CN116610530A - Processing method and device of network data, computer equipment and storage medium - Google Patents

Publication number: CN116610530A
Authority: CN (China)
Legal status: Pending
Application number: CN202310852745.XA
Priority to: CN202310852745.XA
Inventor: 朱贺军
Current Assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD
Original Assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD
Prior art keywords: data, receiving interface, space, network, parameter

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/3003: Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3041: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is an input/output interface
    • G06F11/301: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G06F11/3065: Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G06F11/3466: Performance evaluation by tracing or monitoring
    • G06F11/3476: Data logging
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses a method and device for processing network data, a computer device and a storage medium. The operating system installed on the computer device comprises a user mode and a kernel mode; the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface. In response to the network card receiving interface being started to receive network data to be parsed, a first space parameter of a first cache space of the network card receiving interface is determined. A second space parameter corresponding to the first space parameter is then determined according to the first space parameter, where the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface. According to the second space parameter, the network data to be parsed is stored into the second cache space indicated by the second space parameter, and the user mode receiving interface starts a parsing program to parse the network data in the second cache space. In this way, the processing performance for network data can be improved.

Description

Processing method and device of network data, computer equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for processing network data, a computer device, and a storage medium.
Background
Data, as a new factor of production, is the foundation of digitalization, networking and intelligent systems. At the same time, with the development of new technologies such as cloud computing, big data, the Internet of Things and 5G, data security problems have become more complex and severe, and data leakage, tampering and destruction cause huge losses to individuals and enterprises. In security monitoring and traffic analysis applications, the traffic packets at the network gateway need to be parsed. As internet technology develops, traffic volumes keep growing, and the traffic of an ordinary network may reach 10 million pps, which is a challenge for packet capture.
At present, packet capture is mainly based on the network protocol stack of the operating system kernel, for example pfring. With a kernel-based scheme, for example on a Linux system, the program has to switch frequently and exchange data frequently between user mode and kernel mode before data can be captured and parsed in the operating system. Packet loss and similar problems during the switching between user mode and kernel mode therefore degrade the program's performance, and the demands of high traffic cannot be met. How to improve the processing performance for high-volume network packets is thus a technical problem to be solved.
Disclosure of Invention
In view of the foregoing, a primary object of the present invention is to provide a method, an apparatus, a computer device and a storage medium for processing network data, which aim to improve the processing performance of the computer device on the network data.
In order to achieve the above purpose, the technical scheme of the invention is realized as follows:
An embodiment of the invention provides a method for processing network data, applied to a computer device on which an operating system is installed. The operating system comprises a user mode and a kernel mode; the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface. The method comprises the following steps:
in response to the network card receiving interface being started to receive network data to be parsed, determining a first space parameter of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel mode and is the current cache space in which the network card receiving interface operates;
determining, according to the first space parameter of the network card receiving interface, a second space parameter corresponding to the first space parameter, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is located in the user mode;
storing, according to the second space parameter, the network data to be parsed into the second cache space indicated by the second space parameter;
and starting, by the user mode receiving interface, a parsing program to parse the network data in the second cache space.
In the above solution, the operating system further includes a virtual environment state, which is used for storing the correspondence between the first space parameter of the network card receiving interface and the parameters of the user mode receiving interface;
the determining, according to the first space parameter of the network card receiving interface, a second space parameter corresponding to the first space parameter includes:
acquiring, from the virtual environment state and according to the first space parameter of the network card receiving interface, the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface;
and determining the second space parameter corresponding to the first space parameter according to the correspondence.
In the above scheme, the method further comprises:
initializing the virtual environment state in response to monitored time information meeting a time condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface;
and/or,
initializing the virtual environment state in response to monitored user operation information meeting an operation condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface.
In the above scheme, the method further comprises:
acquiring resource consumption information of the user mode;
the initializing the virtual environment state and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface includes:
initializing the virtual environment state, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface according to the resource consumption information of the user mode.
In the above solution, the parsing program includes a data capturing process and a data parsing process;
the starting, by the user mode receiving interface, of a parsing program to parse the network data in the second cache space includes:
the user mode receiving interface starts the data capturing process in the parsing program and acquires the network data to be parsed from the second cache space;
and the user mode receiving interface starts the data parsing process in the parsing program and parses the network data to be parsed.
In the above solution, the data parsing process includes a plurality of data parsing threads;
before the user mode receiving interface starts the parsing program, the method further includes:
acquiring thread parameters of the data parsing threads;
dividing the network data to be parsed according to a first number of the data parsing threads to obtain a second number of pieces of network sub-data, the second number being equal to the first number; and establishing a mapping relation between the data parsing threads and the network sub-data according to the thread parameters corresponding to the data parsing threads;
the starting, by the user mode receiving interface, of the data parsing process in the parsing program to parse the network data to be parsed includes:
the user mode receiving interface starts the plurality of data parsing threads in the data parsing process according to the thread parameters of the plurality of data parsing threads, and, according to the mapping relation, uses the plurality of data parsing threads to parse the corresponding network sub-data simultaneously.
In the above solution, the method further comprises: determining the data amount of each piece of network sub-data;
the establishing a mapping relation between the data parsing threads and the network sub-data according to the thread parameters corresponding to the data parsing threads includes:
establishing the mapping relation between the data parsing threads and the network sub-data according to the thread parameters corresponding to each data parsing thread and the data amount.
In addition, an embodiment of the invention provides a device for processing network data, applied to a computer device on which an operating system is installed. The operating system comprises a user mode and a kernel mode; the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface. The device comprises:
a first determining module, configured to determine, in response to the network card receiving interface being started to receive network data to be parsed, a first space parameter of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel mode and is the cache space in which the network card receiving interface operates;
a second determining module, configured to determine, according to the first space parameter of the network card receiving interface, a second space parameter corresponding to the first space parameter, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is located in the user mode;
a storage module, configured to store, according to the second space parameter, the network data to be parsed into the second cache space indicated by the second space parameter;
and a parsing module, configured to have the user mode receiving interface start a parsing program to parse the network data in the second cache space.
To achieve the above object, an embodiment of the present invention further provides a computer device, including:
a processor;
a memory for storing processor-executable instructions;
the processor is configured to execute the method for processing network data according to any one of the above schemes.
To achieve the above object, an embodiment of the present invention further provides a computer storage medium having one or more programs executable by one or more processors to cause the one or more processors to perform the method for processing network data according to any one of the above aspects.
The embodiment of the invention provides a method and device for processing network data, a computer device and a storage medium. The computer device has an operating system installed; the operating system comprises a user mode and a kernel mode, the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface. In response to the network card receiving interface being started to receive network data to be parsed, a first space parameter of a first cache space of the network card receiving interface is determined, wherein the first cache space is in the kernel mode and is the current cache space in which the network card receiving interface operates. A second space parameter corresponding to the first space parameter is then determined according to the first space parameter of the network card receiving interface, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is located in the user mode. The network data to be parsed is then stored, according to the second space parameter, into the second cache space indicated by the second space parameter. Finally, the user mode receiving interface starts a parsing program to parse the network data in the second cache space.
In the prior art, network data received by the network card receiving interface must first be stored in the kernel mode and then extracted from the kernel mode into the user mode, where the user mode receiving interface captures and parses it. By contrast, when the network card receiving interface is started to receive the network data to be parsed, the embodiment of the invention determines the first space parameter of the current first cache space of the network card receiving interface, and then determines the second space parameter corresponding to the first space parameter, so that the second cache space in the user mode in which the user mode receiving interface runs is determined from the second space parameter. The network data to be parsed is stored directly in the second cache space, and the user mode receiving interface starts a parsing program that parses the network data in the second cache space directly. The network data therefore does not need to be transferred from the kernel mode to the user mode, which reduces packet loss during that transfer; the related computer program does not need to switch between the kernel mode and the user mode, which improves data processing efficiency and reduces problems such as interruption and timeout of the data processing program. In this embodiment, once the network card is started, the kernel mode is skipped and data storage, data processing and so on are executed directly in the user mode, which reduces the performance problems caused by programs and network data interacting between the kernel mode and the user mode and improves the processing performance for network data.
Drawings
FIG. 1 is a technical framework diagram of a data security product provided in some embodiments of the present invention;
FIG. 2 is a flow chart illustrating a process of processing network data according to some embodiments of the present invention;
FIG. 3 is a schematic view of an application scenario of a method for processing network data according to some embodiments of the present invention;
FIG. 4 is a schematic structural diagram of a processing device for network data according to some embodiments of the present invention;
FIG. 5 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
It should be noted that, with the development of cloud, the rollout of 5G and the industrial internet, "digital" office work in enterprises and institutions has become a major trend. While "digital" office work brings efficient data circulation to enterprises, the risks and challenges brought by data leakage also become more prominent. How to ensure the data security of office computers in enterprises and institutions is therefore the research direction of the embodiments of the present invention.
Based on the above, the embodiment of the invention provides a data security protection product for computer devices, which can be installed on the computer device as a plug-in, or installed on a network platform or network server connected to the computer device. The data security protection product can ensure the security of the data of the computer device.
FIG. 1 is a technical framework diagram of a data security product. As shown in FIG. 1, the product covers data asset discovery and identification, data security detection and protection, and data security response and operation. In the data asset discovery and identification process, the data assets of the computer device are scanned, network data is identified, hidden information in electronic documents is deeply sensed, and data assets are discovered and classified. In the endpoint security detection and protection process, adaptive intelligent protection of endpoint data is performed: the data is scanned to identify intelligently whether it needs protection, and network data is intelligently audited and protected. In the data security response and operation process, high-performance processing of massive data can be performed, together with automated workflow orchestration of the data security response, data security situation awareness, and so on.
In some scenarios, because the business of enterprises and public institutions is complex and the volume of data exchanged at the core is large, the port rate of switches in mainstream data exchange centers in China is being upgraded to 10GE and even 100GE. Capturing mirrored data at such very high traffic volumes with high performance is very challenging, so the technology for capturing and parsing high-volume data has weak points, and the processing performance of computers when capturing and parsing high-volume data has many shortcomings.
In the prior art, some vendors capture data with the kernel-based libpcap, that is, the network packet capture library for the unix/linux platform. This capture method, however, requires data to be copied back and forth between the kernel mode and the user mode of the operating system and the program to switch back and forth, which easily causes packet loss, program interruption, timeouts and similar problems.
The embodiment of the invention aims to study a technology for capturing and parsing high-volume network data, and to solve the weak points and insufficient processing performance of high-volume network data capture and parsing technology in the prior art.
FIG. 2 is a flow chart of a method for processing network data in an embodiment of the present invention. Referring to FIG. 2, the embodiment of the present invention provides a method for processing network data, applied to a computer device on which an operating system is installed. The operating system includes a user mode and a kernel mode; the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface. The method comprises the following steps:
Step 201: in response to the network card receiving interface being started to receive network data to be parsed, determining a first space parameter of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel mode and is the current cache space in which the network card receiving interface operates;
Here, take the Linux operating system as an example. Linux is a multi-user, multi-tasking operating system with multi-thread support, based on the Portable Operating System Interface (POSIX) and the UNIX operating system. It is open, multi-user and multi-tasking, has a good user interface, is device independent, stable and portable, offers reliable system security, and is known for its efficiency and flexibility. To improve the extensibility and flexibility of resource management and to make it easier for users to invoke and centrally manage resources, the Linux operating system is logically divided into a user mode and a kernel mode.
The user mode is the space in which upper-layer application programs and the like run, and is used for storing the code and data of the user's application programs. The kernel mode is the space in which the operating system runs, and is used for storing the code and data of the operating system or kernel. Typically, the hardware resources of the computer device that an application or process in user mode can access are limited, and only part of the hardware is accessible, whereas a system program in kernel mode has permission to access all hardware devices of the computer device. In addition, a user mode application program cannot access hardware devices directly; it interacts with the kernel mode and accesses hardware devices through system calls, library functions and Shell scripts. The roles of and differences between kernel mode and user mode are not limited to the description above; for details, refer to the prior art, which the embodiments of the present application do not repeat here.
Based on this, in the related art, when the network card receiving interface in kernel mode is started, the network data it receives is stored in a storage space in kernel mode. The network data stored in kernel mode is then transferred to user mode, by a system call, a transfer program or the like, to be received by the user mode receiving interface, which captures and parses it. After parsing, the network data is handed to the corresponding target application program so that the target application program can call and view it.
For example, when an instant messaging application program receives network data, the operating system of the computer device receives the network data through the kernel mode network card receiving interface and places it in an arbitrary free storage space in kernel mode. The user mode receiving interface then stores the network data from kernel mode into a storage space in user mode according to the protocol rules of certain protocol stacks, and parses the network data according to certain parsing protocols in user mode, so that it is turned into files that are convenient for the user to view or display, which are stored in the disk space of the computer. The storage spaces in user mode and kernel mode described above should be understood as the memory space of the computer device.
It should be noted that the network card receiving interface is generally started when network data being sent to a device address of the computer device is detected. The device address here may be an IP address or MAC address of the computer device, etc.
Here, the user mode receiving interface refers to the receiving interface in user mode that receives the network data placed in kernel mode and has it parsed in user mode. It includes a plurality of programs or processes that the user mode uses for receiving network data, the association rules between those programs or processes, and the like. The interface parameters of the user mode receiving interface include, but are not limited to, the second space parameters of the second cache space in which the programs or processes of the user mode receiving interface run, and the thread parameters of each thread in the invoked processes or programs. The second space parameters of the second cache space may include the space occupation, the space address, etc.; the thread parameters may include the amount of space in which the thread runs, the queue information of the thread, the virtual hardware information and physical hardware information of the thread, and the like. In general, because little physical hardware can be invoked directly from user mode, in some embodiments the interface parameters of the user mode receiving interface may not include a physical hardware identification.
It should be noted that, in the prior art, the user mode is provided with a user mode receiving interface and the kernel mode is provided with a network card receiving interface, and all interfaces in the user mode run in sequence. Data received by the network card receiving interface is therefore not received directly by the user mode receiving interface and parsed promptly; it has to queue behind all the processing threads in the user mode. While it is queued, the operating system of the computer first places the data received by the network card receiving interface into a cache space in the kernel mode in which the network card receiving interface runs, and either reports the address of that cache space to the user mode receiving interface or waits for the user mode receiving interface to obtain the address when it runs. The network data is then extracted from that cache space and transferred into another cache space in the user mode for processing and parsing; the user mode receiving interface parses the network data, and other program interfaces in the user mode store the parsed network data in disk space, and so on. It can be understood that the disk space is the storage location of the network data after parsing, from which other programs or interfaces in the user mode can call or read it.
It should be noted that the network card receiving interface is a related program that runs in kernel mode and is configured to receive network data by using the network card. The user mode receiving interface is a related program that runs in user mode and is configured to receive network data by using virtual hardware in user mode. The network card receiving interface is only responsible for placing network data in the kernel mode, while the user mode receiving interface is responsible for placing network data in the user mode.
Step 202: determining, according to the first space parameter of the network card receiving interface, a second space parameter corresponding to the first space parameter, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is located in the user mode.
Here, the space parameters include, but are not limited to, a cache space address, a cache space capacity, and the like; the first cache space address may be a memory space address allocated by the operating system for the kernel mode; the second cache space address may be a memory space address allocated by the operating system for the user mode.
Step 203: storing, according to the second space parameter, the network data to be parsed into the second cache space indicated by the second space parameter.
It should be noted that the second cache space may be a designated one, and in actual operation it may be divided into a plurality of cache subspaces so that the second cache space is fully used. For example, with 8 cores in the computer device, each core has its own kernel mode and user mode when running independently, so to take advantage of multi-core parallel processing, the data stored in the user mode can be divided among a plurality of different cache subspaces. This facilitates subsequent parallel processing or parallel parsing and improves the parsing speed of the network data. Based on this, in some embodiments, the storing the network data to be parsed into the second cache space indicated by the second space parameter according to the second space parameter includes: determining, according to the second space parameter, the space capacity of a plurality of cache subspaces indicated in the second space parameter, and storing the network data based on the space capacity of the plurality of cache subspaces.
In some embodiments, the storing the network data based on the spatial capacity of the plurality of cache subspaces comprises: the network data is stored based on the spatial capacity of the plurality of cache subspaces and the data volume of the network data.
In some embodiments, based on the space capacity of the plurality of cache subspaces and the data amount of the network data, the network data is stored in any one of the cache subspaces whose space capacity is larger than the data amount of the network data.
In other embodiments, the network data is split based on the space capacity of the plurality of cache subspaces, the data amount of the network data and a data splitting policy, and the resulting plurality of network sub-data are stored in the corresponding cache subspaces respectively.
It should be added that the data splitting policy here may split the data based on the traffic classification of the network data, or based on the format classification of the network data, and so on; no limitation is imposed here.
Step 204: the user mode receiving interface starts a parsing program to parse the network data in the second cache space.
It should be understood that parsing the network data refers to decoding the electrical data stored in the network card receiving interface into network data that a user can read. In some embodiments, the parsing program of the application receiving interface may support decoding of multiple tunnel types such as VLAN, VXLAN, MPLS, PPPoE and GRE.
In this way, the embodiment of the invention relies on the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the second cache space in which the user mode receiving interface runs in the user mode. When the network card receiving interface is started to receive the network data to be parsed, the second space parameter is obtained directly from the first space parameter of the current cache space (the first cache space) of the network card receiving interface, the second cache space in which the user mode receiving interface runs is obtained from the second space parameter, and the network data is stored directly in the second cache space. Data storage, data processing and the like are thus executed directly in the user mode, skipping the kernel mode, once network card receiving is started. This reduces the data processing performance problems caused by programs and network data moving between the kernel mode and the user mode, and improves the processing performance of network data.
Therefore, whereas in the prior art the network data received by the network card receiving interface must first be stored in the kernel mode and then extracted from the kernel mode to the user mode for the user mode receiving interface to capture and parse, the embodiment of the invention stores the network data directly in the second cache space of the user mode for parsing in the user mode. The network data no longer has to be transferred from the kernel mode to the user mode, which reduces packet loss during transfer and storage, and the related computer program no longer has to switch between the kernel mode and the user mode, which improves data processing efficiency and reduces interruptions and timeouts of the data processing program.
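An added example (not code from the patent or from DPDK) of the tunnel decoding named above: a bounds-checked C routine that strips VLAN, MPLS, PPPoE, GRE and VXLAN headers from a captured frame until it reaches the innermost IPv4 header. The status codes, the nesting cap `MAX_LAYERS` and the sample frame are assumptions made for the example, and only IPv4 payloads are followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ET_IPV4 = 0x0800, ET_VLAN = 0x8100, ET_QINQ = 0x88A8,
       ET_MPLS = 0x8847, ET_PPPOE = 0x8864, ET_TEB = 0x6558 };
enum { ST_OK = 0, ST_TRUNCATED = -1, ST_UNSUPPORTED = -2, ST_TOO_DEEP = -3 };
enum { MAX_LAYERS = 8 };  /* assumed nesting cap; bounds the work per packet */

struct decap_result {
    int      status;     /* ST_* code */
    size_t   inner_off;  /* offset of the innermost IPv4 header if ST_OK */
    int      layers;     /* encapsulation headers removed */
    uint32_t vni;        /* last VXLAN network identifier seen, 0 if none */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* True when `need` bytes starting at `off` lie inside the packet. */
static int fits(size_t len, size_t off, size_t need) {
    return off <= len && need <= len - off;
}
/* Consume an Ethernet header at *off and report its EtherType. */
static int eth(const uint8_t *p, size_t len, size_t *off, uint16_t *et) {
    if (!fits(len, *off, 14)) return 0;
    *et = rd16(p + *off + 12);
    *off += 14;
    return 1;
}

struct decap_result decap(const uint8_t *p, size_t len) {
    struct decap_result r = { ST_TRUNCATED, 0, 0, 0 };
    size_t off = 0; uint16_t et = 0;
    if (!eth(p, len, &off, &et)) return r;
    while (r.layers <= MAX_LAYERS) {
        if (et == ET_VLAN || et == ET_QINQ) {          /* 4-byte tag */
            if (!fits(len, off, 4)) return r;
            et = rd16(p + off + 2);
            off += 4; r.layers++;
        } else if (et == ET_MPLS) {                    /* one 4-byte label entry */
            if (!fits(len, off, 5)) return r;          /* entry + next byte */
            int bottom = p[off + 2] & 0x01;
            off += 4; r.layers++;
            if (bottom && (p[off] >> 4) != 4) { r.status = ST_UNSUPPORTED; return r; }
            if (bottom) et = ET_IPV4;
        } else if (et == ET_PPPOE) {                   /* 6-byte PPPoE + PPP id */
            if (!fits(len, off, 8)) return r;
            if (rd16(p + off + 6) != 0x0021) { r.status = ST_UNSUPPORTED; return r; }
            et = ET_IPV4; off += 8; r.layers++;
        } else if (et == ET_IPV4) {
            if (!fits(len, off, 20)) return r;
            size_t ihl = (size_t)(p[off] & 0x0F) * 4;
            if ((p[off] >> 4) != 4 || ihl < 20) { r.status = ST_UNSUPPORTED; return r; }
            if (!fits(len, off, ihl)) return r;
            /* Only a first fragment carries the L4 or GRE header. */
            int first = (rd16(p + off + 6) & 0x1FFF) == 0;
            uint8_t proto = p[off + 9];
            size_t l4 = off + ihl;
            if (first && proto == 47) {                /* GRE */
                if (!fits(len, l4, 4)) return r;
                uint16_t fl = rd16(p + l4);            /* checksum, key, sequence bits */
                size_t glen = 4 + 4 * (size_t)(!!(fl & 0x8000) + !!(fl & 0x2000)
                                               + !!(fl & 0x1000));
                if (!fits(len, l4, glen)) return r;
                et = rd16(p + l4 + 2);
                off = l4 + glen; r.layers++;
                if (et == ET_TEB && !eth(p, len, &off, &et)) return r;
            } else if (first && proto == 17 && fits(len, l4, 8) &&
                       rd16(p + l4 + 2) == 4789) {     /* VXLAN over UDP */
                if (!fits(len, l4 + 8, 8)) return r;
                r.vni = ((uint32_t)p[l4 + 12] << 16) |
                        ((uint32_t)p[l4 + 13] << 8) | p[l4 + 14];
                off = l4 + 16; r.layers++;
                if (!eth(p, len, &off, &et)) return r;
            } else {                                   /* innermost IPv4 reached */
                r.status = ST_OK; r.inner_off = off;
                return r;
            }
        } else { r.status = ST_UNSUPPORTED; return r; }
    }
    r.status = ST_TOO_DEEP;
    return r;
}

/* Constructed sample: Ethernet / VLAN 100 / IPv4 / UDP 4789 / VXLAN VNI 42 /
   inner Ethernet / inner IPv4 (TCP). Bytes not listed are zero. */
static const uint8_t sample[88] = {
    [12] = 0x81, [13] = 0x00, [15] = 0x64, [16] = 0x08, [17] = 0x00,
    [18] = 0x45, [27] = 17,   [40] = 0x12, [41] = 0xB5,
    [46] = 0x08, [52] = 0x2A, [66] = 0x08, [67] = 0x00,
    [68] = 0x45, [77] = 6,
};

int main(void) {
    struct decap_result r = decap(sample, sizeof sample);
    printf("status=%d layers=%d vni=%u inner_off=%zu\n",
           r.status, r.layers, (unsigned)r.vni, r.inner_off);
    return 0;
}
```

Every header read is preceded by a length check, and a frame made only of nested tags ends with `ST_TOO_DEEP` instead of consuming unbounded parser time.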
In some embodiments, the operating system further comprises: a virtual environment state, wherein the virtual environment state stores a corresponding relation between a first space parameter of the network card receiving interface and a second space parameter of the user state receiving interface;
the determining, according to the first spatial parameter of the network card receiving interface, a second spatial parameter corresponding to the first spatial parameter includes:
acquiring a corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface from the virtual environment state according to the first space parameter of the network card receiving interface;
and determining the second space parameter corresponding to the first space parameter according to the corresponding relation.
It can be understood that the virtual environment layer here may be built with the EAL (Environment Abstraction Layer) of DPDK (Data Plane Development Kit). The EAL created by DPDK is mainly responsible for access to the underlying resources of the computer (e.g., hardware and memory space) and for encapsulating implementation details behind the interface it provides to the user. Its initialization routine determines how these resources, e.g., PCI devices, timers and consoles, are allocated.
As shown in fig. 3, in this embodiment, a layer of virtual environment state is further constructed between the user state and the kernel state, and unlike EAL of DPDK, the virtual environment state has a certain storage space capacity, which can at least store resource configuration information initialized by DPDK. In this embodiment, the virtual environment state may store at least a correspondence between a first spatial parameter of the network card receiving interface and a second spatial parameter of the user state receiving interface.
It should be added that, in some embodiments, the obtaining, according to the first spatial parameter of the network card receiving interface, a corresponding relationship between the first spatial parameter of the network card receiving interface and the second spatial parameter of the user state receiving interface from the virtual environment state includes:
and acquiring the corresponding relation between the first space parameter of the network card receiving interface configured on the EAL layer based on DPDK and the second space parameter of the user state receiving interface from the virtual environment state according to the first space parameter of the network card receiving interface.
In this way, a layer of virtual environment state is built in the operating system and used to store the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface. When the network card receiving interface is started to receive the network data to be parsed, the second space parameter corresponding to the first space parameter of the first cache space, in which the network card receiving interface runs in the kernel mode, can be determined directly from this correspondence, and the second space parameter indicates the second cache space in which the user mode receiving interface runs in the user mode. This reduces two problems of the prior art: network data being lost while it is transferred between the kernel mode and the user mode, and low processing efficiency caused by the processing of network data switching between the kernel mode and the user mode.
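Steps 202 and 203, with the virtual environment state acting as the lookup table and the cache subspaces described earlier as the destination, as an added C example that is not the patent's implementation. All type and function names (`venv_state`, `venv_lookup`, `store` and so on), the equal-sized subspaces and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MAX_SUB = 4, MAX_MAP = 8 };

/* "Space parameter" as the text defines it: cache address plus capacity. */
struct space_param { uintptr_t addr; size_t cap; };
struct sub_space   { uint8_t *base; size_t cap, used; };
/* Second (user-mode) cache space, divided into cache subspaces. */
struct user_space  { struct space_param param; struct sub_space sub[MAX_SUB]; int nsub; };
/* One row of the correspondence held by the virtual environment state. */
struct corr        { struct space_param first; struct user_space *second; };
struct venv_state  { struct corr rows[MAX_MAP]; int n; };

/* Carve a user-mode region into nsub equal subspaces. */
int user_space_init(struct user_space *u, uint8_t *mem, size_t cap, int nsub) {
    if (nsub < 1 || nsub > MAX_SUB || cap / (size_t)nsub == 0) return -1;
    u->param.addr = (uintptr_t)mem; u->param.cap = cap; u->nsub = nsub;
    for (int i = 0; i < nsub; i++) {
        u->sub[i].cap  = cap / (size_t)nsub;
        u->sub[i].base = mem + (size_t)i * u->sub[i].cap;
        u->sub[i].used = 0;
    }
    return 0;
}

int venv_bind(struct venv_state *v, struct space_param first, struct user_space *second) {
    if (v->n >= MAX_MAP) return -1;
    v->rows[v->n].first = first; v->rows[v->n].second = second; v->n++;
    return 0;
}

/* Step 202: first space parameter -> second cache space. NULL when unmapped,
   so an unknown kernel buffer never selects a destination by accident. */
struct user_space *venv_lookup(const struct venv_state *v, struct space_param first) {
    for (int i = 0; i < v->n; i++)
        if (v->rows[i].first.addr == first.addr && v->rows[i].first.cap == first.cap)
            return v->rows[i].second;
    return NULL;
}

/* Step 203: store into the tightest subspace that fits; if none fits, split the
   data across subspaces; if the total free space is too small, store nothing.
   Returns the number of pieces written, or -1. Never writes past a capacity. */
int store(struct user_space *u, const uint8_t *data, size_t len) {
    int best = -1, pieces = 0;
    size_t total_free = 0;
    for (int i = 0; i < u->nsub; i++) {
        size_t free_i = u->sub[i].cap - u->sub[i].used;
        total_free += free_i;
        if (free_i >= len && (best < 0 || free_i < u->sub[best].cap - u->sub[best].used))
            best = i;
    }
    if (len == 0 || total_free < len) return -1;
    if (best >= 0) {
        memcpy(u->sub[best].base + u->sub[best].used, data, len);
        u->sub[best].used += len;
        return 1;
    }
    for (int i = 0; i < u->nsub && len > 0; i++) {
        size_t free_i = u->sub[i].cap - u->sub[i].used;
        size_t n = free_i < len ? free_i : len;
        if (n == 0) continue;
        memcpy(u->sub[i].base + u->sub[i].used, data, n);
        u->sub[i].used += n; data += n; len -= n; pieces++;
    }
    return pieces;
}

int main(void) {
    static uint8_t mem[64];                     /* constructed user-mode region */
    uint8_t pkt[40];                            /* constructed network data */
    struct user_space u;
    struct venv_state v = { .n = 0 };
    struct space_param nic = { 0x1000, 2048 };  /* constructed first space parameter */
    memset(pkt, 0xAB, sizeof pkt);
    if (user_space_init(&u, mem, sizeof mem, 4) != 0 || venv_bind(&v, nic, &u) != 0)
        return 1;
    struct user_space *dst = venv_lookup(&v, nic);
    printf("stored in %d piece(s)\n", dst ? store(dst, pkt, sizeof pkt) : -1);
    return 0;
}
```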
In other embodiments, the method further comprises:
initializing the virtual environment state in response to the time information meeting the time condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface;
and/or,
initializing the virtual environment state in response to the monitored user operation information meeting the operation condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface.
It will be appreciated that in some embodiments, the method further comprises:
monitoring a timer;
The initializing the virtual environment state in response to the time information meeting the time condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface, includes:
initializing the virtual environment state when the timer indicates that the current moment meets the time condition, and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface.
The time condition here may be, for example, a period of time, or a preset specific time.
It can be understood that the user operation information may include, but is not limited to, network request class operations; the operation condition is, for example, that the user operation belongs to the network request class.
In this embodiment, the virtual environment state is initialized when the time information meets the time condition or the user operation information meets the operation condition. This reduces the cases in which the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface cannot be configured because the storage space of the virtual environment state is occupied. It therefore helps network data to be stored quickly into the second cache space of the user mode through the correspondence, facilitates the capture and parsing of large-flow data, and improves the capture speed of network data.
In some embodiments, the method further comprises:
acquiring the resource consumption information of the user mode;
The initializing the virtual environment state and reconfiguring the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface includes:
Initializing the virtual environment state, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface according to the resource consumption information of the user state.
It should be noted that, the computer device allocates a memory space with a preset capacity for the user mode, it is understood that the more applications that are opened or run on the computer device, the more memory space is required to be consumed, so the more memory space is required to be allocated for the user mode. The user-state resource consumption information herein includes, but is not limited to, user-state memory space resource consumption information, and the like.
In this way, in this embodiment, the corresponding relationship between the first spatial parameter of the network card receiving interface and the second spatial parameter of the user state receiving interface is reconfigured based on the user state resource consumption information, so that the full utilization of the resources of the computer device can be facilitated, the performance of the computer device is improved, and the processing performance of the network data is further improved.
In other embodiments, the parsing procedure includes: a data capturing process and a data analyzing process;
The user state receiving interface starts an analysis program to analyze the network data in the second buffer space, and the method comprises the following steps:
the user state receiving interface starts a data capturing process in the analysis program, and acquires the network data to be analyzed from the second cache space;
and the user state receiving interface starts a data analysis process in the analysis program, and analyzes the network data to be analyzed.
It should be noted that the data capturing process and the data analysis process may be executed in different cache subspaces of the same second cache space, and the virtual hardware they use may also differ; for example, the data capturing process is driven by logical core 1 and the data analysis process is driven by logical core 2. It should be added that the virtual hardware used by the data capturing process and the data analysis process can be determined by the virtual hardware parameters configured for the user mode receiving interface.
In some embodiments, when the virtual environment state is initialized and the correspondence between the first space parameter of the network card receiving interface and the second space parameter of the user mode receiving interface is reconfigured, other operation parameters of the user mode receiving interface are reconfigured at the same time. This ensures that the user mode receiving interface can receive network data in time without waiting, which prevents part of the data from remaining in the first cache space of the kernel mode because of waiting.
The operation parameters of the user mode receiving interface may include, but are not limited to, virtual hardware information corresponding to each process of the user mode receiving interface. The virtual hardware parameter may be an identification of virtual hardware, where one virtual hardware corresponds to one physical hardware; for example, in a computer device with an 8-core CPU, one logical core corresponds to one CPU submodule, and each logical core can independently complete a program or an execution event. For example, as described above, logical core 1 is reconfigured for the data capturing process and logical core 2 is reconfigured for the data analysis process.
In this way, in this embodiment, the data capturing process and the data analyzing process are isolated and decoupled, so that the performance of network data processing can be improved, and the efficiency of network data processing can be improved.
In other embodiments, the data parsing process includes: a plurality of data parsing threads;
the method further comprises the steps of:
acquiring thread parameters of the data analysis thread;
before the user state receiving interface starts the parsing program, the method further includes:
according to the first number of the data analysis threads, the network data to be analyzed is shunted to obtain a plurality of network sub-data with the second number identical to the first number; establishing a mapping relation between the data analysis thread and the network sub-data according to thread parameters corresponding to the data analysis threads;
The user state receiving interface starts a data analysis process in the analysis program, analyzes the network data to be analyzed, and comprises the following steps:
the user state receiving interface respectively starts a plurality of data analysis threads in the analysis process according to the thread parameters of the plurality of data analysis threads; and according to the mapping relation, respectively and simultaneously analyzing the corresponding network sub-data by utilizing a plurality of data analysis threads.
The thread parameters herein may include, but are not limited to, at least one of a virtual hardware identification for executing the corresponding data resolution thread, a queue in which the corresponding data resolution thread is configured, and an affinity of the protocol stack, queue, and CPU that each resolution thread runs.
The virtual hardware refers to a driver in the user mode, similar to physical hardware, that runs the analysis thread, for example the logical core described above, whose corresponding physical hardware is actually the CPU. It will be appreciated that in the user mode the CPU is partitioned into multiple logical cores so that multiple processes or threads can run, but in the kernel mode the CPU is still shared when multiple processes or threads run.
Additionally, the method further comprises the steps of: binding a plurality of data analysis threads in a data analysis process with a logic core, and setting a queue for the analysis threads bound with the same logic core;
The analyzing the corresponding network sub-data by using the plurality of data analysis threads respectively and simultaneously includes:
using the lock-free queue, sequentially executing the analysis threads bound to the same logical core according to the queue set for them, so as to analyze the network sub-data.
It should be noted that, the buffer subspace may be partitioned based on the second buffer space in the user mode, and different network sub-data exist in different buffer subspaces.
The network sub-data may be obtained by splitting based on a data splitting policy. The corresponding split policies for different computer devices also vary.
In this embodiment, the network data is shunted into different analysis threads for parallel processing, so that the analysis speed of the network data can be improved, and the processing performance of the network data can be improved.
In other embodiments, the method further comprises:
determining the data quantity of each network sub-data;
The establishing a mapping relationship between the data analysis thread and the network sub-data according to the thread parameters corresponding to the data analysis threads includes:
and establishing a mapping relation between the data analysis thread and the network sub-data according to the thread parameters and the data quantity corresponding to each data analysis thread.
In some embodiments, the data splitting policy may be to split so that the data volume of each network sub-data is positively correlated with the performance of the virtual hardware of the corresponding data analysis thread.
It should be noted that, while driving the execution of the parsing thread, one virtual hardware may also drive some threads that execute other application programs or system programs; the performance of the virtual hardware depends on the number of threads running with the virtual hardware at the same time, the greater the number, the lower the performance and vice versa.
In this embodiment, by splitting the network data to be parsed according to the performance parameters of the virtual hardware corresponding to the parsing thread to obtain a plurality of network sub-data, the physical hardware performance can be effectively utilized, the efficiency of network data processing is improved, and the processing performance of the network data is further improved.
Of course, in other embodiments, the splitting the network data to be parsed according to the plurality of parsing thread parameters to obtain a plurality of network sub-data may include:
determining the number of analysis threads indicated by the analysis thread parameters, and distributing the network data evenly according to the number of analysis threads to obtain network sub-data equal in number to the analysis threads. The data splitting policy here is thus an even split of the network data based on the number of analysis threads.
Of course, in other embodiments, the data splitting policy may also be a policy that splits according to a data type of network data, for example, the data of a picture type is configured as one network sub-data, and the data of a text type is configured as one network sub-data.
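The even split and the performance-proportional split described above can share one table-driven mapping from network sub-data to analysis threads. The following C code is an added example, not the patent's implementation: it goes beyond the text by classifying traffic with a flow hash and a weighted bucket table, and the weights, `TABLE_SIZE`, the seed and the sample flows are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TABLE_SIZE = 128, MAX_THREADS = 16, MAX_WEIGHT = 1000 };

struct flow { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* Give each analysis thread a share of the buckets proportional to its weight
   (assumed stand-in for the performance of its logical core). Equal weights
   produce the even split. Returns 0, or -1 when the input is unusable. */
int build_table(const unsigned *weight, int nthreads, uint8_t table[TABLE_SIZE]) {
    unsigned total = 0, cum;
    int t = 0;
    if (nthreads < 1 || nthreads > MAX_THREADS) return -1;
    for (int i = 0; i < nthreads; i++) {
        if (weight[i] > MAX_WEIGHT) return -1;
        total += weight[i];
    }
    if (total == 0) return -1;
    cum = weight[0];
    for (int i = 0; i < TABLE_SIZE; i++) {
        unsigned x = (unsigned)i * total / TABLE_SIZE;  /* position in [0, total) */
        while (x >= cum) cum += weight[++t];            /* skips zero-weight threads */
        table[i] = (uint8_t)t;
    }
    return 0;
}

static uint32_t fnv1a(uint32_t h, const void *buf, size_t n) {
    const uint8_t *p = buf;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Direction-independent hash: the two endpoints are ordered before hashing, so
   a request and its reply land on the same thread and one session is audited
   as a whole. The seed is mixed in so bucket placement is not fixed; where
   senders may try to overload one thread, a keyed hash such as SipHash with a
   secret per-start key is the stronger choice. */
uint32_t flow_hash(const struct flow *f, uint32_t seed) {
    uint64_t a = ((uint64_t)f->src_ip << 16) | f->src_port;
    uint64_t b = ((uint64_t)f->dst_ip << 16) | f->dst_port;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint32_t h = 2166136261u ^ seed;
    h = fnv1a(h, &lo, sizeof lo);
    h = fnv1a(h, &hi, sizeof hi);
    h = fnv1a(h, &f->proto, 1);
    return h ^ (h >> 16);
}

/* Mapping between network sub-data (a flow) and its analysis thread. */
int pick_thread(const uint8_t table[TABLE_SIZE], const struct flow *f, uint32_t seed) {
    return table[flow_hash(f, seed) % TABLE_SIZE];
}

int buckets_owned(const uint8_t table[TABLE_SIZE], int thread) {
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++) n += (table[i] == thread);
    return n;
}

int main(void) {
    unsigned weight[4] = { 4, 2, 1, 1 };   /* constructed: core 0 is least loaded */
    uint8_t table[TABLE_SIZE];
    struct flow fwd = { 0x0A000001, 0x0A000002, 40000, 443, 6 };  /* constructed */
    struct flow rev = { 0x0A000002, 0x0A000001, 443, 40000, 6 };
    if (build_table(weight, 4, table) != 0) return 1;
    printf("request -> thread %d, reply -> thread %d\n",
           pick_thread(table, &fwd, 7), pick_thread(table, &rev, 7));
    return 0;
}
```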
It should be added that the computer device may be a server device, a server for providing data security protection products, or a monitoring device connected to the monitored terminal device. The terminal device to be monitored here refers to, for example, a computer device in an enterprise or public institution that requires data security.
The network data herein may be data transmitted by a monitored terminal device (hereinafter referred to as a transmitting device) received by the monitoring device, for example, data pre-transmitted by the monitored terminal device, user behavior data of the monitored terminal device, or the like. The collection of user behavior data of the monitored terminal device can help analyze the security type of the monitored terminal device, thereby determining a security protection policy for the monitored terminal device.
It will be appreciated that in some embodiments the computer device may be a monitoring device or a monitoring server. Virtually all data streams of the monitored terminal device are directed to the monitoring device, so that the monitoring device monitors the data of the monitored terminal device to ensure its data security. For a monitoring device, the network data is large in volume because many devices need to be monitored or protected. By improving the operating system as in this embodiment, the performance of processing large-flow network data can be improved.
Based on this, the network data of this embodiment may also refer to a network packet sent from the monitored terminal device to the monitoring device, and for convenience of expression, the network data will be equivalent to the network packet.
In some embodiments, the user mode receiving interface starting a data parsing process in the parsing program and parsing the network data in the second cache space may include:
the user state interface starts a data analysis process in the analysis program, and decodes the network data in the second cache space by using an analysis protocol of an analysis protocol stack;
Determining a second network message to be audited according to the header information of the first network message decoded by the protocol stack; and analyzing the second network message to determine the security of the network data.
The second network message to be audited refers to a network message that may pose a potential security risk, for example a network message that has been modified or is to be sent out. That is, when data on the monitored terminal device is modified or is to be sent out, the modified data or the data to be sent out is automatically sent to the server corresponding to the data security protection product, that is, to the monitoring device, and the monitoring device analyzes the data to determine whether it is secure network data.
Illustratively, the method further comprises:
according to the header information of the second message, establishing a first session connection between a first proxy module of the computer equipment and the sending equipment of the second network message;
detecting the second network message;
in response to detecting that the second network message is secure, sending the second message to the target device based on a second session connection between a second proxy module of the monitoring device and the target device; the second proxy module and the first proxy module are connected through a third session connection;
The first session connection, the second session connection, and the third session connection are used for secure transmission of the message between the sending device of the second message and the target device.
The first proxy module and the second proxy module herein may be understood as virtual communication modules of a computing device, such as virtual network card modules, which may be located in a user state.
In some embodiments, the establishing a session connection between the first proxy module of the monitoring device and the sending device of the second network packet according to the header information of the second network packet includes:
determining whether the second network message is from a first device, wherein the first device has established a session connection with the first proxy module;
in response to the target message coming from a second device, establishing a first session connection between the first proxy module and the second device according to the message information of the second message.
Therefore, no proxy module needs to be established between the driver kernel mode and the first device to transmit network data between the first device and the user mode, which reduces the loss of network messages.
In other embodiments, the method further comprises:
forwarding or discarding the first message in response to the first network message not being the second message to be audited.
In some embodiments, the parsing process includes a plurality of detection threads and stacks, where different detection threads are associated with different first session connections, one detection thread is associated with one stack, and the detection threads are used to detect the second messages of different first session connections in parallel. Here, the network data transmitted by the same sending device may be split into multiple network sub-data, with different detection threads and different first session connections associated with different network sub-data. In this way, with one detection thread associated with one stack through data splitting, the plurality of network sub-data split from the second message are detected in parallel, which improves the efficiency of security detection.
In order to achieve the above objective, an embodiment of the present invention further provides a device for processing network data, referring to fig. 4, where the device is applied to a computer device, and the computer device is installed with an operating system, where the operating system includes a user mode and a kernel mode, the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface; the device comprises:
The first determining module 41 is configured to determine, in response to the network card receiving interface being started to receive network data to be parsed, a first space parameter of a first cache space of the network card receiving interface, where the first cache space is in the kernel mode, and the first cache space is a cache space when the network card receiving interface is running;
a second determining module 42, configured to determine, according to a first spatial parameter of the network card receiving interface, a second spatial parameter corresponding to the first spatial parameter, where the second spatial parameter is a spatial parameter of a second buffer space configured for the user mode receiving interface, and the second buffer space is located in the user mode;
a storage module 43, configured to store the network data to be parsed into the second buffer space indicated by the second space parameter according to the second space parameter;
and the parsing module 44 is configured to start a parsing program for the user state receiving interface, and parse the network data in the second buffer space.
In some embodiments, the operating system further comprises: a virtual environment state, wherein the virtual environment state stores a corresponding relation between a first space parameter of the network card receiving interface and a second space parameter of the user state receiving interface;
The second determining module 42 is further configured to:
acquiring a corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface from the virtual environment state according to the first space parameter of the network card receiving interface;
and determining the second space parameter corresponding to the first space parameter according to the corresponding relation.
In some embodiments, the apparatus further comprises:
the reconfiguration module is used for initializing the virtual environment state in response to the monitored time information meeting the time condition and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface; and/or, the virtual environment state is initialized in response to the monitored user operation information meeting the operation condition, and the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface is reconfigured.
In some embodiments, the apparatus further comprises:
the acquisition module is used for acquiring the resource consumption information of the user mode;
the reconfiguration module is further configured to: initializing the virtual environment state, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface according to the resource consumption information of the user state.
In some embodiments, the parsing program includes: a data capture process and a data parsing process;
the parsing module 44 is further configured to: the user state receiving interface starts a data capturing process in the analysis program, and acquires the network data to be analyzed from the second cache space; and the user state receiving interface starts a data analysis process in the analysis program, and analyzes the network data to be analyzed.
In some embodiments, the data parsing process includes: a plurality of data parsing threads;
the apparatus further comprises:
the second acquisition module is used for acquiring the thread parameters of the data analysis thread before the user state receiving interface starts the analysis program;
the distribution module is used for distributing the network data to be analyzed according to the first number of the data analysis threads to obtain a plurality of network sub-data with the second number identical to the first number;
the establishing module is used for establishing the mapping relation between the data analysis thread and the network sub-data according to the thread parameters corresponding to each data analysis thread;
the parsing module 44 is further configured to: the user state receiving interface respectively starts a plurality of data analysis threads in the analysis process according to the thread parameters of the plurality of data analysis threads; and according to the mapping relation, respectively and simultaneously analyzing the corresponding network sub-data by utilizing a plurality of data analysis threads.
In some embodiments, the apparatus further comprises:
a third determining module, configured to determine a data amount of each network sub-data;
the establishing module is further configured to: and establishing a mapping relation between the data analysis thread and the network sub-data according to the thread parameters and the data quantity corresponding to each data analysis thread.
It should be noted here that: the description of the above processing device item of the network data is similar to the description of the processing method item of the network data, and the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiment of the network data processing apparatus according to the embodiment of the present invention, please refer to the description of the embodiment of the network data processing method according to the embodiment of the present invention.
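The shunting and mapping steps described above, as an added example that is not code from the patent: captured records are split into exactly as many sub-data sets as there are parsing threads, the data amount of each is measured, and each thread is mapped to one sub-data set before all threads parse simultaneously. The flow-hash split, the `capacity` thread parameter, the largest-amount-to-highest-capacity pairing and the 12-byte record header are assumptions, since the patent does not specify them.

```python
import socket
import struct
import threading
import zlib
from dataclasses import dataclass

# Constructed record layout (assumption): src IPv4, dst IPv4, src port, dst port, payload.
HEADER = struct.Struct("!4s4sHH")


@dataclass(frozen=True)
class ParseThread:
    thread_id: int
    capacity: int  # assumed thread parameter: relative parsing capacity


def make_record(src, dst, sport, dport, payload):
    """Build one constructed sample record."""
    return HEADER.pack(socket.inet_aton(src), socket.inet_aton(dst), sport, dport) + payload


def shunt(records, thread_count):
    """Split records into exactly thread_count sub-data sets, keyed by flow hash."""
    if thread_count < 1:
        raise ValueError("need at least one parsing thread")
    shards = [[] for _ in range(thread_count)]
    rejected = []
    for rec in records:
        if len(rec) < HEADER.size:
            rejected.append(rec)  # too short to hold a header: never handed to a parser
            continue
        # Hashing the flow header keeps every record of a flow in the same shard.
        shards[zlib.crc32(rec[:HEADER.size]) % thread_count].append(rec)
    return shards, rejected


def data_amount(shard):
    """Data amount of one sub-data set, in bytes."""
    return sum(len(rec) for rec in shard)


def build_mapping(threads, shards):
    """Map thread_id -> shard index, pairing the largest shard with the highest capacity."""
    if len(threads) != len(shards):
        raise ValueError("number of sub-data sets must equal number of threads")
    by_capacity = sorted(threads, key=lambda t: t.capacity, reverse=True)
    by_amount = sorted(range(len(shards)), key=lambda i: data_amount(shards[i]), reverse=True)
    return {t.thread_id: i for t, i in zip(by_capacity, by_amount)}


def parse_shard(shard):
    """Parse every record of a shard into payload bytes per flow."""
    totals = {}
    for rec in shard:
        src, dst, sport, dport = HEADER.unpack_from(rec)
        key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)
        totals[key] = totals.get(key, 0) + len(rec) - HEADER.size
    return totals


def parse_in_parallel(threads, shards, mapping):
    """Start one thread per ParseThread; each parses only the shard mapped to it."""
    results = {}

    def worker(thread_id, shard):
        results[thread_id] = parse_shard(shard)  # each thread writes its own key only

    workers = [
        threading.Thread(target=worker, args=(t.thread_id, shards[mapping[t.thread_id]]))
        for t in threads
    ]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results


def sample_capture():
    """Constructed sample input: three flows of different size plus one truncated record."""
    records = [make_record("10.0.0.1", "10.0.0.9", 40000, 443, b"A" * 1000) for _ in range(3)]
    records += [make_record("10.0.0.2", "10.0.0.9", 40001, 80, b"B" * 200) for _ in range(2)]
    records.append(make_record("10.0.0.3", "10.0.0.9", 40002, 53, b"C" * 50))
    records.append(b"\x00\x01")  # truncated record
    return records


if __name__ == "__main__":
    pool = [ParseThread(0, 1), ParseThread(1, 4), ParseThread(2, 2)]
    sub_data, bad = shunt(sample_capture(), len(pool))
    plan = build_mapping(pool, sub_data)
    print(plan, len(bad), parse_in_parallel(pool, sub_data, plan))
```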
In order to achieve the above object, an embodiment of the present invention further provides a computer device, where an operating system is installed on the computer device, the operating system includes a user mode and a kernel mode, the user mode is provided with one or more application program receiving interfaces, and the kernel mode is provided with a network card receiving interface; as shown in fig. 5, the computer device comprises a processor 501, and a memory 503 connected to the processor 501 via a communication bus 502; wherein the memory 503 is used for processing network data; the processor 501 is configured to execute a processing program of the network data to implement the method steps of the processing of the network data according to any one of the above aspects: responding to the starting of the network card receiving interface to receive network data to be analyzed, and determining first space parameters of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel mode, and the first cache space is the current cache space when the network receiving interface operates; determining a second space parameter corresponding to the first space parameter according to the first space parameter of the network card receiving interface, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is positioned in the user mode; according to the second space parameter, storing the network data to be analyzed into the second cache space indicated by the second space parameter; and the user state receiving interface starts an analysis program to analyze the network data in the second cache space.
The operating system further includes: a virtual environment state, wherein the virtual environment state stores a corresponding relation between a first space parameter of the network card receiving interface and a second space parameter of the user state receiving interface; the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: acquiring a corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface from the virtual environment state according to the first space parameter of the network card receiving interface; and determining the second space parameter corresponding to the first space parameter according to the corresponding relation.
Here, the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: initializing the virtual environment state in response to the monitored time information meeting a time condition, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface; and/or, initializing a virtual environment state in response to the monitored user operation information meeting the operation condition, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface.
Here, the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: acquiring the resource consumption information of the user mode; initializing the virtual environment state, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface according to the resource consumption information of the user state.
Here, the parsing program includes: a data capturing process and a data analyzing process; the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: the user state receiving interface starts a data capturing process in the analysis program, and acquires the network data to be analyzed from the second cache space; and the user state receiving interface starts a data analysis process in the analysis program, and analyzes the network data to be analyzed.
Here, the data parsing process includes: a plurality of data parsing threads; the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: before the user state receiving interface starts the analysis program, thread parameters of the data analysis thread are obtained; according to the first number of the data analysis threads, the network data to be analyzed is shunted to obtain a plurality of network sub-data with the second number identical to the first number; establishing a mapping relation between the data analysis thread and the network sub-data according to thread parameters corresponding to the data analysis threads; the user state receiving interface respectively starts a plurality of data analysis threads in the analysis process according to the thread parameters of the plurality of data analysis threads; and according to the mapping relation, respectively and simultaneously analyzing the corresponding network sub-data by utilizing a plurality of data analysis threads.
Here, the processor 501 is configured to execute a processing program of the network data, so as to implement the following processing steps of the network data: determining the data quantity of each network sub-data; and establishing a mapping relation between the data analysis thread and the network sub-data according to the thread parameters and the data quantity corresponding to each data analysis thread.
Alternatively, the processor 501 may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. Here, the program executed by the processor 501 may be stored in a memory 503 connected to the processor 501 via a communication bus 502, and the memory 503 may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories. Wherein the nonvolatile Memory may be Read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read-Only Memory), erasable programmable Read Only Memory (EPROM, erasable Programmable Read-Only Memory), electrically erasable programmable Read Only Memory (EEPROM, electrically Erasable Programmable Read-Only Memory), magnetic random access Memory (FRAM, ferromagnetic random access Memory), flash Memory (Flash Memory), magnetic surface Memory, optical disk, or compact disk Read Only Memory (CD-ROM, compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, random Access Memory), which acts as external cache memory. 
By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDR SDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, Sync Link Dynamic Random Access Memory), direct memory bus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 503 described by embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory 503. The memory 503 in embodiments of the present invention is used to store various types of data to support the operation of the processor 501. Examples of such data include: any computer programs for operation by the processor 501, such as an operating system and application programs; contact data; telephone book data; a message; a picture; video, etc. The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks.
In some embodiments, the memory 503 in embodiments of the invention may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (Random Access Memory, RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 503 of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The processor 501 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or instructions in software in the processor 501. The processor 501 may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in the memory 503, and the processor 501 reads information in the memory 503 and, in combination with its hardware, performs the steps of the method described above.
In some embodiments, the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more application specific integrated circuits (Application Specific Integrated Circuits, ASIC), digital signal processors (Digital Signal Processing, DSP), digital signal processing devices (DSP devices, DSPD), programmable logic devices (Programmable Logic Device, PLD), field programmable gate arrays (Field-Programmable Gate Array, FPGA), general purpose processors, controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
Yet another embodiment of the present application provides a computer storage medium storing an executable program that, when executed by the processor 501, can implement steps of a method for processing network data applied to the computer device, such as one or more of the methods shown in fig. 2 or 3.
In some embodiments, the computer storage medium may include: a U-disk, a removable hard disk, a Read Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be noted that the technical schemes described in the embodiments of the present invention may be arbitrarily combined, provided that they do not conflict.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A method for processing network data, characterized in that the method is applied to computer equipment, the computer equipment is provided with an operating system, the operating system comprises a user mode and a kernel mode, the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface; the method comprises the following steps:
responding to the starting of the network card receiving interface to receive network data to be analyzed, and determining first space parameters of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel mode, and the first cache space is the current cache space when the network receiving interface operates;
determining a second space parameter corresponding to the first space parameter according to the first space parameter of the network card receiving interface, wherein the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is positioned in the user mode;
according to the second space parameter, storing the network data to be analyzed into the second cache space indicated by the second space parameter;
and the user state receiving interface starts an analysis program to analyze the network data in the second cache space.
2. The method of claim 1, wherein the operating system further comprises: a virtual environment state, wherein the virtual environment state stores a corresponding relation between a first space parameter of the network card receiving interface and a second space parameter of the user state receiving interface;
the determining, according to the first spatial parameter of the network card receiving interface, a second spatial parameter corresponding to the first spatial parameter includes:
acquiring a corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface from the virtual environment state according to the first space parameter of the network card receiving interface;
and determining the second space parameter corresponding to the first space parameter according to the corresponding relation.
3. The method according to claim 2, wherein the method further comprises:
initializing the virtual environment state in response to the monitored time information meeting a time condition, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface;
and/or,
initializing the virtual environment state in response to the monitored user operation information meeting the operation condition, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface.
4. A method according to claim 3, characterized in that the method further comprises:
acquiring the resource consumption information of the user mode;
initializing the virtual environment state, reconfiguring a corresponding relationship between a first spatial parameter of the network card receiving interface and a second spatial parameter of the user state receiving interface, including:
initializing the virtual environment state, and reconfiguring the corresponding relation between the first space parameter of the network card receiving interface and the second space parameter of the user state receiving interface according to the resource consumption information of the user state.
5. The method of claim 1, wherein the parsing program comprises: a data capturing process and a data analyzing process;
the step in which the user state receiving interface starts an analysis program to analyze the network data in the second cache space comprises:
the user state receiving interface starts a data capturing process in the analysis program, and acquires the network data to be analyzed from the second cache space;
and the user state receiving interface starts a data analysis process in the analysis program, and analyzes the network data to be analyzed.
6. The method of claim 5, wherein the data parsing process comprises: a plurality of data parsing threads;
before the user state receiving interface starts the parsing program, the method further includes:
acquiring thread parameters of the data analysis thread;
according to the first number of the data analysis threads, the network data to be analyzed is shunted to obtain a plurality of network sub-data with the second number identical to the first number; establishing a mapping relation between the data analysis thread and the network sub-data according to thread parameters corresponding to the data analysis threads;
the step in which the user state receiving interface starts a data analysis process in the analysis program and analyzes the network data to be analyzed comprises:
the user state receiving interface respectively starts a plurality of data analysis threads in the analysis process according to the thread parameters of the plurality of data analysis threads; and according to the mapping relation, respectively and simultaneously analyzing the corresponding network sub-data by utilizing a plurality of data analysis threads.
7. The method of claim 6, wherein the method further comprises:
determining the data quantity of each network sub-data;
the establishing a mapping relationship between the data analysis thread and the network sub-data according to the thread parameters corresponding to the data analysis threads includes:
and establishing a mapping relation between the data analysis thread and the network sub-data according to the thread parameters and the data quantity corresponding to each data analysis thread.
8. A device for processing network data, characterized in that the device is applied to computer equipment, wherein the computer equipment is provided with an operating system, the operating system comprises a user mode and a kernel mode, the user mode is provided with a user mode receiving interface, and the kernel mode is provided with a network card receiving interface; the device comprises:
the first determining module is used for responding to the starting of the network card receiving interface to receive network data to be analyzed, and determining first space parameters of a first cache space of the network card receiving interface, wherein the first cache space is in the kernel state, and the first cache space refers to the cache space when the network card receiving interface operates;
the second determining module is configured to determine a second space parameter corresponding to the first space parameter according to the first space parameter of the network card receiving interface, where the second space parameter is a space parameter of a second cache space configured for the user mode receiving interface, and the second cache space is located in the user mode;
the storage module is used for storing the network data to be analyzed into the second cache space indicated by the second space parameter according to the second space parameter;
and the analysis module is used for starting an analysis program by the user state receiving interface and analyzing the network data in the second cache space.
9. A computer device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the method of processing network data according to any one of claims 1 to 7.
10. A computer storage medium storing one or more programs executable by one or more processors to cause the one or more processors to perform the method of processing network data according to any one of claims 1 to 7.
CN202310852745.XA 2023-07-12 2023-07-12 Processing method and device of network data, computer equipment and storage medium Pending CN116610530A (en)

Publications (1)

Publication Number Publication Date
CN116610530A true CN116610530A (en) 2023-08-18

Family

ID=87682112

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination