CN115484039A - Security protection method and device, computer readable medium and electronic equipment - Google Patents


Info

Publication number
CN115484039A
Authority
CN
China
Prior art keywords
request
unit
resource access
access request
protection
Legal status
Pending
Application number
CN202110662712.XA
Other languages
Chinese (zh)
Inventor
周年华
周辉
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application belongs to the technical field of computers and particularly relates to a security protection method, a security protection device, a computer readable medium and electronic equipment. The security protection method comprises the following steps: acquiring a resource access request and distributing it to a protection unit, where the protection unit is the minimum scheduling unit that provides a network protection function and is obtained by segmenting the protection system; sending the resource access request to a detection unit through a network management unit; carrying out attack detection on the resource access request through the detection unit to obtain a detection result; and, when the detection result is an aggressive request, blocking the resource access request corresponding to that result. The method prevents a resource access request whose detection result is an aggressive request from being transmitted further and causing harm, and it remains robust under highly concurrent resource access requests, so it provides a better network security protection effect.

Description

Security protection method and device, computer readable medium and electronic equipment
Technical Field
The application belongs to the technical field of computers and particularly relates to a security protection method, a security protection device, a computer readable medium and electronic equipment.
Background
The development of network information technology is driving a new industrial and technical revolution, but it also brings great security risks, and the importance of network security in the information era is self-evident. With the continuous development of communication and internet technology, network applications are becoming more abundant, the coverage of the network is growing, and network security is becoming ever more important to production and daily life. At the same time, security events such as web page tampering, web page trojans, SQL injection, XSS vulnerabilities and CSRF attacks occur frequently. Network access involves many security issues that require corresponding safeguards, and in the related art the effect of network security protection is not good.
It is noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the application and therefore may include information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
An object of the present application is to provide a security protection method, apparatus, computer readable medium and electronic device, which overcome the technical problem of poor network security protection effect in the related art at least to a certain extent.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to one aspect of the embodiments of the application, a security protection method is provided. The security protection method comprises the following steps:
acquiring a resource access request, and distributing the resource access request to a protection unit, wherein the protection unit is a minimum scheduling unit which is obtained by segmenting a protection system and provides a network protection function, and the protection unit comprises a network management unit and at least one detection unit which are used for realizing the network protection function;
sending the resource access request to the detection unit through the network management unit;
carrying out attack detection on the resource access request through the detection unit to obtain a detection result, wherein the detection result comprises an aggressive request and a non-aggressive request;
and blocking the resource access request corresponding to the detection result when the detection result is the aggressive request.
According to one aspect of an embodiment of the present application, a security protection apparatus is provided. The apparatus comprises:
a resource access request obtaining module configured to obtain a resource access request and allocate the resource access request to a protection unit, where the protection unit is a minimum scheduling unit that provides a network protection function and is obtained by segmenting a protection system, and the protection unit includes a network management unit and at least one detection unit for implementing the network protection function;
a resource access request sending module configured to send the resource access request to the detecting unit through the network management unit;
the attack detection module is configured to perform attack detection on the resource access request through the detection unit to obtain a detection result, wherein the detection result comprises an aggressive request and a non-aggressive request;
and the request blocking module is configured to block the resource access request corresponding to the detection result when the detection result is an aggressive request.
In some embodiments of the present application, based on the above technical solution, the resource access request sending module includes:
a resource access request loading unit configured to load, by the network management unit, the resource access request into the corresponding storage page of the protection unit in a shared storage space, where the storage page is visible to the protection unit it corresponds to and invisible to all other protection units;
a detection request transmitting unit configured to transmit a detection request into the detection unit through the network management unit;
and the resource access request reading unit is configured to receive the detection request through the detection unit and read the resource access request in the storage page according to the detection request.
In some embodiments of the present application, based on the above technical solutions, the attack detection module includes:
the analysis processing unit is configured to analyze the resource access request in the corresponding storage page in the shared storage space through the detection unit to obtain to-be-detected data;
and the matching detection unit is configured to perform matching detection on the data to be detected and the aggressive data in the preset database through the detection unit to obtain a detection result.
In some embodiments of the present application, based on the above technical solution, the resource access request loading unit includes:
a resource request information obtaining subunit configured to obtain resource request information, where the resource request information includes request length information and a flag bit;
a resource request information caching subunit configured to cache the received resource request information and wait for the next resource request information when, judging from the request length information and the resource request information received so far, the resource request information has not yet been completely received;
a resource request information aggregation subunit configured to aggregate the cached resource request information having the same flag bit into the resource access request when, judging from the request length information and the resource request information received so far, the resource request information has been completely received;
a resource access request loading subunit configured to load, by the network management unit, the resource access request formed by aggregating the resource request information into the corresponding storage page of the protection unit in the shared storage space.
In some embodiments of the present application, based on the above technical solutions, the security protection device further includes:
a state information caching unit configured to cache, by the network management unit, state information of the resource access request, the state information including IP information, port information, and timestamp information of the resource access request;
and the state information loading unit is configured to load the state information of the resource access request into a corresponding storage page of the protection unit in a shared storage space through the network management unit.
In some embodiments of the present application, based on the above technical solution, the detection request sending unit includes:
an index address determination subunit configured to perform distribution (traffic-splitting) processing on the resource access request according to its state information, so as to determine an index address for addressing a detection unit;
a detection request sending subunit configured to send, by the network management unit, a detection request to the detection unit corresponding to the index address, where the detection request includes storage address information of the resource access request in a shared storage space.
In some embodiments of the present application, based on the above technical solutions, the security protection device further includes:
an IP information and port information obtaining unit configured to obtain, by the network management unit, the IP information and the port information corresponding to the resource access request, where the IP information includes a source IP address, and the port information includes source port information;
and the detection result returning unit is configured to return the detection result to a request end sending the resource access request according to the source IP address and the source port information.
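The request path of the device embodiments above (aggregating resource request information by request length and flag bit, loading the request into a storage page only the owning protection unit sees, choosing a detection unit from the cached state information, matching against a preset database of aggressive data, blocking and replying to the source IP and port), as an added Python example that is not part of the patent. Class and function names, the signature list and the sample HTTP traffic are constructed assumptions, and the storage page is modelled as a Python dict rather than real shared memory.

```python
import hashlib
import re
import time
from dataclasses import dataclass, field

ATTACK, NON_ATTACK = "aggressive request", "non-aggressive request"

# Preset database of attack signatures (constructed for this example; a real
# detection unit would carry a far larger rule set).
ATTACK_DATABASE = [
    re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1"),  # SQL injection
    re.compile(r"(?i)<script\b|javascript:"),                     # XSS
    re.compile(r"\.\./"),                                          # path traversal
]


@dataclass
class Fragment:
    """One piece of resource request information: flag bit identifying the
    request, declared total request length, and a chunk of the payload."""
    flag: int
    total_length: int
    data: bytes


@dataclass
class ProtectionUnit:
    """Minimum scheduling unit: one network management unit (receive, dispatch)
    and n detection units (detect) sharing a storage page only this unit sees."""
    unit_id: int
    n_detection_units: int
    page: dict = field(default_factory=dict)     # storage page: address -> request bytes
    state: dict = field(default_factory=dict)    # address -> (src_ip, src_port, timestamp)
    buffers: dict = field(default_factory=dict)  # flag bit -> cached fragments
    next_addr: int = 0

    # ---- network management unit ----
    def receive(self, frag, src_ip, src_port):
        """Cache fragments with the same flag bit until the bytes received reach the
        declared length, then aggregate them into one resource access request and
        load it into the storage page. Returns the page address, or None while
        the request is still incomplete."""
        cached = self.buffers.setdefault(frag.flag, [])
        cached.append(frag)
        if sum(len(f.data) for f in cached) < frag.total_length:
            return None
        request = b"".join(f.data for f in self.buffers.pop(frag.flag))
        addr, self.next_addr = self.next_addr, self.next_addr + 1
        self.page[addr] = request
        self.state[addr] = (src_ip, src_port, time.time())
        return addr

    def index_address(self, addr):
        """Choose a detection unit by hashing the cached state information
        (source IP and port), so one flow always lands on the same unit."""
        src_ip, src_port, _ = self.state[addr]
        digest = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.n_detection_units

    def dispatch(self, addr):
        """Send a detection request carrying only the storage address to the chosen
        detection unit; an aggressive request is dropped from the page (blocked).
        Returns (detection result, detection unit index, reply target)."""
        det = self.index_address(addr)
        result = self.detect(det, addr)
        if result == ATTACK:
            del self.page[addr]  # blocked: never forwarded to the Web server
        src_ip, src_port, _ = self.state[addr]
        return result, det, (src_ip, src_port)

    # ---- detection unit ----
    def detect(self, det_id, addr):
        """Read the request at addr from the storage page, parse it into the data to
        be detected (request line, header values, body) and match each item
        against the preset attack database."""
        head, _, body = self.page[addr].partition(b"\r\n\r\n")
        lines = head.decode("utf-8", "replace").split("\r\n")
        to_detect = [lines[0], body.decode("utf-8", "replace")]
        to_detect += [l.split(":", 1)[1].strip() for l in lines[1:] if ":" in l]
        for item in to_detect:
            if any(sig.search(item) for sig in ATTACK_DATABASE):
                return ATTACK
        return NON_ATTACK


def run_example():
    """Constructed traffic: a benign GET arriving in two fragments and a
    one-fragment login POST whose body carries a SQL injection payload."""
    unit = ProtectionUnit(unit_id=0, n_detection_units=4)
    benign = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    first = unit.receive(Fragment(1, len(benign), benign[:12]), "198.51.100.7", 40001)
    benign_addr = unit.receive(Fragment(1, len(benign), benign[12:]), "198.51.100.7", 40001)
    evil = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=admin' or 1=1--&pass=x"
    evil_addr = unit.receive(Fragment(2, len(evil), evil), "203.0.113.9", 51515)
    return {
        "first_fragment": first,  # None: still waiting for the rest of the request
        "benign": unit.dispatch(benign_addr),
        "attack": unit.dispatch(evil_addr),
        "attack_still_in_page": evil_addr in unit.page,
    }
```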
In some embodiments of the present application, based on the above technical solutions, the security protection device further includes:
a CPU binding unit configured to assign and bind, for each protection unit, one or more CPUs on which that protection unit runs;
the protection unit number increasing unit is configured to increase the number of the protection units and the number of the corresponding bound CPUs when the average CPU utilization rate of the CPUs bound by the protection units is higher than a first preset threshold;
the protection unit number reducing unit is configured to reduce the number of the protection units and the number of the corresponding bound CPUs when the average CPU utilization rate of the CPUs bound by the protection units is lower than a second preset threshold, wherein the second preset threshold is smaller than the first preset threshold.
In some embodiments of the present application, based on the above technical solution, the storage page, and the CPU bound by the network management unit and the detection unit in the protection unit corresponding to the storage page are located in the same hardware architecture node.
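The scaling rule of the last two embodiments, as an added Python example that is not part of the patent: a controller that takes each protection unit's CPUs (and, per the locality point above, its storage page) from one hardware node and grows or shrinks the unit count from the average utilization of the bound CPUs, with the second, lower threshold leaving a hold band so the system does not flap. Class names, the node layout, two CPUs per unit and the thresholds 0.8 / 0.3 are assumptions.

```python
from dataclasses import dataclass


@dataclass
class HardwareNode:
    """One hardware architecture node (e.g. a NUMA node) and its free CPU ids."""
    node_id: int
    free_cpus: list


@dataclass
class ProtectionUnit:
    unit_id: int
    node_id: int  # node holding both the bound CPUs and this unit's storage page
    cpus: list    # CPUs bound to the unit's network management and detection units


class ProtectionSystem:
    """Grows or shrinks the number of protection units from the average
    utilization of the CPUs bound to them. The second threshold is below the
    first, so utilization between the two leaves the unit count unchanged."""

    def __init__(self, nodes, cpus_per_unit, first_threshold, second_threshold, min_units=1):
        assert second_threshold < first_threshold, "second threshold must be smaller"
        self.nodes = list(nodes)
        self.cpus_per_unit = cpus_per_unit
        self.first, self.second = first_threshold, second_threshold
        self.min_units = min_units
        self.units = []
        self.next_id = 0
        for _ in range(min_units):
            self.bind_unit()

    def bind_unit(self):
        """Create a protection unit on the first node with enough free CPUs, so its
        CPUs and its storage page live on the same node. Returns None when no node
        can host another unit. (A real deployment would also pin the unit's worker
        processes here, e.g. with os.sched_setaffinity on Linux.)"""
        for node in self.nodes:
            if len(node.free_cpus) >= self.cpus_per_unit:
                cpus = [node.free_cpus.pop(0) for _ in range(self.cpus_per_unit)]
                unit = ProtectionUnit(self.next_id, node.node_id, cpus)
                self.next_id += 1
                self.units.append(unit)
                return unit
        return None

    def release_unit(self):
        """Remove the newest protection unit and return its CPUs to its node."""
        unit = self.units.pop()
        node = next(n for n in self.nodes if n.node_id == unit.node_id)
        node.free_cpus.extend(unit.cpus)
        return unit

    def average_utilization(self, cpu_util):
        """Average utilization (0..1) over every CPU bound to a protection unit."""
        bound = [c for u in self.units for c in u.cpus]
        if not bound:
            return 0.0
        return sum(cpu_util.get(c, 0.0) for c in bound) / len(bound)

    def scale(self, cpu_util):
        """One scheduling decision from a sample of per-CPU utilization."""
        avg = self.average_utilization(cpu_util)
        if avg > self.first:
            return "grow" if self.bind_unit() else "saturated"
        if avg < self.second and len(self.units) > self.min_units:
            self.release_unit()
            return "shrink"
        return "hold"


def run_example():
    """Two constructed nodes with four CPUs each, two CPUs per protection unit and
    thresholds 0.8 / 0.3; returns the decision sequence and the final placement."""
    system = ProtectionSystem(
        [HardwareNode(0, [0, 1, 2, 3]), HardwareNode(1, [4, 5, 6, 7])],
        cpus_per_unit=2, first_threshold=0.8, second_threshold=0.3)
    samples = [0.9, 0.5, 0.1, 0.1, 0.95, 0.95, 0.95, 0.95]  # constructed utilization
    decisions = [system.scale(dict.fromkeys(range(8), u)) for u in samples]
    placement = [(u.unit_id, u.node_id, u.cpus) for u in system.units]
    return decisions, placement
```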
According to an aspect of the embodiments of the present application, there is provided a computer readable medium, on which a computer program is stored, and the computer program, when executed by a processor, implements a security protection method as in the above technical solution.
According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the security protection method as in the above technical solution via executing the executable instructions.
According to an aspect of an embodiment of the present application, there is provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the security protection method in the technical scheme.
In the technical solution provided by the embodiments of the application, the protection unit is the minimum scheduling unit that provides a network protection function and is obtained after the protection system is segmented; it comprises a network management unit and at least one detection unit that together realize the network protection function. A resource access request is first distributed to the protection unit, the detection unit then carries out attack detection on it to obtain a detection result, and when the detection result is an aggressive request the corresponding resource access request is blocked. A resource access request whose detection result is an aggressive request is therefore prevented from being transmitted further and causing harm, so the application has a better network security protection effect.
Moreover, because the protection unit is the minimum scheduling unit obtained after the protection system is segmented, the scheduling granularity of the protection system is the protection unit, which makes expansion and contraction of the protection system easy to realize. When highly concurrent resource access requests are encountered, the security protection method, security protection device, computer readable medium and electronic device therefore have better robustness, and the network security protection effect of the application can be improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 schematically shows a block diagram of an exemplary device architecture to which the solution of the present application applies.
Fig. 2 schematically shows a flow of steps of a security protection method provided by an embodiment of the present application.
Fig. 3 schematically shows a flow of steps of sending a resource access request to a detection unit through a network management unit in the embodiment of the present application.
Fig. 4 schematically shows an internal structure and a process flow diagram of the protection system in the embodiment of the present application.
Fig. 5 schematically shows a data processing flow diagram of the protection unit in the embodiment of the present application.
Fig. 6 schematically illustrates a flow of steps of loading, by the network management unit, a resource access request into the corresponding storage page of the protection unit in the shared storage space in the embodiment of the present application.
Fig. 7 schematically illustrates a partial step flow of the method after the cached resource request information with the same flag bit is aggregated to form a resource access request in this embodiment.
Fig. 8 schematically shows a flow of steps of sending a detection request to a detection unit through a network management unit in the embodiment of the present application.
Fig. 9 schematically shows a flow of steps of performing attack detection on a resource access request by a detection unit to obtain a detection result in the embodiment of the present application.
Fig. 10 schematically illustrates a partial flow of steps of the method after blocking a resource access request corresponding to a detection result in the embodiment of the present application.
Fig. 11 schematically shows a partial flow of steps of the method before a resource access request is obtained and allocated to a protection unit in the embodiment of the present application.
Fig. 12 schematically shows a block diagram of a security protection device provided in an embodiment of the present application.
Fig. 13 schematically shows a block diagram of an electronic device for implementing an embodiment of the present application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the application.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Before the technical solutions of the security protection method, the security protection device and the like provided in the embodiments of the present application are described in detail, the cloud technology and the blockchain technology involved in some embodiments of the present application are briefly introduced.
Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software and network in a wide area network or a local area network to realize the calculation, storage, processing and sharing of data.
Cloud computing is a computing model that distributes computing tasks over a pool of resources formed by a large number of computers, enabling various application systems to obtain computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". To the user, resources in the "cloud" appear infinitely expandable: they can be acquired at any time, used on demand, expanded at any time and paid for by use.
As the basic capability provider of cloud computing, a cloud computing resource pool (an IaaS (Infrastructure as a Service) platform for short) is established, and multiple types of virtual resources are deployed in the resource pool for external clients to use selectively.
Divided by logical function, a PaaS (Platform as a Service) layer can be deployed on the IaaS (Infrastructure as a Service) layer and a SaaS (Software as a Service) layer on the PaaS layer; SaaS can also be deployed directly on IaaS. PaaS is a platform on which software runs, such as a database or a web container. SaaS is business software of various kinds, such as a web portal, SMS and mass texting. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.
A distributed cloud storage system (hereinafter, referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of different types in a network through application software or application interfaces to cooperatively work by using functions such as cluster application, grid technology, and a distributed storage file system, and provides a data storage function and a service access function to the outside.
Cloud security is the generic name for security software, hardware, users, organizations and security cloud platforms built on the cloud computing business model. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior: abnormal software behavior in the network is monitored through a large number of meshed clients, the latest information on trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and the resulting virus and trojan solution is distributed to each client.
The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, protection against network attacks, compliance auditing and the like; 2. the cloud of security infrastructure, which mainly studies how to use cloud computing to build and integrate security infrastructure resources and optimize the security protection mechanism, including building a super-large-scale security event and information acquisition and processing platform through cloud computing technology, realizing the acquisition and correlation analysis of massive information, and improving the handling and risk control capability for security events across the whole network; 3. cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
Blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, each data block containing the information of a batch of network transactions, which is used to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer and an application services layer.
The blockchain underlying platform can comprise processing modules such as user management, basic service, smart contract and operation monitoring. The user management module is responsible for the identity information of all blockchain participants, including generation and maintenance of public and private keys (account management), key management, maintenance of the correspondence between a user's real identity and blockchain address (authority management) and, where authorized, supervision and auditing of the transactions of certain real identities together with risk control rule configuration (risk control audit). The basic service module is deployed on all blockchain node devices and verifies the validity of service requests, recording a request to storage once consensus on the valid request is completed: for a new service request, the basic service first performs interface adaptation analysis and authentication (interface adaptation), then encrypts the service information through a consensus algorithm (consensus management), transmits it completely and consistently to the shared ledger (network communication) after encryption, and records and stores it. The smart contract module is responsible for registering and issuing contracts, triggering contracts and executing contracts: developers can define contract logic in a certain programming language, issue it to the blockchain (contract registration), and trigger and execute it according to the logic of the contract clauses by calling keys or other events, completing the contract logic while also providing the function of upgrading and cancelling contracts. The operation monitoring module is mainly responsible for deployment, configuration modification, contract setting and cloud adaptation during product release, and for visual output of real-time state during product operation, such as alarms, monitoring of network conditions, monitoring of node device health status and the like.
The platform product service layer provides the basic capability and an implementation framework for typical applications, on which developers can complete the blockchain implementation of business logic by building on these basic capabilities and the characteristics of the business layered on top. The application service layer provides blockchain-based application services for business participants to use.
The system involved in the embodiments of the present application may be a distributed system formed by a client and a plurality of nodes (computing devices of any form in an access network, such as servers and user terminals) connected through network communication.
The following detailed description is made of a safety protection method and a safety protection device provided by the present application with reference to specific embodiments.
Fig. 1 schematically shows a block diagram of an exemplary device architecture to which the solution of the present application applies.
As shown in fig. 1, the apparatus architecture 100 may include a terminal device 110, a network 120, and a server 130. The terminal device 110 may include various electronic devices such as a smart phone, a tablet computer, a notebook computer, and a desktop computer. The server 130 may be an independent physical server, a server cluster or a distributed device configured by a plurality of physical servers, or a cloud server providing cloud computing services. Network 120 may be any type of communications medium capable of providing a communications link between terminal device 110 and server 130, such as a wired communications link or a wireless communications link.
The device architecture in the embodiments of the present application may have any number of terminal devices, networks, and servers, according to implementation needs. For example, the server 130 may be a server group composed of a plurality of server devices. In addition, the technical solution provided in the embodiment of the present application may be applied to the terminal device 110, may also be applied to the server 130, or may be implemented by both the terminal device 110 and the server 130, which is not particularly limited in this application.
For example, after the terminal device 110 sends the resource access request to the server 130, the server 130 may execute the security protection method provided in the present application, so that the resource access request is allocated to the protection unit of the protection system, the detection unit performs attack detection on the resource access request to obtain a detection result, and when the detection result is an aggressive request, the resource access request corresponding to the detection result is blocked, thereby preventing the resource access request whose detection result is the aggressive request from being continuously transmitted and causing harm, and thus the present application has a better network security protection effect.
It can be appreciated that network access involves a number of security issues for which corresponding safeguards are required. In particular, when a server or service system is exposed to highly concurrent requests, the effect of existing network security protection is poor.
The protection unit is the minimum scheduling unit providing the network protection function that is obtained after the protection system is segmented; that is, the scheduling granularity of the protection system is the protection unit. Therefore, the protection system can be expanded by increasing the number of protection units and contracted by reducing the number of protection units, and the structural complexity of the protection system can be reduced. Moreover, the protection system is easy to expand when facing highly concurrent access requests, so as to avoid a crash of the protection system, and easy to contract when the number of access requests is low, so as to reduce the resources consumed by the protection system. The network security protection effect of the security protection method, security protection device, computer readable medium and electronic equipment of the embodiments of the application can thus be improved.
In a specific application, the security protection method of the embodiments of the application can be applied to a Web server, or to an anti-intrusion detection relay station located between the Web server and the user's client.
Fig. 2 schematically shows the step flow of a security protection method provided in an embodiment of the present application, where the execution subject of the security protection method may be a terminal device or a server. As shown in fig. 2, the security protection method mainly includes the following steps S210 to S240:
S210, acquiring the resource access request and distributing the resource access request to the protection unit.
The protection unit is the minimum scheduling unit providing a network protection function that is obtained by segmenting the protection system, and comprises a network management unit and at least one detection unit, which together realize the network protection function.
The method includes acquiring a resource access request from an external node, such as an HTTP packet request, an HTTP POST request, or a request based on HTTP (Hypertext Transfer Protocol) or on another transmission protocol. The resource access request is then distributed to a protection unit of the protection system. Specifically, the resource access requests may be distributed uniformly over the protection units of the protection system, so that when the protection system includes a plurality of protection units the load of each protection unit is balanced. This is beneficial to improving the security of the server or service system that employs the security protection method, apparatus, computer readable medium and electronic device of the embodiments of the present application, that is, to improving their network security protection effect.
In addition, the protection unit is the minimum scheduling unit providing the network protection function that is obtained after the protection system is segmented, that is, the scheduling granularity of the protection system is the protection unit. Therefore, when the protection system needs to be expanded, the number of protection units can be increased; when the protection system needs to be contracted, the number of protection units can be reduced; the protection system can thus conveniently scale out and in. Because the protection system is designed in a segmented manner, it can scale horizontally with high efficiency when faced with highly concurrent resource access requests, so the security protection method has good robustness and the network security protection effect can be improved.
The network protection function comprises a function of preventing the network from being damaged by the aggressive resource access request, and can realize the protection effect on the network security. Specifically, the network protection function includes a function of performing attack detection on the resource access request and blocking the resource access request of which the detection result is an aggressive request.
S220, sending the resource access request to the detection unit through the network management unit.
In particular embodiments, the protection system may be deployed on Kubernetes (k8s). The network management unit may run in a container deployed on Kubernetes, and may send the resource access request to the detection unit. The detection unit may also run in a container deployed on Kubernetes.
Fig. 3 schematically shows a flow of steps of sending a resource access request to a detection unit through a network management unit in the embodiment of the present application. As shown in fig. 3, on the basis of the above embodiment, in some embodiments, the sending of the resource access request to the detection unit through the network management unit in step S220 may further include the following steps S310 to S330:
S310, loading the resource access request into the corresponding storage page of the protection unit in the shared storage space through the network management unit. The storage page is visible to the protection unit to which it corresponds and invisible to the other protection units.
Fig. 4 schematically shows the internal structure and a process flow diagram of the protection system in the embodiment of the present application. As shown in fig. 4, the protection system 400 includes two protection units 410. Each protection unit 410 includes a network management unit 411 and a protection detection unit 412. A resource access request may be loaded by the network management unit 411 into the corresponding storage page 421 of the protection unit 410 in the shared storage 420. The storage page 421 is visible to the protection unit 410 to which it corresponds and invisible to the other protection units 410.
Fig. 5 schematically shows a data processing flow diagram of the protection unit in the embodiment of the present application. As shown in fig. 5, the resource access request may be loaded by the network management unit 510 into the corresponding storage page 530 of the protection unit in the shared storage space. The storage page 530 is visible to the network management unit 510 and the protection detection unit 520 of the protection unit 500 to which it corresponds, and invisible to the other protection units. The addressing efficiency of the network management unit for the corresponding storage page of its protection unit in the shared storage space is thus improved, so the time consumed for loading the resource access request into that storage page is reduced and the operating efficiency is improved.
It can be understood that the detection unit, which needs to perform attack detection on the resource access request, consumes comparatively many CPU resources. Adopting a layout in which one network management module corresponds to two or more protection detection modules balances the load between the network management module and the protection detection modules, so the operating efficiency of the protection unit can be improved for fixed system resources.
Fig. 6 schematically illustrates the step flow of loading the resource access request into the corresponding storage page of the protection unit in the shared storage space through the network management unit in the embodiment of the present application. As shown in fig. 6, based on the above embodiment, in some embodiments, the loading of the resource access request into the corresponding storage page of the protection unit in the shared storage space through the network management unit in step S310 may further include the following steps S610 to S640:
S610, acquiring resource request information, wherein the resource request information comprises request length information and a flag bit;
S620, when it is determined from the request length information and the received resource request information that the resource request information has not been completely received, caching the received resource request information and waiting to receive the next resource request information;
S630, when it is determined from the request length information and the received resource request information that the resource request information has been completely received, aggregating the cached resource request information having the same flag bit to form a resource access request;
S640, loading the resource access request formed by aggregating the resource request information into the corresponding storage page of the protection unit in the shared storage space through the network management unit.
It is understood that some resource access requests may be split into multiple pieces of resource request information because of limitations such as network bandwidth. Each piece of resource request information may be encapsulated in a network packet. Pieces of resource request information with the same flag bit originate from the same resource access request. When all the resource request information has been received, the cached resource request information with the same flag bit is aggregated to form a resource access request, so the split resource request information is restored into a complete resource access request. Attack detection is then carried out on the complete resource access request, so whether the whole request contains offensive data can be detected completely; the problem that offensive data cannot be identified because it is split across different pieces of resource request information is avoided, and the recognition rate of the security protection method for offensive requests can be improved.
Specifically, the information length of the resource request information may be stored in the Content-Length variable of the request header of the resource access request.
In some embodiments, the network management unit may start network monitoring to obtain the resource request information in real time. The network management unit may establish an HTTP session table for each network packet of the resource request information, to store state information of the resource request information, and aggregate the state information of the resource request information to obtain state information of the resource access request when the resource access request is formed by aggregating the resource request information.
Fig. 7 schematically shows a partial step flow of the method after the cached resource request information with the same flag bit is aggregated to form a resource access request in the embodiment of the present application. As shown in fig. 7, on the basis of the above embodiments, in some embodiments, after aggregating the cached resource request information with the same flag bit to form a resource access request in step S630, the security protection method may further include the following steps S710 to S720:
S710, caching the state information of the resource access request through the network management unit. The state information includes IP information, port information, and timestamp information of the resource access request.
S720, loading the state information of the resource access request into the corresponding storage page of the protection unit in the shared storage space through the network management unit.
It can be understood that when the network management unit obtains the resource access request, it also obtains the state information of the resource access request. The state information includes IP information, port information, timestamp information, and the like. The IP information may include a source IP address and a destination IP address. The port information may include source port information and destination port information. The timestamp information may include the timestamp at which the protection system received the resource access request, or the timestamps at which the protection system received the respective pieces of resource request information making up the resource access request. The state information of the resource access request can therefore be cached by the network management unit and loaded by it into the corresponding storage page of the protection unit in the shared storage space, so that the state information can be conveniently read and used subsequently.
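The fragment aggregation of steps S610 to S640 and the caching of state information in steps S710 and S720, as an added worked example that is not part of the patent: the packet framing (a flag value and a declared total length carried with every fragment), the HTTP samples, addresses and timestamps are constructed assumptions, since the patent leaves the wire format open and only names Content-Length as a possible carrier of the length information.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    """One piece of resource request information as carried by one packet.
    Framing is an assumption of this example: the flag bit and the declared
    total request length travel with every fragment."""
    flag: int
    total_length: int
    src_ip: str
    src_port: int
    timestamp: float
    payload: bytes


@dataclass
class SessionEntry:
    """One row of the HTTP session table kept by the network management unit."""
    total_length: int
    src_ip: str
    src_port: int
    chunks: List[bytes] = field(default_factory=list)
    timestamps: List[float] = field(default_factory=list)

    def received(self) -> int:
        return sum(len(c) for c in self.chunks)


@dataclass
class ResourceAccessRequest:
    flag: int
    data: bytes          # what S640 would load into the storage page
    state: dict          # S710: IP, port and timestamp information


class Reassembler:
    def __init__(self) -> None:
        self.sessions: Dict[int, SessionEntry] = {}

    def feed(self, frag: Fragment) -> Optional[ResourceAccessRequest]:
        """S610-S630: cache fragments until the declared length is reached,
        then aggregate the cached fragments with the same flag bit."""
        entry = self.sessions.get(frag.flag)
        if entry is None:
            entry = SessionEntry(frag.total_length, frag.src_ip, frag.src_port)
            self.sessions[frag.flag] = entry
        entry.chunks.append(frag.payload)
        entry.timestamps.append(frag.timestamp)
        if entry.received() < entry.total_length:
            return None                      # S620: wait for the next fragment
        del self.sessions[frag.flag]
        data = b"".join(entry.chunks)
        if len(data) != entry.total_length:
            # more bytes than declared: treat as malformed rather than guess
            raise ValueError("fragments exceed the declared request length")
        state = {
            "src_ip": entry.src_ip,
            "src_port": entry.src_port,
            "first_seen": min(entry.timestamps),
            "last_seen": max(entry.timestamps),
        }
        return ResourceAccessRequest(frag.flag, data, state)


# Constructed sample requests; the declared total length is the byte
# length of the whole request in this example's framing.
SAMPLE_A = b"GET /a?x=1 HTTP/1.1\r\nHost: h\r\n\r\n"
SAMPLE_B = b"POST /login HTTP/1.1\r\nHost: h\r\nContent-Length: 7\r\n\r\nu=a&p=b"


def demo() -> List[ResourceAccessRequest]:
    """Two requests whose fragments interleave on the wire; each request is
    emitted only once its last fragment has arrived."""
    pkts = [
        Fragment(1, len(SAMPLE_A), "10.0.0.5", 51000, 100.0, SAMPLE_A[:16]),
        Fragment(2, len(SAMPLE_B), "10.0.0.6", 51001, 100.1, SAMPLE_B[:20]),
        Fragment(1, len(SAMPLE_A), "10.0.0.5", 51000, 100.2, SAMPLE_A[16:]),
        Fragment(2, len(SAMPLE_B), "10.0.0.6", 51001, 100.3, SAMPLE_B[20:40]),
        Fragment(2, len(SAMPLE_B), "10.0.0.6", 51001, 100.4, SAMPLE_B[40:]),
    ]
    reassembler = Reassembler()
    return [req for req in map(reassembler.feed, pkts) if req is not None]
```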
S320, sending a detection request to the detection unit through the network management unit.
As shown in fig. 5, the network management unit 510 may send a detection request to the detection unit 520, so that the detection unit 520 performs attack detection on the resource access request. The detection request may include storage address information of a resource access request corresponding to the detection request in the shared storage space.
Fig. 8 schematically shows a flow of steps of sending a detection request to a detection unit through a network management unit in the embodiment of the present application. As shown in fig. 8, on the basis of the above embodiment, in some embodiments, the sending of the detection request to the detection unit through the network management unit in step S320 may further include the following steps S810 to S820:
S810, performing shunting processing on the resource access request according to the state information of the resource access request to determine an index address for addressing the detection unit.
S820, sending a detection request to the detection unit corresponding to the index address through the network management unit, wherein the detection request comprises storage address information of the resource access request in the shared storage space.
The detection request is sent to the detection unit through the network management unit, and specifically, the resource access request may be shunted according to the state information of the resource access request to determine an index address for addressing the detection unit, and then the detection request is sent to the detection unit corresponding to the index address through the network management unit.
Specifically, the shunting processing may be performed according to the timestamp information of the resource access requests. For example, the resource access requests are sorted according to the order of their receiving timestamps, each request being arranged relative to the others according to when it was received. After the arrangement is completed, detection requests including the storage address information of the resource access requests in the shared storage space may be sent to each detection unit in turn according to the arrangement order. For example, when the protection unit includes two detection units, detection unit A and detection unit B: a detection request including the storage address information of the resource access request in the shared storage space is generated for the resource access request currently arranged first and sent to detection unit A; a detection request is generated in the same way for the resource access request currently arranged second and sent to detection unit B; a detection request is generated for the resource access request currently arranged third and sent to detection unit A; a detection request is generated for the resource access request currently arranged fourth and sent to detection unit B; and so on.
Therefore, the efficiency of detecting the resource access request can be improved, the detection resources of the detection units can be fully utilized, and the load imbalance among the detection units can be avoided.
In some embodiments, the detection requests corresponding to the resource access requests may be sent to the respective detection units in turn according to the request lengths of the resource access requests. For example, when the protection unit includes two detection units, detection unit A and detection unit B: a corresponding detection request is generated for the resource access request currently arranged first, whose length information is 3 units of information length, and sent to detection unit A; a detection request is generated for the resource access request arranged second, whose length information is 1 unit of information length, and sent to detection unit B; a detection request is generated for the resource access request arranged third, whose length information is 2 units of information length, and sent to detection unit B; a detection request is generated for the resource access request arranged fourth, whose length information is 1 unit of information length, and sent to detection unit A; a detection request is generated for the resource access request arranged fifth, whose length information is 2 units of information length, and sent to detection unit A; a detection request is generated for the resource access request arranged sixth, whose length information is 3 units of information length, and sent to detection unit B; and so on.
In this way, when the resource access requests are sent to the detection units in turn, the summed request lengths of the one or more resource access requests sent to each detection unit remain close to each other, so load imbalance between the detection units can be further avoided.
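The shunting of steps S810 and S820, as an added worked example that is not part of the patent: a timestamp-ordered round robin, the alternating pattern A, B, B, A, A, B read off the six-request example in the text (the patent does not name that rule), and a greedy least-loaded variant for comparison. Timestamps, storage addresses and the unit names are constructed; the six request lengths are the ones given above.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Pending:
    """A resource access request waiting to be shunted: its receive
    timestamp, its storage address in the shared storage space, and its
    request length (the 'information length' of the text)."""
    timestamp: float
    shm_offset: int
    length: int


@dataclass(frozen=True)
class DetectionRequest:
    unit: str          # index address of the detection unit (S810)
    shm_offset: int    # storage address information carried by the request (S820)
    length: int


def _by_timestamp(reqs: List[Pending]) -> List[Pending]:
    return sorted(reqs, key=lambda r: r.timestamp)


def round_robin(reqs: List[Pending], units: List[str]) -> List[DetectionRequest]:
    """Timestamp-ordered round robin: A, B, A, B, ... for two units."""
    return [DetectionRequest(units[i % len(units)], r.shm_offset, r.length)
            for i, r in enumerate(_by_timestamp(reqs))]


def alternating(reqs: List[Pending], units: List[str]) -> List[DetectionRequest]:
    """Reverse the unit order on every pass, which reproduces the sequence
    A, B, B, A, A, B given in the text (our reading of that sequence)."""
    n, out = len(units), []
    for i, r in enumerate(_by_timestamp(reqs)):
        rnd, pos = divmod(i, n)
        unit = units[pos] if rnd % 2 == 0 else units[n - 1 - pos]
        out.append(DetectionRequest(unit, r.shm_offset, r.length))
    return out


def least_loaded(reqs: List[Pending], units: List[str]) -> List[DetectionRequest]:
    """Greedy alternative: send each request to the unit whose assigned
    length sum is currently smallest (ties go to the earlier unit)."""
    load = {u: 0 for u in units}
    out = []
    for r in _by_timestamp(reqs):
        unit = min(units, key=load.__getitem__)
        load[unit] += r.length
        out.append(DetectionRequest(unit, r.shm_offset, r.length))
    return out


def load_per_unit(assign: List[DetectionRequest], units: List[str]) -> Dict[str, int]:
    """Summed request length per detection unit, the quantity the text wants close."""
    load = {u: 0 for u in units}
    for d in assign:
        load[d.unit] += d.length
    return load


# The six lengths from the text (3, 1, 2, 1, 2, 3), with constructed
# timestamps and storage addresses; returned out of arrival order so the
# dispatchers have to sort by timestamp first.
PAGE_LENGTHS = [3, 1, 2, 1, 2, 3]


def make_pending(lengths: List[int]) -> List[Pending]:
    offset, out = 0, []
    for i, n in enumerate(lengths):
        out.append(Pending(timestamp=100.0 + i, shm_offset=offset, length=n))
        offset += n
    return out[::-1]
```

On these six lengths the alternating pattern yields 6 and 6 units per detection unit, while both plain round robin and the greedy rule yield 7 and 5.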
S330, receiving the detection request through the detection unit, and reading the resource access request in the storage page according to the detection request.
As shown in fig. 5, after receiving the detection request through the detection unit 520, the resource access request may be read in the corresponding storage page 530 according to the detection request. Since the detection request includes the storage address information of the resource access request in the shared storage space, after receiving the detection request, the detection unit may read the resource access request in the corresponding storage page in the shared storage space according to the detection request. Therefore, after the resource access request is loaded into the corresponding storage page of the protection unit in the shared storage space through the network management unit, the resource access request can be read in the corresponding storage page through the detection unit according to the detection request, so that the related data of the resource access request can be prevented from being copied between the network management unit and the detection unit, the consumption of system resources can be reduced, the interaction between the units in the protection unit is more efficient, and the internal resources of the network management unit and the detection unit can be saved.
S230, carrying out attack detection on the resource access request through the detection unit to obtain a detection result. The detection result is either an aggressive request or a non-aggressive request.
As shown in fig. 5, after the attack detection is performed on the resource access request by the detection unit 520, a detection result can be obtained. Specifically, the detection result may be returned to the network management unit 510.
Fig. 9 schematically shows a flow of steps of performing attack detection on a resource access request by a detection unit to obtain a detection result in the embodiment of the present application. As shown in fig. 9, on the basis of the above embodiments, in some embodiments, the performing attack detection on the resource access request by the detection unit in step S230 to obtain a detection result may further include the following steps S910 to S920:
S910, parsing the resource access request in the corresponding storage page in the shared storage space through the detection unit to obtain the data to be detected;
S920, matching the data to be detected against the offensive data in the preset database through the detection unit to obtain a detection result.
The resource access request in the corresponding storage page in the shared storage space is parsed by the detection unit to obtain the data to be detected, and the detection unit then matches the data to be detected against the offensive data in the preset database to obtain a detection result. Specifically, the detection unit may parse both the Head (request header) and the Body (request body) of the resource access request in the corresponding storage page in the shared storage space, extract the data to be detected from the Head and the Body, and match the data to be detected against the offensive data in the preset database to obtain a detection result, the detection result being either an offensive request or a non-offensive request.
Specifically, an attack detection engine may be used to match the data to be detected against the aggressive data in the preset database. The protection system can be constructed between the client and the Web server, in which case the attack detection is Web attack detection. An aggressive request is a resource access request containing suspected aggressive data, and a non-aggressive request is one containing no suspected aggressive data. The aggressive data may be data related to network security attacks such as web page tampering, web page trojans, SQL injection, XSS vulnerabilities, CSRF attacks, and the like. Attack detection on the resource access request can thus be realized efficiently and conveniently, facilitating subsequent interception or blocking of resource access requests carrying an attack.
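Steps S910, S920 and the blocking decision of S240, as an added worked example that is not the patent's detection engine: the request is split into Head and Body, the data to be detected is extracted and percent-decoded, and each field is matched against a constructed two-rule "preset database" of offensive patterns. The rules, host names and sample requests are constructed for illustration; a production rule set is far larger.

```python
import re
from typing import Dict, NamedTuple, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed preset database of offensive data: category -> pattern.
OFFENSIVE_DB = {
    "sql_injection": re.compile(
        r"(?i)\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b|\bon\w+\s*=\s*[\"']?\s*javascript:"),
}


class Detection(NamedTuple):
    aggressive: bool
    category: str   # matched category, "" for a non-aggressive request
    field: str      # where in Head or Body the match was found


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split the request read from the storage page into Head and Body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def extract_fields(method: str, target: str, headers: Dict[str, str],
                   body: str) -> Dict[str, str]:
    """S910: the data to be detected, percent-decoded once so that encoded
    payloads are compared in the same form as the preset database."""
    url = urlsplit(target)
    fields = {"path": unquote_plus(url.path)}
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        fields[f"query.{k}"] = v                      # parse_qsl decodes
    for name in ("user-agent", "referer", "cookie"):
        if name in headers:
            fields[f"header.{name}"] = unquote_plus(headers[name])
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(body, keep_blank_values=True):
            fields[f"body.{k}"] = v
    elif body:
        fields["body"] = unquote_plus(body)
    return fields


def detect(raw: bytes) -> Detection:
    """S920: match every extracted field against the preset database."""
    for name, value in extract_fields(*parse_request(raw)).items():
        for category, pattern in OFFENSIVE_DB.items():
            if pattern.search(value):
                return Detection(True, category, name)
    return Detection(False, "", "")


def handle(raw: bytes) -> str:
    """S240: block an aggressive request, release a non-aggressive one."""
    return "blocked" if detect(raw).aggressive else "released"


# Constructed sample requests (host names and payloads are illustrative).
BENIGN = (b"GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: shop.example\r\n"
          b"User-Agent: demo-client\r\n\r\n")
SQLI_QUERY = (b"GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
              b"Host: shop.example\r\n\r\n")
XSS_BODY = (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
```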
S240, blocking the resource access request corresponding to the detection result when the detection result is an aggressive request.
In some embodiments, when a detection result obtained by the detection unit performing attack detection on the resource access request is an aggressive request, the resource access request corresponding to the detection result is blocked. And when the detection result of the detection unit for carrying out attack detection on the resource access request is a non-aggressive request, releasing the resource access request corresponding to the detection result. Therefore, the protection unit can provide a network protection function, can avoid continuous transmission and harm of the resource access request containing the offensive data, can normally transmit the resource access request containing no offensive data, can improve the security of the server or the service system adopting the security protection method, the security protection device, the computer readable medium and the electronic equipment in the embodiment of the application, and has a better network security protection effect.
Fig. 10 schematically shows a partial step flow of the method after blocking a resource access request corresponding to a detection result in the embodiment of the present application. As shown in fig. 10, based on the above embodiment, in some embodiments, after blocking the resource access request corresponding to the detection result in step S240, the security protection method may further include the following steps S1010 to S1020:
S1010, obtaining the IP information and port information corresponding to the resource access request through the network management unit. The IP information includes the source IP address and the port information includes the source port information.
S1020, returning the detection result to the requesting end that sent the resource access request according to the source IP address and the source port information.
As shown in fig. 5, after the detection result has been returned to the network management unit 510 and the protection unit 500 has blocked the resource access request whose detection result is an offensive request, the detection result may be returned to the requesting end that sent the resource access request, according to the source IP address and source port information. The requesting end may be a client or a server that sent the resource access request from that source IP address and source port. The requesting end thus receives a response to the resource access request it sent and learns that the request was detected as an aggressive request, so it can check whether a source of aggressive data exists on its side and repair the corresponding system vulnerability; the security of the requesting end and the protection effect of the security protection method can thereby be improved.
Fig. 11 schematically shows a partial flow of steps of the method before a resource access request is obtained and allocated to a guard unit in the embodiment of the present application. As shown in fig. 11, based on the above embodiments, in some embodiments, before the step S210 of obtaining the resource access request and allocating the resource access request to the guard unit, the security protection method may further include the following steps S1110 to S1130:
S1110, allocating and binding one or more CPUs (central processing units) for running the protection unit to each protection unit;
S1120, when the average CPU utilization of the CPUs bound by the protection units is higher than a first preset threshold, increasing the number of protection units and the number of correspondingly bound CPUs;
S1130, when the average CPU utilization of the CPUs bound by the protection units is lower than a second preset threshold, reducing the number of protection units and the number of correspondingly bound CPUs.
Before the resource access request is acquired and distributed to the protection units, one or more CPUs (central processing units) for running the protection unit may be allocated and bound to each protection unit. When the average CPU utilization of the CPUs bound by the protection units is higher than a first preset threshold, the number of protection units and the number of correspondingly bound CPUs are increased; when the average CPU utilization of the CPUs bound by the protection units is lower than a second preset threshold, the number of protection units and the number of correspondingly bound CPUs are reduced. The second preset threshold is smaller than the first preset threshold. The CPU utilization of the CPUs bound by the protection units is thus kept no higher than the first preset threshold and no lower than the second preset threshold, so the bound CPUs are prevented from being overloaded and the protection system is prevented from crashing under overload when facing highly concurrent requests. The security of the protection system, and of the server or service system carrying the security protection method of the embodiments of the application, can thereby be improved, as can the protection effect of the security protection method.
Moreover, because the protection system of the embodiments of the application is divided into protection units, each protection unit can independently provide the aggressiveness detection service, and the system resource occupation of a single protection unit is low. Therefore, when the flow of resource access requests received by the protection system is low, that is, when the average CPU utilization of the CPUs bound by the protection units is lower than the second preset threshold, the number of protection units is reduced, which saves system resources and improves the operating efficiency of the system; when the flow of resource access requests received by the protection system is high, that is, when the average CPU utilization of the CPUs bound by the protection units is higher than the first preset threshold, the number of protection units is increased, so the protection system has better robustness when facing highly concurrent resource access requests. The security of the protection system, and of the server or service system carrying the security protection method of the embodiments of the application, is thus improved, as is the protection effect of the security protection method. Specifically, the protection system of the embodiments of the application can be deployed on a cloud server, so that the protection units can be conveniently added and removed, the efficiency of expanding the protection units during a sudden increase in the flow of resource access requests can be improved, and the protection effect of the protection system can be improved.
In a specific example, the CPU management policy of the protection system may be set to static, and at the same time the QoS (Quality of Service) mechanism of Kubernetes may be adopted, with the Guaranteed level used to limit the CPU. The protection unit can then exclusively occupy and bind its CPU cores, changes to the CPUs on which the protection unit runs during operation are avoided, and quality of service management of the protection units within the protection system is achieved, so the protection unit has higher performance and the robustness of the protection system when handling highly concurrent requests is improved.
On the basis of the above embodiments, in some embodiments, when one or more protection units of the protection system fail, the number of protection units and the number of correspondingly bound CPUs may be increased, so that the newly added protection unit can take over the resource access requests of the failed protection unit for attack detection. The protection system is thereby prevented from being paralyzed, its robustness is improved, and its security protection effect is improved.
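The capacity management of steps S1110 to S1130 and the take-over of a failed protection unit described above, as an added worked example that is not the patent's controller: whole cores are bound to each unit from a fixed pool, the unit count follows the average utilization of the bound cores with the second threshold below the first, and a failure adds a unit with its own cores. Core counts, thresholds and utilization samples are constructed; in a Kubernetes deployment the actual core binding would be done by the kubelet for a Guaranteed-QoS pod under the static CPU manager policy, not by this code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProtectionUnit:
    uid: int
    cpus: List[int]          # cores bound to this unit (S1110)
    failed: bool = False


class CapacityManager:
    """Scale the number of protection units on the average utilization of
    their bound cores, with hysteresis (low < high), binding whole cores
    from a fixed pool to each unit."""

    def __init__(self, total_cpus: int, cpus_per_unit: int,
                 high: float, low: float) -> None:
        if not 0.0 <= low < high <= 1.0:
            raise ValueError("thresholds must satisfy 0 <= low < high <= 1")
        self.free_cpus = list(range(total_cpus))
        self.per_unit = cpus_per_unit
        self.high, self.low = high, low
        self.units: Dict[int, ProtectionUnit] = {}
        self._next_uid = 0

    def add_unit(self) -> Optional[ProtectionUnit]:
        """S1110 for one new unit: bind cpus_per_unit free cores, or None if
        the pool cannot supply them."""
        if len(self.free_cpus) < self.per_unit:
            return None
        cpus = [self.free_cpus.pop(0) for _ in range(self.per_unit)]
        unit = ProtectionUnit(self._next_uid, cpus)
        self._next_uid += 1
        self.units[unit.uid] = unit
        return unit

    def remove_unit(self, uid: int) -> None:
        """Release a unit's cores back to the pool."""
        self.free_cpus.extend(self.units.pop(uid).cpus)

    def healthy(self) -> List[ProtectionUnit]:
        return [u for u in self.units.values() if not u.failed]

    def rebalance(self, util: Dict[int, float]) -> str:
        """S1120/S1130. util maps uid -> mean utilization (0..1) of that
        unit's bound cores; failed units are left out of the average."""
        live = self.healthy()
        if not live:
            return "none"
        avg = sum(util.get(u.uid, 0.0) for u in live) / len(live)
        if avg > self.high:
            return "scale_up" if self.add_unit() else "saturated"
        if avg < self.low and len(live) > 1:          # never drop the last unit
            victim = min(live, key=lambda u: util.get(u.uid, 0.0))
            self.remove_unit(victim.uid)
            return "scale_down"
        return "hold"

    def handle_failure(self, uid: int) -> Optional[ProtectionUnit]:
        """A failed unit is marked and a new unit with its own cores is added
        to take over its requests; the failed unit keeps its cores until it
        is removed explicitly (an assumption of this example)."""
        self.units[uid].failed = True
        return self.add_unit()
```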
On the basis of the above embodiments, in some embodiments, the storage page and the CPUs bound to the network management unit and the detection unit of the protection unit corresponding to that storage page are located in the same hardware architecture node. This shortens the data transmission path between the storage page and those CPUs, improves the internal interaction efficiency of the protection unit, and thereby improves the robustness of the protection unit and the protection system, the security of the protection system and of the server or service system carrying the security protection method of the embodiment of the application, and the security protection effect of the method.
Specifically, the hardware architecture node may be a Non-Uniform Memory Access (NUMA) node. Keeping the storage page in memory attached to the same NUMA node as the CPUs bound to the network management unit and the detection unit avoids remote memory accesses across the interconnect, improves the NUMA affinity of the network management unit, the storage page and the detection unit, and optimizes the topology management inside the protection unit. The internal interaction efficiency and robustness of the protection unit and the protection system improve accordingly, and with them the security of the protection system and of the server or service system carrying the method, and the security protection effect of the method.
It should be noted that although the various steps of the methods in this application are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the shown steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Embodiments of the apparatus of the present application are described below; they may be used to implement the security protection methods of the above-described embodiments. Fig. 12 schematically shows a block diagram of a security protection apparatus provided in an embodiment of the present application. As shown in Fig. 12, the security protection apparatus 1200 may include:
a resource access request obtaining module 1210 configured to obtain a resource access request and allocate the resource access request to a protection unit, where the protection unit is a minimum scheduling unit that provides a network protection function and is obtained by splitting a protection system, and the protection unit includes a network management unit and at least one detection unit for implementing the network protection function;
a resource access request sending module 1220 configured to send a resource access request to the detection unit through the network management unit;
an attack detection module 1230 configured to perform attack detection on the resource access request through the detection unit to obtain a detection result, where the detection result is an aggressive request or a non-aggressive request;
and the request blocking module 1240 is configured to block the resource access request corresponding to the detection result when the detection result is an aggressive request.
In some embodiments of the present application, based on the above embodiments, the resource access request sending module includes:
the resource access request loading unit is configured to load the resource access request into a corresponding storage page of the protection unit in the shared storage space through the network management unit, the storage page is visible to the protection unit corresponding to the storage page, and the storage page is invisible to other protection units except the protection unit corresponding to the storage page;
a detection request sending unit configured to send a detection request to the detection unit through the network management unit;
and the resource access request reading unit is configured to receive the detection request through the detection unit and read the resource access request in the storage page according to the detection request.
In some embodiments of the present application, based on the above embodiments, the attack detection module includes:
the analysis processing unit is configured to analyze the resource access request in the corresponding storage page in the shared storage space through the detection unit to obtain to-be-detected data;
and the matching detection unit is configured to perform matching detection on the data to be detected and the aggressive data in the preset database through the detection unit to obtain a detection result.
In some embodiments of the present application, based on the above embodiments, the resource access request loading unit includes:
a resource request information obtaining subunit configured to obtain resource request information, where the resource request information includes request length information and a flag bit;
a resource request information caching subunit configured to cache the received resource request information and wait for receiving the next resource request information when it is determined that the resource request information is not completely received according to the request length information and the received resource request information;
a resource request information aggregation subunit configured to aggregate the cached resource request information having the same flag bit into a resource access request when it is determined, from the request length information and the received resource request information, that the resource request information has been completely received;
and the resource access request loading subunit is configured to load the resource access request formed by aggregating the resource request information into a corresponding storage page of the protection unit in the shared storage space through the network management unit.
In some embodiments of the present application, based on the above embodiments, the security protection apparatus further includes:
the state information caching unit is configured to cache the state information of the resource access request through the network management unit, and the state information comprises IP information, port information and timestamp information of the resource access request;
and the state information loading unit is configured to load the state information of the resource access request into a corresponding storage page of the protection unit in the shared storage space through the network management unit.
In some embodiments of the present application, based on the above embodiments, the detection request sending unit includes:
an index address determining subunit configured to distribute the resource access request according to its state information, thereby determining an index address that addresses one of the detection units;
and the detection request sending subunit is configured to send a detection request to the detection unit corresponding to the index address through the network management unit, wherein the detection request comprises storage address information of the resource access request in the shared storage space.
In some embodiments of the present application, based on the above embodiments, the security protection apparatus further includes:
the IP information and port information acquisition unit is configured to acquire IP information and port information corresponding to the resource access request through the network management unit, wherein the IP information comprises a source IP address, and the port information comprises source port information;
and the detection result returning unit is configured to return the detection result to the request end sending the resource access request according to the source IP address and the source port information.
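The following Python model, added here as an example and not taken from the patent, runs the request path that the modules above describe (and that claims 1 to 7 recite) for one protection unit with a private storage page and four detection units: fragment reassembly by flag bit and declared length, state caching, flow-hashed distribution to a detection unit index, hand-off of only the page address, parsing into data to be detected, matching against a preset attack database, blocking, and returning the verdict to the source IP and port. The fragment layout, the three-rule attack database, the RFC 5737 addresses and the sample requests are all constructed.

```python
"""Request path inside one protection unit (added example, not the patent's code).

Network management unit: reassemble fragments by flag bit and declared length, cache
state (source IP, port, timestamp), write the request into the unit's private page and
hand the detection unit only the page address. Detection unit: read the page, parse,
match against a preset attack database, block aggressive requests, return the verdict
to the source IP and port. Fragment layout, rules and sample traffic are constructed.
"""
import re
import time
import zlib
from dataclasses import dataclass, field
from itertools import zip_longest
from urllib.parse import unquote_plus

# Constructed preset database of attack signatures (illustrative, not a production rule set).
ATTACK_DB = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|\bor\b\s+1\s*=\s*1|'\s*--)"),
    "traversal": re.compile(r"\.\.[\\/]"),
    "xss": re.compile(r"(?i)<\s*script\b"),
}


@dataclass
class Fragment:
    """One piece of 'resource request information': same flag bit = same request."""
    flag: int
    total_len: int      # declared length of the whole request
    src_ip: str
    src_port: int
    payload: bytes


@dataclass
class ProtectionUnit:
    uid: int
    n_detectors: int
    page: dict = field(default_factory=dict)      # private storage page: address -> (request, state)
    pending: dict = field(default_factory=dict)   # flag bit -> fragments cached so far
    forwarded: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    verdicts: list = field(default_factory=list)  # (src_ip, src_port, result) sent back to requesters
    next_addr: int = 0

    # --- network management unit ---
    def receive(self, frag):
        """Cache fragments until the declared length is reached, then aggregate, load and detect."""
        buf = self.pending.setdefault(frag.flag, [])
        buf.append(frag)
        if sum(len(f.payload) for f in buf) < frag.total_len:
            return None                                  # incomplete: wait for the next fragment
        del self.pending[frag.flag]
        request = b"".join(f.payload for f in buf)
        state = {"src_ip": frag.src_ip, "src_port": frag.src_port, "ts": time.time()}
        addr = self.load(request, state)
        return self.detect(self.shunt(state), addr)

    def load(self, request, state):
        """Write request and state into this unit's own page; only the address leaves the unit."""
        addr, self.next_addr = self.next_addr, self.next_addr + 1
        self.page[addr] = (request, state)
        return addr

    def shunt(self, state):
        """Index address of the detection unit: a stable flow hash keeps one flow on one detector."""
        key = f"{state['src_ip']}:{state['src_port']}".encode()
        return zlib.crc32(key) % self.n_detectors       # crc32, not hash(): str hashing is randomised per process

    # --- detection unit ---
    def detect(self, idx, addr):
        """Read the request from the page by address, parse, match ATTACK_DB, then block or forward."""
        request, state = self.page.pop(addr)
        data = parse_request(request)
        rule = next((name for name, rx in ATTACK_DB.items() if rx.search(data)), None)
        (self.blocked if rule else self.forwarded).append(request)
        result = {"detector": idx, "verdict": "aggressive" if rule else "non-aggressive", "rule": rule}
        self.verdicts.append((state["src_ip"], state["src_port"], result))   # returned to the requester
        return result


def parse_request(raw):
    """Data to be detected: the percent-decoded request target from the first request line."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    return unquote_plus(parts[1] if len(parts) > 1 else line)


def fragments(flag, src_ip, src_port, request, split_at=None):
    """Constructed helper: cut one request into one or two fragments sharing a flag bit."""
    pieces = [request] if split_at is None else [request[:split_at], request[split_at:]]
    return [Fragment(flag, len(request), src_ip, src_port, p) for p in pieces]


# Constructed sample traffic (RFC 5737 addresses): a benign request, an SQL injection split
# across two fragments, and a path traversal.
SAMPLE = [
    fragments(1, "203.0.113.5", 51000, b"GET /index.html?id=5 HTTP/1.1\r\nHost: app\r\n\r\n"),
    fragments(2, "198.51.100.7", 40022, b"GET /items?id=1%20OR%201%3D1 HTTP/1.1\r\nHost: app\r\n\r\n", split_at=18),
    fragments(3, "198.51.100.7", 40023, b"GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: app\r\n\r\n"),
]


def run(unit, batches):
    """Feed fragments interleaved across requests; return verdicts in completion order."""
    results = []
    for round_ in zip_longest(*batches):
        for frag in filter(None, round_):
            result = unit.receive(frag)
            if result is not None:
                results.append(result)
    return results


if __name__ == "__main__":
    unit = ProtectionUnit(uid=0, n_detectors=4)
    run(unit, SAMPLE)
    for src_ip, src_port, result in unit.verdicts:
        print(f"{src_ip}:{src_port} -> {result}")
```

Two details matter for a real deployment: the detection unit never receives the request itself, only an address into a page that belongs to its own unit, and the detection unit index is derived with a deterministic hash so the same flow lands on the same detector in every process and after a restart.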
In some embodiments of the present application, based on the above embodiments, the security protection apparatus further includes:
a CPU binding unit configured to assign and bind one or more CPUs for operating the protection units for each protection unit;
the protection unit number increasing unit is configured to increase the number of the protection units and the number of the correspondingly bound CPUs when the average CPU utilization rate of the CPUs bound by the protection unit is higher than a first preset threshold;
the protection unit number reducing unit is configured to reduce the number of the protection units and the number of the correspondingly bound CPUs when the average CPU utilization rate of the CPUs bound by the protection unit is lower than a second preset threshold value, wherein the second preset threshold value is smaller than the first preset threshold value.
In some embodiments of the present application, based on the above embodiments, the storage page, and the CPU bound by the network management unit and the detection unit in the protection unit corresponding to the storage page are located in the same hardware architecture node.
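The two-threshold scaling rule, the failover by adding a unit, and the NUMA-local placement described in the method embodiments above (and restated here by the CPU binding, protection unit number increasing and reducing units and the hardware architecture node embodiment) can be exercised with the following Python model, added as an example and not taken from the patent. The two-node topology, the two cores per unit, the thresholds 0.8 and 0.3, the utilization samples, and the choice to average over all cores bound to healthy units are constructed assumptions.

```python
"""Scaling protection units between two CPU-utilisation thresholds, replacing a failed
unit, and keeping each unit's bound CPUs and storage page on one NUMA node.

Added example, not the patent's code. The two-node topology, the per-unit core count,
the thresholds and the utilisation samples are constructed assumptions; the average is
taken over all CPUs bound to healthy units, which is one reading of the patent text.
"""
from dataclasses import dataclass

# Constructed topology: NUMA node -> CPU ids (what /sys/devices/system/node/node*/cpulist lists).
TOPOLOGY = {0: [0, 1, 2, 3], 1: [4, 5, 6, 7]}


@dataclass
class ProtectionUnit:
    uid: int
    numa_node: int      # node whose memory holds the unit's storage page
    cpus: list          # cores exclusively bound to the unit's network management and detection units
    healthy: bool = True


class ProtectionPool:
    def __init__(self, topology, cpus_per_unit=2, high=0.8, low=0.3, min_units=1):
        if not 0.0 <= low < high <= 1.0:
            raise ValueError("scale-in threshold (low) must be below scale-out threshold (high)")
        self.free = {node: list(cpus) for node, cpus in topology.items()}   # unbound cores per node
        self.cpus_per_unit, self.high, self.low, self.min_units = cpus_per_unit, high, low, min_units
        self.units = {}
        self._next_uid = 0

    def add_unit(self):
        """Bind cpus_per_unit free cores from a single NUMA node; the page lives on that node too."""
        for node, free in self.free.items():
            if len(free) >= self.cpus_per_unit:
                cpus = [free.pop(0) for _ in range(self.cpus_per_unit)]
                unit = ProtectionUnit(self._next_uid, node, cpus)
                self.units[unit.uid] = unit
                self._next_uid += 1
                return unit
        return None   # no single node has enough free cores; refuse rather than split across nodes

    def remove_unit(self, uid):
        unit = self.units.pop(uid)
        self.free[unit.numa_node].extend(unit.cpus)

    def healthy_units(self):
        return [u for u in self.units.values() if u.healthy]

    def average_utilization(self, samples):
        """Mean utilisation (0..1) over every core bound to a healthy unit; samples: cpu id -> value."""
        cpus = [c for u in self.healthy_units() for c in u.cpus]
        return sum(samples[c] for c in cpus) / len(cpus) if cpus else 0.0

    def rebalance(self, samples):
        """Two-threshold rule: +1 unit above high, -1 below low, unchanged in between."""
        avg = self.average_utilization(samples)
        if avg > self.high:
            return 1 if self.add_unit() is not None else 0
        if avg < self.low and len(self.healthy_units()) > self.min_units:
            newest = max(self.healthy_units(), key=lambda u: u.uid)
            self.remove_unit(newest.uid)
            return -1
        return 0   # inside [low, high]: hold, so utilisation hovering near one threshold does not flap

    def handle_failure(self, uid):
        """Start a replacement before releasing the failed unit's cores so capacity never dips."""
        self.units[uid].healthy = False
        replacement = self.add_unit()
        self.remove_unit(uid)
        if replacement is None:           # no spare cores anywhere: reuse the failed unit's cores
            replacement = self.add_unit()
        return replacement


def numa_local(unit, topology):
    """True when every core bound to the unit belongs to the node that holds its storage page."""
    return all(cpu in topology[unit.numa_node] for cpu in unit.cpus)


if __name__ == "__main__":
    pool = ProtectionPool(TOPOLOGY)
    pool.add_unit()
    pool.add_unit()
    for load in (0.9, 0.5, 0.1):
        delta = pool.rebalance({cpu: load for cpu in range(8)})
        print(f"load {load:.1f}: change {delta:+d}, units {sorted(pool.units)}")
    print("replacement after failure of unit 0:", pool.handle_failure(0))
```

The model refuses to create a unit whose cores would straddle two nodes, which is the property the hardware architecture node embodiment asks for; a scheduler that allowed it would keep the unit count up at the cost of the remote memory accesses the embodiment is meant to avoid.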
The specific details of the security protection apparatus provided in each embodiment of the present application have been described in the corresponding method embodiment and are not repeated here.
Fig. 13 schematically shows a block diagram of an electronic device for implementing an embodiment of the present application.
It should be noted that the electronic device 1300 shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of the application of the embodiments.
As shown in Fig. 13, the electronic device 1300 includes a Central Processing Unit (CPU) 1301 that can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 1302 or a program loaded from a storage section 1308 into a Random Access Memory (RAM) 1303. The RAM 1303 also stores various programs and data necessary for the device to operate. The CPU 1301, the ROM 1302 and the RAM 1303 are connected to one another via a bus 1304. An input/output (I/O) interface 1305 is also connected to the bus 1304.
The following components are connected to the I/O interface 1305: an input section 1306 including a keyboard, a mouse and the like; an output section 1307 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage section 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a local area network card or a modem. The communication section 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as necessary. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 1310 as necessary, so that a computer program read from it can be installed into the storage section 1308 as needed.
In particular, according to embodiments of the present application, the processes described in the method flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated by the flowchart. In such embodiments, the computer program may be downloaded and installed from a network via the communication section 1309 and/or installed from the removable medium 1311. When the computer program is executed by the central processing unit 1301, the functions defined in the apparatus of the present application are carried out.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium, a computer readable storage medium, or any combination of the two. A computer readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples of the computer readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. A computer readable signal medium, by contrast, may include a propagated data signal with computer readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based apparatus that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It should be noted that although several modules or units of the apparatus for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the application, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (12)

1. A security protection method, the method comprising:
acquiring a resource access request, and distributing the resource access request to a protection unit, wherein the protection unit is a minimum scheduling unit which is obtained by segmenting a protection system and provides a network protection function, and the protection unit comprises a network management unit and at least one detection unit which are used for realizing the network protection function;
sending the resource access request to the detection unit through the network management unit;
carrying out attack detection on the resource access request through the detection unit to obtain a detection result, wherein the detection result comprises an aggressive request and a non-aggressive request;
and blocking the resource access request corresponding to the detection result when the detection result is an aggressive request.
2. The security protection method according to claim 1, wherein the sending, by the network management unit, the resource access request to the detection unit includes:
loading the resource access request into a corresponding storage page of the protection unit in a shared storage space through the network management unit, wherein the storage page is visible to the protection unit corresponding to the storage page, and the storage page is invisible to other protection units except the protection unit corresponding to the storage page;
sending a detection request to the detection unit through the network management unit;
and receiving the detection request through the detection unit, and reading the resource access request in the storage page according to the detection request.
3. The security protection method according to claim 2, wherein the performing attack detection on the resource access request by the detection unit to obtain a detection result includes:
analyzing and processing the resource access request in the corresponding storage page in the shared storage space through the detection unit to obtain data to be detected;
and matching and detecting the data to be detected and the aggressive data in the preset database through the detection unit to obtain a detection result.
4. The security protection method according to claim 2, wherein the loading, by the network management unit, the resource access request into a corresponding memory page of the protection unit in a shared memory space comprises:
acquiring resource request information, wherein the resource request information comprises request length information and a flag bit;
when the resource request information is judged not to be completely received according to the request length information and the received resource request information, caching the received resource request information and waiting for receiving the next resource request information;
when it is determined, according to the request length information and the received resource request information, that the resource request information has been completely received, aggregating the cached resource request information having the same flag bit to form the resource access request;
and loading the resource access request formed by aggregating the resource request information into a corresponding storage page of the protection unit in a shared storage space through the network management unit.
5. The method of claim 4, wherein after aggregating the cached resource request information with the same flag bit to form the resource access request, the method further comprises:
caching state information of the resource access request through the network management unit, wherein the state information comprises IP information, port information and timestamp information of the resource access request;
and loading the state information of the resource access request into a corresponding storage page of the protection unit in a shared storage space through the network management unit.
6. The security protection method according to claim 5, wherein the sending, by the network management unit, the detection request to the detection unit comprises:
distributing the resource access request according to the state information of the resource access request to determine an index address for addressing the detection unit;
and sending a detection request to the detection unit corresponding to the index address through the network management unit, wherein the detection request comprises storage address information of the resource access request in a shared storage space.
7. The security protection method according to claim 5, wherein after blocking the resource access request corresponding to the detection result, the security protection method further comprises:
acquiring the IP information and the port information corresponding to the resource access request through the network management unit, wherein the IP information comprises a source IP address, and the port information comprises source port information;
and returning the detection result to a request end for sending the resource access request according to the source IP address and the source port information.
8. The method of any of claims 2-7, wherein prior to obtaining the resource access request and allocating the resource access request into a guard unit, the method further comprises:
allocating and binding, for each protection unit, one or more CPUs (central processing units) used for running the protection unit;
when the average CPU utilization rate of the CPUs bound by the protection unit is higher than a first preset threshold value, increasing the number of the protection units and the number of the CPUs bound correspondingly;
and when the average CPU utilization rate of the CPUs bound by the protection unit is lower than a second preset threshold value, reducing the number of the protection units and the number of the CPUs bound correspondingly, wherein the second preset threshold value is smaller than the first preset threshold value.
9. The security protection method according to claim 8, wherein the storage page, the network management unit in the protection unit corresponding to the storage page, and the CPU bound by the detection unit are located in a same hardware architecture node.
10. A security protection apparatus, comprising:
a resource access request obtaining module configured to obtain a resource access request and allocate the resource access request to a protection unit, where the protection unit is a minimum scheduling unit that provides a network protection function and is obtained by segmenting a protection system, and the protection unit includes a network management unit and at least one detection unit for implementing the network protection function;
a resource access request sending module configured to send the resource access request to the detecting unit through the network management unit;
the attack detection module is configured to perform attack detection on the resource access request through the detection unit to obtain a detection result, wherein the detection result comprises an aggressive request and a non-aggressive request;
and the request blocking module is configured to block the resource access request corresponding to the detection result when the detection result is an aggressive request.
11. A computer-readable medium on which a computer program is stored which, when executed by a processor, carries out the security protection method according to any one of claims 1 to 9.
12. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1 to 9 via execution of the executable instructions.
CN202110662712.XA 2021-06-15 2021-06-15 Security protection method and device, computer readable medium and electronic equipment Pending CN115484039A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110662712.XA CN115484039A (en) 2021-06-15 2021-06-15 Security protection method and device, computer readable medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110662712.XA CN115484039A (en) 2021-06-15 2021-06-15 Security protection method and device, computer readable medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115484039A true CN115484039A (en) 2022-12-16

Family

ID=84420328

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110662712.XA Pending CN115484039A (en) 2021-06-15 2021-06-15 Security protection method and device, computer readable medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115484039A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination