CN116015841A - Message processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116015841A
Authority
CN
China
Prior art keywords
message
access target
access
address
determining
Prior art date
Legal status
Pending
Application number
CN202211667908.9A
Other languages
Chinese (zh)
Inventor
张熹
常力元
佟欣哲
宋悦
孟坤
王业君
郑直
陈奇
刘文龙
乔现朋
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message (network packet) processing method, apparatus, device and storage medium in the field of information security, intended to improve the accuracy of network attack defense. The method comprises: intercepting, from a network communication device, the set of messages that arrive within a preset time window, and determining at least one access target involved in the message set together with an entropy value for each access target; for any one of the access targets, when its entropy value lies in an abnormal range, determining, from the subset of the message set that corresponds to that access target, the number of source network addresses (source IPs) that appear behind its source physical address (source MAC); if that number exceeds a set number threshold, updating the message interception policy according to the set of address information involved in that message subset; and sending the updated message interception policy to the network communication device, so that the network communication device carries out message interception according to the updated policy.

Description

Message processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular to a method, an apparatus, a device and a storage medium for processing messages (network packets).
Background
A distributed denial of service (DDoS) attack is a form of network attack in which a large number of data packets are sent to a target IP address (Internet Protocol address), so that the bandwidth of the host at that address is exhausted and its service becomes abnormal, leaving legitimate users unable to obtain normal service. In the related art, DDoS defense generally processes and filters the network data stream in the kernel protocol stack, judges from the source IP address of the data whether a DDoS attack is under way, and takes corresponding DDoS mitigation measures.
With the continuing development of network technology and the growth of user demand, Internet traffic volumes keep increasing, and the misjudgment rate of deciding whether a DDoS attack is under way from the source IP address alone rises accordingly, so this approach no longer meets current DDoS defense requirements.
Disclosure of Invention
The embodiments of the application provide a message processing method, apparatus, device and storage medium for improving the accuracy of network attack defense.
In one aspect, a method for processing a message is provided, where the method includes:
intercepting a message set in a preset time window from a network communication device, and determining at least one access target related to the message set and an entropy value of each access target, wherein the entropy value is used for representing the total number of accesses of each access target;
For any access target of the at least one access target, when the entropy value of the access target is in an abnormal range, determining the number of source network addresses corresponding to the source physical addresses of the access target based on a message subset corresponding to the access target in the message set;
if the number is larger than the set number threshold, updating a message interception strategy based on the address information set related to the message subset;
and sending the updated message interception policy to the network communication device so that the network communication device executes message interception processing based on the updated message interception policy.
In one aspect, a message processing apparatus is provided, including:
an interception unit, configured to intercept a message set within a preset time window from a network communication device and to determine at least one access target involved in the message set and an entropy value of each access target, where the entropy value characterizes the total number of accesses to the access target;
a determining unit, configured to determine, for any one of the at least one access target, when an entropy value of the access target is within an abnormal range, a number of source network addresses corresponding to source physical addresses of the access target based on a subset of messages corresponding to the access target in the set of messages;
The updating unit is used for updating the message interception strategy based on the address information set related to the message subset if the number is larger than a set number threshold;
and the sending unit is used for sending the updated message interception policy to the network communication device so that the network communication device executes message interception processing based on the updated message interception policy.
Optionally, the determining unit is specifically configured to:
for at least one source network address involved in the message set, respectively executing the following operations:
determining whether a source network address is located in a legal address table according to the source network address, wherein the legal address table is obtained based on legal messages determined by history;
and if the source network address is not in the legal address table, determining the entropy value of the access target related to the message corresponding to the source network address.
Optionally, the determining unit is specifically configured to:
and if the source network address is in the legal address table, storing the message corresponding to the source network address into a cache queue, reading the message from the cache queue and sending the message to a corresponding access target.
Optionally, the determining unit is specifically configured to:
if the number is not greater than the set number threshold, determining that each message in the message subset is a legal message;
and storing each message into a cache queue, reading the message from the cache queue and sending the message to a corresponding access target.
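The decision flow of the determining, updating and sending units above (legal address table fast path, entropy check, count of source IPs seen behind one source MAC, policy update, cache queue), as an added Python example; it is not code from the patent or its assignee. The packet field names, the contents of the legal address table, the entropy value of each access target, the abnormal-range predicate and the number threshold are all assumptions. The entropy values are taken as input here because the patent assigns their computation to the interception unit.

```python
# Added example (not the patent's own code): the decision logic of the
# determining/updating units described above. Packet fields, the legal
# address table, the entropy values and the thresholds are all assumed.
from collections import defaultdict, deque

SOURCE_IP_THRESHOLD = 3  # assumed "set number threshold" for source IPs per source MAC


def access_target(pkt):
    """Access target key: (source MAC, destination IP, destination port)."""
    return (pkt["src_mac"], pkt["dst_ip"], pkt["dst_port"])


def classify_window(packets, entropy_by_target, abnormal, legal_ips,
                    threshold=SOURCE_IP_THRESHOLD):
    """Split one window's packets into legal packets (for the cache queue)
    and interception-policy updates (address info of illegal subsets).

    entropy_by_target: {access target: entropy value} from the interception unit.
    abnormal: predicate saying whether an entropy value is in the abnormal range.
    legal_ips: legal address table (source IPs learned from historical legal traffic).
    """
    legal = []
    subsets = defaultdict(list)  # access target -> message subset
    for pkt in packets:
        if pkt["src_ip"] in legal_ips:      # fast path: known-legal source IP
            legal.append(pkt)
        else:
            subsets[access_target(pkt)].append(pkt)

    policy_updates = []
    for target, subset in subsets.items():
        if abnormal(entropy_by_target.get(target, 0.0)):
            # How many distinct source IPs sit behind this source MAC?
            # Many IPs behind one MAC is the signature of forged source IPs.
            src_ips = {pkt["src_ip"] for pkt in subset}
            if len(src_ips) > threshold:
                policy_updates.append({
                    "src_mac": target[0],
                    "src_ips": sorted(src_ips),
                    "dst_ip": target[1],
                    "dst_port": target[2],
                })
                continue
        legal.extend(subset)  # entropy normal, or few IPs per MAC: treated as legal
    return legal, policy_updates


def forward_from_cache_queue(legal_packets):
    """Cache queue module: enqueue legal packets, drain them in order and
    return the (dst_ip, dst_port) access targets they are sent to."""
    queue = deque(legal_packets)
    sent = []
    while queue:
        pkt = queue.popleft()
        sent.append((pkt["dst_ip"], pkt["dst_port"]))
    return sent


# Constructed sample window (not captured traffic).
SAMPLE_PACKETS = (
    # one source MAC sending with five different (forged) source IPs
    [{"src_mac": "02:00:00:00:00:01", "src_ip": f"203.0.113.{i}",
      "dst_ip": "10.0.0.5", "dst_port": 80} for i in range(1, 6)]
    # one real host, one source IP
    + [{"src_mac": "02:00:00:00:00:02", "src_ip": "192.0.2.10",
        "dst_ip": "10.0.0.5", "dst_port": 80} for _ in range(3)]
    # a host already in the legal address table
    + [{"src_mac": "02:00:00:00:00:03", "src_ip": "198.51.100.7",
        "dst_ip": "10.0.0.5", "dst_port": 443}]
)
LEGAL_IPS = {"198.51.100.7"}
# Entropy values and the abnormal range are assumed here; the page does not fix them.
ENTROPY_BY_TARGET = {
    ("02:00:00:00:00:01", "10.0.0.5", 80): 2.1,
    ("02:00:00:00:00:02", "10.0.0.5", 80): 2.1,
}


def run_example():
    legal, updates = classify_window(SAMPLE_PACKETS, ENTROPY_BY_TARGET,
                                     abnormal=lambda h: h > 2.0,
                                     legal_ips=LEGAL_IPS)
    return legal, updates, forward_from_cache_queue(legal)


if __name__ == "__main__":
    legal, updates, sent = run_example()
    print(f"{len(legal)} legal packets forwarded, {len(updates)} policy update(s)")
    for update in updates:
        print("intercept:", update)
```

Note that both targets in the sample have the same (assumed) abnormal entropy; only the one with five source IPs behind a single MAC produces a policy update, while the real host with one source IP is forwarded, which is the point of combining the two checks.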
Optionally, the interception unit is specifically configured to:
for the at least one access target, the following operations are respectively executed:
aiming at an access target, obtaining an entropy value corresponding to the access target based on the number of messages related to the access target in the preset time window and the total number of all messages in the preset time window.
Optionally, the interception unit is specifically configured to:
store the message set in a user-space storage area and send notification information to a user-space detection program, the notification information including the storage address information of the message set;
and read the message set, through the user-space detection program, based on the storage address information, and determine at least one access target involved in the message set and the entropy value of each access target.
In one aspect, a computer device is provided comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the methods described above when the computer program is executed.
In one aspect, there is provided a computer storage medium having stored thereon computer program instructions which, when executed by a processor, perform the steps of any of the methods described above.
In one aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the steps of any of the methods described above.
The beneficial effects of the embodiment of the application are as follows:
In the embodiments of the application, a message set within a preset time window is intercepted from a network communication device, and at least one access target involved in the message set and the entropy value of each access target are determined. When the entropy value of any access target lies in an abnormal range, the number of source network addresses corresponding to the source physical address of that access target is determined from the subset of the message set that corresponds to that access target; if that number exceeds a set number threshold, the message interception policy is updated according to the address information set involved in that message subset, and the updated policy is sent to the network communication device, which then executes message interception according to it. The embodiments compute an entropy value from the access target that each message is aimed at and combine it with the number of source network addresses seen behind the source physical address of that access target to judge whether the access target is under DDoS attack. This prevents an attacker from evading detection by forging source IP addresses and similar means, and improves the accuracy of network attack defense compared with detection based on source IP addresses alone.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to the provided drawings without inventive effort for a person having ordinary skill in the art.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
FIG. 2 is a system architecture diagram of a message processing device according to an embodiment of the present application;
fig. 3 is a flow chart of a message processing method provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of a time window according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of a mapping Table1 provided in an embodiment of the present application;
fig. 6 is a schematic diagram of a mapping Table2 provided in an embodiment of the present application;
fig. 7 is a schematic diagram of a mapping Table3 provided in an embodiment of the present application;
FIG. 8 is a flowchart illustrating another message processing method according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 10 is a schematic diagram of a composition structure of a computer device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure. Embodiments and features of embodiments in this application may be combined with each other arbitrarily without conflict. Also, while a logical order is depicted in the flowchart, in some cases, the steps depicted or described may be performed in a different order than presented herein.
In order to facilitate understanding of the technical solutions provided in the embodiments of the present application, some key terms used in the embodiments of the present application are explained here:
DDoS traffic attack: a network attack in which a large number of distributed hosts send requests to a target so that normal legitimate users cannot obtain service. It is mainly characterized by a continuous stream of attack messages with forged source addresses sent to a network service port, which fills the half-open connection queue of the target server, maliciously occupies the bandwidth and host resources of the target server, and overloads the network or system until it stops providing normal network service. DDoS attacks come in many variants, including the common CC attack, TCP/UDP/DNS/SYN/ICMP/NTP/SSDP/ACK/HTTP floods and the related Land, Teardrop, Smurf and Ping of Death attacks.
The following briefly describes the design concept of the embodiment of the present application:
The main current protection means and processing flow for DDoS attacks is as follows: a network communication device receives the network packet sent by a terminal device and passes it to the kernel protocol stack (generally the Linux kernel) for processing; the stack obtains the source IP, destination IP and similar information of the terminal device corresponding to the packet, computes a specific entropy value to judge whether the current service network is under DDoS attack, and drops the packets belonging to the DDoS attack, thereby protecting normal access by legitimate users. With the continuing development of network technology and growth of user demand, DDoS defense technology and products in the related art have struggled to keep pace with current requirements, mainly in the following respects:
(1) As Internet traffic grows, in the era of 1000 Mbps / 10 Gbps / 40 Gbps and even 100 Gbps links, the network communication device hands the large volume of received messages to the kernel protocol stack for complex logical processing, but the kernel protocol stack cannot keep up with the line rate of the network communication device, so processing efficiency is too low, large amounts of data queue in the kernel protocol stack waiting to be processed, and waiting times grow sharply.
(2) The related art judges whether a DDoS attack is under way from the source IP address of the data packet, which has a high misjudgment rate, and a DDoS attack can forge its source IPs, so judgment based on the source IP alone cannot meet the accuracy requirements of current DDoS defense.
In view of the above, the embodiments of the present application provide a message processing method in which a message set within a preset time window is intercepted from a network communication device, and at least one access target involved in the message set and the entropy value of each access target are determined. For any one of the access targets, when its entropy value lies in an abnormal range, the number of source network addresses corresponding to the source physical address of that access target is determined from the subset of the message set that corresponds to it; if that number exceeds a set number threshold, the message interception policy is updated according to the address information set involved in that message subset, and the updated policy is sent to the network communication device, which executes message interception according to it. By computing an entropy value from the access target that each message is aimed at and combining it with the number of source network addresses seen behind the source physical address of that access target, the embodiments judge whether the access target is under DDoS attack, which prevents an attacker from evading detection by forging source IP addresses and similar means and improves the accuracy of network attack defense compared with detection based on source IP addresses alone.
To improve message processing efficiency, the embodiments of the application also intercept network packets on the receive path between the network communication device and the kernel protocol stack, so that packets carrying a DDoS attack threat are handled before they enter the Linux kernel protocol stack, which improves packet processing performance.
The following description is made for some simple descriptions of application scenarios applicable to the technical solutions of the embodiments of the present application, and it should be noted that the application scenarios described below are only used for illustrating the embodiments of the present application and are not limiting. In the specific implementation process, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
The technical solution provided in the embodiment of the present application may be suitable for a network attack defense scenario of various network devices, as shown in fig. 1, which is a schematic application scenario provided in the embodiment of the present application, where the scenario may include a packet processing device 100, an attack client 101, a legal client 102, a protection server 103, and a network 104.
The message processing device 100 may be a computer device with a certain processing capability, for example a mobile phone, a personal computer (PC) or a server, and may be configured to execute any of the methods provided in the embodiments of the present application; these are not enumerated here. For convenience of description, the method embodiments below take a server capable of executing the method as the execution subject. It will be appreciated that having the server execute the method is merely an exemplary illustration and should not be construed as limiting the method. The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms, but is not limited thereto.
The attack client 101 and the legal client 102 may be application programs installed on devices such as a mobile phone, a personal computer (Personal Computer, PC), a tablet personal computer (PAD), a notebook computer, a desktop computer, and a mobile internet device (Mobile Internet Device, MID), which are used for accessing a service port of a protection server and sending a packet to the protection server, and the embodiment of the application is not specifically limited.
The protection server 103 is a computer device protected by the message processing method provided in the embodiment of the present application, for example, a server, a router, a gateway device, etc., where the server may be an independent physical server, or may be a server cluster or a distributed system formed by multiple physical servers, or may be a cloud server that provides cloud services, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, and basic cloud computing services such as big data and an artificial intelligent platform, but is not limited thereto.
In practice, the messages sent by the attack client and the legal client to the protection server all reach the message processing device first. The message processing device processes each received message with the message processing method provided in the embodiments of the application and determines from the result whether the client that sent it is an attack client: if so, the message is discarded; if not, the message is sent on to the corresponding protection server. This achieves DDoS defense for the protection server.
The message processing device 100, the attack client 101, the legal client 102 and the protection server 103 may be connected through a network 104. The network 104 may be a wired network or a wireless network; a wireless network may, for example, be a mobile cellular network such as a fourth generation (4G) network, a fifth generation (5G) network or a New Radio (NR) network, a Wi-Fi network, or another possible network, and the embodiments of the present application are not limited in this respect.
It should be noted that, the number of the message processing device, the attack client, the legal client, and the protection server is not limited in practice, and is not particularly limited in the embodiment of the present application, which is shown in fig. 1 only by way of example.
As shown in fig. 2, a system architecture diagram of a message processing device provided in an embodiment of the present application is shown, where the message processing device specifically includes the following modules:
(1) And the forwarding channel module is used for intercepting network messages sent to the kernel protocol stack from network communication devices such as a network card and the like and acquiring the latest legal address table from the list storage module. And when the source network address of the network message is not in the legal address table, forwarding the network message to a message detection module for attack detection, otherwise forwarding the network message to a cache queue module, and sequentially reading the messages from the cache queue module and sending the messages to corresponding access targets.
(2) And the list storage module is used for storing legal address tables comprising source network address sets corresponding to a plurality of legal clients and inquiring whether the source network address of the network message exists in the legal address tables when the forwarding channel module intercepts the network message from the network communication device.
(3) And the message detection module is used for detecting the validity of the network message through the access target, the entropy value and the number of source network addresses corresponding to the source physical addresses of the access target, which are related to the network message. Storing legal messages to a buffer queue module, updating a message interception policy through address information related to the illegal messages and sending the message interception policy to a forwarding channel module, so that the forwarding channel module sends the updated message interception policy to a network communication device to enable the network communication device to execute message interception processing.
(4) The cache queue module is used to hold, in a cache queue, the legal messages waiting to be sent to their access targets, controlling and balancing the receiving and sending rates so that no packets are lost when the forwarding channel module receives data packets faster than they can be sent on.
(5) The alarm monitoring module is used, when the message detection module detects an illegal message, to send the attack information corresponding to that message to the associated terminal device over a communication protocol and to raise a network attack alarm.
It should be noted that the components and structures of the functional block diagram shown in fig. 2 are merely exemplary and not limiting, and that other components and structures may be provided as desired in a practical scenario.
The message processing method provided in the exemplary embodiment of the present application is described below with reference to the accompanying drawings in conjunction with the application scenario described above, and it should be noted that the application scenario is only shown for the convenience of understanding the spirit and principles of the present application, and the embodiment of the present application is not limited in any way in this respect.
Referring to fig. 3, a flow chart of a message processing method provided in an embodiment of the present application is illustrated by taking a message processing device as an execution body, and a specific implementation flow of the method is as follows:
step 301: the method comprises the steps of intercepting a message set in a preset time window from a network communication device, and determining at least one access target related to the message set and entropy values of the access targets.
In the embodiment of the application, the message processing device intercepts and captures a message set sent to the kernel protocol stack from a network communication device such as a network card through a forwarding channel module, and determines a plurality of access targets related to the message set through the message set in a time window, and characterizes entropy values of total access times of all the access targets.
In a possible implementation manner, according to the source MAC address, the destination IP address and the destination port information contained in the message, a specific service port of a server accessed by the message is determined to be an access target of the message, the entropy value of each access target represents the number of times of access of the message set to the access target, and whether an illegal message exists in the message received by the access target can be determined through the entropy value of the access target.
In one possible implementation, the forwarding channel module may intercept all network packet data packets in the network card through a fast data path (express data path, XDP) procedure. Compared with the kernel protocol stack XDP, the XDP has stronger data processing performance, and before the network message data packet enters the kernel protocol stack, the XDP redirects the data packet to a memory buffer area in the user mode application program, processes the network message data packet, and reduces the processing time of the CPU.
In one possible implementation, when the packet is intercepted by the XDP and forwarded to the user mode memory buffer, in order to distinguish the traffic transient congestion state that may be caused by both a DDos attack and a large number of legal user access services, the user mode application may process the packet by using a sliding window technology. As shown in fig. 4, the unit of the time window is one data packet, the window size may be preset to 100 data packets, and the mapping table is constructed by five-tuple information of 100 data packets in the time window, which may, of course, be set to other possible values.
For example, the plurality of mapping tables can be constructed by using Key-Value Key Value pairs through information such as a source IP address, a source port, a destination IP address, a destination port and the like included in five-tuple information of the packet.
As shown in fig. 5, the key in the Table1 stores source MAC addresses corresponding to 100 data packets in the time window, and the value key corresponding to the key one-to-one stores a source IP address, a destination IP address, and a destination port corresponding to the data packets.
As shown in fig. 6, the key in the Table2 stores information sets of source MAC addresses, destination IP addresses, and destination ports corresponding to 100 data packets in the time window, which are used to indicate access targets corresponding to the data packets, and the value key corresponding to the key one-to-one stores access times corresponding to the access targets, so that the message detection module can determine the access targets related to the message data packets and entropy values corresponding to the access targets through the Table 2.
In a possible implementation manner, as shown in fig. 7, a Table3 may be further constructed, where the Table3 is used to record an access destination related to a historical packet data packet and an entropy value corresponding to the access destination, a key in the Table3 stores a source MAC address, a destination IP address, and a destination port corresponding to the data packet, a value key corresponding to the key one-to-one stores an entropy value corresponding to the data packet, and if the value key is calculated to obtain a new corresponding entropy value, the value stored in the Table3 is updated, and the Table3 is emptied every preset time, so as to reconstruct the Table3 corresponding to the latest time window.
In a possible implementation, as shown in fig. 5, for each access target involved in the message set, the message detection module determines the entropy value of the access target from the number of messages for that access target in the preset time window and the total number of messages in the time window.
Specifically, every 20 data packets in the current time window are grouped in sequence to obtain five groups of data packets; the access counts for the source MAC address, destination IP address and destination port of each group in the current time window are counted through mapping table Table2; the ratio of the access count of an access target in each of the five groups to the total access count of all access targets in the current time window is calculated; and the entropy value for these ratios in the current time window is obtained with the entropy formula below. The entropy value makes it possible to judge accurately whether a specific service port of the protected server is under a DDoS attack.
H(x) = -∑ P(x) log2 P(x),  x = {x1, x2, x3, x4, x5}
All data packets in the current time window are divided into several groups of equal size, and x indexes the packet groups. For example, every 20 data packets in the current time window are grouped in sequence to obtain five groups: x1 is data packets 1-20 in the first group, x2 is data packets 21-40 in the second group, x3 is data packets 41-60 in the third group, x4 is data packets 61-80 in the fourth group, and x5 is data packets 81-100 in the fifth group. P(x) is the ratio of the access count of the access target for the data packets in a group to the total access count of the access targets of all data packets in the current time window, and H(x) is the entropy value for all data packets in the current time window.
In one possible implementation, before the above determination is performed, the forwarding channel module may match the network packet against the legal address table provided by the list storage module, making a preliminary legitimacy determination that reduces the processing load on the device. For each of the source network addresses involved in the message set, it determines whether that source network address is in the legal address table: if it is not, the entropy value of the access target of the message corresponding to the source network address is determined; if it is, the message corresponding to the source network address is stored in a cache queue, from which it is read and sent to its access target.
The legal address table is compiled by the list storage module from the message detection module's results on historical message data packets. Unlike the related art, which stores such data in a single hash table, the list storage module preferably uses a bloom filter that combines several hash functions, chosen through calculation and extensive experiment, so that when a large number of legitimate IP addresses are stored the memory occupied by the legal address table is reduced, queries are faster, and the collision probability is lowered. When the bloom filter holds the legal address table, the forwarding channel module first extracts the source IP address of each received message data packet, queries the legal address table provided by the bloom filter to see whether that source IP address is present, stores the message in the cache queue if it is, and otherwise passes the message to the message detection module for subsequent processing such as entropy calculation to judge whether it is an illegitimate message.
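The legal address table and the forwarding-channel decision described above, as an added example that is not the patent's own code. The bloom filter derives its k probe positions from one SHA-256 digest by double hashing, standing in for the "several hash functions" the description mentions; the sizing formulas, the capacity, the false-positive target and the sample addresses are assumptions of this example.

```python
"""Bloom-filter legal address table and the forwarding-channel decision.

Added example, not the patent's code. The sizing formulas, the double-hashing
scheme, the capacity and the sample addresses are our assumptions.
"""
import hashlib
import math


class BloomFilter:
    """Bit array probed at k positions derived from one SHA-256 digest
    (double hashing: pos_i = h1 + i*h2 mod m), standing in for the several
    hash functions the description mentions."""

    def __init__(self, capacity, fp_rate):
        # Standard sizing for n items at target false-positive rate p:
        # m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1   # odd, so successive probes spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


def build_legal_table(legal_ips, capacity=10_000, fp_rate=0.001):
    """List storage module: the legal address table compiled from earlier
    detection results, held in a bloom filter instead of a single hash table."""
    table = BloomFilter(capacity, fp_rate)
    for ip in legal_ips:
        table.add(ip)
    return table


def route_packet(legal_table, pkt):
    """Forwarding channel: a source IP already known to be legal goes straight
    to the cache queue; anything else is handed to the message detection
    module for the entropy check."""
    return "cache_queue" if pkt["src_ip"] in legal_table else "detection_module"


if __name__ == "__main__":
    # Constructed sample: two addresses learned as legal in earlier windows.
    table = build_legal_table(["192.0.2.10", "192.0.2.11"])
    print(f"{table.m} bits, {table.k} hashes, {table.size_bytes()} bytes")
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, "->", route_packet(table, {"src_ip": ip}))
```

A bloom filter never gives a false negative (an address that was learned as legal always takes the fast path) but can give a false positive, in which case an unknown source skips the detection module for that window; the filter therefore has to be sized for the number of addresses it will hold, and since entries cannot be deleted it is rebuilt rather than edited when the legal set is refreshed.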
Step 302: for any one access target of at least one access target, when the entropy value of the access target is in an abnormal range, determining the number of source network addresses corresponding to the source physical addresses of the access target based on a message subset corresponding to the access target in the message set.
In the embodiment of the application, after calculating the entropy value of an access target, the message detection module also judges whether the entropy value is in the normal range; when it is determined to be in the abnormal range, the legitimacy of the messages is judged further through the number of source network addresses corresponding to the source physical addresses of the access target.
In one possible implementation, the message detection module may decide whether the entropy value of the access target is in the normal range by checking whether it is greater than a preset entropy threshold, and determines that the entropy value is in the abnormal range when it is less than or equal to the preset entropy threshold. An entropy value at or below the threshold may indicate a DDoS attack on the access target, but it may also result from short-term congestion caused by large-scale access by legitimate data packets, so a further judgment is needed in combination with other means; for example, legitimacy can be judged further by determining the number of source network addresses corresponding to the source physical address of the access target.
In one possible implementation, if the entropy value of the access target is determined to be greater than the preset entropy threshold, that is, in the normal range, the source IP address of the client corresponding to the packet is determined to be legitimate and is stored in the legal address table of the list storage module, so that the entropy value need not be calculated again for it.
Step 303: judging whether the number of the source network addresses corresponding to the source physical addresses of the access targets is larger than a preset number threshold, if so, executing step 304, and if not, executing step 305.
In the embodiment of the application, the message detection module determines validity of the message by judging whether the number of the source network addresses corresponding to the source physical addresses of the access targets is larger than a preset number threshold.
In one possible implementation, the message detection module may determine whether the source MAC address of the access target corresponds one-to-one to a source IP address through the mapping in Table1 between the source MAC address stored as the key and the source IP address, destination IP address and destination port stored as the value. When it finds that the source MAC address of the access target corresponds to several source IP addresses in Table1, the access target may be determined to be under a DDoS attack and the message packets to be illegitimate. If one source MAC address of the access target corresponds to only one source IP address, the client corresponding to the message data packet is a normal legitimate user, and its source IP address is stored in the legal address table of the list storage module so that subsequent messages from it can be distributed directly without a legitimacy check, improving the efficiency of message distribution.
Step 304: and updating the message interception strategy based on the address information set related to the message subset.
In the embodiment of the application, after the message detection module determines that the message subset is an illegal message, the corresponding message interception policy is updated according to the address information related to the message subset.
The address information set may be, for example, the combination of source MAC address, destination IP address and destination port related to the packet subset. The corresponding packet-drop policy is updated with this combined information so that packets matching it are intercepted and discarded, thereby defending against the DDoS attack.
Step 305: storing each message in the message subset corresponding to the access target to a cache queue, so as to read the message from the cache queue and send the message to the corresponding access target.
In the embodiment of the application, after the message detection module determines that the message subset is legal, each message is stored in the buffer queue module, so that normal data communication is realized.
For example, because the XDP technology used by the forwarding channel module has no queue buffering mechanism of its own, packets may be lost when XDP receives data packets faster than it can send them. The buffer queue module is therefore used to balance the rates at which XDP receives and sends messages, so that packet loss is avoided.
Step 306: and sending the updated message interception policy to the network communication device so that the network communication device executes message interception processing based on the updated message interception policy.
In the embodiment of the application, after updating the message interception policy the message detection module sends it to the forwarding channel module, which sends it on to the network communication device such as the network card, so that the network communication device intercepts and discards the messages matching the message information indicated by the policy, thereby defending against the DDoS attack.
For example, XDP may download the packet interception policy to the network device such as the network card as byte code through the Berkeley Packet Filter (BPF) technology, and the network card, based on the interception policy, drops the corresponding illegitimate packets through an embedded neural-network processing unit (NPU), thereby implementing the DDoS defence function.
In a possible implementation, as shown in fig. 8, a specific implementation flow of the message processing method provided in the embodiment of the present application is as follows:
step 801: the time window is initialized.
Step 802: and receiving the message data packet in the current time window.
Step 803: five-tuple information is extracted from the message data packet, and mapping tables Table1 and Table2 are constructed according to the information.
Step 804: and calculating an entropy value corresponding to the access target of the current time window according to the access target indicated by the source MAC address, the destination IP address and the destination port information in the mapping Table Table2 and the corresponding access times.
Step 805: judging whether the entropy value is smaller than a preset entropy value threshold, if yes, executing step 806, otherwise executing step 807.
Step 806: and judging whether the number of the source network addresses corresponding to the source MAC addresses in the mapping Table Table1 is larger than a set number threshold according to the source MAC addresses of the access targets. If yes, go to step 808, if not, jump to step 807.
Step 807: and storing the message data packet into a buffer queue module.
Step 808: and updating the message interception policy according to the source MAC address, the destination IP address and the destination port information and sending the message interception policy to the network card, so that the network card executes corresponding message interception processing according to the message interception policy.
Step 809: and clearing the current time window information, and the mapping tables Table1 and Table2 of the current time window.
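The whole flow of steps 801-809, together with the Table1/Table2 construction and the five-group entropy formula described earlier, as an added example that is not the patent's own code. The entropy threshold, the source-address count threshold and the sample traffic are assumptions of this example, and P(x_i) is read as the share of one access target's accesses that fall in group i, which is one interpretation of the formula in the description.

```python
"""Sliding-window entropy detector after the flow of steps 801-809.

Added example, not the patent's code. Assumed values: the entropy threshold,
the source-address count threshold and the constructed sample traffic.
"""
import math
from collections import Counter, defaultdict

WINDOW_SIZE = 100            # window of 100 packets, as in the description
GROUP_SIZE = 20              # five groups of 20 packets
ENTROPY_THRESHOLD = 1.5      # assumed; the description only says "preset"
SRC_IP_THRESHOLD = 3         # assumed "set number threshold"

LEGIT_MAC = "02:00:00:00:00:01"     # constructed sample addresses
ATTACK_MAC = "02:00:00:00:00:02"


def make_sample_window():
    """Constructed traffic: 80 packets from one legitimate client to 10.0.0.5:443
    spread over the whole window, plus 20 packets to 10.0.0.5:80 that arrive only
    in the last two groups and carry 20 different source IPs behind a single MAC."""
    window = []
    for group in range(WINDOW_SIZE // GROUP_SIZE):
        for i in range(GROUP_SIZE):
            if group >= 3 and i >= 10:
                window.append({"src_mac": ATTACK_MAC,
                               "src_ip": f"198.51.100.{group * GROUP_SIZE + i}",
                               "dst_ip": "10.0.0.5", "dst_port": 80})
            else:
                window.append({"src_mac": LEGIT_MAC, "src_ip": "192.0.2.10",
                               "dst_ip": "10.0.0.5", "dst_port": 443})
    return window


def access_target(pkt):
    """An access target is (source MAC, destination IP, destination port)."""
    return (pkt["src_mac"], pkt["dst_ip"], pkt["dst_port"])


def build_tables(window):
    """Step 803. Table1: source MAC -> set of (src IP, dst IP, dst port).
    Table2: access target -> number of accesses in the window."""
    table1 = defaultdict(set)
    table2 = Counter()
    for pkt in window:
        table1[pkt["src_mac"]].add((pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"]))
        table2[access_target(pkt)] += 1
    return table1, table2


def entropy_for_target(window, target):
    """Step 804: H = -sum P(x) log2 P(x) over the five groups, with P(x_i) the share
    of this target's accesses that fall in group i (our reading of the formula).
    H is 0 when all accesses sit in one group and log2(5) when they are spread evenly."""
    counts = [0] * (WINDOW_SIZE // GROUP_SIZE)
    for idx, pkt in enumerate(window):
        if access_target(pkt) == target:
            counts[idx // GROUP_SIZE] += 1
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def source_ip_count(table1, src_mac):
    """Step 806: number of distinct source IPs seen behind one source MAC."""
    return len({entry[0] for entry in table1[src_mac]})


def analyze_window(window):
    """Steps 804-808 for every access target in the window. Returns the entropy per
    target, the (src MAC, dst IP, dst port) tuples to add to the drop policy, and the
    source IPs that may be added to the legal address table. Step 809 is implicit:
    the tables are rebuilt from scratch for every window."""
    table1, table2 = build_tables(window)
    src_ips = defaultdict(set)
    for pkt in window:
        src_ips[access_target(pkt)].add(pkt["src_ip"])
    entropy, drop_rules, legal_ips = {}, set(), set()
    for target in table2:
        h = entropy[target] = entropy_for_target(window, target)
        if h > ENTROPY_THRESHOLD:
            legal_ips |= src_ips[target]          # normal range: step 807, learn as legal
        elif source_ip_count(table1, target[0]) > SRC_IP_THRESHOLD:
            drop_rules.add(target)                # abnormal and many IPs per MAC: step 808
        else:
            legal_ips |= src_ips[target]          # abnormal but one IP per MAC: step 807
    return {"entropy": entropy, "drop_rules": drop_rules, "legal_ips": legal_ips}


if __name__ == "__main__":
    result = analyze_window(make_sample_window())
    for target, h in result["entropy"].items():
        print(target, f"H={h:.3f}")
    print("drop rules:", result["drop_rules"])
    print("legal IPs:", result["legal_ips"])
```

With the constructed window the legitimate target's accesses are spread over all five groups (H = 2.25, above the assumed threshold), while the second target's 20 accesses fall in the last two groups only (H = 1.0) and its one source MAC carries 20 source IPs, so only that (MAC, IP, port) combination is added to the drop policy. The step-805 comparison uses "less than or equal", following the description of the abnormal range given with step 302; the figure-8 text says "smaller than", and a real implementation should pick one consistently.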
Referring to fig. 9, based on the same inventive concept, an embodiment of the present application further provides a message processing apparatus 9, which includes:
an intercepting unit 901, configured to intercept a message set in a preset time window from a network communication device, and determine at least one access target related to the message set and an entropy value of each access target, where the entropy value is used to characterize the total number of accesses to each access target;
a determining unit 902, configured to determine, for any one of at least one access target, when an entropy value of the access target is within an abnormal range, based on a subset of messages corresponding to the access target in the set of messages, a number of source network addresses corresponding to source physical addresses of the access target;
an updating unit 903, configured to update the message interception policy based on the address information set related to the message subset if the number is greater than the set number threshold;
and a sending unit 904, configured to send the updated message interception policy to the network communication device, so that the network communication device performs message interception processing based on the updated message interception policy.
Optionally, the determining unit 902 is specifically configured to:
for at least one source network address involved in the message set, the following operations are performed respectively:
for a source network address, determining whether the source network address is in a legal address table, wherein the legal address table is obtained from messages historically determined to be legal;
If the source network address is not in the legal address table, determining the entropy value of the access target related to the message corresponding to the source network address.
Optionally, the determining unit 902 is specifically configured to:
if the source network address is in the legal address table, storing the message corresponding to the source network address into a cache queue, reading the message from the cache queue and sending the message to a corresponding access target.
Optionally, the determining unit 902 is specifically configured to:
if the number is not greater than the set number threshold, determining that each message in the message subset is a legal message;
storing each message into a cache queue, so as to read the message from the cache queue and send the message to a corresponding access target.
Optionally, the intercepting unit 901 is specifically configured to:
for at least one access target, the following operations are performed:
aiming at an access target, obtaining an entropy value corresponding to the access target based on the number of messages related to the access target in a preset time window and the total number of all messages in the preset time window.
Optionally, the intercepting unit 901 is specifically configured to:
storing the message set into a user state storage space, and sending notification information to a user state detection program, wherein the notification information comprises storage address information of the message set;
reading the message set based on the storage address information through the user state detection program, and determining at least one access target related to the message set and the entropy value of each access target.
By this device, a message set in a preset time window is intercepted from a network communication device, at least one access target related to the message set and the entropy value of each access target are determined, and when the entropy value of any access target is in the abnormal range, the number of source network addresses corresponding to the source physical addresses of the access target is determined from the message subset corresponding to that access target in the message set; if that number is larger than the set number threshold, a message interception policy is updated from the address information set related to the message subset, the updated policy is sent to the network communication device, and the network communication device executes message interception processing according to it. The device calculates the entropy value per access target of the messages and combines it with the number of source network addresses behind the source physical addresses of the access target to judge whether the access target is under a DDoS attack, so that an attacker cannot evade detection by forging source IP addresses or similar means; compared with attack detection based on source IP addresses alone, the accuracy of network attack defense is improved.
For convenience of description, the above parts are respectively described as being functionally divided into unit modules (or modules). Of course, the functions of each unit (or module) may be implemented in the same piece or pieces of software or hardware when implementing the present application. The apparatus may be used to perform the methods shown in the embodiments of the present application, so the descriptions of the foregoing embodiments may be referred to for the functions that can be implemented by each functional module of the apparatus, and are not repeated.
Referring to fig. 10, based on the same technical concept, the embodiment of the application further provides a computer device. In one embodiment, the computer device may include a memory 1001, a communication module 1003, and one or more processors 1002 as shown.
Memory 1001 for storing computer programs for execution by processor 1002. The memory 1001 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system; the storage data area may store various sets of operation instructions, etc.
The memory 1001 may be a volatile memory such as a random-access memory (RAM); it may also be a non-volatile memory such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid state drive (SSD); or it may be any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. Memory 1001 may also be a combination of the above.
The processor 1002 may include one or more central processing units (central processing unit, CPU) or digital processing units, or the like. The processor 1002 is configured to implement the above-described message processing method when calling the computer program stored in the memory 1001.
The communication module 1003 is used for communicating with other network devices.
The specific connection medium between the memory 1001, the communication module 1003 and the processor 1002 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 1001 and the processor 1002 are connected by the bus 1004 in fig. 10, which is drawn as a thick line; the connections between the other components are only schematic and not limited to the illustration. The bus 1004 may be divided into an address bus, a data bus, a control bus, and the like. For ease of description only one thick line is drawn in fig. 10, but this does not mean that there is only one bus or one type of bus.
The memory 1001 stores a computer storage medium, and the computer storage medium stores computer executable instructions for implementing the message processing method of the embodiment of the present application. The processor 1002 is configured to perform the message processing method of each of the above embodiments.
Based on the same inventive concept, the embodiments of the present application also provide a storage medium having a computer program stored thereon, which when executed on a computer causes a computer processor to perform the steps in the message processing method according to the various embodiments of the present application described above in the present specification.
In some possible embodiments, various aspects of the message processing method provided herein may also be implemented in the form of a program product comprising program code for causing a computer device to perform the steps of the message processing method according to various exemplary embodiments of the present application as described above, when the program product is run on a computer device, e.g. the computer device may perform the steps of the various embodiments.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include program code and may run on a computing device. However, the program product of the present application is not limited thereto, and in the present application, the readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a command execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's equipment, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present application. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this is not required to or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method for processing a message, the method comprising:
intercepting a message set in a preset time window from a network communication device, and determining at least one access target related to the message set and an entropy value of each access target, wherein the entropy value is used for representing the total number of accesses of each access target;
for any access target of the at least one access target, when the entropy value of the access target is in an abnormal range, determining the number of source network addresses corresponding to the source physical addresses of the access target based on a message subset corresponding to the access target in the message set;
if the number is larger than the set number threshold, updating a message interception strategy based on the address information set related to the message subset;
and sending the updated message interception policy to the network communication device so that the network communication device executes message interception processing based on the updated message interception policy.
2. The method of claim 1, wherein the determining at least one access target involved in the set of messages and the entropy value of each access target comprises:
for at least one source network address involved in the message set, respectively executing the following operations:
for a source network address, determining whether the source network address is located in a legal address table, wherein the legal address table is obtained from messages historically determined to be legal;
and if the source network address is not in the legal address table, determining the entropy value of the access target related to the message corresponding to the source network address.
3. The method of claim 2, wherein after determining for a source network address whether the source network address is in a legal address table, the method further comprises:
and if the source network address is in the legal address table, storing the message corresponding to the source network address into a cache queue, reading the message from the cache queue and sending the message to a corresponding access target.
4. The method of claim 1, wherein after the determining the number of source network addresses corresponding to the source physical address of the access target based on the subset of messages corresponding to the access target in the set of messages, the method further comprises:
If the number is not greater than the set number threshold, determining that each message in the message subset is a legal message;
and storing each message into a cache queue, reading the message from the cache queue and sending the message to a corresponding access target.
5. The method according to any one of claims 1 to 4, wherein said determining at least one access target and an entropy value of each access target to which said set of messages relates for said preset time window comprises:
for the at least one access target, the following operations are respectively executed:
aiming at an access target, obtaining an entropy value corresponding to the access target based on the number of messages related to the access target in the preset time window and the total number of all messages in the preset time window.
6. The method according to any of claims 1-4, wherein after the intercepting of the set of messages from the network communication device within a preset time window, the method further comprises:
storing the message set into a user state storage space, and sending notification information to a user state detection program, wherein the notification information comprises storage address information of the message set;
The determining at least one access target related to the message set and the entropy value of each access target comprises:
and reading the message set based on the storage address information through the user state detection program, and determining at least one access target related to the message set and entropy values of the access targets.
7. A message processing apparatus, the apparatus comprising:
an interception unit, configured to intercept a message set within a preset time window from a network communication device and to determine at least one access target related to the message set and an entropy value of each access target, wherein the entropy value represents the total number of accesses to each access target;
a determining unit, configured to determine, for any one of the at least one access target, when the entropy value of the access target is within an abnormal range, the number of source network addresses corresponding to the source physical addresses of the access target based on the subset of messages corresponding to the access target in the message set;
an updating unit, configured to update the message interception policy based on the address information set related to the message subset if the number is larger than a set number threshold; and
a sending unit, configured to send the updated message interception policy to the network communication device so that the network communication device executes message interception processing based on the updated message interception policy.
8. A computer device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method according to any one of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1-6.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-6.
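Claims 5 and 7 describe the detection pipeline in prose: a per-target entropy value derived from the target's share of the window's messages, an abnormal-range check, a count of distinct source network addresses seen behind each source physical address for the suspect target, and a policy update when that count exceeds a threshold. The following Python is an added example of that pipeline written for this page; it is not the patent's code and the patent does not give the entropy formula. It assumes the entropy value is the surprisal -log2(n_t / N) of the target's share (low when one target dominates the window), that the "abnormal range" is a configurable lower bound in bits, that the interception policy is a map from (target, source MAC) to a set of source IPs, and that the sample messages are constructed, not captured traffic.

```python
"""Entropy-gated detection of spoofed-source floods (added example, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Message:
    src_mac: str   # source physical address
    src_ip: str    # source network address
    dst_ip: str    # access target


def target_entropies(window):
    """Per-target entropy value: surprisal -log2(n_t / N) of each target's share
    of all messages in the window (assumed formula; the page only says the value
    is derived from the target's message count and the window total)."""
    total = len(window)
    counts = defaultdict(int)
    for m in window:
        counts[m.dst_ip] += 1
    return {t: -math.log2(n / total) for t, n in counts.items()}


def ips_per_source_mac(subset):
    """Distinct source network addresses seen behind each source physical address."""
    seen = defaultdict(set)
    for m in subset:
        seen[m.src_mac].add(m.src_ip)
    return seen


def update_policy(window, policy, entropy_threshold=1.0, ip_threshold=8):
    """Return a new interception policy (the old one is left untouched).

    A target whose entropy is below entropy_threshold (it draws more than
    2**-entropy_threshold of the window) is examined; if any source MAC sending
    to it carries more than ip_threshold distinct source IPs, the address set
    (target, source MAC, source IPs) is added to the policy.
    """
    new_policy = {k: set(v) for k, v in policy.items()}
    for target, h in target_entropies(window).items():
        if h >= entropy_threshold:
            continue                      # entropy in the normal range: skip
        subset = [m for m in window if m.dst_ip == target]
        for mac, ips in ips_per_source_mac(subset).items():
            if len(ips) > ip_threshold:   # too many IPs behind one MAC
                new_policy.setdefault((target, mac), set()).update(ips)
    return new_policy


def should_intercept(policy, m):
    """What the network communication device would apply per message."""
    rule = policy.get((m.dst_ip, m.src_mac))
    return rule is not None and m.src_ip in rule


def constructed_window():
    """Constructed sample: one MAC sending 20 different source IPs to 10.0.0.5,
    plus benign traffic from single-IP hosts (documentation address ranges)."""
    msgs = [Message("aa:aa:aa:aa:aa:01", f"198.51.100.{i}", "10.0.0.5") for i in range(20)]
    msgs += [Message("bb:bb:bb:bb:bb:02", "192.0.2.10", "10.0.0.5")] * 3
    msgs += [Message(f"cc:cc:cc:cc:cc:{i:02x}", f"203.0.113.{i}", "10.0.0.9") for i in range(5)]
    return msgs


if __name__ == "__main__":
    policy = update_policy(constructed_window(), {})
    for key, ips in policy.items():
        print(key, sorted(ips))
```

With the constructed window, 10.0.0.5 receives 23 of 28 messages (surprisal about 0.28 bits, below the 1.0-bit bound) and is examined; the MAC behind the 20 distinct source IPs lands in the policy while the single-IP benign sender to the same target does not, which is the distinction the claims draw between a busy target and a spoofed-source flood. The thresholds are placeholders and would be tuned per deployment.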
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211667908.9A CN116015841A (en) 2022-12-23 2022-12-23 Message processing method, device, equipment and storage medium
Publications (1)

Publication Number Publication Date
CN116015841A true CN116015841A (en) 2023-04-25

Family

ID=86031556


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination