CN114866316B - Security protection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN114866316B
Application number: CN202210476255.XA
Authority: CN (China)
Other versions: CN114866316A
Other languages: Chinese (zh)
Legal status: Active (application granted)
Prior art keywords: port, quintuple information, destination, transport layer, target
Inventors: 徐国坤, 石志鑫, 王妍, 官宇, 李敏, 黄伟庆
Original and current assignee: Institute of Information Engineering of CAS


Classifications

    • H04L63/0263 Rule management (under H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/205 Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a security protection method, apparatus, device, storage medium and program product. The security protection method comprises the following steps: performing log analysis on each target session log within a target time period to obtain the quintuple information corresponding to each target session log, where the quintuple information comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuples in each quintuple information set, where a quintuple information set comprises one or more quintuples; and, based on the source ports and destination ports in the N target quintuples, obtaining each service port of each transport layer protocol and writing the service port together with its corresponding source IP address and destination IP address into a white list.

Description

Security protection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a security protection method, apparatus, device, and storage medium.
Background
Boundary (perimeter) security protection monitors external programs entering a computer and judges, before such a program runs, whether it is safe or malicious (e.g. a virus), so as to protect the local computer to the greatest possible extent.
The white list policy of boundary security protection devices is mainly configured manually. This requires the administrator to be very familiar with the communication relationships between access subjects and access objects, the network topology and similar information, which places a great burden on the administrator. Firstly, in complex or legacy network environments a security administrator cannot complete a clear inventory and configuration of the white list policy in a short time; secondly, when the network environment changes, for example when access subjects or access objects are added or taken offline, the administrator has to update the policy manually. This process is very cumbersome, and an unreasonable policy produced by a mistaken operation is likely to affect the normal access needs of service users.
Therefore, how to configure whitelists more reasonably and achieve effective security protection has become a problem to be solved in the industry.
Disclosure of Invention
The invention provides a security protection method, apparatus, device and storage medium, which are used to overcome the defect of unreasonable white list configuration in the prior art.
The invention provides a safety protection method, which comprises the following steps:
performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
and based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
According to the security protection method provided by the invention, after the five-tuple information corresponding to each target session log is obtained, the security protection method further comprises the following steps:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and the repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
According to the security protection method provided by the invention, the cluster analysis is performed on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, including:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the destination IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
According to the security protection method provided by the invention, obtaining each service port of each transport layer protocol based on the source port and the destination port in the N target quintuples comprises the following steps:
writing the source port and the destination port in each quintuple information set into a port statistical table corresponding to a transport layer protocol of each quintuple information set;
and taking the destination port or source port with the highest occurrence count in the port statistics table as the service port corresponding to the transport layer protocol, so as to obtain the service port of each transport layer protocol, and deleting that service port from the port statistics table to obtain the target port statistics table.
According to the security protection method provided by the invention, after the target port statistical table is obtained, the security protection method further comprises the following steps:
when the number of processed ports in the port statistics table is smaller than a preset threshold, taking the destination port or source port with the highest occurrence count in the target port statistics table as a service port corresponding to the transport layer protocol and deleting that service port from the target port statistics table, repeating this until the number of processed ports in the port statistics table is greater than or equal to the preset threshold, so as to obtain each service port of each transport layer protocol;
wherein the processed ports refer to a source port and a destination port which are determined to be service ports.
The invention also provides a security protection apparatus, comprising:
a log analysis module, used to perform log analysis on each target session log in the target time period to obtain the quintuple information corresponding to each target session log, where the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
a cluster analysis module, used to perform cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuples in each quintuple information set, where a quintuple information set comprises one or more quintuples;
and a protection module, used to obtain each service port of each transport layer protocol based on the source port and the destination port in the N target quintuples, and to write the service port together with its corresponding source IP address and destination IP address into a white list.
Optionally, the device is further configured to:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and the repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the security protection method as described in any of the above when executing the program.
The invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a security protection method as described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements a security protection method as described in any of the above.
According to the security protection method, apparatus, device and storage medium of the invention, the target session logs in the target time period are analysed to obtain quintuple information; the resulting quintuple information sets are cluster-analysed to screen out the target quintuples; the target quintuples are then analysed recursively to screen out reliable service ports; and the service ports and their corresponding IP addresses are written into the white list. The white list can thus be generated automatically and updated adaptively after the network environment changes. The security and quality of communication in the network are improved, and the problems of cumbersome configuration and mistaken operation by the administrator are avoided.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a safety protection method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a whitelist policy generation flow provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a service port processing flow provided in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a safety device according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the related art, an intelligent analysis algorithm based on traffic logs has been proposed to learn the white list policy automatically and to configure the learned policy into the boundary security protection device, greatly reducing the heavy and complicated work of the administrator. However, the existing method cannot clearly determine the access subject and the access object, so self-learning produces a large number of repeated white list policies. For example, the access subject 192.168.100.2 actively initiates requests to server port 80 of the access object 192.168.100.3, but because the source port of the access subject changes dynamically, the automatically learned policies may be 192.168.100.2:5567->192.168.100.3:80, 192.168.100.2:5568->192.168.100.3:80, 192.168.100.2:5569->192.168.100.3:80, and so on. Because the algorithm cannot tell which ports are source ports and which are destination ports, the number of learned policies is huge, and, because of the dynamic nature of source ports, automatically configuring these policies is very likely to prevent the service access relationship from working normally.
Fig. 1 is a schematic flow chart of a security protection method provided in an embodiment of the present application, as shown in fig. 1, including:
step 110, performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, where the quintuple information includes: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
specifically, the target period of time described in the embodiments of the present application may be a preset period of time, or may be a preset period of time after detecting that the network environment is changed.
The target session logs described in the embodiments of the present application may be obtained by collecting the traffic flowing through the network boundary security protection device and pre-processing the collected data into session logs; each target session log may be a TCP session, a UDP session, an ICMP session or the like. After each target session log is obtained, it may be stored provisionally to facilitate subsequent analysis.
In the embodiment of the present application, the source IP address, source port, destination IP address, destination port and transport layer protocol of each target session log obtained in the target time period are analysed, so as to obtain the quintuple information corresponding to each target session log, where each quintuple comprises: source IP address, source port, destination IP address, destination port and transport layer protocol.
Step 120, performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
specifically, in the embodiment of the application, the quintuple information sets are classified based on the communication protocol, that is, the quintuple information of the same transport layer protocol is gathered together for analysis, so as to obtain the quintuple information set corresponding to each transport layer protocol.
In the embodiment of the application, after the quintuple information set corresponding to each transport layer protocol is obtained, the quintuple information set is further subjected to IP information clustering analysis, so that N groups of target quintuple information with more reliable data in the quintuple information set are screened.
Step 130, obtaining each service port of each transport layer protocol based on the source port and the destination port in the N target quintuples, and writing the service port together with its corresponding source IP address and destination IP address into a white list.
Specifically, in the embodiment of the present application, the source ports and destination ports in the N target quintuples corresponding to each transport layer protocol may be counted, the counted ports sorted in descending order of their counts, and the port with the highest count taken as a service port on each traversal; by continuing the traversal, each service port of each transport layer protocol is obtained.
In this embodiment of the present application, after each service port of each transport layer protocol is obtained, the IP addresses corresponding to the port, the port itself and the transport layer protocol are written into the white list.
According to the security protection method, apparatus, device, storage medium and program product, the target session logs in the target time period are analysed to obtain quintuple information; the resulting quintuple information sets are cluster-analysed to screen out the target quintuples; the target quintuples are then analysed recursively to screen out reliable service ports; and the service ports and their corresponding IP addresses are written into the white list. The white list can thus be generated automatically and updated adaptively after the network environment changes. The security and quality of communication in the network are improved, and the problems of cumbersome configuration and mistaken operation by the administrator are avoided.
Optionally, after obtaining the quintuple information corresponding to each target session log, the method further includes:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and the repeated destination IP addresses in each initial quintuple information set to obtain the quintuple information set corresponding to each transport layer protocol.
Specifically, since the data of different communication protocols are not suitable for overall analysis, in the embodiment of the present application, the quintuple information is classified based on the transport layer protocols, and quintuple information of the same transport layer protocol is aggregated together to obtain an initial quintuple information set corresponding to each transport layer protocol.
To avoid repeated data increasing the amount of data to be analysed, in the embodiment of the application the repeated source IP addresses within the same initial quintuple information set are deduplicated, and likewise the repeated destination IP addresses, so as to obtain the deduplicated quintuple information set, namely the quintuple information set corresponding to each transport layer protocol.
In the embodiment of the application, pre-processing and analysing the network session logs in this way further reduces the amount of data to be processed, so that the data can be processed quickly and efficiently, and the capability of coping with various complex network environments is greatly improved.
Optionally, the performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set includes:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the destination IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
Specifically, the clustering algorithm described in the embodiments of the present application may be a K-means clustering algorithm.
In the embodiment of the application, a clustering algorithm is specifically used to perform cluster analysis on the source IP address and destination IP address in the quintuple information. A preset distance $C$ may be set as a threshold: when the minimum distance $S_{\min}$ between a certain point and all cluster centers satisfies $S_{\min} > C$, the point is regarded as a new cluster center.
More specifically, in the embodiment of the present application, the clustering distance is calculated as $D_{i-j} = (\mathrm{SrcAddr}_i - \mathrm{SrcAddr}_j)^2 + (\mathrm{DstAddr}_i - \mathrm{DstAddr}_j)^2$, where $\mathrm{SrcAddr}_i$ and $\mathrm{SrcAddr}_j$ are the source IPs of log $i$ and log $j$ respectively, and $\mathrm{DstAddr}_i$ and $\mathrm{DstAddr}_j$ are the destination IPs of log $i$ and log $j$ respectively. The preset distance $C$ can be adjusted as required to obtain N groups of IP information and hence N groups of target quintuple information.
In the embodiment of the application, the clustering algorithm can effectively screen out some data which does not have analysis value, effectively reduce the analysis data quantity, rapidly and efficiently process the data, and greatly improve the capability of coping with various complex network environments.
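The clustering rule above (distance $D_{i-j}$ on integer-encoded IPv4 addresses, a new center whenever $S_{\min} > C$), as an added Python example that is not part of the patent text; the sample quintuples, the value of C and the choice to keep each center fixed at the quintuple that seeded it are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    """Quintuple information parsed from one session log."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def ip_int(ip: str) -> int:
    """Treat an IPv4 address as a 32-bit integer so two addresses can be subtracted."""
    return int(ipaddress.ip_address(ip))


def cluster_distance(a: FiveTuple, b: FiveTuple) -> int:
    """D_{i-j} = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2, as in the description."""
    return (ip_int(a.src_ip) - ip_int(b.src_ip)) ** 2 + (ip_int(a.dst_ip) - ip_int(b.dst_ip)) ** 2


def cluster_by_ip(tuples: list[FiveTuple], c: int) -> list[list[FiveTuple]]:
    """Threshold clustering on (source IP, destination IP).

    The first quintuple seeds the first cluster center. Every later quintuple is
    compared with all existing centers; if the smallest distance S_min exceeds C
    it becomes a new center, otherwise it joins the nearest cluster. Assumption
    (not stated on the page): a center stays at the quintuple that seeded it.
    Returns one list of quintuples per cluster, in order of center creation.
    """
    centers: list[FiveTuple] = []
    groups: list[list[FiveTuple]] = []
    for t in tuples:
        if not centers:
            centers.append(t)
            groups.append([t])
            continue
        dists = [cluster_distance(t, center) for center in centers]
        s_min = min(dists)
        if s_min > c:
            centers.append(t)
            groups.append([t])
        else:
            groups[dists.index(s_min)].append(t)
    return groups


# C chosen (assumption) so that pairs whose source and destination addresses differ
# only in the last octet land in one cluster: the largest such distance is 2 * 255^2.
SAME_SUBNET_C = 2 * 255 ** 2

# Constructed sample quintuples (not from the page): three clients in
# 192.168.100.0/24 talking to one server, plus one unrelated session.
SAMPLE_TUPLES = [
    FiveTuple("192.168.100.2", 5567, "192.168.100.3", 80, "tcp"),
    FiveTuple("192.168.100.5", 5568, "192.168.100.3", 80, "tcp"),
    FiveTuple("10.0.5.7", 40001, "172.16.0.9", 443, "tcp"),
    FiveTuple("192.168.100.9", 5569, "192.168.100.3", 80, "tcp"),
]


def cluster_summary(tuples=SAMPLE_TUPLES, c=SAME_SUBNET_C) -> list[int]:
    """Sizes of the clusters found, i.e. how many quintuples each center attracted."""
    return [len(g) for g in cluster_by_ip(tuples, c)]


if __name__ == "__main__":
    for i, group in enumerate(cluster_by_ip(SAMPLE_TUPLES, SAME_SUBNET_C)):
        print(f"cluster {i}: {[(t.src_ip, t.dst_ip) for t in group]}")
```

Lowering C splits the /24 group into more centers (more, smaller N groups); raising it merges the unrelated session into the first cluster, which is the tuning knob the description refers to.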
Optionally, obtaining each service port of each transport layer protocol based on the source port and the destination port in the N target quintuples includes:
writing the source port and the destination port in each quintuple information set into a port statistical table corresponding to a transport layer protocol of each quintuple information set;
and taking the destination port or source port with the highest occurrence count in the port statistics table as the service port corresponding to the transport layer protocol, so as to obtain the service port of each transport layer protocol, and deleting that service port from the port statistics table to obtain the target port statistics table.
In the embodiment of the application, the source port and destination port of each quintuple in the quintuple information set are counted: each quintuple is traversed, and the source port and destination port of each quintuple are written into the port statistics table corresponding to the transport layer protocol of that quintuple information set.
In the port statistics table of the embodiment of the present application, the source ports and destination ports are sorted in descending order of their occurrence counts, and each port statistics table stores only the port information of a single transport layer protocol.
After the port statistics table is obtained, the service port of each transport layer protocol is obtained by taking the destination port or source port with the highest occurrence count in the port statistics table as the service port corresponding to that transport layer protocol.
After the service ports are selected in the port statistics table, deleting the service ports in the port statistics table to obtain a target port statistics table, and if the obtained service ports still do not meet the requirements, continuing to search the service ports in the target port statistics table until the number of the processed ports in the port statistics table is greater than or equal to the preset threshold.
In the embodiment of the application, the port statistics table is built by sorting the ports in descending order of their occurrence counts, and analysing it allows the service ports of the two communicating parties to be determined automatically, which greatly simplifies the configuration of the white list policy and widens the application scenarios of the invention.
Optionally, after the obtaining the target port statistics table, the method further includes:
when the number of processed ports in the port statistics table is smaller than a preset threshold, taking the destination port or source port with the highest occurrence count in the target port statistics table as a service port corresponding to the transport layer protocol and deleting that service port from the target port statistics table, repeating this until the number of processed ports in the port statistics table is greater than or equal to the preset threshold, so as to obtain each service port of each transport layer protocol;
wherein the processed ports refer to a source port and a destination port which are determined to be service ports.
More specifically, in the embodiment of the present application, the target ports are screened only once, which may result in too few screened ports, affecting user access, and thus further analysis of the target port statistics is required.
The processed ports described in the embodiment of the present application are the ports that were ranked first in the port statistics table or the target port statistics table, have been determined to be service ports, and have been deleted from the port statistics table or the target port statistics table.
The preset threshold described in the embodiments of the present application may be half of the number of the processed ports, and the number of the preset threshold may be adjusted according to the needs.
In this embodiment of the present application, when the number of processed ports in the port statistics table is smaller than the preset threshold, the port data in the port statistics table still need further screening, so the destination port or source port with the highest occurrence count in the target port statistics table is taken as the service port corresponding to the transport layer protocol.
In this embodiment of the present application, when the number of processed ports in the port statistics table is greater than or equal to the preset threshold, enough service ports have been screened out, no further screening of the target port statistics table is needed, and the automatic learning process ends; each service port of each transport layer protocol is thereby obtained, and the service ports together with their corresponding source IP addresses and destination IP addresses are written into the white list.
Optionally, after the data is written into the white list, the white list which is automatically learned is stored into a database, and meanwhile, whether the data is directly issued to the boundary safety protection equipment can be determined according to the requirement of a user.
In the embodiment of the application, through carrying out the cyclic analysis on the data in the port statistics table, sufficient port information can be effectively acquired, and further, sufficient IP information corresponding to the port information is acquired, so that the strategy can be automatically generated and updated after the self-adaptive network environment is changed. The safety and the quality of communication in the network are improved, and the problems of complicated configuration and improper operation of an administrator are avoided.
Fig. 2 is a schematic diagram of a white list policy generation flow provided in an embodiment of the present application. As shown in fig. 2, the method includes: first, session logs are obtained; quintuple information is extracted by analysing the session logs and classified by protocol type; the quintuple information is then deduplicated and broadcast and multicast addresses are filtered out; cluster analysis is performed on the IP values; the service ports are determined by recursive analysis; and the white list policy is thus finally obtained.
Fig. 3 is a schematic diagram of a service port processing flow provided in an embodiment of the present application. As shown in Fig. 3, it includes:
Looking up in Redis the end time of the previous period's session log analysis, dividing the interval from that end time up to the current time into one-hour periods, and querying the session logs generated in the designated time period.
Extracting the session logs, parsing them into quintuple information, de-duplicating according to IP information and protocol type, and dividing the records into different data sets by protocol type; then filtering the IP addresses in each data set.
Clustering the IP information with a clustering algorithm: a distance C is set as the threshold, and when the minimum value S_min of the distances between a point and all existing cluster centers is greater than C, that point is taken as a new cluster center. The distance formula is $D_{ij} = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2$, where $SrcAddr_i$ and $SrcAddr_j$ are the source IPs of log i and log j, $DstAddr_i$ and $DstAddr_j$ are the destination IPs of log i and log j, and C can be adjusted as needed; this yields N groups of IP information.
Traversing each group of IP information and counting the port access relationships between each pair of source IP and destination IP.
Sorting the counted ports in descending order, taking one port with the maximum count as a service port in each traversal, and updating the port statistics table.
Taking the port with the highest occurrence count in the port statistics table (ports with the same count are processed together in a single pass), and judging whether the port's count is greater than 1 and whether the number of processed ports is less than or equal to half of the total port count; if so, passing the remaining information to the next round, otherwise finishing the automatic policy learning process and calling the policy storage module.
Combining the obtained service ports and IPs into a white list policy, storing it in the policy set, recording the port's count and adding it to the number of processed ports, removing the processed port information from the port statistics table, and then returning to the previous step.
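The flow of Fig. 3 carried through on constructed session log lines, as an added example that is not the patent's own code: five-tuples are parsed and de-duplicated (assumed here to be on the full five-tuple), grouped by transport layer protocol, clustered with the D_ij distance and threshold C, and the most frequent port in each cluster's port statistics table is repeatedly taken as a service port until the processed-port count reaches half of the total. The log format, the leader-style cluster assignment and the choice of C = 50 are assumptions for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address
# Constructed session log lines (src_ip src_port dst_ip dst_port proto); line 5 is an exact duplicate.
SESSION_LOGS = """\
10.0.0.5 51234 10.0.1.10 443 tcp
10.0.0.6 49870 10.0.1.10 443 tcp
10.0.0.7 40001 10.0.1.10 443 tcp
10.0.0.5 51235 10.0.1.10 443 tcp
10.0.0.5 51235 10.0.1.10 443 tcp
10.0.0.5 53001 10.0.1.20 22 tcp
10.0.0.8 53002 10.0.1.20 22 tcp
10.0.0.5 60000 10.0.1.30 53 udp
10.0.0.6 60001 10.0.1.30 53 udp
"""

def parse_logs(text):
    """Parse each line into (src_ip, src_port, dst_ip, dst_port, proto); exact
    duplicates are dropped (assumed de-duplication key) and malformed lines skipped."""
    tuples = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        s, sp, d, dp, proto = parts
        tuples.append((s, int(sp), d, int(dp), proto.lower()))
    return list(dict.fromkeys(tuples))

def ip_distance(a, b):
    """D_ij = (SrcAddr_i - SrcAddr_j)^2 + (DstAddr_i - DstAddr_j)^2 on integer IPv4 values."""
    sa, da = int(ip_address(a[0])), int(ip_address(a[2]))
    sb, db = int(ip_address(b[0])), int(ip_address(b[2]))
    return (sa - sb) ** 2 + (da - db) ** 2

def cluster_by_ip(tuples, c):
    """A tuple whose minimum distance S_min to all existing centers exceeds C
    becomes a new center; otherwise it joins the nearest cluster (assumed rule)."""
    centers, clusters = [], []
    for t in tuples:
        if centers:
            dists = [ip_distance(t, ctr) for ctr in centers]
            s_min = min(dists)
            if s_min <= c:
                clusters[dists.index(s_min)].append(t)
                continue
        centers.append(t)
        clusters.append([t])
    return clusters

def learn_service_ports(tuples, ratio=0.5):
    """Port statistics table over all source and destination ports; take the most
    frequent port as a service port, add its count to the processed total and delete
    it, until processed >= ratio * total or only single-occurrence ports remain."""
    table = Counter()
    for _, sp, _, dp, _ in tuples:
        table[sp] += 1
        table[dp] += 1
    total, processed, service_ports = sum(table.values()), 0, []
    while table and processed < ratio * total:
        port, count = table.most_common(1)[0]
        if count <= 1:
            break  # remaining ports are one-off ephemeral client ports
        service_ports.append(port)
        processed += count
        del table[port]
    return service_ports

def build_whitelist(log_text, c=50):
    """White list entries (proto, src_ip, dst_ip, service_port)."""
    sets = defaultdict(list)  # one quintuple information set per transport protocol
    for t in parse_logs(log_text):
        sets[t[4]].append(t)
    whitelist = set()
    for proto, group in sets.items():
        for cluster in cluster_by_ip(group, c):
            ports = set(learn_service_ports(cluster))
            for s, sp, d, dp, _ in cluster:
                for port in (sp, dp):
                    if port in ports:
                        whitelist.add((proto, s, d, port))
    return sorted(whitelist)
```

With the constructed logs, the TCP set splits into two clusters (the 10.0.1.10 and 10.0.1.20 pairs), each yielding one service port, and the ephemeral client ports never reach the white list.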
In the embodiment of the application, white list policy generation can be completed automatically for the boundary security protection equipment, and deployment of the policy can be completed either by automatic policy assembly or by manual issuing by an administrator. The policy generation module algorithm generates a multi-dimensional white list policy for selection, and the policy takes effect immediately after it is distributed and deployed. When the network environment changes, with new access subjects and objects coming online and others going offline, a white list policy can be generated for the new environment, greatly simplifying the administrator's configuration work; the problem of an administrator unknowingly configuring conflicting white list policies does not occur, and various complex network environments can be accommodated.
The following describes the security protection device provided by the present invention; the security protection device described below and the security protection method described above may be referred to correspondingly.
Fig. 4 is a schematic structural diagram of a security protection device according to an embodiment of the present application. As shown in Fig. 4, it includes a parsing module 410, an analysis module 420 and a protection module 430. The parsing module 410 is configured to parse each target session log in a target time period to obtain the quintuple information corresponding to each target session log, where the quintuple information includes a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol. The analysis module 420 is configured to perform cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, where a quintuple information set includes one or more quintuple information. The protection module 430 is configured to obtain each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and to write the service port and its corresponding source IP address and destination IP address into a white list.
Optionally, the device is further configured to:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain a quintuple information set corresponding to each transport layer protocol.
In the embodiment of the application, log analysis of the target session logs in the target time period yields quintuple information; cluster analysis of the resulting quintuple information set screens out the target quintuple information, which is then analysed recursively to screen out reliable service ports effectively; the service ports and their corresponding IP addresses are written into a white list, which can be generated and updated automatically, adapting to changes in the network environment. The security and quality of communication in the network are improved, and the problems of cumbersome configuration and administrator error are avoided.
Fig. 5 is a schematic structural diagram of an electronic device according to the present invention. As shown in Fig. 5, the electronic device may include: a processor 510, a communication interface 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with each other through the communication bus 540. The processor 510 may invoke logic instructions in the memory 530 to perform a security protection method comprising: performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
Further, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program, the computer program being storable on a non-transitory computer readable storage medium and, when executed by a processor, capable of performing the security protection method provided above, the method comprising: performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the security protection method provided above, the method comprising: performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information; and based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list.
The apparatus embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on this understanding, the foregoing technical solution, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer readable storage medium such as ROM/RAM, a magnetic disk, an optical disk, etc., and which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. A security protection method, comprising:
performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
based on the source port and the destination port in the N pieces of target five-tuple information, obtaining each service port of each transport layer protocol, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list;
wherein obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information comprises:
writing the source port and the destination port in each quintuple information set into a port statistics table corresponding to the transport layer protocol of that quintuple information set;
taking the destination port or the source port with the largest count in the port statistics table as the service port corresponding to the transport layer protocol to obtain a service port of each transport layer protocol, and deleting that service port from the port statistics table to obtain a target port statistics table;
after the target port statistics table is obtained, the method further includes:
under the condition that the number of processed ports in the port statistics table is smaller than a preset threshold, taking the destination port or the source port with the largest count in the target port statistics table as a service port corresponding to the transport layer protocol, and deleting that service port from the target port statistics table, until the number of processed ports in the port statistics table is greater than or equal to the preset threshold, so as to obtain each service port of each transport layer protocol;
wherein the processed ports refer to a source port and a destination port which are determined to be service ports;
and performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the cluster analysis comprises the following steps:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the destination IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
2. The method of claim 1, wherein after obtaining the five-tuple information corresponding to each target session log, further comprises:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain a quintuple information set corresponding to each transport layer protocol.
3. A security protection device, comprising:
a parsing module, used for performing log analysis on each target session log in a target time period to obtain quintuple information corresponding to each target session log, wherein the quintuple information comprises: a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
an analysis module, used for performing cluster analysis on the quintuple information set corresponding to each transport layer protocol to obtain N target quintuple information in each quintuple information set, wherein the quintuple information set comprises one or more quintuple information;
a protection module, used for obtaining each service port of each transport layer protocol based on the source port and the destination port in the N pieces of target five-tuple information, and writing the source IP address and the destination IP address corresponding to the service port and the service port into a white list;
wherein the device is specifically used for:
writing the source port and the destination port in each quintuple information set into a port statistical table corresponding to a transport layer protocol of each quintuple information set;
taking the destination port or the source port with the largest count in the port statistics table as the service port corresponding to the transport layer protocol to obtain a service port of each transport layer protocol, and deleting that service port from the port statistics table to obtain a target port statistics table;
after the target port statistics table is obtained, the device is further used for:
under the condition that the number of processed ports in the port statistics table is smaller than a preset threshold, taking the destination port or the source port with the largest count in the target port statistics table as a service port corresponding to the transport layer protocol, and deleting that service port from the target port statistics table, until the number of processed ports in the port statistics table is greater than or equal to the preset threshold, so as to obtain each service port of each transport layer protocol;
wherein the processed ports refer to a source port and a destination port which are determined to be service ports;
wherein the device is further for:
calculating the clustering distance between each quintuple information and other quintuple information in the quintuple information set based on the source IP address and the destination IP address of each quintuple information in the quintuple information set;
and obtaining N groups of target quintuple information in each quintuple information set based on the clustering distance, wherein N is a positive integer.
4. The security protection device according to claim 3, wherein the device is further used for:
classifying the quintuple information based on the transport layer protocols to obtain initial quintuple information sets corresponding to each transport layer protocol;
and removing the repeated source IP addresses and repeated destination IP addresses in each initial quintuple information set to obtain a quintuple information set corresponding to each transport layer protocol.
5. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the security protection method of any one of claims 1 to 2 when executing the program.
6. A non-transitory computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the security protection method according to any one of claims 1 to 2.
CN202210476255.XA 2022-04-29 2022-04-29 Security protection method, device, equipment and storage medium Active CN114866316B (en)

Publications (2)

Publication Number Publication Date
CN114866316A CN114866316A (en) 2022-08-05
CN114866316B true CN114866316B (en) 2023-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant