CN117424743A - Data processing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117424743A
Application number: CN202311458795.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: risk, network node, node, suspected, determining
Inventors: 李天将, 尚程, 黄晓青, 秦峻峰, 熊春华, 龚济才
Current assignee: Eversec Beijing Technology Co Ltd
Original assignee: Eversec Beijing Technology Co Ltd
Application filed by Eversec Beijing Technology Co Ltd; priority to CN202311458795.6A; publication of CN117424743A

Classifications

    • H04L63/126 Network security: applying verification of the received information, the source of the received data
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/1416 Network security: detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L9/40 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols


Abstract

The invention discloses a data processing method, a data processing device, electronic equipment and a storage medium. The method comprises the following steps: concurrently sending a plurality of preset domain names to a plurality of domain name servers, so that the domain name servers determine alias records of the content distribution network nodes corresponding to their respective preset domain names; receiving the alias records fed back by each domain name server, and determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records; determining node information corresponding to the suspected risk network node, and determining a risk detection result of the suspected risk network node based on the node information; and if the risk detection result is an abnormal result, performing risk tracking based on the access data in the suspected risk network node. This solves the problem in the prior art that risk is judged only by inspecting the service data already provided by the CDN node, which makes monitoring lag and lowers security; the timeliness and accuracy of data security monitoring are improved, and the effect of guaranteeing data transmission security is achieved.

Description

Data processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer processing technologies, and in particular, to a data processing method, a data processing device, an electronic device, and a storage medium.
Background
With the development of big data technology, many websites access a CDN (Content Delivery Network) to serve data to users and relieve load on the origin server; in this case, data security monitoring is required to ensure data security.
Current data monitoring methods generally determine whether there is a data transmission risk by checking, after the service data provided by a CDN node has been received, whether that data shows an abnormality (such as tampering). Monitoring in this way lags behind the event, easily leads to data leakage, and carries data security risks.
Disclosure of Invention
The invention provides a data processing method, a data processing device, electronic equipment and a storage medium, which are used for improving timeliness and accuracy of data security monitoring and guaranteeing security of data transmission.
According to an aspect of the present invention, there is provided a data processing method comprising:
concurrently sending a plurality of preset domain names to a plurality of domain name servers, so that the domain name servers determine alias records of the content distribution network nodes corresponding to their respective preset domain names and feed back the alias records;
receiving alias records fed back by the domain name servers, and determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records;
determining node information corresponding to the suspected risk network node, and determining a risk detection result of the suspected risk network node based on the node information; wherein, the node information comprises an internet protocol address and a port;
and if the risk detection result is an abnormal result, performing risk tracking based on the access data in the suspected risk network node.
According to another aspect of the present invention, there is provided a data processing apparatus comprising:
the concurrency module is used to concurrently send a plurality of preset domain names to a plurality of domain name servers, so that the domain name servers determine and feed back alias records of the content distribution network nodes corresponding to their respective preset domain names;
the suspected node determining module is used for receiving the alias records fed back by the domain name servers and determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records;
The risk detection result determining module is used for determining node information corresponding to the suspected risk network node and determining a risk detection result of the suspected risk network node based on the node information; wherein, the node information comprises an internet protocol address and a port;
and the risk tracking module is used for carrying out risk tracking based on the access data in the suspected risk network node if the risk detection result is an abnormal result.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data processing method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to execute a data processing method according to any one of the embodiments of the present invention.
According to the technical scheme, a plurality of preset domain names are sent to a plurality of domain name servers, the alias records fed back by the domain name servers are received, and a suspected risk network node of a preset type is determined from the content distribution network nodes based on the alias records; node information corresponding to the suspected risk network node is determined, and a risk detection result of the suspected risk network node is determined based on the node information; if the risk detection result is an abnormal result, risk tracking is performed based on the access data in the suspected risk network node. This solves the problem in the prior art that risk is judged only by detecting the service data provided by the CDN node, so that monitoring lags and security is low. Concurrently sending a plurality of preset domain names to a plurality of domain name servers is an active monitoring mode: a suspected risk network node of a preset type is found timely and effectively according to the alias record of the content distribution network node that each domain name server determines for its preset domain name; the suspected risk network node is then subjected to secondary detection through its node information, so that the risk detection result of the suspected risk network node is determined and the accuracy of risk detection is improved; further, risk problem positioning is realized based on the access data in a suspected risk network node whose result is abnormal, which provides a data basis for data security processing and achieves the technical effect of guaranteeing data transmission security.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data processing method according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of a data processing method according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of a data processing apparatus according to a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device implementing a data processing method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a data processing method according to a first embodiment of the present invention, where the method may be performed by a data processing apparatus, and the data processing apparatus may be implemented in hardware and/or software, and the data processing apparatus may be configured in a computing device. As shown in fig. 1, the method includes:
S110, concurrently sending the preset domain names to the domain name servers, so that the domain name servers determine the alias records of the content distribution network nodes corresponding to their respective preset domain names and feed back the alias records.
The preset domain name may be the domain name of a preconfigured website that needs to be monitored for data security risks. The website uses a CDN service, and when a user accesses a website that has joined a CDN service, the user's request may be served by a CDN node in the CDN. A CDN node is a content delivery network node; the CDN servers in the node respond to the user's request in place of the website's origin servers. The domain name server may be a DNS (Domain Name System) server configured in the CDN node layer, i.e., a load balancing device whose function is to make the caches work cooperatively and to direct the user to the optimal CDN node in the whole CDN node layer according to the resolution of the user's source IP address. CDN nodes may be deployed worldwide, and accordingly domain name servers may be deployed worldwide.
In this embodiment, a plurality of preset domain names may be concurrently sent to a plurality of domain name servers worldwide, and DNS resolution is performed on the corresponding preset domain name by each domain name server worldwide to obtain a CNAME record of the CDN node corresponding to the preset domain name, where the CNAME record is an alias record.
For example, referring to FIG. 2, distributed DNS resolution nodes (i.e., domain name servers) may be deployed in advance; the domain name servers then perform DNS resolution, over the global scope and based on the distributed DNS resolution technology, on the domain names of the important websites to be detected (i.e., the preset domain names), so as to resolve each domain name to an alias record.
S120, receiving the alias records fed back by the domain name servers, and determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records.
In this embodiment, the preset type may be overseas. In order to improve the security monitoring and management of the overseas CDN nodes of domestic websites, after the alias records resolved by each domain name server are collected, structural analysis can be carried out on the alias records: the content information carried in the alias records is used to screen out content distribution network nodes of the preset type from the content distribution network nodes, the content information is used to evaluate whether each content distribution network node of the preset type is suspected of having a data security risk, and if so, that content distribution network node can be taken as a suspected risk network node.
In order to judge the risk accurately, data such as the IP and the alias required for risk judgment can be screened from the alias records, so that whether the content distribution network node has a data security risk can be determined from the screened data. Optionally, determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records includes: processing the alias records according to preset matching rules and/or filtering rules to obtain information to be used; and determining a suspected risk network node of a preset type from the content distribution network nodes based on the information to be used.
The information to be used includes, but is not limited to, a domain name alias (i.e. CNAME), a hierarchy of the domain name alias, an internet protocol address (referring to an IP corresponding to the domain name), and a type identifier.
In this embodiment, a matching rule may be pre-configured, rule matching is then performed on the information in the alias record through the matching rule, and the matched field data may be used as the information to be used. A filtering rule can also be pre-configured; during rule matching the filtering rule filters the information in the alias records, which improves matching speed and accuracy. Alternatively, the matching rule may include a plurality of fields to be matched, where the fields correspond to the information to be used. The filtering rule may likewise include a plurality of fields to be filtered, and fields and information useless for risk judgment may be configured in a customized manner. For example, with continued reference to FIG. 2, the alias record may be treated as a response packet: the content information in the response packet is obtained by parsing the response packet, and rule filtering and matching are performed on the content information to obtain the information to be used, such as keywords in the CNAME, the resolved IP address and the CNAME hierarchy.
Further, based on each information to be used, a preset type of suspected risk network node may be determined from the content distribution network nodes, and the specific implementation manner may be: determining a network node to be detected as a preset type from the content distribution network nodes based on target data in the information to be used; for each network node to be detected, processing the information to be used corresponding to the network node to be detected from a plurality of evaluation dimensions to obtain suspected risk attributes of the network node to be detected; and determining the suspected risk network node from the network nodes to be detected based on the suspected risk attributes.
In this embodiment, whether a content distribution network node is of the preset type may be determined by identifying, in the information to be used, the target data that characterizes the node type, and the content distribution network nodes of the preset type are selected as the network nodes to be detected. For example, the target data may be a type identifier, such as an overseas type indicated by a "JINGWAI" identifier, or the target data may be a CNAME that carries a keyword indicating the overseas type. The method for determining whether each network node to be detected is a suspected risk network node is the same, so it is described by taking one network node to be detected as an example. A suspected node determination rule may be preconfigured, and the suspected risk attribute of the network node to be detected is determined by evaluating its information to be used from a plurality of evaluation dimensions through this rule. Optionally, the evaluation dimensions include, but are not limited to, the IP resolution number, the IP distribution, the CNAME hierarchy and CNAME keywords; the suspected node determination rule may include an evaluation rule for each evaluation dimension.
For example, the evaluation rules may include, but are not limited to: the higher the number of resolved IPs, the higher the suspected risk attribute value; the number of resolved IPs reaching a given count corresponds to a given suspected risk attribute value; when the number of resolved IPs reaches several and the IPs are located in different areas, the suspected risk attribute value is a preset first value (such as 20%); when the number of CNAME layers reaches a preset number, the suspected risk attribute value is a preset second value (such as 40%); when the information to be used contains a set risk keyword, the suspected risk attribute value is a preset third value (for example, 90%). For example, the suspected risk attribute may be represented by a suspected degree: the total number of resolved IPs included in the information to be used and the area where each IP is located are calculated, and the larger the total number of resolved IPs and the more the IPs are distributed over different areas, the greater the risk and the higher the suspected degree; or, when more than 4 IPs are obtained from domain name resolution and the IP addresses are distributed in different provinces and cities, the suspected degree is confirmed to be 20%. The number of CNAME layers in the information to be used is calculated, and the higher the number of layers, the higher the suspected risk attribute value; alternatively, when the CNAME hierarchy is above level 2, the suspected degree is confirmed to be 40%. The more set risk keywords the information to be used contains, the higher the suspected risk attribute value; or, if the CNAME contains keywords such as dns, cdn or cache, the suspected degree is confirmed to be 90%.
The suspected degrees can be weighted to obtain a final suspected degree, namely the suspected risk attribute of the network node to be detected corresponding to the domain name, and the network nodes to be detected whose suspected risk attribute exceeds the preset risk attribute are taken as the suspected risk network nodes. It should be noted that the specific suspected degree values may be determined by a technician according to the actual working situation.
In this embodiment, the suspected node determination rule may be integrated in a CDN acceleration node discovery engine, so that the information to be used can be loaded into the engine; the engine processes the information to be used with a nonlinear weighting algorithm and analyzes the suspected risk attribute of the network node to be detected from multiple evaluation dimensions such as the IP resolution number, IP distribution, CNAME level and CNAME keywords, so as to improve the detection speed.
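The following is an added example, not code from the patent, of step S120 as described above: alias records are reduced to the information to be used by a filtering rule and a matching rule, nodes of the preset (overseas) type are selected by the target data, each is scored on the page's three evaluation dimensions with the page's example values (20%, 40%, 90%), and the degrees are combined and thresholded. The record field names, the "overseas" CNAME keyword, the noisy-OR combination and the 0.5 threshold are assumptions; the patent fixes none of them.

```python
# Constructed alias records (field names and values are assumptions, not the
# patent's response format): the parsed feedback for one preset domain name
# from one domain name server.
SAMPLE_RECORDS = [
    {"domain": "www.site-a.test", "type_id": "JINGWAI", "ttl": 300, "query_id": 17,
     "cname_chain": ["www.site-a.test.cdn.overseas-cache.test", "edge.overseas-cache.test"],
     "ips": [("203.0.113.10", "region-1"), ("203.0.113.11", "region-2"),
             ("198.51.100.5", "region-3"), ("198.51.100.6", "region-4"),
             ("192.0.2.9", "region-5")]},
    {"domain": "www.site-b.test", "type_id": "", "ttl": 60, "query_id": 18,
     "cname_chain": ["static.site-b.test"],
     "ips": [("192.0.2.20", "region-1")]},
    {"domain": "www.site-c.test", "type_id": "JINGWAI", "ttl": 120, "query_id": 19,
     "cname_chain": ["edge-node.test"],
     "ips": [("203.0.113.40", "region-1"), ("203.0.113.41", "region-1")]},
    {"domain": "www.site-d.test", "type_id": "", "ttl": 120, "query_id": 20,
     "cname_chain": ["a.site-d.test", "b.overseas-edge.test", "c.site-d.test"],
     "ips": [("203.0.113.50", "region-2")]},
]

MATCH_FIELDS = ("domain", "type_id", "cname_chain", "ips")  # matching rule: fields to keep
FILTER_FIELDS = ("ttl", "query_id")                         # filtering rule: useless for risk judgment
RISK_KEYWORDS = ("dns", "cdn", "cache")                      # set risk keywords named on the page
OVERSEAS_KEYWORDS = ("overseas",)                            # assumed CNAME keyword for the preset type


def extract_info(record):
    """Apply the filtering rule, then the matching rule, to one alias record and
    return the information to be used, including the CNAME hierarchy depth."""
    filtered = {k: v for k, v in record.items() if k not in FILTER_FIELDS}
    info = {k: filtered[k] for k in MATCH_FIELDS}
    info["cname_levels"] = len(info["cname_chain"])
    return info


def is_preset_type(info):
    """Target-data check: the type identifier or an overseas keyword in the CNAME
    marks a node of the preset type, i.e. a network node to be detected."""
    if info["type_id"] == "JINGWAI":
        return True
    chain = " ".join(info["cname_chain"]).lower()
    return any(kw in chain for kw in OVERSEAS_KEYWORDS)


def evaluate_dimensions(info):
    """Suspected degree per evaluation dimension, using the page's example values."""
    regions = {region for _, region in info["ips"]}
    chain = " ".join(info["cname_chain"]).lower()
    return {
        # more than 4 resolved IPs spread over different areas -> 20%
        "ip_distribution": 0.20 if len(info["ips"]) > 4 and len(regions) > 1 else 0.0,
        # CNAME hierarchy above level 2 -> 40%
        "cname_levels": 0.40 if info["cname_levels"] > 2 else 0.0,
        # CNAME contains a set risk keyword -> 90%
        "cname_keywords": 0.90 if any(kw in chain for kw in RISK_KEYWORDS) else 0.0,
    }


def combine(scores):
    """Nonlinear weighting of the per-dimension degrees. The page does not fix the
    formula; a noisy-OR combination is assumed so that several weak signals add
    up without exceeding 1."""
    remaining = 1.0
    for degree in scores.values():
        remaining *= 1.0 - degree
    return round(1.0 - remaining, 4)


def find_suspected_nodes(records, threshold=0.5):
    """Return (domain, final suspected degree) for every network node to be
    detected whose degree exceeds the preset risk attribute (threshold assumed)."""
    suspected = []
    for record in records:
        info = extract_info(record)
        if not is_preset_type(info):
            continue  # not of the preset type: not a network node to be detected
        degree = combine(evaluate_dimensions(info))
        if degree > threshold:
            suspected.append((info["domain"], degree))
    return suspected


if __name__ == "__main__":
    for domain, degree in find_suspected_nodes(SAMPLE_RECORDS):
        print(f"suspected risk network node: {domain} (suspected degree {degree:.0%})")
```

With the constructed records only www.site-a.test is reported: site-b is not of the preset type, site-c scores 0 on every dimension, and site-d reaches only 40% from its three-level CNAME, below the threshold.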
S130, determining node information corresponding to the suspected risk network nodes, and determining a risk detection result of the suspected risk network nodes based on the node information.
The node information comprises an internet protocol address and a port.
In this embodiment, node information such as the internet protocol address corresponding to each suspected risk network node and the port on that internet protocol address may be determined. Further, by checking the internet protocol address and the port of the suspected risk network node, it can be determined whether they carry a risk, and hence whether the corresponding suspected risk network node carries a risk, which gives the risk detection result of the suspected risk network node.
Optionally, determining, based on the node information, a risk detection result for the suspected risk network node includes: detecting an internet protocol address and a port in the node information, and determining detection information corresponding to the node information; or acquiring detection information corresponding to the node information based on a log retention system; based on the detection information, determining a suspected risk network node containing abnormal node information, and determining a risk detection result of the suspected risk network node.
In this embodiment, an active detection manner may be adopted: the IP and the port of the suspected risk network node are actively probed through a detection engine to find detection information such as the port opening condition, WEB fingerprint information and host fingerprint information, and the detection information is used to judge whether the IP and the port have a suspected risk; if so, the node information with the suspected risk may be taken as abnormal node information. A passive detection manner may also be adopted: the log information in the log retention system is analyzed to obtain the node IP and the port state, which are taken as the detection information, and the detection information is then used to judge whether the node information is abnormal node information; for example, if the port state is abnormal, the corresponding node information is considered abnormal node information. Further, the suspected risk network nodes are screened: those containing abnormal node information are screened out from the suspected risk network nodes, the IP and the port of the CDN node are located through this secondary verification, the suspected risk network nodes are confirmed more accurately, and risk detection is further carried out on the screened suspected risk network nodes to obtain the risk detection result of the suspected risk network nodes.
For example, with continued reference to FIG. 2, a CDN fingerprint detection engine, an IP+port asset detection engine, etc. may be used to actively probe the IP and the port of the suspected CDN node (i.e., the suspected risk network node), find detection information such as the port opening condition, WEB fingerprint information and host fingerprint information, and secondarily check and locate the IP and the port of the CDN node through the detection information, so as to determine the suspected abnormal IP and port and thereby the suspected CDN node containing the abnormal IP and port.
In this embodiment, determining a risk detection result for a suspected risk network node includes: determining association information associated with the abnormal node information; and determining a risk detection result of the corresponding suspected risk network node based on the association information according to a preset risk detection rule.
The preset risk detection rule comprises a plurality of detection indexes, which include but are not limited to the number of overseas communications, the CDN hosting ratio, the website fingerprint importance degree, website security vulnerabilities and website security events. The associated information includes, but is not limited to, node fingerprint information, communication data, security events, security vulnerabilities, viruses, malicious network resources, malicious programs, and the like. The node fingerprint information may cover whether the website is accelerated through CDN nodes and whether the acceleration cache nodes are hosted overseas; open host ports and service fingerprint information; domestic CDN delivery nodes connected to overseas hosts, etc. The security events may include major network security events, daily network security events, and the like.
In this embodiment, the communication information exchanged with the abnormal node information may be retrieved from the access log, and information such as the security events, asset security vulnerabilities and asset fingerprints corresponding to the abnormal node information may be detected; this information is taken as the associated information of the abnormal node information. The associated information is processed according to the preset risk detection rule: the number of overseas communications, the CDN hosting ratio, the website fingerprint importance, the website security vulnerabilities and the website security events are counted, and the risk detection result for the suspected risk network node corresponding to the abnormal node information is determined from the statistics corresponding to each detection index.
For example, with continued reference to FIG. 2, the data security risk is rated intelligently from the IP of the suspected CDN node and its overseas communication information, together with existing information such as security events, asset security vulnerabilities and asset fingerprints, combined with the preset risk detection rule; the suspected CDN node is scored, the obtained score may serve as the risk detection result of the suspected CDN node, and when the score exceeds a preset threshold, the risk detection result may be considered an abnormal result.
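As an added example (not the patent's code) of the risk detection rule just described: the overseas communications with one piece of abnormal node information (IP and port) are counted from constructed access-log lines, the other four detection indexes are read from constructed associated information, and the weighted score is compared with a threshold to decide whether the result is abnormal. The log-line format, the index weights, the normalisation constants and the threshold are assumptions; the page only names the five indexes and says that a score above a preset threshold is abnormal.

```python
import re

# Constructed access-log lines (format assumed): timestamp, source IP,
# destination IP:port, and the region of the destination as recorded by the
# monitoring system.
ACCESS_LOG = """\
2024-01-01T00:00:01 10.0.0.5 203.0.113.10:443 overseas
2024-01-01T00:00:02 10.0.0.6 203.0.113.10:443 overseas
2024-01-01T00:00:03 10.0.0.7 192.0.2.20:443 domestic
2024-01-01T00:00:04 10.0.0.5 203.0.113.10:80 overseas
2024-01-01T00:00:05 10.0.0.8 203.0.113.10:443 overseas
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<region>\w+)$")

# Constructed associated information keyed by abnormal node information (IP, port).
ASSOCIATED = {
    ("203.0.113.10", 443): {
        "cdn_nodes_total": 10,          # CDN nodes serving the website
        "cdn_nodes_overseas": 6,        # of which hosted overseas
        "fingerprint_importance": 0.8,  # 0..1, from the asset fingerprint
        "vulnerabilities": ["vuln-placeholder-1"],
        "security_events": ["daily-event-placeholder"],
    },
}

# Assumed weights for the five detection indexes, the abnormal-result threshold,
# and the count at which a counted index is treated as saturated.
WEIGHTS = {"overseas_comms": 0.25, "cdn_hosting_ratio": 0.20,
           "fingerprint_importance": 0.20, "vulnerabilities": 0.20,
           "security_events": 0.15}
THRESHOLD = 0.5
SATURATION = 5.0


def count_overseas_comms(log_text, ip, port):
    """Retrieve from the access log the communications with the abnormal node
    information, counting only overseas entries for exactly that IP and port."""
    count = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the count
        if m["dst"] == ip and int(m["port"]) == port and m["region"] == "overseas":
            count += 1
    return count


def detection_indexes(ip, port, log_text, associated):
    """Statistics for each detection index of the rule, normalised to 0..1."""
    info = associated[(ip, port)]
    return {
        "overseas_comms": min(count_overseas_comms(log_text, ip, port) / SATURATION, 1.0),
        "cdn_hosting_ratio": info["cdn_nodes_overseas"] / info["cdn_nodes_total"],
        "fingerprint_importance": info["fingerprint_importance"],
        "vulnerabilities": min(len(info["vulnerabilities"]) / 3.0, 1.0),
        "security_events": min(len(info["security_events"]) / 3.0, 1.0),
    }


def risk_detection_result(ip, port, log_text=ACCESS_LOG, associated=ASSOCIATED):
    """Score the suspected risk network node under the preset risk detection rule
    and classify the result as abnormal when the score exceeds the threshold."""
    indexes = detection_indexes(ip, port, log_text, associated)
    score = round(sum(WEIGHTS[name] * value for name, value in indexes.items()), 4)
    return score, ("abnormal" if score > THRESHOLD else "normal")


if __name__ == "__main__":
    score, verdict = risk_detection_result("203.0.113.10", 443)
    print(f"203.0.113.10:443 score={score} result={verdict}")
```

Only the three log lines that match both the IP and port 443 count as overseas communications; the line to port 80 belongs to different node information and is excluded.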
S140, if the risk detection result is an abnormal result, performing risk tracking based on the access data in the suspected risk network node.
In this embodiment, if the risk detection result is an abnormal result, a data security risk exists. At this time, the access data on the suspected risk network node (for example, a specific PCAP of the communication with the IP, a data packet on the network, or data sent to other hosts) may be reconstructed and analyzed based on the packet capture and reconstruction function of DPI (deep packet inspection), so as to determine the security risk problem existing at the IP and the port where the suspected risk network node is located, and thereby carry out tracking and evidence collection.
Optionally, performing risk tracking based on the access data in the suspected risk network node includes: determining a data packet communicated with a suspected risk protocol address in node information corresponding to the suspected risk network node from the access data; and analyzing the data packet to obtain a positioning result of risk tracking.
Specifically, a data packet that is in communication with a suspected risk protocol address in node information corresponding to the suspected risk network node may be determined from the access data, where the suspected risk protocol address is determined based on probe information for the risk protocol address. And (3) determining the security risk problems existing in the IP and the port where the suspected risk network node server is located by carrying out reduction analysis on the data packet, namely obtaining the positioning result of risk tracking, so as to carry out tracking evidence obtaining.
In this embodiment, each traffic packet carrying a potential threat may be identified from the access data and replayed frame by frame, so that the threat is analysed in depth and a data basis is provided. Existing or impending threats in the data can be discovered through the access behaviour path of the data, which facilitates tracking and evidence collection. The method and device provide detailed visual security analysis, attack details, subsequent attack data and protocol-level deep decoding once an attack is discovered.
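The risk-tracking step described above, as an added illustration that is not the patent's or the applicant's code: a libpcap capture is parsed, the packets exchanged with the suspected-risk protocol address are selected from the access data, and the ports, peers, payload volume and time span of that communication are summarised as the positioning result. The frame builder, the suspect address, the peers, ports and payloads are all constructed for the example, and only Ethernet/IPv4/TCP frames in a classic little-endian pcap are handled.

```python
"""Risk tracking over access data: select the packets exchanged with the
suspected-risk IP from a PCAP capture and summarise them.

Added illustration, not the patent's own code. The frame builder, the
addresses, ports and payloads are constructed for the example.
"""
import struct
from collections import Counter

SUSPECT_IP = "203.0.113.10"  # assumed suspected-risk protocol address


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_tcp_frame(src, sport, dst, dport, payload=b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (offline parsing only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       _ip_bytes(src), _ip_bytes(dst))
    return eth + ipv4 + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame) records from a classic little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        ts, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield ts, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length in bytes
    return src, sport, dst, dport, tcp[data_off:]


def track_suspect(pcap: bytes, suspect_ip: str) -> dict:
    """Positioning result: which ports on the suspect IP talked to which peers, and when."""
    result = {"packets": 0, "ports": Counter(), "peers": Counter(),
              "payload_bytes": 0, "first_ts": None, "last_ts": None}
    for ts, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if suspect_ip not in (src, dst):
            continue                                      # not communication with the suspect
        result["packets"] += 1
        result["ports"][sport if src == suspect_ip else dport] += 1
        result["peers"][dst if src == suspect_ip else src] += 1
        result["payload_bytes"] += len(payload)
        result["first_ts"] = ts if result["first_ts"] is None else result["first_ts"]
        result["last_ts"] = ts
    return result


# Constructed access data: two flows touch the suspect, one is unrelated noise.
SAMPLE_FRAMES = [
    build_tcp_frame("198.51.100.7", 51000, SUSPECT_IP, 443, b"GET /cache HTTP/1.1\r\n"),
    build_tcp_frame(SUSPECT_IP, 443, "198.51.100.7", 51000, b"HTTP/1.1 200 OK\r\n"),
    build_tcp_frame("192.0.2.5", 40000, "198.51.100.9", 80, b"unrelated"),
    build_tcp_frame(SUSPECT_IP, 8080, "192.0.2.8", 51234, b"beacon"),
]


def demo() -> dict:
    """Run the tracking over the constructed capture."""
    return track_suspect(build_pcap(SAMPLE_FRAMES), SUSPECT_IP)


if __name__ == "__main__":
    print(demo())
```

The per-port and per-peer counters are what the analyst needs first: they pinpoint which service on the suspect node was in contact and with whom, so the subsequent protocol-level decoding can be limited to those flows.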
In this embodiment, after determining the risk detection result for the suspected risk network node, the method further includes: generating a risk prompt based on the suspected risk network node and the preset domain name served by it, and feeding the prompt back.
In this embodiment, after the suspected risk network node and its risk detection result are determined, a risk early-warning prompt may further be generated from the specific risk detection result and fed back to the user, warning of the existing security risk and providing corresponding disposal measures, so as to improve the timeliness of data security monitoring and ensure data transmission security.
According to the technical scheme of this embodiment, a plurality of preset domain names are sent concurrently to a plurality of domain name servers, the alias records fed back by the domain name servers are received, and a suspected risk network node of a preset type is determined from the content distribution network nodes based on the alias records; the node information corresponding to the suspected risk network node is determined, and the risk detection result of the suspected risk network node is determined based on that node information; if the risk detection result is an abnormal result, risk tracking is performed based on the access data in the suspected risk network node. This solves the problem in the prior art that risk is detected only by examining the service data provided by the CDN node, which makes monitoring lag behind and lowers security. In an active monitoring mode, a plurality of preset domain names are sent concurrently to a plurality of domain name servers, and a suspected risk network node of a preset type is identified promptly and effectively from the alias records of the content distribution network nodes that the domain name servers determine for the corresponding preset domain names; the suspected risk network node is then subjected to secondary detection through its node information to determine its risk detection result, which improves the accuracy of risk detection; further, risk problem positioning is realised based on the access data in the suspected risk network node whose result is abnormal, which provides a data basis for data security handling and achieves the technical effect of ensuring data transmission security.
Example II
As an alternative embodiment of the foregoing embodiment, a specific application scenario is given to make the technical solution of the embodiment of the present invention clearer to those skilled in the art. Reference may be made to the following details.
The technical scheme provided by this embodiment can be realised by a risk detection system comprising an acceleration node discovery module, an acceleration node port detection module, an automatic suspicious IP and port research-and-judgement engine, and a tracking and evidence collection module.
The acceleration node discovery module resolves IP addresses using distributed DNS resolution: it sends the domain names to a plurality of DNS servers worldwide in order to cover Internet websites as comprehensively as possible, matches the results against a suspected-CDN rule algorithm, and determines the suspected CDN nodes.
The acceleration node port detection module actively probes the specific node IPs and ports of the CDN based on an asset detection engine, and finds the port opening state, WEB fingerprint information and host fingerprint information; alternatively, the port state on the acceleration node IP is obtained by analysis and judgement based on a log retention system or the like.
The automatic suspicious IP and port research-and-judgement engine jointly screens, based on the security threat data, knowledge data, basic information data, CDN fingerprint data and security event data, the IPs and ports of suspicious CDN nodes that have been involved in security events, that carry existing vulnerability risks, or that have suspicious open ports, so as to determine the suspicious CDN nodes with abnormal node information.
The security threat data comprises malicious network resources, malicious programs, security risks and other threats. The knowledge data comprises a vulnerability library, basic information data, a virus library, a malicious code library, a case library, a plan library and a business database. The basic information data comprises an IP address library, key protected objects, a domain name library and an infrastructure library. The CDN fingerprint data comprises: acceleration through CDN nodes whose acceleration cache nodes are hosted abroad; open host ports and service fingerprint information; and domestic CDN distribution nodes connected to foreign hosts. The security events comprise major network security events and everyday network security events.
The tracking and evidence collection module performs tracking and evidence collection by carrying out reconstruction analysis on the specific PCAP captures of communication with the suspicious IP, based on the DPI packet capture and reconstruction function, and further determines the security risk problems on the IP and port of the CDN acceleration server that could be exploited by hackers.
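The acceleration node discovery step above, together with the alias-record matching and filtering that yields the "information to be used" (domain name alias, hierarchy of the alias, IP address), as an added illustration that is not the patent's or the applicant's code: CNAME chains returned by several resolvers are matched against CDN alias patterns, grouped by the resolved IP, and each candidate is evaluated on a few dimensions to decide whether it is a suspected risk node of the preset type (here, an overseas-hosted cache node). The alias patterns, the "overseas" prefix, the resolver responses and the attribute rules are all constructed assumptions; the actual resolver queries are replaced by their recorded feedback so the example runs offline.

```python
"""Determining suspected CDN nodes from alias (CNAME) records.

Added illustration, not the patent's own code. The CDN alias patterns, the
'overseas' prefix, the resolver responses and the attribute rules are all
constructed assumptions; real deployments would use their own rule sets.
"""
import ipaddress
import re
from collections import defaultdict

# Matching rule: aliases that identify CDN cache/edge hostnames (constructed patterns).
CDN_ALIAS_PATTERNS = [re.compile(p) for p in (
    r"\.cdn-cache\.example\.net$",
    r"\.edge\.example-cdn\.org$",
)]
# Stand-in for "hosted outside the country" address ranges (documentation prefix).
OVERSEAS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed feedback from several resolvers: resolver -> domain -> CNAME chain + final A record.
RESPONSES = {
    "resolver-a": {
        "shop.example.com": ["shop.example.com.cdn-cache.example.net",
                             "c1.edge.example-cdn.org", "203.0.113.10"],
        "static.example.com": ["static.example.com.cdn-cache.example.net", "192.0.2.5"],
        "www.example.org": ["198.51.100.7"],              # no CNAME: not a CDN candidate
    },
    "resolver-b": {
        "shop.example.com": ["shop.example.com.cdn-cache.example.net",
                             "c2.edge.example-cdn.org", "203.0.113.11"],
        "static.example.com": ["static.example.com.cdn-cache.example.net", "192.0.2.5"],
        "www.example.org": ["198.51.100.7"],
    },
}


def extract_info(responses):
    """Matching/filtering step: keep (domain, alias, hierarchy level, IP) for CDN-like aliases."""
    info = []
    for resolver, answers in responses.items():
        for domain, chain in answers.items():
            *aliases, ip = chain                          # last element is the A record
            for level, alias in enumerate(aliases, start=1):
                if any(p.search(alias) for p in CDN_ALIAS_PATTERNS):
                    info.append({"domain": domain, "alias": alias, "level": level,
                                 "ip": ip, "resolver": resolver})
    return info


def is_overseas(ip):
    """Preset-type test: does the node IP fall in an (assumed) overseas range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OVERSEAS_PREFIXES)


def find_suspected_nodes(info, min_attributes=2):
    """Evaluate each candidate node IP on several dimensions; flag those with enough attributes."""
    by_ip = defaultdict(list)
    for rec in info:
        by_ip[rec["ip"]].append(rec)
    suspected = []
    for ip, recs in by_ip.items():
        attrs = {
            "overseas_cache_node": is_overseas(ip),
            "multi_level_alias_chain": max(r["level"] for r in recs) >= 2,
            "seen_by_multiple_resolvers": len({r["resolver"] for r in recs}) >= 2,
        }
        if sum(attrs.values()) >= min_attributes:
            suspected.append({"ip": ip, "domains": sorted({r["domain"] for r in recs}),
                              "attributes": attrs})
    return sorted(suspected, key=lambda s: s["ip"])


if __name__ == "__main__":
    for node in find_suspected_nodes(extract_info(RESPONSES)):
        print(node)
```

Querying several resolvers matters because CDN CNAME chains are usually resolved differently per vantage point: in the constructed data the two resolvers hand `shop.example.com` to two different overseas cache IPs, and only the per-resolver feedback reveals both.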
Example III
Fig. 3 is a schematic structural diagram of a data processing apparatus according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: the concurrency module 210, the suspected node determining module 220, the risk detection result determining module 230 and the risk tracking module 240.
The concurrency module 210 is configured to send a plurality of preset domain names concurrently to a plurality of domain name servers, so that the domain name servers determine and feed back the alias records of the content distribution network nodes corresponding to the respective preset domain names; the suspected node determining module 220 is configured to receive the alias records fed back by each domain name server and determine a suspected risk network node of a preset type from the content distribution network nodes based on the alias records; the risk detection result determining module 230 is configured to determine the node information corresponding to the suspected risk network node and determine a risk detection result for the suspected risk network node based on that node information, where the node information comprises an internet protocol address and a port; and the risk tracking module 240 is configured to perform risk tracking based on the access data in the suspected risk network node if the risk detection result is an abnormal result.
On the basis of the above apparatus, optionally, the suspected node determining module 220 includes an information-to-be-used determining unit and a suspected node determining unit.
The information-to-be-used determining unit is configured to process the alias records according to a preset matching rule and/or filtering rule to obtain information to be used, where the information to be used comprises a domain name alias, the hierarchy of the domain name alias and an internet protocol address;
and the suspected node determining unit is configured to determine a suspected risk network node of a preset type from the content distribution network nodes based on the information to be used.
On the basis of the above apparatus, optionally, the suspected node determining unit comprises a node-to-be-detected determining subunit, a suspected risk attribute determining subunit and a suspected node determining subunit.
The node-to-be-detected determining subunit is configured to determine, from the content distribution network nodes, the network nodes to be detected as being of the preset type based on the target data in the information to be used;
the suspected risk attribute determining subunit is configured to process, for each network node to be detected, the information to be used corresponding to that network node from multiple evaluation dimensions, to obtain the suspected risk attributes of the network node to be detected;
and the suspected node determining subunit is configured to determine a suspected risk network node from the network nodes to be detected based on each suspected risk attribute.
On the basis of the above apparatus, optionally, the risk detection result determining module 230 includes a detection information determining unit and a risk detection result determining unit.
The detection information determining unit is configured to probe the internet protocol address and port in the node information and determine the detection information corresponding to the node information, or to acquire the detection information corresponding to the node information based on a log retention system;
and the risk detection result determining unit is configured to determine, based on the detection information, a suspected risk network node containing abnormal node information, and to determine the risk detection result of that suspected risk network node.
On the basis of the above apparatus, optionally, the risk detection result determining unit comprises an association information determining unit and a detection unit.
The association information determining unit is configured to determine the association information associated with the abnormal node information, where the association information comprises at least one of node fingerprint information, communication data, security events and security vulnerabilities;
and the detection unit is configured to determine the risk detection result of the corresponding suspected risk network node based on the association information according to a preset risk detection rule.
On the basis of the above apparatus, optionally, the risk tracking module 240 includes a data packet determining unit and a tracking unit.
The data packet determining unit is configured to determine, from the access data, the data packets communicated with the suspected risk protocol address in the node information corresponding to the suspected risk network node;
and the tracking unit is configured to analyse the data packets to obtain a positioning result of the risk tracking.
On the basis of the above apparatus, optionally, the apparatus further comprises an early-warning module configured to generate a risk prompt based on the suspected risk network node and the preset domain name served by it, and to feed the prompt back.
The data processing apparatus provided by the embodiment of the present invention can execute the data processing method provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to that method.
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be exemplary only and are not meant to limit implementations of the invention described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the data processing method.
In some embodiments, the data processing method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. One or more of the steps of the data processing method described above may be performed when the computer program is loaded into RAM 13 and executed by processor 11. Alternatively, in other embodiments, the processor 11 may be configured to perform the data processing method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be realised in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method of data processing, comprising:
concurrently sending a plurality of preset domain names to a plurality of domain name servers, so that the domain name servers determine the alias records of the content distribution network nodes corresponding to the respective preset domain names and feed back the alias records;
receiving the alias records fed back by the domain name servers, and determining a suspected risk network node of a preset type from the content distribution network nodes based on the alias records;
determining node information corresponding to the suspected risk network node, and determining a risk detection result of the suspected risk network node based on the node information; wherein the node information comprises an internet protocol address and a port;
and if the risk detection result is an abnormal result, performing risk tracking based on the access data in the suspected risk network node.
2. The method of claim 1, wherein the determining a pre-set type of suspected risk network node from the content distribution network nodes based on the alias records comprises:
processing the alias records according to preset matching rules and/or filtering rules to obtain information to be used; wherein the information to be used comprises a domain name alias, a hierarchy of the domain name alias and an Internet protocol address;
and determining a suspected risk network node of a preset type from the content distribution network nodes based on the information to be used.
3. The method according to claim 2, wherein determining a pre-set type of suspected risk network node from the content distribution network nodes based on each of the information to be used comprises:
determining a network node to be detected as a preset type from the content distribution network nodes based on the target data in the information to be used;
for each network node to be detected, processing the information to be used corresponding to the network node to be detected from a plurality of evaluation dimensions to obtain suspected risk attributes of the network node to be detected;
and determining a suspected risk network node from the network nodes to be detected based on each suspected risk attribute.
4. The method of claim 1, wherein the determining a risk detection result for the suspected risk network node based on the node information comprises:
detecting an internet protocol address and a port in the node information, and determining detection information corresponding to the node information; or, based on a log retention system, acquiring detection information corresponding to the node information;
and determining a suspected risk network node containing abnormal node information based on the detection information, and determining a risk detection result of the suspected risk network node.
5. The method of claim 4, wherein the determining a risk detection result for the suspected risk network node comprises:
determining association information associated with the abnormal node information; the association information comprises at least one of node fingerprint information, communication data, security events and security vulnerabilities;
and determining a risk detection result of the corresponding suspected risk network node based on the association information according to a preset risk detection rule.
6. The method of claim 1, wherein the risk tracking based on access data in the suspected risk network node comprises:
determining a data packet communicated with a suspected risk protocol address in node information corresponding to the suspected risk network node from the access data;
and analyzing the data packet to obtain a positioning result of risk tracking.
7. The method of claim 1, further comprising, after the determining the risk detection result for the suspected risk network node:
and generating a risk prompt and feeding back based on the suspected risk network node and a preset domain name served by the suspected risk network node.
8. A data processing apparatus, comprising:
a concurrency module configured to concurrently send a plurality of preset domain names to a plurality of domain name servers so that the domain name servers determine and feed back the alias records of the content distribution network nodes corresponding to the respective preset domain names;
a suspected node determining module configured to receive the alias records fed back by the domain name servers and determine a suspected risk network node of a preset type from the content distribution network nodes based on the alias records;
a risk detection result determining module configured to determine node information corresponding to the suspected risk network node and determine a risk detection result of the suspected risk network node based on the node information; wherein the node information comprises an internet protocol address and a port;
and a risk tracking module configured to perform risk tracking based on the access data in the suspected risk network node if the risk detection result is an abnormal result.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data processing method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions for causing a processor to implement the data processing method of any one of claims 1-7 when executed.
CN202311458795.6A 2023-11-03 2023-11-03 Data processing method and device, electronic equipment and storage medium Pending CN117424743A (en)

Publications (1)

Publication Number Publication Date
CN117424743A true CN117424743A (en) 2024-01-19

Family

ID=89524586

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640262A (en) * 2024-01-26 2024-03-01 杭州美创科技股份有限公司 Data asset isolation method, device, computer equipment and storage medium
CN117640262B (en) * 2024-01-26 2024-04-09 杭州美创科技股份有限公司 Data asset isolation method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination