CN116633656A - Application network traffic blocking method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116633656A
Authority
CN
China
Prior art keywords
message
outgoing
application
preset
outgoing message
Prior art date
Legal status
Pending
Application number
CN202310687134.4A
Other languages
Chinese (zh)
Inventor
李宁
李季
李可
胡维
赵远杰
韩冰
Current Assignee
Beijing Yuanbao Technology Co ltd
Original Assignee
Beijing Yuanbao Technology Co ltd
Application filed by Beijing Yuanbao Technology Co ltd
Priority to CN202310687134.4A
Publication of CN116633656A

Classifications

    All codes below except the last sit under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security.

    • H04L63/0227 Filtering policies (separating internal from external traffic, e.g. firewalls)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/101 Access control lists [ACL] (controlling access to devices or network resources)
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D: climate change mitigation technologies in ICT)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application provide an application network traffic blocking method, apparatus, computer device and storage medium in the technical field of network security. The method comprises: obtaining an outgoing message (packet) of a target network at the network boundary via mirrored traffic, inputting the outgoing message into a message analysis model, and having that model output the port features and message structure features of the outgoing message; judging, through a relation model and according to those port features and message structure features, whether the outgoing message belongs to a preset application; if so, judging whether the outgoing message meets the outgoing conditions of the preset application; if not, stopping the process of the preset application through the application server. The scheme automatically and precisely identifies the network traffic of a preset application and blocks it flexibly and accurately according to its outgoing conditions.

Description

Application network traffic blocking method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to an application network traffic blocking method and apparatus, a computer device, and a storage medium.
Background
With the growing popularity of internet applications, network security has become increasingly important. During network operation and maintenance, when a technician operates an application program and issues a stop instruction, the modules called by the application's main program cannot always be stopped in time, because of application protection, delays and similar causes, and their outgoing traffic continues, which affects the service system. At the same time, the outgoing traffic of a specific application cannot be audited promptly, which creates difficulties for operation and maintenance auditors.
As information technology develops rapidly, enterprises depend ever more heavily on their information systems, whose stability and security bear directly on the enterprise's core competitiveness.
At present there are four mainstream technologies for blocking the outgoing traffic of a specific application at the network boundary: firewall, gateway, proxy and bypass blocking.
Firewalls and gateways work at the network layer and below; only a few advanced firewalls can filter application-layer data, and then only crudely: deployed at the network boundary, they check protocol characteristics at the application, transport and network layers and match and filter application-layer data by specific program and file type. They lack deep parsing and matching of application-layer protocols, cannot block the outgoing traffic of an application, support only a limited set of applications, scale poorly, are hard for users to configure, and are not transparent to the network. The proxy mode buys higher security at the cost of speed: it becomes a bottleneck when network throughput is high, and a corresponding proxy has to be set up, which hurts user experience and makes the approach hard to roll out. The bypass mode connects to the network through a switch mirror port and blocks TCP connections by injecting TCP RST segments, but because the RST necessarily lags the data it is meant to stop, control of the traffic is easily lost.
The prior art also provides a traffic filtering method for application protocols based on an Nginx traffic proxy, which performs data-structure inspection of standard application protocols such as FTP, HTTP, SMTP and POP3 and of various custom non-standard protocols. It implements traffic filtering for common application protocols by modifying Nginx's configuration and developing in-house plugins, in three steps: compiling the functions, modifying the configuration, and filtering the traffic. Because the data-structure inspection rules are flexible and configurable, the software can quickly pick malicious or safe traffic out of a large volume, release the safe traffic, block the malicious traffic and generate corresponding log entries, greatly improving the security protection capability of the application system.
However, this solution is suited only to security protection, not to application outgoing traffic: it cannot determine and block the outgoing traffic of a specific application.
The prior art further provides a data processing method based on traffic blocking, applied to an operating system whose kernel is configured with a traffic blocking module and a user interface module for configuring traffic blocking rules. The method comprises: receiving traffic information from the data link layer via the traffic blocking module; obtaining the traffic to be released according to the filtering rules preset via the user interface module and passing it to the network protocol stack in the kernel; and processing the released traffic. This filters the traffic once before it enters the protocol stack, identifies the traffic to be discarded, and so reduces the load on the protocol stack.
However, this scheme filters traffic at the data link layer, passes the released traffic to the kernel protocol stack and discards the rest; that is, it filters the traffic to be sent, but it cannot block the outgoing traffic of a particular application.
Thus there is a need for an accurate, high-precision solution that identifies application traffic for blocking.
Disclosure of Invention
In view of the above, the embodiment of the application provides an application network traffic blocking method to solve the technical problem that the prior art cannot accurately and precisely identify and block application traffic. The method comprises the following steps:
obtaining an outgoing message of a target network at the boundary of the target network via mirrored traffic, inputting the outgoing message into a message analysis model, and having the message analysis model output the port features and message structure features of the outgoing message, wherein the message analysis model is obtained by training a machine learning component with historical outgoing messages, their port features and their message structure features as samples;
judging whether the outgoing message is a message of a preset application or not through a relation model according to the port characteristics and the message structure characteristics of the outgoing message;
if yes, judging whether the outgoing message accords with the outgoing condition of the preset application;
if not, stopping the process of the preset application through the application server.
The embodiment of the application also provides an application network traffic blocking device, which solves the technical problem that the prior art cannot accurately and precisely identify and block application traffic. The device comprises:
a message acquisition module for acquiring an outgoing message of the target network at the boundary of the target network via mirrored traffic, inputting the outgoing message into the message analysis model, and having the message analysis model output the port features and message structure features of the outgoing message, wherein the message analysis model is obtained by training a machine learning component with historical outgoing messages, their port features and their message structure features as samples;
the application identification module is used for judging whether the outgoing message is a preset application message or not through a relation model according to the port characteristics and the message structure characteristics of the outgoing message;
the flow identification module is used for judging whether the outgoing message accords with the outgoing condition of the preset application or not when the outgoing message is the message of the preset application;
and the flow blocking module is used for stopping the process of the preset application through the application server when the outgoing message does not accord with the outgoing condition of the preset application.
The embodiment of the application also provides computer equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the network flow blocking method of any application when executing the computer program so as to solve the technical problem that the application flow cannot be accurately and precisely identified and blocked in the prior art.
The embodiment of the application also provides a computer readable storage medium which stores a computer program for executing the network traffic blocking method of any application, so as to solve the technical problem that the application traffic cannot be accurately and precisely identified and blocked in the prior art.
Compared with the prior art, the beneficial effects achievable by at least one of the technical schemes adopted in the embodiments of this description include at least the following. An outgoing message of the target network is obtained at the network boundary via mirrored traffic and input into a message analysis model, which outputs its port features and message structure features; a relation model then judges from those features whether the outgoing message belongs to a preset application; if so, it is judged whether the outgoing message meets the outgoing conditions of the preset application; and if it does not, the process of the preset application is stopped through the application server. Without changing the original network architecture, the method automatically and precisely identifies the network traffic of the preset application from its port features and application-layer message structure features and blocks it flexibly and precisely according to its outgoing conditions; meanwhile, the message analysis model and the relation model efficiently and accurately determine the features of the outgoing message and judge whether it belongs to the preset application, which further improves the efficiency and reliability of operation and maintenance.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network traffic blocking method of an application according to an embodiment of the present application;
fig. 2 is a flowchart of a network traffic blocking method for implementing the above application according to an embodiment of the present application;
fig. 3 is a schematic diagram of a framework for implementing the network traffic blocking method of the application according to the embodiment of the present application;
FIG. 4 is a block diagram of a computer device according to an embodiment of the present application;
fig. 5 is a block diagram of a network traffic blocking device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present application will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present application with reference to specific examples. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. The application may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied from the spirit and scope of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In an embodiment of the present application, an application network traffic blocking method is provided, as shown in fig. 1, comprising:
step S101: obtaining an outgoing message of a target network at the boundary of the target network via mirrored traffic, inputting the outgoing message into a message analysis model, and having the message analysis model output the port features and message structure features of the outgoing message, wherein the message analysis model is obtained by training a machine learning component with historical outgoing messages, their port features and their message structure features as samples;
step S102: judging whether the outgoing message is a message of a preset application or not through a relation model according to the port characteristics and the message structure characteristics of the outgoing message;
step S103: if yes, judging whether the outgoing message accords with the outgoing condition of the preset application;
step S104: if not, stopping the process of the preset application through the application server.
As the flow in fig. 1 shows, in this embodiment the method, without changing the original network architecture, automatically and precisely identifies the network traffic of a preset application from its port features and application-layer message structure features and blocks it flexibly and precisely according to its outgoing conditions. No traffic of the preset application escapes blocking, the risk posed by the outgoing traffic of a specific (preset) application is effectively removed, operation and maintenance cost and steps are reduced, the stability of the service system is safeguarded, and the method is transparent to users, with good user experience. Meanwhile, the message analysis model and the relation model efficiently and accurately determine the features of the outgoing message and judge whether it belongs to the preset application, further improving the efficiency and reliability of operation and maintenance.
In one embodiment, a mirror port may be configured at the boundary of the target network so that the system running the application network traffic blocking method receives the target network's traffic as mirrored traffic and captures the outgoing messages directly from the network card through its high-speed packet capture module.
In one embodiment, in order to collect the outgoing messages of the target network under high traffic volume and high concurrency, the system running the method may use a user-space I/O (UIO) driver and read the outgoing messages from the network card by polling in user mode, bypassing the kernel protocol stack.
In one embodiment, in order to accurately identify the outgoing messages of a preset application (i.e. a preset application whose network traffic must be blocked), the port features and message structure features of an outgoing message are obtained efficiently and accurately by a message analysis model: the outgoing message is input into the model, which outputs its port features and message structure features. The model is obtained by training a machine learning component with historical outgoing messages, their port features and their message structure features as samples. Thus even where the rules of an application are not known, the port features and message structure features of its outgoing messages can be obtained quickly and accurately through the model. The machine learning component may be a neural network, a deep learning network or another model among the various network architecture types.
In one embodiment, the port feature of the outgoing message may be a feature such as a port number, for example the port number of the sending end. The message structure feature may be an application-layer protocol feature and/or the structure of the data packet (for example, which bytes the packet header contains).
In one embodiment, after the port features and message structure features of the outgoing message have been obtained, whether the message belongs to a preset application may be identified through a relation model. For example, the relation model stores the correspondence between each preset application and its preset port features and preset message structure features; the port features and message structure features of the outgoing message are matched against the preset ones in that correspondence, and if the match succeeds the outgoing message is judged to belong to the preset application.
In a specific implementation, the correspondence between the preset application and its preset port features, and between the preset application and its preset message structure features, may be stored in the relation model in advance, for instance as a two-dimensional table in which each preset application corresponds to its port features and message structure features. The relation model may thus be a model trained after a neural network or deep learning network has learned the correspondence, or a data model in the form of a two-dimensional table.
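The following is an added example, not code from the patent, of the two-dimensional-table form of the relation model together with the feature extraction it consumes: an Ethernet/IPv4/TCP frame is parsed into a port feature (the sending end's source port) and a message structure feature (the leading bytes of the application-layer data), and both must match a row of the table before the message is attributed to a preset application. The application names, ports, protocol signatures and the frame builder are assumptions constructed for illustration; a trained model would replace the hand-written signature table.

```python
import struct

# Relation model as a two-dimensional table: preset application -> (port features,
# message structure features). Applications, ports and signatures are constructed
# for illustration; they are not taken from the patent.
RELATION_TABLE = {
    "web-frontend": {"ports": {8080}, "signatures": (b"GET ", b"POST ", b"PUT ", b"HEAD ")},
    "mail-relay":   {"ports": {25, 587}, "signatures": (b"EHLO ", b"HELO ", b"MAIL FROM:")},
    "tls-agent":    {"ports": {443}, "signatures": (b"\x16\x03",)},  # TLS record header
}


def parse_outgoing(frame):
    """Parse an Ethernet/IPv4/TCP frame into port and structure features.

    Returns None for frames that are not IPv4 over TCP or are too short.
    """
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length
    if ip[9] != 6 or len(ip) < ihl + 20:                  # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length
    payload = tcp[data_off:]
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": payload,
        "payload_head": payload[:16],  # message structure feature: leading application bytes
    }


def identify_application(features, table=RELATION_TABLE):
    """Return the preset application whose port AND structure features match, else None.

    Requiring both features limits false attribution on port number alone.
    """
    for app, rule in table.items():
        if features["src_port"] in rule["ports"] and \
                features["payload_head"].startswith(rule["signatures"]):
            return app
    return None


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed test frame (Ethernet + IPv4 + TCP without options).

    Checksums are left zero because parse_outgoing does not verify them.
    """
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "203.0.113.9", 8080, 51000, b"GET /index.html HTTP/1.1\r\n")
    print(identify_application(parse_outgoing(frame)))  # web-frontend
```

Note that a frame whose source port is 8080 but whose payload is a TLS record is not attributed to "web-frontend": the port feature alone is not enough, which is the point of carrying both columns in the table.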
In one embodiment, when determining that the outgoing message is a message of a preset application, the following manner is adopted to quickly and accurately determine whether the outgoing message is network traffic to be blocked. For example, judging whether the current sending time of the outgoing message belongs to a preset outgoing time period of the preset application; if not, judging that the outgoing message does not accord with the outgoing condition of the preset application; if yes, judging that the outgoing message accords with the outgoing condition of the preset application.
In specific implementation, the outgoing condition of the preset application may include one or more preset outgoing periods, where the preset outgoing periods are periods in which the preset application allows outgoing messages; a white list can also be set, and the outgoing message belongs to the white list, so that the outgoing condition of the preset application is met.
In one embodiment, several different outgoing prohibition conditions may be set for the preset application so that network traffic to be blocked can be identified flexibly and quickly. For example, the port features and content features of the outgoing message are matched respectively against the preset application's outgoing prohibition conditions, which comprise any one or any combination of the following: a blacklist, a source IP prohibited from outgoing, a source port prohibited from outgoing, a destination IP prohibited from outgoing, a destination port prohibited from outgoing, and a content feature prohibited from outgoing;
when the matching succeeds (any one or more conditions match), the outgoing message is judged not to meet the outgoing conditions of the preset application; when the matching fails, the outgoing message is judged to meet them.
In a specific implementation, the content features prohibited from outgoing may include sensitive keywords for content leakage prevention (for example, contract, name) and regular expression rules (for example, for sensitive information with a fixed pattern, such as identity card numbers or e-mail addresses). A blacklist may also be set, in which case outgoing messages that belong to the blacklist are blocked directly.
In a specific implementation, the outgoing prohibition period may be set in the outgoing prohibition condition, and if the current sending time of the outgoing message belongs to the outgoing prohibition period of the preset application, the outgoing message does not conform to the outgoing condition of the preset application.
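The following is an added example, not code from the patent, of evaluating the outgoing conditions described above for one preset application: a destination whitelist that always passes, a destination blacklist, an outgoing prohibition period, four-tuple deny rules with wildcards, sensitive keywords, regular expression rules, and finally the permitted outgoing periods. Every value in the policy is constructed for illustration; the order of checks (whitelist first, then every prohibition, then the allowed-period test) is a design choice made here and follows the patent's statement that a whitelisted message meets the outgoing condition.

```python
import re
from datetime import time

# Outgoing conditions for one preset application, as an administrator might set them
# through the management platform. Every value is constructed for illustration.
POLICY = {
    "allowed_periods": [(time(9, 0), time(18, 0))],    # periods in which outgoing is permitted
    "forbidden_periods": [(time(0, 0), time(6, 0))],   # explicit outgoing prohibition period
    "whitelist_dst": {"198.51.100.20"},                 # destinations that always pass
    "blacklist_dst": {"203.0.113.66"},                  # destinations that are always blocked
    "deny_tuples": [                                    # four-tuple rules; None is a wildcard
        {"src_ip": None, "src_port": None, "dst_ip": None, "dst_port": 25},
    ],
    "keywords": ["contract", "confidential"],           # leakage-prevention sensitive keywords
    "regexes": [                                        # sensitive information with a fixed pattern
        re.compile(r"\b\d{17}[\dXx]\b"),                # 18-character PRC identity card number
        re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),        # e-mail address
    ],
}


def _in_period(now, periods):
    return any(start <= now <= end for start, end in periods)


def _tuple_matches(msg, rule):
    keys = ("src_ip", "src_port", "dst_ip", "dst_port")
    return all(rule[k] is None or rule[k] == msg[k] for k in keys)


def check_outgoing(msg, now_hhmm, policy=POLICY):
    """Return (allowed, reason) for an outgoing message of the preset application.

    msg carries the four-tuple and the application-layer payload (bytes);
    now_hhmm is the current sending time as "HH:MM".
    """
    now = time.fromisoformat(now_hhmm)
    if msg["dst_ip"] in policy["whitelist_dst"]:
        return True, "whitelisted destination"
    if msg["dst_ip"] in policy["blacklist_dst"]:
        return False, "blacklisted destination"
    if _in_period(now, policy["forbidden_periods"]):
        return False, "forbidden period"
    if any(_tuple_matches(msg, r) for r in policy["deny_tuples"]):
        return False, "denied 4-tuple"
    text = msg["payload"].decode("utf-8", errors="replace")
    lowered = text.lower()
    for kw in policy["keywords"]:
        if kw in lowered:
            return False, "sensitive keyword: " + kw
    for rx in policy["regexes"]:
        if rx.search(text):
            return False, "sensitive pattern: " + rx.pattern
    if not _in_period(now, policy["allowed_periods"]):
        return False, "outside allowed period"
    return True, "permitted"


if __name__ == "__main__":
    sample = {"src_ip": "10.0.0.5", "src_port": 8080, "dst_ip": "203.0.113.9",
              "dst_port": 443, "payload": b"id=11010519491231002X"}
    print(check_outgoing(sample, "10:00"))  # blocked: sensitive pattern
```

Because the content checks run on decoded payload bytes, they only see plaintext; for TLS-carried traffic the four-tuple, time and destination rules still apply but the keyword and regex rules do not, which is a limitation of any boundary-side content match.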
In one embodiment, when the outgoing message is judged to meet the outgoing conditions of the preset application it is sent directly; when it is judged not to meet them it is blocked. The blocking can be made precise by stopping the process of the preset application through the application server: the process id that sent the outgoing message is determined from the session information of the message, and the process is stopped by that id.
In the specific implementation, the application server stops the application process, leaving it in a non-running state; this blocks the traffic and so achieves the purpose of prohibiting the outgoing traffic of the specific (preset) application.
In one embodiment, network traffic refers to the data traffic generated on the network by a device capable of connecting to the network. Blocking means obstructing something so that its progress is interrupted.
The following describes in detail the implementation procedure of the network traffic blocking method applied in the above manner with reference to fig. 2, and as shown in fig. 2, the procedure includes the following steps:
in the first step, as shown in fig. 3, the system running the above-mentioned network traffic blocking method of application accesses the target network boundary through the bypass, sets the blocking function (module) on the application server, and simultaneously gives the configuration mirror image port to directly capture the network message from the network card through its high-speed message capturing module.
The system for running the network traffic blocking method of the application is deployed at the network boundary, the network is accessed in a mirror traffic mode, blocking is carried out on hit rules according to the characteristics of specific (preset) application protocol messages, the situation of leakage blocking cannot occur, the system is transparent to users, and the user experience is good.
And a second step of: and setting a content blocking anti-leakage sensitive keyword, a regular rule, a outward spring prohibiting time period and other outward spring prohibiting or outward spring permitting conditions by an administrator through a system management platform, and storing the outward spring prohibiting or outward spring permitting conditions in a feature library or a database.
It should be noted that, any one or a combination of four-tuple information (source IP, destination IP, source port, destination port) may be used to set a condition for prohibiting outgoing, for example, identifying outgoing behavior from port application a, so as to perform traffic blocking interception.
And a third step of: when the application server sends out traffic, the application server obtains all outgoing messages flowing through the gateway through the high-speed message grabbing module.
Fourth step: and analyzing the outgoing message Wen Shendu through a message analysis model to obtain the characteristics of a message port (such as a message port number) and the characteristics of a message structure (the characteristics of an application layer protocol). The message analysis model is obtained by training after characteristic learning of data samples such as historical port characteristics, historical structure characteristics and the like through a machine learning component.
Fifth step: and matching the message port characteristics and the message structure characteristics with preset port characteristics and preset message structure characteristics corresponding to preset applications prestored in the relation model, and determining whether the outgoing message is a message of the preset applications.
Sixth step: if yes, the port characteristics and the content characteristics of the outgoing message are respectively matched with the pre-stored application forbidden outer spring piece or the allowed outer spring piece in the characteristic library (or the database), so as to judge whether the outgoing message should be blocked or not. For example, in the condition of prohibiting the outgoing from 8 a.m. to 6 a.m. as the period of prohibiting the outgoing, when the current sending time of the outgoing message belongs to the period of prohibiting the outgoing, the outgoing flow is directly not allowed, and the blocking is performed.
Seventh step: and the application server receives the blocking instruction, queries the mapping relation according to the provided session information of the acquired message, finds the process id corresponding to the outgoing message, and stops the process.
In this embodiment, a computer device is provided, as shown in fig. 4, including a memory 401, a processor 402, and a computer program stored in the memory and capable of running on the processor, where the processor implements the network traffic blocking method of any of the above applications when executing the computer program.
In particular, the computer device may be a computer terminal, a server or similar computing means.
In the present embodiment, there is provided a computer-readable storage medium storing a computer program for executing the network traffic blocking method of any of the above-described applications.
In particular, computer-readable storage media, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer-readable storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable storage media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
Based on the same inventive concept, the embodiment of the application also provides an application network traffic blocking device, as described in the following embodiment. Because the principle by which the application network traffic blocking device solves the problem is similar to that of the application network traffic blocking method, the implementation of the device can refer to the implementation of the method, and repeated description is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of an application network traffic blocking apparatus according to an embodiment of the present application; as shown in fig. 5, the apparatus includes:
the message obtaining module 501, configured to obtain an outgoing message of a target network at the boundary of the target network from mirrored traffic, input the outgoing message into a message analysis model, and have the message analysis model output the port features and message structure features of the outgoing message, where the message analysis model is obtained by training a machine learning component with historical outgoing messages, their port features and their message structure features as samples;
the application identification module 502, configured to determine, according to the port features and message structure features of the outgoing message, whether the outgoing message is a message of a preset application;
the flow identification module 503, configured to determine, through a relation model, whether the outgoing message meets the outgoing condition of the preset application when the outgoing message is a message of a preset application;
and the flow blocking module 504, configured to stop the process of the preset application through the application server when the outgoing message does not meet the outgoing condition of the preset application.
In one embodiment, the flow identification module is configured to determine whether the current sending time of the outgoing message falls within a preset outgoing period of the preset application; if not, it judges that the outgoing message does not meet the outgoing condition of the preset application.
In one embodiment, the flow identification module is further configured to match the port features and content features of the outgoing message with the prohibited-outgoing conditions of the preset application, where the prohibited-outgoing conditions include any one or any combination of the following: a blacklist, a source ip prohibited from outgoing, a source port prohibited from outgoing, a destination ip prohibited from outgoing, a destination port prohibited from outgoing and a content feature prohibited from outgoing; when the matching succeeds, it judges that the outgoing message does not meet the outgoing condition of the preset application.
In one embodiment, the flow blocking module is configured to determine the process id that sent the outgoing message according to the session information of the outgoing message, and to stop the process that sent the outgoing message according to that process id.
In one embodiment, the application identification module is configured to store, in the relation model, the correspondence between a preset application and its preset port features and preset message structure features, to match the port features and message structure features of the outgoing message against the preset port features and preset message structure features in that correspondence through the relation model, and, if the matching succeeds, to determine that the outgoing message is a message of the preset application.
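The seven steps above and the fig. 5 modules, carried out as one pass over a captured packet, written here as added example code and not the patent's implementation: `extract_features` stands in for the trained message analysis model with two fixed protocol signatures, and the relation model entries, policy values, addresses, pids and sample packets are all constructed. Stopping a process is only recorded, not performed; a prohibited period whose end is earlier than its start (as in the sixth step's example) is treated as wrapping past midnight.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    sent_at: time  # time of day at which the mirrored packet was captured

def extract_features(pkt: Packet) -> Tuple[int, str]:
    """Stand-in for the message analysis model (step 4): port feature + protocol by signature."""
    if re.match(rb"(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", pkt.payload):
        return pkt.dst_port, "http"
    if pkt.payload[:2] == b"\x16\x03":  # TLS record header: handshake, version 3.x
        return pkt.dst_port, "tls"
    return pkt.dst_port, "unknown"
# Constructed relation model: preset application -> (preset port features, preset structure features)
RELATION_MODEL = {"web-portal": ({80, 8080}, {"http"}), "file-sync": ({443}, {"tls"})}

def identify_app(port: int, proto: str) -> Optional[str]:
    """Step 5: both features must match a preset application's entry."""
    return next((a for a, (ps, prs) in RELATION_MODEL.items() if port in ps and proto in prs), None)

def in_window(t: time, start: time, end: time) -> bool:
    return start <= t < end if start <= end else (t >= start or t < end)  # start > end wraps midnight

@dataclass
class OutgoingPolicy:
    """Prohibited-outgoing conditions of one preset application (the feature library, step 2)."""
    forbidden_window: Optional[Tuple[time, time]] = None
    content_patterns: Tuple[re.Pattern, ...] = ()
    def violation(self, pkt: Packet) -> Optional[str]:
        if self.forbidden_window and in_window(pkt.sent_at, *self.forbidden_window):
            return "forbidden time period"
        for pat in self.content_patterns:  # sensitive keywords / regular-expression rules
            if pat.search(pkt.payload):
                return "sensitive content: " + pat.pattern.decode()
        return None

def inspect(pkt: Packet, policies: Dict[str, OutgoingPolicy],
            sessions: Dict[Tuple[str, int, str, int], int], stopped: List[int]) -> Optional[str]:
    """Steps 4-7 for one mirrored packet: returns the block reason, or None to let it pass."""
    app = identify_app(*extract_features(pkt))
    if app is None or app not in policies:
        return None  # not a preset application: the method makes no decision on it
    reason = policies[app].violation(pkt)
    if reason is None:
        return None
    pid = sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))  # step 7 mapping
    if pid is not None:
        stopped.append(pid)  # the real blocking module on the application server would stop this pid
    return f"{app}: {reason}"

def demo() -> Tuple[List[Optional[str]], List[int]]:
    # Constructed policy and traffic: outgoing prohibited 20:00-06:00, keyword CONFIDENTIAL
    policies = {"web-portal": OutgoingPolicy((time(20, 0), time(6, 0)), (re.compile(rb"CONFIDENTIAL"),))}
    sessions = {("10.0.0.5", 51000, "198.51.100.7", 80): 4242, ("10.0.0.5", 51001, "198.51.100.7", 80): 4243}
    http = b"POST /upload HTTP/1.1\r\nHost: ex\r\n\r\n"
    pkts = [Packet("10.0.0.5", 51000, "198.51.100.7", 80, http + b"CONFIDENTIAL", time(14, 0)),
            Packet("10.0.0.5", 51001, "198.51.100.7", 80, http + b"weekly report", time(23, 30)),
            Packet("10.0.0.5", 51002, "198.51.100.7", 80, http + b"weekly report", time(9, 0)),
            Packet("10.0.0.5", 51003, "198.51.100.7", 22, b"SSH-2.0-x\r\n", time(23, 30))]
    stopped: List[int] = []
    return [inspect(p, policies, sessions, stopped) for p in pkts], stopped
```

The fourth sample packet is not a preset application at all, so it passes without any condition check; only the first two are blocked and only their sessions' pids are recorded.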
The embodiment of the application achieves the following technical effects: without changing the original network architecture, the method automatically, accurately and precisely identifies the network traffic of the preset application according to the port features and application-layer message structure features, and blocks flexibly and precisely according to the outgoing conditions; meanwhile, the use of the message analysis model and the relation model determines the features of the outgoing message and judges whether it belongs to the preset application efficiently and accurately, which helps to further improve the efficiency and reliability of operation and maintenance.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the application described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than what is shown or described, or they may be separately fabricated into individual integrated circuit modules, or a plurality of modules or steps in them may be fabricated into a single integrated circuit module. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, and various modifications and variations can be made to the embodiments of the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (9)

1. An application network traffic blocking method, comprising:
obtaining an outgoing message of a target network at the boundary of the target network from mirrored traffic, inputting the outgoing message into a message analysis model, and outputting port features and message structure features of the outgoing message by the message analysis model, wherein the message analysis model is obtained by training a machine learning component with historical outgoing messages, port features of the historical outgoing messages and message structure features of the historical outgoing messages as samples;
judging, through a relation model and according to the port features and the message structure features of the outgoing message, whether the outgoing message is a message of a preset application;
if so, judging whether the outgoing message meets the outgoing condition of the preset application;
if not, stopping the process of the preset application through the application server.
2. The method for blocking network traffic of an application according to claim 1, wherein determining whether the outgoing message meets the outgoing condition of the preset application comprises:
judging whether the current sending time of the outgoing message belongs to a preset outgoing time period of the preset application;
if not, judging that the outgoing message does not accord with the outgoing condition of the preset application.
3. The method for blocking network traffic of an application according to claim 1, wherein judging whether the outgoing message meets the outgoing condition of the preset application comprises:
respectively matching the port features and the content features of the outgoing message with the prohibited-outgoing conditions of the preset application, wherein the prohibited-outgoing conditions comprise any one or any combination of the following: a blacklist, a source ip prohibited from outgoing, a source port prohibited from outgoing, a destination ip prohibited from outgoing, a destination port prohibited from outgoing and a content feature prohibited from outgoing;
and when the matching succeeds, judging that the outgoing message does not meet the outgoing condition of the preset application.
4. The network traffic blocking method of an application according to claim 1, wherein stopping the process of the preset application by an application server comprises:
determining a process id for transmitting the outgoing message according to the session information of the outgoing message;
and stopping the process of sending the outgoing message according to the process id.
5. The method for blocking network traffic of an application according to any one of claims 1 to 4, wherein judging, through the relation model and according to the port features and the message structure features of the outgoing message, whether the outgoing message is a message of a preset application comprises:
storing the corresponding relation between the preset application and the preset port feature and the preset message structure feature in the relation model, matching the port feature and the message structure feature of the outgoing message with the preset port feature and the preset message structure feature in the corresponding relation through the relation model, and judging the outgoing message as the message of the preset application if the matching is successful.
6. The method for blocking network traffic for an application according to any one of claims 1 to 4, wherein the message structure feature comprises an application layer protocol feature.
7. An application network traffic blocking device, comprising:
the message acquisition module is used for acquiring an outgoing message of the target network in a mirror image flow mode at the boundary of the target network, inputting the outgoing message into the message analysis model, and outputting the port characteristic and the message structure characteristic of the outgoing message by the message analysis model, wherein the message analysis model is obtained by training a machine learning component by taking the historical outgoing message, the port characteristic of the historical outgoing message and the message structure characteristic of the historical outgoing message as samples;
the application identification module is used for judging whether the outgoing message is a preset application message or not through a relation model according to the port characteristics and the message structure characteristics of the outgoing message;
the flow identification module is used for judging whether the outgoing message accords with the outgoing condition of the preset application or not when the outgoing message is the message of the preset application;
and the flow blocking module is used for stopping the process of the preset application through the application server when the outgoing message does not accord with the outgoing condition of the preset application.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the network traffic blocking method of the application of any of claims 1 to 6 when the computer program is executed.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that executes the network traffic blocking method of the application of any one of claims 1 to 6.
CN202310687134.4A 2023-06-09 2023-06-09 Application network traffic blocking method and device, computer equipment and storage medium Pending CN116633656A (en)

Publications (1)

Publication Number Publication Date
CN116633656A true CN116633656A (en) 2023-08-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination