CN117579386A - Network traffic safety control method, device and storage medium - Google Patents


Info

Publication number: CN117579386A
Authority: CN (China)
Application number: CN202410057238.1A
Other languages: Chinese (zh)
Other versions: CN117579386B (en)
Legal status: Granted, active
Inventors: 马桂才, 孔金珠, 谌志华, 王盛业, 周康玉, 李天昊, 屈宁, 杨诏钧, 魏立峰
Original and current assignee: Kirin Software Co Ltd

Classifications

(H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/40 Network security protocols


Abstract

The embodiment of the invention discloses a network traffic security control method, a device and a storage medium. A control policy set by a user in user space is received through a query policy interface and converted into a kernel-space control data table that kernel space can use directly. Kernel function modules configured for the purpose then check and process traffic packets against the kernel-space control data table, and specified traffic packets can be captured, copied and stored for further security audit by the user. User-defined control policies are therefore enforced in kernel space and cannot be bypassed. At the same time, capture and synchronous copying take place in kernel space, so traffic packets can be captured flexibly for the user's security audit without affecting outbound efficiency, and the overhead of passing data from kernel space to user space is reduced.

Description

Network traffic safety control method, device and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for controlling network traffic security, and a storage medium.
Background
Network attack methods are increasingly complex, and network traffic can carry clues to many kinds of threat information, so fine-grained security management and control of network traffic must be implemented: traffic has to be identified and managed more precisely in order to discover and defend against network threats. Demand for network security management and control applications built on the Linux operating system keeps growing; using the traffic-processing capability of the operating system to realise more intelligent network control helps organisations and enterprises protect themselves better and meet increasingly strict data-protection and compliance requirements.
In the prior art, the management and control policy is generally set in user space, network traffic packets are captured at the bottom layer, and the packets are then passed up to user space for management and control processing.
Disclosure of Invention
Embodiments of the invention provide a network traffic security control method, a device and a storage medium to solve the technical problem of the prior art that network traffic security control is inefficient and limited in capability.
In a first aspect, an embodiment of the present invention provides a network traffic security control method, including:
receiving a management and control policy issued by user space through a query policy interface;
generating a user-space management and control linked list according to the management and control policy;
converting the user-space management and control linked list into a kernel-space management and control data table;
checking an outbound traffic packet with a first kernel function module arranged on the traffic controller, determining whether the outbound traffic packet meets a control data requirement in the kernel-space management and control data table, and blocking and discarding the outbound traffic packet when it does;
otherwise, copying the outbound traffic packet, writing the copy into an outbound traffic capture queue and releasing the original packet; acquiring the copy from the outbound traffic capture queue with a second kernel function module and matching it against the traffic packet characteristics in a capture traffic mapping table; when the match succeeds, storing the copy in a data exchange ring buffer, from which a user-space capture interface reads and stores it; wherein the first kernel function module and the second kernel function module do not modify the original kernel code.
In a second aspect, an embodiment of the present invention further provides a network traffic security management and control device, including:
an acquisition module for receiving a management and control policy issued by user space through the query policy interface;
a generation module for generating a user-space management and control linked list according to the management and control policy;
a conversion module for converting the user-space management and control linked list into a kernel-space management and control data table;
a checking module for checking an outbound traffic packet with a first kernel function module arranged on the traffic controller, determining whether the outbound traffic packet meets the control data requirement in the kernel-space management and control data table, and blocking and discarding the outbound traffic packet when it does;
and a copying module for copying the outbound traffic packet, writing the copy into an outbound traffic capture queue, releasing the original packet, acquiring the copy from the outbound traffic capture queue with a second kernel function module, matching it against the traffic packet characteristics in the capture traffic mapping table, storing it in a data exchange ring buffer when the match succeeds, and having a user-space capture interface read and store it from the data exchange ring buffer; wherein the first kernel function module and the second kernel function module do not modify the original kernel code.
In a third aspect, embodiments of the present invention further provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the network traffic security management method provided by the above embodiments.
The network traffic security control method, device and storage medium provided by the embodiments of the invention receive a management and control policy issued by user space through the query policy interface; generate a user-space management and control linked list according to the policy; convert the linked list into a kernel-space management and control data table; check an outbound traffic packet with a first kernel function module arranged on the traffic controller, determine whether it meets the control data requirement in the kernel-space management and control data table, and block and discard it when it does; otherwise copy the packet, write the copy into an outbound traffic capture queue, release the original, acquire the copy from the queue with a second kernel function module, match it against the traffic packet characteristics in the capture traffic mapping table, store it in a data exchange ring buffer when the match succeeds, and have a user-space capture interface read and store it from the ring buffer; the first and second kernel function modules do not modify the original kernel code. The query policy interface thus receives the user-defined management and control policies from user space and converts them into a kernel-space management and control data table that kernel space can use directly.
The configured kernel function modules check and process traffic packets against the kernel-space management and control data table, and specified traffic packets can be captured, copied and stored for the user to review. User-defined control policies are enforced in kernel space and cannot be bypassed. At the same time, capture and synchronous copying take place in kernel space, so traffic packets can be captured flexibly for the user's reference without affecting outbound efficiency, and the overhead of passing data from kernel space to user space is reduced.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
Fig. 1 is a flowchart of a network traffic security control method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a network traffic security control method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a network traffic security control device according to a third embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a network traffic security control method according to an embodiment of the present invention. The embodiment applies to security control of network traffic on a Linux system; the method may be performed by a network traffic security control device and specifically includes the following steps:
Step 110: receive a management and control policy issued by user space through the query policy interface.
In this embodiment, a user may flexibly set a custom management and control policy in user space as required. The policy may include the process number of an application program or network five-tuple information, together with the corresponding control action, for example blocking or capture. A network five-tuple is the set of five fields that uniquely identifies a network data flow: source IP address, destination IP address, source port number, destination port number and transport-layer protocol (e.g., TCP or UDP).
Step 120: generate a user-space management and control linked list according to the management and control policy.
After the policy is acquired, its information is converted into linked-list form and stored in memory, producing the user-space management and control linked list. This makes it convenient for kernel space to fetch the policy and for the policy to be maintained later.
Step 130: convert the user-space management and control linked list into a kernel-space management and control data table.
To save kernel storage space and improve matching performance, the policies held in the kernel contain only network five-tuple information, and data packets are matched on the five-tuple alone. After the policies issued by the upper layer are received, the user-space management and control linked list is converted in format into the kernel-space management and control data table that holds the kernel policy.
Step 140: check the outbound traffic packet with a first kernel function module arranged on the traffic controller, determine whether the outbound traffic packet meets the control data requirement in the kernel-space management and control data table, and block and discard the outbound traffic packet when it does.
In this embodiment, the first, second, third and fourth kernel function modules are eBPF program modules, and the third kernel function module is an eBPF program module mounted on the eXpress Data Path (XDP).
Traditionally, adding new functionality to the kernel requires modifying the kernel source code or writing a kernel module; the extended Berkeley Packet Filter (eBPF) instead allows programs to run in the kernel without modifying the kernel source or adding further kernel modules.
The eXpress Data Path (XDP) is an eBPF hook in the Linux network processing path onto which an eBPF program can be mounted; it processes network packets as they arrive at the network card driver layer.
Alternatively, a second mode may be adopted: the first and second kernel function modules are netfilter-based outbound hook functions, and the third and fourth kernel function modules are netfilter-based inbound hook functions.
In this embodiment, the kernel-side policy is stored in a map of type BPF_MAP_TYPE_HASH. The map is shared among multiple eBPF programs, so the eBPF programs responsible for capturing and blocking network traffic can match quickly against this kernel-side policy table.
For outbound network traffic, the BPF interface of TC (traffic control) is used to capture and block traffic at the TC layer: the application's outbound traffic first passes through eBPF program 1, which checks whether the five-tuple of the network packet is in the kernel-space management and control data table; if so, the packet is blocked immediately and discarded.
When the second mode is adopted, hook function 1 and hook function 2 are loaded dynamically into the kernel as a KO kernel module, and capture and blocking of network traffic are implemented at the netfilter outbound hooks (NF_INET_LOCAL_OUT or NF_INET_POST_ROUTING): the application's outbound traffic first passes through hook function 1, which checks whether the five-tuple of the network packet is in the kernel-space management and control data table; if so, the packet is blocked immediately and discarded.
Step 150: otherwise, copy the outbound traffic packet, write the copy into an outbound traffic capture queue and release the original packet at the same time; acquire the copy from the outbound traffic capture queue with a second kernel function module and match it against the traffic packet characteristics in the capture traffic mapping table; when the match succeeds, store the copy in a data exchange ring buffer, from which a user-space capture interface reads and stores it. The first kernel function module and the second kernel function module do not modify the original kernel code.
In the first mode, if the five-tuple is not in the kernel-space management and control data table, the network packet is copied into a Map and the original packet is released (avoiding complex operations that would affect network performance). Meanwhile, a second eBPF program (eBPF program 2) checks the packets stored in the Map against the capture list: a packet that matches the capture list is put into a perf event buffer for the user-mode program to read as the capture result, and a packet that is not on the capture list is skipped directly.
In the second mode, the network packet is copied for the work queue 1 program and the original packet is released, again to avoid complex operations affecting network performance. Work queue 1 in the kernel, on receiving the copy, checks whether it matches the capture list; a matching packet is stored in a ring queue for the user-mode program to read as the capture result, and a non-matching packet is skipped directly. The kernel stores the captured data in the ring queue and exposes it to the user-space program as a character device. The ring queue gives a convenient producer/consumer transfer (the producer captures packets, the consumer reads them), manages memory efficiently, and avoids the overhead and memory fragmentation caused by frequent dynamic allocation. The character device, in turn, presents the data as a stream, which suits network traffic transfer.
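The two-stage outbound path of steps 140 and 150 (block on the kernel policy table, otherwise copy to a grab queue, then filter the copies against the capture list into a ring read by user space), as an added user-space C model that is not the patent's or Kirin Software's code: the TC eBPF programs, the BPF_MAP_TYPE_HASH map, the grab Map or work queue and the perf event buffer or ring queue are replaced by plain C structures so the control flow and the fixed-size ring can be run offline; the addresses, ports and pid in the demo are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Five-tuple: the only key the kernel-space control table holds (step 130).
 * IPv4 addresses are kept in host byte order in this model; proto 6 = TCP, 17 = UDP. */
struct five_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Stands in for the BPF_MAP_TYPE_HASH policy map shared by the eBPF programs. */
#define TABLE_MAX 64
struct policy_table { struct five_tuple key[TABLE_MAX]; size_t n; };

static bool tuple_eq(const struct five_tuple *a, const struct five_tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static bool table_lookup(const struct policy_table *t, const struct five_tuple *k)
{
    for (size_t i = 0; i < t->n; i++)
        if (tuple_eq(&t->key[i], k)) return true;
    return false;
}

/* Copy of a packet as the grab path carries it: five-tuple, owning pid, timestamp. */
struct pkt_copy { struct five_tuple ft; uint32_t pid; uint64_t ts_ns; };

/* Fixed-size single-producer/single-consumer ring, used both for the grab queue
 * (stage 1 -> stage 2) and for the data-exchange ring read by user space. Memory is
 * preallocated, so there is no per-packet allocation or fragmentation; when the ring
 * is full the new copy is counted as dropped instead of stalling the sender. */
#define RING_SLOTS 8
struct ring { struct pkt_copy slot[RING_SLOTS]; size_t head, tail, dropped; };

static bool ring_push(struct ring *r, const struct pkt_copy *p)
{
    size_t next = (r->head + 1) % RING_SLOTS;
    if (next == r->tail) { r->dropped++; return false; }   /* full */
    r->slot[r->head] = *p;
    r->head = next;
    return true;
}

static bool ring_pop(struct ring *r, struct pkt_copy *out)
{
    if (r->head == r->tail) return false;                   /* empty */
    *out = r->slot[r->tail];
    r->tail = (r->tail + 1) % RING_SLOTS;
    return true;
}

/* Stage 1 (eBPF program 1 / hook function 1 at the egress hook): drop if the
 * five-tuple is in the blocking table, else enqueue a copy and release the original. */
static enum verdict egress_check(const struct policy_table *block,
                                 struct ring *grab_queue, const struct pkt_copy *pkt)
{
    if (table_lookup(block, &pkt->ft)) return VERDICT_DROP;
    ring_push(grab_queue, pkt);          /* copy only; the packet itself is not delayed */
    return VERDICT_PASS;
}

/* Stage 2 (eBPF program 2 / work queue 1): drain the grab queue, keep only copies on
 * the capture list and forward them to the user-space ring. Returns copies forwarded. */
static size_t capture_worker(const struct policy_table *capture,
                             struct ring *grab_queue, struct ring *to_user)
{
    struct pkt_copy p;
    size_t forwarded = 0;
    while (ring_pop(grab_queue, &p)) {
        if (!table_lookup(capture, &p.ft)) continue;   /* not on the grab list: skip */
        if (ring_push(to_user, &p)) forwarded++;
    }
    return forwarded;
}

/* Constructed demo: three outbound packets from sample pid 4242. The blocking table
 * holds the flow to 10.0.0.9:23, the capture table the flow to 10.0.0.5:443. Writes
 * the drop count to *dropped and returns the copies delivered to user space. */
static size_t demo(size_t *dropped)
{
    struct five_tuple telnet = { 0x0A000001u, 0x0A000009u, 40001, 23, 6 };
    struct five_tuple https  = { 0x0A000001u, 0x0A000005u, 40002, 443, 6 };
    struct five_tuple dns    = { 0x0A000001u, 0x0A000035u, 40003, 53, 17 };
    struct pkt_copy pkts[3] = { { telnet, 4242, 1000 }, { https, 4242, 2000 }, { dns, 4242, 3000 } };
    struct policy_table block = { .n = 0 }, capture = { .n = 0 };
    struct ring grab = { .head = 0 }, user = { .head = 0 };

    block.key[block.n++] = telnet;       /* policy: block */
    capture.key[capture.n++] = https;    /* policy: capture */
    *dropped = 0;
    for (int i = 0; i < 3; i++)
        if (egress_check(&block, &grab, &pkts[i]) == VERDICT_DROP) (*dropped)++;
    return capture_worker(&capture, &grab, &user);   /* expected: 1 delivered, 1 dropped */
}
```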
In the same manner, inbound traffic may also be managed and controlled, and the method accordingly further includes: checking an inbound traffic packet with a third kernel function module, determining whether the inbound traffic packet meets the control data requirement in the kernel-space management and control data table, and blocking and discarding the inbound traffic packet when it does;
otherwise, copying the inbound traffic packet, writing the copy into an inbound traffic capture queue and releasing the original packet at the same time; acquiring the copy from the inbound traffic capture queue with a fourth kernel function module and matching it against the traffic packet characteristics in the capture traffic mapping table; when the match succeeds, storing the copy in a data exchange ring buffer, from which a user-space capture interface reads and stores it; wherein the third kernel function module and the fourth kernel function module do not modify the original kernel code. This too can be implemented in two ways. In the first, the first, second, third and fourth kernel function modules are eBPF program modules, and the third kernel function module is an eBPF program module mounted on XDP, the fast data path at the driver layer.
In the second, hook functions are used: the first and second kernel function modules are netfilter-based outbound hook functions, and the third and fourth kernel function modules are netfilter-based inbound hook functions.
Specifically, in the first way, inbound network traffic is acquired and blocked at the XDP hook. XDP sits at the driver layer, so the packet has not yet entered the network protocol stack. The flow is similar to the outbound case: eBPF program 3 checks whether the five-tuple of the current network packet is in the blocking policy table and, if so, blocks immediately and discards the packet; if not, eBPF program 4 further checks whether the packet is in the capture policy table and, if so, puts it into the perf event buffer for the user-mode program to read; otherwise the packet is skipped directly.
In the second way, inbound network traffic is acquired and blocked at a netfilter inbound hook (NF_INET_LOCAL_IN or NF_INET_PRE_ROUTING). Again the flow is similar to the outbound case: hook function 2 checks whether the five-tuple of the current network packet is in the blocking policy table and, if so, blocks immediately and discards the packet; if not, a copy of the packet is handed to work queue 2, which checks whether it matches the capture list and, if so, puts it into the ring queue for the user-mode program to read; otherwise the packet is skipped directly.
This embodiment receives a management and control policy issued by user space through the query policy interface; generates a user-space management and control linked list according to the policy; converts the linked list into a kernel-space management and control data table; checks an outbound traffic packet with a first kernel function module arranged on the traffic controller, determines whether it meets the control data requirement in the kernel-space management and control data table, and blocks and discards it when it does; otherwise copies the packet, writes the copy into an outbound traffic capture queue, releases the original, acquires the copy from the queue with a second kernel function module, matches it against the traffic packet characteristics in the capture traffic mapping table, stores it in a data exchange ring buffer when the match succeeds, and has a user-space capture interface read and store it from the ring buffer; the first and second kernel function modules do not modify the original kernel code. The query policy interface thus receives the user-defined management and control policies from user space and converts them into a kernel-space management and control data table that kernel space can use directly. The configured kernel function modules check and process traffic packets against the kernel-space management and control data table, and specified traffic packets can be captured, copied and stored for the user's security audit.
User-defined control policies are enforced in kernel space and cannot be bypassed. At the same time, capture and synchronous copying take place in kernel space, so traffic packets can be captured flexibly for the user's reference without affecting outbound efficiency, and the overhead of passing data from kernel space to user space is reduced.
In a preferred implementation of this embodiment, the method may further include: receiving a management and control rule sent through a development interface, and generating the user-space management and control policy from that rule. An interface layer provides a unified development interface for application developers, removing the inconsistency among existing development-library interfaces: the capture and blocking functions of the current operating system can be used directly through the development library, and operations are targeted by means of policies so that security audit and blocking services can be built on top. A policy supports fields such as process name, process PID and network five-tuple information. The main interfaces provided are: an interface for issuing a policy to capture network traffic, an interface for issuing a policy to block network traffic, an interface for obtaining captured network traffic data, and an interface for obtaining the logs related to blocked network traffic. Using the development interface, users can flexibly define all kinds of control rules.
Example 2
Fig. 2 is a flowchart of a network traffic security control method according to a second embodiment of the present invention, which optimises the foregoing embodiment. The conversion of the user-space management and control linked list into the kernel-space management and control data table is refined as follows: obtaining the incomplete process information and network five-tuple information from the user-space management and control linked list; using several kernel function modules to capture process information and network five-tuple information, as directed by the management and control policy, in the functions that bind and unbind network ports; and generating the kernel-space management and control data table from the network five-tuple information and storing it in memory.
Referring to Fig. 2, the network traffic security management and control method includes:
Step 210: receive a management and control policy issued by user space through the query policy interface, and generate a user-space management and control linked list according to the policy.
Step 220: obtain the incomplete process information and network five-tuple information from the user-space management and control linked list, and use several kernel function modules to capture process information and network five-tuple information respectively in the functions that bind and unbind network ports, as directed by the management and control policy.
After a policy issued by the upper layer is received, it has to be converted into a kernel-side policy, but a user-defined policy may contain only process information or only some of the five-tuple fields. It therefore has to be completed. To capture the process information, eBPF can be used, for example: several BPF programs capture process information and network five-tuple information respectively in the functions that bind and unbind network ports, and write what they capture into the same Map data table. The eBPF programs must be attached at several kernel functions, which differ by network protocol. For TCP, the eBPF programs are attached to tcp_connect(), inet_csk_accept(), tcp_close(), tcp_fin(), __inet_bind() and __inet6_bind(); for UDP, which has no connection establishment or release, they are attached to udp_lib_unhash(), udp_recvmsg() and udpv6_recvmsg(). From this information the process and five-tuple can be obtained and the management and control information completed.
In addition, a further eBPF program may be provided to maintain the data table, for example to clear old entries whose flag marks the record as released.
Step 230: generate the kernel-space management and control data table from the network five-tuple information and store it in memory.
The kernel-space management and control data table is generated from the five-tuple information obtained in the preceding steps.
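Completing a partially specified user-space rule into concrete five-tuple keys for the kernel table (steps 220 and 230), as an added user-space C model that is not the patent's code: the eBPF programs attached to tcp_connect(), inet_csk_accept(), __inet_bind() and tcp_close() are replaced by a constructed stream of (pid, five-tuple) observations, the shared Map by an array, and the released flag with its purge pass models the maintenance program described above; the field-mask encoding of a rule, the event names and all sample values are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
struct five_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Which fields a user-space rule specified (assumed encoding): pid only, some tuple fields, or both. */
enum { F_PID = 1, F_SADDR = 2, F_DADDR = 4, F_SPORT = 8, F_DPORT = 16, F_PROTO = 32 };
struct user_policy { uint32_t mask; uint32_t pid; struct five_tuple ft; };

/* One socket-lifecycle observation: connect/accept/bind -> EV_BOUND, close/unhash -> EV_RELEASED. */
enum ev_kind { EV_BOUND = 0, EV_RELEASED = 1 };
struct sock_event { enum ev_kind kind; uint32_t pid; struct five_tuple ft; };

/* Kernel-side table: complete five-tuples, the pid each came from, and a released flag. */
#define KTABLE_MAX 32
struct kentry { struct five_tuple ft; uint32_t pid; bool released; };
struct ktable { struct kentry row[KTABLE_MAX]; size_t n; };

static bool tuple_eq(const struct five_tuple *a, const struct five_tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* A rule matches an observation when every field the user specified agrees;
 * unspecified fields are wildcards. */
static bool policy_matches(const struct user_policy *p, const struct sock_event *e)
{
    if ((p->mask & F_PID)   && p->pid      != e->pid)      return false;
    if ((p->mask & F_SADDR) && p->ft.saddr != e->ft.saddr) return false;
    if ((p->mask & F_DADDR) && p->ft.daddr != e->ft.daddr) return false;
    if ((p->mask & F_SPORT) && p->ft.sport != e->ft.sport) return false;
    if ((p->mask & F_DPORT) && p->ft.dport != e->ft.dport) return false;
    if ((p->mask & F_PROTO) && p->ft.proto != e->ft.proto) return false;
    return true;
}

static struct kentry *ktable_find(struct ktable *t, const struct five_tuple *ft)
{
    for (size_t i = 0; i < t->n; i++)
        if (tuple_eq(&t->row[i].ft, ft)) return &t->row[i];
    return NULL;
}

/* Apply one observation: on EV_BOUND insert a complete key if any rule matches (one
 * row per five-tuple); on EV_RELEASED flag the row. Returns true if the table changed. */
static bool ktable_apply(struct ktable *t, const struct user_policy *pols, size_t npol,
                         const struct sock_event *e)
{
    struct kentry *row = ktable_find(t, &e->ft);
    if (e->kind == EV_RELEASED) {
        if (!row || row->released) return false;
        row->released = true;
        return true;
    }
    if (row) { row->released = false; return false; }      /* re-bound flow: revive */
    for (size_t i = 0; i < npol; i++) {
        if (!policy_matches(&pols[i], e)) continue;
        if (t->n >= KTABLE_MAX) return false;
        t->row[t->n++] = (struct kentry){ e->ft, e->pid, false };
        return true;
    }
    return false;                                          /* no rule covers this flow */
}

/* Maintenance pass (the extra eBPF program of the text): remove released rows; returns count removed. */
static size_t ktable_purge(struct ktable *t)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; i < t->n; i++) {
        if (t->row[i].released) { removed++; continue; }
        t->row[kept++] = t->row[i];
    }
    t->n = kept;
    return removed;
}

/* Constructed demo: rule A names only pid 1200, rule B only dport 443/TCP. Events:
 * pid 1200 connects to 10.0.0.8:22, pid 1300 to 10.0.0.5:443, pid 1400 to 10.0.0.6:80
 * (matches no rule), then pid 1200 closes. Returns rows left after the purge. */
static size_t demo(size_t *rows_before_purge)
{
    struct user_policy pols[2] = {
        { F_PID, 1200, { 0, 0, 0, 0, 0 } },
        { F_DPORT | F_PROTO, 0, { 0, 0, 0, 443, 6 } },
    };
    struct sock_event evs[4] = {
        { EV_BOUND,    1200, { 0x0A000001u, 0x0A000008u, 50001, 22,  6 } },
        { EV_BOUND,    1300, { 0x0A000001u, 0x0A000005u, 50002, 443, 6 } },
        { EV_BOUND,    1400, { 0x0A000001u, 0x0A000006u, 50003, 80,  6 } },
        { EV_RELEASED, 1200, { 0x0A000001u, 0x0A000008u, 50001, 22,  6 } },
    };
    struct ktable kt = { .n = 0 };
    for (int i = 0; i < 4; i++) ktable_apply(&kt, pols, 2, &evs[i]);
    *rows_before_purge = kt.n;        /* 2: both matched flows, one flagged released */
    ktable_purge(&kt);
    return kt.n;                      /* 1: only the 443 flow remains */
}
```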
And 240, checking the outbound flow data packet by using a first kernel function module arranged by the flow controller, determining whether the outbound flow data packet meets the control data requirement in a kernel space control data table, and blocking and discarding the outbound flow data packet when the outbound flow data packet meets the control data requirement.
And 250, if not, copying the outbound flow data packet, writing the copied outbound flow data packet into an outbound flow grabbing queue, simultaneously releasing the outbound flow data packet, acquiring the outbound flow data packet in the outbound flow grabbing queue by using a second kernel function module, matching the outbound flow data packet with the flow data packet characteristics in a grabbing flow mapping table, storing the outbound flow data packet into a data exchange annular buffer area when matching is successful, and reading and storing the outbound flow data packet from the data exchange annular buffer area by a user space grabbing interface, wherein the first kernel function module and the second kernel function module do not modify the original kernel code.
This embodiment converts the user space management and control linked list into a kernel space management and control data table, optimized as follows: incomplete process information and network five-tuple information is obtained from the user space management and control linked list; a plurality of kernel function modules capture process information and network five-tuple information in the functions that bind and unbind the network port, according to the management and control strategy; and the kernel space management and control data table is generated from the network five-tuple information and stored in memory. When five-tuple information is missing from a management and control strategy set in user space, the kernel function modules can quickly obtain accurate five-tuple information, so the kernel space management and control data table is completed and network traffic is managed and controlled safely and accurately.
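The policy-completion and outbound check path of steps 220 to 250, as an added Python reference model that is not the patent's code: the socket events stand in for what the eBPF probes on the bind/connect/accept/close functions would write to the shared Map, the netfilter or XDP dispatch is replaced by a plain function call, and the grabbing flow mapping table is modelled as the "capture" rows of the same completed table; all names, addresses and pids are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Five-tuple (src_ip, src_port, dst_ip, dst_port, proto). None marks a field that
# the user-defined policy left unspecified and acts as a wildcard.
FiveTuple = Tuple[Optional[str], Optional[int], Optional[str], Optional[int], Optional[str]]


@dataclass
class Policy:
    comm: Optional[str]     # process name, or None when the policy names no process
    five_tuple: FiveTuple   # possibly partial five-tuple
    action: str             # "block" (drop) or "capture" (copy to the grab queue)


@dataclass
class SocketEvent:
    """One entry of the shared Map as the bind/connect/accept probes would fill it (constructed)."""
    pid: int
    comm: str
    five_tuple: FiveTuple
    released: bool = False  # set by the close/fin/unhash probes


def matches(pattern: FiveTuple, actual: FiveTuple) -> bool:
    """Wildcard-aware comparison of a possibly partial pattern against a concrete tuple."""
    return all(p is None or p == a for p, a in zip(pattern, actual))


def sweep_released(socket_map: List[SocketEvent]) -> List[SocketEvent]:
    """Maintenance program: drop entries whose flag was set to the released state."""
    return [ev for ev in socket_map if not ev.released]


def build_control_table(policies: List[Policy], socket_map: List[SocketEvent]) -> List[Dict]:
    """Convert the user-space policy list into concrete kernel-space table rows.

    A policy that names only a process, or only some five-tuple fields, is
    completed with the pid and full five-tuple of every live socket it fits."""
    rows = []
    for pol in policies:
        for ev in sweep_released(socket_map):
            if pol.comm is not None and pol.comm != ev.comm:
                continue
            if not matches(pol.five_tuple, ev.five_tuple):
                continue
            rows.append({"pid": ev.pid, "five_tuple": ev.five_tuple, "action": pol.action})
    return rows


def outbound_verdict(pkt: Dict, table: List[Dict], grab_queue: List[Dict], ring: List[Dict]) -> str:
    """First kernel module: DROP a packet that hits a block row; otherwise copy it
    into the grab queue and ACCEPT the original. Second kernel module: move the
    copies that hit a capture row from the grab queue into the ring buffer."""
    for row in table:
        if row["action"] == "block" and row["five_tuple"] == pkt["five_tuple"]:
            return "DROP"
    grab_queue.append(dict(pkt))  # copy; the original packet is released unchanged
    while grab_queue:             # second module drains the queue
        copy = grab_queue.pop(0)
        if any(r["action"] == "capture" and r["five_tuple"] == copy["five_tuple"] for r in table):
            ring.append(copy)
    return "ACCEPT"


def demo() -> Dict:
    """Constructed scenario: a process-only block policy and a port-only capture
    policy, completed against two live sockets and one already released socket."""
    socket_map = [
        SocketEvent(1201, "curl", ("10.0.0.5", 40001, "203.0.113.9", 443, "tcp")),
        SocketEvent(1337, "agent", ("10.0.0.5", 40002, "198.51.100.7", 53, "udp")),
        SocketEvent(1400, "curl", ("10.0.0.5", 40003, "203.0.113.9", 80, "tcp"), released=True),
    ]
    policies = [
        Policy("agent", (None, None, None, None, None), "block"),  # process only
        Policy(None, (None, None, None, 443, None), "capture"),   # destination port only
    ]
    table = build_control_table(policies, socket_map)
    grab_queue: List[Dict] = []
    ring: List[Dict] = []
    verdicts = {}
    for pkt in [
        {"pid": 1337, "five_tuple": ("10.0.0.5", 40002, "198.51.100.7", 53, "udp")},
        {"pid": 1201, "five_tuple": ("10.0.0.5", 40001, "203.0.113.9", 443, "tcp")},
        {"pid": 1400, "five_tuple": ("10.0.0.5", 40003, "203.0.113.9", 80, "tcp")},
    ]:
        verdicts[pkt["pid"]] = outbound_verdict(pkt, table, grab_queue, ring)
    return {"rows": len(table), "verdicts": verdicts, "captured": len(ring)}


if __name__ == "__main__":
    print(demo())
```

The released socket contributes no row, so its packet is neither dropped nor captured even though the same process name appears in a policy.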
In a preferred implementation of this embodiment, the method may further comprise the steps of: reading the process number, time and network five-tuple information of the outbound traffic packet from the outbound traffic grabbing queue; matching, in the inbound traffic grabbing queue, the inbound traffic packets that correspond to the outbound traffic packet, based on the time and network five-tuple information of the outbound packet; and modifying the process number of the matched inbound traffic packet according to the process number in the outbound traffic packet or the completed user space management and control linked list. Because inbound traffic is captured in a context where the code reads the current process, the process information obtained there is inaccurate: the process number is sometimes 0 rather than that of the application process to which the traffic belongs. Outbound traffic, by contrast, yields the correct process information. Using this property, the erroneous process number can be corrected; it can also be corrected from the user space management and control linked list completed by the method above. In this way every captured flow is correctly matched with the process information to which it belongs.
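The process-number correction described above, as an added Python example that is not the patent's code: it assumes an inbound packet's five-tuple is the outbound one with source and destination swapped, that the grab queues are lists of dicts carrying pid, time and five_tuple, and that the completed user space linked list is a dict from outbound five-tuple to pid; all sample values are constructed.

```python
from typing import Dict, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto), concrete values only.
FiveTuple = Tuple[str, int, str, int, str]


def reverse(ft: FiveTuple) -> FiveTuple:
    """An inbound packet's five-tuple is the outbound one with the endpoints swapped."""
    return (ft[2], ft[3], ft[0], ft[1], ft[4])


def correct_inbound_pids(outbound_queue: List[Dict], inbound_queue: List[Dict],
                         control_list: Dict[FiveTuple, int], window: float = 1.0) -> List[Dict]:
    """Return corrected copies of the inbound grab-queue entries.

    Inbound packets are captured in a receive context where 'current' is not the
    owning process, so their pid is unreliable (often 0). For each inbound packet,
    take the pid of the most recent outbound packet of the same flow sent within
    `window` seconds before it; failing that, fall back to the completed user
    space linked list, which maps the outbound five-tuple to the owning pid."""
    fixed = []
    for inb in inbound_queue:
        flow = reverse(inb["five_tuple"])
        candidates = [o for o in outbound_queue
                      if o["five_tuple"] == flow and 0 <= inb["time"] - o["time"] <= window]
        pkt = dict(inb)
        if candidates:
            pkt["pid"] = max(candidates, key=lambda o: o["time"])["pid"]
        elif flow in control_list:
            pkt["pid"] = control_list[flow]
        fixed.append(pkt)  # an unknown flow keeps its captured pid
    return fixed


def demo() -> List[int]:
    """Constructed queues: two replies matched by time, one late reply resolved
    from the control list, and one flow nobody knows about (pid stays 0)."""
    out_q = [
        {"pid": 1201, "time": 10.00, "five_tuple": ("10.0.0.5", 40001, "203.0.113.9", 443, "tcp")},
        {"pid": 1337, "time": 10.20, "five_tuple": ("10.0.0.5", 40002, "198.51.100.7", 53, "udp")},
    ]
    in_q = [
        {"pid": 0, "time": 10.05, "five_tuple": ("203.0.113.9", 443, "10.0.0.5", 40001, "tcp")},
        {"pid": 0, "time": 10.21, "five_tuple": ("198.51.100.7", 53, "10.0.0.5", 40002, "udp")},
        {"pid": 0, "time": 15.00, "five_tuple": ("203.0.113.9", 443, "10.0.0.5", 40001, "tcp")},
        {"pid": 0, "time": 16.00, "five_tuple": ("192.0.2.1", 9999, "10.0.0.5", 40009, "tcp")},
    ]
    control_list = {("10.0.0.5", 40001, "203.0.113.9", 443, "tcp"): 1201}
    return [p["pid"] for p in correct_inbound_pids(out_q, in_q, control_list)]


if __name__ == "__main__":
    print(demo())
```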
Example III
Fig. 3 is a schematic structural diagram of a network traffic safety control device provided in a third embodiment of the present invention. Referring to Fig. 3, the network traffic safety control device includes:
the acquisition module is used for receiving a management and control strategy issued by the user space from the inquiry strategy interface;
the generation module is used for generating a user space management and control linked list according to the management and control strategy;
the conversion module is used for converting the user space management and control linked list into a kernel space management and control data table;
the checking module is used for checking the outbound flow data packet by using a first kernel function module arranged on the flow controller, determining whether the outbound flow data packet meets the control data requirement in the kernel space control data table, and blocking and discarding the outbound flow data packet when the outbound flow data packet meets the control data requirement;
and the copying module is used for copying the outbound flow data packet, writing the copied outbound flow data packet into an outbound flow grabbing queue, releasing the outbound flow data packet, acquiring the outbound flow data packet in the outbound flow grabbing queue by using the second kernel function module, matching the outbound flow data packet with the flow data packet characteristics in the grabbing flow mapping table, storing the outbound flow data packet into a data exchange annular buffer area when matching is successful, and reading and storing the outbound flow data packet from the data exchange annular buffer area by using a user space grabbing interface, wherein the first kernel function module and the second kernel function module do not modify the original kernel code.
The network traffic safety control device provided by this embodiment receives the management and control strategy issued by the user space from the query strategy interface; generates a user space management and control linked list according to the strategy; converts the linked list into a kernel space management and control data table; checks the outbound traffic data packet with a first kernel function module installed on the flow controller, determines whether the packet matches a management and control entry in the kernel space management and control data table, and blocks and discards the packet when it does; otherwise it copies the outbound traffic data packet, writes the copy into the outbound traffic grabbing queue and releases the original packet, a second kernel function module takes the packet from the outbound traffic grabbing queue and matches it against the traffic packet characteristics in the grabbing flow mapping table, on a match the packet is stored into the data exchange ring buffer, and the user space grabbing interface reads and stores the packet from the data exchange ring buffer; neither the first nor the second kernel function module modifies the original kernel code. The query strategy interface thus receives a set of user-defined management and control strategies from user space and converts them into a kernel space management and control data table that the kernel can use directly. The installed kernel function modules check and process traffic packets against that table, and specific traffic packets can be captured, copied and stored for the user to review.
User-defined management and control strategies are enforced in kernel space and cannot be bypassed from user space. At the same time, grabbing and synchronous copying take place in kernel space, so traffic packets can be captured flexibly for the user's reference without affecting outbound efficiency, and the overhead of crossing from kernel space to user space is reduced.
On the basis of the above embodiments, the device further includes:
the inbound checking module is used for checking inbound traffic data packets by utilizing the third kernel functional module, determining whether the inbound traffic data packets meet the control data requirements in the kernel space control data table, and blocking and discarding the inbound traffic data packets when the inbound traffic data packets meet the control data requirements;
the inbound copying module is used for copying the inbound traffic data packet, writing the copied inbound traffic data packet into an inbound traffic grabbing queue, simultaneously releasing the inbound traffic data packet, acquiring the inbound traffic data packet in the inbound traffic grabbing queue by using a fourth kernel function module, matching the inbound traffic data packet with the traffic data packet characteristics in the grabbing traffic mapping table, storing the inbound traffic data packet into a data exchange ring buffer area when matching is successful, and reading and storing the inbound traffic data packet from the data exchange ring buffer area by a user space grabbing interface, wherein the third kernel function module and the fourth kernel function module do not modify the original kernel code.
On the basis of the above embodiments, the first, second, third and fourth kernel function modules are eBPF program modules, and the third kernel function module is an eBPF program module attached at the XDP (eXpress Data Path) hook of the driver layer.
Based on the above embodiments, the first kernel function module and the second kernel function module are netfilter-based first outbound hook functions, and the third kernel function module and the fourth kernel function module are netfilter-based first inbound hook functions.
On the basis of the above embodiments, the conversion module includes:
the acquisition unit is used for acquiring incomplete process information and network quintuple information according to the user space management and control linked list;
the capturing unit is used for capturing process information and network five-tuple information in the binding and unbinding related functions of the network port respectively according to the management and control strategy by utilizing the plurality of kernel function modules;
and the generating unit is used for generating a kernel space management and control data table by utilizing the network five-tuple information and storing the kernel space management and control data table in a memory.
On the basis of the above embodiments, the plurality of kernel function modules comprises:
a plurality of eBPF programs;
correspondingly, the capturing unit is used for:
for TCP network traffic packets, capturing process information and network five-tuple information according to the management and control strategy in the TCP connect, TCP close, TCP passive-close (FIN receive), transport-layer accept and bind functions respectively;
and for UDP network traffic packets, capturing process information and network five-tuple information according to the management and control strategy in the socket four-tuple unhash function and the UDP and UDPv6 receive-message functions respectively.
On the basis of the above embodiments, the device further includes:
the information reading module is used for reading the process number, time and network quintuple information in the outbound flow packet from the outbound flow grabbing queue;
the inbound traffic packet grabbing module is used for matching inbound traffic packets corresponding to the outbound traffic packets in an inbound traffic grabbing queue based on time and network quintuple information in the outbound traffic packets;
and the modification module is used for modifying the process number matched with the corresponding inbound traffic packet according to the process number in the outbound traffic packet or the complete user space management linked list.
On the basis of the above embodiments, the device further includes:
the management and control rule receiving module is used for receiving management and control rules sent by the development interface;
and the management and control strategy generation module is used for generating a management and control strategy of the user space based on the management and control rule.
The network traffic safety control device provided by the embodiment of the invention can execute the network traffic safety control method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to executing that method.
Example IV
A fourth embodiment of the present invention also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a network traffic security management method as provided in any of the above embodiments.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or device. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1. A method for controlling network traffic security, comprising:
receiving a management and control strategy issued by a user space from a query strategy interface;
generating a user space management and control linked list according to the management and control strategy;
converting the user space management and control linked list into a kernel space management and control data table;
checking an outbound flow data packet by using a first kernel functional module arranged on a flow controller, determining whether the outbound flow data packet meets the control data requirement in a kernel space control data table, and blocking and discarding the outbound flow data packet when the outbound flow data packet meets the control data requirement;
otherwise, the outbound flow data packet is copied, the copied outbound flow data packet is written into an outbound flow grabbing queue, the outbound flow data packet is released, the second kernel function module is used for acquiring the outbound flow data packet in the outbound flow grabbing queue and matching with the flow data packet characteristics in the grabbing flow mapping table, when matching is successful, the outbound flow data packet is stored into a data exchange annular buffer zone, a user space grabbing interface reads and stores the outbound flow data packet from the data exchange annular buffer zone, and the first kernel function module and the second kernel function module do not modify the original kernel code.
2. The method according to claim 1, wherein the method further comprises:
checking an inbound traffic data packet by using a third kernel function module, determining whether the inbound traffic data packet meets the control data requirement in a kernel space control data table, and blocking and discarding the inbound traffic data packet when the inbound traffic data packet meets the control data requirement;
otherwise, the inbound traffic data packet is copied, the copied inbound traffic data packet is written into an inbound traffic grabbing queue, meanwhile, the inbound traffic data packet is released, the inbound traffic data packet in the inbound traffic grabbing queue is obtained by utilizing a fourth kernel function module and is matched with the traffic data packet characteristics in the grabbing traffic mapping table, when the matching is successful, the inbound traffic data packet is stored into a data exchange annular buffer zone, a user space grabbing interface reads and stores the inbound traffic data packet from the data exchange annular buffer zone, and the third kernel function module and the fourth kernel function module do not modify the original kernel code.
3. The method of claim 2, wherein the first, second, third and fourth kernel function modules are eBPF program modules and the third kernel function module is an eBPF program module attached at the XDP fast data path.
4. The method of claim 2, wherein the first and second kernel function modules are netfilter-based first outbound hook functions and the third and fourth kernel function modules are netfilter-based first inbound hook functions.
5. The method of claim 1, wherein converting the user space management linked list into a kernel space management data table comprises:
acquiring incomplete process information and network quintuple information according to the user space management and control linked list;
capturing process information and network five-tuple information in the binding and unbinding related functions of the network port according to the management and control strategy by utilizing a plurality of kernel function modules;
and generating a kernel space management and control data table by utilizing the network five-tuple information, and storing the kernel space management and control data table in a memory.
6. The method of claim 5, wherein the plurality of kernel function modules comprises a plurality of eBPF programs, and capturing process information and network five-tuple information in the binding and unbinding related functions of the network port according to the management and control strategy by the plurality of eBPF programs comprises:
for TCP network traffic packets, capturing process information and network five-tuple information according to the management and control strategy in the TCP connect, TCP close, TCP passive-close (FIN receive), transport-layer accept and bind functions respectively;
and for UDP network traffic packets, capturing process information and network five-tuple information according to the management and control strategy in the socket four-tuple unhash function and the UDP and UDPv6 receive-message functions respectively.
7. The method according to claim 2, wherein the method further comprises:
reading the process number, time and network quintuple information in the outbound traffic packet from an outbound traffic grabbing queue;
matching inbound traffic packets in an inbound traffic grabbing queue corresponding to the outbound traffic packets based on time and network quintuple information in the outbound traffic packets;
and modifying the process number matched with the corresponding inbound traffic packet according to the process number in the outbound traffic packet or the complete user space management and control linked list.
8. The method according to claim 1, wherein the method further comprises:
receiving a management and control rule sent by a development interface;
and generating a management and control strategy of the user space based on the management and control rule.
9. A network traffic security management and control apparatus, comprising:
the acquisition module is used for receiving a management and control strategy issued by the user space from the inquiry strategy interface;
the generation module is used for generating a user space management and control linked list according to the management and control strategy;
the conversion module is used for converting the user space management and control linked list into a kernel space management and control data table;
the checking module is used for checking the outbound flow data packet by using a first kernel function module arranged on the flow controller, determining whether the outbound flow data packet meets the control data requirement in the kernel space control data table, and blocking and discarding the outbound flow data packet when the outbound flow data packet meets the control data requirement;
and the copying module is used for copying the outbound flow data packet, writing the copied outbound flow data packet into an outbound flow grabbing queue, releasing the outbound flow data packet, acquiring the outbound flow data packet in the outbound flow grabbing queue by using the second kernel function module, matching the outbound flow data packet with the flow data packet characteristics in the grabbing flow mapping table, storing the outbound flow data packet into a data exchange annular buffer area when matching is successful, and reading and storing the outbound flow data packet from the data exchange annular buffer area by using a user space grabbing interface, wherein the first kernel function module and the second kernel function module do not modify the original kernel code.
10. A storage medium containing computer executable instructions which, when executed by a computer processor, are for performing the network traffic security management method of any of claims 1-8.
CN202410057238.1A 2024-01-16 2024-01-16 Network traffic safety control method, device and storage medium Active CN117579386B (en)

Publications (2)

Publication Number Publication Date
CN117579386A true CN117579386A (en) 2024-02-20
CN117579386B CN117579386B (en) 2024-04-12


Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040010473A1 (en) * 2002-07-11 2004-01-15 Wan-Yen Hsu Rule-based packet selection, storage, and access method and system
WO2009072755A2 (en) * 2007-12-07 2009-06-11 Markany Inc. Digital information security system, kernel driver apparatus and digital information security method
US20090225767A1 (en) * 2008-03-05 2009-09-10 Inventec Corporation Network packet capturing method
US20110170412A1 (en) * 2010-01-11 2011-07-14 Krishna Ramadas Radio access network load and condition aware traffic shaping control
CN103391256A (en) * 2013-07-25 2013-11-13 武汉邮电科学研究院 Base station user plane data processing and optimizing method based on Linux system
US20140293893A1 (en) * 2013-03-28 2014-10-02 Samsung Electronics Co., Ltd. Aggregation of fdd and tdd cells
US20170099228A1 (en) * 2015-10-02 2017-04-06 Headwater Partners I Llc Mobile Device With In-Situ Network Activity Management
US20170185680A1 (en) * 2014-10-17 2017-06-29 Surfilter Network Technology Co., Ltd Chinese website classification method and system based on characteristic analysis of website homepage
CN112148488A (en) * 2020-09-22 2020-12-29 杭州电魂网络科技股份有限公司 Message processing method and system based on multi-cycle cache
WO2021164262A1 (en) * 2020-02-18 2021-08-26 平安科技(深圳)有限公司 Traffic collection method and apparatus for virtual network, and computer device and storage medium
US11588586B2 (en) * 2019-10-30 2023-02-21 Qualcomm Incorporated HARQ operation for broadcast in FR2
CN115834448A (en) * 2022-11-24 2023-03-21 上海交通大学 System and method for monitoring light-weight container flow on host side based on eBPF
US20230136134A1 (en) * 2021-08-24 2023-05-04 Tambora Systems Singapore Pte. Ltd. Light mobile core for networks


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马相林;张红旗;杜学绘;曹利峰;: "Netfilter框架下多策略边界网关的研究与设计", 计算机工程与设计, no. 17, 16 September 2010 (2010-09-16), pages 3758 - 3761 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant