CN115514687A - Multi-cloud application gateway flow monitoring method and device, computer equipment and medium - Google Patents


Info

Publication number
CN115514687A
Authority
CN
China
Prior art keywords
flow
log file
cloud application
application gateway
flow information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210674139.9A
Other languages
Chinese (zh)
Inventor
陈旃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cormorant Technology Shenzhen Co ltd
Original Assignee
Cormorant Technology Shenzhen Co ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 43/00: Arrangements for monitoring or testing data switching networks
    • H04L 43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06: Management of faults, events, alarms or notifications
    • H04L 41/0604: Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H04L 63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for monitoring the traffic of a multi-cloud application gateway, computer equipment and a storage medium. The method comprises the following steps: monitoring traffic information in real time in NetFlow mode and analysing the traffic information to obtain a log file corresponding to it; screening and filtering that log file based on a preset traffic screening mode to obtain a target log file; performing a network security check on the data in the target log file to obtain a security check result; and, if the security check result indicates that at least one network traffic threat exists, executing the corresponding early warning measures. The method and the device allow real-time traffic security to be judged quickly and help improve the timeliness and security of traffic monitoring.

Description

Multi-cloud application gateway flow monitoring method and device, computer equipment and medium
Technical Field
The invention relates to the field of network security, in particular to a method and a device for monitoring the flow of a multi-cloud application gateway, computer equipment and a medium.
Background
At present, the growth of traffic volume in financial networks, industry networks and wide area networks such as the Internet exceeds the most optimistic past estimates. Large numbers of information requests, continuously updated application requirements and uninterrupted service access by users make it necessary for application service providers to ensure both the normal response of traffic access requests and the security monitoring of that traffic.
In existing approaches, the information in the traffic is mainly analysed by security software or firewalls, but this comparison-based approach consumes network bandwidth and other resources, and under heavy traffic it easily causes access delay or even loss. Other approaches predict traffic trends and simulate security early warning with machine learning and neural network models, but these carry a degree of uncertainty and have difficulty detecting unknown risks.
Disclosure of Invention
The embodiment of the invention provides a method and a device for monitoring the flow of a multi-cloud application gateway, computer equipment and a storage medium, so as to improve the flow monitoring safety of the multi-cloud application gateway.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for monitoring traffic of a multi-cloud application gateway, including:
monitoring flow information in real time in a NetFlow mode, and analyzing the flow information to obtain a log file corresponding to the flow information;
based on a preset flow screening mode, carrying out screening and filtering processing on a log file corresponding to the flow information to obtain a target log file;
performing network security check on the data in the target log file to obtain a security check result;
and if the safety inspection result indicates that at least one network flow threat exists, executing corresponding early warning measures.
Optionally, the monitoring, in real time, the traffic information in a NetFlow manner includes:
and extracting the flow in an IPFIX format, and analyzing and recording the extracted flow in real time to obtain the flow information.
Optionally, the filtering, based on a preset traffic filtering manner, the filtering the log file corresponding to the traffic information to obtain a target log file includes:
deploying the distributed publish-subscribe message system Kafka and the log analysis tool Logstash;
acquiring a log file corresponding to the flow information in real time through the distributed publish-subscribe message system Kafka;
and using the log analysis tool Logstash to filter and process the log file corresponding to the flow information to obtain a target log file.
Optionally, the performing network security check on the data in the target log file to obtain a security check result includes:
screening bidirectional packet data from the target log file;
and checking the bidirectional packet data according to a preset safety rule through a built-in application defense system WAF to obtain the safety check result.
Optionally, the performing network security check on the data in the target log file to obtain a security check result includes:
and updating the preset safety rule when an updating instruction is received or a preset time period is reached.
Optionally, if the security check result indicates that at least one network traffic threat exists, after the corresponding early warning measure is executed the traffic monitoring method of the multi-cloud application gateway further includes:
and performing data analysis on the target log file and the network flow threat, and constructing a visual chart, wherein the visual chart comprises at least one of a trend chart, a frequency chart, a proportion chart or a data table.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a traffic monitoring apparatus for a multi-cloud application gateway, including:
the log acquisition module is used for monitoring the flow information in real time in a NetFlow mode and analyzing the flow information to obtain a log file corresponding to the flow information;
the log screening module is used for screening and filtering the log file corresponding to the flow information based on a preset flow screening mode to obtain a target log file;
the security detection module is used for carrying out network security inspection on the data in the target log file to obtain a security inspection result;
and the early warning module is used for executing corresponding early warning measures if the safety check result indicates that at least one network flow threat exists.
Optionally, the log collection module includes:
and the flow extraction unit is used for extracting the flow in an IPFIX format, analyzing and recording the extracted flow in real time to obtain the flow information.
Optionally, the log filtering module includes:
the deployment unit is used for deploying the distributed publish-subscribe message system Kafka and the log analysis tool Logstash;
the acquisition unit is used for acquiring a log file corresponding to the flow information in real time through the distributed publish-subscribe message system Kafka;
and the analysis unit is used for screening and filtering the log file corresponding to the flow information by using the log analysis tool Logstash to obtain a target log file.
Optionally, the security detection module includes:
the data screening unit is used for screening bidirectional packet data from the target log file;
and the safety check unit is used for checking the bidirectional packet data according to a preset safety rule through a built-in application defense system WAF to obtain the safety check result.
Optionally, the security check unit comprises:
and the updating module is used for updating the preset safety rule when an updating instruction is received or a preset time period is reached.
Optionally, the traffic monitoring apparatus of the multi-cloud application gateway further includes:
and the data visualization module is used for carrying out data analysis on the target log file and the network flow threat and constructing a visualization chart, wherein the visualization chart comprises at least one item of a trend chart, a frequency chart, a proportion chart or a data table.
In order to solve the technical problem, an embodiment of the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the traffic monitoring method for the multi-cloud application gateway when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps of the traffic monitoring method of the multi-cloud application gateway are implemented.
The embodiment of the invention provides a flow monitoring method, a flow monitoring device, computer equipment and a storage medium for a multi-cloud application gateway, which adopt a NetFlow mode to monitor flow information in real time, analyze the flow information to obtain a log file corresponding to the flow information, screen and filter the log file corresponding to the flow information based on a preset flow screening mode to obtain a target log file, perform network security check on data in the target log file to obtain a security check result, and if the security check result indicates that at least one network flow threat exists, execute corresponding early warning measures. The method and the device realize quick judgment of real-time flow safety and are beneficial to improving the timeliness and safety of flow monitoring.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
FIG. 1 is a schematic diagram of an application environment of the present application;
FIG. 2 is a flow diagram of one embodiment of a method for traffic monitoring of a multi-cloud application gateway of the present application;
FIG. 3 is a schematic block diagram of an embodiment of a traffic monitoring apparatus of a multi-cloud application gateway according to the present application;
FIG. 4 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, as shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the traffic monitoring method for the multi-cloud application gateway provided in the embodiment of the present application is executed by a server, and accordingly the traffic monitoring apparatus for the multi-cloud application gateway is disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation needs, and the terminal devices 101, 102 and 103 in this embodiment may specifically correspond to an application system in actual production.
Referring to fig. 2, fig. 2 shows a traffic monitoring method for a multi-cloud application gateway according to an embodiment of the present invention, which is detailed as follows:
s201: and monitoring the flow information in real time by adopting a NetFlow mode, and analyzing the flow information to obtain a log file corresponding to the flow information.
NetFlow is a network monitoring technology used to collect statistics about the IP packets entering and leaving a network interface, and is applied in products such as routers and switches. By analysing the information collected by NetFlow, the source and destination of packets, the type of network service and the cause of network congestion can be determined.
NetFlow provides a session-level view of network traffic, recording information for each TCP/IP transaction. A NetFlow flow is defined as a unidirectional sequence of packets transmitted between a source IP address and a destination IP address in which all packets share the same transport-layer source and destination port numbers.
Optionally, the monitoring the traffic information in real time by using a NetFlow method includes:
and extracting the flow in an IPFIX format, and analyzing and recording the extracted flow in real time to obtain flow information.
IPFIX (IP Flow Information Export) is a standard protocol published by the IETF for measuring flow information in a network. The format defined by IPFIX is based on the Cisco NetFlow version 9 data export format and allows IP traffic information to be transferred from an Exporter to a Collector. Because IPFIX describes the characteristics of a data stream using a template-based output format, it is highly extensible and can define different data formats for different requirements. In this embodiment the IPFIX format is used to extract the traffic, and the fields monitored in a flow can be set according to actual needs, which reduces unnecessary data monitoring and improves the timeliness of data transmission and storage.
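As an added example (not the patent's own code), a minimal collector-side parser for the template-based IPFIX message format described above: it registers a template set and then decodes the fixed-length records of the data set that references that template. The information element IDs are the IANA-registered ones; the exporter message it parses is constructed inline and is not taken from the page.

```python
"""Minimal IPFIX (RFC 7011) parser: template set first, then data-set records."""
import struct
from ipaddress import IPv4Address

# Subset of IANA IPFIX information element IDs used in this example.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}
IPV4_IES = {8, 12}
TEMPLATE_SET_ID = 2   # set IDs 0-1 reserved, 3 = options template, >= 256 = data set


def decode_field(ie_id, raw):
    """Decode one field; unsigned elements may use reduced-size encoding (RFC 7011 6.2)."""
    if ie_id in IPV4_IES and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_template_set(body, templates):
    """Register each template record (template ID, field count, field specifiers)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if tid < 256:                 # zero padding at the end of the set, not a template
            break
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ie & 0x8000:           # enterprise bit: a 4-byte enterprise number follows
                pen, = struct.unpack("!I", body[pos:pos + 4])
                pos += 4
                ie = (ie & 0x7FFF, pen)
            if flen == 0xFFFF:
                raise ValueError("variable-length fields are not supported by this example")
            fields.append((ie, flen))
        templates[tid] = fields


def parse_data_set(body, fields):
    """Slice fixed-length records from a data set; trailing bytes shorter than a record are padding."""
    if not fields:
        return []                     # template not yet seen; a real collector buffers the set
    rec_len = sum(flen for _, flen in fields)
    records, pos = [], 0
    while pos + rec_len <= len(body):
        rec = {}
        for ie, flen in fields:
            rec[IE_NAMES.get(ie, f"ie{ie}")] = decode_field(ie, body[pos:pos + flen])
            pos += flen
        records.append(rec)
    return records


def parse_ipfix(message, templates):
    """Parse one IPFIX message and return its flow records.

    `templates` (template ID -> field list) persists across calls, because templates
    normally arrive in an earlier message than the data sets that reference them.
    """
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", message[:16])
    if version != 10:
        raise ValueError(f"not an IPFIX message (version {version})")
    if length != len(message):
        raise ValueError("IPFIX length field does not match the message size")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("malformed set header")
        body = message[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(body, templates)
        elif set_id >= 256:
            records.extend(parse_data_set(body, templates.get(set_id)))
        offset += set_len             # options templates (3) and unknown sets are skipped
    return records


def build_sample_message():
    """Constructed exporter message: template 256 with seven fields, then two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl

    def flow(src, dst, sport, dport, proto, octets, pkts):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, octets, pkts))

    data = (flow("10.0.0.5", "203.0.113.10", 51234, 443, 6, 48210, 61)
            + flow("203.0.113.10", "10.0.0.5", 443, 51234, 6, 901330, 640))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = tmpl_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 42) + body


if __name__ == "__main__":
    for rec in parse_ipfix(build_sample_message(), {}):
        print(rec)
```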
S202: and based on a preset flow screening mode, carrying out screening and filtering processing on the log file corresponding to the flow information to obtain a target log file.
Further, in step S202, based on a preset traffic screening manner, performing screening filtering processing on the log file corresponding to the traffic information, and obtaining the target log file includes:
deploying a distributed publish-subscribe message system Kafka and a log analysis tool Logstash;
acquiring a log file corresponding to the flow information in real time through a distributed publish-subscribe message system Kafka;
and using a log analysis tool Logstash to screen and filter the log files corresponding to the flow information to obtain target log files.
Specifically, a distributed publish-subscribe message system Kafka and a log analysis tool Logstash are respectively deployed on each cluster server at a cluster end.
Kafka is a high-throughput distributed publish-subscribe messaging system. It provides message persistence through an on-disk data structure that maintains stable performance over long periods for TB-scale message storage, and it can handle all the action stream data of a consumer-scale site.
Specifically, the actions in the action stream data include, but are not limited to, web browsing, searching and other user actions; such data is a key factor in many social functions on modern networks and, because of its throughput requirements, is usually handled through logs and log aggregation.
For example, in one embodiment, the Kafka collected action stream may include: logs generated by running of each process on the server, logs generated by operation of a manager on the server, processing logs of the server during running, and the like.
Currently common open-source log analysis tools for cluster management include Spark, Hadoop, Logstash and others; since Spark and Hadoop are relatively costly, the log analysis tool used in the embodiment of the present invention is Logstash.
The Logstash is a lightweight log collection processing framework, and can conveniently collect scattered and diversified logs, perform customized processing, and transmit the logs to a specified position, such as a certain server or a certain file.
Further, Logstash can perform log filtering by configuring match patterns.
Logstash is a lightweight log collection and processing framework that conveniently collects scattered and diverse logs. After Kafka has stored the cluster-side log files acquired in real time in a distributed manner at a preset user-defined storage location, Logstash acquires the log files according to application requirements and classifies and filters them to obtain the target log files.
S203: and carrying out network security check on the data in the target log file to obtain a security check result.
Further, in step S203, performing network security check on the data in the target log file, and obtaining a security check result includes:
screening bidirectional packet data from a target log file;
and checking the bidirectional packet data according to a preset safety rule through a built-in application defense system WAF to obtain a safety check result.
An application protection system (also called a website application-level intrusion prevention system; in English, Web Application Firewall, WAF) specifically protects Web applications by applying a series of security policies to HTTP/HTTPS traffic.
As Web applications become more and more abundant, Web servers, with their powerful computing capacity, processing performance and high implied value, are becoming the main target of attacks. SQL injection, web page tampering, web page trojan implantation and other security events occur frequently. In 2007 the total number of tampered websites in China monitored by the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC) reached 61,228, a 1.5-fold increase over 2006.
Enterprises and other users generally adopt a firewall as the first line of defence of their security system. In reality, however, Web servers and applications have many security problems that become harder to prevent as attack techniques advance, and a general firewall has difficulty detecting and blocking them; the WAF (Web application protection system) arose to address this gap. The WAF represents a new class of information security technology that solves the Web application security problems that traditional devices such as firewalls cannot handle. Unlike a traditional firewall, the WAF works at the application layer and therefore has inherent technical advantages for Web application protection. Based on a deep understanding of Web application services and logic, the WAF detects and verifies the content of requests from Web application clients, ensures their security and legitimacy, and blocks illegal requests in real time, thereby effectively protecting websites.
Optionally, the preset security rule is updated when an update instruction is received or a preset time period is reached.
S204: and if the safety inspection result indicates that at least one network flow threat exists, executing corresponding early warning measures.
If the security check result indicates that at least one network traffic threat exists, after the corresponding early warning measure is executed, the traffic monitoring method of the multi-cloud application gateway further comprises the following steps:
and performing data analysis on the target log file and the network traffic threat, and constructing a visual chart, wherein the visual chart comprises at least one of a trend chart, a frequency chart, a proportion chart or a data table.
The generated visualisation chart specifically includes, but is not limited to, a trend chart, a frequency chart, a proportion chart or a data table; these may be set according to actual requirements and are not limited here.
It should be noted that after the visual chart is generated, the visual chart can be sent to an interface of the monitoring end, and the visual chart is sent to the third-party communication platform as the early warning prompt information.
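The check of S203 and the early warning of S204, as an added Python example that is not part of the patent: unidirectional flow records of the kind NetFlow exports are folded into bidirectional conversations, a preset rule set that reloads on an update instruction or when its refresh period elapses is run over them, and the findings are counted for the frequency chart. The flow records, rule names and thresholds are constructed for illustration; since flow records carry no HTTP payload, the rules here operate on flow metadata rather than on request content as a WAF would.

```python
"""Pair unidirectional flow records into conversations and check them against refreshable preset rules."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def _flow(src, dst, sport, dport, proto, octets, pkts):
    """Constructed record in the dict form a NetFlow/IPFIX collector emits."""
    return {"sourceIPv4Address": src, "destinationIPv4Address": dst, "sourceTransportPort": sport,
            "destinationTransportPort": dport, "protocolIdentifier": proto,
            "octetDeltaCount": octets, "packetDeltaCount": pkts}


SAMPLE_FLOWS = [
    _flow("10.0.0.5", "203.0.113.10", 51234, 443, 6, 48210, 61),      # normal HTTPS session,
    _flow("203.0.113.10", "10.0.0.5", 443, 51234, 6, 901330, 640),    # both directions seen
    *[_flow("198.51.100.7", "10.0.0.5", 40000 + i, p, 6, 60, 1)       # one-sided probes, no replies
      for i, p in enumerate((22, 23, 445, 3389, 8080))],
    _flow("10.0.0.8", "192.0.2.44", 55000, 4444, 6, 52_000_000, 40000),  # large unanswered egress
]


def pair_flows(flows: List[dict]) -> List[dict]:
    """Fold unidirectional records into conversations keyed on the direction-agnostic 5-tuple."""
    convs: Dict[tuple, dict] = {}
    for f in flows:
        a = (f["sourceIPv4Address"], f["sourceTransportPort"])
        b = (f["destinationIPv4Address"], f["destinationTransportPort"])
        key = (min(a, b), max(a, b), f["protocolIdentifier"])
        c = convs.setdefault(key, {"initiator": a, "responder": b, "proto": f["protocolIdentifier"],
                                   "fwd_octets": 0, "rev_octets": 0, "fwd_packets": 0, "rev_packets": 0})
        side = "fwd" if a == c["initiator"] else "rev"   # the first record seen defines the initiator
        c[f"{side}_octets"] += f["octetDeltaCount"]
        c[f"{side}_packets"] += f["packetDeltaCount"]
    return list(convs.values())


def rule_unanswered_sweep(convs, params):
    """One source touching many distinct ports on one host with no reply traffic: scan-like pattern."""
    by_pair: Dict[tuple, set] = {}
    for c in convs:
        if c["rev_packets"] == 0:
            by_pair.setdefault((c["initiator"][0], c["responder"][0]), set()).add(c["responder"][1])
    return [f"{src} -> {dst}: {len(ports)} unanswered ports"
            for (src, dst), ports in by_pair.items() if len(ports) >= params["min_ports"]]


def rule_large_egress(convs, params):
    """Internal host sending a large volume to a destination port outside the allow list."""
    return [f"{c['initiator'][0]} -> {c['responder'][0]}:{c['responder'][1]} sent {c['fwd_octets']} octets"
            for c in convs
            if c["initiator"][0].startswith(params["internal_prefix"])
            and c["responder"][1] not in params["allowed_ports"]
            and c["fwd_octets"] >= params["max_octets"]]


def load_preset_rules() -> Tuple[dict, dict, int]:
    """Stand-in for reading the preset rules from their store; returns (rules, parameters, version)."""
    rules = {"unanswered_sweep": rule_unanswered_sweep, "large_egress": rule_large_egress}
    params = {"min_ports": 4, "internal_prefix": "10.0.0.", "allowed_ports": {53, 80, 443},
              "max_octets": 10_000_000}
    return rules, params, 1


@dataclass
class RuleSet:
    """Preset rules reloaded on an explicit update instruction or when the refresh period elapses."""
    refresh_interval: float
    loader: Callable[[], Tuple[dict, dict, int]]
    rules: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    version: int = 0
    loaded_at: float = float("-inf")

    def refresh(self, now: float, force: bool = False) -> bool:
        if force or now - self.loaded_at >= self.refresh_interval:
            self.rules, self.params, self.version = self.loader()
            self.loaded_at = now
            return True
        return False

    def check(self, convs: List[dict]) -> List[Tuple[str, str]]:
        """Security check result: (rule name, detail) for every rule that fires."""
        return [(name, detail) for name, rule in self.rules.items() for detail in rule(convs, self.params)]


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Per-rule counts, the input for the frequency/proportion chart or data table."""
    counts: Dict[str, int] = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    rs = RuleSet(refresh_interval=3600, loader=load_preset_rules)
    rs.refresh(now=0)
    findings = rs.check(pair_flows(SAMPLE_FLOWS))
    for name, detail in findings:
        print(f"EARLY WARNING [{name}] {detail}")
    print(summarize(findings))
```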
In this embodiment, the flow information is monitored in real time in a NetFlow manner, and is analyzed to obtain a log file corresponding to the flow information, the log file corresponding to the flow information is filtered based on a preset flow filtering manner to obtain a target log file, network security check is performed on data in the target log file to obtain a security check result, and if the security check result indicates that at least one network flow threat exists, a corresponding early warning measure is executed. The method and the device realize quick judgment of real-time flow safety and are beneficial to improving the timeliness and safety of flow monitoring.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by functions and internal logic of the process, and should not limit the implementation process of the embodiments of the present invention in any way.
Fig. 3 is a schematic block diagram of a traffic monitoring apparatus of a multi-cloud application gateway, which corresponds to the traffic monitoring method of the multi-cloud application gateway according to the foregoing embodiment one to one. As shown in fig. 3, the traffic monitoring apparatus of the multi-cloud application gateway includes a log collection module 31, a log screening module 32, a security detection module 33, and an early warning module 34. The functional modules are explained in detail as follows:
the log acquisition module 31 is configured to monitor the flow information in real time in a NetFlow manner, and analyze the flow information to obtain a log file corresponding to the flow information;
the log screening module 32 is configured to perform screening and filtering processing on the log files corresponding to the traffic information based on a preset traffic screening manner to obtain target log files;
the security detection module 33 is configured to perform network security inspection on data in the target log file to obtain a security inspection result;
and the early warning module 34 is configured to execute a corresponding early warning measure if the security check result indicates that at least one network traffic threat exists.
Optionally, the log collection module 31 includes:
and the flow extraction unit is used for extracting the flow in an IPFIX format, analyzing and recording the extracted flow in real time to obtain flow information.
Optionally, the log filtering module 32 includes:
the deployment unit is used for deploying a distributed publish-subscribe message system Kafka and a log analysis tool Logstash;
the acquisition unit is used for acquiring a log file corresponding to the flow information in real time through a distributed publish-subscribe message system Kafka;
and the analysis unit is used for screening and filtering the log file corresponding to the flow information by using a log analysis tool Logstash to obtain a target log file.
Optionally, the security detection module 33 comprises:
the data screening unit is used for screening the bidirectional packet data from the target log file;
and the safety check unit is used for checking the bidirectional packet data according to a preset safety rule through a built-in application defense system WAF to obtain a safety check result.
Optionally, the security check unit comprises:
and the updating module is used for updating the preset safety rule when an updating instruction is received or a preset time period is reached.
Optionally, the traffic monitoring apparatus of the multi-cloud application gateway further includes:
and the data visualization module is used for carrying out data analysis on the target log file and the network flow threat and constructing a visualization chart, wherein the visualization chart comprises at least one of a trend chart, a frequency chart, a proportion chart or a data table.
For specific limitations of the traffic monitoring apparatus of the multi-cloud application gateway, reference may be made to the above limitations of the traffic monitoring method of the multi-cloud application gateway, and details are not described herein again. All or part of the modules in the traffic monitoring device of the multi-cloud application gateway can be realised by software, hardware or a combination thereof. The modules can be embedded in hardware form in, or be independent of, a processor in the computer device, or can be stored in software form in a memory in the computer device so that the processor can call and execute the operations corresponding to the modules.
To solve the above technical problem, an embodiment of the present application further provides a computer device. Fig. 4 is a block diagram of the basic structure of the computer device according to this embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43 communicatively connected to each other via a system bus. Only the computer device 4 with the memory 41, processor 42 and network interface 43 is shown; not all of the components shown are required, and more or fewer components may be implemented instead. As understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device may be a desktop computer, a notebook, a handheld computer, a cloud server or another computing device. It can interact with a user through a keyboard, a mouse, a remote control, a touch panel, a voice control device or the like.
The memory 41 includes at least one type of readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., an SD or DX memory card), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk or an optical disk. In some embodiments, the memory 41 is an internal storage unit of the computer device 4, such as its hard disk or RAM. In other embodiments, the memory 41 may be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card. The memory 41 may also include both internal and external storage. In this embodiment, the memory 41 is generally used to store the operating system installed on the computer device 4 and various application software, such as the program code for controlling electronic files; it may also be used to temporarily store data that has been or is to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the program code stored in the memory 41 or process data, for example, execute program code for data access.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium, wherein the computer-readable storage medium stores a data access program, and the data access program can be executed by at least one processor, so that the at least one processor executes the steps of the traffic monitoring method of the multi-cloud application gateway.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It should be understood that the embodiments described above are only some, not all, of the embodiments of the present application, and that the drawings illustrate preferred embodiments without limiting the scope of the appended claims. The application can be embodied in many different forms; the embodiments are provided so that the disclosure is understood thoroughly. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art may practise it with modifications, or with equivalents substituted for some of the described features. All equivalent structures made using the contents of the specification and drawings of the present application, whether applied directly or indirectly to other related technical fields, fall within its scope of protection.

Claims (10)

1. A traffic monitoring method of a multi-cloud application gateway, applied to a cluster server, characterized in that the traffic monitoring method of the multi-cloud application gateway comprises the following steps:
monitoring traffic information in real time by means of NetFlow, and analyzing the traffic information to obtain a log file corresponding to the traffic information;
screening and filtering the log file corresponding to the traffic information based on a preset traffic screening mode to obtain a target log file;
performing a network security check on the data in the target log file to obtain a security check result;
and, if the security check result indicates that at least one network traffic threat exists, executing the corresponding early warning measure.
2. The traffic monitoring method of the multi-cloud application gateway according to claim 1, wherein monitoring the traffic information in real time by means of NetFlow comprises:
extracting the traffic in IPFIX format, and analyzing and recording the extracted traffic in real time to obtain the traffic information.
3. The traffic monitoring method of the multi-cloud application gateway according to claim 1, wherein screening and filtering the log file corresponding to the traffic information based on a preset traffic screening mode to obtain a target log file comprises:
deploying the distributed publish-subscribe message system Kafka and the log analysis tool Logstash;
acquiring the log file corresponding to the traffic information in real time through the distributed publish-subscribe message system Kafka;
and screening and filtering the log file corresponding to the traffic information with the log analysis tool Logstash to obtain the target log file.
4. The traffic monitoring method of the multi-cloud application gateway according to any one of claims 1 to 3, wherein performing a network security check on the data in the target log file to obtain a security check result comprises:
screening bidirectional packet data from the target log file;
and checking the bidirectional packet data against a preset security rule through a built-in web application firewall (WAF) to obtain the security check result.
5. The traffic monitoring method of the multi-cloud application gateway according to claim 4, wherein checking the bidirectional packet data against a preset security rule through a built-in web application firewall (WAF) to obtain the security check result comprises:
updating the preset security rule when an update instruction is received or a preset time period elapses.
6. The traffic monitoring method of the multi-cloud application gateway according to claim 1, wherein, after executing the corresponding early warning measure if the security check result indicates that at least one network traffic threat exists, the traffic monitoring method of the multi-cloud application gateway further comprises:
performing data analysis on the target log file and the network traffic threats, and building a visualization chart comprising at least one of a trend chart, a frequency chart, a proportion chart or a data table.
7. A traffic monitoring apparatus of a multi-cloud application gateway, characterized in that the traffic monitoring apparatus of the multi-cloud application gateway comprises:
a log acquisition module, which monitors traffic information in real time by means of NetFlow and analyzes the traffic information to obtain a log file corresponding to the traffic information;
a log screening module, which screens and filters the log file corresponding to the traffic information based on a preset traffic screening mode to obtain a target log file;
a security detection module, which performs a network security check on the data in the target log file to obtain a security check result;
and an early warning module, which executes the corresponding early warning measure if the security check result indicates that at least one network traffic threat exists.
8. The traffic monitoring apparatus of the multi-cloud application gateway according to claim 7, wherein the log screening module comprises:
a deployment unit, which deploys the distributed publish-subscribe message system Kafka and the log analysis tool Logstash;
an acquisition unit, which acquires the log file corresponding to the traffic information in real time through the distributed publish-subscribe message system Kafka;
and an analysis unit, which screens and filters the log file corresponding to the traffic information with the log analysis tool Logstash to obtain the target log file.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the traffic monitoring method of the multi-cloud application gateway of any of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, implements a method for traffic monitoring of a multi-cloud application gateway according to any one of claims 1 to 6.
CN202210674139.9A 2022-06-14 2022-06-14 Multi-cloud application gateway flow monitoring method and device, computer equipment and medium Pending CN115514687A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210674139.9A CN115514687A (en) 2022-06-14 2022-06-14 Multi-cloud application gateway flow monitoring method and device, computer equipment and medium

Publications (1)

Publication Number Publication Date
CN115514687A true CN115514687A (en) 2022-12-23

Family

ID=84500887

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105553957A (en) * 2015-12-09 2016-05-04 国家电网公司 Network security situation awareness and early-warning method and system based on big data
CN111092852A (en) * 2019-10-16 2020-05-01 平安科技(深圳)有限公司 Network security monitoring method, device, equipment and storage medium based on big data
CN111683097A (en) * 2020-06-10 2020-09-18 广州市品高软件股份有限公司 Cloud network flow monitoring system based on two-stage architecture
CN113176978A (en) * 2021-04-30 2021-07-27 平安壹钱包电子商务有限公司 Monitoring method, system and device based on log file and readable storage medium
CN113965389A (en) * 2021-10-26 2022-01-21 天元大数据信用管理有限公司 Network security management method, equipment and medium based on firewall log

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MB5FE18F0F5C8C6: "Netflow/IPFIX流量搜集与分析" [NetFlow/IPFIX traffic collection and analysis], pages 1-2, retrieved from the Internet <URL:https://blog.51cto.com/u_15064632/3468980> *

Similar Documents

Publication Publication Date Title
US11750631B2 (en) System and method for comprehensive data loss prevention and compliance management
US10735456B2 (en) Advanced cybersecurity threat mitigation using behavioral and deep analytics
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20220201042A1 (en) Ai-driven defensive penetration test analysis and recommendation system
CN111813516B (en) Resource control method and device, computer equipment and storage medium
EP3494506A1 (en) Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform
CN112463422A (en) Internet of things fault operation and maintenance method and device, computer equipment and storage medium
CN111740868A (en) Alarm data processing method and device and storage medium
CN111475705A (en) SQL query-based network service monitoring method, device, equipment and storage medium
WO2019018829A1 (en) Advanced cybersecurity threat mitigation using behavioral and deep analytics
CN116074075A (en) Security event association behavior analysis method, system and equipment based on association rule
CN111800292A (en) Early warning method and device based on historical flow, computer equipment and storage medium
CN115086064A (en) Large-scale network security defense system based on cooperative intrusion detection
CN113472798B (en) Method, device, equipment and medium for backtracking and analyzing network data packet
CN202652270U (en) Database audit system
CN116015808A (en) Network port abnormity open sensing method and device, electronic equipment and storage medium
CN115514687A (en) Multi-cloud application gateway flow monitoring method and device, computer equipment and medium
CN114238069A (en) Web application firewall testing method and device, electronic equipment, medium and product
CN109327433B (en) Threat perception method and system based on operation scene analysis
CN114866342B (en) Flow characteristic identification method and device, computer equipment and storage medium
CN114205095B (en) Method and device for detecting encrypted malicious traffic
CN110719260B (en) Intelligent network security analysis method and device and computer readable storage medium
CN114154160B (en) Container cluster monitoring method and device, electronic equipment and storage medium
CN115396142A (en) Information access method and device based on zero trust, computer equipment and medium
CN118316656A (en) Data packet processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination