WO2021023053A1 - Data processing method and device, and storage medium - Google Patents


Info

Publication number
WO2021023053A1
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
current period
defense strategy
period
log data
Prior art date
Application number
PCT/CN2020/105033
Other languages
French (fr)
Chinese (zh)
Inventor
徐道晨
Original Assignee
阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS / Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE / Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • This application relates to the field of Internet technology, and in particular to a data processing method, device and storage medium.
  • DDoS: Distributed Denial of Service.
  • A DDoS attack is a form of network attack that consumes the target's resources so that users cannot normally access the target service; it is the main threat among current network attacks. DDoS attacks rely on client/server technology to combine multiple computers into an attack platform and launch attacks against one or more targets, thereby exponentially increasing the power of the denial-of-service attack so that normal users receive no network response. They pose a great threat to the Internet and Internet services.
  • In the related art, a defense strategy against DDoS is generally preset on the target server, for example source rate limiting of network traffic. A defense strategy preset in this way will adversely affect normal traffic when there is no DDoS attack or when the attack frequency of the attack sources is low.
  • Various aspects of the present application provide a data processing method, device, and storage medium. On the one hand, it ensures that the source server is not overwhelmed by the attack at the first time of an attack, and on the other hand, it ensures that the defense strategy has less impact on normal traffic.
  • An embodiment of the application provides a data processing method, including:
  • performing data processing on the network traffic in the subsequent period according to the second defense strategy, where the second defense strategy is generated based on the normal traffic identified before the current moment.
  • An embodiment of the present application also provides a data processing method, including:
  • analyzing the characteristics of the network traffic in the current period according to the traffic log data in the current period;
  • identifying the abnormal traffic in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
  • generating a first defense strategy against the abnormal traffic existing in the current period, so as to perform data processing on the network traffic in the subsequent period.
  • An embodiment of the present application also provides a data processing device, including a memory and a processor;
  • the memory is used to store one or more computer instructions;
  • the processor is configured to execute the one or more computer instructions for:
  • performing data processing on the network traffic in the subsequent period according to the second defense strategy, where the second defense strategy is generated based on the normal traffic identified before the current moment.
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • When the computer program is executed by one or more processors, the one or more processors are caused to perform actions including the following:
  • performing data processing on the network traffic in the subsequent period according to the second defense strategy, where the second defense strategy is generated based on the normal traffic identified before the current moment.
  • An embodiment of the present application also provides a data processing device, including a memory and a processor;
  • the memory is used to store one or more computer instructions;
  • the processor is configured to execute the one or more computer instructions for:
  • analyzing the characteristics of the network traffic in the current period according to the traffic log data in the current period;
  • identifying the abnormal traffic in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
  • generating, according to the characteristics of the abnormal traffic existing in the current period, a first defense strategy against the abnormal traffic existing in the current period, so as to perform data processing on the network traffic in the subsequent period.
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • When the computer program is executed by one or more processors, the one or more processors are caused to perform actions including the following:
  • analyzing the characteristics of the network traffic in the current period according to the traffic log data in the current period;
  • identifying the abnormal traffic in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
  • generating a first defense strategy against the abnormal traffic existing in the current period, so as to perform data processing on the network traffic in the subsequent period.
  • On the one hand, the embodiments can analyze whether there is abnormal traffic in the current period according to the traffic log data in the current period and, where there is abnormal traffic, generate a first defense strategy for it; on the other hand, they can perform abnormal behavior detection based on the traffic log data in the current period and, when it is determined that the network traffic in the current period has abnormal behavior, determine whether a generated first defense strategy already exists: if it exists, the existing first defense strategy is used for data processing in the subsequent period; if it does not exist, the second defense strategy generated from known normal traffic is used to perform data processing on the network traffic in the subsequent period. The second defense strategy and the first defense strategy are thus combined to perform defensive processing on network traffic, which on the one hand ensures that the source server is not overwhelmed by the attack at the first moment, and on the other hand ensures that the impact on normal traffic is small.
  • FIG. 1a is a schematic structural diagram of a defense system provided by an embodiment of this application.
  • FIG. 1b is a schematic diagram of the working principle of the defense system according to another embodiment of the application.
  • FIG. 2a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application.
  • FIG. 2b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application.
  • FIG. 2c is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application.
  • FIG. 3 is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application.
  • FIG. 4 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • FIG. 5 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • FIG. 6 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • FIG. 7 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • Method one is to limit the source rate of network traffic.
  • Since the number of devices behind an egress IP is large, the normal request frequency of the egress IP is higher, so the rate limit will accidentally hurt the traffic of the egress IP; and there is no defense when the attack frequency of an attack source is low;
  • when the request frequency of a single attack source is extremely low, the total amount of aggregated attack traffic is still quite large, yet it passes the source rate limit smoothly. Therefore, source rate limiting of network traffic causes great damage to normal traffic and has little effect in defending against DDoS attacks.
  • The second method is to limit the network traffic at a target rate.
  • The third method is to block network traffic using a historical blacklist.
  • Most attack sources in DDoS attacks are not the attacker's own devices; rather, vulnerabilities of normal devices are exploited, or normal devices have risky software installed and become attack sources. Blocking them is likely to mistakenly block normal spontaneous traffic, and if the attack cannot be suppressed the effect is extremely small.
  • Method four is manual intervention with packet capture analysis. From discovering that the server is under attack, to manual packet capture, feature analysis, excluding normal business features and adding defense strategies, the entire emergency process often takes more than half an hour, and half an hour of business interruption has a great impact on most websites. Disadvantage: manual intervention responds slowly.
  • Traffic log data in the current period is acquired; abnormal behavior detection is performed on the traffic log data in the current period, and when it is determined that the network traffic in the current period has abnormal behavior, it is determined whether a generated first defense strategy exists in the defense strategy library: if it exists, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent period; if not, the second defense strategy generated from normal traffic is used to perform data processing on the network traffic in the subsequent period.
  • The embodiment of this application thus combines the second defense strategy set for normal traffic with the first defense strategy set for abnormal traffic. On the one hand, it guarantees that the source server is not overwhelmed by the attack at the first moment; on the other hand, it guarantees a small impact on current normal traffic.
  • FIG. 1a is a schematic structural diagram of a defense system 10 provided by an embodiment of this application.
  • the defense system 10 includes: a defense strategy calculation device 11 and a defense execution device 12.
  • FIG. 1a also shows the request end device 30 and the data source end device 20 that cooperate with the defense system 10 in practical applications.
  • The defense system 10 acts as an intermediate device between the requesting end device 30 and the data source end device 20: it detects whether the data source end device 20 is attacked by network traffic and, when it is, performs flow control on the access request traffic of the requesting end device 30, so that the data source end device provides good defense performance when it suffers a DDoS attack and the normal operation of the data source end device 20 is ensured.
  • the requesting device 30 may be a browser or other application program installed on a computer device or a handheld smart terminal device; the data source device 20 may be a server that provides data support, computing services, and some management services.
  • the implementation form of the data source device 20 is not limited.
  • the data source device 20 may be a server device such as a conventional server, a cloud server, a cloud host, and a virtual center.
  • The composition of the server equipment mainly includes a processor, a hard disk, a memory, a system bus, etc., similar to a general computer architecture.
  • the data source device 20 may include one website server or multiple website servers. The user can access the network data of the data source device 20 through the requesting device 30.
  • the communication connection mode between the defense strategy calculation device 11 and the defense execution device 12 depends on the actual deployment mode.
  • the defense strategy calculation device 11 and the defense execution device 12 may be deployed on the same server, or may be deployed on different servers.
  • the defense strategy calculation device 11 and the defense execution device 12 may be one computer or a computer cluster.
  • the two can communicate through the corresponding hardware interface or software interface on the server.
  • the two can be connected through wired or wireless communication.
  • the communication connection is through the wireless/wired switch in the local area network, or the communication connection is through the mobile network.
  • The network standard of the mobile network can be any of 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+) and WiMax.
  • the defense strategy calculation device 11 and the defense execution device 12 are deployed on different servers in the same computer room or cabinet, the two can also communicate through short-distance communication methods such as Bluetooth, ZigBee, and infrared. This is not limited.
  • this embodiment does not limit the implementation form of the server used to deploy the defense policy calculation device 11 and the defense execution device 12, and may be server devices such as conventional servers, cloud servers, cloud hosts, and virtual centers.
  • the structure of the server device mainly includes a processor, a hard disk, a memory, a system bus, etc., and is similar to a general computer architecture.
  • The protection execution device 12 performs data processing on the data access requests of the requesting device 30 and generates traffic log data, and sends the generated log data to the defense strategy calculation device 11 period by period;
  • the defense strategy calculation device 11 receives the log data of each period sent by the defense execution device 12, and each time it receives the traffic log data of a period it can analyze that data in two aspects: on the one hand, abnormal traffic detection and analysis; on the other hand, attack detection and analysis.
  • this embodiment takes the traffic log data in the current period as an example to expand the description.
  • After the defense strategy calculation device 11 receives the traffic log data in the current period sent by the protection execution device 12, on the one hand it can perform abnormal traffic detection based on the traffic log data in the current period and, if abnormal traffic is detected, generate the first defense strategy for the abnormal traffic detected in the current period; on the other hand, it can detect whether the network traffic in the current period has abnormal behaviors based on the traffic log data in the current period.
  • the defense execution device 12 may be provided with a defense strategy, so that the defense execution device 12 can perform data processing on the network traffic in the subsequent period according to the defense strategy provided by the defense strategy calculation device 11.
  • the data processing here mainly refers to defensive processing to ensure the security of the data source device 20.
  • the defense strategy provided by the defense strategy calculation device 11 to the defense execution device 12 may be the first defense strategy or the second defense strategy.
  • the first defense strategy is generated for the abnormal traffic that has been identified before the current moment, which can be referred to as the real-time defense strategy;
  • the second defense strategy is generated for the normal traffic that has been identified before the current moment, and can be called the default defense strategy.
  • the second defense strategy may be generated in advance based on normal traffic log data in the historical period. Further optionally, when new normal traffic log data appears, the second defense strategy may be updated based on the newly appeared normal traffic log data.
  • the current moment refers to the moment when the protection execution device 12 determines that the network traffic in the current period has abnormal behavior.
  • the defense strategy calculation device 11 will analyze the abnormal traffic based on the traffic log data in each time period, and will generate a first defense strategy based on the abnormal traffic data identified in each time period. These first defense strategies can have certain timeliness, and the corresponding defense strategies can be deleted after the effective time is over.
  • There is no restriction on the order of execution between the operation in which the defense strategy calculation device 11 performs abnormal traffic detection based on the traffic log data in the current period and the operation in which it detects whether the network traffic in the current period has abnormal behaviors: the two operations can be executed in parallel or, of course, sequentially. When the two operations are executed in parallel, it is possible that abnormal behavior is detected first.
  • the above-mentioned abnormal traffic that has been identified before the current time may include: the abnormal traffic identified according to the traffic log data in the current period (abbreviated as the abnormal traffic identified in the current period), or the abnormal traffic identified in the current period
  • the aforementioned first defense strategy that has existed before the current time may include: a defense strategy generated for abnormal traffic identified in the current period, or may include a defense strategy for abnormal traffic identified at least one period before the current period.
  • the generated defense strategy may also include a defense strategy generated for abnormal traffic identified in the current period and a defense strategy generated for abnormal traffic recognized at least one period before the current period.
  • This embodiment does not limit the time length of each time period, and the time length of each time period may be the same or different, and may be set adaptively according to application requirements. Among them, the smaller the time length of each period, the higher the real-time performance of generating the first defense strategy and determining whether the data source device 20 is attacked.
  • a strategy library can be used to manage each defense strategy, for example, the second defense strategy and the first defense strategy can be put into the strategy database.
  • The defense strategy calculation device 11 issues the first defense strategy and the second defense strategy in the strategy library to the defense execution device 12, so that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the received first defense strategy or second defense strategy.
  • When the defense strategy calculation device 11 detects that the data source device 20 is attacked, if there is no first defense strategy in effect locally, the second defense strategy can first be issued to the protection execution device 12. After a new first defense strategy is generated, the new first defense strategy is issued to the protection execution device 12, and at this time the second defense strategy is automatically invalidated.
  • the detection of the defense strategy calculation device 11 has a delay.
  • The second defense strategy can be set to always take effect. In this way, for the protection execution device 12, if there is no first defense strategy, the second defense strategy can always be used to defend against network traffic; when a first defense strategy exists, the first defense strategy is preferred for defensive processing of network traffic, and the second defense strategy automatically becomes invalid.
  • An effective duration can be set for the first defense strategy: within the effective duration the first defense strategy plays its role, and after the effective duration is over the first defense strategy can be deleted. It is worth noting that the same effective duration may be set for different first defense strategies, or different effective durations may be set for different first defense strategies. Based on this, when the defense strategy calculation device 11 detects that the data source device 20 is attacked, it can issue the first defense strategy that exists and is in effect before the current moment, together with the effective duration corresponding to that strategy, to the protection execution device 12, so that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the received first defense strategy within the corresponding effective duration.
  • The effective duration of the first defense strategy can also be set dynamically according to the time period during which the data source device 20 is attacked: the first defense strategy can be set to become invalid once the defense strategy calculation device 11 no longer detects that the data source device 20 is under attack, or to become invalid a set time period after the defense strategy calculation device 11 detects that the data source device 20 is attacked. Setting the effective duration of the first defense strategy allows the first defense strategy to function during traffic attacks and become invalid when there is no traffic attack, which helps reduce the adverse impact of the first defense strategy on normal traffic.
  • the specific implementation of the second defense strategy is not limited.
  • One possible implementation of the second defense strategy is a target rate limiting strategy, that is, target rate limiting is performed on traffic other than the normal traffic, which keeps the impact of the second defense strategy on normal traffic as small as possible while covering as much abnormal traffic as possible.
  • Another possible implementation of the second defense strategy is source rate limiting, that is, after abnormal behavior of the network traffic in the current period is detected, all subsequent network traffic is rate limited.
  • Another possible implementation of the second defense strategy is historical black and white list rate limiting, that is, after abnormal behavior of the network traffic in the current period is detected, the traffic in the blacklist is blocked in subsequent traffic.
  • Another possible implementation of the second defense strategy is area control, that is, rate limiting or blocking access requests from requesting devices in a specific area.
  • Another possible implementation of the second defense strategy is precise access control and source count access control, that is, access permission settings and access frequency restrictions are applied to access requests from the requesting end device.
  • the second defense strategy is not limited to the foregoing implementation manners, and the second defense strategy may be one or more of the foregoing implementation manners, or may be other forms of defense strategies.
  • The defense strategy calculation device 11 may also update the second defense strategy according to the traffic log data in the current period, so as to minimize the impact on normal traffic.
  • The update operation can be performed when it is detected that the data source device 20 has not been attacked: the traffic log data in the current period then mainly contains log data of normal traffic, which is suitable for updating the second defense strategy. When it is detected that the data source device 20 is under attack, on the one hand the traffic log data in the current period contains a large amount of abnormal data, which interferes with the judgment of normal traffic and is not suitable for updating the second defense strategy; on the other hand, resources can be prioritized for issuing the corresponding defense strategies to the protection execution device 12, which improves the efficiency of defense strategy issuance and facilitates timely defense processing of subsequent network traffic.
  • the first defense strategy is generated based on the identified abnormal traffic, and the first defense strategy is more targeted, which is conducive to more comprehensive coverage of abnormal traffic and ensures the security of the data source device.
  • Different first defense strategies can be set for different abnormal traffic.
  • a first defense strategy is a blocking defense strategy, that is, blocking abnormal traffic.
  • a first defense strategy is a rate limiting defense strategy, that is, rate limiting on abnormal traffic.
  • the second defense strategy and the first defense strategy are not limited to the above implementations.
  • FIG. 1b is a schematic diagram of the working principle of the defense system 10 provided by another embodiment of the application.
  • On the one hand, the protection execution device 12 uses the locally in-effect defense strategy to perform defense processing on the received network traffic and sends the network traffic after defense processing to the data source device 20; on the other hand, it sends the traffic log data in the current period to the defense strategy calculation device 11 to provide a data basis for the defense strategy calculation device 11.
  • The defense strategy calculation device 11 can process the traffic log data in the current period in three aspects: first, it can update the second defense strategy based on the traffic log data in the current period; second, it can perform abnormal traffic detection based on the traffic log data in the current period and, if abnormal traffic is detected, generate the first defense strategy for the abnormal traffic detected in the current period; third, it can detect, based on the traffic log data in the current period, whether there is abnormal behavior in the network traffic during the current period.
  • A defense strategy can be provided or issued to the protection execution device 12, so that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the received defense strategy.
  • The defense strategy is pushed to the protection execution device 12, where the pushed strategy can be determined from a set of backup strategies.
  • the set of backup strategies includes a default defense strategy and a real-time defense strategy.
  • the pushed policy may be a policy set, and the policy set may carry matching conditions, execution actions, and effective duration.
  • the protection execution equipment of this application includes but is not limited to the following defense strategy execution modules: black and white list library module, area control module, precise access control and source count access control module, and speed limit module.
  • Each defense strategy execution module is responsible for implementing a type of defense strategy.
  • black and white list library data processing, area control data processing, precise access control and source count access control data processing, and source rate limit and destination rate limit data processing can be performed in turn on the data access request from the requesting device 30; that is, each of these modules determines whether to release the request, a request that is not released is discarded, and a request released by all modules is finally sent to the data source device.
  • when the protection execution device receives a defense strategy issued by the defense strategy calculation device, it selects the module corresponding to that strategy from its modules and configures the parameters, so as to perform the corresponding data processing on the data access requests of the requesting device in the subsequent period.
  • the second defense strategy is generated based on historical traffic log data.
  • One possible way is to filter out abnormal log data in the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of normal traffic based on the log data of normal traffic; and generate the second defense strategy according to the target field characteristics included in the baseline characteristics of normal traffic.
  • the amount of historical traffic log data can be adjusted according to the actual situation. For example, select the traffic log data of the past month or one year, or filter the traffic log data of certain days from the traffic log data of one year as the historical traffic log data.
  • the abnormal log data in the historical traffic log data is filtered to obtain the log data of the normal traffic, including but not limited to the following implementation methods:
  • Method 1: obtain the response status codes of the historical data requests from the historical traffic log data, find the log data corresponding to abnormal response status codes, and filter that log data out. For example, when the response status code in a piece of log data is 4xx or 5xx, that log data is abnormal log data.
  • Method 2: if the historical traffic log data in a certain period of time falls within a period in which the data source end device was attacked, all log data in that period is filtered out as abnormal log data.
  • Method 3: obtain the response status codes of the historical data requests from the historical traffic log data of a certain period, and calculate the proportion of abnormal response status codes. When the proportion of abnormal response status codes is greater than the set proportion threshold, all log data in that period is filtered out as abnormal log data.
  • the foregoing implementation manner may be a single setting or multiple combinations of settings; this application does not limit the foregoing set ratio threshold, and the foregoing set ratio threshold can be adjusted according to actual conditions.
  • the baseline characteristics of the normal traffic can be analyzed based on the log data of the normal traffic.
  • An achievable way is to extract field characteristics from the log data of normal traffic, and calculate the distribution baseline parameters of the field characteristics as the baseline characteristics of the normal traffic.
  • the field characteristics include but are not limited to at least one of the following fields: HTTP protocol standard fields (such as uri, referer, etc.), website custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys obtained by parsing the uri, etc.).
  • the distribution baseline parameters of the field characteristics include but are not limited to at least one of the following: the proportion of the field characteristics, the frequency of the field characteristics request, and the correlation of the field characteristics combination.
  • the second defense strategy is generated according to the target field characteristics in the baseline characteristics of normal traffic.
  • An achievable way is to analyze the baseline characteristics of normal traffic, filter out the target field characteristics from the field characteristics included in the normal traffic, and generate a second defense strategy for the target field characteristics. For example, from the field features included in normal traffic, a field feature whose baseline feature is greater than the baseline feature threshold is identified as the target field feature. Combining the characteristics of the target field, an implementation manner of the second defense strategy is to limit the rate of traffic that does not contain the characteristics of the target field.
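The baseline construction described above (filter abnormal historical log data with methods 1 to 3, extract field characteristics, compute distribution baseline parameters, pick target field characteristics, and emit a rate-limiting second defense strategy), as an added example that is not code from the application; the log records, field names, 10-second period length and thresholds are constructed for illustration.

```python
"""Building the second defense strategy from historical traffic logs.

Added example (not code from the application): the log records, field names,
period length and thresholds are all constructed for illustration.
"""
from collections import Counter

REF = "https://shop.example/"  # constructed Referer value
PERIOD = 10  # constructed period length in seconds

# Constructed historical traffic log records, one per HTTP request;
# "t" is the request time in seconds.
HISTORICAL_LOGS = [
    # period 0: ordinary browsing with a single 404
    {"t": 0, "uri": "/index?page=1", "referer": REF, "status": 200},
    {"t": 1, "uri": "/search?q=shoes", "referer": REF, "status": 200},
    {"t": 2, "uri": "/index?page=2", "referer": REF, "status": 200},
    {"t": 3, "uri": "/cart", "referer": REF, "status": 200},
    {"t": 5, "uri": "/index?page=3", "referer": "", "status": 404},
    {"t": 8, "uri": "/search?q=bags", "referer": REF, "status": 200},
    # period 1: overlaps a recorded attack window (see ATTACK_WINDOWS)
    {"t": 11, "uri": "/index", "referer": "", "status": 200},
    {"t": 13, "uri": "/login", "referer": "", "status": 503},
    {"t": 15, "uri": "/login", "referer": "", "status": 503},
    # period 2: mostly error responses
    {"t": 21, "uri": "/index?page=1", "referer": REF, "status": 200},
    {"t": 22, "uri": "/admin", "referer": "", "status": 403},
    {"t": 24, "uri": "/admin", "referer": "", "status": 403},
    {"t": 26, "uri": "/admin", "referer": "", "status": 500},
]
ATTACK_WINDOWS = [(12, 18)]  # constructed (start, end) of a known attack


def is_abnormal_status(status):
    """Method 1: a 4xx or 5xx response status marks the record as abnormal."""
    return 400 <= status < 600


def filter_abnormal(records, attack_windows=(), ratio_threshold=0.5):
    """Return the log records kept as normal traffic.

    Method 2 drops every record of a period that overlaps an attack window;
    method 3 drops a whole period whose abnormal-status proportion exceeds
    ratio_threshold; method 1 then drops the remaining 4xx/5xx records.
    """
    by_period = {}
    for r in records:
        by_period.setdefault(r["t"] // PERIOD, []).append(r)
    normal = []
    for period, rs in sorted(by_period.items()):
        start, end = period * PERIOD, period * PERIOD + PERIOD - 1
        if any(s <= end and e >= start for s, e in attack_windows):
            continue
        if sum(is_abnormal_status(r["status"]) for r in rs) / len(rs) > ratio_threshold:
            continue
        normal.extend(r for r in rs if not is_abnormal_status(r["status"]))
    return normal


def field_features(record):
    """Field characteristics of one record: the URI path, whether a Referer
    is present, and the query keys obtained by parsing the URI."""
    path, _, query = record["uri"].partition("?")
    feats = {"path=" + path,
             "referer=" + ("present" if record.get("referer") else "absent")}
    feats.update("qkey=" + kv.split("=", 1)[0] for kv in query.split("&") if kv)
    return feats


def baseline(records, window_seconds):
    """Distribution baseline parameters of the field characteristics: the
    proportion of requests carrying each feature and its request frequency
    (requests per second over window_seconds)."""
    counts = Counter()
    for r in records:
        counts.update(field_features(r))
    n = len(records)
    return {f: {"proportion": c / n, "frequency": c / window_seconds}
            for f, c in counts.items()}


def target_features(base, proportion_threshold):
    """Target field characteristics: features whose baseline proportion
    exceeds the baseline feature threshold."""
    return {f for f, p in base.items() if p["proportion"] > proportion_threshold}


def second_defense_strategy(targets, rate_limit_rps):
    """Policy entry with matching condition, action and effective duration:
    rate-limit traffic that carries none of the target features. Reading
    "does not contain the target characteristics" as "carries none of them"
    is this example's choice."""
    return {"match": {"lacks_all_of": sorted(targets)},
            "action": {"rate_limit_rps": rate_limit_rps},
            "effective_duration": "always"}


def matches(strategy, record):
    """True when the request should be rate-limited under the strategy."""
    return not (field_features(record) & set(strategy["match"]["lacks_all_of"]))
```

With the constructed data, period 1 is dropped by the attack window, period 2 by its 75% error proportion, and the lone 404 of period 0 by its status code, so the only target feature above a 0.9 proportion threshold is the presence of a Referer.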
  • the protection strategy calculation device may also update the second defense strategy according to the traffic log data in the current time period.
  • An achievable update method is to identify normal traffic log data from the traffic log data in the current period, and update the baseline characteristics of the normal traffic based on the identified normal traffic log data; analyze the updated baseline characteristics and filter out the new target field characteristics from the field characteristics contained in the newly identified normal traffic; if the new target field characteristics are the same as the original target field characteristics, the original second defense strategy is not updated; if the new target field characteristics are different from the original target field characteristics, a new second defense strategy is generated according to the new target field characteristics, and the new second defense strategy is used to supplement the original second defense strategy.
  • the protection defense strategy calculation device analyzes the traffic log data in the current period to generate the first defense strategy.
  • An achievable way is to analyze the characteristics of the network traffic in the current period based on the traffic log data in the current period; identify the abnormal traffic existing in the current period based on the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic; and, according to the characteristics of the abnormal traffic in the current period, generate the first defense strategy against the abnormal traffic in the current period.
  • the characteristics of the network traffic in the current period are analyzed based on the traffic log data in the current period.
  • An alternative embodiment is to extract the field characteristics from the traffic log data in the current period and calculate the distribution parameters of the field characteristics as the characteristics of the network traffic in the current period.
  • the field characteristics include but are not limited to at least one of the following fields: HTTP protocol standard fields (such as uri, referer, etc.), website custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys obtained by parsing the uri, etc.).
  • the distribution parameters of the field characteristics include but are not limited to at least one of: the proportion of the field characteristics, the frequency of field characteristics request, and the correlation of the combination of field characteristics.
  • the abnormal traffic in the current period is identified based on the characteristics of the network traffic in the current period and the baseline characteristics of the known normal traffic, including but not limited to at least one of the following implementations:
  • Method 1: compare the distribution parameters of the field characteristics of the network traffic in the current period with the distribution baseline parameters of the existing field characteristics, calculate the proportion change rate of each corresponding field characteristic, and regard the network traffic corresponding to a field characteristic whose proportion change rate is greater than the set change rate threshold as the abnormal traffic existing in the current period.
  • Method 2: compare the distribution parameters of the field characteristics of the network traffic in the current period with the distribution baseline parameters of the existing field characteristics, calculate the request frequency growth rate of each corresponding field characteristic, and regard the network traffic corresponding to a field characteristic whose request frequency growth rate is greater than the set growth rate threshold as the abnormal traffic existing in the current period.
  • this application does not limit the set rate of change threshold and the set growth rate threshold, and the set rate of change threshold and the set growth rate threshold can be adjusted according to actual conditions.
  • the first defense strategy against the abnormal traffic existing in the current period is generated according to the characteristics of the abnormal traffic existing in the current period.
  • the new first defense strategy is a defense strategy for blocking traffic that carries the characteristics of the abnormal traffic.
  • judging whether the network traffic in the current period has abnormal behavior according to the traffic log data in the current period includes at least one of the following methods:
  • Method 1 Obtain the request frequency of data requests in the current time period based on the log data in the current time period. When the request frequency is greater than the first threshold, it is determined that the network traffic in the current time period has abnormal behavior;
  • Method 2 According to the log data in the current period, obtain the abnormal proportion of the response status code of the data request in the current period. When the abnormal proportion of the response status code is greater than the second threshold, it is determined that the network traffic in the current period has abnormal behavior;
  • Method 3 Obtain the growth rate of the number of data requests in the current period relative to the previous period according to the log data in the current period. When the growth rate is greater than the third threshold, it is determined that the network traffic in the current period has abnormal behavior.
  • any one of the above three methods can be used alone as the judgment condition for abnormal behavior of the network traffic in the current period, or any two or all three of them can be combined as the judgment conditions for abnormal behavior of the network traffic in the current period. The present application does not limit the first threshold, the second threshold, and the third threshold; the first threshold, the second threshold, and the third threshold can be adjusted according to actual conditions.
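The current-period analysis described above (distribution parameters of the field characteristics, the two abnormal-traffic comparisons against the baseline, the blocking first defense strategy, and the three abnormal-behavior checks), as an added example that is not code from the application; the baseline values, the current-period log records, the previous-period request count and all thresholds are constructed for illustration.

```python
"""Identifying abnormal traffic in the current period, generating the first
defense strategy, and judging abnormal behavior with methods 1 to 3.

Added example (not code from the application): baseline, current-period log
records and every threshold are constructed for illustration.
"""
from collections import Counter

REF = "https://shop.example/"  # constructed Referer value
WINDOW = 10  # constructed current period length in seconds

# Constructed distribution baseline parameters of known normal traffic:
# proportion of requests carrying each feature and its request frequency (rps).
BASELINE = {
    "path=/index": {"proportion": 0.5, "frequency": 1.0},
    "path=/search": {"proportion": 0.3, "frequency": 0.6},
    "path=/login": {"proportion": 0.2, "frequency": 0.4},
    "referer=present": {"proportion": 0.95, "frequency": 1.9},
    "referer=absent": {"proportion": 0.05, "frequency": 0.1},
    "qkey=page": {"proportion": 0.5, "frequency": 1.0},
    "qkey=q": {"proportion": 0.3, "frequency": 0.6},
}

# Constructed current-period records: 10 ordinary requests plus a flood of
# 20 Referer-less /login requests, half of which the origin answered with 503.
CURRENT_LOGS = (
    [{"uri": "/index?page=1", "referer": REF, "status": 200} for _ in range(5)]
    + [{"uri": "/search?q=a", "referer": REF, "status": 200} for _ in range(3)]
    + [{"uri": "/login", "referer": REF, "status": 200} for _ in range(2)]
    + [{"uri": "/login", "referer": "", "status": 503 if i % 2 else 200}
       for i in range(20)]
)
PREVIOUS_PERIOD_REQUESTS = 20  # constructed request count of the previous period


def field_features(record):
    """URI path, Referer presence and query keys parsed from the URI."""
    path, _, query = record["uri"].partition("?")
    feats = {"path=" + path,
             "referer=" + ("present" if record.get("referer") else "absent")}
    feats.update("qkey=" + kv.split("=", 1)[0] for kv in query.split("&") if kv)
    return feats


def current_distribution(records, window_seconds):
    """Distribution parameters of the field characteristics in the period."""
    counts = Counter()
    for r in records:
        counts.update(field_features(r))
    return {f: {"proportion": c / len(records), "frequency": c / window_seconds}
            for f, c in counts.items()}


def identify_abnormal(current, base, change_rate_threshold, growth_rate_threshold):
    """Method 1: proportion change rate above the change rate threshold;
    method 2: request frequency growth rate above the growth rate threshold.
    A feature absent from the baseline is treated as abnormal (this example's
    choice; the text compares only against existing baseline parameters)."""
    abnormal = set()
    for f, cur in current.items():
        if f not in base:
            abnormal.add(f)
            continue
        b = base[f]
        change = (cur["proportion"] - b["proportion"]) / b["proportion"]
        growth = (cur["frequency"] - b["frequency"]) / b["frequency"]
        if change > change_rate_threshold or growth > growth_rate_threshold:
            abnormal.add(f)
    return abnormal


def first_defense_strategy(abnormal_features, duration_seconds):
    """Block traffic carrying all of the abnormal characteristics at once;
    requiring all of them keeps the impact on normal requests small."""
    return {"match": {"has_all_of": sorted(abnormal_features)},
            "action": "block", "effective_duration": duration_seconds}


def abnormal_behavior(records, previous_count, window_seconds,
                      first_threshold, second_threshold, third_threshold):
    """Return the set of methods (1, 2, 3) that flag abnormal behavior: request
    frequency, abnormal response-status proportion, and growth of the request
    count relative to the previous period."""
    fired = set()
    if len(records) / window_seconds > first_threshold:
        fired.add(1)
    bad = sum(400 <= r["status"] < 600 for r in records)
    if bad / len(records) > second_threshold:
        fired.add(2)
    if (len(records) - previous_count) / previous_count > third_threshold:
        fired.add(3)
    return fired
```

With the constructed data only the /login path and the absent Referer exceed both thresholds, so the generated first defense strategy blocks requests that show both characteristics while leaving Referer-carrying /login requests alone.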
  • the updated second defense strategy and the new first defense strategy are put into the strategy database; each first defense strategy is set with a corresponding effective duration, while the second defense strategy is always in effect but automatically becomes invalid when a first defense strategy appears. Based on this, after the traffic log data in the current period is received, it can be determined from the traffic log data in the current period whether there is abnormal behavior in the network traffic in the current period.
  • the data processing of the network traffic in the subsequent period according to the first defense strategy or the second defense strategy in effect in the strategy database mainly means that the protection execution device 12 performs data processing on the network traffic in the subsequent period according to the first defense strategy or the second defense strategy in effect in the strategy database.
  • the devices that perform data processing on the network traffic in the subsequent period according to the first defense strategy or the second defense strategy in effect in the strategy library will also be different.
  • the embodiment of the application adopts the combination of the second defense strategy and the first defense strategy. On the one hand, it ensures that the source server is not overwhelmed by the attack at the first time of the attack, and on the other hand, it ensures that the impact on the current normal access request is minimal.
  • the protection execution device 12 obtains the database operation log data in the current period and uploads it to the defense strategy computing device 11; the database operation log data reflects the characteristics of the database operation traffic in the current period. The defense strategy calculation device 11 detects, according to the received database operation log data in the current period, whether there is data leakage in the current period and whether there is abnormal database operation traffic in the current period; when data leakage is detected in the current period, the defense strategy calculation device 11 judges whether there is a first defense strategy.
  • the first defense strategy is generated for abnormal database operation traffic that has been identified before the current moment; if it exists, data processing is performed on the database operation traffic in the subsequent period according to the existing first defense strategy; if it does not exist, data processing is performed on the database operation traffic in the subsequent period according to the second defense strategy, which is generated based on the normal database operation traffic that has been identified before the current moment.
  • the defense strategy calculation device 11 issues the existing first defense strategy to the defense execution device 12 on the database operation traffic channel, so that the defense execution device 12 performs data processing on the database operation traffic in the subsequent period according to the existing first defense strategy.
  • the defense strategy calculation device 11 sends the generated second defense strategy to the defense execution device 12 on the database operation traffic channel, so that the defense execution device 12 performs data processing on the database operation traffic in the subsequent period according to the second defense strategy.
  • the embodiment of the present application does not limit the data processing method of the database operation flow.
  • the data leakage behavior in the current period is determined according to the database operation log data in the current period, including but not limited to the following methods:
  • Method 1: according to the database operation log data in the current period, obtain the number of query data entries in the current period; when the number of query data entries is greater than the first number threshold, it is determined that there is data leakage behavior in the current period.
  • Method 2: according to the database operation log data in the current period, obtain the number of query data bytes in the current period; when the number of query data bytes is greater than the second number threshold, it is determined that there is data leakage behavior in the current period.
  • the first defense strategy is generated for abnormal database operation traffic that has been identified before the current moment.
  • the baseline characteristics of database operation log data include but are not limited to the following: query frequency, query interval, number of single query entries, number of single query result entries, number of single query result bytes, cumulative number of query entries, cumulative number of query result entries, and cumulative number of query result bytes.
  • the protection execution device 12 obtains the traffic log data in the current period, and uploads the obtained traffic log data in the current period to the defense strategy calculation device 11.
  • the traffic log data reflects the characteristics of the network traffic in the current period; the defense strategy calculation device 11 detects, according to the received traffic log data in the current period, whether there is abnormal behavior in the current period and whether there is abnormal traffic. If the defense strategy calculation device 11 determines, based on the traffic log data in the current period, that the network traffic in the current period has abnormal behavior, it determines whether there is a first defense strategy, where the first defense strategy is generated for the abnormal traffic that has been identified before the current moment.
  • the second defense strategy is generated based on the normal traffic that has been identified before the current moment.
  • the defense strategy calculation device 11 sends the first visualization data to the display terminal, so that the display terminal generates the first display interface according to the first visualization data.
  • this application does not limit the display content of the first display interface.
  • the display content of the first interface may include, but is not limited to, the following content: abnormal total indicator curve and normal indicator total fluctuation range, abnormal component corresponding indicator and normal fluctuation range comparison table.
  • the second visualization data is sent to the display terminal, so that the display terminal generates a second display interface according to the second visualization data.
  • this application does not limit the display content of the second display interface.
  • the display content of the second interface may include, but is not limited to, the following: a current indicator total volume graph and the normal indicator total fluctuation range, a current indicator period-on-period (chain) ratio curve and the normal indicator period-on-period fluctuation range, a distribution pie chart of each component, a comparison table of the current proportion of each component against the normal fluctuation range, and a comparison table of the absolute value of each component against the normal fluctuation range.
  • the baseline characteristics of traffic log data include but are not limited to the following: the absolute value of the total index, the period-on-period (chain) ratio of the index compared to the previous cycle, the absolute value of each component, the proportion of each component, and the period-on-period (chain) ratio of each component compared to the previous cycle.
  • FIG. 2a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application. As shown in Figure 2a, the method includes:
  • step S202 Determine whether the network traffic in the current period has abnormal behavior according to the traffic log data in the current period; if there is abnormal behavior, execute step S203; if there is no abnormal behavior, end the attack detection;
  • step S203 Determine whether there is a first defense strategy, the first defense strategy is generated for the abnormal traffic that has been identified before the current moment; if it exists, perform step S204, if not, perform step S205;
  • S204 Perform data processing on the network traffic in the subsequent period according to the existing first defense strategy;
  • S205 Perform data processing on the network traffic in the subsequent period according to the second defense strategy, and the second defense strategy is generated based on the normal traffic that has been identified before the current moment.
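The strategy database with effective durations and the S202 to S205 decision (first defense strategies expire after their duration, the second defense strategy is always in effect but gives way while a first defense strategy exists), as an added example that is not code from the application; the two strategies, the request feature sets and the timestamps are constructed, and the matching-condition format is this example's own.

```python
"""Strategy library and the S202-S205 decision.

Added example (not code from the application): the strategies, the request
feature sets and the timestamps are constructed for illustration.
"""

# Constructed strategies: a matching condition, an execution action and an
# effective duration (seconds, or "always" for the second defense strategy).
SECOND = {"match": {"lacks_all_of": ["referer=present"]},
          "action": {"rate_limit_rps": 5}, "effective_duration": "always"}
FIRST = {"match": {"has_all_of": ["path=/login", "referer=absent"]},
         "action": "block", "effective_duration": 300}


class StrategyStore:
    """Strategy database holding one second defense strategy and any number
    of first defense strategies, each with its own expiry time."""

    def __init__(self, second):
        self.second = second
        self._first = []  # list of (strategy, expires_at)

    def add_first(self, strategy, now):
        """Store a newly generated first defense strategy; it stays in effect
        for its effective_duration counted from now."""
        self._first.append((strategy, now + strategy["effective_duration"]))

    def update_second(self, second):
        """Replace the second defense strategy after a baseline update."""
        self.second = second

    def active_first(self, now):
        """Drop expired first defense strategies and return the live ones."""
        self._first = [(s, e) for s, e in self._first if e > now]
        return [s for s, _ in self._first]

    def in_effect(self, now):
        """What the protection execution device applies: live first defense
        strategies if any exist (S204), otherwise the second one (S205)."""
        first = self.active_first(now)
        return ("first", first) if first else ("second", [self.second])

    def decide(self, now, has_abnormal_behavior):
        """S202: without abnormal behavior, detection ends and the currently
        effective strategies stay as they are; S203: otherwise choose between
        first and second defense strategies."""
        if not has_abnormal_behavior:
            return ("end_detection", self.in_effect(now)[1])
        return self.in_effect(now)


def process(request_features, strategies):
    """Apply the effective strategies to one request whose field features are
    already extracted (a constructed set of strings). Returns "drop",
    "rate_limit" or "pass"."""
    feats = set(request_features)
    for s in strategies:
        cond = s["match"]
        if ("has_all_of" in cond and set(cond["has_all_of"]) <= feats
                and s["action"] == "block"):
            return "drop"
        if ("lacks_all_of" in cond and not (set(cond["lacks_all_of"]) & feats)
                and isinstance(s["action"], dict)):
            return "rate_limit"
    return "pass"
```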
  • the method in this embodiment may be executed by a device with a defense function and a certain computing capability, or may be implemented by the protection strategy calculation device and the protection execution device in the foregoing system embodiment.
  • the protection execution device delivers the generated log data to the protection strategy calculation device, and the protection strategy calculation device receives the log data to obtain the log data.
  • the protection strategy calculation device may obtain the log data every 1 s, 2 s, 5 s, or 10 s according to actual conditions.
  • the second defense strategy is generated based on historical traffic log data.
  • One possible way is to filter out abnormal log data in the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of normal traffic based on the log data of normal traffic; and generate the second defense strategy according to the target field characteristics included in the baseline characteristics of normal traffic.
  • the amount of historical traffic log data can be adjusted according to the actual situation. For example, select the traffic log data of the past month or one year, or filter the traffic log data of certain days from the traffic log data of one year as the historical traffic log data.
  • the abnormal log data in the historical traffic log data is filtered to obtain the log data of the normal traffic, including but not limited to the following implementation methods:
  • Method 1: obtain the response status codes of the historical data requests from the historical traffic log data, find the log data corresponding to abnormal response status codes, and filter that log data out. For example, when the response status code in a piece of log data is 4xx or 5xx, that log data is abnormal log data.
  • Method 2: if the historical traffic log data in a certain period of time falls within a period in which the data source end device was attacked, all log data in that period is filtered out as abnormal log data.
  • Method 3: obtain the response status codes of the historical data requests from the historical traffic log data of a certain period, and calculate the proportion of abnormal response status codes. When the proportion of abnormal response status codes is greater than the set proportion threshold, all log data in that period is filtered out as abnormal log data.
  • the foregoing implementation manner may be a single setting or multiple combinations of settings; this application does not limit the foregoing set ratio threshold, and the foregoing set ratio threshold can be adjusted according to actual conditions.
  • the baseline characteristics of the normal traffic can be analyzed based on the log data of the normal traffic.
  • An achievable way is to extract field characteristics from the log data of normal traffic, and calculate the distribution baseline parameters of the field characteristics as the baseline characteristics of the normal traffic.
  • the field characteristics include but are not limited to at least one of the following fields: HTTP protocol standard fields (such as uri, referer, etc.), website custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys obtained by parsing the uri, etc.).
  • the distribution baseline parameters of the field characteristics include but are not limited to at least one of the following: the proportion of the field characteristics, the frequency of the field characteristics request, and the correlation of the field characteristics combination.
  • the second defense strategy is generated according to the target field characteristics in the baseline characteristics of normal traffic.
  • An achievable way is to analyze the baseline characteristics of normal traffic, filter out the target field characteristics from the field characteristics included in the normal traffic, and generate a second defense strategy for the target field characteristics. For example, from the field features included in normal traffic, a field feature whose baseline feature is greater than the baseline feature threshold is identified as the target field feature. Combining the characteristics of the target field, an implementation manner of the second defense strategy is to limit the rate of traffic that does not contain the characteristics of the target field.
  • the log data in the current period is analyzed to update the second defense strategy.
  • An achievable update method is to identify the normal traffic log data from the traffic log data in the current period, and update the baseline characteristics of the normal traffic according to the identified normal traffic log data; analyze the distribution baseline parameters of the updated field characteristics and filter out the new target field characteristics from the field characteristics included in the newly identified normal traffic; if the new target field characteristics are the same as the original target field characteristics, the original second defense strategy is not updated; if the new target field characteristics are different from the original target field characteristics, a new second defense strategy is generated according to the new target field characteristics to update the original second defense strategy.
  • the traffic log data in the current period can also be analyzed to generate the first defense strategy.
  • An achievable way is to analyze the characteristics of the network traffic in the current period based on the traffic log data in the current period; identify the abnormal traffic existing in the current period based on the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic; and, according to the characteristics of the abnormal traffic in the current period, generate the first defense strategy against the abnormal traffic in the current period.
  • the characteristics of the network traffic in the current period are analyzed based on the traffic log data in the current period.
  • An alternative embodiment is to extract the field characteristics from the traffic log data in the current period and calculate the distribution parameters of the field characteristics as the characteristics of the network traffic in the current period.
  • the field characteristics include but are not limited to at least one of the following fields: HTTP protocol standard fields (such as uri, referer, etc.), website custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys obtained by parsing the uri, etc.).
  • the distribution parameters of the field characteristics include but are not limited to at least one of: the proportion of the field characteristics, the frequency of field characteristics request, and the correlation of the combination of field characteristics.
  • the abnormal traffic in the current period is identified based on the characteristics of the network traffic in the current period and the baseline characteristics of the known normal traffic, including but not limited to at least one of the following implementations:
  • Method 1: compare the distribution parameters of the field characteristics of the network traffic in the current period with the distribution baseline parameters of the existing field characteristics, calculate the proportion change rate of each corresponding field characteristic, and regard the network traffic corresponding to a field characteristic whose proportion change rate is greater than the set change rate threshold as the abnormal traffic existing in the current period.
  • Method 2: compare the distribution parameters of the field characteristics of the network traffic in the current period with the distribution baseline parameters of the existing field characteristics, calculate the request frequency growth rate of each corresponding field characteristic, and regard the network traffic corresponding to a field characteristic whose request frequency growth rate is greater than the set growth rate threshold as the abnormal traffic existing in the current period.
  • this application does not limit the set rate of change threshold and the set growth rate threshold, and the set rate of change threshold and the set growth rate threshold can be adjusted according to actual conditions.
  • the first defense strategy against the abnormal traffic existing in the current period is generated according to the characteristics of the abnormal traffic existing in the current period.
  • the new first defense strategy is a defense strategy for blocking traffic that carries the characteristics of the abnormal traffic.
  • judging whether the network traffic in the current period has abnormal behavior according to the traffic log data in the current period includes at least one of the following methods:
  • Method 1 Obtain the request frequency of data requests in the current time period based on the log data in the current time period. When the request frequency is greater than the first threshold, it is determined that the network traffic in the current time period has abnormal behavior;
  • Method 2 According to the log data in the current period, obtain the abnormal proportion of the response status code of the data request in the current period. When the abnormal proportion of the response status code is greater than the second threshold, it is determined that the network traffic in the current period has abnormal behavior;
  • Method 3 Obtain the growth rate of the number of data requests in the current period relative to the previous period according to the log data in the current period. When the growth rate is greater than the third threshold, it is determined that the network traffic in the current period has abnormal behavior.
  • any one of the above three methods can be used alone as the judgment condition for abnormal behavior of the network traffic in the current period, or any two or all three of them can be combined as the judgment conditions for abnormal behavior of the network traffic in the current period. The present application does not limit the first threshold, the second threshold, and the third threshold; the first threshold, the second threshold, and the third threshold can be adjusted according to actual conditions.
  • the second defense strategy is always in effect, but automatically becomes invalid when a first defense strategy appears. Based on this, after the traffic log data in the current period is received, it can be determined from the traffic log data in the current period whether there is abnormal behavior in the network traffic in the current period.
  • if the judgment result is that there is abnormal behavior, it is judged whether there is a first defense strategy; if it exists, data processing is performed on the network traffic in the subsequent period according to the first defense strategy that is in effect; if it does not exist, data processing is performed on the network traffic in the subsequent period according to the second defense strategy. The embodiments of the application use the combination of the second defense strategy and the first defense strategy: on the one hand, this ensures that the source server is not overwhelmed by the attack at the first moment of the attack, and on the other hand, it ensures that the impact on current normal access requests is minimal.
  • FIG. 3 is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application. As shown in Figure 3, the method includes:
  • S301 Analyze the characteristics of the network traffic in the current period according to the traffic log data in the current period;
  • S302 Identify the abnormal traffic in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of the known normal traffic, where the baseline characteristics of the known normal traffic are obtained from historical traffic log data;
  • S303 According to the characteristics of the abnormal traffic existing in the current period, generate a first defense strategy for the abnormal traffic existing in the current period to perform data processing on the network traffic in the subsequent period.
  • the method in this embodiment may be executed by a device with a defense function and a certain computing capability, or may be implemented by the protection strategy calculation device and the protection execution device in the foregoing system embodiment.
  • the protection execution device delivers the generated log data to the protection strategy calculation device, and the protection strategy calculation device receives the log data to obtain the log data.
  • the frequency at which the protection strategy calculation device obtains the log data may be every 1 s, 2 s, 5 s or 10 s, according to actual conditions.
  • FIG. 2b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application. As shown in Figure 2b, the method includes:
  • S221 Acquire database operation log data in the current period, where the database operation log data reflects the characteristics of the database operation traffic in the current period;
  • S223 Determine whether there is a first defense strategy, the first defense strategy being generated for abnormal database operation traffic that has been identified before the current moment; if it exists, perform step S224, if not, perform step S225;
  • S224 Perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy;
  • S225 Perform data processing on the database operation traffic in the subsequent period according to the second defense strategy.
  • the second defense strategy is generated based on the normal database operation traffic that has been identified before the current moment.
  • the existing first defense strategy is issued to the protection execution device on the database operation traffic channel, so that the protection execution device can perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy.
  • the generated second defense strategy is issued to the defense execution device on the database operation traffic channel, so that the defense execution device performs data processing on the database operation traffic in the subsequent period according to the existing second defense strategy.
  • the embodiment of the present application does not limit the data processing method of the database operation flow.
  • the data leakage behavior in the current period is determined according to the database operation log data in the current period, including but not limited to the following methods:
  • Method 1 According to the database operation log data in the current period, obtain the number of query data entries in the current period. When the number of query data entries is greater than the first number threshold, it is determined from the database operation log data in the current period that there is data leakage behavior in the current period.
  • Method 2 According to the database operation log data in the current period, obtain the number of query data bytes in the current period. When the number of query data bytes is greater than the second number threshold, it is determined from the database operation log data in the current period that there is data leakage behavior in the current period.
  • the first defense strategy is generated for abnormal database operation traffic that has been identified before the current moment.
  • the baseline characteristics of database operation log data include but are not limited to the following: query frequency, query interval, number of single query entries, number of single query result entries, number of single query result bytes, cumulative number of query entries, cumulative number of query result entries and cumulative number of query result bytes.
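The following is an added example, not code from the patent, showing how Method 1 and Method 2 above and the listed baseline characteristics can be computed over database operation log data. The log line format, the field names and the two number thresholds are assumptions made for the example.

```python
"""Data-leakage check on database operation logs for one period.

Added example (not the patent's code). Applies the two conditions from the
text (query data entries above the first number threshold, query data bytes
above the second number threshold) and computes the listed per-period
baseline characteristics. Log format and thresholds are assumptions.
"""
from statistics import mean

# Constructed sample log: "<epoch_seconds> <user> <operation> <result_rows> <result_bytes>"
# The third line is an unusually large SELECT that should trigger both conditions.
CURRENT_DB_LOG = """\
2000 app SELECT 20 4096
2003 app SELECT 15 3000
2004 app SELECT 50000 10485760
2009 app UPDATE 1 128
"""

def parse_db_log(text):
    """Parse the constructed log format into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, n_rows, n_bytes = line.split()
        rows.append({"ts": int(ts), "user": user, "op": op,
                     "rows": int(n_rows), "bytes": int(n_bytes)})
    return rows

def db_period_characteristics(rows, period_seconds):
    """The baseline characteristics named in the text, for one period."""
    queries = [r for r in rows if r["op"] == "SELECT"]
    ts = sorted(r["ts"] for r in queries)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "query_frequency": len(queries) / period_seconds,
        "query_interval": mean(intervals) if intervals else None,
        "single_query_result_entries": [r["rows"] for r in queries],
        "single_query_result_bytes": [r["bytes"] for r in queries],
        "cumulative_query_entries": len(queries),
        "cumulative_result_entries": sum(r["rows"] for r in queries),
        "cumulative_result_bytes": sum(r["bytes"] for r in queries),
    }

def detect_data_leakage(rows, first_number_threshold, second_number_threshold):
    """Method 1 (entries) and Method 2 (bytes); returns the triggered conditions.

    Either condition alone is sufficient, matching "at least one of the following".
    """
    queries = [r for r in rows if r["op"] == "SELECT"]
    total_entries = sum(r["rows"] for r in queries)
    total_bytes = sum(r["bytes"] for r in queries)
    triggered = []
    if total_entries > first_number_threshold:
        triggered.append("query_entries")
    if total_bytes > second_number_threshold:
        triggered.append("query_bytes")
    return triggered

if __name__ == "__main__":
    rows = parse_db_log(CURRENT_DB_LOG)
    # Assumed thresholds: 10,000 result rows and 5 MiB of result bytes per period.
    print(detect_data_leakage(rows, 10_000, 5 * 1024 * 1024))
    print(db_period_characteristics(rows, period_seconds=10))
```

The thresholds are deliberately applied to period totals rather than to single queries, because a leak spread over many small queries is exactly the case the cumulative characteristics are there to catch; the single-query lists are kept so that a per-query limit can be layered on top.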
  • FIG. 2c is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application. As shown in Figure 2c, the method includes:
  • S231 Obtain traffic log data in the current time period, where the traffic log data reflects the characteristics of the network traffic in the current time period;
  • S234 Generate first visualization data for network traffic in the subsequent period according to the existing first defense strategy
  • S235 Generate second visual data for network traffic in the subsequent period according to the second defense strategy, where the second defense strategy is generated based on the normal traffic that has been identified before the current moment.
  • the first visualization data is sent to the display terminal for the display terminal to generate the first display interface according to the first visualization data.
  • this application does not limit the display content of the first display interface.
  • the display content of the first interface may include, but is not limited to, the following content: abnormal total indicator curve and normal indicator total fluctuation range, abnormal component corresponding indicator and normal fluctuation range comparison table.
  • the second visualization data is sent to the display terminal for the display terminal to generate the second display interface according to the second visualization data.
  • this application does not limit the display content of the second display interface.
  • the display content of the second interface may include, but is not limited to, the following: a graph of the current total indicator volume against the normal fluctuation range of the total indicator, a curve of the current indicator's chain ratio against the normal chain fluctuation range of the indicator, a distribution pie chart of each component, a comparison table of the current proportion of each component against its normal fluctuation range, and a comparison table of the absolute value of each component against its normal fluctuation range.
  • the baseline characteristics of the traffic log data include but are not limited to the following: the absolute value of the total indicator, the chain ratio of the indicator compared to the previous cycle, the absolute value of each component, the proportion of each component, and the cycle-to-cycle comparison of each component.
  • This embodiment describes the data processing method from the perspective of generating the first defense strategy. The steps in this embodiment are described in detail in the foregoing embodiments of the data processing method, from which this embodiment and its corresponding beneficial effects can be derived; they are not repeated here.
  • Fig. 4 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • the data processing device includes a memory 401 and a processor 402, and also includes necessary components of a communication component 403 and a power supply component 404.
  • the memory 401 is used to store computer programs and can be configured to store other various data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
  • the memory 401 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable Programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication component 403 is used to establish a communication connection with other devices.
  • the processor 402 can execute the computer instructions stored in the memory 401 to obtain the traffic log data in the current period, the traffic log data reflecting the characteristics of the network traffic in the current period; if it is determined from the traffic log data in the current period that the network traffic in the current period has abnormal behavior, determine whether there is a first defense strategy.
  • the first defense strategy is generated for abnormal traffic that has been identified before the current moment; if it exists, perform data processing on the network traffic in the subsequent period based on the existing first defense strategy; if it does not exist, perform data processing on the network traffic in the subsequent period according to the second defense strategy, which is generated based on the normal traffic that has been identified before the current moment.
  • the processor 402 may also be used to: analyze the characteristics of the network traffic in the current period according to the traffic log data in the current period; identify the abnormal traffic existing in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic; and generate, according to the characteristics of the abnormal traffic existing in the current period, the first defense strategy against that abnormal traffic.
  • when the processor 402 performs data processing on the network traffic in the subsequent period according to the existing first defense strategy, it is specifically configured to: issue the existing first defense strategy to the protection execution device on the network traffic channel, for the protection execution device to perform data processing on the network traffic in the subsequent period according to the existing first defense strategy.
  • the processor 402 may be further configured to: issue the effective duration corresponding to the existing first defense strategy to the protection execution device, so that the protection execution device performs data processing on the network traffic in the subsequent period according to the existing first defense strategy within the effective duration.
  • the processor 402 can also be used to: filter out abnormal log data from the traffic log data in the historical period to obtain log data of normal traffic; analyze the baseline characteristics of normal traffic according to the log data of normal traffic; and generate a second defense strategy based on the target field characteristics in the baseline characteristics of normal traffic.
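The following is an added example, not code from the patent, covering two passages: steps S301 to S303 (compare the current period's characteristics with the baseline characteristics of known normal traffic, identify the abnormal traffic and generate a first defense strategy against it) and the second-strategy generation just described (filter abnormal data out of the historical period, derive the baseline, build the second defense strategy from a target field). Periods are represented as pre-aggregated request counts per "component" (here a request path prefix); the component choice, the use of median/MAD for filtering history, the fluctuation range of mean plus k standard deviations, the effective duration value and the strategy field names are all assumptions of the example.

```python
"""Baseline characteristics and generation of the first and second defense strategies.

Added example (not the patent's code). Totals, per-component absolute values,
per-component proportions and the chain ratio follow the baseline list in the
text; how they are turned into limits is this example's own choice.
"""
from statistics import mean, median, pstdev

# Constructed history: per-period request counts by component.
# The fourth period is a flood on /api that the filter should drop as abnormal.
HISTORY = [
    {"/api": 100, "/login": 10, "/static": 40},
    {"/api": 110, "/login": 12, "/static": 38},
    {"/api": 95, "/login": 9, "/static": 42},
    {"/api": 2000, "/login": 11, "/static": 41},
    {"/api": 105, "/login": 10, "/static": 39},
]

def filter_abnormal_periods(history, k=3.0):
    """Keep periods whose total lies within median +/- k*MAD of all totals (assumed rule)."""
    totals = [sum(p.values()) for p in history]
    med = median(totals)
    mad = median(abs(t - med) for t in totals) or 1.0
    return [p for p, t in zip(history, totals) if abs(t - med) <= k * mad]

def baseline_characteristics(normal_periods):
    """(mean, std) of the total, of the total's chain ratio, and of each
    component's absolute value and proportion, over known-normal periods."""
    comps = sorted({c for p in normal_periods for c in p})
    totals = [sum(p.values()) for p in normal_periods]
    chain = [b / a for a, b in zip(totals, totals[1:])] or [1.0]
    base = {"total": (mean(totals), pstdev(totals)),
            "chain_ratio": (mean(chain), pstdev(chain)),
            "components": {}}
    for c in comps:
        absolute = [p.get(c, 0) for p in normal_periods]
        proportion = [p.get(c, 0) / t for p, t in zip(normal_periods, totals)]
        base["components"][c] = {"absolute": (mean(absolute), pstdev(absolute)),
                                 "proportion": (mean(proportion), pstdev(proportion))}
    return base

def upper_bound(stat, k):
    """Upper edge of the normal fluctuation range: mean + k * std."""
    m, s = stat
    return m + k * s

def identify_abnormal_traffic(current, base, k=3.0):
    """S302: components of the current period above their normal range
    in absolute value or in proportion of the total."""
    total = sum(current.values())
    abnormal = []
    for c, st in base["components"].items():
        value = current.get(c, 0)
        if (value > upper_bound(st["absolute"], k)
                or value / total > upper_bound(st["proportion"], k)):
            abnormal.append(c)
    return abnormal

def generate_first_strategy(abnormal_components, base, k=3.0, effective_periods=3):
    """S303: a targeted rule per abnormal component, capping it at its baseline upper bound.
    The effective duration (in periods) is an assumed value."""
    return {"kind": "first",
            "effective_periods": effective_periods,
            "limits": {c: int(upper_bound(base["components"][c]["absolute"], k))
                       for c in abnormal_components}}

def generate_second_strategy(base, target_field="total", k=3.0):
    """Baseline-derived fallback built from one target field of the baseline."""
    return {"kind": "second",
            "limits": {target_field: int(upper_bound(base[target_field], k))}}

if __name__ == "__main__":
    normal = filter_abnormal_periods(HISTORY)
    base = baseline_characteristics(normal)
    current = {"/api": 500, "/login": 10, "/static": 40}  # constructed current period
    abnormal = identify_abnormal_traffic(current, base)
    print(generate_first_strategy(abnormal, base))
    print(generate_second_strategy(base))
```

The second strategy only constrains the total, so it is coarse but safe to leave permanently in force; the first strategy constrains just the components that left their normal range, which is why the text lets it supersede the second one while it is in effect.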
  • the processor 402 when the processor 402 performs data processing on the network traffic in the subsequent period according to the second defense strategy, it is specifically configured to: issue the generated second defense strategy to the defense execution device on the network traffic channel to The protection execution device performs data processing on the network traffic in the subsequent period according to the generated second defense strategy.
  • when the processor 402 determines, based on the traffic log data in the current period, that the network traffic in the current period has abnormal behavior, this includes at least one of the following: obtaining the request frequency of data requests in the current period from the log data in the current period, and determining that the network traffic in the current period has abnormal behavior when the request frequency is greater than the first threshold; obtaining the abnormal proportion of response status codes of data requests in the current period from the log data in the current period, and determining that the network traffic in the current period has abnormal behavior when the abnormal proportion of response status codes is greater than the second threshold; obtaining the growth rate of the number of data requests in the current period relative to the previous period from the log data in the current period, and determining that the network traffic in the current period has abnormal behavior when the growth rate is greater than the third threshold.
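The following is an added example, not code from the patent, implementing the three judgment conditions just listed (request frequency, abnormal proportion of response status codes, growth rate versus the previous period) over constructed access-log lines, and then the selection rule that an existing first defense strategy is used and the second defense strategy is the fallback. The log format, the period length, the threshold values and the shape of the strategy records are assumptions of the example.

```python
"""Period-level abnormal-behavior check and defense-strategy selection.

Added example (not the patent's code). Each of the three conditions is a
separate function so that any one, two or all three can be combined, as the
text allows. Status codes >= 400 are counted as abnormal (an assumption).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample logs: "<epoch_seconds> <client_ip> <status>".
PREVIOUS_PERIOD_LOG = """\
1000 10.0.0.1 200
1001 10.0.0.2 200
1002 10.0.0.3 200
1003 10.0.0.1 404
"""

CURRENT_PERIOD_LOG = """\
1010 10.0.0.1 200
1010 10.0.0.9 503
1010 10.0.0.9 503
1011 10.0.0.9 503
1011 10.0.0.9 503
1012 10.0.0.9 503
1012 10.0.0.2 200
1013 10.0.0.9 503
"""

PERIOD_SECONDS = 5  # assumed collection interval (the text lists 1 s, 2 s, 5 s or 10 s)

Row = Tuple[int, str, int]

@dataclass
class Thresholds:
    first: float   # requests per second
    second: float  # abnormal status-code ratio, 0..1
    third: float   # growth rate vs. previous period, 0.5 == +50 %

def parse_log(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, status = line.split()
            rows.append((int(ts), ip, int(status)))
    return rows

def request_frequency(rows: List[Row], period_seconds: int) -> float:
    return len(rows) / period_seconds

def abnormal_status_ratio(rows: List[Row]) -> float:
    if not rows:
        return 0.0
    return sum(1 for _, _, s in rows if s >= 400) / len(rows)

def growth_rate(current: List[Row], previous: List[Row]) -> float:
    if not previous:
        return float("inf") if current else 0.0
    return (len(current) - len(previous)) / len(previous)

def has_abnormal_behavior(current, previous, th: Thresholds, period_seconds=PERIOD_SECONDS):
    """Return the list of triggered conditions; an empty list means normal."""
    triggered = []
    if request_frequency(current, period_seconds) > th.first:
        triggered.append("request_frequency")
    if abnormal_status_ratio(current) > th.second:
        triggered.append("status_code_ratio")
    if growth_rate(current, previous) > th.third:
        triggered.append("growth_rate")
    return triggered

def select_strategy(first: Optional[dict], second: dict) -> dict:
    """Selection rule from the text: an existing first strategy wins,
    otherwise the baseline-derived second strategy applies."""
    return first if first is not None else second

def process_period(current_text, previous_text, th, first_strategy, second_strategy):
    """One pass of the method: detect, then choose which strategy to issue."""
    cur, prev = parse_log(current_text), parse_log(previous_text)
    triggered = has_abnormal_behavior(cur, prev, th)
    if not triggered:
        return {"abnormal": False, "triggered": [], "strategy": None}
    return {"abnormal": True, "triggered": triggered,
            "strategy": select_strategy(first_strategy, second_strategy)}

if __name__ == "__main__":
    th = Thresholds(first=1.0, second=0.3, third=0.5)  # assumed threshold values
    second = {"name": "second", "total_rate_limit_rps": 2.0}
    print(process_period(CURRENT_PERIOD_LOG, PREVIOUS_PERIOD_LOG, th, None, second))
```

Note that the growth-rate condition needs the previous period's log as well as the current one, so a device implementing it has to retain at least one prior period of counts; the other two conditions are computable from the current period alone.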
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program; when the computer program is executed by one or more processors, the one or more processors are caused to execute each step in the method embodiment of FIG. 2a.
  • the traffic log data in the current period is acquired; abnormal behavior detection is performed on the traffic log data in the current period, and when it is determined that the network traffic in the current period has abnormal behavior, it is determined whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent period; if not, the second defense strategy generated from known normal traffic is used to perform data processing on the network traffic in the subsequent period.
  • This application adopts the combination of the second defense strategy and the first defense strategy. On the one hand, it ensures that the source server is not overwhelmed at the first moment of an attack, and on the other hand, it ensures that the impact on current normal access requests is minimal.
  • Fig. 5 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • the data processing device includes a memory 501 and a processor 502, and also includes necessary components of a communication component 503 and a power supply component 504.
  • the memory 501 is used to store computer programs, and can be configured to store other various data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
  • the memory 501 can be implemented by any type of volatile or non-volatile storage device or their combination, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable Programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication component 503 is used to establish a communication connection with other devices.
  • the processor 502 can execute the computer instructions stored in the memory 501 to: analyze the characteristics of the network traffic in the current period according to the traffic log data in the current period; identify the abnormal traffic in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic.
  • the baseline characteristics of known normal traffic are obtained from historical traffic log data; according to the characteristics of the abnormal traffic in the current period, a first defense strategy against the abnormal traffic in the current period is generated.
  • the first defense strategy for the abnormal traffic in the current period is used for data processing of the network traffic in the subsequent period.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program; when the computer program is executed by one or more processors, the one or more processors are caused to execute each step in the method embodiment of FIG. 3.
  • Fig. 6 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • the data processing device includes a memory 601 and a processor 602, and also includes necessary components of a communication component 603 and a power supply component 604.
  • the memory 601 is used to store computer programs and can be configured to store other various data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
  • the memory 601 can be implemented by any type of volatile or non-volatile storage devices or their combination, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable Programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication component 603 is used to establish a communication connection with other devices.
  • the processor 602 can execute the computer instructions stored in the memory 601 to obtain the database operation log data in the current period.
  • the database operation log data reflects the characteristics of the database operation traffic in the current period;
  • if it is determined from the database operation log data in the current period that there is data leakage in the current period, determine whether there is a first defense strategy, which is generated for abnormal database operation traffic that has been identified before the current moment; if it exists, perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy; if not, perform data processing on the database operation traffic in the subsequent period according to the second defense strategy, which is generated based on the normal database operation traffic that has been identified before the current moment.
  • when the processor 602 performs data processing on the database operation traffic in the subsequent period according to the existing first defense strategy, it is specifically configured to: issue the existing first defense strategy to the protection execution device on the database operation traffic channel, for the protection execution device to perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy.
  • when the processor 602 performs data processing on the network traffic in the subsequent period according to the second defense strategy, it is specifically configured to: deliver the generated second defense strategy to the protection execution device on the database operation traffic channel, so that the protection execution device performs data processing on the database operation traffic in the subsequent period according to the existing second defense strategy.
  • when the processor 602 determines, according to the database operation log data in the current period, that there is data leakage behavior in the current period, this includes at least one of the following: obtaining the number of query data entries in the current period according to the database operation log data in the current period, and determining from that data that there is data leakage in the current period when the number of query data entries is greater than the first number threshold; obtaining the number of query data bytes in the current period according to the database operation log data in the current period, and determining from that data that there is data leakage behavior in the current period when the number of query data bytes is greater than the second number threshold.
  • the database operation log data in the current period is acquired; data leakage behavior detection is performed on the database operation log data in the current period.
  • it is determined whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to perform data processing on the database operation traffic in the subsequent period; if not, the second defense strategy is used to perform data processing on the database operation traffic in the subsequent period.
  • This application adopts the combination of the second defense strategy and the first defense strategy to reduce the loss caused by data leakage.
  • Fig. 7 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
  • the data processing device includes: a memory 701 and a processor 702, and also includes necessary components of a communication component 703 and a power supply component 704.
  • the memory 701 is used to store computer programs, and can be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
  • the memory 701 can be implemented by any type of volatile or non-volatile storage devices or their combination, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable Programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication component 703 is used to establish a communication connection with other devices.
  • the processor 702 can execute the computer instructions stored in the memory 701 to obtain traffic log data in the current period, the traffic log data reflecting the characteristics of the network traffic in the current period; if it is determined based on the traffic log data in the current period that the network traffic in the current period has abnormal behavior, determine whether there is a first defense strategy.
  • the first defense strategy is generated for the abnormal traffic that has been identified before the current moment; if it exists, generate first visualization data for the network traffic in the subsequent period based on the existing first defense strategy; if not, generate second visualization data for the network traffic in the subsequent period according to the second defense strategy, which is generated from the normal traffic that has been identified before the current moment.
  • the processor 702 may also be used to: send the first visualization data to the display terminal, so that the display terminal generates a first display interface according to the first visualization data.
  • the processor 702 may also be configured to: send the second visualization data to the display terminal, so that the display terminal generates a second display interface according to the second visualization data.
  • the present application, on the one hand, can analyze whether there is abnormal traffic in the current period according to the traffic log data in the current period and, when there is abnormal traffic, generate a first defense strategy for it; on the other hand, it can perform abnormal behavior detection based on the traffic log data in the current period and, when it is determined that the network traffic in the current period has abnormal behavior, determine whether a generated first defense strategy exists; if it exists, the existing first defense strategy is used to generate first visualization data for the network traffic in the subsequent period; if it does not exist, the second defense strategy generated from known normal traffic is used to generate second visualization data for the network traffic in the subsequent period. The second defense strategy and the first defense strategy are thus combined to perform data processing on the network traffic, so that the various indicators of abnormal behavior are displayed visually and defense measures can be taken quickly.
  • the communication components in FIGS. 4 to 7 described above are configured to facilitate wired or wireless communication between the device where the communication component is located and other devices.
  • the device where the communication component is located can access a wireless network based on communication standards, such as WiFi, 2G or 3G, or a combination of them.
  • the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel.
  • the communication component may further include near field communication (NFC) technology, radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, etc.
  • the power supply components in Figures 4 to 7 above provide power for various components of the equipment where the power supply component is located.
  • the power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device where the power supply component is located.
  • the embodiments of the present invention may be provided as methods, systems, or computer program products. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows in the flowchart and/or one or more blocks in the block diagram.
  • the computing device includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission media that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided are a data processing method and device, and a storage medium. In some exemplary embodiments of the present application, the method comprises: acquiring traffic log data within a current period; performing abnormal behavior detection on the traffic log data within the current period; when it is determined that abnormal behavior is present in the network traffic within the current period, determining whether a generated first defense strategy is present in a defense strategy library; if the first defense strategy is present, using the present first defense strategy to perform data processing on network traffic in a subsequent period; and if the first defense strategy is not present, using a second defense strategy generated from known normal traffic to perform data processing on the network traffic within the subsequent period. In the present application, using a combination of a second defense strategy and a first defense strategy ensures that a source server is not overwhelmed at the first moment of an attack, and also ensures that the influence on current normal access requests is minimal.

Description

Data processing method, device and storage medium
This application claims priority to Chinese patent application No. 201910717614.4, titled "Data processing method, device and storage medium" and filed on August 5, 2019, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of Internet technology, and in particular to a data processing method, device and storage medium.
Background
A Distributed Denial of Service (DDoS) attack is a form of network attack that consumes the target's resources so that users cannot access the target service normally; it is the main threat among current network attacks. Using client/server technology, a DDoS attack combines many computers into an attack platform and launches a denial-of-service attack against one or more targets, multiplying the power of the attack so that normal users receive no network response. It poses a great threat to the Internet and to Internet services.
Currently, to defend against DDoS attacks, a defense strategy is generally preset on the target server, for example source rate limiting of network traffic. When no DDoS attack is under way, or when the attack sources send at a low frequency, such a preset defense strategy adversely affects normal traffic.
Summary of the invention
Various aspects of this application provide a data processing method, device and storage medium which, on the one hand, ensure that the source server is not overwhelmed at the onset of an attack and, on the other hand, ensure that the defense strategy has a small impact on normal traffic.
An embodiment of this application provides a data processing method, including:
acquiring traffic log data in the current period, where the traffic log data reflects the characteristics of the network traffic in the current period;
if it is determined from the traffic log data in the current period that the network traffic in the current period exhibits abnormal behavior, determining whether a first defense strategy exists, where the first defense strategy is generated for abnormal traffic identified before the current moment;
if it exists, performing data processing on the network traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, performing data processing on the network traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal traffic identified before the current moment.
An embodiment of this application also provides a data processing method, including:
analyzing the characteristics of the network traffic in the current period according to the traffic log data in the current period;
identifying the abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
generating, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy directed at that abnormal traffic, so as to perform data processing on the network traffic in the subsequent period.
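The two methods summarized above (abnormal-behavior detection with fallback to a second, default strategy; and first-strategy generation from a baseline of known normal traffic) as one added worked example. This is illustration code written for this page, not the patent's or Alibaba's implementation; the `period ip path` log format, the 10-second period, the tolerance factor of 3, the constructed log lines (including the burst from the documentation address 198.51.100.7) and the rate-cap representation of a strategy are all assumptions made here.

```python
"""Period-based abnormal-traffic detection and defense-strategy selection.
Added illustration, not the patent's or Alibaba's code; the log format,
period length, tolerance factor and strategy shape are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERIOD_SECONDS = 10  # assumed length of one log period
FACTOR = 3.0         # assumed tolerance multiplier above the normal baseline

# Constructed sample traffic log lines: "<period> <source_ip> <path>".
HISTORICAL_LOG = """\
1 10.0.0.1 /index
1 10.0.0.1 /index
1 10.0.0.2 /search
2 10.0.0.1 /index
2 10.0.0.2 /index
2 10.0.0.2 /search
"""
# Current period: two normal requests plus a constructed 20-request burst.
CURRENT_LOG = "\n".join(["3 10.0.0.1 /index", "3 10.0.0.2 /index"]
                        + ["3 198.51.100.7 /search"] * 20)

def parse_log(text: str) -> List[Tuple[int, str, str]]:
    return [(int(p), ip, path) for p, ip, path in
            (line.split() for line in text.strip().splitlines())]

@dataclass
class Features:
    """Traffic characteristics of a period (or a baseline), in requests/s."""
    total_rate: float
    source_rates: Dict[str, float]
    path_rates: Dict[str, float]

def period_features(records) -> Features:
    rate = lambda c: {k: v / PERIOD_SECONDS for k, v in c.items()}
    return Features(len(records) / PERIOD_SECONDS,
                    rate(Counter(r[1] for r in records)),
                    rate(Counter(r[2] for r in records)))

def build_baseline(history) -> Features:
    """Known-normal baseline from historical periods: mean total and per-path
    rates, and the peak rate each normal source ever reached."""
    per_period = [period_features([r for r in history if r[0] == p])
                  for p in sorted({r[0] for r in history})]
    n = len(per_period)
    paths, peak = defaultdict(float), defaultdict(float)
    for f in per_period:
        for path, r in f.path_rates.items():
            paths[path] += r / n
        for ip, r in f.source_rates.items():
            peak[ip] = max(peak[ip], r)
    return Features(sum(f.total_rate for f in per_period) / n, dict(peak), dict(paths))

@dataclass
class Strategy:
    kind: str                                    # "first" or "second"
    blocked_sources: Set[str] = field(default_factory=set)
    path_limits: Dict[str, float] = field(default_factory=dict)  # req/s caps
    source_limit: Optional[float] = None                         # req/s cap

def abnormal_behavior(cur: Features, base: Features) -> bool:
    # Attack detection: the period's total rate is far above the normal total.
    return cur.total_rate > FACTOR * base.total_rate

def generate_first_strategy(cur: Features, base: Features) -> Strategy:
    """Target only the sources/paths that exceed the baseline (unknown paths: cap 0)."""
    src_cap = FACTOR * max(base.source_rates.values())
    bad_srcs = {ip for ip, r in cur.source_rates.items() if r > src_cap}
    bad_paths = {p for p, r in cur.path_rates.items()
                 if r > FACTOR * base.path_rates.get(p, 0.0)}
    return Strategy("first", bad_srcs,
                    {p: FACTOR * base.path_rates.get(p, 0.0) for p in bad_paths})

def second_strategy(base: Features) -> Strategy:
    """Default strategy from normal traffic only: cap every path and source."""
    return Strategy("second", set(), {p: FACTOR * r for p, r in base.path_rates.items()},
                    FACTOR * max(base.source_rates.values()))

def select_strategy(cur: Features, base: Features, library: List[Strategy]) -> Optional[Strategy]:
    """None while traffic is normal; else the newest first strategy, else the second."""
    if not abnormal_behavior(cur, base):
        return None
    firsts = [s for s in library if s.kind == "first"]
    return firsts[-1] if firsts else second_strategy(base)

def apply_strategy(s: Strategy, records) -> Tuple[int, int]:
    """Enforce a strategy over one period's requests -> (allowed, dropped)."""
    quota = lambda rate: int(round(rate * PERIOD_SECONDS))
    seen_path, seen_src, allowed = Counter(), Counter(), 0
    for _, ip, path in records:
        if (ip in s.blocked_sources
                or (path in s.path_limits and seen_path[path] >= quota(s.path_limits[path]))
                or (s.source_limit is not None and seen_src[ip] >= quota(s.source_limit))):
            continue
        seen_path[path] += 1
        seen_src[ip] += 1
        allowed += 1
    return allowed, len(records) - allowed
```

`select_strategy` returns the second (default) strategy while the library holds no first strategy, and the newest first strategy once `generate_first_strategy` has added one. On the constructed current period the default strategy, which knows nothing about the attacker, lets 5 requests through and drops 17, while the targeted first strategy passes the 2 normal requests and drops all 20 of the burst, which is the smaller-collateral-damage effect the summary claims for the combination.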
An embodiment of this application also provides a data processing device, including a memory and a processor;
the memory is used to store one or more computer instructions;
the processor is configured to execute the one or more computer instructions in order to:
acquire traffic log data in the current period, where the traffic log data reflects the characteristics of the network traffic in the current period;
if it is determined from the traffic log data in the current period that the network traffic in the current period exhibits abnormal behavior, determine whether a first defense strategy exists, where the first defense strategy is generated for abnormal traffic identified before the current moment;
if it exists, perform data processing on the network traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, perform data processing on the network traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal traffic identified before the current moment.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions including the following:
acquiring traffic log data in the current period, where the traffic log data reflects the characteristics of the network traffic in the current period;
if it is determined from the traffic log data in the current period that the network traffic in the current period exhibits abnormal behavior, determining whether a first defense strategy exists, where the first defense strategy is generated for abnormal traffic identified before the current moment;
if it exists, performing data processing on the network traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, performing data processing on the network traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal traffic identified before the current moment.
An embodiment of this application also provides a data processing device, including a memory and a processor;
the memory is used to store one or more computer instructions;
the processor is configured to execute the one or more computer instructions in order to:
analyze the characteristics of the network traffic in the current period according to the traffic log data in the current period;
identify the abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
generate, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy directed at that abnormal traffic, so as to perform data processing on the network traffic in the subsequent period.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions including the following:
analyzing the characteristics of the network traffic in the current period according to the traffic log data in the current period;
identifying the abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data;
generating, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy directed at that abnormal traffic, so as to perform data processing on the network traffic in the subsequent period.
An embodiment of this application also provides a data processing device, including a memory and a processor;
the memory is used to store one or more computer instructions;
the processor is configured to execute the one or more computer instructions in order to:
acquire database operation log data in the current period, where the database operation log data reflects the characteristics of the database operation traffic in the current period;
if it is determined from the database operation log data in the current period that data leakage behavior exists in the current period, determine whether a first defense strategy exists, where the first defense strategy is generated for abnormal database operation traffic identified before the current moment;
if it exists, perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, perform data processing on the database operation traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal database operation traffic identified before the current moment.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions including the following:
acquiring database operation log data in the current period, where the database operation log data reflects the characteristics of the database operation traffic in the current period;
if it is determined from the database operation log data in the current period that data leakage behavior exists in the current period, determining whether a first defense strategy exists, where the first defense strategy is generated for abnormal database operation traffic identified before the current moment;
if it exists, performing data processing on the database operation traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, performing data processing on the database operation traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal database operation traffic identified before the current moment.
An embodiment of this application also provides a data processing device, including a memory and a processor;
the memory is used to store one or more computer instructions;
the processor is configured to execute the one or more computer instructions in order to:
acquire traffic log data in the current period, where the traffic log data reflects the characteristics of the network traffic in the current period;
if it is determined from the traffic log data in the current period that the network traffic in the current period exhibits abnormal behavior, determine whether a first defense strategy exists, where the first defense strategy is generated for abnormal traffic identified before the current moment;
if it exists, generate first visualization data for the network traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, generate second visualization data for the network traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal traffic identified before the current moment.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions including the following:
acquiring traffic log data in the current period, where the traffic log data reflects the characteristics of the network traffic in the current period;
if it is determined from the traffic log data in the current period that the network traffic in the current period exhibits abnormal behavior, determining whether a first defense strategy exists, where the first defense strategy is generated for abnormal traffic identified before the current moment;
if it exists, generating first visualization data for the network traffic in the subsequent period according to the existing first defense strategy;
if it does not exist, generating second visualization data for the network traffic in the subsequent period according to a second defense strategy, where the second defense strategy is generated from normal traffic identified before the current moment.
In some exemplary embodiments of this application, on the one hand, the traffic log data in the current period can be analyzed to determine whether abnormal traffic exists in the current period and, when it does, a first defense strategy is generated for that abnormal traffic; on the other hand, abnormal behavior detection can be performed on the traffic log data in the current period and, when the network traffic in the current period is determined to exhibit abnormal behavior, it is determined whether a generated first defense strategy already exists; if so, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent period; if not, a second defense strategy generated from known normal traffic is used to perform data processing on the network traffic in the subsequent period. Combining the second defense strategy with the first defense strategy for the defensive processing of network traffic ensures, on the one hand, that the source server is not overwhelmed at the onset of an attack and, on the other hand, that the impact on normal traffic is small.
Brief description of the drawings
The drawings described here are provided for a further understanding of this application and form a part of it; the exemplary embodiments of this application and their descriptions serve to explain the application and do not constitute an improper limitation of it. In the drawings:
FIG. 1a is a schematic structural diagram of a defense system provided by an embodiment of this application;
FIG. 1b is a schematic diagram of the working principle of a defense system according to another embodiment of this application;
FIG. 2a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application;
FIG. 2b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application;
FIG. 2c is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application;
FIG. 3 is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application;
FIG. 4 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application;
FIG. 5 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application;
FIG. 6 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application;
FIG. 7 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application.
Detailed description
To make the purpose, technical solutions and advantages of this application clearer, the technical solutions of this application are described clearly and completely below in conjunction with specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in this application without creative effort fall within the protection scope of this application.
For defenders against resource-exhaustion DDoS attacks, the following defense methods are mainly used at present:
Method one: source rate limiting of network traffic. On the one hand, many devices sit behind an egress IP, so the normal request frequency of an egress IP is high; rate limiting mistakenly harms the egress IP's traffic, and it has no defensive effect when the attack sources send at a low frequency. On the other hand, when attack sources attack at a high overall frequency, even if each individual attack source requests at an extremely low frequency, the aggregated total attack volume is still very large yet passes the source rate limit unhindered. Therefore, source rate limiting of network traffic causes great collateral damage to normal traffic and does little to defend against DDoS attacks.
Method two: destination rate limiting of network traffic. When the total attack frequency is high, the probability that normal traffic passes is extremely low: suppose the website's normal request frequency is 10 requests/sec and the rate-limit threshold is 100 requests/sec; when the total attack frequency is high, say 100,000 (10W) requests/sec, the total request frequency is 100010 requests/sec, and normal requests pass at only 10/100010*100 = 0.009999 requests/sec, an extremely low pass probability. When the total attack frequency is low there is no defensive effect: 100 search requests (high resource consumption) per second can impose a cost on the server that is likely greater than that of a million static resource requests per second, and the rate limit is likely to restrict low-resource-consumption normal requests while letting high-resource-consumption attack requests through.
Method three: blocking network traffic with a historical blacklist. A great many devices sit behind an egress IP; if the attack source is behind an egress IP, blacklisting such IPs as a historical attack blacklist causes large-scale collateral damage to the normal devices behind them. At present, most DDoS attack sources are not the attacker's own; they are normal devices that became attack sources through an exploited vulnerability or through risky installed software, and banning them is likely to mistakenly block normal, legitimately originated traffic. If the attack cannot be suppressed, the effect is minimal: because carriers reassign IPs on a schedule and mobile attack sources change location frequently so that their IPs change, a historical blacklist usually covers a low proportion of the attack traffic, while the resource consumption caused by the attack traffic usually far exceeds what the target server can bear, so blocking part of the attack traffic does not suppress the attack. Disadvantages: small effect, uncontrollable collateral damage.
Method four: manual intervention with packet capture analysis. From discovering that the server is under attack, through manual packet capture, feature analysis and exclusion of normal business features, to finally adding a defense strategy, the whole emergency process usually takes more than half an hour, and half an hour of business interruption has an enormous impact on the vast majority of websites. Disadvantage: manual intervention responds slowly.
In view of the technical problems of the prior art in DDoS attack defense, in some exemplary embodiments of this application the traffic log data in the current period is acquired; abnormal behavior detection is performed on the traffic log data in the current period; when the network traffic in the current period is determined to exhibit abnormal behavior, it is determined whether a generated first defense strategy exists in the defense strategy library; if so, the existing first defense strategy is used to perform data processing on the network traffic in the subsequent period; if not, a second defense strategy generated from known normal traffic is used to perform data processing on the network traffic in the subsequent period. The embodiments of this application combine the second defense strategy, set for normal traffic, with the first defense strategy, set for abnormal traffic, which on the one hand ensures that the source server is not overwhelmed at the onset of an attack and on the other hand ensures a small impact on current normal traffic.
The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
FIG. 1a is a schematic structural diagram of a defense system 10 provided by an embodiment of this application. As shown in FIG. 1a, the defense system 10 includes a defense strategy calculation device 11 and a protection execution device 12. FIG. 1a also shows the requesting device 30 and the data source device 20 that cooperate with the defense system 10 in practical applications. In practice, the defense system 10 acts as an intermediate device between the requesting device 30 and the data source device 20: it detects whether the data source device 20 is under a network traffic attack and, when it is, applies flow control to the access request stream from the requesting device 30, so that the source device is well defended while it is under a DDoS attack and the data source device 20 keeps operating normally.
In this embodiment, the requesting device 30 may be a browser or other application installed on a computer or a handheld smart terminal; the data source device 20 may be a server that provides data support, computing services and some management services. This embodiment does not limit the implementation form of the data source device 20; for example, it may be a conventional server, a cloud server, a cloud host, a virtual center or another server device. A server device mainly consists of a processor, hard disk, memory, system bus and so on, of a general computer architecture type. The data source device 20 may include one web server or multiple web servers. A user can access the network data of the data source device 20 through the requesting device 30.
In this embodiment, the communication connection between the defense strategy calculation device 11 and the protection execution device 12 depends on the actual deployment. In practice, the two may be deployed on the same server or on different servers, and each may be a single computer or a computer cluster.
When the defense strategy calculation device 11 and the protection execution device 12 are deployed on the same server, they can communicate through the corresponding hardware interface or software interface on that server. When they are deployed on different servers, they can be connected by wired or wireless communication, for example through a wireless/wired switch in a local area network, or through a mobile network. When connected through a mobile network, the network standard may be any of 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+), WiMax and the like. Optionally, when the defense strategy calculation device 11 and the protection execution device 12 are deployed on different servers in the same machine room or cabinet, they may also be connected through short-range communication such as Bluetooth, ZigBee or infrared; this embodiment places no restriction on this.
It should be noted that this embodiment does not limit the implementation form of the servers on which the defense strategy calculation device 11 and the protection execution device 12 are deployed; they may be conventional servers, cloud servers, cloud hosts, virtual centers or other server devices. A server device mainly consists of a processor, hard disk, memory, system bus and so on, similar to a general computer architecture.
在本实施例防御系统10中,防护执行设备12对请求端设备30的数据访问请求进行数据处理,并生成流量日志数据,防护执行设备12将生成的日志数据分时段发送至防御策略计算设备11;防御策略计算设备11接收防护执行设备12发送的各个时段内的日志数据,每当接收到一个时段内的流量日志数据时,可对接收到的流量日志数据进行两方 面的分析,一方面进行异常流量检测分析,另一方面进行攻击检测分析。In the defense system 10 of this embodiment, the protection execution device 12 performs data processing on the data access request of the requesting device 30 and generates traffic log data, and the protection execution device 12 sends the generated log data to the defense strategy calculation device 11 in time intervals. ; The defense strategy calculation device 11 receives the log data in each period sent by the defense execution device 12, and each time it receives the traffic log data in a period, it can analyze the received traffic log data in two aspects, on the one hand Abnormal traffic detection and analysis, on the other hand, attack detection and analysis.
为便于描述,本实施例以当前时段内的流量日志数据为例展开说明。防御策略计算设备11在接收到防护执行设备12发送的当前时段内的流量日志数据后,一方面可根据当前时段内的流量日志数据进行异常流量检测,若检测到异常流量,可针对在当前时段内检测到的异常流量生成第一防御策略;另一方面,可根据当前时段内的流量日志数据检测当前时段内的网络流量是否存在异常行为,若检测到当前时段内的网络流量是存在异常行为,可向防护执行设备12提供防御策略,以供防护执行设备12根据防御策略计算设备11提供的防御策略对后续时段内的网络流量进行数据处理。这里的数据处理主要是指防御处理,以确保数据源端设备20的安全性。For ease of description, this embodiment takes the traffic log data in the current period as an example to expand the description. After the defense strategy calculation device 11 receives the traffic log data in the current period sent by the protection execution device 12, on the one hand, it can perform abnormal traffic detection based on the traffic log data in the current period. If abnormal traffic is detected, it can be targeted at the current period. The abnormal traffic detected in the current period generates the first defense strategy; on the other hand, it can detect whether the network traffic in the current period has abnormal behaviors based on the traffic log data in the current period. If the network traffic in the current period is detected as abnormal behavior , The defense execution device 12 may be provided with a defense strategy, so that the defense execution device 12 can perform data processing on the network traffic in the subsequent period according to the defense strategy provided by the defense strategy calculation device 11. The data processing here mainly refers to defensive processing to ensure the security of the data source device 20.
The defense strategy provided by the defense strategy calculation device 11 to the protection execution device 12 may be the first defense strategy or the second defense strategy. The first defense strategy is generated for abnormal traffic already identified before the current moment and may be referred to as the real-time defense strategy; the second defense strategy is generated for normal traffic already identified before the current moment and may be referred to as the default defense strategy. The second defense strategy may be generated in advance from the normal traffic log data of historical periods. Further optionally, when new normal traffic log data appears, the second defense strategy may be updated on the basis of that new data. The current moment here refers to the moment at which the defense strategy calculation device 11 determines that the network traffic of the current period exhibits abnormal behavior.
In this embodiment, the defense strategy calculation device 11 analyzes the traffic log data of every period for abnormal traffic and generates a first defense strategy for the abnormal traffic identified in each period. These first defense strategies may have a limited validity: once their effective time ends, the corresponding strategy can be deleted. In addition, this embodiment does not restrict the order in which the defense strategy calculation device 11 performs abnormal traffic detection on the traffic log data of the current period and detects whether the network traffic of the current period exhibits abnormal behavior; the two operations may run in parallel or sequentially. When they run in parallel, the abnormal behavior may be detected first. On this basis, the abnormal traffic already identified before the current moment may include abnormal traffic identified from the traffic log data of the current period (abnormal traffic identified in the current period), abnormal traffic identified from the traffic log data of at least one period before the current period (abnormal traffic identified in at least one period before the current period), or both. Correspondingly, the first defense strategies that already exist before the current moment may include a defense strategy generated for abnormal traffic identified in the current period, a defense strategy generated for abnormal traffic identified in at least one period before the current period, or both.
This embodiment does not limit the length of each period; the periods may be of equal or different lengths and may be set according to application requirements. The shorter each period, the more timely the generation of the first defense strategy and the determination of whether the data source device 20 is under attack.
Optionally, in this embodiment, a strategy library may be used to manage the defense strategies; for example, the second defense strategy and the first defense strategies may be placed in the strategy library. When it detects that the data source device 20 is under attack, the defense strategy calculation device 11 issues the first defense strategy or the second defense strategy from the strategy library to the protection execution device 12, so that the protection execution device 12 performs data processing on the network traffic of subsequent periods according to the received first or second defense strategy.
In this embodiment, when the defense strategy calculation device 11 detects that the data source device 20 is under attack and no first defense strategy is in effect locally, it may first issue the second defense strategy to the protection execution device 12 and, once a new first defense strategy has been generated, issue that new first defense strategy to the protection execution device 12, at which point the second defense strategy automatically ceases to apply.
It should be noted that the detection performed by the defense strategy calculation device 11 is subject to delay: by the time the defense strategy calculation device 11 detects that the data source device 20 is under attack, the data source device 20 may already have been under attack for a short while. Optionally, therefore, the second defense strategy may be set to be always in effect. In this way, when no first defense strategy exists, the protection execution device 12 can always use the second defense strategy for defensive processing of the network traffic; when a first defense strategy exists, the first defense strategy is used in preference and the second defense strategy automatically ceases to apply.
Optionally, since traffic attacks generally change over time, an effective duration may be set for the first defense strategy: within the effective duration the first defense strategy applies, and after it ends the first defense strategy can be deleted. The same effective duration may be set for different first defense strategies, or a different duration for each. On this basis, when the defense strategy calculation device 11 detects that the data source device 20 is under attack, it may issue to the protection execution device 12 the first defense strategies that already exist and are in effect before the current moment together with their corresponding effective durations, so that the protection execution device 12 performs data processing on the network traffic of subsequent periods according to the received first defense strategies within those durations. Optionally, the effective duration of the first defense strategy may also be set dynamically according to the time span during which the data source device 20 is under attack; the first defense strategy may be set to expire at the moment the defense strategy calculation device 11 detects that the data source device 20 is under attack, or at a set time after that detection. Setting an effective duration for the first defense strategy helps it apply during a traffic attack and lapse outside of one, reducing its adverse impact on normal traffic.
The embodiments of this application do not limit the specific implementation of the second defense strategy. For example, one implementation is destination rate limiting: traffic other than the normal traffic is rate-limited toward the destination, which keeps the impact of the second defense strategy on normal traffic as small as possible while covering abnormal traffic as widely as possible. Another is source rate limiting: after abnormal behavior is detected in the network traffic of the current period, all subsequent network traffic is rate-limited. Another is historical black/white list rate limiting: after abnormal behavior is detected in the network traffic of the current period, the subsequent traffic that is on the blacklist is blocked. Another is region control: access requests from requesting devices in a specific region are rate-limited or blocked. Another is precise access control and source-count access control: access permissions and access frequency limits are applied to the access requests from requesting devices. The second defense strategy is of course not limited to these; it may be one or more of the above, or a defense strategy of another form.
Optionally, after receiving the traffic log data of the current period, the defense strategy calculation device 11 may also update the second defense strategy according to that data, so as to minimize the impact on normal traffic. Optionally, this update is performed only when the data source device 20 is detected not to be under attack, since in that case the traffic log data of the current period consists mainly of normal traffic logs and is suitable for updating the second defense strategy. When the data source device 20 is detected to be under attack, the traffic log data of the current period contains a large amount of abnormal data that interferes with the identification of normal traffic and is unsuitable for updating the second defense strategy; moreover, resources can then be devoted preferentially to issuing the corresponding defense strategy to the protection execution device 12, improving the efficiency of strategy issuance so that subsequent network traffic is defended in time.
In the embodiments above and below, the first defense strategy is generated from the identified abnormal traffic and is therefore more targeted, which helps cover the abnormal traffic more comprehensively and ensures the security of the data source device. Different first defense strategies may be set for different abnormal traffic. For example, one first defense strategy is a blocking strategy, i.e. the abnormal traffic is blocked. Another is a rate-limiting strategy, i.e. the abnormal traffic is rate-limited. The second and first defense strategies are of course not limited to these implementations.
FIG. 1b is a schematic diagram of the working principle of the defense system 10 provided by another embodiment of this application. As shown in FIG. 1b, the protection execution device 12 on the one hand applies the locally in-effect defense strategy to perform defensive processing on the received network traffic and forwards the traffic that passes defensive processing to the data source device 20; on the other hand, it sends the log data of the current period to the defense strategy calculation device 11 as the data basis for that device.
As shown in FIG. 1b, the defense strategy calculation device 11 (a stream computing cluster) can process the traffic log data of the current period in three respects: first, update the second defense strategy from the traffic log data of the current period; second, perform abnormal traffic detection on that data and, if abnormal traffic is detected, generate a first defense strategy for the abnormal traffic detected in the current period; third, detect from that data whether the network traffic of the current period exhibits abnormal behavior and, if so, provide or issue a defense strategy to the protection execution device 12, so that the protection execution device 12 performs data processing on the network traffic of subsequent periods according to the received defense strategy. For a detailed description of these three kinds of processing, refer to the preceding or subsequent embodiments; it is not repeated here. Specifically, micro-batches may be collected from the real-time log data, followed by data filtering, feature extraction and baseline training, with anomaly detection then performed against the baseline parameters; alternatively, features may be extracted directly from the micro-batch data and anomaly detection performed on them. Further, whether an attack is in progress may be determined, and if so a strategy is pushed; the pushed strategy may be selected from a set of standby strategies that contains the default defense strategy and the real-time defense strategies. The pushed strategy may be a strategy set, each entry carrying a matching condition, an execution action and an effective duration.
As shown in FIG. 1b, the protection execution device of this application includes, but is not limited to, the following defense strategy execution modules: a black/white list library module, a region control module, a precise access control and source-count access control module, and a rate limiting module. Each module implements one type of defense strategy. For real-time access requests, these modules respectively apply black/white list processing, region control processing, precise access control and source-count access control processing, and source and destination rate limiting to the data access requests from the requesting device 30; that is, the modules decide whether a request is allowed through, discard it if not, and forward the requests finally allowed through to the data source device. After receiving a defense strategy issued by the defense strategy calculation device, the protection execution device selects from among its modules the one corresponding to that strategy and configures its parameters, so that the data access requests of the requesting device in subsequent periods are processed accordingly.
In some embodiments of this application, the second defense strategy is generated from historical traffic log data. One implementation is: filter the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of normal traffic from that log data; and generate the second defense strategy from the target field features among the baseline characteristics of normal traffic. The amount of historical traffic log data may be adjusted to the actual situation, for example the traffic log data of the past month or year, or the traffic log data of selected days picked out of a year's worth.
In the above embodiment, filtering the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic includes, but is not limited to, the following implementations:
Method 1: obtain from the historical traffic log data the response status codes of the historical data requests, identify the log data corresponding to abnormal response status codes, and filter it out. For example, a response status code of 4xx or 5xx in a log record indicates that the record is abnormal log data.
Method 2: if the historical traffic log data of a period falls within a time span during which the data source device was under attack, all log data of that period is filtered out as abnormal log data.
Method 3: obtain from the historical traffic log data of a period the response status codes of the historical data requests and compute the proportion of abnormal response status codes; when that proportion exceeds a set proportion threshold, all log data of that period is filtered out as abnormal log data.
It should be noted that the above implementations may be used alone or in combination; this application does not limit the set proportion threshold, which may be adjusted to the actual situation.
In the embodiments above and below, once the log data of normal traffic has been obtained, the baseline characteristics of normal traffic can be analyzed from it. One implementation is to extract field features from the log data of normal traffic and compute the distribution baseline parameters of those field features as the baseline characteristics of normal traffic. The field features include, but are not limited to, at least one of: standard HTTP fields (such as uri and referer), website-defined custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys parsed out of the uri). The distribution baseline parameters of the field features include, but are not limited to, at least one of: the proportion of requests carrying the field feature, the request frequency of the field feature, and the correlation of combinations of field features.
In the above embodiment, the second defense strategy is generated from the target field features among the baseline characteristics of normal traffic. One implementation is to analyze the baseline characteristics of normal traffic, select the target field features from the field features contained in normal traffic, and generate the second defense strategy for those target field features. For example, among the field features contained in normal traffic, those whose baseline parameter exceeds a baseline threshold are identified as target field features. Given the target field features, one implementation of the second defense strategy is to rate-limit traffic that does not contain the target field features.
In the above embodiment, after obtaining the traffic log data of the current period, the defense strategy calculation device may also update the second defense strategy according to it. One implementation is: identify the normal traffic log data within the traffic log data of the current period and update the baseline characteristics of normal traffic with it; analyze the updated baseline characteristics and select new target field features from the field features contained in the newly identified normal traffic; if the new target field features are the same as the existing ones, the existing second defense strategy is left unchanged; if they differ, a new second defense strategy is generated from the new target field features and used to supplement the existing second defense strategy.
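The following Python is an added example and not code from the patent. It applies Methods 1 to 3 above to a constructed set of historical log records, computes the distribution baseline parameters (share of requests carrying a field feature and its request frequency), selects the target field features, builds the rate-limiting second defense strategy, and refreshes the target set from a new period of normal traffic as in the update step just described. The record layout (period label, uri, referer, status), the attack window, the thresholds, the period length and the strategy dictionary are all assumptions; the "supplement" step is implemented as a union of old and new target features, which is one reading of the text.

```python
"""Historical-log filtering, normal-traffic baseline and default (second) defense strategy.

Added example, not code from the patent. Records are dicts rather than raw log lines;
period labels, attack window, thresholds and the strategy layout are constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed historical records: period label, request uri, referer, response status.
HISTORY = [
    {"period": "p1", "uri": "/index?lang=en", "referer": "https://shop.example/", "status": 200},
    {"period": "p1", "uri": "/index?lang=zh", "referer": "https://shop.example/", "status": 200},
    {"period": "p1", "uri": "/api/items?page=1", "referer": "https://shop.example/index", "status": 200},
    {"period": "p1", "uri": "/api/items?page=2", "referer": "https://shop.example/index", "status": 404},
    {"period": "p2", "uri": "/index?lang=en", "referer": "https://shop.example/", "status": 200},
    {"period": "p2", "uri": "/api/items?page=1", "referer": "https://shop.example/index", "status": 200},
    {"period": "p3", "uri": "/index", "referer": "", "status": 200},
    {"period": "p3", "uri": "/index", "referer": "", "status": 200},
    {"period": "p4", "uri": "/login", "referer": "", "status": 503},
    {"period": "p4", "uri": "/login", "referer": "", "status": 503},
    {"period": "p4", "uri": "/index?lang=en", "referer": "https://shop.example/", "status": 200},
]
ATTACK_PERIODS = {"p3"}      # periods known to lie in an attack window (Method 2)
RATIO_THRESHOLD = 0.5        # Method 3: drop a whole period above this abnormal-status share
PROPORTION_THRESHOLD = 0.5   # a field feature becomes a target feature at or above this share
PERIOD_SECONDS = 60          # assumed length of one period, used for request frequency


def is_abnormal_status(status):
    """Method 1 treats 4xx and 5xx responses as abnormal log records."""
    return 400 <= status < 600


def filter_normal(records, attack_periods, ratio_threshold):
    """Normal-traffic records: drop attack-window periods (Method 2), periods whose
    abnormal-status share exceeds the threshold (Method 3), then 4xx/5xx records (Method 1)."""
    by_period = defaultdict(list)
    for r in records:
        by_period[r["period"]].append(r)
    normal = []
    for period, recs in by_period.items():
        if period in attack_periods:
            continue
        share = sum(is_abnormal_status(r["status"]) for r in recs) / len(recs)
        if share > ratio_threshold:
            continue
        normal.extend(r for r in recs if not is_abnormal_status(r["status"]))
    return normal


def field_features(record):
    """Field features of one request: uri path and referer host (standard HTTP fields)
    plus the query keys parsed out of the uri (a secondarily processed field)."""
    parts = urlsplit(record["uri"])
    feats = {("path", parts.path)}
    if record.get("referer"):
        feats.add(("referer_host", urlsplit(record["referer"]).netloc))
    for key in parse_qs(parts.query, keep_blank_values=True):
        feats.add(("query_key", key))
    return feats


def baseline(records, window_seconds):
    """Distribution baseline parameters per field feature: share of requests carrying it
    and its request frequency (requests per second over the window)."""
    counts = Counter()
    for r in records:
        counts.update(field_features(r))
    n = len(records)
    return {f: {"proportion": c / n, "frequency": c / window_seconds} for f, c in counts.items()}


def target_features(base, proportion_threshold):
    """Target field features: those whose baseline share reaches the threshold."""
    return {f for f, p in base.items() if p["proportion"] >= proportion_threshold}


def default_strategy(targets, limit_rps):
    """Second defense strategy: rate-limit requests carrying none of the target features.
    No effective duration; it stays in force until a first strategy overrides it."""
    return {"action": "rate_limit", "limit_rps": limit_rps, "lacks_all_of": set(targets), "ttl": None}


def is_rate_limited(strategy, record):
    """Whether a request falls under the default strategy's rate limit."""
    return field_features(record).isdisjoint(strategy["lacks_all_of"])


def refresh_targets(old_targets, normal_records, window_seconds, proportion_threshold):
    """Update step: normal_records is the historical normal traffic plus the normal records
    of the current period. An unchanged target set leaves the strategy alone; a changed
    set supplements the old targets with the new ones (assumed reading of 'supplement')."""
    new = target_features(baseline(normal_records, window_seconds), proportion_threshold)
    return old_targets if new == old_targets else old_targets | new
```

With the constructed data, `filter_normal` keeps five records (p1 minus its 404, and p2), so the baseline window is two periods; the referer host, the `/index` path and the `lang` query key become target features, and a bare `/login` request with no referer is rate-limited while a referred `/api/items` request is not.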
In some embodiments of this application, after obtaining the traffic log data of the current period, the defense strategy calculation device analyzes it to generate the first defense strategy. One implementation is: analyze the characteristics of the network traffic of the current period from its traffic log data; identify the abnormal traffic present in the current period from those characteristics and the known baseline characteristics of normal traffic; and generate, from the characteristics of that abnormal traffic, a first defense strategy directed at the abnormal traffic present in the current period.
In the above embodiment, analyzing the characteristics of the network traffic of the current period from its traffic log data may, in one optional embodiment, be implemented by extracting field features from the traffic log data of the current period and computing the distribution parameters of those field features as the characteristics of the network traffic of the current period. The field features include, but are not limited to, at least one of: standard HTTP fields (such as uri and referer), website-defined custom fields, field order, and fields obtained by secondary processing of fields (such as the query keys parsed out of the uri). The distribution parameters of the field features include, but are not limited to, at least one of: the proportion of requests carrying the field feature, the request frequency of the field feature, and the correlation of combinations of field features.
In the above embodiment, the abnormal traffic present in the current period is identified from the characteristics of the network traffic of the current period and the known baseline characteristics of normal traffic by at least one of the following implementations, without limitation:
Method 1: compare the distribution parameters of the field features of the network traffic of the current period with the existing distribution baseline parameters of those field features, compute the proportion change rate of each field feature, and treat the network traffic corresponding to the field features whose proportion change rate exceeds a set change-rate threshold as the abnormal traffic present in the current period.
Method 2: compare the distribution parameters of the field features of the network traffic of the current period with the existing distribution baseline parameters of those field features, compute the request frequency growth rate of each field feature, and treat the network traffic corresponding to the field features whose request frequency growth rate exceeds a set growth-rate threshold as the abnormal traffic present in the current period.
It should be noted that this application does not limit the set change-rate threshold or the set growth-rate threshold; both may be adjusted to the actual situation.
In the above embodiment, after the abnormal traffic present in the current period has been identified, a first defense strategy directed at it is generated from the characteristics of that abnormal traffic. Optionally, the new first defense strategy is a defense strategy that blocks traffic having the characteristics of the abnormal traffic.
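The following Python is an added example and not code from the patent. It takes a current period in which each request has already been reduced to its set of field features (the output of the feature-extraction step), computes the period's distribution parameters, applies Method 1 (proportion change rate) and Method 2 (request frequency growth rate) against a baseline, and emits one blocking first defense strategy per abnormal feature, carrying the matching condition, the action and the effective duration; a last function shows the protection-side check that honours the expiry. The baseline values, the current-period data, both thresholds, the TTL and the strategy layout are constructed assumptions, as is the choice to skip features that have no baseline entry.

```python
"""Abnormal-traffic identification in the current period (Methods 1 and 2 above) and the
blocking first (real-time) defense strategy.

Added example, not code from the patent. Requests are already reduced to sets of field
features; baseline parameters, current data, thresholds and TTL are constructed.
"""
from collections import Counter

# Baseline distribution parameters of normal traffic (constructed): share of requests
# carrying each field feature and its request frequency in requests per second.
BASELINE = {
    ("path", "/index"): {"proportion": 0.60, "frequency": 6.0},
    ("path", "/api/items"): {"proportion": 0.35, "frequency": 3.5},
    ("path", "/login"): {"proportion": 0.05, "frequency": 0.5},
    ("query_key", "lang"): {"proportion": 0.60, "frequency": 6.0},
}

PERIOD_SECONDS = 10
# Current period (constructed): 50 ordinary requests and a flood of 150 login requests.
CURRENT = (
    [{("path", "/index"), ("query_key", "lang")}] * 30
    + [{("path", "/api/items"), ("query_key", "page")}] * 20
    + [{("path", "/login"), ("query_key", "user")}] * 150
)
CHANGE_RATE_THRESHOLD = 2.0   # Method 1: |current share - baseline share| / baseline share
GROWTH_RATE_THRESHOLD = 5.0   # Method 2: (current rps - baseline rps) / baseline rps
FIRST_STRATEGY_TTL = 300      # effective duration of a first strategy, in seconds


def distribution(requests, period_seconds):
    """Distribution parameters of the current period, same layout as BASELINE."""
    counts = Counter()
    for feats in requests:
        counts.update(feats)
    n = len(requests)
    return {f: {"proportion": c / n, "frequency": c / period_seconds} for f, c in counts.items()}


def abnormal_features(current, baseline, change_threshold, growth_threshold):
    """Field features whose share change rate (Method 1) or frequency growth rate
    (Method 2) exceeds its threshold, with the method(s) that fired. Features absent
    from the baseline have nothing to compare against and are skipped here; the
    default strategy's rate limit still covers them (assumption)."""
    flagged = {}
    for feat, cur in current.items():
        base = baseline.get(feat)
        if base is None:
            continue
        fired = []
        change = abs(cur["proportion"] - base["proportion"]) / base["proportion"]
        if change > change_threshold:
            fired.append("proportion_change")
        growth = (cur["frequency"] - base["frequency"]) / base["frequency"]
        if growth > growth_threshold:
            fired.append("frequency_growth")
        if fired:
            flagged[feat] = {"methods": fired, "change_rate": change, "growth_rate": growth}
    return flagged


def first_strategies(flagged, ttl, now):
    """One blocking first defense strategy per abnormal feature: matching condition,
    action and effective duration, as issued by the calculation device."""
    return [
        {"match": {"has": feat}, "action": "block", "ttl": ttl, "expires_at": now + ttl}
        for feat in sorted(flagged)
    ]


def decide(strategies, feats, now):
    """Protection-side check: block a request matching any unexpired first strategy."""
    for s in strategies:
        if s["expires_at"] > now and s["match"]["has"] in feats:
            return "block"
    return "pass"
```

On the constructed period the `/login` path is the only feature that fires: its share moves from 5% to 75% (change rate 14) and its frequency from 0.5 to 15 requests per second (growth rate 29), while the drop in `/index` and `/api/items` shares stays under the change-rate threshold, so only the login flood is blocked, and only until the strategy's expiry.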
In some embodiments of this application, after the traffic log data of the current period has been obtained, judging from it whether the network traffic of the current period exhibits abnormal behavior includes at least one of the following methods:
Method 1: obtain from the log data of the current period the request frequency of the data requests in the current period; if the request frequency exceeds a first threshold, it is determined that the network traffic of the current period exhibits abnormal behavior;
Method 2: obtain from the log data of the current period the proportion of abnormal response status codes among the data requests of the current period; if that proportion exceeds a second threshold, it is determined that the network traffic of the current period exhibits abnormal behavior;
Method 3: obtain from the log data of the current period the growth rate of the number of data requests in the current period relative to the previous period; if the growth rate exceeds a third threshold, it is determined that the network traffic of the current period exhibits abnormal behavior.
Any one of the three methods may serve alone as the criterion for abnormal behavior in the network traffic of the current period, or any two or all three of them may be combined as the criterion. This application does not limit the first, second and third thresholds, which may be adjusted to the actual situation.
In an optional embodiment, after the second defense strategy has been updated and a new first defense strategy has been generated, the updated second defense strategy and the new first defense strategy are placed in a strategy library, and a corresponding effective duration is set for each first defense strategy. The second defense strategy is always in effect, but automatically ceases to apply when a first defense strategy appears. On this basis, after the traffic log data for the current period is received, it can be determined from that data whether the network traffic in the current period exhibits abnormal behavior. If the judgment result is that abnormal behavior exists, it is then judged whether the strategy library contains a first defense strategy that is currently in effect; if so, the network traffic in the subsequent period is processed according to the in-effect first defense strategy in the strategy library; if not, the network traffic in the subsequent period is processed according to the second defense strategy in the strategy library. Combined with the system embodiment above, processing the network traffic in the subsequent period according to the in-effect first defense strategy or the second defense strategy in the strategy library mainly means that the protection execution device 12 processes that traffic according to the in-effect first defense strategy or the second defense strategy in the strategy library. Of course, depending on the application scenario or system architecture, the device that performs this processing may differ. The embodiments of the present application combine the second defense strategy with the first defense strategy: on the one hand this ensures that the origin server is not overwhelmed in the first moments of an attack, and on the other hand it ensures that the impact on currently legitimate access requests is kept to a minimum.
The present application is further described below in combination with other application scenarios:
In some other application scenarios of the present application, the protection execution device 12 obtains the database operation log data for the current period and uploads it to the defense strategy computing device 11; the database operation log data reflects the characteristics of the database operation traffic in the current period. The defense strategy computing device 11 detects, from the received database operation log data for the current period, whether data leakage behavior exists in the current period and whether abnormal database operation traffic exists. When the defense strategy computing device 11 detects data leakage behavior in the current period, it judges whether a first defense strategy exists, the first defense strategy having been generated for abnormal database operation traffic identified before the current moment; if one exists, the database operation traffic in the subsequent period is processed according to the existing first defense strategy; if not, the database operation traffic in the subsequent period is processed according to the second defense strategy, which is generated from the normal database operation traffic identified before the current moment.
In the application scenario above, the defense strategy computing device 11 delivers the existing first defense strategy to the protection execution device 12 on the database operation traffic channel, so that the protection execution device 12 processes the database operation traffic in the subsequent period according to that first defense strategy. The defense strategy computing device 11 likewise delivers the generated second defense strategy to the protection execution device 12 on the database operation traffic channel, so that the protection execution device 12 processes the database operation traffic in the subsequent period according to that second defense strategy. The embodiments of the present application do not limit the manner in which the database operation traffic is processed.
In the application scenario above, determining from the database operation log data for the current period that data leakage behavior exists in the current period includes, but is not limited to, the following methods:
Method 1: obtain, from the database operation log data for the current period, the number of data entries queried in the current period; when the number of queried entries is greater than a first quantity threshold, determine from the database operation log data that data leakage behavior exists in the current period;
Method 2: obtain, from the database operation log data for the current period, the number of bytes of data queried in the current period; when the number of queried bytes is greater than a second quantity threshold, determine from the database operation log data that data leakage behavior exists in the current period.
In the application scenario above, the first defense strategy is generated for abnormal database operation traffic identified before the current moment. The baseline characteristics of the database operation log data include, but are not limited to: query frequency, query time interval, number of entries requested per query, number of result entries per query, number of result bytes per query, cumulative number of requested entries, cumulative number of result entries and cumulative number of result bytes.
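The two data-leakage checks (Methods 1 and 2) and the per-period baseline characteristics just listed, run over database operation log records, as an added illustrative example. This is not code from the patent: the record fields (ts, rows, bytes), the two quantity thresholds and the sample records are all assumptions constructed for the example.

```python
"""Added example (not the patent's code): data-leakage checks over constructed
database operation log records, plus the per-period baseline characteristics."""
from statistics import mean
from typing import Mapping, Sequence

# Constructed records: one database operation each, with its unix timestamp,
# the number of result rows and the number of result bytes returned.
NORMAL_PERIOD = [{"ts": 100.0 + 2 * i, "rows": 5, "bytes": 1_200} for i in range(30)]
SUSPICIOUS_PERIOD = NORMAL_PERIOD[:25] + [
    {"ts": 160.0 + i, "rows": 50_000, "bytes": 12_000_000} for i in range(2)
]

FIRST_QUANTITY_THRESHOLD = 10_000       # result rows per period (assumed)
SECOND_QUANTITY_THRESHOLD = 5_000_000   # result bytes per period (assumed)


def queried_entries(records: Sequence[Mapping]) -> int:
    """Method 1 input: total result rows returned in the period."""
    return sum(r["rows"] for r in records)


def queried_bytes(records: Sequence[Mapping]) -> int:
    """Method 2 input: total result bytes returned in the period."""
    return sum(r["bytes"] for r in records)


def data_leakage(records: Sequence[Mapping],
                 row_threshold: int = FIRST_QUANTITY_THRESHOLD,
                 byte_threshold: int = SECOND_QUANTITY_THRESHOLD) -> dict:
    """Either method alone is sufficient to flag leakage for the period."""
    by_rows = queried_entries(records) > row_threshold
    by_bytes = queried_bytes(records) > byte_threshold
    return {"leak": by_rows or by_bytes, "by_rows": by_rows, "by_bytes": by_bytes}


def baseline_characteristics(records: Sequence[Mapping], period_seconds: float) -> dict:
    """Per-period baseline features from the text, computed over records sorted
    by timestamp. Per-query figures are period averages; the 'entries requested
    per query' feature is omitted because the constructed records carry only
    result counts, not the requested LIMIT."""
    if not records:
        return {}
    ordered = sorted(records, key=lambda r: r["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(ordered, ordered[1:])]
    return {
        "query_frequency": len(ordered) / period_seconds,
        "query_interval": mean(gaps) if gaps else period_seconds,
        "result_entries_per_query": mean(r["rows"] for r in ordered),
        "result_bytes_per_query": mean(r["bytes"] for r in ordered),
        "cumulative_result_entries": queried_entries(ordered),
        "cumulative_result_bytes": queried_bytes(ordered),
    }
```

Both thresholds apply to the period total rather than to single queries, so a dump spread over many small queries within one period is caught just as a single bulk SELECT is; the baseline figures give the normal values against which the thresholds can be tuned.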
In some other application scenarios of the present application, the protection execution device 12 obtains the traffic log data for the current period and uploads it to the defense strategy computing device 11; the traffic log data reflects the characteristics of the network traffic in the current period. The defense strategy computing device 11 detects, from the received traffic log data for the current period, whether abnormal behavior exists in the current period and whether abnormal traffic exists. If the defense strategy computing device 11 determines from the traffic log data for the current period that the network traffic in the current period exhibits abnormal behavior, it judges whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment; if one exists, first visualization data is generated for the network traffic in the subsequent period according to the existing first defense strategy; if not, second visualization data is generated for the network traffic in the subsequent period according to the second defense strategy, which is generated from the normal traffic identified before the current moment.
In the application scenario above, the defense strategy computing device 11 sends the first visualization data to a display terminal, so that the display terminal generates a first display interface from the first visualization data. The present application does not limit the content of the first display interface; it may include, but is not limited to: a curve of the total abnormal indicator together with the fluctuation range of the total normal indicator, and a table comparing the indicators of the abnormal components with their normal fluctuation ranges.
In the application scenario above, after the defense strategy computing device 11 has generated the second visualization data for the network traffic in the subsequent period according to the second defense strategy, it sends the second visualization data to the display terminal, so that the display terminal generates a second display interface from the second visualization data. The present application does not limit the content of the second display interface; it may include, but is not limited to: a curve of the current total indicator together with the fluctuation range of the total normal indicator, a period-over-period curve of the current indicator together with the normal period-over-period fluctuation range, a pie chart of the distribution of the components, a table comparing the current proportion of each component with its normal fluctuation range, and a table comparing the absolute value of each component with its normal fluctuation range.
In the application scenarios above, the baseline characteristics of the traffic log data include, but are not limited to: the absolute value of the total indicator, the period-over-period ratio of the indicator relative to the previous period, the absolute value of each component, the proportion of each component, and the period-over-period ratio of each component relative to the previous period.
In addition to the defense system provided above, some embodiments of the present application also provide a data processing method. The data processing method provided by the present application can be applied to the defense system above, but is not limited to the defense system provided in the embodiment above. FIG. 2a is a schematic flowchart of a data processing method provided by an exemplary embodiment of the present application. As shown in FIG. 2a, the method includes:
S201: obtain the traffic log data for the current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
S202: determine, from the traffic log data for the current period, whether the network traffic in the current period exhibits abnormal behavior; if abnormal behavior exists, perform step S203; if not, end the attack detection;
S203: judge whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment; if one exists, perform step S204; if not, perform step S205;
S204: process the network traffic in the subsequent period according to the existing first defense strategy;
S205: process the network traffic in the subsequent period according to the second defense strategy, the second defense strategy being generated from the normal traffic identified before the current moment.
The method of this embodiment may be executed by a single device that has a defense function and a certain computing capability, or may be implemented jointly by the defense strategy computing device and the protection execution device of the system embodiment above. In the joint scenario, the protection execution device delivers the log data it generates to the defense strategy computing device, which receives that log data and thereby obtains it. The frequency at which the defense strategy computing device obtains the log data can be set according to actual conditions, for example once every 1 s, 2 s, 5 s or 10 s.
In this embodiment, the second defense strategy is generated from historical traffic log data. One feasible way is to filter the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic; analyze the baseline characteristics of the normal traffic from the log data of normal traffic; and generate the second defense strategy from the target field characteristics among the baseline characteristics of the normal traffic. The amount of historical traffic log data may be adjusted according to actual conditions, for example by selecting the traffic log data of the most recent month or year, or by selecting the traffic log data of certain days out of one year's traffic log data as the historical traffic log data.
In the embodiment above, filtering the abnormal log data out of the historical traffic log data to obtain the log data of normal traffic includes, but is not limited to, the following implementations:
Method 1: obtain the response status codes of the historical data requests from the historical traffic log data, obtain the log data corresponding to abnormal response status codes, and filter that log data out. For example, when the response status code in a log entry is 4xx or 5xx, that log entry is abnormal log data.
Method 2: if the historical traffic log data of a certain period falls within a time window in which the data source device was under attack, all log data in that period is filtered out as abnormal log data.
Method 3: obtain the response status codes of the historical data requests from the historical traffic log data of a certain period and calculate the proportion of abnormal response status codes; when the proportion of abnormal response status codes is greater than a set proportion threshold, all log data in that period is filtered out as abnormal log data.
It should be noted that the implementations above may be applied singly or in any combination; the present application does not limit the set proportion threshold, which may be adjusted according to actual conditions.
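The three filtering implementations (per-entry status code, known attack windows, per-period abnormal-status proportion) applied to a constructed history, as an added illustrative example that is not part of the patent. The record shape (ts, status), the attack window, the 60-second period length and the proportion threshold are assumptions; the history itself is constructed so that each method removes a different slice.

```python
"""Added example (not the patent's code): filtering abnormal entries out of
historical traffic logs by three composable methods."""
from typing import Iterable, List, Mapping, Sequence, Tuple

Record = Mapping  # assumed fields: "ts" (unix seconds) and "status" (HTTP status code)

# Constructed history covering three 60-second periods.
HISTORY = (
    [{"ts": 0 + i, "status": 200} for i in range(50)]        # clean period
    + [{"ts": 60 + i, "status": 200} for i in range(40)]     # inside a known attack window
    + [{"ts": 120 + i, "status": 200} for i in range(20)]
    + [{"ts": 120 + i, "status": 502} for i in range(30)]    # period with 60 % abnormal codes
)
ATTACK_WINDOWS: Sequence[Tuple[float, float]] = [(60, 120)]  # assumed, half-open [start, end)
RATIO_THRESHOLD = 0.5                                        # assumed set proportion threshold


def is_abnormal_status(status: int) -> bool:
    return 400 <= status <= 599


def drop_abnormal_status(records: Iterable[Record]) -> List[Record]:
    """Method 1: remove individual entries whose response code is 4xx or 5xx."""
    return [r for r in records if not is_abnormal_status(r["status"])]


def drop_attack_windows(records: Iterable[Record],
                        windows: Sequence[Tuple[float, float]]) -> List[Record]:
    """Method 2: remove every entry that falls inside a known attack window."""
    return [r for r in records
            if not any(start <= r["ts"] < end for start, end in windows)]


def drop_noisy_periods(records: Iterable[Record], period_seconds: float,
                       ratio_threshold: float) -> List[Record]:
    """Method 3: bucket entries by period and drop whole periods whose
    abnormal-status proportion exceeds the threshold."""
    buckets: dict = {}
    for r in records:
        buckets.setdefault(int(r["ts"] // period_seconds), []).append(r)
    kept: List[Record] = []
    for bucket in buckets.values():
        bad = sum(1 for r in bucket if is_abnormal_status(r["status"]))
        if bad / len(bucket) <= ratio_threshold:
            kept.extend(bucket)
    return kept


def normal_traffic(records: Sequence[Record],
                   windows: Sequence[Tuple[float, float]] = ATTACK_WINDOWS,
                   period_seconds: float = 60.0,
                   ratio_threshold: float = RATIO_THRESHOLD) -> List[Record]:
    """Apply Methods 3, 2 and 1 in turn. The period-level filters run before the
    per-entry one so that a noisy period is judged on all of its entries; running
    Method 1 first would strip the 5xx entries and hide the period's error rate."""
    kept = drop_noisy_periods(records, period_seconds, ratio_threshold)
    kept = drop_attack_windows(kept, windows)
    return drop_abnormal_status(kept)
```

Only the first period survives the combined filter, which is the set of entries from which a normal-traffic baseline should be learned; a 200-status request inside an attack window is still removed, because the goal is a clean baseline rather than per-request correctness.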
In the embodiments above or below, after the log data of normal traffic has been obtained, the baseline characteristics of the normal traffic can be analyzed from it. One feasible way is to extract field characteristics from the log data of normal traffic and calculate the distribution baseline parameters of those field characteristics as the baseline characteristics of the normal traffic. The field characteristics include, but are not limited to, at least one of the following: standard HTTP protocol fields (such as uri, referer, etc.), website-defined custom fields, field order, and fields obtained by secondary processing of other fields (such as the query keys parsed out of the uri). The distribution baseline parameters of the field characteristics include, but are not limited to, at least one of: the proportion of the field characteristic, the request frequency of the field characteristic, and the correlation between combinations of field characteristics.
In the embodiment above, the second defense strategy is generated from the target field characteristics among the baseline characteristics of the normal traffic. One feasible way is to analyze the baseline characteristics of the normal traffic, select the target field characteristics from the field characteristics contained in the normal traffic, and generate the second defense strategy for those target field characteristics. For example, from the field characteristics contained in the normal traffic, those whose baseline characteristic exceeds a baseline characteristic threshold are identified as the target field characteristics. One implementation of the second defense strategy based on the target field characteristics is to rate-limit traffic that does not contain the target field characteristics.
In the embodiment above, after the log data has been obtained, the log data for the current period is analyzed to update the second defense strategy. One feasible update method is to identify the normal traffic log data within the traffic log data for the current period and update the baseline characteristics of the normal traffic from it; analyze the updated distribution baseline parameters of the field characteristics and select new target field characteristics from the field characteristics contained in the newly identified normal traffic; if the new target field characteristics are the same as the original target field characteristics, the original second defense strategy is left unchanged; if they differ, a new second defense strategy is generated from the new target field characteristics to replace the original second defense strategy.
In the embodiment above, after the traffic log data for the current period has been obtained, it can also be analyzed to generate the first defense strategy. One feasible way is to analyze the characteristics of the network traffic in the current period from the traffic log data for the current period; identify the abnormal traffic present in the current period from those characteristics and the baseline characteristics of known normal traffic; and generate, from the characteristics of the abnormal traffic present in the current period, the first defense strategy directed at that abnormal traffic.
In the embodiment above, analyzing the characteristics of the network traffic in the current period from the traffic log data for the current period may, in an optional embodiment, be done by extracting field characteristics from the traffic log data for the current period and calculating the distribution parameters of those field characteristics as the characteristics of the network traffic in the current period. The field characteristics include, but are not limited to, at least one of the following: standard HTTP protocol fields (such as uri, referer, etc.), website-defined custom fields, field order, and fields obtained by secondary processing of other fields (such as the query keys parsed out of the uri). The distribution parameters of the field characteristics include, but are not limited to, at least one of: the proportion of the field characteristic, the request frequency of the field characteristic, and the correlation between combinations of field characteristics.
In the embodiment above, identifying the abnormal traffic present in the current period from the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic includes, but is not limited to, at least one of the following implementations:
Method 1: compare the distribution parameters of the field characteristics of the network traffic in the current period with the existing distribution baseline parameters of those field characteristics, calculate the proportion change rate of each field characteristic, and treat the network traffic corresponding to field characteristics whose proportion change rate is greater than a set change-rate threshold as the abnormal traffic present in the current period.
Method 2: compare the distribution parameters of the field characteristics of the network traffic in the current period with the existing distribution baseline parameters of those field characteristics, calculate the request frequency growth rate of each field characteristic, and treat the network traffic corresponding to field characteristics whose request frequency growth rate is greater than a set growth-rate threshold as the abnormal traffic present in the current period.
It should be noted that the present application does not limit the set change-rate threshold or the set growth-rate threshold; both may be adjusted according to actual conditions.
In the embodiment above, after the abnormal traffic present in the current period has been identified, the first defense strategy directed at that abnormal traffic is generated from its characteristics. Optionally, the new first defense strategy is a defense strategy that blocks traffic having the characteristics of the abnormal traffic.
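The field-characteristic pipeline described in the preceding paragraphs, as one added illustrative example serving the baseline-analysis, second-defense-strategy and first-defense-strategy passages above: distribution parameters (proportion and request frequency) are computed per field characteristic, target field characteristics are selected from the normal baseline and used to rate-limit requests lacking them, and the current period is compared against the baseline by proportion change rate and frequency growth rate to pick the characteristics whose traffic the first defense strategy blocks. This is not the patent's code; the fields used (uri path, referer, query keys), the thresholds, the period length and every sample record are assumptions constructed for the example.

```python
"""Added example (not the patent's code): field-characteristic distributions,
target-feature selection for the second strategy and baseline comparison for
the first strategy, over constructed HTTP request records."""
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Tuple
from urllib.parse import parse_qs, urlsplit

Feature = Tuple[str, str]  # (field name, field value)
Distribution = Dict[Feature, Dict[str, float]]

# Constructed normal-traffic records for one 60 s period, and a current period in
# which a flood of requests shares a uri/referer pair never seen in the baseline.
NORMAL = (
    [{"uri": "/item?id=1&lang=en", "referer": "https://shop.example/"}] * 80
    + [{"uri": "/cart?id=2", "referer": "https://shop.example/"}] * 20
)
CURRENT = NORMAL[:100] + [{"uri": "/search?q=x", "referer": ""}] * 300
PERIOD_SECONDS = 60.0


def extract_features(record: Mapping) -> List[Feature]:
    """Standard HTTP fields plus secondary-processed query keys parsed from the uri."""
    parts = urlsplit(record["uri"])
    feats = [("uri_path", parts.path), ("referer", record["referer"])]
    feats += [("query_key", k) for k in sorted(parse_qs(parts.query))]
    return feats


def distribution(records: Iterable[Mapping], period_seconds: float) -> Distribution:
    """Distribution parameters per feature: proportion of requests carrying it and
    its request frequency in requests per second."""
    records = list(records)
    counts = Counter(f for r in records for f in extract_features(r))
    n = max(len(records), 1)
    return {f: {"proportion": c / n, "frequency": c / period_seconds} for f, c in counts.items()}


def target_features(baseline: Distribution, min_proportion: float) -> List[Feature]:
    """Target field characteristics: baseline proportion above the threshold."""
    return sorted(f for f, p in baseline.items() if p["proportion"] > min_proportion)


def second_strategy(request: Mapping, targets: List[Feature]) -> str:
    """Second defense strategy: rate-limit requests carrying none of the targets."""
    return "allow" if set(extract_features(request)) & set(targets) else "rate_limit"


def abnormal_features(current: Distribution, baseline: Distribution,
                      change_rate_threshold: float, growth_rate_threshold: float) -> List[Feature]:
    """Methods 1 and 2: proportion change rate and request-frequency growth rate
    versus the baseline. A feature absent from the baseline has no finite rate, so
    it is reported as abnormal as soon as it carries any traffic."""
    abnormal = []
    for f, cur in current.items():
        base = baseline.get(f)
        if base is None:
            abnormal.append(f)
            continue
        change = (cur["proportion"] - base["proportion"]) / base["proportion"]
        growth = (cur["frequency"] - base["frequency"]) / base["frequency"]
        if change > change_rate_threshold or growth > growth_rate_threshold:
            abnormal.append(f)
    return sorted(abnormal)


def first_strategy(request: Mapping, abnormal: List[Feature]) -> str:
    """First defense strategy: block requests carrying any abnormal feature."""
    return "block" if set(extract_features(request)) & set(abnormal) else "allow"
```

In the constructed data the legitimate features keep their absolute request frequency while their proportions fall, so only the newly appearing uri path, empty referer and query key are flagged; this is why the two rates are evaluated separately rather than folded into one score.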
In the embodiment above, after the traffic log data for the current period has been obtained, determining from that traffic log data whether the network traffic in the current period exhibits abnormal behavior includes at least one of the following methods:
Method 1: obtain, from the log data for the current period, the request frequency of the data requests in the current period; when the request frequency is greater than a first threshold, determine that the network traffic in the current period exhibits abnormal behavior;
Method 2: obtain, from the log data for the current period, the proportion of data requests in the current period whose response status code is abnormal; when this abnormal-status-code proportion is greater than a second threshold, determine that the network traffic in the current period exhibits abnormal behavior;
Method 3: obtain, from the log data for the current period, the growth rate of the number of data requests in the current period relative to the previous period; when the growth rate is greater than a third threshold, determine that the network traffic in the current period exhibits abnormal behavior.
Any one of the three methods above may be used alone as the condition for judging that the network traffic in the current period exhibits abnormal behavior, or any two of them, or all three, may be used together as that condition. The present application does not limit the first threshold, the second threshold or the third threshold; all three may be adjusted according to actual conditions.
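The three abnormal-behavior checks (Methods 1 to 3, stated here and in the system embodiment earlier) evaluated over constructed access-log records for a current and a previous period, with the OR/AND combination the text permits, as an added illustrative example that is not part of the patent. The record shape (ts, status), the 10-second period and all three thresholds are assumptions.

```python
"""Added example (not the patent's code): the three period-level abnormal-
behaviour checks over constructed access-log records."""
from typing import Mapping, Sequence, Tuple

# Constructed sample records for one 10-second period each; every record carries
# a unix timestamp and the HTTP response status code (assumed fields).
PERIOD_SECONDS = 10
PREVIOUS_PERIOD = [{"ts": 1_000 + (i % PERIOD_SECONDS), "status": 200} for i in range(40)]
CURRENT_PERIOD = (
    [{"ts": 1_010 + (i % PERIOD_SECONDS), "status": 200} for i in range(60)]
    + [{"ts": 1_010 + (i % PERIOD_SECONDS), "status": 503} for i in range(90)]
)

# Assumed thresholds; the patent leaves all three unspecified and tunable.
FIRST_THRESHOLD = 10.0    # requests per second
SECOND_THRESHOLD = 0.30   # share of 4xx/5xx responses
THIRD_THRESHOLD = 1.0     # 100 % growth over the previous period


def request_frequency(records: Sequence[Mapping], period_seconds: int) -> float:
    """Method 1 input: requests per second over the period."""
    return len(records) / period_seconds


def abnormal_status_ratio(records: Sequence[Mapping]) -> float:
    """Method 2 input: share of requests whose status code is 4xx or 5xx."""
    if not records:
        return 0.0
    abnormal = sum(1 for r in records if 400 <= r["status"] <= 599)
    return abnormal / len(records)


def growth_rate(current: Sequence[Mapping], previous: Sequence[Mapping]) -> float:
    """Method 3 input: relative growth of the request count versus the previous
    period. An empty previous period with non-empty current traffic is reported
    as infinite growth instead of raising ZeroDivisionError."""
    if not previous:
        return float("inf") if current else 0.0
    return (len(current) - len(previous)) / len(previous)


def abnormal_behaviour(current: Sequence[Mapping], previous: Sequence[Mapping],
                       period_seconds: int = PERIOD_SECONDS,
                       thresholds: Tuple[float, float, float] = (FIRST_THRESHOLD,
                                                                 SECOND_THRESHOLD,
                                                                 THIRD_THRESHOLD),
                       require_all: bool = False) -> dict:
    """Evaluate the three checks and combine them with OR (any single method is
    sufficient, the default) or AND (all methods must trigger)."""
    t1, t2, t3 = thresholds
    fired = {
        "frequency": request_frequency(current, period_seconds) > t1,
        "status_ratio": abnormal_status_ratio(current) > t2,
        "growth": growth_rate(current, previous) > t3,
    }
    combine = all if require_all else any
    return {"abnormal": combine(fired.values()), "fired": fired}


if __name__ == "__main__":
    print(abnormal_behaviour(CURRENT_PERIOD, PREVIOUS_PERIOD))
```

Method 3 is the only one that depends on the previous period, so a detector that keeps just the current period's logs can run Methods 1 and 2 but must retain at least the previous period's request count to run Method 3.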
After the second defense strategy has been updated and a new first defense strategy has been generated, the updated second defense strategy and the new first defense strategy are placed in a defense strategy library, and a corresponding effective duration is set for each first defense strategy; the second defense strategy is always in effect, but automatically ceases to apply when a first defense strategy appears. On this basis, after the traffic log data for the current period is received, it can be determined from that data whether the network traffic in the current period exhibits abnormal behavior. If the judgment result is that abnormal behavior exists, it is then judged whether a first defense strategy exists; if so, the network traffic in the subsequent period is processed according to the in-effect first defense strategy; if not, the network traffic in the subsequent period is processed according to the second defense strategy. The embodiments of the present application combine the second defense strategy with the first defense strategy: on the one hand this ensures that the origin server is not overwhelmed in the first moments of an attack, and on the other hand it ensures that the impact on currently legitimate access requests is kept to a minimum.
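The strategy library described above and the selection logic of steps S203 to S205, as an added illustrative example that is not part of the patent: each first defense strategy carries an effective duration, the second defense strategy never expires but is superseded while any first defense strategy is in effect, and the second strategy is replaced only when its target field characteristics change. The strategy shapes (a first strategy that blocks one field value, a second strategy that rate-limits requests lacking the target fields), the request fields, the expiry time and the sample requests are assumptions.

```python
"""Added example (not the patent's code): a defense strategy library with
expiring first strategies and a permanent, superseded-on-demand second strategy."""
from dataclasses import dataclass
from typing import Dict, List, Mapping


@dataclass
class FirstStrategy:
    """Blocks requests whose field equals the abnormal value; in effect until
    expires_at (unix seconds)."""
    field_name: str
    value: str
    expires_at: float

    def in_effect(self, now: float) -> bool:
        return now < self.expires_at

    def apply(self, request: Mapping) -> str:
        return "block" if request.get(self.field_name) == self.value else "allow"


@dataclass
class SecondStrategy:
    """Rate-limits requests lacking every target field characteristic learned
    from normal traffic; has no expiry."""
    target_fields: Dict[str, str]

    def apply(self, request: Mapping) -> str:
        has_target = any(request.get(k) == v for k, v in self.target_fields.items())
        return "allow" if has_target else "rate_limit"


class StrategyLibrary:
    def __init__(self, second: SecondStrategy):
        self.second = second
        self.first: List[FirstStrategy] = []

    def add_first(self, strategy: FirstStrategy) -> None:
        self.first.append(strategy)

    def update_second(self, target_fields: Dict[str, str]) -> bool:
        """Replace the second strategy only if the target fields actually changed."""
        if target_fields == self.second.target_fields:
            return False
        self.second = SecondStrategy(dict(target_fields))
        return True

    def active_first(self, now: float) -> List[FirstStrategy]:
        """First strategies whose effective duration has not elapsed."""
        return [s for s in self.first if s.in_effect(now)]

    def select(self, now: float, abnormal_behaviour: bool):
        """S203 to S205: nothing is applied without abnormal behaviour; otherwise
        the in-effect first strategies win, and the second is the fallback."""
        if not abnormal_behaviour:
            return None
        active = self.active_first(now)
        return active if active else self.second

    def decide(self, request: Mapping, now: float, abnormal_behaviour: bool) -> str:
        chosen = self.select(now, abnormal_behaviour)
        if chosen is None:
            return "allow"
        if isinstance(chosen, list):
            # While first strategies are in effect the second one does not apply,
            # so a request matching none of them is allowed, not rate-limited.
            return "block" if any(s.apply(request) == "block" for s in chosen) else "allow"
        return chosen.apply(request)


# Constructed sample: a target referer learned from normal traffic and one first
# strategy against requests with an empty referer, in effect until t = 1300.
LIBRARY = StrategyLibrary(SecondStrategy({"referer": "https://shop.example/"}))
LIBRARY.add_first(FirstStrategy("referer", "", expires_at=1_300.0))
```

The effective duration is what lets the blunt first strategy fall away automatically once the attack traffic stops, after which the gentler rate-limiting second strategy resumes without any operator action.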
FIG. 3 is a schematic flowchart of another data processing method provided by an exemplary embodiment of the present application. As shown in FIG. 3, the method includes:
S301: analyze the characteristics of the network traffic in the current period from the traffic log data for the current period;
S302: identify the abnormal traffic present in the current period from the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, the baseline characteristics of known normal traffic being obtained from historical traffic log data;
S303: generate, from the characteristics of the abnormal traffic present in the current period, a first defense strategy directed at that abnormal traffic, for processing the network traffic in the subsequent period.
The method of this embodiment may be executed by a single device that has a defense function and a certain computing capability, or may be implemented jointly by the defense strategy computing device and the protection execution device of the system embodiment above. In the joint scenario, the protection execution device delivers the log data it generates to the defense strategy computing device, which receives that log data and thereby obtains it. The frequency at which the defense strategy computing device obtains the log data can be set according to actual conditions, for example once every 1 s, 2 s, 5 s or 10 s.
FIG. 2b is a schematic flowchart of another data processing method provided by an exemplary embodiment of the present application. As shown in FIG. 2b, the method includes:
S221: obtain the database operation log data for the current period, the database operation log data reflecting the characteristics of the database operation traffic in the current period;
S222: determine, from the database operation log data for the current period, whether data leakage behavior exists in the current period; if so, perform step S223; if not, end the data leakage detection;
S223:判断是否存在第一防御策略,第一防御策略是针对在当前时刻之前已识别到的数据库异常操作流量生成的;若存在执行步骤S224,若不存在则执行步骤S225;S223: Determine whether there is a first defense strategy, the first defense strategy is generated for abnormal database operation traffic that has been identified before the current moment; if it exists, perform step S224, if not, perform step S225;
S224:根据已存在的第一防御策略对后续时段内的数据库操作流量进行数据处理;S224: Perform data processing on the database operation traffic in the subsequent period according to the existing first defense strategy;
S225:根据第二防御策略对后续时段内的数据库操作流量进行数据处理,第二防御策略是根据当前时刻之前已经识别到的正常数据库操作流量生成的。S225: Perform data processing on the database operation traffic in the subsequent period according to the second defense strategy. The second defense strategy is generated based on the normal database operation traffic that has been identified before the current moment.
在本申请实施例中,将已存在的第一防御策略下发给数据库操作流量通道上的防护执行设备,以供防护执行设备根据已存在的第一防御策略对后续时段内的数据库操作流量进行数据处理。将已生成的第二防御策略下发给数据库操作流量通道上的防护执行设备,以供防护执行设备根据已存在的第二防御策略对后续时段内的数据库操作流量进行数据处理。其中,本申请实施例对数据库操作流量进行数据处理的方式不作限定。In the embodiment of this application, the existing first defense strategy is issued to the protection execution device on the database operation traffic channel, so that the protection execution device can perform the database operation traffic in the subsequent period according to the existing first defense strategy. data processing. The generated second defense strategy is issued to the defense execution device on the database operation traffic channel, so that the defense execution device performs data processing on the database operation traffic in the subsequent period according to the existing second defense strategy. Among them, the embodiment of the present application does not limit the data processing method of the database operation flow.
在本申请实施例中,根据当前时段内的数据库操作日志数据确定出当前时段内存在数据泄露行为,包括但不限于以下几种方式:In the embodiment of the present application, the data leakage behavior in the current period is determined according to the database operation log data in the current period, including but not limited to the following methods:
方式一,根据当前时段内的数据库操作日志数据,获取当前时段内查询数据条目数量,在查询数据条目数大于第一数量阈值时,则当前时段内的数据库操作日志数据确定出当前时段内存在数据泄露行为;Method 1: According to the database operation log data in the current period, obtain the number of query data entries in the current period. When the number of query data entries is greater than the first number threshold, the database operation log data in the current period determines that there is data in the current period Leaking behavior
方式二,根据当前时段内的数据库操作日志数据,获取当前时段内查询数据字节数,在查询数据字节数大于第二数量阈值时,则当前时段内的数据库操作日志数据确定出当前时段内存在数据泄露行为。Method 2: According to the database operation log data in the current period, the number of query data bytes in the current period is obtained. When the number of query data bytes is greater than the second number threshold, the database operation log data in the current period determines the current period memory The act of data breach.
在本申请上述应用场景中,第一防御策略是针对在当前时刻之前已识别到的数据库异常操作流量生成的。数据库操作日志数据的基线特征包括但不限于以下几种:查询频率、查询时间间隔、单次查询条目数、单次查询结果条目数、单次查询结果字节数、累计查询条目数、累计查询结果条目数和累计查询结果字节数。In the above-mentioned application scenario of this application, the first defense strategy is generated for abnormal database operation traffic that has been identified before the current moment. The baseline characteristics of database operation log data include but are not limited to the following: query frequency, query interval, number of single query entries, single query result entries, single query result bytes, cumulative query entries, cumulative query The number of result entries and cumulative query result bytes.
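The following is an added worked example of Method 1 and Method 2 and of the baseline characteristics just listed, written for this page and not taken from the application; the log record format, the field names, the period length and the threshold values are all assumptions, and the "queried entries" of Method 1 are approximated by the result row count of each logged query.

```python
"""Data-leakage check over database operation logs (Method 1: queried entries,
Method 2: queried bytes) plus the baseline characteristics listed above.
Added example, not code from the application; the log format, field names and
threshold values are assumptions."""
from dataclasses import dataclass
from statistics import mean

# Constructed sample log for one period. Assumed format, one query per line:
# ts,user,sql,result_rows,result_bytes   (the sql text may itself contain commas)
SAMPLE_LOG = """\
1700000000,app_svc,SELECT id FROM users WHERE id=42,1,64
1700000002,app_svc,SELECT id FROM users WHERE id=43,1,64
1700000003,report_job,SELECT id, name, email FROM customers,250000,61440000
1700000009,app_svc,SELECT id FROM orders WHERE id=7,1,80
"""
PERIOD_SECONDS = 10  # assumed length of the current period


@dataclass
class QueryRecord:
    ts: int
    user: str
    sql: str
    result_rows: int
    result_bytes: int


def parse_log(text):
    """Parse the constructed format. The two trailing numeric fields are split off
    first so that commas inside the SQL text do not break the record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, rows, nbytes = line.rsplit(",", 2)
        ts, user, sql = head.split(",", 2)
        records.append(QueryRecord(int(ts), user, sql, int(rows), int(nbytes)))
    return records


def baseline_features(records, period_seconds):
    """Baseline characteristics the text lists for database operation logs:
    query frequency, query interval, per-query result sizes and cumulative totals."""
    ts = sorted(r.ts for r in records)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "query_frequency": len(records) / period_seconds,
        "mean_query_interval": mean(intervals) if intervals else float(period_seconds),
        "max_result_rows_per_query": max(r.result_rows for r in records),
        "max_result_bytes_per_query": max(r.result_bytes for r in records),
        "cumulative_result_rows": sum(r.result_rows for r in records),
        "cumulative_result_bytes": sum(r.result_bytes for r in records),
    }


def detect_leakage(records, entry_threshold, byte_threshold):
    """Method 1 / Method 2: the period is flagged when the cumulative number of
    queried entries exceeds the first quantity threshold or the cumulative number
    of queried bytes exceeds the second. Returns the list of triggered methods;
    an empty list means no data leakage behavior was detected."""
    feats = baseline_features(records, PERIOD_SECONDS)
    triggered = []
    if feats["cumulative_result_rows"] > entry_threshold:
        triggered.append("query_entries")
    if feats["cumulative_result_bytes"] > byte_threshold:
        triggered.append("query_bytes")
    return triggered


def choose_strategy(leak_detected, first_strategy, second_strategy):
    """Steps S222-S225: nothing when no leakage was detected; otherwise the existing
    first strategy if there is one, else the second (normal-traffic) strategy."""
    if not leak_detected:
        return None
    return first_strategy if first_strategy is not None else second_strategy


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = detect_leakage(recs, entry_threshold=100_000, byte_threshold=50 * 1024 * 1024)
    print("baseline:", baseline_features(recs, PERIOD_SECONDS))
    print("leakage indicators:", hits)
    print("strategy:", choose_strategy(bool(hits), None, {"kind": "second"}))
```

With the constructed log, the single bulk export by `report_job` pushes both the cumulative row count (250003) and the cumulative byte count (61440208) over the assumed thresholds, so both methods fire; dropping that one query leaves the period clean, which is the point of comparing cumulative totals against a per-period threshold rather than inspecting queries one at a time.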
FIG. 2c is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application. As shown in FIG. 2c, the method includes:
S231: Obtain traffic log data for the current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
S232: Determine, based on the traffic log data of the current period, whether the network traffic of the current period exhibits abnormal behavior; if it does, perform step S233; if not, end the abnormal behavior detection;
S233: Determine whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment; if it exists, perform step S234; if not, perform step S235;
S234: Generate first visualization data for the network traffic of subsequent periods according to the existing first defense strategy;
S235: Generate second visualization data for the network traffic of subsequent periods according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
In this embodiment, the first visualization data is sent to a display terminal, which generates a first display interface from the first visualization data. This application does not limit the content of the first display interface; it may include, but is not limited to: a curve of the abnormal indicator total together with the fluctuation range of the normal indicator total, and a comparison table of the indicators corresponding to the abnormal components against their normal fluctuation ranges.
In this embodiment, after the second visualization data has been generated for the network traffic of subsequent periods according to the second defense strategy, it is sent to the display terminal, which generates a second display interface from the second visualization data. This application does not limit the content of the second display interface; it may include, but is not limited to: a curve of the current indicator total together with the fluctuation range of the normal indicator total, a period-on-period curve of the current indicator together with the normal period-on-period fluctuation range, a pie chart of the distribution of the components, a comparison table of each component's current proportion against its normal fluctuation range, and a comparison table of each component's absolute value against its normal fluctuation range.
In the embodiments of this application, the baseline characteristics of traffic log data include, but are not limited to: the absolute value of the indicator total, the period-on-period ratio of the indicator relative to the previous period, the absolute value of each component, the proportion of each component, and the period-on-period ratio of each component relative to the previous period.
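The following added example, not code from the application, computes the five baseline characteristics just listed from per-period request counts and derives the "normal fluctuation range" that the display interfaces above compare current values against. The breakdown of traffic into components by URI prefix, the constructed counts and the use of a mean plus or minus three standard deviations as the fluctuation range are assumptions.

```python
"""Baseline characteristics of traffic log data: absolute value of the indicator
total, its period-on-period ratio, and each component's absolute value, proportion
and period-on-period ratio, with a normal fluctuation range derived from historical
normal periods. Added example, not code from the application; the component
breakdown (by URI prefix) and the 3-sigma range are assumptions."""
from statistics import mean, pstdev

# Constructed per-period request counts broken down by component (assumed: URI prefix).
# HISTORY holds earlier periods already filtered down to normal traffic (assumed).
HISTORY = [
    {"/api": 800, "/static": 1500, "/login": 50},
    {"/api": 820, "/static": 1480, "/login": 55},
    {"/api": 790, "/static": 1520, "/login": 45},
    {"/api": 810, "/static": 1500, "/login": 50},
]
# The current period: /login volume is far above its usual share (constructed).
CURRENT = {"/api": 810, "/static": 1500, "/login": 900}


def period_features(current, previous):
    """The five baseline characteristics for one period. Ratios need the previous
    period and are omitted when it is missing or the component was absent."""
    total = sum(current.values())
    feats = {"total:abs": float(total)}
    if previous:
        feats["total:ratio"] = total / sum(previous.values())
    for name, count in current.items():
        feats[f"{name}:abs"] = float(count)
        feats[f"{name}:share"] = count / total
        if previous and previous.get(name):
            feats[f"{name}:ratio"] = count / previous[name]
    return feats


def baseline_ranges(history, k=3.0):
    """Normal fluctuation range per characteristic: mean +/- k * population std dev
    over the historical normal periods (assumed choice of range)."""
    per_period = [period_features(p, history[i - 1] if i else None)
                  for i, p in enumerate(history)]
    ranges = {}
    for key in set().union(*per_period):
        vals = [f[key] for f in per_period if key in f]
        m = mean(vals)
        s = pstdev(vals) if len(vals) > 1 else 0.0
        ranges[key] = (m - k * s, m + k * s)
    return ranges


def out_of_range(current, previous, ranges):
    """Characteristics of the current period that fall outside their normal range,
    i.e. the rows a comparison table on the display interface would highlight."""
    feats = period_features(current, previous)
    return sorted(key for key, val in feats.items()
                  if key in ranges and not (ranges[key][0] <= val <= ranges[key][1]))


if __name__ == "__main__":
    ranges = baseline_ranges(HISTORY)
    for key in out_of_range(CURRENT, HISTORY[-1], ranges):
        lo, hi = ranges[key]
        print(f"{key}: current={period_features(CURRENT, HISTORY[-1])[key]:.4f} "
              f"normal range=[{lo:.4f}, {hi:.4f}]")
```

Note how the surge in one component drags the proportions of the untouched components out of range as well (their absolute values and period-on-period ratios stay normal); a display that shows absolute values beside proportions, as the second interface above does, lets an operator see at a glance which component actually moved.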
This embodiment describes the data processing method from the perspective of generating the first defense strategy. Each step of this embodiment is described in detail in the foregoing embodiments of the data processing method; the present embodiment and its corresponding beneficial effects follow from those embodiments and are not repeated here.
FIG. 4 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application. As shown in FIG. 4, the data processing device includes a memory 401 and a processor 402, and further includes the necessary components of a communication component 403 and a power supply component 404.
The memory 401 is used to store a computer program and may be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 401 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The communication component 403 is used to establish communication connections with other devices.
The processor 402 can execute the computer instructions stored in the memory 401 in order to: obtain traffic log data for the current period, the traffic log data reflecting the characteristics of the network traffic in the current period; if it is determined from the traffic log data of the current period that the network traffic of the current period exhibits abnormal behavior, determine whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment; if it exists, perform data processing on the network traffic of subsequent periods according to the existing first defense strategy; if not, perform data processing on the network traffic of subsequent periods according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
Optionally, the processor 402 may further be used to: analyze the characteristics of the network traffic of the current period from the traffic log data of the current period; identify the abnormal traffic present in the current period from those characteristics and the baseline characteristics of known normal traffic; and generate, from the characteristics of the abnormal traffic present in the current period, a first defense strategy against that abnormal traffic.
Optionally, when performing data processing on the network traffic of subsequent periods according to the existing first defense strategy, the processor 402 is specifically used to: deliver the existing first defense strategy to the protection execution device on the network traffic channel, so that the protection execution device can process the network traffic of subsequent periods according to the existing first defense strategy.
Optionally, the processor 402 may further be used to: deliver the effective duration corresponding to the existing first defense strategy to the protection execution device, so that the protection execution device processes the network traffic of subsequent periods according to the existing first defense strategy within that effective duration.
Optionally, the processor 402 may further be used to: filter the abnormal log data out of the traffic log data of a historical period to obtain the log data of normal traffic; analyze the baseline characteristics of normal traffic from the log data of normal traffic; and generate a second defense strategy from the target field characteristics among the baseline characteristics of normal traffic.
Optionally, when performing data processing on the network traffic of subsequent periods according to the second defense strategy, the processor 402 is specifically used to: deliver the generated second defense strategy to the protection execution device on the network traffic channel, so that the protection execution device can process the network traffic of subsequent periods according to the generated second defense strategy.
Optionally, when the processor 402 determines from the traffic log data of the current period that the network traffic of the current period exhibits abnormal behavior, this includes at least one of the following: obtaining, from the log data of the current period, the request frequency of the data requests in the current period, and determining that the network traffic of the current period exhibits abnormal behavior when the request frequency exceeds a first threshold; obtaining, from the log data of the current period, the proportion of abnormal response status codes among the data requests of the current period, and determining that the network traffic of the current period exhibits abnormal behavior when that proportion exceeds a second threshold; obtaining, from the log data of the current period, the growth rate of the number of data requests in the current period relative to the previous period, and determining that the network traffic of the current period exhibits abnormal behavior when the growth rate exceeds a third threshold.
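The following added example, not code from the application, runs the three abnormal-behavior indicators just described over constructed access-log lines for one period and then walks the processor 402 flow: profile the abnormal traffic, derive a first defense strategy with an effective duration from it, and fall back to the second strategy when no unexpired first strategy exists. The log format, the three threshold values, the treatment of 4xx/5xx responses as "abnormal status codes", the rate-limit action and the 300 s effective duration are all assumptions.

```python
"""Abnormal-behavior detection over traffic log data using request frequency,
abnormal response status code proportion and growth rate versus the previous
period, followed by first-or-second defense strategy selection. Added example,
not code from the application; log format, thresholds, the effective duration
and the rate-limit action are assumptions."""
from collections import Counter

PERIOD_SECONDS = 10           # assumed period length
PREVIOUS_PERIOD_REQUESTS = 5  # request count of the previous period (constructed)

# Constructed access-log lines for the current period. Assumed format:
# "<epoch> <client_ip> <method> <path> <status>"
CURRENT_PERIOD_LOG = """\
1700000000 203.0.113.5 GET /api/items 200
1700000001 203.0.113.5 GET /api/items/7 200
1700000001 198.51.100.9 GET /api/items 503
1700000002 198.51.100.9 GET /api/items 503
1700000002 198.51.100.9 GET /api/items/9999 404
1700000003 198.51.100.9 GET /api/items 503
1700000003 198.51.100.9 GET /api/items 503
1700000004 198.51.100.9 GET /api/items 503
1700000005 203.0.113.5 GET /static/app.js 200
1700000006 198.51.100.9 GET /api/items 503
1700000007 198.51.100.9 GET /api/items 503
1700000008 203.0.113.5 GET /api/items/8 200
"""

# The first, second and third thresholds of the text; these values are assumptions.
THRESHOLDS = {"request_frequency": 1.0, "abnormal_status_ratio": 0.5, "growth_rate": 1.0}


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = line.split()
        records.append({"ts": int(ts), "ip": ip, "method": method,
                        "path": path, "status": int(status)})
    return records


def period_indicators(records, period_seconds, previous_count):
    """The three indicators from the text for one period of log data."""
    n = len(records)
    abnormal = sum(1 for r in records if r["status"] >= 400)  # assumed: 4xx/5xx
    return {
        "request_frequency": n / period_seconds,
        "abnormal_status_ratio": abnormal / n if n else 0.0,
        "growth_rate": (n - previous_count) / previous_count if previous_count else float("inf"),
    }


def detect_abnormal(indicators, thresholds):
    """Indicators that exceed their threshold; any single one marks the period abnormal."""
    return [k for k in ("request_frequency", "abnormal_status_ratio", "growth_rate")
            if indicators[k] > thresholds[k]]


def abnormal_traffic_profile(records):
    """Characteristics of the abnormal traffic (here: which clients produced the
    abnormal responses), the input from which a first defense strategy is generated."""
    return Counter(r["ip"] for r in records if r["status"] >= 400)


def generate_first_strategy(profile, effective_seconds, now):
    """Assumed shape of a first defense strategy: rate-limit the dominant source of
    the abnormal traffic, valid only for the effective duration delivered with it."""
    ip, _count = profile.most_common(1)[0]
    return {"kind": "first", "match_ip": ip, "action": "rate_limit",
            "expires_at": now + effective_seconds}


def select_strategy(triggered, first_strategy, second_strategy, now):
    """S232-S235 / processor 402: nothing when no indicator fired; an existing,
    unexpired first strategy if there is one; otherwise the second strategy."""
    if not triggered:
        return None
    if first_strategy is not None and first_strategy["expires_at"] > now:
        return first_strategy
    return second_strategy


if __name__ == "__main__":
    recs = parse_log(CURRENT_PERIOD_LOG)
    ind = period_indicators(recs, PERIOD_SECONDS, PREVIOUS_PERIOD_REQUESTS)
    fired = detect_abnormal(ind, THRESHOLDS)
    print("indicators:", ind, "triggered:", fired)
    now = recs[-1]["ts"] + 2
    second = {"kind": "second", "action": "baseline_rate_limit"}
    print("no first strategy yet ->", select_strategy(fired, None, second, now))
    first = generate_first_strategy(abnormal_traffic_profile(recs), 300, now)
    print("first strategy generated ->", select_strategy(fired, first, second, now))
```

The expiry check in `select_strategy` is what makes the effective duration delivered to the protection execution device meaningful: once a first strategy has lapsed, the device falls back to the second strategy rather than keeping a stale, traffic-specific rule in force.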
Correspondingly, an embodiment of this application further provides a computer-readable storage medium storing a computer program. When the computer program stored on the computer-readable storage medium is executed by one or more processors, it causes the one or more processors to perform the steps of the method embodiment of FIG. 2a.
In the data processing device and storage medium embodiments above, the traffic log data of the current period is obtained; abnormal behavior detection is performed on the traffic log data of the current period, and when the network traffic of the current period is determined to exhibit abnormal behavior, it is checked whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to process the network traffic of subsequent periods; if not, a second defense strategy generated from known normal traffic is used to process the network traffic of subsequent periods. This application combines the second defense strategy with the first defense strategy, which on the one hand ensures that the origin server is not overwhelmed in the first moments of an attack, and on the other hand keeps the impact on current legitimate access requests to a minimum.
FIG. 5 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application. As shown in FIG. 5, the data processing device includes a memory 501 and a processor 502, and further includes the necessary components of a communication component 503 and a power supply component 504.
The memory 501 is used to store a computer program and may be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 501 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The communication component 503 is used to establish communication connections with other devices.
The processor 502 can execute the computer instructions stored in the memory 501 in order to: analyze the characteristics of the network traffic of the current period from the traffic log data of the current period; identify the abnormal traffic present in the current period from those characteristics and the baseline characteristics of known normal traffic, where the baseline characteristics of known normal traffic are obtained from historical traffic log data; and generate, from the characteristics of the abnormal traffic present in the current period, a first defense strategy against that abnormal traffic, so as to perform data processing on the network traffic of subsequent periods.
Correspondingly, an embodiment of this application further provides a computer-readable storage medium storing a computer program. When the computer program stored on the computer-readable storage medium is executed by one or more processors, it causes the one or more processors to perform the steps of the method embodiment of FIG. 3.
In the data processing device and storage medium embodiments above, the traffic log data of the current period is obtained; abnormal behavior detection is performed on the traffic log data of the current period, and when the network traffic of the current period is determined to exhibit abnormal behavior, it is checked whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to process the network traffic of subsequent periods; if not, a second defense strategy generated from known normal traffic is used to process the network traffic of subsequent periods. This application combines the second defense strategy with the first defense strategy, which on the one hand ensures that the origin server is not overwhelmed in the first moments of an attack, and on the other hand keeps the impact on current legitimate access requests to a minimum.
FIG. 6 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application. As shown in FIG. 6, the data processing device includes a memory 601 and a processor 602, and further includes the necessary components of a communication component 603 and a power supply component 604.
The memory 601 is used to store a computer program and may be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 601 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The communication component 603 is used to establish communication connections with other devices.
The processor 602 can execute the computer instructions stored in the memory 601 in order to: obtain database operation log data for the current period, the database operation log data reflecting the characteristics of the database operation traffic in the current period; if it is determined from the database operation log data of the current period that data leakage behavior exists in the current period, determine whether a first defense strategy exists, the first defense strategy having been generated for abnormal database operation traffic identified before the current moment; if it exists, perform data processing on the database operation traffic of subsequent periods according to the existing first defense strategy; if not, perform data processing on the database operation traffic of subsequent periods according to a second defense strategy, the second defense strategy having been generated from normal database operation traffic identified before the current moment.
Optionally, when performing data processing on the database operation traffic of subsequent periods according to the existing first defense strategy, the processor 602 is specifically used to: deliver the existing first defense strategy to the protection execution device on the database operation traffic channel, so that the protection execution device can process the database operation traffic of subsequent periods according to the existing first defense strategy.
Optionally, when performing data processing on the network traffic of subsequent periods according to the second defense strategy, the processor 602 is specifically used to: deliver the generated second defense strategy to the protection execution device on the database operation traffic channel, so that the protection execution device can process the database operation traffic of subsequent periods according to the existing second defense strategy.
Optionally, when the processor 602 determines from the database operation log data of the current period that data leakage behavior exists in the current period, this includes at least one of the following: obtaining, from the database operation log data of the current period, the number of data entries queried in the current period, and determining from the database operation log data of the current period that data leakage behavior exists in the current period when the number of queried entries exceeds a first quantity threshold; obtaining, from the database operation log data of the current period, the number of bytes of data queried in the current period, and determining from the database operation log data of the current period that data leakage behavior exists in the current period when the number of queried bytes exceeds a second quantity threshold.
In the data processing device and storage medium embodiments above, the database operation log data of the current period is obtained; data leakage detection is performed on the database operation log data of the current period, and when data leakage behavior is determined to exist in the current period, it is checked whether a generated first defense strategy exists in the defense strategy library; if it exists, the existing first defense strategy is used to process the database operation traffic of subsequent periods; if not, the database operation traffic of subsequent periods is processed according to the second defense strategy. This application combines the second defense strategy with the first defense strategy to reduce the losses caused by data leakage.
FIG. 7 is a schematic structural diagram of a data processing device provided by an exemplary embodiment of this application. As shown in FIG. 7, the data processing device includes a memory 701 and a processor 702, and further includes the necessary components of a communication component 703 and a power supply component 704.
The memory 701 is used to store a computer program and may be configured to store various other data to support operations on the data processing device. Examples of such data include instructions for any application or method operating on the data processing device.
The memory 701 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The communication component 703 is used to establish communication connections with other devices.
The processor 702 can execute the computer instructions stored in the memory 701 in order to: obtain traffic log data for the current period, the traffic log data reflecting the characteristics of the network traffic in the current period; if it is determined from the traffic log data of the current period that the network traffic of the current period exhibits abnormal behavior, determine whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment; if it exists, generate first visualization data for the network traffic of subsequent periods according to the existing first defense strategy; if not, generate second visualization data for the network traffic of subsequent periods according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
Optionally, after generating the first visualization data for the network traffic of subsequent periods according to the existing first defense strategy, the processor 702 may further be used to: send the first visualization data to a display terminal, so that the display terminal generates a first display interface from the first visualization data.
Optionally, after generating the second visualization data for the network traffic of subsequent periods according to the second defense strategy, the processor 702 may further be used to: send the second visualization data to the display terminal, so that the display terminal generates a second display interface from the second visualization data.
In some exemplary embodiments of this application, on the one hand, the traffic log data of the current period can be analyzed to determine whether abnormal traffic exists in the current period and, if it does, a first defense strategy can be generated against that abnormal traffic; on the other hand, abnormal behavior detection can be performed on the traffic log data of the current period and, when the network traffic of the current period is determined to exhibit abnormal behavior, it can be checked whether a generated first defense strategy exists; if it exists, the existing first defense strategy is used to generate first visualization data for the network traffic of subsequent periods; if not, a second defense strategy generated from known normal traffic is used to generate second visualization data for the network traffic of subsequent periods. Combining the second defense strategy with the first defense strategy in this way turns the network traffic into data that presents the various indicators of abnormal behavior visually, so that defensive measures can be taken quickly.
The communication components in FIGS. 4 to 7 above are configured to facilitate wired or wireless communication between the device in which the communication component resides and other devices. That device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component further includes near field communication (NFC) technology, radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and the like, to facilitate short-range communication.
The power supply components in FIGS. 4 to 7 above supply power to the various components of the device in which the power supply component resides. The power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for that device.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device. The device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment. The instructions provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.
在一个典型的配置中,计算设备包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, the computing device includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。The memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排 除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, product or equipment including a series of elements not only includes those elements, but also includes Other elements that are not explicitly listed, or include elements inherent to this process, method, commodity, or equipment. If there are no more restrictions, the elements defined by the sentence "including a..." do not exclude the existence of other identical elements in the process, method, commodity or equipment that includes the element.
以上所述仅为本申请的实施例而已,并不用于限制本申请。对于本领域技术人员来说,本申请可以有各种更改和变化。凡在本申请的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在本申请的权利要求范围之内。The above descriptions are only examples of this application and are not used to limit this application. For those skilled in the art, this application can have various modifications and changes. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this application shall be included in the scope of the claims of this application.

Claims (23)

  1. A data processing method, comprising:
    acquiring traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, performing data processing on the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, performing data processing on the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
  2. The method according to claim 1, further comprising:
    analyzing the characteristics of the network traffic in the current period according to the traffic log data of the current period;
    identifying abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic;
    generating, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy against the abnormal traffic present in the current period.
  3. The method according to claim 1, wherein performing data processing on the network traffic in the subsequent period according to the existing first defense strategy comprises:
    issuing the existing first defense strategy to a protection enforcement device on the network traffic channel, so that the protection enforcement device performs data processing on the network traffic in the subsequent period according to the existing first defense strategy.
  4. The method according to claim 3, further comprising:
    issuing the effective duration corresponding to the existing first defense strategy to the protection enforcement device, so that the protection enforcement device performs data processing on the network traffic in the subsequent period according to the existing first defense strategy within that effective duration.
  5. The method according to claim 1, further comprising:
    filtering abnormal log data out of the traffic log data of a historical period to obtain log data of normal traffic;
    analyzing the baseline characteristics of normal traffic according to the log data of normal traffic;
    generating the second defense strategy according to the target field characteristics among the baseline characteristics of normal traffic.
  6. The method according to claim 1, wherein performing data processing on the network traffic in the subsequent period according to the second defense strategy comprises:
    issuing the generated second defense strategy to a protection enforcement device on the network traffic channel, so that the protection enforcement device performs data processing on the network traffic in the subsequent period according to the generated second defense strategy.
  7. The method according to claim 1, wherein determining from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior comprises at least one of the following:
    obtaining, from the log data of the current period, the request frequency of data requests in the current period, and determining that the network traffic in the current period exhibits abnormal behavior when the request frequency is greater than a first threshold;
    obtaining, from the log data of the current period, the proportion of abnormal response status codes of data requests in the current period, and determining that the network traffic in the current period exhibits abnormal behavior when the proportion of abnormal response status codes is greater than a second threshold;
    obtaining, from the log data of the current period, the growth rate of the number of data requests in the current period relative to the previous period, and determining that the network traffic in the current period exhibits abnormal behavior when the growth rate is greater than a third threshold.
  8. A data processing method, comprising:
    analyzing the characteristics of the network traffic in a current period according to the traffic log data of the current period;
    identifying abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, wherein the baseline characteristics of known normal traffic are obtained from historical traffic log data;
    generating, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy against the abnormal traffic present in the current period, so as to perform data processing on the network traffic in a subsequent period.
  9. A data processing method, comprising:
    acquiring database operation log data of a current period, the database operation log data reflecting the characteristics of the database operation traffic in the current period;
    if it is determined from the database operation log data of the current period that data leakage behavior exists in the current period, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal database operation traffic identified before the current moment;
    if it exists, performing data processing on the database operation traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, performing data processing on the database operation traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal database operation traffic identified before the current moment.
  10. The method according to claim 9, wherein performing data processing on the database operation traffic in the subsequent period according to the existing first defense strategy comprises:
    issuing the existing first defense strategy to a protection enforcement device on the database operation traffic channel, so that the protection enforcement device performs data processing on the database operation traffic in the subsequent period according to the existing first defense strategy.
  11. The method according to claim 9, wherein performing data processing on the network traffic in the subsequent period according to the second defense strategy comprises:
    issuing the generated second defense strategy to a protection enforcement device on the database operation traffic channel, so that the protection enforcement device performs data processing on the database operation traffic in the subsequent period according to the existing second defense strategy.
  12. The method according to claim 9, wherein determining from the database operation log data of the current period that data leakage behavior exists in the current period comprises at least one of the following:
    obtaining, from the database operation log data of the current period, the number of data entries queried in the current period, and determining from the database operation log data of the current period that data leakage behavior exists in the current period when the number of queried data entries is greater than a first quantity threshold;
    obtaining, from the database operation log data of the current period, the number of bytes of data queried in the current period, and determining from the database operation log data of the current period that data leakage behavior exists in the current period when the number of queried data bytes is greater than a second quantity threshold.
  13. A data processing method, comprising:
    acquiring traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, generating first visualization data for the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, generating second visualization data for the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
  14. The method according to claim 13, further comprising, after generating the first visualization data for the network traffic in the subsequent period according to the existing first defense strategy:
    sending the first visualization data to a display terminal, so that the display terminal generates a first display interface according to the first visualization data.
  15. The method according to claim 13, further comprising, after generating the second visualization data for the network traffic in the subsequent period according to the second defense strategy:
    sending the second visualization data to a display terminal, so that the display terminal generates a second display interface according to the second visualization data.
  16. A data processing device, comprising a memory and a processor;
    the memory being configured to store one or more computer instructions;
    the processor being configured to execute the one or more computer instructions in order to:
    acquire traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judge whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, perform data processing on the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, perform data processing on the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
  17. A computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions comprising:
    acquiring traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, performing data processing on the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, performing data processing on the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
  18. A data processing device, comprising a memory and a processor;
    the memory being configured to store one or more computer instructions;
    the processor being configured to execute the one or more computer instructions in order to:
    analyze the characteristics of the network traffic in a current period according to the traffic log data of the current period;
    identify abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, wherein the baseline characteristics of known normal traffic are obtained from historical traffic log data;
    generate, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy against the abnormal traffic present in the current period, so as to perform data processing on the network traffic in a subsequent period.
  19. A computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions comprising:
    analyzing the characteristics of the network traffic in a current period according to the traffic log data of the current period;
    identifying abnormal traffic present in the current period according to the characteristics of the network traffic in the current period and the baseline characteristics of known normal traffic, wherein the baseline characteristics of known normal traffic are obtained from historical traffic log data;
    generating, according to the characteristics of the abnormal traffic present in the current period, a first defense strategy against the abnormal traffic present in the current period, so as to perform data processing on the network traffic in a subsequent period.
  20. A data processing device, comprising a memory and a processor;
    the memory being configured to store one or more computer instructions;
    the processor being configured to execute the one or more computer instructions in order to:
    acquire database operation log data of a current period, the database operation log data reflecting the characteristics of the database operation traffic in the current period;
    if it is determined from the database operation log data of the current period that data leakage behavior exists in the current period, judge whether a first defense strategy exists, the first defense strategy having been generated for abnormal database operation traffic identified before the current moment;
    if it exists, perform data processing on the database operation traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, perform data processing on the database operation traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal database operation traffic identified before the current moment.
  21. A computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions comprising:
    acquiring database operation log data of a current period, the database operation log data reflecting the characteristics of the database operation traffic in the current period;
    if it is determined from the database operation log data of the current period that data leakage behavior exists in the current period, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal database operation traffic identified before the current moment;
    if it exists, performing data processing on the database operation traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, performing data processing on the database operation traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal database operation traffic identified before the current moment.
  22. A data processing device, comprising a memory and a processor;
    the memory being configured to store one or more computer instructions;
    the processor being configured to execute the one or more computer instructions in order to:
    acquire traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judge whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, generate first visualization data for the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, generate second visualization data for the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
  23. A computer-readable storage medium storing a computer program which, when executed by one or more processors, causes the one or more processors to perform actions comprising:
    acquiring traffic log data of a current period, the traffic log data reflecting the characteristics of the network traffic in the current period;
    if it is determined from the traffic log data of the current period that the network traffic in the current period exhibits abnormal behavior, judging whether a first defense strategy exists, the first defense strategy having been generated for abnormal traffic identified before the current moment;
    if it exists, generating first visualization data for the network traffic in a subsequent period according to the existing first defense strategy;
    if it does not exist, generating second visualization data for the network traffic in the subsequent period according to a second defense strategy, the second defense strategy having been generated from normal traffic identified before the current moment.
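The per-period decision flow of claims 1, 2, 5 and 7 (and the summary above the claims), as an added example that is not the patent's or the applicant's own code: the three threshold rules of claim 7 run over constructed access-log records, a baseline is derived from history with abnormal periods filtered out (claim 5), a first strategy is generated from traffic that deviates from that baseline (claim 2), and the existing-first-else-second selection of claim 1 picks what is applied to the next period. The 60-second period, the threshold values, the (client_ip, status) record shape and the choice of client address as the "target field" are all assumptions.

```python
from dataclasses import dataclass

PERIOD_SECONDS = 60  # assumed length of one log period

# Constructed sample records: (client_ip, http_status), one per request in a period.
HISTORY = [
    [("10.0.0.1", 200)] * 45 + [("10.0.0.2", 200)] * 10,        # normal period
    [("10.0.0.1", 200)] * 50 + [("10.0.0.2", 200)] * 12,        # normal period
    [("10.0.0.1", 200)] * 40 + [("198.51.100.7", 503)] * 300,  # abnormal, must be filtered out
]
PREVIOUS_PERIOD = HISTORY[1]
CURRENT_PERIOD = [("10.0.0.1", 200)] * 40 + [("203.0.113.9", 404)] * 160


@dataclass(frozen=True)
class Thresholds:
    max_request_rate: float = 2.0  # first threshold: requests per second
    max_error_ratio: float = 0.5   # second threshold: share of 4xx/5xx responses
    max_growth_rate: float = 1.0   # third threshold: growth relative to previous period


def detect_abnormal_behavior(current, previous, th=Thresholds()):
    """Claim 7: the period is abnormal when any one of the three rules fires.
    Returns the names of the rules that fired; an empty list means normal."""
    fired = []
    if len(current) / PERIOD_SECONDS > th.max_request_rate:
        fired.append("request_rate")
    errors = sum(1 for _, status in current if status >= 400)
    if current and errors / len(current) > th.max_error_ratio:
        fired.append("error_ratio")
    if previous and (len(current) - len(previous)) / len(previous) > th.max_growth_rate:
        fired.append("growth_rate")
    return fired


def build_baseline(history):
    """Claim 5: drop abnormal periods from the history, then derive baseline
    features of normal traffic. The target field here is the client address."""
    normal = [p for i, p in enumerate(history)
              if not detect_abnormal_behavior(p, history[i - 1] if i else None)]
    counts = {}
    for period in normal:
        for ip, _ in period:
            counts[ip] = counts.get(ip, 0) + 1
    return {
        "known_clients": frozenset(counts),
        "mean_requests_per_client": sum(counts.values()) / (len(counts) * len(normal)),
    }


def generate_first_strategy(current, baseline):
    """Claim 2: compare the period's features with the baseline and build a
    strategy aimed only at the traffic that deviates from it."""
    counts = {}
    for ip, _ in current:
        counts[ip] = counts.get(ip, 0) + 1
    deviating = sorted(ip for ip, n in counts.items()
                       if ip not in baseline["known_clients"]
                       and n > baseline["mean_requests_per_client"])
    if not deviating:
        return None
    return {"kind": "first", "action": "rate_limit", "clients": deviating}


def generate_second_strategy(baseline):
    """Claim 5: a fallback built only from the baseline's target field, so it can
    be applied before any specific abnormal traffic has been characterised."""
    return {"kind": "second", "action": "allow_known_clients",
            "clients": sorted(baseline["known_clients"])}


def choose_strategy(current, previous, existing_first, baseline):
    """Claim 1: on abnormal behaviour, apply an already generated first strategy
    to the next period if one exists; otherwise fall back to the second."""
    if not detect_abnormal_behavior(current, previous):
        return None
    if existing_first is not None:
        return existing_first
    return generate_second_strategy(baseline)


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    first = generate_first_strategy(CURRENT_PERIOD, baseline)
    print("rules fired:", detect_abnormal_behavior(CURRENT_PERIOD, PREVIOUS_PERIOD))
    print("first strategy:", first)
    print("with first present:", choose_strategy(CURRENT_PERIOD, PREVIOUS_PERIOD, first, baseline)["kind"])
    print("with first absent:", choose_strategy(CURRENT_PERIOD, PREVIOUS_PERIOD, None, baseline)["kind"])
```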
PCT/CN2020/105033 2019-08-05 2020-07-28 Data processing method and device, and storage medium WO2021023053A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910717614.4 2019-08-05
CN201910717614.4A CN112333130B (en) 2019-08-05 2019-08-05 Data processing method, device and storage medium

Publications (1)

Publication Number Publication Date
WO2021023053A1 true WO2021023053A1 (en) 2021-02-11

Family

ID=74319270

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/105033 WO2021023053A1 (en) 2019-08-05 2020-07-28 Data processing method and device, and storage medium

Country Status (3)

Country Link
CN (1) CN112333130B (en)
TW (1) TW202107312A (en)
WO (1) WO2021023053A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113115351A (en) * 2021-03-31 2021-07-13 深圳市优克联新技术有限公司 Network exception processing method and device, terminal equipment and medium
CN113573350A (en) * 2021-06-16 2021-10-29 新浪网技术(中国)有限公司 Wireless equipment risk monitoring method and device
CN113608909A (en) * 2021-07-29 2021-11-05 阿里巴巴(中国)有限公司 Data processing method, device, equipment, system, storage medium and program product
CN113645233A (en) * 2021-08-10 2021-11-12 康键信息技术(深圳)有限公司 Wind control intelligent decision method and device for flow data, electronic equipment and medium
CN113660215A (en) * 2021-07-26 2021-11-16 杭州安恒信息技术股份有限公司 Attack behavior detection method and device based on Web application firewall
CN114338147A (en) * 2021-12-28 2022-04-12 中国银联股份有限公司 Method and device for detecting password blasting attack
CN115396314A (en) * 2022-08-26 2022-11-25 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection strategy set and message detection
CN117857222A (en) * 2024-03-07 2024-04-09 国网江西省电力有限公司电力科学研究院 Dynamic IP-based network dynamic defense system and method for new energy centralized control station

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660214B (en) * 2021-07-26 2023-02-28 杭州安恒信息技术股份有限公司 Protection method of Web server
CN114070619A (en) * 2021-11-12 2022-02-18 中国工商银行股份有限公司 Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN114244564B (en) * 2021-11-16 2024-04-16 北京网宿科技有限公司 Attack defense method, device, equipment and readable storage medium
CN114567498B (en) * 2022-03-04 2024-02-02 科来网络技术股份有限公司 Metadata extraction and processing method and system for network behavior visualization

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140157405A1 (en) * 2012-12-04 2014-06-05 Bill Joll Cyber Behavior Analysis and Detection Method, System and Architecture
CN105429963A (en) * 2015-11-04 2016-03-23 北京工业大学 Invasion detection analysis method based on Modbus/Tcp
CN105471854A (en) * 2015-11-18 2016-04-06 国网智能电网研究院 Adaptive boundary abnormity detection method based on multistage strategies
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defence installation and method based on cloud and local platform
CN108270600A (en) * 2016-12-30 2018-07-10 中国移动通信集团黑龙江有限公司 A kind of processing method and associated server to malicious attack flow
CN109347814A (en) * 2018-10-05 2019-02-15 李斌 A kind of container cloud security means of defence and system based on Kubernetes building
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7373659B1 (en) * 2001-12-20 2008-05-13 Mcafee, Inc. System, method and computer program product for applying prioritized security policies with predetermined limitations
US8856926B2 (en) * 2008-06-27 2014-10-07 Juniper Networks, Inc. Dynamic policy provisioning within network security devices
CN101505302A (en) * 2009-02-26 2009-08-12 中国联合网络通信集团有限公司 Dynamic regulating method and system for security policy
US8806638B1 (en) * 2010-12-10 2014-08-12 Symantec Corporation Systems and methods for protecting networks from infected computing devices
CN107682341A (en) * 2017-10-17 2018-02-09 北京奇安信科技有限公司 The means of defence and device of CC attacks

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140157405A1 (en) * 2012-12-04 2014-06-05 Bill Joll Cyber Behavior Analysis and Detection Method, System and Architecture
CN105429963A (en) * 2015-11-04 2016-03-23 北京工业大学 Invasion detection analysis method based on Modbus/Tcp
CN105471854A (en) * 2015-11-18 2016-04-06 国网智能电网研究院 Adaptive boundary abnormity detection method based on multistage strategies
CN108270600A (en) * 2016-12-30 2018-07-10 中国移动通信集团黑龙江有限公司 A kind of processing method and associated server to malicious attack flow
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defence installation and method based on cloud and local platform
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method
CN109347814A (en) * 2018-10-05 2019-02-15 李斌 A kind of container cloud security means of defence and system based on Kubernetes building

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113115351A (en) * 2021-03-31 2021-07-13 深圳市优克联新技术有限公司 Network exception processing method and device, terminal equipment and medium
CN113115351B (en) * 2021-03-31 2023-06-02 深圳市优克联新技术有限公司 Network exception processing method, processing device, terminal equipment and medium
CN113573350A (en) * 2021-06-16 2021-10-29 新浪网技术(中国)有限公司 Wireless equipment risk monitoring method and device
CN113660215A (en) * 2021-07-26 2021-11-16 杭州安恒信息技术股份有限公司 Attack behavior detection method and device based on Web application firewall
CN113608909A (en) * 2021-07-29 2021-11-05 阿里巴巴(中国)有限公司 Data processing method, device, equipment, system, storage medium and program product
CN113608909B (en) * 2021-07-29 2024-02-02 阿里巴巴(中国)有限公司 Data processing method, apparatus, device, system, storage medium and program product
CN113645233A (en) * 2021-08-10 2021-11-12 康键信息技术(深圳)有限公司 Wind control intelligent decision method and device for flow data, electronic equipment and medium
CN114338147A (en) * 2021-12-28 2022-04-12 中国银联股份有限公司 Method and device for detecting password blasting attack
CN114338147B (en) * 2021-12-28 2023-08-11 中国银联股份有限公司 Password blasting attack detection method and device
CN115396314A (en) * 2022-08-26 2022-11-25 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection strategy set and message detection
CN115396314B (en) * 2022-08-26 2024-04-26 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection policy set and message detection
CN117857222A (en) * 2024-03-07 2024-04-09 国网江西省电力有限公司电力科学研究院 Dynamic IP-based network dynamic defense system and method for new energy centralized control station

Also Published As

Publication number Publication date
CN112333130A (en) 2021-02-05
TW202107312A (en) 2021-02-16
CN112333130B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
WO2021023053A1 (en) Data processing method and device, and storage medium
US11805148B2 (en) Modifying incident response time periods based on incident volume
US11212306B2 (en) Graph database analysis for network anomaly detection systems
US10432650B2 (en) System and method to protect a webserver against application exploits and attacks
US10735455B2 (en) System for anonymously detecting and blocking threats within a telecommunications network
US11323453B2 (en) Data processing method, device, access control system, and storage media
US20190098027A1 (en) Joint defence method and apparatus for network security, and server and storage medium
AU2014244137B2 (en) Internet protocol threat prevention
US11516233B2 (en) Cyber defense system
US10587634B2 (en) Distributed denial-of-service attack detection based on shared network flow information
JP2015502060A (en) Streaming method and system for processing network metadata
US9306957B2 (en) Proactive security system for distributed computer networks
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
CN110875907A (en) Access request control method and device
US10462166B2 (en) System and method for managing tiered blacklists for mitigating network attacks
US10491625B2 (en) Retrieving network packets corresponding to detected abnormal application activity
CN108959923B (en) Comprehensive security sensing method and device, computer equipment and storage medium
Tang et al. FTODefender: An efficient flow table overflow attacks defending system in SDN
Lee et al. Managing cyber threat intelligence in a graph database: Methods of analyzing intrusion sets, threat actors, and campaigns
CN111131175A (en) Threat intelligence domain name protection system and method
KR20200054495A (en) Method for security operation service and apparatus therefor
EP4274160A1 (en) System and method for machine learning based malware detection
US20230370479A1 (en) Automatic generation of attack patterns for threat detection
Yuxiang et al. Big data information security risk framework design and countermeasures based on DDoS analysis
CN117896166A (en) Method, device, equipment and storage medium for monitoring computer network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20850419
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20850419
    Country of ref document: EP
    Kind code of ref document: A1