CN114301709B - Message processing method and device, storage medium and computing equipment - Google Patents


Info

Publication number
CN114301709B
Authority
CN
China
Prior art keywords
target
message
probe
analysis platform
target data
Legal status
Active
Application number
CN202111670460.1A
Other languages
Chinese (zh)
Other versions
CN114301709A (en)
Inventor
任丽娜
徐林涛
丁漪涟
孟杨
郑志崇
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Application filed by Hillstone Networks Co Ltd
Priority to CN202111670460.1A
Publication of CN114301709A
Application granted
Publication of CN114301709B


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application discloses a message processing method and device, a storage medium and a computing device. The method comprises the following steps: the probe performs matching analysis on the original flow according to the threat information library, and grabs a message set in the original flow; selecting a target message from the message set, wherein the target message is a message with the highest probability of threat information in the message set; and the probe processes the target message to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information. Through the method and the device, the problem that the performance of the probe is wasted due to the fact that the probe is used for grabbing messages in the related technology and full-flow message grabbing is needed is solved.

Description

Message processing method and device, storage medium and computing equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a method and apparatus for processing a packet, a storage medium, and a computing device.
Background
There are various kinds of threat traffic in the network, and in general network security devices are deployed inside an enterprise to perform traffic analysis and threat detection. Traffic analysis and threat detection based on threat information are currently a common approach. In a network environment in which one analysis platform is deployed to manage a plurality of probes, the threat information is in most cases built into the analysis platform: after the probes send traffic to the analysis platform, the platform performs comprehensive analysis according to built-in rules, algorithms and the like and generates threat events. For detected threat events, tracing and forensics are very important; only when the attack source and the victim of a threat event have been traced effectively can the administrator carry out subsequent handling. When messages are captured by a probe in the prior art, full-traffic message capture is required, which wastes the performance of the probe.
Aiming at the problem that the performance of the probe is wasted due to the fact that the message grabbing is carried out through the probe in the related technology and full-flow message grabbing is needed, no effective solution is proposed at present.
Disclosure of Invention
The main purpose of the present application is to provide a method and apparatus for processing a message, a storage medium, and a computing device, so as to solve the problem that in the related art, the message is captured by a probe, and full-flow message capture is required, resulting in wasting the performance of the probe.
In order to achieve the above object, according to one aspect of the present application, a method for processing a message is provided. The method comprises the following steps: the probe performs matching analysis on the original flow according to the threat information library, and grabs a message set in the original flow; selecting a target message from the message set, wherein the target message is a message with the highest probability of threat information in the message set; and the probe processes the target message to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information.
Further, after the probe processes the target message to obtain target data, the method further includes: the probe uploads the target data to the analysis platform; the analysis platform analyzes the target data uploaded by the probe and then reports a signal of a threat event; and acquiring a target message corresponding to the target data from the analysis platform according to the target data.
Further, before the probe matches the original flow according to the threat information library to obtain the target message, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with the analysis platform, wherein the TCP connection is used for carrying out data transmission between the probe and the analysis platform; the analysis platform updates the threat information library according to a preset time period; and the analysis platform pushes the updated threat information library to all registered probes.
Further, the probe processes the target message to obtain target data, including: the probe names the target message according to a preset naming rule and stores the target message to a local place, wherein the file name of the target message at least comprises: UUID and timestamp; the probe takes the UUID and the timestamp as a Packet ID; the probe adds the Packet ID and the SN code of the probe to the target data; and uploading target data with the Packet ID and the SN code to an analysis platform by the probe.
Further, the naming of the target message by the probe according to a preset naming rule and saving the target message to the local includes: determining a storable space of the target file; and when the storage space occupied by the target message is smaller than the storable space, storing the target message in the target file.
Further, the method further comprises: and when the storage space occupied by the target message is not smaller than the storable space, creating a new file for storing the target message.
Further, before the target message corresponding to the target data is obtained from the analysis platform according to the target data, the method further includes: according to the SN code, determining a probe corresponding to the target data through the analysis platform; the analysis platform sends the Packet ID to the probe; the probe analyzes the Packet ID to obtain a UUID corresponding to the Packet ID and a timestamp corresponding to the Packet ID; inquiring to obtain a target file storing the target data according to the time stamp; inquiring in the target file according to the UUID and the timestamp to obtain a target message corresponding to the target data; and sending the target message corresponding to the target data to the analysis platform.
In order to achieve the above object, according to another aspect of the present application, there is provided a message processing apparatus. The device comprises: the capturing unit is used for carrying out matching analysis on the original flow by the probe according to the threat information library and capturing a message set in the original flow; a selecting unit, configured to select a target message from the message set, where the target message is a message with a maximum probability of belonging to threat information in the message set; the processing unit is used for processing the target message by the probe to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information.
Further, the apparatus further comprises: the sending unit is used for uploading the target data to the analysis platform after the target message is processed by the probe to obtain the target data; the reporting unit is used for reporting a signal of a threat event after the analysis platform analyzes the target data uploaded by the probe; the acquisition unit is used for acquiring the target message corresponding to the target data from the analysis platform according to the target data.
Further, the apparatus further comprises: the first sending unit is used for sending a registration message to the analysis platform by the probe before the probe matches the original flow according to the threat information library to obtain a target message, and establishing a corresponding TCP connection with the analysis platform, wherein the TCP connection is used for carrying out data transmission between the probe and the analysis platform; the updating unit is used for updating the threat information library according to a preset time period by the analysis platform; and the pushing unit is used for pushing the updated threat information library to all registered probes by the analysis platform.
Further, the processing unit includes: the first processing subunit is configured to name and store the target message to a local location according to a preset naming rule by using the probe, where a file name of the target message at least includes: UUID and timestamp; the second processing subunit is used for the probe to take the UUID and the timestamp as a Packet ID; an adding subunit, configured to add, by the probe, the Packet ID and an SN code of the probe to the target data; and the uploading subunit is used for uploading the target data with the Packet ID and the SN code to an analysis platform by the probe.
Further, the first processing subunit includes: the determining module is used for determining the storable space of the target file; and the storage module is used for storing the target message in the target file when the storage space occupied by the target message is smaller than the storable space.
Further, the apparatus further comprises: and the creation unit is used for creating a new file for storing the target message when the storage space occupied by the target message is not smaller than the storable space.
Further, the apparatus further comprises: the determining unit is used for determining a probe corresponding to the target data through the analysis platform according to the SN code before acquiring the target message corresponding to the target data from the analysis platform according to the target data; the second sending unit is used for sending the Packet ID to the probe by the analysis platform; the analysis unit is used for analyzing the Packet ID by the probe to obtain a UUID corresponding to the Packet ID and a timestamp corresponding to the Packet ID; the first query unit is used for querying and obtaining a target file storing the target data according to the timestamp; the second query unit is used for querying the target file according to the UUID and the timestamp to obtain a target message corresponding to the target data; and the third sending unit is used for sending the target message corresponding to the target data to the analysis platform.
To achieve the above object, according to another aspect of the present application, there is provided a computer-readable storage medium storing a program, wherein the program performs the method for processing a message as set forth in any one of the above.
To achieve the above object, according to another aspect of the present application, there is provided a processor, configured to execute a program, where the program executes the method for processing a packet according to any one of the above.
Through the application, the following steps are adopted: the probe performs matching analysis on the original flow according to the threat information library, and grabs a message set in the original flow; selecting a target message from the message set, wherein the target message is the message with the highest probability of threat information in the message set; the probe processes the target message to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information. Through the method and the device, the problem that the performance of the probe is wasted due to the fact that the probe is used for grabbing messages in the related technology and full-flow message grabbing is needed is solved. The probe is matched through the threat information library, the message is grabbed, and the message with the highest threat information probability is selected to be processed and sent to the analysis platform, so that the effect of improving the performance of the probe is achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
fig. 1 is a flowchart of a method for processing a message according to an embodiment of the present application;
FIG. 2 is a flowchart of an alternative message processing method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a message processing apparatus according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, the following will describe some terms or terms related to the embodiments of the present application:
UUID: universally Unique Identifier a universal unique identification code;
packet ID: a packet identifier;
SN: serial Number product Serial Number.
The present invention is described below in connection with preferred implementation steps, and fig. 1 is a flowchart of a method for processing a message according to an embodiment of the present application, as shown in fig. 1, where the method includes the following steps:
Step S101, the probe performs matching analysis on the original flow according to the threat information library, and grabs a message set in the original flow.
The probe performs matching analysis on the original traffic according to the configured threat information library and pre-captures the messages in the original traffic that may be threat information, obtaining a message set.
Step S102, selecting a target message from the message set, wherein the target message is the message with the highest probability of threat information in the message set.
The probe screens the messages in the message set to obtain the target message, namely the message in the set with the highest probability of being threat information, and discards the other messages in the message set.
Step S103, the probe processes the target message to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information.
The probe processes the target message to obtain target data (i.e., metadata). The metadata is used for being sent to the analysis platform so that the analysis platform can conduct threat information analysis.
In summary, the probe performs threat information flow analysis and message grabbing, and compared with full flow grabbing packet storage, only the original message with the highest threat information probability is stored, so that the disk space is saved to a great extent, and the performance of the probe is improved.
Optionally, in the method for processing a message provided in the embodiment of the present application, after the probe processes the target message to obtain the target data, the method further includes: uploading target data to an analysis platform by the probe; analyzing the target data uploaded by the probe by the analysis platform, and reporting a signal of a threat event; and acquiring a target message corresponding to the target data from the analysis platform according to the target data.
For example, one analysis platform may have access to multiple probes, each of which uploads the processed metadata to the analysis platform. And the analysis platform performs overall analysis on the metadata uploaded by all the probes and reports a signal of a threat event. After the analysis platform reports the signal of the threat event, the target message downloading function is provided, and one-to-one downloading can be carried out on the target messages corresponding to all metadata on the analysis platform.
The method has the advantages that the function of downloading the target message on the analysis platform is provided for the threat event detected by the analysis platform, so that the attack source of the threat event can be effectively traced, and the problem that complete tracing cannot be performed on the analysis platform after the analysis platform comprehensively analyzes metadata uploaded by all probes to generate one threat event is solved.
Optionally, in the method for processing a message provided in the embodiment of the present application, before the probe matches the original traffic according to the threat information library to obtain the target message, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with the analysis platform, wherein the TCP connection is used for carrying out data transmission between the probe and the analysis platform; the analysis platform updates the threat information library according to a preset time period; the analysis platform pushes the updated threat information library to all registered probes.
The probe sends a registration message to the analysis platform, and an encrypted TCP connection is established between the probe and the analysis platform for data transmission. After the connection is established, the analysis platform pushes the threat information library to the probe, and the probe receives and installs it. The probe periodically sends heartbeat messages to the analysis platform to keep the TCP connection alive. The analysis platform periodically downloads and updates the threat information library from the cloud and, after updating, pushes the new library to all registered probes; each probe installs the pushed library in place of its previous copy.
Because the probe configures and updates its threat information library in this way, it can match the original traffic more accurately and therefore capture messages accurately.
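The registration, library push and heartbeat exchange described above, modelled as an added Python example that is not the patent's or Hillstone's code: the encrypted TCP transport is abstracted away, the message field names, class names and the heartbeat timeout are assumptions, and the cloud feed is a constructed set of indicators.

```python
from typing import Dict, List, Optional, Set, Tuple


class Probe:
    """Probe side: registers, installs pushed libraries, sends keepalive heartbeats."""

    def __init__(self, sn_code: str) -> None:
        self.sn_code = sn_code
        self.library_version: Optional[int] = None
        self.indicators: Set[str] = set()           # installed threat information entries

    def register_message(self) -> dict:
        return {"type": "register", "sn": self.sn_code}

    def heartbeat_message(self, now: int) -> dict:
        return {"type": "heartbeat", "sn": self.sn_code, "ts": now}

    def install(self, push: dict) -> bool:
        """Install a pushed library; refuse anything not newer than what is installed,
        so a replayed or out-of-order push cannot roll the probe back."""
        if self.library_version is not None and push["version"] <= self.library_version:
            return False
        self.library_version = push["version"]
        self.indicators = set(push["indicators"])
        return True


class AnalysisPlatform:
    """Platform side: probe registry, periodic library refresh, push to registered probes."""

    def __init__(self, update_period: int, heartbeat_timeout: int, seed: Set[str]) -> None:
        self.update_period = update_period          # the patent's "preset time period"
        self.heartbeat_timeout = heartbeat_timeout  # assumption: how long a silent probe stays registered
        self.library_version = 1
        self.indicators: Set[str] = set(seed)
        self.last_update = 0
        self.registered: Dict[str, int] = {}        # SN code -> time of last message seen

    def library_push(self) -> dict:
        return {"type": "library", "version": self.library_version,
                "indicators": sorted(self.indicators)}

    def handle(self, msg: dict, now: int) -> Optional[dict]:
        """Process one probe message; a registration gets the current library pushed back."""
        if msg["type"] == "register":
            self.registered[msg["sn"]] = now
            return self.library_push()
        if msg["type"] == "heartbeat":
            if msg["sn"] not in self.registered:
                raise ValueError(f"heartbeat from unregistered probe {msg['sn']}")
            self.registered[msg["sn"]] = now
            return None
        raise ValueError(f"unknown message type {msg['type']!r}")

    def expire_silent_probes(self, now: int) -> List[str]:
        """Drop probes whose last message is older than the heartbeat timeout.
        A probe that falls out of the registry stops receiving library updates."""
        dead = sorted(sn for sn, last in self.registered.items()
                      if now - last > self.heartbeat_timeout)
        for sn in dead:
            del self.registered[sn]
        return dead

    def tick(self, now: int, cloud_feed: Set[str]) -> List[Tuple[str, dict]]:
        """Periodic refresh from the cloud feed (constructed here as a plain set); returns
        (SN code, push) pairs for every registered probe when the library changed."""
        if now - self.last_update < self.update_period:
            return []
        self.last_update = now
        if cloud_feed == self.indicators:
            return []                               # nothing new, nothing to push
        self.indicators = set(cloud_feed)
        self.library_version += 1
        return [(sn, self.library_push()) for sn in sorted(self.registered)]
```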
Optionally, in the method for processing a message provided in the embodiment of the present application, a probe processes a target message to obtain target data, including: the probe names and stores the target message to the local according to a preset naming rule, wherein the file name of the target message at least comprises: UUID and timestamp; the probe takes UUID and a timestamp as a Packet ID; the probe adds the Packet ID and the SN code of the probe to the target data; the probe uploads the target data with the Packet ID and SN code to the analysis platform.
After the probe obtains the target message, it names the message according to a specific rule and stores it locally; the naming rule must guarantee that the file names of all target messages differ. The stored file name consists of a UUID and the current system timestamp. For example, if the current system time is 2021-09-15 19:20:54, the corresponding timestamp is 1631704854000, and the UUID generated at that moment is 0d6ad54e-58cb-411e-90c3-dbc541aa7d33, then the current target message is saved under the name 0d6ad54e-58cb-411e-90c3-dbc541aa7d33+1631704854000. The file name of the target message is then used as the Packet ID. The Packet ID and the SN code of the probe are added to the metadata, and the metadata carrying the Packet ID and the SN code is uploaded to the analysis platform.
The SN code of the probe together with the Packet ID guarantees that the subsequent download retrieves the right target message.
Optionally, in the method for processing a message provided in the embodiment of the present application, naming and storing, by a probe, a target message according to a preset naming rule, where the naming and storing include: determining a storable space of the target file; and when the storage space occupied by the target message is smaller than the storable space, storing the target message in the target file.
A plurality of target messages are stored in one file. The storable space of each file is set according to the actual conditions of the probe and of the network traffic. When a target message is stored, if the storage space it occupies is smaller than the storable space of the file, the message is stored in that file; otherwise a new file is created to store it. The name of a file is the timestamp in the name of the first message saved in it. For example, let the storable space of the file storing target messages be a, and let the first target message to be stored be named 0d6ad54e-58cb-411e-90c3-dbc541aa7d33+163170485400; since the storage space occupied by this first message is smaller than the storable space a of the file, the message is stored in the file and the file is named 163170485400.
Saving target messages in files created this way saves storage space and allows a target message to be looked up quickly.
Optionally, in the method for processing a message provided in the embodiment of the present application, the method further includes: when the storage space occupied by the target message is not smaller than the storable space, a new file is created and used for storing the target message.
When the target message 0d6ad54e-58cb-411e-90c3-dbc541aa8b56+16317148555 is to be saved and the storage space it occupies is larger than the storable space of the file 1631714854000, a new file is created and 0d6ad54e-58cb-411e-90c3-dbc541aa8b56+163171485555 is saved in it.
Optionally, in the method for processing a message provided in the embodiment of the present application, before acquiring, according to target data, a target message corresponding to the target data from an analysis platform, the method further includes: according to the SN code, determining a probe corresponding to the target data through an analysis platform; the analysis platform sends the Packet ID to the probe; the probe analyzes the Packet ID to obtain a UUID corresponding to the Packet ID and a timestamp corresponding to the Packet ID; inquiring to obtain a target file for storing target data according to the time stamp; inquiring in the target file according to the UUID and the time stamp to obtain a target message corresponding to the target data; and sending the target message corresponding to the target data to an analysis platform.
The analysis platform determines the probe corresponding to the metadata according to the SN code. When the probe receives a message download request from the analysis platform, it parses the timestamp out of the Packet ID sent by the platform, finds among all files storing messages the file whose timestamp name has the smallest difference from that timestamp, then finds the corresponding target message in that file according to the Packet ID and returns it to the analysis platform. For example, suppose the probe has three files storing messages, named 163170485400, 163170888888 and 163176666666 respectively.
Messages stored in 163170485400:
0d6ad54e-58cb-411e-90c3-dbc541aa7d33+163170485400
0d6ad54e-58cb-411e-90c3-dbc541aa7d55+163170486666
0d6ad54e-58cb-411e-90c3-dbc541aa7d77+163170487777
Messages stored in 163170888888:
0d6ad54e-58cb-411e-90c3-dbc541aaaaaa+163170888888
0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999
0d6ad54e-58cb-411e-90c3-dbc541aaaaa5+163170881000
Messages stored in 163176666666:
0d6ad54e-58cb-411e-90c3-dbc541aabbcc+163176666666
0d6ad54e-58cb-411e-90c3-dbc541aabba1+163176666777
The probe receives a message download request from the analysis platform with Packet ID 0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999. The probe parses the timestamp in the Packet ID, namely 163170888999, then finds among the stored files those whose names are smaller than 163170888999, namely 163170485400 and 163170888888; of these, the one whose name has the smaller difference from 163170888999 is 163170888888, so the target file is 163170888888. The probe then finds the corresponding message 0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999 in 163170888888 according to the Packet ID and returns it to the analysis platform.
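An added Python model, not the patent's or Hillstone's code, of the naming rule, the grouping of messages into files by storable space and the download lookup described above, replayed on the eight Packet IDs and three files the patent lists. The class and method names are assumptions, "storable space" is read as the space remaining in the current file, and the fallback scan for a message whose timestamp precedes its file's name is an addition the patent does not describe.

```python
import time
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PacketFile:
    """One file on the probe; its name is the timestamp of the first message it holds."""
    name: int
    capacity: int                                   # storable space ("a" in the patent), in bytes
    used: int = 0
    packets: Dict[str, bytes] = field(default_factory=dict)   # Packet ID -> raw message


class PacketStore:
    """Hypothetical in-memory model of the probe's local target-message storage."""

    def __init__(self, sn_code: str, capacity: int) -> None:
        self.sn_code = sn_code              # probe SN code, attached to every metadata record
        self.capacity = capacity
        self.files: List[PacketFile] = []   # creation order, so files[-1] is the current file

    def save(self, raw: bytes, ts_ms: Optional[int] = None,
             packet_uuid: Optional[str] = None) -> str:
        """Store a target message and return its Packet ID, '<UUID>+<timestamp>'.
        ts_ms and packet_uuid default to the system clock and a fresh UUID4 and can be
        given explicitly so that the replay below is reproducible."""
        ts = int(time.time() * 1000) if ts_ms is None else ts_ms
        u = str(uuid.uuid4()) if packet_uuid is None else packet_uuid
        packet_id = f"{u}+{ts}"
        current = self.files[-1] if self.files else None
        # The patent keeps writing into the current file while the message is still
        # smaller than the storable space and otherwise creates a new file named after
        # this message's timestamp. "Storable space" is read here as the space left in
        # the file, an assumption of this example.
        if current is None or current.used + len(raw) >= current.capacity:
            current = PacketFile(name=ts, capacity=self.capacity)
            self.files.append(current)
        current.packets[packet_id] = raw
        current.used += len(raw)
        return packet_id

    def metadata(self, packet_id: str, **fields) -> dict:
        """Target data for the platform: extracted fields plus Packet ID and SN code."""
        return {"packet_id": packet_id, "sn": self.sn_code, **fields}

    @staticmethod
    def parse_packet_id(packet_id: str) -> Tuple[str, int]:
        """Split a Packet ID back into (UUID, timestamp), rejecting malformed input."""
        u, sep, ts = packet_id.rpartition("+")
        if not sep or not ts.isdigit():
            raise ValueError(f"malformed Packet ID: {packet_id!r}")
        uuid.UUID(u)                        # raises ValueError if the UUID part is not one
        return u, int(ts)

    def locate_file(self, ts: int) -> Optional[PacketFile]:
        """The file whose timestamp name is not above ts and closest to it."""
        candidates = [f for f in self.files if f.name <= ts]
        return max(candidates, key=lambda f: f.name) if candidates else None

    def lookup(self, packet_id: str) -> Optional[bytes]:
        """Answer the platform's download request: Packet ID -> raw message, or None."""
        _, ts = self.parse_packet_id(packet_id)
        f = self.locate_file(ts)
        if f is not None and packet_id in f.packets:
            return f.packets[packet_id]
        # Fallback not in the patent: if the probe clock stepped backwards, a message
        # can carry a timestamp older than its file's name and the nearest-file rule
        # misses it, so scan every file before reporting the message as absent.
        for f in self.files:
            if packet_id in f.packets:
                return f.packets[packet_id]
        return None


# Constructed data: the eight Packet IDs the patent lists, replayed in order with
# 10-byte payloads and a 31-byte storable space so exactly three messages fit per file.
EXAMPLE_IDS = [
    "0d6ad54e-58cb-411e-90c3-dbc541aa7d33+163170485400",
    "0d6ad54e-58cb-411e-90c3-dbc541aa7d55+163170486666",
    "0d6ad54e-58cb-411e-90c3-dbc541aa7d77+163170487777",
    "0d6ad54e-58cb-411e-90c3-dbc541aaaaaa+163170888888",
    "0d6ad54e-58cb-411e-90c3-dbc541aaaaa4+163170888999",
    "0d6ad54e-58cb-411e-90c3-dbc541aaaaa5+163170881000",
    "0d6ad54e-58cb-411e-90c3-dbc541aabbcc+163176666666",
    "0d6ad54e-58cb-411e-90c3-dbc541aabba1+163176666777",
]


def build_example_store() -> PacketStore:
    """Replay the constructed data; SN-EXAMPLE-0001 is a made-up probe SN code."""
    store = PacketStore(sn_code="SN-EXAMPLE-0001", capacity=31)
    for pid in EXAMPLE_IDS:
        u, ts = PacketStore.parse_packet_id(pid)
        store.save(str(ts)[-10:].encode(), ts_ms=ts, packet_uuid=u)   # payload: last 10 digits
    return store
```

build_example_store() reproduces the three files 163170485400, 163170888888 and 163176666666; the sixth Packet ID, whose timestamp is older than its file's name, is only found through the fallback scan.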
According to the message processing method provided by the embodiment of the application, the probe is used for carrying out matching analysis on the original flow according to the threat information library, and the message set in the original flow is grabbed; selecting a target message from the message set, wherein the target message is the message with the highest probability of threat information in the message set; the probe processes the target message to obtain target data, wherein the target data is used for being sent to an analysis platform to analyze threat information. Through the method and the device, the problem that the performance of the probe is wasted due to the fact that the probe is used for grabbing messages in the related technology and full-flow message grabbing is needed is solved. The probe is matched through the threat information library, the message is grabbed, and the message with the highest threat information probability is selected to be processed and sent to the analysis platform, so that the effect of improving the performance of the probe is achieved.
Fig. 2 is a flowchart of an alternative message processing method according to an embodiment of the present application. Network traffic is mirrored to the probe device (probes may be deployed at different locations depending on the network scenario). The probe analyzes the original traffic according to the threat information library to obtain target messages and stores them, then processes the target messages to obtain metadata. The metadata is sent to the analysis platform; after the analysis platform has received the metadata sent by the plurality of probes, it analyzes them together and reports a signal of a threat event. The original message corresponding to each piece of metadata can be downloaded on the analysis platform for threat tracing.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides a message processing device, and it should be noted that the message processing device of the embodiment of the application can be used for executing the message processing method provided by the embodiment of the application. The following describes a message processing apparatus provided in an embodiment of the present application.
Fig. 3 is a schematic diagram of a message processing apparatus according to an embodiment of the present application. As shown in fig. 3, the apparatus includes: a grabbing unit 801, a selecting unit 802 and a processing unit 803.
And the grabbing unit 801 is used for carrying out matching analysis on the original flow by the probe according to the threat information library, and grabbing a message set in the original flow.
A selecting unit 802, configured to select a target message from the message set, where the target message is a message with a maximum probability of belonging to threat information in the message set.
And the processing unit 803 is used for processing the target message by the probe to obtain target data, wherein the target data is used for being sent to the analysis platform for threat information analysis.
According to the message processing apparatus provided by the embodiment of the application, the grabbing unit 801 has the probe perform matching analysis on the original traffic according to the threat information library and capture a message set from the original traffic; the selecting unit 802 selects a target message from the message set, the target message being the message with the highest probability of belonging to threat information in the message set; and the processing unit 803 has the probe process the target message to obtain target data, the target data being sent to the analysis platform to analyze threat information. This solves the problem in the related art that full-traffic message capture is required when the probe captures messages, which wastes the performance of the probe: the probe performs matching against the threat information library to capture messages, and the message with the highest threat information probability is selected, processed and sent to the analysis platform, thereby improving the performance of the probe.
Optionally, the packet processing apparatus provided by this embodiment further includes: a sending unit, used by the probe to upload the target data to the analysis platform after the probe has processed the target packet into target data; a reporting unit, used by the analysis platform to report a threat event signal after analyzing the target data uploaded by the probe; and an acquiring unit, used to retrieve, through the analysis platform and according to the target data, the target packet corresponding to that target data.
Optionally, the apparatus further includes: a first sending unit, used by the probe, before it matches the original traffic against the threat intelligence library to obtain the target packet, to send a registration message to the analysis platform and establish a corresponding TCP connection with it, where the TCP connection carries the data transmission between the probe and the analysis platform; an updating unit, used by the analysis platform to update the threat intelligence library at a preset time interval; and a pushing unit, used by the analysis platform to push the updated threat intelligence library to all registered probes.
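Registration over TCP followed by a push of the updated library to every registered probe, as an added Python example that is not the patent's code; both sides of the exchange run in one process (the same steps are restated later in the page and in claims 3 and 8). The frame format (4-byte length prefix plus JSON), the message types, the library contents and the SN values are assumptions. The page specifies neither authentication of the registration message nor encryption of the connection, and this example does not add them; in a deployment the SN would be bound to a client certificate on a mutually authenticated TLS connection, because the platform later routes retrieval requests by SN.

```python
"""Probe registration over TCP and push of an updated threat-intelligence
library to every registered probe (added example, not the patent's code;
frame format, message types, library contents and SN values are assumptions)."""
import json
import socket
import struct
import threading
from typing import Dict, List, Optional

HDR = struct.Struct("!I")   # 4-byte big-endian length prefix
MAX_FRAME = 1 << 20         # bound memory before trusting a peer's length field


def send_frame(sock: socket.socket, obj: dict) -> None:
    data = json.dumps(obj, separators=(",", ":")).encode()
    sock.sendall(HDR.pack(len(data)) + data)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return bytes(buf)


def recv_frame(sock: socket.socket) -> dict:
    (n,) = HDR.unpack(_recv_exact(sock, HDR.size))
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, n))


class AnalysisPlatform:
    def __init__(self) -> None:
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen()
        self.port = self.srv.getsockname()[1]
        self.registered: Dict[str, socket.socket] = {}   # SN -> its TCP connection
        self.lock = threading.Lock()
        self.intel = {"version": 1, "indicators": ["203.0.113.5"]}
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:   # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        """The first frame must be a registration; anything else is dropped."""
        try:
            msg = recv_frame(conn)
        except (ConnectionError, ValueError):
            conn.close()
            return
        if msg.get("type") != "register" or not isinstance(msg.get("sn"), str):
            conn.close()
            return
        with self.lock:
            self.registered[msg["sn"]] = conn
        send_frame(conn, {"type": "register_ack", "sn": msg["sn"]})

    def update_and_push(self, new_indicators: List[str]) -> int:
        """Periodic library update, then push to all registered probes;
        probes whose connection is gone are dropped from the registry."""
        with self.lock:
            merged = sorted(set(self.intel["indicators"]) | set(new_indicators))
            self.intel = {"version": self.intel["version"] + 1, "indicators": merged}
            dead = []
            for sn, conn in self.registered.items():
                try:
                    send_frame(conn, {"type": "intel_update", **self.intel})
                except OSError:
                    dead.append(sn)
            for sn in dead:
                self.registered.pop(sn).close()
            return self.intel["version"]

    def close(self) -> None:
        self.srv.close()


class Probe:
    def __init__(self, sn: str, port: int) -> None:
        self.sn, self.intel = sn, None
        self.sock = socket.create_connection(("127.0.0.1", port))
        send_frame(self.sock, {"type": "register", "sn": sn})
        if recv_frame(self.sock) != {"type": "register_ack", "sn": sn}:
            raise RuntimeError("registration rejected")

    def receive_update(self) -> Optional[dict]:
        msg = recv_frame(self.sock)
        if msg.get("type") == "intel_update":
            self.intel = msg
        return self.intel


def run_exchange(n_probes: int = 2) -> dict:
    """Register n probes, push one update, report what each probe now holds."""
    platform = AnalysisPlatform()
    probes = [Probe(f"SN-{i:04d}", platform.port) for i in range(n_probes)]
    version = platform.update_and_push(["bad.example"])
    received = [p.receive_update() for p in probes]
    for p in probes:
        p.sock.close()
    platform.close()
    return {"version": version, "probe_versions": [r["version"] for r in received],
            "indicators": received[0]["indicators"], "registered": sorted(platform.registered)}


if __name__ == "__main__":
    print(run_exchange())
```

The platform only records an SN after the registration frame has been parsed and validated, and the probe treats the connection as established only after the acknowledgement arrives, so by the time the push runs every probe is in the registry; the length check in recv_frame is the one defensive measure a practitioner would insist on even on a trusted link.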
Optionally, in the packet processing apparatus provided by this embodiment, the processing unit includes: a first processing subunit, configured for the probe to name the target packet according to a preset naming rule and store it locally, where the file name of the target packet includes at least a UUID and a timestamp; a second processing subunit, used by the probe to take the UUID and the timestamp as the Packet ID; an adding subunit, used by the probe to add the Packet ID and the probe's own SN code to the target data; and an uploading subunit, used by the probe to upload the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, the first processing subunit includes: a determining module, used to determine the storable space of the target file; and a storage module, used to store the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
Optionally, the apparatus further includes a creating unit, used to create a new file for storing the target packet when the storage space occupied by the target packet is not smaller than the storable space.
Optionally, the apparatus further includes: a determining unit, used to determine, through the analysis platform and according to the SN code, the probe corresponding to the target data before the target packet corresponding to the target data is retrieved through the analysis platform; a second sending unit, used by the analysis platform to send the Packet ID to that probe; a parsing unit, used by the probe to parse the Packet ID into the UUID and the timestamp it carries; a first query unit, used to locate, according to the timestamp, the target file storing the target data; a second query unit, used to query the target file according to the UUID and the timestamp for the target packet corresponding to the target data; and a third sending unit, used to send the target packet corresponding to the target data to the analysis platform.
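The naming, rotation and retrieval steps above, as one added Python example that is not the patent's code (the same steps are restated later in the page and in claims 1, 4, 5, 6, 9 and 10). Assumed: the Packet ID is the text "<uuid4>-<unix milliseconds>", a target file is an append-only log named after the timestamp of its first record, each record is "<Packet ID>|<hex payload>", timestamps are non-decreasing, and the SN code, the file-size limit and the sample payloads are constructed. The in-process registry stands in for the TCP connection the platform holds for each registered probe.

```python
"""Probe-side storage of a target packet under a UUID+timestamp name, file
rotation on a storable-space limit, and retrieval of the original packet by
Packet ID via the analysis platform (added example, not the patent's code).

Assumptions: Packet ID = "<uuid4>-<unix ms>"; a target file is an append-only
log named after the timestamp of its first record; records are
"<Packet ID>|<hex payload>\n"; timestamps are non-decreasing; the SN code,
size limit and payloads below are constructed."""
import tempfile
import uuid
from pathlib import Path
from typing import Dict, Optional


class ProbeStore:
    def __init__(self, root: Path, sn: str, max_file_bytes: int):
        self.root, self.sn, self.max_file_bytes = Path(root), sn, max_file_bytes
        self.current: Optional[Path] = None

    @staticmethod
    def make_packet_id(ts_ms: int, uid: Optional[uuid.UUID] = None) -> str:
        return f"{uid or uuid.uuid4()}-{ts_ms}"

    @staticmethod
    def parse_packet_id(packet_id: str):
        """Strict parse into a UUID and an int: a Packet ID received from the
        platform is never used as free-form text that could become a path."""
        uid_str, _, ts_str = packet_id.rpartition("-")
        return uuid.UUID(uid_str), int(ts_str)

    def _storable_space(self) -> int:
        if self.current is None or not self.current.exists():
            return 0
        return self.max_file_bytes - self.current.stat().st_size

    def store(self, raw: bytes, ts_ms: int) -> Dict[str, str]:
        """Name the packet, append it (rotating when it does not fit) and
        build the target data that goes to the platform."""
        packet_id = self.make_packet_id(ts_ms)
        record = f"{packet_id}|{raw.hex()}\n".encode()
        if len(record) >= self._storable_space():
            self.current = self.root / f"pkts-{int(ts_ms)}.log"   # new target file
            self.current.touch()
        with self.current.open("ab") as fh:
            fh.write(record)
        return {"packet_id": packet_id, "sn": self.sn, "summary": raw[:8].hex()}

    def _file_for_timestamp(self, ts_ms: int) -> Optional[Path]:
        """Latest target file whose first-record timestamp is <= ts_ms."""
        chosen = None
        for p in sorted(self.root.glob("pkts-*.log"),
                        key=lambda p: int(p.stem.split("-")[1])):
            if int(p.stem.split("-")[1]) <= ts_ms:
                chosen = p
        return chosen

    def lookup(self, packet_id: str) -> Optional[bytes]:
        """Probe side of retrieval: timestamp -> file, UUID+timestamp -> record."""
        uid, ts_ms = self.parse_packet_id(packet_id)
        path = self._file_for_timestamp(ts_ms)
        if path is None:
            return None
        want = f"{uid}-{ts_ms}|"
        with path.open("r") as fh:
            for line in fh:
                if line.startswith(want):
                    return bytes.fromhex(line[len(want):].strip())
        return None


class AnalysisPlatform:
    """Platform side: route a Packet ID only to the probe registered under the
    SN carried in the target data; the dict stands in for the per-probe TCP link."""
    def __init__(self):
        self.probes: Dict[str, ProbeStore] = {}

    def register(self, probe: ProbeStore) -> None:
        self.probes[probe.sn] = probe

    def fetch_original(self, target_data: Dict[str, str]) -> Optional[bytes]:
        probe = self.probes.get(target_data.get("sn", ""))
        if probe is None:
            return None   # unknown SN: do not guess which probe to ask
        return probe.lookup(target_data["packet_id"])


def demo(max_file_bytes: int = 200) -> dict:
    """Store three 16-byte payloads, then fetch them back through the platform."""
    with tempfile.TemporaryDirectory() as d:
        store = ProbeStore(Path(d), sn="SN-TEST-0001", max_file_bytes=max_file_bytes)
        platform = AnalysisPlatform()
        platform.register(store)
        tds = [store.store(bytes([i]) * 16, ts_ms=1_700_000_000_000 + i) for i in range(3)]
        return {
            "files": sorted(p.name for p in Path(d).glob("pkts-*.log")),
            "roundtrip": [platform.fetch_original(td) for td in tds],
            "unknown_sn": platform.fetch_original({"sn": "SN-OTHER", "packet_id": tds[0]["packet_id"]}),
        }


if __name__ == "__main__":
    print(demo())
```

Each record is 84 bytes, so with a 200-byte limit the second packet is appended to the first file and the third packet forces a new file named after its own timestamp; a lookup for the second packet still lands in the first file because the search picks the latest file whose starting timestamp does not exceed the one in the Packet ID. The platform refuses to resolve a Packet ID whose SN it has not registered, and the probe parses the Packet ID into a UUID and an integer before touching the filesystem, which is the check that keeps a malformed identifier from being turned into a path.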
The packet processing apparatus includes a processor and a memory; the capturing unit 801, the selecting unit 802, the processing unit 803 and the other units are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor includes one or more cores, and a core fetches the corresponding program unit from the memory. One or more cores may be configured, and the packet processing work is carried out by adjusting the core parameters.
The memory may include volatile memory, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory, among other forms of computer-readable media; the memory includes at least one memory chip.
An embodiment of the invention provides a storage medium on which a program is stored; when executed by a processor, the program implements the packet processing method described above.
An embodiment of the invention provides a processor for running a program; when run, the program executes the packet processing method described above.
An embodiment of the invention provides a device including a processor, a memory and a program stored in the memory and runnable on the processor; when executing the program, the processor implements the following steps: the probe performs matching analysis on the original traffic according to the threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of matching threat intelligence; and the probe processes the target packet to obtain target data, which is to be sent to the analysis platform for threat intelligence analysis.
Optionally, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; the analysis platform analyzes the target data uploaded by the probe and reports a threat event signal; and the target packet corresponding to the target data is retrieved, through the analysis platform, according to the target data.
Optionally, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection carrying the data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library at a preset time interval; and the analysis platform pushes the updated threat intelligence library to all registered probes.
Optionally, the probe processing the target packet to obtain target data includes: the probe names the target packet according to a preset naming rule and stores it locally, the file name of the target packet including at least a UUID and a timestamp; the probe takes the UUID and the timestamp as the Packet ID; the probe adds the Packet ID and its own SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of the target file; and storing the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
Optionally, the method further includes: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
Optionally, before the target packet corresponding to the target data is retrieved through the analysis platform, the method further includes: determining, through the analysis platform and according to the SN code, the probe corresponding to the target data; the analysis platform sends the Packet ID to that probe; the probe parses the Packet ID into the UUID and the timestamp it carries; the target file storing the target data is located according to the timestamp; the target file is queried according to the UUID and the timestamp for the target packet corresponding to the target data; and the target packet corresponding to the target data is sent to the analysis platform. The device herein may be a server, a PC, a tablet, a mobile phone, etc.
The present application also provides a computer program product adapted, when executed on a data processing device, to run a program initialized with the following method steps: the probe performs matching analysis on the original traffic according to the threat intelligence library and captures a packet set from the original traffic; a target packet is selected from the packet set, the target packet being the packet in the set with the highest probability of matching threat intelligence; and the probe processes the target packet to obtain target data, which is to be sent to the analysis platform for threat intelligence analysis.
Optionally, after the probe processes the target packet to obtain the target data, the method further includes: the probe uploads the target data to the analysis platform; the analysis platform analyzes the target data uploaded by the probe and reports a threat event signal; and the target packet corresponding to the target data is retrieved, through the analysis platform, according to the target data.
Optionally, before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further includes: the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with it, the TCP connection carrying the data transmission between the probe and the analysis platform; the analysis platform updates the threat intelligence library at a preset time interval; and the analysis platform pushes the updated threat intelligence library to all registered probes.
Optionally, the probe processing the target packet to obtain target data includes: the probe names the target packet according to a preset naming rule and stores it locally, the file name of the target packet including at least a UUID and a timestamp; the probe takes the UUID and the timestamp as the Packet ID; the probe adds the Packet ID and its own SN code to the target data; and the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform.
Optionally, the probe naming the target packet according to the preset naming rule and storing it locally includes: determining the storable space of the target file; and storing the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
Optionally, the method further includes: when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
Optionally, before the target packet corresponding to the target data is retrieved through the analysis platform, the method further includes: determining, through the analysis platform and according to the SN code, the probe corresponding to the target data; the analysis platform sends the Packet ID to that probe; the probe parses the Packet ID into the UUID and the timestamp it carries; the target file storing the target data is located according to the timestamp; the target file is queried according to the UUID and the timestamp for the target packet corresponding to the target data; and the target packet corresponding to the target data is sent to the analysis platform.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, etc., such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (12)

1. A method for processing a packet, comprising:
the probe performs matching analysis on the original traffic according to the threat intelligence library and captures a packet set from the original traffic;
selecting a target packet from the packet set, wherein the target packet is the packet in the packet set with the highest probability of matching threat intelligence;
the probe processes the target packet to obtain target data, wherein the target data is to be sent to an analysis platform for threat intelligence analysis;
wherein, after the probe processes the target packet to obtain the target data, the method further comprises:
the probe names the target packet according to a preset naming rule and stores it locally, wherein the file name of the target packet comprises at least a UUID and a timestamp;
the probe takes the UUID and the timestamp as a Packet ID;
the probe adds the Packet ID and the SN code of the probe to the target data;
the probe uploads the target data carrying the Packet ID and the SN code to the analysis platform;
and after the probe processes the target packet to obtain the target data, the method further comprises:
determining, through the analysis platform and according to the SN code, the probe corresponding to the target data;
the analysis platform sends the Packet ID to the probe;
the probe parses the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID;
locating, according to the timestamp, the target file storing the target data;
querying the target file according to the UUID and the timestamp to obtain the target packet corresponding to the target data;
sending the target packet corresponding to the target data to the analysis platform;
and retrieving, through the analysis platform and according to the target data, the target packet corresponding to the target data.
2. The method of claim 1, wherein after the probe processes the target packet to obtain the target data, the method further comprises:
the probe uploads the target data to the analysis platform;
and after analyzing the target data uploaded by the probe, the analysis platform reports a threat event signal.
3. The method of claim 1, wherein before the probe matches the original traffic against the threat intelligence library to obtain the target packet, the method further comprises:
the probe sends a registration message to the analysis platform and establishes a corresponding TCP connection with the analysis platform, wherein the TCP connection is used for data transmission between the probe and the analysis platform;
the analysis platform updates the threat intelligence library at a preset time interval;
and the analysis platform pushes the updated threat intelligence library to all registered probes.
4. The method of claim 1, wherein the probe naming the target packet according to the preset naming rule and storing it locally comprises:
determining the storable space of the target file;
and when the storage space occupied by the target packet is smaller than the storable space, storing the target packet in the target file.
5. The method of claim 4, further comprising:
when the storage space occupied by the target packet is not smaller than the storable space, creating a new file for storing the target packet.
6. A packet processing apparatus, comprising:
a capturing unit, used by the probe to perform matching analysis on the original traffic according to the threat intelligence library and to capture a packet set from the original traffic;
a selecting unit, configured to select a target packet from the packet set, wherein the target packet is the packet in the packet set with the highest probability of matching threat intelligence;
a processing unit, used by the probe to process the target packet to obtain target data, wherein the target data is to be sent to an analysis platform for threat intelligence analysis;
wherein the apparatus further comprises: a first processing subunit, configured for the probe, after processing the target packet to obtain the target data, to name the target packet according to a preset naming rule and store it locally, wherein the file name of the target packet comprises at least a UUID and a timestamp; a second processing subunit, used by the probe to take the UUID and the timestamp as a Packet ID; an adding subunit, used by the probe to add the Packet ID and the SN code of the probe to the target data; and an uploading subunit, used by the probe to upload the target data carrying the Packet ID and the SN code to the analysis platform;
wherein the apparatus further comprises: a determining unit, used to determine, through the analysis platform and according to the SN code, the probe corresponding to the target data before the target packet corresponding to the target data is retrieved through the analysis platform; a second sending unit, used by the analysis platform to send the Packet ID to the probe; a parsing unit, used by the probe to parse the Packet ID to obtain the UUID corresponding to the Packet ID and the timestamp corresponding to the Packet ID; a first query unit, used to locate, according to the timestamp, the target file storing the target data; a second query unit, used to query the target file according to the UUID and the timestamp to obtain the target packet corresponding to the target data; and a third sending unit, used to send the target packet corresponding to the target data to the analysis platform;
and the apparatus further comprises: an acquiring unit, used to retrieve, through the analysis platform and according to the target data, the target packet corresponding to the target data.
7. The apparatus of claim 6, further comprising:
a sending unit, used by the probe to upload the target data to the analysis platform after the probe processes the target packet to obtain the target data;
and a reporting unit, used by the analysis platform to report a threat event signal after analyzing the target data uploaded by the probe.
8. The apparatus of claim 6, further comprising:
a first sending unit, used by the probe to send a registration message to the analysis platform and establish a corresponding TCP connection with the analysis platform before the probe matches the original traffic against the threat intelligence library to obtain the target packet, wherein the TCP connection is used for data transmission between the probe and the analysis platform;
an updating unit, used by the analysis platform to update the threat intelligence library at a preset time interval;
and a pushing unit, used by the analysis platform to push the updated threat intelligence library to all registered probes.
9. The apparatus of claim 6, wherein the first processing subunit comprises:
a determining module, used to determine the storable space of the target file;
and a storage module, used to store the target packet in the target file when the storage space occupied by the target packet is smaller than the storable space.
10. The apparatus of claim 9, further comprising:
a creating unit, used to create a new file for storing the target packet when the storage space occupied by the target packet is not smaller than the storable space.
11. A storage medium storing a program, wherein the program, when executed by a processor, implements the packet processing method according to any one of claims 1 to 5.
12. A computing device comprising one or more processors configured to execute a program, wherein the program, when executed by the processor, implements the packet processing method according to any one of claims 1 to 5.
CN202111670460.1A 2021-12-30 2021-12-30 Message processing method and device, storage medium and computing equipment Active CN114301709B (en)

Publications (2)

Publication Number Publication Date
CN114301709A CN114301709A (en) 2022-04-08
CN114301709B true CN114301709B (en) 2024-04-02

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905261A (en) * 2012-12-26 2014-07-02 中国电信股份有限公司 Protocol characteristic library online updating method and system
CN107995162A (en) * 2017-10-27 2018-05-04 深信服科技股份有限公司 Network security sensory perceptual system, method and readable storage medium storing program for executing
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium
CN112073437A (en) * 2020-10-09 2020-12-11 腾讯科技(深圳)有限公司 Multidimensional security threat event analysis method, device, equipment and storage medium
WO2021017614A1 (en) * 2019-07-31 2021-02-04 平安科技(深圳)有限公司 Threat intelligence data collection and processing method and system, apparatus, and storage medium
CN112788022A (en) * 2020-12-31 2021-05-11 山石网科通信技术股份有限公司 Flow abnormity detection method and device, storage medium and processor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant