CN116455801A - Method and device for acquiring full path network access relation - Google Patents


Info

Publication number
CN116455801A
Authority
CN
China
Prior art keywords
network
nat
nat device
session
access
Legal status
Pending
Application number
CN202310454802.9A
Other languages
Chinese (zh)
Inventor
郭曦拓
徐徽
周明嘉
张佳温
张祥
颜回中
陈梓忠
Current Assignee
China Guangfa Bank Co Ltd
Original Assignee
China Guangfa Bank Co Ltd
Application filed by China Guangfa Bank Co Ltd
Priority to CN202310454802.9A
Publication of CN116455801A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L45/00 Routing or path finding of packets in data switching networks > H04L45/02 Topology update or discovery > H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L45/00 Routing or path finding of packets in data switching networks > H04L45/74 Address processing for routing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/25 Mapping addresses of the same type > H04L61/2503 Translation of Internet protocol [IP] addresses > H04L61/256 NAT traversal
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00 Reducing energy consumption in communication networks > Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a method and a device for acquiring a full-path network access relationship. The method comprises: obtaining a structured session log for each NAT device among a plurality of NAT devices; extracting, from the structured session log of each NAT device, the local network access relation of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relations of the network session at each NAT device to obtain the full-path network access relation across the network boundary of each NAT device. The method and device solve the technical problem that the related art cannot efficiently and accurately acquire full-path network access relations that traverse NAT devices in complex NAT environments.

Description

Method and device for acquiring full path network access relation
Technical Field
The present invention relates to the field of network communication technologies, and in particular to a method and an apparatus for obtaining a full-path network access relationship.
Background
With the growth of online services, communication between enterprise intranets and the Internet, and between enterprise intranets, is increasingly frequent, and the security risk of the exposed surface at the network security boundary grows with it; rapidly obtaining the network access relationships at the security boundary is critical for locating boundary attack events. Because a network access session traverses the security boundary, the source network address (Internet Protocol, IP), destination IP, destination port and other elements of the access relationship may be translated one or more times along the way, and in environments with complex network address translation (NAT) of this kind the related art cannot efficiently and accurately obtain the full-path network access relationship crossing the security boundary.
No effective solution to these problems has yet been proposed.
Disclosure of Invention
The embodiments of this application provide a method and a device for acquiring a full-path network access relationship, which at least solve the technical problem that the related art cannot efficiently and accurately acquire full-path network access relations that traverse NAT devices in complex NAT environments.
According to one aspect of the embodiments of this application, a method for acquiring a full-path network access relationship is provided, comprising: obtaining a structured session log for each NAT device among a plurality of NAT devices; extracting, from the structured session log of each NAT device, the local network access relation of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relations of the network session at each NAT device to obtain the full-path network access relation across the network boundary of each NAT device.
Optionally, extracting the local network access relation of the network session at each NAT device from its structured session log includes: obtaining the network boundary topology of the NAT device and generating an access path table for the NAT device from that topology, where the access path table contains the identification information of the NAT device, the name of the network boundary in which the device sits, the cascade level of the device and, for each access direction in which a network session passes through the device, the name of the ingress interface and the name of the egress interface, the ingress interface being the interface through which the session enters the NAT device and the egress interface the interface through which it leaves; generating a log aggregation table from the structured session log and determining the access direction of the network session through the NAT device from the access path table and the log aggregation table; and extracting the local network access relation of the network session at the NAT device according to that access direction.
Optionally, obtaining a structured session log for each of the plurality of NAT devices includes: collecting a plurality of logs from the plurality of NAT devices and extracting key element information from them, the key element information comprising timestamp, source network address, destination network address, destination port, source mapped network address, destination mapped network address, destination mapped port, protocol type, source interface and destination interface; obtaining identification information of each NAT device, comprising at least one of the name of the NAT device and the network address of the NAT device; and combining the key element information of each NAT device with its identification information to obtain the structured session log of that NAT device.
Optionally, generating the log aggregation table from the structured session logs includes: setting a preset period and collecting the structured session logs that fall within it; grouping records whose key element information is identical in every field other than the timestamp into one group, yielding a plurality of groups; and generating the log aggregation table from these groups, where the table contains the identification information of the NAT device, the key element information, and the number of times each group occurs.
Optionally, generating the log aggregation table from the structured session log and determining the access direction of the network session through the NAT device from the access path table and the log aggregation table includes: reading from the log aggregation table the identification information of the NAT device together with the source interface name and destination interface name recorded against that identification information; and looking up, in the access path table of the NAT device indicated by that identification information, the entry matching the identification information, the source interface name and the destination interface name, thereby determining the access direction of the network session through that NAT device.
Optionally, extracting the local network access relation of the network session at the NAT device according to the access direction includes: if the access direction is inbound, taking the source mapped network address recorded against the identification information of the NAT device as the internal interface source network address, the destination network address as the internal interface destination network address, the destination port as the internal interface destination port, the source network address as the external interface source network address, the destination mapped network address as the external interface destination network address, and the destination mapped port as the external interface destination port, where inbound means that a device inside the network boundary is accessed from a device outside it; and determining the local network access relations of the network session at the NAT device for the inbound direction from the internal interface source network address, internal interface destination network address, internal interface destination port, external interface source network address, external interface destination network address and external interface destination port.
If the access direction is outbound, taking the source network address recorded against the identification information of the NAT device as the internal interface source network address, the destination mapped network address as the internal interface destination network address, the destination mapped port as the internal interface destination port, the source mapped network address as the external interface source network address, the destination network address as the external interface destination network address, and the destination port as the external interface destination port, where outbound means that a device outside the network boundary is accessed from a device inside it; and determining the local network access relations of the network session at the NAT device for the outbound direction from the internal interface source network address, internal interface destination network address, internal interface destination port, external interface source network address, external interface destination network address and external interface destination port.
Optionally, concatenating the local network access relations at each NAT device to obtain the full-path network access relation of the network boundary to which the NAT device belongs includes: determining, from the access path table, the number of NAT devices in the network boundary to which the NAT device belongs; if that number is greater than one, concatenating the local network access relations of the NAT devices within the same network boundary according to a concatenation rule to obtain the full-path network access relation; and if that number equals one, taking the local network access relation of the single NAT device as the full-path network access relation.
Optionally, concatenating the local network access relations of the NAT devices within the same network boundary according to the concatenation rule includes: if the internal interface source network address of a first NAT device equals the external interface source network address of a second NAT device, the internal interface destination network address of the first NAT device equals the external interface destination network address of the second NAT device, and the internal interface destination port of the first NAT device equals the external interface destination port of the second NAT device, then the local network access relation of the first NAT device and that of the second NAT device are joined in series to form the full-path access relation of the network boundary, where the first and second NAT devices belong to the same network boundary, are adjacent to each other, and the cascade level of the first NAT device is lower than that of the second NAT device.
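The procedure described in the preceding paragraphs, from the log aggregation table through access-direction lookup and the internal/external interface tuples to the concatenation rule, written out in Python as an added example; this is not the patent's or the assignee's own code. It starts from session records that have already been structured. The device names, interface names, addresses, boundary names and access path table are constructed for illustration, and cascade level 1 is taken to be the device nearest the external network, which the concatenation rule implies (the lower-level device's internal side meets the higher-level device's external side) but the text does not state.

```python
"""Added example (not the patent's code): structured NAT session logs ->
aggregation table -> access direction -> local relations -> full-path chain.
All devices, interfaces, addresses and logs below are constructed."""
from collections import Counter

# Access path table (constructed). Level 1 is the device nearest the external
# network; ingress/egress are named for the client-initiated packet.
ACCESS_PATHS = [
    {"device": "fw-outer", "boundary": "internet-dmz", "level": 1,
     "direction": "inbound", "ingress": "ge0/0/1", "egress": "ge0/0/2"},
    {"device": "lb-inner", "boundary": "internet-dmz", "level": 2,
     "direction": "inbound", "ingress": "eth0", "egress": "eth1"},
    {"device": "fw-branch", "boundary": "branch-internet", "level": 1,
     "direction": "outbound", "ingress": "ge0/0/2", "egress": "ge0/0/1"},
]

# Structured session logs (constructed). Per the patent's glossary: src, dst_mapped and
# dport_mapped are the pre-NAT values; src_mapped, dst and dport the post-NAT values.
def _rec(ts, dev, src, src_m, dst, dst_m, dport, dport_m, src_if, dst_if):
    return {"ts": ts, "device": dev, "src": src, "src_mapped": src_m, "dst": dst,
            "dst_mapped": dst_m, "dport": dport, "dport_mapped": dport_m,
            "proto": "tcp", "src_if": src_if, "dst_if": dst_if}

SESSION_LOGS = [
    # Internet client -> public VIP on fw-outer, DNAT to the DMZ load balancer (seen twice).
    _rec("10:00:01", "fw-outer", "203.0.113.5", "203.0.113.5", "10.1.1.10",
         "198.51.100.10", 443, 443, "ge0/0/1", "ge0/0/2"),
    _rec("10:00:07", "fw-outer", "203.0.113.5", "203.0.113.5", "10.1.1.10",
         "198.51.100.10", 443, 443, "ge0/0/1", "ge0/0/2"),
    # Same session at the load balancer: SNAT to its own address, DNAT to the real server.
    _rec("10:00:01", "lb-inner", "203.0.113.5", "10.1.1.200", "10.2.2.20",
         "10.1.1.10", 8443, 443, "eth0", "eth1"),
    # Single-NAT boundary, outbound: branch host to an Internet server.
    _rec("10:01:00", "fw-branch", "10.9.9.9", "198.51.100.77", "192.0.2.80",
         "192.0.2.80", 443, 443, "ge0/0/2", "ge0/0/1"),
]

KEY_FIELDS = ("device", "src", "src_mapped", "dst", "dst_mapped",
              "dport", "dport_mapped", "proto", "src_if", "dst_if")


def aggregate(logs):
    """Log aggregation table: group on every key element except the timestamp."""
    counts = Counter(tuple(r[f] for f in KEY_FIELDS) for r in logs)
    return [dict(zip(KEY_FIELDS, key), count=n) for key, n in counts.items()]


def access_direction(device, src_if, dst_if):
    """Resolve (direction, boundary, level) from the device's access path table."""
    for p in ACCESS_PATHS:
        if (p["device"], p["ingress"], p["egress"]) == (device, src_if, dst_if):
            return p["direction"], p["boundary"], p["level"]
    raise LookupError(f"no access path for {device} {src_if}->{dst_if}")


def local_relation(row):
    """Internal- and external-interface (src, dst, dport) tuples of the session."""
    direction, boundary, level = access_direction(row["device"], row["src_if"], row["dst_if"])
    if direction == "inbound":   # external -> internal: the inner side sees the translated packet
        internal = (row["src_mapped"], row["dst"], row["dport"])
        external = (row["src"], row["dst_mapped"], row["dport_mapped"])
    else:                        # outbound: the inner side sees the untranslated packet
        internal = (row["src"], row["dst_mapped"], row["dport_mapped"])
        external = (row["src_mapped"], row["dst"], row["dport"])
    return {"device": row["device"], "boundary": boundary, "level": level,
            "direction": direction, "proto": row["proto"],
            "internal": internal, "external": external}


def full_paths(relations):
    """Chain from level 1: outer.internal must equal the next level's external tuple."""
    paths = []
    for start in (r for r in relations if r["level"] == 1):
        chain = [start]
        while True:
            last = chain[-1]
            nxt = next((r for r in relations if r["boundary"] == last["boundary"]
                        and r["level"] == last["level"] + 1
                        and r["direction"] == last["direction"]
                        and r["external"] == last["internal"]), None)
            if nxt is None:
                break
            chain.append(nxt)
        outer, inner = chain[0], chain[-1]
        if outer["direction"] == "inbound":   # client outside, server behind the deepest hop
            client, (server, port) = outer["external"][0], inner["internal"][1:]
        else:                                 # client inside, server beyond the outer hop
            client, (server, port) = inner["internal"][0], outer["external"][1:]
        paths.append({"boundary": outer["boundary"], "direction": outer["direction"],
                      "client": client, "nat_hops": [r["device"] for r in chain],
                      "server": server, "port": port, "proto": outer["proto"]})
    return paths


def run(logs=SESSION_LOGS):
    return full_paths([local_relation(row) for row in aggregate(logs)])


if __name__ == "__main__":
    for p in run():
        print(f'{p["boundary"]:16}{p["direction"]:9}{p["client"]} -> '
              f'{" -> ".join(p["nat_hops"])} -> {p["server"]}:{p["port"]}/{p["proto"]}')
```

The chain is matched on the direction as well as on the three-tuple, because a cascaded pair can carry inbound and outbound sessions between the same two addresses at the same time and the tuple alone would not distinguish them. A level-1 relation whose internal tuple matches no higher-level external tuple still yields a path of one hop, which is the single-NAT case of the preceding paragraph.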
Optionally, the method for acquiring the full-path network access relation further comprises: in the full-path network access relation, designating the node corresponding to the device that initiates the access request as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices as intermediate nodes; designating the line segments connecting the start node, the intermediate nodes and the end node as edges, whose direction follows the access direction of the network session through the network boundary and is indicated by arrows; generating a visual view of the full-path network access relation from the start node, the intermediate nodes, the end node and the edges; and displaying that view.
According to another aspect of the embodiments of this application, a system for displaying a full-path network access relationship is also provided, comprising a terminal device, a data visualization server and a data processing server. The terminal device is connected to the data visualization server and is used to send it a query request for the full-path network access relationship of a network boundary and to display the full-path network access relationship. The data visualization server is connected to the data processing server and is used to respond to the query request by obtaining the data corresponding to the full-path network access relationship. The data processing server is used to collect the logs of the NAT devices, convert them into a structured session log for each NAT device, extract the local network access relation of a network session at each NAT device from its structured session log, concatenate the local network access relations at each NAT device into the full-path network access relation of the network boundary of each NAT device, store the data corresponding to the full-path network access relationship, and deliver that data to the data visualization server, where the network session is a session between a device inside the network boundary and a device outside it.
According to another aspect of the embodiments of this application, an apparatus for acquiring a full-path network access relationship is also provided, comprising an acquisition module, an extraction module and a processing module. The acquisition module is used to obtain a structured session log for each NAT device among a plurality of NAT devices; the extraction module is used to extract, from the structured session log of each NAT device, the local network access relation of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and the processing module is used to concatenate the local network access relations of the network session at each NAT device to obtain the full-path network access relation of the network boundary of each NAT device.
According to another aspect of the embodiments of this application, a non-volatile storage medium is further provided, in which a computer program is stored; the device in which the non-volatile storage medium is located executes the above method for acquiring a full-path network access relationship by running the computer program.
According to another aspect of the embodiments of this application, an electronic device is also provided, comprising a memory in which a computer program is stored and a processor arranged to perform the above method for acquiring a full-path network access relationship by means of the computer program.
In the embodiments of this application, a structured session log is obtained for each NAT device among a plurality of NAT devices; the local network access relation of a network session at each NAT device is extracted from its structured session log, the network session being a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and the local network access relations of the network session at each NAT device are concatenated to obtain the full-path network access relation of the network boundary of each NAT device. By collecting the local network access relations before and after each NAT node in the boundary path and matching them in series, the full-path network access relation across the NAT devices is obtained and can be displayed. This achieves the purpose of acquiring and displaying the full-path network access relation of the network boundary of the NAT devices, and solves the technical problem that the related art cannot efficiently and accurately obtain full-path network access relations through NAT devices in complex NAT configurations such as one-to-many mapping, many-to-one mapping, address mapping combined with policy-based routing (PBR) and port mapping, as well as in deployments where NAT devices are cascaded.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of a method of obtaining full path network access relationships according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a log aggregation table according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a network boundary topology according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an ingress and egress path table of a NAT device according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a full path network access relationship table according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a full path network access relationship view according to an embodiment of the present application;
FIG. 7 is a block diagram of a system for displaying full path network access relationships according to an embodiment of the present application;
FIG. 8 is a workflow diagram of a system for displaying full path network access relationships according to an embodiment of the present application;
FIG. 9 is a block diagram of an apparatus for acquiring full path network access relationships according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For better understanding of the embodiments of the present application, technical terms related in the embodiments of the present application are explained below:
NAT device: a device that translates the source IP, destination IP, destination port and other fields of IP packets in network communication. In the embodiments of this application a NAT device may be any device with a NAT function, such as a firewall, load balancer, switch, router or NAT gateway, and in form may be a physical appliance, a virtual server or a cloud server.
Timestamp: in general, data produced to attest when its subject was created (in digital signature schemes, the time of signing); in the embodiments of this application, the timestamp of each log indicates the time at which that log was generated.
Source network address (source IP): the value of the source address field of the IP packet before the client-initiated packet enters the NAT device, i.e. the true source IP.
Source mapped network address (source mapped IP): the value of the source address field of the IP packet after the client-initiated packet has passed through the NAT device.
Destination network address (destination IP): the value of the destination address field of the IP packet after the client-initiated packet has passed through the NAT device, i.e. the true destination IP.
Destination mapped network address (destination mapped IP): the value of the destination address field of the IP packet before the client-initiated packet enters the NAT device.
Destination port: the value of the destination port field of the IP packet after the client-initiated packet has passed through the NAT device, i.e. the true destination port.
Destination mapped port: the value of the destination port field of the IP packet before the client-initiated packet enters the NAT device.
Internal interface: the interface of the NAT device on the side facing the internal network. When an external client actively accesses the internal network it is the egress interface for the packet; when an internal client actively accesses the external network it is the ingress interface.
External interface: the interface of the NAT device on the side facing the external network. When an external client actively accesses the internal network it is the ingress interface for the packet; when an internal client actively accesses the external network it is the egress interface.
Internal interface source network address (internal interface source IP): the value of the source IP field of the client-initiated packet as seen on the internal interface side of the NAT device.
Internal interface destination network address (internal interface destination IP): the value of the destination IP field of the client-initiated packet as seen on the internal interface side of the NAT device.
Internal interface destination port: the value of the destination port field of the client-initiated packet as seen on the internal interface side of the NAT device.
External interface source network address (external interface source IP): the value of the source IP field of the client-initiated packet as seen on the external interface side of the NAT device.
External interface destination network address (external interface destination IP): the value of the destination IP field of the client-initiated packet as seen on the external interface side of the NAT device.
External interface destination port: the value of the destination port field of the client-initiated packet as seen on the external interface side of the NAT device.
Local network access relationship: the access relationship in the network traffic observed at a specific position along the topology path of the network security boundary. In this embodiment a network access relationship is represented by the source IP, destination IP, destination port and protocol of the client-initiated packet.
Full path network access relationship: a local network access relationship is translated each time it passes through a NAT device. Matching the local network access relationships observed before and after each NAT device along the network security boundary path in sequence yields the full-path network access relationship that spans the entire network security boundary.
In the related art, either an agent program is installed on each server and reports the server's network access information to a central monitoring server, which yields the local network access relation of that server; or a network traffic probe is deployed, the probe captures traffic packets, a traffic analysis device parses the packets into network session data, and the session data are aggregated to obtain the network access relation across the network boundary. However, the access relations collected by an agent are mixed with the access relations of hosts within the intranet accessing one another, so they must be cross-checked against other databases such as a configuration management database (CMDB) before the relations that cross the network boundary can be identified; and parsing the packets captured by a traffic probe places high demands on storage and CPU. Both approaches are therefore cumbersome and costly, and both yield only a local network access relation at the boundary rather than the full path across it. To solve this problem, the embodiments of this application provide the solutions described in detail below.
In accordance with the embodiments of this application, a method embodiment for obtaining full-path network access relationships is provided. It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, such as by a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than the one shown.
Fig. 1 is a flowchart of a method for obtaining a full path network access relationship according to an embodiment of the present application, as shown in fig. 1, the method includes the following steps:
step S102, a structured session log corresponding to each NAT device in the plurality of NAT devices is obtained.
The method provided by the application builds on the session logs of the NAT devices, so step S102 first acquires the structured session log of each NAT device in the network boundary. A network boundary usually contains several NAT devices of different types, the logs they produce differ in format, and a log as first collected is usually a long string of irregular characters. When obtaining the structured session log of each NAT device, the interface protocol of the log interface provided by each NAT device must therefore be identified first; the interface protocol may be any of several protocols, such as the system log protocol (syslog), the file transfer protocol (FTP), the secure file transfer protocol (SFTP) or the hypertext transfer protocol (HTTP). The session log of each NAT device is collected according to that interface protocol (for example, if the log interface provided by a NAT device uses syslog, the session log of that device is obtained through syslog) and is then converted into a structured session log in a standard form.
According to an alternative embodiment of the present application, obtaining a structured session log corresponding to each NAT device in a plurality of NAT devices includes the steps of: acquiring a plurality of logs of a plurality of NAT devices, and acquiring key element information from the plurality of logs, wherein the key element information comprises at least one of the following: timestamp, source network address, destination port, source mapping network address, destination mapping port, protocol type, source interface and destination interface; acquiring identification information of each NAT device, wherein the identification information comprises at least one of the following: the name of the NAT device and the network address of the NAT device; and combining the key element information of each NAT device with the identification information of each NAT device to obtain a structured session log corresponding to each NAT device.
In this embodiment, the collected logs are converted into structured session logs in a standard form as follows. Each collected log is parsed and the following key element information is extracted: the IP value of the source address field of the IP packet before the packet from the client enters the NAT device (the source network address, or source IP); the IP value of the destination address field of the IP packet after the packet has passed through the NAT device (the destination network address, or destination IP); the port value of the destination port field after the packet has passed through the NAT device (the destination port); the IP value of the source address field after the packet has passed through the NAT device (the source mapping network address, or source mapping IP); the IP value of the destination address field before the packet enters the NAT device (the destination mapping network address, or destination mapping IP); the port value of the destination port field before the packet enters the NAT device (the destination mapping port); the protocol used by the corresponding network session; the interface through which the packet enters the device (the source interface); and the interface through which the packet leaves the NAT device (the destination interface). At the same time, identification information that identifies the NAT device, such as the name of the NAT device or the IP address of the NAT device, is extracted from the collected log. The name or IP address of the NAT device is then combined with the key element information of the NAT device it identifies (source IP, destination IP, destination port, protocol type, source mapping IP, destination mapping IP, destination mapping port, source interface and destination interface) to generate the structured session log of each NAT device. For example, the structured session log of each NAT device is obtained by combining a first field holding the NAT device name, a second field holding the source IP, a third field holding the destination IP, a fourth field holding the destination port, a fifth field holding the protocol type, a sixth field holding the source mapping IP, a seventh field holding the destination mapping IP, an eighth field holding the destination mapping port, a ninth field holding the source interface and a tenth field holding the destination interface.
Step S104, extracting the local network access relation of the network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between the device in the network boundary to which each NAT device belongs and the device outside the network boundary to which each NAT device belongs.
After the structured session log of each NAT device is obtained by the method provided in step S102, in step S104, an access relationship (i.e., a local network access relationship) between network sessions observed at each NAT device is extracted according to information recorded in the structured session log of each NAT device, where a network session is a session occurring between a device within a network boundary to which the NAT device belongs and a device outside the network boundary to which the NAT device belongs.
According to another optional embodiment of the present application, extracting the local network access relation of the network session at each NAT device according to the structured session log corresponding to each NAT device includes the following steps: obtaining the network boundary topological relation of the NAT device, and generating an access path table of the NAT device according to the network boundary topological relation, wherein the access path table of the NAT device includes the identification information of the NAT device, the name of the network boundary where the NAT device is located, the cascade level of the NAT device, the access direction in which the network session passes through the NAT device, the name of the ingress interface and the name of the egress interface, the ingress interface being the interface through which the network session enters the NAT device and the egress interface being the interface through which the network session leaves the NAT device; generating a log aggregation table according to the structured session log, and determining the access direction of the network session through the NAT device according to the access path table of the NAT device and the log aggregation table; and extracting the local network access relation of the network session at the NAT device according to the access direction.
In this embodiment, the local network access relation at each NAT device is extracted from the information recorded in the structured session log of each NAT device as follows. First, a log aggregation table is generated from the structured session logs of the NAT devices acquired in step S102. Then the network boundary topology diagram of the network boundary where the NAT devices are located is obtained; it records the name/IP address of each NAT device (its identification information), the name of the network boundary where the NAT device is located, the cascade level of the NAT device, the access direction in which the network session passes through the NAT device, the name of the interface through which the network session enters the NAT device (the ingress interface), the name of the interface through which it leaves the NAT device (the egress interface), and similar information. The direction of the network access through the NAT device is determined from the network boundary topology diagram and the log aggregation table, i.e. whether the access runs from the external network through the NAT device to the internal network, or from the internal network through the NAT device to the external network. Finally, the local network access relation of the network session at each NAT device is extracted according to the determined access direction.
According to some preferred embodiments of the present application, generating the log aggregation table from the structured session log includes: determining a preset period, and collecting a plurality of structured session logs within the preset period; classifying those structured session logs whose key element information is completely identical apart from the timestamp into one group of data, so as to obtain a plurality of groups of data; and generating the log aggregation table from the plurality of groups of data, wherein the log aggregation table includes the identification information of the NAT device, the key element information, and the number of times each group of data occurs.
In some preferred embodiments, the log aggregation table is generated from the structured session log as follows. A NAT device generates a log whenever it establishes a session, so collecting NAT device logs in real time yields a large amount of data, much of it consisting of records that are identical except for the timestamp. A processing period (the preset period) is therefore set in advance, for example an hour, a day or a month; the structured session logs are collected over that period and then aggregated: structured session logs whose key element information (NAT device name/IP address, source IP, destination port, protocol type and so on) is identical are merged into one group of data, and the groups obtained in this way are stored to form the log aggregation table. Fig. 2 is a schematic diagram of a log aggregation table. As shown in fig. 2, its columns are, in order, date, NAT device, source IP, destination IP, destination port, protocol, source mapping IP, destination mapping IP, destination mapping port, source interface, destination interface and connection count (the number of occurrences of each group of data), where the date indicates when the logs were generated, the NAT device column holds the name/IP address of the NAT device, and the connection count is the number of times the group of data occurred in one processing period. For example, in fig. 2, the data acquired in the processing period 2022-01 contain 100 logs with source IP 211.0.0.2, destination IP 172.16.0.2, destination port 8080, protocol type TCP (Transmission Control Protocol), source mapping IP 211.0.0.2, destination mapping IP 112.0.0.2, destination mapping port 80 and source interface extranet; this kind of log is recorded once in the table and its number of occurrences is written after the entry. Likewise, as many groups of data are recorded in the log aggregation table as there are different kinds of log in one processing period, i.e. the number of groups equals the number of log kinds, where two logs are of different kinds if any one of the NAT device name/IP address, source IP, destination port, protocol type or other key element differs.
It should be noted that if the source IP and the source mapping IP are the same, it means that the NAT device does not translate the source IP field; if the destination IP and the destination mapping IP are the same, the NAT equipment does not translate the destination IP field; if the destination port and the destination mapping port are the same, the NAT device does not translate the destination port field.
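The log structuring of step S102 and the aggregation just described are the kind of thing best checked in code. The following is an added example, not code from the patent or from its assignee; it assumes a hypothetical key=value syslog format (the `nat-session` keyword and the `src`, `dst`, `dport`, `proto`, `xsrc`, `xdst`, `xdport`, `in`, `out` keys are made up for this example, and in a real deployment each NAT device type needs its own parser), and the sample lines are constructed, reproducing the fig. 2 session plus one outbound DNS session. It parses raw lines into the ten-field structured record, rejects lines that lack a key element instead of producing half-filled records, and aggregates the records over a configurable period with a connection count, so that the same input yields different group counts per day and per month:

```python
import re
from collections import Counter
from datetime import datetime

# Standard key element fields of the structured session log, in the page's
# field order (the NAT device name is carried as its own field).
KEY_FIELDS = ("src_ip", "dst_ip", "dst_port", "proto", "src_map_ip",
              "dst_map_ip", "dst_map_port", "src_if", "dst_if")

# Keys of a hypothetical key=value syslog format mapped to the standard fields.
# Assumption: one such map exists per NAT device type; real vendor formats differ.
VENDOR_KEYS = {"src": "src_ip", "dst": "dst_ip", "dport": "dst_port",
               "proto": "proto", "xsrc": "src_map_ip", "xdst": "dst_map_ip",
               "xdport": "dst_map_port", "in": "src_if", "out": "dst_if"}

# <PRI>timestamp hostname nat-session key=value ...   (hypothetical layout)
LINE_RE = re.compile(r"^<\d+>(?P<ts>\S+)\s+(?P<device>\S+)\s+nat-session\s+(?P<kv>.+)$")

# Constructed sample lines (not taken from the page): the inbound session of
# fig. 2 seen three times on two days, plus one outbound DNS session.
SAMPLE_SYSLOG = [
    "<134>2022-01-05T10:00:01Z dev2-1 nat-session src=211.0.0.2 dst=172.16.0.2 dport=8080 "
    "proto=tcp xsrc=211.0.0.2 xdst=112.0.0.2 xdport=80 in=extranet out=inside",
    "<134>2022-01-05T10:00:02Z dev2-1 nat-session src=211.0.0.2 dst=172.16.0.2 dport=8080 "
    "proto=tcp xsrc=211.0.0.2 xdst=112.0.0.2 xdport=80 in=extranet out=inside",
    "<134>2022-01-06T09:30:00Z dev2-1 nat-session src=211.0.0.2 dst=172.16.0.2 dport=8080 "
    "proto=tcp xsrc=211.0.0.2 xdst=112.0.0.2 xdport=80 in=extranet out=inside",
    "<134>2022-01-05T10:00:03Z dev2-1 nat-session src=10.1.1.7 dst=8.8.8.8 dport=53 "
    "proto=udp xsrc=203.0.113.9 xdst=8.8.8.8 xdport=53 in=inside out=extranet",
]


def parse_session_log(line):
    """Convert one raw log line into a structured record (NAT device name,
    timestamp and the nine key element fields). Returns None when the line
    is not in the expected format or lacks a key element, so that incomplete
    logs are rejected instead of producing half-filled records."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    if any(k not in kv for k in VENDOR_KEYS):
        return None
    rec = {"nat_device": m["device"],
           "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))}
    for raw, std in VENDOR_KEYS.items():
        rec[std] = kv[raw]
    rec["dst_port"] = int(rec["dst_port"])
    rec["dst_map_port"] = int(rec["dst_map_port"])
    return rec


def aggregate(records, period="%Y-%m-%d"):
    """Build the log aggregation table: records that agree on the NAT device
    and every key element field (everything except the timestamp) within the
    same period form one group; the group's row carries its connection count.
    `period` is a strftime pattern: "%Y-%m-%d" per day, "%Y-%m" per month."""
    counts = Counter()
    for r in records:
        key = (r["timestamp"].strftime(period), r["nat_device"]) + tuple(r[f] for f in KEY_FIELDS)
        counts[key] += 1
    columns = ("period", "nat_device") + KEY_FIELDS
    return [dict(zip(columns, key), connections=n) for key, n in counts.items()]


def build_aggregation_table(lines, period="%Y-%m-%d"):
    """Step S102 followed by aggregation: parse the raw lines, drop the
    unparsable ones, and aggregate the rest over the given period."""
    records = [r for r in map(parse_session_log, lines) if r is not None]
    return aggregate(records, period)


if __name__ == "__main__":
    for row in build_aggregation_table(SAMPLE_SYSLOG, "%Y-%m"):
        print(row)
```

Because the group key is every field except the timestamp, a NAT device whose log omits one field (a missing interface name, say) would otherwise silently create a separate group; rejecting such lines in the parser keeps the connection counts honest, and the rejected lines are the ones worth inspecting when a device's log format changes.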
According to an optional embodiment of the present application, generating a log aggregation table according to a structured session log, and determining an access direction of a network session passing through a NAT device according to an access path table of the NAT device and the log aggregation table, includes: acquiring the identification information of the NAT equipment, the name of a source interface corresponding to the identification information of the NAT equipment and the name of a destination interface corresponding to the identification information of the NAT equipment in a log aggregation table; and determining the access direction of the network session of the NAT device indicated by the identification information of the NAT device through an access path table of the NAT device by utilizing the identification information of the NAT device, the name of the source interface corresponding to the identification information of the NAT device and the name of the destination interface corresponding to the identification information of the NAT device.
Fig. 3 is a schematic diagram of a network boundary topology diagram. As shown in fig. 3, the paths of a network session through the NAT devices are described in the form of a topology diagram that includes: the name of the network boundary where the NAT devices are located, the name of each NAT device in that network boundary, the cascade level of each NAT device, the name of the ingress interface and of the egress interface of each NAT device, the name of the network that accesses the network boundary, and the name of the network reached after passing through the network boundary. In fig. 3 the network boundary is named network boundary 1 and contains device 2-1 and device 2-2, where the "-1" in device 2-1 indicates that the NAT device has cascade level 1 and the "-2" in device 2-2 indicates cascade level 2. When internal network 2 and/or internal network 3 are accessed from external network 1, the ingress interface of device 2-1 is extranet and its egress interface is inside, and the ingress interface of device 2-2 is outside and its egress interfaces are dmz and intranet. When the access direction is determined, the access direction of the network session corresponding to each group of logs is looked up using the values of three fields of that group in the log aggregation table: NAT device, source interface and destination interface. For example, if a group of logs recorded in the log aggregation table has NAT device field device 2-1, source interface field extranet and destination interface field inside, and network boundary 1 in the network boundary topology diagram of fig. 3 contains a NAT device named device 2-1 whose ingress interface field is extranet and whose egress interface field is inside, then the NAT device recorded in that group of logs is the same NAT device as the one in the topology diagram, and the topology diagram shows that passing through this NAT device from interface extranet to interface inside is access from the external network to the internal network; that is, the access direction of the network session at NAT device 2-1 is inbound. Conversely, if another group of logs has NAT device field device 2-2, source interface field intranet and destination interface field outside, and network boundary 1 in the topology diagram of fig. 3 contains a NAT device named device 2-2 whose ingress interface field is intranet and whose egress interface field is outside, then the NAT device recorded in that group of logs is the same device as in the topology diagram, and the topology diagram shows that passing from interface intranet to interface outside is access from the internal network to the external network; that is, the access direction of the network session at NAT device 2-2 is outbound.
It should be noted that, after the server performing the data processing acquires the network boundary topological relation, it stores that relation in the table form shown in fig. 4. Fig. 4 is the access path table of the NAT devices; the contents recorded in the table are the same as the information recorded in fig. 3, namely the name of the network boundary where the NAT devices are located, the cascade levels it contains, the name and cascade level of each NAT device in that network boundary, the access direction in which the network session passes through the NAT device, the interface through which the network session enters the NAT device (the ingress interface) and the interface through which it leaves the NAT device (the egress interface). Corresponding to the information described in fig. 3, fig. 4 describes network boundary 1, which contains 2 NAT devices: when internal network 2 is accessed from external network 1 through network boundary 1 the access direction is inbound, device 2-1 with cascade level 1 has ingress interface extranet and egress interface inside, and device 2-2 with cascade level 2 has ingress interface outside and egress interface dmz; when internal network 2 accesses external network 1 through network boundary 1 the access direction is outbound, device 2-1 with cascade level 1 has ingress interface inside and egress interface extranet, and device 2-2 with cascade level 2 has ingress interface dmz and egress interface outside; when internal network 3 accesses external network 1 through network boundary 1 the access direction is outbound, device 2-1 with cascade level 1 has ingress interface inside and egress interface extranet, and device 2-2 with cascade level 2 has ingress interface intranet and egress interface outside. The network boundary topological relation only needs to be initialised once and can then be stored and reused; it is updated only when a change in the NAT device topology within the network boundary is detected.
According to another optional embodiment of the application, extracting the local network access relation of the network session at the NAT device according to the access direction includes: if the access direction is inbound, determining the source mapping network address corresponding to the identification information of the NAT device as the internal interface source network address, the destination network address corresponding to the identification information of the NAT device as the internal interface destination network address, the destination port corresponding to the identification information of the NAT device as the internal interface destination port, the source network address corresponding to the identification information of the NAT device as the external interface source network address, the destination mapping network address corresponding to the identification information of the NAT device as the external interface destination network address, and the destination mapping port corresponding to the identification information of the NAT device as the external interface destination port, wherein inbound means that devices within the network boundary are accessed from devices outside the network boundary;
and determining a plurality of local network access relations of the network session at the NAT device when the access direction is inbound according to the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port; if the access direction is outbound, determining the source network address corresponding to the identification information of the NAT device as the internal interface source network address, the destination mapping network address corresponding to the identification information of the NAT device as the internal interface destination network address, the destination mapping port corresponding to the identification information of the NAT device as the internal interface destination port, the source mapping network address corresponding to the identification information of the NAT device as the external interface source network address, the destination network address corresponding to the identification information of the NAT device as the external interface destination network address, and the destination port corresponding to the identification information of the NAT device as the external interface destination port, wherein outbound means that devices outside the network boundary are accessed from devices within the network boundary; and determining a plurality of local network access relations of the network session at the NAT device when the access direction is outbound according to the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port.
In this embodiment, after the access direction of the NAT device has been determined as in the embodiment above, the local network access relation of the NAT device is extracted according to the access direction as follows. When the access direction is inbound, the value of the source mapping IP field recorded in the log of the NAT device is taken as the network address of the interface of the NAT device on the internal network side (the internal interface), i.e. the internal interface source network address; the value of the destination IP field recorded in the log is taken as the internal interface destination network address of the NAT device; the value of the destination port field is taken as the internal interface destination port; the value of the source IP field is taken as the network address of the interface of the NAT device on the external network side (the external interface), i.e. the external interface source network address; the value of the destination mapping IP field is taken as the external interface destination network address; and the destination mapping port is taken as the external interface destination port.
When the access direction is outbound, the value of the source IP field recorded in the log of the NAT device is taken as the network address of the interface on the internal network side (the internal interface), i.e. the internal interface source network address; the value of the destination mapping IP field is taken as the internal interface destination network address; the value of the destination mapping port field is taken as the internal interface destination port; the value of the source mapping IP field is taken as the network address of the interface on the external network side (the external interface), i.e. the external interface source network address; the value of the destination IP field is taken as the external interface destination network address; and the destination port is taken as the external interface destination port.
Therefore, the internal interface source network address, internal interface destination network address, internal interface destination port, external interface source network address, external interface destination network address and external interface destination port of the NAT device can be determined according to whether the access direction is inbound or outbound, and the local network access relation of the network session at the NAT device, formed by these six values, is then determined. If there is only one NAT device in the network boundary, two local network access relations are obtained for that NAT device by this method: one is the local network access relation from the external network to the external interface of the NAT device, and the other is the local network access relation from the internal interface of the NAT device to the internal network; if there are several NAT devices in the network boundary, two local network access relations are likewise obtained for each NAT device. For example, in fig. 2 the source IP of device 2-1 is 211.0.0.2, the destination IP is 172.16.0.2, the destination port is 8080, the source mapping IP is 211.0.0.2, the destination mapping IP is 112.0.0.2 and the destination mapping port is 80. When access from external network 1 to internal network 2 is defined as inbound, the network session has the following two segments of local network access relation at device 2-1: one segment is the local network access relation from external network 1 to the external interface of NAT device 2-1, formed by external interface source network address 211.0.0.2, external interface destination network address 112.0.0.2 and external interface destination port 80; the other segment is the local network access relation from the internal interface of NAT device 2-1 to the internal interface of NAT device 2-2, formed by internal interface source network address 211.0.0.2, internal interface destination network address 172.16.0.2 and internal interface destination port 8080.
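The direction lookup of figs. 3 and 4 and the inbound/outbound field mapping above fit in a few functions. This is an added example, not code from the patent or its assignee; the access path table is transcribed from the fig. 4 description, the first sample row reproduces the fig. 2 entry, the remaining rows and the device names `dev2-1`/`dev2-2` are constructed, and the column names are the ones used in the example after step S102. It keys the topology on exactly the three fields the page queries (NAT device, source interface, destination interface), turns each aggregated row into its external-interface and internal-interface triples, and reports rows whose interface pair is absent from the topology instead of guessing a direction for them:

```python
# Access path table transcribed from fig. 4 as described on the page:
# (network boundary, access direction, NAT device, cascade level,
#  ingress interface, egress interface). Device names are constructed.
ACCESS_PATH_TABLE = [
    ("boundary1", "inbound",  "dev2-1", 1, "extranet", "inside"),
    ("boundary1", "inbound",  "dev2-2", 2, "outside",  "dmz"),
    ("boundary1", "outbound", "dev2-1", 1, "inside",   "extranet"),
    ("boundary1", "outbound", "dev2-2", 2, "dmz",      "outside"),
    ("boundary1", "outbound", "dev2-2", 2, "intranet", "outside"),
]

# Constructed log aggregation rows: the first reproduces the fig. 2 entry,
# the second is a made-up outbound session, the third uses an interface pair
# that does not exist in the topology and must be flagged rather than guessed.
SAMPLE_ROWS = [
    {"nat_device": "dev2-1", "src_ip": "211.0.0.2", "dst_ip": "172.16.0.2", "dst_port": 8080,
     "proto": "tcp", "src_map_ip": "211.0.0.2", "dst_map_ip": "112.0.0.2", "dst_map_port": 80,
     "src_if": "extranet", "dst_if": "inside", "connections": 100},
    {"nat_device": "dev2-2", "src_ip": "172.16.0.5", "dst_ip": "198.51.100.10", "dst_port": 443,
     "proto": "tcp", "src_map_ip": "203.0.113.4", "dst_map_ip": "198.51.100.10", "dst_map_port": 443,
     "src_if": "dmz", "dst_if": "outside", "connections": 7},
    {"nat_device": "dev2-1", "src_ip": "10.9.9.9", "dst_ip": "10.8.8.8", "dst_port": 22,
     "proto": "tcp", "src_map_ip": "10.9.9.9", "dst_map_ip": "10.8.8.8", "dst_map_port": 22,
     "src_if": "dmz", "dst_if": "extranet", "connections": 1},
]


def build_direction_index(table):
    """(NAT device, ingress interface, egress interface) -> (boundary, direction, level).
    These three fields are exactly the ones the page uses to query the topology."""
    return {(dev, in_if, out_if): (boundary, direction, level)
            for boundary, direction, dev, level, in_if, out_if in table}


def access_direction(row, index):
    """Look up the row's NAT device, source interface and destination interface
    in the access path table; None when the pair is unknown to the topology."""
    return index.get((row["nat_device"], row["src_if"], row["dst_if"]))


def local_relations(row, index):
    """Extract the two local relations of one aggregated row, each as a
    (source IP, destination IP, destination port) triple: the segment at the
    external interface and the segment at the internal interface."""
    hit = access_direction(row, index)
    if hit is None:
        return None
    boundary, direction, level = hit
    if direction == "inbound":
        # post-NAT (translated) values describe the internal side
        external = (row["src_ip"], row["dst_map_ip"], row["dst_map_port"])
        internal = (row["src_map_ip"], row["dst_ip"], row["dst_port"])
    else:
        # outbound: pre-NAT values describe the internal side
        internal = (row["src_ip"], row["dst_map_ip"], row["dst_map_port"])
        external = (row["src_map_ip"], row["dst_ip"], row["dst_port"])
    return {"boundary": boundary, "nat_device": row["nat_device"], "level": level,
            "direction": direction, "proto": row["proto"],
            "external": external, "internal": internal,
            "connections": row.get("connections", 1)}


def extract_all(rows, table=ACCESS_PATH_TABLE):
    """Step S104 over a whole aggregation table: returns the list of local
    relations and the list of rows whose direction could not be resolved."""
    index = build_direction_index(table)
    relations, unresolved = [], []
    for row in rows:
        rel = local_relations(row, index)
        if rel is None:
            unresolved.append(row)
        else:
            relations.append(rel)
    return relations, unresolved


if __name__ == "__main__":
    found, missing = extract_all(SAMPLE_ROWS)
    for rel in found:
        print(rel["nat_device"], rel["direction"], rel["external"], "->", rel["internal"])
    print("unresolved rows:", len(missing))
```

The unresolved list is the interesting output operationally: a row whose (device, ingress, egress) triple is not in the access path table means either the topology table is stale, which the page says should trigger a refresh, or a session crossed the device on a path nobody documented.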
Step S106, the local network access relation of the network session at each NAT device is connected in series, and the full path network access relation of the network boundary of each NAT device is obtained.
In step S106, after determining the local network access relationship of the NAT device by the above method, the network session is connected in series with the local network access relationships of each NAT device, so as to obtain the full path network access relationship of the network boundary to which the NAT device belongs.
According to an optional embodiment of the present application, the step of concatenating the local network access relationships of each NAT device to obtain a full path network access relationship of a network boundary to which each NAT device belongs includes: determining the number of NAT devices in a network boundary to which the NAT devices belong from an access path table of the NAT devices; if the number is greater than one, connecting a plurality of local network access relations of a plurality of NAT devices in the same network boundary in series according to a series rule to obtain a full path network access relation; if the number is equal to one, the local network access relationship of the NAT device is determined as a full path network access relationship.
In this embodiment, when the local network access relationship of each NAT device is connected in series, firstly, determining the network boundary to which the NAT device belongs and the number of NAT devices in the network boundary from the access path table of the NAT device shown in fig. 4, and if only one NAT device exists in the network boundary, the local network access relationship of the NAT device is the full path network access relationship of the network boundary; if the network boundary comprises 2 or more NAT devices, at this time, the local network access relations of the NAT devices in the network boundary are connected in series to obtain the full path network access relation of the network boundary.
According to other preferred embodiments of the present application, concatenating a plurality of local network access relationships of a plurality of NAT devices within the same network boundary according to a concatenation rule includes: and if the internal interface source network address of the first NAT device in the plurality of NAT devices is equal to the external interface source network address of the second NAT device in the plurality of NAT devices, the internal interface destination network address of the first NAT device is equal to the external interface destination network address of the second NAT device, and the internal interface destination port of the first NAT device is equal to the external interface destination port of the second NAT device, the local network access relationship of the first NAT device and the local network access relationship of the second NAT device are connected in series to form a full path access relationship of the network boundary, wherein the first NAT device and the second NAT device belong to the same network boundary, adjacent relationship exists between the first NAT device and the second NAT device, and the cascade level of the first NAT device is smaller than the cascade level of the second NAT device.
In other preferred embodiments, the plurality of local network access relations of the plurality of NAT devices within the same network boundary are connected in series according to the cascade levels of those NAT devices, starting from the lowest level: the internal interface source network address described in the local network access relation of the NAT device at the lower cascade level is matched with the external interface source network address described in the local network access relation of the adjacent NAT device at the next higher cascade level, the internal interface destination network address of the lower-level device is matched with the external interface destination network address of the adjacent higher-level device, and the internal interface destination port of the lower-level device is matched with the external interface destination port of the adjacent higher-level device. The local network access relation of the lower-level NAT device is thus joined to that of the adjacent higher-level NAT device, level by level from the lowest, until the highest-level NAT device of the network boundary is reached, at which point the concatenation of the full path of the network boundary is complete.
For example, the network boundary 1 includes a level 1 NAT device 2-1 and a level 2 NAT device 2-2, the internal interface source network address of the NAT device 2-1 is 211.0.0.2, the internal interface destination network address is 172.16.0.2, the internal interface destination port is 8080, the external interface source network address of the NAT device 2-2 is 211.0.0.2, the external interface destination network address is 172.16.0.2, and the external interface destination port is 8080, and then the local network access relationship of the NAT device 2-1 and the local network access relationship of the NAT device 2-2 are connected in series to form a full path network access relationship of the network boundary 1.
Fig. 5 is a schematic diagram of a full path network access relationship table. It should be noted that, after the full path network access relationship of a network boundary is obtained, it may also be recorded and stored in the form of the table shown in fig. 5, where the full path network access relationship table records the name of the network boundary, the access direction of the network session through the network boundary, the local network access relationship of the external interface of the lowest cascade level, the local network access relationship of the internal interface of the highest cascade level, the local network access relationship between adjacent NAT devices, the protocol adopted by the network session, and the number of occurrences (i.e. the number of connections) of the same full path network access relationship. The local network access relationship of the external interface of the lowest cascade level, that of the internal interface of the highest cascade level, and that between adjacent NAT devices each consist of a source IP field, a destination IP field, and a destination port field.
When the network boundary 1 shown in fig. 3 includes the NAT device 2-1 of the lowest cascade level and the NAT device 2-2 of the highest cascade level, and the internal network 2 or the internal network 3 is accessed from the external network 1, the access direction is recorded as inbound in the full path network access relationship table of the network boundary 1; the local network access relationship of the external interface of the device 2-1 consists of the source IP 211.0.0.2, the destination IP 112.0.0.2 and the destination port 80; the local network access relationship of the internal interface of the device 2-2 consists of the source IP 211.0.0.2, the destination IP 172.16.0.2 and the destination port 8080; the local network access relationship between the device 2-1 and the device 2-2 consists of the source IP 211.0.0.2, the destination IP 172.16.0.2 and the destination port 8080; and the number of occurrences of the full path access relationship (for example, 100 times) is recorded in the full path network access relationship table of the network boundary 1. When the external network 1 is accessed from the internal network 2 or the internal network 3, the access direction is recorded as outbound in the full path network access relationship table of the network boundary 1; the local network access relationship of the external interface of the device 2-1 consists of the source IP 112.0.10.3, the destination IP 211.0.0.3 and the destination port 443; the local network access relationship of the internal interface of the device 2-2 consists of the source IP 172.16.0.3, the destination IP 192.168.0.3 and the destination port 443; the local network access relationship between the device 2-1 and the device 2-2 consists of the source IP 172.16.0.3, the destination IP 211.0.0.3 and the destination port 443; and the number of occurrences of the full path access relationship (for example, 200 times) is recorded in the full path network access relationship table of the network boundary 1.
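The concatenation rule and the full path table just described, as an added Python example; it is not code from the patent or from the applicant. Each row of `SAMPLE_ROWS` is a per-device local access relationship constructed from the fig. 3 and fig. 5 example values on this page (device names such as `NAT-2-1` and the protocol `tcp` are assumed). `concatenate()` groups rows by boundary, access direction and protocol, walks the cascade from the lowest level upward, and accepts a next device only when its external interface relation equals the current device's internal interface relation; a boundary with one NAT device yields its own local relation as the full path (claim 7). How the occurrence count of a chained path is derived from the per-device counts is not stated on the page; here it is taken as the minimum over the chain, which is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A local network access relation: (source IP, destination IP, destination port).
Rel = Tuple[str, str, int]


@dataclass
class LocalAccess:
    """Local access relations of one NAT device for one aggregated session group."""
    device: str
    boundary: str
    level: int         # cascade level inside the boundary; 1 is the lowest (outermost)
    direction: str     # "inbound" or "outbound"
    protocol: str
    external: Rel      # relation seen on the external interface
    internal: Rel      # relation seen on the internal interface
    count: int         # occurrences in the aggregation period


@dataclass
class FullPath:
    """One row of the full path network access relation table (fig. 5 layout)."""
    boundary: str
    direction: str
    protocol: str
    external_lowest: Rel                           # external interface, lowest-level device
    internal_highest: Rel                          # internal interface, highest-level device
    hops: List[Rel] = field(default_factory=list)  # relations between adjacent devices
    count: int = 0


def concatenate(rows: List[LocalAccess]) -> List[FullPath]:
    """Chain local relations per (boundary, direction, protocol) from the lowest level up."""
    groups: Dict[Tuple[str, str, str], List[LocalAccess]] = {}
    for r in rows:
        groups.setdefault((r.boundary, r.direction, r.protocol), []).append(r)

    paths: List[FullPath] = []
    for (boundary, direction, protocol), members in groups.items():
        levels = sorted({m.level for m in members})
        by_level = {lv: [m for m in members if m.level == lv] for lv in levels}
        for start in by_level[levels[0]]:
            chain = [start]
            # Concatenation rule: the lower device's internal relation must equal the
            # adjacent higher device's external relation (same source, destination, port).
            for lv in levels[1:]:
                nxt = next((m for m in by_level[lv] if m.external == chain[-1].internal), None)
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) != len(levels):
                continue  # no complete path through every cascade level for this row
            # A boundary with a single NAT device simply has no hops.
            paths.append(FullPath(
                boundary, direction, protocol,
                external_lowest=chain[0].external,
                internal_highest=chain[-1].internal,
                hops=[m.internal for m in chain[:-1]],
                # Assumption: the path count is the smallest per-device count in the chain.
                count=min(m.count for m in chain)))
    return paths


# Constructed sample rows using the values of the fig. 3 / fig. 5 example on this page.
SAMPLE_ROWS = [
    LocalAccess("NAT-2-1", "boundary-1", 1, "inbound", "tcp",
                external=("211.0.0.2", "112.0.0.2", 80),
                internal=("211.0.0.2", "172.16.0.2", 8080), count=100),
    LocalAccess("NAT-2-2", "boundary-1", 2, "inbound", "tcp",
                external=("211.0.0.2", "172.16.0.2", 8080),
                internal=("211.0.0.2", "172.16.0.2", 8080), count=100),
    LocalAccess("NAT-2-1", "boundary-1", 1, "outbound", "tcp",
                external=("112.0.10.3", "211.0.0.3", 443),
                internal=("172.16.0.3", "211.0.0.3", 443), count=200),
    LocalAccess("NAT-2-2", "boundary-1", 2, "outbound", "tcp",
                external=("172.16.0.3", "211.0.0.3", 443),
                internal=("172.16.0.3", "192.168.0.3", 443), count=200),
    # A level-1 row whose internal relation matches no level-2 row: no full path is produced.
    LocalAccess("NAT-2-1", "boundary-1", 1, "inbound", "tcp",
                external=("211.0.0.9", "112.0.0.2", 80),
                internal=("211.0.0.9", "172.16.0.9", 8080), count=3),
    # A boundary with a single NAT device (constructed): its local relation is the full path.
    LocalAccess("NAT-3-1", "boundary-3", 1, "inbound", "tcp",
                external=("10.9.8.7", "112.0.0.9", 443),
                internal=("10.9.8.7", "172.16.9.9", 8443), count=5),
]


def full_path_table() -> Dict[Tuple[str, str], FullPath]:
    """Index the sample result by (boundary, direction) for lookup."""
    return {(p.boundary, p.direction): p for p in concatenate(SAMPLE_ROWS)}


if __name__ == "__main__":
    for key, p in full_path_table().items():
        print(key, p.external_lowest, p.hops, p.internal_highest, p.count)
```

Grouping by protocol as well as by boundary and direction keeps a TCP and a UDP session with the same address tuple from being chained together; the unmatched row in the sample shows that the rule silently drops a lower-level relation that has no adjacent higher-level counterpart, which is exactly the situation a practitioner should surface as a log or topology inconsistency rather than ignore.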
Through the above steps, the local network access relationships before and after the NAT device are extracted from the NAT session logs, and the NAT device topology of the network boundary is used to connect the plurality of local network access relationships in series into the full path network access relationship of the network boundary where the NAT device is located. Because the full path network access relationship of a network session passing through the network boundary is extracted from the session logs rather than derived from the mapping configuration data of the NAT device, the method is applicable to application scenarios with complex NAT configuration, such as one-to-many mapping, many-to-one mapping and mapping associated with policy routing, and to scenarios in which a plurality of NAT devices are cascaded; and because no agent program needs to be deployed and no massive traffic packets need to be captured and analyzed, the method obtains the full path network access relationship of the network boundary accurately and efficiently while reducing operation and maintenance cost.
According to an optional embodiment of the present application, the method for obtaining the full path network access relationship further includes: determining the node corresponding to the device initiating an access request in the full path network access relationship as a start node, determining the node corresponding to the device receiving the access request in the full path network access relationship as an end node, and determining the NAT devices in the full path network access relationship as intermediate nodes; determining the line segments connecting the start node, the intermediate nodes and the end node as edges, where the direction of each edge is determined according to the access direction of the network session through the network boundary and is indicated by an arrow; generating a visual view of the full path network access relationship from the start node, the intermediate nodes, the end node and the edges; and displaying the visual view of the full path network access relationship.
The method provided according to the embodiment of the present application may further display the full path network access relationship. Fig. 6 is a schematic diagram of a full path network access relationship visual view, where the visual view includes an external network area, a network boundary area and an internal network area, and the internal network initiates the network session. The internal network area displays the name of the device in the internal network (i.e., the client), the network address of the device (e.g., 172.16.0.3), and the local network access relationship of the network session from the internal network into the network boundary; the network boundary area displays the name of each NAT device in the network boundary (e.g., NAT device 1, NAT device 2), its source interface (e.g., inside, intranet) and destination interface (e.g., extranet, outside), and the local network access relationship of the network session between the NAT devices in the network boundary; the external network area displays the name of the device in the external network (e.g., the server), the network address of the device (e.g., 112.0.10.3:443) and the local network access relationship of the network session leaving the network boundary towards the external network. The local network access relationship between the external network and the network boundary is displayed as a label including a source network address (e.g., 112.00.10.3), a destination network address (e.g., 211.0.10.3) and a destination port (e.g., 443); the local network access relationship between the internal network and the network boundary is displayed as a label including a source network address (e.g., 172.16.0.3), a destination network address (e.g., 192.168.0.3) and a destination port (e.g., 443); and the local network access relationship of the network session between NAT devices is displayed as a label including a source network address (e.g., 172.16.0.3), a destination network address (e.g., 211.0.0.3) and a destination port (e.g., 443). When the access path is displayed, the node corresponding to the accessed device is taken as the end node, the nodes corresponding to the NAT devices are taken as intermediate nodes, the node corresponding to the device initiating the access request in the whole path is taken as the start node, the nodes corresponding to the devices in the access path are connected by line segments taken as edges, and the access direction is indicated by arrows.
Fig. 7 is a block diagram of a system for displaying a full path network access relationship according to an embodiment of the present application, including: the terminal device 70, the data visualization server 72 and the data processing server 74, wherein the terminal device 70 is connected with the data visualization server 72 and is used for sending a query request for requesting access to the network boundary of the full path network access relationship to the data visualization server 72 and displaying the full path network access relationship; a data visualization server 72, coupled to the data processing server 74, for responding to the query request and obtaining data corresponding to the full path network access relationship; the data processing server 74 is configured to obtain multiple logs of multiple NAT devices, convert the multiple logs into structured session logs corresponding to each NAT device in the multiple NAT devices, extract a local network access relationship of a network session at each NAT device according to the structured session log corresponding to each NAT device, concatenate the local network access relationships at each NAT device to obtain a full path network access relationship of a network boundary to which each NAT device belongs, store data corresponding to the full path network access relationship, and send the data corresponding to the full path network access relationship to the data visualization server 72, where the network session is a session between a device within the network boundary and a device outside the network boundary.
Fig. 8 is a flowchart of a system for displaying the full path network access relationship of the network boundary where the NAT device is located, where the terminal device 70 first initiates a query request to the data visualization server 72 to query the full path network access relationship of the network boundary where the NAT device is located, and the data visualization server 72 obtains the full path network access relationship from the data processing server 74 after receiving the query request; the data processing server 74 issues the stored data for identifying the full path network access relationship to the data visualization server 72, wherein the data processing server 74 collects the session log of each NAT device in the network boundary in a predetermined period and converts each session log into a standard structured session log, further extracts the local network access relationship of each NAT device through the structured session log of each NAT device, and connects the local network access relationship of each NAT device in series as the full path network access relationship of the network boundary where the plurality of NAT devices are located and stores the full path network access relationship according to the above method; the data visualization server 72 transmits the processed full path network access relationship that can be visualized to the terminal device 70, and the terminal device 70 generates a visual view representing the full path network access relationship and displays the visual view.
Fig. 9 is a block diagram of an apparatus for obtaining a full path network access relationship according to an embodiment of the present application, including: an obtaining module 90, configured to obtain a structured session log corresponding to each NAT device in the plurality of NAT devices; an extracting module 92, configured to extract, according to a structured session log corresponding to each NAT device, a local network access relationship of a network session at each NAT device, where the network session is a session performed between a device within a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs; the processing module 94 is configured to concatenate the local network access relationships of the network session at each NAT device to obtain a full path network access relationship of the network boundary to which each NAT device belongs.
When the apparatus for obtaining the full path network access relationship operates, the obtaining module 90 collects and parses the session log of each NAT device in the network boundary in real time and converts the collected raw session logs into standard structured session logs; the extracting module 92 obtains and stores the structured session logs produced by the obtaining module 90, aggregates and classifies the data of a preset period (such as one hour, one day or one month), and extracts from the aggregated groups the local network access relationships before and after the NAT device; and the processing module 94 connects the local network access relationships before and after the NAT device obtained by the extracting module 92 in series into the full path network access relationship of the network boundary where the NAT device is located.
It should be noted that, the preferred implementation manner of the embodiment shown in fig. 9 may refer to the related description of the embodiment shown in fig. 1, which is not repeated herein.
The method provided by the embodiment can be applied to any network boundary where NAT devices are deployed, for example the boundary between an intranet and the Internet in a data center, the boundary between different service isolation areas in the data center, the boundary between a public cloud and the Internet, and the like. With the method provided by the embodiment of the present application, the NAT session logs of the NAT devices on a network security boundary are collected, the local network access relationships before and after each NAT device are extracted, and the local network access relationships before and after the plurality of NAT device nodes on the boundary network path are matched and connected in series, so that the full path access relationship of the security boundary is obtained accurately. In a complex multi-NAT-device cascade environment and a complex NAT configuration environment, such as one in which the NAT devices carry one-to-many mapping, many-to-one mapping, or address and port mapping associated with policy routing (Policy Based Routing, PBR), no agent program needs to be deployed on a large number of service servers and no massive service traffic packets need to be captured and analyzed, so the operation and maintenance cost is reduced.
The embodiment of the application also provides a nonvolatile storage medium, wherein the nonvolatile storage medium stores a computer program, and the equipment where the nonvolatile storage medium is located executes the method of the full path network access relationship through running the computer program.
The above-described nonvolatile storage medium is used to store a program that performs the following functions: obtaining a structured session log corresponding to each NAT device in a plurality of NAT devices; extracting a local network access relation of a network session at each NAT device according to a structured session log corresponding to each NAT device, wherein the network session is a session between a device in a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs; and connecting the local network access relations of the network session at each NAT device in series to obtain the full-path network access relation of the network boundary of each NAT device.
The embodiment of the application also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to perform the above method of full path network access relation by the computer program.
The processor in the electronic device is configured to execute a program that performs the following functions: obtaining a structured session log corresponding to each NAT device in a plurality of NAT devices; extracting a local network access relation of a network session at each NAT device according to a structured session log corresponding to each NAT device, wherein the network session is a session between a device in a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs; and connecting the local network access relations of the network session at each NAT device in series to obtain the full-path network access relation of the network boundary of each NAT device.
Note that each module in the apparatus for obtaining the full path network access relationship may be a program module (for example, a set of program instructions implementing a specific function) or a hardware module; in the latter case it may take, but is not limited to, the following form: each module is a separate processor, or the functions of all modules are implemented by one processor.
The foregoing embodiment numbers of the present application are merely for description and do not represent advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the related art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive (U-disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application; it should be noted that modifications and adaptations may be made by those skilled in the art without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.

Claims (13)

1. A method for obtaining a full path network access relationship, comprising:
obtaining a structured session log corresponding to each NAT device in a plurality of NAT devices;
extracting a local network access relation of a network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between a device in a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs;
and connecting the local network access relations of the network session at each NAT device in series to obtain the full-path network access relation of the network boundary of each NAT device.
2. The method of claim 1, wherein extracting the local network access relationship of the network session at each NAT device from the structured session log corresponding to each NAT device comprises:
Acquiring a network boundary topological relation of the NAT equipment, and generating an access path table of the NAT equipment according to the network boundary topological relation, wherein the access path table of the NAT equipment comprises: the identification information of the NAT equipment, the name of the network boundary where the NAT equipment is located, the cascade hierarchy of the NAT equipment, the access direction of the network session through the NAT equipment, the name of an input interface and the name of an output interface, wherein the input interface is the interface of the network session entering the NAT equipment, and the output interface is the interface of the network session coming out of the NAT equipment;
generating a log aggregation table according to the structured session log, and determining the access direction of the network session passing through the NAT equipment according to the access path table of the NAT equipment and the log aggregation table;
and extracting the local network access relation of the network session at the NAT equipment according to the access direction.
3. The method of claim 1, wherein obtaining a structured session log corresponding to each of the plurality of NAT devices comprises:
acquiring a plurality of logs of a plurality of NAT devices, and acquiring key element information from the plurality of logs, wherein the key element information comprises: timestamp, source network address, destination network address, destination port, source mapping network address, destination mapping network address, destination mapping port, protocol type, source interface and destination interface;
Acquiring identification information of each NAT device, wherein the identification information comprises at least one of the following:
the name of the NAT equipment and the network address of the NAT equipment;
and combining the key element information of each NAT device with the identification information of each NAT device to obtain a structured session log corresponding to each NAT device.
4. A method according to claim 3, wherein generating a log aggregation table from the structured session log comprises:
determining a preset period, and collecting a plurality of structured session logs in the preset period;
classifying the data that are completely identical in the key element information except the time stamp in the structured session logs into one group of data, so as to obtain a plurality of groups of data;
generating a log aggregation table according to the plurality of groups of data, wherein the log aggregation table comprises: the identification information of the NAT equipment, the key element information and the frequency of each group of data.
5. The method of claim 2, wherein generating a log aggregation table from the structured session log and determining an access direction for a network session passing through the NAT device from the access path table of the NAT device and the log aggregation table comprises:
Acquiring the identification information of the NAT equipment, the name of a source interface corresponding to the identification information of the NAT equipment and the name of a destination interface corresponding to the identification information of the NAT equipment in the log aggregation table;
and determining the access direction of the network session of the NAT equipment indicated by the identification information of the NAT equipment through the access path table of the NAT equipment by utilizing the identification information of the NAT equipment, the name of the source interface corresponding to the identification information of the NAT equipment and the name of the destination interface corresponding to the identification information of the NAT equipment.
6. The method of claim 2, wherein extracting the local network access relationship of the network session at the NAT device according to the access direction comprises:
if the access direction is inbound, determining a source mapping network address corresponding to the identification information of the NAT device as an inbound destination network address, determining a destination port corresponding to the identification information of the NAT device as an inbound destination port, determining a source network address corresponding to the identification information of the NAT device as an outbound source network address, determining a destination mapping network address corresponding to the identification information of the NAT device as an outbound destination network address, and determining a destination mapping port corresponding to the identification information of the NAT device as an outbound destination port, wherein inbound indicates that devices within the network boundary are accessed from devices outside the network boundary;
Determining a plurality of local network access relations of the network session at the NAT device when the access direction is inbound according to the internal interface source network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port;
if the access direction is outbound, determining a source network address corresponding to the identification information of the NAT device as the internal interface source network address, determining a destination mapping network address corresponding to the identification information of the NAT device as the internal interface destination network address, determining a destination mapping port corresponding to the identification information of the NAT device as the internal interface destination port, determining a source mapping network address corresponding to the identification information of the NAT device as the external interface source network address, determining a destination network address corresponding to the identification information of the NAT device as the external interface destination network address, and determining a destination port corresponding to the identification information of the NAT device as the external interface destination port, wherein outbound indicates that devices outside the network boundary are accessed from devices within the network boundary;
and determining a plurality of local network access relations of the network session at the NAT device when the access direction is outbound according to the internal interface source network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port.
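Claims 2 to 6 together describe one pipeline: structure the raw logs, aggregate rows that differ only in timestamp, look up the access direction from the access path table, and map the log fields onto the internal and external interface relations. The following is an added Python example of that pipeline; it is not code from the patent or the applicant. The `SessionLog` fields follow claim 3; `ACCESS_PATHS` is a constructed access path table for NAT device 2-1 of boundary 1 with assumed interface names `inside`/`outside`; the outbound field mapping is the one stated in claim 6. The inbound branch applies the same mapping, which is my reading of the partly elided inbound wording in claim 6: it reproduces the inbound values of the fig. 3 example when the log records an untranslated field equal to its mapped counterpart, and that reading is an assumption. The sample logs are constructed from the description's example values.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Rel = Tuple[str, str, int]   # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class SessionLog:
    """Structured session log (claim 3): key elements plus the device identification."""
    device: str          # identification information of the NAT device
    timestamp: str
    src: str             # source network address
    dst: str             # destination network address
    dport: int           # destination port
    src_mapped: str      # source mapping network address
    dst_mapped: str      # destination mapping network address
    dport_mapped: int    # destination mapping port
    protocol: str
    src_iface: str       # source interface
    dst_iface: str       # destination interface


# Access path table (claim 2), constructed for NAT device 2-1 of network boundary 1:
# (device, source interface, destination interface) -> (boundary, cascade level, direction).
ACCESS_PATHS: Dict[Tuple[str, str, str], Tuple[str, int, str]] = {
    ("NAT-2-1", "outside", "inside"): ("boundary-1", 1, "inbound"),
    ("NAT-2-1", "inside", "outside"): ("boundary-1", 1, "outbound"),
}

# Every key element except the timestamp; rows equal in all of these form one group (claim 4).
GroupKey = Tuple[str, str, str, int, str, str, int, str, str, str]


def aggregate(logs: List[SessionLog]) -> Counter:
    """Log aggregation table: occurrence count per group of logs identical except for the timestamp."""
    counts: Counter = Counter()
    for lg in logs:
        key: GroupKey = (lg.device, lg.src, lg.dst, lg.dport, lg.src_mapped, lg.dst_mapped,
                         lg.dport_mapped, lg.protocol, lg.src_iface, lg.dst_iface)
        counts[key] += 1
    return counts


def access_direction(key: GroupKey) -> str:
    """Claim 5: the device id and its source/destination interface names select the access path row."""
    device, src_iface, dst_iface = key[0], key[8], key[9]
    return ACCESS_PATHS[(device, src_iface, dst_iface)][2]


def local_relations(key: GroupKey) -> Tuple[str, Rel, Rel]:
    """Claim 6: return (direction, internal interface relation, external interface relation)."""
    _, src, dst, dport, src_m, dst_m, dport_m, _, _, _ = key
    direction = access_direction(key)
    if direction == "outbound":
        internal = (src, dst_m, dport_m)   # source, destination mapping, destination mapping port
        external = (src_m, dst, dport)     # source mapping, destination, destination port
    elif direction == "inbound":
        # Assumption: same field mapping as outbound (see lead-in); an untranslated field is
        # expected to be logged equal to its mapped counterpart.
        internal = (src, dst_m, dport_m)
        external = (src_m, dst, dport)
    else:
        raise ValueError(f"unknown access direction {direction!r}")
    return direction, internal, external


def extract(logs: List[SessionLog]) -> List[Tuple[str, str, Rel, Rel, int]]:
    """(device, direction, internal relation, external relation, count) for every aggregated group."""
    out = []
    for key, n in aggregate(logs).items():
        direction, internal, external = local_relations(key)
        out.append((key[0], direction, internal, external, n))
    return out


# Constructed session logs for NAT device 2-1 (address values from the description's example).
SAMPLE_LOGS = [
    SessionLog("NAT-2-1", "2023-04-01T10:00:00", "211.0.0.2", "112.0.0.2", 80,
               "211.0.0.2", "172.16.0.2", 8080, "tcp", "outside", "inside"),
    SessionLog("NAT-2-1", "2023-04-01T10:00:07", "211.0.0.2", "112.0.0.2", 80,
               "211.0.0.2", "172.16.0.2", 8080, "tcp", "outside", "inside"),
    SessionLog("NAT-2-1", "2023-04-01T10:01:00", "172.16.0.3", "211.0.0.3", 443,
               "112.0.10.3", "211.0.0.3", 443, "tcp", "inside", "outside"),
]


if __name__ == "__main__":
    for row in extract(SAMPLE_LOGS):
        print(row)
```

Collecting the logs of the preset period is left to the caller of `aggregate()`; the aggregation key deliberately includes the interface names so that the same address tuple crossing the device in the two directions stays in two groups, and `access_direction()` raises a `KeyError` for an interface pair absent from the access path table, which is the right failure for an undocumented path through a boundary device.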
7. The method of claim 2, wherein concatenating the local network access relationships of each NAT device to obtain the full path network access relationship for the network boundary to which each NAT device belongs, comprises:
determining the number of NAT devices in a network boundary to which the NAT devices belong from an access path table of the NAT devices;
if the number is greater than one, connecting a plurality of local network access relations of a plurality of NAT devices in the same network boundary in series according to a series rule to obtain the full path network access relation;
and if the number is equal to one, determining the local network access relation of the NAT equipment as the full path network access relation.
8. The method of claim 7, wherein concatenating the plurality of local network access relationships for the plurality of NAT devices within the same network boundary according to a concatenation rule comprises:
And if the internal interface source network address of a first NAT device in the NAT devices is equal to the external interface source network address of a second NAT device in the NAT devices, the internal interface destination network address of the first NAT device is equal to the external interface destination network address of the second NAT device, the internal interface destination port of the first NAT device is equal to the external interface destination port of the second NAT device, and the local network access relation of the first NAT device and the local network access relation of the second NAT device are connected in series to form a full path access relation of a network boundary, wherein the first NAT device and the second NAT device belong to the same network boundary, the first NAT device and the second NAT device have adjacent relation, and the cascade level of the first NAT device is smaller than the cascade level of the second NAT device.
9. The method according to claim 1, wherein the method further comprises:
determining a node corresponding to equipment initiating an access request in the full-path network access relation as a starting node, determining a node corresponding to equipment receiving the access request in the full-path network access relation as an ending node, and determining NAT equipment in the full-path network access relation as an intermediate node;
Determining a line segment connecting the starting node, the intermediate node and the ending node as edges, wherein the direction of the edges is determined according to the access direction of the network session through the network boundary, and the direction of the edges is indicated by an arrow;
generating a visual view of the full path network access relationship according to the start node, the intermediate node, the end node and the edge;
and displaying a visual view of the full path network access relationship.
10. A system for displaying full path network access relationships, comprising: a terminal device, a data visualization server and a data processing server, wherein,
the terminal equipment is connected with the data visualization server and is used for sending a query request for requesting to access the full-path network access relation of the network boundary to the data visualization server and displaying the full-path network access relation;
the data visualization server is connected with the data processing server and is used for responding to the query request and acquiring data corresponding to the full-path network access relation;
the data processing server is configured to obtain multiple logs of multiple NAT devices, convert the multiple logs into structured session logs corresponding to each NAT device in the multiple NAT devices, extract a local network access relationship of a network session at each NAT device according to the structured session logs corresponding to each NAT device, concatenate the local network access relationships at each NAT device to obtain a full path network access relationship of a network boundary to which each NAT device belongs, store data corresponding to the full path network access relationship, and send the data corresponding to the full path network access relationship to the data visualization server, where the network session is a session performed between a device within the network boundary and a device outside the network boundary.
11. An apparatus for obtaining a full path network access relationship, comprising:
an acquisition module, configured to acquire a structured session log corresponding to each NAT device in a plurality of NAT devices;
the extraction module is used for extracting the local network access relation of the network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between a device in the network boundary of each NAT device and a device outside the network boundary of each NAT device;
and the processing module is used for connecting the local network access relations of the network session at each NAT device in series to obtain the full-path network access relation of the network boundary of each NAT device.
12. A non-volatile storage medium, wherein a computer program is stored in the non-volatile storage medium, and wherein a device in which the non-volatile storage medium is located performs the method for acquiring the full path network access relationship of any one of claims 1 to 9 by running the computer program.
13. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, the processor being arranged to perform the method for acquiring the full path network access relationship of any one of claims 1 to 9 by means of the computer program.
CN202310454802.9A 2023-04-24 2023-04-24 Method and device for acquiring full path network access relation Pending CN116455801A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310454802.9A CN116455801A (en) 2023-04-24 2023-04-24 Method and device for acquiring full path network access relation

Publications (1)

Publication Number Publication Date
CN116455801A true CN116455801A (en) 2023-07-18

Family

ID=87120125

Country Status (1)

Country Link
CN (1) CN116455801A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination