CN117424711A - Network security management method, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN117424711A
Authority
CN
China
Prior art keywords
traffic
flow
inlet
domain name
data
Legal status
Pending
Application number
CN202210808809.1A
Other languages
Chinese (zh)
Inventor
厉辉
高丽娜
龚飞斐
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network security management method, a network security management device, computer equipment and a storage medium, which can be applied to scenarios such as cloud technology, artificial intelligence, intelligent transportation and assisted driving. The method comprises the following steps: receiving a first notification event, which indicates that the data traffic flowing into a first traffic entry meets a blocking condition; determining a second traffic entry from a set of available traffic entries, the set including at least one traffic entry applied for in advance; and sending an entry switching indication message, which instructs the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster from the first traffic entry to the second traffic entry, so that clients send data traffic to the second traffic entry. The intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster. The method and device improve the efficiency of traffic switching and the protection effect against traffic attacks, and ensure data security.

Description

Network security management method, device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a network security management method, a network security management device, a computer device, and a computer readable storage medium.
Background
Distributed denial of service (DDoS) attacks are increasingly frequent and threaten core business systems and data security: they not only prevent users from using network devices normally, but can also cause users significant economic loss. DDoS protection systems in the related art are generally designed to detect network attack traffic from network flow records (NetFlow) and, once an attack is found, to mitigate it with dedicated traffic cleaning (scrubbing) devices.
However, a large network faces DDoS threats in complex attack scenarios: because attack techniques are complex and change quickly and service scenarios are diverse, it is difficult to protect effectively and adapt quickly, and a single protection technique or scheme cannot cover advanced DDoS attacks, so the requirements of service timeliness and automation cannot be met.
Disclosure of Invention
The application provides a network security management method, a network security management device, computer equipment and a storage medium, which improve the efficiency of traffic switching and the protection effect against traffic attacks, thereby ensuring the normal use and security of data traffic.
In a first aspect, the present application provides a network security management method, applicable to a gateway device, comprising:
receiving a first notification event reported by a traffic detection server, the first notification event indicating that the data traffic flowing into a first traffic entry meets a blocking condition;
determining, in response to the first notification event, a second traffic entry from a set of available traffic entries, the set including at least one traffic entry applied for in advance;
and sending entry switching indication information to the domain name management server, the entry switching indication information comprising identification information of the second traffic entry and instructing the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster from the first traffic entry to the second traffic entry, so that clients send data traffic to the second traffic entry; the intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster.
In a second aspect, the present application provides a network security management method, applicable to a domain name management server, comprising:
receiving entry switching indication information from a gateway device, the entry switching indication information comprising identification information of a second traffic entry;
acquiring, in response to the entry switching indication information, the intermediate domain name of the target gateway device cluster to which the gateway device belongs, the intermediate domain name corresponding to the service domain name of each gateway device included in the target gateway device cluster;
and switching the traffic entry of the intermediate domain name from the first traffic entry to the second traffic entry so that clients send data traffic to the second traffic entry, the first traffic entry being the traffic entry whose inbound data traffic meets the blocking condition.
In a third aspect, the present application provides a network security management method, applicable to a traffic detection server, comprising:
acquiring the data traffic flowing into a first traffic entry;
if the data traffic flowing into the first traffic entry meets a blocking condition, generating a first notification event indicating that the data traffic flowing into the first traffic entry meets the blocking condition;
and sending the first notification event to the gateway device, so that the gateway device determines a second traffic entry from the set of available traffic entries and sends entry switching indication information to the domain name management server, the entry switching indication information instructing the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster from the first traffic entry to the second traffic entry, the target gateway device cluster comprising the gateway device.
In a fourth aspect, the present application provides a network security management apparatus, comprising:
a receiving unit, configured to receive a first notification event reported by the traffic detection server, the first notification event indicating that the data traffic flowing into the first traffic entry meets the blocking condition;
a processing unit, configured to determine, in response to the first notification event, a second traffic entry from a set of available traffic entries, the set including at least one traffic entry applied for in advance;
and a sending unit, configured to send entry switching indication information to the domain name management server, the entry switching indication information comprising identification information of the second traffic entry and instructing the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster from the first traffic entry to the second traffic entry, so that clients send data traffic to the second traffic entry; the intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster.
In a fifth aspect, the present application provides a network security management apparatus, comprising:
a receiving unit, configured to receive entry switching indication information from a gateway device, the entry switching indication information comprising identification information of a second traffic entry;
and a processing unit, configured to acquire, in response to the entry switching indication information, the intermediate domain name of the target gateway device cluster to which the gateway device belongs, the intermediate domain name corresponding to the service domain name of each gateway device included in the target gateway device cluster, and to switch the traffic entry of the intermediate domain name from the first traffic entry to the second traffic entry so that clients send data traffic to the second traffic entry, the first traffic entry being the traffic entry whose inbound data traffic meets the blocking condition.
In a sixth aspect, the present application provides a network security management apparatus, comprising:
an acquisition unit, configured to acquire the data traffic flowing into the first traffic entry;
a processing unit, configured to generate a first notification event if the data traffic flowing into the first traffic entry meets the blocking condition, the first notification event indicating that the data traffic flowing into the first traffic entry meets the blocking condition;
and a sending unit, configured to send the first notification event to the gateway device, so that the gateway device determines a second traffic entry from the set of available traffic entries and sends entry switching indication information to the domain name management server, the entry switching indication information instructing the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster from the first traffic entry to the second traffic entry, the target gateway device cluster comprising the gateway device.
In a seventh aspect, the present application provides a network security management device comprising a processor adapted to execute one or more computer programs, and a computer storage medium storing one or more computer programs which, when loaded by the processor, implement the network security management method provided herein.
In an eighth aspect, the present application provides a computer readable storage medium storing a computer program comprising program instructions that, when executed by a processor, cause the processor to implement the network security management method provided herein.
In a ninth aspect, the present application provides a computer program product comprising computer instructions stored in a computer readable storage medium. The processor of a computer device reads the computer instructions from the computer readable storage medium and executes them, so that the computer device implements the network security management method provided by the application.
Therefore, the traffic detection server detects the data traffic flowing to each traffic entry in real time, so that the characteristic information of a traffic attack can be identified automatically. When the data traffic flowing to the first traffic entry meets the blocking condition, the traffic detection server notifies the gateway device to determine a second traffic entry from the set of available traffic entries, and the gateway device instructs the domain name management server to switch the traffic entry of the intermediate domain name of the target gateway device cluster to the second traffic entry, which keeps the client's data traffic usable and secure. Because the set of available traffic entries comprises at least one traffic entry applied for in advance, the second traffic entry can be taken directly from that set; and because the intermediate domain name corresponds to the service domain name of each gateway device in the target gateway device cluster, the domain name management server only has to switch the traffic entry that the intermediate domain name points to once, rather than switching every service domain name of the cluster separately. This improves traffic switching efficiency, reduces the switching load on the domain name management server, and improves the protection effect against traffic attacks.
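The three roles described in the aspects above can be wired together into a small simulation. The following Python is an added example written for this page, not code from the patent or from Tencent; the NetFlow-style records, the addresses, the byte counts, the 10 GB/s blocking threshold, the per-entry rate check and all class and field names are assumptions made for the example. It shows the traffic detection server raising the first notification event, the gateway device taking the second traffic entry from the pre-applied pool, and the domain name management server repointing the intermediate domain name with a single update so that every service domain of the cluster resolves to the new entry; it also covers the case where the pool is empty and nothing can be switched.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: NetFlow-style records for one 1-second sampling
# window, giving the bytes delivered to each traffic-entry IP. The addresses
# and byte counts are made up for this example.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "bytes": 30_000_000_000},  # entry under attack
    {"dst": "203.0.113.10", "bytes": 25_000_000_000},
    {"dst": "203.0.113.11", "bytes": 2_000_000},       # ordinary entry
]


@dataclass(frozen=True)
class NotificationEvent:
    """The 'first notification event': which entry met the blocking condition."""
    entry: str
    observed_bps: int  # assumed field: bytes/s that triggered the condition


class TrafficDetectionServer:
    """Sums inbound bytes per entry over the window and reports every entry
    whose rate exceeds the blocking threshold (the concrete rate check and
    threshold are assumptions; the page only says a traffic threshold is exceeded)."""

    def __init__(self, threshold_bps: int):
        self.threshold_bps = threshold_bps

    def check(self, flows, window_seconds: int = 1) -> list[NotificationEvent]:
        per_entry = defaultdict(int)
        for flow in flows:
            per_entry[flow["dst"]] += flow["bytes"]
        return [NotificationEvent(ip, total // window_seconds)
                for ip, total in per_entry.items()
                if total // window_seconds > self.threshold_bps]


class DomainNameManagementServer:
    """Keeps the intermediate domain -> entry mapping and the records that
    point each service domain at the intermediate name (CNAME-style)."""

    def __init__(self):
        self.entry_of_intermediate = {}
        self.intermediate_of_service = {}
        self.switch_calls = 0  # how many entry switches the server performed

    def register_cluster(self, intermediate: str, entry: str, service_domains):
        self.entry_of_intermediate[intermediate] = entry
        for domain in service_domains:
            self.intermediate_of_service[domain] = intermediate

    def switch_entry(self, intermediate: str, new_entry: str) -> None:
        # One update repoints every service domain of the cluster at once.
        self.switch_calls += 1
        self.entry_of_intermediate[intermediate] = new_entry

    def resolve(self, service_domain: str) -> str:
        return self.entry_of_intermediate[self.intermediate_of_service[service_domain]]


class GatewayDevice:
    """On a notification for its current entry, takes the next pre-applied
    entry from the available set and asks the DNS manager to switch."""

    def __init__(self, intermediate: str, current_entry: str,
                 available_entries, dns: DomainNameManagementServer):
        self.intermediate = intermediate
        self.current_entry = current_entry
        self.available = list(available_entries)
        self.dns = dns

    def on_notification(self, event: NotificationEvent) -> str | None:
        if event.entry != self.current_entry:
            return None  # stale or foreign event: not our entry
        if not self.available:
            return None  # pool exhausted: nothing to switch to
        second_entry = self.available.pop(0)
        self.dns.switch_entry(self.intermediate, second_entry)
        self.current_entry = second_entry
        return second_entry


def run_scenario(flows=SAMPLE_FLOWS, threshold_bps: int = 10_000_000_000,
                 available_entries=("203.0.113.20", "203.0.113.21")) -> dict:
    """Wire the three roles together for one detection window."""
    service_domains = [f"api{i}.example.com" for i in range(5)]  # constructed
    dns = DomainNameManagementServer()
    dns.register_cluster("gw-cluster-1.example.com", "203.0.113.10", service_domains)
    gateway = GatewayDevice("gw-cluster-1.example.com", "203.0.113.10",
                            available_entries, dns)
    detector = TrafficDetectionServer(threshold_bps)

    switched_to = None
    for event in detector.check(flows):
        switched_to = gateway.on_notification(event) or switched_to
    return {
        "switched_to": switched_to,
        "dns_switch_calls": dns.switch_calls,
        "resolved": {d: dns.resolve(d) for d in service_domains},
        "remaining_pool": list(gateway.available),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is `dns_switch_calls`: one switch of the intermediate domain name changes what all five service domains resolve to, and the gateway never touches the individual service records. In the exhausted-pool case the gateway returns `None` and the service domains keep resolving to the attacked entry, which is the condition an operator would want alarmed on.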
Drawings
In order to illustrate the technical solutions of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. It is obvious that the drawings described below show only some embodiments of the present application, and a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a network security management system according to an embodiment of the present application;
Fig. 2 is a flow chart of a network security management method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a domain name pointing to a traffic entry according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an application scenario of a network security management method according to an embodiment of the present application;
Fig. 5 is a flow chart of another network security management method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a network security management system according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a network security management device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another network security management apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of still another network security management apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application are described below clearly and completely with reference to the accompanying drawings; the embodiments described are evidently only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art can derive from these embodiments without inventive effort fall within the scope of the present application.
For ease of understanding, the terms used in this application are described first.
Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources in a wide area network or local area network to realise the computation, storage, processing and sharing of data.
Cloud technology is the general name for the network, information, integration, management-platform and application technologies deployed under the cloud computing business model; it can form a resource pool that is used flexibly and on demand. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other portals, require large amounts of computing and storage resources. With the rapid development and adoption of the internet industry, every object may in the future have its own identifier that needs to be sent to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data will need strong back-end system support, which can only be achieved through cloud computing.
A distributed denial of service (DDoS) attack refers to multiple attackers at different locations simultaneously attacking one or several targets, or to an attacker controlling multiple machines at different locations and using them to attack a victim simultaneously. Because the attack sources are distributed across different locations, such attacks are called distributed denial of service attacks, and there may be many attackers. DDoS exploits network protocols and defects of operating systems: hundreds or even thousands of compromised hosts on which attack processes have been installed act together, flooding the website server with large volumes of requests that demand replies and consuming network bandwidth or system resources until the network or system is overloaded, crashes and stops providing normal network services.
A network-layer DDoS attack mainly refers to an attack in which the attacker uses high-volume traffic to congest the network bandwidth of the target server and exhaust the resources of the server's system layer, so that the target server cannot respond normally to client access. Common attack types include traffic attacks such as SYN Flood, ACK Flood, User Datagram Protocol (UDP) Flood and Internet Control Message Protocol (ICMP) Flood, and reflection attacks such as Domain Name System (DNS), Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection.
To cope with DDoS attacks, the present application proposes the following two protection schemes:
Scheme one: a Web Application Firewall (WAF) provides one-stop security for users. The WAF is typically accessed via a CNAME: the domain name is resolved to the CNAME address provided by the WAF, and the origin/upstream server IP is configured to enable the WAF. Once the WAF is enabled, the website's public network traffic passes through the WAF first, malicious attack traffic is detected and filtered, and normal traffic is forwarded to the origin IP, ensuring the security, stability and availability of the origin.
Scheme two: DDoS prevention and control by traffic blocking and traffic switching. Specifically, if a server or IP address is subjected to a high-volume traffic attack and the traffic exceeds the protection or self-protection traffic threshold, traffic blocking is triggered. Once blocking is triggered, the server (or its external-network IP) can no longer be reached from the external network, and all requests to the server or the external-network IP are discarded. After blocking, the access entry (IP) is switched to another, non-attacked access entry by modifying domain name resolution or similar means, thereby achieving traffic switching. Common DDoS attacks usually target an IP address, so once the external-network entry IP has been switched, service requests can return to normal.
Traffic cleaning distinguishes normal traffic from malicious traffic within all network traffic, blocks and discards the malicious traffic and delivers only the normal traffic to the server. If a server or IP suffers a large attack that exceeds the defensive or self-protection traffic threshold, traffic blocking is triggered, after which the server (or its external-network IP) can no longer be reached from the external network and all requests to the server or the external-network IP are discarded.
With scheme one, a WAF firewall service must be purchased for each cluster, so the cost is high. In a specific application scenario, for example an application programming interface (API) gateway, DDoS attacks are infrequent, but the attack traffic is usually 20-100GB/s, and a high-specification WAF service must be purchased to withstand attacks of that scale, which then sits idle and wasted most of the time. Moreover, WAF traffic cleaning is not error-free and can clean users' normal traffic, affecting their existing services and availability.
The traffic switching of scheme two also has defects in specific application scenarios, such as DDoS protection for an API gateway. Specifically, an API gateway provides services externally through domain names, and a cluster typically carries tens of thousands of domain names. When a cluster is attacked by DDoS, after applying for a new available IP address, the interface of the domain name server (Domain Name System, DNS) must be called to switch the cluster's tens of thousands of domain names from the attacked current IP to the available IP. Because the number of domain names to switch is so large, and each call to the DNS service interface can switch only a limited number of domain names, thousands of calls are required to switch all domain names on the cluster; each call takes about 1 second to complete, so switching all domain names of the cluster takes nearly 1 hour or even longer. In addition, frequent calls to the DNS service in a short period put heavy access pressure on the DNS service, which can cause it to go down.
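To make the cost argument concrete, the following Python is an added example written for this page (not code from the patent or from Tencent) that simulates the DNS management interface with a per-call domain limit and a fixed cost per call, and runs both switching strategies against a constructed cluster. The figures of 50,000 domains, 20 domains per call and 1 second per call, and all names and addresses, are assumptions; the page itself gives only "tens of thousands" of domains, a limited number per call and about 1 second per call.

```python
# Assumed figures: the page says "tens of thousands" of domains, a limited
# number of domains per DNS API call and about 1 second per call. The exact
# values below are assumptions chosen for this example.
DOMAIN_COUNT = 50_000
BATCH_LIMIT = 20
SECONDS_PER_CALL = 1.0


class BatchLimitedDnsApi:
    """Mock of the DNS management interface: each call carries at most
    `batch_limit` record updates and is modelled as costing `seconds_per_call`."""

    def __init__(self, batch_limit: int, seconds_per_call: float):
        self.batch_limit = batch_limit
        self.seconds_per_call = seconds_per_call
        self.calls = 0
        self.records = {}  # name -> target (IP or another name)

    def update(self, updates: dict) -> None:
        if len(updates) > self.batch_limit:
            raise ValueError(f"batch of {len(updates)} exceeds limit {self.batch_limit}")
        self.calls += 1
        self.records.update(updates)

    def elapsed_seconds(self) -> float:
        return self.calls * self.seconds_per_call


def switch_per_domain(api: BatchLimitedDnsApi, service_domains, new_entry: str):
    """Scheme two as described on the page: rewrite every service domain's
    record, in batches no larger than the API allows."""
    domains = list(service_domains)
    for start in range(0, len(domains), api.batch_limit):
        chunk = domains[start:start + api.batch_limit]
        api.update({d: new_entry for d in chunk})
    return api.calls, api.elapsed_seconds()


def switch_via_intermediate(api: BatchLimitedDnsApi, intermediate: str, new_entry: str):
    """The intermediate-domain approach: the service domains already point at
    the intermediate name, so only that one record changes."""
    api.update({intermediate: new_entry})
    return api.calls, api.elapsed_seconds()


def compare(domain_count: int = DOMAIN_COUNT, batch_limit: int = BATCH_LIMIT,
            seconds_per_call: float = SECONDS_PER_CALL) -> dict:
    """Run both strategies on a constructed cluster and report calls and time."""
    domains = [f"svc{i}.example.com" for i in range(domain_count)]  # constructed
    old_entry, new_entry = "203.0.113.10", "203.0.113.20"           # constructed
    intermediate = "gw-cluster-1.example.com"                      # constructed

    direct = BatchLimitedDnsApi(batch_limit, seconds_per_call)
    direct.records.update({d: old_entry for d in domains})  # initial state, no API call
    direct_calls, direct_secs = switch_per_domain(direct, domains, new_entry)

    via = BatchLimitedDnsApi(batch_limit, seconds_per_call)
    via.records.update({d: intermediate for d in domains})  # CNAME-style, no API call
    via.records[intermediate] = old_entry
    via_calls, via_secs = switch_via_intermediate(via, intermediate, new_entry)

    return {
        "direct_calls": direct_calls,
        "direct_minutes": direct_secs / 60,
        "direct_all_switched": all(direct.records[d] == new_entry for d in domains),
        "via_calls": via_calls,
        "via_minutes": via_secs / 60,
        # resolve service -> intermediate -> entry, as a resolver following a CNAME would
        "via_all_switched": all(via.records[via.records[d]] == new_entry for d in domains),
    }


if __name__ == "__main__":
    print(compare())
```

With the assumed figures the per-domain strategy needs 2,500 calls and roughly 42 minutes, while the intermediate-domain strategy needs one call; both leave every service domain resolving to the new entry. The `ValueError` in `update` models the per-call limit the page mentions, so an implementation that tried to push all domains in one call would fail rather than silently succeed.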
Based on the above analysis, an embodiment of the present application provides a network security management system for protecting against DDoS traffic attacks. For example, but without limitation, the network security management method provided in the embodiment may be applied to the network security management system shown in Fig. 1. As shown in Fig. 1, the network security management system may include, but is not limited to, one or more gateway devices 110, one or more domain name management servers 120, a traffic detection server 130 and one or more service servers 140; the network security management system establishes a communication connection with the operator network 150 through a wired or wireless network and exchanges data with it. The traffic detection server 130 may be deployed in a core switch cluster. The service server 140 is the object protected by the network security management system: the service requests and service traffic sent by terminals to the service server 140 must be detected and processed by the network security management system so that attack traffic is intercepted, allowing the service server 140 to avoid traffic attacks and ensuring the normal operation of the service.
It should be noted that the number and form of the devices shown in Fig. 1 are examples and do not limit the embodiments of the present application.
In this embodiment, the operator network 150 may include one or more terminals, which may include, but are not limited to, smart devices such as smart phones, tablet computers, notebook computers, desktop computers, smart speakers, smart watches, vehicle terminals, smart home appliances, smart voice interaction devices and aircraft. The terminals can be divided into clients and attack terminals that carry out traffic attacks: clients send service requests and data traffic to the service server 140 through the operator network 150, while attack terminals send DDoS traffic attacks towards the service server 140.
Acting as a client, a terminal sends data traffic to the first traffic entry; the client may also send a domain name resolution request to the domain name server, and if it receives identification information of the second traffic entry from the domain name server, it sends data traffic to the second traffic entry based on that identification information. A terminal may also be an attack terminal that carries out a traffic attack on the first traffic entry, for example a UDP traffic attack, which affects the normal operation of servers in the network security management system and endangers data security.
A gateway (gateway) is a computer system or device that provides data conversion services between networks. In the embodiment of the present application, the Gateway device 110 may be an API Gateway cluster formed by a plurality of application programming interface gateways (Application Programming Interface). The gateway device 110 may receive a first notification event reported by the traffic detection server 130, where the first notification event is used to indicate that the data traffic flowing into the first traffic inlet meets the blocking condition; determining, in response to a first notification event, a second flow inlet from a set of available flow inlets, the set of available flow inlets including at least one pre-applied flow inlet; and sending ingress switching indication information to the domain name management server 120, where the ingress switching indication information includes identification information of a second traffic ingress, and the ingress switching indication information is used to instruct the domain name management server 120 to switch the traffic ingress of the middle domain name of the target gateway device cluster from the first traffic ingress to the second traffic ingress, so that the client in the operator network 150 sends data traffic to the second traffic ingress. Wherein the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster.
In this embodiment of the present application, the server in the network security management system may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, a cloud database, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, and basic cloud computing services such as big data and an artificial intelligence platform.
In the embodiment of the present application, the domain name management server 120 may be a domain name server (Domain Name Server, DNS) which is a server for performing domain name (domain name) and IP address conversion corresponding thereto. The DNS maintains a table of domain names and IP addresses corresponding thereto to resolve domain names of messages. As applied to the present application, the domain name management server 120 may receive portal handover indication information including identification information of the second traffic portal from the gateway device 110; and responding to the inlet switching indication information, acquiring an intermediate domain name of a target gateway equipment cluster to which the gateway equipment belongs, switching a flow inlet of the intermediate domain name from a first flow inlet to a second flow inlet, so that the client sends data flow to the second flow inlet, wherein the first flow inlet is a flow inlet of which the inflow data flow meets the blocking condition. Wherein the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster.
The server is used for acquiring the data flow flowing into the first flow inlet; if the data flow flowing into the first flow inlet meets the blocking condition, generating a first notification event, wherein the first notification event is used for indicating that the data flow flowing into the first flow inlet meets the blocking condition; the first notification event is sent to the gateway device 110, so that the gateway device 110 determines a second traffic portal from the set of available traffic portals, and sends ingress switching indication information to the domain name management server 120, where the ingress switching indication information is used to instruct the domain name management server 120 to switch the traffic portal of the middle domain name of the target gateway device cluster from the first traffic portal to the second traffic portal. Wherein the target gateway device cluster comprises gateway devices 110.
Data such as the intermediate domain name and the set of available traffic inlets used in the network security management method may be stored in a cloud database, from which the network security management system acquires them when the method is executed; other data generated in the network security management method, such as the data of the first notification event, may also be stored in a blockchain. A blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. It is essentially a decentralised database: a series of data blocks linked to one another by cryptographic methods, where each data block contains the information of a batch of network transactions and is used to verify the validity (anti-counterfeiting) of that information and to generate the next block. Because of these characteristics, data stored on the blockchain cannot be tampered with, which ensures the security of the data.
The embodiments of the present application may be applied to various scenarios including, but not limited to, cloud technology, artificial intelligence, intelligent transportation, assisted driving, and the like.
It can be understood that the specific embodiments of the present application involve related data such as the data traffic sent by a client. When the above embodiments are applied to specific products or technologies, the related data needs to be licensed or agreed to by the related objects, and the collection, use and processing of the related data need to comply with the related laws, regulations and standards of the related countries and regions.
Based on the network security management system shown in fig. 1, the embodiment of the application provides a network security management method, which can be applied to a network security management device. Referring to fig. 2, fig. 2 is a flow chart of a network security management method according to an embodiment of the present application. As shown in fig. 2, the network security management method includes, but is not limited to, the following steps:
S201: the traffic detection server obtains the data traffic flowing into the first traffic inlet.
The first traffic inlet is the IP entry through which the gateway device provides services to the external network; it may be a virtual IP address or a virtual IP address group. A terminal in the external network that wants to request a service sends its service request and data traffic to the first traffic inlet. The traffic detection server may detect all data traffic sent to the network security management system in real time. The traffic detection server can accurately identify which of the data traffic flowing into the first traffic inlet is safe service data traffic sent by the client and which is attack traffic sent by other terminals. If safe service data traffic is detected, it can be sent to the corresponding service server through the core switch; if attack traffic is detected, it can be intercepted and further traffic attack protection processing can be performed.
Optionally, when detecting the data traffic flowing into the first traffic inlet, the traffic detection server may store characteristic information of the data traffic in a database, where the characteristic information of the data traffic may include one or more of a traffic size, a traffic protocol type, and identification information of the first traffic inlet.
S202: if the traffic detection server detects that the data traffic flowing into the first traffic inlet meets the blocking condition, it generates a first notification event and sends the first notification event to the gateway device.
The blocking condition may be a blocking threshold set according to the traffic size of the data traffic flowing into the first traffic inlet. Illustratively, the blocking threshold may be that the traffic size of the attack traffic within the data traffic flowing into the first traffic inlet exceeds 100 Gigabytes (GB) per second. Optionally, the first notification event may carry information such as the identification information of the first traffic inlet and the traffic size of the attack traffic, so as to support the gateway device's decision on whether to issue traffic switching.
S203: the gateway device determines a second traffic inlet from a set of available traffic inlets in response to the first notification event, the set of available traffic inlets including at least one pre-applied traffic inlet.
The set of available traffic inlets is a set of multiple traffic inlets that the gateway device has applied for in advance.
In general, a new traffic inlet, i.e. a new Virtual IP (VIP) address, has to go through a series of steps: applying for the VIP, implementing it, heartbeat detection (checking whether it was implemented successfully) and putting data-plane traffic through, which often takes from several minutes to tens of minutes from application to taking effect. Thus, applying for a VIP using a conventional VIP application scheme may cause a minimum of several minutes to ten minutes of service unavailability, greatly affecting quality of service. To solve this problem, the embodiments of the present application are based on a pooling concept: one or more groups of traffic inlets are applied for and implemented in advance, forming a set of traffic inlets for switching, and when the current traffic inlet is detected to be under DDoS attack, an available second traffic inlet can be taken directly from the set of available traffic inlets, so that the data traffic sent by the client is switched to the new available second traffic inlet. In this way, the time for applying for and implementing a VIP (traffic inlet) can be optimized from more than ten minutes to 10 seconds, the time for finding an available traffic inlet after the gateway device is attacked by DDoS is greatly shortened, the service quality of the gateway device is improved, and the subsequent implementation of traffic switching is facilitated.
S204: the gateway device sends entry switching indication information to the domain name management server, where the entry switching indication information includes identification information of the second traffic inlet.
S205: the domain name management server responds to the entry switching indication information by obtaining the intermediate domain name of the target gateway device cluster to which the gateway device belongs, where the intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster.
In a network security management system there may be one or more gateway clusters, each containing multiple gateway devices. The intermediate domain names of gateway devices in the same cluster are the same. A gateway device provides services to the outside through its service domain name; the domain name server resolves the service domain name requested by the terminal to a traffic inlet, and the data traffic is then sent to the corresponding traffic inlet. Typically, a gateway cluster has tens of thousands of service domain names. As shown in (a) of fig. 3, when switching the tens of thousands of service domain names of a cluster from an attacked first traffic inlet to an available second traffic inlet, the number of service domain names to be switched is very large while the number of domain names that one call to the interface of the domain name management server can handle is limited, so switching all service domain names of the cluster often needs thousands of calls; even if each call completes within 1 second, switching all service domain names takes nearly 1 hour or more. Meanwhile, because the call volume to the domain name server spikes at one moment and tens of thousands of service domain names must be operated on in a short time, a very large access pressure is placed on the domain name management server service, which may bring it down. Therefore, the generally adopted domain name traffic switching scheme switches domain names too slowly to meet the requirements of the gateway device, and it also subjects the DNS service to great pressure and possible downtime, affecting the service quality of other businesses.
Based on this, the fast scheme in the present application for switching the traffic inlet pointed to by a domain name is based on the idea of an agent: the service domain names belonging to the same gateway cluster (e.g. 1.com, 2.com, 3.com) are mapped to an intermediate domain name (e.g. set-1.com) by mapping records (CNAME), as shown in (b) of fig. 3. When traffic switching is needed, it is no longer necessary to switch the traffic inlets pointed to by the tens of thousands of service domain names of the corresponding cluster; only the traffic inlet pointed to by the intermediate domain name needs to be switched.
With this scheme, the service domain name through which the gateway device provides services to the outside (such as 1.com) is resolved via its CNAME record to the intermediate domain name, and the intermediate domain name is then resolved to the switched available second traffic inlet. This greatly increases the traffic switching speed of the network security management system and reduces the unavailable time.
S206: the domain name management server switches the traffic inlet of the intermediate domain name from the first traffic inlet to the second traffic inlet, so that the client sends data traffic to the second traffic inlet.
The essence of the traffic inlet switching performed by the domain name management server is to adjust the correspondence between the intermediate domain name and the traffic inlet: the intermediate domain name, which originally pointed to the first traffic inlet, is made to point to the second traffic inlet. In the subsequent steps the client sends its data traffic to the second traffic inlet, while the data traffic belonging to the attack traffic is still sent to the first traffic inlet, where it can be intercepted and discarded, thereby realizing protection against the DDoS attack.
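The intermediate-domain scheme of fig. 3 and step S206, as an added example that is not code from the patent: an in-memory DNS zone in which every service domain name is a CNAME to the intermediate domain name, so a single A-record update repoints the whole cluster. The service domain names follow the patent's illustration (1.com, 2.com, set-1.com); the VIP addresses and the per-call batch limit are constructed.

```python
# Added example (not from the patent): an in-memory DNS zone modelling the
# intermediate-domain scheme of fig. 3. Domain names follow the patent's
# illustration (1.com, 2.com, ..., set-1.com); VIP addresses are constructed.
from typing import Dict, Optional

MAX_CNAME_HOPS = 8   # stops resolution on an accidental CNAME loop


class DnsZone:
    def __init__(self) -> None:
        self.cname: Dict[str, str] = {}   # service domain -> intermediate domain name
        self.a: Dict[str, str] = {}       # domain name -> traffic inlet (VIP)

    def resolve(self, name: str) -> Optional[str]:
        """Follow CNAME records until an A record (a traffic inlet) is reached."""
        for _ in range(MAX_CNAME_HOPS):
            if name in self.a:
                return self.a[name]
            if name not in self.cname:
                return None
            name = self.cname[name]
        return None   # CNAME loop or chain too long

    def switch_intermediate(self, intermediate: str, old_vip: str, new_vip: str) -> int:
        """S206 (fig. 3(b)): repoint the single A record of the intermediate domain
        name. Returns how many service domain names changed their resolution."""
        if self.a.get(intermediate) != old_vip:
            raise ValueError("intermediate domain name does not point at the expected inlet")
        self.a[intermediate] = new_vip
        return sum(1 for target in self.cname.values() if target == intermediate)

    def switch_per_domain(self, old_vip: str, new_vip: str, batch_limit: int) -> int:
        """Fig. 3(a) for comparison: every service domain name carries its own A
        record and one call to the management interface may update at most
        `batch_limit` records. Returns the number of interface calls needed."""
        targets = [d for d, vip in self.a.items() if vip == old_vip]
        calls = 0
        for start in range(0, len(targets), batch_limit):
            for d in targets[start:start + batch_limit]:
                self.a[d] = new_vip
            calls += 1
        return calls


def build_cluster_zone(n_services: int, intermediate: str, vip: str, use_cname: bool) -> DnsZone:
    """Zone for one gateway cluster: with use_cname=True every service domain name
    is a CNAME to `intermediate` (fig. 3(b)); otherwise each has its own A record
    pointing at the inlet (fig. 3(a))."""
    zone = DnsZone()
    if use_cname:
        zone.a[intermediate] = vip
    for k in range(1, n_services + 1):
        service = f"{k}.com"
        if use_cname:
            zone.cname[service] = intermediate
        else:
            zone.a[service] = vip
    return zone
```
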
In one implementation, after the traffic detection server has sent the first notification event to the gateway device, if it detects that the data traffic flowing into the first traffic inlet meets the recovery condition, it generates a second notification event and sends it to the gateway device, where the second notification event indicates that the data traffic of the first traffic inlet meets the recovery condition; the gateway device may add the first traffic inlet back to the set of available traffic inlets in response to the second notification event. The data traffic flowing into the first traffic inlet meeting the recovery condition means that the attack traffic sent to the first traffic inlet has fallen below the blocking condition, or equivalently that the DDoS attack on the first traffic inlet has stopped, so the first traffic inlet can be reused as a standby available traffic inlet. This improves the reuse rate of the traffic inlets in the set of available traffic inlets and controls cost.
The network security management method provided by the embodiment of the present application can be applied to the data-plane request forwarding function of an API gateway device. Fig. 4 is a schematic diagram of an application scenario of the network security management method provided in an embodiment of the present application. Fig. 4 (a) shows the data-plane service management platform of the API gateway product; in the period shown, the data in the "real-time request number" column show large fluctuations in the data traffic, indicating that the gateway cluster is under DDoS attack. Fig. 4 (b) shows the response statistics of the requests forwarded by the cluster: at position (1) the cluster is under a traffic attack such as DDoS, and after the network security management system senses the traffic attack, traffic cleaning and traffic switching are performed at time point (2), so that the data-plane forwarding function of the cluster's API gateway returns to normal and the stability of the API gateway product is effectively improved.
According to the method and device of the present application, the data traffic flowing into the first traffic inlet is detected in real time by the traffic detection server, DDoS attack traffic and the client's data traffic are identified automatically, and the gateway device and the domain name management server are notified. Because traffic switching is based on the set of available traffic inlets and the intermediate domain name, the pre-applied second traffic inlet can be obtained directly, and switching the traffic inlet pointed to by the intermediate domain name of the target gateway cluster completes the traffic inlet switching of the many service domain names of every gateway device in the target gateway cluster. This realizes high-efficiency traffic switching, improves the effect and efficiency of DDoS attack protection, and guarantees the quality and stability of the service provided to the client.
Referring to fig. 5, fig. 5 is a flowchart of another network security management method according to an embodiment of the present application. The network security management method may be applied to a network security management system as shown in fig. 1. As shown in fig. 5, the network security management method includes, but is not limited to, the following steps:
S501: the traffic detection server obtains the data traffic flowing into the first traffic inlet.
S502: if the traffic detection server detects that the data traffic flowing into the first traffic inlet does not meet the blocking condition, it reports the characteristic information of the data traffic to the gateway device.
The characteristic information of the data traffic may include one or more of a traffic size, a traffic protocol type, and identification information of the first traffic inlet, and the traffic protocol type may be User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol over Secure Socket Layer (HTTPS), and the like. The blocking condition may be a blocking threshold established according to the traffic size of the data traffic flowing into the first traffic inlet. Illustratively, the blocking threshold may be that the traffic size of the attack traffic within the data traffic flowing into the first traffic inlet exceeds 100 Gigabytes (GB) per second.
Optionally, when detecting the data traffic flowing into the first traffic inlet, the traffic detection server may store the characteristic information of the data traffic in the database, and when it detects that the data traffic flowing into the first traffic inlet does not meet the blocking condition, it takes the characteristic information of the data traffic to be reported out of the database and sends it to the gateway device.
S503: and the gateway equipment executes a preset protection strategy for the data traffic according to the characteristic information of the data traffic.
In the present application, the gateway device can provide a basic DDoS protection service for a traffic inlet with the help of the traffic detection server in the network security management system.
When the data traffic flowing into the first traffic inlet does not meet the blocking condition, the traffic detection server can instruct the core switch to deliver the data traffic to the gateway device, and the gateway device processes the attack traffic within the data traffic according to a preset protection policy. For different DDoS attack scenarios the preset protection policy may include the following: the gateway device may obtain from the data traffic a first target traffic of a first traffic protocol type and discard the first target traffic, where the first traffic protocol type includes at least one of User Datagram Protocol (UDP) and Transmission Control Protocol (TCP); the gateway device may further obtain from the data traffic a second target traffic of a second traffic protocol type and perform rate limiting on the second target traffic, where the second traffic protocol type includes at least one of Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol over Secure Socket Layer (HTTPS).
In one implementation, when the data traffic flowing into the first traffic inlet does not meet the blocking condition, the traffic detection server may perform protection processing on the different types of attack traffic according to the preset protection policy formulated by the gateway device.
Illustratively, the gateway device may perform protection processing for different types of attack traffic based on the network security management system shown in fig. 6. Fig. 6 includes terminals (including a client and an attacker), an operator network, and a network security management system comprising a traffic detection server, multiple core switches, multiple switches, layer-4 load balancing gateway clusters 1 and 2, a gateway device cluster and a service server. The terminals send data traffic to the network security management system through the operator network; the traffic detection server detects the data traffic flowing into the traffic inlet and automatically distinguishes the data traffic from the client from the attack traffic from the attacker's terminal; if the data traffic does not meet the blocking condition, the characteristic information of the data traffic is reported to the gateway device, and the gateway device can control and manage the traffic and carry out traffic attack protection.
Since the services provided by the gateway device are mainly based on HTTP/1, WebSocket and HTTP/2, and UDP is not supported, UDP-based data traffic can be discarded directly, which prevents UDP-based traffic attacks. A SYN flood (Synchronize Sequence Numbers flood) is a DDoS attack that exploits a weakness of TCP by sending a large number of forged TCP connection requests to waste server resources; it can be prevented by the core switch in the network security management system. The HTTP and HTTPS requests of each gateway cluster can be rate limited: a default limiting threshold is set, and HTTP/HTTPS requests exceeding the limiting threshold are discarded, so that excessive traffic to a single API cannot affect the normal operation of the other services in the cluster, and large-volume HTTP attacks are prevented. In addition, against HTTP-based Challenge Collapsar (CC) attacks, the gateway device not only sets a rate limiting threshold but also provides various authentication functions, and CC traffic that does not pass authentication is discarded, thereby realizing protection against CC attacks.
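The preset protection policy of S503 as an added example, not the patent's or the product's own code: UDP/TCP target traffic is discarded, HTTP/HTTPS is rate limited per gateway cluster and per second with over-limit requests discarded, and HTTP traffic failing authentication (the CC case) is discarded. The limit value, the `authenticated` flag on each flow and the sample flows are constructed assumptions.

```python
# Added example (not the patent's code): a preset protection policy of the kind
# described in S503. The per-second limit, the `authenticated` flag and the
# sample flows are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

DROP_PROTOCOLS = {"UDP", "TCP"}        # first target traffic: not served by the gateway
LIMIT_PROTOCOLS = {"HTTP", "HTTPS"}    # second target traffic: subject to the limit
DEFAULT_LIMIT_PER_SECOND = 1000        # assumed default limiting threshold per cluster


@dataclass(frozen=True)
class Flow:
    protocol: str        # "UDP", "TCP", "HTTP" or "HTTPS"
    cluster: str         # gateway cluster the request is destined for
    second: int          # arrival time in whole seconds (the limiting window)
    authenticated: bool  # assumed: outcome of the gateway's authentication functions


class ProtectionPolicy:
    def __init__(self, limit_per_second: int = DEFAULT_LIMIT_PER_SECOND) -> None:
        self.limit = limit_per_second
        # (cluster, second) -> requests already accepted in that window
        self.accepted: Dict[Tuple[str, int], int] = defaultdict(int)

    def decide(self, flow: Flow) -> str:
        """Returns "discard", "limit" (over the threshold, also discarded) or "forward"."""
        if flow.protocol in DROP_PROTOCOLS:
            return "discard"        # the gateway serves HTTP/1, WebSocket and HTTP/2 only
        if flow.protocol not in LIMIT_PROTOCOLS:
            return "discard"        # unknown protocol: fail closed
        if not flow.authenticated:
            return "discard"        # CC traffic that does not pass authentication
        key = (flow.cluster, flow.second)
        if self.accepted[key] >= self.limit:
            return "limit"          # exceeds the cluster's limiting threshold
        self.accepted[key] += 1
        return "forward"


def apply_policy(flows: List[Flow], limit_per_second: int) -> Dict[str, int]:
    """Run the policy over a batch of flows and count each decision."""
    policy = ProtectionPolicy(limit_per_second)
    summary: Dict[str, int] = defaultdict(int)
    for flow in flows:
        summary[policy.decide(flow)] += 1
    return dict(summary)


def sample_flows() -> List[Flow]:
    """Constructed traffic: a small UDP flood, a TCP probe, an HTTP burst, one
    CC request failing authentication, and a normal request one second later."""
    flows = [Flow("UDP", "cluster-1", 0, True)] * 2
    flows.append(Flow("TCP", "cluster-1", 0, True))
    flows += [Flow("HTTP", "cluster-1", 0, True)] * 5
    flows.append(Flow("HTTPS", "cluster-1", 0, False))
    flows.append(Flow("HTTP", "cluster-1", 1, True))
    return flows
```
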
S504: if the traffic detection server detects that the data traffic flowing into the first traffic inlet meets the blocking condition, it generates a first notification event and sends the first notification event to the gateway device.
S505: the gateway device determines a second traffic inlet from the set of available traffic inlets in response to the first notification event and sends entry switching indication information to the domain name management server.
The set of available traffic inlets includes at least one traffic inlet applied for in advance.
In one implementation, because maintaining a set of virtual IP addresses (the set of available traffic inlets) is costly, and given that a virtual address that has been subjected to a DDoS attack is typically not attacked again within a few days, the concept of a circular queue may be employed. The gateway device may check the set of available traffic inlets to determine whether any traffic inlet is present in it; the check may be periodic, e.g. the gateway device checks every 10 minutes. If the gateway device finds that no traffic inlet is present in the set of available traffic inlets, it automatically applies for one or more traffic inlets, for example 5-10 traffic inlets, and adds them to the set of available traffic inlets in groups of 2-3 traffic inlet addresses. After one group of traffic inlets is attacked, the attack traffic on that group can be blocked and the client's data traffic switched to another group of available traffic inlets.
S506: after responding to the entry switching indication information by acquiring the intermediate domain name of the target gateway device cluster to which the gateway device belongs, the domain name management server switches the traffic inlet of the intermediate domain name from the first traffic inlet to the second traffic inlet, so that the client sends data traffic to the second traffic inlet.
The intermediate domain name here is the intermediate domain name of the target gateway device cluster described above, which corresponds to the service domain name of each gateway device included in the target gateway device cluster, where the target gateway device cluster is the gateway cluster to which the currently used gateway device belongs. One gateway cluster may have multiple service domain names for providing services to the outside, while all service domain names belonging to the same gateway cluster correspond to the same intermediate domain name.
The domain name management server adjusts the correspondence between the intermediate domain name and the traffic inlet: the intermediate domain name, which originally pointed to the first traffic inlet, is made to point to the second traffic inlet. In the subsequent steps the client sends its data traffic to the second traffic inlet, while the data traffic belonging to the attack traffic is still sent to the first traffic inlet, where it can be intercepted and discarded, realizing DDoS attack protection.
In one implementation, the domain name management server may receive a domain name resolution request sent by the client and determine, based on the intermediate domain name of the target gateway device cluster included in the request, the second traffic inlet to which the intermediate domain name points; it then sends the obtained identification information of the second traffic inlet to the client, so that the client sends its data traffic to the second traffic inlet based on the identification information of the second traffic inlet, from where it is forwarded to the service server corresponding to the service requested by the client, ensuring normal operation of the service. The terminal sending the attack traffic cannot learn that the traffic inlet has been switched to the second traffic inlet, so the attack traffic is still sent to the first traffic inlet; the first traffic inlet is subjected to traffic blocking and the data traffic flowing into it is discarded, so the DDoS attack is effectively defended against.
S507: if the traffic detection server detects that the data traffic flowing into the first traffic inlet meets the recovery condition, it generates a second notification event and sends the second notification event to the gateway device.
The traffic detection server may periodically detect the data traffic flowing into the first traffic inlet and the second traffic inlet, and when, after the traffic switch, it detects that the data traffic flowing into the first traffic inlet meets the recovery condition, it may generate a second notification event and send it to the gateway device. Meeting the recovery condition may mean that the traffic size of the data traffic flowing into the first traffic inlet per second is smaller than the blocking threshold, for example smaller than 100 GB per second, which indicates that the DDoS attack on the first traffic inlet has weakened or stopped and the first traffic inlet can be put back into use.
S508: the gateway device adds the first traffic inlet to the set of available traffic inlets in response to the second notification event.
Because maintaining the set of traffic inlets is costly, and considering that a traffic inlet that has been subjected to a DDoS attack is not attacked again within a few days, the idea of a circular queue can be adopted: when the data traffic flowing into the first traffic inlet meets the recovery condition, the gateway device adds the first traffic inlet back to the set of available traffic inlets, which improves the reuse rate of the traffic inlets in the set of available traffic inlets and reduces cost.
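The detection events (S202, S507) together with the pooled inlet set and its circular-queue replenishment and recovery (S203, S505, S508), as an added example that is not the patent's code. The 100 GB/s blocking threshold is the one the text gives; the VIP addresses, the group size, the replenishment count and the traffic samples are constructed.

```python
# Added example (not the patent's code): the traffic detection server's block /
# recover events and the gateway's available traffic inlet set kept as a
# circular queue. VIP addresses, group sizes and traffic samples are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

Inlet = Tuple[str, ...]          # one traffic inlet: a single VIP or a small VIP group
BLOCK_THRESHOLD_GBPS = 100.0     # blocking threshold given in the text


@dataclass(frozen=True)
class Notification:
    kind: str            # "block" = first notification event, "recover" = second
    inlet: Inlet         # identification information of the traffic inlet
    attack_gbps: float   # traffic size of the attack traffic


class TrafficDetector:
    """Emits an event only when an inlet crosses the threshold in either direction,
    so the gateway is not flooded with duplicate notifications."""
    def __init__(self, threshold: float = BLOCK_THRESHOLD_GBPS) -> None:
        self.threshold = threshold
        self.blocked: Set[Inlet] = set()

    def observe(self, inlet: Inlet, attack_gbps: float) -> Optional[Notification]:
        over = attack_gbps > self.threshold
        if over and inlet not in self.blocked:          # blocking condition met
            self.blocked.add(inlet)
            return Notification("block", inlet, attack_gbps)
        if not over and inlet in self.blocked:          # recovery condition met
            self.blocked.discard(inlet)
            return Notification("recover", inlet, attack_gbps)
        return None


class InletPool:
    """Available traffic inlet set: pre-applied inlets in a circular queue."""
    def __init__(self, inlets: List[Inlet]) -> None:
        self.available: Deque[Inlet] = deque(inlets)
        self.applied = 0   # VIPs applied for so far (only used for constructed names)

    def replenish(self, count: int = 6, group_size: int = 2) -> int:
        """Periodic check (the text suggests every 10 minutes): only if the set is
        empty, apply for `count` new VIPs and add them in groups of `group_size`.
        Returns the number of groups added."""
        if self.available:
            return 0
        vips = [f"198.51.100.{self.applied + i}" for i in range(count)]  # constructed
        self.applied += count
        groups = [tuple(vips[i:i + group_size]) for i in range(0, count, group_size)]
        self.available.extend(groups)
        return len(groups)

    def take(self) -> Inlet:
        if not self.available:
            raise LookupError("available traffic inlet set is empty; replenish first")
        return self.available.popleft()

    def give_back(self, inlet: Inlet) -> None:
        self.available.append(inlet)   # a recovered inlet rejoins at the tail


class Gateway:
    """Reacts to notification events; a block on the active inlet yields the entry
    switching indication information for the domain name management server."""
    def __init__(self, active: Inlet, pool: InletPool) -> None:
        self.active = active
        self.pool = pool

    def handle(self, note: Notification) -> Optional[Dict[str, Inlet]]:
        if note.kind == "block" and note.inlet == self.active:
            new = self.pool.take()
            indication = {"from": self.active, "to": new}
            self.active = new
            return indication
        if note.kind == "recover":
            self.pool.give_back(note.inlet)
        return None


def simulate(samples: List[Tuple[Inlet, float]]) -> Tuple[List[Dict[str, Inlet]], List[Inlet]]:
    """Drive detector and gateway over (inlet, attack GB/s) samples; returns the
    switching indications issued and the final order of the available set."""
    first: Inlet = ("203.0.113.1",)                              # constructed
    pool = InletPool([("203.0.113.2",), ("203.0.113.3",)])       # constructed
    detector, gateway = TrafficDetector(), Gateway(first, pool)
    indications: List[Dict[str, Inlet]] = []
    for inlet, gbps in samples:
        note = detector.observe(inlet, gbps)
        if note is not None:
            indication = gateway.handle(note)
            if indication is not None:
                indications.append(indication)
    return indications, list(pool.available)
```
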
It should be noted that, based on the same inventive concept, the technical details and principles in S501, S504-S506 can be referred to the technical details and principles in S201-S205, and are not repeated here for brevity.
In the embodiment of the present application, the preset protection policy is formulated in the gateway device, the DDoS attack type is identified automatically by the traffic detection server, and the corresponding protection policy is issued automatically, so the gateway device has a certain DDoS protection capability of its own without purchasing other firewall services. This reduces the cost of network security management and at the same time reduces the number of traffic switches, which lowers the pressure on the domain name management server. In addition, the set of available traffic inlets is maintained according to the idea of a circular queue, realizing fast and efficient traffic switching, reducing the impact of DDoS on the network security management system, and reducing the cost of maintaining traffic inlets.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a network security management device according to an embodiment of the present application. The network security management apparatus includes a receiving unit 710, a processing unit 720, and a transmitting unit 730. Wherein:
a receiving unit 710, configured to receive a first notification event reported by the traffic detection server, where the first notification event indicates that the data traffic flowing into the first traffic inlet meets the blocking condition;
a processing unit 720, configured to determine, in response to the first notification event, a second traffic inlet from a set of available traffic inlets, where the set of available traffic inlets includes at least one traffic inlet applied in advance;
and a sending unit 730, configured to send ingress switching indication information to the domain name management server, where the ingress switching indication information includes identification information of a second traffic ingress, and the ingress switching indication information is configured to instruct the domain name management server to switch a traffic ingress of an intermediate domain name of the target gateway device cluster from the first traffic ingress to the second traffic ingress, so that the client sends data traffic to the second traffic ingress, where the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster.
In one implementation, the receiving unit 710 is further configured to receive a second notification event reported by the traffic detection server, where the second notification event indicates that the data traffic flowing into the first traffic inlet meets the recovery condition; the processing unit 720 is further configured to add the first traffic inlet to the set of available traffic inlets in response to the second notification event.
In one implementation, the receiving unit 710 is further configured to receive, when the data traffic flowing into the first traffic inlet does not meet the blocking condition, the reported characteristic information of the data traffic, where the characteristic information includes one or more of a traffic size, a traffic protocol type, and identification information of the first traffic inlet; the processing unit 720 is further configured to execute a preset protection policy on the data traffic according to the characteristic information.
In one implementation, the processing unit 720 is further configured to obtain a first target traffic of a first traffic protocol type from the data traffic and discard the first target traffic, where the first traffic protocol type includes at least one of User Datagram Protocol and Transmission Control Protocol; and to obtain a second target traffic of a second traffic protocol type from the data traffic and perform rate limiting on the second target traffic, where the second traffic protocol type includes at least one of Hypertext Transfer Protocol and Hypertext Transfer Protocol over Secure Socket Layer.
In one implementation, the processing unit 720 is further configured to determine whether a traffic inlet exists in the set of available traffic inlets; if not, a third flow inlet is acquired and added to the set of available flow inlets.
Referring to fig. 8, fig. 8 is a schematic structural diagram of another network security management device according to an embodiment of the present application. The network security management apparatus includes a receiving unit 810 and a processing unit 820. Wherein:
a receiving unit 810, configured to receive ingress switching indication information from a gateway device, where the ingress switching indication information includes identification information of a second traffic ingress;
a processing unit 820, configured to obtain, in response to the entry switch indication information, an intermediate domain name of a target gateway device cluster to which the gateway device belongs, where the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster; and switching the traffic inlet of the middle domain name from the first traffic inlet to the second traffic inlet so that the client sends data traffic to the second traffic inlet, wherein the first traffic inlet is the traffic inlet of which the inflow data traffic meets the blocking condition.
In one implementation, the receiving unit 810 is further configured to receive a domain name resolution request sent by the client, where the domain name resolution request includes the intermediate domain name of the target gateway device cluster; the processing unit 820 is further configured to determine the second traffic inlet based on the intermediate domain name and to send the identification information of the second traffic inlet to the client, so that the client sends its data traffic to the second traffic inlet based on the identification information of the second traffic inlet.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a network security management device according to another embodiment of the present application. The network security management apparatus includes an acquisition unit 910, a processing unit 920, and a transmission unit 930. Wherein:
an acquisition unit 910, configured to acquire the data traffic flowing into the first traffic inlet;
a processing unit 920, configured to generate a first notification event if the data traffic flowing into the first traffic inlet meets the blocking condition, where the first notification event is used to indicate that the data traffic flowing into the first traffic inlet meets the blocking condition;
a sending unit 930, configured to send a first notification event to the gateway device, so that the gateway device determines a second traffic portal from the set of available traffic portals, and sends ingress switching indication information to the domain name management server, where the ingress switching indication information is used to instruct the domain name management server to switch the traffic portal of the middle domain name of the target gateway device cluster from the first traffic portal to the second traffic portal, and the target gateway device cluster includes the gateway device.
In one implementation, after sending the first notification event to the gateway device, the processing unit 920 is further configured to generate a second notification event if the data traffic flowing into the first traffic inlet meets the recovery condition, where the second notification event is used to indicate that the data traffic flowing into the first traffic inlet meets the recovery condition; the sending unit 930 is further configured to send a second notification event to the gateway device, so that the gateway device adds the first traffic inlet to the set of available traffic inlets.
In one implementation manner, the processing unit 920 is further configured to obtain, if the data traffic flowing into the first traffic inlet does not meet the blocking condition, feature information of the data traffic, where the feature information includes one or more of a traffic size, a traffic protocol type, and identification information of the first traffic inlet; the sending unit 930 is further configured to send the feature information of the data traffic to the gateway device, so that the gateway device executes a preset protection policy on the data traffic according to the feature information.
According to an embodiment of the present application, the units of the network security management apparatus shown in fig. 7, fig. 8 and fig. 9 may be combined, individually or all together, into one or several units, or some unit(s) may be further split into a plurality of sub-units with smaller functions, and the same operations can still be implemented without affecting the technical effects of the embodiments of the present application. The above units are divided by logical function; in practical applications, the function of one unit may be implemented by a plurality of units, or the functions of a plurality of units may be implemented by one unit. In other embodiments of the present application, the network security management apparatus may also include other units, and in practical applications these functions may also be implemented with the assistance of other units or by the cooperation of multiple units.
It may be understood that the functions of each functional unit of the network security management apparatus described in the embodiments of the present application may be implemented according to the method in the method embodiments; for the specific implementation process, refer to the relevant description of the method embodiments, which is not repeated here.
In the embodiment of the application, the preset protection policy is formulated in the gateway device, the DDoS attack type is automatically identified by the traffic detection server, and the corresponding protection policy is automatically issued, so that the gateway device has a certain DDoS protection capability of its own, no additional firewall service needs to be purchased, and the cost of network security management is reduced; at the same time, fewer traffic switches are needed, which reduces the load on the domain name management server. In addition, the set of available traffic ingresses is maintained on the principle of a circular queue, which achieves fast and efficient traffic switching, reduces the impact of DDoS on the network security management system, and reduces the cost of maintaining traffic ingresses.
Fig. 10 is a schematic structural diagram of a computer device provided in the present application. As shown in fig. 10, the computer device may include a processor 1010, a network interface 1020, and a memory 1030, where the processor 1010, the network interface 1020 and the memory 1030 may be connected by a bus or other means; a bus connection is taken as the example in the embodiment of the present application.
The processor 1010 (or CPU, Central Processing Unit) is the computing core and control core of the computer device: it can parse the various instructions in the computer device and process the various data of the computer device. For example, the CPU can parse the power-on and power-off instructions sent to the computer device and control the computer device to perform the power-on or power-off operation; for another example, the CPU can transfer various kinds of interaction data between the internal structures of the computer device, and so on. The network interface 1020 may optionally include a standard wired interface or a wireless interface (e.g., Wi-Fi, a mobile communication interface, etc.), controlled by the processor 1010 for sending and receiving data. The memory 1030 (Memory) is the storage device in the computer device for storing programs and data. It will be appreciated that the memory 1030 here may include both the built-in memory of the computer device and extended memory supported by the computer device. The memory 1030 provides storage space that holds the operating system of the computer device, which may include, but is not limited to, an Android system, an iOS system, a Windows Phone system, etc.; this is not limited in the present application.
In one implementation, the processor 1010 performs the following operations by executing the executable program code in the memory 1030:
receiving a first notification event reported by the traffic detection server, where the first notification event indicates that the data traffic flowing into a first traffic ingress meets the blocking condition; determining, in response to the first notification event, a second traffic ingress from a set of available traffic ingresses, the set of available traffic ingresses including at least one pre-applied traffic ingress; and sending ingress switching indication information to the domain name management server, where the ingress switching indication information includes the identification information of the second traffic ingress and instructs the domain name management server to switch the traffic ingress of the intermediate domain name of the target gateway device cluster from the first traffic ingress to the second traffic ingress, so that the client sends data traffic to the second traffic ingress; the intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: receiving a second notification event reported by the traffic detection server, where the second notification event indicates that the data traffic flowing into the first traffic ingress meets the recovery condition; and, in response to the second notification event, adding the first traffic ingress to the set of available traffic ingresses.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: receiving feature information of the data traffic, reported by the traffic detection server when the data traffic flowing into the first traffic ingress does not meet the blocking condition, where the feature information includes one or more of the traffic size, the traffic protocol type, and the identification information of the first traffic ingress; and executing a preset protection policy on the data traffic according to the feature information.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: acquiring first target traffic of a first traffic protocol type from the data traffic and discarding the first target traffic, where the first traffic protocol type includes at least one of the user datagram protocol (UDP) and the transmission control protocol (TCP); and acquiring second target traffic of a second traffic protocol type from the data traffic and performing rate limiting on the second target traffic, where the second traffic protocol type includes at least one of the hypertext transfer protocol (HTTP) and the hypertext transfer protocol secure (HTTPS).
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: determining whether any traffic ingress remains in the set of available traffic ingresses; and if not, acquiring a third traffic ingress and adding it to the set of available traffic ingresses.
In another implementation, the processor 1010 performs the following operations by executing the executable program code in the memory 1030:
receiving ingress switching indication information from a gateway device, where the ingress switching indication information includes identification information of a second traffic ingress; in response to the ingress switching indication information, acquiring the intermediate domain name of the target gateway device cluster to which the gateway device belongs, where the intermediate domain name corresponds to the service domain name of each gateway device included in the target gateway device cluster; and switching the traffic ingress of the intermediate domain name from the first traffic ingress to the second traffic ingress so that the client sends data traffic to the second traffic ingress, where the first traffic ingress is the traffic ingress whose inbound data traffic meets the blocking condition.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: receiving a domain name resolution request sent by the client, where the domain name resolution request includes the intermediate domain name of the target gateway device cluster; determining the second traffic ingress based on the intermediate domain name; and sending the identification information of the second traffic ingress to the client so that the client sends the data traffic to the second traffic ingress based on that identification information.
In yet another implementation, the processor 1010 performs the following operations by executing the executable program code in the memory 1030:
acquiring the data traffic flowing into a first traffic ingress; if the data traffic flowing into the first traffic ingress meets the blocking condition, generating a first notification event, where the first notification event indicates that the data traffic flowing into the first traffic ingress meets the blocking condition; and sending the first notification event to the gateway device so that the gateway device determines a second traffic ingress from the set of available traffic ingresses and sends ingress switching indication information to the domain name management server, where the ingress switching indication information instructs the domain name management server to switch the traffic ingress of the intermediate domain name of the target gateway device cluster from the first traffic ingress to the second traffic ingress, and the target gateway device cluster includes the gateway device.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: after the first notification event is sent to the gateway device, if the data traffic flowing into the first traffic ingress meets the recovery condition, generating a second notification event, where the second notification event indicates that the data traffic flowing into the first traffic ingress meets the recovery condition; and sending the second notification event to the gateway device so that the gateway device adds the first traffic ingress to the set of available traffic ingresses.
Optionally, the processor 1010 may also perform the following by executing the executable program code in the memory 1030: if the data traffic flowing into the first traffic ingress does not meet the blocking condition, acquiring feature information of the data traffic, where the feature information includes one or more of the traffic size, the traffic protocol type, and the identification information of the first traffic ingress; and sending the feature information of the data traffic to the gateway device so that the gateway device executes a preset protection policy on the data traffic according to the feature information.
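As an added example that is not part of the patent, the three roles described in the implementations above (and restated in claims 1 to 10) are simulated below: a traffic detection server evaluates a blocking and a recovery condition per ingress, the gateway keeps its available ingresses in a circular queue and sends switching indications, and the domain name management server re-points the cluster's intermediate domain name. The thresholds, the HTTP/HTTPS rate cap, and the ingress and domain identifiers are constructed assumptions; the patent does not specify them.

```python
from collections import deque

# Constructed thresholds: the patent only names a "blocking condition" and a
# "recovery condition" without saying how they are evaluated.
BLOCK_BPS = 10_000_000     # inbound bytes/s at or above which an ingress is blocked
RECOVER_BPS = 1_000_000    # at or below which a blocked ingress counts as recovered
HTTP_CAP_BPS = 2_000_000   # ceiling applied to HTTP/HTTPS by the preset policy (assumed)


class DnsManager:
    """Domain name management server: intermediate domain name -> current ingress."""

    def __init__(self, cluster_of):
        self.cluster_of = cluster_of   # gateway id -> intermediate domain name of its cluster
        self.ingress_of = {}           # intermediate domain name -> ingress identifier

    def switch(self, gateway_id, new_ingress):
        # Ingress switching indication information received from a gateway device.
        domain = self.cluster_of[gateway_id]
        self.ingress_of[domain] = new_ingress
        return domain

    def resolve(self, domain):
        # Domain name resolution request from a client: answer with the current ingress.
        return self.ingress_of[domain]


class Gateway:
    """Gateway device: keeps the set of available ingresses as a circular queue."""

    def __init__(self, gid, dns, current, pre_applied):
        self.gid, self.dns, self.current = gid, dns, current
        self.available = deque(pre_applied)   # pre-applied spare ingresses
        self.spares_acquired = 0
        dns.switch(gid, current)

    def _next_ingress(self):
        if not self.available:                # empty set: acquire a third ingress first
            self.spares_acquired += 1
            self.available.append(f"{self.gid}-spare{self.spares_acquired}")
        return self.available.popleft()       # head of the circular queue

    def on_first_notification(self, blocked_ingress):
        """Blocking condition met on the current ingress: move the domain to the next one."""
        if blocked_ingress != self.current:
            return ("ignored", blocked_ingress)
        self.current = self._next_ingress()
        self.dns.switch(self.gid, self.current)
        return ("switched", self.current)

    def on_second_notification(self, recovered_ingress):
        """Recovery condition met: the old ingress rejoins the tail of the queue."""
        self.available.append(recovered_ingress)
        return ("recovered", recovered_ingress)

    def apply_policy(self, features):
        """Preset protection policy for traffic below the blocking condition:
        drop UDP/TCP target traffic, rate-limit HTTP/HTTPS. Returns (action, admitted_bps)."""
        proto, size = features["protocol"], features["size"]
        if proto in ("udp", "tcp"):
            return ("drop", 0)
        if proto in ("http", "https"):
            return ("limit", min(size, HTTP_CAP_BPS))
        return ("pass", size)


class DetectionServer:
    """Traffic detection server: turns per-ingress samples into events or feature reports."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.blocked = set()

    def observe(self, ingress, bytes_per_s, protocol):
        if ingress not in self.blocked and bytes_per_s >= BLOCK_BPS:
            self.blocked.add(ingress)                     # first notification event
            return self.gateway.on_first_notification(ingress)
        if ingress in self.blocked:
            if bytes_per_s <= RECOVER_BPS:
                self.blocked.discard(ingress)             # second notification event
                return self.gateway.on_second_notification(ingress)
            return ("still_blocked", ingress)
        features = {"size": bytes_per_s, "protocol": protocol, "ingress": ingress}
        return self.gateway.apply_policy(features)        # feature information report


def run_scenario():
    """Constructed scenario: a flood hits ingress-A, clients move to ingress-B, A recovers."""
    dns = DnsManager({"gw1": "cluster1.intermediate.example"})
    gw = Gateway("gw1", dns, "ingress-A", ["ingress-B", "ingress-C"])
    det = DetectionServer(gw)
    return [
        det.observe("ingress-A", 500_000, "https"),       # normal load: policy applied
        det.observe("ingress-A", 50_000_000, "udp"),      # flood: switched to ingress-B
        dns.resolve("cluster1.intermediate.example"),     # clients now resolve to ingress-B
        det.observe("ingress-A", 20_000_000, "udp"),      # still above recovery threshold
        det.observe("ingress-A", 100_000, "udp"),         # recovered: A rejoins the queue
        list(gw.available),                               # queue order: ingress-C, ingress-A
    ]
```

Because the recovered ingress is appended at the tail rather than restored to the head, a second flood cycles through every spare before reusing the one that was just attacked, which is the circular-queue behaviour the summary above credits with cheap, fast switching.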
It should be understood that the computer device described in the embodiments of the present application may perform the network security management method described above in the embodiments corresponding to fig. 2 and fig. 5, and may also perform the functions of the network security management device described above in the embodiments corresponding to fig. 6 to 8, which are not repeated here. The description of the beneficial effects of the same method is likewise omitted.
The present application further provides a computer readable storage medium storing the computer program executed by the network security management apparatus mentioned above. The computer program includes program instructions which, when executed by a processor, can perform the network security management method described in the embodiments corresponding to fig. 2 and fig. 5, so the description is not repeated here. The description of the beneficial effects of the same method is likewise omitted. For technical details not disclosed in the computer storage medium embodiments of the present application, refer to the description of the method embodiments of the present application.
The present application also provides a computer program product comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes them, so that the computer device performs the network security management method described in the embodiments corresponding to fig. 2 and fig. 5; a detailed description is therefore not given here. The description of the beneficial effects of the same method is likewise omitted. For technical details not disclosed in the computer-readable storage medium embodiments of the present application, refer to the description of the method embodiments of the present application.
The terms "first", "second" and the like in the description, claims and drawings of the embodiments of the present application are used to distinguish between different objects, not to describe a particular sequential order. Furthermore, the term "include" and any variations thereof are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article or device that comprises a list of steps or elements is not limited to the listed steps or modules but may, in the alternative, include other steps or modules not listed or inherent to such process, method, apparatus, article or device.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been described above in terms of their function in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The methods and related devices provided in the embodiments of the present application are described with reference to the method flowcharts and/or structural diagrams of those embodiments. Each flow and/or block of the flowcharts and/or structural diagrams, and combinations of flows and/or blocks therein, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable network security management device to produce a machine, such that the instructions executed by the processor of the computer or other programmable network security management device create means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the structural diagrams. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable network security management apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the structural diagrams. These computer program instructions may also be loaded onto a computer or other programmable network security management device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the structural diagrams.
The foregoing disclosure is only illustrative of the preferred embodiments of the present application and is not intended to limit the scope of the claims; equivalents of the claims shall be construed to fall within the scope of the claims.

Claims (15)

1. A method of network security management, the method comprising:
receiving a first notification event reported by a traffic detection server, wherein the first notification event indicates that the data traffic flowing into a first traffic ingress meets a blocking condition;
determining, in response to the first notification event, a second traffic ingress from a set of available traffic ingresses, the set of available traffic ingresses including at least one pre-applied traffic ingress;
and sending ingress switching indication information to a domain name management server, wherein the ingress switching indication information comprises identification information of the second traffic ingress and instructs the domain name management server to switch the traffic ingress of an intermediate domain name of a target gateway device cluster from the first traffic ingress to the second traffic ingress, so that a client sends data traffic to the second traffic ingress, and the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster.
2. The method according to claim 1, wherein the method further comprises:
receiving a second notification event reported by the traffic detection server, wherein the second notification event indicates that the data traffic flowing into the first traffic ingress meets a recovery condition;
and, in response to the second notification event, adding the first traffic ingress to the set of available traffic ingresses.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
receiving feature information of the data traffic reported by the traffic detection server when the data traffic flowing into the first traffic ingress does not meet the blocking condition, wherein the feature information comprises one or more of a traffic size, a traffic protocol type and the identification information of the first traffic ingress;
and executing a preset protection policy on the data traffic according to the feature information.
4. The method according to claim 3, wherein said executing a preset protection policy on said data traffic according to said feature information comprises:
acquiring first target traffic of a first traffic protocol type from the data traffic and discarding the first target traffic, wherein the first traffic protocol type comprises at least one of the user datagram protocol and the transmission control protocol;
and acquiring second target traffic of a second traffic protocol type from the data traffic and performing rate limiting on the second target traffic, wherein the second traffic protocol type comprises at least one of the hypertext transfer protocol and the hypertext transfer protocol secure.
5. The method according to claim 1, wherein the method further comprises:
determining whether any traffic ingress remains in the set of available traffic ingresses;
and if not, acquiring a third traffic ingress and adding it to the set of available traffic ingresses.
6. A method of network security management, the method comprising:
receiving ingress switching indication information from a gateway device, wherein the ingress switching indication information comprises identification information of a second traffic ingress;
in response to the ingress switching indication information, acquiring an intermediate domain name of a target gateway device cluster to which the gateway device belongs, wherein the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster;
and switching the traffic ingress of the intermediate domain name from a first traffic ingress to the second traffic ingress so that a client sends data traffic to the second traffic ingress, wherein the first traffic ingress is a traffic ingress whose inbound data traffic meets a blocking condition.
7. The method of claim 6, wherein the method further comprises:
receiving a domain name resolution request sent by the client, wherein the domain name resolution request comprises the intermediate domain name of the target gateway device cluster;
determining the second traffic ingress based on the intermediate domain name;
and sending the identification information of the second traffic ingress to the client so that the client sends data traffic to the second traffic ingress based on the identification information of the second traffic ingress.
8. A method of network security management, the method comprising:
acquiring data traffic flowing into a first traffic ingress;
if the data traffic flowing into the first traffic ingress meets a blocking condition, generating a first notification event, wherein the first notification event indicates that the data traffic flowing into the first traffic ingress meets the blocking condition;
and sending the first notification event to a gateway device so that the gateway device determines a second traffic ingress from a set of available traffic ingresses and sends ingress switching indication information to a domain name management server, wherein the ingress switching indication information instructs the domain name management server to switch the traffic ingress of an intermediate domain name of a target gateway device cluster from the first traffic ingress to the second traffic ingress, and the target gateway device cluster comprises the gateway device.
9. The method of claim 8, wherein after the sending of the first notification event to the gateway device, the method further comprises:
if the data traffic flowing into the first traffic ingress meets a recovery condition, generating a second notification event, wherein the second notification event indicates that the data traffic flowing into the first traffic ingress meets the recovery condition;
and sending the second notification event to the gateway device so that the gateway device adds the first traffic ingress to the set of available traffic ingresses.
10. The method according to claim 8 or 9, characterized in that the method further comprises:
if the data traffic flowing into the first traffic ingress does not meet the blocking condition, acquiring feature information of the data traffic, wherein the feature information comprises one or more of a traffic size, a traffic protocol type and identification information of the first traffic ingress;
and sending the feature information of the data traffic to the gateway device so that the gateway device executes a preset protection policy on the data traffic according to the feature information.
11. A network security management apparatus, comprising:
a receiving unit, configured to receive a first notification event reported by a traffic detection server, wherein the first notification event indicates that the data traffic flowing into a first traffic ingress meets a blocking condition;
a processing unit, configured to determine, in response to the first notification event, a second traffic ingress from a set of available traffic ingresses, wherein the set of available traffic ingresses includes at least one pre-applied traffic ingress;
and a sending unit, configured to send ingress switching indication information to a domain name management server, wherein the ingress switching indication information includes identification information of the second traffic ingress and instructs the domain name management server to switch the traffic ingress of an intermediate domain name of a target gateway device cluster from the first traffic ingress to the second traffic ingress, so that a client sends data traffic to the second traffic ingress, and the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster.
12. A network security management apparatus, comprising:
a receiving unit, configured to receive ingress switching indication information from a gateway device, the ingress switching indication information including identification information of a second traffic ingress;
and a processing unit, configured to acquire, in response to the ingress switching indication information, an intermediate domain name of a target gateway device cluster to which the gateway device belongs, wherein the intermediate domain name corresponds to a service domain name of each gateway device included in the target gateway device cluster; and to switch the traffic ingress of the intermediate domain name from a first traffic ingress to the second traffic ingress so that a client sends data traffic to the second traffic ingress, wherein the first traffic ingress is a traffic ingress whose inbound data traffic meets a blocking condition.
13. A network security management apparatus, comprising:
an acquisition unit, configured to acquire data traffic flowing into a first traffic ingress;
a processing unit, configured to generate a first notification event if the data traffic flowing into the first traffic ingress meets a blocking condition, wherein the first notification event indicates that the data traffic flowing into the first traffic ingress meets the blocking condition;
and a sending unit, configured to send the first notification event to a gateway device so that the gateway device determines a second traffic ingress from a set of available traffic ingresses and sends ingress switching indication information to a domain name management server, wherein the ingress switching indication information instructs the domain name management server to switch the traffic ingress of an intermediate domain name of a target gateway device cluster from the first traffic ingress to the second traffic ingress, and the target gateway device cluster includes the gateway device.
14. A computer device, comprising:
a processor adapted to implement one or more computer programs; and
a computer storage medium storing one or more computer programs that are loaded by the processor and implement the network security management method of any one of claims 1-5, the network security management method of any one of claims 6-7, or the network security management method of any one of claims 8-10.
15. A computer readable storage medium, characterized in that the computer storage medium comprises a computer program which, when executed by a processor, is adapted to implement the network security management method according to any one of claims 1-5, the network security management method according to any one of claims 6-7, or the network security management method according to any one of claims 8-10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210808809.1A CN117424711A (en) 2022-07-11 2022-07-11 Network security management method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210808809.1A CN117424711A (en) 2022-07-11 2022-07-11 Network security management method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117424711A true CN117424711A (en) 2024-01-19

Family

ID=89527111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210808809.1A Pending CN117424711A (en) 2022-07-11 2022-07-11 Network security management method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117424711A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination