CN115333843A - Information security system and information security data processing method - Google Patents


Info

Publication number
CN115333843A
Authority
CN
China
Prior art keywords
data
cache
information security
node
module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210983071.2A
Other languages
Chinese (zh)
Inventor
周爻
冯嵩
商彦明
丁桥
官向民
花雷
汤凌
张慷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425  Traffic logging, e.g. anomaly detection

Abstract

The application discloses an information security system and a method for processing information security data. The system includes a log acquisition module, a cache data acquisition module, a data analysis processing module and a control module. The log acquisition module acquires information security data from the logs of an edge node. The cache data acquisition module is arranged on a cache node of the content distribution network, takes a snapshot of the cache data on that node at any moment, and acquires information security data from the cache data. The data analysis processing module transmits the information security data acquired by the log acquisition module and the cache data acquisition module to the control module, and transmits interception instructions issued by the control module back to the two acquisition modules. The control module is at least used for sending interception instructions to the data analysis processing module. The method and the system solve the technical problem that the traditional information security data acquisition method has low processing efficiency because of excessive acquisition.

Description

Information security system and information security data processing method
Technical Field
The application relates to the technical field of emerging information, in particular to an information security system and a processing method of information security data.
Background
In a traditional IDC/ISP information security management system, information security data is acquired as follows (hereinafter referred to as the optical-splitting and DPI-based security data acquisition method): 1. a splitting (optical tap) device is deployed beside the network outlet device of each CDN service node to obtain the full volume of CDN service data packets; 2. Deep Packet Inspection (DPI) retrieves and filters the information security basic data from the split full traffic and reports it to the CDN information security system control center.
In the full CDN traffic, most of the traffic is user traffic accelerated by the CDN, such as video streams, files and pictures, and filtering the information security basic data out of that user traffic requires optical splitting and deep packet inspection of the entire traffic. Because total traffic data outweighs basic security data by a ratio of 1000 to one, with the share of security data sometimes even lower, the traditional security data acquisition method suffers from serious over-acquisition, low handling efficiency and a poor input-output ratio.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the application provide an information security system and a method for processing information security data, which at least solve the technical problem that the traditional method of acquiring information security data has low processing efficiency because of excessive acquisition.
According to one aspect of an embodiment of the present application, an information security system is provided that includes a log acquisition module, a cache data acquisition module, a data analysis processing module and a control module. The log acquisition module is deployed on an edge node of a content distribution network and acquires information security data from the logs of the edge node. The cache data acquisition module is arranged on a cache node of the content distribution network, takes a snapshot of the cache data on that node at any moment, and acquires information security data from the cache data. The data analysis processing module transmits the information security data acquired by the log acquisition module and the cache data acquisition module to the control module, and transmits interception instructions issued by the control module to the log acquisition module and the cache data acquisition module, where an interception instruction is used to intercept data of a target type within the information security data. The control module is at least used for sending interception instructions to the data analysis processing module.
Optionally, the log collection module obtains the information security data from the logs of the edge node as follows: it acquires a service log from the edge node through a network file transfer protocol, converts the information in the service log into a target format, and filters the converted service log to obtain the information security data.
Optionally, the log collection module is further configured to support the following data merging modes: merging by timestamp, merging by source IP address, merging by domain name, and merging by edge node IP address.
Optionally, when receiving the interception instruction issued by the data analysis processing module, the log acquisition module distributes the interception instruction to the edge node, and the log acquisition module supports the following interception modes: intercepting according to the IP address of the edge node, intercepting according to the domain name, intercepting according to the request URL and intercepting according to the source IP address.
Optionally, the cache data collecting module supports snapshots in one of the following modes: global full data snapshots, incremental data snapshots based on querying any time period, user-based data snapshots, domain-name-based data snapshots, source-IP-address-based data snapshots, and data snapshots based on the IP address of edge nodes.
Optionally, the cache data acquisition module is further configured to support the following data filtering modes: filtering by timestamp, filtering by source IP address, filtering by domain name, and filtering by IP address of edge node.
Optionally, when receiving an interception instruction issued by the data analysis processing module, the cache data acquisition module distributes the interception instruction to the cache node, and it supports the following interception modes: intercepting the node corresponding to a domain name according to the domain name, intercepting the node corresponding to a URL according to the request URL, and intercepting the node corresponding to a source IP address according to the source IP address.
Optionally, before the data analysis processing module forwards the information security data to the control module, the data analysis processing module is further configured to: summarizing the information security data according to a target format; classifying the summarized information security data according to the data type and the event type; and associating the data belonging to the same domain name, the same client name and the same service request in the information security data to obtain the target information security data.
Optionally, the data analysis processing module forwards an interception instruction issued by the control module to the log acquisition module and the cache data acquisition module as follows: it receives the interception instruction issued by the control module; retrieves the target node involved in the interception instruction, where the target node comprises at least one of an edge node and a cache node; and forwards the instruction to the log acquisition module or cache data acquisition module corresponding to that target node.
Optionally, the data analysis processing module is further configured to receive a feedback result of the log acquisition module and the cache data acquisition module, where the feedback result is a result of the target node executing the interception instruction, and the feedback result includes data remaining after the target node executes the interception instruction.
According to another aspect of the embodiments of the present application, there is also provided a method for processing information security data, including: obtaining information security data from the edge nodes of the content distribution network and the cache space of the cache nodes; sending the information security data to control center equipment; receiving an interception instruction issued by the control center equipment according to the information security data, wherein the interception instruction is used for intercepting target type data in the information security data; determining a target node involved in the interception instruction, wherein the target node comprises at least one of the following: caching nodes and edge nodes; and informing the target node to execute the interception instruction, and receiving data of the target node after the interception instruction is executed.
Optionally, the sending the information security data to the control center device includes: after the information security data are gathered according to the target format, the information security data belonging to the same domain name, the same client name and the same service request are associated to obtain target information security data; and sending the target information security data to the control center equipment.
In the embodiments of the application, CDN information security data are acquired from the CDN logs of edge nodes and from the cache data of cache nodes in the CDN system. Once the data acquired from the cache are integrated with those acquired from the CDN logs, the information security data of the CDN system are fully covered. The acquisition ends forward the data uniformly to the data analysis processing module, which summarizes, merges and correlates them before passing them to the control module of the CDN information security system. This reduces the amount of raw CDN data that must be processed, achieves the technical effect of saving resources, and solves the technical problem that the conventional information security data acquisition method has low processing efficiency because of excessive acquisition.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of a conventional information security data collection method according to an embodiment of the present application;
FIG. 2 is a block diagram of an information security system according to an embodiment of the present application;
FIG. 3a is a schematic diagram of a trust and security data acquisition method based on CDN cache and logs according to an embodiment of the present application;
FIG. 3b is a functional block diagram of a log collection module according to an embodiment of the present disclosure;
FIG. 3c is a schematic functional structure diagram of a cache data acquisition module according to an embodiment of the present application;
FIG. 3d is a functional block diagram of a data analysis processing module according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a CDN trust and security data collection mode of a distributed architecture in an existing network environment according to an embodiment of the present application;
FIG. 5 is a flowchart of a method for processing information security data according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Because a CDN accelerates content through global (regional or national) caching, content is distributed dynamically, which makes tracing and locating it difficult, makes abnormal information hard to monitor and handle, and leaves CDN services outside the coverage of the technical means of existing IDC/ISP information security management systems.
The CDN information security management system constructed by the CDN service operator should have the functions of basic data management, information security management, access log management, service state monitoring, and the like, so as to meet the information security management requirements of the CDN service operator and the management department.
The main functional requirements of the CDN trust and security management system are as follows:
1) Basic data management
Local management of basic data: including business entity information, customer information, node information, accelerated domain name service information, etc.
Reporting and checking of basic data: after basic data such as business entity information and customer information has been checked, the updated information is reported automatically to the information management system (updated data must be reported within 10 minutes after the basic data is updated).
Basic data query: in response to a basic data query instruction issued by the superior management department, the system searches its local records and reports the related information.
2) Active resource monitoring: the data links through which the CDN provides public information services are monitored in full, producing a service state monitoring record that is reported to the superior management department every day.
3) Information security management: the system receives the abnormal website list and the abnormal information monitoring/filtering instructions issued by the superior management department, generates the corresponding abnormal network and information monitoring/filtering records (locally) for each valid instruction, and reports them to the superior management department in real time or periodically (at intervals of no more than 2 hours).
4) Access log management: the system completely records and counts access information based on the successful access behavior of external users to the internet content accelerated by the CDN, forming an access log. When the conditions for a query instruction issued by the information security system are met, the log is reported as required (the relevant access log must be effectively queryable within 2 hours after the user access behavior occurs).
FIG. 1 is a schematic diagram of a conventional method for acquiring information security data according to an embodiment of the present application. As shown in FIG. 1, the conventional method is a bandwidth-coverage approach: an optical splitter is deployed at the network exit side of each CDN service node (a CDN service node comprising at least a CDN cache transit node and a CDN edge node) to obtain the total CDN service data, which includes both service traffic data and security data, and DPI is used to retrieve and filter the information security basic data (hereinafter, security data) from the split total service traffic and report it to the CDN security system; the security data accounts for only 0.3% of the total data. The CDN security system stores the security data uniformly, performs format translation and reports the information security data to the CDN security monitoring system. When the CDN security system receives a blocking/detection instruction from a higher management department, it extracts the URL or domain name and keyword that need blocking/monitoring, translates the instruction, queries the CDN nodes involved, sends the blocking instruction to the corresponding CDN outlet switch, and returns the execution result to the CDN security system. The traditional method has the disadvantage that the full service traffic contains a large amount of service traffic such as video streams, files and pictures; filtering the information security data out of that service traffic requires optical splitting and deep packet inspection of the full service traffic, so the input-output ratio is not high.
According to the requirements of information management, when the matching trust and security construction of a multi-node, high-capacity CDN system (whole-network distribution capacity above Tbps or even 10 Tbps) is carried out, the construction cost of the traditional trust and security data acquisition means rises sharply with the scale and the number of nodes of the CDN system. How to effectively reduce the overall construction cost of the CDN trust and security system while meeting the requirements of CDN compliance supervision is therefore a practical problem in the operation of CDN service providers. To solve the above problems, embodiments of the present application provide corresponding solutions, which are described in detail below.
FIG. 2 is a block diagram of an information security system according to an embodiment of the present application. As shown in FIG. 2, the system includes a log acquisition module 202, a cache data acquisition module 204, a data analysis processing module 206 and a control module 208. The log acquisition module is deployed on an edge node of a content distribution network and acquires information security data from the logs of the edge node. The cache data acquisition module is arranged on a cache node of the content distribution network, takes a snapshot of the cache data on that node at any moment, and acquires information security data from the cache data. The data analysis processing module transmits the information security data acquired by the log acquisition module and the cache data acquisition module to the control module, and transmits interception instructions issued by the control module to the log acquisition module and the cache data acquisition module, where an interception instruction is used to intercept data of a target type within the information security data. The control module is at least used for sending interception instructions to the data analysis processing module.
In this embodiment of the application, the method may be implemented, for example, as in the schematic diagram of the trust and security data acquisition method based on CDN cache and logs shown in FIG. 3a: a CDN log acquisition module is deployed on each CDN content edge node and supports distributed deployment; it acquires the original service log from the CDN node either through a log API interface adapted to the CDN system or through network file transfer protocols such as ftp, rsync and nfs, and performs format translation and filtering to obtain the original trust and security data.
The cache data acquisition module supplements the information gathered by the log acquisition module. It is deployed on the first-level and second-level cache nodes of the CDN system, supports distributed deployment, and, by adapting to the cache API interface of the CDN system, takes a snapshot of the basic information on a cache node at a given moment to obtain trust and security data. Although the service data in the cache (video streams, pictures, files, etc.) changes very frequently, the security data (domain name, url, ip, etc.) changes far less often, so a snapshot at a fixed interval (such as 30 seconds) essentially keeps the security system in sync with the live CDN network. Adjusting the collection frequency and interval of the collection module balances the timeliness of the information and security data against the additional system overhead the module imposes.
After the two modules respectively acquire original information and security data, processing the data into information and security data in a target format, and reporting the information and security data to an information and security data analysis processing module; the trust and security data analysis processing module is in a centralized deployment mode and is responsible for data summarization, merging and association, and then reports the data to a CDN trust and security system control center in an API mode, wherein the control center is equivalent to a control module in the embodiment of the application. The latter further implements subsequent operation processing (data reporting, bad information alarming, domain name blocking instruction issuing, etc.).
In the information security system, when the log collection module obtains the information security data from the log of the edge node, the following steps are performed: acquiring a service log from an edge node through a network file transfer protocol; and converting the information in the service log into a target format, and filtering the service log converted into the target format to obtain the information security data.
In the information security system, the log collection module is further configured to support a merging mode of the following data: merge according to timestamp, merge according to source IP address, merge according to domain name, and merge according to IP address of edge node.
In the information security system, when receiving an interception instruction issued by the data analysis processing module, the log acquisition module distributes the interception instruction to the edge node, and the log acquisition module supports the following interception modes: intercepting according to the IP address of the edge node, intercepting according to the domain name, intercepting according to the request URL and intercepting according to the source IP address.
In this embodiment of the present application, the log collection module may be as shown in fig. 3b, and in fig. 3b, the CDN log collection module mainly implements the following functions: log reading, format translation, data filtering and merging, and executing a blocking processing instruction, wherein the blocking processing instruction can also be called an interception instruction.
1) Log reading
Content items in the CDN original service log file are read directly through an API log interface adapted to the CDN system;
alternatively, network file transfer protocols such as ftp, rsync and nfs are supported to obtain the CDN original service log file from the CDN edge node.
2) Format translation: if the log file is an original log file obtained through a network file transfer protocol, its format needs to be translated, and the entries containing CDN trust and security basic information need to be filtered and selected.
In an actual converged CDN scenario, the original service log formats of different CDN operators differ, and format translation arranges the information in a log file uniformly into the following format:
Log field                Meaning of the field
$remote_addr             Client IP
$remote_user             User name of HTTP Auth
$time_local              Time of access
$request_method          Access type (e.g. GET)
$scheme                  Application protocol
$http_host               Accessed domain name
$uri                     Request URI
$querystring             Request parameters
$server_protocol         HTTP protocol version
$status                  Return status code
$bodybytessent           Number of bytes sent
$http_referer            Request source (referrer)
$httpuseragent           Client information
$content_type            Content type
$requestcontentlength    Content size of the client's request to the server
$cache_hit               Whether the CDN cache was hit
$source_code             Source station return status code
$is_dynamic              Whether the request is dynamic
$cache_control           Cache-control header information
$request_time            Request handling time
$edgeserverip            CDN edge node IP
3) Data filtering and merging: the above information yields, for each user access record, an information security data record containing the preset requirements, the preset requirements being those of the superior management department. However, the data contains a great deal of duplicate information, and the exceptions to be considered include: a large number of repeated requests sent when a user's client is abnormal, and repeated accesses at different moments; repeatedly transmitted information caused by network jitter between nodes inside the CDN; failed access requests when the CDN system is under abnormal network attack; and other non-value information, such as information irrelevant or of no value to CDN trust data. In addition, besides the trust security basic data, current log data also contains a large amount of auxiliary information irrelevant to trust security, which must be filtered out.
For the reasons described above, further filtering and merging deduplication of the data is needed. The CDN log collection module needs to support the following functions: support merging by timestamp; support merging by source IP; support merging by domain name; per-node IP merging is supported.
After the data filtering and merging are completed, the data can be further reduced into the following format, and duplicate record deduplication is completed:
(The reduced format is given in the original as two table images, BDA0003800975960000071 and BDA0003800975960000081, whose contents are not reproduced in the text.)
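The translation, filtering and merging steps above, as an added example that is not code from the patent or from China Telecom's system. It assumes a constructed nginx-style raw access-log layout, maps each line onto the field names of the table above (without the leading `$`), keeps an assumed security-relevant subset of those fields, drops failed requests (an assumption in line with the access-log requirement, which counts successful accesses), and merges duplicates by any combination of the four merge keys the text names: timestamp, source IP, domain name and edge node IP.

```python
"""Log translation, security-field filtering and key-based merging for a CDN
access log. Added example; the raw layout, the security-field subset and the
'drop failed requests' rule are assumptions, not the patent's own code."""
import re

# Constructed raw access-log lines in an assumed layout:
#   edge_ip client_ip [time] "METHOD scheme://host/uri?query PROTO" status bytes "referer" "ua" HIT|MISS
# Lines 1 and 2 are an exact client retry, line 3 the same access a few seconds
# later, line 4 a failed request, line 5 a normal access to a second domain.
RAW_LOG = """\
10.0.0.1 203.0.113.5 [16/Aug/2022:10:00:01 +0800] "GET https://cdn.example.com/video/a.mp4?seg=1 HTTP/1.1" 200 512000 "-" "Mozilla/5.0" HIT
10.0.0.1 203.0.113.5 [16/Aug/2022:10:00:01 +0800] "GET https://cdn.example.com/video/a.mp4?seg=1 HTTP/1.1" 200 512000 "-" "Mozilla/5.0" HIT
10.0.0.1 203.0.113.5 [16/Aug/2022:10:00:07 +0800] "GET https://cdn.example.com/video/a.mp4?seg=1 HTTP/1.1" 200 512000 "-" "Mozilla/5.0" HIT
10.0.0.2 198.51.100.9 [16/Aug/2022:10:00:09 +0800] "GET https://img.example.org/p/x.png HTTP/1.1" 404 0 "-" "curl/7.68.0" MISS
10.0.0.2 198.51.100.9 [16/Aug/2022:10:00:10 +0800] "GET https://img.example.org/p/y.png HTTP/1.1" 200 2048 "https://ref.example/" "curl/7.68.0" MISS
"""

# Group names follow the target-format field table (without the leading '$').
LINE_RE = re.compile(
    r'^(?P<edgeserverip>\S+) (?P<remote_addr>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request_method>\S+) (?P<scheme>https?)://(?P<http_host>[^/\s]+)'
    r'(?P<uri>[^?\s]*)(?:\?(?P<querystring>\S*))? (?P<server_protocol>\S+)" '
    r'(?P<status>\d{3}) (?P<bodybytessent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<httpuseragent>[^"]*)" (?P<cache_hit>HIT|MISS)$'
)

# Assumed subset of target-format fields that carries information security
# basic data (who accessed which domain and URL, from which edge, when).
SECURITY_FIELDS = ("time_local", "remote_addr", "http_host", "uri",
                   "querystring", "request_method", "status", "edgeserverip")


def translate(line):
    """Map one raw line onto the target-format field names; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["querystring"] = rec["querystring"] or ""
    rec["status"] = int(rec["status"])
    rec["bodybytessent"] = int(rec["bodybytessent"])
    return rec


def is_security_record(rec):
    """Assumption: only successful accesses (2xx/3xx) form access records;
    failed requests, such as the noise produced under attack, are filtered out."""
    return 200 <= rec["status"] < 400


def to_security_fields(rec):
    """Drop the auxiliary fields and keep the security-relevant subset."""
    return {k: rec[k] for k in SECURITY_FIELDS}


def merge(records, keys):
    """Merge records that agree on the given key fields, counting duplicates.
    keys is any subset of the four merge modes: time_local, remote_addr,
    http_host, edgeserverip."""
    merged = {}
    for rec in records:
        key = tuple(rec[k] for k in keys)
        if key in merged:
            merged[key]["merged_count"] += 1
        else:
            merged[key] = dict(rec, merged_count=1)
    return list(merged.values())


def process(raw_text, merge_keys):
    """Translate, filter and merge a whole raw log text."""
    parsed = (translate(line) for line in raw_text.splitlines() if line.strip())
    secured = [to_security_fields(r) for r in parsed if r and is_security_record(r)]
    return merge(secured, merge_keys)


if __name__ == "__main__":
    for rec in process(RAW_LOG, ("remote_addr", "http_host", "edgeserverip")):
        print(rec["remote_addr"], rec["http_host"], rec["edgeserverip"], "x", rec["merged_count"])
```

Merging by source IP, domain and edge IP collapses the five constructed lines to two records (the retry, the later repeat and the original access become one record with a count of 3); adding the timestamp to the key keeps the later repeat separate, which is the trade-off between the merge modes the text lists.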
4) Executing a blocking (interception) instruction: after receiving a blocking instruction sent by the CDN trust security system, the module notifies the edge node to execute it as required by calling the CDN cache API. Specifically, the log collection module supports blocking by edge node IP, blocking by domain name, blocking by url and blocking by source ip.
In the information security system, the cache data acquisition module supports snapshots in one of the following modes: global full data snapshots, incremental data snapshots based on querying any time period, user-based data snapshots, domain-name-based data snapshots, source-IP-address-based data snapshots, and data snapshots based on the IP address of edge nodes.
In the information security system, the cache data acquisition module is further configured to support the following data filtering modes: filtering by timestamp, filtering by source IP address, filtering by domain name, and filtering by IP address of edge node.
In the information security system, when receiving an interception instruction issued by the data analysis processing module, the cache data acquisition module distributes the interception instruction to the cache node, and the cache data acquisition module supports the following interception modes: intercepting the node corresponding to the domain name according to the domain name, intercepting the node corresponding to the URL according to the request URL, and intercepting the node corresponding to the source IP address.
In the embodiment of the application, since the cache information has a synchronization time difference with the information already stored in the CDN service log, directly collecting the cache node data can be used as effective information supplement for the CDN service log. The cache data acquisition module can perform snapshot acquisition on cache data on a cache node of the CDN system at a certain moment by adapting the API interface of the cache class of the CDN system, and obtain the information security data from the cache data acquisition module.
The cache data acquisition module may also be referred to as a cache information acquisition module, and the cache information acquisition module may be as shown in a schematic diagram in fig. 3c, as shown in fig. 3c, and the main functions of the cache data acquisition module are as follows: snapshot collection, data filtering, execution of a blocking handling instruction (also called an intercept instruction).
1) Snapshot collection: through the cache-class API adapted to the CDN system, snapshots are taken of the content items related to the security data in the CDN cache nodes and CDN edge nodes, and the security data in the cache is collected from them. The cache information acquisition module supports the following snapshot modes: global full-data snapshot; incremental data snapshot for a specified query time period; user-based data snapshot; domain-name-based data snapshot; source-IP-based data snapshot; and edge-node-IP-based data snapshot.
2) Data filtering: across multiple snapshots of one cache node a large amount of data is repeated, so data filtering and deduplication are required. The cache information acquisition module supports the following filtering modes: filtering by timestamp; filtering by user; filtering by source IP; filtering by domain name; and filtering by edge node IP.
3) Executing a blocking instruction: after receiving a blocking instruction issued by the upper layer, the module notifies the cache node to execute it as required by calling the CDN cache API. Specifically, the cache data acquisition module supports the following ways of executing a blocking instruction: single-node blocking by domain name, single-node blocking by URL, single-node blocking by source IP, and global blocking by domain name, which queries all transit nodes and edge nodes related to the domain name and issues the blocking instruction to each of them.
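The snapshot modes and the cross-snapshot deduplication described in 1) and 2) above, as an added example that is not code from the patent. The CDN cache API's real record format is not given on the page, so the `CacheItem` layout and the two cache states `CACHE_AT_T1` and `CACHE_AT_T2` are constructed; the deduplication key (domain, URL, source IP, edge IP) is likewise an assumption.

```python
"""Cache snapshot collection, filtering and deduplication for one CDN cache node.

Added example, not the patent's code: the record layout and the in-memory
cache contents are constructed, since the page does not specify the CDN
cache API's actual format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CacheItem:
    ts: int        # time the item was cached (seconds since epoch, constructed)
    user: str      # CDN customer that owns the domain
    domain: str
    url: str
    src_ip: str    # client whose request populated the cache entry
    edge_ip: str   # edge node that forwarded the request to the cache


# Constructed: cache contents of one second-level cache node at two moments.
CACHE_AT_T1: List[CacheItem] = [
    CacheItem(1000, "cust-a", "a.example", "/index.html", "198.51.100.7", "192.0.2.10"),
    CacheItem(1010, "cust-a", "a.example", "/img/1.png", "198.51.100.7", "192.0.2.10"),
    CacheItem(1020, "cust-b", "b.example", "/login", "203.0.113.5", "192.0.2.11"),
    CacheItem(1030, "cust-b", "b.example", "/login", "203.0.113.9", "192.0.2.11"),
]
CACHE_AT_T2: List[CacheItem] = [
    # /index.html was evicted and re-cached later; /login from .5 was evicted;
    # c.example is new since T1.
    CacheItem(1100, "cust-a", "a.example", "/index.html", "198.51.100.7", "192.0.2.10"),
    CacheItem(1010, "cust-a", "a.example", "/img/1.png", "198.51.100.7", "192.0.2.10"),
    CacheItem(1030, "cust-b", "b.example", "/login", "203.0.113.9", "192.0.2.11"),
    CacheItem(1120, "cust-c", "c.example", "/x", "203.0.113.9", "192.0.2.11"),
]


def snapshot(cache: Iterable[CacheItem], since: Optional[int] = None,
             until: Optional[int] = None, user: Optional[str] = None,
             domain: Optional[str] = None, src_ip: Optional[str] = None,
             edge_ip: Optional[str] = None) -> List[CacheItem]:
    """Take one snapshot of the cache as it is right now.

    No arguments: global full snapshot. since/until: incremental snapshot for
    that time window. user/domain/src_ip/edge_ip: the user-, domain-,
    source-IP- and edge-node-IP-based snapshot modes (they combine as AND).
    """
    out = []
    for item in cache:
        if since is not None and item.ts < since:
            continue
        if until is not None and item.ts > until:
            continue
        if user is not None and item.user != user:
            continue
        if domain is not None and item.domain != domain:
            continue
        if src_ip is not None and item.src_ip != src_ip:
            continue
        if edge_ip is not None and item.edge_ip != edge_ip:
            continue
        out.append(item)
    return out


def merge_snapshots(snapshots: Iterable[List[CacheItem]]) -> List[CacheItem]:
    """Deduplicate repeated snapshots of the same node.

    Snapshots taken at different moments overlap heavily. An item is identified
    by (domain, url, src_ip, edge_ip); when the same item appears in several
    snapshots the earliest time it was seen is kept, so that re-caching does not
    make the security data look newer than it is.
    """
    seen = {}
    for snap in snapshots:
        for item in snap:
            key = (item.domain, item.url, item.src_ip, item.edge_ip)
            if key not in seen or item.ts < seen[key].ts:
                seen[key] = item
    return sorted(seen.values(), key=lambda i: (i.ts, i.domain, i.url))
```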
In the above information security system, before forwarding the information security data to the control module, the data analysis processing module is further configured to: summarize the information security data into a target format; classify the summarized information security data by data type and event type; and associate the data in the information security data that belongs to the same domain name, the same customer name and the same service request, to obtain the target information security data.
In the information security system, the data analysis processing module forwards the interception instruction issued by the control module to the log acquisition module and the cache data acquisition module by the following steps: receiving the interception instruction issued by the control module; retrieving the target node involved in the interception instruction, where the target node comprises at least one of an edge node and a cache node; and forwarding the interception instruction to the log acquisition module and the cache data acquisition module corresponding to the target node.
In the information security system, the data analysis processing module is further configured to receive a feedback result of the log acquisition module and a feedback result of the cache data acquisition module, where the feedback result is a result of the target node executing the interception instruction, and the feedback result includes data remaining after the target node executes the interception instruction.
In the embodiment of the present application, the main functions of the data analysis processing module are: summarizing, merging and associating the basic information security data; and receiving blocking instructions, retrieving the related nodes and issuing the instruction to them in a targeted manner. Specifically, the module may be as shown in the schematic diagram of fig. 3d, by which its functions are explained.
1) Data summarization: the information security data collected by each CDN log acquisition module and each cache information acquisition module is summarized into a uniform format and stored in a database.
2) Data merging: the information security data is labelled and classified by data type and event type.
3) Data association: the information security data from different nodes is associated by domain name, customer name and service request, so that the CDN information security system control center can conveniently view, monitor and manage it.
4) Receiving and issuing blocking instructions: a blocking instruction issued by the CDN information security management system is received, the nodes related to it are retrieved, each node is notified to execute the instruction, and the execution result fed back by each node is received.
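Functions 1) to 3) above (summarize into a uniform format, classify by data type and event type, associate by domain name, customer name and service request) carried through on constructed input, as an added example that is not the patent's code. The vendor log line format, the cache record layout, the `DOMAIN_TO_CUSTOMER` lookup and the status-class event-type rule are all assumptions; the page only states what the module does, not the formats it consumes.

```python
"""Summarize, classify and associate CDN information security data.

Added example, not the patent's code. The vendor log line format, the cache
record layout, the customer lookup table and the event-type rule are
constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed: which CDN customer owns which domain (association uses customer name).
DOMAIN_TO_CUSTOMER = {"a.example": "cust-a", "b.example": "cust-b"}

# Constructed vendor access-log line: ts src_ip edge_ip domain "METHOD /path" status
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src_ip>\S+) (?P<node_ip>\S+) (?P<domain>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample input: edge-node log lines and cache snapshot records.
LOG_LINES = [
    '1000 198.51.100.7 192.0.2.10 a.example "GET /index.html" 200',
    '1020 203.0.113.5 192.0.2.11 b.example "POST /login" 401',
    '1025 203.0.113.5 192.0.2.11 b.example "POST /login" 503',
]
CACHE_ITEMS = [
    {"ts": 1021, "domain": "b.example", "url": "/login", "src_ip": "203.0.113.5", "cache_ip": "192.0.2.20"},
    {"ts": 1010, "domain": "a.example", "url": "/img/1.png", "src_ip": "198.51.100.7", "cache_ip": "192.0.2.20"},
]


@dataclass(frozen=True)
class SecurityRecord:
    """The uniform (target) format every source is translated into."""
    data_type: str   # "log" (edge node) or "cache" (cache node)
    event_type: str  # label assigned during merging/classification
    ts: int
    domain: str
    customer: str
    request: str     # the service request (URL path) used for association
    method: str
    src_ip: str
    node_ip: str


def classify_status(status: int) -> str:
    """Constructed event-type rule: label log records by HTTP status class."""
    if status >= 500:
        return "server_error"
    if status >= 400:
        return "client_error"
    return "normal"


def from_log_line(line: str) -> SecurityRecord:
    """Translate one vendor log line into the uniform format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return SecurityRecord(
        data_type="log", event_type=classify_status(int(m["status"])),
        ts=int(m["ts"]), domain=m["domain"],
        customer=DOMAIN_TO_CUSTOMER.get(m["domain"], "unknown"),
        request=m["path"], method=m["method"], src_ip=m["src_ip"], node_ip=m["node_ip"])


def from_cache_item(item: dict) -> SecurityRecord:
    """Translate one cache snapshot record (constructed dict layout)."""
    return SecurityRecord(
        data_type="cache", event_type="cached_content", ts=int(item["ts"]),
        domain=item["domain"], customer=DOMAIN_TO_CUSTOMER.get(item["domain"], "unknown"),
        request=item["url"], method="", src_ip=item["src_ip"], node_ip=item["cache_ip"])


def summarize(log_lines: Iterable[str], cache_items: Iterable[dict]) -> List[SecurityRecord]:
    """Step 1 (data summarization): everything in one format, ordered by time.
    Step 2 (merging) is the event_type label each translator assigns."""
    records = [from_log_line(l) for l in log_lines] + [from_cache_item(c) for c in cache_items]
    return sorted(records, key=lambda r: (r.ts, r.data_type))


def associate(records: Iterable[SecurityRecord]) -> Dict[Tuple[str, str, str], List[SecurityRecord]]:
    """Step 3 (data association): group by (domain, customer, service request)
    so that a log event and the cached content it produced are seen together."""
    groups: Dict[Tuple[str, str, str], List[SecurityRecord]] = defaultdict(list)
    for r in records:
        groups[(r.domain, r.customer, r.request)].append(r)
    return dict(groups)
```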
In the embodiment of the application, the CDN logs of the edge nodes and the cache data of the cache nodes are acquired and then analyzed and processed to obtain the CDN information security data; in a CDN service system the security data is distributed between the CDN service log and the CDN cache. The embodiment is divided into a data acquisition end and a data processing end, and the information security basic data acquisition end is in turn divided into a CDN log acquisition module and a cache data acquisition module according to the different positions and mechanisms of the collection points, so that real-time coverage of the CDN system's information security data is achieved.
The CDN log acquisition module is deployed at each CDN edge node and is responsible for collecting the CDN service logs on the edge node, translating and filtering their formats, and obtaining the information security data of the edge node from those logs. However, the CDN cache also holds hotspot data that has not been written to the CDN service log. Therefore the cache data acquisition modules deployed at the first-level and second-level cache nodes of the CDN system are responsible for interacting with the CDN cache in real time and collecting the security data in it. Integrating the information security data obtained from the cache with that obtained from the CDN log gives complete information security coverage of the CDN system. Once the acquisition end has collected the basic information security data, it is transmitted uniformly to the information security data analysis processing module, which summarizes, merges and associates it and then transmits it to the CDN information security system control center.
Compared with the traditional method of acquiring information security data by optical splitting and DPI, the volume of raw data to be processed in the embodiment of the application (the CDN service log) is reduced by more than 99% relative to the traditional method (the full service traffic, including video, large files, pictures and so on). The reason is that the CDN log volume generated per unit time is about 1% of the full CDN service traffic: the traditional method must filter, screen and process the full service traffic, whereas this application only needs to filter, screen and process the CDN service log. With the bulk of the service traffic excluded, the amount of raw CDN service platform data that the whole information security system must process is greatly reduced.
In terms of the construction cost of the information security system, the application (log coverage mode) spends less on system and hardware resources than the traditional information security method: each information security server can handle the information security data filtering for 100G-200G of CDN service traffic (depending on the users' application types), which greatly reduces the construction cost of the CDN information security platform at the acquisition end. The construction costs are compared as follows:
[Table image: construction cost comparison between the log coverage mode and the traditional method; not reproduced in text]
In addition, when an information security blocking instruction is implemented, the method and system can precisely locate the involved server, whereas the traditional method can locate only the involved physical equipment room; this is friendlier to the operation of the CDN platform's production network.
In the production environment of an existing CDN network, fig. 4 shows a schematic diagram of the distributed-architecture CDN information security data acquisition mode in the existing network environment, taking the two regions of Shanghai and Zhejiang as an example. The CDN system as a whole is a multi-level architecture (transit nodes and edge nodes) and is usually deployed in a distributed manner: the CDN nodes sit in multiple physical equipment rooms and communicate with each other over the internet. In addition, driven by the business needs of CDN operators, the CDN system is basically a converged architecture, that is, a self-built platform must converge with other CDN operators' platforms, adapting to them in three areas: main functions (content delivery, content pre-warming, and so on), charging, and information security, so that service delivery is implemented for customers as a whole. Under the converged architecture, the physical architecture, system implementation, log format, etc. differ for each CDN operator.
In implementing information security coverage, a CDN log acquisition module must first be deployed at each CDN edge node. For CDN platforms of different vendors and heterogeneous physical architectures, CDN logs can be obtained by customizing the module, through a log API, or through the network file transfer protocols the platform allows to be opened, such as ftp, rsync and nfs.
Raw CDN logs from different sources may still differ in data format, so the CDN log acquisition module must translate the security data from the different sources into a unified data format before reporting it to the CDN information security management system, where the CDN log acquisition system stores it in a unified manner.
The CDN log acquisition module supports distributed deployment, and the module and its associated CDN nodes (edge or transit nodes) may be in a 1:N relationship, i.e. one module collects the logs of multiple CDN nodes (of the same system) simultaneously. In this mode the whole CDN information security system can scale out without limit as the service delivery capacity of the CDN service system expands, with no capacity limit on information security management.
The cache data acquisition module is deployed one per transit node, is not limited by region, and does not increase the traffic load on the network egress equipment.
When a blocking instruction for an abnormal website is received, the information security log analysis module first receives the instruction forwarded by the CDN information security control center, retrieves all involved nodes, and then issues the instruction to the CDN log acquisition module and the cache data acquisition module respectively, these two modules being the final execution terminals. In this mode the abnormal-website handling instruction can be issued onward to the CDN service system through the API adapted to that system, which speeds up handling and eliminates unnecessary manual review and configuration steps.
Fig. 5 is a flowchart of a method for processing information security data according to an embodiment of the present application, and as shown in fig. 5, the method includes:
step S502, obtaining information security data from the edge nodes of the content distribution network and the cache space of the cache nodes;
step S504, sending the information security data to the control center equipment;
step S506, receiving an interception instruction issued by the control center equipment according to the information security data, wherein the interception instruction is used for intercepting target type data in the information security data;
step S508, determining a target node involved in the interception instruction, wherein the target node comprises at least one of the following: a cache node and an edge node;
step S510, notifying the target node to execute the interception instruction, and receiving data of the target node after executing the interception instruction.
In step S504 of the method for processing information security data, sending the information security data to the control center equipment specifically comprises the following steps: after the information security data is summarized into the target format, the information security data belonging to the same domain name, the same customer name and the same service request is associated to obtain the target information security data; and the target information security data is sent to the control center equipment.
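Steps S506 to S510 above (receive the interception instruction, determine the involved cache and edge nodes, notify them and collect the data remaining after execution), as an added example that is not the patent's code. The node registry, the per-node record store, the `Instruction` shape and the in-process stand-ins for the CDN log API and CDN cache API calls are constructed; the page specifies the flow, not the interfaces.

```python
"""Interception (blocking) instruction dispatch for the data analysis module.

Added example, not the patent's code. The node registry, the per-node record
store and the in-process 'adapters' that stand in for the CDN log API and the
CDN cache API are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Node:
    node_id: str
    kind: str                                          # "edge" or "cache"
    records: List[dict] = field(default_factory=list)  # security data held on the node


@dataclass(frozen=True)
class Instruction:
    match_by: str            # "domain", "url" or "src_ip" (the page's interception modes)
    value: str
    scope: str = "single"    # "single": the named node only; "global": every node involved
    node_id: str = ""        # required when scope == "single"


def record_matches(rec: dict, instr: Instruction) -> bool:
    """Does one security record fall under the target type the instruction names?"""
    if instr.match_by == "domain":
        return rec["domain"] == instr.value
    if instr.match_by == "url":
        u = urlsplit(instr.value)
        return rec["domain"] == u.netloc and rec["path"] == u.path
    if instr.match_by == "src_ip":
        return rec["src_ip"] == instr.value
    raise ValueError(f"unknown interception mode {instr.match_by!r}")


def retrieve_target_nodes(instr: Instruction, registry: Dict[str, Node]) -> List[Node]:
    """Step S508: the cache and/or edge nodes involved in the instruction."""
    if instr.scope == "single":
        return [registry[instr.node_id]]
    # global: every transit/cache and edge node currently holding matching data
    return [n for n in registry.values() if any(record_matches(r, instr) for r in n.records)]


def execute_on_node(node: Node, instr: Instruction) -> dict:
    """Stand-in for the log-module (edge) or cache-module (cache) API call on one node.

    Returns the node's feedback result: how many records were intercepted and
    the data remaining on the node afterwards, as step S510 requires.
    """
    kept = [r for r in node.records if not record_matches(r, instr)]
    intercepted = len(node.records) - len(kept)
    node.records = kept
    return {"node_id": node.node_id,
            "module": "log" if node.kind == "edge" else "cache",
            "intercepted": intercepted, "remaining": kept}


def dispatch(instr: Instruction, registry: Dict[str, Node]) -> List[dict]:
    """Steps S508-S510: retrieve the targets, notify each, collect the feedback."""
    return [execute_on_node(n, instr) for n in retrieve_target_nodes(instr, registry)]


def sample_registry() -> Dict[str, Node]:
    """Constructed sample: two edge nodes and one cache node with overlapping data."""
    return {
        "edge-1": Node("edge-1", "edge", [
            {"domain": "a.example", "path": "/index.html", "src_ip": "198.51.100.7"},
            {"domain": "b.example", "path": "/login", "src_ip": "203.0.113.5"},
            {"domain": "b.example", "path": "/admin", "src_ip": "203.0.113.9"}]),
        "cache-1": Node("cache-1", "cache", [
            {"domain": "b.example", "path": "/login", "src_ip": "203.0.113.5"},
            {"domain": "a.example", "path": "/img/1.png", "src_ip": "198.51.100.7"}]),
        "edge-2": Node("edge-2", "edge", [
            {"domain": "a.example", "path": "/index.html", "src_ip": "203.0.113.9"}]),
    }
```

A global instruction reaches only the nodes that actually hold matching data, which is the page's point that the involved server, not just the equipment room, is located.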
It should be noted that the method for processing the information security data shown in fig. 5 can be applied to the information security system shown in fig. 2, and therefore the explanation in the above information security system is also applicable to the method for processing the information security data, and is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description, and do not represent the advantages and disadvantages of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or may not be executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of it, may be embodied in a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The storage medium includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (12)

1. An information security system, comprising: a log acquisition module, a cache data acquisition module, a data analysis processing module and a control module, wherein,
the log acquisition module is deployed on an edge node of a content distribution network and used for acquiring information security data from a log of the edge node;
the cache data acquisition module is deployed on a cache node of the content distribution network and used for taking a snapshot of the cache data on the cache node at any moment and acquiring information security data from the cache data;
the data analysis processing module is used for forwarding the information security data acquired by the log acquisition module and the cache data acquisition module to the control module and forwarding an interception instruction issued by the control module to the log acquisition module and the cache data acquisition module, wherein the interception instruction is used for intercepting target type data in the information security data;
the control module is at least used for sending the interception instruction to the data analysis processing module.
2. The system of claim 1, wherein the log acquisition module obtains the information security data from the log of the edge node by:
acquiring a service log from the edge node through a network file transfer protocol;
and converting the information in the service log into a target format, and filtering the service log converted into the target format to obtain the information security data.
3. The system of claim 2, wherein the log acquisition module is further configured to support the following merging modes: merging by timestamp, merging by source IP address, merging by domain name and merging by IP address of the edge node.
4. The system according to claim 3, wherein the log collection module distributes the interception instruction to the edge node when receiving the interception instruction issued by the data analysis processing module, and the log collection module supports the following interception modes: intercepting according to the IP address of the edge node, intercepting according to the domain name, intercepting according to the request URL and intercepting according to the source IP address.
5. The system of claim 1, wherein the cache data acquisition module supports one of the following snapshot modes: a global full-data snapshot, an incremental data snapshot for any queried time period, a user-based data snapshot, a domain-name-based data snapshot, a source-IP-address-based data snapshot and an edge-node-IP-address-based data snapshot.
6. The system of claim 1, wherein the cache data collection module is further configured to support the following data filtering modes: filtering according to a timestamp, filtering according to a source IP address, filtering according to a domain name, and filtering according to an IP address of the edge node.
7. The system of claim 6, wherein the cache data acquisition module distributes the interception instruction to the cache node when it receives the interception instruction issued by the data analysis processing module, and the cache data acquisition module supports the following interception modes: intercepting the node that serves a given domain name, intercepting the node that serves a given request URL, and intercepting the node associated with a given source IP address.
8. The system of claim 1, wherein before the data analysis processing module forwards the information security data to the control module, the data analysis processing module is further configured to:
summarizing the information security data according to a target format;
classifying the summarized information security data according to the data type and the event type;
and associating the data belonging to the same domain name, the same client name and the same service request in the information security data to obtain target information security data.
9. The system of claim 1, wherein the data analysis processing module forwards the interception instruction issued by the control module to the log acquisition module and the cache data acquisition module as follows:
receiving the interception instruction issued by the control module;
retrieving a target node involved in the intercept instruction, wherein the target node comprises at least one of: the edge node and the cache node;
and forwarding the interception instruction to the log acquisition module and the cache data acquisition module corresponding to the target node.
10. The system according to claim 9, wherein the data analysis processing module is further configured to receive feedback results of the log collection module and the cache data collection module, where the feedback results are results of the target node executing the interception instruction, and the feedback results include data remaining after the target node executes the interception instruction.
11. A method for processing information security data, comprising the following steps:
obtaining information security data from the edge nodes of the content distribution network and the cache space of the cache nodes;
sending the information security data to control center equipment;
receiving an interception instruction issued by the control center equipment according to the information security data, wherein the interception instruction is used for intercepting target type data in the information security data;
determining a target node involved in the intercept instruction, wherein the target node comprises at least one of: the cache node and the edge node;
and informing the target node to execute the interception instruction, and receiving data of the target node after the target node executes the interception instruction.
12. The method of claim 11, wherein transmitting the information security data to a control center device comprises:
after the information security data is summarized into a target format, associating the information security data belonging to the same domain name, the same client name and the same service request to obtain target information security data;
and sending the target information security data to the control center equipment.
CN202210983071.2A 2022-08-16 2022-08-16 Information security system and information security data processing method Pending CN115333843A (en)

Publications (1)

Publication Number Publication Date
CN115333843A true CN115333843A (en) 2022-11-11

Family

ID=83923640

Country Status (1)

Country Link
CN (1) CN115333843A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination