CN114944958A - Processing method and device of access request and electronic equipment - Google Patents

Info

Publication number
CN114944958A
Authority
CN
China
Prior art keywords
access request
target
firewall
access
request
Prior art date
Legal status
Granted
Application number
CN202210669771.4A
Other languages
Chinese (zh)
Other versions
CN114944958B (en)
Inventor
崔昭华
Current Assignee
Xi'an Aixin Yuanzhi Technology Co ltd
Original Assignee
Xi'an Aixin Yuanzhi Technology Co ltd
Application filed by Xi'an Aixin Yuanzhi Technology Co ltd
Priority to CN202210669771.4A
Publication of CN114944958A
Application granted
Publication of CN114944958B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer And Data Communications

Abstract

The present application provides a method, an apparatus and an electronic device for processing an access request. The method includes: receiving an access request for accessing a target object; determining, from a plurality of candidate request processing partitions inside a firewall, the target request processing partition corresponding to the access request; obtaining the secure access address segment of the target request processing partition, and intercepting the access request according to the secure access address segment. The application achieves secure access to the target object and split (offloaded) processing of access requests, improves the firewall's efficiency in processing access requests, thereby improves the efficiency of verifying and analyzing firewall performance, makes firewall performance verification manageable, and optimizes the verification method and its effect.

Description

Access request processing method, apparatus and electronic device

Technical field

The present application relates to the field of data processing, and in particular to a method, an apparatus and an electronic device for processing an access request.

Background

As technology develops, systems-on-chip are used in an ever wider range of products. To implement security control of the system-on-chip and protect the data in the system, a corresponding security defense system can be configured on the chip.

In the related art, configuring a security defense system on a chip may affect the chip's running performance. The performance of a chip configured with a security defense system therefore needs to be verified.

Summary of the invention

The purpose of the present application is to solve, at least to some extent, one of the technical problems in the above technology.

A first aspect of the present application provides a method for processing an access request, including: receiving an access request for accessing a target object; determining, from a plurality of candidate request processing partitions inside a firewall, the target request processing partition corresponding to the access request; obtaining the secure access address segment of the target request processing partition, and intercepting the access request according to the secure access address segment.

The method for processing an access request provided in the first aspect of the present application also has the following technical features:

According to an embodiment of the present application, intercepting the access request according to the secure access address segment includes: obtaining the target access address at which the access request accesses the target object; identifying, according to the secure access address segment and the target access address, whether the access request is an illegal access request; and, in response to identifying the access request as an illegal access request, intercepting the illegal access request.

According to an embodiment of the present application, identifying whether the access request is an illegal access request according to the secure access address segment and the target access address includes: in response to the target access address belonging to the secure access address segment of the target request processing partition, determining that the access request is a secure access request; in response to the target access address not belonging to the secure access address segment of the target request processing partition, determining that the access request is an illegal access request.

According to an embodiment of the present application, determining the target request processing partition of the access request from the plurality of candidate request processing partitions inside the firewall includes: obtaining the identifier correspondence between the region identifiers of the candidate request processing partitions and the device identifiers of the test devices, where a test device is used to initiate access requests to the target object; determining, from the information carried in the access request, the target device identifier of the target test device that initiated the access request; determining, according to the identifier correspondence, the target region identifier corresponding to the target device identifier, and determining the candidate request processing partition corresponding to the target region identifier as the target request processing partition that processes the access request.

According to an embodiment of the present application, the method further includes: performing performance evaluation on the firewall and the target object, and obtaining a first performance evaluation result of the firewall and a second performance evaluation result of the target object respectively; and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.

According to an embodiment of the present application, obtaining the first performance evaluation result of the firewall includes: determining, from the number of access requests initiated, the initiation ratio of illegal access requests; monitoring the number of illegal access requests intercepted by the firewall, and obtaining the interception ratio of that number in the number of access requests received; and evaluating the performance of the firewall according to the initiation ratio and the interception ratio to obtain the first performance evaluation result of the firewall.

According to an embodiment of the present application, evaluating the performance of the firewall according to the initiation ratio and the interception ratio to obtain the first performance evaluation result of the firewall includes: obtaining the error value between the initiation ratio and the interception ratio; and, in response to the error value falling within a set error range, determining that the first performance evaluation result of the firewall is qualified.

According to an embodiment of the present application, obtaining the second performance evaluation result of the target object includes: obtaining the response delay time of the target object for access requests not intercepted by the firewall; and evaluating the performance of the target object according to the response delay time to obtain the second performance evaluation result of the target object.

According to an embodiment of the present application, evaluating the performance of the target object according to the response delay time to obtain the second performance evaluation result of the target object includes: obtaining the threshold time for the response delay of the target object; and, in response to the response delay time being less than or equal to the threshold time, determining that the second performance evaluation result of the target object is qualified.

According to an embodiment of the present application, evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result includes: in response to the first performance evaluation result indicating that the firewall's performance is qualified and the second performance evaluation result indicating that the target object's performance is qualified, determining that the performance evaluation result of the target system is qualified.

A second aspect of the present application provides an apparatus for processing an access request, including: a receiving module, configured to receive an access request for accessing a target object; a determining module, configured to determine, from a plurality of candidate request processing partitions inside a firewall, the target request processing partition corresponding to the access request; and a processing module, configured to obtain the secure access address segment of the target request processing partition and intercept the access request according to the secure access address segment.

The apparatus for processing an access request provided in the second aspect of the present application also has the following technical features:

According to an embodiment of the present application, the processing module is further configured to: obtain the target access address at which the access request accesses the target object; identify, according to the secure access address segment and the target access address, whether the access request is an illegal access request; and, in response to identifying the access request as an illegal access request, intercept the illegal access request.

According to an embodiment of the present application, the processing module is further configured to: in response to the target access address belonging to the secure access address segment of the target request processing partition, determine that the access request is a secure access request; in response to the target access address not belonging to the secure access address segment of the target request processing partition, determine that the access request is an illegal access request.

According to an embodiment of the present application, the determining module is further configured to: obtain the identifier correspondence between the region identifiers of the candidate request processing partitions and the device identifiers of the test devices, where a test device is used to initiate access requests to the target object; determine, from the information carried in the access request, the target device identifier of the target test device that initiated the access request; determine, according to the identifier correspondence, the target region identifier corresponding to the target device identifier, and determine the candidate request processing partition corresponding to the target region identifier as the target request processing partition that processes the access request.

According to an embodiment of the present application, the apparatus further includes an evaluation module, configured to: perform performance evaluation on the firewall and the target object, and obtain a first performance evaluation result of the firewall and a second performance evaluation result of the target object respectively; and evaluate the performance of the target system according to the first performance evaluation result and the second performance evaluation result.

According to an embodiment of the present application, the evaluation module is further configured to: determine, from the number of access requests initiated, the initiation ratio of illegal access requests; monitor the number of illegal access requests intercepted by the firewall, and obtain the interception ratio of that number in the number of access requests received; and evaluate the performance of the firewall according to the initiation ratio and the interception ratio to obtain the first performance evaluation result of the firewall.

According to an embodiment of the present application, the evaluation module is further configured to: obtain the error value between the initiation ratio and the interception ratio; and, in response to the error value falling within a set error range, determine that the first performance evaluation result of the firewall is qualified.

According to an embodiment of the present application, the evaluation module is further configured to: obtain the response delay time of the target object for access requests not intercepted by the firewall; and evaluate the performance of the target object according to the response delay time to obtain the second performance evaluation result of the target object.

According to an embodiment of the present application, the evaluation module is further configured to: obtain the threshold time for the response delay of the target object; and, in response to the response delay time being less than or equal to the threshold time, determine that the second performance evaluation result of the target object is qualified.

According to an embodiment of the present application, the evaluation module is further configured to: in response to the first performance evaluation result indicating that the firewall's performance is qualified and the second performance evaluation result indicating that the target object's performance is qualified, determine that the performance evaluation result of the target system is qualified.

An embodiment of a third aspect of the present application provides an electronic device, including: at least one processor; and a memory communicatively connected to the at least one processor, where the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the access request processing method provided in the first aspect of the present application.

An embodiment of a fourth aspect of the present application provides a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions are used to cause a computer to execute the access request processing method provided in the first aspect of the present application.

An embodiment of a fifth aspect of the present application provides a computer program product; when instructions in the computer program product are executed by a processor, the access request processing method provided in the first aspect of the present application is executed.

The access request processing method and apparatus provided in the present application receive an access request for a target object and determine, from a plurality of candidate request processing partitions divided inside the firewall, the target request processing partition corresponding to the access request. The access request is then identified and judged according to the secure access address segment of the target request processing partition, and an access request determined to carry a non-secure access address is intercepted. In the present application, the firewall identifies and intercepts access requests to the target object, which achieves secure access to the target object. Dividing the inside of the firewall into a plurality of candidate request processing partitions splits (offloads) the processing of access requests, improves the firewall's efficiency in processing access requests, thereby improves the efficiency of verifying and analyzing firewall performance, makes firewall performance verification manageable, and optimizes the verification method and its effect.

Additional aspects and advantages of the present application will be given in part in the following description, and in part will become apparent from the following description or be learned through practice of the present application.

Brief description of the drawings

The above and/or additional aspects and advantages of the present application will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a schematic flowchart of a method for processing an access request according to an embodiment of the present application;

FIG. 2 is a schematic flowchart of a method for processing an access request according to another embodiment of the present application;

FIG. 3 is a schematic flowchart of a method for processing an access request according to another embodiment of the present application;

FIG. 4 is a schematic flowchart of a method for processing an access request according to another embodiment of the present application;

FIG. 5 is a schematic structural diagram of an apparatus for processing an access request according to an embodiment of the present application;

FIG. 6 is a block diagram of an electronic device according to an embodiment of the present application.

Detailed description

Embodiments of the present application are described in detail below. Examples of the embodiments are shown in the accompanying drawings, where the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are intended to explain the present application; they should not be construed as limiting it.

The access request processing method, apparatus, electronic device and storage medium of the embodiments of the present application are described below with reference to the accompanying drawings.

FIG. 1 is a schematic flowchart of a method for processing an access request according to an embodiment of the present application. As shown in FIG. 1, the method includes:

S101: Receive an access request for accessing a target object.

In implementation, a system-on-chip (System on Chip, SOC) has requirements for security control and secure access. A corresponding security control system can be set on the SOC chip to protect the relevant functions and information on the SOC chip.

Optionally, a corresponding security control system can be set at the port where the SOC chip receives all of its information, and a corresponding security control system can also be set at the information receiving port of a functional module on the SOC chip.

A firewall can be set at the information receiving port of a functional module of the SOC chip to protect the functional module and control its security.

Optionally, the object protected by the firewall can be determined as the target object.

For example, if the target object is the double data rate synchronous dynamic random access memory (Double Data Rate Synchronous Dynamic Random Access Memory, DDR SDRAM) on the SOC chip, a corresponding firewall can be configured for the DDR storage system to protect the information stored in the DDR storage system.

In some implementations, the performance of a target object configured with a firewall may be affected to some extent, compared with a target object without a firewall.

Therefore, to ensure the running performance of a target object configured with a firewall, the performance of the target object can be verified and analyzed after the firewall is configured.

Correspondingly, to ensure that the firewall protects the target object, the firewall's interception and protection performance can also be verified and analyzed after the firewall is configured for the target object.

In the embodiments of the present application, a corresponding verification environment can be built for the target object configured with the firewall and corresponding test cases constructed, so as to verify the performance of both the firewall and the target object configured with the firewall.

Optionally, an access request can be sent to the target object configured with the firewall. The firewall's performance is verified and analyzed through information about how the firewall processes the access request; correspondingly, the performance of the target object configured with the firewall is verified and analyzed through information about the target object's response to the access request.

In implementation, the firewall protects the target object through its identification and interception functions, so the access request can be received by the firewall first.

The firewall has a corresponding channel port, and receives access requests through the information receiving function configured on that port.

Optionally, the sending of the access request and its reception by the firewall can be implemented through the bus protocol (Advanced eXtensible Interface, AXI) between the initiator of the access request and the firewall.

S102: From a plurality of candidate request processing partitions inside the firewall, determine the target request processing partition corresponding to the access request.

In the embodiments of the present application, the firewall can intercept access requests through its internal access request processing area. The set access request processing area inside the firewall can be divided, and the resulting processing areas are determined as the plurality of candidate request processing partitions inside the firewall.

Further, different region attribute information is configured for different candidate request processing partitions, so that each candidate request processing partition has its own set of access requests that it can process, which splits (offloads) the processing of received access requests across the partitions.

Optionally, the information of the candidate request processing partitions can be configured through the top-level module (tb_top module) of the verification environment. For example, the tb_top module can use a set method to write the received region attribute information into the region attribute register corresponding to a candidate request processing partition, and the region attribute information of that partition is then configured through the region attribute register.

In some implementations, the information in the region attribute registers of the candidate request processing partitions can be static. The region attribute information of all candidate request processing partitions can therefore be written into the region attribute registers through the set method, which configures the region attribute information of all candidate request processing partitions inside the firewall in one batch.

Further, a corresponding set criterion can be configured for the access requests that each candidate request processing partition can process. When an access request meets the set criterion of one of the candidate request processing partitions, that partition can be used as the target request processing partition of the access request.

For example, candidate request processing partition A has a corresponding set criterion B for the access requests it can process. When a received access request meets set criterion B, candidate request processing partition A can be used as the target request processing partition of that access request.

S103: Obtain the secure access address segment of the target request processing partition, and intercept the access request according to the secure access address segment.

In the embodiments of the present application, according to the set access address range of the target object, a corresponding access address segment can be configured for each candidate request processing partition inside the firewall as that partition's secure access address segment.

Further, when a candidate request processing partition processes an access request as the target request processing partition, it can judge from its secure access address segment whether the access request is a secure access request, and then decide whether to intercept it.

其中,若访问请求中的访问地址属于目标请求处理分区的安全访问地址段,则可以确定访问请求为安全访问请求,不对其进行拦截处理。Wherein, if the access address in the access request belongs to the security access address segment of the target request processing partition, it can be determined that the access request is a security access request, and the interception processing is not performed.

相应地,若访问请求中的访问地址不属于目标请求处理分区对应的安全访问地址段,则可以将访问请求判定为非安全访问请求,并对其进行拦截。Correspondingly, if the access address in the access request does not belong to the secure access address segment corresponding to the target request processing partition, the access request may be determined as a non-secure access request and intercepted.

The access request processing method proposed in the present application receives an access request for the target object and determines, from the multiple candidate request processing partitions into which the inside of the firewall is divided, the target request processing partition corresponding to the access request. It then identifies and judges the access request according to the secure access address segment of the target request processing partition, and intercepts access requests determined to carry a non-secure access address. In the present application, the firewall identifies and intercepts access requests for the target object, which achieves secure access to the target object. Dividing the inside of the firewall into multiple candidate request processing partitions distributes the handling of access requests and improves the efficiency with which the firewall processes them. This in turn improves the efficiency of verifying and analyzing firewall performance, makes firewall performance verification manageable, and optimizes the verification method and its effect.

In the above embodiment, the processing and interception of access requests can be further understood with reference to FIG. 2. FIG. 2 is a schematic flowchart of an access request processing method according to another embodiment of the present application. As shown in FIG. 2, the method includes:

S201: Obtain the target access address with which the access request accesses the target object.

In this embodiment of the present application, the firewall may obtain, from the received access request, the address of the target object that the initiator of the access request intends to access, and determine that address as the target access address with which the initiator accesses the target object.

Optionally, the firewall may read the detailed information of the received access request through its configured channel port, so as to obtain the target access address carried in it.

S202: Identify whether the access request is an illegal access request according to the secure access address segment and the target access address.

In practice, illegal access requests may appear among the access requests made to the target object. If an illegal access request succeeds in accessing the target object, the security of the information stored on the target object may be affected to some degree.

For example, if the target object is the storage system on an SOC chip, an illegal access request that succeeds in accessing the storage system may leak information from the storage system and compromise its information security.

In this scenario, the configured firewall can intercept illegal access requests and prevent them from successfully accessing the target object. Therefore, to verify the interception performance of the firewall effectively, a set proportion of illegal access requests can be configured among the access requests that the firewall receives.

Optionally, the judgment criterion for illegal access requests may be obtained, the received access request compared against the set judgment criterion, and the illegal access request identified according to the comparison result.

The judgment criterion for illegal access requests can be set according to the access address.

For example, the target access address in the access request and the secure access address segment of the target request processing partition corresponding to the access request can each be obtained, and whether the access request is an illegal access request is judged from the relationship between the target access address and the secure access address segment.

In response to the target access address belonging to the secure access address segment of the target request processing partition, the access request is determined to be a secure access request.

That is, when the target access address falls within the secure access address segment, it can be judged to be a secure access address of the target object. An access request made to the target object with this target access address does not affect the information security of the target object, so the access request carrying it can be determined to be a secure access request.

Correspondingly, in response to the target access address not belonging to the secure access address segment of the target request processing partition, the access request is determined to be an illegal access request.

That is, when the target access address does not fall within the secure access address segment of the target request processing partition, it can be judged to be an abnormal access address of the target object. Accessing the target object with this target access address may affect the information security of the target object, so the access request carrying it can be determined to be an illegal access request.

S203: In response to identifying the access request as an illegal access request, intercept the illegal access request.

To keep illegal access requests from affecting the information security of the target object, the firewall can intercept each access request determined to be illegal and prevent it from accessing the target object, thereby protecting the target object.

For example, suppose the secure access address segment of target request processing partition A, which corresponds to the access request, is a1 to a8. When the target access address carried by the access request is a3, it can be judged that a3 belongs to the secure access address segment of target request processing partition A, so the access request is not an illegal access request.

Correspondingly, when the target access address carried by the access request is a9, it can be judged that a9 does not belong to the secure access address segment of target request processing partition A, so the access request can be determined to be an illegal access request and is intercepted.

The access request processing method proposed in the present application obtains the target access address with which the access request accesses the target object, obtains the secure access address segment of the target request processing partition corresponding to the access request, and judges from the target access address and the secure access address segment whether the access request is an illegal access request. When the access request is determined to be illegal, it is intercepted. In the present application, the firewall identifies and intercepts access requests for the target object, which achieves secure access to the target object. Handling access requests in the candidate request processing partitions inside the firewall improves the efficiency with which the firewall processes them. Controlling the set proportion of illegal access requests among the access requests received allows the firewall performance to be verified effectively, and optimizes the verification method and its effect.

In the above embodiment, the determination of the target request processing partition can be further understood with reference to FIG. 3. FIG. 3 is a schematic flowchart of an access request processing method according to another embodiment of the present application. As shown in FIG. 3, the method includes:

S301: Obtain the identifier correspondence between the area identifiers of the candidate request processing partitions and the device identifiers of the test devices, where a test device is used to initiate access requests to the target object.

In some implementations, corresponding access-request-initiating devices may be configured for the firewall and the target object configured with the firewall, and access requests to the target object are initiated by controlling these devices.

To make the performance verification of the firewall controllable, these access-request-initiating devices can be configured with device attribute information that matches the area attribute information inside the firewall, so that each such device has a corresponding candidate request processing partition inside the firewall.

Further, the devices that initiate access requests may be determined as the test devices for the performance verification of the firewall and of the target object configured with the firewall.

Optionally, the initiation of a test device's access requests to the target object may be controlled by a test stimulus generator in the verification environment. The test stimulus generator can generate the test stimulus sequence for a test device according to the area attribute information configured for the candidate request processing partitions inside the firewall, and use the test stimulus sequence to configure the information that the corresponding test device needs in order to initiate access requests.

Therefore, a set correspondence exists between the test devices and the candidate request processing partitions inside the firewall.

In this embodiment of the present application, each test device has a corresponding device identifier and each candidate request processing partition has a corresponding area identifier. The correspondence between device identifiers and area identifiers can therefore be obtained to determine the correspondence between test devices and candidate request processing partitions, and from that the target request processing partition for an access request initiated by a test device.

Optionally, the area identification information of the candidate request processing partitions may be configured at the same time as the area attribute information of the candidate request processing partitions into which the inside of the firewall is divided. The identification information may be a numeric number or other identification information, which is not limited here.

Correspondingly, each test device has a corresponding device identifier: identification information can be set for each test device by a set method, and the identification information of each device is determined as its device identifier.

It should be noted that the device identifier of a test device and/or the area identifier of a candidate request processing partition is unique, and that device identifiers correspond one-to-one with area identifiers.

For example, if a set correspondence exists between test device D and candidate request processing partition F inside the firewall, an access request initiated by test device D can use candidate request processing partition F as its target request processing partition.

That is, once the association between test devices and candidate request processing partitions has been built by the set method, the target request processing partition of any access request initiated by a test device is the candidate request processing partition associated with that test device.

Optionally, the correspondence between the device identifiers of the test devices and the area identifiers of the candidate request processing partitions may be built on the basis of a set condition.

A device identifier and an area identifier that carry the same numeric information can be determined to correspond to each other.

For example, if the device identifiers of the test devices are D1, D2, D3, ..., Dn and the area identifiers of the candidate request processing partitions are F1, F2, F3, ..., Fn, then device identifier D1 corresponds to area identifier F1, device identifier D2 corresponds to area identifier F2, device identifier D3 corresponds to area identifier F3, and device identifier Dn corresponds to area identifier Fn.

Further, this correspondence may be determined as the identifier correspondence between the device identifiers of the test devices and the area identifiers of the candidate request processing partitions.

S302: From the information carried in the access request, determine the target device identifier of the target test device that initiated the access request.

In this embodiment of the present application, the detailed information carried in the access request may include the device identification information of the test device that initiated it. By reading the information of the access request, the firewall can obtain the information it carries about the test device that initiated the request.

The test device that initiated the access request can be determined as the target test device of that access request. When the access request is initiated, the target device identification information of the target test device can be carried in the access request, then received and read by the firewall.

S303: Determine the target area identifier corresponding to the target device identifier according to the identifier correspondence, and determine the candidate request processing partition corresponding to the target area identifier as the target request processing partition that handles the access request.

In this embodiment of the present application, the area identifier that corresponds to the target device identifier may be determined as the target area identifier.

Further, from the identifier correspondence between the target device identifier and the target area identifier, it can be determined that the test device with the target device identifier corresponds to the candidate request processing partition with the target area identifier.

It can therefore be determined that access requests initiated by the target test device can be identified, judged and otherwise handled by the candidate request processing partition corresponding to the target area identifier.

Further, the candidate request processing partition corresponding to the target area identifier may be determined as the target request processing partition of the access request carrying the target access address.

The access request processing method proposed in the present application obtains the identifier correspondence between the device identifiers of the test devices and the area identifiers of the candidate request processing partitions. From the received access request it obtains the target device identifier of the target test device that initiated the request, determines the corresponding target area identifier according to the identifier correspondence, and determines the target request processing partition of the access request according to the target area identifier. In the present application, device identifiers and area identifiers correspond to each other, and the target request processing partition of an access request is determined from this identifier correspondence. This optimizes the way the target request processing partition is determined, so that an access request initiated by a test device has a corresponding request processing partition inside the firewall, which distributes the handling of access requests and improves their processing efficiency.

Further, the verification and analysis of the performance of the firewall and of the target object configured with the firewall can be understood with reference to FIG. 4. FIG. 4 is a schematic flowchart of an access request processing method according to another embodiment of the present application. As shown in FIG. 4, the method includes:

S401: Evaluate the performance of the firewall and of the target object, and obtain a first performance evaluation result for the firewall and a second performance evaluation result for the target object.

In this embodiment of the present application, the system formed by the firewall and the target object may be determined as the target system. The performance of the target system is evaluated by evaluating the performance of the firewall on its own and the performance of the target object on its own.

Optionally, the performance of the firewall can be evaluated from the results of its identification and interception of illegal access requests among the access requests.

The initiation ratio of illegal access requests can be determined from the number of access requests initiated.

In some implementations, the test stimulus sequence generated by the test stimulus generator can configure a test device with the information needed to initiate access requests, and control the test device to initiate access requests to the target object.

Optionally, during this control process, the test stimulus generator can control the proportion of illegal access requests among the access requests initiated by controlling the proportion of illegal access addresses carried in the test stimulus sequence.

The proportion of illegal access requests among all access requests initiated can be configured in the test stimulus generator before performance verification starts.

For example, if the initiation ratio of illegal access requests among all access requests initiated is set to 10%, this figure can be configured in the test stimulus generator before performance verification starts. When generating the test stimulus sequence, the test stimulus generator can generate a corresponding proportion of stimulus sequences that carry illegal access addresses, and illegal access requests with the corresponding initiation ratio are generated from those sequences.

Optionally, the initiation ratio of illegal access requests among all access requests initiated may be obtained from the relevant data storage area of the test stimulus generator, where it is configured.

Further, the number of illegal access requests intercepted by the firewall can be monitored, and the interception ratio, that is, the number intercepted as a proportion of the number of access requests received, can be obtained.

Optionally, corresponding monitoring code may be hooked at the channel port of the firewall to monitor the number of illegal access requests that the firewall intercepts.

As one possible implementation, set code that counts the illegal access requests intercepted by the firewall can be hooked at the channel port of the firewall, and running this code monitors the number of illegal access requests intercepted.

Further, from the counted number of intercepted illegal access requests and the number of access requests received by the firewall, the interception ratio of illegal access requests among all access requests received by the firewall is determined.

As another possible implementation, set code that counts the secure access requests passed by the firewall can be hooked at the channel port of the firewall, and running this code counts the number of secure access requests passed.

Further, from the counted number passed and the number of access requests received by the firewall, the pass ratio of secure access requests among all access requests received by the firewall is determined, and from it the interception ratio of illegal access requests.

The performance of the firewall is evaluated according to the initiation ratio and the interception ratio to obtain the first performance evaluation result of the firewall.

In this embodiment of the present application, the obtained initiation ratio and interception ratio may be compared, and the performance of the firewall evaluated according to the comparison result.

The evaluation result obtained by evaluating the performance of the firewall may be determined as the first performance evaluation result.

As one possible implementation, a set algorithm can be applied to the interception ratio and the initiation ratio to obtain the error value between them.

Further, the set error range for the error value is obtained. When the obtained error value falls within the set error range, the firewall can be judged to have passed the performance evaluation of its interception of illegal access requests.

As shown in Table 1, the target object is set to be the storage system on an SOC chip. Of all the read access requests that the test devices initiate to the storage system, illegal read access requests have an initiation ratio of 10%; correspondingly, of all the write access requests that the test devices initiate to the storage system, illegal write access requests have an initiation ratio of 10%.

Further, as shown in Table 1, the firewall's interception ratio for illegal read access requests and its interception ratio for illegal write access requests are each obtained, so as to evaluate the performance of the firewall and obtain the first performance evaluation result of the firewall.

Table 1:

Figure BDA0003694381550000091

Table 1 shows that the interception ratio of illegal read access requests and the interception ratio of illegal write access requests are both 10.05%.

Further, error value 1 is obtained as the error between the 10% initiation ratio of illegal read access requests among read access requests and the 10.05% interception ratio of illegal read access requests among all read access requests received by the firewall. Error value 2 is obtained as the error between the 10% initiation ratio of illegal write access requests among write access requests and the 10.05% interception ratio of illegal write access requests among all write access requests received by the firewall.

Suppose error value 1 and error value 2 both fall within the set error range. Then, in the scenario where the firewall's interception performance for illegal access requests is as shown in Table 1, the performance of the firewall can meet the needs of practical application, and the first performance evaluation result of the firewall can be determined to be qualified.
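The flow described in S201 to S203, S301 to S303 and the first performance evaluation of S401 can be modelled end to end. The following Python reference model is an added example, not code from the patent; the class and function names, the constructed partition address layout, the fail-closed handling of a device with no partition, and the 1% error range are assumptions.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Partition:
    area_id: int   # area identifier Fn of a candidate request processing partition
    safe_lo: int   # first address of its secure access address segment
    safe_hi: int   # last address of the segment (inclusive)

@dataclass(frozen=True)
class AccessRequest:
    device_id: int  # identifier Dn of the test device that initiated the request
    address: int    # target access address carried by the request
    is_write: bool

class FirewallModel:
    """Routes each request to its partition and intercepts out-of-segment addresses."""

    def __init__(self, partitions):
        self.by_area = {p.area_id: p for p in partitions}
        if len(self.by_area) != len(partitions):
            raise ValueError("area identifiers must be unique")
        # Monitor counters keyed by is_write (the page hooks these at the channel port).
        self.received = {False: 0, True: 0}
        self.intercepted = {False: 0, True: 0}

    def target_partition(self, req):
        # S301-S303: Dn corresponds to Fn (same number), one-to-one.
        return self.by_area.get(req.device_id)

    def handle(self, req):
        """S201-S203: return True if the request passes, False if intercepted."""
        self.received[req.is_write] += 1
        part = self.target_partition(req)
        # Assumption: a device with no partition is intercepted (fail closed).
        passed = part is not None and part.safe_lo <= req.address <= part.safe_hi
        if not passed:
            self.intercepted[req.is_write] += 1
        return passed

def generate_stimulus(partitions, count, illegal_ratio, rng):
    """Test stimulus generator: each request is illegal with probability illegal_ratio."""
    for _ in range(count):
        part = rng.choice(partitions)
        if rng.random() < illegal_ratio:
            # Just past the device's own segment; may be legal for a neighbour.
            address = part.safe_hi + 1 + rng.randrange(0x100)
        else:
            address = rng.randint(part.safe_lo, part.safe_hi)
        yield AccessRequest(part.area_id, address, rng.random() < 0.5)

def evaluate_firewall(fw, initiation_ratio, tolerance):
    """First performance evaluation: per direction, (interception ratio, qualified?)."""
    result = {}
    for is_write, name in ((False, "read"), (True, "write")):
        if fw.received[is_write] == 0:
            result[name] = (None, False)   # nothing observed, cannot qualify
            continue
        ratio = fw.intercepted[is_write] / fw.received[is_write]
        result[name] = (ratio, abs(ratio - initiation_ratio) <= tolerance)
    return result

def run_verification(count=40000, illegal_ratio=0.10, tolerance=0.01, seed=1):
    # Constructed layout: partition i guards 0x1000*i .. 0x1000*i + 0xFFF.
    partitions = [Partition(i, 0x1000 * i, 0x1000 * i + 0xFFF) for i in range(1, 5)]
    fw = FirewallModel(partitions)
    for req in generate_stimulus(partitions, count, illegal_ratio, random.Random(seed)):
        fw.handle(req)
    return evaluate_firewall(fw, illegal_ratio, tolerance)

if __name__ == "__main__":
    for direction, (ratio, ok) in run_verification().items():
        print(f"{direction}: intercepted {ratio:.2%} -> {'qualified' if ok else 'failed'}")
```

Because the check is made against the requesting device's own partition, an address that is legal for a neighbouring partition is still intercepted; a model whose segments are configured too wide intercepts nothing and fails the ratio comparison.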

Further, after the firewall has intercepted and filtered the access requests, the performance of the target object can be evaluated from the target object's response information for the access requests that the firewall did not intercept. The response delay time of the target object to the access requests not intercepted by the firewall can be obtained.

Optionally, while the target object responds to an access request not intercepted by the firewall, its response delay time can be monitored, so as to obtain the response delay time of the target object to the access requests not intercepted by the firewall.

Further, the performance of the target object is evaluated according to the response delay time to obtain the second performance evaluation result of the target object.

As one possible implementation, the response delay time of a target object without a firewall to access requests, and the response delay time of the target object configured with a firewall to access requests not intercepted by the firewall, can both be obtained, so as to evaluate the target object and obtain the second performance evaluation result of the target object.

As another possible implementation, the threshold time for the response delay time can be obtained and the obtained response delay time compared with it. When the response delay time is less than or equal to the threshold time, it can be judged that the response delay of the target object currently configured with the firewall does not affect its normal operating performance, so the second performance evaluation result of the target object in this scenario can be determined to be qualified.

As shown in Table 2, with the target object set to a storage system, statistics can be collected separately on the initiation speed and response speed of read access requests and on the initiation speed and response speed of write access requests to the storage system. From these, information about the storage system's response delay time to read access requests and to write access requests is obtained.

As shown in Table 2, the information about the storage system's response delay time to read access requests may include the maximum, minimum and average delay time of its responses to read access requests, and the information about its response delay time to write access requests may include the maximum, minimum and average delay time of its responses to write access requests.

Further, the performance of the storage system is evaluated according to the response speed and response time information shown in Table 2. This establishes that the storage system shown in Table 2 still meets actual requirements after the firewall is configured, so the second performance evaluation result of the target object configured with the firewall can be determined as qualified.

Table 2:

Figure BDA0003694381550000101

S402: Evaluate the performance of the target system according to the first performance evaluation result and the second performance evaluation result.

In this embodiment of the present application, the performance of the target system can be evaluated according to the detailed content of the first performance evaluation result and the second performance evaluation result.

Optionally, in response to the first performance evaluation result indicating that the firewall's performance is qualified and the second performance evaluation result indicating that the target object's performance is qualified, the performance evaluation result of the target system is determined as qualified.

When the first performance evaluation result indicates that the firewall's performance is qualified, it can be determined that the firewall's interception of illegal access requests meets actual requirements. Correspondingly, when the second performance evaluation result indicates that the target object's performance is suitable, it can be determined that the target object's performance in responding to access requests meets actual requirements. In this scenario it can therefore be judged that the target system composed of the firewall and the target object meets the needs of practical application.

Further, the performance evaluation result of the target system can be determined as qualified.

In the method for processing an access request proposed by the present application, a performance evaluation of the firewall yields a first performance evaluation result, a performance evaluation of the target object yields a corresponding second performance evaluation result, and the performance of the target system is evaluated according to the two results. By evaluating the firewall and the target object separately, the present application evaluates the performance of the target system composed of the firewall and the target object, evaluates how much configuring the firewall affects the performance of the target object, and verifies the security and stability of the target system composed of the firewall and the target object.

Corresponding to the methods for processing an access request proposed by the above embodiments, an embodiment of the present application also proposes an apparatus for processing an access request. Because this apparatus corresponds to the methods proposed by the above embodiments, the implementations of those methods also apply to the apparatus and are not described in detail in the following embodiments.

FIG. 5 is a schematic structural diagram of an apparatus for processing an access request according to an embodiment of the present application. As shown in FIG. 5, the apparatus 500 for processing an access request includes a receiving module 51, a determining module 52, a processing module 53 and an evaluation module 54, wherein:

The receiving module 51 is configured to receive an access request for accessing the target object;

The determining module 52 is configured to determine the target request processing partition corresponding to the access request from a plurality of candidate request processing partitions inside the firewall;

The processing module 53 is configured to obtain the secure access address segment of the target request processing partition, and to intercept the access request according to the secure access address segment.

In this embodiment of the present application, the processing module 53 is further configured to: obtain the target access address of the access request to the target object; identify whether the access request is an illegal access request according to the secure access address segment and the target access address; and, in response to identifying the access request as an illegal access request, intercept the illegal access request.

In this embodiment of the present application, the processing module 53 is further configured to: in response to the target access address belonging to the secure access address segment of the target request processing partition, determine that the access request is a secure access request; and, in response to the target access address not belonging to the secure access address segment of the target request processing partition, determine that the access request is an illegal access request.

In this embodiment of the present application, the determining module 52 is further configured to: obtain the identifier correspondence between the region identifiers of the candidate request processing partitions and the device identifiers of the test devices, where a test device is used to initiate access requests to the target object; determine, from the information carried by the access request, the target device identifier of the target test device that initiated the access request; and, according to the identifier correspondence, determine the target region identifier corresponding to the target device identifier and take the candidate request processing partition corresponding to the target region identifier as the target request processing partition that processes the access request.

In this embodiment of the present application, the apparatus further includes an evaluation module 54, configured to: perform performance evaluation on the firewall and the target object, and obtain the first performance evaluation result of the firewall and the second performance evaluation result of the target object respectively; and evaluate the performance of the target system according to the first performance evaluation result and the second performance evaluation result.

In this embodiment of the present application, the evaluation module 54 is further configured to: determine, from the number of access requests initiated, the initiation ratio of illegal access requests; monitor the number of illegal access requests intercepted by the firewall, and obtain the interception ratio of that number within the number of access requests received; and evaluate the performance of the firewall according to the initiation ratio and the interception ratio to obtain the first performance evaluation result of the firewall.

In this embodiment of the present application, the evaluation module 54 is further configured to: obtain the error value between the initiation ratio and the interception ratio; and, in response to the error value falling within a set error range, determine that the first performance evaluation result of the firewall is qualified.

In this embodiment of the present application, the evaluation module 54 is further configured to: obtain the response delay time of the target object to the access requests not intercepted by the firewall; and evaluate the performance of the target object according to the response delay time to obtain the second performance evaluation result of the target object.

In this embodiment of the present application, the evaluation module 54 is further configured to: obtain the threshold time for the response delay of the target object; and, in response to the response delay time being less than or equal to the threshold time, determine that the second performance evaluation result of the target object is qualified.

In this embodiment of the present application, the evaluation module 54 is further configured to: in response to the first performance evaluation result indicating that the firewall's performance is qualified and the second performance evaluation result indicating that the target object's performance is qualified, determine that the performance evaluation result of the target system is qualified.

The apparatus for processing an access request proposed by the present application receives an access request for the target object and determines the target request processing partition corresponding to the access request from the plurality of candidate request processing partitions into which the interior of the firewall is divided. It then identifies and judges the access request according to the secure access address segment of the target request processing partition, and intercepts access requests determined to carry a non-secure access address. In the present application, the firewall identifies and intercepts access requests to the target object, which achieves secure access to the target object. Dividing the interior of the firewall into a plurality of candidate request processing partitions splits the handling of access requests across partitions and improves the firewall's efficiency in processing them. This in turn improves the efficiency of verifying and analyzing firewall performance, makes firewall performance verification manageable, and optimizes the verification method and its results.
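The flow carried out by modules 51 to 54, written as an added Python model that is not code from the patent: a device-to-partition lookup, the per-partition address segment check, and the two evaluations combined into the system verdict. All identifiers, the address ranges, the 0.01 error tolerance, the 200 ns threshold, comparing the maximum delay against the threshold, and blocking requests from unmapped devices are assumptions; the sample requests are constructed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Partition:
    """One candidate request processing partition inside the firewall."""
    region_id: str
    safe_start: int  # first address of the secure access address segment
    safe_end: int    # last address of the segment (inclusive)

    def allows(self, target_addr):
        return self.safe_start <= target_addr <= self.safe_end


class Firewall:
    def __init__(self, partitions, device_to_region):
        self.partitions = {p.region_id: p for p in partitions}
        self.device_to_region = dict(device_to_region)  # identifier correspondence
        self.received = 0
        self.intercepted = 0

    def handle(self, device_id, target_addr):
        """Return True when the request is forwarded, False when intercepted."""
        self.received += 1
        region_id = self.device_to_region.get(device_id)
        partition = self.partitions.get(region_id)
        # Assumption: a device with no mapped partition is blocked.
        if partition is None or not partition.allows(target_addr):
            self.intercepted += 1
            return False
        return True


def evaluate_firewall(initiated, illegal_initiated, fw, tolerance):
    """First result: error between initiation ratio and interception ratio."""
    if initiated == 0 or fw.received == 0:
        return False, None  # no traffic, nothing to qualify
    initiation_ratio = illegal_initiated / initiated
    interception_ratio = fw.intercepted / fw.received
    error = abs(initiation_ratio - interception_ratio)
    return error <= tolerance, error


def evaluate_target(latencies_ns, threshold_ns):
    """Second result: delay statistics of forwarded requests vs. a threshold."""
    if not latencies_ns:
        return False, None  # assumption: no forwarded request means no evidence
    stats = {"max": max(latencies_ns), "min": min(latencies_ns),
             "avg": mean(latencies_ns)}
    return stats["max"] <= threshold_ns, stats


def run_campaign(fw, requests, tolerance=0.01, threshold_ns=200):
    """Replay test-device requests and combine both evaluation results."""
    latencies, illegal_initiated = [], 0
    for device_id, target_addr, is_illegal, latency_ns in requests:
        illegal_initiated += is_illegal  # ground truth known to the test bench
        if fw.handle(device_id, target_addr):
            latencies.append(latency_ns)  # only forwarded requests get a response
    firewall_ok, error = evaluate_firewall(len(requests), illegal_initiated,
                                           fw, tolerance)
    target_ok, stats = evaluate_target(latencies, threshold_ns)
    return {"firewall_ok": firewall_ok, "error": error, "target_ok": target_ok,
            "latency": stats, "system_ok": firewall_ok and target_ok}


def make_firewall(r1_start=0x8000):
    """Two partitions; r1_start=0x0000 models an over-wide segment for R1."""
    return Firewall(
        [Partition("R0", 0x1000, 0x1FFF), Partition("R1", r1_start, 0x8FFF)],
        {"dev0": "R0", "dev1": "R1"},
    )


# Constructed sample: (device id, target address, illegal?, target latency in ns)
SAMPLE_REQUESTS = [
    ("dev0", 0x1000, False, 120),
    ("dev0", 0x1FFF, False, 140),
    ("dev0", 0x2000, True, 125),   # one past the end of R0's segment
    ("dev1", 0x8800, False, 95),
    ("dev1", 0x1004, True, 130),   # legal for R0, illegal for dev1's partition R1
    ("dev1", 0x8FFF, False, 180),
    ("dev0", 0x0FFF, True, 115),   # one before the start of R0's segment
    ("dev1", 0x8000, False, 110),
]

if __name__ == "__main__":
    print(run_campaign(make_firewall(), SAMPLE_REQUESTS))
    print(run_campaign(make_firewall(r1_start=0x0000), SAMPLE_REQUESTS))
```

Matching ratios show only that the counts agree; comparing each request's verdict with the test bench's expected verdict also catches a wrongly blocked request offsetting a wrongly forwarded one.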

To achieve the above embodiments, the present application also proposes an electronic device, a computer-readable storage medium and a computer program product.

FIG. 6 is a block diagram of an electronic device according to an embodiment of the present application. The electronic device shown in FIG. 6 can execute the method for processing an access request of the embodiments of FIG. 1 to FIG. 4.

To implement the above embodiments, the present application further proposes a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions are used to cause a computer to execute the method for processing an access request of the embodiments of FIG. 1 to FIG. 4.

To implement the above embodiments, the present application further proposes a computer program product. When the instructions in the computer program product are executed by a processor, the method for processing an access request of the embodiments of FIG. 1 to FIG. 4 is executed.

In the description of this specification, a description that refers to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may combine the different embodiments or examples described in this specification, and the features of different embodiments or examples, provided they do not contradict each other.

In addition, the terms "first" and "second" are used for descriptive purposes only and should not be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality of" means at least two, for example two or three, unless expressly and specifically defined otherwise.

Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a custom logical function or process. The scope of the preferred embodiments of the present application includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present application belong.

The logic and/or steps represented in a flowchart or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection with one or more wires (electronic device), a portable computer disk cartridge (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), a fiber optic device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in computer memory.

It should be understood that the parts of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques known in the art: a discrete logic circuit having logic gates for implementing logical functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.

Those of ordinary skill in the art will understand that all or some of the steps of the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.

In addition, the functional units in the embodiments of the present application may be integrated in one processing module, each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like. Although embodiments of the present application have been shown and described above, it should be understood that these embodiments are exemplary and should not be construed as limiting the present application. Those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present application.

Claims (22)

1. A method for processing an access request, the method comprising:
receiving an access request for accessing a target object;
determining a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in the firewall;
and acquiring a secure access address segment of the target request processing partition, and intercepting the access request according to the secure access address segment.
2. The method of claim 1, wherein intercepting the access request according to the secure access address segment comprises:
acquiring a target access address of the access request to the target object;
identifying whether the access request is an illegal access request or not according to the secure access address segment and the target access address;
and intercepting the illegal access request in response to identifying that the access request is an illegal access request.
3. The method of claim 2, wherein said identifying whether the access request is an illegal access request based on the secure access address segment and the target access address comprises:
determining that the access request is a secure access request in response to the target access address belonging to the secure access address segment of the target request processing partition;
determining that the access request is the illegal access request in response to the target access address not belonging to the secure access address segment of the target request processing partition.
4. The method of claim 1, wherein determining a target request processing partition for the access request from a plurality of candidate request processing partitions inside a firewall comprises:
acquiring an identification corresponding relation between the area identification of the candidate request processing partition and the equipment identification of the test equipment, wherein the test equipment is used for initiating an access request to the target object;
determining the target equipment identification of the target test equipment initiating the access request from the information carried by the access request;
and determining a target area identifier corresponding to the target equipment identifier according to the identifier corresponding relation, and determining a candidate request processing partition corresponding to the target area identifier as a target request processing partition for processing the access request.
5. The method of claim 1, further comprising:
performing performance evaluation on the firewall and the target object, and respectively acquiring a first performance evaluation result of the firewall and a second performance evaluation result of the target object;
and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
6. The method of claim 5, wherein obtaining the first performance assessment result of the firewall comprises:
determining the initiation ratio of the illegal access request from the initiation amount of the access request;
monitoring the interception amount of the firewall to the illegal access request, and acquiring the interception ratio of the interception amount in the receiving amount of the access request;
and evaluating the performance of the firewall according to the initiating proportion and the intercepting proportion to obtain the first performance evaluation result of the firewall.
7. The method according to claim 6, wherein the evaluating the performance of the firewall according to the initiating proportion and the intercepting proportion to obtain the first performance evaluation result of the firewall comprises:
obtaining an error value of the initiating ratio and the intercepting ratio;
and determining that the first performance evaluation result of the firewall is qualified in response to the error value belonging to a set error range.
8. The method of claim 5, wherein obtaining the second performance assessment result of the target object comprises:
obtaining the response delay time of the target object to the access request which is not intercepted by the firewall;
and evaluating the performance of the target object according to the response delay time to obtain a second performance evaluation result of the target object.
9. The method of claim 8, wherein the evaluating the performance of the target object according to the response delay time to obtain the second performance evaluation result of the target object comprises:
acquiring the threshold time of the response delay of the target object;
in response to the response delay time being less than or equal to the threshold time, determining that the second performance assessment result for the target object is qualified.
10. The method of claim 7 or 9, wherein said evaluating the performance of the target system based on the first performance evaluation result and the second performance evaluation result comprises:
and judging that the target system performance evaluation result is qualified in response to the first performance evaluation result indicating that the firewall performance is qualified and the second performance evaluation result indicating that the target object performance is qualified.
11. An apparatus for processing an access request, the apparatus comprising:
a receiving module for receiving an access request for accessing a target object;
the determining module is used for determining a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in the firewall;
and the processing module is used for acquiring the secure access address segment of the target request processing partition and intercepting the access request according to the secure access address segment.
12. The apparatus of claim 11, wherein the processing module is further configured to:
acquiring a target access address of the access request to the target object;
identifying whether the access request is an illegal access request or not according to the secure access address segment and the target access address;
and intercepting the illegal access request in response to identifying that the access request is an illegal access request.
13. The apparatus of claim 12, wherein the processing module is further configured to:
determining that the access request is a secure access request in response to the target access address belonging to the secure access address segment of the target request processing partition;
determining that the access request is the illegal access request in response to the target access address not belonging to the secure access address segment of the target request processing partition.
14. The apparatus of claim 11, wherein the determining module is further configured to:
acquiring an identification corresponding relation between the area identification of the candidate request processing partition and the equipment identification of the test equipment, wherein the test equipment is used for initiating an access request to the target object;
determining the target equipment identification of the target test equipment initiating the access request from the information carried by the access request;
and determining a target area identifier corresponding to the target equipment identifier according to the identifier corresponding relation, and determining a candidate request processing partition corresponding to the target area identifier as a target request processing partition for processing the access request.
15. The apparatus of claim 11, further comprising an evaluation module configured to:
performing performance evaluation on the firewall and the target object, and respectively acquiring a first performance evaluation result of the firewall and a second performance evaluation result of the target object;
and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
16. The apparatus of claim 15, wherein the evaluation module is further configured to:
determining the initiation ratio of the illegal access request from the initiation amount of the access request;
monitoring the interception amount of the firewall to the illegal access request, and acquiring the interception ratio of the interception amount in the receiving amount of the access request;
and evaluating the performance of the firewall according to the initiating proportion and the intercepting proportion to obtain the first performance evaluation result of the firewall.
17. The apparatus of claim 16, wherein the evaluation module is further configured to:
obtaining an error value of the initiating ratio and the intercepting ratio;
and determining that the first performance evaluation result of the firewall is qualified in response to the error value belonging to a set error range.
18. The apparatus of claim 15, wherein the evaluation module is further configured to:
obtaining the response delay time of the target object to the access request which is not intercepted by the firewall;
and evaluating the performance of the target object according to the response delay time to obtain a second performance evaluation result of the target object.
19. The apparatus of claim 18, wherein the evaluation module is further configured to:
acquiring the threshold time of the response delay of the target object;
and in response to the response delay time being less than or equal to the threshold time, determining that the second performance evaluation result of the target object is qualified.
20. The apparatus according to claim 17 or 19, wherein the evaluation module is further configured to:
and judging that the target system performance evaluation result is qualified in response to the first performance evaluation result indicating that the firewall performance is qualified and the second performance evaluation result indicating that the target object performance is qualified.
21. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-10.
22. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-10.
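The evaluation recited in claims 16 to 20, worked through on constructed data as an added example; this is not code from the patent or its applicant. Assumptions: the error value is taken as the absolute difference of the two ratios, the target object is judged on its worst-case response delay, and the field names, the error range (0.0, 0.02) and the threshold 50.0 are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    illegal: bool                  # ground truth known to the side initiating requests
    received: bool = True          # the firewall received the request
    intercepted: bool = False      # the firewall intercepted it
    delay: Optional[float] = None  # target response delay; None means no response seen

def evaluate_firewall(reqs, error_range):
    received = [r for r in reqs if r.received]
    if not reqs or not received:
        raise ValueError("nothing initiated or nothing received; cannot form the ratios")
    initiation_ratio = sum(r.illegal for r in reqs) / len(reqs)
    interception_ratio = sum(r.intercepted for r in received) / len(received)
    error = abs(initiation_ratio - interception_ratio)  # assumed definition of the error value
    low, high = error_range
    return {"initiation_ratio": initiation_ratio, "interception_ratio": interception_ratio,
            "error": error, "qualified": low <= error <= high}

def evaluate_target(reqs, threshold):
    passed = [r for r in reqs if r.received and not r.intercepted]
    # Assumption: judge the worst case; a passed request with no response is an infinite delay.
    worst = max((float("inf") if r.delay is None else r.delay for r in passed), default=0.0)
    return {"worst_delay": worst, "qualified": worst <= threshold}

def evaluate_system(reqs, error_range=(0.0, 0.02), threshold=50.0):
    fw = evaluate_firewall(reqs, error_range)
    tgt = evaluate_target(reqs, threshold)
    return {"firewall": fw, "target": tgt, "qualified": fw["qualified"] and tgt["qualified"]}

def constructed_run(missed_illegal=0, slow_delay=None):
    """Constructed sample: 10 requests, 3 of them illegal; not data from the patent."""
    reqs = []
    for i in range(10):
        illegal = i < 3
        blocked = illegal and i >= missed_illegal  # first `missed_illegal` illegal ones slip through
        delay = None if blocked else 10.0 + i
        reqs.append(Request(illegal=illegal, intercepted=blocked, delay=delay))
    if slow_delay is not None:
        reqs[-1].delay = slow_delay
    return reqs

if __name__ == "__main__":
    for label, run in [("baseline", constructed_run()),
                       ("one illegal request passes", constructed_run(missed_illegal=1)),
                       ("slow target", constructed_run(slow_delay=80.0))]:
        print(label, evaluate_system(run))
```

The ratio comparison is an aggregate check: equal ratios show that the expected share of traffic was intercepted, not that each intercepted request was one of the illegal ones.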
CN202210669771.4A 2022-06-14 2022-06-14 Access request processing method, device and electronic device Active CN114944958B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210669771.4A CN114944958B (en) 2022-06-14 2022-06-14 Access request processing method, device and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210669771.4A CN114944958B (en) 2022-06-14 2022-06-14 Access request processing method, device and electronic device

Publications (2)

Publication Number Publication Date
CN114944958A (en) 2022-08-26
CN114944958B (en) 2025-03-04

Family

ID=82908844

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210669771.4A Active CN114944958B (en) 2022-06-14 2022-06-14 Access request processing method, device and electronic device

Country Status (1)

Country Link
CN (1) CN114944958B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117097576A (en) * 2023-10-20 2023-11-21 北京凯芯微科技有限公司 AXI bus firewall for functional safety

Citations (5)

Publication number Priority date Publication date Assignee Title
US5826014A (en) * 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
US20090083505A1 (en) * 2007-09-26 2009-03-26 Giles Chris M System and Method for Achieving Protected Region Within Computer System
US20110252462A1 (en) * 2010-04-07 2011-10-13 International Business Machines Corporation Authenticating a Remote Host to a Firewall
US20200213416A1 (en) * 2019-01-02 2020-07-02 Bank Of America Corporation Entry point classification of requests requiring access to data
CN113014571A (en) * 2021-02-22 2021-06-22 腾讯科技(深圳)有限公司 Method, device and storage medium for processing access request

Patent Citations (6)

Publication number Priority date Publication date Assignee Title
US5826014A (en) * 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
US20050229248A1 (en) * 1996-02-06 2005-10-13 Coley Christopher D Method for transparently managing outbound traffic from an internal user of a private network destined for a public network
US20090083505A1 (en) * 2007-09-26 2009-03-26 Giles Chris M System and Method for Achieving Protected Region Within Computer System
US20110252462A1 (en) * 2010-04-07 2011-10-13 International Business Machines Corporation Authenticating a Remote Host to a Firewall
US20200213416A1 (en) * 2019-01-02 2020-07-02 Bank Of America Corporation Entry point classification of requests requiring access to data
CN113014571A (en) * 2021-02-22 2021-06-22 腾讯科技(深圳)有限公司 Method, device and storage medium for processing access request

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN117097576A (en) * 2023-10-20 2023-11-21 北京凯芯微科技有限公司 AXI bus firewall for functional safety
CN117097576B (en) * 2023-10-20 2024-01-02 北京凯芯微科技有限公司 AXI bus firewall for functional safety

Also Published As

Publication number Publication date
CN114944958B (en) 2025-03-04

Similar Documents

Publication Publication Date Title
US20230144818A1 (en) Malicious software detection based on api trust
JP5736090B2 (en) Method, system and computer program for memory protection of virtual guest
CN106502926B (en) A memory monitoring method, memory access controller and SoC system
CN112528345B (en) Communication method, device, computer readable storage medium and chip
US11216192B2 (en) Memory protective apparatus for indirect access memory controller
US10924277B2 (en) Certifying authenticity of stored code and code updates
US9721104B2 (en) CPU-based measured boot
US11334258B2 (en) System and method for memory region protection
US8868793B2 (en) SAS expander system and method for dynamically allocating SAS addresses to SAS expander devices
US20170262388A1 (en) Method for data transmission and server for implementing the method
CN109992532A (en) Access rights management method for storage space and storage rights management unit
US11256830B2 (en) Apparatus for adding protection function for indirect access memory controller
CN114944958A (en) Processing method and device of access request and electronic equipment
CN104536916A (en) Arbitration method for multi-core system and multi-core system
US12050539B2 (en) Data access method and apparatus and storage medium
WO2020113478A1 (en) Address information processing method and apparatus, electronic device, and storage medium
CN110990318B (en) PCIe bus address expansion method, device, equipment and medium
WO2021232295A1 (en) Method and apparatus for monitoring software license information, and server and storage medium
CN114024879B (en) Deployment method, device and storage medium of a network probe
US20230078249A1 (en) Device for detecting zone parallelity of a solid state drive and operating method thereof
CN114490449B (en) Memory access method and device and processor
US20190317676A1 (en) Executable memory protection
CN111124814A (en) SOC memory access monitoring method and device and computer equipment
CN217640204U (en) Solid state disk and solid state disk access control system
US20220300315A1 (en) Supporting execution of a computer program by using a memory page of another computer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant