CN113556265A - Data processing method, computer device and readable storage medium - Google Patents


Publication number
CN113556265A
Authority
CN
China
Prior art keywords
target
processing unit
virtual processing
network
traffic data
Legal status
Granted
Application number
CN202110796223.3A
Other languages
Chinese (zh)
Other versions
CN113556265B (en
Inventor
李高超
孙浩
毕慧
李开科
张伟
刘立
王晖
石娜
邹昕
赵志伟
李政
程昊
陈训逊
Current Assignee
Dawning Network Technology Co ltd
National Computer Network and Information Security Management Center
Original Assignee
Dawning Network Technology Co ltd
National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level

Abstract

The embodiments of this application provide a data processing method, a computer device and a readable storage medium. The method comprises the following steps: the splitter board acquires the network traffic data of a target user from the server, generates a target traffic data packet from the network traffic data and an indication field, and sends the target traffic data packet to the compute board. The compute board receives the target traffic data packet sent by the splitter board, extracts the indication field and the network traffic data from it, determines a target virtual processing unit according to the indication field, and sends the network traffic data to that target virtual processing unit. The method and device can perform user rule matching and deep data analysis on network traffic data within one server, reducing processing delay. Virtual processing units can also be created on the compute board using virtualization technology, so the user capacity of the whole server can be expanded.

Description

Data processing method, computer device and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data processing method, a computer device, and a readable storage medium.
Background
At present, in the field of network traffic data analysis, a splitting server and an analysis server mainly analyze and process the network traffic data generated when a user accesses the network, and identify the user's network behavior from the results. For example, whether the user has posted sensitive words is identified from the network traffic data.
In the prior art, during processing the network traffic data can only reach the analysis server from the splitting server by being forwarded through a switch or router, which increases the processing delay of the network traffic data and limits data processing efficiency. In addition, because a switch or router sits on the processing path of the network traffic data, the number of fault points on that path increases, which may also affect the processing efficiency of the network traffic data.
Disclosure of Invention
The embodiment of the application provides a data processing method, a computer device and a readable storage medium, which can improve the processing efficiency of network traffic data.
In a first aspect, a data processing method is provided, applied to a traffic analysis server that includes a splitter board and a compute board. The method comprises the following steps:
the splitter board obtains the network traffic data of a target user;
the splitter board generates a target traffic data packet from the network traffic data and an indication field; the indication field indicates a target virtual processing unit, which is the virtual processing unit, among those running on the compute board, that analyzes the network behavior of the target user according to the target user's network traffic data;
and the splitter board sends the target traffic data packet to the compute board.
The method and device can perform user rule matching and deep data analysis on network traffic data within one server, reducing processing delay. In addition, the virtual processing units are created on the compute board using virtualization technology, so the user capacity of the whole server can be expanded. In a virtualization scenario, the splitter board can encapsulate the indication field in the data packet to indicate the packet's destination node, that is, the destination virtual processing unit of the user's traffic data, so that the indication field achieves accurate distribution of the traffic data to the virtual processing unit. Furthermore, external forwarding paths for the data are reduced, the number of possible fault points is reduced, and data processing efficiency is improved to a certain extent.
With reference to the first aspect, in a possible implementation of the first aspect, the indication field includes N bits, and the N bits correspond to X virtual processing units of the compute board.
This application provides an implementation of the indication field in which one bit corresponds to one or more virtual processing units; the method can forward traffic at the granularity of virtual processing units and accurately designate a particular virtual processing unit to process the user's network traffic data.
With reference to the first aspect, in a possible implementation of the first aspect, the indication field includes M bits, the M bits correspond to Y virtual local area networks, and each virtual local area network includes at least one virtual processing unit.
This application provides an implementation of the indication field in which one bit corresponds to one or more virtual local area networks, so that the traffic data can be broadcast within a local area network.
With reference to the first aspect, in a possible implementation of the first aspect, the splitter board obtaining the network traffic data of a target user from a server includes:
the splitter board obtains a plurality of external data packets; the plurality of external data packets include raw traffic data;
screening, from the plurality of external data packets and according to the data characteristics of the target user, the target data packets that match those data characteristics; the target data packets include the network traffic data of the target user.
This application provides a concrete implementation by which the splitter board obtains the user's traffic data: the compute board captures the user's data packets according to the user's data characteristics, so the user's network traffic data can be accurately extracted.
With reference to the first aspect, in a possible implementation of the first aspect, the splitter board generating a target traffic data packet from the network traffic data and the indication field includes:
determining the target virtual machine corresponding to the target user according to the correspondence between users and virtual machines;
setting the bit corresponding to the target virtual machine in the indication field to a preset effective value to obtain an updated indication field;
and performing outer-layer encapsulation on the target data packet according to the indication field to obtain the target traffic data packet.
In this application the splitter board performs outer-layer encapsulation of the original data packet to obtain the target traffic data packet; the original data packet does not need to be parsed, which reduces the processing load.
In a second aspect, a data processing method is provided, applied to a traffic analysis server that includes a splitter board and a compute board. The method includes:
the compute board receives a target traffic data packet sent by the splitter board, and obtains an indication field and the network traffic data of a target user from the target traffic data packet;
the compute board determines, from the virtual processing units running on it and according to the indication field, the target virtual processing unit corresponding to the target user;
and the compute board determines the virtual network card associated with the target virtual processing unit and sends the network traffic data to the target virtual processing unit, so that the target virtual processing unit analyzes the target user's network behavior according to the network traffic data.
The method and device can perform user rule matching and deep data analysis on network traffic data within one server, reducing processing delay. In addition, the virtual processing units are created on the compute board using virtualization technology, so the user capacity of the whole server can be expanded. In a virtualization scenario, the compute board accurately distributes the traffic data to the virtual machine according to the indication field.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board determines the virtual network card associated with the target virtual processing unit, and transmits the network traffic data to the target virtual processing unit through that associated virtual network card.
This application provides a specific implementation by which the compute board delivers network traffic data to a virtual processing unit.
With reference to the second aspect, in a possible implementation of the second aspect, the indication field includes N bits, and the N bits correspond to X virtual processing units of the compute board.
This application provides an implementation of the indication field in which one bit corresponds to one or more virtual machines and any given bit indicates whether the virtual processing unit corresponding to that bit is the target virtual processing unit, so traffic can be forwarded at virtual-machine granularity and the compute board can accurately determine from the indication field which virtual machine processes the user's network traffic data.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board determining the target virtual processing unit corresponding to the target user according to the indication field includes:
for each of the N bits, if the value of the bit is the preset effective value, determining the virtual processing unit corresponding to that bit as a target virtual processing unit.
This application provides a specific scheme for determining the target virtual processing unit from the value of a bit: the compute board can accurately judge from the value of a bit in the indication field whether a given virtual processing unit is the target virtual processing unit.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board sending the network traffic data to the target virtual processing unit specifically includes:
if the target user corresponds to a plurality of target virtual processing units, the compute board sends the network traffic data to the target virtual processing units one after another;
after the current virtual processing unit finishes processing the network traffic data, it is instructed to forward the network traffic data to the virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit analyzes the target user's network behavior according to the network traffic data.
In this application, when the same piece of traffic data needs to be sent to a plurality of virtual processing units, the compute board can forward the data between virtual processing units by switching virtual network cards. In this mode the compute board distributes the data to the virtual processing units without copying the network traffic data, which reduces the amount of data the compute board has to process.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board sending the network traffic data to the target virtual processing unit specifically includes:
if the target user corresponds to a plurality of target virtual processing units, the compute board makes as many copies of the network traffic data as there are target virtual processing units and sends one copy to each target virtual processing unit.
In this application, when the same traffic data needs to be sent to a plurality of virtual processing units, several copies of the data are made and the different virtual processing units start processing at the same time, which saves overall processing delay.
With reference to the second aspect, in a possible implementation of the second aspect, the indication field includes M bits, the M bits correspond to Y virtual local area networks, and each virtual local area network includes at least one virtual processing unit.
This application provides an implementation of the indication field in which one bit corresponds to one or more virtual local area networks, and the compute board can broadcast the traffic data within a local area network according to the indication field.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board determining the target virtual processing unit corresponding to the target user according to the indication field includes:
for each of the M bits, if the value of the bit is the preset effective value, determining all virtual processing units in the virtual local area network corresponding to that bit as target virtual processing units.
This application provides another scheme for determining the target virtual processing unit from a bit value: the compute board can accurately determine from the value of a bit in the indication field whether the virtual processing units in a given virtual local area network are target virtual processing units.
With reference to the second aspect, in a possible implementation of the second aspect, the compute board determining the virtual network card associated with the target virtual processing unit includes:
determining the virtual network card associated with the target virtual processing unit according to configuration information; the configuration information includes the correspondence between the plurality of virtual processing units running on the compute board and the plurality of virtual network cards of the compute board.
This application provides a specific scheme for determining the target virtual network card after the target traffic data packet is received: the compute board can determine the virtual network card associated with the target virtual processing unit from the configuration information generated when the virtual machine was created, so the virtual network card is matched accurately and the traffic data is distributed accurately.
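As an added example that is not part of this patent, the following Python models the splitter-side steps of the first aspect (setting the effective bit and outer-layer encapsulation) together with the compute-side steps of the second aspect (reading the indication field, resolving target units in both the N-bit and M-bit forms, looking up the associated virtual network card, and the copy and forwarding delivery modes). The outer header layout (one mode byte plus a 16-bit field), the ComputeBoardConfig shape and all unit and VF names are assumptions, and the packet payload is constructed.

```python
import struct
from dataclasses import dataclass

# Constructed outer-header layout for this example (an assumption, not the
# patent's frame format): one mode byte followed by a 16-bit indication field.
OUTER_HDR = struct.Struct("!BH")
FIELD_BITS = 16
MODE_UNIT = 0   # each bit names one virtual processing unit (the N-bit form)
MODE_VLAN = 1   # each bit names one virtual LAN of units (the M-bit form)
EFFECTIVE = 1   # the "preset effective value" of a bit


@dataclass
class ComputeBoardConfig:
    """Correspondence kept by the compute board when units are created (assumed shape)."""
    unit_to_vf: dict    # virtual processing unit id -> virtual network card (VF) name
    vlan_members: dict  # virtual LAN id -> list of unit ids belonging to that LAN


# --- splitter board side ---------------------------------------------------

def build_indication_field(target_bits):
    """Set the bit of every target unit (or LAN) to the effective value."""
    indication = 0
    for bit in target_bits:
        if not 0 <= bit < FIELD_BITS:
            raise ValueError(f"bit {bit} lies outside the {FIELD_BITS}-bit indication field")
        indication |= EFFECTIVE << bit
    return indication


def encapsulate(raw_packet, mode, indication):
    """Outer-layer encapsulation: the raw packet gets a header prepended, never parsed."""
    return OUTER_HDR.pack(mode, indication) + raw_packet


# --- compute board side ----------------------------------------------------

def decapsulate(target_packet):
    """Recover (mode, indication field, network traffic data) from a target packet."""
    if len(target_packet) < OUTER_HDR.size:
        raise ValueError("truncated target traffic data packet")
    mode, indication = OUTER_HDR.unpack_from(target_packet)
    return mode, indication, target_packet[OUTER_HDR.size:]


def resolve_target_units(mode, indication, cfg):
    """Walk every bit; an effective bit selects one unit or every unit of one LAN.

    A bit that maps to nothing is rejected rather than silently ignored, so a
    malformed or stale field can never route one user's traffic to a unit
    that was never configured for it.
    """
    targets = []
    for bit in range(FIELD_BITS):
        if (indication >> bit) & 1 != EFFECTIVE:
            continue
        if mode == MODE_UNIT:
            if bit not in cfg.unit_to_vf:
                raise ValueError(f"bit {bit} names no virtual processing unit")
            targets.append(bit)
        elif mode == MODE_VLAN:
            if bit not in cfg.vlan_members:
                raise ValueError(f"bit {bit} names no virtual LAN")
            targets.extend(cfg.vlan_members[bit])
        else:
            raise ValueError(f"unknown indication mode {mode}")
    return list(dict.fromkeys(targets))  # drop duplicates, keep first-seen order


def dispatch_by_copy(targets, cfg, data):
    """Copy mode: one copy per target unit, handed to every unit's VF at once."""
    return {cfg.unit_to_vf[unit]: data for unit in targets}


def dispatch_by_forwarding(targets, cfg):
    """Forwarding mode: a single buffer; each unit passes it on to the next unit's VF."""
    return [cfg.unit_to_vf[unit] for unit in targets]


def process_on_compute_board(target_packet, cfg, copy=True):
    """Full compute-side path: decapsulate, resolve targets, plan the delivery."""
    mode, indication, data = decapsulate(target_packet)
    targets = resolve_target_units(mode, indication, cfg)
    if copy:
        return targets, dispatch_by_copy(targets, cfg, data)
    return targets, dispatch_by_forwarding(targets, cfg)


if __name__ == "__main__":
    cfg = ComputeBoardConfig(
        unit_to_vf={0: "vf0", 1: "vf1", 2: "vf2", 3: "vf3"},
        vlan_members={0: [0, 1], 1: [2, 3]},
    )
    raw = b"constructed stand-in for one captured user packet"
    pkt = encapsulate(raw, MODE_UNIT, build_indication_field([0, 3]))
    print(process_on_compute_board(pkt, cfg))              # copies to vf0 and vf3
    print(process_on_compute_board(pkt, cfg, copy=False))  # chain vf0 -> vf3
```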
With reference to the first aspect, in a possible implementation of the first aspect, the target virtual processing unit is a container or a virtual machine running on the compute board.
This application also provides a concrete implementation of the virtual processing unit. The compute board can create a plurality of virtual machines or containers to process the network traffic data of different users, which expands the user capacity of the whole server.
In a third aspect, a computer device is provided, which includes a compute board and a splitter board;
the splitter board is configured to acquire the network traffic data of a target user from the server, generate a target traffic data packet from the network traffic data and an indication field, and send the target traffic data packet to the compute board; the indication field indicates a target virtual processing unit on the compute board;
the compute board is configured to receive the target traffic data packet sent by the splitter board and obtain the indication field and the network traffic data from it; and to determine, from the virtual processing units running on the compute board and according to the indication field, the target virtual processing unit and transmit the network traffic data to it, so that the target virtual processing unit analyzes the target user's network behavior according to the network traffic data.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method according to the first aspect, the second aspect, or any possible implementation manner of the first aspect and the second aspect.
In a fifth aspect, the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method according to the first aspect, the second aspect, or any implementation manner of the first aspect and the second aspect when executing the computer program.
A sixth aspect provides a splitter board, including:
an acquisition unit, configured to acquire the network traffic data of a target user;
a processing unit, configured to generate a target traffic data packet from the network traffic data and an indication field; the indication field indicates a target virtual processing unit, which is the virtual processing unit in the compute board that analyzes the network behavior of the target user according to the network traffic data;
and a sending unit, configured to send the target traffic data packet to the compute board.
A seventh aspect provides a compute board, including:
a receiving unit, configured to receive a target traffic data packet sent by the splitter board and obtain an indication field and the network traffic data of a target user from it;
a processing unit, configured to determine, from the virtual processing units running on the compute board and according to the indication field, the target virtual processing unit corresponding to the target user;
and a sending unit, configured to send the network traffic data to the target virtual processing unit so that it analyzes the target user's network behavior according to the network traffic data.
The embodiments of this application provide a data processing method, a computer device and a readable storage medium in which, after user rule matching has been performed on the network traffic data, a compute board performs deep data analysis on it, so that analysis and processing of the network traffic data take place in the same server; the data transmission path is shortened, processing delay and power consumption are reduced, and the processing efficiency of the network traffic data is improved. Virtual machine technology is used to create a plurality of virtual processing units on the compute board, which raises the user capacity of the traffic analysis server and improves the processing efficiency of network traffic data to a certain extent. Providing the compute board reduces the external forwarding paths of the data and the number of possible fault points, and improves data processing efficiency to a certain extent.
In addition, after the user's network traffic data is received, the target traffic data packet of the target user is obtained from the indication field and the network traffic data. The indication field can indicate the virtual processing unit corresponding to the target user, so after the target traffic data packet is parsed it can be determined which virtual processing units are to perform deep data analysis on the target user's network traffic data; accurate distribution of the target traffic data packet is achieved on the basis of the indication field, and the processing efficiency of the network traffic data is improved.
Drawings
FIG. 1 is a schematic diagram of a computer communication system provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of conventional network traffic data analysis;
FIG. 3 is a schematic structural diagram of a traffic analysis server according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of a method for processing network traffic data according to an embodiment of the present application;
FIG. 5 is a schematic illustration of virtualization provided by an embodiment of the present application;
FIG. 6 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a frame structure of an indication field according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a frame structure of an indication field according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of data broadcasting provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of data forwarding provided in an embodiment of the present application;
FIG. 12 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a computer device provided in an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a splitter board provided in an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a compute board provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic diagram of a computer communication system provided by the present application, the system comprising a user terminal 10, an operator server 20 and a third party application server 30. The terminal device 10 can access the third party application server 30 through the operator server 20, and specifically, the terminal device 10 sends a data packet to the operator server 20, where the data packet includes a network address of the third party application server 30 and an identifier of content to be accessed by the user. The identifier of the content to be accessed by the user may be a Uniform Resource Locator (URL).
The operator server 20 may store the data packet transmitted by the terminal device 10 to store the network traffic data of the user. The network traffic data may be data carried in a data packet sent by the terminal device 10, and may be, for example, a network address of the third-party application server 30 and an identifier of content to be accessed by the user.
To identify the user's network behavior and analyze the user's internet behavior and needs from the identification result, the user's network traffic data can be analyzed. FIG. 2 is a schematic diagram of conventional network traffic data analysis. Referring to FIG. 2, an independent splitting server and an analysis server perform user rule matching and deep data analysis respectively: the network traffic data first reaches the splitting server for user rule matching, and then undergoes deep data analysis at the analysis server. User rule matching extracts the traffic data matching a user from massive network traffic data according to a user rule (for example, the user's IP address, time, and so on). Deep data analysis analyzes the network traffic data according to the service requirement and identifies the user's network behavior; for example, sensitive word detection, application layer operations and so on are performed on the basis of the traffic data.
In the existing process the network traffic data can reach the analysis server only after being forwarded by a switch or router, which increases the processing delay of the traffic data and affects the processing efficiency of the network traffic data. Because a switch or router sits on the processing path of the network traffic data, the number of fault points on that path increases, which may also affect processing efficiency. In addition, an external optical module and an optical fiber link are required between the switch (or router) and the analysis server, which increases the overall deployment cost.
On this basis, this application provides an integrated traffic analysis server, which can reduce traffic processing delay, improve the processing efficiency of network traffic data, lower deployment cost, and is easy to deploy and implement. Referring to FIG. 3, the traffic analysis server provided by this application includes a splitter board 301, a computation board 302, a switch board 303, and a management board 304.
The splitter board 301 provides the external interface of the whole traffic analysis server and can receive network traffic data from an external device (e.g., an operator server). The splitter board can also use its built-in hardware network processing chip to perform user rule matching on the network traffic data and extract the traffic data that matches the user rule.
The switch board 302 implements data exchange between all boards plugged into the traffic analysis server; for example, it is responsible for data interaction between the splitter board and the compute board.
The computing board 303 has a built-in Central Processing Unit (CPU); using the CPU, the computing board 303 can perform deep data analysis on the user's network traffic data according to the service requirement (e.g., sensitive word recognition) and recognize the user's network behavior from the analysis result. For example, the traffic analysis server obtains network traffic data from an operator server, and the computing board 303 analyzes the user's network traffic data according to the operator's service requirement.
The management board 304 is configured to manage the other boards plugged into the traffic analysis server. For example, it senses in real time the operating states of the splitter board 301 and the computing board 303, detects whether the data forwarding path between the splitter board 301 and the computing board 303 has a fault, dynamically switches away from a faulty path, and ensures the stability of data processing.
An embodiment of the present application provides a method for processing network traffic data, as shown in fig. 4, the method includes the following steps:
s1, the shunt board card receives the network flow data from the external device, extracts the network flow data matched with the user rule from the received network flow data according to the user rule, and sends the matched network flow data to the computing board card through the switch board card.
The traffic analysis server may provide a traffic analysis service for the external device, and the external device may be an operator server. In addition, the user rule is used to characterize the network traffic data of the user, and may be, for example, the time when the data was generated, the source IP address of the data, the destination IP address of the data, and the like. The embodiment of the present application does not limit the characteristics of the network traffic data, and any information related to the network traffic data of the user belongs to the characteristics of the network traffic data.
And S2, the computing board carries out deep data analysis on the received network traffic data according to the service requirement of the external equipment.
The service requirement of the external device, that is, the network traffic data analysis requirement of the external device, may be sensitive word detection, application layer operation monitoring, or the like, for example.
S3, the computing board sends the result of the deep data analysis to the external device.
In the method shown in fig. 4, the functions of the analysis server are integrated into a pluggable computing board, and the computing board and the shunting board can be plugged into the same server. The shunting board receives the network traffic data, performs user rule matching on it, and sends it to the switch board; the switch board forwards it to the computing board for deep data analysis. Analysis and processing of the network traffic data are therefore completed in the same server, which shortens the data transmission path, reduces processing delay and power consumption, and improves the processing efficiency of the network traffic data.
In one possible implementation, different network traffic analysis software is deployed on the computing board to perform deep data analysis on the network traffic data of different users. However, the amount of network traffic analysis software that can be deployed on one computing board is limited, and the board slots a traffic analysis server can provide are also limited, so the number of users the traffic analysis server can serve is limited. To support traffic data analysis services for more users, virtual machine technology can be used to create multiple virtual processing units on a computing board and run multiple instances of network traffic analysis software on them, so that the network traffic data of more users can be analyzed. By way of example, a virtual processing unit may be a virtual machine or a container. After the computing board creates the virtual processing units, it can maintain the correspondence among virtual processing unit, user and virtual network card.
As shown in fig. 5, a plurality of virtual machines (or containers) are created on a computing board, different network traffic analysis software is run on each virtual machine (or container), the computing board may further maintain a plurality of virtual network cards (VF), and the computing board may transmit network traffic data to the virtual machines (or containers) through the virtual network cards to perform deep data analysis.
It should be noted that the computing board includes a physical network card (PF) that supports interaction between the computing board and other boards or devices and can transmit data to the CPU of the computing board for processing. A virtual network card is a virtual device generated by virtualization technology with the same function as the physical network card; it can likewise transmit data to the CPU of the computing board for processing, and it may share the same physical resources (for example, physical network ports) as the physical network card.
The embodiment of the application provides a data processing method, which is suitable for a splitter board card in a traffic analysis server shown in fig. 3. As shown in fig. 6, the method comprises the steps of:
Step 601, the shunting board obtains network traffic data of a target user.
In specific implementation, the shunting board can acquire network traffic data from an external server. That server may be the demand side of the traffic analysis service, for which the traffic analysis server provides the service; the external server itself obtains the network traffic data of users. For example, the server may be an operator server or another server, which the embodiment of the present application does not limit.
The target user can be a user the server wants monitored or analyzed. The shunting board can extract the network traffic data of the target user from the received network traffic data according to the user rule of the target user, so that the network behavior of the target user can be identified from that data.
Step 602, the shunting board generates a target traffic data packet from the network traffic data of the target user and an indication field; the indication field indicates a target virtual processing unit in the computing board.
It should be noted that the shunting board may obtain the correspondence among virtual processing unit, user and virtual network card from the computing board and locally generate configuration information recording that correspondence. The virtual processing unit corresponding to a user analyzes that user's network behavior from the user's network traffic data, and the virtual network card corresponding to the virtual processing unit transmits the user's network traffic data into the virtual processing unit for deep data analysis.
After the shunting board obtains the network traffic data of the target user, it can determine from the configuration information the virtual processing unit corresponding to the target user, that is, the target virtual processing unit described above. The target virtual processing unit executes the network traffic analysis service of the target user and performs network behavior analysis on the target user according to the target user's network traffic data.
The shunting board then determines the indication field from the target virtual processing unit and encapsulates the indication field together with the network traffic data of the target user into a target traffic data packet, so that the network traffic data of the target user is forwarded by forwarding the target traffic data packet.
In a specific implementation, after the computing board creates the virtual processing units and virtual network cards, it allocates a different identifier (or number) to each virtual processing unit within the same Virtual Local Area Network (VLAN), and may also allocate a different VLAN ID to each virtual local area network it maintains. It should be noted that a virtual processing unit and the virtual network card bound to it correspond to the same identifier or VLAN ID.
In one possible implementation, the indication field includes a valid value and an invalid value, the valid value is used to indicate that the virtual processing unit corresponding to the valid value is the target virtual processing unit, and the invalid value is used to indicate that the virtual processing unit corresponding to the invalid value is not the target virtual processing unit.
Step 603, the shunting board sends the target traffic data packet to the computing board.
In specific implementation, the shunting board sends the target traffic data packet of the target user to the computing board through the switch board.
In the data processing method provided by the embodiment of the application, the functions of the analysis server are integrated into a pluggable computing board, and the computing board and the shunting board can be inserted into the same server. The shunting board receives the network traffic data, performs user rule matching on it, and sends it to the switch board; the switch board forwards it to the computing board for deep data analysis. Analysis and processing of the network traffic data are therefore completed in the same server, which shortens the data transmission path, reduces processing delay and power consumption, and improves the processing efficiency of the network traffic data. Virtual machine technology is used to create multiple virtual processing units on the computing board, which raises the user capacity of the traffic analysis server and, to a certain extent, the processing efficiency of the network traffic data. Because the computing board is arranged inside the server, external forwarding paths of the data are reduced, the number of possible fault points decreases, and data processing efficiency improves accordingly.
In addition, the shunt board card re-encapsulates the network traffic data according to the indication field after receiving the network traffic data of the user, and obtains a target traffic data packet of the target user. The indication field can indicate the virtual processing unit corresponding to the target user, so that the computing board can analyze the target traffic data packet to determine which virtual processing units perform deep data analysis on the network traffic data of the target user, the accurate distribution of the target traffic data packet can be realized based on the indication field, and the processing efficiency of the network traffic data is improved.
The indication field related to the embodiment of the application has the following two implementation modes:
first, the computing board creates X virtual processing units for processing network traffic analysis services of X different users, and may indicate one or more virtual processing units in the X virtual processing units through a plurality of bits.
Illustratively, the indication field includes N bits, and the N bits correspond to X virtual processing units of the computing board. Any one bit in the N bits is used to indicate whether one or more virtual processing units corresponding to the bit are the target virtual processing unit. That is, N may be equal to X, and when N is equal to X, the N bits are in one-to-one correspondence with X (N) virtual processing units, and one bit is used to indicate whether one virtual processing unit corresponding to the bit is the target virtual processing unit. When N is not equal to X, one of the N bits may indicate whether the plurality of virtual processing units corresponding to the bit is the target virtual processing unit. It should be noted that, in the embodiment of the present application, the corresponding relationship between N bits and X virtual processing units is not limited, where N may be equal to X or may not be equal to X, and any scheme that indicates a virtual processing unit on a computing board through one or more bits belongs to the protection scope of the present application.
In a specific implementation, the value of each bit in the N bits is an effective value or an invalid value, and when the value of the bit is an effective value, it indicates that the virtual processing unit corresponding to the bit is used to execute the network traffic analysis service corresponding to the target user, that is, the virtual processing unit is the target virtual processing unit. On the contrary, if the value of the bit is an invalid value, it indicates that the virtual processing unit corresponding to the bit does not execute the network traffic analysis service corresponding to the target user, i.e. the virtual processing unit corresponding to the bit is not the target virtual processing unit. The effective value may be "1", the invalid value may be "0", specific values of the effective value and the invalid value are not limited in the embodiment of the present application, any value that can represent "effective" may be the effective value described in the embodiment of the present application, and any value that can represent "invalid" may be the invalid value described in the embodiment of the present application.
For example, referring to fig. 7, after the shunting board obtains the data packet of the target user from the server, it may encapsulate the indication field in the outer layer of the data packet to obtain the target traffic data packet of the target user. Referring to fig. 7, the indication field includes N bits, and the N bits correspond one to one to N virtual machines created by the computing board; for example, the ith of the N bits corresponds to the virtual machine numbered i. If the shunting board determines from the configuration information that the target virtual processing unit is the virtual machine numbered i, it sets the ith of the N bits to the valid value and the remaining bits to the invalid value.
Optionally, the indication field may further indicate a virtual local area network to which the target virtual processing unit belongs (hereinafter referred to as a target virtual local area network). Illustratively, the indication field may include a field indicating the target VLAN, for example, the indication field includes a P bit, and the P bit may be a binary value converted from the VLAN ID of the target VLAN or a bit indicating the target VLAN.
In this implementation of the indication field one bit corresponds to one virtual processing unit, so traffic can be forwarded at the granularity of a single virtual processing unit and a particular virtual processing unit can be designated precisely to process the user's network traffic data.
Secondly, the virtual processing units created by the computing board form Y virtual local area networks, and multiple bits can indicate that the virtual processing units in one or more of the Y virtual local area networks are the target virtual processing units; that is, the indication field instructs the computing board to broadcast the target traffic data packet of the target user within those virtual local area networks.
That is, if the same network traffic data matches the user rules of multiple users, that is, the network traffic data needs to be sent to the virtual processing units bound to multiple users for processing, the target traffic data packet may be encapsulated according to the indication field to indicate that the computing board card broadcasts the target traffic data packet in the virtual lan.
Illustratively, the indication field includes M bits, and the M bits correspond to the Y virtual local area networks. Any one of the M bits indicates whether the virtual processing units in the one or more virtual local area networks corresponding to that bit are target virtual processing units. M may be equal to Y: the M bits then correspond one to one to the Y (M) virtual local area networks, and each bit indicates whether the virtual processing units in its virtual local area network are target virtual processing units. When M is not equal to Y, one bit may indicate whether the virtual processing units in several virtual local area networks are target virtual processing units. It should be noted that the embodiment of the present application does not limit the correspondence between the M bits and the Y virtual local area networks; M may or may not equal Y, and any scheme that indicates a virtual local area network through one or more bits belongs to the protection scope of the present application.
In a specific implementation, the value of each of the M bits is a valid value or an invalid value. When a bit holds the valid value, all virtual processing units in the virtual local area network corresponding to that bit execute the network traffic analysis service of the target user, that is, they are all target virtual processing units. Conversely, when the bit holds the invalid value, none of the virtual processing units in that virtual local area network executes the network traffic analysis service of the target user, that is, none of them is a target virtual processing unit.
For example, referring to fig. 8, after the shunting board obtains the original data packet from the server, if one data packet hits the user rules of multiple users, the shunting board may encapsulate, in the outer layer of the data packet, an indication of the virtual local area network in which the target traffic data packet is to be broadcast, and so obtain the target traffic data packet of the target user. Referring to fig. 8, the indication field includes M bits, and the M bits correspond one to one to M virtual local area networks maintained on the computing board; for example, the ith of the M bits corresponds to the virtual local area network numbered i. If the shunting board determines from the configuration information that a certain virtual machine is the virtual processing unit corresponding to the target user and that the number of that virtual machine's virtual local area network is i, it sets the ith of the M bits to the valid value and the remaining bits to the invalid value, so that the target traffic data packet of the target user is broadcast in the virtual local area network numbered i. The number of the virtual local area network may be its VLAN ID.
In this second implementation of the indication field one bit corresponds to one virtual local area network, so traffic data can be broadcast within a local area network.
In a possible implementation manner, the shunting board may obtain data packets of the target user from a server (an external server), where the data packets carry network traffic data of the target user such as its source IP address and destination IP address. Illustratively, the shunting board obtains a plurality of external data packets; these may be data packets of many users accessing the network and thus carry network traffic data of different users.
The shunting board card can screen a target data packet which accords with the data characteristics from a plurality of external data packets according to the data characteristics of the target user, wherein the target data packet comprises network flow data of the target user. The data characteristics of the target user, i.e. the user rules mentioned above, are used to characterize the characteristics of the network traffic data of the target user. For example, it may be the source IP address of the target user, the destination IP address, the port number of the target user, the browser used by the target user, the domain name of the target user, and the computer operating system used by the target user.
In one possible implementation manner, after the shunting board obtains an original data packet of the target user from the server, it determines the target virtual processing unit corresponding to the target user according to the correspondence between users and virtual processing units, and sets the bit corresponding to the target virtual processing unit in the indication field to the preset valid value, obtaining the updated indication field.
The shunting board does not parse the data packet; it uses an outer-layer encapsulation technique (for example, MAC-in-MAC) to encapsulate the indication field in the outer layer of the original data packet and so generate the target traffic data packet.
For example, the specific implementation manner of the foregoing splitter board generating the target traffic data packet according to the network traffic data and the indication field includes: and performing outer-layer encapsulation processing on the target data packet according to the indication field to obtain the target flow data packet.
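As an added worked example (not code from the patent), the shunting-board steps 601 to 603 above, with both forms of the indication field, in Python. The outer-header layout is an assumption modelled on MAC-in-MAC: the N-bit per-virtual-processing-unit mask is placed in the 48-bit outer destination address (B-DA) and the M-bit per-VLAN mask in the 12-bit VLAN ID of the outer tag, with TPID 0x88A8; the bit order (virtual processing unit 1 in the left-most bit, as figs. 7, 8 and 11 read), the rules, addresses, user names and unit numbers are all constructed for the example.

```python
"""Shunting-board side: match user rules, pick target virtual processing units
(VPUs) and wrap the original packet in an outer header carrying the indication
field. Header layout and all sample data are assumptions for this example."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

OUTER_TPID = 0x88A8                    # assumed outer-tag TPID (the 802.1ah value)
OUTER_HDR = struct.Struct("!6s6sHH")   # B-DA | B-SA | TPID | TCI, 16 bytes, assumed layout
VPU_BITS = 48                          # N-bit VPU mask lives in the 48-bit B-DA, so N <= 48
VLAN_BITS = 12                         # M-bit VLAN mask lives in the 12-bit VLAN ID, so M <= 12


@dataclass(frozen=True)
class UserRule:
    """A user rule: every attribute that is not None must match the packet metadata."""
    user: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, meta: Dict[str, object]) -> bool:
        wanted = (("src_ip", self.src_ip), ("dst_ip", self.dst_ip), ("dst_port", self.dst_port))
        return all(want is None or meta.get(key) == want for key, want in wanted)


@dataclass
class BoardConfig:
    """Configuration the shunting board records from the computing board."""
    user_to_vpu: Dict[str, int]   # user -> number of the VPU that analyzes that user
    vpu_to_vlan: Dict[int, int]   # VPU number -> VLAN ID of the VLAN it belongs to


def bit_mask(numbers: Iterable[int], width: int) -> int:
    """Unit numbered i sets the i-th bit from the left of a width-bit field (unit 1 = MSB)."""
    mask = 0
    for i in numbers:
        if not 1 <= i <= width:
            raise ValueError(f"number {i} does not fit in a {width}-bit indication field")
        mask |= 1 << (width - i)
    return mask


def render(mask: int, width: int, n: int) -> str:
    """Left-most n bits of the field as a string, the way fig. 11 writes '10010'."""
    return format(mask, f"0{width}b")[:n]


def encapsulate(original: bytes, vpus: Iterable[int] = (), vlans: Iterable[int] = ()) -> bytes:
    """Outer-layer encapsulation: the original packet is neither parsed nor modified."""
    b_da = bit_mask(vpus, VPU_BITS).to_bytes(6, "big")
    tci = bit_mask(vlans, VLAN_BITS)   # PCP/DEI bits stay zero; low 12 bits carry the VLAN mask
    return OUTER_HDR.pack(b_da, bytes(6), OUTER_TPID, tci) + original


def shunt(meta: Dict[str, object], original: bytes, rules: Iterable[UserRule],
          cfg: BoardConfig, broadcast: bool = False) -> Optional[bytes]:
    """Return the target traffic data packet, or None when no user rule hits."""
    users = [r.user for r in rules if r.matches(meta)]
    if not users:
        return None                                   # not a target user's traffic: not forwarded
    vpus = sorted({cfg.user_to_vpu[u] for u in users})
    if broadcast:
        # second implementation: one bit per VLAN, the computing board broadcasts inside it
        return encapsulate(original, vlans={cfg.vpu_to_vlan[v] for v in vpus})
    # first implementation: one bit per VPU, several bits set when several rules hit
    return encapsulate(original, vpus=vpus)


# Constructed sample: 5 VPUs as in fig. 11, VPU 1-2 in VLAN 1, VPU 3-5 in VLAN 2.
SAMPLE_CFG = BoardConfig(user_to_vpu={"user1": 1, "user2": 4},
                         vpu_to_vlan={1: 1, 2: 1, 3: 2, 4: 2, 5: 2})
SAMPLE_RULES = [UserRule("user1", src_ip="10.0.0.5"), UserRule("user2", dst_port=443)]
# One constructed packet that hits both rules: user1 by source IP, user2 by destination port.
SAMPLE_META = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 443}
SAMPLE_PAYLOAD = bytes.fromhex("45000014") + bytes(16)   # placeholder inner packet bytes

if __name__ == "__main__":
    pkt = shunt(SAMPLE_META, SAMPLE_PAYLOAD, SAMPLE_RULES, SAMPLE_CFG)
    print("N-bit field:", render(int.from_bytes(pkt[:6], "big"), VPU_BITS, 5))
    bpkt = shunt(SAMPLE_META, SAMPLE_PAYLOAD, SAMPLE_RULES, SAMPLE_CFG, broadcast=True)
    print("M-bit field:", render(int.from_bytes(bpkt[14:16], "big") & 0x0FFF, VLAN_BITS, 2))
```

The same packet yields the N-bit field "10010" (virtual processing units 1 and 4) in the first mode and the M-bit field "11" (VLAN 1 and VLAN 2) in the second; a packet hitting no rule returns None and is not forwarded at all. The width checks in `bit_mask` matter because the field is bounded by the header it rides in: more virtual processing units or VLANs than bits cannot be indicated this way.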
The embodiment of the application provides a data processing method, which is suitable for a computing board in a traffic analysis server shown in fig. 3. As shown in fig. 9, the method comprises the steps of:
step 901, the calculation board receives a target traffic data packet sent by the shunting board, and acquires an indication field and network traffic data of a target user from the target traffic data packet.
The target traffic data packet is obtained by encapsulating the network traffic data and the indication field of the target user by the shunting board card, so that the network traffic data and the indication field of the target user can be obtained by analyzing the target traffic data packet by the computing board card.
In a possible implementation manner, the target traffic data packet is obtained by the shunting board encapsulating the indication field, by an outer-layer encapsulation technique, in the outer layer of the original data packet of the target user. The computing board can read the indication field from the outer encapsulation part (the outer MAC header) of the target traffic data packet, and can obtain the original data packet of the target user, and thus its network traffic data, by removing that outer encapsulation part.
And step 902, the computing board determines a target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board according to the indication field.
The indication field is used for indicating a target virtual processing unit, namely, a virtual processing unit capable of performing deep data analysis on network traffic data of a target user. The computing board can determine which virtual processing units in the virtual processing units operated by the computing board are the target virtual processing units indicated by the shunting board according to the indication fields.
In one possible implementation, the indication field includes a valid value and an invalid value, the valid value is used to indicate that the virtual processing unit corresponding to the valid value is the target virtual processing unit, and the invalid value is used to indicate that the virtual processing unit corresponding to the invalid value is not the target virtual processing unit. The computing board can determine which virtual processing units in the virtual processing units running on the computing board are the target virtual processing units according to the effective values in the indication fields.
Step 903, the computing board transmits the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
The virtual processing unit may analyze and process the network traffic data of the target user to perform network behavior analysis and obtain the behavior characteristics of the target user's network access, which include, but are not limited to, the user's inbound path and inbound page, the common paths through the sites the user browses, the dwell time of each access, the user's exit page, and the access path.
In the data processing method provided by the embodiment of the application, the functions of the analysis server are integrated into a pluggable computing board, and the computing board and the shunting board can be inserted into the same server. The shunting board receives the network traffic data, performs user rule matching on it, and sends it to the switch board; the switch board forwards it to the computing board for deep data analysis. Analysis and processing of the network traffic data are therefore completed in the same server, which shortens the data transmission path, reduces processing delay and power consumption, and improves the processing efficiency of the network traffic data.
In addition, a virtual machine technology is adopted to create a plurality of virtual processing units on the computing board, and a plurality of network traffic analysis software can be run on the virtual processing units, so that network traffic data analysis of more users is realized. The computing board card can process the network flow data analysis service of multiple users in parallel, the user capacity of the flow analysis server is improved, and the processing efficiency of the network flow data is also improved to a certain extent.
In one possible implementation, the computing board may transmit data to the virtual processing unit through the virtual network card. Illustratively, the specific implementation of sending the network traffic data to the target virtual processing unit by the computing board includes:
and the computing board card determines a virtual network card associated with the target virtual processing unit and transmits the network flow data to the target virtual processing unit through the virtual network card.
It should be noted that, after the computing board creates the virtual processing unit, the corresponding relationship between the virtual processing unit and the virtual network card may be maintained, and the virtual network card corresponding to the virtual processing unit is used to transmit the received data to the virtual processing unit for performing depth data analysis. The virtual network card associated with the target virtual processing unit may be considered as a virtual network card corresponding to the target virtual processing unit.
After the computing board determines the target virtual processing unit according to the indication field, a virtual network card corresponding to the target virtual processing unit can be determined according to the maintained corresponding relation, so that network flow data of a target user can be transmitted to the target virtual processing unit through the virtual network card.
In the embodiment of the present application, based on the two implementation manners of the indication field, the computing board may implement network traffic data distribution of virtual processing unit granularity and network data distribution of virtual local area network granularity according to the indication field. The method comprises the following specific steps:
First, the computing board includes X virtual processing units, the indication field includes N bits, and the N bits correspond to the X virtual processing units, one bit corresponding to one or more virtual processing units. N may be equal to X, in which case the N bits correspond one to one to the X (N) virtual processing units. Specifically, the N bits may be bits in an address field (for example, the BDA field) of the MAC-in-MAC header of the target traffic data packet.
The above-mentioned specific implementation of the N bits is described with reference to the foregoing, and the frame format of the N bits in the target traffic data packet refers to fig. 7 and the description related to fig. 7, which are not described herein again.
Specifically, the computing board may determine the target virtual processing unit according to N bits in the target traffic data packet. For example, the specific implementation of the computing board determining the target virtual processing unit corresponding to the target user according to the indication field includes:
and aiming at each bit in the N bits, if the value of the bit is a preset effective value, determining the virtual processing unit corresponding to the bit as a target virtual processing unit.
Illustratively, the calculation board traverses and judges the value of each bit in the N bits, and judges whether the virtual processing unit corresponding to the bit is the target virtual processing unit according to the value of each bit. For example, assume that the ith bit in the N bits corresponds to the virtual machine numbered i. If the value of the ith bit in the N bits is an effective value, the calculation board card determines the virtual machine with the number of i as a target virtual processing unit, and if the value of the ith bit in the N bits is an invalid value, the virtual machine with the number of i is not the target virtual processing unit.
Second, the indication field includes M bits, the M bits correspond to the Y virtual local area networks, and any one of the M bits indicates whether the virtual processing units in the one or more virtual local area networks corresponding to that bit are target virtual processing units. M may be equal to Y, in which case the M bits correspond one to one to the Y (M) virtual local area networks. Specifically, the M bits may be bits in the VLAN ID field of the MAC-in-MAC header of the target traffic data packet.
The above-mentioned specific implementation of the M bits is described with reference to the foregoing, and the frame format of the M bits in the target traffic data packet refers to fig. 8 and the description related to fig. 8, which is not described herein again.
In one possible implementation, the computing board may determine the target virtual processing unit according to M bits in the target traffic data packet. For example, the specific implementation of the computing board determining the target virtual processing unit corresponding to the target user according to the indication field includes: and aiming at each bit in the M bits, if the value of the bit is a preset effective value, determining all virtual processing units in the virtual local area network corresponding to the bit as target virtual processing units.
Illustratively, the computing board traverses the M bits and, from the value of each bit, judges whether the virtual processing units in the virtual local area network corresponding to that bit are target virtual processing units, that is, whether the target traffic data packet is to be broadcast in that virtual local area network. For example, assume the ith of the M bits corresponds to the virtual local area network numbered i. If the ith bit holds the valid value, the computing board determines that the virtual processing units in virtual local area network i are target virtual processing units; if it holds the invalid value, the virtual processing units in virtual local area network i are not target virtual processing units.
For example, referring to fig. 10, the computing board creates 8 virtual machines; virtual machine 1 to virtual machine 4 belong to VLAN 1, and virtual machine 5 to virtual machine 8 belong to VLAN 2. The indication field includes 2 bits, corresponding to VLAN 1 and VLAN 2 respectively.
Virtual machines 1 to 8 are bound to VF1 to VF8 respectively. Assuming the virtual machines corresponding to user 1 are virtual machine 1 to virtual machine 4, the 2 bits of the indication field may be "10". After the computing board receives the target traffic data packet from the shunting board, it parses the packet to obtain the 2-bit indication field and the network traffic data of user 1, and broadcasts the network traffic data of user 1 within VLAN 1.
In the embodiment of the application, if a piece of network traffic data hits multiple user rules, it needs to be sent to multiple virtual processing units for deep data analysis, and the computing board can distribute it in either of the following two ways:
First, if the indication field indicates multiple virtual processing units, the computing board may control the network traffic data to be forwarded from one target virtual processing unit to the next, so that each target virtual processing unit performs deep data analysis on the network traffic data of the target user.
Illustratively, if a target user corresponds to a plurality of target virtual processing units, the computing board sends the network traffic data to the target virtual processing units one after another;
after the current virtual processing unit finishes processing the network traffic data, it is instructed to forward the network traffic data to the virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
It can be understood that, if the values of W bits of the N bits are valid values, W bits correspond to W virtual processing units. The computing board card firstly transmits the network flow data of the target user to one of the W virtual processing units.
In addition, after the ith virtual processing unit in the W virtual processing units corresponding to the W bits finishes processing the network traffic data, the computing board instructs the ith virtual processing unit to forward the network traffic data to the virtual network card corresponding to the (i + 1) th virtual processing unit in the W virtual processing units, so that the (i + 1) th virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
For example, referring to fig. 11, the computing board creates 5 virtual machines; the indication field includes 5 bits corresponding to virtual machine 1, virtual machine 2, virtual machine 3, virtual machine 4 and virtual machine 5, which are bound to VF1, VF2, VF3, VF4 and VF5 respectively. Assuming that the virtual machines corresponding to user 1 are virtual machine 1 and virtual machine 4, the 5 bits of the indication field may be "10010". After receiving the target traffic data packet from the shunting board, the computing board parses it to obtain the 5-bit indication field and the network traffic data of user 1. The computing board first sends the network traffic data of user 1 to VF1, and VF1 transfers it to virtual machine 1 for processing. After virtual machine 1 completes processing of the network traffic data of user 1, the computing board instructs virtual machine 1 to send the network traffic data of user 1 to VF4, and VF4 transfers it to virtual machine 4 for processing.
In this way, the computing board can realize data distribution to the plurality of virtual processing units without copying network traffic data, and the data processing amount of the computing board is reduced.
Second, if the indication field indicates multiple virtual processing units, the computing board may copy multiple copies of the network traffic data, so that each target virtual processing unit may process the network traffic data of the target user in parallel.
For example, if a target user corresponds to a plurality of target virtual processing units, the computing board copies a plurality of network traffic data according to the number of the target virtual processing units, and sends the network traffic data to each target virtual processing unit.
It can be understood that if W (an integer of at least 2) bits of the N bits take the valid value, the W bits correspond to W virtual processing units. The computing board first makes W copies of the network traffic data of the target user and sends one copy to each of the W virtual processing units.
In this implementation manner, when the same traffic data needs to be sent to multiple virtual processing units, multiple copies of the data can be copied and processing of different virtual processing units can be started in parallel, so that the overall processing delay is saved.
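The following is an added illustration, not code from the patent or its assignees, of the two ways of reading the indication field described above (the M-bit per-VLAN field of fig. 10 and the N-bit per-unit field of fig. 11) together with the two ways of distributing one user's traffic to several target virtual processing units: forwarding a single buffer from VF to VF in turn, or making one copy per target. The bit strings are read as the figures print them (leftmost bit is VLAN 1 or unit 1, "1" is the preset effective value); the in-memory model of virtual processing units and VFs and all names are assumptions made for this example.

```python
"""Decode the indication field and deliver one user's traffic to the target
virtual processing units (VPUs) in the two modes the description gives:
sequential VF-to-VF forwarding of one buffer (no copy) or parallel fan-out
of W copies. Added example; names, bit order and the VPU/VF model are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

EFFECTIVE = "1"   # assumed preset effective value of one bit


def targets_by_vpu(indication: str) -> List[int]:
    """N-bit mode (fig. 11): bit i (leftmost = 1) marks VPU i."""
    return [i + 1 for i, bit in enumerate(indication) if bit == EFFECTIVE]


def targets_by_vlan(indication: str, vlan_members: Dict[int, List[int]]) -> List[int]:
    """M-bit mode (fig. 10): bit i marks VLAN i; every VPU in that VLAN is a target."""
    targets: List[int] = []
    for i, bit in enumerate(indication):
        if bit == EFFECTIVE:
            targets.extend(vlan_members.get(i + 1, []))
    return targets


@dataclass
class VPU:
    """A VM or container bound to exactly one VF."""
    vpu_id: int
    vf_id: int
    seen: List[bytes] = field(default_factory=list)

    def analyse(self, data: bytes) -> None:
        self.seen.append(data)      # stand-in for the deep analysis application


class ComputeBoard:
    def __init__(self, vpus: List[VPU]):
        self.vpus = {v.vpu_id: v for v in vpus}
        self.copies = 0             # payload copies made, to compare the two modes

    def vf_of(self, vpu_id: int) -> int:
        return self.vpus[vpu_id].vf_id

    def deliver_chain(self, data: bytes, targets: List[int]) -> List[int]:
        """First mode: hand the buffer to the first target's VF; after each VPU
        finishes, the same buffer is forwarded to the next target's VF through
        the board's internal switch. Returns the VF order that was used."""
        path: List[int] = []
        for vpu_id in targets:
            path.append(self.vf_of(vpu_id))
            self.vpus[vpu_id].analyse(data)            # same object at every hop
        return path

    def deliver_copy(self, data: bytes, targets: List[int]) -> int:
        """Second mode: W copies, one per target VF, processed in parallel.
        Returns W, the number of copies made."""
        for vpu_id in targets:
            self.copies += 1
            self.vpus[vpu_id].analyse(bytes(bytearray(data)))   # distinct copy
        return len(targets)


def demo_fig11() -> List[int]:
    """Fig. 11: VM1..VM5 on VF1..VF5; user 1's field "10010" -> VM1 then VM4."""
    board = ComputeBoard([VPU(i, i) for i in range(1, 6)])
    return board.deliver_chain(b"user1-traffic", targets_by_vpu("10010"))


def demo_fig10() -> List[int]:
    """Fig. 10: VM1..VM4 in VLAN 1, VM5..VM8 in VLAN 2; field "10" -> all of VLAN 1."""
    vlan_members = {1: [1, 2, 3, 4], 2: [5, 6, 7, 8]}
    return targets_by_vlan("10", vlan_members)


if __name__ == "__main__":
    print("fig. 11 VF path:", demo_fig11())     # [1, 4]
    print("fig. 10 targets:", demo_fig10())     # [1, 2, 3, 4]
```

The chain mode never increments the copy counter, which is the saving the description claims for it; the copy mode trades W copies for the ability to start all W analyses at once.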
In one possible implementation manner, after the computing board creates the virtual processing unit, the corresponding relationship among the virtual processing unit, the user, and the virtual network card may be maintained. Optionally, a virtual local area network corresponding to each virtual processing unit may also be maintained. Specifically, the VLAN ID of the virtual processing unit may be recorded to record the virtual local area network to which the virtual processing unit belongs.
For example, the computing board maintains the corresponding relationship through configuration information, where the configuration information may include the corresponding relationship between a plurality of virtual processing units running on the computing board and a plurality of virtual network cards of the computing board. Based on this, the foregoing specific implementation of determining, by the computing board, the virtual network card associated with the target virtual processing unit includes: and determining the virtual network card associated with the target virtual processing unit according to the configuration information.
In one possible implementation manner, the computing board creates the VFs (i.e., the virtual network cards described above) using SR-IOV hardware passthrough; the switch built into the computing board can switch traffic between a VF and the PF, and also between different VFs.
Taking deployment of a virtual machine as an example, after the computing board creates the virtual machine, the interface of the VF may be bound to the application installed on the virtual machine, thereby binding the virtual machine to the VF. Using this binding relationship, the network traffic data of the target user is transmitted through the VF bound to the virtual machine serving that user to the corresponding virtual machine for processing. The application program analyses network behavior according to the network traffic data.
Taking deployment of a container as an example, after the computing board creates the container, containers are isolated from one another through network namespaces (net namespaces), the network interface of the VF is assigned to the container's network namespace, and the container is started in privileged mode, so that the application program in the container is bound to the VF. It should be noted that a network namespace isolates only the network stack, and privileged mode gives the container broad access to host devices, so the isolation between containers is weaker than that between virtual machines.
In a possible implementation manner, after the computing board receives the target traffic data packet sent by the shunting board, if the indication field in the target traffic data packet matches none of the virtual processing units running on the computing board, the target traffic data packet may be sent to the physical network card of the computing board, which forwards it to the CPU for processing.
The embodiment of the application provides a data processing method, which is suitable for a traffic analysis server shown in fig. 3. As shown in fig. 12, the method includes the steps of:
step 1201, the shunting board card obtains the network traffic data of the target user from the server, and generates a target traffic data packet according to the network traffic data and the indication field.
The indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is used for carrying out network behavior analysis on a target user according to network traffic data of the target user.
Step 1202, the shunt board sends the target traffic data packet to the computation board.
In specific implementation, the shunting board sends the target traffic data packet to the calculation board through the switching board.
Step 1203, the calculation board receives a target traffic data packet sent by the shunting board, and acquires the indication field and the network traffic data from the target traffic data packet.
In specific implementation, the calculation board may perform parsing on the target traffic data packet, and obtain the indication field from an outer encapsulation packet header of the target traffic data packet.
Step 1204, the computing board determines a target virtual processing unit according to the indication field, and sends network traffic data to the target virtual processing unit.
In a specific implementation, the computing board may determine a virtual network card associated with the target virtual processing unit, send network traffic data to the virtual network card associated with the target virtual processing unit, and transmit the network traffic data to the target virtual processing unit through the virtual network card.
In a specific implementation, the computing board identifies which bits of the indication field take the valid value and determines the virtual processing unit corresponding to each such bit as a target virtual processing unit. The specific implementation manner refers to the foregoing description and is not repeated here.
The computing board may also determine the virtual network card bound to the target virtual processing unit according to the corresponding relationship between virtual processing units and virtual network cards.
Optionally, the method shown in fig. 12 may further include:
and step 1205, the target virtual processing unit of the computing board card performs network behavior analysis on the target user according to the network traffic data.
In a specific implementation, an application installed on the target virtual processing unit may perform deep analysis on the network traffic data to obtain a result of network behavior analysis, for example, detect whether network content issued by a user includes a sensitive word.
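The following is an added example, not code from the patent or its assignees, that carries steps 1201 to 1204 of fig. 12 through end to end: the shunting board screens raw packets by a user's data characteristic, sets the bit of each of that user's virtual processing units in an N-bit indication field and prepends it as an outer header; the computing board strips the header, maps every set bit to a VF through its configuration table, and hands a packet whose indication field matches no running virtual processing unit to the physical network card for the CPU. The same steps are restated in the computer-device embodiment below (screening, setting the bit of the target virtual machine, outer-layer encapsulation), so this example also serves that passage. The outer-header layout (a marker byte, the bit count N, then the bitmap bytes), the rule format (match on source subnet) and all names are assumptions made for this illustration; the page does not specify them.

```python
"""Shunting-board encapsulation and computing-board dispatch of the target
traffic data packet (fig. 12, steps 1201 to 1204). Added example; the outer
header layout, the rule format and all names are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAGIC = 0xA5                 # assumed marker identifying the outer header
HDR = struct.Struct("!BB")   # assumed layout: marker, then N (bit count of the field)


@dataclass(frozen=True)
class UserRule:
    """A target user's data characteristic; here an assumed source subnet."""
    user: str
    src_net: ipaddress.IPv4Network


def screen(packets: List[Tuple[str, bytes]], rules: List[UserRule]) -> Dict[str, List[bytes]]:
    """Step 1201 (first half): keep only the external packets that hit a user rule."""
    hits: Dict[str, List[bytes]] = {r.user: [] for r in rules}
    for src, payload in packets:
        addr = ipaddress.IPv4Address(src)
        for r in rules:
            if addr in r.src_net:
                hits[r.user].append(payload)
    return hits


def indication_field(target_vpus: List[int], n_bits: int) -> int:
    """Step 1201 (second half, a): set the bit of every target VPU. Bit 1 is the
    most significant so that the field prints as in the figures, e.g. '10010'."""
    value = 0
    for v in target_vpus:
        if not 1 <= v <= n_bits:
            raise ValueError(f"VPU {v} has no bit in a {n_bits}-bit indication field")
        value |= 1 << (n_bits - v)
    return value


def encapsulate(payload: bytes, ind_field: int, n_bits: int) -> bytes:
    """Step 1201 (second half, b): outer-layer encapsulation of the target packet."""
    nbytes = (n_bits + 7) // 8
    return HDR.pack(MAGIC, n_bits) + ind_field.to_bytes(nbytes, "big") + payload


def parse(packet: bytes) -> Tuple[int, int, bytes]:
    """Step 1203: recover (N, indication field, inner packet) from the outer header,
    rejecting malformed input rather than indexing past it."""
    if len(packet) < HDR.size:
        raise ValueError("truncated outer header")
    magic, n_bits = HDR.unpack_from(packet)
    if magic != MAGIC or n_bits == 0:
        raise ValueError("not a target traffic data packet")
    end = HDR.size + (n_bits + 7) // 8
    if len(packet) < end:
        raise ValueError("truncated indication field")
    ind_field = int.from_bytes(packet[HDR.size:end], "big")
    if ind_field >> n_bits:
        raise ValueError("indication field has bits beyond its declared width")
    return n_bits, ind_field, packet[end:]


class ComputeBoard:
    """Computing board holding its configuration table: VPU id -> VF id."""

    def __init__(self, vpu_to_vf: Dict[int, int]):
        self.vpu_to_vf = dict(vpu_to_vf)
        self.to_cpu: List[bytes] = []    # packets handed to the physical NIC / CPU

    def dispatch(self, packet: bytes) -> List[Tuple[int, int, bytes]]:
        """Step 1204: one (VPU, VF, data) entry per target. A packet whose field
        matches no running VPU is sent to the physical network card instead."""
        n_bits, ind_field, data = parse(packet)
        out = [(v, self.vpu_to_vf[v], data)
               for v in range(1, n_bits + 1)
               if (ind_field >> (n_bits - v)) & 1 and v in self.vpu_to_vf]
        if not out:
            self.to_cpu.append(data)
        return out


def demo() -> Dict[str, object]:
    """Fig. 11 setup: user 1 -> VM1 and VM4; five VMs bound to VF1..VF5."""
    # Constructed sample of (source IP, payload) pairs standing in for raw external packets.
    raw = [("10.1.1.7", b"GET /post/1"), ("10.2.2.9", b"unrelated"), ("10.1.1.8", b"GET /post/2")]
    rules = [UserRule("user1", ipaddress.IPv4Network("10.1.1.0/24"))]
    user_to_vpus = {"user1": [1, 4]}           # assumed user -> VPU table of the shunting board
    n_bits = 5
    board = ComputeBoard({1: 1, 2: 2, 3: 3, 4: 4, 5: 5})
    delivered: List[Tuple[int, int, bytes]] = []
    for user, payloads in screen(raw, rules).items():
        f = indication_field(user_to_vpus[user], n_bits)
        for p in payloads:
            delivered.extend(board.dispatch(encapsulate(p, f, n_bits)))
    # A field naming only a VPU this board does not run falls through to the CPU.
    board.dispatch(encapsulate(b"stray", indication_field([6], 8), 8))
    return {"field": format(indication_field([1, 4], n_bits), "05b"),
            "delivered": delivered, "to_cpu": board.to_cpu}


if __name__ == "__main__":
    print(demo())   # field '10010', four deliveries (2 packets x 2 targets), one stray to CPU
```

Validating the header before trusting N and the bitmap length matters on a board that terminates traffic from another board: a declared width larger than the bytes actually present, or bits set beyond the declared width, is rejected rather than silently mapped to a unit.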
The embodiment of the present application further provides an integrated traffic analysis server, and the structure of the integrated traffic analysis server may refer to fig. 3. The flow analysis server comprises a shunting board card and a calculation board card.
The flow distribution board card is used for acquiring network flow data of a target user from an external server, generating a target flow data packet according to the network flow data and the indication field, and sending the target flow data packet to the calculation board card; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is used for carrying out network behavior analysis on a target user according to the network traffic data of the target user;
the calculation board card is used for receiving a target traffic data packet sent by the shunt board card and acquiring an indication field and network traffic data from the target traffic data packet; and determining a target virtual processing unit according to the indication field, determining a virtual network card associated with the target virtual processing unit, and transmitting network flow data to the target virtual processing unit through the virtual network card, so that the target virtual processing unit performs network behavior analysis on a target user according to the network flow data.
An embodiment of the present application further provides a computer device, which may be the data source device described above. Its internal structure may be as shown in fig. 13. The computer device includes a processor, a memory and a network interface connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database; the internal memory provides the environment for running the operating system and the computer program held in the non-volatile storage medium. The database of the computer device may store configuration information, rights information and the like. The network interface of the computer device communicates with external terminals over a network connection. When executed by the processor, the computer program implements the steps performed by the server in the method shown in fig. 6 of the embodiment of the present application.
By way of example, the computer program when executed by a processor implements: acquiring network flow data of a target user;
generating a target flow data packet according to the network flow data and the indication field; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is a virtual processing unit which is used for analyzing the network behavior of a target user according to the network traffic data of the target user in the virtual processing unit operated by the computing board card;
and sending the target flow data packet to the calculation board card.
In one embodiment, the indication field includes N bits, and the N bits correspond to X virtual processing units of the compute board.
In one embodiment, the indication field includes M bits, the M bits corresponding to Y virtual local area networks, each virtual local area network including at least one virtual processing unit.
By way of example, the computer program when executed by a processor implements:
acquiring a plurality of external data packets; the plurality of external data packets include raw traffic data;
screening, from the plurality of external data packets, target data packets that conform to the data characteristics of a target user, the target data packets including the network traffic data of the target user.
By way of example, the computer program when executed by a processor implements: determining a target virtual machine corresponding to the target user according to the corresponding relation between the user and the virtual machine;
setting a bit corresponding to the target virtual machine in the indication field as a preset effective value to obtain an updated indication field;
and performing outer-layer encapsulation processing on the target data packet according to the indication field to obtain the target flow data packet.
In one embodiment, the target virtual processing unit is a container or virtual machine running on a compute board.
In one embodiment, the computer program when executed by a processor implements: receiving a target traffic data packet sent by a shunting board card, and acquiring an indication field and network traffic data of a target user from the target traffic data packet;
and according to the indication field, determining a target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board card, and transmitting network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
In one embodiment, the computer program when executed by a processor implements: and determining a virtual network card associated with the target virtual processing unit, and transmitting network flow data to the target virtual processing unit through the virtual network card.
In one embodiment, the computer program when executed by a processor implements: and aiming at each bit in the N bits, if the value of the bit is a preset effective value, determining the virtual processing unit corresponding to the bit as a target virtual processing unit.
In one embodiment, the computer program when executed by a processor implements: if the target user corresponds to a plurality of target virtual processing units, sending the network traffic data to the target virtual processing units one after another;
after the current virtual processing unit finishes processing the network traffic data, instructing the current virtual processing unit to forward the network traffic data to the virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
In one embodiment, the computer program when executed by a processor implements:
and if the target user corresponds to a plurality of target virtual processing units, copying a plurality of network traffic data according to the number of the target virtual processing units, and respectively sending the network traffic data to each target virtual processing unit.
In one embodiment, the computer program when executed by a processor implements: and aiming at each bit in the M bits, if the value of the bit is a preset effective value, determining all virtual processing units in the virtual local area network corresponding to the bit as target virtual processing units.
In one embodiment, the computer program when executed by a processor implements: determining a virtual network card associated with the target virtual processing unit according to the configuration information; the configuration information includes a correspondence between a plurality of virtual processing units running on the computing board card and a plurality of virtual network cards of the computing board card.
The embodiment of the present application further provides a shunt board card, as shown in fig. 14, the shunt board card includes: acquisition unit 1401, processing unit 1402, and transmission unit 1403.
An obtaining unit 1401, configured to obtain network traffic data of a target user;
a processing unit 1402, configured to generate a target traffic data packet according to the network traffic data and the indication field; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is a virtual processing unit which is used for analyzing the network behavior of a target user according to the network traffic data in the computing board card;
a sending unit 1403, configured to send the target traffic data packet to the computing board.
An embodiment of the present application further provides a computing board, as shown in fig. 15, the computing board includes: a reception unit 1501, a processing unit 1502, and a transmission unit 1503.
a receiving unit 1501, configured to receive a target traffic data packet sent by the shunting board and obtain the indication field and the network traffic data of the target user from the target traffic data packet;
a processing unit 1502, configured to determine, according to the indication field, the target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board;
the sending unit 1503 is configured to send the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A data processing method is applied to a traffic analysis server, wherein the traffic analysis server comprises a shunting board card and a computing board card, and the method comprises the following steps:
the shunting board card acquires network flow data of a target user;
the shunting board card generates a target flow data packet according to the network flow data and the indication field; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is a virtual processing unit which is used for analyzing the network behavior of the target user according to the network traffic data in the computing board;
and the shunting board card sends the target flow data packet to the calculation board card.
2. The method of claim 1, wherein the indication field comprises N bits, and wherein the N bits correspond to X virtual processing units of the compute board.
3. The method of claim 1, wherein the indication field comprises M bits, and wherein the M bits correspond to Y virtual local area networks, each virtual local area network comprising at least one virtual processing unit.
4. A data processing method is applied to a traffic analysis server, wherein the traffic analysis server comprises a shunting board card and a computing board card, and the method comprises the following steps:
the calculation board card receives a target traffic data packet sent by the shunt board card, and acquires an indication field and network traffic data of a target user from the target traffic data packet;
and the computing board card determines a target virtual processing unit corresponding to the target user from virtual processing units running on the computing board card according to the indication field, and sends the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
5. The method of claim 4, wherein the indication field comprises N bits, the N bits corresponding to X virtual processing units of the compute board,
the determining, by the computing board, the target virtual processing unit corresponding to the target user according to the indication field includes:
and for each bit in the N bits, if the value of the bit is a preset effective value, determining that the virtual processing unit corresponding to the bit is the target virtual processing unit.
6. The method of claim 4, wherein sending the network traffic data to the target virtual processing unit comprises:
if the target user corresponds to a plurality of target virtual processing units, the computing board sends the network traffic data to the target virtual processing units one after another;
after the current virtual processing unit finishes processing the network traffic data, the current virtual processing unit is instructed to forward the network traffic data to a virtual network card corresponding to a next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
7. The method of claim 4, wherein the indication field comprises M bits, wherein the M bits correspond to Y virtual local area networks, and wherein any one of the M bits is used to indicate whether the virtual processing unit in the virtual local area network to which the bit corresponds is the target virtual processing unit,
the determining, by the computing board, the target virtual processing unit corresponding to the target user according to the indication field includes:
and for each bit in the M bits, if the value of the bit is a preset effective value, determining that all the virtual processing units in the virtual local area network corresponding to the bit are the target virtual processing units.
8. The method of claim 4, wherein the target virtual processing unit is a container or a virtual machine running on the compute board.
9. A computer device is characterized by comprising a calculation board card and a shunt board card;
the shunting board card is used for acquiring network traffic data of a target user, generating a target traffic data packet according to the network traffic data and an indication field, and sending the target traffic data packet to the computing board card; the indication field is used for indicating a target virtual processing unit in the computing board card;
the computing board card is configured to receive the target traffic data packet sent by the shunting board card, and obtain the indication field and the network traffic data from the target traffic data packet; and to determine the target virtual processing unit from the virtual processing units running on the computing board card according to the indication field, and send the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 8.
CN202110796223.3A 2021-07-14 2021-07-14 Data processing method, computer device, and readable storage medium Active CN113556265B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110796223.3A CN113556265B (en) 2021-07-14 2021-07-14 Data processing method, computer device, and readable storage medium

Publications (2)

Publication Number Publication Date
CN113556265A true CN113556265A (en) 2021-10-26
CN113556265B CN113556265B (en) 2024-02-20

Family

ID=78103116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110796223.3A Active CN113556265B (en) 2021-07-14 2021-07-14 Data processing method, computer device, and readable storage medium

Country Status (1)

Country Link
CN (1) CN113556265B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205856A (en) * 2021-11-27 2022-03-18 国家计算机网络与信息安全管理中心 Signaling analysis device and signaling analysis method

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838589A (en) * 2006-04-26 2006-09-27 南京大学 Information processing method based on high-speed network data processing platform VPN gateway system
CN101174993A (en) * 2006-11-02 2008-05-07 北京中创信测科技股份有限公司 Network data monitoring and processing method and equipment
US20130262718A1 (en) * 2012-03-30 2013-10-03 Anil Vasudevan Adaptive Queuing of a Cache for a Processing Element
US20130262711A1 (en) * 2012-03-29 2013-10-03 Eliel Louzoun Techniques for using an assigned switch identification at an input/output device
CN103684893A (en) * 2012-09-04 2014-03-26 清华大学 Equipment and method for analyzing network simulation
CN103973518A (en) * 2014-05-28 2014-08-06 重庆重邮汇测通信技术有限公司 Method and device for detecting virtual local area network by adopting packet internet grope
CN205945779U (en) * 2016-08-26 2017-02-08 胡开勇 Network flow analysis device and equipment
CN206515815U (en) * 2017-01-16 2017-09-22 深圳市恒扬数据股份有限公司 A kind of integrated network equipment and system
CN108306832A (en) * 2018-01-29 2018-07-20 北京启明星辰信息安全技术有限公司 A kind of network flow quantity shunting method and device
CN110719267A (en) * 2019-09-25 2020-01-21 山东三未信安信息科技有限公司 Server board card and data processing method thereof
CN110784345A (en) * 2019-10-17 2020-02-11 杭州迪普科技股份有限公司 Network traffic processing method and device, electronic equipment and machine-readable storage medium
CN110912777A (en) * 2019-11-27 2020-03-24 杭州迪普科技股份有限公司 Flow tracking method and device, electronic equipment and machine-readable storage medium
CN112243046A (en) * 2019-07-19 2021-01-19 华为技术有限公司 Communication method and network card
CN112637033A (en) * 2020-12-10 2021-04-09 杭州迪普科技股份有限公司 VLAN (virtual local area network) distribution method, device and equipment based on hardware service board card

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
SYED RAMEEZ ULLAH KAKAKHEL et al.: "Virtualization at the network edge: A technology perspective", 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC) *
王必成; 胡剑凌; 周敏; 孙一帆; 游善红; 曹洪龙: "Design of a cloud-based virtual experiment system for signal processing", Modern Electronics Technique, no. 11 *
程伟华; 赵军; 吴鹏: "Network traffic detection and analysis based on big data streams", Journal of Nanjing University of Science and Technology, no. 03 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant