CN114301709A - Message processing method and device, storage medium and processor - Google Patents


Info

Publication number: CN114301709A
Application number: CN202111670460.1A
Authority: CN (China)
Prior art keywords: target, message, probe, packet, analysis platform
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114301709B (en)
Inventors: 任丽娜, 徐林涛, 丁漪涟, 孟杨, 郑志崇
Current assignee: Hillstone Networks Co Ltd
Original assignee: Hillstone Networks Co Ltd
Application filed by: Hillstone Networks Co Ltd
Priority claimed from: CN202111670460.1A
Publications: CN114301709A (application), CN114301709B (granted patent)

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a packet processing method and apparatus, a storage medium and a processor. The method comprises the following steps: a probe performs matching analysis on the original traffic against a threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; the probe processes the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis. The method and apparatus solve the problem in the related art that a probe's performance is wasted because capturing packets with the probe requires full-traffic packet capture.

Description

Message processing method and device, storage medium and processor
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for processing a packet, a storage medium, and a processor.
Background
Various kinds of threat traffic exist in a network, and network security equipment is generally deployed inside an enterprise to perform traffic analysis and threat detection. Traffic analysis and threat detection based on threat intelligence is a commonly used means at present. In a network environment where one analysis platform manages a plurality of probes, threat intelligence is mostly built into the analysis platform: after the probes send traffic to the analysis platform, the platform performs comprehensive analysis according to built-in rules, algorithms and the like and generates threat events. For a detected threat event, tracing and forensics are important: only when the attack source and the victim of the threat event are effectively traced can the administrator perform subsequent handling. In the prior art, capturing packets with a probe requires full-traffic packet capture, which wastes probe performance.
No effective solution has yet been proposed for the problem in the related art that a probe's performance is wasted because capturing packets with the probe requires full-traffic packet capture.
Disclosure of Invention
The main object of the present application is to provide a packet processing method and apparatus, a storage medium and a processor, so as to solve the problem in the related art that a probe's performance is wasted because capturing packets with the probe requires full-traffic packet capture.
To achieve the above object, according to one aspect of the present application, a packet processing method is provided. The method comprises the following steps: a probe performs matching analysis on the original traffic against a threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; the probe processes the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis.
Further, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; after the analysis platform analyzes the target data uploaded by the probe, it reports a threat event signal; and the target packet corresponding to the target data is obtained from the analysis platform according to the target data.
Further, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further comprises: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection being used for data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library at a preset time period; and the analysis platform pushes the updated threat intelligence library to all registered probes.
Further, the probe processing the target packet to obtain the target data includes: the probe names the target packet according to a preset naming rule and stores it locally, the file name of the target packet comprising at least a UUID and a timestamp; the probe uses the UUID and the timestamp as the Packet ID; the probe adds the Packet ID and the probe's SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
Further, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of a target file; and, when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
Further, the method further comprises: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file to store the target packet.
Further, before obtaining the target packet corresponding to the target data from the analysis platform according to the target data, the method further includes: the analysis platform determines the probe corresponding to the target data according to the SN code; the analysis platform sends the Packet ID to that probe; the probe parses the Packet ID to obtain its UUID and timestamp; according to the timestamp, the probe queries for the target file storing the target data; according to the UUID and the timestamp, the probe queries the target file for the target packet corresponding to the target data; and the probe sends that target packet to the analysis platform.
To achieve the above object, according to another aspect of the present application, a packet processing apparatus is provided. The apparatus includes: a capturing unit, used by the probe to perform matching analysis on the original traffic against the threat intelligence library and capture a packet set from the original traffic; a selecting unit, configured to select a target packet from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; and a processing unit, used by the probe to process the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis.
Further, the apparatus further comprises: a sending unit, used by the probe to upload the target data to the analysis platform after the probe has processed the target packet to obtain the target data; a reporting unit, used to report a threat event signal after the analysis platform analyzes the target data uploaded by the probe; and an acquisition unit, used to obtain the target packet corresponding to the target data from the analysis platform according to the target data.
Further, the apparatus further comprises: a first sending unit, used by the probe, before it matches the original traffic against the threat intelligence library to obtain the target packet, to send a registration message to the analysis platform and establish a corresponding TCP connection with it, the TCP connection being used for data transmission between the probe and the analysis platform; an updating unit, used by the analysis platform to update the threat intelligence library at a preset time period; and a pushing unit, used by the analysis platform to push the updated threat intelligence library to all registered probes.
Further, the processing unit includes: a first processing subunit, configured for the probe to name the target packet according to a preset naming rule and store it locally, the file name of the target packet comprising at least a UUID and a timestamp; a second processing subunit, used by the probe to take the UUID and the timestamp as the Packet ID; an adding subunit, configured for the probe to add the Packet ID and the probe's SN code to the target data; and an uploading subunit, used by the probe to upload the target data carrying the Packet ID and the SN code to the analysis platform.
Further, the first processing subunit includes: a determining module, used to determine the storable space of the target file; and a storage module, used to store the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
Further, the apparatus further comprises: a creating unit, used to create a new file to store the target packet when the storage space occupied by the target packet is not smaller than the storable space.
Further, the apparatus further comprises: a determining unit, configured for the analysis platform to determine, according to the SN code, the probe corresponding to the target data before the target packet corresponding to the target data is obtained from the analysis platform according to the target data; a second sending unit, configured for the analysis platform to send the Packet ID to the probe; a parsing unit, used by the probe to parse the Packet ID to obtain its UUID and timestamp; a first query unit, used to query for the target file storing the target data according to the timestamp; a second query unit, used to query the target file for the target packet corresponding to the target data according to the UUID and the timestamp; and a third sending unit, used to send the target packet corresponding to the target data to the analysis platform.
To achieve the above object, according to another aspect of the present application, a computer-readable storage medium is provided that stores a program, wherein the program, when executed, performs any of the packet processing methods described above.
To achieve the above object, according to another aspect of the present application, a processor is provided that is configured to execute a program, wherein the program, when executed, performs any of the packet processing methods described above.
Through the present application, the following steps are adopted: the probe performs matching analysis on the original traffic against a threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; and the probe processes the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis. This solves the problem in the related art that a probe's performance is wasted because capturing packets with the probe requires full-traffic packet capture. Because the probe matches against the threat intelligence library before capturing packets, and only the packet with the highest threat intelligence probability is processed and uploaded to the analysis platform, the probe's performance is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
fig. 1 is a flowchart of a message processing method according to an embodiment of the present application;
fig. 2 is a flowchart of an alternative message processing method provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a message processing apparatus according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some terms and expressions used in the embodiments of the present application are explained below:
UUID: Universally Unique Identifier;
Packet ID: packet identifier;
SN: Serial Number, the product serial number.
The present invention is described below with reference to preferred implementation steps. Fig. 1 is a flowchart of a packet processing method provided in an embodiment of the present application; as shown in fig. 1, the method includes the following steps:
Step S101: the probe performs matching analysis on the original traffic against the threat intelligence library and captures a packet set from the original traffic.
The probe performs matching analysis on the original traffic against the configured threat intelligence library and pre-captures the packets in the original traffic that may correspond to threat intelligence, obtaining a packet set.
Step S102: a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence.
The probe screens the packets in the packet set to obtain the target packet, namely the packet in the set with the highest probability of belonging to threat intelligence, and discards the other packets in the set.
Step S103: the probe processes the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis.
The probe processes the target packet to obtain the target data (i.e. metadata). The metadata is sent to the analysis platform for threat intelligence analysis.
In summary, the probe performs threat intelligence traffic analysis and packet capture; compared with full-traffic capture and storage, only the original packet with the highest threat intelligence probability is stored, which saves disk space to a great extent and improves probe performance.
Optionally, in the packet processing method provided in this embodiment of the present application, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; after the analysis platform analyzes the target data uploaded by the probe, it reports a threat event signal; and the target packet corresponding to the target data is obtained from the analysis platform according to the target data.
For example, one analysis platform may be connected to multiple probes, and each probe uploads its processed metadata to the analysis platform. The analysis platform analyzes the metadata uploaded by all probes as a whole and reports threat event signals. After the analysis platform reports a threat event signal, it provides a target packet download function: each target packet corresponding to a piece of metadata can be downloaded one-to-one from the analysis platform.
For the threat events detected by the analysis platform, the function of downloading target packets from the platform allows the attack source of a threat event to be traced effectively, solving the problem that, after the analysis platform comprehensively analyzes the metadata uploaded by all probes and generates a threat event, the source cannot be fully traced.
Optionally, in the packet processing method provided in this embodiment of the present application, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection being used for data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library at a preset time period; and the analysis platform pushes the updated threat intelligence library to all registered probes.
The probe sends a registration message to the analysis platform, and an encrypted TCP connection is established between the probe and the analysis platform for data transmission. After the connection is established, the analysis platform pushes the threat intelligence library to the probe, which receives and installs it. The probe sends heartbeat messages to the analysis platform at regular intervals to keep the TCP connection alive. The analysis platform periodically downloads the updated threat intelligence library from the cloud and, after updating, pushes the new library to all registered probes. The probe installs the updated threat intelligence library pushed by the analysis platform.
With a configured and regularly updated threat intelligence library, the probe can perform matching analysis on the original traffic more accurately and thus capture packets accurately.
Optionally, in the packet processing method provided in the embodiment of the present application, the probe processing the target packet to obtain the target data includes: the probe names the target packet according to a preset naming rule and stores it locally, the file name of the target packet comprising at least a UUID and a timestamp; the probe uses the UUID and the timestamp as the Packet ID; the probe adds the Packet ID and the probe's SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
After the probe obtains the target packet, it names the packet according to a specific rule and stores it locally; the naming rule must ensure that the file names of all target packets differ. The saved file name is the UUID plus the current system timestamp. For example, if the current system time is 2021-09-15 19:20:54, the corresponding timestamp is 1631704854000, and the UUID generated this time is 0d6ad54e-58cb-411e-90c3-dbc541aa7d33, so the name under which the target packet is stored this time is 0d6ad54e-58cb-411e-90c3-dbc541aa7d33+1631704854000. The file name of the target packet is used as the Packet ID. The Packet ID and the probe's SN code are added to the metadata, and the metadata carrying the Packet ID and SN code is uploaded to the analysis platform.
The probe's SN code and the Packet ID together ensure that the subsequent target packet download is accurate.
Optionally, in the packet processing method provided in this embodiment of the present application, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of a target file; and, when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
When target packets are stored, a plurality of target packets are stored in one file. The storable space of each file is set according to the actual conditions of the probe and the network traffic. When a target packet is stored, if the storage space it occupies is smaller than the storable space of the file, the target packet is stored in that file; otherwise a new file is created to store it. The file is named after the timestamp in the name of the first packet stored in it. For example, let the storable space of the file storing target packets be a. The first target packet, named 0d6ad54e-58cb-411e-90c3-dbc541aa7d33+163170485400, now needs to be stored; the storage space it occupies is smaller than the storable space a of the file, so it is stored in the file, and the file is named 163170485400.
Storing target packets in files created this way saves storage space and allows target packets to be queried quickly.
Optionally, in the packet processing method provided in the embodiment of the present application, the method further includes: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file to store the target packet.
When the target packet 0d6ad54e-58cb-411e-90c3-dbc541aa8b56+16317148555 needs to be saved, if the storage space it occupies is at that moment larger than the storable space of the file 1631714854000, a new file is created and 0d6ad54e-58cb-411e-90c3-dbc541aa8b56+163171485555 is saved in that file.
Optionally, in the packet processing method provided in this embodiment of the present application, before the target packet corresponding to the target data is obtained from the analysis platform according to the target data, the method further includes: the analysis platform determines the probe corresponding to the target data according to the SN code; the analysis platform sends the Packet ID to that probe; the probe parses the Packet ID to obtain its UUID and timestamp; according to the timestamp, the probe queries for the target file storing the target data; according to the UUID and the timestamp, the probe queries the target file for the target packet corresponding to the target data; and the probe sends that target packet to the analysis platform.
The analysis platform determines the probe corresponding to the metadata according to the SN code. When the probe receives a packet download request from the analysis platform, it parses the timestamp in the Packet ID sent by the platform, finds, among all files storing packets, the file whose timestamp is less than or equal to that timestamp and closest to it, finds the corresponding target packet in that file according to the Packet ID, and returns it to the analysis platform. For example, suppose the probe currently has three files storing packets, named 163170485400, 163170888888 and 163176666666 respectively.
File 163170485400 stores the packets:
0d6ad54e-58cb-411e-90c3-dbc541aa7d33+163170485400
0d6ad54e-58cb-411e-90c3-dbc541aa7d55+163170486666
0d6ad54e-58cb-411e-90c3-dbc541aa7d77+163170487777
File 163170888888 stores the packets:
0d6ad54e-58cb-411e-90c3-dbc541aaaaaa+163170888888
0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999
0d6ad54e-58cb-411e-90c3-dbc541aaaaa5+163170881000
File 163176666666 stores the packets:
0d6ad54e-58cb-411e-90c3-dbc541aabbcc+163176666666
0d6ad54e-58cb-411e-90c3-dbc541aabba1+163176666777
The probe receives a packet download request from the analysis platform with Packet ID 0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999. The probe parses the timestamp in the Packet ID, namely 163170888999, finds the stored files whose names are smaller than 163170888999, namely 163170485400 and 163170888888, and then picks the one with the smaller difference from the timestamp, namely 163170888888. It then finds the corresponding packet 0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999 in 163170888888 according to the Packet ID and returns it to the analysis platform.
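The storage and download procedure described above (Packet ID = UUID+timestamp, files named after their first packet's timestamp, SN-based routing on the platform, nearest-file lookup on download), as an added Python illustration that is not the patent's or Hillstone's code. The file capacity, the 100-byte placeholder payloads and the probe SN are constructed assumptions, and "storable space" is read here as the file's remaining capacity.

```python
"""Probe-side packet store and analysis-platform download path modelled on
CN114301709A.  Added illustration, not the patent's own code; capacity,
payloads and the probe SN are constructed assumptions."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PacketFile:
    """One local file; its name is the timestamp of the first packet stored in it."""
    name: str
    capacity: int                      # the file's "storable space", in bytes
    used: int = 0
    packets: Dict[str, bytes] = field(default_factory=dict)   # Packet ID -> raw packet


class ProbeStore:
    def __init__(self, sn: str, capacity: int):
        self.sn = sn                   # probe serial number, carried in every metadata record
        self.capacity = capacity
        self.files: List[PacketFile] = []   # append-only, so file names ascend in time

    def store(self, raw: bytes, timestamp_ms: int, packet_uuid: Optional[str] = None) -> str:
        """Name the packet '<UUID>+<timestamp>' and append it to the current file, or
        open a new file named after this timestamp when the packet would not fit.
        Assumption: "storable space" means the remaining capacity of the file."""
        packet_id = "%s+%d" % (packet_uuid or uuid.uuid4(), timestamp_ms)
        current = self.files[-1] if self.files else None
        if current is None or current.used + len(raw) >= current.capacity:
            current = PacketFile(name=str(timestamp_ms), capacity=self.capacity)
            self.files.append(current)
        current.packets[packet_id] = raw
        current.used += len(raw)
        return packet_id

    def metadata(self, packet_id: str, **fields) -> dict:
        """Target data uploaded to the platform: Packet ID and SN plus whatever the
        probe extracted from the packet (the extra fields are caller-supplied)."""
        return {"packet_id": packet_id, "sn": self.sn, **fields}

    @staticmethod
    def parse_packet_id(packet_id: str) -> Tuple[str, int]:
        packet_uuid, ts = packet_id.rsplit("+", 1)
        return packet_uuid, int(ts)

    def lookup(self, packet_id: str) -> Optional[bytes]:
        """Download request handler: choose the file whose timestamp name is <= the
        packet timestamp and closest to it, then look the Packet ID up in that file."""
        _, ts = self.parse_packet_id(packet_id)
        candidates = [f for f in self.files if int(f.name) <= ts]
        if not candidates:
            return None
        target = max(candidates, key=lambda f: int(f.name))
        return target.packets.get(packet_id)


class AnalysisPlatform:
    """Keeps registered probes by SN and resolves a threat event's metadata record
    back to the original packet held on the probe that captured it."""
    def __init__(self):
        self.probes: Dict[str, ProbeStore] = {}

    def register(self, probe: ProbeStore) -> None:
        self.probes[probe.sn] = probe

    def download(self, metadata: dict) -> Optional[bytes]:
        probe = self.probes.get(metadata["sn"])
        return probe.lookup(metadata["packet_id"]) if probe else None


def build_page_example() -> Tuple[AnalysisPlatform, ProbeStore]:
    """Recreates the three files of the description's worked example: capacity 350
    with constructed 100-byte payloads makes exactly three packets fit per file."""
    platform = AnalysisPlatform()
    probe = ProbeStore(sn="PROBE-SN-0001", capacity=350)   # SN is a constructed value
    platform.register(probe)
    prefix = "0d6ad54e-58cb-411e-90c3-dbc541aa"
    page_packets = [("7d33", 163170485400), ("7d55", 163170486666), ("7d77", 163170487777),
                    ("aaaa", 163170888888), ("aaa4", 163170888999), ("aaa5", 163170881000),
                    ("bbcc", 163176666666), ("bba1", 163176666777)]
    for suffix, ts in page_packets:
        probe.store(bytes(100), ts, packet_uuid=prefix + suffix)
    return platform, probe


if __name__ == "__main__":
    platform, probe = build_page_example()
    print("files:", [f.name for f in probe.files])
    record = probe.metadata("0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999", proto="tcp")
    print("download hit:", platform.download(record) is not None)
    stale = probe.metadata("0d6ad54e-58cb-411e-90c3-dbc541aaaaa5+163170881000")
    print("out-of-order packet found:", platform.download(stale) is not None)
```

The nearest-file lookup only works when packets are appended in non-decreasing timestamp order: for the third packet of file 163170888888 in the page's example (timestamp 163170881000) it resolves to file 163170485400 and returns None, so a probe clock that steps backwards breaks tracing for the affected packets.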
According to the packet processing method provided by the embodiment of the application, the probe performs matching analysis on the original traffic against the threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; and the probe processes the target packet to obtain target data, which is sent to an analysis platform for threat intelligence analysis. This solves the problem in the related art that a probe's performance is wasted because capturing packets with the probe requires full-traffic packet capture. Because the probe matches against the threat intelligence library before capturing packets, and only the packet with the highest threat intelligence probability is processed and uploaded to the analysis platform, the probe's performance is improved.
Fig. 2 is a flowchart of an optional packet processing method according to an embodiment of the present application. Network traffic is mirrored to the probe device (probes may be deployed at different locations depending on the network scenario). The probe analyzes the original traffic against the threat intelligence library to obtain the target packet and stores it. It processes the target packet to obtain metadata and transmits the metadata to the analysis platform. After receiving the metadata transmitted by the probes, the analysis platform analyzes it centrally and then reports a threat event signal. The original packet corresponding to each piece of metadata can be downloaded from the analysis platform for threat tracing.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the present application further provides a message processing apparatus, and it should be noted that the message processing apparatus according to the embodiment of the present application may be used to execute the message processing method according to the embodiment of the present application. The following describes a message processing apparatus according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a message processing apparatus according to an embodiment of the present application. As shown in fig. 3, the apparatus includes: a grabbing unit 801, a selecting unit 802 and a processing unit 803.
The capturing unit 801 is used by the probe to perform matching analysis on the original traffic against the threat intelligence library and to capture a packet set from the original traffic.
The selecting unit 802 is configured to select a target packet from the packet set, where the target packet is the packet in the packet set with the highest probability of belonging to threat intelligence.
The processing unit 803 is configured to have the probe process the target packet to obtain target data, where the target data is to be sent to the analysis platform for threat intelligence analysis.
In the message processing apparatus provided by this embodiment of the application, the capturing unit 801 has the probe perform matching analysis on the original traffic against the threat intelligence library and capture a packet set from the original traffic; the selecting unit 802 selects a target packet from the packet set, the target packet being the packet in the set with the highest probability of belonging to threat intelligence; and the processing unit 803 has the probe process the target packet to obtain target data, which is sent to the analysis platform for threat intelligence analysis. This solves the problem in the related art that probe performance is wasted because the probe has to capture the full traffic: here the probe captures packets by matching against the threat intelligence library, and only the packet with the highest threat intelligence probability is selected for processing and upload to the analysis platform, so the effect of improving probe performance is achieved.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the apparatus further includes: a sending unit, used by the probe to upload the target data to the analysis platform after the probe has processed the target packet to obtain the target data; a reporting unit, used to report a threat event signal after the analysis platform has analyzed the target data uploaded by the probe; and an acquisition unit, used to acquire the target packet corresponding to the target data from the analysis platform according to the target data.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the apparatus further includes: a first sending unit, used by the probe, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, to send a registration message to the analysis platform and establish a corresponding TCP connection with the analysis platform, where the TCP connection is used for data transmission between the probe and the analysis platform; an updating unit, used by the analysis platform to update the threat intelligence library according to a preset time period; and a pushing unit, used by the analysis platform to push the updated threat intelligence library to all registered probes.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the processing unit includes: a first processing subunit, used by the probe to name the target packet according to a preset naming rule and store it locally, where the file name of the target packet comprises at least a UUID and a timestamp; a second processing subunit, used by the probe to take the UUID and the timestamp as a Packet ID; an adding subunit, used by the probe to add the Packet ID and the SN code of the probe to the target data; and an uploading subunit, used by the probe to upload the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the first processing subunit includes: a determining module, used to determine the storable space of the target file; and a storage module, used to store the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the apparatus further includes: a creating unit, used to create a new file for storing the target packet when the storage space occupied by the target packet is not smaller than the storable space.
Optionally, in the message processing apparatus provided in this embodiment of the present application, the apparatus further includes: a determining unit, used by the analysis platform to determine, according to the SN code, the probe corresponding to the target data before the target packet corresponding to the target data is acquired from the analysis platform; a second sending unit, used by the analysis platform to send the Packet ID to that probe; an analyzing unit, used by the probe to parse the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID; a first query unit, used to query, according to the timestamp, the target file storing the target data; a second query unit, used to query, according to the UUID and the timestamp, the target packet corresponding to the target data within the target file; and a third sending unit, used to send the target packet corresponding to the target data to the analysis platform.
The message processing apparatus comprises a processor and a memory. The capturing unit 801, the selecting unit 802, the processing unit 803 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor comprises a kernel, which calls the corresponding program unit from the memory. One or more kernels may be provided, and the processing of the message is implemented by adjusting the kernel parameters.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the invention provides a storage medium on which a program is stored, the program implementing the above message processing method when executed by a processor.
An embodiment of the invention provides a processor configured to run a program, the message processing method being executed when the program runs.
An embodiment of the invention provides a device comprising a processor, a memory, and a program stored in the memory and executable on the processor; when the processor executes the program, the following steps are implemented: the probe performs matching analysis on the original traffic against a threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the packet set with the highest probability of belonging to threat intelligence; and the probe processes the target packet to obtain target data, which is to be sent to an analysis platform for threat intelligence analysis.
Optionally, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; after the analysis platform analyzes the target data uploaded by the probe, a threat event signal is reported; and the target packet corresponding to the target data is acquired from the analysis platform according to the target data.
Optionally, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection being used for data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library according to a preset time period; and the analysis platform pushes the updated threat intelligence library to all registered probes.
Optionally, the probe processing the target packet to obtain the target data includes: the probe names the target packet according to a preset naming rule and stores it locally, where the file name of the target packet comprises at least a UUID and a timestamp; the probe takes the UUID and the timestamp as a Packet ID; the probe adds the Packet ID and its own SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of a target file; and, when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
Optionally, the method further includes: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
Optionally, before the target packet corresponding to the target data is acquired from the analysis platform according to the target data, the method further includes: the analysis platform determines, according to the SN code, the probe corresponding to the target data; the analysis platform sends the Packet ID to the probe; the probe parses the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID; the target file storing the target data is queried according to the timestamp; the target packet corresponding to the target data is queried in the target file according to the UUID and the timestamp; and the target packet corresponding to the target data is sent to the analysis platform. The device herein may be a server, a PC, a PAD, a mobile phone, or the like.
The present application further provides a computer program product adapted to perform, when executed on a data processing device, a program that initializes the following method steps: the probe performs matching analysis on the original traffic against a threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the packet set with the highest probability of belonging to threat intelligence; and the probe processes the target packet to obtain target data, which is to be sent to an analysis platform for threat intelligence analysis.
Optionally, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; after the analysis platform analyzes the target data uploaded by the probe, a threat event signal is reported; and the target packet corresponding to the target data is acquired from the analysis platform according to the target data.
Optionally, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection being used for data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library according to a preset time period; and the analysis platform pushes the updated threat intelligence library to all registered probes.
Optionally, the probe processing the target packet to obtain the target data includes: the probe names the target packet according to a preset naming rule and stores it locally, where the file name of the target packet comprises at least a UUID and a timestamp; the probe takes the UUID and the timestamp as a Packet ID; the probe adds the Packet ID and its own SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of a target file; and, when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
Optionally, the method further includes: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
Optionally, before the target packet corresponding to the target data is acquired from the analysis platform according to the target data, the method further includes: the analysis platform determines, according to the SN code, the probe corresponding to the target data; the analysis platform sends the Packet ID to the probe; the probe parses the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID; the target file storing the target data is queried according to the timestamp; the target packet corresponding to the target data is queried in the target file according to the UUID and the timestamp; and the target packet corresponding to the target data is sent to the analysis platform.
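The storage and trace-back procedure described in the device and computer program product embodiments above (naming by UUID and timestamp, Packet ID, rollover to a new file when the storable space is exhausted, SN-based routing from the analysis platform back to the probe) is shown below as an added Python example; it is not code from the patent or from Hillstone Networks. The Packet ID separator, the in-memory stand-ins for capture files, the per-file byte budget and the sample packets are all assumptions made for the example.

```python
"""Probe-side capture store and analysis-platform trace-back.
Added example modelled on the procedure described above; not code from the patent
or Hillstone Networks. Separator, in-memory "files", byte budget and packets are assumed."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field

PROBE_SN = "SN-EXAMPLE-0001"  # constructed probe serial number (SN code)
PACKET_ID_SEP = "_"            # assumed separator between UUID and timestamp


@dataclass
class CaptureFile:
    """One local capture file, identified by its creation timestamp (assumed)."""
    created_ts: int
    capacity: int                       # storable space when the file is empty
    records: dict[str, bytes] = field(default_factory=dict)  # Packet ID -> packet
    used: int = 0

    def storable_space(self) -> int:
        return self.capacity - self.used


class ProbeStore:
    """Names, stores and looks up target packets on the probe."""

    def __init__(self, file_capacity: int) -> None:
        self.file_capacity = file_capacity
        self.files: list[CaptureFile] = []

    @staticmethod
    def make_packet_id(ts: int) -> str:
        # Naming rule: the file name carries at least a UUID and a timestamp,
        # and the same two fields form the Packet ID.
        return f"{uuid.uuid4().hex}{PACKET_ID_SEP}{ts}"

    @staticmethod
    def parse_packet_id(packet_id: str) -> tuple[str, int]:
        uid, _, ts = packet_id.rpartition(PACKET_ID_SEP)
        if len(uid) != 32 or not ts.isdigit():
            raise ValueError(f"malformed Packet ID: {packet_id!r}")
        return uid, int(ts)

    def store(self, raw: bytes, ts: int) -> str:
        """Store one target packet and return its Packet ID."""
        if len(raw) >= self.file_capacity:
            raise ValueError("packet can never fit in a capture file")
        # Rule from the text: keep using the current file only while the packet
        # is smaller than its storable space; otherwise create a new file.
        if not self.files or len(raw) >= self.files[-1].storable_space():
            self.files.append(CaptureFile(created_ts=ts, capacity=self.file_capacity))
        current = self.files[-1]
        packet_id = self.make_packet_id(ts)
        current.records[packet_id] = raw
        current.used += len(raw)
        return packet_id

    def build_target_data(self, raw: bytes, ts: int, metadata: dict) -> dict:
        # Target data for the analysis platform: metadata plus Packet ID and SN code.
        return {"packet_id": self.store(raw, ts), "sn": PROBE_SN, **metadata}

    def lookup(self, packet_id: str) -> bytes | None:
        """Trace-back: the timestamp selects the file, UUID+timestamp the packet."""
        _uid, ts = self.parse_packet_id(packet_id)
        # A file only holds packets stamped at or after its creation time; scan
        # newest-first because rollover can create two files in the same second.
        for cap in reversed(self.files):
            if cap.created_ts <= ts and packet_id in cap.records:
                return cap.records[packet_id]
        return None


class AnalysisPlatform:
    """Routes a trace-back request to the probe identified by its SN code."""

    def __init__(self) -> None:
        self.probes: dict[str, ProbeStore] = {}

    def register(self, sn: str, probe: ProbeStore) -> None:
        self.probes[sn] = probe  # stands in for the registration message/TCP link

    def fetch_original(self, target_data: dict) -> bytes | None:
        probe = self.probes.get(target_data["sn"])
        return None if probe is None else probe.lookup(target_data["packet_id"])


def demo() -> dict:
    """Round trip over constructed packets; returns values a test can check."""
    probe, platform = ProbeStore(file_capacity=100), AnalysisPlatform()
    platform.register(PROBE_SN, probe)
    # Constructed sample packets (not real traffic): 60, 30 and 50 bytes.
    pkts = [(b"A" * 60, 1_700_000_000), (b"B" * 30, 1_700_000_001), (b"C" * 50, 1_700_000_002)]
    uploaded = [probe.build_target_data(raw, ts, {"ioc": "constructed"}) for raw, ts in pkts]
    fetched = [platform.fetch_original(td) for td in uploaded]
    unknown = platform.fetch_original({"sn": "SN-UNKNOWN", "packet_id": uploaded[0]["packet_id"]})
    return {"files": len(probe.files), "fetched": fetched, "unknown": unknown}
```

With a 100-byte budget the third sample packet no longer fits beside the first two, so `demo()` ends with two capture files and every uploaded record still traces back to its original bytes.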
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A message processing method, characterized in that it comprises the following steps:
a probe performs matching analysis on original traffic against a threat intelligence library and captures a packet set from the original traffic;
a target packet is selected from the packet set, the target packet being the packet in the packet set with the highest probability of belonging to threat intelligence;
the probe processes the target packet to obtain target data, the target data being intended to be sent to an analysis platform for threat intelligence analysis.
2. The method of claim 1, characterized in that, after the probe processes the target packet to obtain the target data, the method further comprises:
the probe uploads the target data to the analysis platform;
after the analysis platform analyzes the target data uploaded by the probe, a threat event signal is reported;
the target packet corresponding to the target data is acquired from the analysis platform according to the target data.
3. The method of claim 1, characterized in that, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further comprises:
the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with the analysis platform, the TCP connection being used for data transmission between the probe and the analysis platform;
the analysis platform updates the threat intelligence library according to a preset time period;
the analysis platform pushes the updated threat intelligence library to all registered probes.
4. The method of claim 2, characterized in that the probe processing the target packet to obtain the target data comprises:
the probe names the target packet according to a preset naming rule and stores it locally, the file name of the target packet comprising at least a UUID and a timestamp;
the probe takes the UUID and the timestamp as a Packet ID;
the probe adds the Packet ID and the SN code of the probe to the target data;
the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
5. The method of claim 4, characterized in that the probe naming the target packet according to the preset naming rule and storing it locally comprises:
determining the storable space of a target file;
when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
6. The method of claim 5, characterized in that it further comprises:
when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
7. The method of claim 4, characterized in that, before the target packet corresponding to the target data is acquired from the analysis platform according to the target data, the method further comprises:
the analysis platform determines, according to the SN code, the probe corresponding to the target data;
the analysis platform sends the Packet ID to the probe;
the probe parses the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID;
the target file storing the target data is queried according to the timestamp;
the target packet corresponding to the target data is queried in the target file according to the UUID and the timestamp;
the target packet corresponding to the target data is sent to the analysis platform.
8. A message processing apparatus, characterized in that it comprises:
a capturing unit, used by the probe to perform matching analysis on original traffic against a threat intelligence library and capture a packet set from the original traffic;
a selecting unit, configured to select a target packet from the packet set, the target packet being the packet in the packet set with the highest probability of belonging to threat intelligence;
a processing unit, configured to have the probe process the target packet to obtain target data, the target data being intended to be sent to an analysis platform for threat intelligence analysis.
9. A storage medium, characterized in that a program is stored thereon, wherein the program executes the message processing method according to any one of claims 1 to 7.
10. A processor, characterized in that the processor is configured to run a program, wherein the program executes the message processing method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111670460.1A CN114301709B (en) 2021-12-30 2021-12-30 Message processing method and device, storage medium and computing equipment

Publications (2)

Publication Number Publication Date
CN114301709A true CN114301709A (en) 2022-04-08
CN114301709B CN114301709B (en) 2024-04-02

Family

ID=80974478

Country Status (1)

Country Link
CN (1) CN114301709B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905261A (en) * 2012-12-26 2014-07-02 中国电信股份有限公司 Protocol characteristic library online updating method and system
CN107995162A (en) * 2017-10-27 2018-05-04 深信服科技股份有限公司 Network security sensory perceptual system, method and readable storage medium storing program for executing
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium
CN112073437A (en) * 2020-10-09 2020-12-11 腾讯科技(深圳)有限公司 Multidimensional security threat event analysis method, device, equipment and storage medium
WO2021017614A1 (en) * 2019-07-31 2021-02-04 平安科技(深圳)有限公司 Threat intelligence data collection and processing method and system, apparatus, and storage medium
CN112788022A (en) * 2020-12-31 2021-05-11 山石网科通信技术股份有限公司 Flow abnormity detection method and device, storage medium and processor

Also Published As

Publication number Publication date
CN114301709B (en) 2024-04-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant