CN113872918A - Network traffic classification method, equipment, storage medium and device - Google Patents

Network traffic classification method, equipment, storage medium and device

Info

Publication number
CN113872918A
Authority
CN
China
Prior art keywords
network traffic
responded
classification
information
rule
Prior art date
Legal status
Pending
Application number
CN202010616036.8A
Other languages
Chinese (zh)
Inventor
刘耀
Current Assignee
Suzhou 360 Intelligent Security Technology Co Ltd
Original Assignee
Suzhou 360 Intelligent Security Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network traffic classification and discloses a network traffic classification method, equipment, storage medium and device. The method comprises: when the application layer receives network traffic to be responded to, passing that traffic to the kernel layer; classifying the traffic in the kernel layer by a preset classification rule to obtain a classification result, where the preset classification rule is generated from a virtual patch file uploaded by the application layer; and, when the classification result is non-malicious traffic, having the application layer respond to the traffic. Because the virtual patch file is installed in the kernel layer, which can access all data, full coverage of the classification is ensured, and classifying the traffic to be responded to through the virtual patch file makes the network security protection provided by the virtual patch more effective.

Description

Network traffic classification method, equipment, storage medium and device
Technical Field
The present invention relates to the field of virtual patch technologies, and in particular, to a method, device, storage medium, and apparatus for classifying network traffic.
Background
Virtual patching is a solution that relieves developers of the patch management dilemma. Virtual patch technology aims to mitigate or eliminate a vulnerability by controlling the input or output of the affected application, and it can also protect early versions of an application that the vendor no longer supports.
Traditional virtual patches are identified mainly in user mode, but because user mode runs at a lower privilege level, not all traffic can be intercepted there, so network security defense cannot be carried out as securely.
Disclosure of Invention
The main object of the invention is to provide a network traffic classification method, equipment, storage medium and device, aiming to solve the problem of how to make the network security protection provided by virtual patches more effective.
In order to achieve the above object, the present invention provides a network traffic classification method, which includes the following steps:
when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded.
Optionally, the preset classification rule is a field matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result comprises the following steps:
and classifying the network traffic to be responded by using a field matching rule in the kernel layer to obtain a classification result.
Optionally, the classifying the network traffic to be responded by the field matching rule in the kernel layer to obtain a classification result includes:
acquiring preset classification field information;
analyzing the network traffic to be responded to obtain analyzed field information to be responded;
matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information;
and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
Optionally, the matching the preset classification field information with the field information to be responded includes:
combining the preset classification field information to obtain a preset classification field information set;
obtaining regular expression rule information, constructing a matching rule from the preset classification field information set according to the regular expression rule information, and generating a matching regular expression;
and matching the field information to be responded according to the matching regular expression.
Optionally, the preset classification rule is a feature matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result comprises the following steps:
and classifying the network traffic to be responded by the feature matching rules in the kernel layer to obtain a classification result.
Optionally, the classifying the network traffic to be responded by the feature matching rule in the kernel layer to obtain a classification result includes:
analyzing the network traffic to be responded to obtain analyzed data to be responded;
obtaining corresponding response characteristic information according to the data to be responded;
and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
Optionally, the preset classification rule is a link matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result comprises the following steps:
and classifying the network traffic to be responded by a link matching rule in the kernel layer to obtain a classification result.
Optionally, the classifying the network traffic to be responded by the link matching rule in the kernel layer to obtain a classification result includes:
analyzing the network traffic to be responded to obtain analyzed link information;
extracting source address information of request information in the link information and destination address information of the request information to be responded in the link information;
determining the type of a preset address according to the source address information, judging whether the destination address information belongs to the type of the preset address, and obtaining a judgment result;
and obtaining a classification result according to the judgment result.
Optionally, when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer includes:
when the application layer receives the network traffic to be responded, the network traffic attribute analysis is carried out on the network traffic to be responded to obtain a traffic attribute result;
obtaining a corresponding communication protocol type according to the flow attribute result;
when the communication protocol type is a preset protocol type, reassembling the network traffic to be responded to obtain reassembled network traffic to be responded;
and transmitting the reassembled network traffic to be responded to the kernel layer.
Optionally, when the communication protocol type is a preset protocol type, reassembling the network traffic to be responded to obtain reassembled network traffic to be responded includes:
when the communication protocol type is a preset protocol type, counting the current length information of the network traffic to be responded;
performing fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic;
extracting reassembly sequence number information from the fragmented network traffic;
and reassembling the fragmented network traffic according to the reassembly sequence number information to obtain the reassembled network traffic to be responded.
Optionally, performing fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic includes:
acquiring a preset length threshold;
comparing the current length information with the preset length threshold to judge whether the current length information reaches the preset length threshold;
and when the current length information reaches the preset length threshold, taking the network traffic to be responded corresponding to the preset length threshold as fragmented network traffic.
Optionally, when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer includes:
when the application layer receives the network traffic to be responded, calling a preset receiving function, wherein the preset receiving function is connected with the application layer and the kernel layer;
and transmitting the network traffic to be responded to the kernel layer according to the preset receiving function.
Optionally, the invoking a preset receiving function when the application layer receives the network traffic to be responded includes:
when the application layer receives the network traffic to be responded, comparing the network traffic to be responded with a preset protocol keyword;
obtaining the protocol type of the network traffic to be responded according to the comparison result;
and calling a corresponding preset receiving function according to the protocol type of the network flow to be responded.
Optionally, before the preset classification rule in the kernel layer classifies the network traffic to be responded, and a classification result is obtained, the method further includes:
calling a preset hook function in a kernel layer, and extracting filtering rule information in the preset hook function;
and taking the filtering rule information as a preset classification rule.
Optionally, before the filtering rule information is used as a preset classification rule, the method further includes:
acquiring a virtual patch file uploaded by an application layer, and calling a patch generator according to the virtual patch file;
packaging the filtering rule information through the patch generator to obtain packaged filtering rule information;
the step of using the filtering rule information as a preset classification rule includes:
and taking the packaged filtering rule information as a preset classification rule.
Optionally, before the packaged filtering rule information is used as a preset classification rule, the method further includes:
acquiring version information of the packaged filtering rule information and the current version information corresponding to the preset classification rule in the kernel layer;
judging whether the version information of the packaged filtering rule information is higher than the current version information;
and when the version information of the packaged filtering rule information is higher than the current version information, executing the step of taking the packaged filtering rule information as a preset classification rule.
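The application-layer transmission steps above (protocol detection by preset keyword, fragment identification by a length threshold, and reassembly by the reassembly, or "recombination", number) are listed as claims without any concrete logic. The following is an added example, not code from the patent or from its assignee, showing one way those steps fit together before traffic is handed to the kernel-layer classifier. The protocol keywords, the set of protocols that get reassembled, the 64-byte threshold and the (number, count, data) fragment layout are all this example's assumptions; the page specifies none of them. The reassembler refuses incomplete or inconsistent fragment sets, which matters because classifying a partial payload as clean is exactly the gap an evasion relies on.

```python
from typing import Dict, List, Optional, Tuple

# Constructed parameters. The page names neither the preset protocol
# keywords, the preset protocol types nor the preset length threshold.
PROTOCOL_KEYWORDS: Dict[bytes, str] = {
    b"HTTP/1.": "HTTP",
    b"GET ": "HTTP",
    b"POST ": "HTTP",
}
REASSEMBLY_PROTOCOLS = {"HTTP"}   # protocol types that are reassembled first
LENGTH_THRESHOLD = 64             # bytes at which traffic counts as fragmented

# A fragment is (reassembly number, total fragment count, data).
Fragment = Tuple[int, int, bytes]


def detect_protocol(traffic: bytes) -> str:
    """Compare the start of the traffic with the preset protocol keywords
    and return the protocol type, or UNKNOWN if no keyword matches."""
    head = traffic[:16]
    for keyword, proto in PROTOCOL_KEYWORDS.items():
        if head.startswith(keyword):
            return proto
    return "UNKNOWN"


def fragment(traffic: bytes, threshold: int = LENGTH_THRESHOLD) -> List[Fragment]:
    """Fragment identification by length: traffic shorter than the threshold
    is a single unit; otherwise it is cut into threshold-sized fragments,
    each tagged with its reassembly number. Used here to build test input
    that stands in for what the application layer receives off the wire."""
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if len(traffic) < threshold:
        return [(0, 1, traffic)]
    chunks = [traffic[i:i + threshold] for i in range(0, len(traffic), threshold)]
    return [(num, len(chunks), chunk) for num, chunk in enumerate(chunks)]


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Reassemble fragments in reassembly-number order. Returns None when a
    fragment is missing, numbered out of range, or duplicated with different
    data, so that a partial or inconsistent payload is never handed to the
    kernel-layer classifier as if it were complete."""
    if not fragments:
        return None
    total = fragments[0][1]
    by_num: Dict[int, bytes] = {}
    for num, count, data in fragments:
        if count != total or not 0 <= num < total:
            return None
        if num in by_num and by_num[num] != data:
            return None
        by_num[num] = data
    if len(by_num) != total:
        return None
    return b"".join(by_num[i] for i in range(total))


def prepare_for_kernel(received: List[Fragment]) -> Tuple[str, Optional[bytes]]:
    """Application-layer side of the transmission step as this example reads
    the claims: determine the protocol type from the lowest-numbered fragment,
    reassemble when the type is one of the preset protocol types, and return
    (protocol type, traffic to pass to the kernel layer)."""
    if not received:
        return ("UNKNOWN", None)
    first = min(received, key=lambda f: f[0])[2]
    proto = detect_protocol(first)
    if proto not in REASSEMBLY_PROTOCOLS:
        return (proto, b"".join(f[2] for f in received))
    return (proto, reassemble(received))


if __name__ == "__main__":
    # Constructed HTTP request, delivered out of order.
    msg = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 100\r\n\r\n" + b"A" * 100)
    frags = fragment(msg)
    print(prepare_for_kernel(list(reversed(frags))))   # complete: ('HTTP', msg)
    print(prepare_for_kernel(frags[:2]))               # incomplete: ('HTTP', None)
```

A real deployment would take the sequence number from the transport protocol (TCP segments already carry one) rather than from a constructed tuple, and would bound how long incomplete fragment sets are held so the reassembly buffer cannot be exhausted by a sender that never delivers the last fragment.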
In addition, to achieve the above object, the present invention further provides a network traffic classification apparatus, including:
the transmission module is used for transmitting the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded;
the classification module is used for classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and the response module is used for responding to the network traffic to be responded by the application layer when the classification result is the non-malicious traffic.
Optionally, the preset classification rule is a field matching rule;
the classification module is further configured to classify the network traffic to be responded according to the field matching rule in the kernel layer, so as to obtain a classification result.
In addition, to achieve the above object, the present invention further provides a network traffic classification device, including: a memory, a processor and a network traffic classification program stored on the memory and running on the processor, the network traffic classification program when executed by the processor implementing the steps of the network traffic classification method as described above.
Furthermore, to achieve the above object, the present invention further provides a storage medium having a network traffic classification program stored thereon, wherein the network traffic classification program, when executed by a processor, implements the steps of the network traffic classification method as described above.
According to the technical scheme provided by the invention, when the application layer receives network traffic to be responded to, it transmits that traffic to the kernel layer; the kernel layer classifies the traffic by a preset classification rule, generated from the virtual patch file uploaded by the application layer, to obtain a classification result; and when the result is non-malicious traffic, the application layer responds to it. Because the virtual patch file is installed in the kernel layer, which can access all data, full coverage of the classification is ensured, and classifying the traffic through the virtual patch file makes the network security protection provided by the virtual patch more effective.
Drawings
Fig. 1 is a schematic structural diagram of a network traffic classification device in a hardware operating environment according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a network traffic classification method according to a first embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the OSI model for an embodiment of the network traffic classification method of the present invention;
Fig. 4 is a flowchart illustrating a network traffic classification method according to a second embodiment of the present invention;
Fig. 5 is a flowchart illustrating a network traffic classification method according to a third embodiment of the present invention;
Fig. 6 is a block diagram of a network traffic classification device according to a first embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main technical terms related to the embodiments of the present application include:
HTTP protocol: Hypertext Transfer Protocol, the most widely used network transfer protocol on the Internet.
OSI model: Open System Interconnection Reference Model.
TCP protocol: Transmission Control Protocol, a connection-oriented, reliable, byte-stream-based transport layer communication protocol.
UDP protocol: User Datagram Protocol, a connectionless transport layer protocol in the OSI reference model that provides a simple, transaction-oriented, unreliable message transfer service. Like TCP it handles datagrams; both sit at the transport layer, directly above the IP protocol.
IP protocol: Internet Protocol.
VPatch: a free patch generator used to produce small patch files that upgrade an old version to a new version.
Hook function: a hook is part of the Windows message-handling mechanism. By installing a hook, an application can filter all messages and events at the system level and access messages it could not otherwise reach. A hook is essentially a program that handles system messages and is attached to the system through system calls.
Protocol stack: a protocol stack is a concrete software implementation of a computer network protocol suite. Each protocol in the suite is usually designed for a single purpose, which keeps its design simple. Since each protocol module usually has to communicate with the module above it and the module below it, the modules can be pictured as layers in a stack. The lowest layer always describes the physical interaction with the hardware; each higher layer adds more features; user applications deal only with the topmost protocol.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a network traffic classification device in a hardware operating environment according to an embodiment of the present invention.
As shown in Fig. 1, the network traffic classification device may include: a processor 1001 such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 connects these components. The user interface 1003 may include a display and optionally a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wi-Fi interface). The memory 1005 may be high-speed random access memory (RAM) or stable memory such as non-volatile memory, for example disk storage. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the network traffic classification device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a network traffic classification program therein.
In the network traffic classification device shown in Fig. 1, the network interface 1004 is mainly used to connect to a backend server and exchange data with it; the user interface 1003 is mainly used to connect peripheral equipment; and the device calls the network traffic classification program stored in the memory 1005 through the processor 1001 to execute the network traffic classification method provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the network traffic classification method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a network traffic classification method according to a first embodiment of the present invention.
In a first embodiment, the network traffic classification method includes the steps of:
step S10: and when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer.
It should be noted that, the main execution body of the present embodiment is a network traffic classification device, and may also be other devices that can implement the same or similar functions.
In this embodiment the application layer is the application layer of the OSI model, and the kernel layer is the protocol layer at which programs running in kernel mode reside. Kernel mode and user mode are two execution levels of the operating system. A program running at privilege level 3 is said to run in user mode; this is the lowest privilege level, the level at which ordinary user processes run, and most programs the user interacts with directly run there. A program running at privilege level 0 is said to run in kernel mode. A program in user mode cannot directly access the kernel's data structures or the operating system's own code. While a program executes it spends most of its time in user mode and switches to kernel mode only when it needs the operating system to perform a task it has neither the authority nor the ability to perform itself, such as operating hardware. In user mode the memory space and objects a process can access are limited and the processor it occupies can be preempted; in kernel mode, as this description models it, the program can access all memory space and objects and the processor it occupies is not preempted. All current network traffic can therefore be obtained through the kernel layer. Fig. 3 shows the structure of the OSI model, including the application layer, presentation layer, session layer and so on, together with the protocol types each layer supports.
In a specific implementation, preset monitoring software may be installed at the application layer or the kernel layer to capture the network traffic to be responded to. The preset monitoring software may be third-party monitoring software, such as a monitoring app, or monitoring software in another form; this embodiment does not limit it.
Step S20: and classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer.
In a specific implementation, the preset classification rule may be at least one of a field matching rule, a feature matching rule and a link matching rule. The network traffic to be responded to is classified by the preset classification rule in the kernel layer to obtain a classification result; the result is malicious traffic or non-malicious traffic, and may also take another form, such as an undetermined state.
In this embodiment the preset classification rule is installed in the kernel layer, so all network traffic is classified and processed, which improves the security of network monitoring.
It can be understood that the preset classification rule is generated from the virtual patch file uploaded by the application layer; that is, a user can write a virtual patch file at the application layer to generate the rule, so the user can set the preset classification rule according to actual requirements, which improves the flexibility of the rule.
In a specific implementation, the preset classification rule is a field matching rule, and the step S20 includes:
classifying the network traffic to be responded by the field matching rule in the kernel layer to obtain a classification result, which specifically comprises the following steps:
acquiring preset classification field information; analyzing the network traffic to be responded to obtain analyzed field information to be responded; matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information; and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
It should be noted that the preset classification field information is a feature field entered by the user, and the network traffic to be responded to is filtered according to that feature field; an example is a field such as "redirection", and other field information is possible.
In a specific implementation, the matching the preset classification field information with the field information to be responded includes:
combining the preset classification field information to obtain a preset classification field information set; regular expression rule information is obtained, matching rule construction is carried out on the preset classification field information set according to the regular expression rule information, and a matching regular expression is generated; and matching the field information to be responded according to the matching regular expression.
In this embodiment, to separate the network traffic to be responded to, matching is performed with a regular expression and classification is made from the match result. Because a user enters several filter conditions, filtering them one batch at a time would greatly reduce data processing efficiency; instead a regular expression is generated from the user's filter conditions and the data is matched against it. For example, if the user enters "redirection" and "address modification", the generated rule is pcre:"(redirection|address modification)"; matching the data with this regular expression improves data processing efficiency.
Specifically, the preset classification field information is combined into a preset classification field information set: for the user inputs "redirection" and "address modification", the set is (redirection|address modification), though other forms of combination are possible and this embodiment does not limit it. To build the matching regular expression, regular expression rule information is obtained; this may be data structure information such as pcre:"×"; where × stands for the preset classification field information set, or a data structure of another form, which this embodiment does not limit. A matching rule is built from the preset classification field information set according to the regular expression rule information to generate the matching regular expression, that is, pcre:"(redirection|address modification)"; and the field information to be responded to is matched against this expression, which improves data processing efficiency. Besides regular expression matching, other matching modes may be used; this embodiment does not limit it.
As another embodiment, the preset classification rule is a feature matching rule; the step S20 includes:
classifying the network traffic to be responded by the feature matching rules in the kernel layer to obtain a classification result, which specifically comprises the following steps:
analyzing the network traffic to be responded to obtain analyzed data to be responded; obtaining corresponding response characteristic information according to the data to be responded; and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
The embodiment mainly classifies the network traffic based on response characteristic information, wherein the response characteristic information includes at least one of mandatory installation characteristic information, difficult uninstallation characteristic information, browser hijacking characteristic information and malicious uninstallation characteristic information, wherein, the forced installation refers to the action of installing software on a user computer or other terminals without explicitly prompting users or without user permission, the difficult uninstallation refers to the fact that a universal uninstalling mode is not provided, or under the condition of not being influenced by other software and being damaged by people, the behavior of the active program still exists after the software is unloaded, the browser hijacking means that the user does not have permission, the browser or other related settings of the user are modified, the user is forced to access a specific website or the user cannot surf the internet normally, and the malicious unloading means that the user is not explicitly prompted, the user does not have permission, or misguided, the user is deceived to unload the behavior of other software, and the like.
In a specific implementation, feature recognition is performed on the data to be responded to judge whether the data to be responded matches the feature information of malicious traffic. When it does, the corresponding response characteristic information is obtained, and the network traffic to be responded is classified according to that response characteristic information to obtain the classification result. Network traffic recognition is thus performed based on response characteristic information, which improves the accuracy of feature recognition.
As another embodiment, the preset classification rule is a link matching rule; the step S20 includes:
classifying the network traffic to be responded by the link matching rule in the kernel layer to obtain a classification result, which specifically comprises the following steps:
analyzing the network traffic to be responded to obtain analyzed link information; extracting source address information of request information in the link information and destination address information of the request information to be responded in the link information; determining the type of a preset address according to the source address information, judging whether the destination address information belongs to the type of the preset address, and obtaining a judgment result; and obtaining a classification result according to the judgment result.
This embodiment mainly classifies the network traffic based on the link matching rule. Malicious traffic exhibits traffic tampering behaviour, that is, the destination address information is modified into a preset malicious address so that the user's behaviour data is intercepted; therefore behaviour verification can be performed through the link address, which improves the security of network monitoring.
In a specific implementation, the source address information of the request information and the destination address information of the request information to be responded are extracted from the link information, and it is judged whether the two belong to the same kind. When they belong to the same kind, the network address has not been tampered with and the network traffic to be responded is non-malicious traffic; correspondingly, when they do not belong to the same kind, the network address has been tampered with and the network traffic to be responded is malicious traffic. The network traffic to be responded is thereby identified, and the accuracy of malicious traffic identification is improved.
In a specific implementation, the preset address type is determined according to the source address information, and it is judged whether the destination address information belongs to that preset address type. For example, type identification is performed on the source address information, giving a network address whose source address information is of the hospital type; specifically, IP range information can be obtained from the source address information and the corresponding type information determined from the IP range. In general, request information from a hospital website corresponds to request information of other hospital websites, so if the source address information and the destination address information of the link information do not belong to the same type, the website information may have been tampered with. The accuracy of malicious traffic identification is thereby further improved.
Step S30: and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded.
This embodiment is mainly used to filter incoming traffic by applying a virtual patch for the application layer. When an application program of the application layer receives network data, the system call finally invokes the recvmsg function corresponding to the protocol type and then copies the user traffic to user space; the vpatch hook runs before the data is copied. The hook function matches the characteristic fields supplied by the user according to the protocol type, which completes the regular expression matching and realises traffic filtering.
According to the scheme, when the application layer receives the network traffic to be responded, the network traffic to be responded is transmitted to the kernel layer; the network traffic to be responded is classified by a preset classification rule in the kernel layer to obtain a classification result, where the preset classification rule is generated based on the virtual patch file uploaded by the application layer; and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded. The virtual patch file is thus set in the kernel layer, and because the kernel layer can access all data, full coverage of the classification is ensured; classifying the network traffic to be responded through the virtual patch file makes the network security protection provided by the virtual patch more effective.
Referring to fig. 4, fig. 4 is a flowchart illustrating a network traffic classification method according to a second embodiment of the present invention, and the second embodiment of the network traffic classification method according to the present invention is proposed based on the first embodiment illustrated in fig. 2.
In the second embodiment, the step S10 includes:
step S101, when the application layer receives the network traffic to be responded, the network traffic attribute analysis is carried out on the network traffic to be responded, and a traffic attribute result is obtained.
In this embodiment, the network traffic attribute is the communication protocol used by the network traffic, and the communication protocol type of the current network traffic can be obtained by analysing the network traffic attribute of the network traffic to be responded. Each communication protocol handles data differently: TCP is a byte-stream protocol, so an application message may be split across several segments and several messages may share one segment, whereas UDP delivers self-contained datagrams. When the communication protocol type of the current network traffic is TCP, the network traffic therefore needs to be reassembled and restored so that the real situation of the current network traffic is obtained and the accuracy of classification is improved.
And step S102, obtaining a corresponding communication protocol type according to the flow attribute result.
In a specific implementation, data structure analysis can be performed on the network traffic to be responded; since the TCP communication protocol and each other communication protocol has its own protocol structure (header layout), the corresponding communication protocol type is obtained by analysing the network traffic.
And step S103, when the communication protocol type is a preset protocol type, recombining the network traffic to be responded to obtain the recombined network traffic to be responded.
It should be noted that the preset protocol type is the TCP protocol type; it may also be another communication protocol type that needs to segment data during transmission so that a single transmission does not exceed what the link or the receiver can carry.
It can be understood that, in order to obtain the real situation of the current network traffic, when the preset protocol type is the TCP protocol type, the network traffic to be responded is recombined to obtain the recombined network traffic to be responded, thereby ensuring the ordering of data transmission.
And step S104, transmitting the recombined network traffic to be responded to the kernel layer.
In one embodiment, step S103 includes:
when the communication protocol type is a preset protocol type, counting the current length information of the network traffic to be responded; carrying out fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic; extracting the recombination number information in the network flow of the fragments; and recombining the network traffic of the fragments according to the recombination number information to obtain the recombined network traffic to be responded.
In this embodiment, when the communication protocol type is the TCP protocol type, the current network traffic may contain segmented network traffic. The segmented network traffic is therefore first identified from the current network traffic, and since each segment carries numbering information (its sequence number), reassembly can be performed by that numbering information, which restores the order of the transmitted data. Specifically: the recombination number information in the segmented network traffic is extracted, and the segments are reassembled according to it to obtain the reassembled network traffic to be responded. The segmented data is thereby restored, and the accuracy of traffic identification is improved.
In an embodiment, the performing fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic includes:
acquiring a preset length threshold; comparing the current length information with the preset length threshold value to judge whether the current length information reaches the preset length threshold value; and when the current length information reaches the preset length threshold, taking the network traffic to be responded corresponding to the preset length threshold as fragmented network traffic.
In this embodiment, in order to identify segmented network traffic, length analysis is performed on the current network data. The preset length threshold is the maximum traffic length that the receiving terminal identified by the destination address information can accept; when the current traffic length reaches this maximum, the sender segments the data and transmits the remainder in the next sequence period, so that the traffic the receiving terminal can carry is never smaller than the traffic transmitted. A segment produced in this way has a length equal to the maximum the receiving terminal can accept; therefore, by judging whether the current length information reaches the preset length threshold, the network traffic to be responded corresponding to the preset length threshold is taken as segmented network traffic, which realises the identification of segmented network traffic. Note that the last segment of a message is usually shorter than the threshold, so the length test identifies full segments, while the reassembly itself relies on the sequence numbers.
According to the scheme, segment identification is performed on the network traffic to be responded through the current length information to obtain segmented network traffic, and the segments are reassembled according to the recombination number information they carry to obtain the reassembled network traffic to be responded. The segmented network traffic is restored to obtain the real information of the network traffic, the ordering of the TCP stream at the receiving end is achieved, the connection state is tracked, segmented protocol header data is supported, and the accuracy of network traffic analysis is achieved.
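The reassembly procedure of steps S103 and its sub-steps, as an added example that is not code from the patent: segments are tracked by sequence number, out-of-order arrivals are buffered until the gap closes, duplicates and overlapping retransmissions are trimmed rather than appended twice, and the length test of the patent is kept as a separate predicate. The segments are constructed in memory (no socket capture), and MSS is an assumed value standing in for the patent's "preset length threshold".

```python
"""TCP segment reassembly by sequence number (added example, not patent code).

Segments are constructed in memory as (seq, payload) pairs; there is no
socket capture. MSS is an assumed segment size standing in for the patent's
"preset length threshold".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MSS = 8  # assumed maximum segment size for the constructed sample


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Stream:
    """One direction of a TCP connection, starting at its initial sequence number."""
    isn: int
    next_seq: int = field(init=False)
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments
    data: bytearray = field(default_factory=bytearray)       # in-order bytes so far

    def __post_init__(self) -> None:
        self.next_seq = self.isn

    def add(self, seg: Segment) -> None:
        """Accept a segment in any order, dropping bytes already delivered."""
        if seg.seq + len(seg.payload) <= self.next_seq:
            return  # pure retransmission of data already delivered
        # Keep the newer copy if two segments claim the same sequence number.
        self.pending[seg.seq] = seg.payload
        while self.pending:
            lowest = min(self.pending)
            if lowest > self.next_seq:
                break  # a gap remains; wait for the missing segment
            chunk = self.pending.pop(lowest)
            fresh = chunk[self.next_seq - lowest:]  # trim overlap with delivered bytes
            self.data.extend(fresh)
            self.next_seq += len(fresh)


def is_full_segment(seg: Segment, mss: int = MSS) -> bool:
    """Length test from the patent: a payload that fills the threshold was segmented."""
    return len(seg.payload) >= mss


def segment(isn: int, data: bytes, mss: int = MSS) -> List[Segment]:
    """Split a message into MSS-sized segments with consecutive sequence numbers."""
    return [Segment(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def reassemble(isn: int, segments: List[Segment]) -> Tuple[bytes, bool]:
    """Return (in-order data, complete); complete is False while a gap remains."""
    stream = Stream(isn)
    for seg in segments:
        stream.add(seg)
    return bytes(stream.data), not stream.pending


# Constructed sample: a request split into segments that arrive out of order,
# with one duplicate and one retransmission that overlaps delivered data.
ISN = 1000
MESSAGE = b"GET /login?next=http://evil.example/ HTTP/1.1\r\n"
_segs = segment(ISN, MESSAGE)
SAMPLE_ARRIVAL = [
    _segs[1],                                             # arrives before _segs[0]
    _segs[0],
    _segs[3],                                             # arrives before _segs[2]
    _segs[1],                                             # duplicate
    Segment(_segs[2].seq - 3, _segs[1].payload[-3:] + _segs[2].payload),  # overlap
] + _segs[4:]

if __name__ == "__main__":
    data, complete = reassemble(ISN, SAMPLE_ARRIVAL)
    print(complete, data)
```

Running the block prints `True` followed by the original request. Trimming on `self.next_seq - lowest` is what makes an overlapping retransmission harmless; appending it as-is would corrupt the stream and let an attacker shift where a rule matches.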
Referring to fig. 5, fig. 5 is a flowchart illustrating a network traffic classification method according to a third embodiment of the present invention, which is proposed based on the first embodiment or the second embodiment.
In the third embodiment, the step S10 includes:
step S105, when the application layer receives the network flow to be responded, a preset receiving function is called, wherein the preset receiving function is connected with the application layer and the kernel layer.
In this embodiment, the preset receiving function may be the recvmsg function, or another function that implements receiving.
And step S106, transmitting the network flow to be responded to the kernel layer according to the preset receiving function.
In a specific implementation, the network traffic to be responded for the application layer can be passed to the kernel layer through the recvmsg function, so that it is classified by the preset classification rules in the kernel layer. Classification is thereby comprehensive, and the situation in which kernel-layer data cannot be accessed because of permission problems is avoided.
In one embodiment, the step S105 includes:
when the application layer receives the network traffic to be responded, comparing the network traffic to be responded with a preset protocol keyword; obtaining the protocol type of the network traffic to be responded according to the comparison result; and calling a corresponding preset receiving function according to the protocol type of the network flow to be responded.
In this embodiment, in order to ensure flexibility of reception, and because the receiving function differs for each transport communication protocol, the network traffic to be responded may be compared with the preset protocol keyword, and the protocol type of the network traffic to be responded is obtained according to the comparison result. The preset protocol keyword may be an information segmentation keyword, and may further include other keywords, which this embodiment does not limit: because TCP segments information during transmission, the corresponding communication protocol type is obtained according to whether the information is segmented, and the corresponding recvmsg function is then called according to that protocol type, which ensures that the network traffic is received correctly.
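The dispatch described in this sub-step, as an added example that is not code from the patent: instead of the patent's "segmentation keyword" it reads the protocol field of the IPv4 header, which is where the kernel itself learns whether a packet is TCP or UDP, and then calls the matching receive handler. The handlers `recv_tcp` and `recv_udp` are assumptions standing in for the per-protocol recvmsg implementations; the packets are constructed inline and header checksums are not verified.

```python
"""Choosing the receive handler from a packet's transport protocol.

Added example, not code from the patent. The protocol field of the IPv4
header selects the handler; recv_tcp and recv_udp stand in for the
per-protocol recvmsg implementations. Packets are constructed inline and
checksums are not verified.
"""
import struct
from typing import Callable, Dict, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4(packet: bytes) -> Tuple[int, bytes]:
    """Return (protocol number, transport-layer payload) for one IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    return proto, packet[ihl:total_len]


def recv_tcp(payload: bytes) -> Tuple[str, int, int, int, bytes]:
    """TCP receive path: strip the TCP header, keep seq so segments can be ordered."""
    if len(payload) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_res, _flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", payload[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(payload):
        raise ValueError("bad TCP data offset")
    return "tcp", sport, dport, seq, payload[data_off:]


def recv_udp(payload: bytes) -> Tuple[str, int, int, bytes]:
    """UDP receive path: one datagram, length taken from the UDP header."""
    if len(payload) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("bad UDP length")
    return "udp", sport, dport, payload[8:length]


HANDLERS: Dict[int, Callable[[bytes], tuple]] = {IPPROTO_TCP: recv_tcp, IPPROTO_UDP: recv_udp}


def receive(packet: bytes) -> tuple:
    """Dispatch to the handler for the packet's protocol; unknown protocols are refused."""
    proto, payload = parse_ipv4(packet)
    handler = HANDLERS.get(proto)
    if handler is None:
        raise ValueError(f"no receive handler for IP protocol {proto}")
    return handler(payload)


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet builder (documentation addresses, zero checksum)."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload


# Constructed sample packets
HTTP_REQ = b"GET / HTTP/1.1\r\n"
SAMPLE_TCP = build_ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                                                 5 << 4, 0x18, 1024, 0, 0) + HTTP_REQ)
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SAMPLE_UDP = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 5353, 53, 8 + len(DNS_QUERY), 0) + DNS_QUERY)
SAMPLE_ICMP = build_ipv4(1, b"\x08\x00\x00\x00\x00\x01\x00\x01")
```

Refusing protocols without a handler (the ICMP sample) matters for a filter that sits in the receive path: traffic that falls through to "no classification" must not be silently passed to the application as non-malicious.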
In an embodiment, before the step S20, the method further includes:
calling a preset hook function in a kernel layer, and extracting filtering rule information in the preset hook function; and taking the filtering rule information as a preset classification rule.
In this embodiment, the preset hook function may be a hook function, and may also be a function in another form.
In an embodiment, before the filter rule information is used as the preset classification rule, the method further includes:
acquiring a virtual patch file uploaded by an application layer, and calling a patch generator according to the virtual patch file; packaging the filtering rule information through the patch generator to obtain packaged filtering rule information; the step of using the filtering rule information as a preset classification rule includes: and taking the packaged filtering rule information as a preset classification rule.
It should be noted that the patch generator may be the VPatch patch generator, or a patch generator in another form, which this embodiment does not limit; the VPatch patch generator is taken as the example. In order to generate the preset classification rule from the virtual patch file, the filtering rule information is encapsulated by the patch generator to obtain the encapsulated filtering rule information, which realises setting of the virtual patch by the kernel layer.
In an embodiment, before the step of using the encapsulated filtering rule information as the preset classification rule, the method further includes:
acquiring version information of the encapsulated filtering rule information and current version information corresponding to a preset classification rule in the kernel layer; judging whether the version information of the packaged filtering rule information is higher than the current version information; and when the version information of the packaged filtering rule information is higher than the current version information, executing the step of taking the packaged filtering rule information as a preset classification rule.
In this embodiment, when the virtual patch is loaded into the kernel, the current version information is already stored in the kernel layer. If the version is not checked and the update is applied directly, then whenever the current version is higher than that of the new preset classification rule an invalid update occurs, which does not help the version update and instead harms data processing efficiency. The version information of the virtual patch is therefore checked, and the update is performed only when it is higher than the current version information, which improves the efficiency of patch updating. The same check also prevents an older rule set from replacing a newer one.
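The patch generator and version gate of the preceding sub-steps, as an added example that is not code from the patent or the VPatch generator: a virtual patch file is parsed into compiled rules, and the kernel-side rule store replaces its current rules only when the incoming version is strictly higher. The patch file format (a `version:` line followed by `rule:` lines carrying `pcre:"..."` patterns) and the names `generate_patch` and `KernelRuleStore` are assumptions; all three patch files are constructed.

```python
"""Virtual patch file to kernel rule set with a version gate.

Added example, not code from the patent. The patch file format (a "version:"
line followed by "rule:" lines carrying pcre:"..." patterns) is an assumption
standing in for the VPatch generator's real format; the patch files below are
constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
_RULE = re.compile(r'^pcre:"(.*)"$')


def parse_version(text: str) -> Version:
    """'1.2.0' -> (1, 2, 0); rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


@dataclass
class VirtualPatch:
    version: Version
    rules: List[re.Pattern]


def generate_patch(patch_file: str) -> VirtualPatch:
    """Patch generator stand-in: parse a patch file and compile its rules."""
    version: Optional[Version] = None
    rules: List[re.Pattern] = []
    for line in patch_file.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "version":
            version = parse_version(value)
        elif key == "rule":
            m = _RULE.match(value)
            if not m:
                raise ValueError(f"unsupported rule syntax: {value!r}")
            rules.append(re.compile(m.group(1), re.IGNORECASE))
        else:
            raise ValueError(f"unknown directive: {key!r}")
    if version is None or not rules:
        raise ValueError("patch file needs a version and at least one rule")
    return VirtualPatch(version, rules)


class KernelRuleStore:
    """Preset classification rules as the kernel layer would hold them."""

    def __init__(self, initial: VirtualPatch) -> None:
        self.current = initial

    def install(self, patch: VirtualPatch) -> bool:
        """Replace the rule set only if the patch is strictly newer; else keep current."""
        if patch.version <= self.current.version:
            return False  # stale or equal: an invalid update, and a rollback if older
        self.current = patch
        return True

    def classify(self, field_text: str) -> str:
        """Field matching against the installed rules."""
        hit = any(r.search(field_text) for r in self.current.rules)
        return "malicious" if hit else "non-malicious"


# Constructed patch files
PATCH_V1 = """
version: 1.1.0
rule: pcre:"(redirection|address modification)"
"""
PATCH_V2 = """
version: 1.2.0
rule: pcre:"(redirection|address modification)"
rule: pcre:"next=https?://[^/&]*evil\\.example"
"""
PATCH_OLD = """
version: 1.0.9
rule: pcre:"(redirection)"
"""
```

Comparing version tuples rather than strings is what keeps `1.10.0` above `1.9.0`; a string comparison would have rejected it as older and left the kernel on stale rules.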
In addition, an embodiment of the present invention further provides a storage medium, where the storage medium stores a network traffic classification program, and the network traffic classification program, when executed by a processor, implements the steps of the network traffic classification method described above.
Since the storage medium adopts all technical solutions of all the embodiments, at least all the beneficial effects brought by the technical solutions of the embodiments are achieved, and no further description is given here.
In addition, referring to fig. 6, an embodiment of the present invention further provides a network traffic classification apparatus, where the network traffic classification apparatus includes:
the transmission module 10 is configured to transmit the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded.
In this embodiment, the application layer is the application layer of the OSI model, and the kernel layer is the protocol layer where programs running in kernel mode are located. Kernel mode and user mode are the two running levels of the operating system. A program running at privilege level 3 is said to run in user mode; this is the lowest privilege level, the level at which ordinary user processes run, and most programs the user deals with directly run in user mode. A program running at privilege level 0 is said to run in kernel mode, and a program running in user mode cannot directly access the kernel data structures and programs of the operating system. When a program executes, it is in user mode most of the time and switches to kernel mode only when it needs the operating system to complete a task that it has neither the authority nor the ability to complete itself, such as operating hardware. When executing in user mode, the memory space and objects a process can access are limited and the processor it occupies can be preempted; when executing in kernel mode it can access all memory space and objects, and (on the non-preemptible kernel configuration this description assumes) the processor it occupies is not preempted. All network traffic currently in use can therefore be obtained through the kernel layer. The OSI model structure shown in fig. 3 includes the application layer, the presentation layer, the session layer and so on, together with the protocol types supported by each layer.
In a specific implementation, preset monitoring software may be installed in the application layer or the kernel layer, and the network traffic to be responded is obtained by the preset monitoring software. The preset monitoring software may be third-party monitoring software, such as a monitoring APP, or monitoring software in another form, which this embodiment does not limit.
The classification module 20 is configured to classify the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, where the preset classification rule is generated based on the virtual patch file uploaded by the application layer.
In a specific implementation, the preset classification rule may be at least one of a field matching rule, a feature matching rule, and a link matching rule, and the network traffic to be responded is classified by the preset classification rule in the kernel layer, so as to obtain a classification result, where the classification result is malicious traffic or non-malicious traffic, and may also be a classification result in other forms, such as an undetermined state.
In this embodiment, the preset classification rule is set in the kernel layer, so that all network traffic is classified and processed, and the security of network monitoring is improved.
It can be understood that the preset classification rule is generated based on the virtual patch file uploaded by the application layer, that is, the preset classification rule can be generated by writing the virtual patch file through the application layer by a user, so that the user can set the preset classification rule according to actual requirements, and the purpose of improving the flexibility of the preset classification rule is achieved.
In a specific implementation, the preset classification rule is a field matching rule, and the step S20 includes:
classifying the network traffic to be responded by the field matching rule in the kernel layer to obtain a classification result, which specifically comprises the following steps:
acquiring preset classification field information; analyzing the network traffic to be responded to obtain analyzed field information to be responded; matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information; and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
It should be noted that the preset classification field information is a characteristic field entered by the user, and the network traffic to be responded is filtered according to the characteristic field entered by the user; for example, the field may be "redirection", and other field information is also possible.
In a specific implementation, the matching the preset classification field information with the field information to be responded includes:
combining the preset classification field information to obtain a preset classification field information set; regular expression rule information is obtained, matching rule construction is carried out on the preset classification field information set according to the regular expression rule information, and a matching regular expression is generated; and matching the field information to be responded according to the matching regular expression.
In this embodiment, in order to separate the network traffic to be responded, matching is performed through regular expressions and classification is performed according to the matching result. Since a user enters several filtering conditions, filtering on the conditions one batch at a time would greatly affect data processing efficiency; instead a regular expression is generated from the user's filtering conditions and data matching is performed with it. For example, if the user enters "redirection" and "address modification", the generated regular expression is pcre:"(redirection | address modification)", and data matching with this regular expression improves data processing efficiency.
Specifically, the preset classification field information is combined into a preset classification field information set. For example, if the user enters "redirection" and "address modification", the two are combined into the set (redirection | address modification); other forms of combination are also possible, and this embodiment does not limit them. To build the matching regular expression, regular expression rule information is obtained. The regular expression rule information may be data structure information, for example pcre:"*", where * stands for the preset classification field information set; it may also be a data structure of another form, which this embodiment does not limit. A matching rule is then built for the preset classification field information set according to the regular expression rule information to generate the matching regular expression, that is, pcre:"(redirection | address modification)". The field information to be responded is matched against this regular expression, which improves data processing efficiency. Besides regular expression matching, other matching modes can be used, which this embodiment does not limit.
As another embodiment, the preset classification rule is a feature matching rule; the step S20 includes:
classifying the network traffic to be responded by the feature matching rules in the kernel layer to obtain a classification result, which specifically comprises the following steps:
analyzing the network traffic to be responded to obtain analyzed data to be responded; obtaining corresponding response characteristic information according to the data to be responded; and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
This embodiment mainly classifies the network traffic based on response characteristic information. The response characteristic information includes at least one of forced installation characteristic information, difficult uninstallation characteristic information, browser hijacking characteristic information and malicious uninstallation characteristic information. Forced installation refers to installing software on a user's computer or other terminal without explicitly prompting the user or without the user's permission. Difficult uninstallation refers to software that provides no general uninstallation method, or whose active program still exists after the software is uninstalled even though no other software interfered and nobody damaged it. Browser hijacking refers to modifying the user's browser or other related settings without the user's permission, forcing the user to visit a specific website or preventing the user from browsing normally. Malicious uninstallation refers to uninstalling other software without explicitly prompting the user, without the user's permission, or by misleading or deceiving the user.
In a specific implementation, feature recognition is performed on the data to be responded to judge whether the data to be responded matches the feature information of malicious traffic. When it does, the corresponding response characteristic information is obtained, and the network traffic to be responded is classified according to that response characteristic information to obtain the classification result. Network traffic recognition is thus performed based on response characteristic information, which improves the accuracy of feature recognition.
As another embodiment, the preset classification rule is a link matching rule; the step S20 includes:
classifying the network traffic to be responded by the link matching rule in the kernel layer to obtain a classification result, which specifically comprises the following steps:
analyzing the network traffic to be responded to obtain analyzed link information; extracting source address information of request information in the link information and destination address information of the request information to be responded in the link information; determining the type of a preset address according to the source address information, judging whether the destination address information belongs to the type of the preset address, and obtaining a judgment result; and obtaining a classification result according to the judgment result.
This embodiment mainly classifies the network traffic based on the link matching rule. Malicious traffic exhibits traffic tampering behaviour, that is, the destination address information is modified into a preset malicious address so that the user's behaviour data is intercepted; therefore behaviour verification can be performed through the link address, which improves the security of network monitoring.
In a specific implementation, the source address information of the request information and the destination address information of the request information to be responded are extracted from the link information, and it is judged whether the two belong to the same kind. When they belong to the same kind, the network address has not been tampered with and the network traffic to be responded is non-malicious traffic; correspondingly, when they do not belong to the same kind, the network address has been tampered with and the network traffic to be responded is malicious traffic. The network traffic to be responded is thereby identified, and the accuracy of malicious traffic identification is improved.
In a specific implementation, the preset address type is determined according to the source address information, and it is judged whether the destination address information belongs to that preset address type. For example, type identification is performed on the source address information, giving a network address whose source address information is of the hospital type; specifically, IP range information can be obtained from the source address information and the corresponding type information determined from the IP range. In general, request information from a hospital website corresponds to request information of other hospital websites, so if the source address information and the destination address information of the link information do not belong to the same type, the website information may have been tampered with. The accuracy of malicious traffic identification is thereby further improved.
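The link matching rule, as described for the method embodiment above and again here for the classification module, as one added example that is not code from the patent: the address type of the source is looked up by IP range, the destination is checked against the same type, and a mismatch is classified as malicious. The range table uses documentation prefixes with invented categories, the sample links are constructed, and the names `address_type` and `classify_link` are assumptions. The example also returns the "undetermined" result mentioned for the classification module when the source type is unknown, since the rule then has no baseline to compare against; in practice shared hosting and CDNs blur such categories, so the mapping must be maintained deliberately.

```python
"""Link matching rule: compare the address type of source and destination.

Added example, not code from the patent. Address types are derived from IP
ranges; the table uses documentation prefixes and invented categories, and
the sample links are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed "preset address type" table: type -> IP ranges
ADDRESS_TYPES: Dict[str, List[IPNet]] = {
    "hospital": [IPNet("192.0.2.0/24"), IPNet("198.51.100.0/25")],
    "bank": [IPNet("203.0.113.0/24")],
}


def address_type(addr: str) -> Optional[str]:
    """Longest-prefix lookup of an IPv4 address in the type table; None if unknown."""
    ip = ipaddress.IPv4Address(addr)
    best_len, best_type = -1, None
    for kind, nets in ADDRESS_TYPES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_len, best_type = net.prefixlen, kind
    return best_type


def classify_link(src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (classification, source type, destination type).

    Same type -> non-malicious; different or unknown destination type ->
    malicious (possible tampered destination); unknown source type ->
    undetermined, because the rule has no baseline to compare against.
    """
    src_type, dst_type = address_type(src), address_type(dst)
    if src_type is None:
        return "undetermined", src_type, dst_type
    if dst_type == src_type:
        return "non-malicious", src_type, dst_type
    return "malicious", src_type, dst_type


def classify_links(links: List[Tuple[str, str]]) -> List[str]:
    """Classification results for a batch of (source, destination) pairs."""
    return [classify_link(src, dst)[0] for src, dst in links]


# Constructed link information: (source of the request, destination to be responded)
SAMPLE_LINKS = [
    ("192.0.2.10", "198.51.100.7"),    # hospital -> hospital
    ("192.0.2.10", "203.0.113.9"),     # hospital -> bank: destination tampered?
    ("192.0.2.10", "198.51.100.200"),  # hospital -> unknown (outside the /25)
    ("10.0.0.1", "192.0.2.10"),        # source type unknown
]

if __name__ == "__main__":
    for link, result in zip(SAMPLE_LINKS, classify_links(SAMPLE_LINKS)):
        print(link, result)
```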
A response module 30, configured to, when the classification result is non-malicious traffic, respond, by the application layer, to the network traffic to be responded.
This embodiment is mainly used for filtering input traffic by applying virtual patches for the application layer. When an application program of the application layer receives network data, the corresponding recvmsg function is finally called through a system call according to the protocol type, and the user traffic is then copied to user space; a vpatch hook is performed before the data is copied. The hook function matches the characteristic field transmitted by the user according to the protocol type, thereby completing regular expression matching and realizing traffic filtering.
According to the scheme, when the application layer receives the network traffic to be responded, the network traffic to be responded is transmitted to the kernel layer; the network traffic to be responded is classified by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer; and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded. Because the virtual patch file is set in the kernel layer, and the kernel layer can access all data, full coverage of the classification can be ensured; the network traffic to be responded is then classified through the virtual patch file, so that the network security protection provided by the virtual patch is made more effective.
Further, the preset classification rule is a field matching rule;
the classification module 20 is further configured to classify the network traffic to be responded according to the field matching rule in the kernel layer, so as to obtain a classification result.
Further, the classification module 20 is further configured to obtain preset classification field information;
analyzing the network traffic to be responded to obtain analyzed field information to be responded;
matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information;
and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
The classification module 20 is further configured to combine the preset classification field information to obtain a preset classification field information set;
regular expression rule information is obtained, matching rule construction is carried out on the preset classification field information set according to the regular expression rule information, and a matching regular expression is generated;
and matching the field information to be responded according to the matching regular expression.
Further, the preset classification rule is a feature matching rule;
the classification module 20 is further configured to classify the network traffic to be responded according to the feature matching rule in the kernel layer, so as to obtain a classification result.
Further, the classification module 20 is further configured to analyze the network traffic to be responded to obtain analyzed data to be responded;
obtaining corresponding response characteristic information according to the data to be responded;
and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
Further, the preset classification rule is a link matching rule;
the classification module 20 is further configured to classify the network traffic to be responded according to the link matching rule in the kernel layer, so as to obtain a classification result.
Further, the classification module 20 is further configured to analyze the network traffic to be responded to obtain analyzed link information;
extracting source address information of request information in the link information and destination address information of the request information to be responded in the link information;
determining a preset address type according to the source address information, judging whether the destination address information belongs to the preset address type, and obtaining a judgment result;
and obtaining a classification result according to the judgment result.
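The link matching rule of the preceding steps and of the hospital-type example in the description, worked as an added example that is not code from the patent: a constructed table maps IPv4 ranges to a preset address type (a hospital type, as in the description, plus an office type), addr_type() identifies the type of an address from that table, and link_rule_classify() returns 1 (malicious, the two ends of the link belong to different types, so the address may have been tampered with) or 0 (non-malicious). The range table, the type names, the function names and the handling of addresses outside every range (they are passed on to the other rules rather than flagged) are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum addr_type { TYPE_UNKNOWN = 0, TYPE_HOSPITAL, TYPE_OFFICE };

struct range_entry { const char *cidr; enum addr_type type; };

/* Constructed IP range to type table (assumed; a deployment would take it
 * from the virtual patch file). */
static const struct range_entry sample_ranges[] = {
    { "10.10.0.0/16",   TYPE_HOSPITAL },
    { "10.20.0.0/16",   TYPE_HOSPITAL },
    { "192.168.1.0/24", TYPE_OFFICE },
};

/* Parse "a.b.c.d/n" into a host-order network address and mask; returns 1
 * on success, 0 on a malformed entry. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask) {
    char ip[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    struct in_addr a;
    long bits;
    if (slash == NULL || (size_t)(slash - cidr) >= sizeof ip) return 0;
    memcpy(ip, cidr, (size_t)(slash - cidr));
    ip[slash - cidr] = '\0';
    bits = strtol(slash + 1, NULL, 10);
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, ip, &a) != 1) return 0;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net = ntohl(a.s_addr) & *mask;
    return 1;
}

/* Preset address type of a dotted IPv4 address, looked up in the range table. */
enum addr_type addr_type(const char *ip) {
    struct in_addr a;
    uint32_t host, net, mask;
    if (inet_pton(AF_INET, ip, &a) != 1) return TYPE_UNKNOWN;
    host = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof sample_ranges / sizeof sample_ranges[0]; i++)
        if (parse_cidr(sample_ranges[i].cidr, &net, &mask) && (host & mask) == net)
            return sample_ranges[i].type;
    return TYPE_UNKNOWN;
}

/* Link matching rule: 1 = malicious (source and destination of the link
 * belong to different preset address types, i.e. the address may have been
 * tampered with), 0 = non-malicious. An address outside every range cannot
 * be typed and is passed on to the other rules (an assumption of this example). */
int link_rule_classify(const char *src_ip, const char *dst_ip) {
    enum addr_type s = addr_type(src_ip), d = addr_type(dst_ip);
    if (s == TYPE_UNKNOWN || d == TYPE_UNKNOWN) return 0;
    return s != d;
}

int main(void) {
    const char *pairs[][2] = {
        { "10.10.5.7", "10.20.3.1" },      /* hospital -> hospital */
        { "10.10.5.7", "192.168.1.20" },   /* hospital -> office */
        { "10.10.5.7", "8.8.8.8" },        /* hospital -> untyped */
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s : %s\n", pairs[i][0], pairs[i][1],
               link_rule_classify(pairs[i][0], pairs[i][1]) ? "malicious" : "non-malicious");
    return 0;
}
```

The rule only makes sense where the set of legitimate peers is bounded and fully typed, as in the hospital example; on an Internet-facing service most addresses fall outside every range, which is why untyped addresses fall through to the other rules here instead of being flagged.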
Further, the transmission module 10 is further configured to, when the application layer receives the network traffic to be responded, perform network traffic attribute analysis on the network traffic to be responded to obtain a traffic attribute result;
obtaining a corresponding communication protocol type according to the flow attribute result;
when the communication protocol type is a preset protocol type, recombining the network traffic to be responded to obtain recombined network traffic to be responded;
and transmitting the recombined network traffic to be responded to the kernel layer.
Further, the transmission module 10 is further configured to, when the communication protocol type is a preset protocol type, count current length information of the network traffic to be responded;
carrying out fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic;
extracting the recombination number information in the network flow of the fragments;
and recombining the network traffic of the fragments according to the recombination number information to obtain the recombined network traffic to be responded.
Further, the transmission module 10 is further configured to obtain a preset length threshold;
comparing the current length information with the preset length threshold value to judge whether the current length information reaches the preset length threshold value;
and when the current length information reaches the preset length threshold, taking the network traffic to be responded corresponding to the preset length threshold as fragmented network traffic.
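The fragment identification and reassembly of the preceding steps, as an added example that is not code from the patent: split_by_threshold() treats a payload whose length reaches an assumed preset length threshold of 16 bytes as fragmented and cuts it into numbered fragments, and reassemble() rebuilds the original from fragments arriving in any order, rejecting a set whose reassembly numbers are missing or duplicated so that partial data is never handed to the classifier as a whole message. The threshold, the fragment layout, the function names and the sample request are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PRESET_LENGTH_THRESHOLD 16   /* assumed value, in bytes */
#define MAX_FRAGS 64

/* Assumed fragment layout: number is the fragment's position in the
 * original payload, total is the number of fragments in the message. */
struct fragment {
    unsigned number;
    unsigned total;
    size_t len;
    const unsigned char *data;
};

/* Fragment identification: a payload whose length reaches the preset
 * threshold is cut into threshold-sized pieces; a shorter one is returned
 * unchanged as a single piece. Returns the number of pieces (max >= 1). */
size_t split_by_threshold(const unsigned char *data, size_t len,
                          struct fragment *out, size_t max) {
    size_t n = 0;
    if (len < PRESET_LENGTH_THRESHOLD) {
        out[0] = (struct fragment){ 0, 1, len, data };
        return 1;
    }
    for (size_t off = 0; off < len && n < max; off += PRESET_LENGTH_THRESHOLD, n++) {
        size_t chunk = len - off < PRESET_LENGTH_THRESHOLD ? len - off : PRESET_LENGTH_THRESHOLD;
        out[n] = (struct fragment){ (unsigned)n, 0, chunk, data + off };
    }
    for (size_t i = 0; i < n; i++) out[i].total = (unsigned)n;
    return n;
}

/* Reassembly by number: accepts the fragments in any order, writes the
 * original payload to out and returns its length, or -1 when a number is
 * missing, duplicated or out of range, or the result would not fit. */
long reassemble(const struct fragment *frags, size_t n, unsigned char *out, size_t outsz) {
    const struct fragment *slot[MAX_FRAGS] = { 0 };
    unsigned total = n > 0 ? frags[0].total : 0;
    size_t pos = 0;
    if (total == 0 || total > MAX_FRAGS || n != total) return -1;   /* a piece is missing or extra */
    for (size_t i = 0; i < n; i++) {
        if (frags[i].total != total || frags[i].number >= total) return -1;
        if (slot[frags[i].number] != NULL) return -1;                 /* duplicate number */
        slot[frags[i].number] = &frags[i];
    }
    for (unsigned k = 0; k < total; k++) {
        if (slot[k] == NULL || pos + slot[k]->len > outsz) return -1;
        memcpy(out + pos, slot[k]->data, slot[k]->len);
        pos += slot[k]->len;
    }
    return (long)pos;
}

/* Constructed sample request, 59 bytes, which yields four fragments. */
const char sample_request[] =
    "GET /patient/records?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n";

size_t sample_fragment_count(void) {
    struct fragment fr[MAX_FRAGS];
    return split_by_threshold((const unsigned char *)sample_request,
                              strlen(sample_request), fr, MAX_FRAGS);
}

/* Round trip used by main(): fragments the sample, presents the pieces in
 * reverse order, optionally drops or duplicates one, and reports
 * 1 = reassembled identically, 0 = rejected, -1 = reassembled wrongly. */
int demo_roundtrip(int drop_one, int duplicate_one) {
    struct fragment fr[MAX_FRAGS], rev[MAX_FRAGS];
    unsigned char out[256];
    size_t len = strlen(sample_request);
    size_t n = split_by_threshold((const unsigned char *)sample_request, len, fr, MAX_FRAGS);
    for (size_t i = 0; i < n; i++) rev[i] = fr[n - 1 - i];   /* out-of-order arrival */
    if (duplicate_one && n > 1) rev[0] = rev[1];            /* same number seen twice */
    if (drop_one) n--;                                       /* one piece never arrives */
    long got = reassemble(rev, n, out, sizeof out);
    if (got < 0) return 0;
    return ((size_t)got == len && memcmp(out, sample_request, len) == 0) ? 1 : -1;
}

int main(void) {
    printf("fragments: %zu\n", sample_fragment_count());
    printf("all pieces, reversed: %d\n", demo_roundtrip(0, 0));
    printf("one piece dropped:    %d\n", demo_roundtrip(1, 0));
    printf("one piece duplicated: %d\n", demo_roundtrip(0, 1));
    return 0;
}
```

Rejecting an incomplete or duplicated set matters for the classification that follows: a field matching rule run on three of four pieces can miss a characteristic string that straddles the gap, which is exactly the kind of evasion that fragment reassembly before classification is meant to close.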
Further, the transmission module 10 is further configured to call a preset receiving function when the application layer receives the network traffic to be responded, where the preset receiving function connects the application layer and the kernel layer;
and transmitting the network traffic to be responded to the kernel layer according to the preset receiving function.
Further, the transmission module 10 is further configured to compare the network traffic to be responded with a preset protocol keyword when the application layer receives the network traffic to be responded;
obtaining the protocol type of the network traffic to be responded according to the comparison result;
and calling a corresponding preset receiving function according to the protocol type of the network flow to be responded.
Further, the classification module 20 is further configured to call a preset hook function in the kernel layer, and extract filtering rule information in the preset hook function;
and taking the filtering rule information as a preset classification rule.
Further, the classification module 20 is further configured to obtain a virtual patch file uploaded by an application layer, and call a patch generator according to the virtual patch file;
packaging the filtering rule information through the patch generator to obtain packaged filtering rule information;
and taking the packaged filtering rule information as a preset classification rule.
Further, the classification module 20 is further configured to obtain version information of the encapsulated filtering rule information and current version information corresponding to a preset classification rule in the kernel layer;
and judging whether the version information of the packaged filtering rule information is higher than the current version information.
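A user-space model of the kernel-side vpatch hook of the embodiment, of the field matching rule with its combined regular expression (classification module 20 above), and of the version comparison that gates a packaged rule set before it replaces the current one, added here as an example and not code from the patent: install_rules() accepts a packaged rule set only when its version is higher than the installed one and joins its classification fields into one POSIX extended regular expression, and vpatch_hook() applies that expression to the received bytes, as the kernel hook would before copying them to user space, returning 1 for malicious and 0 for non-malicious traffic. The rule set layout, the function names, the sample fields and the sample requests are assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 16

/* Assumed layout of a packaged filtering rule set, as a patch generator
 * might emit it from a virtual patch file. */
struct vpatch_rules {
    unsigned version;                 /* version of the rule set */
    const char *proto;                /* protocol the fields apply to */
    const char *fields[MAX_FIELDS];   /* preset classification fields */
    size_t nfields;
};

/* Kernel-side state modelled here: installed version, its protocol and the
 * compiled matching regular expression. */
static unsigned installed_version = 0;
static char installed_proto[16] = "";
static int have_regex = 0;
static regex_t compiled;

/* Escape ERE metacharacters so each field matches literally and cannot
 * alter the meaning of the combined expression. */
static void escape_field(const char *in, char *out, size_t outsz) {
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 2 < outsz; i++) {
        if (strchr(".^$*+?()[]{}|\\", in[i]) != NULL) out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';
}

/* Combine the field set into one alternation "(f1|f2|...)" and compile it
 * as a case-insensitive POSIX extended regular expression. */
static int build_regex(const struct vpatch_rules *r, regex_t *re) {
    char pattern[1024] = "(";
    char esc[256];
    if (r->nfields == 0 || r->nfields > MAX_FIELDS) return -1;
    for (size_t i = 0; i < r->nfields; i++) {
        escape_field(r->fields[i], esc, sizeof esc);
        if (i > 0) strncat(pattern, "|", sizeof pattern - strlen(pattern) - 1);
        strncat(pattern, esc, sizeof pattern - strlen(pattern) - 1);
    }
    strncat(pattern, ")", sizeof pattern - strlen(pattern) - 1);
    return regcomp(re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE);
}

/* Install a packaged rule set only if its version is higher than the
 * current one and its fields compile. Returns 1 if installed, 0 if rejected. */
int install_rules(const struct vpatch_rules *r) {
    regex_t probe;
    if (r->version <= installed_version) return 0;
    if (build_regex(r, &probe) != 0) return 0;   /* validate before replacing */
    regfree(&probe);
    if (have_regex) regfree(&compiled);
    have_regex = build_regex(r, &compiled) == 0;
    if (!have_regex) return 0;
    installed_version = r->version;
    snprintf(installed_proto, sizeof installed_proto, "%s", r->proto);
    return 1;
}

unsigned current_rule_version(void) { return installed_version; }

/* Hook applied to the received bytes before they would be copied to user
 * space. Returns 1 = malicious (drop), 0 = non-malicious (pass). Traffic of
 * a protocol with no installed rule passes through. */
int vpatch_hook(const char *proto, const char *data, size_t len) {
    char buf[2048];
    if (!have_regex || strcmp(proto, installed_proto) != 0) return 0;
    if (len >= sizeof buf) len = sizeof buf - 1;   /* regexec needs a NUL-terminated copy */
    memcpy(buf, data, len);
    buf[len] = '\0';
    return regexec(&compiled, buf, 0, NULL, 0) == 0;
}

/* Constructed sample rule sets and requests; not taken from the patent. */
const struct vpatch_rules sample_rules_v1 = {
    .version = 1, .proto = "http",
    .fields = { "../", "<script", "union select" }, .nfields = 3 };
const struct vpatch_rules sample_rules_v2 = {
    .version = 2, .proto = "http",
    .fields = { "../", "<script", "union select", "/etc/passwd" }, .nfields = 4 };
const char sample_benign[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
const char sample_traversal[] = "GET /static/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n";

int main(void) {
    printf("install v1: %d\n", install_rules(&sample_rules_v1));
    printf("install v1 again: %d\n", install_rules(&sample_rules_v1));
    printf("benign request -> %d\n", vpatch_hook("http", sample_benign, strlen(sample_benign)));
    printf("traversal request -> %d\n", vpatch_hook("http", sample_traversal, strlen(sample_traversal)));
    printf("install v2: %d\n", install_rules(&sample_rules_v2));
    return 0;
}
```

Two limits a practitioner should keep in mind: regexec stops at the first NUL byte and the hook copies at most 2047 bytes, so a binary protocol or a field placed deep in a large request needs length-aware matching, and the version gate only prevents downgrades, so the integrity of the uploaded virtual patch file itself still has to be established before the patch generator is run on it.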
The network traffic classification device provided by the invention adopts all the technical schemes of all the above embodiments, and therefore has at least all the beneficial effects brought by those technical schemes.
The invention provides A1, a network traffic classification method, which comprises the following steps:
when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded.
A2, the method of A1, wherein the preset classification rule is a field matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by using a field matching rule in the kernel layer to obtain a classification result.
A3, the method as in A2, wherein the classifying the network traffic to be responded by the field matching rule in the kernel layer to obtain a classification result includes:
acquiring preset classification field information;
analyzing the network traffic to be responded to obtain analyzed field information to be responded;
matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information;
and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
A4, the method of A3, the matching the preset classification field information with the field information to be responded, comprising:
combining the preset classification field information to obtain a preset classification field information set;
regular expression rule information is obtained, matching rule construction is carried out on the preset classification field information set according to the regular expression rule information, and a matching regular expression is generated;
and matching the field information to be responded according to the matching regular expression.
A5, the method of A1, wherein the preset classification rule is a feature matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by the feature matching rules in the kernel layer to obtain a classification result.
A6, the method as in A5, wherein the classifying the network traffic to be responded by the feature matching rule in the kernel layer to obtain a classification result includes:
analyzing the network traffic to be responded to obtain analyzed data to be responded;
obtaining corresponding response characteristic information according to the data to be responded;
and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
A7, the method of A1, wherein the preset classification rule is a link matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by a link matching rule in the kernel layer to obtain a classification result.
A8, the method as in A7, wherein the classifying the network traffic to be responded by the link matching rule in the kernel layer to obtain a classification result includes:
analyzing the network traffic to be responded to obtain analyzed link information;
extracting source address information of request information in the link information and destination address information of the request information to be responded in the link information;
determining a preset address type according to the source address information, judging whether the destination address information belongs to the preset address type, and obtaining a judgment result;
and obtaining a classification result according to the judgment result.
A9, the method according to any one of A1 to A8, wherein the transmitting the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded includes:
when the application layer receives the network traffic to be responded, the network traffic attribute analysis is carried out on the network traffic to be responded to obtain a traffic attribute result;
obtaining a corresponding communication protocol type according to the flow attribute result;
when the communication protocol type is a preset protocol type, recombining the network traffic to be responded to obtain recombined network traffic to be responded;
and transmitting the recombined network traffic to be responded to the kernel layer.
A10, the method as in A9, wherein, when the communication protocol type is a preset protocol type, the recombining the network traffic to be responded to obtain a recombined network traffic to be responded includes:
when the communication protocol type is a preset protocol type, counting the current length information of the network traffic to be responded;
carrying out fragment identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic;
extracting the recombination number information in the network flow of the fragments;
and recombining the network traffic of the fragments according to the recombination number information to obtain the recombined network traffic to be responded.
A11, the method as in A10, wherein the performing fragmentation identification on the network traffic to be responded according to the current length information to obtain fragmented network traffic includes:
acquiring a preset length threshold;
comparing the current length information with the preset length threshold value to judge whether the current length information reaches the preset length threshold value;
and when the current length information reaches the preset length threshold, taking the network traffic to be responded corresponding to the preset length threshold as fragmented network traffic.
A12, the method according to any one of A1 to A8, wherein the transmitting the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded includes:
when the application layer receives the network traffic to be responded, calling a preset receiving function, wherein the preset receiving function is connected with the application layer and the kernel layer;
and transmitting the network traffic to be responded to the kernel layer according to the preset receiving function.
A13, the method as in A12, wherein the calling the preset receiving function when the application layer receives the network traffic to be responded includes:
when the application layer receives the network traffic to be responded, comparing the network traffic to be responded with a preset protocol keyword;
obtaining the protocol type of the network traffic to be responded according to the comparison result;
and calling a corresponding preset receiving function according to the protocol type of the network flow to be responded.
A14, the method according to any one of A1 to A8, wherein, before the classifying the network traffic to be responded by the preset classification rule in the kernel layer to obtain the classification result, the method further includes:
calling a preset hook function in a kernel layer, and extracting filtering rule information in the preset hook function;
and taking the filtering rule information as a preset classification rule.
A15, the method of A14, wherein before the step of using the filter rule information as the preset classification rule, the method further comprises:
acquiring a virtual patch file uploaded by an application layer, and calling a patch generator according to the virtual patch file;
packaging the filtering rule information through the patch generator to obtain packaged filtering rule information;
the step of using the filtering rule information as a preset classification rule includes:
and taking the packaged filtering rule information as a preset classification rule.
A16, the method as in A15, wherein, before the step of using the packaged filtering rule information as the preset classification rule, the method further comprises:
acquiring version information of the encapsulated filtering rule information and current version information corresponding to a preset classification rule in the kernel layer;
judging whether the version information of the packaged filtering rule information is higher than the current version information;
and when the version information of the packaged filtering rule information is higher than the current version information, executing the step of taking the packaged filtering rule information as a preset classification rule.
In addition, to achieve the above object, the present invention further provides B17, a network traffic classification device, including:
the transmission module is used for transmitting the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded;
the classification module is used for classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and the response module is used for responding to the network traffic to be responded by the application layer when the classification result is the non-malicious traffic.
B18, the device as in B17, wherein the preset classification rule is a field matching rule;
the classification module is further configured to classify the network traffic to be responded according to the field matching rule in the kernel layer, so as to obtain a classification result.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A network traffic classification method is characterized by comprising the following steps:
when the application layer receives the network traffic to be responded, transmitting the network traffic to be responded to the kernel layer;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and when the classification result is non-malicious traffic, the application layer responds to the network traffic to be responded.
2. The method for classifying network traffic according to claim 1, wherein the preset classification rule is a field matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by using a field matching rule in the kernel layer to obtain a classification result.
3. The method of classifying network traffic according to claim 2, wherein the classifying the network traffic to be responded by the field matching rule in the kernel layer to obtain a classification result includes:
acquiring preset classification field information;
analyzing the network traffic to be responded to obtain analyzed field information to be responded;
matching the preset classification field information with the field information to be responded to so as to judge whether the field information to be responded contains the preset classification field information;
and when the field information to be responded contains the preset classification field information, obtaining a classification result according to the preset classification field information.
4. The method for classifying network traffic according to claim 3, wherein the matching the preset classification field information with the field information to be responded includes:
combining the preset classification field information to obtain a preset classification field information set;
regular expression rule information is obtained, matching rule construction is carried out on the preset classification field information set according to the regular expression rule information, and a matching regular expression is generated;
and matching the field information to be responded according to the matching regular expression.
5. The method for classifying network traffic according to claim 1, wherein the preset classification rule is a feature matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by the feature matching rules in the kernel layer to obtain a classification result.
6. The method according to claim 5, wherein the classifying the network traffic to be responded according to the feature matching rule in the kernel layer to obtain a classification result comprises:
analyzing the network traffic to be responded to obtain analyzed data to be responded;
obtaining corresponding response characteristic information according to the data to be responded;
and classifying the network traffic to be responded according to the response characteristic information to obtain a classification result.
7. The method for classifying network traffic according to claim 1, wherein the preset classification rule is a link matching rule;
classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the classification result comprises the following steps:
and classifying the network traffic to be responded by a link matching rule in the kernel layer to obtain a classification result.
8. A network traffic classification device, characterized in that the network traffic classification device comprises:
the transmission module is used for transmitting the network traffic to be responded to the kernel layer when the application layer receives the network traffic to be responded;
the classification module is used for classifying the network traffic to be responded by a preset classification rule in the kernel layer to obtain a classification result, wherein the preset classification rule is generated based on the virtual patch file uploaded by the application layer;
and the response module is used for responding to the network traffic to be responded by the application layer when the classification result is the non-malicious traffic.
9. A network traffic classification device, characterized in that the network traffic classification device comprises: a memory, a processor, and a network traffic classification program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the network traffic classification method according to any of claims 1 to 7.
10. A storage medium having stored thereon a network traffic classification program which, when executed by a processor, implements the steps of the network traffic classification method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010616036.8A CN113872918A (en) 2020-06-30 2020-06-30 Network traffic classification method, equipment, storage medium and device

Publications (1)

Publication Number Publication Date
CN113872918A true CN113872918A (en) 2021-12-31

Family

ID=78981549

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103327025A (en) * 2013-06-28 2013-09-25 北京奇虎科技有限公司 Method and device for network access control
CN106302515A (en) * 2016-09-08 2017-01-04 杭州迪普科技有限公司 A kind of method and apparatus of web portal security protection
CN107733837A (en) * 2016-08-11 2018-02-23 杭州迪普科技股份有限公司 Method for detecting abnormality and device based on application layer Network Abnormal message
KR20180130196A (en) * 2017-05-29 2018-12-07 아주대학교산학협력단 Method and apparatus for security in network device
WO2020071962A1 (en) * 2018-10-05 2020-04-09 Общество с ограниченной ответственностью "Алгоритм" System for classifying traffic
CN111277570A (en) * 2020-01-10 2020-06-12 中电长城网际系统应用有限公司 Data security monitoring method and device, electronic equipment and readable medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726633A (en) * 2022-04-14 2022-07-08 中国电信股份有限公司 Flow data processing method and device, storage medium and electronic equipment
CN114726633B (en) * 2022-04-14 2023-10-03 中国电信股份有限公司 Traffic data processing method and device, storage medium and electronic equipment
CN115426135A (en) * 2022-08-12 2022-12-02 中国电信股份有限公司 Method, device and equipment for processing flow detection rules and detecting network flow
CN115426135B (en) * 2022-08-12 2023-12-12 中国电信股份有限公司 Processing of flow detection rules, and network flow detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination