarding path; and the first service traffic is sent to a service processing node after the security detection result from every security detection device has been received. By introducing the concept of security detection device clusters, extremely high redundancy and highly reliable uninterrupted operation can be guaranteed, and services keep running without interruption and without perceptible impact whether a device fails or is under operation and maintenance. In addition, the security detection device clusters are logically connected in series through a physical bypass, that is, they are not located on the service link itself, so the single-point failure problem of serially connected devices in the prior art can be effectively solved.
Based on the description of the above method embodiment, the present application further provides a service traffic detection device, which may be a server in the above method embodiment. Please refer to fig. 3, which is a schematic structural diagram of a service traffic detection apparatus provided in the present application. As shown in fig. 3, the traffic flow detection apparatus 3 may include: a receiving module 31, a first determining module 32, a second determining module 33, a third determining module 34, a fourth determining module 35, a first forwarding module 36 and a second forwarding module 37.
A receiving module 31, configured to receive a first service traffic, where the first service traffic carries a service type and a service traffic attribute;
the first determining module 32 is configured to determine a plurality of security detection device clusters of the service type, and determine a cluster load of each security detection device cluster;
a second determining module 33, configured to determine, based on a cluster load of each safety detection device cluster, an order in which each safety detection device cluster processes the first service traffic;
a third determining module 34, configured to determine, based on the service traffic attribute, a target security detection device in each security detection device cluster;
a fourth determining module 35, configured to determine a forwarding path of the first service traffic according to the order in which the security detection device clusters process the first service traffic and the target security detection devices in the security detection device clusters;
a first forwarding module 36, configured to forward the first service traffic to each security detection device in the forwarding path in sequence based on the forwarding path, and before forwarding the first service traffic to the first security detection device in the forwarding path, confirm that a security detection result returned by a second security detection device located before the first security detection device in the forwarding path has been received;
the second forwarding module 37 is configured to send the first service traffic to the service processing node according to each security detection result after receiving each security detection result returned by each security detection device in the forwarding path.
In some possible embodiments, the first determining module 32 includes:
an obtaining and determining unit 321, configured to obtain a historical cluster load amount of each safety detection device cluster in each sub-time period in each period within a preset time period, and determine a predicted cluster load amount of each safety detection device cluster in each sub-time period based on the historical cluster load amount;
the first determining unit 322 is configured to determine a cluster load amount of each safety detection device cluster based on the time when the first service traffic is received and the predicted cluster load amount of each safety detection device cluster in each sub-time period.
In some possible embodiments, the second determining module 33 is configured to:
arranging and combining the plurality of safety detection equipment clusters to obtain a plurality of groups of safety detection equipment clusters;
acquiring cluster load variable quantity and service flow processing time length of each safety detection equipment cluster, and determining cluster load quantity of each safety detection equipment cluster when first service flow is processed in each group of safety detection equipment cluster on the basis of the cluster load quantity, the cluster load variable quantity and the service flow processing time length of each safety detection equipment cluster;
determining the total cluster load of each group of safety detection device clusters based on the cluster load of each safety detection device cluster when processing the first service flow in each group of safety detection device cluster;
and determining a cluster sequence corresponding to a group of safety detection device clusters with the minimum total cluster load in the plurality of groups of safety detection device clusters as the sequence of processing the first service flow by each safety detection device cluster.
In some possible embodiments, the third determining module 34 includes:
a calculation determining unit 341, configured to perform hash calculation on the service traffic attribute to obtain a hash value of the service traffic attribute, and determine a target index value of the service traffic attribute according to the hash value;
the second determining unit 342 is configured to determine, as a target security detection device in the security detection device cluster, a security detection device in which a preset index range includes a target index value, where the preset index ranges of the security detection devices in the security detection device cluster are different from each other.
In some possible embodiments, the first determining module 32 is configured to:
determining a preset mapping relation where a security level consistent with a security level corresponding to a service type is located in a preset mapping relation table between each security level and each security detection equipment cluster as a target mapping relation;
and determining the plurality of safety detection equipment clusters in the target mapping relation as a plurality of safety detection equipment clusters of the service type.
In some possible embodiments, the fourth determining module 35 is configured to:
determining the sequence of processing the first service flow by each safety detection equipment cluster as the sequence of processing the first service flow by the target safety detection equipment in each safety detection equipment cluster;
and determining a forwarding path of the first service flow according to the sequence of processing the first service flow by the target safety detection equipment in each safety detection equipment cluster.
In some possible embodiments, the traffic attributes include ip addresses, URL domain names, or mac addresses.
It is understood that the service flow detection device 3 is used to implement the steps performed by the server in the embodiment of fig. 2. As to the specific implementation manner and corresponding beneficial effects of the functional blocks included in the service traffic detection apparatus 3 in fig. 3, reference may be made to the specific description of the embodiment in fig. 2, which is not described herein again.
The traffic flow detection device 3 in the embodiment shown in fig. 3 can be implemented by the server 400 shown in fig. 4. Please refer to fig. 4, which is a schematic structural diagram of a server provided in the present application. As shown in fig. 4, the server 400 may include: one or more processors 401, memory 402, and a transceiver 403. The processor 401, memory 402 and transceiver 403 are connected by a bus 404. Wherein the transceiver 403 is configured to receive or transmit data, and the memory 402 is configured to store a computer program, which includes program instructions; processor 401 is configured to execute program instructions stored in memory 402 to perform the following operations:
receiving a first service flow, wherein the first service flow carries a service type and a service flow attribute;
determining a plurality of safety detection equipment clusters of the service type, and determining the cluster load capacity of each safety detection equipment cluster;
determining the sequence of processing the first service flow by each safety detection equipment cluster based on the cluster load capacity of each safety detection equipment cluster;
determining target safety detection equipment in each safety detection equipment cluster based on the service flow attribute;
determining a forwarding path of the first service flow according to the sequence of processing the first service flow by each security detection equipment cluster and target security detection equipment in each security detection equipment cluster;
sequentially forwarding the first service flow to each safety detection device in the forwarding path based on the forwarding path, and confirming that a safety detection result returned by a second safety detection device positioned in front of the first safety detection device in the forwarding path is received before forwarding the first service flow to the first safety detection device in the forwarding path;
and after receiving each safety detection result returned by each safety detection device in the forwarding path, sending a first service flow to the service processing node according to each safety detection result.
In some possible embodiments, the processor 401 determines the cluster load amount of each security detection device cluster by:
acquiring historical cluster load capacity of each safety detection equipment cluster in each sub-time period in each period in a preset time period, and determining the predicted cluster load capacity of each safety detection equipment cluster in each sub-time period based on the historical cluster load capacity;
and determining the cluster load capacity of each safety detection equipment cluster based on the time of receiving the first service flow and the predicted cluster load capacity of each safety detection equipment cluster in each sub-time period.
In some possible embodiments, the processor 401 determines the order in which each security detection device cluster processes the first service traffic, based on the cluster load of each security detection device cluster, by:
arranging and combining the plurality of safety detection equipment clusters to obtain a plurality of groups of safety detection equipment clusters;
acquiring cluster load variable quantity and service flow processing time of each safety detection equipment cluster, and determining the cluster load quantity of each safety detection equipment cluster when processing first service flow in each group of safety detection equipment cluster based on the cluster load quantity, the cluster load variable quantity and the service flow processing time of each safety detection equipment cluster;
determining the total cluster load of each group of safety detection device clusters based on the cluster load of each safety detection device cluster when processing the first service flow in each group of safety detection device cluster;
and determining a cluster sequence corresponding to a group of safety detection device clusters with the minimum total cluster load in the plurality of groups of safety detection device clusters as the sequence of processing the first service flow by each safety detection device cluster.
In some possible embodiments, the processor 401 determines a target security detection device in each security detection device cluster, based on the service traffic attribute, by:
performing hash calculation on the service flow attribute to obtain a hash value of the service flow attribute, and determining a target index value of the service flow attribute according to the hash value;
and determining the safety detection equipment of which the preset index range comprises the target index value in each safety detection equipment cluster as the target safety detection equipment in each safety detection equipment cluster, wherein the preset index ranges of the safety detection equipment in each safety detection equipment cluster are different.
In some possible embodiments, the processor 401 determines a plurality of security detection device clusters of a service type by:
determining a preset mapping relation where a security level consistent with a security level corresponding to a service type is located in a preset mapping relation table between each security level and each security detection equipment cluster as a target mapping relation;
and determining the plurality of safety detection equipment clusters in the target mapping relation as a plurality of safety detection equipment clusters of the service type.
In some possible embodiments, the processor 401 determines a forwarding path of the first traffic according to the order in which the security detection device clusters process the first traffic and the target security detection devices in the security detection device clusters by:
determining the sequence of processing the first service flow by each safety detection equipment cluster as the sequence of processing the first service flow by the target safety detection equipment in each safety detection equipment cluster;
and determining a forwarding path of the first service flow according to the sequence of processing the first service flow by the target safety detection equipment in each safety detection equipment cluster.
In some possible embodiments, the service traffic attribute includes an ip address, a URL domain name, or a mac address.
It should further be noted that the present application also provides a computer-readable storage medium, which stores the aforementioned computer program executed by the traffic flow detection apparatus 3. The computer program includes program instructions, and when the processor executes the program instructions, the traffic flow detection method described in the embodiment corresponding to fig. 2 can be performed, so the details are not repeated here; likewise, the beneficial effects of the same method are not described again. For technical details not disclosed in the embodiments of the computer-readable storage medium referred to in the present application, reference is made to the description of the method embodiments of the present application. As an example, the program instructions may be deployed to be executed on one computing device, or on multiple computing devices at one site, or distributed across multiple sites interconnected by a communication network, which may comprise a blockchain system.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The method and the related device provided by the application are described by referring to the method flow chart and/or the structure schematic diagram provided by the application, and each flow and/or block of the method flow chart and/or the structure schematic diagram and the combination of the flow and/or block in the flow chart and/or the block diagram can be realized by computer program instructions. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block or blocks.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and is not to be construed as limiting the scope of the present application, so that the present application is not limited thereto, and all equivalent variations and modifications can be made to the present application.

Claims (10)

1. A method for detecting service flow is characterized by comprising the following steps:
receiving a first service flow, wherein the first service flow carries a service type and a service flow attribute;
determining a plurality of safety detection equipment clusters of the service type, and determining the cluster load capacity of each safety detection equipment cluster;
determining the order of processing the first service flow by each safety detection equipment cluster based on the cluster load capacity of each safety detection equipment cluster;
determining target safety detection equipment in each safety detection equipment cluster based on the service flow attribute;
determining a forwarding path of the first service traffic according to the sequence of processing the first service traffic by each security detection device cluster and a target security detection device in each security detection device cluster;
sequentially forwarding the first service traffic to each safety detection device in the forwarding path based on the forwarding path, and confirming that a safety detection result returned by a second safety detection device positioned in front of the first safety detection device in the forwarding path is received before forwarding the first service traffic to the first safety detection device in the forwarding path;
and after receiving each safety detection result returned by each safety detection device in the forwarding path, sending the first service flow to a service processing node according to each safety detection result.
2. The method of claim 1, wherein the determining a cluster load amount of each security detection device cluster comprises:
acquiring historical cluster load capacity of each safety detection equipment cluster in each sub-time period in each period in a preset time period, and determining predicted cluster load capacity of each safety detection equipment cluster in each sub-time period based on the historical cluster load capacity;
determining the cluster load capacity of each safety detection device cluster based on the time of receiving the first service flow and the predicted cluster load capacity of each safety detection device cluster in each sub-time period.
3. The method according to claim 1, wherein the determining, based on the cluster load amount of each security detection device cluster, an order in which each security detection device cluster processes the first traffic flow includes:
the plurality of safety detection equipment clusters are arranged and combined to obtain a plurality of groups of safety detection equipment clusters;
acquiring cluster load variable quantity and service flow processing time of each safety detection equipment cluster, and determining the cluster load quantity of each safety detection equipment cluster when processing the first service flow in each group of safety detection equipment cluster based on the cluster load quantity, the cluster load variable quantity and the service flow processing time of each safety detection equipment cluster;
determining a total cluster load capacity of each group of safety detection device clusters based on the cluster load capacity of each safety detection device cluster when the first service traffic is processed in each group of safety detection device clusters;
and determining a cluster sequence corresponding to a group of safety detection device clusters with the minimum total cluster load in the plurality of groups of safety detection device clusters as the sequence of processing the first service flow by each safety detection device cluster.
4. The method according to claim 1, wherein the determining the target security detection device in each security detection device cluster based on the service traffic attribute comprises:
performing hash calculation on the service flow attribute to obtain a hash value of the service flow attribute, and determining a target index value of the service flow attribute according to the hash value;
and determining the safety detection equipment with the preset index range including the target index value in each safety detection equipment cluster as the target safety detection equipment in each safety detection equipment cluster, wherein the preset index ranges of the safety detection equipment in each safety detection equipment cluster are different.
5. The method of claim 1, wherein the determining the plurality of clusters of security detection devices for the traffic type comprises:
determining a preset mapping relation where a security level consistent with a security level corresponding to the service type is located in a preset mapping relation table between each security level and each security detection equipment cluster as a target mapping relation;
and determining the plurality of safety detection equipment clusters in the target mapping relation as a plurality of safety detection equipment clusters of the service type.
6. The method according to claim 1, wherein the determining a forwarding path of the first service traffic according to the order in which the security detection device clusters process the first service traffic and the target security detection device in each security detection device cluster comprises:
determining the order in which the security detection device clusters process the first service traffic as the order in which the target security detection devices in those clusters process the first service traffic;
and determining the forwarding path of the first service traffic according to the order in which the target security detection devices process the first service traffic.
7. The method according to any one of claims 1-6, wherein the service traffic attribute comprises an IP address, a URL domain name, or a MAC address.
8. A service traffic detection device, comprising:
a receiving module, configured to receive first service traffic, the first service traffic carrying a service type and a service traffic attribute;
a first determining module, configured to determine a plurality of security detection device clusters for the service type and to determine a cluster load of each security detection device cluster;
a second determining module, configured to determine, based on the cluster load of each security detection device cluster, an order in which the security detection device clusters process the first service traffic;
a third determining module, configured to determine, based on the service traffic attribute, a target security detection device in each security detection device cluster;
a fourth determining module, configured to determine a forwarding path of the first service traffic according to the order in which the security detection device clusters process the first service traffic and the target security detection device in each security detection device cluster;
a first forwarding module, configured to forward the first service traffic in sequence to each security detection device in the forwarding path based on the forwarding path, and, before forwarding the first service traffic to a first security detection device in the forwarding path, to confirm that the security detection result returned by a second security detection device located before the first security detection device in the forwarding path has been received;
and a second forwarding module, configured to send the first service traffic to a service processing node according to the security detection results after the security detection result returned by every security detection device in the forwarding path has been received.
9. A server, comprising a processor, a memory and a transceiver, the processor, the memory and the transceiver being interconnected, wherein the transceiver is configured to receive or transmit data, the memory is configured to store program code, and the processor is configured to invoke the program code to perform the method of any of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which is executed by a processor to implement the method of any one of claims 1-7.
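The claims above describe one pipeline in several pieces: a security-level table that selects the clusters (claim 5), a load-based choice of the cluster processing order (claim 3), hash-to-index-range selection of one device per cluster (claim 4), the resulting forwarding path (claim 6), and sequential forwarding in which each device only receives the flow after the previous device's result has come back (claim 8). The following is an added worked model of that pipeline in Python; it is not code from the patent or its assignee. Everything concrete in it is an assumption: the level and cluster names, the load figures, SHA-256 as the hash and a 1024-slot index space, the load model used for claim 3 (a cluster's load when the flow reaches it = its current load + its load change amount × the time the flow already spent in the clusters ahead of it, summed over the sequence), and the choice to drop the flow at the first "block" verdict rather than finish the path.

```python
import hashlib
import itertools
from dataclasses import dataclass, field
from typing import Callable

# Claim 5: preset mapping table from security level to detection clusters, and the
# service type -> security level mapping. Level and cluster names are assumed.
LEVEL_TABLE = {"high": ["waf", "ids", "av"], "low": ["waf"]}
TYPE_LEVEL = {"payment": "high", "static": "low"}
INDEX_SPACE = 1024  # size of the index space the hash is reduced into (assumed)

@dataclass
class Device:
    name: str
    index_range: range               # claim 4: preset, distinct per device in a cluster
    inspect: Callable[[dict], bool]  # detection stub: True means "clean"

@dataclass
class Cluster:
    name: str
    load: float        # current cluster load
    load_delta: float  # cluster load change amount per unit time
    proc_time: float   # time the cluster needs to process one flow
    devices: list = field(default_factory=list)

def clusters_for_type(service_type: str, registry: dict) -> list:
    """Claim 5: clusters whose security level matches the service type's level."""
    return [registry[n] for n in LEVEL_TABLE[TYPE_LEVEL[service_type]]]

def total_cluster_load(order) -> float:
    """Claim 3 under an assumed load model: a cluster's load when the flow reaches
    it is its current load plus load_delta times the time the flow already spent
    in the clusters ahead of it; the group total is the sum over the sequence."""
    elapsed = total = 0.0
    for c in order:
        total += c.load + c.load_delta * elapsed
        elapsed += c.proc_time
    return total

def order_clusters(clusters: list) -> list:
    """Claim 3: the candidate sequence with the minimum total cluster load."""
    return list(min(itertools.permutations(clusters), key=total_cluster_load))

def target_index(attr: str) -> int:
    """Claim 4: hash the traffic attribute and reduce it to an index value."""
    digest = hashlib.sha256(attr.encode()).digest()
    return int.from_bytes(digest[:4], "big") % INDEX_SPACE

def ranges_are_distinct(cluster: Cluster) -> bool:
    """Claim 4 precondition: index ranges inside one cluster must not overlap."""
    covered = [i for d in cluster.devices for i in d.index_range]
    return len(covered) == len(set(covered))

def target_device(cluster: Cluster, attr: str) -> Device:
    """Claim 4: the device whose preset index range contains the target index."""
    idx = target_index(attr)
    for dev in cluster.devices:
        if idx in dev.index_range:
            return dev
    raise LookupError(f"{cluster.name}: no device covers index {idx}")

def forwarding_path(service_type: str, attr: str, registry: dict) -> list:
    """Claim 6: the target device of each cluster, in cluster processing order."""
    ordered = order_clusters(clusters_for_type(service_type, registry))
    return [target_device(c, attr) for c in ordered]

def detect(traffic: dict, registry: dict) -> tuple:
    """Claim 8: hand the flow to each device in path order; the next device only
    receives it once the previous verdict has come back. Returns
    (deliver_to_service_node, verdicts). Stopping at the first 'block' verdict
    instead of finishing the path is this example's choice, not the claim's."""
    verdicts = []
    for dev in forwarding_path(traffic["service_type"], traffic["attr"], registry):
        clean = dev.inspect(traffic)  # synchronous call stands in for the returned result
        verdicts.append(f"{dev.name}:{'clean' if clean else 'block'}")
        if not clean:
            return False, verdicts
    return True, verdicts  # every result received: forward to the service processing node

def stub_inspect(traffic: dict) -> bool:
    """Constructed detector: flags any payload containing the marker b'evil'."""
    return b"evil" not in traffic["payload"]

def build_registry() -> dict:
    """Constructed sample: three clusters, two devices each, the two devices of a
    cluster splitting the index space into halves. Load figures are made up."""
    halves = [range(0, INDEX_SPACE // 2), range(INDEX_SPACE // 2, INDEX_SPACE)]

    def mk(name, load, delta, t):
        devs = [Device(f"{name}-{i}", r, stub_inspect) for i, r in enumerate(halves)]
        return Cluster(name, load, delta, t, devs)

    return {"waf": mk("waf", 10.0, 2.0, 3.0),
            "ids": mk("ids", 30.0, 0.5, 1.0),
            "av": mk("av", 20.0, 1.5, 2.0)}

if __name__ == "__main__":
    reg = build_registry()
    print([c.name for c in order_clusters(clusters_for_type("payment", reg))])
    print(detect({"service_type": "payment", "attr": "203.0.113.7",
                  "payload": b"GET / HTTP/1.1"}, reg))
```

With the constructed figures, the six candidate orderings of the "high" clusters total 67.5, 67.0, 68.0, 67.5, 66.5 and 67.0, so the av, waf, ids sequence wins; the cheapest-to-start cluster is not automatically first, because a cluster whose load grows quickly (waf here) is penalised for every unit of time it waits behind the others. Two practitioner notes: `ranges_are_distinct` enforces the "preset index ranges are different" condition of claim 4, which the device-lookup loop silently depends on, and a real deployment hashes the attribute with a keyed or otherwise non-attacker-controlled function if an adversary choosing the IP, domain or MAC must not be able to steer their traffic onto a particular device.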

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110706482.2A CN113452691B (en) 2021-06-24 2021-06-24 Service flow detection method and device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110706482.2A CN113452691B (en) 2021-06-24 2021-06-24 Service flow detection method and device, server and storage medium

Publications (2)

Publication Number Publication Date
CN113452691A CN113452691A (en) 2021-09-28
CN113452691B true CN113452691B (en) 2022-09-16

Family

ID=77812560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110706482.2A Active CN113452691B (en) 2021-06-24 2021-06-24 Service flow detection method and device, server and storage medium

Country Status (1)

Country Link
CN (1) CN113452691B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114039774B (en) * 2021-11-08 2024-02-09 Topsec Xiong'an Network Security Technology Co., Ltd. Blocking method, detection method and device for malicious PE programs

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8626820B1 (en) * 2003-01-21 2014-01-07 Peer Fusion, Inc. Peer to peer code generator and decoder for digital systems
CN104834599A (en) * 2015-04-24 2015-08-12 Baidu Online Network Technology (Beijing) Co., Ltd. WEB security detection method and device
CN107948087A (en) * 2017-12-07 2018-04-20 Ruijie Networks Co., Ltd. Load balancing method and apparatus
CN108985556A (en) * 2018-06-06 2018-12-11 Beijing Baidu Netcom Science and Technology Co., Ltd. Traffic scheduling method, apparatus, device and computer storage medium
CN110347501A (en) * 2019-06-20 2019-10-18 Beijing Dami Technology Co., Ltd. Service testing method, device, storage medium and electronic device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9106689B2 (en) * 2011-05-06 2015-08-11 Lockheed Martin Corporation Intrusion detection using MDL clustering

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of a Wireless Network Security Detection System for Government Offices; Zhang Xuan; CNKI; 2018-07-15; full text *

Also Published As

Publication number Publication date
CN113452691A (en) 2021-09-28

Similar Documents

Publication Publication Date Title
JP6716727B2 (en) Streaming data distributed processing method and apparatus
US9537747B2 (en) Publish/subscribe overlay network control system
CN104967652A (en) Event subscription method, apparatus and system
Xia et al. Performance and availability modeling of IT systems with data backup and restore
CN112737800B (en) Service node fault positioning method, call chain generating method and server
CN113452691B (en) Service flow detection method and device, server and storage medium
CN113938407A (en) Data center network fault detection method and device based on in-band network telemetry system
CN112217847A (en) Micro service platform, implementation method thereof, electronic device and storage medium
CN108847952A (en) Method, device and system for processing request link context
CN110838932A (en) Network current limiting method and device and electronic equipment
CN106385334A (en) Call-center system and abnormality detection and self-recovery method therefor
CN111160661B (en) Method, system and equipment for optimizing reliability of power communication network
US11889244B2 (en) Passive optical network for utility infrastructure resiliency
CN116112418A (en) Positioning method and device for route leakage, electronic equipment and storage medium
CN114915638B (en) Method and apparatus for network management and computer readable medium
EP4324173A1 (en) Convergence function to avoid micro-loops
CN108683561B (en) Site state detection method and device
CN104168192A (en) Rerouting method and device in fault network
EP2945314B1 (en) Distributed flow processing system fault tolerance method, nodes and system
CN111651845B (en) Power distribution network fault positioning method and device, electronic equipment and storage medium
CN102647424B (en) Data transmission method and data transmission device
US10931796B2 (en) Diffusing packets to identify faulty network apparatuses in multipath inter-data center networks
CN112637053B (en) Method and device for determining backup forwarding path of route
CN108075852A (en) Acquisition methods, device, electronic equipment and the storage medium of network standard time
CN108243113A (en) The method and device of Random Load equilibrium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant