CN116599716A - Network security protection method, device, equipment and medium - Google Patents

Network security protection method, device, equipment and medium Download PDF

Info

Publication number
CN116599716A
CN116599716A CN202310530391.7A CN202310530391A CN116599716A CN 116599716 A CN116599716 A CN 116599716A CN 202310530391 A CN202310530391 A CN 202310530391A CN 116599716 A CN116599716 A CN 116599716A
Authority
CN
China
Prior art keywords
data packet
mirror image
image data
network card
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310530391.7A
Other languages
Chinese (zh)
Inventor
林东森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qingyun Science And Technology Co ltd
Original Assignee
Beijing Qingyun Science And Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qingyun Science And Technology Co ltd filed Critical Beijing Qingyun Science And Technology Co ltd
Priority to CN202310530391.7A priority Critical patent/CN116599716A/en
Publication of CN116599716A publication Critical patent/CN116599716A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the disclosure provides a network security protection method, device, equipment and medium. The method comprises the following steps: copying the data packet of the first network card to form a mirror image data packet; transmitting the mirror image data packet to a second network card through the first network card; transmitting the mirror image data packet to the drainage module through the second network card; wherein, the drainage module is positioned on the third host; transmitting the mirror image data packet to the security device through the drainage module; and carrying out safety protection on the current network based on the safety log output by the safety equipment. According to the embodiment of the disclosure, the data packet passing through the first network card is copied to form the mirror image data packet, the mirror image data packet is sent to the drainage module, the mirror image data packet is sent to the security device through the drainage module, and the current network is protected based on the security log output by the security device, so that the network security protection is realized, the load of a network link is reduced, and the delay time of data packet communication is reduced.

Description

Network security protection method, device, equipment and medium
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to a network security protection method, device, equipment and medium.
Background
With the continued development of informatization technology, network security has become increasingly important. In order to maintain network security, network traffic needs to be detected. For example, when the virtual machine generates the mining behavior, the cloud platform needs to analyze the data packets requested by all domain name systems (Domain Name System, DNS) of the whole area, and timely stop the mining behavior according to the domain name characteristics. As another example, resources such as service internet protocol (Internet Protocol, IP), physical machines, virtual hosts, etc. of the cloud platform need to secure network traffic. The tenant sets up the network protection of north-south (access in the cloud and outside the cloud) and east-west (access between the internal networks) according to own service characteristics, the traffic of east-west, i.e. the internal network is often particularly large, certain service characteristics have requirements on the network delay of east-west, and the normal work of the service can be influenced by the too high delay.
Both of the above conditions generate large traffic, and when a large number of data packets are pulled to the network security device for immediate analysis and protection, the following disadvantages are present:
1) Because the network link becomes long, and a certain time is required for the analysis of the security device, the unit data packet communication time will be prolonged, and the network delay will be increased.
2) A large amount of data packets are pulled to the security device, and a large amount of round trip flow is generated between the cloud resources and the security device, so that the load of a network link is increased.
3) Since the "set behavior attack" is a persistent behavior, and the east-west traffic is communication between the internal networks, the external network generally cannot access the internal networks, and the internal networks are relatively safe, so the instant protection of the full traffic is too heavy. The setting behavior is understood to be a process of performing an arithmetic operation, and is a specific process of repeatedly executing a hash function and detecting an execution result from the standpoint of a computer and a code. The setting behavior can also be understood as a process of setting up a web site and repeatedly running an algorithm by accessing a computer computing resource (or cloud resource).
Disclosure of Invention
The embodiment of the disclosure provides a network security protection method, device, equipment and medium, which can reduce the load of a network link while realizing network security protection.
In a first aspect, an embodiment of the present disclosure provides a network security protection method, including: copying the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host; transmitting the mirror image data packet to a second network card through the first network card; the second network card is installed on a second host; transmitting the mirror image data packet to a drainage module through the second network card; wherein, the drainage module is positioned on a third host; transmitting the mirror image data packet to a security device through the drainage module; and carrying out safety protection on the current network based on the safety log output by the safety equipment.
In a second aspect, embodiments of the present disclosure further provide a network security guard, including: the data packet copying module is used for copying the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host; the first mirror image data packet sending module is used for sending the mirror image data packet to the second network card through the first network card; the second network card is installed on a second host; the second mirror image data packet sending module is used for sending the mirror image data packet to the drainage module through the second network card; wherein, the drainage module is positioned on a third host; the third mirror image data packet sending module is used for sending the mirror image data packet to the safety equipment through the drainage module; and the safety protection module is used for carrying out safety protection on the current network based on the safety log output by the safety equipment.
In a third aspect, embodiments of the present disclosure further provide an electronic device, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the network security protection method as described in embodiments of the present disclosure.
In a fourth aspect, the disclosed embodiments also provide a storage medium containing computer-executable instructions that, when executed by a computer processor, are used to perform a network security protection method as described in the disclosed embodiments.
According to the technical scheme, the data packet of the first network card is copied to form a mirror image data packet; the first network card is installed on a first host; transmitting the mirror image data packet to a second network card through the first network card; the second network card is installed on a second host; transmitting the mirror image data packet to a drainage module through the second network card; wherein, the drainage module is positioned on a third host; transmitting the mirror image data packet to a security device through the drainage module; and carrying out safety protection on the current network based on the safety log output by the safety equipment. According to the embodiment of the disclosure, the data packet passing through the first network card is copied to form the mirror image data packet, the mirror image data packet is sent to the drainage module, the mirror image data packet is sent to the security device through the drainage module, and the current network is protected based on the security log output by the security device, so that the network security protection is realized, the load of a network link is reduced, and the delay time of data packet communication is reduced.
Drawings
The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements. It should be understood that the figures are schematic and that elements and components are not necessarily drawn to scale.
Fig. 1 is a schematic flow chart of a network security protection method according to an embodiment of the disclosure;
fig. 2 is a schematic diagram of a network security protection effect according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network security protection apparatus according to an embodiment of the disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "including" and variations thereof as used herein are intended to be open-ended, i.e., including, but not limited to. The term "based on" is based at least in part on. It will be appreciated that the data (including but not limited to the data itself, the acquisition or use of the data) involved in the present technical solution should comply with the corresponding legal regulations and the requirements of the relevant regulations.
Fig. 1 is a schematic flow chart of a network security protection method provided by an embodiment of the present disclosure, where the embodiment of the present disclosure is applicable to a situation of performing security protection on a network, the method may be performed by a network security protection device, and the device may be implemented in a form of software and/or hardware, and optionally, may be implemented by an electronic device, where the electronic device may be a mobile terminal, a PC end, a server, or the like. As shown in fig. 1, the method includes:
s110, copying the data packet of the first network card to form a mirror image data packet.
The first network card is installed on the first host. In this embodiment, all the data packets passing through the first network card may be acquired, the data packets may be copied, and the copied data packets may be used as mirror image data packets.
Optionally, copying the data packet of the first network card to form a mirror image data packet, including: acquiring a request data packet and/or a response data packet passing through a first network card; and copying the request data packet and/or the response data packet to obtain a mirror image data packet.
It should be noted that, the first network card may be a network card of a first host corresponding to the virtual machine (or the cloud host), where data packets interacted by the virtual machine and the internet or the target host pass through the first network card.
Specifically, taking as an example, the virtual machine sends a request packet to the target host, or the virtual machine receives a response packet from the target host. And the first network card sends the request data packet generated by the virtual machine to the target host. When the request packet passes through the first network card, the request packet (the request packet at this time may be a packet in the forward direction for the first network card) is copied to form a first mirror packet. Or alternatively; the first network card receives the response data packet sent by the target host and sends the response data packet to the virtual machine. When the response data packet passes through the first network card, the response data packet (the response data packet at this time may be the data packet in the outgoing direction for the first network card) is copied to form a second mirror data packet. The mirror image data packet comprises a first mirror image data packet and/or a second mirror image data packet.
S120, the mirror image data packet is sent to the second network card through the first network card.
The second network card is installed on the second host. In this embodiment, a native Traffic Control (TC) of an operating system (such as a linux system) may be executed, so that the first network card sends the mirror data packet to the second network card.
S130, the mirror image data packet is sent to the drainage module through the second network card.
Wherein, the drainage module is located on the third host. The second host may be the same as the third host or may be different from the third host. The drainage module comprises a third network card. The second network card and the third network card are a pair of virtual network cards, and the virtual network cards are characterized by entering and exiting at the same time. In this embodiment, the mirror data packet (the mirror data packet at this time, for the second network card, the outgoing data packet) may be sent to the third network card in the drainage module through the second network card. In this embodiment, for the second network card, since "packet reinjection" is not needed, that is, the original path returns, only the mirror image packet in the outgoing direction is provided, and no packet in the incoming direction is provided. The drainage module may be a stand-alone network space environment implemented using the netns (network namespaces) of an operating system, such as the linux system.
Optionally, the mirror image data packet includes a destination address, and the sending, by the second network card, the mirror image data packet to the drainage module includes: modifying the target address in the mirror image data packet into a target address corresponding to the third network card through the second network card; and sending the mirror image data packet to a drainage module based on the modified target address.
In this embodiment, after the second network card receives the mirror image data packet, the destination address in the mirror image data packet is modified to the destination address corresponding to the third network card, and the mirror image data packet is sent to the drainage module based on the modified destination address, so that the second network card can be ensured to accurately send the mirror image data packet to the third network card, and the third network card can receive the mirror image data packet. Wherein the destination address may be a MAC address.
And S140, transmitting the mirror image data packet to the security device through the drainage module.
The drainage module comprises a fourth network card. In this embodiment, the fourth network card may send the mirror image data packet to the security device through the routing information. The security device may also be referred to as a security instance, security engine, etc., and may be a cloud host or physical machine that has firewall security software installed. Firewall security software may be next generation firewalls (Next Generation Firewall, NGFW) and Web application protection systems (Web Application Firewall, WAF), among others. It should be noted that, the routing information only has one direction of routing, that is, the mirror image data packet of the third network card is routed to the security device through the fourth network card.
Optionally, the transmitting, by the drainage module, the mirror image data packet to the security device includes: acquiring route information; the routing information includes address information of at least one security device; and transmitting the mirror image data packet to the corresponding security device based on the routing information.
In this embodiment, the flow guiding module may send the mirror image data packet to a plurality of security devices, specifically, obtain the routing information, and send the mirror image data packet to the corresponding security device based on the routing information.
S150, carrying out safety protection on the current network based on the safety log output by the safety equipment.
In this embodiment, the mirror image data packet may be checked by firewall software in the security device, to obtain a check result, and a security log may be obtained according to the check result, and security protection may be performed according to the security log.
Optionally, the security log is generated in the following manner: the security device carries out security inspection on the mirror image data packet based on firewall security software to obtain an inspection result; if the checking result is that the mirror image data packet is an attack mirror image data packet, outputting a security log; the security log comprises quintuple information and attack types of attack mirror image data packets.
The five-tuple information may refer to a source IP address (i.e., an attack host IP address), a source port (i.e., an attack host port), a destination IP address (i.e., an attacked host IP address), a destination port (i.e., an attacked host port), and a transport layer protocol. The present embodiment is not limited to this specific attack type, and may be, for example, a denial of service attack, a set behavior attack, or the like. In the embodiment, the security device performs security inspection on the mirror image data packet based on firewall security software to obtain an inspection result; if the checking result is that the mirror image data packet is an attack mirror image data packet, namely, when the security equipment detects that the network is threatened by security, outputting a security log, and discarding the attack mirror image data packet; if the checking result is that the mirror image data packet is a non-attack mirror image data packet, the mirror image data packet is directly discarded.
It should be noted that if the security device does not have the capability of "direct discard", an "invalid" ip address may be selected as a gateway in the two-layer network net. X (as shown in fig. 2), where the ip address is absent, and the address where the ARP request does not respond is sent to the gateway, so as to implement a discarding effect similar to a black hole.
Optionally, the security log output based on the security device performs security protection on the current network, including: storing the security log into a database; setting a state identifier of a stored security log; wherein, the state identification comprises unprocessed, processed and processed completion; determining a protection strategy according to the attack type and the state identification of the mirror image data packet; and protecting the network safety based on the protection strategy.
Optionally, determining the protection policy according to the attack type and the state identifier of the mirror data packet includes: if the state identification is unprocessed, determining a protection strategy according to the attack type, and updating the state identification into processing.
The database may be any type of database, which is not limited in this embodiment. For example, a relational database mysql, or other types of databases, such as an elastiscearch database. In this embodiment, the security device may send the security log to management software in the cloud platform, where the management software in the cloud platform may be security threat service provided by the cloud platform, and the management software in the cloud platform may store the security log in the database, and set a state identifier of the stored security log. If the state identification is unprocessed, determining a protection strategy according to the attack type, and updating the state identification into processing. And protecting the network security based on the protection strategy, and updating the state identifier to be processed after protecting the network security. In this embodiment, the concurrent repeated operations can be prevented by the status identifier.
Optionally, determining the protection policy according to the attack type includes: if the attack type is denial of service attack, the protection strategy is to seal the address of the attack host and the port of the attacked host based on the set time; if the attack type is the set behavior attack, the protection strategy is to close the attack host.
In this embodiment, if the attack type is denial of service attack, the protection policy is to seal the address of the attack host and the port of the attacked host for a set time. If the attack type is the set behavior attack, the protection strategy is to close the attack host.
In this embodiment, the first network card, the virtual machine, the second network card, the third network card, the fourth network card, the drainage module, the security device, and the like are all located in the cloud platform.
It should be noted that, in this embodiment, the mirror image data packet mode, the flow traction (drainage) mode, the security threat service analysis and processing mode, etc. are not specifically limited, and the specific implementation in actual production may have many ways to achieve the effects of each step in this scheme.
According to the technical scheme, the data packet of the first network card is copied to form a mirror image data packet; the first network card is installed on the first host; transmitting the mirror image data packet to a second network card through the first network card; the second network card is installed on the second host; transmitting the mirror image data packet to the drainage module through the second network card; wherein, the drainage module is positioned on the third host; transmitting the mirror image data packet to the security device through the drainage module; and carrying out safety protection on the current network based on the safety log output by the safety equipment. According to the embodiment of the disclosure, the data packet passing through the first network card is copied to form the mirror image data packet, the mirror image data packet is sent to the drainage module, the mirror image data packet is sent to the security device through the drainage module, and the current network is protected based on the security log output by the security device, so that the network security protection is realized, the load of a network link is reduced, and the delay time of data packet communication is reduced.
Fig. 2 is a schematic diagram of a network security protection effect according to an embodiment of the present invention, as shown in fig. 2. In fig. 2, VM2 is virtual machine 2, eth0 in vm2 is a network card in virtual machine 2, and tap1 is a network card of a host corresponding to VM2. VM1 is virtual machine 1, eth0 in VM1 is a network card in virtual machine 1, and tap0 is a first network card. If0 is a second network card, if0p is a third network card, tt.netns is a drainage module, if.x is a fourth network card, NET.X is a network, NGFW is a security device, internet is the Internet, bridge is a bridge, and the network for expression access is two-layer or three-layer reachable. Virtual machine 1 and virtual machine 2 may each be a host or cloud host.
Assuming that vm1 and vm2 are mutually visited, the original network path is: vm1- > vm1.Bridge- > vm2, round trip the same way.
Network security protection is carried out on the in-out data packet of vm1, and the traditional network paths for timely drainage and security protection are as follows: vm1- > [ tt.netns- > NGFW- > tt.netns ] - > vm1.Bridge- > vm2.Bridge- > vm2, round-trip the same way.
The network path of the service data packet in the scheme is unchanged and is consistent with the original network path. Whereas the network path of the "mirror" packet is: vm1- > mirror packet [ tt.netns- > ngfw ].
It can be seen that, for communication between vm1 and vm2 of east-west traffic, the timeliness network security protection performs traffic traction (drainage) on all data packets, and the load of the network link is increased by returning the traffic to the security device (tt.netns- > NGFW- > tt.netns). And the link path becomes longer, increasing the delay time of unit data packet communication.
In this embodiment, the data packet passing through the first network card is copied to form a mirror image data packet, and the mirror image data packet is transmitted to the security device, that is, the traffic mirror image mode does not affect the original data packet communication, does not change the network link of the original data packet communication, and has little change in network delay compared with the original data packet communication. The mirror image data packets are transmitted to the safety equipment in one direction only by cloud resources, after the safety equipment checks, if the check result is that the mirror image data packets are attack mirror image data packets, corresponding safety logs are sent out, otherwise, the data packets are not processed, and finally the data packets are directly discarded without 'original return', so that compared with the traditional traffic traction mode, the traffic increment of one time is reduced. For threats such as 'persistent' malicious behaviors, attack behaviors and the like, and communication between east-west traffic, namely an intranet, on a certain choice, instant analysis and protection can become unimportant, and 'timeliness' can be sacrificed for performance.
In the embodiment, the cost performance is better under the inherent conditions that the network environment is a closed intranet and is basically safe; it may be appropriate under the unique conditions that the security threat is "persistent", "weak (or non-destructive"), etc.
Taking the example of a denial of service attack on virtual machine vm1 by virtual machine 2 as an example, reference is also made to fig. 2.
Step one: VM2 issues a syn_flood attack on VM1.
Wherein the IP address of VM1 is 10.73.14.154. The specific operation is as follows: hping3-i u1-S-p 808010.73.14.154. At this time, VM2 will initiate a large number of tcp syn packets to the 8080 port of VM1.
Step two: the security device outputs a security log and sends it to the security threat service.
The specific operation is as follows: mar 1316:21:51CFW;530011001137646833922603; ipv4;3, a step of; security_flood: user_name=; src_ip= 192.168.12.9; src_port=2411; dst_ip= 10.73.14.154; dst_port=8080; name=synflood; type = flood-attack; protocol = TCP; mac=52:54:d5:a6:a0:ae; count=1924; level=4; in_if_name=g1; create_time= 1678695686; end_time= 1678695687; extension=. After the security threat service receives the security log, the security threat service stores the security log in a database, and sets a state identifier of the stored security log.
Step three: the security threat service analyzes the security log.
By analyzing the security log, it can be determined that the source IP is 192.168.12.9 (i.e., the IP address of VM 2), the attack is 1924 times per second, and the syncflood attack is performed on the 8080 port of 10.73.14.154.
Step four: if the state identification is unprocessed, determining a protection strategy according to the denial of service attack, and updating the state identification into processing.
Wherein, the protection policy is: and (3) configuring rules, sealing and banning the address of the attack host and the port of the attacked host based on the set time, and updating the state identification into the processing completion.
Specifically, iptables-t filter-A FW_VM1-p tcp-s 192.168.12.9-dport 8080-m time-datestart 2023-03-13T 16:21:51-datestat
2023-03-13T16:31:51-j DROP。
In the face of a large number of packet attacks of the intranet, the data volume is particularly large, in actual production, due to the consideration of factors such as cost and the like, the load of safety equipment can be insufficient, even the safety equipment cannot be processed, so that 'timely processing' can be caused, and network stability problems are caused. In addition, there are a lot of service data packets to be processed in time, which will slow down the network transmission efficiency and increase the network load, so that the production efficiency of the service becomes low. This "asynchronous mode" of the present solution thus safeguards the current network. Although the original network is not protected for a short period of time before protection, once protection is carried out, the problem can be solved based on the protection strategy of the scheme, so that the stability of the network can be ensured in a tolerable time, and the stability of the service is maintained.
By way of example, in the technical solution provided in this embodiment, using the linux system as an example, tc+iptables+routing information is used to perform packet drainage for network security protection.
The tc is a flow control module of the linux system kernel, and can perform functions of data packet redirection, data packet editing, data packet marking and the like. The iptables are ipv4 data packet management modules of the linux system kernel, and can perform data packet marking, connection record generation and other functions. The ip_rule is a routing rule (or routing information) management function of the kernel of the linux system, and can configure a target to which a route is sent according to a packet label.
In actual production, the network security protection effect graphs are complex and various, and the configuration is also different, but the network security protection effect graphs are not limited to the network security protection effect graphs. The main working method and the packet processing flow are basically consistent. In actual production, tap0 may also be within a netns, and because its processing methods are consistent, the simplest tap0 is illustrated in the default network space of the host.
The general configuration method comprises the following steps:
defining packet flags (bitmaps) as:
# bitmap, binary expansion view
FWMARK_PASS='0xc000' #1100000000000000
FWMARK_SNAT='0xa000' #1010000000000000
FWMARK_DNAT='0x9000' #1001000000000000
FWMARK_TRACTION='0x8800' #1000100000000000
FWMARK_HASH_ROUTE1=0x8100 #1000000100000000
Occupying 16bit marks, from left to right in turn:
The first bit of the expression data packet is processed by a drainage module;
the second bit expression data packet does not need to be drained;
the third bit of the data packet requires source address translation;
the fourth bit of the expression data packet requires target address conversion;
the fifth bit of the expression data packet needs to be drained, and can be used in a 'only north-south' drainage mode;
a sixth bit, a seventh bit reservation;
the eighth bit represents a data packet routing object, which is an offset for performing hash calculation;
the remaining 8 bits, namely 0xff, express a drainage target, namely ngfw, and the drainage target can be multiple, and the drainage targets are sequentially numbered for distinguishing.
For example, when the hash calculation results in a value of 1 and expresses the ngfw with the number of 1, the packet label value is 0x8100+1=0x8101, and a routing policy corresponding to the 0x8101 label is preset in the routing rule (routing information), so that the packet can be distributed to different routes, namely different drainage targets (ngfw) according to the hash calculation, and load balancing is achieved. It should be noted that the above-mentioned "drainage" is only performed for the "mirrored data packet".
Step one: the network namespaces tt.
The creation of an ipset records tenant network (tenant_networks) information, which is known to the cloud platform. The ipset here will be used by the later mentioned configuration step of the "tenant network". Is configured as follows
The # tenant network is 10.67.0.0/24, and this ip set can be configured with multiple network address segments.
root@topsail:~#ipset list tenant_networks
Name:tenant_networks
Type:hash:net
Revision:6
Header:family inet hashsize 1024maxelem 65536
Size in memory:504
References:6
Number of entries:1
Members:
10.67.0.0/24
Step two: and configuring a routing rule.
The data packet needs to be sent to the drainage destination, i.e., ngfw, and when there are multiple ngfw, multiple rules are needed to be corresponding. The data packet routing tag value may be obtained by numbering the ngfw and then adding the calculated offsets using the hash of the 0x8100 data packet routing object described above. The configuration is as follows:
#0x8101 is a routing tag value of ngfw number 1
root@topsail:~#ip rule|grep 0x81ff
32764:from all fwmark 0x8102/0x81ff lookup 33026
32765:from all fwmark 0x8101/0x81ff lookup 33025
# where ldst-br_0_p corresponds to if.x in FIG. 2, 100.64.1.2 is the ip address of ngfw.
root@topsail:~#ip route show table 0x8101
default via 100.64.1.2dev ldst-br_0_p
100.64.1.2dev ldst-br_0_p scope link
Step three: the "enter" (packet enters netns) direction of the third network card if0p is configured.
The concrete main parts are as follows: the first part sets the data packet discarding rule. When the third network card if0 is configured on the bridge, if0 will receive some broadcast or multicast packets, and if0p will also receive these packets, and these packets may be discarded directly without processing. The specific processing method can be that 1) multicast and broadcast data packet marks are set as 'no-drainage' marks; 2) Setting a match to "no drain" flag is discarded. In addition, the cloud platform or the user can also configure control strategies such as ip, protocol or port and the like which are not drained according to the requirement. When the if0 network card is not on any bridge, it will not passively receive the packet, so this part may be left unconfigured.
The second part, calculate/query gets the packet route tag. The hash calculation obtains the data packet mark of the drainage target, and when the drainage target, namely, the ngfw, is in a plurality of conditions, the load balancing can be realized. It should be noted that, here, a connection record (conntrack) is made, and a new data packet comes in to query the connection record to obtain a data packet tag value, so that hash calculation is not required for each data packet. Opening the connection record consumes memory, but reduces cpu usage and facilitates tracking session connections. Not opening a "connection record" increases cpu usage and cannot keep track of session connections. Preferably, the "connection record" is opened.
And the third part sets the NAT label of the data packet.
Some policies are customized to mark whether the packet requires source address translation or destination address translation. Taking the north-south traffic as an example, the following strategy can be made: when the source address and the target address of the data packet belong to the tenant network, nat is not needed; when the source address is a tenant network, the target address is a non-tenant network, and a mark for source address conversion is set; when the source address is a non-tenant network, the target address is a tenant network, and a flag of target address conversion is set. The purpose of this is to allow the ngfw to record the session information of the actual internet instead of the private IP to internet IP session. Of course, it is also possible to dispense with nat, as desired.
The configuration is as follows:
a first part: and setting a data packet discarding rule.
Setting multicast and broadcast data packet mark as 'no flow'
filter protocol ip pref 162u32 fh 801::803order 2051key ht 801bkt 0terminal flowid not_in_hw
match IP dst 224.0.0.0/4
action order 1:skbedit mark 49152/0xc000 continue
filter protocol ip pref 162u32 fh 801::804order 2052key ht 801bkt 0terminal flowid not_in_hw
match IP dst 255.255.255.255/32
action order 1:skbedit mark 49152/0xc000 continue
filter protocol all pref 240fw handle 0xc000/0xc000
action order 1:gact action pass
Packet label matching "no drainage" is discarded
root@topsail:~#iptables-t mangle-S|grep MARK_SRC
-A PREROUTING-i if0p-j TT_MARK_SRC
-A TT_MARK_SRC-m mark--mark 0xc000/0xc000-j DROP。
The second part: the calculation/query results in a packet routing label.
And setting the if0p network card to start the connection record, and setting the connection record to be not opened by default.
#root@topsail:~#iptables-t raw-S PREROUTING
-A PREROUTING-i if0p-j ACCEPT
-A PREROUTING-j CT--notrack
# packet route label
root@topsail:~#iptables-t mangle-S|grep HMARK
-aTT_MARK_HMARK-m conntrack-ctstate RELATED, ESTABLISHED-jCONNMARK-restore-MARK-nfmask 0 xffffffff-ctmask 0 xffffff# is queried from the connection record
-A TT_MARK_HMARK-m Command-Command hash_mark-m MARK-! -mark0x8100/0x8100-j HMARK-HMARK-src-prefix 32-HMARK-dst-prefix 32-HMARK-rnd 0x000f 4243-HMARK-mod 2-HMARK-offset 33025# were not found, where the modulus was 2 expressing the drainage target, i.e. ngfw, 2.
-aTT_MARK_HMARK-m conntrack-ctstate NEW-m MARK-MARK 0x8100/0x8100-j CONNMARK-save-MARK-nfmask 0 xffffffff-ctmask 0 xffffff# when a NEW connection is generated and after a route MARK of a packet is successfully obtained has been calculated, a connection record (conntrack) is saved
-A TT_MARK_SRC-j TT_MARK_HMARK。
The third part sets the packet NAT flag.
Flow in the north-south direction is taken as an example
root@topsail:~#iptables-t mangle-S|grep NAT
-A TT_MARK_NAT-m set--match-set tenant_networks src-m set--match-set tenant_networks dst-j ACCEPT
-A TT_MARK_NAT-m comment--comment snat_mark-m set--match-set tenant_networks src-j MARK--set-xmark 0xa000/0xa000
-A TT_MARK_NAT-m comment--comment dnat_mark-m set--match-set tenant_networks dst-j MARK--set-xmark 0x9000/0x9000
-A TT_MARK_SRC-j TT_MARK_NAT。
Step four: the "out" (leaving netns) direction of the fourth network card if. X is configured.
Editing the data packet. And carrying out ip address modification corresponding to the NAT packet mark, and modifying the source address when the ip address modification is matched with the source address conversion mark. Matching to the target address translation marker, the target address is modified. The address is modified followed by recalculation and modification of the csum value (checksum).
The configuration is as follows:
in this embodiment, only the "mirrored data packet" is sent to the security device, and the security device does not need to send back the original route, and does not need to send back the route.
In networking, only a two-layer network of the safety device and the drainage module is required to be constructed, and the safety device does not need to be configured with a reinjection route, namely, after the data packet arrives at the safety device and is analyzed and processed, the data packet can be discarded or black hole processed.
Fig. 3 is a schematic structural diagram of a network security protection apparatus according to an embodiment of the present disclosure, as shown in fig. 3, where the apparatus includes: the data packet copying module 310, the first mirror data packet sending module 320, the second mirror data packet sending module 330, the third mirror data packet sending module 340, and the security protection module 350.
The data packet copying module 310 is configured to copy the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host;
The first mirror image data packet sending module 320 is configured to send the mirror image data packet to the second network card through the first network card; the second network card is installed on a second host;
a second mirror packet sending module 330, configured to send the mirror packet to a drainage module through the second network card; wherein, the drainage module is positioned on a third host;
a third mirror packet sending module 340, configured to send the mirror packet to a security device through the drainage module;
and the security protection module 350 is configured to perform security protection on the current network based on the security log output by the security device.
According to the technical scheme, a data packet copying module copies a data packet of a first network card to form a mirror image data packet; the first network card is installed on a first host; the first mirror image data packet sending module sends the mirror image data packet to a second network card through the first network card; the second network card is installed on a second host; the second mirror image data packet sending module sends the mirror image data packet to the drainage module through the second network card; wherein, the drainage module is positioned on a third host; the third mirror image data packet sending module sends the mirror image data packet to the security equipment through the drainage module; and the safety protection module carries out safety protection on the current network based on the safety log output by the safety equipment. According to the embodiment of the disclosure, the data packet passing through the first network card is copied to form the mirror image data packet, the mirror image data packet is sent to the drainage module, the mirror image data packet is sent to the security device through the drainage module, and the current network is protected based on the security log output by the security device, so that the network security protection is realized, the load of a network link is reduced, and the delay time of data packet communication is reduced.
Optionally, the data packet copying module is specifically configured to: acquiring a request data packet and/or a response data packet passing through the first network card; copying the request data packet and/or the response data packet to obtain a mirror image data packet.
Optionally, the drainage module includes a third network card; the mirrored data packet includes a destination address. Optionally, the second mirror packet sending module is specifically configured to: modifying a target address in the mirror image data packet into a target address corresponding to the third network card through the second network card; and sending the mirror image data packet to the drainage module based on the modified target address.
Optionally, the drainage module includes a fourth network card. Optionally, the third mirror packet sending module is specifically configured to: acquiring route information; the routing information includes address information of at least one security device; and sending the mirror image data packet to a corresponding safety device based on the routing information.
Optionally, the security device is provided with firewall security software; the generation mode of the security log is as follows: the security device carries out security inspection on the mirror image data packet based on the firewall security software to obtain an inspection result; if the checking result is that the mirror image data packet is an attack mirror image data packet, outputting a security log; the security log comprises quintuple information and an attack type of the attack mirror image data packet.
Optionally, the safety protection module is specifically configured to: storing the security log into a database; setting a state identifier of a stored security log; wherein, the state identification comprises unprocessed, processed and processed completion; determining a protection strategy according to the attack type of the mirror image data packet and the state identifier; and protecting the network safety based on the protection strategy.
Optionally, the safety protection module is further configured to: and if the state identifier is unprocessed, determining a protection strategy according to the attack type, and updating the state identifier into processing.
Optionally, the safety protection module is further configured to: if the attack type is denial of service attack, the protection strategy is to seal the address of the attack host and the port of the attacked host based on the set time; if the attack type is the set behavior attack, the protection strategy is to close the attack host.
The network security protection device provided by the embodiment of the disclosure can execute the network security protection method provided by any embodiment of the disclosure, and has the corresponding functional modules and beneficial effects of the execution method.
It should be noted that each unit and module included in the above apparatus are only divided according to the functional logic, but not limited to the above division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for convenience of distinguishing from each other, and are not used to limit the protection scope of the embodiments of the present disclosure.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. Referring now to fig. 4, a schematic diagram of an electronic device (e.g., a terminal device or server in fig. 4) 400 suitable for use in implementing embodiments of the present disclosure is shown. The terminal devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 3 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 4, the electronic device 400 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 401, which may perform various suitable actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage means 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data necessary for the operation of the electronic device 400 are also stored. The processing device 401, the ROM 402, and the RAM 403 are connected to each other by a bus 404. An edit/output (I/O) interface 406 is also connected to bus 404.
In general, the following devices may be connected to the I/O interface 406: input devices 406 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 407 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 408 including, for example, magnetic tape, hard disk, etc.; and a communication device 409. The communication means 409 may allow the electronic device 400 to communicate with other devices wirelessly or by wire to exchange data. While fig. 4 shows an electronic device 400 having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via communications device 409, or from storage 408, or from ROM 402. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing device 401.
The names of messages or information interacted between the various devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of such messages or information.
The electronic device provided by the embodiment of the present disclosure and the network security protection method provided by the foregoing embodiment belong to the same inventive concept, and technical details not described in detail in the present embodiment may be referred to the foregoing embodiment, and the present embodiment has the same beneficial effects as the foregoing embodiment.
The embodiment of the present disclosure provides a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the network security protection method provided by the above embodiment.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
In some implementations, the clients, servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol ), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the internet (e.g., the internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to:
the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: copying the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host; transmitting the mirror image data packet to a second network card through the first network card; the second network card is installed on a second host; transmitting the mirror image data packet to a drainage module through the second network card; wherein, the drainage module is positioned on a third host; transmitting the mirror image data packet to a security device through the drainage module; and carrying out safety protection on the current network based on the safety log output by the safety equipment.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only of the preferred embodiments of the present disclosure and description of the principles of the technology being employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this disclosure is not limited to the specific combinations of features described above, but also covers other embodiments which may be formed by any combination of features described above or equivalents thereof without departing from the spirit of the disclosure. Such as those described above, are mutually substituted with the technical features having similar functions disclosed in the present disclosure (but not limited thereto).
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.

Claims (11)

1. A method of protecting network security, comprising:
copying the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host;
transmitting the mirror image data packet to a second network card through the first network card; the second network card is installed on a second host;
transmitting the mirror image data packet to a drainage module through the second network card; wherein, the drainage module is positioned on a third host;
transmitting the mirror image data packet to a security device through the drainage module;
and carrying out safety protection on the current network based on the safety log output by the safety equipment.
2. The method of claim 1, wherein copying the data packets of the first network card to form mirrored data packets comprises:
acquiring a request data packet and/or a response data packet passing through the first network card;
Copying the request data packet and/or the response data packet to obtain a mirror image data packet.
3. The method of claim 1, wherein the drainage module comprises a third network card; the mirror image data packet includes a target address, and the mirror image data packet is sent to a drainage module through the second network card, including:
modifying a target address in the mirror image data packet into a target address corresponding to the third network card through the second network card;
and sending the mirror image data packet to the drainage module based on the modified target address.
4. The method of claim 1, wherein the drainage module comprises a fourth network card; transmitting, by the drainage module, the mirrored data packet to a security device, including:
acquiring route information; the routing information includes address information of at least one security device;
and sending the mirror image data packet to a corresponding safety device based on the routing information.
5. The method of claim 1, wherein the security device is installed with firewall security software; the generation mode of the security log is as follows:
the security device carries out security inspection on the mirror image data packet based on the firewall security software to obtain an inspection result;
If the checking result is that the mirror image data packet is an attack mirror image data packet, outputting a security log; the security log comprises quintuple information and an attack type of the attack mirror image data packet.
6. The method of claim 5, wherein securing the current network based on the security log output by the security device comprises:
storing the security log into a database;
setting a state identifier of a stored security log; wherein, the state identification comprises unprocessed, processed and processed completion;
determining a protection strategy according to the attack type of the mirror image data packet and the state identifier;
and protecting the network safety based on the protection strategy.
7. The method of claim 6, wherein determining a protection policy based on the type of attack of the mirrored data packet and the status identifier comprises:
and if the state identifier is unprocessed, determining a protection strategy according to the attack type, and updating the state identifier into processing.
8. The method of claim 6, wherein determining a protection policy based on the attack type comprises:
If the attack type is denial of service attack, the protection strategy is to seal the address of the attack host and the port of the attacked host based on the set time;
if the attack type is the set behavior attack, the protection strategy is to close the attack host.
9. A network security appliance, comprising:
the data packet copying module is used for copying the data packet of the first network card to form a mirror image data packet; the first network card is installed on a first host;
the first mirror image data packet sending module is used for sending the mirror image data packet to the second network card through the first network card; the second network card is installed on a second host;
the second mirror image data packet sending module is used for sending the mirror image data packet to the drainage module through the second network card; wherein, the drainage module is positioned on a third host;
the third mirror image data packet sending module is used for sending the mirror image data packet to the safety equipment through the drainage module;
and the safety protection module is used for carrying out safety protection on the current network based on the safety log output by the safety equipment.
10. An electronic device, the electronic device comprising:
One or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the network security protection method of any of claims 1-8.
11. A storage medium containing computer executable instructions for performing the network security protection method of any of claims 1-8 when executed by a computer processor.
CN202310530391.7A 2023-05-11 2023-05-11 Network security protection method, device, equipment and medium Pending CN116599716A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310530391.7A CN116599716A (en) 2023-05-11 2023-05-11 Network security protection method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310530391.7A CN116599716A (en) 2023-05-11 2023-05-11 Network security protection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116599716A true CN116599716A (en) 2023-08-15

Family

ID=87607432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310530391.7A Pending CN116599716A (en) 2023-05-11 2023-05-11 Network security protection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116599716A (en)

Similar Documents

Publication Publication Date Title
US10798058B2 (en) Distributed identity-based firewalls
KR102451237B1 (en) Security for container networks
CN113711561B (en) Intent-based governance service
US9363172B2 (en) Managing a configurable routing scheme for virtual appliances
US20160226916A1 (en) Creating and managing a network security tag
US10911406B2 (en) Accessing cloud resources using private network addresses
US11252183B1 (en) System and method for ransomware lateral movement protection in on-prem and cloud data center environments
US20140149490A1 (en) Dynamic routing through virtual appliances
US20140149981A1 (en) Sharing memory between virtual appliances
US20070297410A1 (en) Real-time stateful packet inspection method and apparatus
EP1710978A1 (en) Method and apparatus for reducing firewall rules
KR101948049B1 (en) Enhancing network controls in mandatory access control computing environments
CN105430011A (en) Method and device for detecting distributed denial of service attack
RU2653241C1 (en) Detecting a threat of a zero day with the use of comparison of a leading application/program with a user agent
US20170250998A1 (en) Systems and methods of preventing infection or data leakage from contact with a malicious host system
CN111865996A (en) Data detection method and device and electronic equipment
Yoo et al. SmartCookie: Blocking Large-Scale SYN Floods with a Split-Proxy Defense on Programmable Data Planes
US12095629B2 (en) Security threat detection during service query handling
US11303615B2 (en) Security information propagation in a network protection system
US20160337232A1 (en) Flow-indexing for datapath packet processing
CN110995763A (en) Data processing method and device, electronic equipment and computer storage medium
CN116599716A (en) Network security protection method, device, equipment and medium
CN108337222B (en) Port opening method and device for distinguishing access terminal identity and readable storage medium
CN115865802A (en) Virtual instance flow mirroring method and device, virtual machine platform and storage medium
CN111800340B (en) Data packet forwarding method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination