CN115022155A

CN115022155A - Information processing method, device and storage medium

Info

Publication number: CN115022155A
Application number: CN202210573270.6A
Authority: CN
Inventors: 张斌
Original assignee: Sangfor Technologies Co Ltd
Current assignee: Sangfor Technologies Co Ltd
Priority date: 2022-05-24
Filing date: 2022-05-24
Publication date: 2022-09-06
Anticipated expiration: 2042-05-24
Also published as: CN115022155B

Abstract

The invention provides an information processing method, an information processing device and a storage medium, wherein the method comprises the following steps: acquiring network flow data sent by a target host through quintuple information based on a predetermined local network chain; analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and is embedded into the network flow data of the terminal equipment initiating the connection; if the local network link is abnormal, sending abnormal information to a back-end processing node, wherein the abnormal information comprises terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes. Because the abnormal information in the scheme comprises the terminal identification information, the back-end processing node can rapidly determine a plurality of abnormal information for processing through the terminal identification information, the processing speed is increased, and the efficiency of determining abnormal equipment is further improved.

Description

Information processing method, device and storage medium

Technical Field

The embodiment of the invention relates to the technical field of network security, in particular to an information processing method, an information processing device and a storage medium.

Background

When the network security device performs security detection or host computer crash detection, it needs to analyze Internet Protocol (IP) address information in an alarm log corresponding to an attack network data stream, so as to detect an abnormal device. Because the Network environment of the Network security device is complex, a Network Address Translation (NAT) router exists in the intranet for communicating with the internet, and after one Network data stream between two communication hosts passes through the NAT router, the source and destination IP addresses are all converted, so that one Network data stream forms a plurality of alarm logs containing different source and destination IP addresses, and the efficiency of determining the abnormal device is low.

Disclosure of Invention

The information processing method, the information processing device and the storage medium provided by the embodiment of the invention can improve the efficiency of determining abnormal equipment.

The technical scheme of the invention is realized as follows:

the embodiment of the invention provides an information processing method, which comprises the following steps:

acquiring network flow data sent by a target host based on predetermined quintuple information of a local network chain;

analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and is embedded into the network flow data of the terminal equipment initiating the connection;

if the local network link is abnormal, sending abnormal information to a back-end processing node, wherein the abnormal information comprises terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

In the above scheme, the terminal identification information includes: terminal device information and/or a data stream unique value;

analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information, comprising the following steps:

and analyzing in a predetermined field of the network flow data to obtain terminal equipment information and/or a data flow unique value corresponding to the quintuple information.

The embodiment of the invention also provides an information processing method, which is applied to the back-end processing node and comprises the following steps:

acquiring N pieces of abnormal information; wherein N is an integer greater than 1;

determining a plurality of abnormal information belonging to the same data stream by using N terminal identification information corresponding to the N abnormal information; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

and determining abnormal equipment information by using the plurality of abnormal information.

In the above scheme, determining a plurality of pieces of abnormal information belonging to the same data stream by using N pieces of terminal identification information corresponding to N pieces of abnormal information includes:

and in the N pieces of abnormal information, the abnormal information of which the similarity between the identification information of each terminal is greater than or equal to a preset threshold value is used as a plurality of pieces of abnormal information belonging to the same data flow.

In the above scheme, determining abnormal device information by using a plurality of abnormal information includes:

sorting the plurality of abnormal information based on the time information corresponding to the plurality of abnormal information;

and determining abnormal equipment information according to the terminal identification information corresponding to each piece of sequenced abnormal information.

The embodiment of the invention also provides an information processing method, which is applied to the terminal node and comprises the following steps:

responding to the acquired instruction information to form data to be sent;

forming terminal identification information, and writing the terminal identification information into data to be sent to form a data stream;

and sending the data stream to a destination terminal node, so that a plurality of front-end nodes between the terminal node and the destination terminal node send abnormal information to a back-end processing node when detecting that the local network chain to which the front-end nodes belong is abnormal.

In the above scheme, the terminal identification information includes: terminal equipment information and/or a data stream unique value;

forming terminal identification information, and writing the terminal identification information into data to be sent to form a data stream, including:

acquiring local terminal equipment information, and forming a data stream unique value corresponding to data to be sent after a terminal node and a target terminal node are communicated for the first time;

and writing the terminal equipment information and/or the data stream unique value into a preset field of data to be sent to form a data stream.

and aggregating the plurality of abnormal information to obtain aggregated abnormal information so as to determine the abnormal source equipment information.

The embodiment of the invention also provides an information processing method, which is applied to the front-end node and comprises the following steps:

if the network flow data is abnormal, determining terminal identification information in a first mapping table based on quintuple information corresponding to the network flow data; the first mapping table comprises mapping relation information of a plurality of pieces of terminal identification information and a plurality of pieces of quintuple information;

the terminal identification information is sent to the terminal node, and the terminal node determines abnormal terminal information in a second mapping table according to the terminal identification information; the second mapping table includes mapping relationship information of the terminal identification information and the plurality of terminal attribute information.

An embodiment of the present invention further provides an information processing apparatus, which is applied to a front-end node, and includes:

the first data receiving unit is used for acquiring network flow data sent by a target host based on predetermined quintuple information of a local network chain;

the analysis unit is used for analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and the terminal identification information is embedded into the network flow data of the terminal equipment initiating the connection;

a first sending unit, configured to send, if the local network link is abnormal, abnormal information to a back-end processing node, where the abnormal information includes the terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

An embodiment of the present invention further provides an information processing apparatus, applied to a back-end processing node, including:

the second data receiving unit is used for acquiring N pieces of abnormal information; wherein N is an integer greater than 1;

a first determining unit, configured to determine, by using N pieces of terminal identification information corresponding to the N pieces of abnormal information, a plurality of pieces of abnormal information belonging to the same data flow; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

and the processing unit is used for determining abnormal equipment information by using the plurality of abnormal information.

An embodiment of the present invention further provides an information processing apparatus, which is applied to a terminal node, and includes:

the response unit is used for responding to the acquired instruction information and forming data to be sent;

the data processing unit is used for forming terminal identification information and writing the terminal identification information into the data to be sent to form a data stream;

and the second sending unit is used for sending the data stream to a destination terminal node, so that when a plurality of front end nodes between the terminal node and the destination terminal node detect that the local network chain to which the front end nodes belong is abnormal, abnormal information is sent to a back end processing node.

a second determining unit, configured to determine, by using N pieces of terminal identification information corresponding to the N pieces of abnormal information, a plurality of pieces of abnormal information belonging to the same data flow; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

and the aggregation unit is used for aggregating the plurality of abnormal information to obtain aggregated abnormal information so as to determine the abnormal source equipment information.

the third data receiving unit is used for acquiring network flow data sent by the target host based on the predetermined quintuple information of the local network chain;

a third determining unit, configured to determine, if the network flow data is abnormal, terminal identification information in a first mapping table based on the quintuple information corresponding to the network flow data; the first mapping table comprises mapping relation information of a plurality of pieces of terminal identification information and a plurality of pieces of quintuple information;

a third sending unit, configured to send the terminal identifier information to a terminal node, so that the terminal node determines, according to the terminal identifier information, abnormal terminal information in a second mapping table; the second mapping table includes mapping relationship information between the terminal identification information and a plurality of terminal attribute information.

The embodiment of the invention also provides an information processing device, which comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor executes the program to realize the steps of the method.

An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the steps in the above method.

In the embodiment of the invention, network flow data sent by a target host is obtained through quintuple information based on a predetermined local network chain; analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and is embedded into the network flow data of the terminal equipment initiating the connection; if the local network link is abnormal, sending abnormal information to a back-end processing node, wherein the abnormal information comprises terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes. Because the abnormal information in the scheme comprises the terminal identification information, the back-end processing node can rapidly determine a plurality of abnormal information for processing through the terminal identification information, the processing speed is increased, and the efficiency of determining abnormal equipment is further improved.

Drawings

Fig. 1 is an optional flowchart of an information processing method according to an embodiment of the present invention;

fig. 2 is a schematic diagram illustrating an optional effect of the information processing method according to the embodiment of the present invention;

fig. 3 is an alternative flow chart of an information processing method according to an embodiment of the present invention;

fig. 4 is an alternative flow chart of the information processing method according to the embodiment of the present invention;

fig. 5 is an alternative flow chart of the information processing method according to the embodiment of the present invention;

fig. 6 is an alternative flow chart of the information processing method according to the embodiment of the present invention;

fig. 7 is an interaction diagram of an information processing method according to an embodiment of the present invention;

FIG. 8 is a first schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;

FIG. 9 is a first diagram illustrating a first hardware entity of an information processing apparatus according to an embodiment of the present invention;

FIG. 10 is a second schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;

fig. 11 is a hardware entity diagram of an information processing apparatus according to an embodiment of the present invention;

fig. 12 is a third schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;

fig. 13 is a hardware entity diagram of an information processing apparatus according to a third embodiment of the present invention;

fig. 14 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;

fig. 15 is a hardware entity diagram of an information processing apparatus according to a fourth embodiment of the present invention;

fig. 16 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;

fig. 17 is a hardware entity diagram of an information processing apparatus according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are further elaborated with reference to the drawings and the embodiments, which are not to be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without making creative efforts fall within the protection scope of the present invention.

In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.

The following description will be added if similar descriptions of "first/second" appear in the invention document, and in the following description, reference is made to the term "first \ second \ third" merely to distinguish similar objects and not to represent a particular ordering for the objects, and it is to be understood that "first \ second \ third" may be interchanged under certain circumstances or the order of precedence so that embodiments of the invention described herein can be practiced in other than the order illustrated or described herein.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.

In the related art, some hosts inside a private network can communicate with the internet using a NAT router method. This approach requires NAT software to be installed on the router of the private network connected to the internet. A router with NAT software, called a NAT router, has at least one valid external global IP address. Therefore, when all hosts using local addresses communicate with the outside, the local addresses of the hosts need to be converted into global IP addresses on the NAT router so as to be connected with the Internet.

The NAT router not only can solve the problem of insufficient lP addresses, but also can effectively avoid attacks from the outside of the network, and hide and protect computers inside the network. The private address of the internal network is converted into the public address of the external network. So that hosts on the intranet can access the Internet.

The intranet network generally has NAT router translation, and illustratively, two layers of NAT translation exist between the host a and the host B, which are NAT1 and NAT2, respectively, a network link from the host a to the NAT1 is network link 1, a network link from the NAT1 to the NAT2 is network link 2, and a network link from the NAT2 to the host B is network link 3. The source and destination IP addresses of a data stream from host a to host B differ at network chains 1, 2, 3.

If the enterprise chooses to deploy network security devices at1, 2, and 3, a network flow from host a to host B will now generate three alarm logs, which are essentially the same network traffic. This can cause great trouble in determining the attacking host. 1. Three alarm logs are generated by one network flow, and the 3 alarm logs need to be analyzed. 2. It is difficult to accurately identify which IP address belongs to which host is the real attack source host and which is the destination host from the 3 alarm logs. And thus the efficiency of determining the attacking host is low.

Fig. 1 is an optional flowchart of an information processing method according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 1.

S101, determining network flow data of the local network chain from the acquired multiple network flow data based on the predetermined quintuple information of the local network chain.

In the embodiment of the invention, the front-end node acquires the network flow data sent by the target host based on the predetermined quintuple information of the local network chain.

In the embodiment of the invention, the front-end node determines the network flow data sent by the target host in the acquired multiple network flow data based on the predetermined quintuple information of the local network chain.

In the embodiment of the invention, the front-end node acquires and stores quintuple information in the first communication data flow of the local network chain.

In the embodiment of the invention, when the two terminals perform TCP three-way handshake, corresponding first communication data flow can be formed in each network chain between the two terminals, and the front-end node acquires and stores quintuple information in the first communication data flow of the local network chain to which the front-end node belongs.

In an embodiment of the present invention, the quintuple information includes: source network address information, source port information, destination network address information, destination port information, and transport layer protocol information. The front-end node matches the intermediate source network address information, the intermediate source port information and the intermediate destination network address information contained in each data with the source network address information, the source port information, the destination network address information, the destination port information and the transmission layer protocol information respectively. And the front-end node determines that the data corresponding to the first source network address information, the first intermediate source port information, the first intermediate destination network address information, the first intermediate destination port information and the first intermediate transport layer protocol information which are matched with the quintuple information are network flow data.

In the embodiment of the present invention, a plurality of NAT routers may be configured between two communication terminals, and a front-end node may be configured between each NAT router and a previous device (the front-end node may be a network security device, where the target host may be the previous device corresponding to each NAT router). When two communication terminals establish communication connection for the first time, the front end node acquires quintuple information of a local network chain to which the front end node belongs and stores the quintuple information. The front-end node may determine network flow data sent by the target host among the received plurality of network flow data using the quintuple information.

In the embodiment of the present invention, the front-end node may be a firewall or a situation awareness device. Wherein, the quintuple information comprises: source IP address information, source port information, destination IP address information, destination port information, and transport layer protocol information. A local network chain refers to a communication link between two network devices at which a front-end node is located. For example, the local network link may be a network link between a communication terminal and a NAT router, and the local network link may also be a network link between two adjacent NAT routers.

Illustratively, in conjunction with fig. 2, a NAT1 and a NAT2 are configured between the host a and the host B. The network chain 1 between host a and NAT1 can configure the front-end node 1, with the local network chain to which the front-end node 1 belongs being network chain 1. The network chain 2 between the NAT1 and the NAT2 can configure the front end node 2, the local network chain to which the front end node 2 belongs is the network chain 2, the network chain 3 between the NAT2 and the host B can configure the front end node 3, and the local network chain to which the front end node 3 belongs is the network chain 3. The front-end node 1 may determine the network flow data sent by host a through the quintuple information of network chain 1. The front-end node 2 may determine the network flow data sent by the NAT1 from the five tuple information of the network chain 2. The front-end node 3 may determine the network flow data sent by the NAT2 from the five tuple information of the network chain 3.

In the embodiment of the invention, when network security equipment such as a firewall or situation awareness performs security detection, link tracking is established for each network flow based on quintuple information after three handshakes of a Transmission Control Protocol (TCP).

S102, analyzing network flow data to obtain terminal identification information corresponding to quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and the terminal identification information is embedded into the network flow data of the terminal equipment initiating the connection.

In the embodiment of the invention, the front-end node analyzes the network flow data to obtain the terminal identification information corresponding to the quintuple information. The terminal identification information is the identification of the terminal equipment initiating the connection, and the terminal identification information is embedded into network flow data of the terminal equipment initiating the connection.

In the embodiment of the invention, the front end node analyzes the preset field of the network flow data to obtain the terminal identification information. In the embodiment of the invention, the terminal node collects a plurality of attribute information of the terminal node, randomly forms a corresponding unique value of the data stream based on the current data stream, and combines the plurality of attribute information and the unique value to form the terminal identification information. The terminal node writes the plurality of attribute information and the unique data stream value into a preset field of data to be sent, and then sends the data to a target terminal node through the plurality of front end nodes.

In the embodiment of the invention, the front-end node analyzes the preset field of the network flow data to obtain the terminal name information, the terminal physical address information and/or the data flow unique value. Wherein, the terminal identification information may include: terminal device information and a data stream unique value. The terminal device information may also include: terminal name information, terminal physical address information. The predetermined field may be a TCP option or an IP option field.

In the embodiment of the present invention, the front-end node may write the terminal device information and/or the data stream unique value into a certain field of the five-tuple information of the network data stream.

In the embodiment of the invention, when the network security equipment acquires the network stream data, the information such as the host name, the Media Access Control Address (MAC) and the unique value of the data stream is analyzed.

In the embodiment of the invention, the terminal node corresponding to the front-end node can be provided with the end point protection software, and the end point protection software acquires the terminal name information and the terminal physical address information of the terminal. When a terminal initiates network link, the endpoint protection software writes terminal name information, terminal physical address information, unique values randomly generated based on data streams and other information into TCP option (TCP option) or IP option (IP option) fields of a plurality of data packets after three-way handshake of TCP connection. The Endpoint protection software may be an Endpoint Detection and Response (EDR) component.

S103, if the local network link is abnormal, sending abnormal information to a back-end processing node, wherein the abnormal information comprises terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

In the embodiment of the invention, if the local network link is abnormal, the front-end node sends abnormal information to the back-end processing node, wherein the abnormal information comprises terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

In the embodiment of the invention, the front-end node detects the network flow data by using a preset program, and if the network flow data is attack behavior data, the front-end node records quintuple information of the network flow data and associated terminal identification information to form abnormal information and sends the abnormal information to the back-end processing node. Meanwhile, a plurality of front end nodes between the terminal node and the destination terminal node all send abnormal information of corresponding data streams to the back end processing node. And the back-end processing node can process the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes, so as to determine the abnormal equipment information.

In the embodiment of the invention, the terminal node writes the terminal identification information into the data stream, and then sends the data stream to the destination terminal node. At this time, the plurality of front-end nodes between the terminal node and the destination terminal node all form corresponding abnormal information, but the terminal identification information contained in the plurality of abnormal information is the same, and the back-end processing node can use the same characteristic of the terminal identification information in the plurality of abnormal information to perform sequencing and aggregation on the plurality of abnormal information. And determining abnormal equipment information and abnormal source equipment information by using the information obtained after sequencing and aggregation.

In the embodiment of the invention, no matter how many NAT routers the data flow of the same attack behavior between the two terminal nodes passes through, the terminal identification information contained in the data flow does not change, and then the front end node can form abnormal information based on the characteristics. The back-end processing node can determine a plurality of abnormal information belonging to the same attack data flow between the two terminals through the terminal identification information in the N pieces of abnormal information, and then uses the timestamps of the plurality of abnormal information to perform sequencing aggregation, so that the abnormal equipment information can be determined more quickly.

Fig. 3 is an optional flowchart of an information processing method according to an embodiment of the present invention, which will be described with reference to the steps shown in fig. 3.

S201, acquiring N pieces of abnormal information.

In the embodiment of the invention, the back-end processing node acquires N pieces of abnormal information. Wherein N is an integer greater than 1.

In the embodiment of the invention, the back-end processing node receives N pieces of abnormal information sent by different front-end nodes. Wherein N is an integer greater than 1.

In the embodiment of the present invention, the back-end processing node may be a server connected with a plurality of front-end nodes.

Wherein, a plurality of front-end nodes can be configured between two terminals of the same pair, and a plurality of front-end nodes can also be configured between two terminals of different pairs.

S202, determining a plurality of abnormal information belonging to the same data flow by using N pieces of terminal identification information corresponding to the N pieces of abnormal information; and each terminal identification information is the identification of the corresponding terminal equipment initiating the connection.

In the embodiment of the invention, a back-end processing node determines a plurality of abnormal information belonging to the same data stream by using N pieces of terminal identification information corresponding to N pieces of abnormal information; and each terminal identification information is the identification of the corresponding terminal equipment initiating the connection.

In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information containing the same terminal identification information from the N abnormal information.

In the embodiment of the present invention, the back-end processing node may determine, from the N pieces of exception information, a plurality of pieces of exception information including the same unique value of the data stream.

In the embodiment of the invention, the back-end processing node takes a plurality of abnormal information of which the similarity between the identification information of each terminal is greater than or equal to a preset threshold value in the N pieces of abnormal information as a plurality of abnormal information belonging to the same data flow. The preset threshold may be a predetermined value.

In the embodiment of the invention, the back-end processing node calculates the similarity between any two pieces of terminal identification information in the N pieces of terminal identification information. And the back-end processing node finds the similarity which is greater than or equal to a preset threshold value in all the similarities. In the embodiment of the present invention, the back-end processing node may calculate that the similarity between the terminal identification information 1 and the terminal identification information 2, and the similarity between the terminal identification information 3 and the terminal identification information 4 are greater than the preset threshold. The back-end processing node may calculate that the similarity between the terminal identification information 5 and the terminal identification information 6 and the terminal identification information 7 is greater than a preset threshold. The back-end processing node may determine that the abnormal information corresponding to the terminal identification information 1 and the terminal identification information 2, and the terminal identification information 3 and the terminal identification information 4 is the abnormal information of the same data flow, and the back-end processing node may determine that the abnormal information corresponding to the terminal identification information 5 and the terminal identification information 6, and the terminal identification information 7 is the abnormal information of the same data flow.

Wherein the terminal identification information includes: terminal name information, terminal physical address information, and a data stream unique value.

S203, the abnormal equipment information is determined by using the plurality of abnormal information.

In the embodiment of the invention, the back-end processing node determines the abnormal equipment information by using the plurality of abnormal information.

In the embodiment of the invention, the plurality of abnormal information of the back-end processing node are sequenced, and the abnormal equipment information is determined according to the sequenced abnormal information.

In the embodiment of the present invention, the back-end processing node sequences the plurality of abnormal information based on the time information (timestamp) corresponding to the plurality of abnormal information. And the back-end processing node determines abnormal equipment information according to the terminal identification information corresponding to each piece of sequenced abnormal information.

In the embodiment of the invention, the back-end processing node can determine the abnormal equipment information through the sorted terminal identification information of each piece of abnormal information. And then the user can determine abnormal equipment in a certain sequence according to the abnormal equipment information.

In the embodiment of the present invention, the back-end processing node may determine that a first abnormal device of the multiple abnormal devices in the primary order is an abnormal source device.

In the embodiment of the invention, the back-end processing node can aggregate a plurality of abnormal information through the timestamps of the plurality of abnormal information to obtain the aggregated abnormal information. And enabling the user to determine the abnormal source equipment information by aggregating the terminal identification information in the abnormal information.

In the embodiment of the invention, the back-end processing node can be in communication connection with a plurality of front-end nodes. The plurality of front-end nodes may be network security devices between different groups of two terminals. No matter how many NAT routers the data flow of the same attack behavior between the two terminals passes through, the terminal identification information in the network data flow sent by the data flow does not change, and then the front end node can form abnormal information with the same terminal identification information. The back-end processing node can determine a plurality of abnormal information belonging to the same attack data flow between two terminals through the terminal identification information in the N pieces of abnormal information, and then sort the abnormal information by utilizing the timestamps of the abnormal information to form abnormal information in a certain order. And then abnormal equipment information can be determined more quickly.

In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information belonging to the same data stream by using the terminal identification information contained in the N pieces of abnormal information, and further processes the plurality of abnormal information, so that the processing speed is increased, and the efficiency of determining abnormal equipment is increased.

In some embodiments, referring to fig. 4, fig. 4 is an optional flowchart of an information processing method provided in an embodiment of the present invention, and will be described with reference to steps.

And S301, responding to the acquired instruction information to form data to be transmitted.

In the embodiment of the invention, the terminal node responds to the acquired instruction information to form data to be sent.

In the embodiment of the invention, the terminal node responds to the acquired instruction information of the target object and forms data to be sent through a predetermined process.

In the embodiment of the invention, the terminal node responds to the instruction information of certain application and forms data to be sent through a predetermined process.

S302, terminal identification information is formed and written into data to be sent to form a data stream.

In the embodiment of the invention, the terminal node forms the terminal identification information and writes the terminal identification information into the data to be sent to form the data stream.

In the embodiment of the invention, the terminal node forms the terminal identification information based on the self attribute and the prepared data stream, and writes the terminal identification information into the data to be sent to form the data stream.

In the embodiment of the invention, the terminal node collects a plurality of attribute information (which can be process information, file information or registry information of response instruction information) of the terminal node through the broken terminal point protection software and randomly forms a data stream unique value corresponding to the prepared data stream. And then terminal identification information is obtained. And the terminal node writes the terminal identification information into the data to be sent to form a data stream.

S303, the data flow is sent to the destination terminal node, and when the plurality of front end nodes between the terminal node and the destination terminal node detect the abnormality of the local network chain, the abnormal information is sent to the back end processing node.

In the embodiment of the invention, a terminal node sends a data stream to a destination terminal node, when a plurality of front-end nodes between the terminal node and the destination terminal node detect that a local network chain to which the front-end nodes belong is abnormal, abnormal information is sent to a back-end processing node, and the back-end processing node determines a plurality of pieces of abnormal information belonging to the same data stream in the received abnormal information by using terminal identification information and processes the plurality of pieces of abnormal information to determine abnormal equipment information.

Illustratively, in conjunction with FIG. 2, host A sends the resulting data stream to host B. The data flow will pass through NAT1 and NAT2 as well as front end node 1, front end node 2 and front end node 3. The front-end node 1, the front-end node 2 and the front-end node 3 detect the data streams acquired respectively, and when the detection is abnormal, the front-end node 1, the front-end node 2 and the front-end node 3 form three abnormal information and send the three abnormal information to the back-end processing node. And the back-end processing node extracts 3 abnormal information sent by the front-end node 1, the front-end node 2 and the front-end node 3 from the N abnormal information by using the terminal identification information, sorts the 3 abnormal information and further determines the abnormal equipment information.

In the embodiment of the invention, the terminal node is detected by a plurality of front-end nodes in the process of sending the data stream to the target terminal node, and when the abnormality is detected, a plurality of formed abnormal information is sent to the back-end processing node, so that the back-end processing node can rapidly extract the abnormal information by using the terminal identification information for processing, the processing speed is improved, and the efficiency of determining abnormal equipment is further improved.

In some embodiments, S302 shown in fig. 4 may be implemented by S304 to S305, which will be described in conjunction with the steps.

S304, local terminal equipment information is obtained, and a data stream unique value is formed corresponding to data to be sent after the terminal node and the target terminal node communicate for the first time.

In the embodiment of the invention, the terminal node acquires the local terminal equipment information and forms a data stream unique value corresponding to the data to be sent after the terminal node and the target terminal node communicate for the first time. The terminal identification information includes: terminal device information and/or a data stream unique value.

In the embodiment of the invention, the terminal node acquires the local terminal equipment information and forms a data stream unique value corresponding to the data to be sent after the TCP first handshake between the terminal node and the target terminal node.

In the embodiment of the invention, the terminal node acquires the local terminal name information and the terminal physical address information, and forms a data stream unique value corresponding to the data to be sent after the TCP first handshake.

In the embodiment of the invention, the terminal node can calculate the data to be sent by using a preset algorithm to form a data stream unique value. The terminal can also randomly form a data stream unique value corresponding to the prepared data stream.

In the embodiment of the present invention, the terminal node may determine an information segment with a predetermined byte length in the payload of the data to be sent, and the terminal node may calculate the information segment by using a hash Algorithm or an information Digest Algorithm (MD5 Message-Digest Algorithm, MD5) Algorithm to obtain a unique value of the data stream.

S305, writing the terminal equipment information and/or the data stream unique value into a preset field of data to be sent to form a data stream.

In the embodiment of the invention, the terminal node writes the terminal equipment information and/or the unique value of the data stream into the preset field of the data to be sent, and the data streams of all rows in the new city.

In the embodiment of the invention, the terminal node writes the terminal name information, the terminal physical address information and/or the data stream unique value into the preset field of the prepared data stream to form the data stream.

In some embodiments, referring to fig. 5, fig. 5 is an optional flowchart of an information processing method provided in an embodiment of the present invention, and will be described with reference to steps.

S401, N pieces of abnormal information are obtained.

S402, determining a plurality of abnormal information belonging to the same data flow by using N terminal identification information corresponding to the N abnormal information; and each terminal identification information is the identification of the corresponding terminal equipment initiating the connection.

And S403, aggregating the plurality of abnormal information to obtain aggregated abnormal information so as to determine the abnormal source equipment information.

In the embodiment of the invention, the back-end processing node aggregates the plurality of abnormal information to obtain the aggregated abnormal information so as to determine the abnormal source equipment information.

In the embodiment of the invention, the back-end processing node aggregates the plurality of abnormal information by using the time information of the received plurality of abnormal information to obtain the aggregated abnormal information. And the back-end processing node determines the information of the abnormal source equipment in the aggregated abnormal information so as to determine the abnormal source equipment.

In the embodiment of the invention, the back-end processing node sequences the abnormal information according to the time information of the abnormal information. And the back-end processing node acquires the source network address information and the source port information of the first abnormal information after sequencing and the destination network address information and the destination port information of the last abnormal information, and combines the transport layer protocol information, the terminal identification information and the unique data flow value which are all contained in a plurality of abnormal information to form aggregated abnormal information. And the back-end processing node determines that the source network address information, the source port information and the terminal identification information (terminal name information and terminal physical address information) are abnormal source equipment information in the aggregation abnormal information, so that a user can determine the abnormal source equipment based on the source network address information, the source port information and the terminal identification information.

In the embodiment of the present invention, each of the plurality of pieces of exception information includes: source network address information, source port information, destination network address information, destination port information, transport layer protocol information, terminal name information, terminal physical address information, and a data stream unique value.

In the embodiment of the present invention, if the back-end processing node receives three exception messages A, B, C. The three pieces of exception information A, B, C respectively correspond to timestamps of 15:04:02, 15:04:03 and 15:04: 06. The back-end processing node orders the three exception information A, B, C in the order of the three timestamps. And the back-end processing node acquires the source IP address information of the abnormal information A, acquires the source IP address information of the abnormal information C, and combines the transport layer protocol information, the terminal identification information and the unique value of the data flow to form the aggregated abnormal information.

In the embodiment of the invention, the back-end processing node determines that the source IP address information, the source port information, the terminal name information and the terminal physical address information are abnormal equipment information in the aggregation abnormal information, so that a user can determine abnormal equipment according to the abnormal equipment information.

In some embodiments, referring to fig. 6, fig. 6 is an optional flowchart of an information processing method according to an embodiment of the present invention, and will be described with reference to steps.

S501, network flow data sent by the target host is obtained based on the predetermined quintuple information of the local network chain.

In the embodiment of the invention, the front end node acquires the network flow data sent by the target host based on the predetermined quintuple information of the local network chain.

S502, if the network flow data is abnormal, determining terminal identification information in a first mapping table based on quintuple information corresponding to the network flow data; the first mapping table includes mapping relationship information of a plurality of terminal identification information and a plurality of quintuple information.

In the embodiment of the invention, if the network flow data is abnormal, the front-end node determines the terminal identification information in the first mapping table based on the quintuple information corresponding to the network flow data. The first mapping table includes mapping relationship information of a plurality of terminal identification information and a plurality of quintuple information.

In the embodiment of the invention, the front-end node detects the network flow data through a preset program, and if the network flow data is abnormal, the front-end node extracts quintuple information from the network flow data. And the front-end node determines corresponding terminal identification information in the first mapping table through the quintuple information.

In the embodiment of the present invention, when the front-end node performs data detection, the terminal identifier information and the quintuple information also need to be associated to form the first mapping table.

S503, sending the terminal identification information to the terminal node for the terminal node to determine abnormal terminal information in a second mapping table according to the terminal identification information; the second mapping table includes mapping relationship information between the terminal identification information and the plurality of terminal attribute information.

In the embodiment of the invention, the front end node sends the terminal identification information to the terminal node, so that the terminal node can determine abnormal terminal information in a second mapping table according to the terminal identification information; the second mapping table includes mapping relationship information of the terminal identification information and the plurality of terminal attribute information.

In the embodiment of the present invention, when the terminal node performs information acquisition, the terminal identification information also needs to be associated with multiple pieces of terminal attribute information to form a second mapping table. The plurality of terminal attribute information includes: process information, file information, and registry information corresponding to the data stream are formed.

In some embodiments, referring to fig. 7, fig. 7 is an interaction schematic diagram of an information processing method provided by an embodiment of the present invention, and the description will be made with reference to each step.

S601, the back-end processing node acquires N abnormal information.

The detailed implementation of step S601 is consistent with that of S201, and is not described herein again.

S602, the back-end processing node determines a plurality of abnormal information belonging to the same data flow by using N pieces of terminal identification information corresponding to the N pieces of abnormal information; and each terminal identification information is the identification of the corresponding terminal equipment initiating the connection.

The detailed implementation of step S602 is consistent with the implementation of step S202, and is not described herein again.

S603, the back-end processing node determines the abnormal equipment information by using the plurality of abnormal information.

The detailed implementation of step S603 is consistent with that of S203, and is not described herein again.

Referring to fig. 8, fig. 8 is a first schematic structural diagram of an information processing apparatus according to an embodiment of the present invention.

An embodiment of the present invention further provides an information processing apparatus 500, which is applied to a front-end node, and includes: a first data receiving unit 503, a parsing unit 504 and a first sending unit 505.

A first data receiving unit 503, configured to acquire network stream data sent by a target host based on predetermined quintuple information of a local network chain;

an analyzing unit 504, configured to analyze the network flow data to obtain terminal identifier information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and the terminal identification information is embedded into the network flow data of the terminal equipment initiating the connection;

a first sending unit 505, configured to send, if the local network link is abnormal, abnormal information to a back-end processing node, where the abnormal information includes the terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

In the embodiment of the present invention, the terminal identification information includes: terminal equipment information and/or a data stream unique value; the parsing unit 504 in the information processing apparatus 500 is configured to parse a predetermined field of the network stream data to obtain the terminal device information and/or the data stream unique value corresponding to the quintuple information.

In the embodiment of the present invention, the first data receiving unit 503 acquires network stream data sent by the target host based on predetermined quintuple information of the local network link; analyzing the network flow data through an analyzing unit 504 to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and is embedded into the network flow data of the terminal equipment initiating the connection; if the local network link is abnormal, the first sending unit 505 sends abnormal information to the back-end processing node, where the abnormal information includes terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes. Because the abnormal information in the scheme comprises the terminal identification information, the back-end processing node can rapidly determine a plurality of abnormal information for processing through the terminal identification information, the processing speed is increased, and the efficiency of determining abnormal equipment is further improved.

It should be noted that, in the embodiment of the present invention, if the information processing method is implemented in the form of a software functional module and sold or used as a standalone product, the information processing method may also be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention may be substantially implemented or portions thereof that contribute to the related art may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing an information processing apparatus (which may be a personal computer or the like) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.

Correspondingly, the embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the above-mentioned method.

Correspondingly, the embodiment of the present invention provides an information processing apparatus, which includes a first memory 502 and a first processor 501, where the first memory 502 stores a computer program that can be executed on the first processor 501, and the first processor 501 implements the steps in the method when executing the computer program.

Here, it should be noted that: the above description of the storage medium and apparatus embodiments, similar to the description of the method embodiments above, have similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.

It should be noted that fig. 9 is a first schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, as shown in fig. 9, the hardware entity of the information processing apparatus 500 includes: a first processor 501 and a first memory 502, wherein;

the first processor 501 generally controls the overall operation of the information processing apparatus 500.

The first Memory 502 is configured to store instructions and applications executable by the first processor 501, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the first processor 501 and modules in the information processing apparatus 500, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).

Referring to fig. 10, fig. 10 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present invention.

An embodiment of the present invention further provides an information processing apparatus 600, applied to a back-end processing node, including: a second data receiving unit 603, a first determining unit 604 and a processing unit 605.

A second data receiving unit 603, configured to obtain N pieces of exception information; wherein N is an integer greater than 1;

a first determining unit 604, configured to determine, by using N pieces of terminal identification information corresponding to the N pieces of abnormal information, a plurality of pieces of abnormal information belonging to the same data flow; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

the processing unit 605 is configured to determine abnormal device information by using the plurality of abnormal information.

In this embodiment of the present invention, the first determining unit 604 in the information processing apparatus 600 is configured to, among the N pieces of abnormal information, use, as a plurality of pieces of abnormal information belonging to the same data flow, abnormal information whose similarity between terminal identification information is greater than or equal to a preset threshold.

In this embodiment of the present invention, the processing unit in the information processing apparatus 600 is configured to sort the plurality of abnormal information based on the time information corresponding to the plurality of abnormal information; and determining abnormal equipment information according to the terminal identification information corresponding to each piece of sequenced abnormal information.

In the embodiment of the present invention, the second data receiving unit 603 is configured to obtain N pieces of abnormal information; n is an integer greater than 1; a first determining unit 604, configured to determine multiple pieces of abnormal information belonging to the same data flow by using N pieces of terminal identification information corresponding to the N pieces of abnormal information; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection; the processing unit 605 is configured to determine abnormal device information by using the plurality of abnormal information. Because the abnormal information in the scheme comprises the terminal identification information, the back-end processing node can rapidly process a plurality of abnormal information sent by a plurality of front-end nodes through the terminal identification information, and the efficiency of determining abnormal equipment is improved.

Correspondingly, the embodiment of the present invention provides an information processing apparatus, which includes a second memory 602 and a second processor 601, where the second memory 602 stores a computer program operable on the second processor 601, and the second processor 601 executes the computer program to implement the steps in the method.

Here, it should be noted that: the above description of the storage medium and apparatus embodiments is similar to the description of the method embodiments above, with similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.

Fig. 11 is a schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, and as shown in fig. 11, the hardware entity of the information processing apparatus 600 includes: a second processor 601 and a second memory 602, wherein;

the second processor 601 generally controls the overall operation of the information processing apparatus 600.

The second Memory 602 is configured to store instructions and applications executable by the second processor 601, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the second processor 601 and modules in the information processing apparatus 600, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).

Referring to fig. 12, fig. 12 is a schematic structural diagram three of an information processing apparatus according to an embodiment of the present invention.

An embodiment of the present invention further provides an information processing apparatus 800, which is applied to a terminal node, and includes: a response unit 703, a data processing unit 704 and a second sending unit 705.

A response unit 703, configured to respond to the acquired instruction information to form data to be sent;

a data processing unit 704, configured to form terminal identification information, and write the terminal identification information into the data to be sent to form a data stream;

a second sending unit 705, configured to send the data stream to a destination terminal node, so that when detecting that a local network chain to which a plurality of front-end nodes between the terminal node and the destination terminal node belong is abnormal, the front-end nodes send abnormal information to a back-end processing node.

In the embodiment of the present invention, the terminal identification information includes: terminal equipment information and/or a data stream unique value;

the data processing unit 704 is configured to obtain local terminal device information, and form a data stream unique value corresponding to data to be sent after the terminal node and the destination terminal node communicate for the first time; and writing the terminal equipment information and/or the data stream unique value into a preset field of data to be sent to form a data stream.

Because the abnormal information in the scheme comprises the terminal identification information, the back-end processing node can rapidly process a plurality of abnormal information sent by a plurality of front-end nodes through the terminal identification information, and the efficiency of determining abnormal equipment is improved.

Correspondingly, an embodiment of the present invention provides an information processing apparatus, including a third memory 702 and a third processor 701, where the third memory 702 stores a computer program operable on the third processor 701, and the third processor 701 implements the steps in the method when executing the computer program.

It should be noted that fig. 13 is a schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, and as shown in fig. 13, the hardware entity of the information processing apparatus 700 includes: a third processor 701 and a third memory 702, wherein;

the third processor 701 generally controls the overall operation of the information processing apparatus 700.

The third Memory 702 is configured to store instructions and applications executable by the third processor 701, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the third processor 701 and modules in the information processing apparatus 700, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).

Referring to fig. 14, fig. 14 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present invention.

An embodiment of the present invention further provides an information processing apparatus, applied to a back-end processing node, including: a second data receiving unit 803, a second determining unit 804, and an aggregating unit 805.

A second data receiving unit 803, configured to acquire N pieces of exception information; wherein N is an integer greater than 1;

a second determining unit 804, configured to determine multiple pieces of abnormal information belonging to the same data flow by using N pieces of terminal identification information corresponding to the N pieces of abnormal information; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

an aggregating unit 805, configured to aggregate the plurality of abnormal information to obtain aggregated abnormal information, so as to determine the abnormal source device information.

Correspondingly, an embodiment of the present invention provides an information processing apparatus, which includes a fourth memory 802 and a fourth processor 801, where the fourth memory 802 stores a computer program operable on the fourth processor 801, and the fourth processor 801 implements the steps in the foregoing method when executing the computer program.

It should be noted that fig. 15 is a schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, and as shown in fig. 15, the hardware entity of the information processing apparatus 800 includes: a fourth processor 801 and a fourth memory 802, wherein;

the fourth processor 801 generally controls the overall operation of the information processing apparatus 800.

The fourth Memory 802 is configured to store instructions and applications executable by the fourth processor 801, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by each module in the fourth processor 801 and the information processing apparatus 800, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).

Referring to fig. 16, fig. 16 is a schematic structural diagram five of an information processing apparatus according to an embodiment of the present invention.

An embodiment of the present invention further provides an information processing apparatus, which is applied to a front-end node, and includes: a third data receiving unit 903, a third determining unit 904 and a third transmitting unit 905.

A third data receiving unit 903, configured to acquire network stream data sent by the target host based on predetermined quintuple information of the local network chain;

a third determining unit 904, configured to determine, if the network flow data is abnormal, terminal identifier information in a first mapping table based on the quintuple information corresponding to the network flow data; the first mapping table comprises mapping relation information of a plurality of pieces of terminal identification information and a plurality of pieces of quintuple information;

a third sending unit 905, configured to send the terminal identifier information to a terminal node, so that the terminal node determines, according to the terminal identifier information, abnormal terminal information in a second mapping table; the second mapping table includes mapping relationship information between the terminal identification information and a plurality of terminal attribute information.

Correspondingly, an embodiment of the present invention provides an information processing apparatus, including a fifth memory 902 and a fifth processor 901, where the fifth memory 902 stores a computer program operable on the fifth processor 901, and the fifth processor 901 implements the steps in the method when executing the computer program.

It is to be noted here that: the above description of the storage medium and apparatus embodiments, similar to the description of the method embodiments above, have similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.

It should be noted that fig. 17 is a schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, and as shown in fig. 17, the hardware entity of the information processing apparatus 900 includes: a fifth processor 901 and a fifth memory 902, wherein;

the fifth processor 901 generally controls the overall operation of the information processing apparatus 900.

The fifth Memory 902 is configured to store instructions and applications executable by the fifth processor 901, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the fifth processor 901 and modules in the information processing apparatus 900, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).

It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.

It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or in other forms.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.

Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.

Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media that can store program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.

The above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present invention, and shall cover the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims

1. An information processing method applied to a front-end node includes:

analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information; the terminal identification information is the identification of the terminal equipment initiating the connection, and the terminal identification information is embedded into the network flow data of the terminal equipment initiating the connection;

if the local network link is abnormal, sending abnormal information to a back-end processing node, wherein the abnormal information comprises the terminal identification information; and the back-end processing node processes the plurality of abnormal information by using the terminal identification information in the plurality of abnormal information sent by the plurality of front-end nodes.

2. The information processing method according to claim 1, wherein the terminal identification information includes: terminal equipment information and/or a data stream unique value;

analyzing the network flow data to obtain terminal identification information corresponding to the quintuple information, wherein the method comprises the following steps:

and analyzing in a predetermined field of the network flow data to obtain the terminal equipment information and/or the data flow unique value corresponding to the quintuple information.

3. An information processing method applied to a back-end processing node, comprising:

4. The information processing method according to claim 3, wherein the determining, by using N pieces of terminal identification information corresponding to the N pieces of abnormal information, a plurality of pieces of abnormal information belonging to the same data flow includes:

and in the N pieces of abnormal information, using the abnormal information of which the similarity between the terminal identification information is greater than or equal to a preset threshold value as a plurality of pieces of abnormal information belonging to the same data flow.

5. The information processing method according to claim 4, wherein the determining abnormal device information using the plurality of abnormal information includes:

sorting the plurality of abnormal information based on time information corresponding to the plurality of abnormal information;

and determining the abnormal equipment information according to the terminal identification information corresponding to each piece of sequenced abnormal information.

6. An information processing method, applied to a terminal node, includes:

responding to the acquired instruction information to form data to be sent;

forming terminal identification information, and writing the terminal identification information into the data to be sent to form a data stream;

7. The information processing method according to claim 6, wherein the terminal identification information includes: terminal equipment information and/or a data stream unique value;

the forming terminal identification information and writing the terminal identification information into the data to be sent to form a data stream includes:

acquiring local terminal equipment information, and forming a data stream unique value corresponding to the data to be sent after the terminal node and the target terminal node communicate for the first time;

and writing the terminal equipment information and/or the data stream unique value into a preset field of the data to be sent to form the data stream.

8. An information processing method applied to a back-end processing node, comprising:

determining a plurality of abnormal information belonging to the same data stream by using N pieces of terminal identification information corresponding to the N pieces of abnormal information; wherein, each terminal identification information is the identification of the corresponding terminal equipment initiating the connection;

9. An information processing method applied to a front-end node includes:

if the network flow data is abnormal, determining terminal identification information in a first mapping table based on the quintuple information corresponding to the network flow data; the first mapping table comprises mapping relation information of a plurality of pieces of terminal identification information and a plurality of pieces of quintuple information;

the terminal identification information is sent to a terminal node, and the terminal node determines abnormal terminal information in a second mapping table according to the terminal identification information; the second mapping table includes mapping relationship information between the terminal identification information and a plurality of terminal attribute information.

10. An information processing apparatus, applied to a front-end node, comprising:

11. An information processing apparatus, applied to a back-end processing node, comprising:

and the processing unit is used for determining the abnormal equipment information by utilizing the plurality of abnormal information.

12. An information processing apparatus, applied to a terminal node, comprising:

13. An information processing apparatus, applied to a back-end processing node, comprising:

14. An information processing apparatus, applied to a front-end node, comprising:

a third determining unit, configured to determine, if the network flow data is abnormal, terminal identifier information in a first mapping table based on the quintuple information corresponding to the network flow data; the first mapping table comprises mapping relation information of a plurality of pieces of terminal identification information and a plurality of pieces of quintuple information;

15. An information processing apparatus comprising a memory and a processor, the memory storing a computer program operable on the processor, the processor implementing the steps of the method of any one of claims 1 or 2, 3 to 5, 6 or 7, 8, 9 when executing the program.

16. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 or 2, 3 to 5, 6 or 7, 8, 9.