CN115987826A - Keyword plugging method for multiple data transmission links and related equipment - Google Patents


Info

Publication number: CN115987826A
Authority: CN (China)
Prior art keywords: information, url, quintuple, node, data transmission
Legal status: Pending
Application number: CN202211714773.7A
Other languages: Chinese (zh)
Inventor: 李小坤
Current Assignee: Wuhan Greenet Information Service Co Ltd
Original Assignee: Wuhan Greenet Information Service Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a keyword blocking method and related equipment for multiple data transmission links. The method comprises the following steps: acquiring first five-tuple information and first url information of first uplink traffic; storing the first five-tuple information and the first url information into an association table of five-tuples and urls; receiving second five-tuple information and the mark information of the second five-tuple information sent by a second node; determining, based on the association table, second url information associated with the second five-tuple information; and synchronizing the second url information and the mark information to the url list table in each node so as to perform keyword blocking. Because the five-tuple information and the mark information of the downlink traffic are sent to the first node, the first node can determine the url associated with that five-tuple from its association table of five-tuples and urls and attach the mark information to the url; repeated reassembly and restoration of the traffic is thereby avoided and the efficiency of keyword blocking is improved.

Description

Keyword blocking method for multiple data transmission links and related equipment
Technical Field
The present application relates to the field of deep packet inspection technologies, and in particular to a keyword blocking method for multiple data transmission links and related devices.
Background
DPI (Deep Packet Inspection) is a packet-based deep inspection technology: it inspects the application-layer payload of packets belonging to different protocols (such as HTTP, DNS, etc.) and determines the legitimacy of a packet from that payload. To ensure the information security of a network, DPI devices are often deployed in IDC (Internet Data Center) machine rooms to detect whether sensitive keywords exist in web pages transmitted over HTTP and to block them, so as to prevent malicious information from spreading.
Specifically, one DPI device usually processes either the uplink traffic or the downlink traffic of a session: it reassembles and restores the downlink traffic to obtain the transmitted page, matches the page against illegal keywords, and, if the match succeeds, associates the page with its url (uniform resource locator), so that the url can be blocked directly when it appears again.
However, the route taken by a user's traffic to a given web page is not fixed. For stability, machine rooms generally have redundant backups: for example, when the data transmission link of machine room A is interrupted (for example, the optical cable is cut), the traffic load of machine room A is automatically switched to the data transmission link of machine room B by the routing rules. As a result, the uplink traffic and the downlink traffic of one session often pass through different machine rooms. When they do, the uplink traffic corresponding to the downlink traffic passes through a DPI device in the other machine room, so the downlink page cannot be associated with its url; the page therefore has to be reassembled and restored again every time it appears, which reduces the efficiency of keyword blocking.
Disclosure of Invention
The application provides a keyword blocking method and related equipment for multiple data transmission links, and aims to improve the efficiency of keyword blocking.
In one aspect, the present application provides a keyword blocking method for multiple data transmission links, where the multiple data transmission links are disposed between a user end and a server end and include a first link for transmitting uplink traffic and a second link for transmitting downlink traffic, the first link is connected to a first node for deep packet inspection, and the second link is connected to a second node for deep packet inspection. The method, applied to the first node, includes:
acquiring first uplink traffic in the first link;
acquiring first five-tuple information and first url information of the first uplink traffic;
storing the first five-tuple information and the first url information into the association table of five-tuples and urls of the first node;
receiving second five-tuple information and the mark information of the second five-tuple information sent by the second node, where the second node acquires second downlink traffic in the second link, acquires the second five-tuple information of the second downlink traffic, and determines the mark information of the second five-tuple information;
determining, based on the association table, second url information associated with the second five-tuple information;
and synchronizing the second url information and the mark information to the url list table in each node for deep packet inspection, where the url list table stores multiple url information items and the mark information of each url, so that keyword blocking is performed based on the url list table.
In some embodiments, determining, based on the association table, the second url information associated with the second five-tuple information includes:
generating target five-tuple information from the second five-tuple information, where the source ip of the target five-tuple is the destination ip of the second five-tuple, the source port of the target five-tuple is the destination port of the second five-tuple, the destination ip of the target five-tuple is the source ip of the second five-tuple, and the destination port of the target five-tuple is the source port of the second five-tuple;
and looking up the url information of the target five-tuple information in the association table and using that url information as the second url information associated with the second five-tuple information.
In some embodiments, the url list table is a url black-and-white list table, the mark information of each url in the url black-and-white list table is a white mark or a black mark, and the mark information of the second five-tuple information is a white mark or a black mark.
In some embodiments, after synchronizing the second url information and the mark information to the url list table in each node for deep packet inspection, the method further includes:
acquiring second uplink traffic in the first link;
if the mark information of the url information of the second uplink traffic in the synchronized url list table is a black mark, performing blocking processing on the second uplink traffic;
and if the mark information of the url information of the second uplink traffic in the synchronized url list table is a white mark, synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table of each node for deep packet inspection, so that when received five-tuple information of third downlink traffic exists in the synchronized five-tuple white list table, the third downlink traffic is subjected to neither reassembly and restoration processing nor blocking processing.
In another aspect, the present application provides a keyword blocking method for multiple data transmission links, applied to any second node described above, which includes:
acquiring second downlink traffic in the second link;
acquiring second five-tuple information of the second downlink traffic;
if the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic;
determining the mark information of the second downlink traffic based on whether a preset keyword exists in the second downlink traffic;
and sending the second five-tuple information and its mark information to each node for deep packet inspection, so that each node determines, based on its own association table of five-tuples and urls, the second url information associated with the second five-tuple information and synchronizes the second url information and the mark information to the url list table in each node for deep packet inspection, where the url list table stores multiple url information items and the mark information of each url, and keyword blocking is performed based on the url list table.
In some embodiments, detecting whether a preset keyword exists in the second downlink traffic if the five-tuple information does not exist in the five-tuple white list table of the second node includes:
if the five-tuple information does not exist in the five-tuple white list table of the second node, performing reassembly and restoration processing on the second downlink traffic to obtain the original content of the second downlink traffic;
and determining whether the preset keyword exists in the second downlink traffic based on whether it exists in the original content.
In some embodiments, after sending the second five-tuple information and its mark information to each node for deep packet inspection, the method further includes:
receiving the five-tuple information of second uplink traffic sent by a first node;
synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table of the second node;
and when received five-tuple information of third downlink traffic exists in the synchronized five-tuple white list table, performing neither reassembly and restoration processing nor blocking processing on the third downlink traffic.
In another aspect, the present application provides a keyword blocking apparatus for multiple data transmission links, the apparatus including:
an obtaining unit, configured to obtain first uplink traffic in the first link and to obtain the first five-tuple information and first url information of the first uplink traffic;
a storage unit, configured to store the first five-tuple information and the first url information into the association table of five-tuples and urls of the first node;
a receiving unit, configured to receive second five-tuple information and the mark information of the second five-tuple information sent by the second node, where the second node obtains second downlink traffic in the second link, obtains the second five-tuple information of the second downlink traffic, and determines the mark information of the second five-tuple information;
a determining unit, configured to determine, based on the association table, second url information associated with the second five-tuple information;
and a synchronization unit, configured to synchronize the second url information and the mark information to the url list table in each node for deep packet inspection, where the url list table stores multiple url information items and the mark information of each url, so that keyword blocking is performed based on the url list table.
In another aspect, the present application provides a keyword blocking apparatus for multiple data transmission links, the apparatus including:
an extracting unit, configured to obtain second downlink traffic in the second link and to obtain the second five-tuple information of the second downlink traffic;
a detecting unit, configured to detect whether a preset keyword exists in the second downlink traffic if the five-tuple information does not exist in the five-tuple white list table of the second node;
a marking unit, configured to determine the mark information of the second downlink traffic based on whether a preset keyword exists in the second downlink traffic;
and a sending unit, configured to send the second five-tuple information and its mark information to each node for deep packet inspection, so that each node determines, based on its own association table of five-tuples and urls, the second url information associated with the second five-tuple information and synchronizes the second url information and the mark information to the url list table in each node for deep packet inspection, where the url list table stores multiple url information items and the mark information of each url, so that keyword blocking is performed based on the url list table.
In another aspect, the present application further provides a computer device, including:
one or more processors;
a memory; and
one or more application programs, where the one or more application programs are stored in the memory and configured to be executed by the processor to implement the keyword blocking method for multiple data transmission links.
In another aspect, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is loaded by a processor to execute the steps of the keyword blocking method for multiple data transmission links.
In the keyword blocking method and related device for multiple data transmission links provided in the embodiments of the present application, the multiple data transmission links are disposed between a user end and a server end and include a first link for transmitting uplink traffic and a second link for transmitting downlink traffic; the first link is connected to a first node for deep packet inspection and the second link to a second node for deep packet inspection. The method, applied to the first node, includes: acquiring first uplink traffic in the first link; acquiring first five-tuple information and first url information of the first uplink traffic; storing the first five-tuple information and the first url information into the association table of five-tuples and urls of the first node; receiving second five-tuple information and the mark information of the second five-tuple information sent by the second node, where the second node acquires second downlink traffic in the second link, acquires the second five-tuple information of the second downlink traffic, and determines the mark information of the second five-tuple information; determining, based on the association table, second url information associated with the second five-tuple information; and synchronizing the second url information and the mark information to the url list table in each node for deep packet inspection, where the url list table stores multiple url information items and the mark information of each url, so that keyword blocking is performed based on the url list table.
Because the five-tuple information and the mark information of the downlink traffic are sent to the first node, the first node can determine the url associated with that five-tuple from its association table of five-tuples and urls and attach the mark information to the url; repeated reassembly and restoration of the traffic is thereby avoided and the efficiency of keyword blocking is improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of a scenario of a keyword blocking system for multiple data transmission links according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an embodiment of a keyword blocking method for multiple data transmission links according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of another embodiment of a keyword blocking method for multiple data transmission links according to an embodiment of the present application;
Fig. 4 is another schematic view of a keyword blocking system for multiple data transmission links according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an embodiment of a keyword blocking apparatus for multiple data transmission links according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an embodiment of a computer device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
In the description of the present application, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", etc. indicate orientations or positional relationships based on those shown in the drawings, merely for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be considered limiting. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or as implicitly indicating the number of technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the described features. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
In this application, the word "exemplary" is used to mean "serving as an example, instance, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the application. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present application may be practiced without these specific details. In other instances, well-known structures and processes are not described in detail in order to avoid obscuring the description of the present application with unnecessary detail. Thus, the present application is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
The embodiments of the present application provide a keyword blocking method for multiple data transmission links and related devices, which are described in detail below.
As shown in fig. 1, which is a schematic view of a scenario of a keyword blocking system for multiple data transmission links according to an embodiment of the present application, the keyword blocking system for multiple data transmission links may include a computer device 100, in which a keyword blocking apparatus for multiple data transmission links is integrated.
In this embodiment, the computer device 100 may be a terminal or a server. When the computer device 100 is a server, it may be an independent server, or a server network or server cluster composed of several servers; for example, the computer device 100 described in this embodiment includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud server built from multiple servers. A cloud server is built from a large number of computers or web servers based on cloud computing.
It is to be understood that, when the computer device 100 is a terminal, the terminal may be a device with both receiving and transmitting hardware, that is, a device capable of bidirectional communication over a bidirectional communication link. Such a device may be a cellular or other communication device with a single-line or multi-line display, or one without a multi-line display. The computer device 100 may specifically be a desktop terminal or a mobile terminal, such as a mobile phone, a tablet computer or a notebook computer.
It can be understood by those skilled in the art that the application environment shown in fig. 1 is only one application scenario of the present application and does not limit it; other application environments may include more or fewer computer devices than shown in fig. 1. For example, only one computer device is shown in fig. 1, but the keyword blocking system for multiple data transmission links may include one or more other computer devices, which is not limited here.
In addition, as shown in fig. 1, the keyword blocking system for multiple data transmission links may further include a memory 200 for storing data, such as the association table of five-tuples and urls.
It should be noted that the scenario diagram of the keyword blocking system for multiple data transmission links shown in fig. 1 is merely an example; the system and scenario described in the embodiments of the present application serve to illustrate the technical solution more clearly and do not limit it.
For example, referring to fig. 4, which is a schematic diagram of another scenario of a keyword blocking system for multiple data transmission links: multiple data transmission links are disposed between a user end and a server end, and they include a first link for transmitting uplink traffic and a second link for transmitting downlink traffic. Uplink traffic is the traffic sent by the user end to the server end, and downlink traffic is the traffic sent by the server end to the user end. The first link is connected to a DPI (Deep Packet Inspection) device in machine room A through an optical splitter and a traffic distributor, and the second link is connected to a DPI device in machine room B through an optical splitter and a traffic distributor. The optical splitter mirrors the uplink or downlink traffic of the link to the traffic distributor, and the traffic distributor distributes the mirrored traffic to one DPI device in the machine room for keyword detection and blocking based on load balancing (for example, hash-based load balancing on the pair (source ip, destination ip)). Machine room A and machine room B are both IDC (Internet Data Center) machine rooms, and multiple DPI devices are deployed in each; one DPI device is one node. For example, in fig. 4 one DPI device in machine room A is the first node and one DPI device in machine room B is the second node, and both are used for deep packet inspection.
It should be noted that any DPI device in machine room A or machine room B can serve as a first node or a second node; the only requirement is that the first node processes the uplink traffic and the second node processes the downlink traffic, that is, the uplink traffic and the downlink traffic pass through different DPI devices.
Next, a keyword blocking method for multiple data transmission links provided by the embodiment of the present application is described.
In the following embodiments of the keyword blocking method for multiple data transmission links, the keyword blocking apparatus for multiple data transmission links is the execution subject; for brevity, the execution subject is omitted in the method embodiments that follow. The keyword blocking apparatus for multiple data transmission links is applied to computer equipment.
Referring to fig. 2, which is a flowchart of an embodiment of a keyword blocking method for multiple data transmission links according to an embodiment of the present application, the method is applied to the first node and includes:
201. Acquiring first uplink traffic in the first link.
In an embodiment of the present application, the first uplink traffic is uplink traffic sent by the user end to the server end, and it is distributed to the first node by the load balancing policy of the traffic distributor.
202. Acquiring first five-tuple information and first url information of the first uplink traffic.
In an embodiment of the present application, the first five-tuple information and the first url information are carried in the first uplink traffic and are obtained by parsing it. The first five-tuple information comprises the source ip, source port, destination ip and destination port of the first uplink traffic, and the first url information is the url address of the page that the user end requests from the server through the first uplink traffic.
203. Storing the first five-tuple information and the first url information into the association table of five-tuples and urls of the first node.
In an embodiment of the present application, the first node stores an association table of five-tuples and urls, which holds multiple five-tuple entries and the url information associated with each of them. Storing the first five-tuple information and the first url information into the association table extends that table.
204. Receiving second quintuple information and mark information of the second quintuple information sent by the second node, wherein the second node acquires second downlink traffic in the second link, acquires the second quintuple information of the second downlink traffic, and determines the mark information of the second quintuple information;
in this embodiment of the application, when the second node processes the second downlink traffic, the second node sends the second quintuple information of the second downlink traffic and the tag information of the second quintuple information to all nodes in the machine room a and the machine room B based on a communication connection (e.g., a Transmission Control Protocol (TCP) connection) between the nodes, so that the first node may also receive the second quintuple information and the tag information of the second quintuple information. The steps of the second node acquiring the second five-tuple information and the tag information of the second five-tuple information are detailed in the embodiment shown in fig. 3. The mark information is used to indicate whether the page of the second downlink traffic contains a preset keyword, for example, the mark information may be a white mark or a black mark, where the white mark indicates that the page of the second downlink traffic does not contain the preset keyword, and the black mark indicates that the page of the second downlink traffic contains the preset keyword. The preset keywords are generally preset sensitive characters, and can be preset based on actual requirements.
205. Determining second url information associated with the second five-tuple information based on the association relation table;
in the embodiment of the present application, the second five-tuple information includes a source ip, a source port, a destination ip, and a destination port.
Since the second quintuple information is obtained based on the downlink traffic and the quintuple information in the association table is obtained based on the uplink traffic, when determining the second url information associated with the second quintuple information, it is necessary to invert the source and the target in the second quintuple information, that is, determining the second url information associated with the second quintuple information based on the association table may include: generating target quintuple information based on the second quintuple information, wherein a source ip in the target quintuple information is a target ip in the second quintuple information, a source port in the target quintuple information is a target port in the second quintuple information, a target ip in the target quintuple information is a source ip in the second quintuple information, and a target port in the target quintuple information is a source port in the second quintuple information, so that the source and the target in the second quintuple information are reversed; and determining url information of the target five-tuple information in the association relation table, and using the url information as second url information associated with the second five-tuple information.
206. Synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, so that keyword blocking is performed based on the url list table.
In this embodiment of the present application, the nodes for deep packet inspection are all nodes in machine room A and machine room B, and each node stores one url list table. The tag information of the second five-tuple information is used as the tag information of the second url information and is synchronized to the url list table in each node for deep packet inspection, which associates the tag information with the url information. Keyword blocking means performing blocking processing when a preset keyword is present in the traffic, and whether a preset keyword is present in the traffic is determined from the tag information.
In some embodiments of the present application, the url list table is a url black-and-white list table, and the tag information of each url information in the url black-and-white list table is a white tag or a black tag. A black-and-white list table means that white-tagged url information and black-tagged url information are stored in the same list table. Therefore, when deciding whether blocking processing is needed, each node queries the url black-and-white list table only once, instead of querying a url black list table and a url white list table separately (for example, if the url information to be queried is not in the url black list table, it would still have to be checked against the url white list table before the decision could be made), which improves the matching efficiency for the queried url information and the efficiency of keyword blocking.
In some embodiments of the present application, after synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, the method may further include: acquiring second uplink traffic in the first link; and if the tag information of the url information of the second uplink traffic in the synchronized url list table is a black tag, determining that a preset keyword exists in the downlink traffic corresponding to the second uplink traffic, and performing blocking processing on the second uplink traffic. The blocking processing may be: sending session-ending information to the user end and to the server end respectively, so as to end the access session based on the second uplink traffic (for example a TCP session) between the user end and the server end; the user end then cannot obtain the data of the requested traffic, which achieves the keyword blocking.
Further, after acquiring the second uplink traffic in the first link, the method may further include: if the tag information of the url information of the second uplink traffic in the synchronized url list table is a white tag, determining that no preset keyword exists in the downlink traffic corresponding to the second uplink traffic, and synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table in each node for deep packet inspection, so that when the received five-tuple information of a third downlink traffic already exists in the synchronized five-tuple white list table, neither reassembly and restoration processing nor blocking processing is performed on the third downlink traffic, and the reassembly and restoration work is not repeated. It can be understood that after the first node acquires the second uplink traffic in the first link, it cannot know which node will process the downlink traffic corresponding to the second uplink traffic, so the five-tuple information of the second uplink traffic must be synchronized into the five-tuple white list tables of all nodes. The five-tuple white list table stores the five-tuple information that has been tagged white.
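The following is an added example, not code from the patent or the applicant, that carries steps 204 to 206 and the uplink decision described above through in Python for the first node. It models the nodes of both machine rooms as objects in one process, so "sending to all nodes" becomes a method call on every peer; the five-tuple carries an explicit protocol field that the text does not list; and the five-tuple white list is kept in downlink orientation, because the text does not state which orientation it uses. All addresses and urls are constructed samples.

```python
# Added example (not from the patent): the first node's side of the scheme,
# steps 204-206 above plus the uplink decision described afterwards.
# Assumptions: two nodes are modelled in one process and "sending to all
# nodes" is a direct method call; the five-tuple carries an explicit protocol
# field, which the text does not list; the five-tuple white list is kept in
# downlink orientation (the text does not state the orientation).
from typing import Dict, List, NamedTuple, Optional, Set

BLACK = "black"   # page of the corresponding downlink traffic contained a preset keyword
WHITE = "white"   # it did not


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"  # assumption: not in the text, added to make it a true five-tuple

    def swap_ends(self) -> "FiveTuple":
        """Step 205: build the target five-tuple by exchanging source and destination,
        so a five-tuple seen on the downlink matches the entry recorded from the uplink."""
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class DpiNode:
    """One deep-packet-inspection node. Every node holds the three tables named in the text."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.assoc: Dict[FiveTuple, str] = {}         # association relation table: uplink five-tuple -> url
        self.url_list: Dict[str, str] = {}            # url black-and-white list table: url -> BLACK / WHITE
        self.tuple_whitelist: Set[FiveTuple] = set()  # five-tuple white list table (downlink orientation)
        self.peers: List["DpiNode"] = []              # all nodes in both machine rooms, including self

    def on_uplink(self, ft: FiveTuple, url: str) -> str:
        """Steps 201-203 (record the association), then the single lookup of the
        combined list described after step 206. Returns 'block', 'pass' or 'unknown'."""
        self.assoc[ft] = url
        tag = self.url_list.get(url)
        if tag == BLACK:
            # The text ends the session towards both user end and server end here;
            # this example only reports the decision.
            return "block"
        if tag == WHITE:
            for node in self.peers:                   # the text syncs the white five-tuple to all nodes
                node.tuple_whitelist.add(ft.swap_ends())
            return "pass"
        return "unknown"                              # not yet tagged: the downlink has not been inspected

    def on_downlink_report(self, down_ft: FiveTuple, tag: str) -> Optional[str]:
        """Steps 204-206: a peer reports (downlink five-tuple, tag). Only the node that
        saw the matching uplink finds a url; it then syncs url -> tag to every node."""
        url = self.assoc.get(down_ft.swap_ends())
        if url is None:
            return None
        for node in self.peers:
            node.url_list[url] = tag
        return url


def run_scenario() -> dict:
    """Constructed walk-through: node A handles uplinks, node B reports downlink tags."""
    a, b = DpiNode("A"), DpiNode("B")
    a.peers = b.peers = [a, b]
    client, server = "10.0.0.5", "203.0.113.10"                # constructed sample addresses
    news, about = "example.test/news", "example.test/about"   # constructed sample urls

    first = a.on_uplink(FiveTuple(client, 51000, server, 80), news)
    down = FiveTuple(server, 80, client, 51000)       # same flow as seen by B on the downlink
    hit_a = a.on_downlink_report(down, BLACK)         # A holds the association and finds the url
    hit_b = b.on_downlink_report(down, BLACK)         # B never saw the uplink
    repeat_black = a.on_uplink(FiveTuple(client, 51001, server, 80), news)

    about_first = a.on_uplink(FiveTuple(client, 51002, server, 80), about)
    a.on_downlink_report(FiveTuple(server, 80, client, 51002), WHITE)
    later = FiveTuple(client, 51003, server, 80)
    about_repeat = a.on_uplink(later, about)
    return {
        "first": first, "hit_a": hit_a, "hit_b": hit_b, "repeat_black": repeat_black,
        "about_first": about_first, "about_repeat": about_repeat,
        "b_whitelisted": later.swap_ends() in b.tuple_whitelist,
        "url_list_b": dict(b.url_list),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the file prints the scenario: the first request for a url is "unknown" because no downlink has been inspected yet, the node that recorded the uplink is the only one that resolves the reported downlink five-tuple, and the combined list is consulted once per uplink. The url list in this example never expires an entry; a tag stays until a later downlink report for the same url overwrites it.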
According to the keyword blocking method for multiple data transmission links provided by this embodiment of the present application, the five-tuple information and tag information of downlink traffic are sent to the first node, so that the first node can determine the url associated with the five-tuple information from the association relation table of five-tuples and urls and associate the tag information with the url; repeated reassembly and restoration of the traffic is avoided, keyword blocking decisions are made more promptly, and the efficiency of keyword blocking is improved.
Referring to Fig. 3, Fig. 3 is a schematic flowchart of another embodiment of the keyword blocking method for multiple data transmission links according to an embodiment of the present application, where the method is applied to the second node and includes:
301. Acquiring second downlink traffic in the second link;
In an embodiment of the present application, the second downlink traffic is downlink traffic sent by the user side to the server side, and it is distributed to the second node based on the load-balancing policy of the splitter.
302. Acquiring second five-tuple information of the second downlink traffic;
In an embodiment of the present application, the second downlink traffic carries the second five-tuple information, which is obtained by parsing the second downlink traffic. The second five-tuple information includes the source ip, source port, destination ip and destination port of the second downlink traffic.
303. If the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic;
In this embodiment of the present application, if the five-tuple information does not exist in the five-tuple white list table of the second node, the second downlink traffic has not previously undergone reassembly and restoration and preset-keyword detection, so it is necessary to detect whether a preset keyword exists in the second downlink traffic.
In some embodiments of the present application, if the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic may include: performing reassembly and restoration processing on the second downlink traffic to obtain the original content of the second downlink traffic; and determining whether the preset keyword exists in the second downlink traffic based on whether the preset keyword exists in the original content. It can be understood that when the server side sends downlink traffic it often segments, encodes and compresses the data before transmission, so reassembly and restoration are needed to recover the original content of the downlink traffic. For example, when the second downlink traffic consists of a plurality of compressed data packets, performing reassembly and restoration processing on the second downlink traffic to obtain its original content may include: splicing the compressed data packets of the second downlink traffic (for example by TCP (Transmission Control Protocol) reassembly) to obtain the compressed file of the second downlink traffic, in which the page content cannot yet be viewed; and decompressing the compressed file to obtain the page content of the second downlink traffic, which is the original content.
304. Determining the tag information of the second downlink traffic based on whether a preset keyword exists in the second downlink traffic;
In an embodiment of the present application, if a preset keyword exists in the second downlink traffic, the tag information of the second downlink traffic is determined to be a black tag; if no preset keyword exists in the second downlink traffic, the tag information of the second downlink traffic is determined to be a white tag.
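The following added example (not the patent's or the applicant's code) carries steps 303 and 304 through in Python on the second node: it skips flows already in the five-tuple white list, reassembles gzip-compressed TCP segments by sequence number, decompresses them to the page content, and tags the flow black or white by keyword search. The segment layout, the use of gzip as the compression, the five-tuple as a plain tuple, and all page text and keywords are constructed assumptions; it also handles the case the text does not spell out where a segment is missing, by refusing to inspect a partial page.

```python
# Added example (not from the patent): steps 303 and 304 above on the second
# node. Assumptions: the downlink page arrives as gzip-compressed data spread
# over TCP segments identified by (sequence number, payload); the five-tuple
# is a plain tuple; all sample data is constructed here.
import gzip
from typing import Iterable, List, Set, Tuple

BLACK, WHITE = "black", "white"
Segment = Tuple[int, bytes]            # (TCP sequence number, payload)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """TCP reassembly: order segments by sequence number and splice the payloads.
    Exact duplicates (retransmissions) are dropped, overlapping bytes are trimmed,
    and a gap raises so a partial page is never inspected as if it were complete."""
    out = bytearray()
    expected = None
    for seq, payload in sorted(set(segments)):
        if expected is None:
            expected = seq
        if seq < expected:                          # overlap with bytes already spliced
            payload = payload[expected - seq:]
            seq = expected
        elif seq > expected:
            raise ValueError(f"missing segment at sequence {expected}")
        out += payload
        expected = seq + len(payload)
    return bytes(out)


def restore(segments: Iterable[Segment], compressed: bool = True) -> bytes:
    """Reassembly and restoration: splice to the compressed file, then decompress to page content."""
    data = reassemble(segments)
    return gzip.decompress(data) if compressed else data


def detect_keywords(content: bytes, keywords: Iterable[str]) -> List[str]:
    """Return the preset keywords found in the original content."""
    text = content.decode("utf-8", errors="replace")
    return [kw for kw in keywords if kw in text]


def tag_downlink(five_tuple: tuple, segments: Iterable[Segment], keywords: Iterable[str],
                 tuple_whitelist: Set[tuple], compressed: bool = True) -> Tuple[str, List[str], bool]:
    """Steps 303-304: skip flows already in the five-tuple white list, otherwise restore,
    detect and tag. Returns (tag, keywords found, whether inspection was performed)."""
    if five_tuple in tuple_whitelist:
        return WHITE, [], False                     # already judged clean on an earlier flow
    hits = detect_keywords(restore(segments, compressed), keywords)
    return (BLACK if hits else WHITE), hits, True


def make_sample_segments(page: bytes, seq0: int = 1000, chunk: int = 16) -> List[Segment]:
    """Constructed input: gzip the page, cut it into segments, deliver them out of
    order and add one retransmitted copy, as the inspecting node might see them."""
    body = gzip.compress(page)
    segs = [(seq0 + i, body[i:i + chunk]) for i in range(0, len(body), chunk)]
    segs.reverse()
    segs.append(segs[0])
    return segs


def demo() -> dict:
    keywords = ["forbidden-term"]                   # constructed preset keyword
    flagged = b"<html><body>a page mentioning forbidden-term</body></html>"
    clean = b"<html><body>a plain page</body></html>"
    ft = ("203.0.113.10", 80, "10.0.0.5", 51000, "tcp")   # constructed downlink five-tuple

    tag1, hits1, inspected1 = tag_downlink(ft, make_sample_segments(flagged), keywords, set())
    tag2, hits2, _ = tag_downlink(ft, make_sample_segments(clean), keywords, set())
    tag3, _, inspected3 = tag_downlink(ft, make_sample_segments(flagged), keywords, {ft})
    return {"flagged": (tag1, hits1, inspected1), "clean": (tag2, hits2),
            "whitelisted": (tag3, inspected3)}


if __name__ == "__main__":
    print(demo())
```

The whitelisted call returns without touching the segments at all, which is the saving the text describes; the keyword search is deliberately run on the decompressed bytes only, since a match against the compressed file would be meaningless.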
305. Sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, so that each node determines the second url information associated with the second five-tuple information based on its own association relation table of five-tuples and urls, and synchronizes the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, and keyword blocking is performed based on the url list table.
It can be understood that after the second node acquires the second downlink traffic in the second link, it cannot know which node processed the uplink traffic corresponding to the second downlink traffic, so the second five-tuple information of the second downlink traffic must be sent to all nodes.
In some embodiments of the present application, after sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, the method may further include: receiving the five-tuple information of second uplink traffic sent by the first node; synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table of the second node so as to update that table, wherein each node stores one five-tuple white list table; and when the received five-tuple information of a third downlink traffic exists in the synchronized five-tuple white list table, performing neither reassembly and restoration processing nor blocking processing on the third downlink traffic, but directly determining that no preset keyword exists in it and releasing it, so that repeated reassembly and restoration is avoided and the memory overhead and reassembly cost of the DPI equipment are saved.
According to the scheme disclosed by this embodiment of the present application, the five-tuple information and tag information of downlink traffic are sent to the first node, so that the first node can determine the url associated with the five-tuple information from the association relation table of five-tuples and urls and associate the tag information with the url; repeated reassembly and restoration of the traffic is avoided and the efficiency of keyword blocking is improved.
In order to better implement the keyword blocking method for multiple data transmission links in the embodiments of the present application, on the basis of that method an embodiment of the present application further provides a keyword blocking device for multiple data transmission links. As shown in Fig. 5, the keyword blocking device 500 for multiple data transmission links includes:
an obtaining unit 501, configured to obtain first uplink traffic in a first link, and to obtain first five-tuple information and first url information of the first uplink traffic;
a storage unit 502, configured to store the first five-tuple information and the first url information in an association relation table of five-tuples and urls of the first node;
a receiving unit 503, configured to receive second five-tuple information and tag information of the second five-tuple information sent by a second node, where the second node obtains second downlink traffic in a second link, obtains the second five-tuple information of the second downlink traffic, and determines the tag information of the second five-tuple information;
a determining unit 504, configured to determine, based on the association relation table, second url information associated with the second five-tuple information;
a synchronizing unit 505, configured to synchronize the second url information and the tag information to the url list table in each node for deep packet inspection, where the url list table stores a plurality of url information and the tag information of each url information, so that keyword blocking is performed based on the url list table.
According to the keyword blocking device for multiple data transmission links provided by this embodiment of the present application, the five-tuple information and tag information of downlink traffic are sent to the first node, so that the first node can determine the url associated with the five-tuple information from the association relation table of five-tuples and urls and associate the tag information with the url; repeated reassembly and restoration of the traffic is avoided and the efficiency of keyword blocking is improved.
In order to better implement the keyword blocking method for multiple data transmission links in the embodiments of the present application, on the basis of that method an embodiment of the present application further provides a keyword blocking device for multiple data transmission links, where the device includes:
an extracting unit, configured to obtain second downlink traffic in a second link, and to obtain second five-tuple information of the second downlink traffic;
a detection unit, configured to detect whether a preset keyword exists in the second downlink traffic if the five-tuple information does not exist in the five-tuple white list table of the second node;
a tagging unit, configured to determine the tag information of the second downlink traffic based on whether the preset keyword exists in the second downlink traffic;
and a sending unit, configured to send the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, so that each node determines the second url information associated with the second five-tuple information based on its own association relation table of five-tuples and urls, and synchronizes the second url information and the tag information to the url list table in each node for deep packet inspection, where the url list table stores a plurality of url information and the tag information of each url information, and keyword blocking is performed based on the url list table.
According to the keyword blocking device for multiple data transmission links provided by this embodiment of the present application, the five-tuple information and tag information of downlink traffic are sent to the first node, so that the first node can determine the url associated with the five-tuple information from the association relation table of five-tuples and urls and associate the tag information with the url; repeated reassembly and restoration of the traffic is avoided and the efficiency of keyword blocking is improved.
In addition to the above keyword blocking method and device for multiple data transmission links, an embodiment of the present application further provides a computer device that integrates any one of the keyword blocking devices for multiple data transmission links provided by the embodiments of the present application, where the computer device includes:
one or more processors;
a memory; and
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the processor to perform any of the steps of any of the embodiments of the keyword blocking method for multiple data transmission links described above.
An embodiment of the present application further provides a computer device that integrates any one of the keyword blocking devices for multiple data transmission links provided by the embodiments of the present application. Fig. 6 shows a schematic structural diagram of a computer device according to an embodiment of the present application; specifically:
The computer device may include a processor 601 with one or more processing cores, a storage unit 602 with one or more computer-readable storage media, a power supply 603, an input unit 604, and other components. Those skilled in the art will appreciate that the configuration shown in Fig. 6 does not limit the computer device, which may include more or fewer components than illustrated, combine some components, or arrange the components differently. In particular:
The processor 601 is the control center of the computer device. It connects the various parts of the whole computer device through various interfaces and lines, and performs the functions of the computer device and processes data by running or executing the software programs and/or modules stored in the storage unit 602 and calling the data stored in the storage unit 602, thereby monitoring the computer device as a whole. Optionally, the processor 601 may include one or more processing cores; preferably, the processor 601 may integrate an application processor, which mainly handles the operating system, user interface, application programs and the like, and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor may also not be integrated into the processor 601.
The storage unit 602 may be used to store software programs and modules, and the processor 601 executes various functional applications and data processing by running the software programs and modules stored in the storage unit 602. The storage unit 602 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, the application programs required by at least one function (such as a sound playing function or an image playing function), and the like, and the data storage area may store data created during use of the computer device, and the like. In addition, the storage unit 602 may include high-speed random access memory and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the storage unit 602 may also include a memory controller to provide the processor 601 with access to the storage unit 602.
The computer device further includes a power supply 603 for supplying power to the various components. Preferably, the power supply 603 is logically connected to the processor 601 through a power management system, so that charging, discharging and power consumption are managed through the power management system. The power supply 603 may also include one or more of a direct-current or alternating-current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and any other component.
The computer device may also include an input unit 604, which can receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit and the like, which are not described here. Specifically, in this embodiment of the present application, the processor 601 in the computer device loads the executable file corresponding to the process of one or more application programs into the storage unit 602 according to the following instructions, and the processor 601 runs the application programs stored in the storage unit 602, thereby implementing the following functions:
acquiring first uplink traffic in a first link; acquiring first five-tuple information and first url information of the first uplink traffic; storing the first five-tuple information and the first url information into an association relation table of five-tuples and urls of the first node; receiving second five-tuple information and tag information of the second five-tuple information sent by a second node, wherein the second node acquires second downlink traffic in a second link, acquires the second five-tuple information of the second downlink traffic and determines the tag information of the second five-tuple information; determining second url information associated with the second five-tuple information based on the association relation table; synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, so that keyword blocking is performed based on the url list table;
and/or acquiring second downlink traffic in a second link; acquiring second five-tuple information of the second downlink traffic; if the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic; determining the tag information of the second downlink traffic based on whether the preset keyword exists in the second downlink traffic; and sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, so that each node can determine the second url information associated with the second five-tuple information based on its own association relation table of five-tuples and urls, and synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, so as to perform keyword blocking based on the url list table.
Accordingly, an embodiment of the present application provides a computer-readable storage medium, which may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like. The computer-readable storage medium stores a plurality of instructions that can be loaded by a processor to perform the steps of any of the keyword blocking methods for multiple data transmission links provided in the embodiments of the present application. For example, the instructions may perform the following steps:
acquiring first uplink traffic in a first link; acquiring first five-tuple information and first url information of the first uplink traffic; storing the first five-tuple information and the first url information into an association relation table of five-tuples and urls of the first node; receiving second five-tuple information and tag information of the second five-tuple information sent by a second node, wherein the second node acquires second downlink traffic in a second link, acquires the second five-tuple information of the second downlink traffic and determines the tag information of the second five-tuple information; determining second url information associated with the second five-tuple information based on the association relation table; synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, so that keyword blocking is performed based on the url list table;
and/or acquiring second downlink traffic in a second link; acquiring second five-tuple information of the second downlink traffic; if the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic; determining the tag information of the second downlink traffic based on whether the preset keyword exists in the second downlink traffic; and sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, so that each node can determine the second url information associated with the second five-tuple information based on its own association relation table of five-tuples and urls, and synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, so as to perform keyword blocking based on the url list table.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The keyword blocking method and related devices for multiple data transmission links provided in the embodiments of the present application have been described in detail above. Specific examples have been used to explain the principles and embodiments of the present application, and the above description of the embodiments is only intended to help understand the method and core ideas of the present application. Meanwhile, those skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A keyword blocking method for multiple data transmission links, wherein the multiple data transmission links are disposed between a user end and a server end, the multiple data transmission links include a first link for transmitting uplink traffic and a second link for transmitting downlink traffic, the first link is connected to a first node for deep packet inspection, and the second link is connected to a second node for deep packet inspection, and the method, applied to the first node, includes:
acquiring first uplink traffic in the first link;
acquiring first five-tuple information and first url information of the first uplink traffic;
storing the first five-tuple information and the first url information into an association relation table of five-tuples and urls of the first node;
receiving second five-tuple information and tag information of the second five-tuple information sent by the second node, wherein the second node acquires second downlink traffic in the second link, acquires the second five-tuple information of the second downlink traffic, and determines the tag information of the second five-tuple information;
determining second url information associated with the second five-tuple information based on the association relation table;
and synchronizing the second url information and the tag information to a url list table in each node for deep packet inspection, wherein a plurality of url information and tag information of each url information are stored in the url list table, so as to perform keyword blocking based on the url list table.
2. The method according to claim 1, wherein the second five-tuple information includes a source ip, a source port, a destination ip, and a destination port, and the determining, based on the association relation table, of the second url information associated with the second five-tuple information includes:
generating target five-tuple information based on the second five-tuple information, wherein the source ip in the target five-tuple information is the destination ip in the second five-tuple information, the source port in the target five-tuple information is the destination port in the second five-tuple information, the destination ip in the target five-tuple information is the source ip in the second five-tuple information, and the destination port in the target five-tuple information is the source port in the second five-tuple information;
and determining the url information of the target five-tuple information in the association relation table, and using that url information as the second url information associated with the second five-tuple information.
3. The method according to claim 1, wherein the url list table is a url black-and-white list table, the tag information of each url information in the url black-and-white list table is a white tag or a black tag, and the tag information of the second five-tuple information is a white tag or a black tag.
4. The method according to claim 3, wherein after synchronizing the second url information and the tag information to the url list table in each node for deep packet inspection, the method further comprises:
acquiring second uplink traffic in the first link;
if the tag information of the url information of the second uplink traffic in the synchronized url list table is a black tag, performing blocking processing on the second uplink traffic;
and if the tag information of the url information of the second uplink traffic in the synchronized url list table is a white tag, synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table of each node for deep packet inspection, so that when the received five-tuple information of a third downlink traffic exists in the synchronized five-tuple white list table, reassembly and restoration processing and blocking processing are not performed on the third downlink traffic.
5. A keyword blocking method for multiple data transmission links, wherein the method is applied to the second node of any one of claims 1 to 4, and comprises:
acquiring second downlink traffic in the second link;
acquiring second five-tuple information of the second downlink traffic;
if the five-tuple information does not exist in the five-tuple white list table of the second node, detecting whether a preset keyword exists in the second downlink traffic;
determining tag information of the second downlink traffic based on whether a preset keyword exists in the second downlink traffic;
and sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, so that each node determines second url information associated with the second five-tuple information based on its own association relation table of five-tuples and urls, and synchronizes the second url information and the tag information to a url list table in each node for deep packet inspection, wherein a plurality of url information and the tag information of each url information are stored in the url list table, and keyword blocking is performed based on the url list table.
6. The method according to claim 5, wherein the detecting whether a preset keyword exists in the second downlink traffic includes:
if the five-tuple information does not exist in the five-tuple white list table of the second node, performing reassembly and restoration processing on the second downlink traffic to obtain the original content of the second downlink traffic;
and determining whether the preset keyword exists in the second downlink traffic based on whether the preset keyword exists in the original content.
7. The method according to claim 5, wherein after sending the second five-tuple information and the tag information of the second five-tuple information to each node for deep packet inspection, the method further comprises:
receiving five-tuple information of second uplink traffic sent by the first node;
synchronizing the five-tuple information of the second uplink traffic into the five-tuple white list table of the second node;
and when the received five-tuple information of a third downlink traffic exists in the synchronized five-tuple white list table, not performing reassembly and restoration processing and blocking processing on the third downlink traffic.
8. A keyword blocking system for multiple data transmission links, the system comprising multiple data transmission links disposed between a user end and a server end, the multiple data transmission links including a first link for transmitting uplink traffic and a second link for transmitting downlink traffic, the first link being connected to a first node for deep packet inspection and the second link being connected to a second node for deep packet inspection, the first node being configured to perform the keyword blocking method for multiple data transmission links according to any one of claims 1 to 4, and the second node being configured to perform the keyword blocking method for multiple data transmission links according to any one of claims 5 to 7.
9. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory; and
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors to implement the keyword blocking method for multiple data transmission links of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon a computer program which is loaded by a processor to perform the steps of the keyword blocking method for multiple data transmission links of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211714773.7A CN115987826A (en) 2022-12-29 2022-12-29 Keyword plugging method for multiple data transmission links and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211714773.7A CN115987826A (en) 2022-12-29 2022-12-29 Keyword plugging method for multiple data transmission links and related equipment

Publications (1)

Publication Number Publication Date
CN115987826A true CN115987826A (en) 2023-04-18

Family

ID=85973763

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211714773.7A Pending CN115987826A (en) 2022-12-29 2022-12-29 Keyword plugging method for multiple data transmission links and related equipment

Country Status (1)

Country Link
CN (1) CN115987826A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination