CN115955423A - Domain name based network traffic processing method and device and processing equipment - Google Patents


Info

Publication number
CN115955423A
Authority
CN
China
Prior art keywords
network traffic
domain name
processed
target object
session
Legal status
Pending
Application number
CN202211626406.1A
Other languages
Chinese (zh)
Inventor
张凯
Current Assignee
Shanghai Ambiton Information Technology Co ltd
Original Assignee
Shanghai Ambiton Information Technology Co ltd
Application filed by Shanghai Ambiton Information Technology Co ltd
Priority to CN202211626406.1A
Publication of CN115955423A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a domain name-based network traffic processing method, a domain name-based network traffic processing device and domain name-based network traffic processing equipment, which are used to acquire specific network traffic simply and to capture network traffic accurately. The domain name-based network traffic processing method provided by the application comprises the following steps: acquiring network traffic to be processed, where the network traffic to be processed is used to analyze whether the network traffic belongs to the network traffic of a preset target object; extracting a domain name of a receiver and a domain name of a sender of the network traffic to be processed at the application level; determining, according to the domain name of the receiver and the domain name of the sender, whether the network traffic to be processed matches a preset domain name matching rule of the target object; and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.

Description

Domain name based network traffic processing method and device and processing equipment
Technical Field
The present application relates to the field of internet, and in particular, to a method, an apparatus, and a device for processing network traffic based on a domain name.
Background
The Domain Name System (DNS) protocol is a core protocol of computer networks: it translates between domain names and Internet Protocol (IP) addresses. The DNS traffic passing through a DNS device in a network architecture is therefore a natural focus when monitoring network traffic.
The inventor of the present application finds that, because the volume of DNS traffic in a network is large, prior-art traffic monitoring systems often capture and display it without distinction, which ties up a large amount of hard disk or database storage and is clearly costly or inconvenient in application.
Disclosure of Invention
The application provides a method, an apparatus and a device for processing network traffic based on a domain name, which are used to acquire specific network traffic simply and to capture network traffic accurately.
In a first aspect, the present application provides a method for processing network traffic based on a domain name, where the method includes:
acquiring network traffic to be processed, wherein the network traffic to be processed is used for analyzing whether the network traffic belongs to the network traffic of a preset target object;
extracting a domain name of a receiver and a domain name of a sender of the network traffic to be processed on an application level;
determining whether the network flow to be processed is matched with a preset domain name matching rule of a target object or not according to the domain name of the receiver and the domain name of the sender;
and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
With reference to the first aspect of the present application, in a first possible implementation manner of the first aspect of the present application, if the network traffic to be processed belongs to the request packet type and the target object is a target session, after determining that the network traffic to be processed belongs to the network traffic of the target object, the method further includes:
creating a log of the target object;
and writing the relevant session characteristics of the network flow to be processed into the log of the target session for storage.
With reference to the first aspect of the present application, in a second possible implementation manner of the first aspect of the present application, if the network traffic to be processed belongs to a response packet type and the target object is a target session, after determining that the network traffic to be processed belongs to the network traffic of the target object, the method further includes:
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the first or second possible implementation manner of the first aspect of the present application, in a third possible implementation manner of the first aspect of the present application, the method further includes:
extracting quintuple information of network traffic to be processed, wherein the quintuple information specifically comprises a source IP, a destination IP, a source port, a destination port and a protocol type;
and determining whether the network traffic to be processed belongs to the target session or not according to the quintuple information.
With reference to the third possible implementation manner of the first aspect of the present application, in a fourth possible implementation manner of the first aspect of the present application, if there is no related query packet or response packet in the network traffic to be processed, and the target object is a target session, the method further includes:
and adding a missing identifier for the network traffic to be processed in a log of the network traffic to be processed about the target session, wherein the missing identifier is used for identifying that the network traffic to be processed does not have a related query message or response message.
With reference to the first aspect of the present application, in a fifth possible implementation manner of the first aspect of the present application, determining whether the network traffic to be processed matches a preset domain name matching rule of a target object according to a domain name of a receiver and a domain name of a sender includes:
on the basis of the domain name of the receiver and the domain name of the sender, determining whether the network flow to be processed is matched with a preset domain name matching rule of a target object through a hyperscan engine, wherein domain name keywords and corresponding ID numbers are written into the hyperscan engine for matching.
With reference to the first aspect of the present application, in a sixth possible implementation manner of the first aspect of the present application, the traffic to be processed is specifically DNS traffic passing through a DNS device.
In a second aspect, the present application provides a domain name-based network traffic processing apparatus, including:
an acquisition unit, configured to acquire network traffic to be processed, where the network traffic to be processed is used to analyze whether the network traffic belongs to a preset target object;
the extraction unit is used for extracting the domain name of a receiver and the domain name of a sender of the network traffic to be processed on an application level;
and the determining unit is used for determining whether the network traffic to be processed is matched with a preset domain name matching rule of the target object or not according to the domain name of the receiver and the domain name of the sender, and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
With reference to the second aspect of the present application, in a first possible implementation manner of the second aspect of the present application, the apparatus further includes a log processing unit, where if the to-be-processed network traffic belongs to a request packet type and a target object is a target session, the log processing unit is configured to:
creating a log of the target object;
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the second aspect of the present application, in a second possible implementation manner of the second aspect of the present application, the apparatus further includes a log processing unit, where if the to-be-processed network traffic belongs to a response packet type and a target object is a target session, the log processing unit is configured to:
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the first or second possible implementation manner of the second aspect of the present application, in a third possible implementation manner of the second aspect of the present application, the determining unit is further configured to:
extracting quintuple information of network traffic to be processed, wherein the quintuple information specifically comprises a source IP, a destination IP, a source port, a destination port and a protocol type;
and determining whether the network traffic to be processed belongs to the target session or not according to the quintuple information.
With reference to the third possible implementation manner of the second aspect of the present application, in a fourth possible implementation manner of the second aspect of the present application, the apparatus further includes a log processing unit, and if there is no related query packet or response packet in the network traffic to be processed and a target object is a target session, the log processing unit is configured to:
and adding a missing identifier for the network traffic to be processed in a log of the network traffic to be processed about the target session, wherein the missing identifier is used for identifying that the network traffic to be processed does not have a related query message or response message.
With reference to the second aspect of the present application, in a fifth possible implementation manner of the second aspect of the present application, the determining unit is specifically configured to:
on the basis of the domain name of the receiving party and the domain name of the sending party, whether the network flow to be processed is matched with a preset domain name matching rule of the target object or not is determined through a hyperscan engine, wherein domain name keywords and corresponding ID numbers are written into the hyperscan engine for matching.
With reference to the second aspect of the present application, in a sixth possible implementation manner of the second aspect of the present application, the traffic to be processed is specifically DNS traffic passing through a DNS device.
In a third aspect, the present application provides a processing device, including a processor and a memory, where the memory stores a computer program, and the processor executes the method provided in the first aspect of the present application or any one of the possible implementation manners of the first aspect of the present application when calling the computer program in the memory.
In a fourth aspect, the present application provides a computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method provided in the first aspect of the present application or any one of the possible implementations of the first aspect of the present application.
From the above, the present application has the following advantageous effects:
for the requirement of capturing specific network traffic, the domain name of the receiving party and the domain name of the sending party are determined from the application layer of the network traffic to be processed, and the matching relationship between the network traffic to be processed and the target object is then determined in combination with the domain name matching rule of the target object.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a domain name-based network traffic processing method according to the present application;
FIG. 2 is a flowchart illustrating a domain name matching process according to the present application;
fig. 3 is a schematic structural diagram of a domain name based network traffic processing apparatus according to the present application;
FIG. 4 is a schematic diagram of a processing apparatus according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Moreover, the terms "comprises," "comprising," and any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules explicitly listed, but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps appearing in the present application does not mean that the steps in the method flow must be executed in the chronological/logical order indicated by the naming or numbering, and the named or numbered flow steps may be changed in execution order according to the technical purpose to be achieved, as long as the same or similar technical effects are achieved.
The division of the modules presented in this application is a logical division, and in practical applications, there may be another division, for example, multiple modules may be combined or integrated in another system, or some features may be omitted, or not executed, and in addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some interfaces, and the indirect coupling or communication connection between the modules may be in an electrical or other similar form, which is not limited in this application. The modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purpose of the present disclosure.
Before describing the domain name based network traffic processing method provided by the present application, the background related to the present application will be described first.
The domain name based network traffic processing method, device and computer readable storage medium provided by the application can be applied to processing equipment, and are used for simply acquiring specific network traffic and realizing an accurate network traffic capturing effect.
In the domain name based network traffic processing method, an execution main body may be a domain name based network traffic processing apparatus, or different types of processing devices such as a server, a physical host, or User Equipment (UE) that integrates the domain name based network traffic processing apparatus. The domain name based network traffic processing apparatus may be implemented in a hardware or software manner, the UE may specifically be a terminal device such as a smart phone, a tablet computer, a notebook computer, a desktop computer, or a Personal Digital Assistant (PDA), and the processing device may be set in a device cluster manner.
It should be understood that the processing device only needs to be capable of executing the functional service related to the domain name-based network traffic processing method of the present application; the device form and the device architecture in which the processing device is located may therefore be adjusted adaptively to actual needs and to the network architecture scenario in which it is deployed.
Next, a method for processing network traffic based on domain name provided by the present application is described.
First, referring to fig. 1, fig. 1 shows a schematic flow chart of the domain name based network traffic processing method according to the present application, and the domain name based network traffic processing method according to the present application may specifically include the following steps S101 to S105:
step S101, obtaining network flow to be processed, wherein the network flow to be processed is used for analyzing whether the network flow belongs to a preset target object;
It can be understood that, in the network traffic analysis scenario of the present application, the first thing to do is to determine the network traffic that needs to be processed currently or in this round; for convenience of description, it is referred to as the network traffic to be processed.
The network traffic to be processed may be traffic monitored in real time or historically monitored, and the acquisition processing of the network traffic to be processed may be acquisition processing initiated by the processing device itself or reception of traffic transmitted for processing by other devices for the network traffic analysis scenario involved in the present application.
In addition, the present application is proposed based on the defects of DNS traffic related in the prior art, and therefore, the network traffic to be processed may specifically be DNS traffic, and in practical applications, in addition to DNS traffic, the present application may also achieve a simple and accurate capturing effect on other types of network traffic, and thus may also be applied to other types of network traffic or other device nodes.
As for the DNS traffic mainly targeted by the present application, as a specific implementation manner, the traffic to be processed may specifically be the DNS traffic passing through the DNS device, so that the present application can focus on the DNS device and simply and accurately capture specific network traffic from the DNS traffic passing through it for use by a related data application.
For convenience of explanation, the following description will be made by taking DNS traffic as an example.
Step S102, extracting the domain name of a receiver and the domain name of a sender of the network traffic to be processed on an application level;
It is understood that the capture of network traffic in the present application does not focus on what is actually being transmitted, but distinguishes traffic by its domain name.
Therefore, the domain name extraction can be performed from the application layer: specifically, the domain name of the relevant receiver and the domain name of the sender are extracted from the position of the domain name in the application layer data of the network traffic to be processed, which lays the foundation for the subsequent domain name identification.
Step S103, determining whether the network flow to be processed is matched with a preset domain name matching rule of a target object or not according to the domain name of the receiver and the domain name of the sender, and if so, triggering step S104;
it can be understood that, in the network traffic analysis performed in the present application, the implementation of accurate capture is performed based on domain names, and therefore, domain name matching rules may be preconfigured, so that corresponding domain names may be adapted in subsequent applications, and thus, specific network traffic may be determined.
The domain name matching rules are configured per object; under this setting, each domain name matching rule is associated with an object, so that the specific network traffic determined by a rule corresponds to a specific object, achieving domain name-based capture of the network traffic targeted at that specific object.
Correspondingly, after the domain name of the receiver and the domain name of the sender of the current network traffic to be processed are determined, the domain names can be matched with the preset domain name matching rule of the target object, and if the matching condition exists, obviously, the network traffic related to the target object can be determined.
It should be added that, for the target object, it may be one object or multiple objects, and each object may be configured with a domain name matching rule corresponding to itself.
And step S104, determining that the network traffic to be processed belongs to the network traffic of the target object.
After the matching is determined to exist, the current network traffic to be processed can be determined as the network traffic belonging to the target object according to a specific result determination mechanism.
The determination mechanism is content that can be set according to actual needs, and is generally adjusted to suit the data application that subsequently consumes the captured network traffic.
As can be seen from the embodiment shown in fig. 1, for the capturing requirement of the specific network traffic, the present application starts from the application layer of the network traffic to be processed, determines the domain name of the receiving party and the domain name of the sending party, and then determines the matching relationship between the network traffic to be processed and the target object in combination with the domain name matching rule of the target object.
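Steps S101 to S104 above, as an added Python example that is not part of the patent or of the assignee's implementation. It builds a constructed DNS query, extracts the queried name from the application-layer DNS message (the domain name that the matching is based on) and checks it against a constructed per-object rule table. `RULES`, the object IDs and the domain names in it are assumptions; the parser follows the standard DNS question format and rejects truncated or malformed input instead of guessing.

```python
"""Added example (not from the patent): extract the domain name from a DNS
message at the application layer and match it against per-object rules.
All rules and packets below are constructed test data."""
import struct
from typing import Dict, List, Optional


def build_dns_query(qname: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal standard-format DNS query (constructed input for the demo)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def parse_qname(msg: bytes) -> Optional[str]:
    """Return the first question name of a DNS message, lower-cased, or None
    when the message is too short, has no question, or the name is malformed."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None                       # name runs past the end of the message
        length = msg[pos]
        if length == 0:
            break                             # root label terminates the name
        if length & 0xC0:
            return None                       # compression pointer: not valid in a question name
        pos += 1
        if pos + length > len(msg):
            return None                       # label longer than the remaining bytes
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()


# Constructed rule table: target object ID -> domain names the object is concerned with
RULES: Dict[int, List[str]] = {
    1: ["example.com", "example.net"],
    2: ["update.vendor-example.org"],
}


def match_domain(qname: str, rules: Dict[int, List[str]] = RULES) -> List[int]:
    """Return the IDs of all objects whose rule matches the domain name.
    A rule entry matches the name itself or any subdomain of it; the label
    boundary check keeps 'notexample.com' from matching 'example.com'."""
    hits = []
    for obj_id, domains in rules.items():
        for rule_domain in domains:
            rule_domain = rule_domain.lower()
            if qname == rule_domain or qname.endswith("." + rule_domain):
                hits.append(obj_id)
                break
    return hits


def classify(msg: bytes, rules: Dict[int, List[str]] = RULES) -> List[int]:
    """Steps S102 to S104 for one packet: extract the name, match the rules,
    and report which target objects the traffic belongs to (empty list: none)."""
    qname = parse_qname(msg)
    return [] if qname is None else match_domain(qname, rules)


if __name__ == "__main__":
    for name in ("www.example.com", "notexample.com", "update.vendor-example.org"):
        print(name, "->", classify(build_dns_query(name)))
```

The five-tuple is deliberately not consulted here: as the text says, matching is done on the domain name carried in the application-layer data, which is why the parser only reads the DNS header and question section.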
The steps of the embodiment shown in fig. 1 and the possible implementation manner thereof in practical application will be described in detail.
It can be understood that the unit for which network traffic is captured, that is, the specific object referred to above, may specifically be a session; that is, the application can accurately capture the network traffic of a specific session (for example, one with a specific session party, a specific time point, and the like). This is relevant to both operational business considerations and network security considerations in network operation, and obviously has significant practical value.
For example, the packets of network requests are distinguished into sessions according to their quintuple information: packets whose quintuple information is identical, or differs only in that the source IP and the destination IP are exchanged, can obviously be regarded directly as belonging to the same session.
As an example, a hash calculation may be performed on the quintuple information and a hash table generated as the session table, so that the session to which a given packet belongs can be looked up conveniently and quickly.
The session table data structure may, for example, be configured as follows:
[Session table data structure: shown as an image in the original document and not reproduced here.]
correspondingly, for the determination process of whether the target session is involved in the following process, the method of the present application may further include the following steps:
extracting quintuple information of network traffic to be processed, wherein the quintuple information specifically comprises a source IP, a destination IP, a source port, a destination port and a protocol type;
and determining whether the network traffic to be processed belongs to the target session or not according to the quintuple information.
Between the quintuple information of the network traffic to be processed and the quintuple information specific to the target session, the source IP and the destination IP may be required either to be identical or to be exchanged.
Further, under the condition that the network traffic is presented in a message form, the network traffic can be divided into two types of request and response, namely a request message type and a response message type, so as to perform network traffic analysis with smaller granularity.
In the network traffic analysis process, logging can be introduced to label the features of the per-session traffic capture in more detail, so that a concise and rich feature reference is available in the later analysis of the captured network traffic.
Specifically, as another specific implementation manner, if the to-be-processed network traffic belongs to the request packet type and the target object is the target session, after determining that the to-be-processed network traffic belongs to the network traffic of the target object in step S104, the method may further include:
creating a log of the target object;
and writing the relevant session characteristics of the network flow to be processed into the log of the target session for storage.
It can be understood that each session is triggered by a request message, and if the session proceeds normally a corresponding response message follows; therefore, when a request message corresponding to the target session is determined to exist, a corresponding log can first be created, and the relevant session features of the current request message (the current network traffic to be processed) written into it for storage and subsequent use.
After the log of the target session is created according to the request message, the subsequent messages belonging to the same target session can continue to extract the session features and continue to be written into the log, so that a complete session feature recording effect of the target session is formed.
Correspondingly, there is another case that the currently processed message is already a response message type, that is, if the to-be-processed network traffic belongs to the response message type and the target object is a target session, after determining that the to-be-processed network traffic belongs to the network traffic of the target object in step S104, the method of the present application may further include:
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
It is understood that the log written here is created previously triggered by the corresponding request message.
For the session features of the response message, besides the basic session features that can be extracted like the request message, such as the domain name and the corresponding IP, the session features related to the response aspect, such as the query return code, the response time, and the like, can also be involved.
In addition, the method and device also consider the case in which a request message or a response message is missing from a session because of abnormal factors that may exist in practice, such as network fluctuation, packet disorder or packet loss: for example, a DNS response message is received first, or only a DNS query message is received with no corresponding response. In the log for such traffic, the record of the session features of the missing request is obviously also absent. For this case, the method and device can mark the situation so that the session is recorded more accurately and finely and the recorded content is continuously completed.
Specifically, if there is no related query message or response message in the network traffic to be processed, as another specific implementation manner, the method of the present application may further include:
and adding a missing identifier for the network flow to be processed in the log of the network flow to be processed, wherein the missing identifier is used for identifying that the network flow to be processed does not have a related query message or response message.
It is easy to understand that the loss of a message belonging to the same session is identified simply and clearly by configuring the missing identifier.
In addition, since a log is configured for each session whose network traffic is captured, the missing identifier can be written directly into that log, so that the content recorded in the session's log is continuously completed.
Correspondingly, in another specific implementation manner, the target object is a target session, and adding the missing identifier for the network traffic to be processed in the log of the network traffic to be processed may specifically include the following:
adding a missing identifier for the network traffic to be processed in the log of the network traffic to be processed for the target session, wherein the missing identifier is used for identifying that the network traffic to be processed has no related query message or response message.
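As an added illustration (not code from the patent), the following Python sketch keeps one log per DNS session keyed by the five-tuple described later in the text plus the DNS transaction id, and adds the missing identifier described above when a response arrives without a query or a query is never answered. The record fields, the timeout, the transaction id as part of the key and the identifier strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Identifier strings are assumptions; the text only speaks of a "missing identifier".
MISSING_QUERY = "missing_query"        # response seen, but no matching query
MISSING_RESPONSE = "missing_response"  # query seen, no response within the timeout


@dataclass
class DnsRecord:
    """Session features extracted from one captured DNS message (constructed input)."""
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    txid: int               # DNS transaction id, assumed as an extra session key
    qname: str
    is_response: bool
    rcode: Optional[int] = None


@dataclass
class SessionLog:
    """Log of one target session: request and response features plus flags."""
    qname: str
    query_ts: Optional[float] = None
    response_ts: Optional[float] = None
    rcode: Optional[int] = None
    missing: List[str] = field(default_factory=list)

    def response_time(self) -> Optional[float]:
        """Response-side feature; undefined while either message is absent."""
        if self.query_ts is None or self.response_ts is None:
            return None
        return self.response_ts - self.query_ts


def session_key(r: DnsRecord) -> Tuple:
    """A query and its response swap src/dst, so sort the endpoints so that
    both messages map to the same five-tuple (plus txid) key."""
    a, b = sorted([(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)])
    return (a, b, r.proto, r.txid)


class SessionTracker:
    def __init__(self, timeout: float = 5.0):
        self.timeout = timeout
        self.sessions: Dict[Tuple, SessionLog] = {}

    def process(self, r: DnsRecord) -> SessionLog:
        key = session_key(r)
        log = self.sessions.get(key)
        if log is None:
            # Request: create the session log. Response with no prior request:
            # still create the log, but flag the missing query instead of dropping it.
            log = SessionLog(qname=r.qname, missing=[MISSING_QUERY] if r.is_response else [])
            self.sessions[key] = log
        if r.is_response:
            log.response_ts, log.rcode = r.ts, r.rcode
        else:
            log.query_ts = r.ts
        return log

    def expire(self, now: float) -> List[SessionLog]:
        """Flag queries that never received a response within the timeout."""
        flagged = [log for log in self.sessions.values()
                   if log.response_ts is None and log.query_ts is not None
                   and now - log.query_ts > self.timeout and MISSING_RESPONSE not in log.missing]
        for log in flagged:
            log.missing.append(MISSING_RESPONSE)
        return flagged


def demo() -> List[SessionLog]:
    """Constructed traffic: a complete exchange, an orphan response, an unanswered query."""
    tr = SessionTracker(timeout=5.0)
    tr.process(DnsRecord(1.00, "10.0.0.5", "10.0.0.53", 40001, 53, "udp", 0x1A2B, "xxx.com", False))
    tr.process(DnsRecord(1.02, "10.0.0.53", "10.0.0.5", 53, 40001, "udp", 0x1A2B, "xxx.com", True, 0))
    tr.process(DnsRecord(2.00, "10.0.0.53", "10.0.0.6", 53, 40002, "udp", 0x3C4D, "yyy.com", True, 3))
    tr.process(DnsRecord(3.00, "10.0.0.7", "10.0.0.53", 40003, 53, "udp", 0x5E6F, "xxx.com", False))
    tr.expire(now=10.0)
    return list(tr.sessions.values())
```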
In addition, regarding the matching process of the present application, that is, matching performed according to the preset domain name matching rules of the target object, it can be understood that the domain name matching rules may be set in advance by the operator. Each rule may include a plurality of domain names, and the rules indicate the domain names of the DNS traffic the operator is concerned with. The system then parses the received DNS packet to obtain its domain name information, matches it against the rule list preset by the user, and checks whether the traffic is of concern.
In addition, for the use of the log, an update mechanism can be introduced: after the log has served its subsequent application (such as query and display on a front-end interface, or other purposes), the data can be cleared and the data space of the log structure released, which provides a more favorable processing environment for the subsequent traffic capture of other network traffic to be processed and benefits the overall data processing effect.
In this process, the present application finds that, in the conventional approach, domain name matching compares character strings against the domain name rules one by one, and when the DNS traffic is large and/or there are many domain name matching rules, this is likely to become a system bottleneck that cannot sustain massive matching processing per unit time.
Therefore, as another specific implementation manner, the present application introduces a hyperscan matching engine to perform the matching processing; that is, step S103, determining whether the network traffic to be processed matches the preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender, may specifically include:
determining, on the basis of the domain name of the receiver and the domain name of the sender, whether the network traffic to be processed matches the preset domain name matching rule of the target object through a hyperscan engine, wherein domain name keywords and corresponding ID numbers are written into the hyperscan engine for use in matching.
Hyperscan is a regular expression engine focused on high-performance multi-pattern and stream matching; with it, domain name matching can be completed quickly and effectively, the matching result is returned directly, and the matching efficiency is greatly improved.
To illustrate with an example, if an administrator on the DNS device side wants to monitor the DNS traffic in the network that queries the domain names xxx.com and yyy.com, the administrator may configure a corresponding domain name rule 1 and domain name rule 2, which respectively include the two domain names above.
During the configuration of the hyperscan engine, two corresponding rule_ids can be generated; a rule_id is locally unique and is used to distinguish different rules. The two domain names XXX.com and YYY.com are then added as keywords to a keyword array (the keyword information can be composed according to regular expression syntax as required, so as to achieve exact matching or fuzzy matching);
at the same time, each rule_id is added, as the number of its keyword, to an id number array, and is returned later as the matching result.
The compile API of hyperscan is then called for compilation. This API requires the keyword array and the id number array as input, so that the keyword information related to the domain name matching rules of the two domain names XXX.com and YYY.com, together with their rule_ids, is added to the hyperscan engine database, and the hyperscan engine can then carry out the corresponding domain name matching processing.
In the specific domain name matching process, the match API of hyperscan is called for matching. This API requires a user-defined callback function to be provided to perform the action on a match, and that function directly returns the rule_id of the hit, so as to find out which rule was matched.
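As an added example (not the patent's code), the following Python keeps the shape of the configuration just described: a keyword array and a locally unique rule_id array are compiled into a rule database, and scanning a domain name hands each hit's rule_id to a caller-supplied callback. Hyperscan itself is not assumed to be installed, so the standard `re` module stands in for it; the rule helpers, the sample rules and ids are assumptions.

```python
import re
from typing import Callable, List, Optional


# Constructed rule helpers: the text leaves the keyword syntax to the operator.
def exact_rule(domain: str) -> str:
    """Keyword that matches only this exact domain name."""
    return rf"^{re.escape(domain)}$"


def suffix_rule(domain: str) -> str:
    """Keyword that matches the domain and every subdomain under it."""
    return rf"(^|\.){re.escape(domain)}$"


class DomainRuleDb:
    """Rule database built from parallel keyword and id number arrays,
    mirroring the compile step described above (re as a stand-in for hyperscan)."""

    def __init__(self, keywords: List[str], ids: List[int]):
        if len(keywords) != len(ids):
            raise ValueError("keyword array and id number array must have equal length")
        if len(set(ids)) != len(ids):
            raise ValueError("rule_id values must be locally unique")
        # DNS names are case-insensitive, so compile with IGNORECASE; otherwise a
        # query for XXX.com would slip past a rule written as xxx.com.
        self.rules = [(rid, re.compile(kw, re.IGNORECASE)) for rid, kw in zip(ids, keywords)]

    def scan(self, domain: str, on_match: Optional[Callable[[int, str], None]] = None) -> List[int]:
        """Match one extracted domain name against every rule. The callback
        receives the rule_id of each hit, as the match callback described above
        does; the list of ids hit is also returned. (This per-rule loop is the
        comparison the text says hyperscan accelerates; the interface is the same.)"""
        name = domain.rstrip(".")          # drop the trailing dot of a wire-format name
        hits = []
        for rid, pattern in self.rules:
            if pattern.search(name):
                hits.append(rid)
                if on_match is not None:
                    on_match(rid, name)
        return hits


def build_demo_db() -> DomainRuleDb:
    """Constructed rules: rule 1 exact, rule 2 suffix, rule 3 a bare unanchored keyword.
    Rule 3 shows why keywords should be anchored and escaped: "xxx.com" as a bare
    regex also hits notxxx.com and, because the dot is unescaped, xxxacom."""
    keywords = [exact_rule("xxx.com"), suffix_rule("yyy.com"), "xxx.com"]
    ids = [1, 2, 3]       # rule_id values, constructed
    return DomainRuleDb(keywords, ids)
```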
For ease of understanding, the above can also be followed with reference to the workflow diagram of the domain name matching process of the present application shown in fig. 2.
After the capture of the domain name based network traffic is completed, as mentioned above, the corresponding data application can be deployed so that the data application operates on a precisely scoped range of network traffic, such as the application of the log mentioned above.
In addition, other types of data applications can be carried out according to system characteristics or application requirements, for example displaying logs, computing the proportion of matched DNS traffic, drawing domain name and IP association graphs, and the like; these can be flexibly adjusted according to actual conditions. Since the processing object, namely the network traffic captured on the basis of domain names, is captured with high accuracy, a highly accurate data application effect can be achieved.
The above is the introduction of the domain name based network traffic processing method provided by the present application, and in order to better implement the domain name based network traffic processing method provided by the present application, the present application further provides a domain name based network traffic processing apparatus from the perspective of a functional module.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a domain name based network traffic processing apparatus 300 according to the present application, in which the domain name based network traffic processing apparatus may specifically include the following structure:
an obtaining unit 301, configured to obtain network traffic to be processed, where the network traffic to be processed is used to analyze whether the network traffic belongs to a preset target object;
an extracting unit 302, configured to extract, at the application layer, the domain name of the receiver and the domain name of the sender of the network traffic to be processed;
a determining unit 303, configured to determine whether the network traffic to be processed matches a preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender, and if so, determine that the network traffic to be processed belongs to the network traffic of the target object.
In an exemplary implementation manner, the apparatus further includes a log processing unit 304, configured to, if the network traffic to be processed belongs to the request packet type and the target object is a target session:
creating a log of the target object;
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
In another exemplary implementation manner, the apparatus further includes a log processing unit 304, configured to, if the network traffic to be processed belongs to the response packet type and the target object is a target session:
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
In yet another exemplary implementation, the determining unit 303 is further configured to:
extracting quintuple information of network traffic to be processed, wherein the quintuple information specifically comprises a source IP, a destination IP, a source port, a destination port and a protocol type;
and determining whether the network traffic to be processed belongs to the target session or not according to the quintuple information.
In another exemplary implementation manner, the apparatus further includes a log processing unit 304 configured to, if the network traffic to be processed has no related query packet or response packet and the target object is a target session:
and adding a missing identifier for the network traffic to be processed in a log of the network traffic to be processed about the target session, wherein the missing identifier is used for identifying that the network traffic to be processed does not have a related query message or response message.
In another exemplary implementation manner, the determining unit 303 is specifically configured to:
on the basis of the domain name of the receiver and the domain name of the sender, determine whether the network traffic to be processed matches the preset domain name matching rule of the target object through a hyperscan engine, wherein domain name keywords and corresponding ID numbers are written into the hyperscan engine for use in matching.
In another exemplary implementation, the traffic to be processed is specifically DNS traffic passing through a DNS device.
Referring to fig. 4, fig. 4 shows a schematic structural diagram of a processing device of the present application, specifically, the processing device of the present application may include a processor 401, a memory 402, and an input/output device 403, where the processor 401 is configured to implement, when executing a computer program stored in the memory 402, the steps of the domain name-based network traffic processing method in the corresponding embodiment of fig. 1; alternatively, the processor 401 is configured to implement the functions of the units in the embodiment corresponding to fig. 3 when executing the computer program stored in the memory 402, and the memory 402 is configured to store the computer program required by the processor 401 to execute the domain name based network traffic processing method in the embodiment corresponding to fig. 1.
Illustratively, a computer program may be partitioned into one or more modules/units, which are stored in memory 402 and executed by processor 401 to accomplish the present application. One or more modules/units may be a series of computer program instruction segments capable of performing certain functions, the instruction segments being used to describe the execution of a computer program in a computer device.
The processing devices may include, but are not limited to, a processor 401, a memory 402, and input-output devices 403. Those skilled in the art will appreciate that the illustration is merely an example of a processing device and does not constitute a limitation of the processing device and may include more or less components than those illustrated, or combine certain components, or different components, e.g., the processing device may also include a network access device, bus, etc., through which the processor 401, memory 402, input output device 403, etc., are connected.
The processor 401 may be a central processing unit (CPU), another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like; the processor is the control center of the processing device and connects the various parts of the overall device through various interfaces and lines.
The memory 402 may be used to store computer programs and/or modules, and the processor 401 implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 402 and invoking data stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created according to the use of the processing device, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), at least one magnetic disk storage device, a flash memory device, or other volatile solid state storage device.
The processor 401, when executing the computer program stored in the memory 402, may specifically implement the following functions:
acquiring network traffic to be processed, wherein the network traffic to be processed is used for analyzing whether the network traffic belongs to the network traffic of a preset target object;
extracting a domain name of a receiver and a domain name of a sender of the network traffic to be processed on an application level;
determining whether the network traffic to be processed matches a preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender;
and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the domain name based network traffic processing apparatus, the processing device and the corresponding units thereof described above may refer to the description of the domain name based network traffic processing method in the embodiment corresponding to fig. 1, and are not described herein again in detail.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
For this reason, the present application provides a computer-readable storage medium, where a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps of the domain name based network traffic processing method in the embodiment corresponding to fig. 1 in the present application, and specific operations may refer to the description of the domain name based network traffic processing method in the embodiment corresponding to fig. 1, which is not described herein again.
Wherein the computer-readable storage medium may include: read Only Memory (ROM), random Access Memory (RAM), magnetic or optical disks, and the like.
Because the instructions stored in the computer-readable storage medium can execute the steps of the domain name based network traffic processing method in the embodiment corresponding to fig. 1, the beneficial effects that can be achieved by the domain name based network traffic processing method in the embodiment corresponding to fig. 1 can be achieved, which are described in detail in the foregoing description and are not described herein again.
The method, the apparatus, the processing device and the computer-readable storage medium for processing network traffic based on a domain name provided by the present application have been introduced in detail above. Specific examples have been used herein to explain the principle and the implementation of the present application, and the description of the above embodiments is only intended to help in understanding the method and the core idea of the present application; at the same time, those skilled in the art may, according to the idea of the present application, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A method for processing network traffic based on a domain name, the method comprising:
acquiring network traffic to be processed, wherein the network traffic to be processed is used for analyzing whether the network traffic belongs to the network traffic of a preset target object;
extracting the domain name of a receiver and the domain name of a sender of the network traffic to be processed on an application level;
determining whether the network traffic to be processed matches a preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender;
and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
2. The method according to claim 1, wherein if the pending network traffic belongs to a request packet type and the target object is a target session, after determining that the pending network traffic belongs to the network traffic of the target object, the method further comprises:
creating a log of the target object;
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
3. The method according to claim 1, wherein if the to-be-processed network traffic belongs to a response packet type and the target object is a target session, after determining that the to-be-processed network traffic belongs to the network traffic of the target object, the method further comprises:
and writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
4. A method according to claim 2 or 3, characterized in that the method further comprises:
extracting quintuple information of the network traffic to be processed, wherein the quintuple information specifically comprises a source IP, a destination IP, a source port, a destination port and a protocol type;
and determining whether the network traffic to be processed belongs to the target session according to the quintuple information.
5. The method according to claim 4, wherein if there is no relevant query message or response message in the network traffic to be processed, and the target object is a target session, the method further comprises:
and adding a missing identifier for the network traffic to be processed in a log of the network traffic to be processed about the target session, wherein the missing identifier is used for identifying that the network traffic to be processed does not have a related query message or response message.
6. The method according to claim 1, wherein the determining whether the network traffic to be processed matches a preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender includes:
and on the basis of the domain name of the receiver and the domain name of the sender, determining whether the network traffic to be processed matches the preset domain name matching rule of the target object through a hyperscan engine, wherein domain name keywords and corresponding ID numbers are written into the hyperscan engine for use in matching.
7. The method according to claim 1, wherein the traffic to be processed is specifically DNS traffic passing through a DNS device.
8. A domain name based network traffic processing apparatus, the apparatus comprising:
an acquisition unit, configured to acquire network traffic to be processed, wherein the network traffic to be processed is used for analyzing whether the network traffic belongs to a preset target object;
an extracting unit, configured to extract, at an application level, a domain name of a receiver and a domain name of a sender of the to-be-processed network traffic;
and the determining unit is used for determining whether the network traffic to be processed is matched with a preset domain name matching rule of the target object according to the domain name of the receiver and the domain name of the sender, and if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
9. A processing device comprising a processor and a memory, a computer program being stored in the memory, the processor performing the method according to any of claims 1 to 7 when calling the computer program in the memory.
10. A computer readable storage medium, having stored thereon a plurality of instructions adapted to be loaded by a processor to perform the method of any one of claims 1 to 7.
CN202211626406.1A 2022-12-16 2022-12-16 Domain name based network traffic processing method and device and processing equipment Pending CN115955423A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211626406.1A CN115955423A (en) 2022-12-16 2022-12-16 Domain name based network traffic processing method and device and processing equipment

Publications (1)

Publication Number Publication Date
CN115955423A true CN115955423A (en) 2023-04-11

Family

ID=87296480

Country Status (1)

Country Link
CN (1) CN115955423A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination