CN114124568A - Connection control method and system - Google Patents

Connection control method and system

Info

Publication number
CN114124568A
Authority
CN
China
Prior art keywords
target
node
connection
service
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111487790.7A
Other languages
Chinese (zh)
Inventor
曹凯
刘爱辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp
Priority to CN202111487790.7A
Publication of CN114124568A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/23: Clustering techniques
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0263: Rule management
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • H04L67/146: Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding


Abstract

The invention discloses a connection control method and a system, wherein a target client acquires risk connection information of a target service node on target terminal equipment, the risk connection information at least comprises a node identifier of the target service node and a node identifier of the target connection node, and the target client sends the risk connection information to a server; the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and risk connection information, and sends a blocking enabling instruction to the target client side if the connection risk is high; and the target client responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node. The invention can effectively realize the access control of the target service node, avoid influencing the service processing of the target service node, and ensure the service processing capacity and efficiency of the target service node, thereby ensuring the normal operation of the service.

Description

Connection control method and system
Technical Field
The invention relates to computer science and technology, in particular to a connection control method and a connection control system.
Background
With the development of computer science and technology, access control technology is continuously improved.
In the cloud-native era, service nodes are increasingly diverse, including virtual machines, physical machines and containers. Under a cloud-native architecture, service nodes are deployed quickly, are highly flexible and change rapidly in number, so the IP addresses and traffic of the intranet grow and change rapidly, which makes access control of service nodes in the intranet more challenging. Currently, the prior art sets up a firewall to perform access control on a service node: abnormal traffic occurring while the service node is being accessed is identified, and the corresponding peer is restricted from continuing to access the service node.
However, the prior art cannot effectively realize the access control of the service node.
Disclosure of Invention
In view of the above problems, the present invention provides a connection control method and system for overcoming the above problems or at least partially solving the above problems, and the technical solution is as follows:
a connection control method comprising:
a target client acquires risk connection information of a target service node on target terminal equipment, wherein the target client is arranged on the target terminal equipment, and the risk connection information at least comprises a node identifier of the target service node and a node identifier of a target connection node;
the target client sends the risk connection information to the server;
the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information;
if the connection risk is high risk, the server side sends a blocking enabling instruction to the target client side;
and the target client responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node.
Optionally, the determining, by the server, a connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information includes:
the server side searches corresponding connection risks from a predefined node connection risk table based on the node identification of the target service node and the node identification of the target connection node; and node identifiers and connection risks of two connected nodes are correspondingly stored in the node connection risk table.
Optionally, the node identifier of the target service node is a first service identifier, the node identifier of the target connection node is a second service identifier, the first service identifier is an identifier of a service processed by the target service node, and the second service identifier is an identifier of a service processed by the target connection node.
Optionally, before the target client obtains the risk connection information of the target service node on the target terminal device, the method further includes:
the server side obtains flow information of a plurality of service nodes which are acquired and sent by a plurality of clients from a plurality of terminal devices respectively, each client is arranged on each terminal device respectively and comprises the target client, each terminal device is positioned in the same local area network, and the plurality of service nodes comprise the target service nodes and the target connection nodes;
the server clusters the service nodes according to the type of service each service node processes, based on the traffic information of the plurality of service nodes, to obtain at least one service node group;
the server sets corresponding service identification for each service node in each service node group;
and the server respectively returns each service identifier to each corresponding client.
Optionally, each service node is a container, and the traffic information includes the node identifier of the service node; the server clustering the service nodes according to the type of service each processes, based on the traffic information of the service nodes, to obtain at least one service node group includes:
the server determines the container image corresponding to each service node based on the traffic information of each service node;
and the server takes the service nodes corresponding to the same container image as one service node group that processes the same type of service, so as to obtain each service node group.
Optionally, the method further includes:
and when the target client side has a fault, the target client side stops sending the blocking message to the target connection node.
Optionally, the risk connection information further includes the number of times of access to the target service node by the target connection node within a predefined time, and the server determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, including:
the server compares the access count with a preset access count threshold; if the access count is not less than the threshold, it determines that the connection risk between the target service node and the target connection node is high risk; otherwise, it determines that the connection risk between the target service node and the target connection node is low risk.
A connection control system comprising: a target client and a server;
a target client acquires risk connection information of a target service node on target terminal equipment, wherein the target client is arranged on the target terminal equipment, and the risk connection information at least comprises a node identifier of the target service node and a node identifier of a target connection node;
the target client sends the risk connection information to the server;
the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information;
if the connection risk is high risk, the server side sends a blocking enabling instruction to the target client side;
and the target client responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node.
Optionally, the server, in determining the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, is configured to:
the server side searches corresponding connection risks from a predefined node connection risk table based on the node identification of the target service node and the node identification of the target connection node; and node identifiers and connection risks of two connected nodes are correspondingly stored in the node connection risk table.
Optionally, the node identifier of the target service node is a first service identifier, the node identifier of the target connection node is a second service identifier, the first service identifier is an identifier of a service processed by the target service node, and the second service identifier is an identifier of a service processed by the target connection node.
Optionally, before the target client obtains risk connection information of a target service node on a target terminal device, the server further obtains traffic information of a plurality of service nodes, which is acquired and sent by a plurality of clients from a plurality of terminal devices respectively, where each client is arranged on each terminal device, each client includes the target client, each terminal device is in the same local area network, and the plurality of service nodes include the target service node and the target connection node;
the server clusters the service nodes according to the type of service each service node processes, based on the traffic information of the plurality of service nodes, to obtain at least one service node group;
the server sets corresponding service identification for each service node in each service node group;
and the server respectively returns each service identifier to each corresponding client.
Optionally, each service node is a container, and the traffic information includes the node identifier of the service node; the server, in clustering the service nodes according to the type of service each processes based on the traffic information of the plurality of service nodes to obtain at least one service node group, is configured to:
the server determines the container image corresponding to each service node based on the traffic information of each service node;
and the server takes the service nodes corresponding to the same container image as one service node group that processes the same type of service, so as to obtain each service node group.
Optionally, when the target client fails, the target client further stops sending the blocking message to the target connection node.
Optionally, the risk connection information further includes the number of times the target connection node accessed the target service node within a predefined time period; the server, in determining the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, is configured to:
the server compares the access count with a preset access count threshold; if the access count is not less than the threshold, it determines that the connection risk between the target service node and the target connection node is high risk; otherwise, it determines that the connection risk between the target service node and the target connection node is low risk.
In the connection control method and system provided by this embodiment, the target client obtains risk connection information of the target service node on the target terminal device, the target client is set on the target terminal device, the risk connection information at least includes a node identifier of the target service node and a node identifier of the target connection node, the target client sends the risk connection information to the server, the server determines a connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, if the connection risk is high risk, the server sends a blocking enable instruction to the target client, and the target client sends a blocking message to the target connection node in response to the blocking enable instruction, so as to block the connection between the target service node and the target connection node. According to the method, the target client side is responsible for acquiring the risk connection information and executing the blocking strategy, and the server side is responsible for analyzing the risk connection information reported by the target client side and issuing the blocking strategy, so that the illegal access behaviors of the target connection node, such as possible access attacks on the target service node, can be identified, and the connection between the target service node and the target connection node can be blocked when the high risk of connection between the target connection node and the target service node is determined. The invention can effectively realize the access control of the target service node, avoid influencing the service processing of the target service node, and ensure the service processing capacity and efficiency of the target service node, thereby ensuring the normal operation of the service.
The foregoing description is only an overview of the technical solutions of the present invention, and the following detailed description of the present invention is provided to enable the technical means of the present invention to be more clearly understood, and to enable the above and other objects, features, and advantages of the present invention to be more clearly understood.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a signaling diagram illustrating a first connection control method according to an embodiment of the present invention;
fig. 2 is a signaling diagram illustrating a second connection control method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a first connection control system according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As shown in fig. 1, the present embodiment proposes a first connection control method, which may include the steps of:
S101, a target client acquires risk connection information of a target service node on target terminal equipment, the target client is arranged on the target terminal equipment, and the risk connection information at least comprises a node identification of the target service node and a node identification of the target connection node;
the target client may be a client that is arranged on the target terminal device and is used for implementing access control on the target service node.
The target terminal device may be an electronic device, such as a server, a mobile phone, a tablet computer, and a desktop computer.
Alternatively, the target service node may be a service node, such as a virtual machine and a container, provided on the target terminal device.
Alternatively, the target service node may be the target terminal device itself.
The risk connection information may be the information corresponding to a risky connection between the target service node and the target connection node. The target connection node may be a node that accesses the target service node and thereby forms the risky connection with it.
Optionally, the target connection node may be a service node in the same local area network as the target service node and configured to process the same type of service, may also be a service node in the same local area network and configured to process different types of services, and may also be a node in a different local area network from the target service node.
Specifically, the risk connection information may include a node identifier of the target service node and a node identifier of the target connection node.
Specifically, the target client may identify a risk connection occurring at a target service node on the target terminal device, and may obtain risk connection information corresponding to the risk connection.
Specifically, the target client may identify the risk connection occurring at the target service node and collect corresponding risk connection information according to the node connection protocol, the port and/or the access frequency of the relevant service node to the target service node, and other information on the target terminal device.
S102, the target client sends risk connection information to a server;
the server side can be used for analyzing the information sent by the target client side and sending the blocking strategy to the target client side.
Specifically, the target client may send the risk connection information to the server after obtaining the risk connection information.
S103, the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and risk connection information;
specifically, after receiving the risk connection information, the server may determine the connection risk between the target service node and the target connection node according to a predefined connection risk determination rule and the risk connection information.
Optionally, the server searches for a corresponding connection risk from a predefined node connection risk table based on the node identifier of the target service node and the node identifier of the target connection node; the node connection risk table correspondingly stores node identifiers and connection risks of two connected nodes.
The node connection risk table may be a data table pre-prepared by a technician according to an actual situation. Specifically, when determining that the connection between two nodes has a high risk, a technician may record the node identifiers of the nodes and the high risk of the connection between the two nodes in a node connection risk table; specifically, when determining that a node has a high possibility of a network attack, the technician may determine the node as a high risk node, determine a connection between any node and the node as a high risk, and record the connection in the connection risk table.
Specifically, after receiving the risk connection information, the server may extract the node identifiers of the target service node and the target connection node, and then search the node connection risk table for the connection risk matching that pair of nodes. In this case, the connection risk determination rule is: the connection risk between the target service node and the target connection node is the connection risk found in the node connection risk table.
Optionally, the risk connection information further includes the number of times that the target connection node accesses the target service node within a predefined time, and the server determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, including:
the server compares the access count with a preset access count threshold; if the access count is not less than the threshold, it determines that the connection risk between the target service node and the target connection node is high risk; otherwise, it determines that the connection risk between the target service node and the target connection node is low risk.
The risk connection information may further include information such as the number of accesses, access frequency, and specific access type of the target service node by the target connection node.
The predefined time period may be determined by a technician according to actual conditions, which is not limited by the present invention.
Specifically, the server may determine whether the target connection node has an illegal access behavior such as an access attack to the target service node by analyzing the risk connection information, so as to determine the connection risk between the target service node and the target connection node.
Specifically, the server may extract, from the risk connection information, the number of times that the target connection node accesses the target service node within a predefined time period, compare the number of times with a preset access number threshold, and if the number of times is not less than the access number threshold, determine that the risk of connection between the target service node and the target connection node is high; if the access times are less than the access times threshold, the connection risk of the target service node and the target connection node can be determined to be low risk or no risk.
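As an added illustration that is not code from the patent, the following Python works the server side of S103 end to end: the grouping of container nodes by image into service identifiers described in the disclosure, the node connection risk table lookup (including nodes a technician has flagged as high risk outright), and the access-count threshold rule. The field names, the sample traffic information and the rule contents are constructed, and applying the table rule first and the threshold rule second is this example's assumption; the patent lists them as alternatives.

```python
from collections import defaultdict
from dataclasses import dataclass

HIGH, LOW = "high", "low"

# Constructed sample of the traffic information the clients report for each
# container: its node identifier plus the image it runs (hypothetical field names).
TRAFFIC_INFO = [
    {"node_id": "c-101", "image": "bank/payment-api:1.4"},
    {"node_id": "c-102", "image": "bank/payment-api:1.4"},
    {"node_id": "c-201", "image": "bank/report-batch:2.0"},
    {"node_id": "c-301", "image": "bank/scanner-tool:0.1"},
]


def assign_service_ids(traffic_info):
    """Cluster the nodes by container image (nodes from one image are taken to
    process the same type of service) and give every member of a group the same
    service identifier.  Returns {node_id: service_id}."""
    groups = defaultdict(list)
    for rec in traffic_info:
        groups[rec["image"]].append(rec["node_id"])
    service_of = {}
    for n, image in enumerate(sorted(groups), start=1):
        for node_id in groups[image]:
            service_of[node_id] = f"svc-{n:03d}"
    return service_of


@dataclass(frozen=True)
class RiskRule:
    """The predefined connection risk determination rule prepared by a technician."""
    pair_risk: dict             # (service node's service id, connection node's id) -> risk
    high_risk_nodes: frozenset  # identifiers whose every connection counts as high risk
    access_threshold: int       # accesses within the predefined period that mean high risk


def table_risk(rule, service_id, connection_id):
    """Rule 1: look the pair up in the node connection risk table."""
    if service_id in rule.high_risk_nodes or connection_id in rule.high_risk_nodes:
        return HIGH
    return rule.pair_risk.get((service_id, connection_id), LOW)


def threshold_risk(rule, access_count):
    """Rule 2: an access count not less than the threshold means high risk."""
    return HIGH if access_count >= rule.access_threshold else LOW


def determine_connection_risk(rule, service_of, report):
    """Map the reported node identifiers to service identifiers and apply the
    rules.  A connection node outside the clustered set (e.g. another LAN) keeps
    its raw identifier.  Sequencing table then threshold is this example's choice."""
    service_id = service_of.get(report["service_node"], report["service_node"])
    connection_id = service_of.get(report["connection_node"], report["connection_node"])
    risk = table_risk(rule, service_id, connection_id)
    if risk == LOW and "access_count" in report:
        risk = threshold_risk(rule, report["access_count"])
    return risk


def build_instruction(rule, service_of, report):
    """Return the blocking-enable instruction for the client, or None when the
    connection is not high risk (the client then changes nothing)."""
    if determine_connection_risk(rule, service_of, report) != HIGH:
        return None
    return {"action": "block_enable",
            "service_node": report["service_node"],
            "connection_node": report["connection_node"]}


SERVICE_OF = assign_service_ids(TRAFFIC_INFO)

# Constructed rule: report-batch nodes may not call payment-api nodes, the
# scanner-tool group is flagged high risk outright, and 100 accesses within the
# reporting period are treated as an access attack.
RULE = RiskRule(
    pair_risk={(SERVICE_OF["c-101"], SERVICE_OF["c-201"]): HIGH},
    high_risk_nodes=frozenset({SERVICE_OF["c-301"]}),
    access_threshold=100,
)

if __name__ == "__main__":
    report = {"service_node": "c-101", "connection_node": "c-102", "access_count": 150}
    print(determine_connection_risk(RULE, SERVICE_OF, report))
    print(build_instruction(RULE, SERVICE_OF, report))
```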
S104, if the connection risk is high, the server side sends a blocking enabling instruction to the target client side;
specifically, when determining that the connection risk between the target service node and the target connection node is high risk, the server sends a blocking enabling instruction to the target client, that is, issues a blocking policy to the target client, so that the target client blocks the connection between the target service node and the target connection node, thereby implementing access control on the target service node, avoiding affecting the processing of the service by the target service node, and ensuring the service processing capability and efficiency of the target service node, thereby ensuring the normal operation of the service.
S105, the target client side responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node.
Specifically, after receiving the blocking enable instruction, the target client may block the connection between the target service node and the target connection node by sending a blocking packet to the target connection node.
Optionally, the target client may perform bypass blocking by sending a reset packet to the target connection node, and disconnect the connection between the target service node and the target connection node.
It should be noted that, in the prior art, traffic detection and connection blocking may be performed on a service node based on IP, so as to implement access control on the target service node. Specifically, the prior art may perform IP blocking by calling iptables on the terminal device. iptables is the firewall shipped with the Linux operating system on the terminal device, and it can implement IP-based access control. The prior art may also set up an independent firewall directly on the terminal device and implement IP-based access control on the service node. However, when the prior art implements access control based on IP, changes of IP are difficult to capture and analyse accurately, and the resources consumed on the terminal device are large. When IP blocking is performed with iptables, its performance is limited, so performance bottlenecks may occur as the number of blocking policies grows.
The invention can identify the illegal access behaviors of the target connection node, such as possible access attack on the target service node, and the like by adopting a mode of performing communication cooperation between the target client and the server, namely a mode of acquiring risk connection information and executing a blocking strategy by the target client and a mode of analyzing the risk connection information reported by the target client and issuing the blocking strategy by the server, and can block the connection between the target service node and the target connection node when the high risk of connection between the target connection node and the target service node is determined. The invention can realize the access control of the target service node, avoid influencing the service processing of the target service node, and ensure the service processing capacity and efficiency of the target service node, thereby ensuring the normal operation of the service.
In the connection control method provided by this embodiment, a target client obtains risk connection information of a target service node on a target terminal device, the target client is set on the target terminal device, the risk connection information at least includes a node identifier of the target service node and a node identifier of the target connection node, the target client sends the risk connection information to a server, the server determines a connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, if the connection risk is high, the server sends a blocking enable instruction to the target client, and the target client sends a blocking message to the target connection node in response to the blocking enable instruction to block connection between the target service node and the target connection node. According to the method, the target client side is responsible for acquiring the risk connection information and executing the blocking strategy, and the server side is responsible for analyzing the risk connection information reported by the target client side and issuing the blocking strategy, so that the illegal access behaviors of the target connection node, such as possible access attacks on the target service node, can be identified, and the connection between the target service node and the target connection node can be blocked when the high risk of connection between the target connection node and the target service node is determined. The invention can effectively realize the access control of the target service node, avoid influencing the service processing of the target service node, and ensure the service processing capacity and efficiency of the target service node, thereby ensuring the normal operation of the service.
Building on the steps shown in fig. 1, this embodiment proposes a second connection control method, shown in fig. 2. The method may further include:
S201, when the target client detects that it has a fault, the target client stops sending the blocking message to the target connection node.
It should be noted that the target client stops sending the blocking message to the target connection node as soon as it detects its own fault. This guards against the following situation: the blocking policy issued by the server changes (for example, the server determines that the connection between the target service node and the target connection node is no longer high risk and needs to instruct the target client to stop sending the blocking message), but the faulty target client can neither receive nor respond to the newly issued policy, so it would be unable to stop blocking the target connection node from connecting to the target service node. Stopping on fault therefore avoids interfering with the target service node's processing of normal service and preserves service processing efficiency.
According to the connection control method provided by this embodiment, the target client stops sending the blocking message to the target connection node when it detects its own fault, which further avoids interfering with the target service node's processing of normal service and guarantees service processing efficiency.
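The fail-open behaviour of step S201 is the part of this embodiment a practitioner most needs to get right: a blocking agent that keeps enforcing a stale block after it has lost contact with its controller turns a protection into an outage. The following is an added example written for this page, not code from the patent or its applicant. It models the target client as an executor of the server's blocking enable/disable instructions; the blocking message itself is abstracted as a callback (the patent does not specify its format), and `health_check` is an assumed hook that reports whether the client can still receive policy updates from the server.

```python
# Added example, not code from the patent: a client-side executor for the
# server's blocking instructions that fails open. send_block and health_check
# are assumed hooks; the scenario data in simulate() is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class BlockingInstruction:
    target_service_node: str     # node identifier of the protected service node
    target_connection_node: str  # node identifier of the peer being blocked
    enable: bool                 # True: blocking enable, False: blocking disable


class BlockingExecutor:
    """Keeps the (service node, connection node) pairs the server has enabled
    blocking for and emits one blocking message per pair on every tick."""

    def __init__(self, send_block: Callable[[str, str], None],
                 health_check: Callable[[], bool]) -> None:
        self._send_block = send_block
        self._health_check = health_check
        self._active: Dict[Tuple[str, str], bool] = {}
        self.faulted = False

    def apply(self, instr: BlockingInstruction) -> None:
        """Apply a blocking enable / disable instruction received from the server."""
        key = (instr.target_service_node, instr.target_connection_node)
        if instr.enable:
            self._active[key] = True
        else:
            self._active.pop(key, None)

    def active_blocks(self) -> List[Tuple[str, str]]:
        return sorted(self._active)

    def tick(self) -> int:
        """One blocking round; returns the number of blocking messages sent.

        Fail-open rule (step S201): a faulty client can no longer receive a
        'stop blocking' instruction, so any block it kept enforcing would never
        be lifted. Every active block is therefore dropped and nothing is sent
        until the client is healthy again and re-instructed by the server.
        """
        if not self._health_check():
            self.faulted = True
            self._active.clear()
            return 0
        for service_node, connection_node in sorted(self._active):
            self._send_block(service_node, connection_node)
        return len(self._active)


def simulate(health_sequence: List[bool]):
    """Constructed scenario: one enabled block, then the health check fails."""
    sent: List[Tuple[str, str]] = []
    health = iter(health_sequence)
    executor = BlockingExecutor(
        send_block=lambda s, c: sent.append((s, c)),
        health_check=lambda: next(health),
    )
    executor.apply(BlockingInstruction("svc-node-A", "conn-node-X", enable=True))
    sent_per_tick = [executor.tick() for _ in range(len(health_sequence))]
    return sent_per_tick, sent, executor.active_blocks(), executor.faulted


if __name__ == "__main__":
    # Two healthy rounds, a fault, then recovery: blocking stops at the fault
    # and does not resume by itself.
    print(simulate([True, True, False, True]))
```

The design choice worth noting is that recovery does not silently resume blocking: after a fault the executor waits for fresh instructions, so the server's current view of the risk, not the client's memory of an old one, decides what is blocked.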
Building on the steps shown in fig. 1, this embodiment proposes a third connection control method. In this method, the node identifier of the target service node is a first service identifier and the node identifier of the target connection node is a second service identifier, where the first service identifier identifies the service processed by the target service node and the second service identifier identifies the service processed by the target connection node.
Specifically, the first and second service identifiers may be generated by the server, based on the traffic information that the target client collects from the target terminal device, and sent to the target client.
Optionally, before the target client acquires the risk connection information of the target service node on the target terminal device, the third connection control method may further include:
the server obtains traffic information of a plurality of service nodes, collected and sent by a plurality of clients from a plurality of terminal devices respectively, where one client is set on each terminal device, the clients include the target client, all the terminal devices are in the same local area network, and the plurality of service nodes include the target service node and the target connection node;
the server clusters the service nodes, based on their traffic information, according to the service type of the service each node processes, obtaining at least one service node group;
the server sets a corresponding service identifier for every service node in each service node group;
and the server returns each service identifier to its corresponding client.
Specifically, the terminal devices may be devices in the same local area network (e.g. an intranet). A client may be set on each terminal device. Each client collects the traffic information of the service nodes on the terminal device where it is located and sends it to the server. For example, a first terminal device may carry a first client, which collects the traffic information of the corresponding service node on the first terminal device and sends it to the server.
The traffic information may describe the data transmission between a given service node and other service nodes, such as the node identifiers involved, the number of accesses and the specific access type.
Optionally, when a terminal device itself serves as a service node, the client set on that terminal device may collect the traffic information of the terminal device;
optionally, when a virtual machine, container or similar set in a terminal device serves as a service node, the client set on that terminal device may collect the traffic information of that service node and send it to the server.
Specifically, when sending traffic information to the server, the client may carry its own client identifier, so that on receipt the server can associate the traffic information with that client and determine which client sent it.
It can be understood that the server receives the traffic information sent by all the clients and can manage all the clients centrally.
Specifically, the server analyses the traffic information sent by each client and classifies the service nodes by service type, that is, service nodes that process the same type of service are placed in the same class. In the present invention, service nodes that process the same type of service are placed in the same service node group, yielding a corresponding number of service node groups.
It will be appreciated that all service nodes in a service node group serve the same type of service.
Specifically, for the service corresponding to each service node group, the server may set a corresponding service identifier for the service nodes in that group. For example, given a first service node group that processes a first type of service and a second service node group that processes a second type of service, the server may set a first service identifier for all service nodes in the first group and a second service identifier for all service nodes in the second group.
Specifically, after setting a service identifier for a service node in a service node group, the server sends that service identifier to the corresponding client. For example, after setting a target service identifier for the target service node, the server may send it to the target client; as another example, if a third service node is set on a third terminal device whose client is a third client, the server sets a service identifier for the third service node and then sends it to the third client.
It should be noted that setting a service identifier for a service node amounts to labelling that service node with a service role.
Specifically, after receiving the service identifier, the client may use it as the node identifier of the service node and carry that node identifier in the risk connection information sent to the server. When the server receives the risk connection information and it contains the service identifiers of two service nodes (in which case the target service node and the target connection node are service nodes in the same local area network), the server can perform a role check and access authentication on the two service nodes according to the connection risk determination rule and the two service identifiers, and so determine the connection risk between them. This provides access control of data transmission between service nodes in the same local area network, detects and blocks east-west traffic in the intranet, and makes intranet traffic visible and controllable.
Optionally, in the fourth connection control method provided in this embodiment, each service node is a container, and the traffic information includes the node identifier of the service node; the step in which the server clusters the service nodes, based on their traffic information, according to the service type of the service each node processes, obtaining at least one service node group, may include:
the server determines the container image corresponding to each service node based on the traffic information of that service node;
the server determines the service nodes corresponding to the same container image as one service node group processing the same type of service, thereby obtaining each service node group.
Specifically, when all the service nodes are containers, the server may determine from the traffic information sent by the clients the container image corresponding to each service node (that is, each container), and then treat the service nodes started from the same container image as service nodes processing the same type of service, so that the service nodes started from the same container image form one service node group.
It can be understood that if only some of the service nodes are containers, the server may still determine the containers corresponding to the same container image as service nodes of the same type of service and group them into one service node group.
The connection control method provided by this embodiment provides access control of data transmission between service nodes in the same local area network and detects and blocks east-west traffic in the intranet, so that intranet traffic is visible and controllable.
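The third and fourth methods above (grouping service nodes by the container image they were started from, assigning one service identifier per group, and returning the identifiers to the client that reported each node) can be made concrete with the following added example. It is written for this page and is not code from the patent or its applicant; the `TrafficRecord` fields, the `registry.local/...` image names, the client and container identifiers, and the `SVC-nnn` identifier format are all constructed assumptions.

```python
# Added example, not code from the patent: server-side clustering of container
# service nodes by container image, one service identifier per group, and the
# per-client identifier map the server returns. Record fields, names and the
# identifier format are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TrafficRecord:
    client_id: str       # client that collected and uploaded the record
    node_id: str         # node identifier of the service node (a container)
    image: str           # container image the node was started from
    peer_node_id: str    # other service node in the data exchange
    access_count: int    # accesses observed in the collection window


def group_by_image(records: List[TrafficRecord]) -> Dict[str, List[str]]:
    """Service nodes started from the same image form one service node group."""
    groups: Dict[str, set] = defaultdict(set)
    for rec in records:
        groups[rec.image].add(rec.node_id)
    return {image: sorted(nodes) for image, nodes in groups.items()}


def assign_service_identifiers(groups: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every node identifier to the service identifier of its group.

    Identifiers are assigned in sorted image order so the result is stable
    across runs; the identifier acts as the node's service-role label."""
    node_to_service: Dict[str, str] = {}
    for index, image in enumerate(sorted(groups), start=1):
        service_id = f"SVC-{index:03d}"
        for node_id in groups[image]:
            node_to_service[node_id] = service_id
    return node_to_service


def identifiers_per_client(records: List[TrafficRecord],
                           node_to_service: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """What the server returns to each client: the identifiers of the nodes
    that client reported (a client only needs the nodes on its own device)."""
    per_client: Dict[str, Dict[str, str]] = defaultdict(dict)
    for rec in records:
        per_client[rec.client_id][rec.node_id] = node_to_service[rec.node_id]
    return dict(per_client)


# Constructed traffic records from two clients on two terminal devices.
SAMPLE_RECORDS = [
    TrafficRecord("client-1", "ctr-a1", "registry.local/payment:1.2", "ctr-b1", 12),
    TrafficRecord("client-1", "ctr-a2", "registry.local/payment:1.2", "ctr-b1", 7),
    TrafficRecord("client-2", "ctr-b1", "registry.local/ledger:3.0", "ctr-a1", 12),
    TrafficRecord("client-2", "ctr-a3", "registry.local/payment:1.2", "ctr-b1", 3),
]


def build_service_map(records: List[TrafficRecord] = SAMPLE_RECORDS):
    """Run the three server steps: group, assign identifiers, split per client."""
    groups = group_by_image(records)
    node_to_service = assign_service_identifiers(groups)
    return groups, node_to_service, identifiers_per_client(records, node_to_service)


if __name__ == "__main__":
    for part in build_service_map():
        print(part)
```

Note that the grouping key is the full image reference including its tag: two versions of the same service image end up in different groups, which is the conservative choice when the risk table is keyed by service identifier.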
Corresponding to the steps shown in fig. 1, this embodiment proposes a first connection control system, shown in fig. 3. The system may comprise a target client 101 and a server 102, wherein:
the target client 101 acquires risk connection information of a target service node on a target terminal device, the target client 101 being set on the target terminal device, and the risk connection information including at least the node identifier of the target service node and the node identifier of a target connection node;
the target client 101 sends the risk connection information to the server 102;
the server 102 determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information;
if the connection risk is high risk, the server 102 sends a blocking enable instruction to the target client 101;
the target client 101, in response to the blocking enable instruction, sends a blocking message to the target connection node to block the connection between the target service node and the target connection node.
It should be noted that the functions and execution of the target client 101 and the server 102 may refer to the descriptions of steps S101, S102, S103, S104 and S105 in fig. 1 and are not repeated here.
Optionally, in determining the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, the server 102 is specifically configured to:
search for the corresponding connection risk in a predefined node connection risk table based on the node identifier of the target service node and the node identifier of the target connection node, where the node connection risk table stores, in correspondence, the node identifiers of two connected nodes and their connection risk.
Optionally, the node identifier of the target service node is a first service identifier and the node identifier of the target connection node is a second service identifier, where the first service identifier identifies the service processed by the target service node and the second service identifier identifies the service processed by the target connection node.
Optionally, before the target client 101 acquires the risk connection information of the target service node on the target terminal device, the server 102 further obtains traffic information of a plurality of service nodes, collected and sent by a plurality of clients from a plurality of terminal devices respectively, where one client is set on each terminal device, the clients include the target client 101, all the terminal devices are in the same local area network, and the plurality of service nodes include the target service node and the target connection node;
the server 102 clusters the service nodes, based on their traffic information, according to the service type of the service each node processes, obtaining at least one service node group;
the server 102 sets a corresponding service identifier for every service node in each service node group;
the server 102 returns each service identifier to its corresponding client.
Optionally, each service node is a container and the traffic information includes the node identifier of the service node; in clustering the service nodes based on their traffic information according to the service type of the service each node processes to obtain at least one service node group, the server 102 is specifically configured to:
determine the container image corresponding to each service node based on the traffic information of that service node;
determine the service nodes corresponding to the same container image as one service node group processing the same type of service, thereby obtaining each service node group.
Optionally, when the target client 101 has a fault, the target client 101 also stops sending the blocking message to the target connection node.
Optionally, the risk connection information further includes the number of times the target connection node accessed the target service node within a predefined time length; in determining the connection risk between the target service node and the target connection node based on the predefined connection risk determination rule and the risk connection information, the server 102 is specifically configured to:
compare whether the number of accesses is not less than a preset access count threshold, and if so, determine the connection risk between the target service node and the target connection node as high risk; otherwise, determine it as low risk.
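The server 102's two risk determination rules, the lookup in the node connection risk table keyed by the two service identifiers and the access-count threshold, combine naturally into one decision function that yields the blocking enable instruction. The following is an added example written for this page, not code from the patent or its applicant; the table entries, the `SVC-*` identifiers, the threshold of 100 and the default applied to pairs absent from the table are constructed assumptions.

```python
# Added example, not code from the patent: the server's connection risk
# determination for one risk connection report, combining the predefined node
# connection risk table with the access-count threshold rule and producing
# the blocking enable decision. Table contents, identifiers, the threshold and
# the default for unknown pairs are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Node connection risk table: (service identifier of the accessed service node,
# service identifier of the connecting node) -> connection risk.
NODE_CONNECTION_RISK_TABLE: Dict[Tuple[str, str], str] = {
    ("SVC-PAYMENT", "SVC-WEB"): "low",   # web tier may call the payment service
    ("SVC-DB", "SVC-PAYMENT"): "low",    # payment service may reach the database
    ("SVC-DB", "SVC-WEB"): "high",       # web tier must not reach the database directly
}

ACCESS_COUNT_THRESHOLD = 100  # accesses within the predefined time length


@dataclass(frozen=True)
class RiskConnectionInfo:
    target_service_node: str            # node identifier (here a service identifier)
    target_connection_node: str
    access_count: Optional[int] = None  # accesses in the window, if the client reported it


@dataclass(frozen=True)
class ServerDecision:
    connection_risk: str   # "high" or "low"
    blocking_enable: bool  # True: server sends the blocking enable instruction
    reason: str


def table_risk(info: RiskConnectionInfo) -> Optional[str]:
    """Role check: look the ordered pair up in the node connection risk table."""
    return NODE_CONNECTION_RISK_TABLE.get(
        (info.target_service_node, info.target_connection_node))


def threshold_risk(info: RiskConnectionInfo) -> Optional[str]:
    """Access-count rule: a count not less than the threshold is high risk."""
    if info.access_count is None:
        return None
    return "high" if info.access_count >= ACCESS_COUNT_THRESHOLD else "low"


def determine_connection_risk(info: RiskConnectionInfo) -> ServerDecision:
    """Combine both rules; either rule reporting high risk is enough to block.

    A pair absent from the table with no reported access count is treated as
    low risk because the patent only defines blocking for high risk; that
    default is an assumption of this example and is flagged in the reason so
    an operator can review such pairs.
    """
    by_table = table_risk(info)
    by_count = threshold_risk(info)
    if by_table == "high":
        return ServerDecision("high", True, "node connection risk table")
    if by_count == "high":
        return ServerDecision(
            "high", True,
            f"access count {info.access_count} >= {ACCESS_COUNT_THRESHOLD}")
    if by_table is None and by_count is None:
        return ServerDecision("low", False,
                              "pair not in table and no access count reported")
    return ServerDecision("low", False, "no rule reported high risk")


if __name__ == "__main__":
    for report in (RiskConnectionInfo("SVC-DB", "SVC-WEB"),
                   RiskConnectionInfo("SVC-PAYMENT", "SVC-WEB", 150),
                   RiskConnectionInfo("SVC-PAYMENT", "SVC-WEB", 3)):
        print(report, "->", determine_connection_risk(report))
```

The pair is looked up as an ordered (accessed service, connecting node) tuple rather than an unordered set, because the access-count rule is directional and a role table that allows the payment service to reach the database should not, by symmetry, allow the database to initiate connections to the payment service.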
The connection control system provided by this embodiment effectively provides access control for the target service node, avoids interfering with its service processing, and preserves its service processing capacity and efficiency, so that the service keeps running normally.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A connection control method, comprising:
a target client acquires risk connection information of a target service node on target terminal equipment, wherein the target client is arranged on the target terminal equipment, and the risk connection information at least comprises a node identifier of the target service node and a node identifier of a target connection node;
the target client sends the risk connection information to the server;
the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information;
if the connection risk is high risk, the server side sends a blocking enabling instruction to the target client side;
and the target client responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node.
2. The connection control method according to claim 1, wherein the server determines the connection risk of the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, and comprises:
the server side searches corresponding connection risks from a predefined node connection risk table based on the node identification of the target service node and the node identification of the target connection node; and node identifiers and connection risks of two connected nodes are correspondingly stored in the node connection risk table.
3. The connection control method according to claim 1, wherein the node identifier of the target service node is a first service identifier, the node identifier of the target connection node is a second service identifier, the first service identifier is an identifier of a service processed by the target service node, and the second service identifier is an identifier of a service processed by the target connection node.
4. The connection control method according to claim 3, wherein before the target client obtains risky connection information of a target service node on a target terminal device, the method further comprises:
the server obtains traffic information of a plurality of service nodes, collected and sent by a plurality of clients from a plurality of terminal devices respectively, wherein one client is set on each terminal device, the clients include the target client, all the terminal devices are in the same local area network, and the plurality of service nodes include the target service node and the target connection node;
the server clusters the service nodes, based on the traffic information of the plurality of service nodes, according to the service type of the service processed by each service node, to obtain at least one service node group;
the server sets corresponding service identification for each service node in each service node group;
and the server respectively returns each service identifier to each corresponding client.
5. The connection control method according to claim 4, wherein each of the service nodes is a container, and the traffic information includes a node identifier of the service node; and the server clustering the service nodes, based on the traffic information of the plurality of service nodes, according to the service type of the service processed by each service node to obtain at least one service node group comprises:
the server determines a container image corresponding to each service node based on the traffic information of each service node;
and the server determines the service nodes corresponding to the same container image as one service node group for processing the same type of service, so as to obtain each service node group.
6. The connection control method according to claim 1, characterized in that the method further comprises:
and when the target client side has a fault, the target client side stops sending the blocking message to the target connection node.
7. The connection control method according to claim 1, wherein the risk connection information further includes a number of times that the target connection node accesses the target service node within a predefined time length, and the determining, by the server, a connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information comprises:
the server compares whether the access times are not less than a preset access time threshold, and if so, determines that the connection risk between the target service node and the target connection node is high risk; otherwise, determining the connection risk between the target service node and the target connection node as low risk.
8. A connection control system, comprising: a target client and a server;
a target client acquires risk connection information of a target service node on target terminal equipment, wherein the target client is arranged on the target terminal equipment, and the risk connection information at least comprises a node identifier of the target service node and a node identifier of a target connection node;
the target client sends the risk connection information to the server;
the server side determines the connection risk between the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information;
if the connection risk is high risk, the server side sends a blocking enabling instruction to the target client side;
and the target client responds to the blocking enabling instruction and sends a blocking message to the target connection node so as to block the connection between the target service node and the target connection node.
9. The connection control system according to claim 8, wherein the server determines the connection risk of the target service node and the target connection node based on a predefined connection risk determination rule and the risk connection information, and is configured to:
the server side searches corresponding connection risks from a predefined node connection risk table based on the node identification of the target service node and the node identification of the target connection node; and node identifiers and connection risks of two connected nodes are correspondingly stored in the node connection risk table.
10. The connection control system according to claim 8, wherein the node identifier of the target service node is a first service identifier, the node identifier of the target connection node is a second service identifier, the first service identifier is an identifier of a service processed by the target service node, and the second service identifier is an identifier of a service processed by the target connection node.
Application CN202111487790.7A, priority date 2021-12-07, filing date 2021-12-07, "Connection control method and system", status pending, publication CN114124568A (en)
Publications (1)

Publication CN114124568A (en), publication date 2022-03-01

Family ID: 80367658

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination