CN114866316A - Security protection method, device, equipment, storage medium and program product - Google Patents


Info

Publication number
CN114866316A
Authority
CN
China
Prior art keywords
port
quintuple information
target
transport layer
address
Prior art date
Legal status
Granted
Application number
CN202210476255.XA
Other languages
Chinese (zh)
Other versions
CN114866316B (en)
Inventor
徐国坤
石志鑫
王妍
官宇
李敏
黄伟庆
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides a security protection method, a device, equipment, a storage medium and a program product, comprising the following steps: performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on the five-tuple information set corresponding to each transport layer protocol to obtain N pieces of target five-tuple information in each five-tuple information set, wherein a five-tuple information set comprises one or more pieces of five-tuple information; and obtaining each service port of each transport layer protocol based on the source ports and destination ports in the N pieces of target five-tuple information, and writing each service port together with its corresponding source IP address and destination IP address into a white list.

Description

Security protection method, device, equipment, storage medium and program product
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a security protection method, apparatus, device, storage medium, and program product.
Background
Boundary security protection refers to monitoring external programs that enter a computer and judging, before they run, whether they are safe or unsafe, so that the security of the local computer is guaranteed to the greatest extent.
At present, the white list policy of a boundary security protection device is mainly configured manually, and this application scenario requires that the administrator be very familiar with information such as the communication relationships between access subjects and access objects and the network topology, which poses great challenges for the administrator. Firstly, when facing complex, old or otherwise difficult network environments, a security administrator cannot clearly sort out and configure the white list policy in a short time; secondly, when the network environment changes, for example when access subjects and access objects are added or taken offline, the administrator needs to update the policy manually, the operation process is very complicated, and the normal access requirements of service users may be affected by unreasonable policy configuration caused by improper operation.
Therefore, how to configure the white list more reasonably and achieve effective security protection has become an urgent problem to be solved in the industry.
Disclosure of Invention
The invention provides a security protection method, a security protection device, security protection equipment, a storage medium and a program product, which are used to overcome the defect of unreasonable white list configuration in the prior art.
The invention provides a safety protection method, which comprises the following steps:
performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
performing cluster analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
and obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the service port and a source IP address and a destination IP address corresponding to the service port into a white list.
According to a security protection method provided by the present invention, after obtaining five tuple information corresponding to each target session log, the method further includes:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
According to a security protection method provided by the present invention, the clustering analysis is performed on the quintuple information sets corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, including:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the target IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
According to the security protection method provided by the invention, obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information includes:
writing the source port and the destination port in each five-tuple information set into a port statistical table corresponding to a transport layer protocol of each five-tuple information set;
and taking the destination port or the source port with the maximum port number in the port statistical table as a service port corresponding to the transport layer protocol to obtain the service port of each transport layer protocol, and deleting the service port in the port statistical table to obtain a target port statistical table.
According to the safety protection method provided by the present invention, after obtaining the target port statistical table, the method further comprises:
under the condition that the number of the processed ports in the port statistical table is smaller than a preset threshold value, taking a destination port or a source port with the largest port number in the target port statistical table as a service port corresponding to the transport layer protocol, and deleting the service port in the target port statistical table until the number of the processed ports in the port statistical table is larger than or equal to the preset threshold value, so as to obtain each service port of each transport layer protocol;
the processed ports refer to a source port and a destination port which are determined as service ports.
The invention also provides a safety protection device, comprising:
the analysis module is used for performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the analysis module is used for carrying out clustering analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
and the protection module is used for obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
Optionally, the apparatus is further configured to:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the safety protection method.
The invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security protection method as described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the security protection method as described in any of the above.
According to the security protection method, device, equipment, storage medium and program product provided by the invention, quintuple information is obtained by performing log analysis on the target session logs of a target time period, cluster analysis is performed on the resulting quintuple information sets to screen out the target quintuple information, the target quintuple information is then analyzed recursively so that reliable service ports are screened out effectively, and each service port together with its corresponding IP addresses is written into a white list; the white list can thus be generated automatically and updated automatically after the network environment changes. The security and quality of communication in the network are improved, and the problems of complicated configuration and improper operation by an administrator are solved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a safety protection method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a white list policy generation process provided in an embodiment of the present application;
fig. 3 is a schematic diagram illustrating a service port processing flow according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a security protection apparatus according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the related art, in view of the practical need to avoid repetitive, complicated and error-prone manual configuration of the white list policy of a boundary security protection device, an intelligent analysis algorithm based on traffic logs has been proposed to learn the white list policy automatically and then configure the learned policy into the boundary security protection device automatically, which greatly reduces the heavy and complex work of the administrator. However, the existing method cannot clearly determine the access subject and the access object of a request, which may result in a large number of repeated white list policies after self-learning. For example, the access subject 192.168.100.2 actively initiates a request to server port 80 of the access object 192.168.100.3, but since the source port of the access subject changes dynamically, the automatically learned white list policies may be 192.168.100.2:5567->192.168.100.3:80, 192.168.100.2:5568->192.168.100.3:80, 192.168.100.2:5569->192.168.100.3:80, and so on. Because the algorithm cannot determine which ports are source ports and which are destination ports, the number of automatically learned policies is huge, and because the source ports are dynamic, automatic configuration of such policies may prevent the service access relationship from working normally.
Fig. 1 is a schematic flow chart of a safety protection method provided in an embodiment of the present application, as shown in fig. 1, including:
step 110, performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
specifically, the target time period described in the embodiment of the present application may be a preset time period, or may be a preset time period after detecting that the network environment is changed.
The target session logs described in the embodiment of the present application may be obtained by collecting the traffic flowing through the network boundary security protection device and preprocessing the collected data to form session logs of various kinds; each target session log may be a TCP session, a UDP session, an ICMP session or the like, and after each target session log is obtained it may be stored to facilitate subsequent analysis.
In the embodiment of the present application, each target session log of a target time period is obtained to perform source IP address analysis, source port analysis, destination IP address analysis, destination port analysis, and transport layer protocol analysis, so as to obtain five tuple information corresponding to each target session, where each five tuple information includes: source IP address, source port, destination IP address, destination port, and transport layer protocol.
Step 120, performing cluster analysis on quintuple information sets corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
specifically, in the embodiment of the present application, five tuple information sets are classified based on a communication protocol, that is, five tuple information of the same transport layer protocol is gathered together and analyzed, so that a five tuple information set corresponding to each transport layer protocol is obtained.
In the embodiment of the application, after the quintuple information set corresponding to each transport layer protocol is obtained, IP information clustering analysis is further performed on the quintuple information set, so that N groups of target quintuple information with reliable data in the quintuple information set are screened.
Step 130, based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing a source IP address and a destination IP address corresponding to the service port and the service port into a white list.
Specifically, in this embodiment of the present application, the source ports and the destination ports in the N pieces of target five-tuple information corresponding to each transport layer protocol may be counted, then the counted ports are sorted in a descending order, the port with the maximum port number obtained through traversal each time is used as a service port, and the traversal is continued to obtain each service port of each transport layer protocol.
In the embodiment of the present application, after obtaining each service port of each transport layer protocol, the IP address and the port corresponding to the port are further written into the white list along with the transport layer protocol.
Optionally, after obtaining the five-tuple information corresponding to each target session log, the method further includes:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
Specifically, since the data of different communication protocols are not suitable for the overall analysis, in the embodiment of the present application, the quintuple information is classified based on the transport layer protocol, and the quintuple information of the same transport layer protocol is gathered together to obtain an initial quintuple information set corresponding to each transport layer protocol.
In order to avoid the increase of the analyzed data amount by the repeated data, in the embodiment of the present application, the repeated source IP address in the same initial quintuple information set is deduplicated, and the repeated destination IP address in the same initial quintuple information set is deduplicated, so that a deduplicated quintuple information set, that is, a quintuple information set corresponding to each transport protocol layer, is obtained.
In the embodiment of the application, the network session logs are preprocessed and analyzed, so that the processing of data volume is further reduced, the data can be processed quickly and efficiently, and the capability of coping with various complex network environments is greatly improved.
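The following is an added example, not code from the patent, of step 110 together with the optional classification and deduplication step: session log lines are parsed into five-tuples, grouped by transport layer protocol, and reduced to one entry per (source IP, destination IP) pair before cluster analysis. The log line format, the `FiveTuple` type and the choice to key deduplication on the IP pair are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sample session log (not real traffic). The line format
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" is an
# assumption of this example, not a format the patent specifies.
SAMPLE_LOG = """\
2022-04-01T08:00:01 tcp 192.168.100.2:5567 -> 192.168.100.3:80
2022-04-01T08:00:02 tcp 192.168.100.2:5568 -> 192.168.100.3:80
2022-04-01T08:00:03 tcp 192.168.100.2:5569 -> 192.168.100.3:80
2022-04-01T08:00:04 udp 192.168.100.7:40001 -> 192.168.100.9:53
2022-04-01T08:00:05 udp 192.168.100.7:40002 -> 192.168.100.9:53
2022-04-01T08:00:06 tcp 10.0.0.5:51000 -> 192.168.100.3:443
this line is malformed and is skipped by the parser
"""


def parse_line(line: str) -> Optional[FiveTuple]:
    """Parse one session log line into a five-tuple; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return FiveTuple(src_ip, int(src_port), dst_ip, int(dst_port),
                         parts[1].lower())
    except ValueError:
        return None


def parse_log(text: str) -> List[FiveTuple]:
    """Step 110: one five-tuple per well-formed session log line."""
    return [ft for ft in map(parse_line, text.splitlines()) if ft is not None]


def classify_by_protocol(tuples: List[FiveTuple]) -> Dict[str, List[FiveTuple]]:
    """Initial quintuple information set for each transport layer protocol."""
    sets: Dict[str, List[FiveTuple]] = defaultdict(list)
    for ft in tuples:
        sets[ft.proto].append(ft)
    return dict(sets)


def dedup_ip_pairs(tuples: List[FiveTuple]) -> List[Tuple[str, str]]:
    """Remove repeated source/destination IPs: keep each (src_ip, dst_ip)
    pair once, in first-seen order. Keying on the pair rather than on each
    address separately is an assumption made here so that one host talking
    to several peers is not collapsed into a single entry."""
    seen = set()
    pairs = []
    for ft in tuples:
        key = (ft.src_ip, ft.dst_ip)
        if key not in seen:
            seen.add(key)
            pairs.append(key)
    return pairs


def build_ip_pair_sets(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Deduplicated IP-pair set per protocol, the input to cluster analysis."""
    return {proto: dedup_ip_pairs(fts)
            for proto, fts in classify_by_protocol(parse_log(text)).items()}


if __name__ == "__main__":
    for proto, pairs in build_ip_pair_sets(SAMPLE_LOG).items():
        print(proto, pairs)
```

On the constructed log the three TCP sessions from 192.168.100.2 collapse to a single IP pair, which is exactly the reduction in analysis volume the paragraph above describes; the full five-tuples are kept separately so that port statistics can still be taken from them later.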
Optionally, the performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set includes:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the target IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
Specifically, the clustering algorithm described in the embodiment of the present application may specifically be a K-means clustering algorithm.
In the embodiment of the application, a clustering algorithm may be used to perform clustering analysis on the source IP address and the destination IP address in the quintuple information. A preset distance C is set as a threshold, and when the minimum distance $S_{min}$ from a point to all existing clustering centers satisfies $S_{min} > C$, the point is regarded as a new clustering center.
More specifically, the clustering distance in the embodiment of the present application is calculated as $D_{i-j} = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2$, where $SrcAddr_i$ and $SrcAddr_j$ are the source IPs of log i and log j respectively, and $DstAddr_i$ and $DstAddr_j$ are the destination IPs of log i and log j respectively. The preset distance C can be adjusted as needed to obtain N groups of IP information and thus N groups of target quintuple information.
In the embodiment of the application, some data which do not have analysis value can be effectively screened out through the clustering algorithm, the analysis data volume is effectively reduced, the data can be quickly and efficiently processed, and the capability of coping with various complex network environments is greatly improved.
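As an added example (not the patent's implementation) of the clustering rule above, the block below converts each (source IP, destination IP) pair to integers, computes $D_{i-j}$ with the formula given, and opens a new cluster center whenever the minimum distance to every existing center exceeds the preset distance C. Treating addresses as integers, assigning non-new points to the nearest center, and the sample pairs and threshold values are assumptions of this example.

```python
import ipaddress
from typing import List, Tuple

IpPair = Tuple[str, str]

# Constructed (source IP, destination IP) pairs, not real traffic.
SAMPLE_PAIRS: List[IpPair] = [
    ("192.168.100.2", "192.168.100.3"),
    ("192.168.100.4", "192.168.100.3"),
    ("192.168.100.5", "192.168.100.6"),
    ("10.0.0.5", "192.168.100.3"),
    ("172.16.5.10", "172.16.5.1"),
]


def ip_int(addr: str) -> int:
    """Integer form of an IP address so that subtraction is defined."""
    return int(ipaddress.ip_address(addr))


def cluster_distance(i: Tuple[int, int], j: Tuple[int, int]) -> int:
    """D_{i-j} = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2."""
    return (i[0] - j[0]) ** 2 + (i[1] - j[1]) ** 2


def cluster_ip_pairs(pairs: List[IpPair], c: int) -> List[List[IpPair]]:
    """Assign each pair to a cluster. A pair whose minimum distance S_min to
    every existing center exceeds the preset distance C opens a new cluster;
    otherwise it joins the nearest center (an assumption of this example).
    Returns the N groups in order of center creation."""
    centers: List[Tuple[int, int]] = []
    groups: List[List[IpPair]] = []
    for src, dst in pairs:
        point = (ip_int(src), ip_int(dst))
        if centers:
            dists = [cluster_distance(point, ctr) for ctr in centers]
            s_min = min(dists)
            if s_min <= c:
                groups[dists.index(s_min)].append((src, dst))
                continue
        centers.append(point)          # S_min > C: new clustering center
        groups.append([(src, dst)])
    return groups


if __name__ == "__main__":
    # C is a constructed threshold; a smaller C yields more groups.
    for n, group in enumerate(cluster_ip_pairs(SAMPLE_PAIRS, 1 << 16)):
        print("group", n, group)
```

Because the distance is squared, pairs inside one /24 sit within a few hundred units of each other while pairs from different networks are separated by values far beyond any practical C, so the three 192.168.100.0/24 pairs form one group and the 10.0.0.5 and 172.16.5.10 pairs each open their own; lowering C to 0 makes every distinct pair its own center, which is the tuning knob the paragraph refers to.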
Optionally, obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information includes:
writing the source port and the destination port in each five-tuple information set into a port statistical table corresponding to a transport layer protocol of each five-tuple information set;
and taking the destination port or the source port with the maximum port number in the port statistical table as a service port corresponding to the transport layer protocol to obtain the service port of each transport layer protocol, and deleting the service port in the port statistical table to obtain a target port statistical table.
In the embodiment of the application, the source port and the destination port of each quintuple information in the quintuple information set are counted, each quintuple information is traversed, and the source port and the destination port of each quintuple information set are written into the port statistical table corresponding to the transport layer protocol of each quintuple information set.
In the port statistical table in the embodiment of the present application, each source port and each destination port are sorted in a descending order according to the number of ports, and each port statistical table only stores port information of the same transport layer protocol.
After the port statistical table is obtained, the service port of each transport layer protocol is obtained by further using the destination port or the source port with the largest port number in the port statistical table as the service port corresponding to the transport layer protocol.
And after the service port is selected in the port statistical table, deleting the service port in the port statistical table to obtain a target port statistical table, and if the obtained service port does not meet the requirement, continuously searching for the service port in the target port statistical table until the number of the processed ports in the port statistical table is greater than or equal to the preset threshold value.
In the embodiment of the application, the port statistical tables are obtained by sequencing the port number in a descending order, and are analyzed, so that the service ports of both communication parties can be automatically judged, the configuration of a white list strategy is greatly simplified, and the application scenes of the invention are widened.
Optionally, after obtaining the target port statistics table, the method further includes:
under the condition that the number of the processed ports in the port statistical table is smaller than a preset threshold value, taking a destination port or a source port with the largest port number in the target port statistical table as a service port corresponding to the transport layer protocol, and deleting the service port in the target port statistical table until the number of the processed ports in the port statistical table is larger than or equal to the preset threshold value, so as to obtain each service port of each transport layer protocol;
the processed ports refer to a source port and a destination port which are determined as service ports.
More specifically, in the embodiment of the present application, if the target ports were screened only once, too few ports might be screened out, which would affect user access; therefore, the target port statistics table needs to be analyzed further.
The processed port described in the embodiment of the present application refers to a port that is originally in the port statistics table or the target port statistics table and is ranked first, and the port that has been determined as a service port is deleted from the port statistics table or the target port statistics table.
The preset threshold described in the embodiment of the present application may specifically be half of the number of the processed ports, and the value of the preset threshold may be adjusted automatically according to requirements.
In this embodiment of the present application, when the number of the processed ports in the port statistics table is smaller than the preset threshold, it indicates that further screening of the port data in the port statistics table is still needed at this time, so that the destination port or the source port with the largest number of ports in the destination port statistics table is used as the service port corresponding to the transport layer protocol.
In this embodiment of the present application, when the number of processed ports in the port statistics table is greater than or equal to the preset threshold, it indicates that the number of service ports to be screened is sufficient, at this time, only screening from the target port statistics table is stopped, the automatic learning process is ended, each service port of each transport layer protocol is finally obtained, and then the service port and the source IP address and the destination IP address corresponding to the service port are written into the white list.
Optionally, after the data is written into the white list, the automatically learned white list is stored in the database, and meanwhile, whether the data is directly issued to the boundary safety protection device or not can be determined according to user requirements.
In the embodiment of the application, through cyclic analysis of the data in the port statistical table, sufficient port information can be effectively obtained, and then the IP information corresponding to the sufficient port information is obtained, so that the strategy can be automatically generated and updated after the network environment is changed. The safety and the quality of communication in the network are improved, and the problems of complicated configuration and improper operation of an administrator are solved.
Fig. 2 is a schematic diagram of a white list policy generation process provided in an embodiment of the present application, and as shown in fig. 2, the white list policy generation process includes: first obtaining the session logs, then analyzing the session logs and extracting quintuple information, classifying it according to protocol type, then performing deduplication and broadcast and multicast filtering on the quintuple information, performing cluster analysis according to the IP values, and determining the service ports through recursive analysis, thereby finally obtaining the white list policy.
Fig. 3 is a schematic diagram of a service port processing flow provided in the embodiment of the present application, and as shown in fig. 3, the service port processing flow includes:
Looking up in Redis the end time of the previous period's session log analysis, dividing the interval from that end time up to the current time into periods by the hour, and querying the session logs generated in each specified time period.
Extracting the session logs, parsing them into quintuple information, removing duplicates according to the IP information and protocol type, and dividing the quintuple information into different data sets according to protocol type; then filtering the IP addresses in each data set.
Clustering the IP information with a clustering algorithm: a distance C is set as the threshold, and when the minimum distance $S_{min}$ between a point and all existing cluster centers satisfies $S_{min} > C$, the point is taken as a new cluster center. The distance formula is $D_{ij} = (\mathrm{SrcAddr}_i - \mathrm{SrcAddr}_j)^2 + (\mathrm{DstAddr}_i - \mathrm{DstAddr}_j)^2$, where $\mathrm{SrcAddr}_i$ and $\mathrm{SrcAddr}_j$ are the source IPs of log i and log j, and $\mathrm{DstAddr}_i$ and $\mathrm{DstAddr}_j$ are the destination IPs of log i and log j; C can be adjusted as required, giving N groups of IP information.
Traversing each group of IP information and counting the port access relation information between each pair of source IP and destination IP.
Sorting the counted ports in descending order, taking the port with the highest count in each traversal as a service port, and updating the port statistics table.
Taking the port with the highest occurrence count in the port statistics table (ports with the same count are processed together in one round), and judging whether that count is greater than 1 and whether the number of processed ports is less than or equal to half of the total number of ports. If the number of processed ports is less than or equal to half of the total, the remaining information is passed to the next round for processing; otherwise the automatic policy learning process ends and the policy storage module is called.
Combining the obtained service port and IP addresses into a white list policy, storing the policy in the policy set, recording the port's count and adding it to the number of processed ports, removing the processed port information from the port statistics table, and returning to the previous step.
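The processing flow of Fig. 3 above, written out end to end as an added example (this is not code from the patent or its applicant). It parses constructed session log lines into five-tuples, splits them by transport protocol, drops broadcast and multicast flows and exact duplicates, clusters the remaining tuples by the squared IP distance with threshold C, builds a port statistics table from the source and destination ports of each cluster, and picks service ports round by round while the top count is above 1 and the processed-port count is still at most half of the total. The log line format, the sample lines, the function names, the value C = 1000 and the choice to de-duplicate on the full tuple are assumptions made for this example; the Redis lookup and the policy storage module are not modelled.

```python
"""Added example (not the patent's own code): white list learning from session logs.

Assumed log format: one flow per line, "src_ip src_port dst_ip dst_port proto".
"""
from collections import Counter, defaultdict
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src_ip, src_port, dst_ip, dst_port, proto
Policy = Tuple[str, int, str, str]          # proto, service_port, src_ip, dst_ip

# Constructed sample session log (assumed format); includes one duplicate line,
# one broadcast flow and one multicast flow that should be filtered out.
SAMPLE_LOG = """\
10.0.0.5 51234 10.0.1.10 443 tcp
10.0.0.6 49152 10.0.1.10 443 tcp
10.0.0.7 50001 10.0.1.10 443 tcp
10.0.0.5 51235 10.0.1.11 22 tcp
10.0.0.5 51235 10.0.1.11 22 tcp
10.0.0.6 51300 10.0.1.11 22 tcp
192.168.5.20 60000 172.16.0.3 8080 tcp
192.168.5.21 60001 172.16.0.3 8080 tcp
10.0.0.8 40000 10.0.1.12 53 udp
10.0.0.9 40001 10.0.1.12 53 udp
10.0.0.5 40002 255.255.255.255 67 udp
10.0.0.5 40003 224.0.0.251 5353 udp
"""


def parse_session_log(text: str) -> List[FiveTuple]:
    """Turn each well-formed log line into a five-tuple; malformed lines are skipped."""
    tuples: List[FiveTuple] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, sport, dst, dport, proto = parts
        try:
            ip_address(src)
            ip_address(dst)
            tuples.append((src, int(sport), dst, int(dport), proto.lower()))
        except ValueError:
            continue
    return tuples


def _is_broadcast_or_multicast(addr: str) -> bool:
    a = ip_address(addr)
    return a.is_multicast or a == ip_address("255.255.255.255")


def classify_and_dedup(tuples: List[FiveTuple]) -> Dict[str, List[FiveTuple]]:
    """One quintuple set per transport protocol, with broadcast/multicast flows
    dropped and exact duplicate tuples removed (first occurrence kept)."""
    sets: Dict[str, List[FiveTuple]] = defaultdict(list)
    seen: Set[FiveTuple] = set()
    for t in tuples:
        if _is_broadcast_or_multicast(t[0]) or _is_broadcast_or_multicast(t[2]):
            continue
        if t not in seen:
            seen.add(t)
            sets[t[4]].append(t)
    return dict(sets)


def ip_distance(a: FiveTuple, b: FiveTuple) -> int:
    """D_ij = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2 on integer IPs.
    Python ints do not overflow; a C port would need wide or saturating arithmetic."""
    return (int(ip_address(a[0])) - int(ip_address(b[0]))) ** 2 + \
           (int(ip_address(a[2])) - int(ip_address(b[2]))) ** 2


def cluster_by_ip(tuples: List[FiveTuple], c: int) -> List[List[FiveTuple]]:
    """Leader clustering as described in the text: a tuple whose minimum distance
    S_min to every existing centre exceeds C starts a new cluster, otherwise it
    joins the nearest existing cluster."""
    centres: List[FiveTuple] = []
    clusters: List[List[FiveTuple]] = []
    for t in tuples:
        if centres:
            idx, s_min = min(((i, ip_distance(t, ctr)) for i, ctr in enumerate(centres)),
                             key=lambda p: p[1])
            if s_min <= c:
                clusters[idx].append(t)
                continue
        centres.append(t)
        clusters.append([t])
    return clusters


def select_service_ports(cluster: List[FiveTuple], threshold_ratio: float = 0.5) -> List[int]:
    """Port statistics table over all source and destination ports of the cluster.
    Each round takes the most frequent port(s) (ties handled together) as service
    ports while the top count is > 1 and processed <= threshold_ratio * total."""
    table: Counter = Counter()
    for _, sport, _, dport, _ in cluster:
        table[sport] += 1
        table[dport] += 1
    total = sum(table.values())
    processed = 0
    service_ports: List[int] = []
    while table:
        top = max(table.values())
        if top <= 1 or processed > threshold_ratio * total:
            break
        for port in [p for p, n in table.items() if n == top]:
            service_ports.append(port)
            processed += table.pop(port)  # remove from the table, accumulate processed count
    return service_ports


def learn_whitelist(log_text: str, c: int = 1000) -> List[Policy]:
    """Full pipeline: returns (proto, service_port, src_ip, dst_ip) white list entries."""
    policies: List[Policy] = []
    for proto, quintuples in classify_and_dedup(parse_session_log(log_text)).items():
        for cluster in cluster_by_ip(quintuples, c):
            for port in select_service_ports(cluster):
                for src, sport, dst, dport, _ in cluster:
                    if port in (sport, dport):
                        entry = (proto, port, src, dst)
                        if entry not in policies:
                            policies.append(entry)
    return policies


if __name__ == "__main__":
    for entry in learn_whitelist(SAMPLE_LOG):
        print(entry)
```

With the sample log this yields tcp/443 and tcp/22 for the 10.0.0.0/24 to 10.0.1.0/24 cluster, tcp/8080 for the second cluster, and udp/53, while the ephemeral client ports and the broadcast and multicast flows never reach the white list. The threshold check is the one stated in the flow above (stop once more than half of the counted ports have been processed); the preset threshold in the claims can be swapped in by changing `threshold_ratio`.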
In the embodiment of the application, the white list policy generation method can be completed automatically for the boundary security protection device, and the policy can be deployed either by automatic assembly of the policy or by manual issuing by an administrator. The policy generation module algorithm generates multi-dimensional white list policies for selection, and the policies take effect immediately after they are issued and deployed. When the network environment changes and application scenarios such as newly added access subjects and access objects, or hosts going offline, appear, a white list policy can be generated according to the new environment, which greatly simplifies the administrator's configuration work; the problem of an administrator unknowingly configuring a conflicting white list policy does not occur, and the method can adapt to various complex network environments.
The security protection device provided by the invention is described below; the security protection device described below and the security protection method described above may be referred to in correspondence with each other.
Fig. 4 is a schematic structural diagram of a security protection device according to an embodiment of the present application. As shown in Fig. 4, it includes a parsing module 410, an analysis module 420 and a protection module 430. The parsing module 410 is configured to perform log parsing on each target session log of a target time period to obtain the five-tuple information corresponding to each target session log, where the five-tuple information includes: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol. The analysis module 420 is configured to perform cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, where a quintuple information set includes one or more quintuple information. The protection module 430 is configured to obtain each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and to write the service port and the source IP address and destination IP address corresponding to the service port into a white list.
Optionally, the apparatus is further configured to:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
In the embodiment of the application, log parsing is performed on the target session logs of a target time period to obtain quintuple information; cluster analysis is performed on the resulting quintuple information set to screen out the target quintuple information; the target quintuple information is then analysed recursively, so that reliable service ports are screened out effectively; and each service port and its corresponding IP addresses are written into the white list, so that the white list can be generated and updated automatically after the network environment changes. The security and quality of communication in the network are improved, and the problems of complicated configuration and improper operation by an administrator are solved.
Fig. 5 is a schematic structural diagram of an electronic device provided in the present invention, and as shown in fig. 5, the electronic device may include: a processor (processor)510, a communication Interface (Communications Interface)520, a memory (memory)530 and a communication bus 540, wherein the processor 510, the communication Interface 520 and the memory 530 communicate with each other via the communication bus 540. Processor 510 may call logic instructions in memory 530 to perform a security method comprising: performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the service port and a source IP address and a destination IP address corresponding to the service port into a white list.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, the computer program product including a computer program, the computer program being stored on a non-transitory computer-readable storage medium, wherein when the computer program is executed by a processor, a computer is capable of executing the security protection method provided by the above methods, and the method includes: performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the service port and a source IP address and a destination IP address corresponding to the service port into a white list.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program being implemented by a processor to perform the security protection method provided by the above methods, the method including: performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the service port and a source IP address and a destination IP address corresponding to the service port into a white list.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A security protection method, comprising:
performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
performing cluster analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
and obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the service port and a source IP address and a destination IP address corresponding to the service port into a white list.
2. The security protection method according to claim 1, wherein after obtaining five-tuple information corresponding to each target session log, the method further comprises:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
3. The security protection method according to claim 1, wherein the performing cluster analysis on the quintuple information sets corresponding to each transport layer protocol to obtain N target quintuple information in each of the quintuple information sets comprises:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the target IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
4. The security protection method according to claim 1, wherein obtaining the service ports of each transport layer protocol based on the source port and the destination port in the N target five-tuple information comprises:
writing the source port and the destination port in each five-tuple information set into a port statistical table corresponding to a transport layer protocol of each five-tuple information set;
and taking the destination port or the source port with the maximum port number in the port statistical table as a service port corresponding to the transport layer protocol to obtain the service port of each transport layer protocol, and deleting the service port in the port statistical table to obtain a target port statistical table.
5. The security protection method of claim 4, wherein after obtaining the target port statistics table, the method further comprises:
under the condition that the number of the processed ports in the port statistical table is smaller than a preset threshold value, taking a destination port or a source port with the largest port number in the target port statistical table as a service port corresponding to the transport layer protocol, and deleting the service port in the target port statistical table until the number of the processed ports in the port statistical table is larger than or equal to the preset threshold value, so as to obtain each service port of each transport layer protocol;
the processed ports refer to a source port and a destination port which are determined as service ports.
6. A security protection device, comprising:
the analysis module is used for performing log analysis on each target session log of a target time period to obtain five-tuple information corresponding to each target session log, wherein the five-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol;
the analysis module is used for carrying out clustering analysis on a quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
and the protection module is used for obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
7. The security protection device of claim 6, wherein the device is further configured to:
classifying the quintuple information based on the transport layer protocols to obtain an initial quintuple information set corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the security protection method of any of claims 1 to 5 when executing the program.
9. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the security protection method of any of claims 1 to 5.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the security protection method of any of claims 1 to 5.
CN202210476255.XA 2022-04-29 2022-04-29 Security protection method, device, equipment and storage medium Active CN114866316B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210476255.XA CN114866316B (en) 2022-04-29 2022-04-29 Security protection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210476255.XA CN114866316B (en) 2022-04-29 2022-04-29 Security protection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114866316A true CN114866316A (en) 2022-08-05
CN114866316B CN114866316B (en) 2023-08-01

Family

ID=82635006

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210476255.XA Active CN114866316B (en) 2022-04-29 2022-04-29 Security protection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114866316B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506497A (en) * 2016-11-04 2017-03-15 广州华多网络科技有限公司 Forge white list IP address detection method, device and server
WO2018227519A1 (en) * 2017-06-16 2018-12-20 唐全德 System, method and apparatus for implementing network interconnection
CN111782140A (en) * 2020-06-18 2020-10-16 杭州安恒信息技术股份有限公司 Network data packet storage method and device, computer equipment and storage medium
US20210036984A1 (en) * 2018-03-26 2021-02-04 New H3C Technologies Co., Ltd. Network address translation
CN112448911A (en) * 2019-08-27 2021-03-05 四川大学 K-Means-based normal Server IP white list mining method
CN112887159A (en) * 2021-03-26 2021-06-01 北京安天网络安全技术有限公司 Statistical alarm method and device

Also Published As

Publication number Publication date
CN114866316B (en) 2023-08-01

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant