CN117579386B - Network traffic safety control method, device and storage medium - Google Patents
Network traffic safety control method, device and storage medium
- Publication number: CN117579386B (application CN202410057238.1A)
- Authority: CN (China)
- Prior art keywords: data packet, outbound, kernel, control, inbound
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
Abstract
Embodiments of the invention disclose a network traffic security control method, device and storage medium. A control policy set by the user in user space is received through a policy query interface and converted into a control data table usable in kernel space. Kernel function modules then check and process traffic packets against that table, and specific packets can be captured, copied and stored for further security audit by the user. User-defined control policies are enforced in kernel space and cannot be bypassed. Capture and synchronous copying are likewise performed in kernel space, so packets are captured flexibly for security audit without affecting outbound performance, and the overhead of crossing from kernel space to user space is reduced.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for controlling network traffic security, and a storage medium.
Background
Network attacks are increasingly complex, and network traffic may contain clues to many kinds of threat information, so fine-grained security control of network traffic is required: traffic must be identified and managed more precisely in order to discover and defend against network threats. Demand for network security control applications built on the Linux operating system is growing; using the operating system's own traffic processing capabilities enables smarter network control, helping organizations and enterprises protect themselves and meet increasingly strict data protection and compliance requirements.
In the prior art, the control policy is generally configured in user space, network traffic packets are captured at the lower layer, and the packets are then passed up to user space for control processing.
Disclosure of Invention
Embodiments of the invention provide a network traffic security control method, device and storage medium to solve the technical problem of the low efficiency and limited capability of network traffic security control in the prior art.
In a first aspect, an embodiment of the present invention provides a network traffic security control method, including:
receiving a management and control strategy issued by a user space from a query strategy interface;
generating a user space management and control linked list according to the management and control strategy;
converting the user space management and control linked list into a kernel space management and control data table;
checking an outbound traffic packet with a first kernel function module installed at the traffic controller, determining whether the outbound packet matches a control entry in the kernel space control data table, and blocking and discarding the outbound packet when it does;
otherwise, copying the outbound packet, writing the copy into an outbound traffic capture queue and releasing the original packet; with a second kernel function module, taking the outbound packet from the outbound capture queue and matching it against the packet characteristics in the capture traffic mapping table; when the match succeeds, storing the packet in a data exchange ring buffer, from which a user space capture interface reads and stores it; wherein neither the first nor the second kernel function module modifies the original kernel code.
In a second aspect, an embodiment of the present invention further provides a network traffic security management and control device, including:
an acquisition module for receiving a control policy issued by user space through the policy query interface;
a generation module for generating a user space control linked list according to the control policy;
a conversion module for converting the user space control linked list into a kernel space control data table;
a checking module for checking an outbound traffic packet with a first kernel function module installed at the traffic controller, determining whether the outbound packet matches a control entry in the kernel space control data table, and blocking and discarding the outbound packet when it does;
and a copying module for otherwise copying the outbound packet, writing the copy into an outbound traffic capture queue and releasing the original packet; taking the outbound packet from the outbound capture queue with a second kernel function module and matching it against the packet characteristics in the capture traffic mapping table; storing the packet in a data exchange ring buffer when the match succeeds; and reading and storing the packet from the ring buffer through a user space capture interface; wherein neither the first nor the second kernel function module modifies the original kernel code.
In a third aspect, embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are for performing a network traffic security management method as provided by the above embodiments.
The network traffic security control method, device and storage medium provided by the embodiments receive the control policy issued by user space through the policy query interface; generate a user space control linked list from the control policy; convert the linked list into a kernel space control data table; check each outbound traffic packet with a first kernel function module installed at the traffic controller, determine whether the packet matches a control entry in the kernel space control data table, and block and discard it when it does; otherwise copy the packet, write the copy into an outbound traffic capture queue and release the original; with a second kernel function module, take the packet from the capture queue and match it against the packet characteristics in the capture traffic mapping table; store it in a data exchange ring buffer when the match succeeds, from which a user space capture interface reads and stores it; and neither kernel function module modifies the original kernel code. The policy query interface thus receives the user-defined control policies from user space and converts them into a control data table usable in kernel space.
The installed kernel function modules check and process traffic packets against the kernel space control data table, and specific packets can be captured, copied and stored for the user to review. User-defined control policies are enforced in kernel space and cannot be bypassed. Capture and synchronous copying are likewise performed in kernel space, so packets are captured flexibly for the user's reference without affecting outbound performance, and the overhead of crossing from kernel space to user space is reduced.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
fig. 1 is a flow chart of a network traffic safety control method according to an embodiment of the present invention;
fig. 2 is a flow chart of a network traffic safety control method according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network traffic security control method device according to a third embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a network traffic security control method according to an embodiment of the invention. The embodiment applies to security control of network traffic on a Linux system; the method may be performed by a network traffic security control device and includes the following steps:
Step 110, receiving a control policy issued by user space through the policy query interface.
In this embodiment the user may flexibly define a control policy in user space according to need. The policy may contain the process ID of an application program or network five-tuple information, together with the corresponding control action, for example blocking or capture. A network five-tuple is the set of five fields that uniquely identify a network flow: source IP address, destination IP address, source port, destination port and transport layer protocol (e.g. TCP or UDP).
Step 120, generating a user space control linked list according to the control policy.
After the control policy is obtained, its information is converted into a linked list stored in memory, producing the user space control linked list. This makes the policy easy for kernel space to obtain and easy to maintain later.
Step 130, converting the user space control linked list into a kernel space control data table.
To save kernel memory and improve matching performance, the policies held in the kernel contain only network five-tuple information, and packets are matched on the five-tuple alone. After the policy issued by the upper layer is received, the user space control linked list is converted into the format of the kernel policy, i.e. the kernel space control data table.
Step 140, checking an outbound traffic packet with a first kernel function module installed at the traffic controller, determining whether the outbound packet matches a control entry in the kernel space control data table, and blocking and discarding the outbound packet when it does.
In this embodiment the first, second, third and fourth kernel function modules are eBPF programs, and the third kernel function module is an eBPF program attached to the eXpress Data Path (XDP).
Traditionally, adding new functionality to the kernel requires modifying the kernel source code or writing a kernel module. The extended Berkeley Packet Filter (eBPF) instead allows programs to run in the kernel without modifying the kernel source or adding extra kernel modules.
The eXpress Data Path (XDP) is an eBPF hook in the Linux network processing path; an eBPF program attached to it can process network packets as soon as they arrive at the network card driver layer.
Alternatively, a second mode may be adopted: the first and second kernel function modules are netfilter-based outbound hook functions, and the third and fourth kernel function modules are netfilter-based inbound hook functions.
In this embodiment the kernel-side policy is stored in a map of type BPF_MAP_TYPE_HASH, which is shared among several eBPF programs. The eBPF programs responsible for capturing and blocking network traffic perform fast matching against this kernel-side policy table.
For outbound traffic, the BPF interface of TC (traffic control) is used to capture and block packets at the TC layer: the application's outbound traffic first passes through eBPF program 1, which checks whether the packet's five-tuple is in the kernel space control data table; if it is, the packet is blocked immediately and discarded.
In the second mode, hook function 1 and hook function 2 are loaded dynamically into the kernel as a KO kernel module, and packet capture and blocking are implemented in the netfilter outbound hook (NF_INET_LOCAL_OUT or NF_INET_POST_ROUTING): the application's outbound traffic first passes through hook function 1, which checks whether the packet's five-tuple is in the kernel space control data table; if it is, the packet is blocked immediately and discarded.
Step 150, otherwise copying the outbound packet, writing the copy into an outbound traffic capture queue and releasing the original packet; taking the outbound packet from the outbound capture queue with a second kernel function module and matching it against the packet characteristics in the capture traffic mapping table; storing the packet in a data exchange ring buffer when the match succeeds, from which a user space capture interface reads and stores it; wherein neither the first nor the second kernel function module modifies the original kernel code.
In the first mode, if the packet is not in the kernel space control data table, a copy of the packet is written to a map and the original packet is released, so that no complex operation affects network performance. A second eBPF program 2 checks the packets stored in that map against the capture list: a packet that matches is placed in a perf event buffer for the user-mode program to read as the capture result; a packet not in the capture list is skipped.
In the second mode, the packet is copied to the work queue 1 program and the original is released, likewise to avoid complex operations affecting network performance. Work queue 1 in the kernel then checks each received packet against the capture list: a matching packet is stored in a ring queue for the user-mode program to read, and a non-matching packet is skipped. The kernel keeps the captured data in the ring queue and exposes it to the user space program as a character device. The ring queue conveniently implements the producer (packet capture) and consumer (data reading) transfer model, manages memory efficiently, and avoids the overhead and memory fragmentation caused by frequent dynamic allocation. The character device presents the data as a stream, which suits the transfer of network traffic.
Inbound traffic may be controlled in the same manner; accordingly, the method further includes: checking an inbound traffic packet with a third kernel function module, determining whether the inbound packet matches a control entry in the kernel space control data table, and blocking and discarding it when it does;
otherwise, copying the inbound packet, writing the copy into an inbound traffic capture queue and releasing the original packet; with a fourth kernel function module, taking the inbound packet from the inbound capture queue and matching it against the packet characteristics in the capture traffic mapping table; when the match succeeds, storing the packet in the data exchange ring buffer, from which the user space capture interface reads and stores it; wherein neither the third nor the fourth kernel function module modifies the original kernel code. As before, this can be implemented in two ways. In the first, the first, second, third and fourth kernel function modules are eBPF programs, and the third kernel function module is an eBPF program attached to XDP, the fast data path at the driver layer.
In the second, hook functions are used: the first and second kernel function modules are netfilter-based outbound hook functions, and the third and fourth kernel function modules are netfilter-based inbound hook functions.
Specifically, in the first way, inbound network traffic is captured and blocked at the XDP hook. XDP sits at the driver layer, so the packet has not yet entered the network protocol stack. The flow is similar to the outbound case: eBPF program 3 checks whether the five-tuple of the current packet is in the blocking policy table; if it is, the packet is blocked immediately and discarded. If not, eBPF program 4 further checks whether the packet is in the capture policy table; if it is, the packet is placed in the perf event buffer for the user-mode program to read, and otherwise it is skipped.
In the second way, inbound network traffic is captured and blocked in a netfilter inbound hook (NF_INET_LOCAL_IN or NF_INET_PRE_ROUTING). The flow is again similar to the outbound case: hook function 2 checks whether the five-tuple of the current packet is in the blocking policy table; if it is, the packet is blocked immediately and discarded. If not, a copy of the packet is handed to work queue 2, which checks it against the capture list; if it matches, the packet is placed in the ring queue for the user-mode program to read, and otherwise it is skipped.
This embodiment receives the control policy issued by user space through the policy query interface; generates a user space control linked list from the control policy; converts the linked list into a kernel space control data table; checks each outbound traffic packet with a first kernel function module installed at the traffic controller, determines whether the packet matches a control entry in the kernel space control data table, and blocks and discards it when it does; otherwise copies the packet, writes the copy into an outbound traffic capture queue and releases the original; with a second kernel function module, takes the packet from the capture queue and matches it against the packet characteristics in the capture traffic mapping table; stores it in a data exchange ring buffer when the match succeeds, from which a user space capture interface reads and stores it; and neither kernel function module modifies the original kernel code. The policy query interface thus receives the user-defined control policies from user space and converts them into a control data table usable in kernel space. The installed kernel function modules check and process traffic packets against the kernel space control data table, and specific packets can be captured, copied and stored for the user's security audit.
User-defined control policies are enforced in kernel space and cannot be bypassed. Capture and synchronous copying are likewise performed in kernel space, so packets are captured flexibly for the user's reference without affecting outbound performance, and the overhead of crossing from kernel space to user space is reduced.
In a preferred implementation of this embodiment, the method may further include: receiving a control rule sent through a development interface, and generating the user space control policy from that rule. An interface layer provides a unified development interface for application developers, solving the inconsistency among the interfaces of existing development libraries: through the development library, the capture and blocking functions of the current operating system can be used directly on the basis of these interfaces, and policy-driven operation enables targeted security audit and blocking functions. Policies support fields such as process name, process PID and network five-tuple information. The main interfaces provided are: an interface for issuing a network traffic capture policy, an interface for issuing a network traffic blocking policy, an interface for obtaining captured network traffic data, and an interface for obtaining the logs related to blocked network traffic. Using the development interface, the user can flexibly define various control rules.
Example two
Fig. 2 is a flow chart of a network traffic safety control method according to a second embodiment of the present invention, where optimization is performed based on the foregoing embodiment, and the user space management linked list is converted into a kernel space management data table, which is specifically optimized as follows: acquiring incomplete process information and network quintuple information according to the user space management and control linked list; capturing process information and network five-tuple information in the binding and unbinding related functions of the network port according to the management and control strategy by utilizing a plurality of kernel function modules; and generating a kernel space management and control data table by utilizing the network five-tuple information, and storing the kernel space management and control data table in a memory.
Referring to fig. 2, the network traffic security management and control method includes:
step 210, receiving a management and control strategy issued by a user space from a query strategy interface, and generating a user space management and control linked list according to the management and control strategy.
Step 220, obtaining incomplete process information and network five-tuple information according to the user space management and control linked list, and capturing the process information and the network five-tuple information in the binding and unbinding related functions of the network port according to the management and control strategy respectively by utilizing a plurality of kernel function modules.
After receiving the policy issued by the upper layer, format conversion needs to be performed to a kernel mode policy, and the user-defined policy may only contain process information or only several items of five-tuple information. Therefore, it needs to be perfected. For capturing process information, for example, an eBPF technique may be used, multiple BPF programs may be used, process information and network quintuple information may be captured in the binding and unbinding related functions of the network port, respectively, and the captured information may be updated to the same Map data table. There are multiple function locations where the eBPF procedure needs to be added for different network protocols. For the TCP protocol, the eBPF procedure is used on several kernel functions: tcp_connect (), inet_ csk _accept (), tcp_close (), tcp_fin (), __ inet_bind (), and _inet6_bind (); for the UDP protocol, since there is no procedure for connection establishment and release, the eBPF procedure is used on the following functions: udp_lib_unhash (), udp_recvmsg (), and udpv6_recvmsg (). By utilizing the information, the process and quintuple information can be obtained, and the management and control information is perfected.
In addition, an eBPF program may be additionally provided to maintain the data table, for example, to perform old data defining a record for clearing the flag to a released state.
And 230, generating a kernel space management and control data table by utilizing the network five-tuple information, and storing the kernel space management and control data table in a memory.
And generating a kernel space management and control data table by utilizing the five-tuple information obtained in the steps.
Step 240: check the outbound traffic packet with a first kernel function module arranged on the traffic controller, determine whether the outbound traffic packet matches a control entry in the kernel-space management and control data table, and block and discard the outbound traffic packet when it does.
Step 250: otherwise, copy the outbound traffic packet, write the copy into the outbound traffic capture queue and release the original outbound traffic packet at the same time; a second kernel function module takes the outbound traffic packet from the outbound traffic capture queue and matches it against the traffic packet features in the capture traffic mapping table; when the match succeeds, the outbound traffic packet is stored in the data exchange ring buffer, from which the user-space capture interface reads and stores it. Neither the first nor the second kernel function module modifies the original kernel code.
This embodiment converts the user-space management and control linked list into a kernel-space management and control data table, and is specifically refined as follows: obtain the incomplete process information and network five-tuple information from the user-space management and control linked list; using a plurality of kernel function modules, capture process information and network five-tuple information in the bind-related and unbind-related functions of the network port according to the management and control policy; and generate a kernel-space management and control data table from the network five-tuple information and store it in memory. When five-tuple information is missing from a management and control policy set in user space, the kernel function modules can quickly obtain the accurate five-tuple information, so that the kernel-space management and control data table is completed and network traffic can be managed and controlled safely and accurately.
In a preferred implementation of this embodiment, the method may further comprise the following steps: reading the process number, timestamp and network five-tuple information of the outbound traffic packet from the outbound traffic capture queue; matching, in the inbound traffic capture queue, the inbound traffic packets corresponding to the outbound traffic packet, based on the timestamp and network five-tuple information of the outbound traffic packet; and correcting the process number of the matched inbound traffic packet according to the process number in the outbound traffic packet or the completed user-space management and control linked list. Because the process information for inbound traffic is read at the moment the packet is captured, it is inaccurate, and the process number is sometimes 0 rather than that of the application process the traffic belongs to, whereas for outbound traffic the same code obtains the correct process information. This property is used to correct the wrong process number; it can also be corrected from the user-space management and control linked list completed by the method above. In this way every captured flow is correctly matched to the process information it belongs to.
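The outbound path of steps 240 and 250 and the inbound process-number correction described above, as an added user-space C model (not the patent's code and not an eBPF program): a control table gives the first module's verdict, only packets that pass are copied, the copy is matched against a capture feature table and, on a hit, pushed into a bounded ring buffer that the user-space side drains; the correction step matches an inbound packet to the outbound packet whose five-tuple is its reverse, within a time window. The 0 wildcard, the MATCH_WINDOW_NS value, the ring size and all sample addresses are assumptions of this example; correction from the completed user-space linked list is not modelled.

```c
/* Added example, not the patent's code: user-space C model of the outbound
 * check/copy/capture path (steps 240/250) and of the inbound process-number
 * correction. Wildcards, window size, ring size and addresses are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ANY 0   /* wildcard in a table entry (assumption) */
struct tuple5 { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct pkt { uint32_t pid; uint64_t ts_ns; struct tuple5 t; };
enum verdict { PASS = 0, DROP = 1 };

static struct tuple5 T(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp, uint8_t pr) {
    struct tuple5 t = { .saddr = s, .daddr = d, .sport = sp, .dport = dp, .proto = pr };
    return t;
}
static bool f_ok(uint32_t want, uint32_t have) { return want == ANY || want == have; }
static bool tuple_match(const struct tuple5 *e, const struct tuple5 *p) {
    return f_ok(e->saddr, p->saddr) && f_ok(e->daddr, p->daddr) && f_ok(e->sport, p->sport) &&
           f_ok(e->dport, p->dport) && f_ok(e->proto, p->proto);
}

#define MAX_ENTRIES 16
static struct tuple5 ctl_table[MAX_ENTRIES]; static int ctl_n;  /* kernel-space control table */
static struct tuple5 cap_table[MAX_ENTRIES]; static int cap_n;  /* capture traffic mapping table */

/* Data exchange ring buffer: second module produces, user-space capture interface consumes. */
#define RING_SZ 8
static struct pkt ring[RING_SZ];
static unsigned ring_head, ring_tail;
static int ring_push(const struct pkt *p) {
    if (ring_head - ring_tail == RING_SZ) return -1;  /* full: the copy is lost, the original already went out */
    ring[ring_head++ % RING_SZ] = *p;
    return 0;
}
int ring_pop(struct pkt *out) {
    if (ring_head == ring_tail) return 0;
    *out = ring[ring_tail++ % RING_SZ];
    return 1;
}
int ring_count(void) { return (int)(ring_head - ring_tail); }

/* First module: verdict on the original packet from the control table. */
enum verdict check_packet(const struct pkt *p) {
    for (int i = 0; i < ctl_n; i++)
        if (tuple_match(&ctl_table[i], &p->t)) return DROP;
    return PASS;
}
/* Second module: runs on the copy taken from the capture queue; 1 if it reached the ring. */
int capture_copy(const struct pkt *copy) {
    for (int i = 0; i < cap_n; i++)
        if (tuple_match(&cap_table[i], &copy->t)) return ring_push(copy) == 0;
    return 0;
}
/* Steps 240/250 combined: drop on a control hit; otherwise release the original, copy to capture. */
enum verdict handle_outbound(const struct pkt *p) {
    if (check_packet(p) == DROP) return DROP;
    struct pkt copy = *p;
    capture_copy(&copy);
    return PASS;
}

/* Inbound correction: an inbound packet belongs to the outbound packet whose five-tuple is
 * its reverse and whose timestamp lies within MATCH_WINDOW_NS. Returns packets corrected. */
#define MATCH_WINDOW_NS 2000000000ULL
static bool is_reverse(const struct tuple5 *o, const struct tuple5 *i) {
    return o->proto == i->proto && o->saddr == i->daddr && o->sport == i->dport &&
           o->daddr == i->saddr && o->dport == i->sport;
}
int fix_inbound_pids(const struct pkt *outq, int n_out, struct pkt *inq, int n_in) {
    int fixed = 0;
    for (int i = 0; i < n_in; i++)
        for (int j = 0; j < n_out; j++) {
            uint64_t a = inq[i].ts_ns, b = outq[j].ts_ns, dt = a > b ? a - b : b - a;
            if (dt <= MATCH_WINDOW_NS && is_reverse(&outq[j].t, &inq[i].t)) {
                if (inq[i].pid != outq[j].pid) { inq[i].pid = outq[j].pid; fixed++; }
                break;
            }
        }
    return fixed;
}

/* Constructed scenario (sample values); returns the number of checks passed (5). */
int run_scenario(void) {
    int ok = 0; struct pkt got;
    ctl_n = cap_n = 0; ring_head = ring_tail = 0;
    ctl_table[ctl_n++] = T(ANY, ANY, ANY, 23, 6);    /* block any TCP to port 23 */
    cap_table[cap_n++] = T(ANY, ANY, ANY, 443, 6);   /* capture any TCP to port 443 */
    struct pkt telnet = { .pid = 4242, .ts_ns = 1000, .t = T(0x0A000005, 40001, 0x0A000050, 23, 6) };
    struct pkt https  = { .pid = 4242, .ts_ns = 2000, .t = T(0x0A000005, 40002, 0x0A000009, 443, 6) };
    struct pkt other  = { .pid = 4242, .ts_ns = 3000, .t = T(0x0A000005, 40003, 0x0A000009, 8080, 6) };
    if (handle_outbound(&telnet) == DROP && ring_count() == 0) ok++;  /* blocked, never copied */
    if (handle_outbound(&https) == PASS && ring_count() == 1) ok++;   /* passed and captured */
    if (handle_outbound(&other) == PASS && ring_count() == 1) ok++;   /* passed, not captured */
    if (ring_pop(&got) == 1 && got.t.dport == 443 && ring_count() == 0) ok++;
    struct pkt outq[1] = { https };
    struct pkt inq[2] = {
        { .pid = 0, .ts_ns = 2500, .t = T(0x0A000009, 443, 0x0A000005, 40002, 6) },          /* reply, pid unknown */
        { .pid = 0, .ts_ns = 9000000000ULL, .t = T(0x0A000009, 443, 0x0A000005, 40002, 6) },  /* outside the window */
    };
    if (fix_inbound_pids(outq, 1, inq, 2) == 1 && inq[0].pid == 4242 && inq[1].pid == 0) ok++;
    return ok;
}

int main(void) { printf("checks passed: %d/5\n", run_scenario()); return 0; }
```

Two properties of the model matter for a deployment: the verdict is taken before any copy is made, so a blocked packet never reaches the capture path or user space, and a full ring buffer loses only the copy, never delaying or dropping the original packet, which is what keeps outbound efficiency unaffected.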
Example III
Fig. 3 is a schematic structural diagram of the network traffic safety control device provided in the third embodiment of the present invention. Referring to Fig. 3, the network traffic safety control device includes:
an acquisition module, configured to receive a management and control policy issued by user space from the query policy interface;
a generation module, configured to generate a user-space management and control linked list according to the management and control policy;
a conversion module, configured to convert the user-space management and control linked list into a kernel-space management and control data table;
a checking module, configured to check the outbound traffic packet with a first kernel function module arranged on the traffic controller, determine whether the outbound traffic packet matches a control entry in the kernel-space management and control data table, and block and discard the outbound traffic packet when it does;
and a copying module, configured to copy the outbound traffic packet, write the copy into the outbound traffic capture queue, release the original outbound traffic packet, take the outbound traffic packet from the outbound traffic capture queue with a second kernel function module and match it against the traffic packet features in the capture traffic mapping table, store the outbound traffic packet in the data exchange ring buffer when the match succeeds, and read and store the outbound traffic packet from the data exchange ring buffer through a user-space capture interface, wherein neither the first nor the second kernel function module modifies the original kernel code.
The network traffic safety control device provided by this embodiment receives the management and control policy issued by user space from the query policy interface; generates a user-space management and control linked list according to the policy; converts the linked list into a kernel-space management and control data table; checks the outbound traffic packet with a first kernel function module arranged on the traffic controller, determines whether the outbound traffic packet matches a control entry in the kernel-space management and control data table, and blocks and discards the packet when it does; otherwise copies the outbound traffic packet, writes the copy into the outbound traffic capture queue, releases the original packet, takes the outbound traffic packet from the capture queue with a second kernel function module and matches it against the traffic packet features in the capture traffic mapping table, stores the packet in the data exchange ring buffer when the match succeeds, and lets the user-space capture interface read and store the packet from the ring buffer; neither kernel function module modifies the original kernel code. The query policy interface can thus receive a user-defined set of management and control policies from user space and convert them into a kernel-space management and control data table that kernel space can use directly. The kernel function modules then check and process traffic packets against that table, and specific traffic packets can be captured, copied and stored for the user to review.
User-defined management and control policies are therefore enforced in kernel space and are prevented from being bypassed. At the same time, capture and synchronous copying are performed in kernel space, so traffic packets can be captured flexibly for the user's reference without affecting outbound efficiency, and the overhead of passing data from kernel space to user space is reduced.
On the basis of the above embodiments, the device further includes:
an inbound checking module, configured to check inbound traffic packets with a third kernel function module, determine whether the inbound traffic packet matches a control entry in the kernel-space management and control data table, and block and discard the inbound traffic packet when it does;
and an inbound copying module, configured to copy the inbound traffic packet, write the copy into the inbound traffic capture queue while releasing the original inbound traffic packet, take the inbound traffic packet from the inbound traffic capture queue with a fourth kernel function module and match it against the traffic packet features in the capture traffic mapping table, store the inbound traffic packet in the data exchange ring buffer when the match succeeds, and read and store the inbound traffic packet from the data exchange ring buffer through the user-space capture interface, wherein neither the third nor the fourth kernel function module modifies the original kernel code.
On the basis of the above embodiments, the first, second, third and fourth kernel function modules are eBPF program modules, and the third kernel function module is an eBPF program module attached at the XDP (eXpress Data Path) hook in the driver layer.
On the basis of the above embodiments, the first and second kernel function modules are netfilter-based hook functions at the first outbound hook point, and the third and fourth kernel function modules are netfilter-based hook functions at the first inbound hook point.
On the basis of the above embodiments, the conversion module includes:
an acquisition unit, configured to obtain incomplete process information and network five-tuple information from the user-space management and control linked list;
a capturing unit, configured to capture process information and network five-tuple information in the bind-related and unbind-related functions of the network port respectively, according to the management and control policy, using the plurality of kernel function modules;
and a generating unit, configured to generate a kernel-space management and control data table from the network five-tuple information and store it in memory.
On the basis of the above embodiments, the plurality of kernel function modules include:
a plurality of eBPF programs;
correspondingly, the capturing unit is configured to:
for TCP network traffic packets, capture process information and network five-tuple information according to the management and control policy in the TCP connect, TCP close, TCP passive-close (FIN) receive, transport-layer accept and bind functions respectively;
and for UDP network traffic packets, capture process information and network five-tuple information according to the management and control policy in the socket four-tuple removal (unhash) function and the datagram receive functions respectively.
On the basis of the above embodiments, the device further includes:
an information reading module, configured to read the process number, timestamp and network five-tuple information of the outbound traffic packet from the outbound traffic capture queue;
an inbound traffic packet matching module, configured to match, in the inbound traffic capture queue, the inbound traffic packets corresponding to the outbound traffic packet, based on the timestamp and network five-tuple information of the outbound traffic packet;
and a modification module, configured to correct the process number of the matched inbound traffic packet according to the process number in the outbound traffic packet or the completed user-space management and control linked list.
On the basis of the above embodiments, the device further includes:
the management and control rule receiving module is used for receiving management and control rules sent by the development interface;
and the management and control strategy generation module is used for generating a management and control strategy of the user space based on the management and control rule.
The network traffic safety control device provided by this embodiment of the invention can execute the network traffic safety control method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example IV
A fourth embodiment of the present invention also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a network traffic security management method as provided in any of the above embodiments.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or device. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (8)
1. A method for controlling network traffic security, comprising:
receiving a management and control policy issued by user space from a query policy interface;
generating a user-space management and control linked list according to the management and control policy;
converting the user-space management and control linked list into a kernel-space management and control data table;
checking an outbound traffic packet with a first kernel function module arranged on a traffic controller, determining whether the outbound traffic packet matches a control entry in the kernel-space management and control data table, and blocking and discarding the outbound traffic packet when it does;
otherwise, copying the outbound traffic packet, writing the copy into an outbound traffic capture queue, releasing the original outbound traffic packet, taking the outbound traffic packet from the outbound traffic capture queue with a second kernel function module and matching it against the traffic packet features in a capture traffic mapping table, storing the outbound traffic packet in a data exchange ring buffer when the match succeeds, and reading and storing the outbound traffic packet from the data exchange ring buffer through a user-space capture interface, wherein neither the first nor the second kernel function module modifies the original kernel code;
checking an inbound traffic packet with a third kernel function module, determining whether the inbound traffic packet matches a control entry in the kernel-space management and control data table, and blocking and discarding the inbound traffic packet when it does;
otherwise, copying the inbound traffic packet, writing the copy into an inbound traffic capture queue while releasing the original inbound traffic packet, taking the inbound traffic packet from the inbound traffic capture queue with a fourth kernel function module and matching it against the traffic packet features in the capture traffic mapping table, storing the inbound traffic packet in the data exchange ring buffer when the match succeeds, and reading and storing the inbound traffic packet from the data exchange ring buffer through the user-space capture interface, wherein neither the third nor the fourth kernel function module modifies the original kernel code;
reading the process number, timestamp and network five-tuple information of the outbound traffic packet from the outbound traffic capture queue;
matching, in the inbound traffic capture queue, the inbound traffic packets corresponding to the outbound traffic packet, based on the timestamp and network five-tuple information of the outbound traffic packet;
and correcting the process number of the matched inbound traffic packet according to the process number in the outbound traffic packet or the completed user-space management and control linked list.
2. The method of claim 1, wherein the first, second, third and fourth kernel function modules are eBPF program modules, and the third kernel function module is an eBPF program module attached at the XDP fast data path hook.
3. The method of claim 1, wherein the first and second kernel function modules are netfilter-based hook functions at the first outbound hook point, and the third and fourth kernel function modules are netfilter-based hook functions at the first inbound hook point.
4. The method of claim 1, wherein converting the user-space management and control linked list into a kernel-space management and control data table comprises:
obtaining incomplete process information and network five-tuple information from the user-space management and control linked list;
capturing process information and network five-tuple information in the bind-related and unbind-related functions of the network port according to the management and control policy, using a plurality of kernel function modules;
and generating a kernel-space management and control data table from the network five-tuple information and storing it in memory.
5. The method of claim 4, wherein the plurality of kernel function modules comprises a plurality of eBPF programs, and capturing process information and network five-tuple information according to the management and control policy in the bind-related and unbind-related functions of the network port respectively with the plurality of eBPF programs comprises:
for TCP network traffic packets, capturing process information and network five-tuple information according to the management and control policy in the TCP connect, TCP close, TCP passive-close (FIN) receive, transport-layer accept and bind functions respectively;
and for UDP network traffic packets, capturing process information and network five-tuple information according to the management and control policy in the socket four-tuple removal (unhash) function and the datagram receive functions respectively.
6. The method according to claim 1, wherein the method further comprises:
receiving a management and control rule sent by a development interface;
and generating a management and control strategy of the user space based on the management and control rule.
7. A network traffic security management and control apparatus, comprising:
an acquisition module, configured to receive a management and control policy issued by user space from a query policy interface;
a generation module, configured to generate a user-space management and control linked list according to the management and control policy;
a conversion module, configured to convert the user-space management and control linked list into a kernel-space management and control data table;
a checking module, configured to check an outbound traffic packet with a first kernel function module arranged on a traffic controller, determine whether the outbound traffic packet matches a control entry in the kernel-space management and control data table, and block and discard the outbound traffic packet when it does;
a replication module, configured to copy the outbound traffic packet, write the copy into an outbound traffic capture queue while releasing the original outbound traffic packet, take the outbound traffic packet from the outbound traffic capture queue with a second kernel function module and match it against the traffic packet features in a capture traffic mapping table, store the outbound traffic packet in a data exchange ring buffer when the match succeeds, and read and store the outbound traffic packet from the data exchange ring buffer through a user-space capture interface, wherein neither the first nor the second kernel function module modifies the original kernel code;
an inbound checking module, configured to check inbound traffic packets with a third kernel function module, determine whether the inbound traffic packet matches a control entry in the kernel-space management and control data table, and block and discard the inbound traffic packet when it does;
an inbound copying module, configured to copy the inbound traffic packet, write the copy into an inbound traffic capture queue while releasing the original inbound traffic packet, take the inbound traffic packet from the inbound traffic capture queue with a fourth kernel function module and match it against the traffic packet features in the capture traffic mapping table, store the inbound traffic packet in the data exchange ring buffer when the match succeeds, and read and store the inbound traffic packet from the data exchange ring buffer through the user-space capture interface, wherein neither the third nor the fourth kernel function module modifies the original kernel code;
an information reading module, configured to read the process number, timestamp and network five-tuple information of the outbound traffic packet from the outbound traffic capture queue;
an inbound traffic packet matching module, configured to match, in the inbound traffic capture queue, the inbound traffic packets corresponding to the outbound traffic packet, based on the timestamp and network five-tuple information of the outbound traffic packet;
and a modification module, configured to correct the process number of the matched inbound traffic packet according to the process number in the outbound traffic packet or the completed user-space management and control linked list.
8. A storage medium containing computer executable instructions which, when executed by a computer processor, are for performing the network traffic security management method of any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410057238.1A CN117579386B (en) | 2024-01-16 | 2024-01-16 | Network traffic safety control method, device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117579386A CN117579386A (en) | 2024-02-20 |
CN117579386B true CN117579386B (en) | 2024-04-12 |
Family
ID=89886567
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410057238.1A Active CN117579386B (en) | 2024-01-16 | 2024-01-16 | Network traffic safety control method, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117579386B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009072755A2 (en) * | 2007-12-07 | 2009-06-11 | Markany Inc. | Digital information security system, kernel driver apparatus and digital information security method |
CN103391256A (en) * | 2013-07-25 | 2013-11-13 | 武汉邮电科学研究院 | Base station user plane data processing and optimizing method based on Linux system |
CN112148488A (en) * | 2020-09-22 | 2020-12-29 | 杭州电魂网络科技股份有限公司 | Message processing method and system based on multi-cycle cache |
WO2021164262A1 (en) * | 2020-02-18 | 2021-08-26 | 平安科技(深圳)有限公司 | Traffic collection method and apparatus for virtual network, and computer device and storage medium |
US11588586B2 (en) * | 2019-10-30 | 2023-02-21 | Qualcomm Incorporated | HARQ operation for broadcast in FR2 |
CN115834448A (en) * | 2022-11-24 | 2023-03-21 | 上海交通大学 | System and method for monitoring light-weight container flow on host side based on eBPF |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7254562B2 (en) * | 2002-07-11 | 2007-08-07 | Hewlett-Packard Development Company, L.P. | Rule-based packet selection, storage, and access method and system |
US20090225767A1 (en) * | 2008-03-05 | 2009-09-10 | Inventec Corporation | Network packet capturing method |
US8780720B2 (en) * | 2010-01-11 | 2014-07-15 | Venturi Ip Llc | Radio access network load and condition aware traffic shaping control |
US9538503B2 (en) * | 2013-03-28 | 2017-01-03 | Samsung Electronics Co., Ltd. | Aggregation of FDD and TDD cells |
CN105574047A (en) * | 2014-10-17 | 2016-05-11 | 任子行网络技术股份有限公司 | Website main page feature analysis based Chinese website sorting method and system |
US20170099228A1 (en) * | 2015-10-02 | 2017-04-06 | Headwater Partners I Llc | Mobile Device With In-Situ Network Activity Management |
US20230136134A1 (en) * | 2021-08-24 | 2023-05-04 | Tambora Systems Singapore Pte. Ltd. | Light mobile core for networks |
- 2024-01-16 CN CN202410057238.1A patent/CN117579386B/en active Active
Non-Patent Citations (1)
Title |
---|
Research and design of a multi-policy border gateway under the Netfilter framework; 马相林; 张红旗; 杜学绘; 曹利峰; Computer Engineering and Design (计算机工程与设计); 2010-09-16 (No. 17); pp. 3758-3761 * |
Also Published As
Publication number | Publication date |
---|---|
CN117579386A (en) | 2024-02-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9876701B1 (en) | | Arrangement for efficient search and retrieval of indexes used to locate captured packets |
CN111262784B (en) | | Message forwarding method, message forwarding device, storage medium and electronic equipment |
CN109547580B (en) | | Method and device for processing data message |
WO2020242649A1 (en) | | Leveraging remote direct memory access (rdma) for packet capture |
US9356844B2 (en) | | Efficient application recognition in network traffic |
US20090092057A1 (en) | | Network Monitoring System with Enhanced Performance |
KR101948049B1 (en) | | Enhancing network controls in mandatory access control computing environments |
US8307417B2 (en) | | Port enablement |
WO2018032399A1 (en) | | Server and method having high concurrency capability |
JP2015502060A (en) | | Streaming method and system for processing network metadata |
CN112532538A (en) | | Flow control method and device, electronic equipment and computer readable storage medium |
US10015205B1 (en) | | Techniques for traffic capture and reconstruction |
US11347488B2 (en) | | Compiling domain-specific language code to generate executable code targeting an appropriate type of processor of a network device |
WO2022267815A1 (en) | | Data packet filtering method and apparatus, and electronic device and computer-readable storage medium |
CN111800490A (en) | | Method and device for acquiring network behavior data and terminal equipment |
Alexander | | ALIEN: A generalized computing model of active networks |
US20090100162A1 (en) | | Sharing Policy and Workload among Network Access Devices |
CN116582365A (en) | | Network traffic safety control method and device and computer equipment |
US8045564B2 (en) | | Protocol-level filtering |
CN117579386B (en) | | Network traffic safety control method, device and storage medium |
CN113810397A (en) | | Protocol data processing method and device |
CN101582880B (en) | | Method and system for filtering messages based on audited object |
CN115913778A (en) | | Network strategy updating method, system and storage medium based on sidecar mode |
US11762995B2 (en) | | Antivirus scanning architecture for uploaded files |
US11736400B2 (en) | | Network traffic engineering with multi-virtual routing and forwarding lookup |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |