CN117376186A - Data detection method, apparatus, device, storage medium and computer program product - Google Patents

Data detection method, apparatus, device, storage medium and computer program product

Publication number
CN117376186A
Authority
CN
China
Prior art keywords
detected
data packet
data
equipment
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311330415.0A
Other languages
Chinese (zh)
Inventor
武朝阳
赵宇辰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd filed Critical DBAPPSecurity Co Ltd
Priority to CN202311330415.0A priority Critical patent/CN117376186A/en
Publication of CN117376186A publication Critical patent/CN117376186A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning

Landscapes

  • Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to a data detection method, apparatus, device, storage medium and computer program product. The method comprises the following steps: acquiring a data packet to be detected, wherein the data to be detected comprises a history approval field corresponding to history protective equipment among the protective equipment; when the current protective equipment finds that a previous approval field corresponding to the previous protective equipment exists in the history approval field, performing spot-check processing on the data packet to be detected to obtain a spot-check result; and when the spot-check result indicates that the spot check is passed, inserting a current approval field corresponding to the current protective equipment into the data packet to be detected, so as to obtain the detection result of the current protective equipment for the data packet to be detected. The method can effectively improve the efficiency of detection and defense against network attacks.

Description

Data detection method, apparatus, device, storage medium and computer program product
Technical Field
The present invention relates to the field of computer and device management and control technologies, and in particular, to a data detection method, apparatus, device, storage medium, and computer program product.
Background
With the rapid increase in the number of small and medium-sized internet enterprises, and as external attacks on servers in the existing network environment become increasingly diversified and compound, the existing solution is as follows: various types of security defense devices are connected in series to provide multi-layer protection and multi-stage filtering, and each type of security defense device detects one security threat characteristic in network data messages, thereby achieving joint detection and defense against diversified and compound network attacks.
However, in the prior art the same security detection item is often detected repeatedly in different devices, and the performance of the individual security defense devices differs greatly, so that a great amount of security monitoring time and network system resources is consumed.
At present, no effective solution has been proposed for the problem of low monitoring and defense efficiency for diversified and compound network attacks in the prior art.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data detection method, apparatus, device, storage medium, and computer program product.
In a first aspect, the present application provides a data detection method. The method comprises the following steps:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment searches that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
In one embodiment, the method further includes:
when the spot-check result indicates that the spot check of the data packet to be detected has failed, intercepting the data packet to be detected, generating warning information and sending the warning information to a preset early warning module;
and determining the last protective equipment based on the last approval field, and isolating the last protective equipment.
In one embodiment, the method further comprises:
when the current protective equipment retrieves that the data packet to be detected does not have the last approval field corresponding to the last protective equipment, the data packet to be detected is intercepted, and warning information is generated and sent to a preset early warning module.
In one embodiment, after inserting the current approval field corresponding to the current protection equipment in the data packet to be detected, the method further includes:
acquiring at least one data type in a data packet to be detected based on current protective equipment;
determining data to be detected corresponding to the data type based on the data type; wherein the data packet to be detected comprises the data to be detected;
detecting the data to be detected to obtain a target detection result, and completing detection of the data packet to be detected based on the target detection result.
In one embodiment, before acquiring the data packet to be detected, the method further includes:
acquiring at least two initial protection devices;
evaluating all the initial protection devices to obtain evaluation results corresponding to all the initial protection devices;
comparing the preset evaluation threshold value with an evaluation result, determining unhealthy protective equipment and healthy protective equipment in the initial protective equipment based on the comparison result, and isolating the unhealthy protective equipment;
and connecting the health protection devices in series to obtain the protection device.
In one embodiment, the evaluation process is performed on all the initial protection devices, so as to obtain the evaluation results corresponding to all the initial protection devices, including:
determining device parameters and network parameters corresponding to the initial protection device; wherein the device parameters are determined based on the historical abnormal state of the initial protection device and the network parameters are determined based on the historical operating state of the initial protection device;
and finishing the evaluation of the initial protection equipment based on the equipment parameters and the network parameters, and obtaining an evaluation result.
In a second aspect, the present application also provides a data detection device, which is integrated on the present protection apparatus. The device comprises:
the acquisition module is used for acquiring the data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
the computing module is used for carrying out sampling inspection processing on the data packet to be detected when the current protective equipment searches that the last approval field corresponding to the last protective equipment exists in the history approval field, so as to obtain sampling inspection results;
and the generation module is used for inserting a current approval field corresponding to the current protection equipment into the data packet to be detected when the sampling detection result indicates that the sampling detection is passed, so as to obtain the detection result of the current protection equipment on the data packet to be detected.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment searches that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment searches that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment searches that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
In the data detection method, apparatus, device, storage medium and computer program product described above, it is detected whether a last approval field exists in the data packet to be detected, and if it exists, the data to be detected is spot-checked; then, if the spot check passes, a current approval field corresponding to the current protective equipment is inserted into the data packet to be detected, and a detection result is obtained. In this way, on the one hand, a plurality of protective devices can be integrated to detect the data packet to be detected, and the method is flexibly applicable to most practical application scenarios; on the other hand, the inserted field, which indicates that the data has passed detection by the preceding protective equipment, not only provides characteristic evidence that subsequent protective equipment can use to screen the data traffic and complete the security detection, but also supports locating the abnormal equipment once the traffic is found to still contain an abnormality or security threat, thereby avoiding data detection errors caused by abnormal protective equipment and further improving the accuracy of data detection.
Drawings
FIG. 1 is a diagram of an application environment for a data detection method in one embodiment;
FIG. 2 is a flow chart of a method of data detection in one embodiment;
FIG. 3 is a flow chart of a method of detecting data in a preferred embodiment;
FIG. 4 is a block diagram showing the structure of a data detecting device according to another embodiment;
FIG. 5 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The data detection method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. Firstly, detecting whether a last approval field exists in a data packet to be detected, and if so, performing spot check processing on the last data to be detected; and then under the condition that the sampling inspection result passes, inserting a current approval field corresponding to the current protective equipment into the data packet to be detected, and obtaining a detection result. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a data detection method is provided, and the method is applied to the server in fig. 1 for illustration, and includes the following steps:
step S202, obtaining a data packet to be detected; wherein the data to be detected includes a history approval field corresponding to a history guard among the guards.
The data to be detected is usually an HTTP or HTTPS message generated when a user client accesses a WEB application. In this application, a plurality of protection devices are connected in series, and when the data packet to be detected passes the detection of a protection device, an x-forward-for field is inserted into the packet header, indicating that the data packet has passed the detection of the corresponding protection device.
Step S204, when the current protective equipment searches that the last approval field corresponding to the last protective equipment exists in the history approval field, performing sampling inspection processing on the data packet to be detected to obtain sampling inspection results.
When the last approval field exists, the current protective equipment performs spot-check processing on the data corresponding to the last approval field; the spot-check algorithm can be random sampling or a sampling algorithm preset by the user. The last approval field is the x-forward-for field corresponding to the last protective equipment, which that equipment inserts in the data packet header when it finishes detecting the data to be detected and finds no abnormality. It can be understood that each protective device has its own corresponding approval field, and the corresponding approval field is inserted when the data packet to be detected passes the inspection of that device.
Step S206, when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so as to obtain the detection result of the current protection equipment on the data packet to be detected.
And if no abnormality is detected, inserting an x-forward-for field corresponding to the current protection device into the data packet to be detected, namely the current approval field, which indicates that the current data to be detected passes the detection of the current protection device, and obtaining the detection result.
Through steps S202 to S206, an approval field is inserted after the protection equipment has performed security detection on the data packet to be detected and the packet has passed, so that the protection equipment can forward and transparently pass specific traffic; this improves the transmission and processing efficiency of the whole application layer, and also improves network security detection efficiency and network resource utilization while effectively ensuring overall network security. Furthermore, approval fields and protection devices are in one-to-one correspondence: the approval fields not only provide characteristic evidence that subsequent protection equipment can use to screen the data traffic and complete security detection, but also support locating the abnormal equipment once subsequent detection finds that the data traffic still contains an abnormality or security threat, which makes the method better suited to practical application environments.
In one embodiment, the method further comprises:
when the spot-check result indicates that the spot check of the data packet to be detected has failed, intercepting the data packet to be detected, generating warning information and sending the warning information to a preset early warning module;
and determining the last protective equipment based on the last approval field, and isolating the last protective equipment.
Specifically, the sampling inspection for the data packet to be detected may be random sampling inspection, or sampling inspection performed based on a sampling inspection algorithm preset by a user. If the selective inspection is not passed, that is, the current protection equipment detects threat characteristics in the data packet to be detected, then the whole data packet to be detected is intercepted, and is processed according to a safety threat disposal mechanism preset based on the protection equipment, and alarm information is sent, wherein the processing can be preferably performed according to the safety threat disposal mechanism of the current protection equipment. Further, if the threat feature is found in the spot check of the data packet to be detected by the current device, the detection of the last protection device is incomplete, or the last protection device is abnormal, so that the last protection device is isolated and related technicians are notified to overhaul. The method can be used for secondarily detecting the detected data, so that the accuracy of data detection is further improved under the condition that the whole detection efficiency is not greatly influenced.
In one embodiment, the method further comprises:
when the current protective equipment retrieves that the data packet to be detected does not have the last approval field corresponding to the last protective equipment, the data packet to be detected is intercepted, and warning information is generated and sent to a preset early warning module.
Specifically, if the last approval field is found to be absent, the data packet to be detected has not passed the detection of the last protection device, that is, the last protection device has a detection vulnerability or an operational problem. In this case, the data packet to be detected is intercepted as a whole, or processed according to the security threat handling mechanism of the current protection device, or subjected to full security detection and processing; at the same time an alarm signal is sent, which indicates that the last protection device is abnormal and needs to be isolated, with the relevant technicians notified to carry out maintenance. In the prior art, an abnormal protective device commonly causes inaccurate detection or even loss of data, and hence losses; with this method the protective equipment is checked while the data is detected, so losses caused by abnormal protective equipment are effectively avoided, and the method is better suited to the complex and changeable environment of actual operation.
In one embodiment, the method further comprises:
acquiring at least one data type in a data packet to be detected based on current protective equipment;
determining data to be detected corresponding to the data type based on the data type; the data packet to be detected comprises data to be detected;
detecting the data to be detected to obtain a target detection result, and completing detection of the data packet to be detected based on the target detection result.
Specifically, it will be appreciated that a data packet to be detected typically includes various data, which in practice often appear as sub-data packets to be detected. To obtain the target detection result, a part of the data types is selected from all data types to be detected; the selection can be made by randomly choosing the data to be detected corresponding to several data types, or by extracting several data types with a reservoir sampling algorithm, and the resulting data to be detected is then detected. Preferably, in practical application, after the random spot check of the current protection device is completed, some data types are further selected by the detection method of this embodiment, so that data to be detected is obtained for supplementary detection. It can be understood that the spot-check processing and the detection method of this embodiment, which determines the data to be detected based on multiple data types, can be integrated on the same protection device or on different protection devices, as chosen according to the practical application. Further, if a network threat is detected, the full data packet is intercepted for full security detection, and the detection operation on the full data packet is executed cyclically in the current protection device. By this method the data packet to be detected can be screened further, the detection accuracy is improved while data detection efficiency is maintained, and missed and false detections are avoided.
In one embodiment, the method further comprises:
acquiring at least two initial protection devices;
evaluating all the initial protection devices to obtain evaluation results corresponding to all the initial protection devices;
comparing the preset evaluation threshold value with an evaluation result, determining unhealthy protective equipment and healthy protective equipment in the initial protective equipment based on the comparison result, and isolating the unhealthy protective equipment;
and connecting the health protection devices in series to obtain the protection device.
Specifically, before a data packet to be detected is detected, all protection devices are evaluated, and evaluation results corresponding to all initial protection devices are obtained based on a preset evaluation method. The unhealthy protection devices and healthy protection devices among the initial protection devices are then determined by comparison with an evaluation threshold; the unhealthy protection devices are isolated and overhauled, and the healthy protection devices are connected in series to obtain the protection devices. By comparing the evaluation result with the threshold, this method judges whether a protection device can support the detection of the data packet to be detected, which further improves the detection precision for the data packet to be detected and reduces the possibility of detection failure caused by an abnormal protection device.
In one embodiment, the method further comprises:
determining device parameters and network parameters corresponding to the initial protection device; wherein the device parameters are determined based on the historical abnormal state of the initial protection device and the network parameters are determined based on the historical operating state of the initial protection device;
and finishing the evaluation of the initial protection equipment based on the equipment parameters and the network parameters, and obtaining an evaluation result.
Specifically, the initial protective equipment may be detected based on the expression:
wherein, is the above device parameter, is the above network parameter, and alpha and beta are the proportional coefficients of the device parameter and the network parameter respectively, with alpha > beta > 0; the specific values of the proportional coefficients are set by a person skilled in the art according to the model of the protection device.
Further, the above device parameter is used for reflecting the health status of the protective device itself, where n is the number of abnormal states occurring, i is the numbering of the abnormal states of the protective device, labeled {1, 2, ..., n}, n is a positive integer, the YC is the number of occurrences of an abnormal state in the case of the parameter configuration of the present protective device within a period of time (T) which can be set by the user, as the probability of occurrence of any abnormal state within the T period. The larger the device parameter value is, the worse the health state of the protection device is; for example, if 2 abnormal states of the protection device are detected in the T period, namely a filter configuration error and a hardware failure, then n=2, so that in this state, the calculation expression is:
Since the abnormal states of the protection device are not limited to filter configuration errors and hardware failures, the more abnormal states of the protection device are detected, the larger the value of n is.
Further, the network parameter is used for reflecting the running stability of the protection device, wherein RJ is the software running defect rate and PZ is the network protocol configuration accuracy rate; the greater the network parameter is, the worse the running stability of the protection device is. The historical running state can be obtained comprehensively based on RJ and PZ, and is derived from the historical running data of the protection device. After the initial protective equipment is evaluated, the evaluation result JK_x is compared with a preset evaluation threshold; if the evaluation result JK_x > the evaluation threshold, the health state and the running stability of the initial protective equipment are poor, that is, it is judged to be unhealthy protective equipment, is isolated, and an overhaul worker is notified to carry out overhaul. The method evaluates the initial protection equipment from two aspects so as to judge whether the protection equipment can support the security detection of the data packet to be detected, which further improves the detection precision for the data packet to be detected and reduces the probability of detection failure caused by abnormal protection equipment.
The embodiment also provides a specific embodiment of the data detection method, as shown in fig. 3, and fig. 3 is a schematic flow chart of the data detection method in a preferred embodiment.
Firstly, before security detection is performed on the data packet to be detected, the parameters of all initial protection devices are collected and evaluation results are calculated; whether each initial protection device can support detection is judged by comparing its evaluation result with a preset threshold, and the healthy protection devices that can support detection are connected in series to obtain the protection devices. The initial protection devices may be evaluated based on their device parameters and network parameters.
When the data packet to be detected passes through the first cis-position protection equipment of the serial security defense system, the protection equipment performs security inspection on the data packet to be detected through a self security detection engine, if the threat features in the data packet to be detected are detected, the data packet to be detected is processed according to a self security threat handling mechanism of the first cis-position protection equipment, and meanwhile, alarm information is sent to an early warning platform; if the threat characteristic is not found in the data packet to be detected and no potential safety hazard is confirmed, an x-forward-for field is inserted into the packet header of the target packet, and the source of the protection equipment is identified as the first-order protection equipment. Then the data packet is forwarded to the next-order serial protection equipment, the next-order serial protection equipment judges whether the data forwarded by the immediately-before-order protection equipment exists an x-forward-for approval field corresponding to the last-order, if the approval field does not exist, the current protection equipment carries out full-scale safety detection and processing on the data packet, and simultaneously gives an alarm to an early warning platform, and further, the last-order protection equipment can be isolated and overhauled; if the existence of the x-forward-for approval field corresponding to the last order is detected, carrying out random sampling detection processing on the data packet to be detected by adopting a random sampling algorithm, and if the detection passes, inserting the x-forward-for approval field of the protective equipment corresponding to the next order. 
It can be understood that the last-in-place protecting device is the last protecting device, and the next-in-place protecting device is the current protecting device, and further, the last protecting device can also be the first protecting device in the protecting system.
Further, the data packet detected by the immediately preceding protection device can be judged by the detection system through algorithms such as random sampling reservoir and the like; if the random sampling data packet is detected to have network threat, the current-order protective equipment performs full-quantity safety detection on the received message data packet and circularly executes detection operation, and further, alarm information can be sent to the early warning platform. When the data packet is not detected to have network threat, the prior protection equipment is indicated to run normally, the safety detection strategy of the online protection equipment is suitable for the current network data condition, the current-order protection equipment does not perform safety detection processing, the message data packet is forwarded to the next-order protection equipment, and the detection operation is continuously executed by the detection mechanism of the next-order protection equipment.
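The forwarding decision described above for the current protection device, as an added sketch that is not code from the patent. The approval field is modelled as an unauthenticated list of device IDs under the x-forward-for header; `has_threat`, the device IDs and the sample packets are constructed assumptions.

```python
import random

APPROVAL_FIELD = "x-forward-for"  # field name as written on the page


def reservoir_sample(stream, k, rng):
    """Algorithm R: uniform random sample of k items from a stream."""
    sample = []
    for i, item in enumerate(stream):
        if i < k:
            sample.append(item)
        else:
            j = rng.randint(0, i)  # inclusive bounds
            if j < k:
                sample[j] = item
    return sample


def has_threat(packet):
    """Stand-in for the device's own detection engine (assumption)."""
    return b"THREAT-MARKER" in packet["payload"]


def approve(packet, device_id):
    """Insert this device's approval field into the packet header."""
    packet["headers"].setdefault(APPROVAL_FIELD, []).append(device_id)


def full_inspection(packets, device_id, result):
    """Inspect every packet: block threats, approve and forward the rest."""
    for p in packets:
        if has_threat(p):
            result["blocked"].append(p)
        else:
            approve(p, device_id)
            result["forwarded"].append(p)


def process_batch(packets, current_id, previous_id, k=2, rng=None):
    """Decision logic of the current device for packets from the previous one."""
    rng = rng or random.Random()
    result = {"forwarded": [], "blocked": [], "alerts": []}
    vouched, unvouched = [], []
    for p in packets:
        seen = p["headers"].get(APPROVAL_FIELD, [])
        (vouched if previous_id in seen else unvouched).append(p)

    if unvouched:  # previous approval missing: full inspection plus alarm
        result["alerts"].append(f"missing approval from {previous_id}")
        full_inspection(unvouched, current_id, result)

    sample = reservoir_sample(vouched, k, rng)
    if any(has_threat(p) for p in sample):  # spot check failed
        result["alerts"].append(f"spot check failed for traffic approved by {previous_id}")
        full_inspection(vouched, current_id, result)
    else:  # spot check passed: forward without re-inspecting
        for p in vouched:
            approve(p, current_id)
            result["forwarded"].append(p)
    return result


def make_packet(payload, approvals):
    """Constructed sample packet, not captured traffic."""
    return {"headers": {APPROVAL_FIELD: list(approvals)}, "payload": payload}
```

With `k` smaller than the batch, a failed spot check is the only thing that triggers re-inspection of approved traffic, so the sample size sets how much the current device relies on the previous one.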
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiments of the application also provide a data detection apparatus for implementing the data detection method described above. The solution provided by the apparatus is implemented in a manner similar to that described for the method, so for the specific limitations in the one or more data detection apparatus embodiments provided below, reference may be made to the limitations of the data detection method above, which are not repeated here.
In one embodiment, as shown in fig. 4, there is provided a data detection apparatus, the apparatus being integrated on a current protective device, comprising: an acquisition module 41, a calculation module 42 and a generation module 43, wherein:
an acquisition module 41, configured to acquire a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protection equipment in the protection equipment;
a calculation module 42, configured to perform sampling inspection processing on the data packet to be detected when the current protection device finds that a previous approval field corresponding to a previous protection device exists in the history approval fields, so as to obtain a sampling inspection result;
a generation module 43, configured to insert a current approval field corresponding to the current protection device into the data packet to be detected when the sampling inspection result indicates that the sampling inspection is passed, so as to obtain a detection result of the current protection device on the data packet to be detected.
Specifically, the acquisition module 41 acquires a data packet to be detected, where the data packet to be detected includes a history approval field inserted by a history protection device. The acquisition module 41 sends the data packet to be detected to the calculation module 42, and when the current protection device finds that the previous approval field corresponding to the previous protection device exists in the history approval field, the calculation module 42 performs sampling inspection processing on the data packet to be detected to obtain a sampling inspection result. The calculation module 42 then transmits the sampling inspection result and the data detection result to the generation module 43, and when the sampling inspection result indicates that the sampling inspection is passed, the generation module 43 inserts the current approval field corresponding to the current protection device into the data to be detected, so as to obtain the detection result corresponding to the current protection device.
With this apparatus, the detection system is combined with sampling inspection, and the security and health of the preceding-stage device is evaluated according to the result. This provides a forwarding and transmission optimization mechanism in the protection devices for specific traffic, greatly reduces the frequency of repeated detection, and ultimately reduces the consumption of device performance resources, shortens the time spent on security detection and improves load capacity.
The modules in the above data detection apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in, or independent of, a processor in the computer device in hardware form, or may be stored in a memory in the computer device in software form, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing data of the data detection method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data detection method.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment finds that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
acquiring a data packet to be detected; the data to be detected comprises a history approval field corresponding to history protective equipment in the protective equipment;
when the current protective equipment finds that a previous approval field corresponding to the previous protective equipment exists in the historical approval field, performing spot check processing on the data packet to be detected to obtain a spot check result;
when the sampling inspection result indicates that the sampling inspection is passed, a current approval field corresponding to the current protection equipment is inserted into the data packet to be detected, so that the detection result of the current protection equipment on the data packet to be detected is obtained.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium; when executed, the computer program may comprise the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory may include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processors referred to in the embodiments provided herein may be, without limitation, general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum-computing-based data processing logic units, and the like.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features involves no contradiction, it should be considered to fall within the scope of this description.
The above examples represent only a few embodiments of the present application. They are described in relative detail, but are not to be construed as limiting the scope of the present application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these would fall within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A method of data detection, for use with a protective device, the method comprising:
acquiring a data packet to be detected; wherein the data to be detected comprises a history approval field corresponding to history protection equipment in the protection equipment;
when the current protective equipment retrieves that the last approval field corresponding to the last protective equipment exists in the history approval field, performing sampling inspection processing on the data packet to be detected to obtain sampling inspection results;
and when the sampling inspection result indicates that the sampling inspection is passed, inserting a current approval field corresponding to the current protection equipment into the data packet to be detected, and obtaining the detection result of the current protection equipment on the data packet to be detected.
2. The method of claim 1, wherein after performing a sampling process on the data packet to be detected to obtain a sampling result, the method further comprises:
when the sampling result indicates that the last data sampling to be detected fails, intercepting the data packet to be detected, generating warning information and sending the warning information to a preset early warning module;
and determining the last protective equipment based on the last approval field, and isolating the last protective equipment.
3. The method according to claim 1, wherein the method further comprises:
when the current protective equipment retrieves that the last approval field corresponding to the last protective equipment does not exist in the data packet to be detected, the data packet to be detected is intercepted, and warning information is generated and sent to a preset early warning module.
4. The method of claim 1, wherein after inserting a current approval field corresponding to the current protection device in the data packet to be detected, the method further comprises:
acquiring at least one data type in the data packet to be detected based on the current protective equipment;
determining data to be detected corresponding to the data type based on the data type; wherein the data packet to be detected comprises the data to be detected;
and detecting the data to be detected to obtain a target detection result, and completing detection of the data packet to be detected based on the target detection result.
5. The method of claim 1, wherein prior to the obtaining the data packet to be detected, the method further comprises:
acquiring at least two initial protection devices;
evaluating all the initial protection devices to obtain evaluation results corresponding to all the initial protection devices;
comparing the preset evaluation threshold value with the evaluation result, determining unhealthy protective equipment and healthy protective equipment in the initial protective equipment based on the comparison result, and isolating the unhealthy protective equipment;
and connecting the health protection equipment in series to obtain the protection equipment.
6. The method according to claim 5, wherein the evaluating all the initial protection devices to obtain the evaluation results corresponding to all the initial protection devices comprises:
determining device parameters and network parameters corresponding to the initial protection device; wherein the device parameters are determined from historical abnormal states of the initial protection device, and the network parameters are determined from historical operating states in the initial protection device;
and completing the evaluation of the initial protection equipment based on the equipment parameters and the network parameters, and obtaining the evaluation result.
7. A data detection device, wherein the device is integrated on a current protective equipment, the device comprising:
the acquisition module is used for acquiring the data packet to be detected; wherein the data to be detected comprises a history approval field corresponding to history protection equipment in the protection equipment;
the calculation module is used for carrying out sampling inspection processing on the data packet to be detected when the current protective equipment searches that the last approval field corresponding to the last protective equipment exists in the history approval field, so as to obtain sampling inspection results;
and the generation module is used for inserting a current approval field corresponding to the current protection equipment into the data packet to be detected when the sampling detection result indicates that the sampling detection is passed, so as to obtain the detection result of the current protection equipment on the data packet to be detected.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202311330415.0A 2023-10-13 2023-10-13 Data detection method, apparatus, device, storage medium and computer program product Pending CN117376186A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311330415.0A CN117376186A (en) 2023-10-13 2023-10-13 Data detection method, apparatus, device, storage medium and computer program product

Publications (1)

Publication Number Publication Date
CN117376186A true CN117376186A (en) 2024-01-09

Family

ID=89399766

Country Status (1)

Country Link
CN (1) CN117376186A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination