CN113556265B - Data processing method, computer device, and readable storage medium - Google Patents

Info

Publication number
CN113556265B
Authority
CN
China
Prior art keywords
target
board card
processing unit
network
virtual
Legal status
Active
Application number
CN202110796223.3A
Other languages
Chinese (zh)
Other versions
CN113556265A (en)
Inventor
李高超
孙浩
毕慧
李开科
张伟
刘立
王晖
石娜
邹昕
赵志伟
李政
程昊
陈训逊
Current Assignee
Dawning Network Technology Co ltd
National Computer Network and Information Security Management Center
Original Assignee
Dawning Network Technology Co ltd
National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0876 Network utilisation, e.g. volume of load or congestion level

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the application provides a data processing method, a computer device and a readable storage medium. The method is applied to a traffic analysis server that comprises a splitter board and a computing board, and comprises the following steps: the splitter board acquires network traffic data of a target user from a server, generates a target traffic data packet from the network traffic data and an indication field, and sends the target traffic data packet to the computing board. The computing board receives the target traffic data packet sent by the splitter board, extracts the indication field and the network traffic data from it, determines a target virtual processing unit according to the indication field, and sends the network traffic data to that target virtual processing unit. In this way, user rule matching and deep data analysis of the network traffic data are performed within one server, which reduces processing delay. Because the virtual processing units are created on the computing board using virtualization technology, the user capacity of the whole server can be expanded.

Description

Data processing method, computer device, and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data processing method, a computer device, and a readable storage medium.
Background
At present, in the field of network traffic data analysis, a splitter server and an analysis server are used to analyze and process the network traffic data generated when a user accesses the network, and the user's network behavior is identified from the result of that analysis. For example, whether the user has published a sensitive word is identified from the network traffic data.
In the prior art, network traffic data can reach the analysis server from the splitter server only by being forwarded through a switch or a router, which increases the processing delay of the network traffic data and limits data processing efficiency. In addition, because a switch or router sits on the processing path of the network traffic data, the number of fault points on that path increases, which can also affect the processing efficiency of the network traffic data.
Disclosure of Invention
An embodiment of the application provides a data processing method, a computer device and a readable storage medium that can improve the processing efficiency of network traffic data.
In a first aspect, a data processing method is provided. The method is applied to a traffic analysis server that includes a splitter board and a computing board, and comprises the following steps:
the splitter board obtains network traffic data of a target user;
the splitter board generates a target traffic data packet from the network traffic data and an indication field, where the indication field indicates a target virtual processing unit, that is, the virtual processing unit among those running on the computing board that performs network behavior analysis of the target user from the target user's network traffic data;
and the splitter board sends the target traffic data packet to the computing board.
With this method, user rule matching and deep data analysis of the network traffic data are performed within one server, which reduces processing delay. In addition, the virtual processing units are created on the computing board using virtualization technology, so the user capacity of the whole server can be expanded. In the virtualization scenario, the splitter board encapsulates the indication field in the data packet to indicate the packet's destination node, that is, the destination virtual processing unit of the user's traffic data, so that the traffic data is distributed accurately to that virtual processing unit by means of the indication field. Furthermore, the external forwarding paths of the data are reduced, the number of possible fault points is reduced as well, and data processing efficiency is improved to a certain degree.
With reference to the first aspect, in one possible implementation of the first aspect, the indication field includes N bits, and the N bits correspond to X virtual processing units of the computing board.
The application provides an implementation of the indication field in which one bit corresponds to one or more virtual processing units, so that traffic forwarding at the granularity of a virtual processing unit can be achieved and a particular virtual processing unit can be accurately designated to process the user's network traffic data.
With reference to the first aspect, in one possible implementation of the first aspect, the indication field includes M bits, and the M bits correspond to Y virtual local area networks, each of which contains at least one virtual processing unit.
The application provides an implementation of the indication field in which one bit corresponds to one or more virtual local area networks, so that traffic data can be broadcast within a local area network.
With reference to the first aspect, in one possible implementation of the first aspect, the splitter board obtaining network traffic data of the target user from the server includes:
the splitter board obtaining a plurality of external data packets, the plurality of external data packets including original traffic data;
and screening, from the plurality of external data packets, the target data packets that conform to the data characteristics of the target user, the target data packets including the target user's network traffic data.
This is a specific implementation of how the splitter board obtains user traffic data: the computing board captures the user's data packets according to the user's data characteristics, so the user's network traffic data can be extracted accurately.
With reference to the first aspect, in one possible implementation of the first aspect, the splitter board generating a target traffic data packet from the network traffic data and the indication field includes:
determining the target virtual machine corresponding to the target user according to the correspondence between users and virtual machines;
setting the bit corresponding to the target virtual machine in the indication field to a preset effective value to obtain an updated indication field;
and performing outer-layer encapsulation of the target data packet according to the indication field to obtain the target traffic data packet.
In this method the splitter board performs outer-layer encapsulation of the original data packet to obtain the target traffic data packet; the original data packet does not need to be parsed, which reduces the processing load.
In a second aspect, a data processing method is provided, applied to a traffic analysis server that includes a splitter board and a computing board. The method includes:
the computing board receiving a target traffic data packet sent by the splitter board and extracting an indication field and a target user's network traffic data from the target traffic data packet;
determining, according to the indication field, the target virtual processing unit corresponding to the target user from among the virtual processing units running on the computing board;
and the computing board determining the virtual network card associated with the target virtual processing unit and sending the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis of the target user from the network traffic data.
With this method, user rule matching and deep data analysis of the network traffic data are performed within one server, which reduces processing delay. In addition, the virtual processing units are created on the computing board using virtualization technology, so the user capacity of the whole server can be expanded. In the virtualization scenario, the computing board distributes the traffic data accurately to the virtual machine according to the indication field.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board determines the virtual network card associated with the target virtual processing unit and passes the network traffic data to the target virtual processing unit through that virtual network card.
The application thus provides a specific way for the computing board to send network traffic data to a virtual processing unit.
With reference to the second aspect, in one possible implementation of the second aspect, the indication field includes N bits, and the N bits correspond to X virtual processing units of the computing board.
The application provides an implementation of the indication field in which one bit corresponds to one or more virtual machines, and any bit indicates whether the virtual processing unit corresponding to that bit is a target virtual processing unit. Traffic forwarding at the granularity of a virtual machine is thereby achieved, and the computing board can accurately determine from the indication field which virtual machine is to process the user's network traffic data.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board determining the target virtual processing unit corresponding to the target user according to the indication field includes:
for each of the N bits, if the value of the bit is the preset effective value, determining the virtual processing unit corresponding to that bit to be a target virtual processing unit.
The application provides a specific scheme for determining the target virtual processing unit from the value of a bit: the computing board can accurately judge from the value of a bit in the indication field whether a given virtual processing unit is a target virtual processing unit.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board sending network traffic data to the target virtual processing unit specifically includes:
if the target user corresponds to a plurality of target virtual processing units, the computing board sending the network traffic data to the target virtual processing units in turn, one at a time;
and after the current virtual processing unit finishes processing the network traffic data, instructing the current virtual processing unit to forward the network traffic data to the virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit performs network behavior analysis of the target user from the network traffic data.
In this application, when the same traffic data must be sent to a plurality of virtual processing units, the computing board can forward the data between virtual processing units by switching virtual network cards. In this mode the computing board distributes the data to a plurality of virtual processing units without copying the network traffic data, which reduces the data processing load on the computing board.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board sending network traffic data to the target virtual processing unit specifically includes:
if the target user corresponds to a plurality of target virtual processing units, the computing board making as many copies of the network traffic data as there are target virtual processing units and sending one copy to each target virtual processing unit.
In this method, when the same traffic data must be sent to a plurality of virtual processing units, the data is copied and the processing by the different virtual processing units starts at the same time, which saves overall processing delay.
With reference to the second aspect, in one possible implementation of the second aspect, the indication field includes M bits, and the M bits correspond to Y virtual local area networks, each of which contains at least one virtual processing unit.
The application provides an implementation of the indication field in which one bit corresponds to one or more virtual local area networks, and the computing board can broadcast traffic data within a local area network according to the indication field.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board determining the target virtual processing unit corresponding to the target user according to the indication field includes:
for each of the M bits, if the value of the bit is the preset effective value, determining all virtual processing units in the virtual local area network corresponding to that bit to be target virtual processing units.
The application provides another scheme for determining the target virtual processing unit from the value of a bit: the computing board can accurately judge from the value of a bit in the indication field whether the virtual processing units in a given virtual local area network are target virtual processing units.
With reference to the second aspect, in one possible implementation of the second aspect, the computing board determining the virtual network card associated with the target virtual processing unit includes:
determining the virtual network card associated with the target virtual processing unit according to configuration information, the configuration information comprising the correspondence between the plurality of virtual processing units running on the computing board and the plurality of virtual network cards of the computing board.
After receiving the target traffic data packet, the computing board can determine the virtual network card associated with the target virtual processing unit from configuration information generated when the virtual machine was created; the virtual network card is matched accurately, and the traffic data is distributed accurately.
With reference to the first aspect, in one possible implementation of the first aspect, the target virtual processing unit is a container or a virtual machine running on the computing board.
The application also provides a specific implementation of the virtual processing unit: the computing board can create a plurality of virtual machines or containers to process the network traffic data of different users, which expands the user capacity of the whole server.
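The two sides of the indication-field scheme described above (the splitter board's outer-layer encapsulation with a bitmap, and the computing board's bit walk, virtual network card lookup and copy-versus-chain delivery) can be modelled in a few dozen lines. The following is an added illustration, not code from the patent: the outer header layout, the mode byte that distinguishes the N-bit (one bit per virtual processing unit) and M-bit (one bit per virtual LAN) variants, and all names and sample values are assumptions made here.

```python
import struct
from dataclasses import dataclass, field

# Assumed values (not from the patent): two indication-field modes and the
# "preset effective value" that marks a bit as selected.
MODE_VPU = 0    # N bits, one bit per virtual processing unit (VPU)
MODE_VLAN = 1   # M bits, one bit per virtual LAN; every VPU in the VLAN is a target
EFFECTIVE = 1

# Assumed outer-layer header prepended by the splitter board:
# magic (2 bytes) | mode (1) | bit width (1) | bitmap (4, big-endian) | original packet
OUTER_HDR = struct.Struct("!2sBBI")
MAGIC = b"IF"


def encapsulate(original_packet: bytes, target_bits, mode: int, width: int = 32) -> bytes:
    """Splitter-board side: set the bit of every target to EFFECTIVE and wrap the
    original packet in the outer header. The original packet is never parsed."""
    if mode not in (MODE_VPU, MODE_VLAN) or not 1 <= width <= 32:
        raise ValueError("bad mode or width")
    bitmap = 0
    for bit in target_bits:
        if not 0 <= bit < width:
            raise ValueError(f"bit {bit} outside the {width}-bit indication field")
        bitmap |= EFFECTIVE << bit
    return OUTER_HDR.pack(MAGIC, mode, width, bitmap) + original_packet


def decapsulate(packet: bytes):
    """Computing-board side: recover (mode, width, bitmap, network traffic data)."""
    if len(packet) < OUTER_HDR.size:
        raise ValueError("truncated outer header")
    magic, mode, width, bitmap = OUTER_HDR.unpack_from(packet)
    if magic != MAGIC:
        raise ValueError("missing indication-field header")
    return mode, width, bitmap, packet[OUTER_HDR.size:]


@dataclass
class ComputingBoard:
    vpu_by_bit: dict      # N-bit mode: bit index -> VPU name
    vlan_by_bit: dict     # M-bit mode: bit index -> list of VPU names in that VLAN
    vnic_by_vpu: dict     # configuration information recorded when each VPU was created
    hops: list = field(default_factory=list)  # (virtual NIC, buffer) deliveries, for inspection

    def resolve_targets(self, mode: int, width: int, bitmap: int) -> list:
        """Walk the bits; each EFFECTIVE bit names one VPU or one whole VLAN.
        An EFFECTIVE bit with no mapping is rejected rather than silently ignored."""
        if bitmap >> width:
            raise ValueError("bits set beyond the declared field width")
        targets = []
        for bit in range(width):
            if (bitmap >> bit) & 1 != EFFECTIVE:
                continue
            if mode == MODE_VPU:
                members = [self.vpu_by_bit[bit]] if bit in self.vpu_by_bit else None
            else:
                members = self.vlan_by_bit.get(bit)
            if not members:
                raise ValueError(f"bit {bit} has no virtual processing unit mapping")
            for vpu in members:
                if vpu not in targets:          # a VPU may sit in several VLANs
                    targets.append(vpu)
        return targets

    def dispatch(self, packet: bytes, copy: bool) -> list:
        """Deliver the traffic data to every target's virtual NIC and return the NIC order.
        copy=True: one duplicate per target, so all VPUs start processing at once.
        copy=False: a single buffer handed from one virtual NIC to the next."""
        mode, width, bitmap, data = decapsulate(packet)
        vnics = [self.vnic_by_vpu[vpu] for vpu in self.resolve_targets(mode, width, bitmap)]
        self.hops = []
        if copy:
            for vnic in vnics:
                self.hops.append((vnic, bytearray(data)))   # fresh copy per VPU
        else:
            shared = bytearray(data)                        # allocated once
            for vnic in vnics:                              # forwarded after each VPU finishes
                self.hops.append((vnic, shared))
        return [vnic for vnic, _ in self.hops]


# Constructed sample configuration (not from the patent): three VPUs, two VLANs.
BOARD = ComputingBoard(
    vpu_by_bit={0: "vpu-a", 1: "vpu-b", 2: "vpu-c"},
    vlan_by_bit={0: ["vpu-a", "vpu-b"], 1: ["vpu-c"]},
    vnic_by_vpu={"vpu-a": "vnic0", "vpu-b": "vnic1", "vpu-c": "vnic2"},
)

if __name__ == "__main__":
    sample = b"GET /example HTTP/1.1"   # constructed stand-in for a user's packet
    print(BOARD.dispatch(encapsulate(sample, [0, 2], MODE_VPU), copy=True))
    print(BOARD.dispatch(encapsulate(sample, [0], MODE_VLAN, width=8), copy=False))
```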
In a third aspect, a computer device is provided, comprising a computing board and a splitter board:
the splitter board is configured to acquire network traffic data of a target user from a server, generate a target traffic data packet from the network traffic data and an indication field, and send the target traffic data packet to the computing board, the indication field indicating a target virtual processing unit in the computing board;
the computing board is configured to receive the target traffic data packet sent by the splitter board, extract the indication field and the network traffic data from the target traffic data packet, determine the target virtual processing unit from among the virtual processing units running on the computing board according to the indication field, and transmit the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis of the target user from the network traffic data.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored; when executed by a processor, the computer program implements the steps of the method according to the first aspect, the second aspect, or any possible implementation of the first or second aspect.
In a fifth aspect, the application further provides a computer device including a memory and a processor, where the memory stores a computer program and the processor, when executing it, implements the steps of the method according to the first aspect, the second aspect, or any implementation of the first or second aspect.
In a sixth aspect, a splitter board is provided, comprising:
an acquisition unit configured to acquire network traffic data of a target user;
a processing unit configured to generate a target traffic data packet from the network traffic data and an indication field, the indication field indicating a target virtual processing unit, which is the virtual processing unit in the computing board that analyzes the network behavior of the target user from the network traffic data;
and a sending unit configured to send the target traffic data packet to the computing board.
In a seventh aspect, a computing board is provided, comprising:
a receiving unit configured to receive the target traffic data packet sent by the splitter board and extract the indication field and the target user's network traffic data from it;
a processing unit configured to determine, according to the indication field, the target virtual processing unit corresponding to the target user from among the virtual processing units running on the computing board;
and a sending unit configured to send the network traffic data to the target virtual processing unit so that the target virtual processing unit can analyze the network behavior of the target user from the network traffic data.
The embodiment of the application provides a data processing method, a computer device and a readable storage medium in which the computing board performs deep data analysis after user rule matching has been performed on the network traffic data. The analysis of the network traffic data is thus carried out within the same server, the data transmission path is shortened, processing delay and power consumption are reduced, and the processing efficiency of the network traffic data is improved. A plurality of virtual processing units are created on the computing board using virtualization technology, which increases the user capacity of the traffic analysis server and also improves the processing efficiency of the network traffic data to a certain extent. By providing the computing board, the external forwarding paths of the data are reduced, the number of possible fault points is reduced as well, and data processing efficiency is improved to a certain degree.
In addition, after the user's network traffic data is received, the target traffic data packet of the target user is formed from the indication field and the network traffic data. The indication field indicates the virtual processing units corresponding to the target user, so after parsing the target traffic data packet the computing board can determine which virtual processing units are to perform deep data analysis of the target user's network traffic data; the indication field therefore allows the target traffic data packet to be distributed accurately, which improves the processing efficiency of the network traffic data.
Drawings
Fig. 1 is a schematic diagram of a computer communication system according to an embodiment of the present application;
Fig. 2 is a schematic diagram of network traffic data analysis according to the prior art;
Fig. 3 is a schematic structural diagram of a traffic analysis server according to an embodiment of the present application;
Fig. 4 is a flow chart of a method for processing network traffic data according to an embodiment of the present application;
Fig. 5 is a schematic diagram of virtualization according to an embodiment of the present application;
Fig. 6 is a schematic flow chart of a data processing method according to an embodiment of the present application;
Fig. 7 is a schematic frame structure of an indication field according to an embodiment of the present application;
Fig. 8 is a schematic frame structure of an indication field according to an embodiment of the present application;
Fig. 9 is a schematic flow chart of a data processing method according to an embodiment of the present application;
Fig. 10 is a schematic diagram of data broadcasting according to an embodiment of the present application;
Fig. 11 is a schematic diagram of data forwarding according to an embodiment of the present application;
Fig. 12 is a flow chart of a data processing method according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a computer device according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of a splitter board according to an embodiment of the present application;
Fig. 15 is a schematic structural diagram of a computing board according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Fig. 1 is a schematic diagram of the computer communication system provided herein. The system comprises a user terminal 10, an operator server 20 and a third-party application server 30. The terminal device 10 may access the third-party application server 30 through the operator server 20; specifically, the terminal device 10 sends a data packet to the operator server 20, and the data packet includes the network address of the third-party application server 30 and an identifier of the content the user wants to access. The identifier of the content to be accessed may be a uniform resource locator (URL).
The operator server 20 may store the data packets transmitted by the terminal device 10 and thereby store the user's network traffic data. The network traffic data may be the data carried in a data packet sent by the terminal device 10, for example the network address of the third-party application server 30 and the identifier of the content the user wants to access.
To identify the user's network behavior, and thereby analyze the user's online behavior and needs from the identification result, the user's network traffic data can be analyzed. Fig. 2 is a schematic diagram of network traffic data analysis according to the prior art. Referring to Fig. 2, user rule matching and deep data analysis are performed by an independent splitter server and an independent analysis server respectively: the network traffic data first reaches the splitter server for user rule matching, and the analysis server then performs the deep data analysis. User rule matching extracts the traffic data that matches a user from the mass of network traffic data according to the user rule (for example the user's IP address, time, and so on). Deep data analysis analyzes the network traffic data according to the service requirement in order to identify the user's network behavior, for example sensitive word detection or application-layer operations performed on the traffic data.
In the existing process, network traffic data can reach the analysis server only after being forwarded by a switch or router, which increases the delay of traffic data processing and affects the processing efficiency of the network traffic data. Because a switch or router sits on the processing path of the network traffic data, the number of fault points on the processing path increases, which can also affect processing efficiency. In addition, an external optical module and an optical fiber link are required between the switch (or router) and the analysis server, which increases the overall deployment cost.
Based on the above, the integrated traffic analysis server provided by the application can reduce the delay of traffic processing, improve the processing efficiency of network traffic data, reduce deployment cost and simplify deployment. Referring to Fig. 3, the traffic analysis server provided in the application includes a splitter board 301, a computing board 302, a switch board 303 and a management board 304.
The splitter board 301 provides the external interface of the whole traffic analysis server and can receive network traffic data from an external device (for example an operator server). The splitter board can also use its built-in hardware network processing chip to perform user rule matching on the network traffic data and extract the traffic data that conforms to the user rule.
The switch board 302 implements data exchange between all boards plugged into the traffic analysis server; for example, it is responsible for data exchange between the splitter board and the computing board.
The computing board 303 contains a central processing unit (CPU). Using the CPU, the computing board 303 can perform deep data analysis of the user's network traffic data according to the service requirement (for example sensitive word recognition) and identify the user's network behavior from the analysis result. For example, the traffic analysis server obtains network traffic data from the operator server, and the computing board 303 analyzes the user's network traffic data according to the operator's service requirement.
The management board 304 manages the other boards plugged into the traffic analysis server. For example, it monitors the operating states of the splitter board 301 and the computing board 303 in real time, detects whether a fault exists on the data forwarding path between the splitter board 301 and the computing board 303, and dynamically switches away from a faulty path, so that the stability of data processing is ensured.
An embodiment of the present application provides a method for processing network traffic data, as shown in fig. 4, where the method includes the following steps:
S1, the distribution board card receives network flow data from external equipment, extracts the network flow data matched with the user rule from the received network flow data according to the user rule, and sends the matched network flow data to the computing board card through the switching board card.
The traffic analysis server may provide traffic analysis services for external devices, which may be operator servers. In addition, the user rules are used to characterize the user's network traffic data, which may be, for example, the time of data generation, the source IP address of the data, the destination IP address of the data, etc. The embodiment of the present application does not limit the characteristics of the network traffic data, and any information related to the network traffic data of the user belongs to the characteristics of the network traffic data.
S2, the computing board carries out deep data analysis on the received network flow data according to the service requirements of the external equipment.
The service requirement of the external device, that is, the network traffic data analysis requirement of the external device, may be, for example, sensitive word detection, application layer operation monitoring, etc.
S3, the computing board card sends the deep data analysis result to the external device.
In the method shown in fig. 4, the functions of the analysis server are integrated into a pluggable computing board, which may be plugged into the same server as the splitter board. The distribution board card receives the network flow data, the network flow data is sent to the exchange board card after being subjected to user rule matching, and then the exchange board card forwards the network flow data to the calculation board card for deep data analysis, so that the analysis processing of the network flow data can be realized in the same server, the data transmission path is reduced, the processing time delay and the power consumption are reduced, and the processing efficiency of the network flow data is improved.
In one possible implementation, different network traffic analysis software is deployed on the computing board card, and deep data analysis is performed on the network traffic data of different users respectively. However, the amount of network traffic analysis software that can be deployed on one computing board card is limited, and the board slots that the traffic analysis server can provide are also limited, so the number of users that the traffic analysis server can serve is limited. In order to support traffic data analysis services for more users, virtualization technology can be used to create multiple virtual processing units on a computing board card, and multiple instances of network traffic analysis software can be run on these virtual processing units to realize network traffic data analysis for more users. By way of example, a virtual processing unit may be a virtual machine or a container. After the computing board card creates the virtual processing units, it can maintain the correspondence among the virtual processing units, the users and the virtual network cards.
As shown in fig. 5, a plurality of virtual machines (or containers) are created on a computing board, and different network traffic analysis software is run on each virtual machine (or container), and the computing board can also maintain a plurality of virtual network cards (VFs), through which the computing board can transmit network traffic data to the virtual machines (or containers) for deep data analysis.
It should be noted that the computing board card includes a physical network card (PF) that supports interaction between the computing board card and other board cards and devices, and the physical network card can transmit data to the CPU of the computing board card for processing. A virtual network card is a virtual device generated by virtualization technology that has the same function as the physical network card, and it can likewise transmit data to the CPU of the computing board card for processing. A virtual network card may share the same physical resources (for example, physical ports) with the physical network card.
The embodiment of the application provides a data processing method, which is suitable for a flow distribution board card in a flow analysis server shown in fig. 3. As shown in fig. 6, the method comprises the steps of:
Step 601, the splitter board card acquires the network traffic data of a target user.
In a specific implementation, the splitter board card can acquire network traffic data from an external server. The server may be a party that needs the traffic analysis service, and the traffic analysis server may provide the traffic analysis service for it. The external server may also obtain the network traffic data of users. For example, the server may be an operator server, or may be another server, which is not limited in the embodiment of the present application.
The target user may be a user that the server needs to monitor or analyze, and the splitter card may extract network traffic data of the target user from the network traffic data according to user rules of the target user, so as to identify network behavior of the target user based on the network traffic data of the target user.
Step 602, generating a target flow data packet by the splitter board card according to the network flow data of the target user and the indication field; the indication field is used for indicating a target virtual processing unit in the computing board card.
It should be noted that, the splitter board may obtain the corresponding relationship among the virtual processing unit, the user and the virtual network card from the computing board, and generate the configuration information locally to record the corresponding relationship. The virtual processing unit corresponding to a certain user is used for analyzing the network behavior of the user according to the network flow data of the user, and the virtual network card corresponding to the virtual processing unit is used for transmitting the network flow data of the user to the virtual processing unit for deep data analysis.
After the splitter board card obtains the network traffic data of the target user, the virtual processing unit corresponding to the target user, that is, the target virtual processing unit described above, may be determined according to the configuration information, where the target virtual processing unit is configured to execute the network traffic analysis service corresponding to the target user, and perform network behavior analysis on the target user according to the network traffic data of the target user.
The splitter board card may also determine an indication field based on the target virtual processing unit. Further, the indication field and the network traffic data of the target user are encapsulated into a target traffic data packet, so that forwarding of the network traffic data of the target user can be realized by forwarding the target traffic data packet.
In a specific implementation, after the computing board card creates the virtual processing units and the virtual network cards, different identifiers (or numbers) are allocated to each virtual processing unit in the same virtual local area network (VLAN), and different VLAN IDs may also be allocated to each virtual local area network maintained by the computing board card. It should be noted that a bound virtual processing unit and virtual network card correspond to the same identifier or VLAN ID.
In one possible implementation, the indication field includes a valid value and an invalid value, the valid value is used to indicate that the virtual processing unit corresponding to the valid value is the target virtual processing unit, and the invalid value is used to indicate that the virtual processing unit corresponding to the invalid value is not the target virtual processing unit.
Step 603, the splitter board card sends the target traffic data packet to the computing board card.
In the specific implementation, the splitter board card sends the target flow data packet of the target user to the computing board card through the switching board card.
In the data processing method provided by the embodiment of the application, the function of the analysis server is integrated on a pluggable computing board card, and the computing board card and the splitter board card can be inserted in the same server. The splitter board card receives the network traffic data, the network traffic data is sent to the switching board card after user rule matching, and the switching board card then forwards the network traffic data to the computing board card for deep data analysis, so that the analysis processing of the network traffic data can be realized in the same server, the data transmission path is shortened, the processing delay and power consumption are reduced, and the processing efficiency of the network traffic data is improved. A plurality of virtual processing units are created on the computing board card by using virtualization technology, so that the user capacity of the traffic analysis server is improved and the processing efficiency of network traffic data is also improved to a certain extent. By providing the computing board card, the external forwarding paths of the data are reduced, the number of possible fault points is also reduced, and the data processing efficiency is improved to a certain degree.
In addition, after receiving the network flow data of the user, the flow distribution board card repackages the network flow data according to the indication field to obtain a target flow data packet of the target user. The indication field can indicate the virtual processing units corresponding to the target user, so that the computing board can analyze the target flow data packet to determine which virtual processing units are used for carrying out depth data analysis on the network flow data of the target user, and can realize the accurate distribution of the target flow data packet based on the indication field, thereby improving the processing efficiency of the network flow data.
The indication field according to the embodiment of the application has the following two implementation manners:
First, the computing board card creates X virtual processing units for processing the network traffic analysis services of X different users, and one or more of them may be indicated by a plurality of bits.
Illustratively, the indication field includes N bits, where the N bits correspond to the X virtual processing units of the computing board card. Any one of the N bits is used to indicate whether the one or more virtual processing units corresponding to that bit are the target virtual processing unit. That is, N may be equal to X; when N is equal to X, the N bits correspond one-to-one to the X (N) virtual processing units, and one bit indicates whether the single virtual processing unit corresponding to it is a target virtual processing unit. When N is not equal to X, one of the N bits may indicate whether the plurality of virtual processing units corresponding to it are target virtual processing units. It should be noted that the embodiment of the present application does not limit the correspondence between the N bits and the X virtual processing units: N may or may not be equal to X, and any scheme that indicates a virtual processing unit on a computing board card through one or more bits belongs to the protection scope of the present application.
In a specific implementation, the value of each of the N bits is either a valid value or an invalid value. When the value of a bit is the valid value, it indicates that the virtual processing unit corresponding to the bit executes the network traffic analysis service corresponding to the target user, that is, it is the target virtual processing unit. If the value of the bit is the invalid value, it indicates that the virtual processing unit corresponding to the bit does not execute the network traffic analysis service corresponding to the target user, that is, it is not the target virtual processing unit. The valid value may be "1" and the invalid value may be "0"; the specific values of the valid value and the invalid value are not limited in the embodiment of the present application, and any value that can represent "valid" may serve as the valid value, and any value that can represent "invalid" may serve as the invalid value.
For example, referring to fig. 7, after the splitter board card obtains the data packet of the target user from the server, the indication field may be encapsulated in the outer layer of the data packet to obtain the target traffic data packet of the target user. In fig. 7, the indication field includes N bits, which are in one-to-one correspondence with N virtual machines created by the computing board card. For example, the ith bit of the N bits corresponds to the virtual machine numbered i. If the splitter board card determines from the configuration information that the target virtual processing unit is the virtual machine numbered i, it sets the value of the ith bit of the N bits to the valid value and the values of the remaining bits to the invalid value.
Optionally, the indication field may also indicate the virtual local area network to which the target virtual processing unit belongs (hereinafter referred to as the target virtual local area network). The indication field may include a field indicating the target virtual local area network; for example, the indication field includes P bits, where the P bits may be the binary value of the VLAN ID of the target virtual local area network, or may be bits that otherwise indicate the target virtual local area network.
The application provides an implementation of an indication field, wherein one bit corresponds to one virtual processing unit, so that traffic forwarding with the virtual processing unit as granularity can be realized, and a certain virtual processing unit is accurately indicated to process network traffic data of a user.
Second, the virtual processing units created by the computing board card form Y virtual local area networks, and a plurality of bits can indicate that the virtual processing units in one or more of these virtual local area networks are the target virtual processing units; that is, the indication field instructs the computing board card to broadcast the target traffic data packet of the target user within the virtual local area network.
That is, if the same network traffic data matches the user rules of multiple users, so that the network traffic data needs to be sent to the virtual processing units bound to the multiple users for processing, the target traffic data packet may be encapsulated according to the indication field so as to instruct the computing board card to broadcast the target traffic data packet in the virtual local area network.
Illustratively, the indication field includes M bits, where the M bits correspond to the Y virtual local area networks. Any one of the M bits is used to indicate whether the virtual processing units in the one or more virtual local area networks corresponding to that bit are the target virtual processing units. That is, M may be equal to Y; when M is equal to Y, the M bits are in one-to-one correspondence with the Y (M) virtual local area networks, and any one of the M bits indicates whether the virtual processing units in the virtual local area network corresponding to it are target virtual processing units. When M is not equal to Y, one of the M bits may indicate whether the virtual processing units in the plurality of virtual local area networks corresponding to it are target virtual processing units. It should be noted that the embodiment of the present application does not limit the correspondence between the M bits and the Y virtual local area networks: M may or may not be equal to Y, and any scheme that indicates a virtual local area network through one or more bits belongs to the protection scope of the present application.
In a specific implementation, the value of each of the M bits is either a valid value or an invalid value. When the value of a bit is the valid value, it indicates that all virtual processing units in the virtual local area network corresponding to the bit execute the network traffic analysis service corresponding to the target user, that is, they are the target virtual processing units. If the value of the bit is the invalid value, it indicates that none of the virtual processing units in the virtual local area network corresponding to the bit executes the network traffic analysis service corresponding to the target user, that is, none of them is the target virtual processing unit.
For example, referring to fig. 8, after the splitter board card obtains an original data packet from the server, if the data packet hits the user rules of multiple users, an indication field that specifies the virtual local area network in which the target traffic data packet is to be broadcast may be encapsulated in the outer layer of the data packet, so as to obtain the target traffic data packet of the target user. In fig. 8, the indication field includes M bits, which are in one-to-one correspondence with M virtual local area networks maintained on the computing board card. For example, the ith bit of the M bits corresponds to the virtual local area network numbered i. If the splitter board card determines from the configuration information that a certain virtual machine is the virtual processing unit corresponding to the target user, and the number of the virtual local area network of that virtual machine is i, it sets the value of the ith bit of the M bits to the valid value and the values of the remaining bits to the invalid value, thereby achieving broadcast of the target traffic data packet of the target user in the virtual local area network numbered i. The number of the virtual local area network may be a VLAN ID.
The embodiment of the application also provides an implementation of the indication field, one bit corresponds to one virtual local area network, and broadcasting of the flow data in the local area network can be realized.
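The two indication-field layouts described above (one bit per virtual processing unit, and one bit per virtual local area network), written out as an added example that is not code from the patent. It encodes the field on the splitter board card side and decodes it on the computing board card side. Bit numbering follows the page's figures (the leftmost character is bit 1), "1" and "0" are the example valid and invalid values the page mentions, and the VLAN membership table is a constructed stand-in for the correspondence the computing board card maintains.

```python
# Added illustration (not the patent's own code): the two indication-field
# layouts described above, as encoded on the splitter board card and decoded
# on the computing board card. Bit numbering follows the page's figures
# (the leftmost character is bit 1); "1" as the valid value and "0" as the
# invalid value are the example values the page mentions.

VALID = "1"
INVALID = "0"


def check_field(field):
    """Reject a field holding anything other than the valid/invalid values.

    A corrupted or forged indication field must not be interpreted at all,
    because a stray bit would steer a user's traffic to the wrong unit.
    """
    undefined = set(field) - {VALID, INVALID}
    if undefined:
        raise ValueError(f"indication field contains undefined values: {sorted(undefined)}")


def encode_unit_field(target_units, n_bits):
    """First layout: N bits, bit i <-> virtual processing unit number i.

    target_units are the numbers of the target virtual processing units taken
    from the splitter board card's configuration information. A unit that has
    no bit is an error rather than a silently dropped target.
    """
    bits = [INVALID] * n_bits
    for unit in target_units:
        if not 1 <= unit <= n_bits:
            raise ValueError(f"unit {unit} has no bit in a {n_bits}-bit field")
        bits[unit - 1] = VALID
    return "".join(bits)


def decode_unit_field(field):
    """Computing board card side of the first layout: every bit holding the
    valid value names one target virtual processing unit."""
    check_field(field)
    return [i + 1 for i, b in enumerate(field) if b == VALID]


def encode_vlan_field(target_vlans, m_bits):
    """Second layout: M bits, bit i <-> virtual local area network number i."""
    bits = [INVALID] * m_bits
    for vlan in target_vlans:
        if not 1 <= vlan <= m_bits:
            raise ValueError(f"VLAN {vlan} has no bit in a {m_bits}-bit field")
        bits[vlan - 1] = VALID
    return "".join(bits)


def decode_vlan_field(field, vlan_members):
    """Computing board card side of the second layout: a valid bit selects
    every virtual processing unit in that VLAN (the broadcast case).

    vlan_members maps a VLAN number to the units it contains; it stands in for
    the correspondence table the computing board card maintains.
    """
    check_field(field)
    targets = []
    for i, b in enumerate(field):
        if b == VALID:
            targets.extend(vlan_members.get(i + 1, []))
    return targets


if __name__ == "__main__":
    # Fig. 11 case: 5 units, user 1 is served by units 1 and 4 -> "10010".
    print(encode_unit_field([1, 4], 5), decode_unit_field("10010"))
    # Fig. 10 case: 8 units in two VLANs, user 1 served by VLAN 1 -> "10".
    members = {1: [1, 2, 3, 4], 2: [5, 6, 7, 8]}
    print(encode_vlan_field([1], 2), decode_vlan_field("10", members))
```

The decoders refuse a field containing anything other than the two agreed values instead of guessing, because the field decides which user's traffic lands on which analysis unit; a lenient decoder would turn a single corrupted bit into misdelivery.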
In one possible implementation, the splitter board card may obtain data packets of the target user from a server (or another external server), where the data packets carry the network traffic data of the target user, such as the source IP address, the destination IP address, and so on. Illustratively, the splitter board card obtains a plurality of external data packets; the external data packets may be data packets of the network accessed by users, and the original traffic data may be the network traffic data of different users.
The splitter board card can screen, from the plurality of external data packets, the target data packets that conform to the data characteristics of the target user, where the target data packets contain the network traffic data of the target user. The data characteristics of the target user, namely the user rules, are used to characterize the network traffic data of the target user, for example, the source IP address, destination IP address, port number, browser, domain name, and computer operating system of the target user.
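The screening step described above, as an added example that is not code from the patent: external packet records are matched against per-user rules keyed by the characteristics the page lists (source and destination IP address, port number, domain name). The rules, packet records and the `rule_matches`/`match_users`/`screen` function names are all constructed for this illustration; IP characteristics are allowed to be CIDR ranges so one rule can cover a subnet, which the page does not state.

```python
import ipaddress

# Added illustration (not the patent's own code): screening external data
# packets against per-user rules on the splitter board card. The rule keys
# follow the characteristics the page lists (source/destination IP address,
# port number, domain name); the rules and packets below are constructed.


def rule_matches(rule, packet):
    """True when every characteristic named in the rule is present in the
    packet record and matches. IP characteristics may be CIDR ranges."""
    for key, wanted in rule.items():
        actual = packet.get(key)
        if actual is None:
            return False
        if key in ("src_ip", "dst_ip"):
            if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif actual != wanted:
            return False
    return True


def match_users(packet, user_rules):
    """Numbers of all users whose rule the packet hits, in ascending order.

    One packet may hit several users; that is the case which later needs the
    packet delivered to several virtual processing units or to a whole VLAN.
    """
    return sorted(user for user, rule in user_rules.items() if rule_matches(rule, packet))


def screen(packets, user_rules):
    """Keep only the packets that hit at least one user rule, each tagged with
    the users it hit; everything else is not forwarded to the computing board."""
    kept = []
    for packet in packets:
        hits = match_users(packet, user_rules)
        if hits:
            kept.append((hits, packet))
    return kept


# Constructed sample rules (documentation address ranges, not real users).
SAMPLE_RULES = {
    1: {"src_ip": "192.0.2.0/24"},
    2: {"dst_ip": "198.51.100.7", "dst_port": 443},
    3: {"domain": "example.org"},
}

# Constructed sample packet records as the splitter board card might see them.
SAMPLE_PACKETS = [
    {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "dst_port": 443, "domain": "example.com"},
    {"src_ip": "203.0.113.5", "dst_ip": "198.51.100.9", "dst_port": 80, "domain": "example.org"},
    {"src_ip": "203.0.113.6", "dst_ip": "198.51.100.9", "dst_port": 80, "domain": "example.net"},
]

if __name__ == "__main__":
    for hits, packet in screen(SAMPLE_PACKETS, SAMPLE_RULES):
        print(hits, packet["src_ip"], "->", packet["dst_ip"])
```

The first sample packet hits users 1 and 2 at once, which is exactly the situation the second indication-field layout (broadcast within a VLAN) and the chained forwarding described later are designed for.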
In a possible implementation manner, after obtaining an original data packet of the target user from the server, the splitter board card determines the target virtual machine corresponding to the target user according to the correspondence between users and virtual processing units;
the splitter board card can then set the bit corresponding to the target virtual machine in the indication field to the preset valid value to obtain an updated indication field.
Further, the splitter board card does not parse the data packet; instead, it uses an outer encapsulation technique (for example, MAC-in-MAC) to encapsulate the indication field in the outer layer of the original data packet, generating the target traffic data packet described above.
For example, the specific implementation of the splitter board card generating the target traffic data packet according to the network traffic data and the indication field includes: performing outer-layer encapsulation processing on the target data packet according to the indication field to obtain the target traffic data packet.
The embodiment of the application provides a data processing method which is suitable for a computing board card in a flow analysis server shown in fig. 3. As shown in fig. 9, the method comprises the steps of:
step 901, a computing board receives a target flow data packet sent by a splitter board, and obtains an indication field and network flow data of a target user from the target flow data packet.
The target flow data packet is a data packet obtained by encapsulating the network flow data and the indication field of the target user by the distribution board, so that the network flow data and the indication field of the target user can be obtained by analyzing the target flow data packet by the calculation board.
In one possible implementation manner, the target traffic data packet is obtained by the splitter board card encapsulating the indication field in the outer layer of the original data packet of the target user using an outer encapsulation technology. The computing board card can obtain the indication field from the outer encapsulation part (the outer MAC address) of the target traffic data packet, and can obtain the original data packet of the target user by removing the outer encapsulation part of the target traffic data packet, so as to obtain the network traffic data of the target user.
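Both sides of the outer encapsulation, the splitter board card wrapping the original packet (step 602) and the computing board card unwrapping it (step 901), as an added example that is not the patent's code. The outer header layout is an assumption: outer destination MAC, outer source MAC whose 48 bits carry the indication field (in the spirit of the page's remark that the bits sit in an address field of the MAC-in-MAC header), and an EtherType; `0x88B5` is the IEEE 802 local-experimental EtherType and is used only as a placeholder, and the board MAC address and the inner packet bytes are constructed.

```python
import struct

# Added illustration (not the patent's own code). The outer header layout is
# an assumption: outer destination MAC (6 bytes, the computing board card),
# outer source MAC (6 bytes, whose 48 bits carry the indication field, in the
# spirit of the page's remark that the N bits sit in an address field of the
# MAC-in-MAC header), and a 2-byte EtherType. 0x88B5 is the IEEE 802 local
# experimental EtherType and is used here only as a placeholder.
OUTER_ETHERTYPE = 0x88B5
OUTER_HDR = struct.Struct("!6s6sH")
COMPUTE_BOARD_MAC = bytes.fromhex("020000000001")   # constructed placeholder
MAX_BITS = 48                                        # width of the address field


def bitmap_to_bytes(field):
    """'10010' -> 6 bytes, bit 1 of the field in the MSB of byte 0 (constructed packing)."""
    if len(field) > MAX_BITS or set(field) - {"0", "1"}:
        raise ValueError("indication field must be at most 48 characters of 0/1")
    return int(field.ljust(MAX_BITS, "0"), 2).to_bytes(6, "big")


def bytes_to_bitmap(raw, n_bits):
    """Inverse of bitmap_to_bytes, keeping only the N bits both boards agreed on."""
    return format(int.from_bytes(raw, "big"), f"0{MAX_BITS}b")[:n_bits]


def encapsulate(original_packet, field):
    """Splitter board card: prepend the outer header (step 602). The original
    packet is carried opaquely and is never parsed or modified."""
    return OUTER_HDR.pack(COMPUTE_BOARD_MAC, bitmap_to_bytes(field), OUTER_ETHERTYPE) + original_packet


def decapsulate(target_packet, n_bits):
    """Computing board card: recover (indication field, original packet) (step 901).

    Frames that are too short, carry another EtherType or are not addressed to
    this board are rejected instead of being interpreted on a best-effort basis.
    """
    if len(target_packet) < OUTER_HDR.size:
        raise ValueError("frame shorter than the outer encapsulation header")
    dst, src, ethertype = OUTER_HDR.unpack_from(target_packet)
    if ethertype != OUTER_ETHERTYPE or dst != COMPUTE_BOARD_MAC:
        raise ValueError("not a target traffic data packet for this board")
    return bytes_to_bitmap(src, n_bits), target_packet[OUTER_HDR.size:]


if __name__ == "__main__":
    # Constructed stand-in for a user's original data packet; its contents are never inspected.
    inner = bytes.fromhex("ffffffffffff001122334455080045000014")
    packet = encapsulate(inner, "10010")
    print(decapsulate(packet, 5))
```

Because the splitter board card never looks inside the original packet, a malformed user packet cannot affect the encapsulation path; the checks that do exist are on the outer header, which is the only part the computing board card trusts when it decides where the payload goes.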
Step 902, the computing board card determines the target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board card according to the indication field.
The indication field is used for indicating the target virtual processing unit, namely the virtual processing unit capable of performing depth data analysis on the network traffic data of the target user. The computing board card can determine which virtual processing units are target virtual processing units indicated by the splitter board card from the virtual processing units operated by the computing board card according to the indication field.
In one possible implementation, the indication field includes a valid value and an invalid value, the valid value is used to indicate that the virtual processing unit corresponding to the valid value is the target virtual processing unit, and the invalid value is used to indicate that the virtual processing unit corresponding to the invalid value is not the target virtual processing unit. The computing board may determine which virtual processing units are target virtual processing units from among the virtual processing units running on the computing board based on the valid values in the indication field.
Step 903, the computing board card transmits the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
The virtual processing unit may perform data analysis and processing on the network traffic data of the target user to perform network behavior analysis, and may obtain behavior characteristics of the target user for network access, where the behavior characteristics include, but are not limited to, inbound paths of the user, inbound pages of the user, common paths of the user browsing sites, residence time of each access, exit pages of the user, access paths, inbound pages, exit pages, and the like.
In the data processing method provided by the embodiment of the application, the function of the analysis server is integrated on a pluggable computing board, and the computing board and the splitter board can be inserted in the same server. The distribution board card receives the network flow data, the network flow data is sent to the exchange board card after being subjected to user rule matching, and then the exchange board card forwards the network flow data to the calculation board card for deep data analysis, so that the analysis processing of the network flow data can be realized in the same server, the data transmission path is reduced, the processing time delay and the power consumption are reduced, and the processing efficiency of the network flow data is improved.
In addition, a plurality of virtual processing units are created on the computing board card by using virtualization technology, and multiple instances of network traffic analysis software can be run on the virtual processing units so as to realize the analysis of network traffic data of more users. The computing board card can process the network traffic data analysis services of multiple users in parallel, so that the user capacity of the traffic analysis server is improved, and the processing efficiency of the network traffic data is also improved to a certain extent.
In one possible implementation, the computing board card may transmit data to a virtual processing unit through a virtual network card. For example, the specific implementation of the computing board card sending the network traffic data to the target virtual processing unit includes:
and the computing board card determines a virtual network card associated with the target virtual processing unit, and transmits the network flow data to the target virtual processing unit through the virtual network card.
It should be noted that, after the computing board card creates the virtual processing unit, the corresponding relationship between the virtual processing unit and the virtual network card may be maintained, where the virtual network card corresponding to the virtual processing unit is used to transfer the received data to the virtual processing unit for performing depth data analysis. The virtual network card associated with the target virtual processing unit may be regarded as a virtual network card corresponding to the target virtual processing unit.
After the computing board card determines the target virtual processing unit according to the indication field, the virtual network card corresponding to the target virtual processing unit can be determined according to the maintained corresponding relation, so that network flow data of the target user can be transmitted to the target virtual processing unit through the virtual network card.
In this embodiment of the present application, based on the two implementation manners of the indication field described above, the computing board may implement network traffic data distribution with a granularity of a virtual processing unit and network data distribution with a granularity of a virtual local area network according to the indication field. The method comprises the following steps:
First, the computing board card includes X virtual processing units, and the indication field includes N bits, where the N bits correspond to the X virtual processing units and one of the N bits corresponds to one or more virtual processing units. That is, N may be equal to X, i.e., the N bits are in one-to-one correspondence with the X (N) virtual processing units. Specifically, the N bits may be bits in a source address field (e.g., BDA) in the MAC-in-MAC header of the target traffic data packet.
For the specific implementation of the N bits, refer to the foregoing; for the frame format of the N bits in the target traffic data packet, refer to fig. 7 and its description above, which are not repeated here.
Specifically, the computing board may determine the target virtual processing unit from N bits in the target traffic packet. The specific implementation of determining, by the computing board, the target virtual processing unit corresponding to the target user according to the indication field includes:
for each bit in the N bits, if the value of the bit is the preset valid value, the virtual processing unit corresponding to the bit is determined as a target virtual processing unit.
The computing board card traverses the value of each of the N bits and, according to the value of each bit, determines whether the virtual processing unit corresponding to the bit is a target virtual processing unit. For example, assume that the ith bit of the N bits corresponds to the virtual machine numbered i. If the value of the ith bit is the valid value, the computing board card determines the virtual machine numbered i as a target virtual processing unit; if the value of the ith bit is the invalid value, the virtual machine numbered i is not a target virtual processing unit.
Second, the indication field includes M bits, where the M bits correspond to Y virtual local area networks, and any one of the M bits indicates whether the virtual processing units in the one or more virtual local area networks corresponding to that bit are target virtual processing units. That is, M may be equal to Y, i.e., the M bits are in one-to-one correspondence with the Y (M) virtual local area networks. Specifically, the M bits may be bits in a local area network ID field (e.g., VLAN) in the MAC-in-MAC header of the target traffic data packet.
For the specific implementation of the M bits, refer to the foregoing; for the frame format of the M bits in the target traffic data packet, refer to fig. 8 and its description above, which are not repeated here.
In one possible implementation, the computing board may determine the target virtual processing unit from M bits in the target traffic data packet. The specific implementation of determining, by the computing board, the target virtual processing unit corresponding to the target user according to the indication field includes: for each bit in the M bits, if the value of the bit is a preset effective value, determining all virtual processing units in the virtual local area network corresponding to the bit as target virtual processing units.
The computing board card traverses the value of each of the M bits and, according to the value of each bit, determines whether the virtual processing units in the virtual local area network corresponding to the bit are target virtual processing units, that is, whether the target traffic data packet is to be broadcast in the virtual local area network corresponding to the bit. For example, assume that the ith bit of the M bits corresponds to the virtual local area network numbered i. If the value of the ith bit is the valid value, the computing board card determines the virtual processing units in the virtual local area network numbered i as target virtual processing units; if the value of the ith bit is the invalid value, the virtual machines in the virtual local area network numbered i are not target virtual processing units.
For example, referring to fig. 10, the computing card creates 8 virtual machines, virtual machines 1 to 4 belong to VLAN 1 (virtual local area network 1), and virtual machines 5 to 8 belong to VLAN 2 (virtual local area network 2). The indication field includes 2 bits, corresponding to VLAN 1 and VLAN 2, respectively.
The virtual machines 1 to 8 are bound to VF1 to VF8 respectively. Assuming that the virtual machines corresponding to user 1 are virtual machines 1 to 4, the 2 bits included in the indication field may be "10". After receiving the target traffic data packet from the splitter board card, the computing board card parses the target traffic data packet to obtain the 2-bit indication field and the network traffic data of user 1. The computing board card then broadcasts the network traffic data of user 1 within VLAN 1.
In this embodiment of the present application, if a piece of network traffic data hits a plurality of user rules, it needs to be sent to a plurality of virtual processing units for deep data analysis. The computing board card may distribute the network traffic data in either of the following two ways:
First, if the indication field indicates multiple virtual processing units, the computing board card may also control the forwarding of the network traffic data between the target virtual processing units, so that each target virtual processing unit performs deep data analysis on the network traffic data of the target user.
For example, if the target user corresponds to a plurality of target virtual processing units, the computing board card sends the network traffic data to the target virtual processing units one at a time;
after the current virtual processing unit finishes processing the network traffic data, it is instructed to forward the network traffic data to the virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
It can be understood that if W of the N bits hold the valid value, those W bits correspond to W virtual processing units. The computing board card first transmits the network traffic data of the target user to one of the W virtual processing units.
Then, after the ith of the W virtual processing units has processed the network traffic data, the computing board card instructs the ith virtual processing unit to forward the network traffic data to the virtual network card corresponding to the (i+1)th of the W virtual processing units, so that the (i+1)th virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
For example, referring to FIG. 11, the computing board card creates 5 virtual machines, and the indication field includes 5 bits corresponding to virtual machines 1 to 5 respectively; virtual machines 1 to 5 are bound to VF1 to VF5 respectively. Assuming that the virtual machines corresponding to user 1 are virtual machine 1 and virtual machine 4, the 5 bits of the indication field may be "10010". After receiving the target traffic data packet from the splitter board card, the computing board card parses it to obtain the 5-bit indication field and the network traffic data of user 1. The computing board card first transmits the network traffic data of user 1 to VF1, and VF1 passes it to virtual machine 1 for processing. After virtual machine 1 finishes processing, the computing board card instructs virtual machine 1 to send the network traffic data of user 1 to VF4, and VF4 passes it to virtual machine 4 for processing.
In this mode, the computing board card distributes the data to a plurality of virtual processing units without copying the network traffic data, which reduces the processing load on the computing board card.
Second, if the indication field indicates multiple virtual processing units, the computing board card can make multiple copies of the network traffic data, so that the target virtual processing units can process the network traffic data of the target user in parallel.
For example, if the target user corresponds to a plurality of target virtual processing units, the computing board card makes a number of copies of the network traffic data equal to the number of target virtual processing units and sends one copy to each target virtual processing unit.
It can be understood that if W (an integer greater than 2) of the N bits hold the valid value, those W bits correspond to W virtual processing units. The computing board card first makes W copies of the target user's network traffic data and then sends one copy to each of the W virtual processing units.
In this implementation, when the same traffic data needs to be sent to a plurality of virtual processing units, making multiple copies lets the different virtual processing units start processing in parallel, which saves overall processing latency.
In one possible implementation manner, after the computing board creates the virtual processing unit, the corresponding relationship among the virtual processing unit, the user and the virtual network card may be maintained. Optionally, a virtual local area network corresponding to each virtual processing unit may also be maintained. Specifically, the VLAN ID of the virtual processing unit may be recorded to record the virtual local area network to which the virtual processing unit belongs.
The computing board card maintains the correspondence relationship according to configuration information, and the configuration information may include correspondence relationships between a plurality of virtual processing units running on the computing board card and a plurality of virtual network cards of the computing board card. Based on this, the foregoing description relates to a specific implementation of determining, by a computing board, a virtual network card associated with a target virtual processing unit, including: and determining the virtual network card associated with the target virtual processing unit according to the configuration information.
In one possible implementation, the computing board card creates the VFs (i.e., the virtual network cards described above) using SR-IOV hardware pass-through, and the switch built into the computing board card can switch traffic between a VF and the PF as well as between different VFs.
Taking the deployment of a virtual machine as an example, after the computing board card creates the virtual machine, the interface of the VF can be bound to an application program installed on the virtual machine, which binds the virtual machine to the VF. Using this binding, the network traffic data of the target user can be transmitted, through the VF bound to the target user's application program, to the corresponding virtual machine for processing. The application program analyzes network behavior according to the network traffic data.
Taking the deployment of a container as an example, after the computing board card creates the container, containers are isolated from each other by network namespaces, the network interface of the VF is assigned to the container's network namespace, and the container is started in privileged mode, so that the application program in the container is bound to the VF.
In one possible implementation, after the computing board card receives the target traffic data packet sent by the splitter board card, if the indication field in the target traffic data packet does not match any virtual processing unit running on the computing board card, the target traffic data packet may be sent to the physical network card of the computing board card, which can pass it to the CPU for processing.
The embodiment of the application provides a data processing method, which is suitable for a flow analysis server shown in fig. 3. As shown in fig. 12, the method includes the steps of:
step 1201, the splitter card obtains network traffic data of the target user from the server, and generates a target traffic data packet according to the network traffic data and the indication field.
The indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is used for analyzing network behaviors of the target user according to network flow data of the target user.
Step 1202, the splitter card sends a target traffic packet to the compute card.
In the specific implementation, the splitter board card sends the target flow data packet to the computing board card through the switching board card.
Step 1203, the computing board receives the target traffic data packet sent by the splitter board, and obtains the indication field and the network traffic data from the target traffic data packet.
In a specific implementation, the computing board card can analyze and process the target flow data packet, and obtain the indication field from the outer layer encapsulation packet header of the target flow data packet.
Step 1204, the computing board card determines a target virtual processing unit according to the indication field, and sends the network traffic data to the target virtual processing unit.
In a specific implementation, the computing board card can determine a virtual network card associated with the target virtual processing unit, send network flow data to the virtual network card associated with the target virtual processing unit, and transmit the network flow data to the target virtual processing unit through the virtual network card.
In a specific implementation, the computing board identifies which bits in the indication field have valid values, and determines a virtual processing unit corresponding to the bits having valid values as a target virtual processing unit. The specific implementation manner is described in the foregoing, and is not described herein in detail.
The computing board card can also determine the virtual network card bound by the target virtual processing unit according to the corresponding relation between the virtual processing unit and the virtual network card.
Optionally, the method shown in fig. 12 may further include:
Step 1205, the target virtual processing unit of the computing board card analyzes the network behavior of the target user according to the network traffic data.
In a specific implementation, an application program installed on the target virtual processing unit can perform deep analysis on the network traffic data to obtain a network behavior analysis result, for example, detect whether the network content issued by the user contains a sensitive word.
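As an added example that is not part of the patent, the following Python model walks through the splitter-card and computing-card steps 1201 to 1204 above together with the bit-to-unit mapping and the two distribution modes (chained forwarding versus copying) described earlier. The 3-byte outer header (a mode byte followed by a 16-bit bitmap in which bit i-1 stands for unit or VLAN number i), the VPU-to-VF/VLAN configuration and the user rule table are all constructed assumptions; the patent's "10010" for virtual machines 1 and 4 therefore appears here as bitmap value 0b01001.

```python
"""Added example (not the patent's own code): a software model of the
splitter board card building a target traffic data packet and the
computing board card decoding it and distributing the traffic to the
target virtual processing units (VPUs) by the chained or the copying scheme."""
import struct

# Assumed outer header (not specified by the patent): one mode byte and a
# 16-bit big-endian bitmap. Bit (i - 1) stands for VPU number i in unit mode
# and for VLAN number i in VLAN mode.
MODE_UNIT = 0   # N bits, one per virtual processing unit
MODE_VLAN = 1   # M bits, one per virtual local area network
HEADER = struct.Struct("!BH")

# Constructed configuration information on the computing board card:
# VPU number -> (bound virtual network card, VLAN it belongs to).
CONFIG = {
    1: ("VF1", 1), 2: ("VF2", 1), 3: ("VF3", 1), 4: ("VF4", 1),
    5: ("VF5", 2), 6: ("VF6", 2), 7: ("VF7", 2), 8: ("VF8", 2),
}
# Constructed user rules on the splitter board card: user -> assigned VPUs.
USER_RULES = {"user1": [1, 4], "user2": [5, 6, 7, 8]}


def build_bitmap(numbers):
    """Set the bit for each unit/VLAN number (number i -> bit i - 1)."""
    bitmap = 0
    for n in numbers:
        bitmap |= 1 << (n - 1)
    return bitmap


def encapsulate(user, traffic, mode=MODE_UNIT):
    """Splitter board card (step 1201): mark the user's VPUs (or their VLANs)
    in the indication field and prepend it as the outer header."""
    units = USER_RULES[user]
    if mode == MODE_UNIT:
        bitmap = build_bitmap(units)
    else:
        bitmap = build_bitmap({CONFIG[u][1] for u in units})
    return HEADER.pack(mode, bitmap) + traffic


def parse(packet):
    """Computing board card (step 1203): split the outer header off the
    target traffic data packet. Returns (mode, bitmap, network traffic data)."""
    mode, bitmap = HEADER.unpack_from(packet)
    return mode, bitmap, packet[HEADER.size:]


def resolve_targets(mode, bitmap):
    """Map the bits holding the effective value to target VPUs. In VLAN mode
    every VPU of a marked VLAN is a target. Bits with no configured VPU or
    VLAN behind them are ignored."""
    targets = []
    for vpu, (_vf, vlan) in sorted(CONFIG.items()):
        index = (vpu if mode == MODE_UNIT else vlan) - 1
        if bitmap >> index & 1:
            targets.append(vpu)
    return targets


def dispatch(packet, copy=False):
    """Step 1204. Returns the deliveries the computing board card arranges as
    (destination, sender) pairs plus the number of copies it had to make.
    chain: the board sends once to the first VF and each VPU forwards to the
           next VF after processing (no copies).
    copy:  the board copies the data once per target and sends in parallel.
    No matching VPU: hand the packet to the physical network card (PF)."""
    mode, bitmap, _traffic = parse(packet)
    targets = resolve_targets(mode, bitmap)
    if not targets:
        return {"mode": "fallback", "deliveries": [("PF", "board")], "copies": 0}
    if mode == MODE_VLAN:
        vlans = sorted({CONFIG[t][1] for t in targets})
        return {"mode": "broadcast",
                "deliveries": [("VLAN%d" % v, "board") for v in vlans],
                "copies": 0}
    vfs = [CONFIG[t][0] for t in targets]
    if copy:
        return {"mode": "copy",
                "deliveries": [(vf, "board") for vf in vfs],
                "copies": len(vfs)}
    deliveries = [(vfs[0], "board")]
    for prev_vpu, vf in zip(targets, vfs[1:]):
        deliveries.append((vf, "vpu%d" % prev_vpu))
    return {"mode": "chain", "deliveries": deliveries, "copies": 0}


if __name__ == "__main__":
    pkt = encapsulate("user1", b"constructed user1 traffic")
    print(dispatch(pkt))             # chain: VF1 from the board, then VF4 from vpu1
    print(dispatch(pkt, copy=True))  # copy: VF1 and VF4 both from the board, 2 copies
    print(dispatch(encapsulate("user1", b"x", MODE_VLAN)))  # broadcast in VLAN1
```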
The embodiment of the application also provides an integrated flow analysis server, and the structure of the integrated flow analysis server can be shown by referring to the foregoing fig. 3. The flow analysis server comprises a flow distribution board card and a calculation board card.
The distribution board card is used for acquiring network flow data of a target user from an external server, generating a target flow data packet according to the network flow data and the indication field, and sending the target flow data packet to the calculation board card; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is used for analyzing the network behavior of the target user according to the network flow data of the target user;
The computing board card is used for receiving the target flow data packet sent by the distributing board card and acquiring the indication field and the network flow data from the target flow data packet; and determining a target virtual processing unit according to the indication field, determining a virtual network card associated with the target virtual processing unit, and transmitting network flow data to the target virtual processing unit through the virtual network card, so that the target virtual processing unit performs network behavior analysis on a target user according to the network flow data.
The embodiment of the application also provides a computer device, which can be the data source device. The internal structure thereof can be shown in fig. 13. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device may store configuration information, rights information, etc. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement the steps performed by the server in the method shown in fig. 6 in the embodiment of the present application.
By way of example, the computer program is executed by a processor to implement: acquiring network flow data of a target user;
generating a target flow data packet according to the network flow data and the indication field; the indication field is used for indicating a target virtual processing unit, wherein the target virtual processing unit is a virtual processing unit which performs network behavior analysis on a target user according to network flow data of the target user in the virtual processing units operated by the computing board;
and sending the target flow data packet to the computing board card.
In one embodiment, the indication field includes N bits corresponding to X virtual processing units of the computing card.
In one embodiment, the indication field comprises M bits corresponding to Y virtual local area networks, each virtual local area network comprising at least one virtual processing unit.
By way of example, the computer program is executed by a processor to implement:
acquiring a plurality of external data packets; the plurality of external data packets includes original traffic data;
screening target data packets conforming to the data characteristics from a plurality of external data packets according to the data characteristics of the target user; the target data packet includes network traffic data of the target user.
By way of example, the computer program is executed by a processor to implement: determining a target virtual machine corresponding to the target user according to the corresponding relation between the user and the virtual machine;
setting a bit corresponding to the target virtual machine in the indication field as a preset effective value to obtain an updated indication field;
and performing outer layer encapsulation processing on the target data packet according to the indication field to obtain the target traffic data packet.
In one embodiment, the target virtual processing unit is a container or virtual machine running on a computing board.
In one embodiment, the computer program is executed by a processor to implement: receiving a target flow data packet sent by a flow distribution board card, and acquiring an indication field and network flow data of a target user from the target flow data packet;
and determining a target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board card according to the indication field, and transmitting network flow data to the target virtual processing unit, so that the target virtual processing unit analyzes the network behavior of the target user according to the network flow data.
In one embodiment, the computer program is executed by a processor to implement: and determining a virtual network card associated with the target virtual processing unit, and transmitting network flow data to the target virtual processing unit through the virtual network card.
In one embodiment, the computer program is executed by a processor to implement: for each bit in the N bits, if the value of the bit is a preset effective value, determining the virtual processing unit corresponding to the bit as a target virtual processing unit.
In one embodiment, the computer program is executed by a processor to implement: if the target user corresponds to a plurality of target virtual processing units, the network flow data is sent to the target virtual processing units in a selective mode;
after the current virtual processing unit finishes processing the network flow data, the current virtual processing unit is instructed to forward the network flow data to a virtual network card corresponding to the next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network flow data.
In one embodiment, the computer program is executed by a processor to implement:
and if the target user corresponds to a plurality of target virtual processing units, copying a plurality of network flow data according to the number of the target virtual processing units, and respectively transmitting the network flow data to each target virtual processing unit.
In one embodiment, the computer program is executed by a processor to implement: for each bit in the M bits, if the value of the bit is a preset effective value, determining all virtual processing units in the virtual local area network corresponding to the bit as target virtual processing units.
In one embodiment, the computer program is executed by a processor to implement: determining a virtual network card associated with the target virtual processing unit according to the configuration information; the configuration information comprises the corresponding relation between a plurality of virtual processing units running on the computing board card and a plurality of virtual network cards of the computing board card.
The embodiment of the application further provides a splitter board, as shown in fig. 14, including: acquisition unit 1401, processing unit 1402, and transmission unit 1403.
An acquiring unit 1401, configured to acquire network traffic data of a target user;
a processing unit 1402, configured to generate a target traffic data packet according to the network traffic data and the indication field; the indication field is used for indicating a target virtual processing unit, and the target virtual processing unit is a virtual processing unit for analyzing network behaviors of a target user according to network flow data in the computing board card;
a transmitting unit 1403 is configured to transmit the target traffic packet to the computing board.
The embodiment of the application further provides a computing board card, as shown in fig. 15, including: a receiving unit 1501, a processing unit 1502, and a transmitting unit 1503.
A receiving unit 1501, configured to receive a target traffic packet sent by a splitter card, and obtain an indication field and network traffic data of a target user from the target traffic packet;
a processing unit 1502, configured to determine, according to the indication field, a target virtual processing unit corresponding to the target user from the virtual processing units running on the computing board card;
and the sending unit 1503 is configured to send the network traffic data to the target virtual processing unit, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, or the like. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration, and not limitation, RAM can take a variety of forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. A data processing method, applied to a traffic analysis server, the traffic analysis server including a distribution board card, a calculation board card, and a management board card, the method comprising:
the distribution board card extracts network flow data of a target user from the received network flow data according to user rules of the target user;
the distribution board card performs outer encapsulation processing on the network flow data of the target user according to the indication field to obtain a target flow data packet of the target user; the indication field is used for indicating a target virtual processing unit and a virtual local area network to which the target virtual processing unit belongs, wherein the target virtual processing unit is a virtual processing unit in the computing board card for analyzing network behaviors of the target user according to the network flow data;
The flow dividing board card sends the target flow data packet to the computing board card;
the distribution board card indicates the computing board card to broadcast the target flow data packet in the virtual local area network;
the management board card is used for sensing the running states of the distribution board card and the calculation board card in real time, detecting whether a fault exists in a data forwarding path between the distribution board card and the calculation board card, and dynamically switching the existing fault path.
2. The method of claim 1, wherein the indication field comprises N bits corresponding to X virtual processing units of the computing board.
3. The method of claim 1, wherein the indication field comprises M bits corresponding to Y virtual local area networks, each virtual local area network comprising at least one virtual processing unit therein.
4. A data processing method, applied to a traffic analysis server, the traffic analysis server including a distribution board card, a calculation board card, and a management board card, the method comprising:
the computing board card receives a target flow data packet sent by the distribution board card, and acquires an indication field and network flow data of a target user from the target flow data packet; the target flow data packet is obtained by the distribution board card performing outer layer encapsulation processing on the network flow data of the target user according to the indication field; the network flow data of the target user is extracted by the distribution board card from the received network flow data according to the user rule of the target user;
The computing board card determines a target virtual processing unit corresponding to the target user and a virtual local area network to which the target virtual processing unit belongs from virtual processing units running on the computing board card according to the indication field, and sends the network flow data to the target virtual processing unit in the virtual local area network by broadcasting the target flow data packet in the virtual local area network, so that the target virtual processing unit analyzes network behavior of the target user according to the network flow data;
the management board card is used for sensing the running states of the distribution board card and the calculation board card in real time, detecting whether a fault exists in a data forwarding path between the distribution board card and the calculation board card, and dynamically switching the existing fault path.
5. The method of claim 4, wherein the indication field comprises N bits corresponding to X virtual processing units of the computing board,
the computing board card determines a target virtual processing unit corresponding to the target user according to the indication field, and comprises:
for each bit in the N bits, if the value of the bit is a preset effective value, determining the virtual processing unit corresponding to the bit as the target virtual processing unit.
6. The method of claim 4, wherein said sending the network traffic data to the target virtual processing unit comprises:
if the target user corresponds to a plurality of target virtual processing units, the computing board card sends the network flow data to the target virtual processing units in turn;
after the current virtual processing unit finishes processing the network flow data, the current virtual processing unit is instructed to forward the network flow data to a virtual network card corresponding to a next virtual processing unit, so that the next virtual processing unit performs network behavior analysis on the target user according to the network flow data.
7. The method of claim 4, wherein the indication field includes M bits corresponding to Y virtual local area networks, any one of the M bits being used to indicate whether a virtual processing unit in the virtual local area network to which the bit corresponds is the target virtual processing unit,
the computing board card determines a target virtual processing unit corresponding to the target user according to the indication field, and comprises:
And for each bit in the M bits, if the value of the bit is a preset effective value, determining that all virtual processing units in the virtual local area network corresponding to the bit are the target virtual processing units.
8. The method of claim 4, wherein the target virtual processing unit is a container or virtual machine running on the computing board.
9. A computer device, comprising a computing board card, a splitter board card and a management board card;
the distribution board card is used for extracting network flow data of a target user from received network flow data according to user rules of the target user, performing outer encapsulation processing on the network flow data according to an indication field to obtain a target flow data packet of the target user, and sending the target flow data packet to the computing board card so as to instruct the computing board card to broadcast the target flow data packet; the indication field is used for indicating a target virtual processing unit in the computing board card and a virtual local area network to which the target virtual processing unit belongs;
the computing board card is used for receiving the target flow data packet sent by the flow dividing board card and acquiring the indication field and the network flow data from the target flow data packet; determining the target virtual processing unit and a virtual local area network to which the target virtual processing unit belongs from virtual processing units running on the computing board according to the indication field, and sending the network traffic data to the target virtual processing unit in the virtual local area network by broadcasting the target traffic data packet in the virtual local area network, so that the target virtual processing unit performs network behavior analysis on the target user according to the network traffic data;
The management board card is used for sensing the running states of the distribution board card and the calculation board card in real time, detecting whether a fault exists in a data forwarding path between the distribution board card and the calculation board card, and dynamically switching the existing fault path.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 8.
CN202110796223.3A 2021-07-14 2021-07-14 Data processing method, computer device, and readable storage medium Active CN113556265B (en)
Publications (2)

Publication Number Publication Date
CN113556265A CN113556265A (en) 2021-10-26
CN113556265B true CN113556265B (en) 2024-02-20

Family

ID=78103116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110796223.3A Active CN113556265B (en) 2021-07-14 2021-07-14 Data processing method, computer device, and readable storage medium

Country Status (1)

Country Link
CN (1) CN113556265B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205856A (en) * 2021-11-27 2022-03-18 国家计算机网络与信息安全管理中心 Signaling analysis device and signaling analysis method

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838589A (en) * 2006-04-26 2006-09-27 南京大学 Information processing method based on high-speed network data processing platform VPN gateway system
CN101174993A (en) * 2006-11-02 2008-05-07 北京中创信测科技股份有限公司 Network data monitoring and processing method and equipment
CN103684893A (en) * 2012-09-04 2014-03-26 清华大学 Equipment and method for analyzing network simulation
CN103973518A (en) * 2014-05-28 2014-08-06 重庆重邮汇测通信技术有限公司 Method and device for detecting virtual local area network by adopting packet internet grope
CN205945779U (en) * 2016-08-26 2017-02-08 胡开勇 Network flow analysis device and equipment
CN206515815U (en) * 2017-01-16 2017-09-22 深圳市恒扬数据股份有限公司 A kind of integrated network equipment and system
CN108306832A (en) * 2018-01-29 2018-07-20 北京启明星辰信息安全技术有限公司 A kind of network flow quantity shunting method and device
CN110719267A (en) * 2019-09-25 2020-01-21 山东三未信安信息科技有限公司 Server board card and data processing method thereof
CN110784345A (en) * 2019-10-17 2020-02-11 杭州迪普科技股份有限公司 Network traffic processing method and device, electronic equipment and machine-readable storage medium
CN110912777A (en) * 2019-11-27 2020-03-24 杭州迪普科技股份有限公司 Flow tracking method and device, electronic equipment and machine-readable storage medium
CN112243046A (en) * 2019-07-19 2021-01-19 华为技术有限公司 Communication method and network card
CN112637033A (en) * 2020-12-10 2021-04-09 杭州迪普科技股份有限公司 VLAN (virtual local area network) distribution method, device and equipment based on hardware service board card

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8954620B2 (en) * 2012-03-29 2015-02-10 Intel Corporation Techniques for using an assigned switch identification at an input/output device
US9146873B2 (en) * 2012-03-30 2015-09-29 Intel Corporation Adaptive queuing of a cache for a processing element

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838589A (en) * 2006-04-26 2006-09-27 南京大学 Information processing method based on high-speed network data processing platform VPN gateway system
CN101174993A (en) * 2006-11-02 2008-05-07 北京中创信测科技股份有限公司 Network data monitoring and processing method and equipment
CN103684893A (en) * 2012-09-04 2014-03-26 清华大学 Equipment and method for analyzing network simulation
CN103973518A (en) * 2014-05-28 2014-08-06 重庆重邮汇测通信技术有限公司 Method and device for detecting virtual local area network by adopting packet internet grope
CN205945779U (en) * 2016-08-26 2017-02-08 胡开勇 Network flow analysis device and equipment
CN206515815U (en) * 2017-01-16 2017-09-22 深圳市恒扬数据股份有限公司 Integrated network equipment and system
CN108306832A (en) * 2018-01-29 2018-07-20 北京启明星辰信息安全技术有限公司 Network traffic splitting method and device
CN112243046A (en) * 2019-07-19 2021-01-19 华为技术有限公司 Communication method and network card
CN110719267A (en) * 2019-09-25 2020-01-21 山东三未信安信息科技有限公司 Server board card and data processing method thereof
CN110784345A (en) * 2019-10-17 2020-02-11 杭州迪普科技股份有限公司 Network traffic processing method and device, electronic equipment and machine-readable storage medium
CN110912777A (en) * 2019-11-27 2020-03-24 杭州迪普科技股份有限公司 Flow tracking method and device, electronic equipment and machine-readable storage medium
CN112637033A (en) * 2020-12-10 2021-04-09 杭州迪普科技股份有限公司 VLAN (virtual local area network) distribution method, device and equipment based on hardware service board card

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Virtualization at the network edge: A technology perspective; Syed Rameez Ullah Kakakhel et al.; 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC); full text *
Design of a cloud-based virtual experiment system for signal processing; 王必成; 胡剑凌; 周敏; 孙一帆; 游善红; 曹洪龙; 现代电子技术 (Modern Electronics Technique) (11); full text *
Network traffic detection and analysis based on big data streams; 程伟华; 赵军; 吴鹏; 南京理工大学学报 (Journal of Nanjing University of Science and Technology) (03); full text *

Also Published As

Publication number Publication date
CN113556265A (en) 2021-10-26

Similar Documents

Publication Publication Date Title
CN108449282B (en) Load balancing method and device
US10230627B2 (en) Service path allocation method, router and service execution entity
CN113285926B (en) Honeypot trapping method and device for power monitoring system and computer equipment
CN112887229B (en) Session information synchronization method and device
CN114430394B (en) Message processing method and device, electronic equipment and readable storage medium
CN107426063A (en) Identification system and method for Internet application traffic
CN113825129B (en) Industrial Internet asset mapping method in 5G network environment
US10263901B2 (en) Service packet processing method, apparatus, and system
CN113556265B (en) Data processing method, computer device, and readable storage medium
CN105978748A (en) Terminal equipment information counting method and terminal equipment information counting device based on Hash node
CN111865996A (en) Data detection method and device and electronic equipment
CN101599857B (en) Method, device and network detection system for detecting the number of host computers accessing through a shared connection
US10225358B2 (en) Page push method, device, server and system
CN108667735B (en) Method and device for forwarding multicast data
CN108011801B (en) Data transmission method, equipment, device and system
CN111600929B (en) Transmission line detection method, routing strategy generation method and proxy server
US6157617A (en) Method and system of network packet accounting
CN107809387B (en) Message transmission method, device and network system
CN113014573A (en) Monitoring method, system, electronic device and storage medium for DNS (Domain Name Server)
CN112583736A (en) Signaling message distribution method, device, equipment and medium
CN115038073B (en) Method and device for acquiring user permanent identification, electronic equipment and storage medium
WO2022078330A1 (en) Domain name recursive query method and apparatus, and recursive server and dns system
CN111654452B (en) Message processing method and device
CN107483520B (en) Method and device for processing network attached storage instance
CN115412549A (en) Information configuration method and device and request processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant