
CN116455801A - Method and device for acquiring full path network access relation - Google Patents


Info

Publication number
CN116455801A
CN116455801A
Authority
CN
China
Prior art keywords
network
nat device
nat
destination
session
Prior art date
Legal status
Granted
Application number
CN202310454802.9A
Other languages
Chinese (zh)
Other versions
CN116455801B (en)
Inventor
郭曦拓
徐徽
周明嘉
张佳温
张祥
颜回中
陈梓忠
Current Assignee
China Guangfa Bank Co Ltd
Original Assignee
China Guangfa Bank Co Ltd
Priority date
Filing date
Publication date
Application filed by China Guangfa Bank Co Ltd
Priority to CN202310454802.9A
Publication of CN116455801A
Application granted
Publication of CN116455801B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/256 NAT traversal
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a method and device for obtaining full-path network access relationships. The method includes: obtaining a structured session log corresponding to each of a plurality of NAT devices; extracting, from each NAT device's structured session log, the local network access relationship of a network session at that NAT device, where a network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs. The application solves the technical problem that, because NAT environments are complex, related techniques cannot efficiently and accurately obtain full-path network access relationships that traverse NAT devices.

Description

Method and device for obtaining full-path network access relationships

Technical field

This application relates to the technical field of network communication, and in particular to a method and device for obtaining full-path network access relationships.

Background

With the growth of online business, communication between the enterprise intranet and the Internet and extranets is becoming ever more frequent, and the security risk from the exposed surface of the network security boundary is increasing with it; quickly obtaining the network access relationships of the security boundary is critical for locating boundary attack incidents. Because the source network address (Internet Protocol, IP), destination IP and destination port of an access relationship may each be translated one or more times as a network access session crosses the security boundary, related techniques cannot efficiently and accurately obtain the full-path network access relationship across the security boundary in an environment with such complex Network Address Translation (NAT).

No effective solution to the above problem has yet been proposed.

Summary of the invention

Embodiments of this application provide a method and device for obtaining full-path network access relationships, so as to at least solve the technical problem that, because NAT environments are complex, related techniques cannot efficiently and accurately obtain full-path network access relationships that traverse NAT devices.

According to one aspect of the embodiments of this application, a method for obtaining a full-path network access relationship is provided, including: obtaining a structured session log corresponding to each of a plurality of NAT devices; extracting, from each NAT device's structured session log, the local network access relationship of a network session at that NAT device, where a network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.

Optionally, extracting the local network access relationship of the network session at each NAT device from that NAT device's structured session log includes: obtaining the network boundary topology of the NAT devices and generating an in/out path table for each NAT device from that topology, where the in/out path table includes: the NAT device's identification information, the name of the network boundary in which the NAT device is located, the NAT device's cascade level, the access direction of network sessions passing through the NAT device, the name of the ingress interface and the name of the egress interface, the ingress interface being the interface on which a network session enters the NAT device and the egress interface the interface on which it leaves the NAT device; generating a log aggregation table from the structured session logs and determining, from the NAT device's in/out path table and the log aggregation table, the access direction of the network session passing through the NAT device; and extracting the local network access relationship of the network session at the NAT device according to that access direction.

Optionally, obtaining a structured session log corresponding to each of the plurality of NAT devices includes: obtaining multiple logs from the NAT devices and extracting key element information from them, the key element information including: timestamp, source network address, destination network address, destination port, source-mapped network address, destination-mapped network address, destination-mapped port, protocol type, source interface and destination interface; obtaining identification information for each NAT device, the identification information including at least one of the NAT device's name and the NAT device's network address; and combining each NAT device's key element information with its identification information to obtain the structured session log corresponding to that NAT device.

Optionally, generating the log aggregation table from the structured session logs includes: determining a preset period and collecting the structured session logs within that period; classifying records whose key element information, apart from the timestamp, is completely identical into one group, so as to obtain multiple groups; and generating the log aggregation table from these groups, where the log aggregation table includes: the NAT device's identification information, the key element information, and the number of occurrences of each group.

Optionally, generating the log aggregation table from the structured session logs and determining, from the NAT device's in/out path table and the log aggregation table, the access direction of the network session passing through the NAT device includes: obtaining from the log aggregation table the NAT device's identification information, the name of the source interface corresponding to that identification information and the name of the destination interface corresponding to it; and using the identification information together with the corresponding source interface name and destination interface name to determine, via the NAT device's in/out path table, the access direction of the network session passing through the NAT device indicated by that identification information.

Optionally, extracting the local network access relationship of the network session at the NAT device according to the access direction includes: if the access direction is inbound, determining the source-mapped network address corresponding to the NAT device's identification information as the inner-interface source network address, the corresponding destination network address as the inner-interface destination network address, the corresponding destination port as the inner-interface destination port, the corresponding source network address as the outer-interface source network address, the corresponding destination-mapped network address as the outer-interface destination network address, and the corresponding destination-mapped port as the outer-interface destination port, where inbound indicates that a device outside the network boundary accesses a device inside it; and determining, from the inner-interface source network address, inner-interface destination network address, inner-interface destination port, outer-interface source network address, outer-interface destination network address and outer-interface destination port, the multiple local network access relationships of the network session at the NAT device when the access direction is inbound; if the access direction is outbound, determining the source network address corresponding to the NAT device's identification information as the inner-interface source network address, the corresponding destination-mapped network address as the inner-interface destination network address, the corresponding destination-mapped port as the inner-interface destination port, the corresponding source-mapped network address as the outer-interface source network address, the corresponding destination network address as the outer-interface destination network address, and the corresponding destination port as the outer-interface destination port, where outbound indicates that a device inside the network boundary accesses a device outside it; and determining, from the inner-interface source network address, inner-interface destination network address, inner-interface destination port, outer-interface source network address, outer-interface destination network address and outer-interface destination port, the multiple local network access relationships of the network session at the NAT device when the access direction is outbound.

Optionally, concatenating the local network access relationships of each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs includes: determining, from the NAT device's in/out path table, the number of NAT devices in the network boundary to which the NAT device belongs; if the number is greater than one, concatenating the local network access relationships of the multiple NAT devices within the same network boundary according to a concatenation rule to obtain the full-path network access relationship; and if the number equals one, taking the NAT device's local network access relationship as the full-path network access relationship.

Optionally, concatenating the local network access relationships of multiple NAT devices within the same network boundary according to the concatenation rule includes: if the inner-interface source network address of a first NAT device among the multiple NAT devices equals the outer-interface source network address of a second NAT device, the inner-interface destination network address of the first NAT device equals the outer-interface destination network address of the second NAT device, and the inner-interface destination port of the first NAT device equals the outer-interface destination port of the second NAT device, concatenating the local network access relationship of the first NAT device and that of the second NAT device into the full-path access relationship of the network boundary, where the first and second NAT devices belong to the same network boundary and are adjacent to each other, and the cascade level of the first NAT device is lower than that of the second NAT device.

Optionally, the method for obtaining the full-path network access relationship further includes: determining the node corresponding to the device that initiates the access request in the full-path network access relationship as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices in the full-path network access relationship as intermediate nodes; determining the line segments connecting the start node, intermediate nodes and end node as edges, where the direction of an edge is determined by the access direction in which the network session crosses the network boundary and is indicated by an arrow; generating a visual graph of the full-path network access relationship from the start node, intermediate nodes, end node and edges; and displaying the visual graph of the full-path network access relationship.
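As an added example that is not part of the patent or its applicant's code, the following Python models the optional steps above end to end: aggregating structured session logs by key elements (timestamp excluded), resolving the access direction from the in/out path table, mapping log fields to inner/outer interface tuples, concatenating cascaded NAT devices by the matching rule, and emitting the directed edges of the visual graph. All device names, interface names and addresses are constructed; the field and direction semantics follow the definitions in the text.

```python
from collections import Counter, namedtuple

# Key elements of a structured session log, minus the timestamp (grouping key).
KEY_FIELDS = ("nat_id", "src", "dst", "dport", "src_mapped", "dst_mapped",
              "dport_mapped", "proto", "src_if", "dst_if")

# One row of the in/out path table: level 1 is the NAT device nearest the
# outside; in_if/out_if are the interfaces a session enters and leaves on.
PathEntry = namedtuple("PathEntry", "nat_id boundary level direction in_if out_if")

# Constructed path table: one boundary, two cascaded NAT devices (names made up).
PATH_TABLE = [
    PathEntry("fw-edge", "dmz", 1, "inbound", "eth-wan", "eth-dmz"),
    PathEntry("fw-edge", "dmz", 1, "outbound", "eth-dmz", "eth-wan"),
    PathEntry("lb-core", "dmz", 2, "inbound", "eth-dmz", "eth-app"),
    PathEntry("lb-core", "dmz", 2, "outbound", "eth-app", "eth-dmz"),
]

# Constructed structured session logs. Per the patent's definitions, src,
# dst_mapped and dport_mapped are the values before translation; src_mapped,
# dst and dport the values after it. The first two records differ only in
# timestamp and therefore aggregate into one row with count 2.
SESSION_LOGS = [
    {"ts": 100, "nat_id": "fw-edge", "src": "203.0.113.5", "dst": "10.1.0.10",
     "dport": 8443, "src_mapped": "10.1.0.250", "dst_mapped": "198.51.100.20",
     "dport_mapped": 443, "proto": "tcp", "src_if": "eth-wan", "dst_if": "eth-dmz"},
    {"ts": 101, "nat_id": "fw-edge", "src": "203.0.113.5", "dst": "10.1.0.10",
     "dport": 8443, "src_mapped": "10.1.0.250", "dst_mapped": "198.51.100.20",
     "dport_mapped": 443, "proto": "tcp", "src_if": "eth-wan", "dst_if": "eth-dmz"},
    {"ts": 100, "nat_id": "lb-core", "src": "10.1.0.250", "dst": "10.2.0.7",
     "dport": 8080, "src_mapped": "10.2.0.1", "dst_mapped": "10.1.0.10",
     "dport_mapped": 8443, "proto": "tcp", "src_if": "eth-dmz", "dst_if": "eth-app"},
]

def aggregate(logs):
    """Log aggregation table: group records whose key elements are identical
    (timestamp ignored) and record how often each group occurred."""
    counts = Counter(tuple(r[k] for k in KEY_FIELDS) for r in logs)
    return [dict(zip(KEY_FIELDS, key), count=n) for key, n in counts.items()]

def access_direction(row, path_table=PATH_TABLE):
    """Resolve inbound/outbound from nat_id plus the log's source and
    destination interface names via the in/out path table."""
    for e in path_table:
        if (e.nat_id, e.in_if, e.out_if) == (row["nat_id"], row["src_if"], row["dst_if"]):
            return e.direction
    raise ValueError(f"no path entry for {row['nat_id']} {row['src_if']}->{row['dst_if']}")

def local_relation(row, direction):
    """Map log fields onto (src, dst, dport) tuples for the NAT device's inner
    and outer interface, exactly as the inbound/outbound rules above state."""
    if direction == "inbound":
        inner = (row["src_mapped"], row["dst"], row["dport"])
        outer = (row["src"], row["dst_mapped"], row["dport_mapped"])
    else:
        inner = (row["src"], row["dst_mapped"], row["dport_mapped"])
        outer = (row["src_mapped"], row["dst"], row["dport"])
    return {"nat_id": row["nat_id"], "direction": direction,
            "inner": inner, "outer": outer, "count": row["count"]}

def concatenate(relations, path_table=PATH_TABLE):
    """Chain local relations of cascaded NAT devices: the lower-level device's
    inner tuple must equal the next level's outer tuple. A boundary with a
    single NAT device yields its local relation as the full path unchanged."""
    level = {e.nat_id: e.level for e in path_table}
    paths = []
    for start in (r for r in relations if level[r["nat_id"]] == 1):
        chain = [start]
        while True:
            cur = chain[-1]
            nxt = [r for r in relations
                   if level[r["nat_id"]] == level[cur["nat_id"]] + 1
                   and r["direction"] == cur["direction"]
                   and r["outer"] == cur["inner"]]
            if not nxt:
                break
            chain.append(nxt[0])
        paths.append(chain)
    return paths

def full_paths(logs, path_table=PATH_TABLE):
    """Whole pipeline: aggregate, resolve direction, extract, concatenate."""
    rows = aggregate(logs)
    rels = [local_relation(r, access_direction(r, path_table)) for r in rows]
    return concatenate(rels, path_table)

def to_edges(chain):
    """Directed edges for the visual graph: start node, NAT nodes, end node.
    Inbound paths run from level 1 inward, outbound from the innermost out."""
    hops = [r["nat_id"] for r in chain]
    if chain[0]["direction"] == "inbound":
        nodes = [chain[0]["outer"][0]] + hops + [chain[-1]["inner"][1]]
    else:
        nodes = [chain[-1]["inner"][0]] + hops[::-1] + [chain[0]["outer"][1]]
    return list(zip(nodes, nodes[1:]))
```

Running `full_paths(SESSION_LOGS)` yields one chain fw-edge -> lb-core whose first hop carries count 2, and `to_edges` turns it into client -> fw-edge -> lb-core -> server for display.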

According to another aspect of the embodiments of this application, a system for displaying full-path network access relationships is also provided, including: a terminal device, a data visualization server and a data processing server, where the terminal device is connected to the data visualization server and is used to send it a query request for the full-path network access relationship of a network boundary and to display the full-path network access relationship; the data visualization server is connected to the data processing server and is used to respond to the query request and obtain the data corresponding to the full-path network access relationship; and the data processing server is used to obtain multiple logs from multiple NAT devices, convert them into the structured session log corresponding to each NAT device, extract from each NAT device's structured session log the local network access relationship of the network session at that NAT device, concatenate the local network access relationships at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, store the data corresponding to the full-path network access relationship and deliver that data to the data visualization server, where a network session is a session between a device inside the network boundary and a device outside it.

According to another aspect of the embodiments of this application, an apparatus for obtaining a full-path network access relationship is also provided, including: an obtaining module, used to obtain a structured session log corresponding to each of a plurality of NAT devices; an extraction module, used to extract, from each NAT device's structured session log, the local network access relationship of a network session at that NAT device, where a network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and a processing module, used to concatenate the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.

According to another aspect of the embodiments of this application, a non-volatile storage medium is also provided, in which a computer program is stored, where the device on which the non-volatile storage medium resides executes the above method for obtaining full-path network access relationships by running the computer program.

According to another aspect of the embodiments of this application, an electronic device is also provided, including a memory and a processor, where a computer program is stored in the memory and the processor is configured to execute the above method for obtaining full-path network access relationships by means of the computer program.

In the embodiments of this application, the approach adopted is to obtain a structured session log corresponding to each of a plurality of NAT devices; to extract, from each NAT device's structured session log, the local network access relationship of a network session at that NAT device, where a network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and to concatenate the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs. By collecting the local network access relationships before and after each of the multiple NAT device nodes on the boundary network path and matching and concatenating the local network access relationships collected at those nodes, the purpose of obtaining and displaying the full-path network access relationship across the network boundary in which the NAT devices are located is achieved. This produces the technical effect that the full-path network access relationship traversing NAT devices can still be obtained accurately and efficiently in application scenarios with complex NAT configurations on the NAT devices, such as one-to-many mappings, many-to-one mappings, and address mappings and port mappings associated with policy-based routing (PBR), as well as in complex scenarios where multiple NAT devices are cascaded, and thereby solves the technical problem that, because NAT environments are complex, related techniques cannot efficiently and accurately obtain the full-path network access relationship traversing NAT devices.

Brief description of the drawings

The drawings described here are provided for further understanding of this application and form part of it; the schematic embodiments of this application and their descriptions are used to explain the application and do not constitute an improper limitation of it. In the drawings:

FIG. 1 is a flowchart of a method for obtaining full-path network access relationships according to an embodiment of this application;

FIG. 2 is a schematic diagram of a log aggregation table according to an embodiment of this application;

FIG. 3 is a schematic diagram of a network boundary topology according to an embodiment of this application;

FIG. 4 is a schematic diagram of a NAT device's in/out path table according to an embodiment of this application;

FIG. 5 is a schematic diagram of a full-path network access relationship table according to an embodiment of this application;

FIG. 6 is a schematic diagram of a visual graph of a full-path network access relationship according to an embodiment of this application;

FIG. 7 is a structural diagram of a system for displaying full-path network access relationships according to an embodiment of this application;

FIG. 8 is a workflow diagram of a system for displaying full-path network access relationships according to an embodiment of this application;

FIG. 9 is a structural diagram of an apparatus for full-path network access relationships according to an embodiment of this application.

Detailed description

To help those skilled in the art better understand the solution of this application, the technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, shall fall within the scope of protection of this application.

It should be noted that the terms "first", "second" and the like in the description and claims of this application and in the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of this application described here can be practised in orders other than those illustrated or described here. Furthermore, the terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.

To better understand the embodiments of this application, the technical terms involved in them are explained as follows:

NAT device: a device capable of translating the source IP, destination IP, destination port and similar fields of IP packets in network communication. In the embodiments of this application a NAT device may be a firewall, load balancer, switch, router, NAT gateway or other device with a NAT function; in form, it may be a physical device, a virtual server or a cloud server.

Timestamp: data produced by digital signature technology and used to authenticate the time at which the signed object was generated; in the embodiments of this application, the timestamp of each log indicates when that log was generated.

Source network address (source IP): the real source IP, i.e. the value of the source address field in the IP packet header before a packet initiated on the client side enters the NAT device.

源映射网络地址(源映射IP):表示客户端侧发起的数据包穿越NAT设备出来后的IP包报文中源地址字段的IP值。Source-mapped network address (source-mapped IP): Indicates the IP value of the source address field in the IP packet message after the data packet initiated by the client side passes through the NAT device.

目的网络地址(目的IP):表示真实目的IP,即客户端侧发起的数据包穿越NAT设备之后的IP包报文中目的地址字段的IP值。Destination network address (destination IP): Indicates the real destination IP, that is, the IP value of the destination address field in the IP packet after the data packet initiated by the client side passes through the NAT device.

目的映射网络地址(目的映射IP):表示客户端侧发起的数据包进入NAT设备之前的IP包报文中的目的地址字段的IP值。Destination mapping network address (destination mapping IP): Indicates the IP value of the destination address field in the IP packet message before the data packet initiated by the client side enters the NAT device.

目的端口:表示真实目的端口,即客户端侧发起的数据包穿越NAT设备之后的IP包报文中目的端口字段的端口值。Destination port: Indicates the real destination port, that is, the port value of the destination port field in the IP packet after the data packet initiated by the client side passes through the NAT device.

目的映射端口:表示客户端侧发起的数据包进入NAT设备之前的IP包报文中的目的端口字段的端口值。Destination mapping port: Indicates the port value of the destination port field in the IP packet before the data packet initiated by the client side enters the NAT device.

内接口:表示NAT设备靠近内部网络的一侧的接口;当外部网络客户端主动访问内部网络时,是数据包的出接口;当内部网络客户端主动访问外部网络时,是数据包的入接口。Internal interface: indicates the interface on the side of the NAT device close to the internal network; when the external network client actively accesses the internal network, it is the outgoing interface of the data packet; when the internal network client actively accesses the external network, it is the incoming interface of the data packet .

外接口:表示NAT设备靠近外部网络一侧的接口;当外部网络客户端主动访问内部网络时,是数据包的入接口;当内部网络客户端主动访问外部网络时,是数据包的出接口。External interface: indicates the interface on the side of the NAT device close to the external network; when the external network client actively accesses the internal network, it is the incoming interface of the data packet; when the internal network client actively accesses the external network, it is the outgoing interface of the data packet.

内接口源网络地址(内接口源IP):表示客户端侧发起的数据包在NAT设备内接口侧IP包报文中源IP字段的IP值。Internal interface source network address (internal interface source IP): Indicates the IP value of the source IP field in the IP packet message on the internal interface side of the NAT device for data packets initiated by the client side.

内接口目的网络地址(内接口目的IP):表示客户端侧发起的数据包在NAT设备内接口侧IP包报文中目的IP字段的IP值。Internal interface destination network address (internal interface destination IP): Indicates the IP value of the destination IP field in the IP packet message on the internal interface side of the NAT device for data packets initiated by the client side.

内接口目的端口:表示客户端侧发起的数据包在NAT设备内接口侧IP包报文中目的端口字段的端口值。Destination port of internal interface: Indicates the port value of the destination port field in the IP packet message of the internal interface side of the NAT device for the data packet initiated by the client side.

外接口源网络地址(外接口源IP):表示客户端侧发起的数据包在NAT设备外接口侧IP包报文中源IP字段的IP值。External interface source network address (external interface source IP): Indicates the IP value of the source IP field in the IP packet message on the external interface side of the NAT device for data packets initiated by the client side.

外接口目的网络地址(外接口目的IP):表示客户端侧发起的数据包在NAT设备外接口侧IP包报文中目的IP字段的IP值。Destination network address of the external interface (destination IP of the external interface): indicates the IP value of the destination IP field in the IP packet message on the external interface side of the NAT device of the data packet initiated by the client side.

外接口目的端口:表示客户端侧发起的数据包在NAT设备外接口侧IP包报文中目的端口字段的端口值。External interface destination port: Indicates the port value of the destination port field in the IP packet message on the external interface side of the NAT device for data packets initiated by the client side.

局部网络访问关系:网络安全边界拓扑路径中某个具体位置观测到的网络流量中的访问关系,在本申请实施例中用客户端发起的数据包中的“源IP、目的IP、目的端口和协议”共同表示一个网络访问关系。Local network access relationship: the access relationship in the network traffic observed at a specific location in the topological path of the network security boundary. In the embodiment of this application, the "source IP, destination IP, destination port and Agreement" collectively represent a network access relationship.

全路径网络访问关系:经过NAT设备后,局部网络访问关系将发生转换。将网络安全边界路径中每个NAT设备前后的局部网络访问关系按顺序进行串联匹配后,得到的穿越整个网络安全边界的全路径网络访问关系。Full-path network access relationship: After passing through the NAT device, the local network access relationship will be converted. After the local network access relationship before and after each NAT device in the network security boundary path is serially matched, the full-path network access relationship across the entire network security boundary is obtained.

In the related art, the local network access relationship of a server is obtained by installing an agent on the server that reports the server's network access information to a central monitoring server; alternatively, network traffic probes are deployed to capture traffic packets, which a network traffic analysis device parses into network session data that is then aggregated to obtain the network access relationships crossing the network boundary. However, the network access relationships collected by an agent are mixed with intranet-internal access relationships and must be filtered against a further database, such as a configuration management database (CMDB), before the relationships crossing the network boundary can be identified; and because a data center generates a large volume of cross-boundary business traffic every day, parsing the packets captured by traffic probes to obtain the cross-boundary access relationships places high demands on CPU, storage and configuration. Consequently, these approaches can only obtain the local network access relationships crossing the network boundary, are cumbersome, and are costly. To solve this problem, the embodiments of the present application provide the solution described in detail below.

According to an embodiment of the present application, an embodiment of a method for acquiring a full-path network access relationship is provided. It should be noted that the steps shown in the flowchart of the drawings may be executed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that given here.

Fig. 1 is a flowchart of a method for acquiring a full-path network access relationship according to an embodiment of the present application. As shown in Fig. 1, the method includes the following steps:

Step S102: acquire the structured session log corresponding to each of a plurality of NAT devices.

The method provided by the present application builds on the session logs of the NAT devices, so step S102 first acquires the structured session log of each NAT device on the network boundary. A network boundary usually contains multiple NAT devices of different types; the format of the collected logs differs from type to type, and the raw log as first collected is usually a long string of unstructured characters. Therefore, when acquiring the structured session log of each NAT device, the interface protocol of the log interface provided by each NAT device is identified first. Specifically, the interface protocol may be one of several protocols, such as the system logging protocol (syslog), File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP) or HyperText Transfer Protocol (HTTP). The session log of each NAT device is collected according to its interface protocol; for example, if the log interface provided by a NAT device uses syslog, the session log of that NAT device is obtained over syslog. The collected log is then converted into a structured session log in a standard form.

According to an optional embodiment of the present application, acquiring the structured session log corresponding to each of the plurality of NAT devices includes the following steps: acquiring a plurality of logs from the plurality of NAT devices and extracting key element information from the plurality of logs, where the key element information includes at least one of: timestamp, source network address, destination network address, destination port, source-mapped network address, destination-mapped network address, destination-mapped port, protocol type, source interface and destination interface; acquiring the identification information of each NAT device, where the identification information includes at least one of: the name of the NAT device and the network address of the NAT device; and combining the key element information of each NAT device with the identification information of that NAT device to obtain the structured session log corresponding to each NAT device.

In this embodiment, the collected logs are converted into structured session logs in a standard form as follows. Each collected log is parsed, and from each entry the following key element information is extracted: the timestamp; the value of the source address field of the IP packet from the client side before it enters the NAT device (i.e. the source network address, source IP); the value of the destination address field of the IP packet from the client side after it has passed through the NAT device (i.e. the destination network address, destination IP); the value of the destination port field of the IP packet from the client side after it has passed through the NAT device (i.e. the destination port); the value of the source address field of the IP packet from the client side after it has left the NAT device (i.e. the source-mapped network address, source-mapped IP); the value of the destination address field of the IP packet from the client side before it enters the NAT device (i.e. the destination-mapped network address, destination-mapped IP); the value of the destination port field of the IP packet from the client side before it enters the NAT device (i.e. the destination-mapped port); the protocol used by the network session to which the log corresponds; the interface through which the packet enters the NAT device (i.e. the source interface); and the interface through which the packet leaves the NAT device (i.e. the destination interface). At the same time, identification information that identifies the NAT device, such as the name of the NAT device or its IP address, is extracted from the collected logs. The name or IP address of the NAT device is then combined with the key element information of the NAT device it identifies (source IP, destination IP, destination port, source-mapped IP, destination-mapped IP, destination-mapped port, source interface, destination interface and so on) to generate the structured session log of each NAT device. For example, the fields may be combined in the following order to obtain the structured session log of each NAT device: the first field is the NAT device name, the second the source IP, the third the destination IP, the fourth the destination port, the fifth the protocol type, the sixth the source-mapped IP, the seventh the destination-mapped IP, the eighth the destination-mapped port, the ninth the source interface and the tenth the destination interface.
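As an added illustration of the conversion just described (example code written for this page, not part of the patent or of any vendor's collector), the following Python takes raw syslog lines from two NAT devices that emit different body formats, identifies the device from the syslog hostname, extracts the ten key elements together with the device identification, and emits the ten-field row in the order given above. The hostnames device-2-1 and device-2-2, the key=value and comma-separated body formats and the field names are all constructed for the example; real devices have their own formats, each of which needs its own parser. Lines from hosts that are not registered NAT devices, or that fail to parse, are returned separately rather than dropped, so that gaps in the session record are visible to whoever reviews the resulting access relationships.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample syslog lines (not a real vendor format). Two hypothetical
# device types emit two different bodies for the same kind of session facts:
# a key=value body and a comma-separated positional body.
SAMPLE_LINES = [
    "<134>Jan  1 10:00:01 device-2-1 session: ts=2022-01-01T10:00:01 src=211.0.0.2 "
    "dst=172.16.0.2 dport=8080 proto=tcp xsrc=211.0.0.2 xdst=112.0.0.2 xdport=80 "
    "in_if=extranet out_if=inside",
    "<134>Jan  1 10:00:02 device-2-2 2022-01-01T10:00:02,10.0.0.5,198.51.100.9,443,"
    "tcp,203.0.113.7,198.51.100.9,443,intranet,outside",
    "<134>Jan  1 10:00:03 unknown-box something unrelated",
]


@dataclass(frozen=True)
class SessionLog:
    """One structured session log entry: device identification plus key elements."""
    device: str
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    src_map_ip: str
    dst_map_ip: str
    dst_map_port: int
    src_if: str
    dst_if: str

    def as_row(self) -> tuple:
        """Ten-field ordering given in the text: device name, source IP, destination IP,
        destination port, protocol, source-mapped IP, destination-mapped IP,
        destination-mapped port, source interface, destination interface."""
        return (self.device, self.src_ip, self.dst_ip, self.dst_port, self.protocol,
                self.src_map_ip, self.dst_map_ip, self.dst_map_port, self.src_if, self.dst_if)


# RFC 3164-style header: <PRI>Mmm dd HH:MM:SS host body
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (.*)$")
KV_PAIR = re.compile(r"(\w+)=(\S+)")


def parse_kv_body(device: str, body: str) -> SessionLog:
    """Hypothetical firewall format: 'session: k=v k=v ...'."""
    f = dict(KV_PAIR.findall(body))
    return SessionLog(device, f["ts"], f["src"], f["dst"], int(f["dport"]), f["proto"],
                      f["xsrc"], f["xdst"], int(f["xdport"]), f["in_if"], f["out_if"])


def parse_csv_body(device: str, body: str) -> SessionLog:
    """Hypothetical load-balancer format: ten comma-separated positional fields."""
    p = [x.strip() for x in body.split(",")]
    if len(p) != 10:
        raise ValueError(f"expected 10 fields, got {len(p)}")
    return SessionLog(device, p[0], p[1], p[2], int(p[3]), p[4],
                      p[5], p[6], int(p[7]), p[8], p[9])


# Device identification -> body parser. In a real collector this comes from the
# device inventory; here it is a constructed two-entry table.
DEVICE_PARSERS: Dict[str, Callable[[str, str], SessionLog]] = {
    "device-2-1": parse_kv_body,
    "device-2-2": parse_csv_body,
}


def to_structured(lines: List[str]) -> Tuple[List[SessionLog], List[str]]:
    """Convert raw syslog lines into structured session logs.

    Returns (records, rejected): rejected holds lines from unknown hosts or lines
    that do not parse, so they can be reviewed instead of vanishing silently.
    """
    records, rejected = [], []
    for line in lines:
        m = SYSLOG_HEADER.match(line)
        if not m:
            rejected.append(line)
            continue
        host, body = m.group(1), m.group(2)
        parser = DEVICE_PARSERS.get(host)
        if parser is None:
            rejected.append(line)
            continue
        try:
            records.append(parser(host, body))
        except (KeyError, ValueError):
            rejected.append(line)
    return records, rejected


if __name__ == "__main__":
    recs, bad = to_structured(SAMPLE_LINES)
    for r in recs:
        print(r.as_row())
    print("rejected:", len(bad))
```

The parser is chosen by device identity rather than by sniffing the body, which mirrors the text's point that the log interface and format are known per device; a rejected count that rises after a firmware upgrade is the usual sign that a device's log format changed.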

Step S104: according to the structured session log corresponding to each NAT device, extract the local network access relationship of the network session at each NAT device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that network boundary.

After the structured session log of each NAT device has been obtained by the method of step S102, step S104 extracts, from the information recorded in the structured session log of each NAT device, the access relationship of the network sessions observed at that NAT device (i.e. the local network access relationship), where a network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary.

According to another optional embodiment of the present application, extracting the local network access relationship of the network session at each NAT device according to the structured session log corresponding to that NAT device includes the following steps: acquiring the network boundary topology relationship of the NAT device and generating the ingress/egress path table of the NAT device from the network boundary topology relationship, where the ingress/egress path table includes the identification information of the NAT device, the name of the network boundary on which the NAT device is located, the cascade level of the NAT device, the access direction of the network session passing through the NAT device, the name of the ingress interface and the name of the egress interface, the ingress interface being the interface through which the network session enters the NAT device and the egress interface the interface through which it leaves; generating a log aggregation table from the structured session log and determining the access direction of the network session passing through the NAT device from the ingress/egress path table and the log aggregation table; and extracting the local network access relationship of the network session at the NAT device according to the access direction.

In this embodiment, the local network access relationship at each NAT device is extracted from the information recorded in its structured session log by the following steps. First, a log aggregation table is generated from the structured session log of each NAT device obtained in step S102. Next, the network boundary topology of the boundary to which the NAT device belongs is acquired; it records the name/IP address of the NAT device (i.e. its identification information), the name of the network boundary on which the NAT device is located, the cascade level of the NAT device, the access direction of the network session through the NAT device, the name of the interface through which the network session enters the NAT device (the ingress interface) and the name of the interface through which it leaves (the egress interface). The direction in which the network access passes through the NAT device is determined from the network boundary topology and the log aggregation table, i.e. whether the access direction is external network → NAT device → internal network or internal network → NAT device → external network. Finally, the local network access relationship of the network session at each NAT device is extracted according to the determined access direction.

According to some preferred embodiments of the present application, generating the log aggregation table from the structured session log includes: determining a preset period and collecting the plurality of structured session logs within that period; classifying, among the plurality of structured session logs, the entries whose key element information other than the timestamp is identical into one group, thereby obtaining multiple groups of data; and generating the log aggregation table from the multiple groups, where the log aggregation table includes the identification information of the NAT device, the key element information and the number of occurrences of each group.

In some preferred embodiments, the log aggregation table is generated from the structured session log as follows. Because a NAT device produces one log entry every time a session is established, collecting NAT device logs in real time in the embodiments of the present application yields a large volume of data, much of which consists of entries that are identical apart from the timestamp. Therefore, in some preferred embodiments, a processing period (the preset period) such as one hour, one day or one month is set in advance; the structured session logs are collected within the processing period and the logs within that period are aggregated. Specifically, structured session logs whose key element information, such as NAT device name/IP address, source IP, destination IP, destination port and protocol type, is identical are aggregated into one group of data, and the multiple groups obtained in this way are stored to produce the log aggregation table. Fig. 2 is a schematic diagram of the log aggregation table. As shown in Fig. 2, the headings of the log aggregation table are, in order: date, NAT device, source IP, destination IP, destination port, protocol, source-mapped IP, destination-mapped IP, destination-mapped port, source interface, destination interface and connection count (i.e. the number of occurrences of each group of data). The date indicates the day on which the log was generated, the NAT device indicates the name/IP address of the NAT device, and the connection count indicates how many times the group of data occurred within one processing period. As shown in Fig. 2, among the data collected in a processing period on 1 January 2022, device 2-1 produced 100 log entries with source IP 211.0.0.2, destination IP 172.16.0.2, destination port 8080, protocol type Transmission Control Protocol (TCP), source-mapped IP 211.0.0.2, destination-mapped IP 112.0.0.2, destination-mapped port 80, source interface extranet and destination interface inside; a log of this form is recorded once in the log table and its number of occurrences is noted after it. Furthermore, as many groups of data are recorded in the log aggregation table as there are distinct kinds of log in a processing period, i.e. the number of groups equals the number of log kinds, where logs count as different kinds if any one of NAT device name/IP address, source IP, destination IP, destination port and protocol type differs.

It should be noted that if the source IP and the source-mapped IP are the same, the NAT device has not translated the source IP field; if the destination IP and the destination-mapped IP are the same, the NAT device has not translated the destination IP field; and if the destination port and the destination-mapped port are the same, the NAT device has not translated the destination port field.
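The aggregation into the log aggregation table, together with the check in the note above for which header fields a device actually translated, as an added Python example (written for this page, not the patent's code). The session records are constructed to reproduce the Fig. 2 row (100 sessions on 1 January 2022 through device 2-1 that differ only in timestamp) plus a few further records; the processing period is selected by truncating the ISO-8601 timestamp, and the grouping key defaults to every field except the timestamp but can be narrowed to the five fields the text names for distinguishing log kinds.

```python
from collections import Counter
from typing import Dict, Iterable, List, Sequence

# Fields of a structured session log other than the timestamp, in the order the
# text lists them for the log aggregation table.
KEY_FIELDS = ("device", "src_ip", "dst_ip", "dst_port", "protocol",
              "src_map_ip", "dst_map_ip", "dst_map_port", "src_if", "dst_if")

# The Fig. 2 row as a dict; "device-2-1" is a constructed name for device 2-1.
FIGURE2_FACTS = dict(device="device-2-1", src_ip="211.0.0.2", dst_ip="172.16.0.2",
                     dst_port=8080, protocol="tcp", src_map_ip="211.0.0.2",
                     dst_map_ip="112.0.0.2", dst_map_port=80,
                     src_if="extranet", dst_if="inside")


def make_log(timestamp: str, **overrides) -> Dict:
    """Constructed structured session log entry derived from the Fig. 2 facts."""
    log = dict(FIGURE2_FACTS, timestamp=timestamp)
    log.update(overrides)
    return log


SAMPLE_LOGS: List[Dict] = (
    # 100 sessions on 2022-01-01 that differ only in their timestamp
    [make_log(f"2022-01-01T10:{i // 60:02d}:{i % 60:02d}") for i in range(100)]
    # three more of the same kind on the next day, spread over two hours
    + [make_log("2022-01-02T11:00:00"), make_log("2022-01-02T11:30:00"),
       make_log("2022-01-02T12:00:00")]
    # two sessions towards a different published port on 2022-01-01 (constructed)
    + [make_log("2022-01-01T10:05:00", dst_port=8443, dst_map_port=443),
       make_log("2022-01-01T10:06:00", dst_port=8443, dst_map_port=443)]
)


def bucket_of(timestamp: str, period: str) -> str:
    """Truncate an ISO-8601 timestamp to the processing period it falls in."""
    width = {"hour": 13, "day": 10, "month": 7}[period]
    return timestamp[:width]


def aggregate(logs: Iterable[Dict], period: str = "day",
              key_fields: Sequence[str] = KEY_FIELDS) -> List[Dict]:
    """Build the log aggregation table: one row per (period, key fields) with a count."""
    counts: Counter = Counter()
    for log in logs:
        key = (bucket_of(log["timestamp"], period),) + tuple(log[f] for f in key_fields)
        counts[key] += 1
    rows = []
    for key, n in sorted(counts.items(), key=lambda kv: kv[0]):
        row = dict(zip(("date",) + tuple(key_fields), key))
        row["connections"] = n
        rows.append(row)
    return rows


def translated_fields(row: Dict) -> List[str]:
    """Header fields the NAT device rewrote. Per the note in the text, a field whose
    real and mapped values are equal was not translated by the device."""
    changed = []
    if row["src_ip"] != row["src_map_ip"]:
        changed.append("source_ip")
    if row["dst_ip"] != row["dst_map_ip"]:
        changed.append("destination_ip")
    if row["dst_port"] != row["dst_map_port"]:
        changed.append("destination_port")
    return changed


def find_row(rows: List[Dict], **match) -> Dict:
    """First aggregation row whose columns equal the given values (None if none)."""
    for row in rows:
        if all(row.get(k) == v for k, v in match.items()):
            return row
    return None


if __name__ == "__main__":
    for row in aggregate(SAMPLE_LOGS, "day"):
        print(row["date"], row["device"], row["dst_port"], row["connections"],
              translated_fields(row))
```

Grouping on every non-timestamp field is the safer default: if two entries share device, source, destination, port and protocol but differ in mapped address or interface, that is itself worth seeing in the table, because it means the device applied two different NAT rules to what looks like one access relationship.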

According to an optional embodiment of the present application, generating the log aggregation table from the structured session log and determining the access direction of the network session passing through the NAT device from the ingress/egress path table and the log aggregation table includes: obtaining, from the log aggregation table, the identification information of the NAT device, the name of the source interface corresponding to that identification information and the name of the destination interface corresponding to that identification information; and using the identification information of the NAT device together with the corresponding source interface name and destination interface name to look up, in the ingress/egress path table of the NAT device, the access direction of the network session passing through the NAT device indicated by that identification information.

Fig. 3 is a schematic diagram of a network boundary topology. As shown in Fig. 3, the path of a network session through the NAT devices is recorded in the form of a topology diagram. The network boundary topology includes: the name of the network boundary on which the NAT devices are located, the name of each NAT device on that network boundary, the cascade level of each NAT device, the name of the ingress interface and the name of the egress interface of each NAT device, the name of the network accessing the network boundary, and the name of the network reached after crossing the network boundary. In Fig. 3 the network boundary is named network boundary 1 and contains device 2-1 and device 2-2, where the "-1" in device 2-1 indicates that the cascade level of that NAT device is 1 and, likewise, the "-2" in device 2-2 indicates that its cascade level is 2. When internal network 2 and/or internal network 3 is accessed from external network 1, the ingress interface of device 2-1 is extranet and its egress interface is inside, while the ingress interface of device 2-2 is outside and its egress interfaces are dmz and intranet. When determining the access direction, the values of the three fields NAT device, source interface and destination interface of each group of logs recorded in the log aggregation table are looked up together to find the access direction of the network session corresponding to that group. For example, if in a group of logs recorded in the log aggregation table the NAT device field is device 2-1, the source interface field is extranet and the destination interface field is inside, and the network boundary topology of Fig. 3 shows that network boundary 1 contains a NAT device named device 2-1 whose ingress interface is extranet and whose egress interface is inside, then the NAT device recorded in this group of logs and the NAT device in the topology are determined to be the same NAT device, and the topology shows that traffic from interface extranet to interface inside is access from the external network to the internal network; the access direction of the network session at NAT device 2-1 is therefore determined to be inbound. Conversely, if in another group of logs recorded in the log aggregation table the NAT device field is device 2-2, the source interface field is intranet and the destination interface field is outside, and the network boundary topology of Fig. 3 shows that network boundary 1 contains a NAT device named device 2-2 whose ingress interface is intranet and whose egress interface is outside, then the NAT device recorded in this group of logs and the device in the topology are determined to be the same NAT device, and the topology shows that traffic from interface intranet to interface outside is access from the internal network to the external network; the access direction of the network session at NAT device 2-2 is therefore determined to be outbound.

It should be noted that, after acquiring the network boundary topology relationship, the server performing the data processing stores it in the form of the table shown in Fig. 4. Fig. 4 is the ingress/egress path table of the NAT devices; the content recorded in this table is identical to the information recorded in Fig. 3. For example, it records the name of the network boundary on which the NAT devices are located, the cascade level of that network boundary, the name of each NAT device on the network boundary, the cascade level of each NAT device, the access direction of network sessions passing through each NAT device, the interface through which a network session enters the NAT device (the ingress interface) and the interface through which it leaves (the egress interface). As shown in Fig. 4, when Fig. 3 records the information above, Fig. 4 correspondingly records, for network boundary 1 with its two NAT devices: when internal network 2 is accessed from external network 1 through network boundary 1, the access direction is inbound, the ingress interface of device 2-1 (cascade level 1) is extranet and its egress interface is inside, and the ingress interface of device 2-2 (cascade level 2) is outside and its egress interface is dmz; when external network 1 is accessed from internal network 2 through network boundary 1, the access direction is outbound, the ingress interface of device 2-1 (cascade level 1) is inside and its egress interface is extranet, and the ingress interface of device 2-2 (cascade level 2) is dmz and its egress interface is outside; and when external network 1 is accessed from internal network 3 through network boundary 1, the access direction is outbound, the ingress interface of device 2-1 (cascade level 1) is inside and its egress interface is extranet, and the ingress interface of device 2-2 (cascade level 2) is intranet and its egress interface is outside. The network boundary topology relationship need only be initialized once and can then be stored and reused; it is updated only when a change in the NAT device topology of the network boundary is detected.

According to another optional embodiment of the present application, extracting the local network access relationship of the network session at the NAT device according to the access direction includes: if the access direction is inbound, determining the source-mapped network address corresponding to the identification information of the NAT device as the inner-interface source network address, the destination network address corresponding to the identification information of the NAT device as the inner-interface destination network address, the destination port corresponding to the identification information of the NAT device as the inner-interface destination port, the source network address corresponding to the identification information of the NAT device as the outer-interface source network address, the destination-mapped network address corresponding to the identification information of the NAT device as the outer-interface destination network address, and the destination-mapped port corresponding to the identification information of the NAT device as the outer-interface destination port, where inbound indicates that a device outside the network boundary accesses a device inside the network boundary; and determining, from the inner-interface source network address, the inner-interface destination network address, the inner-interface destination port, the outer-interface source network address, the outer-interface destination network address and the outer-interface destination port, the multiple local network access relationships of the network session at the NAT device when the access direction of the NAT device is inbound; if the access direction is outbound, determining the source network address corresponding to the identification information of the NAT device as the inner-interface source network address, the destination-mapped network address corresponding to the identification information of the NAT device as the inner-interface destination network address, the destination-mapped port corresponding to the identification information of the NAT device as the inner-interface destination port, the source-mapped network address corresponding to the identification information of the NAT device as the outer-interface source network address, the destination network address corresponding to the identification information of the NAT device as the outer-interface destination network address, and the destination port corresponding to the identification information of the NAT device as the outer-interface destination port, where outbound indicates that a device inside the network boundary accesses a device outside the network boundary; and determining, from the inner-interface source network address, the inner-interface destination network address, the inner-interface destination port, the outer-interface source network address, the outer-interface destination network address and the outer-interface destination port, the multiple local network access relationships of the network session at the NAT device when the access direction is outbound.

In this embodiment, after the access direction of the NAT device has been determined by the above embodiment, the local network access relationship of the NAT device is extracted according to the access direction as follows. When the access direction is inbound, the value of the source-mapped IP field recorded in the NAT device's log is determined as the network address of the interface of the NAT device on the internal network side (i.e. the inner interface), that is, the inner-interface source network address; the value of the destination IP field recorded in the log is determined as the inner-interface destination network address of the NAT device; the value of the destination port field recorded in the log is determined as the inner-interface destination port of the NAT device; the value of the source IP field recorded in the log is determined as the network address of the interface of the NAT device on the external network side (i.e. the outer interface), that is, the outer-interface source network address; the value of the destination-mapped IP field recorded in the log is determined as the outer-interface destination network address of the NAT device; and the destination-mapped port recorded in the log is determined as the outer-interface destination port of the NAT device. When the access direction is outbound, the value of the source IP field recorded in the NAT device's log is determined as the network address of the interface on the internal network side (the inner interface), that is, the inner-interface source network address; the value of the destination-mapped IP field recorded in the log is determined as the inner-interface destination network address; the value of the destination-mapped port field recorded in the log is determined as the inner-interface destination port; the value of the source-mapped IP field recorded in the log is determined as the network address of the interface on the external network side (the outer interface), that is, the outer-interface source network address; the value of the destination IP field recorded in the log is determined as the outer-interface destination network address; and the destination port recorded in the log is determined as the outer-interface destination port. Therefore, the inner-interface source network address, inner-interface destination network address, inner-interface destination port, outer-interface source network address, outer-interface destination network address and outer-interface destination port of the NAT device can be determined according to whether the access direction is inbound or outbound, and the local network access relationships of the network session at the NAT device, consisting of these six values, can then be determined. If there is only one NAT device in the network boundary, this method yields two local network access relationships for that NAT device: one from the external network to the outer interface of the NAT device, and the other from the inner interface of the NAT device to the internal network; if there are multiple NAT devices in the network boundary, two local network access relationships are obtained for each NAT device. For example, for device 2-1 in Figure 2, the source IP is 211.0.0.2, the destination IP is 172.16.0.2, the destination port is 8080, the source-mapped IP is 211.0.0.2, the destination-mapped IP is 112.0.0.2 and the destination-mapped port is 80. Combined with Figure 3, it can be determined that the access direction when external network 1 accesses internal network 2 is inbound, so the network session has the following two local network access relationships at device 2-1: one is the local network access relationship from external network 1 to the outer interface of NAT device 2-1, consisting of outer-interface source network address 211.0.0.2, outer-interface destination network address 112.0.0.2 and outer-interface destination port 80; the other is the local network access relationship from the inner interface of NAT device 2-1 to the inner interface of NAT device 2-2, consisting of inner-interface source network address 211.0.0.2, inner-interface destination network address 172.16.0.2 and inner-interface destination port 8080.

Step S106: concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.

In step S106, after the local network access relationships of the NAT devices have been determined by the above method, the multiple local network access relationships of the network session at each NAT device are concatenated to obtain the full-path network access relationship of the network boundary to which the NAT device belongs.

According to an optional embodiment of the present application, concatenating the local network access relationships of each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs includes: determining, from the ingress/egress path table of the NAT devices, the number of NAT devices in the network boundary to which the NAT device belongs; if the number is greater than one, concatenating the multiple local network access relationships of the multiple NAT devices within the same network boundary according to the concatenation rule to obtain the full-path network access relationship; and if the number is equal to one, determining the local network access relationship of the NAT device as the full-path network access relationship.

In this embodiment, when concatenating the local network access relationships of each NAT device, the network boundary to which the NAT device belongs and the number of NAT devices in that network boundary are first determined from the ingress/egress path table of the NAT devices shown in Figure 4. If there is only one NAT device in the network boundary, the local network access relationship of that NAT device is the full-path network access relationship of the network boundary; if the network boundary includes two or more NAT devices, the multiple local network access relationships of the multiple NAT devices in the network boundary are concatenated to obtain the full-path network access relationship of the network boundary.

According to other preferred embodiments of the present application, concatenating the multiple local network access relationships of multiple NAT devices within the same network boundary according to the concatenation rule includes: if the inner-interface source network address of a first NAT device among the multiple NAT devices equals the outer-interface source network address of a second NAT device among the multiple NAT devices, the inner-interface destination network address of the first NAT device equals the outer-interface destination network address of the second NAT device, and the inner-interface destination port of the first NAT device equals the outer-interface destination port of the second NAT device, concatenating the local network access relationship of the first NAT device and the local network access relationship of the second NAT device into the full-path access relationship of the network boundary, where the first NAT device and the second NAT device belong to the same network boundary, the first NAT device and the second NAT device are adjacent, and the cascade level of the first NAT device is lower than the cascade level of the second NAT device.

In other preferred embodiments, the multiple local network access relationships of multiple NAT devices in the same network boundary are concatenated by the following method. The cascade levels of the multiple NAT devices within the same network boundary are determined. If the inner-interface source network address recorded in the local network access relationship of a NAT device at a lower cascade level is the same as the outer-interface source network address recorded in the local network access relationship of the adjacent NAT device at the higher cascade level, the inner-interface destination network address recorded in the local network access relationship of the lower-level NAT device is the same as the outer-interface destination network address recorded in the local network access relationship of the adjacent higher-level NAT device, and the inner-interface destination port recorded in the local network access relationship of the lower-level NAT device is the same as the outer-interface destination port recorded in the local network access relationship of the adjacent higher-level NAT device, then, starting from the lowest level and proceeding in order of cascade level, the local network access relationship of the lower-level NAT device is concatenated with the local network access relationship of the next higher-level NAT device, until the NAT device with the highest cascade level in the network boundary is reached, and the concatenated result is taken as the full-path network access relationship of the network boundary. For example, network boundary 1 contains level-1 NAT device 2-1 and level-2 NAT device 2-2; the inner-interface source network address of NAT device 2-1 is 211.0.0.2, its inner-interface destination network address is 172.16.0.2 and its inner-interface destination port is 8080, while the outer-interface source network address of NAT device 2-2 is 211.0.0.2, its outer-interface destination network address is 172.16.0.2 and its outer-interface destination port is 8080; therefore the local network access relationship of NAT device 2-1 and the local network access relationship of NAT device 2-2 are concatenated into the full-path network access relationship of network boundary 1.
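The direction-dependent field mapping described for the inbound and outbound cases, followed by the concatenation rule across cascade levels, as an added example that is not code from the patent. The ingress/egress path table and the session log records are constructed here (field names such as `src_mapped_ip` and `in_if` are assumptions); the address values follow the worked example of Figures 2, 3 and 5.

```python
"""Added example, not code from the patent: apply the direction-dependent field
mapping to structured NAT session log records (one per device), then join the
resulting local relationships across cascade levels with the concatenation rule."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (source address, destination address, destination port): the three fields the
# patent records for one interface of one NAT device.
Triple = Tuple[str, str, int]


@dataclass(frozen=True)
class LocalRelation:
    boundary: str
    device: str
    level: int        # cascade level within the boundary (1 = closest to outside)
    direction: str    # "inbound" or "outbound"
    outer: Triple     # relationship seen at the outer (external-side) interface
    inner: Triple     # relationship seen at the inner (internal-side) interface


# Constructed ingress/egress path table in the shape of Figure 4:
# (boundary, device, inbound interface, outbound interface) -> (level, direction)
PATH_TABLE: Dict[Tuple[str, str, str, str], Tuple[int, str]] = {
    ("boundary-1", "2-1", "extranet", "inside"): (1, "inbound"),
    ("boundary-1", "2-2", "outside", "dmz"): (2, "inbound"),
    ("boundary-1", "2-1", "inside", "extranet"): (1, "outbound"),
    ("boundary-1", "2-2", "dmz", "outside"): (2, "outbound"),
    ("boundary-1", "2-2", "intranet", "outside"): (2, "outbound"),
}

# Constructed structured session log records (field names are assumed); the
# address values follow the worked example of Figures 2, 3 and 5.
SESSION_LOGS: List[dict] = [
    {"boundary": "boundary-1", "device": "2-1", "in_if": "extranet", "out_if": "inside",
     "src_ip": "211.0.0.2", "dst_ip": "172.16.0.2", "dst_port": 8080,
     "src_mapped_ip": "211.0.0.2", "dst_mapped_ip": "112.0.0.2", "dst_mapped_port": 80},
    {"boundary": "boundary-1", "device": "2-2", "in_if": "outside", "out_if": "dmz",
     "src_ip": "211.0.0.2", "dst_ip": "172.16.0.2", "dst_port": 8080,
     "src_mapped_ip": "211.0.0.2", "dst_mapped_ip": "172.16.0.2", "dst_mapped_port": 8080},
    {"boundary": "boundary-1", "device": "2-1", "in_if": "inside", "out_if": "extranet",
     "src_ip": "172.16.0.3", "dst_ip": "211.0.0.3", "dst_port": 443,
     "src_mapped_ip": "112.0.10.3", "dst_mapped_ip": "211.0.0.3", "dst_mapped_port": 443},
    {"boundary": "boundary-1", "device": "2-2", "in_if": "intranet", "out_if": "outside",
     "src_ip": "172.16.0.3", "dst_ip": "211.0.0.3", "dst_port": 443,
     "src_mapped_ip": "172.16.0.3", "dst_mapped_ip": "192.168.0.3", "dst_mapped_port": 443},
]


def extract_local_relation(log: dict) -> Optional[LocalRelation]:
    """Look up the access direction in the path table, then apply the patent's
    inbound/outbound field mapping. Returns None for an interface pair that is
    not in the table (the session did not cross a known boundary path)."""
    key = (log["boundary"], log["device"], log["in_if"], log["out_if"])
    if key not in PATH_TABLE:
        return None
    level, direction = PATH_TABLE[key]
    if direction == "inbound":
        outer = (log["src_ip"], log["dst_mapped_ip"], log["dst_mapped_port"])
        inner = (log["src_mapped_ip"], log["dst_ip"], log["dst_port"])
    else:
        outer = (log["src_mapped_ip"], log["dst_ip"], log["dst_port"])
        inner = (log["src_ip"], log["dst_mapped_ip"], log["dst_mapped_port"])
    return LocalRelation(log["boundary"], log["device"], level, direction, outer, inner)


def chain_full_path(relations: List[LocalRelation]) -> Optional[List[Triple]]:
    """Concatenation rule: sort the devices of one boundary by cascade level and
    join each device to the next only when the lower level's inner triple equals
    the higher level's outer triple. Returns [outer of lowest level, each joint,
    inner of highest level], or None if the devices do not chain. A single device
    yields just its own two triples, as the patent specifies."""
    if not relations:
        return None
    if len({(r.boundary, r.direction) for r in relations}) != 1:
        return None  # only one boundary and one direction chain together
    ordered = sorted(relations, key=lambda r: r.level)
    path = [ordered[0].outer]
    for lower, higher in zip(ordered, ordered[1:]):
        if lower.inner != higher.outer:
            return None  # the triples do not line up: not the same session
        path.append(higher.outer)
    path.append(ordered[-1].inner)
    return path


def build_full_paths(logs: List[dict]) -> Dict[Tuple[str, str], Optional[List[Triple]]]:
    """Group extracted relations by (boundary, direction) and chain each group."""
    groups: Dict[Tuple[str, str], List[LocalRelation]] = {}
    for log in logs:
        rel = extract_local_relation(log)
        if rel is not None:
            groups.setdefault((rel.boundary, rel.direction), []).append(rel)
    return {key: chain_full_path(rels) for key, rels in groups.items()}
```

Grouping by (boundary, direction) is a simplification for the constructed records; on real logs the records of one session would be grouped by a session identifier before chaining, and a `None` result flags records that do not belong to the same session.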

Figure 5 is a schematic diagram of the full-path network access relationship table. It should be noted that, after the full-path network access relationship of a network boundary is obtained, it can also be recorded and saved in the form of the table shown in Figure 5. The full-path network access relationship table records the name of the network boundary, the access direction in which the network session accesses the network boundary, the local network access relationship of the outer interface at the lowest cascade level, the local network access relationship of the inner interface at the highest cascade level, the local network access relationships between adjacent NAT devices, the protocol used by the network session, and the number of times the same full-path network access relationship occurs (i.e. the number of connections). Each of these three kinds of local network access relationship (outer interface at the lowest cascade level, inner interface at the highest cascade level, and between adjacent NAT devices) consists of a source IP field, a destination IP field and a destination port field. Network boundary 1 shown in Figure 3 includes NAT device 2-1 at the lowest cascade level and NAT device 2-2 at the highest cascade level. When internal network 2 or internal network 3 is accessed from external network 1, the full-path network access relationship table of network boundary 1 records the access direction as inbound; the local network access relationship of the outer interface of device 2-1 consists of source IP 211.0.0.2, destination IP 112.0.0.2 and destination port 80; the local network access relationship of the inner interface of device 2-2 consists of source IP 211.0.0.2, destination IP 172.16.0.2 and destination port 8080; the local network access relationship between device 2-1 and device 2-2 consists of source IP 211.0.0.2, destination IP 172.16.0.2 and destination port 8080; and the number of occurrences of this full-path access relationship (for example, 100) is recorded in the table at the same time. When external network 1 is accessed from internal network 2 or internal network 3, the full-path network access relationship table of network boundary 1 records the access direction as outbound; the local network access relationship of the outer interface of device 2-1 consists of source IP 112.0.10.3, destination IP 211.0.0.3 and destination port 443; the local network access relationship of the inner interface of device 2-2 consists of source IP 172.16.0.3, destination IP 192.168.0.3 and destination port 443; the local network access relationship between device 2-1 and device 2-2 consists of source IP 172.16.0.3, destination IP 211.0.0.3 and destination port 443; and the number of occurrences of this full-path access relationship (for example, 200) is recorded in the table at the same time.

Through the above steps, the local network access relationships before and after a NAT device can be extracted from the NAT session logs, and the multiple local network access relationships can be concatenated, in combination with the NAT device topology of the network boundary, into the full-path network access relationship of the network boundary in which the NAT devices are located. Because the full-path network access relationship of a network session across the network boundary is extracted from the session logs rather than derived from the mapping configuration data of the NAT devices, the method is applicable to scenarios with complex NAT configurations on the NAT devices, such as one-to-many mappings, many-to-one mappings and mappings associated with policy routing, and to scenarios in which multiple NAT devices are cascaded. Without deploying agents and without capturing and parsing massive volumes of business traffic packets, it obtains the full-path network access relationship of the network boundary accurately and efficiently while reducing operation and maintenance costs.

According to an optional embodiment of the present application, the method for obtaining the full-path network access relationship further includes: determining the node corresponding to the device that initiates the access request in the full-path network access relationship as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices in the full-path network access relationship as intermediate nodes; determining the line segments connecting the start node, the intermediate nodes and the end node as edges, where the direction of each edge is determined according to the access direction in which the network session traverses the network boundary and is indicated by an arrow; generating a visual view of the full-path network access relationship from the start node, the intermediate nodes, the end node and the edges; and displaying the visual view of the full-path network access relationship.

The method provided according to the embodiment of the present application can also display the full-path network access relationship. Figure 6 is a schematic diagram of the full-path network access relationship view. As shown in Figure 6, the view includes an external network area, a network boundary area and an internal network area. Here the network session is initiated by the internal network. The internal network area displays the name of the device in the internal network (i.e. the client), the device's network address (e.g. 172.16.0.3) and the local network access relationship of the network session entering the network boundary from the internal network. The network boundary area displays the name of each NAT device in the network boundary (e.g. NAT device 1, NAT device 2), the source interface (e.g. inside, intranet) and the destination interface (e.g. extranet, outside), and the local network access relationships of the network session between the NAT devices in the network boundary. The external network area displays the name of the device in the external network (e.g. a server), the device's network address (e.g. 112.0.10.3:443) and the local network access relationship of the network session accessing the external network through the network boundary. The local network access relationship of the external network accessing the network boundary is displayed as a label comprising the source network address (e.g. 112.00.10.3), the destination network address (e.g. 211.0.10.3) and the destination port (e.g. 443); the local network access relationship of the internal network accessing the network boundary is displayed as a label comprising the source network address (e.g. 172.16.0.3), the destination network address (e.g. 192.168.0.3) and the destination port (e.g. 443); and the local network access relationship of the network session between the NAT devices is displayed as a label comprising the source network address (e.g. 172.16.0.3), the destination network address (e.g. 211.0.0.3) and the destination port (e.g. 443). When displaying the access path, the node corresponding to the accessed device is used as the end node, the nodes corresponding to the multiple NAT devices are used as the intermediate nodes, the node corresponding to the device that initiates the access request in the whole path is used as the start node, the nodes corresponding to the devices on the access path are connected by line segments as edges, and the access direction is indicated by arrows.
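The Figure 5 table (one row per distinct full-path relationship with its connection count) and the Figure 6 view (start node, intermediate NAT nodes, end node, directed edges), as an added example that is not code from the patent. The per-session inputs are constructed here from the Figure 5 values; the row layout, the `NAT <device>` node names and the DOT rendering are assumptions.

```python
"""Added example, not code from the patent: fold chained full-path relationships
into a Figure 5 style table (one row per distinct path, with a connection count)
and turn one row into the start / intermediate / end node graph of Figure 6."""
from collections import Counter
from typing import Dict, List, Tuple

Triple = Tuple[str, str, int]  # (source address, destination address, destination port)

# Constructed per-session results of the concatenation step: boundary, access
# direction, protocol, NAT devices ordered by cascade level, and the path triples
# [outer of lowest level, joints between adjacent devices, inner of highest level].
# Values follow the worked example of Figure 5; the third record repeats the first.
FULL_PATH_SESSIONS: List[Tuple[str, str, str, Tuple[str, ...], Tuple[Triple, ...]]] = [
    ("boundary-1", "inbound", "tcp", ("2-1", "2-2"),
     (("211.0.0.2", "112.0.0.2", 80), ("211.0.0.2", "172.16.0.2", 8080),
      ("211.0.0.2", "172.16.0.2", 8080))),
    ("boundary-1", "outbound", "tcp", ("2-1", "2-2"),
     (("112.0.10.3", "211.0.0.3", 443), ("172.16.0.3", "211.0.0.3", 443),
      ("172.16.0.3", "192.168.0.3", 443))),
    ("boundary-1", "inbound", "tcp", ("2-1", "2-2"),
     (("211.0.0.2", "112.0.0.2", 80), ("211.0.0.2", "172.16.0.2", 8080),
      ("211.0.0.2", "172.16.0.2", 8080))),
]


def aggregate_full_paths(sessions) -> List[Dict]:
    """Build the Figure 5 table: identical (boundary, direction, protocol,
    devices, path) records collapse into one row whose 'connections' field
    counts how often that full-path relationship occurred."""
    rows = []
    for (boundary, direction, proto, devices, path), n in Counter(sessions).items():
        rows.append({
            "boundary": boundary, "direction": direction, "protocol": proto,
            "devices": list(devices),
            "lowest_outer": path[0],        # outer interface, lowest cascade level
            "between": list(path[1:-1]),    # relationships between adjacent devices
            "highest_inner": path[-1],      # inner interface, highest cascade level
            "connections": n,
        })
    return rows


def full_path_edges(row: Dict) -> List[Tuple[str, str, Triple]]:
    """Figure 6 graph for one table row. The start node is the requesting device,
    the end node the accessed device and each NAT device an intermediate node;
    every edge carries the (src, dst, port) label of the hop it represents and
    points in the access direction. Inbound traffic is walked from the lowest
    cascade level inward; outbound traffic walks the same path in reverse."""
    path = [row["lowest_outer"], *row["between"], row["highest_inner"]]
    devices = list(row["devices"])
    if row["direction"] == "outbound":
        path.reverse()
        devices.reverse()
    start = path[0][0]                      # requesting address on the first hop
    end = f"{path[-1][1]}:{path[-1][2]}"    # accessed address on the last hop
    nodes = [start, *(f"NAT {d}" for d in devices), end]
    return [(a, b, label) for a, b, label in zip(nodes, nodes[1:], path)]


def to_dot(row: Dict) -> str:
    """Render the edge list in Graphviz DOT syntax; arrows show the access direction."""
    lines = ["digraph full_path {", "  rankdir=LR;"]
    for a, b, (src, dst, port) in full_path_edges(row):
        lines.append(f'  "{a}" -> "{b}" [label="{src} -> {dst}:{port}"];')
    lines.append(f'  label="{row["boundary"]} {row["direction"]} x{row["connections"]}";')
    lines.append("}")
    return "\n".join(lines)
```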

Figure 7 is a structural diagram of a system for displaying a full-path network access relationship provided according to an embodiment of the present application, which includes a terminal device 70, a data visualization server 72 and a data processing server 74. The terminal device 70 is connected to the data visualization server 72 and is configured to send to the data visualization server 72 a query request requesting access to the full-path network access relationship of a network boundary, and to display the full-path network access relationship. The data visualization server 72 is connected to the data processing server 74 and is configured to respond to the query request and obtain the data corresponding to the full-path network access relationship. The data processing server 74 is configured to obtain multiple logs of multiple NAT devices, convert the multiple logs into a structured session log corresponding to each of the multiple NAT devices, extract, from the structured session log corresponding to each NAT device, the local network access relationship of the network session at each NAT device, concatenate the local network access relationships at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, store the data corresponding to the full-path network access relationship, and deliver the data corresponding to the full-path network access relationship to the data visualization server 72, where the network session is a session between a device inside the network boundary and a device outside the network boundary.

Figure 8 is a workflow diagram of the display system that displays the full-path network access relationship of the network boundary in which the NAT devices are located. As shown in Figure 8, the terminal device 70 first sends a query request to the data visualization server 72 to query the full-path network access relationship of the network boundary in which the NAT devices are located; after receiving the query request, the data visualization server 72 obtains the full-path network access relationship from the data processing server 74; the data processing server 74 delivers the stored data identifying the full-path network access relationship to the data visualization server 72, where the data processing server 74 collects the session log of each NAT device in the network boundary in a predetermined cycle, converts each session log into a standard structured session log, extracts the local network access relationship of each NAT device from its structured session log, concatenates the local network access relationships of the NAT devices by the method described above into the full-path network access relationship of the network boundary in which these NAT devices are located, and stores it; the data visualization server 72 sends the processed, visualizable full-path network access relationship to the terminal device 70, and the terminal device 70 generates a visual view representing the full-path network access relationship and displays it.

FIG. 9 is a structural diagram of an apparatus for obtaining a full-path network access relationship according to an embodiment of the present application. It comprises: an obtaining module 90, used to obtain the structured session log corresponding to each of multiple NAT devices; an extraction module 92, used to extract, from each NAT device's structured session log, the local network access relationship of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and a processing module 94, used to connect the local network access relationships of the network session at each NAT device in series to obtain the full-path network access relationship of the network boundary to which the NAT devices belong.

When the apparatus is in operation, the obtaining module 90 collects and parses the session log of every NAT device in the network boundary in real time and converts the raw session logs into standard structured session logs. The extraction module 92 obtains and stores the structured session logs produced by the obtaining module 90, aggregates and classifies the data over a preset period (for example one hour, one day or one month), and extracts from it the local network access relationships before and after each NAT device. The processing module 94 then connects the local network access relationships obtained by the extraction module 92 in series into the full-path network access relationship of the network boundary where the NAT devices are located.

It should be noted that for preferred implementations of the embodiment shown in FIG. 9, reference may be made to the description of the embodiment shown in FIG. 1, which is not repeated here.

The method of this embodiment can be applied at any network boundary where NAT devices are deployed: for example, the boundary between a data center intranet and the Internet, the boundaries between different service isolation zones inside a data center, or the boundary between a public cloud and the Internet. The method collects the NAT session logs of the NAT devices at a network security boundary, extracts the local network access relationship before and after each NAT device, and matches and chains the local relationships of the successive NAT device nodes along the boundary path, so that the full-path access relationship across the security boundary is obtained precisely. In complex cascaded multi-NAT environments and complex NAT configurations, such as one-to-many mappings, many-to-one mappings, address mappings associated with policy-based routing (PBR) and port mappings, the full-path network access relationship of the boundary is obtained accurately and efficiently without deploying agents on large numbers of business servers and without capturing and parsing large volumes of business traffic packets, which reduces operation and maintenance cost. Because the result is derived entirely from the devices' own session logs, its completeness depends on every NAT device at the boundary logging every session: a device that does not log, or a gap in collection, leaves the chain unmatched at that hop.

An embodiment of the present application further provides a non-volatile storage medium storing a computer program, where the device on which the medium resides executes the above method for obtaining a full-path network access relationship by running the program.

The non-volatile storage medium stores a program performing the following functions: obtaining the structured session log corresponding to each of multiple NAT devices; extracting, from each NAT device's structured session log, the local network access relationship of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and connecting the local network access relationships of the network session at each NAT device in series to obtain the full-path network access relationship of the network boundary to which the NAT devices belong.

An embodiment of the present application further provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor is configured to execute the above method for obtaining a full-path network access relationship through that program.

The processor of the electronic device runs a program performing the following functions: obtaining the structured session log corresponding to each of multiple NAT devices; extracting, from each NAT device's structured session log, the local network access relationship of a network session at that device, where the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and connecting the local network access relationships of the network session at each NAT device in series to obtain the full-path network access relationship of the network boundary to which the NAT devices belong.

It should be noted that each module of the above apparatus for obtaining a full-path network access relationship may be a program module (for example, a set of program instructions implementing a particular function) or a hardware module. In the latter case it may take, without limitation, the following form: each module is a processor, or the functions of the modules are implemented by a single processor.

The numbering of the above embodiments is for description only and does not indicate that one embodiment is better than another.

In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of the other embodiments.

It should be understood that, in the several embodiments provided in this application, the disclosed technical content may be realized in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units may be a logical functional division; in actual implementation there may be other divisions, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, units or modules, and may be electrical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part that contributes to the related art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc or any other medium that can store program code.

The above is only a preferred embodiment of the present application. It should be pointed out that a person of ordinary skill in the art can make several improvements and refinements without departing from the principles of this application, and these improvements and refinements should also be regarded as within the scope of protection of this application.

Claims (13)

1. A method for obtaining a full-path network access relationship, characterized in that it comprises:
  obtaining a structured session log corresponding to each of a plurality of NAT devices;
  extracting, according to the structured session log corresponding to each NAT device, the local network access relationship of a network session at that NAT device, wherein the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that network boundary;
  connecting the local network access relationships of the network session at each NAT device in series to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.

2. The method according to claim 1, characterized in that extracting the local network access relationship of the network session at each NAT device according to the structured session log corresponding to that NAT device comprises:
  obtaining the network boundary topology of the NAT device and generating an ingress/egress path table of the NAT device from it, wherein the path table includes: the identification information of the NAT device, the name of the network boundary where the NAT device is located, the cascade level of the NAT device, the access direction of network sessions passing through the NAT device, the name of the ingress interface and the name of the egress interface, the ingress interface being the interface through which the network session enters the NAT device and the egress interface being the interface through which the network session leaves it;
  generating a log aggregation table from the structured session log, and determining the access direction of the network session passing through the NAT device from the ingress/egress path table and the log aggregation table;
  extracting the local network access relationship of the network session at the NAT device according to the access direction.

3. The method according to claim 1, characterized in that obtaining the structured session log corresponding to each of the plurality of NAT devices comprises:
  obtaining multiple logs of the NAT devices and obtaining key element information from them, wherein the key element information includes: timestamp, source network address, destination network address, destination port, source mapped network address, destination mapped network address, destination mapped port, protocol type, source interface and destination interface;
  obtaining the identification information of each NAT device, wherein the identification information includes at least one of the name of the NAT device and the network address of the NAT device;
  combining the key element information of each NAT device with its identification information to obtain the structured session log corresponding to that NAT device.

4. The method according to claim 3, characterized in that generating the log aggregation table from the structured session log comprises:
  determining a preset period and collecting the structured session logs within that period;
  classifying the records of the structured session logs whose key element information, apart from the timestamp, is identical into one group, obtaining multiple groups;
  generating the log aggregation table from the groups, wherein the log aggregation table includes: the identification information of the NAT device, the key element information and the number of occurrences of each group.

5. The method according to claim 2, characterized in that generating the log aggregation table from the structured session log and determining the access direction of the network session passing through the NAT device from the ingress/egress path table and the log aggregation table comprises:
  obtaining from the log aggregation table the identification information of the NAT device, the name of the source interface corresponding to that identification information and the name of the destination interface corresponding to it;
  using the identification information, the corresponding source interface name and the corresponding destination interface name to determine, through the ingress/egress path table, the access direction of the network session of the NAT device indicated by that identification information.

6. The method according to claim 2, characterized in that extracting the local network access relationship of the network session at the NAT device according to the access direction comprises:
  if the access direction is inbound, determining the source mapped network address corresponding to the identification information of the NAT device as the inner-interface source network address, the corresponding destination network address as the inner-interface destination network address, the corresponding destination port as the inner-interface destination port, the corresponding source network address as the outer-interface source network address, the corresponding destination mapped network address as the outer-interface destination network address, and the corresponding destination mapped port as the outer-interface destination port, wherein inbound denotes access from a device outside the network boundary to a device inside the network boundary;
  determining, from the inner-interface source network address, inner-interface destination network address, inner-interface destination port, outer-interface source network address, outer-interface destination network address and outer-interface destination port, the local network access relationships of the network session at the NAT device when the access direction is inbound;
  if the access direction is outbound, determining the source network address corresponding to the identification information of the NAT device as the inner-interface source network address, the corresponding destination mapped network address as the inner-interface destination network address, the corresponding destination mapped port as the inner-interface destination port, the corresponding source mapped network address as the outer-interface source network address, the corresponding destination network address as the outer-interface destination network address, and the corresponding destination port as the outer-interface destination port, wherein outbound denotes access from a device inside the network boundary to a device outside the network boundary;
  determining, from the inner-interface source network address, inner-interface destination network address, inner-interface destination port, outer-interface source network address, outer-interface destination network address and outer-interface destination port, the local network access relationships of the network session at the NAT device when the access direction is outbound.

7. The method according to claim 2, characterized in that connecting the local network access relationships of each NAT device in series to obtain the full-path network access relationship of the network boundary to which each NAT device belongs comprises:
  determining, from the ingress/egress path table of the NAT device, the number of NAT devices in the network boundary to which the NAT device belongs;
  if the number is greater than one, connecting the local network access relationships of the NAT devices within the same network boundary in series according to a concatenation rule to obtain the full-path network access relationship;
  if the number equals one, determining the local network access relationship of the NAT device as the full-path network access relationship.

8. The method according to claim 7, characterized in that connecting the local network access relationships of the NAT devices within the same network boundary in series according to the concatenation rule comprises:
  if the inner-interface source network address of a first NAT device among the NAT devices equals the outer-interface source network address of a second NAT device among them, the inner-interface destination network address of the first NAT device equals the outer-interface destination network address of the second NAT device, and the inner-interface destination port of the first NAT device equals the outer-interface destination port of the second NAT device, connecting the local network access relationship of the first NAT device and that of the second NAT device in series into the full-path access relationship of the network boundary, wherein the first and second NAT devices belong to the same network boundary, are adjacent to each other, and the cascade level of the first NAT device is lower than the cascade level of the second NAT device.

9. The method according to claim 1, characterized in that it further comprises:
  determining the node corresponding to the device that initiates the access request in the full-path network access relationship as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices in the full-path network access relationship as intermediate nodes;
  determining the line segments connecting the start node, the intermediate nodes and the end node as edges, wherein the direction of an edge is determined by the direction in which the network session crosses the network boundary and is indicated by an arrow;
  generating a visual view of the full-path network access relationship from the start node, the intermediate nodes, the end node and the edges;
  displaying the visual view of the full-path network access relationship.

10. A display system for a full-path network access relationship, characterized in that it comprises a terminal device, a data visualization server and a data processing server, wherein:
  the terminal device is connected to the data visualization server and is used to send the data visualization server a query request for the full-path network access relationship of a network boundary and to display the full-path network access relationship;
  the data visualization server is connected to the data processing server and is used to respond to the query request and obtain the data corresponding to the full-path network access relationship;
  the data processing server is used to obtain multiple logs of a plurality of NAT devices, convert them into a structured session log corresponding to each NAT device, extract from each NAT device's structured session log the local network access relationship of a network session at that NAT device, connect the local network access relationships at each NAT device in series to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, store the data corresponding to the full-path network access relationship, and deliver that data to the data visualization server, wherein the network session is a session between a device inside the network boundary and a device outside the network boundary.

11. An apparatus for obtaining a full-path network access relationship, characterized in that it comprises:
  an obtaining module, used to obtain a structured session log corresponding to each of a plurality of NAT devices;
  an extraction module, used to extract, according to the structured session log corresponding to each NAT device, the local network access relationship of a network session at that NAT device, wherein the network session is a session between a device inside the network boundary to which the NAT device belongs and a device outside that network boundary;
  a processing module, used to connect the local network access relationships of the network session at each NAT device in series to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.

12. A non-volatile storage medium, characterized in that a computer program is stored in the non-volatile storage medium, wherein the device on which the non-volatile storage medium resides executes the method for obtaining a full-path network access relationship according to any one of claims 1 to 9 by running the computer program.

13. An electronic device comprising a memory and a processor, characterized in that a computer program is stored in the memory and the processor is configured to execute the method for obtaining a full-path network access relationship according to any one of claims 1 to 9 through the computer program.
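Claims 3 to 9 describe one procedure: structured session logs, a log aggregation table, an ingress/egress path table that yields the access direction, inner/outer tuples per NAT device, and series connection by cascade level. The Python below is an added worked example, not code from the patent or its applicant, that runs that procedure end to end over constructed session lines from two cascaded NAT devices. The "k=v" log layout, the device and interface names, the path table, all addresses, and the handling of a level-1 relation with no inner counterpart (reported separately, which the claims do not specify) are assumptions made for the example.

```python
"""Added example, not the patent's or applicant's code: rebuild full-path access
relations across cascaded NAT devices from session logs, per claims 3 to 9."""
from collections import Counter

# Claim 2 path table (constructed): (device, ingress iface, egress iface) -> direction.
PATH_TABLE = {
    ("fw-edge", "eth-outside", "eth-dmz"): "inbound",
    ("fw-edge", "eth-dmz", "eth-outside"): "outbound",
    ("fw-core", "eth-dmz", "eth-inside"): "inbound",
    ("fw-core", "eth-inside", "eth-dmz"): "outbound",
}
LEVEL = {"fw-edge": 1, "fw-core": 2}   # cascade level within one boundary, 1 = outermost
# Claim 3 key elements; the "k=v" raw line layout is an assumption.
FIELDS = ("ts", "src", "dst", "dport", "src_nat", "dst_nat", "dport_nat",
          "proto", "in_if", "out_if")
COLS = ("device",) + FIELDS[1:]        # claim 4 grouping key: everything but the timestamp

def parse(device, line):
    """Raw session line -> structured session log tagged with the device id."""
    rec = {"device": device}
    for tok in line.split():
        k, _, v = tok.partition("=")
        if k in FIELDS:
            rec[k] = v
    missing = [k for k in FIELDS if k not in rec]
    if missing:
        raise ValueError(f"{device}: missing fields {missing}")
    return rec

def aggregate(records):
    """Log aggregation table: identical records (timestamp aside) with a count."""
    groups = Counter(tuple(r[k] for k in COLS) for r in records)
    return [(dict(zip(COLS, key)), n) for key, n in groups.items()]

def local_relation(rec, count):
    """Claims 5 and 6: direction from the path table, then inner/outer (src, dst, dport)."""
    direction = PATH_TABLE.get((rec["device"], rec["in_if"], rec["out_if"]))
    if direction is None:
        raise ValueError(f"{rec['device']}: {rec['in_if']}->{rec['out_if']} not in path table")
    if direction == "inbound":      # outside client reaching an inside server
        inner = (rec["src_nat"], rec["dst"], rec["dport"])
        outer = (rec["src"], rec["dst_nat"], rec["dport_nat"])
    else:                           # inside client reaching an outside server
        inner = (rec["src"], rec["dst_nat"], rec["dport_nat"])
        outer = (rec["src_nat"], rec["dst"], rec["dport"])
    return {"device": rec["device"], "dir": direction, "proto": rec["proto"],
            "inner": inner, "outer": outer, "count": count}

def full_paths(relations):
    """Claims 7 to 9: from each level-1 relation walk inward, joining a level-n inner tuple
    to a level-(n+1) outer tuple (same-direction check is an added guard); emit start node,
    NAT devices in traversal order and end node."""
    depth = max(LEVEL.values())
    paths, unmatched = [], []
    for start in (r for r in relations if LEVEL[r["device"]] == 1):
        hops = [start]
        while LEVEL[hops[-1]["device"]] < depth:
            nxt = [r for r in relations if LEVEL[r["device"]] == LEVEL[hops[-1]["device"]] + 1
                   and r["dir"] == start["dir"] and r["outer"] == hops[-1]["inner"]]
            if not nxt:
                break
            hops.append(nxt[0])
        if LEVEL[hops[-1]["device"]] < depth:   # no inner counterpart: log gap or DMZ-terminated
            unmatched.append(start)
            continue
        if start["dir"] == "inbound":
            src, (_, dst, dport), ordered = hops[0]["outer"][0], hops[-1]["inner"], hops
        else:
            src, (_, dst, dport), ordered = hops[-1]["inner"][0], hops[0]["outer"], hops[::-1]
        paths.append({"dir": start["dir"], "src": src, "dst": dst, "dport": dport,
                      "proto": start["proto"], "via": [h["device"] for h in ordered],
                      "sessions": [h["count"] for h in ordered]})
    return paths, unmatched

# Constructed lines: inbound HTTPS seen twice on fw-edge and once on fw-core, outbound
# HTTP seen on both, and inbound SSH seen only on fw-edge.
RAW_LOGS = {
    "fw-edge": [
        "ts=1700000000 src=203.0.113.10 dst=10.1.1.5 dport=8443 src_nat=203.0.113.10 "
        "dst_nat=198.51.100.5 dport_nat=443 proto=tcp in_if=eth-outside out_if=eth-dmz",
        "ts=1700000007 src=203.0.113.10 dst=10.1.1.5 dport=8443 src_nat=203.0.113.10 "
        "dst_nat=198.51.100.5 dport_nat=443 proto=tcp in_if=eth-outside out_if=eth-dmz",
        "ts=1700000030 src=10.9.9.33 dst=192.0.2.80 dport=80 src_nat=198.51.100.7 "
        "dst_nat=192.0.2.80 dport_nat=80 proto=tcp in_if=eth-dmz out_if=eth-outside",
        "ts=1700000031 src=203.0.113.99 dst=10.1.1.9 dport=22 src_nat=203.0.113.99 "
        "dst_nat=198.51.100.9 dport_nat=22 proto=tcp in_if=eth-outside out_if=eth-dmz",
    ],
    "fw-core": [
        "ts=1700000001 src=203.0.113.10 dst=172.16.0.20 dport=443 src_nat=10.9.9.1 "
        "dst_nat=10.1.1.5 dport_nat=8443 proto=tcp in_if=eth-dmz out_if=eth-inside",
        "ts=1700000029 src=172.16.0.33 dst=192.0.2.80 dport=80 src_nat=10.9.9.33 "
        "dst_nat=192.0.2.80 dport_nat=80 proto=tcp in_if=eth-inside out_if=eth-dmz",
    ],
}

def build(raw_logs=RAW_LOGS):
    """Whole pipeline: parse -> aggregate -> local relations -> full paths."""
    records = [parse(dev, line) for dev, lines in raw_logs.items() for line in lines]
    return full_paths([local_relation(rec, n) for rec, n in aggregate(records)])

if __name__ == "__main__":
    paths, unmatched = build()
    for p in paths:
        print(p["dir"], p["src"], "->", p["dst"] + ":" + p["dport"], "via", " > ".join(p["via"]))
    print("unmatched:", [(r["device"], r["inner"]) for r in unmatched])
```

Running it yields one inbound path (203.0.113.10 to 172.16.0.20:443 via fw-edge then fw-core, two sessions on the edge and one on the core) and one outbound path (172.16.0.33 to 192.0.2.80:80 via fw-core then fw-edge); the SSH session is reported as unmatched because fw-core never logged it. The match key is the three-tuple of claim 8; with many-to-one or port-overloading NAT on a busy boundary, extending the key with the protocol and the aggregation window reduces accidental joins.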
CN202310454802.9A 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship Active CN116455801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310454802.9A CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310454802.9A CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Publications (2)

Publication Number Publication Date
CN116455801A true CN116455801A (en) 2023-07-18
CN116455801B CN116455801B (en) 2025-09-05

Family

ID=87120125

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310454802.9A Active CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Country Status (1)

Country Link
CN (1) CN116455801B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117112689A (en) * 2023-09-20 2023-11-24 建信金融科技有限责任公司 Application association relation discovery method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227408A (en) * 2008-02-02 2008-07-23 中兴通讯股份有限公司 Method and Router for IPv4 Internal Private Network to Access IPv6 Network
US20120214445A1 (en) * 2009-11-02 2012-08-23 Lg Electronics Inc Nat traversal for local ip access
CN110062046A (en) * 2019-04-24 2019-07-26 全知科技(杭州)有限责任公司 A kind of data access complete trails related auditing method
CN110120947A (en) * 2019-04-30 2019-08-13 日海通信服务有限公司 A kind of digital network access method based on security boundary
US20210344725A1 (en) * 2020-04-30 2021-11-04 Rockwell Automation Technologies, Inc. Securely deploying security policy and configuration through network address translation systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GAO FUXIANG et al.: "A Security Architecture for Intranet Based on Security Area Divison", IEEE, 30 April 2010 (2010-04-30) *
刘武军: "Research on IPv4-to-IPv6 Transition Technology Based on NAT-PT" (IPv4-IPv6基于NAT-PT的过渡技术的研究), China Master's Theses Full-text Database (中国优秀硕士论文全文数据库), 15 July 2012 (2012-07-15) *

Also Published As

Publication number Publication date
CN116455801B (en) 2025-09-05

Similar Documents

Publication Publication Date Title
KR102183897B1 (en) An apparatus for anomaly detecting of network based on artificial intelligent and method thereof, and system
TW476204B (en) Information security analysis system
TW470879B (en) Information security analysis system
Glatz et al. Visualizing big network traffic data using frequent pattern mining and hypergraphs
Chi et al. Cyclops: the AS-level connectivity observatory
CN108833437A (en) An APT detection method based on traffic fingerprint and communication feature matching
Dusi et al. Quantifying the accuracy of the ground truth associated with Internet traffic traces
US20190007292A1 (en) Apparatus and method for monitoring network performance of virtualized resources
CN109379390B (en) Network security baseline generation method based on full flow
AU757353B2 (en) Information security analysis system
CN115883223A (en) Method and device for generating user risk profile, electronic device, storage medium
CN111953552B (en) Data flow classification method and message forwarding equipment
CN114338600A (en) Equipment fingerprint selection method and device, electronic equipment and medium
Layeghy et al. Benchmarking the Benchmark--Analysis of Synthetic NIDS Datasets
CN111200543A (en) Encryption protocol identification method based on active service detection engine technology
CN116455801A (en) Method and device for acquiring full path network access relation
CN114553546B (en) Message grabbing method and device based on network application
CN115437874A (en) Information security risk analysis and monitoring system based on network assets
CN112187720B (en) Method, device, electronic device and storage medium for generating a secondary attack chain
CN117041070B (en) A method and device for discovering and identifying nodes in network space surveying and mapping
Zhou et al. Classification of botnet families based on features self-learning under network traffic censorship
Ten et al. Study on advanced visualization tools in network monitoring platform
CN111343008B (en) Comprehensive measurement method and system for discovering IPv6 accelerated deployment state
CN114244727A (en) Instant generation method and system for power Internet of things communication panorama
CN115866101A (en) Method, device, and medium for asset attribution identification with multi-protocol linkage between internal and external networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant