
CN116455801B - Method and device for obtaining full-path network access relationship - Google Patents

Method and device for obtaining full-path network access relationship

Info

Publication number
CN116455801B
CN116455801B (application CN202310454802.9A)
Authority
CN
China
Prior art keywords
network
nat device
nat
session
network access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310454802.9A
Other languages
Chinese (zh)
Other versions
CN116455801A (en)
Inventor
郭曦拓
徐徽
周明嘉
张佳温
张祥
颜回中
陈梓忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Guangfa Bank Co Ltd
Original Assignee
China Guangfa Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Guangfa Bank Co Ltd
Priority to CN202310454802.9A
Publication of CN116455801A
Application granted
Publication of CN116455801B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a device for acquiring a full-path network access relationship. The method comprises: obtaining a structured session log for each NAT device among a plurality of NAT devices; extracting, from the structured session log of each NAT device, the local network access relationship of a network session at that device, where the network session is one between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of that network boundary. The application addresses the technical problem that, in a complex NAT environment, the related art cannot efficiently and accurately acquire the full-path network access relationship that traverses the NAT devices.

Description

Method and device for acquiring full path network access relation
Technical Field
The application relates to the technical field of network communication, and in particular to a method and a device for acquiring a full-path network access relationship.
Background
With the growth of online services, communication between the enterprise intranet and the Internet, and between the enterprise intranet and partner extranets, is increasingly frequent. At the same time the security risk on the exposed surface of the network security boundary keeps increasing, and rapid acquisition of the network access relationships across the security boundary is critical for locating boundary attack events. Because a network access session that crosses the security boundary may have its source network address (Internet Protocol, IP), destination IP, destination port and other fields translated one or more times, the related art cannot efficiently and accurately obtain the full-path network access relationship across the security boundary in an environment where complex network address translation (Network Address Translation, NAT) is present.
No effective solution to the above problems has been proposed so far.
Disclosure of Invention
The embodiments of the application provide a method and a device for acquiring a full-path network access relationship, which at least solve the technical problem that the related art cannot efficiently and accurately acquire the full-path network access relationship traversing NAT devices in a complex NAT environment.
According to one aspect of the embodiments of the application, a method for acquiring a full-path network access relationship is provided, comprising: obtaining a structured session log corresponding to each NAT device among a plurality of NAT devices; extracting the local network access relationship of a network session at each NAT device from the structured session log of that device, where the network session is one between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.
The method comprises the steps of: obtaining the network boundary topology of the NAT device; generating an access path table of the NAT device from that topology, where the access path table comprises the identification information of the NAT device, the name of the network boundary it belongs to, its cascade level, the access direction of the network session through the NAT device, the name of the in-interface and the name of the out-interface, the in-interface being the interface through which the network session enters the NAT device and the out-interface the interface through which it leaves; generating a log aggregation table from the structured session log; determining the access direction of the network session through the NAT device from the access path table and the log aggregation table; and extracting the local network access relationship of the network session at the NAT device according to that access direction.
Optionally, obtaining the structured session log corresponding to each of the plurality of NAT devices comprises: obtaining a plurality of logs from the plurality of NAT devices; extracting key element information from these logs, where the key element information comprises a timestamp, a source network address, a destination port, a source mapping network address, a destination mapping port, a protocol type, a source interface and a destination interface; obtaining the identification information of each NAT device, which comprises at least one of the name of the NAT device and the network address of the NAT device; and combining the key element information and the identification information of each NAT device to obtain the structured session log corresponding to that device.
Optionally, generating the log aggregation table from the structured session log comprises: determining a preset period; collecting the structured session logs generated within that period; placing records whose key element information is identical except for the timestamp into one group, so as to obtain a plurality of groups; and generating the log aggregation table from those groups, where the table comprises the identification information of the NAT device, the key element information and the occurrence count of each group.
Optionally, after the log aggregation table has been generated from the structured session log, determining the access direction of the network session through the NAT device from the access path table and the log aggregation table comprises: reading from the log aggregation table the identification information of the NAT device together with the name of the source interface and the name of the destination interface recorded against that identification information; and using the identification information, the source interface name and the destination interface name to look up, in the access path table of the NAT device, the access direction of the network session through the NAT device indicated by that identification information.
Optionally, extracting the local network access relationship of the network session at the NAT device according to the access direction comprises the following. If the access direction is inbound, that is, a device outside the network boundary accesses a device inside it: the source mapping network address recorded against the identification information of the NAT device is taken as the internal interface source network address, the destination network address as the internal interface destination network address, the destination port as the internal interface destination port, the source network address as the external interface source network address, the destination mapping network address as the external interface destination network address, and the destination mapping port as the external interface destination port; the local network access relationships of the network session at the NAT device for inbound access are then determined from these six values. If the access direction is outbound, that is, a device inside the network boundary accesses a device outside it, the fields that are observed before translation (the source network address, the destination mapping network address and the destination mapping port) belong to the internal interface side and the fields observed after translation (the source mapping network address, the destination network address and the destination port) belong to the external interface side; the local network access relationships of the
network session at the NAT device for outbound access are then determined from the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port.
Optionally, concatenating the local network access relationships of each NAT device to obtain the full-path network access relationship of the network boundary to which it belongs comprises: determining, from the access path table of the NAT device, the number of NAT devices in that network boundary; if the number is greater than one, concatenating the local network access relationships of the NAT devices in the same network boundary according to a series rule to obtain the full-path network access relationship; and if the number equals one, taking the local network access relationship of the NAT device as the full-path network access relationship.
Optionally, concatenating the local network access relationships of the plurality of NAT devices within the same network boundary according to the series rule comprises: if the internal interface source network address of a first NAT device among the plurality of NAT devices equals the external interface source network address of a second NAT device, the internal interface destination network address of the first NAT device equals the external interface destination network address of the second NAT device, and the internal interface destination port of the first NAT device equals the external interface destination port of the second NAT device, concatenating the local network access relationship of the first NAT device and that of the second NAT device into a full-path access relationship of the network boundary, where the first and second NAT devices are adjacent and the cascade level of the first NAT device is lower than that of the second.
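The following is an added worked example, not code from the patent or its assignee, of the procedure described above: orienting each aggregated session by looking up the access path table, deriving the internal-side and external-side tuples from the access direction, and applying the series rule across cascade levels. The access path table, the aggregated log rows, device names and addresses are all constructed; the assumption that cascade level 1 is the device nearest the outside of the boundary follows from the series rule (lower level's internal tuple matches the higher level's external tuple).

```python
from typing import Dict, List, Optional, Tuple

# Constructed access path table (schema as the text describes for FIG. 4; names and values are
# ours). Cascade level 1 is the NAT device nearest the outside of the boundary, since the series
# rule matches the internal-side tuple of the lower level to the external-side tuple of the next.
ACCESS_PATH_TABLE = [
    {"nat_id": "FW-OUTER", "boundary": "DMZ", "level": 1, "direction": "in",  "in_if": "eth-outside", "out_if": "eth-inside"},
    {"nat_id": "FW-OUTER", "boundary": "DMZ", "level": 1, "direction": "out", "in_if": "eth-inside",  "out_if": "eth-outside"},
    {"nat_id": "LB-INNER", "boundary": "DMZ", "level": 2, "direction": "in",  "in_if": "ge0/1", "out_if": "ge0/2"},
    {"nat_id": "LB-INNER", "boundary": "DMZ", "level": 2, "direction": "out", "in_if": "ge0/2", "out_if": "ge0/1"},
]

# Constructed log aggregation table rows: key elements without the timestamp, plus a count.
# Per the glossary, src_ip/dst_map_ip/dst_map_port are the tuple before translation and
# src_map_ip/dst_ip/dst_port the tuple after translation.
AGGREGATED_LOG = [
    # outside client 203.0.113.10 -> published service 198.51.100.5:443, outer hop
    {"nat_id": "FW-OUTER", "proto": "tcp", "src_ip": "203.0.113.10", "dst_map_ip": "198.51.100.5", "dst_map_port": 443,
     "src_map_ip": "192.0.2.1", "dst_ip": "10.1.1.20", "dst_port": 8443, "src_if": "eth-outside", "dst_if": "eth-inside", "count": 12},
    # same session, inner hop through the load balancer
    {"nat_id": "LB-INNER", "proto": "tcp", "src_ip": "192.0.2.1", "dst_map_ip": "10.1.1.20", "dst_map_port": 8443,
     "src_map_ip": "192.0.2.1", "dst_ip": "10.2.2.30", "dst_port": 8080, "src_if": "ge0/1", "dst_if": "ge0/2", "count": 12},
    # intranet host 10.2.2.30 -> outside 203.0.113.50:443, inner hop then outer hop
    {"nat_id": "LB-INNER", "proto": "tcp", "src_ip": "10.2.2.30", "dst_map_ip": "203.0.113.50", "dst_map_port": 443,
     "src_map_ip": "10.1.1.99", "dst_ip": "203.0.113.50", "dst_port": 443, "src_if": "ge0/2", "dst_if": "ge0/1", "count": 3},
    {"nat_id": "FW-OUTER", "proto": "tcp", "src_ip": "10.1.1.99", "dst_map_ip": "203.0.113.50", "dst_map_port": 443,
     "src_map_ip": "198.51.100.5", "dst_ip": "203.0.113.50", "dst_port": 443, "src_if": "eth-inside", "dst_if": "eth-outside", "count": 3},
]

Tuple3 = Tuple[str, str, int]


def path_row(nat_id: str, src_if: str, dst_if: str) -> Optional[Dict]:
    """Access path table row whose in/out interfaces match the log's source/destination
    interface names; None if the device or interface pair is not in the topology."""
    for row in ACCESS_PATH_TABLE:
        if row["nat_id"] == nat_id and row["in_if"] == src_if and row["out_if"] == dst_if:
            return row
    return None


def local_relation(agg: Dict) -> Optional[Dict]:
    """Local network access relationship of one aggregated session at one NAT device."""
    row = path_row(agg["nat_id"], agg["src_if"], agg["dst_if"])
    if row is None:
        return None  # unknown interface pair: the session cannot be oriented
    before: Tuple3 = (agg["src_ip"], agg["dst_map_ip"], agg["dst_map_port"])
    after: Tuple3 = (agg["src_map_ip"], agg["dst_ip"], agg["dst_port"])
    if row["direction"] == "in":
        external, internal = before, after   # outside -> inside: untranslated tuple on the external side
    else:
        internal, external = before, after   # inside -> outside: untranslated tuple on the internal side
    return {"nat_id": agg["nat_id"], "boundary": row["boundary"], "level": row["level"],
            "direction": row["direction"], "proto": agg["proto"],
            "internal": internal, "external": external, "count": agg["count"]}


def concatenate(relations: List[Dict]) -> List[Dict]:
    """Series rule: a relation at level k chains to one at level k+1 in the same boundary and
    direction when the level-k internal tuple equals the level-(k+1) external tuple."""
    paths: List[Dict] = []
    for boundary in sorted({r["boundary"] for r in relations}):
        rels = [r for r in relations if r["boundary"] == boundary]
        levels = sorted({r["level"] for r in rels})
        chains = [[r] for r in rels if r["level"] == levels[0]]
        for lvl in levels[1:]:
            grown = []
            for chain in chains:
                head = chain[-1]
                nxt = [c for c in rels if c["level"] == lvl and c["direction"] == head["direction"]
                       and c["proto"] == head["proto"] and c["external"] == head["internal"]]
                # a chain with no successor ends at a host between NAT levels; keep it as is
                grown.extend([chain + [c] for c in nxt] or [chain])
            chains = grown
        for chain in chains:
            paths.append({"boundary": boundary, "direction": chain[0]["direction"], "proto": chain[0]["proto"],
                          "external": chain[0]["external"], "internal": chain[-1]["internal"],
                          "hops": [r["nat_id"] for r in chain]})
    return paths


def full_path_relations(agg_table: List[Dict]) -> List[Dict]:
    rels = [r for r in (local_relation(a) for a in agg_table) if r is not None]
    return concatenate(rels)


if __name__ == "__main__":
    for p in full_path_relations(AGGREGATED_LOG):
        print(p["direction"], p["external"], "->", " -> ".join(p["hops"]), "->", p["internal"])
```

With one boundary of two cascaded devices this yields two full-path relationships: the inbound one from 203.0.113.10 to the published 198.51.100.5:443 that ends at 10.2.2.30:8080, and the outbound one from 10.2.2.30 that leaves the boundary as 198.51.100.5. A row whose interface pair is absent from the access path table is dropped rather than guessed, which is the check worth keeping when topology data and logs drift apart.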
Optionally, the method for acquiring the full-path network access relationship further comprises: determining the node corresponding to the device that initiates the access request in the full-path network access relationship as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices in the full-path network access relationship as intermediate nodes; determining the line segments connecting the start node, the intermediate nodes and the end node as edges, whose direction follows the access direction of the network session through the network boundary and is indicated by arrows; generating a visual view of the full-path network access relationship from the start node, the intermediate nodes, the end node and the edges; and displaying that view.
According to another aspect of the embodiments of the application, a system for displaying full-path network access relationships is provided, comprising a terminal device, a data visualization server and a data processing server. The terminal device is connected to the data visualization server and is used to send it a query request for the full-path network access relationships of a network boundary and to display those relationships. The data visualization server is connected to the data processing server and is used to respond to the query request and obtain the data corresponding to the full-path network access relationships. The data processing server is used to obtain a plurality of logs from a plurality of NAT devices, convert them into the structured session log corresponding to each NAT device, extract the local network access relationship of the network session at each NAT device from that structured session log, concatenate the local network access relationships at each NAT device to obtain the full-path network access relationships of the network boundary of each NAT device, store the data corresponding to those relationships, and send it to the data visualization server.
According to another aspect of the embodiments of the application, an apparatus for acquiring a full-path network access relationship is provided, comprising an acquisition module, an extraction module and a processing module. The acquisition module is used to obtain the structured session log corresponding to each NAT device among a plurality of NAT devices; the extraction module is used to extract the local network access relationship of a network session at each NAT device from that structured session log, where the network session is one between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and the processing module is used to concatenate the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs.
According to another aspect of the embodiments of the present application, a nonvolatile storage medium is further provided, in which a computer program is stored; the device on which the nonvolatile storage medium resides executes the above method for acquiring a full-path network access relationship by running the computer program.
According to another aspect of the embodiments of the present application, an electronic device is also provided, comprising a memory in which a computer program is stored and a processor arranged to perform the above method for acquiring a full-path network access relationship by running the computer program.
According to the method, system and device above, the local network access relationship of the network session at each NAT device is extracted from the structured session log of that device, where the network session is one between a device inside the network boundary of the NAT device and a device outside it, and the local network access relationships of the network session at each NAT device are concatenated to obtain the full-path network access relationship of the network boundary. That is, the local network access relationship is obtained at each of the several NAT device nodes on the boundary network path, and these local relationships are matched in series, so that the full-path network access relationship of the network boundary of each NAT device can be acquired and displayed, including under complex configuration scenarios such as one-to-many mapping, multi-pair mapping and associated policy-based routing (Policy Based Routing, PBR).
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a method of obtaining full path network access relationships according to an embodiment of the application;
FIG. 2 is a schematic diagram of a log aggregation table according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a network boundary topology according to an embodiment of the application;
FIG. 4 is a schematic diagram of an access path table of a NAT device according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a full path network access relationship table according to an embodiment of the application;
FIG. 6 is a schematic diagram of a full path network access relationship view in accordance with an embodiment of the present application;
FIG. 7 is a block diagram of a system for displaying full path network access relationships in accordance with an embodiment of the present application;
FIG. 8 is a workflow diagram of a system for displaying full path network access relationships according to an embodiment of the application;
FIG. 9 is a block diagram of an apparatus for acquiring a full path network access relationship according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In order to better understand the embodiments of the present application, technical terms related to the embodiments of the present application are explained as follows:
NAT device: in the embodiments of the application, any device with a NAT function, such as a firewall, load balancer, switch, router or NAT gateway; in form it may be a physical device, a virtual server or a cloud server.
Timestamp: data produced by digital signature technology to attest the generation time of a signed object; in the embodiments of the application, the timestamp of each log indicates the time at which that log was generated.
Source network address (source IP): the IP value of the source address field in the IP packet before the packet initiated by the client enters the NAT device.
Source mapping network address (source mapping IP): the IP value of the source address field in the IP packet after the packet initiated by the client has passed through the NAT device.
Destination network address (destination IP): the real destination IP, that is, the IP value of the destination address field in the IP packet after the packet initiated by the client has passed through the NAT device.
Destination mapping network address (destination mapping IP): the IP value of the destination address field in the IP packet before the packet initiated by the client enters the NAT device.
Destination port: the port value of the destination port field in the IP packet after the packet initiated by the client has passed through the NAT device.
Destination mapping port: the port value of the destination port field in the IP packet before the packet initiated by the client enters the NAT device.
Internal interface: the interface on the side of the NAT device facing the internal network; it is the outlet interface of a packet when an external client actively accesses the internal network, and the inlet interface of a packet when an internal client actively accesses the external network.
External interface: the interface on the side of the NAT device facing the external network; it is the inlet interface of a packet when an external client actively accesses the internal network, and the outlet interface of a packet when an internal client actively accesses the external network.
Internal interface source network address (internal interface source IP): the IP value of the source IP field of the client-initiated packet as seen on the internal interface side of the NAT device.
Internal interface destination network address (internal interface destination IP): the IP value of the destination IP field of the client-initiated packet as seen on the internal interface side of the NAT device.
Internal interface destination port: the port value of the destination port field of the client-initiated packet as seen on the internal interface side of the NAT device.
External interface source network address (external interface source IP): the IP value of the source IP field of the client-initiated packet as seen on the external interface side of the NAT device.
External interface destination network address (external interface destination IP): the IP value of the destination IP field of the client-initiated packet as seen on the external interface side of the NAT device.
External interface destination port: the port value of the destination port field of the client-initiated packet as seen on the external interface side of the NAT device.
Local network access relationship: the access relationship observed in network traffic at one specific location on a network security boundary topology path; in the embodiments of the present application, the "source IP, destination port and protocol" of the client-initiated packet jointly represent a network access relationship.
Full-path network access relationship: the local network access relationship is translated each time it passes through a NAT device; matching the local network access relationships before and after each NAT device along the network security boundary path in series yields the full-path network access relationship that traverses the whole network security boundary.
In the related art, either an agent program is installed on the server and reports the server's network access information to a central monitoring server, which yields the local network access relationship of that server; or a network traffic probe is deployed to capture traffic packets, which a traffic analysis device parses into network session data that is then aggregated to obtain the network access relationship across the network boundary. However, the access relationships collected by an agent are mixed with the access relationships internal to the intranet, and those crossing the network boundary can only be identified by combining them with other data sources such as a configuration management database (Configuration Management Database, CMDB); and because a data center generates a large volume of cross-boundary traffic every day, parsing the packets captured by a traffic probe places heavy demands on storage and CPU. Both approaches are therefore cumbersome and costly, and can only obtain the local network access relationship across the network boundary. To solve this problem, the embodiments of the present application provide the solutions described in detail below.
In accordance with an embodiment of the present application, there is provided a method embodiment for obtaining full path network access relationships, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
Fig. 1 is a flowchart of a method for obtaining a full path network access relationship according to an embodiment of the present application, as shown in fig. 1, the method includes the following steps:
step S102, a structured session log corresponding to each NAT device in the plurality of NAT devices is obtained.
The method provided by the application is realized on the basis of acquiring the session logs of the NAT devices, so that in step S102, firstly, the structured session logs of each NAT device in the network boundary are acquired, and because a plurality of NAT devices of different types are usually arranged in the network boundary, the types of the acquired logs are different, and the initially acquired logs are usually a large string of irregular characters, therefore, when the structured session logs of each NAT device are acquired, firstly, the interface Protocol of the log interface provided by each NAT device is required to be identified, specifically, the interface Protocol can be a plurality of types of protocols such as a system log Protocol (syslog), a file transfer Protocol (FILE TRANSFER Protocol, FTP), a security file transfer Protocol (SECRET FILE TRANSFER Protocol, SFTP), a hypertext transfer Protocol (HyperText Transfer Protocol, HTTP) and the like, and the session logs of each NAT device are acquired according to the interface Protocol, for example, if the log interface provided by the NAT device uses the system log Protocol (syslog), the session log of the device is acquired through the syslog, and then the session log is converted into the standardized form of the structured session log of the NAT device.
According to an optional embodiment of the application, obtaining the structured session log corresponding to each NAT device comprises the following steps: obtaining a plurality of logs of the plurality of NAT devices; obtaining key element information from the logs, wherein the key element information comprises at least one of a timestamp, a source network address, a destination network address, a destination port, a source mapping network address, a destination mapping network address, a destination mapping port, a protocol type, a source interface and a destination interface; obtaining identification information of each NAT device, wherein the identification information comprises at least one of the name of the NAT device and the network address of the NAT device; and combining the key element information of each NAT device with the identification information of each NAT device to obtain the structured session log corresponding to each NAT device.
In this embodiment, the collected logs are converted into structured session logs in the standard form as follows. Each collected log is parsed, and the following key element information is extracted from it: the timestamp; the value of the source address field in the IP packet before the data packet from the client side enters the NAT device (i.e., the source network address, or source IP); the value of the destination address field in the IP packet after the data packet from the client side passes through the NAT device (i.e., the destination network address, or destination IP); the value of the destination port field in the IP packet after the data packet passes through the NAT device (i.e., the destination port); the value of the source address field in the IP packet after the data packet passes through the NAT device (i.e., the source mapping network address, or source mapping IP); the destination mapping network address (destination mapping IP) and the destination mapping port, which are the values of the destination address and destination port fields on the other side of the translation, so that they equal the destination IP and the destination port when the NAT device does not translate those fields; the protocol type; and the names of the interfaces through which the data packet enters and leaves the NAT device (i.e., the source interface and the destination interface). The identification information of the NAT device, such as its name or its network address, is also obtained from the log. The identification information of each NAT device is then combined with its key element information, such as the source IP, destination IP, destination port, source mapping IP, destination mapping IP, destination mapping port, protocol type, source interface and destination interface, to generate the structured session log of that NAT device.
For example, the structured session log of each NAT device is obtained by combining the first field which is the NAT device name, the second field which is the source IP, the third field which is the destination IP, the fourth field which is the destination port, the fifth field which is the protocol type, the sixth field which is the source mapping IP, the seventh field which is the destination mapping IP, the eighth field which is the destination mapping port, the ninth field which is the source interface, and the tenth field which is the destination interface.
Step S104, extracting the local network access relation of the network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between the device in the network boundary to which each NAT device belongs and the device outside the network boundary to which each NAT device belongs.
After the structured session log of each NAT device is obtained by the method provided in step S102, in step S104, an access relationship (i.e., a local network access relationship) between network sessions observed at each NAT device is extracted according to information recorded in the structured session log of each NAT device, where a network session is a session occurring between a device within a network boundary to which the NAT device belongs and a device outside the network boundary to which the NAT device belongs.
According to another optional embodiment of the application, extracting the local network access relationship of the network session at each NAT device according to the structured session log corresponding to each NAT device comprises the following steps: obtaining the network boundary topological relationship of the NAT device; generating an access path table of the NAT device according to the network boundary topological relationship, wherein the access path table of the NAT device comprises the identification information of the NAT device, the name of the network boundary where the NAT device is located, the cascade level of the NAT device, the access direction of the network session passing through the NAT device, the name of an in interface and the name of an out interface, the in interface being the interface through which the network session enters the NAT device and the out interface being the interface through which the network session exits the NAT device; generating a log aggregation table according to the structured session log; determining the access direction of the network session passing through the NAT device according to the access path table and the log aggregation table of the NAT device; and extracting the local network access relationship of the network session at the NAT device according to the access direction.
In this embodiment, the local network access relationship at each NAT device is extracted from the information recorded in the structured session log of each NAT device as follows: a log aggregation table is first generated on the basis of the structured session logs obtained in step S102; a network boundary topology map is then obtained which records information such as the name/IP address of the NAT device (i.e., the identification information of the NAT device), the name of the network boundary where the NAT device is located, the cascade level of the NAT device, the access direction of the network session through the NAT device, the name of the interface through which the network session enters the NAT device (i.e., the in interface) and the name of the interface through which it exits the NAT device (i.e., the out interface); the direction in which the network session passes through the NAT device is determined according to the network boundary topology map and the log aggregation table, i.e., whether the access runs from the external network to the internal network or the reverse; and finally the local network access relationship of the network session at each NAT device is extracted according to the determined access direction.
According to some preferred embodiments of the present application, generating the log aggregation table from the structured session logs comprises: determining a preset period and collecting a plurality of structured session logs within the preset period; classifying those of the plurality of structured session logs whose key element information is completely identical except for the timestamp into one group of data, so as to obtain a plurality of groups of data; and generating the log aggregation table according to the plurality of groups of data, wherein the log aggregation table comprises the identification information of the NAT device, the key element information and the number of occurrences of each group of data.
In some preferred embodiments, the log aggregation table is generated from the structured session logs as follows. Since the NAT device generates a log every time a session is established, a large amount of data is obtained when the NAT device logs are collected in real time, and this data includes many records that are identical except for their timestamps. A processing period (i.e., the preset period), for example one hour, one day or one month, is therefore preset; the structured session logs are collected within the processing period and aggregated: structured session logs whose key element information, such as the name/IP address of the NAT device, the source IP, the destination IP, the destination port and the protocol type, is identical are aggregated into one group of data, and the groups of data so obtained are saved to generate the log aggregation table. Fig. 2 is a schematic diagram of a log aggregation table. As shown in fig. 2, the columns of the log aggregation table are, in order, the date, the NAT device, the source IP, the destination IP, the destination port, the protocol, the source mapping IP, the destination mapping IP, the destination mapping port, the source interface, the destination interface and the connection number (i.e., the number of occurrences of each group of data), where the date indicates when the logs were generated, the NAT device column holds the name/IP address of the NAT device, and the connection number indicates how many times the group of data occurred within one processing period. For example, as shown in fig. 2, among the data collected in the processing period 2022-01 there are 100 logs of the device 2-1 whose source IP is 211.0.0.2, destination IP is 172.16.0.2, destination port is 8080, protocol type is the Transmission Control Protocol (TCP), source mapping IP is 211.0.0.2, destination mapping IP is 112.0.0.2 and destination mapping port is 80; together with their source interface and destination interface names, these logs form one group of data, and its connection number is recorded as 100 in the log aggregation table.
It should be noted that if the source IP and the source mapping IP are the same, it means that the NAT device does not translate the source IP field, if the destination IP and the destination mapping IP are the same, it means that the NAT device does not translate the destination IP field, and if the destination port and the destination mapping port are the same, it means that the NAT device does not translate the destination port field.
According to an optional embodiment of the application, a log aggregation table is generated according to the structured session log, and the access direction of the network session passing through the NAT device is determined according to the access path table and the log aggregation table of the NAT device, comprising the steps of obtaining the identification information of the NAT device in the log aggregation table, the name of a source interface corresponding to the identification information of the NAT device and the name of a destination interface corresponding to the identification information of the NAT device; and determining the access direction of the network session of the NAT device indicated by the identification information of the NAT device through an access path table of the NAT device by utilizing the identification information of the NAT device, the name of the source interface corresponding to the identification information of the NAT device and the name of the destination interface corresponding to the identification information of the NAT device.
Fig. 3 is a schematic diagram of a network boundary topology chart. As shown in fig. 3, the path of a network session through the NAT devices is recorded in the form of a topology chart, which includes the name of the network boundary where the NAT devices are located, the name of each NAT device in that network boundary, the cascade level of each NAT device, the names of the in interface and the out interface of each NAT device, the name of the network accessing the network boundary, and the name of the network reached after passing through the network boundary. In the example of fig. 3, the network boundary is named network boundary 1 and includes a device 2-1 and a device 2-2, where the "-1" in device 2-1 denotes that this NAT device is at cascade level 1 and, similarly, the "-2" in device 2-2 denotes that this NAT device is at cascade level 2. When the internal network 2 and/or the internal network 3 is accessed from the external network 1, the session enters each device through its in interface and leaves through its out interface, and the access direction of a group of logs in the log aggregation table is determined by matching the identification information of the NAT device, the source interface and the destination interface recorded in that group against the NAT device name, in interface and out interface recorded in the topology chart.
For example, if the value of the NAT device field in a group of logs recorded in the log aggregation table is device 2-1, the value of the source interface field is extranet and the value of the destination interface field is inside, and the network boundary topology diagram shown in fig. 3 shows that the network boundary 1 contains a NAT device named device 2-1 whose in interface is extranet and whose out interface is inside, then the NAT device recorded in that group of logs is identified as the same NAT device as in the topology diagram, and from the topology diagram it can be determined that passing through this NAT device from the interface extranet to the interface inside is an access from the external network to the internal network, i.e., the access direction of the network session at the NAT device 2-1 is inbound. Conversely, if the value of the NAT device field in another group of logs recorded in the log aggregation table is device 2-2, the value of the source interface field is inter and the value of the destination interface field is outside, and the network boundary topology diagram shown in fig. 3 shows that the network boundary 1 contains a NAT device named device 2-2 whose in interface is inter and whose out interface is outside, then the NAT device recorded in that group of logs is the same NAT device as in the topology diagram, and from the topology diagram it can be determined that passing through this NAT device from the interface inter to the interface outside is an access from the internal network to the external network, i.e., the access direction of the network session at the NAT device 2-2 is outbound.
It should be noted that, after the server performing the data processing acquires the network boundary topological relationship, the relationship is stored in the table form shown in fig. 4. Fig. 4 is an access path table of the NAT devices, and the contents recorded in the table are identical to the information recorded in fig. 3: for example, the name of the network boundary where the NAT devices are located, the name and cascade level of each NAT device in that network boundary, the access direction of the network session through the NAT device, the interface through which the network session enters the NAT device (i.e., the in interface) and the interface through which it exits the NAT device (i.e., the out interface) are recorded. As shown in fig. 4, for the network boundary 1 with 2 NAT devices described in fig. 3, the table records, for the inbound direction in which the internal network 2 is accessed from the external network 1 through the network boundary 1 and for the outbound direction in which the external network 1 is accessed from the internal network 3 through the network boundary 1, the ingress interface and the egress interface of the device 2-1 at cascade level 1 and of the device 2-2 at cascade level 2 (for example, in the inbound direction the egress interface of the device 2-1 is inside and the egress interface of the device 2-2 is dmz). The network boundary topological relationship needs to be initialized only once, can be stored and reused, and is updated only when a change in the NAT device topology within the network boundary is detected.
According to another alternative embodiment of the application, extracting the local network access relationship of the network session at the NAT device according to the access direction comprises: when the access direction is inbound, determining the source mapping network address corresponding to the identification information of the NAT device as the internal interface source network address, the destination network address corresponding to the identification information of the NAT device as the internal interface destination network address, the destination port corresponding to the identification information of the NAT device as the internal interface destination port, the source network address corresponding to the identification information of the NAT device as the external interface source network address, the destination mapping network address corresponding to the identification information of the NAT device as the external interface destination network address, and the destination mapping port corresponding to the identification information of the NAT device as the external interface destination port, wherein the internal interface is the interface of the NAT device facing the internal network and the external interface is the interface of the NAT device facing the external network from which the network boundary is accessed, and determining a plurality of local network access relationships of the network session at the NAT device according to the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port; and when the access direction is outbound, determining the source network address corresponding to the identification information of the NAT device as the internal interface source network address, the destination mapping network address as the internal interface destination network address, the destination mapping port as the internal interface destination port, the source mapping network address as the external interface source network address, the destination network address as the external interface destination network address and the destination port as the external interface destination port, and determining a plurality of local network access relationships of the network session at the NAT device according to the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port.
In this embodiment, after the access direction of the NAT device has been determined according to the above embodiment, the local network access relationship of the NAT device is extracted according to the access direction as follows. When the access direction is inbound, the value of the source mapping IP field recorded in the log of the NAT device is taken as the network address (i.e., the internal interface source network address) at the interface of the NAT device facing the internal network (i.e., the internal interface), the value of the destination IP field recorded in the log is taken as the internal interface destination network address of the NAT device, the value of the destination port field is taken as the internal interface destination port of the NAT device, the value of the source IP field is taken as the network address (i.e., the external interface source network address) at the interface of the NAT device facing the external network (i.e., the external interface), the value of the destination mapping IP field is taken as the external interface destination network address of the NAT device, and the value of the destination mapping port field is taken as the external interface destination port of the NAT device.
When the access direction is outbound, the value of the source IP field recorded in the log of the NAT device is taken as the network address (i.e., the internal interface source network address) at the interface of the NAT device facing the internal network (i.e., the internal interface), the value of the destination mapping IP field recorded in the log is taken as the internal interface destination network address of the NAT device, the value of the destination mapping port field is taken as the internal interface destination port of the NAT device, the value of the source mapping IP field is taken as the network address (i.e., the external interface source network address) at the interface of the NAT device facing the external network (i.e., the external interface), the value of the destination IP field is taken as the external interface destination network address of the NAT device, and the value of the destination port field is taken as the external interface destination port of the NAT device.
Therefore, according to whether the access direction is inbound or outbound, the local network access relationships of the network session at the NAT device, each consisting of the internal interface source network address, the internal interface destination network address, the internal interface destination port, the external interface source network address, the external interface destination network address and the external interface destination port, can be determined. If only one NAT device exists in the network boundary, two local network access relationships of that NAT device are obtained by this method: one is the local network access relationship from the external network to the external interface of the NAT device, and the other is the local network access relationship from the internal interface of the NAT device to the internal network. If a plurality of NAT devices exist in the network boundary, these two local network access relationships are obtained for each NAT device. For example, in fig. 2 the device 2-1 has a source IP of 211.0.0.2, a destination IP of 172.16.0.2, a destination port of 8080, a source mapping IP of 211.0.0.2, a destination mapping IP of 112.0.0.2 and a destination mapping port of 80; combined with fig. 3, the access direction is determined to be inbound because the internal network 2 is accessed from the external network 1. The network session then has two local network access relationships at the NAT device 2-1: one segment is the local network access relationship between the external network 1 and the external interface of the NAT device 2-1, composed of the external interface source network address 211.0.0.2, the external interface destination network address 112.0.0.2 and the external interface destination port 80; the other segment is the local network access relationship at the internal interface of the NAT device 2-1, composed of the internal interface source network address 211.0.0.2, the internal interface destination network address 172.16.0.2 and the internal interface destination port 8080.
Step S106, the local network access relation of the network session at each NAT device is connected in series, and the full path network access relation of the network boundary of each NAT device is obtained.
In step S106, after determining the local network access relationship of the NAT device by the above method, the network session is connected in series with the local network access relationships of each NAT device, so as to obtain the full path network access relationship of the network boundary to which the NAT device belongs.
According to an optional embodiment of the application, the local network access relation of each NAT device is connected in series to obtain the full path network access relation of the network boundary to which each NAT device belongs, and the method comprises the steps of determining the number of NAT devices in the network boundary to which each NAT device belongs from an access path table of the NAT device, connecting a plurality of local network access relations of a plurality of NAT devices in the same network boundary in series according to a series rule if the number is greater than one to obtain the full path network access relation, and determining the local network access relation of the NAT device as the full path network access relation if the number is equal to one.
In this embodiment, when the local network access relationship of each NAT device is connected in series, firstly, determining the network boundary to which the NAT device belongs and the number of NAT devices in the network boundary from the access path table of the NAT device shown in fig. 4, if only one NAT device exists in the network boundary, the local network access relationship of the NAT device is the full path network access relationship of the network boundary, and if the network boundary includes 2 or more NAT devices, at this time, connecting the local network access relationships of the NAT devices in the network boundary in series to obtain the full path network access relationship of the network boundary.
According to other preferred embodiments of the present application, concatenating the local network access relationships of the plurality of NAT devices within the same network boundary according to the concatenation rule comprises: if the internal interface source network address of a first NAT device of the plurality of NAT devices is equal to the external interface source network address of a second NAT device of the plurality of NAT devices, the internal interface destination network address of the first NAT device is equal to the external interface destination network address of the second NAT device, and the internal interface destination port of the first NAT device is equal to the external interface destination port of the second NAT device, concatenating the local network access relationships of the first NAT device and the local network access relationships of the second NAT device into the full path access relationship of the network boundary, wherein the first NAT device and the second NAT device are adjacent, and the cascade level of the first NAT device is lower than the cascade level of the second NAT device.
In other preferred embodiments, the local network access relationships of the plurality of NAT devices within the same network boundary are concatenated as follows. The cascade level of each NAT device within the network boundary is determined and, starting from the lowest level, the local network access relationship of the NAT device at the lower cascade level is matched with that of the adjacent NAT device at the next higher cascade level: the internal interface source network address described in the local network access relationship of the lower-level NAT device is matched with the external interface source network address described in the local network access relationship of the adjacent higher-level NAT device, the internal interface destination network address of the lower-level NAT device with the external interface destination network address of the adjacent higher-level NAT device, and the internal interface destination port of the lower-level NAT device with the external interface destination port of the adjacent higher-level NAT device. When all three match, the two local network access relationships are concatenated, and the concatenation proceeds level by level from the lowest level until the highest-level NAT device of the network boundary is reached, at which point the full path network access relationship of the network boundary is complete.
For example, the network boundary 1 includes a level 1 NAT device 2-1 and a level 2 NAT device 2-2, the internal interface source network address of the NAT device 2-1 is 211.0.0.2, the internal interface destination network address is 172.16.0.2, the internal interface destination port is 8080, the external interface source network address of the NAT device 2-2 is 211.0.0.2, the external interface destination network address is 172.16.0.2, and the external interface destination port is 8080, and then the local network access relationship of the NAT device 2-1 and the local network access relationship of the NAT device 2-2 are connected in series to form a full path network access relationship of the network boundary 1.
Fig. 5 is a schematic diagram of a full path network access relationship table. It should be explained that, after the full path network access relationship of the network boundary is obtained, it may also be recorded and stored in the form of the table shown in fig. 5, where the full path network access relationship table records the name of the network boundary, the access direction in which the network session accesses the network boundary, the local network access relationship at the external interface of the lowest cascade level, the local network access relationship at the internal interface of the highest cascade level, the local network access relationship between adjacent NAT devices, the protocol adopted by the network session, and the number of occurrences (i.e., the connection number) of the same full path network access relationship; the local network access relationship at the external interface of the lowest cascade level, the local network access relationship at the internal interface of the highest cascade level and the local network access relationship between adjacent NAT devices are each composed of a source IP field, a destination IP field and a destination port field. When the network boundary 1 shown in fig. 3 includes the NAT device 2-1 at the lowest cascade level and the NAT device 2-2 at the highest cascade level, and the internal network 2 or the internal network 3 is accessed from the external network 1, the access direction is recorded as inbound in the full path network access relationship table of the network boundary 1, the local network access relationship at the external interface of the device 2-1 is composed of the source IP 211.0.0.2, the destination IP 112.0.0.2 and the destination port 80, the local network access relationship at the internal interface of the device 2-2 is composed of the source IP 211.0.0.2, the destination IP 172.16.0.2 and the destination port 8080, the local network access relationship between the device 2-1 and the device 2-2 is composed of the source IP 211.0.0.2, the destination IP 172.16.0.2 and the destination port 8080, and the number of occurrences of this full path access relationship (for example, 100 times) is recorded in the table. When the external network 1 is accessed from the internal network 2 or the internal network 3, the access direction is recorded as outbound in the full path network access relationship table of the network boundary 1, the local network access relationship at the external interface of the device 2-1 is composed of the source IP 112.0.10.3, the destination IP 211.0.0.3 and the destination port 443, the local network access relationship at the internal interface of the device 2-2 is composed of the source IP 172.16.0.3, the destination IP 192.168.0.3 and the destination port 443, the local network access relationship between the device 2-1 and the device 2-2 is composed of the source IP 172.16.0.3, the destination IP 211.0.0.3 and the destination port 443, and the number of occurrences of this full path access relationship (for example, 200 times) is recorded in the table.
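Steps S102 to S106 carried through on constructed data, as an added example that is not part of the patent: the log rows, the access path table and the interface names beyond those quoted from figs. 2 to 5 are assumed, and the addresses and ports are the ones the figures describe.

```python
from collections import Counter
from typing import Dict, List, Tuple

Relation = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# Field order of one structured session log row: timestamp first, then the ten
# fields named in the text (NAT name, source IP, ..., destination interface).
FIELDS = ("ts", "nat", "src_ip", "dst_ip", "dst_port", "proto", "src_map_ip",
          "dst_map_ip", "dst_map_port", "src_if", "dst_if")

# Constructed session logs for one processing period; addresses echo figs. 2 and 5.
SESSION_LOGS = [
    ("2022-01-01 10:00:01", "device 2-1", "211.0.0.2", "172.16.0.2", 8080, "TCP",
     "211.0.0.2", "112.0.0.2", 80, "extranet", "inside"),
    ("2022-01-01 10:00:09", "device 2-1", "211.0.0.2", "172.16.0.2", 8080, "TCP",
     "211.0.0.2", "112.0.0.2", 80, "extranet", "inside"),  # same key, later timestamp
    ("2022-01-01 10:00:01", "device 2-2", "211.0.0.2", "172.16.0.2", 8080, "TCP",
     "211.0.0.2", "172.16.0.2", 8080, "outside", "dmz"),   # device 2-2 translates nothing
    ("2022-01-01 10:00:09", "device 2-2", "211.0.0.2", "172.16.0.2", 8080, "TCP",
     "211.0.0.2", "172.16.0.2", 8080, "outside", "dmz"),
    ("2022-01-01 11:30:00", "device 2-2", "172.16.0.3", "211.0.0.3", 443, "TCP",
     "172.16.0.3", "192.168.0.3", 443, "inter", "outside"),
    ("2022-01-01 11:30:00", "device 2-1", "172.16.0.3", "211.0.0.3", 443, "TCP",
     "112.0.10.3", "211.0.0.3", 443, "inside", "extranet"),
]

# Constructed access path table (fig. 4 layout): NAT name, network boundary, cascade
# level, access direction, in interface, out interface. The interface names of the
# inbound row of device 2-2 and the outbound row of device 2-1 are assumed.
ACCESS_PATH_TABLE = [
    ("device 2-1", "network boundary 1", 1, "inbound", "extranet", "inside"),
    ("device 2-2", "network boundary 1", 2, "inbound", "outside", "dmz"),
    ("device 2-1", "network boundary 1", 1, "outbound", "inside", "extranet"),
    ("device 2-2", "network boundary 1", 2, "outbound", "inter", "outside"),
]


def aggregate(logs) -> List[Dict]:
    """Log aggregation table: rows identical except for the timestamp collapse into
    one row carrying the connection number (occurrences within the period)."""
    counts = Counter(row[1:] for row in logs)
    return [dict(zip(FIELDS[1:], key), connections=n) for key, n in counts.items()]


def translated_fields(entry: Dict) -> List[str]:
    """Fields the NAT device rewrote; equal pre/post values mean no translation."""
    pairs = (("src_ip", "src_map_ip"), ("dst_ip", "dst_map_ip"), ("dst_port", "dst_map_port"))
    return [a for a, b in pairs if entry[a] != entry[b]]


def access_direction(entry: Dict) -> Tuple[str, int, str]:
    """Match NAT name plus (source interface, destination interface) against the access
    path table's (in interface, out interface); returns boundary, level, direction."""
    for nat, boundary, level, direction, in_if, out_if in ACCESS_PATH_TABLE:
        if (nat, in_if, out_if) == (entry["nat"], entry["src_if"], entry["dst_if"]):
            return boundary, level, direction
    raise LookupError(f"no access path row for {entry['nat']}: {entry['src_if']}->{entry['dst_if']}")


def local_relations(entry: Dict, direction: str) -> Tuple[Relation, Relation]:
    """(external-interface relation, internal-interface relation) of one NAT device,
    picking pre- or post-translation fields according to the inbound/outbound rules."""
    if direction == "inbound":
        external = (entry["src_ip"], entry["dst_map_ip"], entry["dst_map_port"])
        internal = (entry["src_map_ip"], entry["dst_ip"], entry["dst_port"])
    else:
        external = (entry["src_map_ip"], entry["dst_ip"], entry["dst_port"])
        internal = (entry["src_ip"], entry["dst_map_ip"], entry["dst_map_port"])
    return external, internal


def full_path_relations(logs) -> List[Dict]:
    """Chain local relations level by level: the internal relation at level k must equal
    the external relation at level k+1 under the same protocol. A boundary with one
    NAT device yields its local relation unchanged. Taking min() of the hop counts as
    the path's connection number is an assumption of this example."""
    hops: Dict[Tuple[str, str], Dict[int, List]] = {}
    for entry in aggregate(logs):
        boundary, level, direction = access_direction(entry)
        ext, inn = local_relations(entry, direction)
        hops.setdefault((boundary, direction), {}).setdefault(level, []).append(
            (ext, inn, entry["proto"], entry["connections"]))
    paths = []
    for (boundary, direction), levels in hops.items():
        for first in levels.get(1, []):          # every path starts at cascade level 1
            walked = [first]
            for lvl in range(2, max(levels) + 1):
                cur = walked[-1]
                nxt = next((h for h in levels.get(lvl, [])
                            if h[0] == cur[1] and h[2] == cur[2]), None)
                if nxt is None:                  # no adjacent hop continues this session
                    break
                walked.append(nxt)
            if len(walked) == max(levels):       # reached the highest-level device
                paths.append({"boundary": boundary, "direction": direction,
                              "proto": first[2], "external": walked[0][0],
                              "between": [h[0] for h in walked[1:]],
                              "internal": walked[-1][1],
                              "connections": min(h[3] for h in walked)})
    return paths
```

Each entry returned by full_path_relations carries the same columns as the fig. 5 table; a log group whose interfaces are absent from the access path table raises LookupError rather than being silently skipped.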
In the method, the local network access relationships before and after each NAT device are extracted from the NAT session logs, and the NAT-device topology of the network boundary is used to concatenate the several local relationships into the full-path network access relationship of the boundary in which the NAT devices sit. Because the full-path relationship of a session crossing the boundary is extracted from the session logs rather than reconstructed from the mapping configuration of the NAT devices, the method copes with complex NAT configurations such as one-to-many mapping, many-to-one mapping and mappings tied to policy-based routing, and with cascades of several NAT devices. It obtains the full-path relationship of a boundary accurately and efficiently without deploying agents or capturing and analysing massive volumes of traffic, which reduces operation and maintenance cost.
According to an optional embodiment of the application, the method further comprises: determining the node corresponding to the device that initiates the access request as the start node, the node corresponding to the device that receives the request as the end node, and the NAT devices in the full-path relationship as intermediate nodes; determining the line segments connecting the start, intermediate and end nodes as edges, whose direction follows the access direction of the session through the network boundary and is indicated by arrows; generating a visual view of the full-path network access relationship from these nodes and edges; and displaying that view.
The method of the embodiment may further display the full-path network access relationship. Fig. 6 is a schematic diagram of a full-path network access relationship visual view. The view is divided into an external network area, a network boundary area and an internal network area; in the example shown, the network session is initiated from the internal network. The internal network area shows the name of the device in the internal network (i.e. the client), its network address (e.g. 172.16.0.3) and the local network access relationship with which the session enters the network boundary from the internal network. The network boundary area shows the name of each NAT device in the boundary (e.g. NAT device 1, NAT device 2), its source interface (e.g. inside, intranet) and destination interface (e.g. extranet, outside), and the local network access relationship of the session between the NAT devices. The external network area shows the name of the device in the external network (e.g. server), its network address (e.g. 112.0.10.3:443) and the local network access relationship with which the session leaves the boundary for the external network. Each relationship is displayed as a label: the one on the external side of the boundary carries the source network address (e.g. 112.0.10.3), the destination network address (e.g. 211.0.10.3) and the destination port (e.g. 443); the one with which the session enters the boundary from the internal network carries the source network address (e.g. 172.16.0.3), the destination network address (e.g. 192.168.0.3) and the destination port (e.g. 443); and the one between the NAT devices carries the source network address (e.g. 172.16.0.3), the destination network address (e.g. 211.0.0.3) and the destination port (e.g. 443). When the access path is displayed, the node corresponding to the device that initiates the access request is the start node, the nodes corresponding to the NAT devices are intermediate nodes, the node corresponding to the accessed device is the end node, the nodes on the path are joined by line segments that form the edges, and the access direction is indicated by arrows.
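The node and edge construction described above can be made concrete with a small script. The following Python is an added example, not code from the patent: it builds the start node, intermediate NAT nodes, end node and directed, labelled edges for one full-path relationship and emits them as Graphviz DOT, with the three areas of Fig. 6 as clusters. The input row is constructed from the outbound example of Fig. 3 (device 2-1 at the lowest cascade level, device 2-2 at the highest); the node names, the tuple layout of the row and the DOT rendering are assumptions.

```python
"""Visual view of claim 8 / Fig. 6 as Graphviz DOT. Added example, not the
patent's code; row layout, node names and rendering are assumptions."""

# One full-path relationship as (src, dst, dport) tuples. "devices" is listed from
# the lowest cascade level (outermost) to the highest (innermost). Constructed from
# the Fig. 3 outbound example.
OUTBOUND_ROW = {
    "direction": "outbound",
    "devices": ["NAT device 2-1", "NAT device 2-2"],
    "outer": ("112.0.10.3", "211.0.0.3", 443),      # external interface of 2-1
    "between": [("172.16.0.3", "211.0.0.3", 443)],  # between 2-1 and 2-2
    "inner": ("172.16.0.3", "192.168.0.3", 443),    # internal interface of 2-2
}


def build_edges(row):
    """Start node = initiator, end node = accessed device, NAT devices in between.
    Edges follow the access direction: an outbound path runs from the innermost
    device outwards, an inbound path from the outermost device inwards. Each edge
    carries the local relationship observed on that hop as its label."""
    hops = [row["outer"]] + row["between"] + [row["inner"]]  # ordered outside -> inside
    if row["direction"] == "inbound":
        nodes = [row["outer"][0]] + row["devices"] + [row["inner"][1]]
    else:
        nodes = [row["inner"][0]] + row["devices"][::-1] + [row["outer"][1]]
        hops = hops[::-1]
    return [(nodes[i], nodes[i + 1], "%s -> %s:%d" % hop) for i, hop in enumerate(hops)]


def to_dot(row):
    """Render the three areas of Fig. 6 (external network, network boundary,
    internal network) as clusters and label every edge with its relationship."""
    edges = build_edges(row)
    inbound = row["direction"] == "inbound"
    external = row["outer"][0] if inbound else row["outer"][1]
    internal = row["inner"][1] if inbound else row["inner"][0]
    lines = ["digraph full_path {", "  rankdir=LR;"]
    for area, members in (("external_network", [external]),
                          ("network_boundary", row["devices"]),
                          ("internal_network", [internal])):
        lines.append('  subgraph cluster_%s { label="%s";' % (area, area.replace("_", " ")))
        lines += ['    "%s";' % m for m in members]
        lines.append("  }")
    lines += ['  "%s" -> "%s" [label="%s"];' % e for e in edges]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(OUTBOUND_ROW))
```

Feeding the printed text to `dot -Tsvg` draws the client 172.16.0.3 on the left, the two NAT devices in the boundary cluster and the external server 211.0.0.3 on the right, with the arrows pointing outwards and each hop labelled with its source, destination and port.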
Fig. 7 is a block diagram of a system for displaying full-path network access relationships according to an embodiment of the application. It comprises a terminal device 70, a data visualization server 72 and a data processing server 74. The terminal device 70 is connected to the data visualization server 72, sends it a query request for the full-path network access relationship of a network boundary, and displays the relationship returned. The data visualization server 72 is connected to the data processing server 74, responds to the query request and obtains the data corresponding to the full-path network access relationship. The data processing server 74 obtains the logs of the NAT devices, converts them into a structured session log for each NAT device, extracts from each structured session log the local network access relationship of the network session at that device, concatenates the local relationships to obtain the full-path network access relationship of the boundary to which the devices belong, stores the corresponding data and delivers it to the data visualization server 72.
Fig. 8 is a flowchart of the system displaying the full-path network access relationship of the network boundary in which a NAT device is located. The terminal device 70 first sends a query request to the data visualization server 72 for the full-path network access relationship of that boundary. On receiving the request, the data visualization server 72 obtains the relationship from the data processing server 74, which returns the stored data identifying it. The data processing server 74 collects the session log of each NAT device in the boundary over a predetermined period, converts each into a standard structured session log, extracts from it the local network access relationship of each device, and concatenates these into the full-path network access relationship of the boundary as described above, storing the result. The data visualization server 72 then sends the full-path network access relationship in displayable form to the terminal device 70, which generates and displays the full-path view.
Fig. 9 is a block diagram of an apparatus for acquiring a full-path network access relationship according to an embodiment of the application. It includes an acquiring module 90 configured to obtain a structured session log corresponding to each of a plurality of NAT devices; an extracting module 92 configured to extract, from each structured session log, the local network access relationship of a network session at that NAT device, the network session being one between a device inside the network boundary to which the NAT device belongs and a device outside that boundary; and a processing module 94 configured to concatenate the local network access relationships at each NAT device to obtain the full-path network access relationship of the network boundary to which the NAT devices belong.
In operation, the acquiring module 90 collects and parses the session log of each NAT device in the network boundary in real time and converts the raw session logs into standard structured session logs. The extracting module 92 obtains and stores the structured logs produced by the acquiring module 90, aggregates and classifies them over a preset period (one hour, one day or one month), and extracts from the aggregated data the local network access relationships before and after each NAT device. The processing module 94 concatenates the local relationships obtained by the extracting module 92 into the full-path network access relationship of the network boundary in which the NAT devices are located.
It should be noted that, the preferred implementation manner of the embodiment shown in fig. 9 may refer to the related description of the embodiment shown in fig. 1, which is not repeated herein.
The method of the embodiment can be applied at any network boundary where NAT devices are deployed: for example, the boundary between an intranet and the Internet in a data centre, the boundary between different service isolation zones in a data centre, or the boundary between a public cloud and the Internet. The method collects the NAT session logs of the NAT devices at the security boundary, extracts the local network access relationships before and after each NAT device, and matches and concatenates these across the several NAT device nodes on the boundary path, thereby obtaining the full-path access relationship of the security boundary accurately. In environments with cascaded NAT devices and complex NAT configuration, such as one-to-many mapping, many-to-one mapping, and address or port mappings associated with policy-based routing (PBR), no agent needs to be deployed on large numbers of service servers and no massive volume of service traffic needs to be captured and analysed, which reduces operation and maintenance cost.
The embodiment of the application also provides a non-volatile storage medium storing a computer program; the device on which the medium is located runs the program to execute the above method for acquiring the full-path network access relationship.
The nonvolatile storage medium is used for storing a program for executing the following functions of acquiring a structured session log corresponding to each NAT device in a plurality of NAT devices, extracting a local network access relation of a network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between a device in a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs, and connecting the local network access relation of the network session at each NAT device in series to obtain a full path network access relation of the network boundary to which each NAT device belongs.
The embodiment of the application also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to perform, by running the computer program, the above method for acquiring the full-path network access relationship.
The processor in the electronic device is used for running a program for executing the following functions of acquiring a structured session log corresponding to each NAT device in a plurality of NAT devices, extracting a local network access relation of a network session at each NAT device according to the structured session log corresponding to each NAT device, wherein the network session is a session between a device in a network boundary to which each NAT device belongs and a device outside the network boundary to which each NAT device belongs, and connecting the local network access relation of the network session at each NAT device in series to obtain a full path network access relation of the network boundary to which each NAT device belongs.
It should be noted that each module of the apparatus for acquiring the full-path network access relationship may be a program module (for example, a set of program instructions implementing a specific function) or a hardware module; in the latter case, without limitation, each module may be implemented as one processor, or the functions of all modules may be implemented by one processor.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the related art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk or any other medium that can store program code.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (12)

1. A method for obtaining a full-path network access relationship, comprising:
obtaining a structured session log corresponding to each NAT device of a plurality of NAT devices;
extracting, from the structured session log corresponding to each NAT device, the local network access relationship of a network session at that NAT device, comprising: generating a log aggregation table from the structured session log, and determining, from the ingress/egress path table of the NAT device and the log aggregation table, the access direction of the network session passing through the NAT device; and extracting, according to the access direction, the local network access relationship of the network session at the NAT device, wherein the ingress/egress path table stores the path of the network session through the NAT device, and the network session is a session between a device inside the network boundary to which each NAT device belongs and a device outside that network boundary;
concatenating the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, comprising: determining, from the ingress/egress path table of the NAT device, the number of NAT devices in the network boundary to which the NAT device belongs; if the number is greater than one, concatenating the local network access relationships of the several NAT devices within the same network boundary according to a concatenation rule to obtain the full-path network access relationship; and if the number equals one, determining the local network access relationship of the NAT device as the full-path network access relationship.

2. The method according to claim 1, wherein extracting the local network access relationship of the network session at each NAT device from its structured session log further comprises:
obtaining the network boundary topology of the NAT device and generating the ingress/egress path table of the NAT device from that topology, wherein the ingress/egress path table comprises the identification information of the NAT device, the name of the network boundary in which the NAT device is located, the cascade level of the NAT device, the access direction of the network session through the NAT device, the name of the inbound interface and the name of the outbound interface, the inbound interface being the interface through which the network session enters the NAT device and the outbound interface the interface through which it leaves the NAT device.

3. The method according to claim 1, wherein obtaining the structured session log corresponding to each NAT device of the plurality of NAT devices comprises:
obtaining a plurality of logs of the plurality of NAT devices and extracting key element information from them, the key element information comprising the timestamp, source network address, destination network address, destination port, source mapped network address, destination mapped network address, destination mapped port, protocol type, source interface and destination interface;
obtaining the identification information of each NAT device, comprising at least one of the name of the NAT device and the network address of the NAT device;
combining the key element information and the identification information of each NAT device to obtain the structured session log corresponding to that NAT device.

4. The method according to claim 3, wherein generating the log aggregation table from the structured session log comprises:
determining a preset period and collecting the structured session logs within that period;
classifying records of the structured session logs whose key element information other than the timestamp is identical into one group, yielding several groups;
generating the log aggregation table from the groups, the table comprising the identification information of the NAT device, the key element information and the number of occurrences of each group.

5. The method according to claim 2, wherein generating the log aggregation table from the structured session log and determining the access direction of the network session through the NAT device from the ingress/egress path table and the log aggregation table comprises:
obtaining from the log aggregation table the identification information of the NAT device, the name of the source interface corresponding to that identification information and the name of the destination interface corresponding to it;
using the identification information, the source interface name and the destination interface name to determine, through the ingress/egress path table, the access direction of the network session through the NAT device indicated by that identification information.

6. The method according to claim 2, wherein extracting the local network access relationship of the network session at the NAT device according to the access direction comprises:
if the access direction is inbound, determining the source mapped network address corresponding to the identification information of the NAT device as the internal-interface source network address, the destination network address as the internal-interface destination network address, the destination port as the internal-interface destination port, the source network address as the external-interface source network address, the destination mapped network address as the external-interface destination network address and the destination mapped port as the external-interface destination port, wherein inbound denotes access from a device outside the network boundary to a device inside it;
determining, from the internal-interface source network address, the internal-interface destination network address, the internal-interface destination port, the external-interface source network address, the external-interface destination network address and the external-interface destination port, the local network access relationships of the network session at the NAT device when the access direction is inbound;
if the access direction is outbound, determining the source network address corresponding to the identification information of the NAT device as the internal-interface source network address, the destination mapped network address as the internal-interface destination network address, the destination mapped port as the internal-interface destination port, the source mapped network address as the external-interface source network address, the destination network address as the external-interface destination network address and the destination port as the external-interface destination port, wherein outbound denotes access from a device inside the network boundary to a device outside it;
determining, from the same six values, the local network access relationships of the network session at the NAT device when the access direction is outbound.

7. The method according to claim 1, wherein concatenating the local network access relationships of the several NAT devices within the same network boundary according to the concatenation rule comprises:
if the internal-interface source network address of a first NAT device equals the external-interface source network address of a second NAT device, the internal-interface destination network address of the first NAT device equals the external-interface destination network address of the second NAT device, and the internal-interface destination port of the first NAT device equals the external-interface destination port of the second NAT device, concatenating the local network access relationship of the first NAT device and that of the second NAT device into the full-path access relationship of the network boundary, wherein the first and second NAT devices belong to the same network boundary, are adjacent to each other, and the cascade level of the first NAT device is lower than that of the second NAT device.

8. The method according to claim 1, further comprising:
determining the node corresponding to the device that initiates the access request in the full-path network access relationship as the start node, the node corresponding to the device that receives the access request as the end node, and the NAT devices in the full-path network access relationship as intermediate nodes;
determining the line segments connecting the start node, the intermediate nodes and the end node as edges, wherein the direction of an edge is determined by the access direction of the network session crossing the network boundary and is indicated by an arrow;
generating a visual view of the full-path network access relationship from the start node, the intermediate nodes, the end node and the edges;
displaying the visual view of the full-path network access relationship.

9. A system for displaying full-path network access relationships, comprising a terminal device, a data visualization server and a data processing server, wherein:
the terminal device is connected to the data visualization server and is configured to send it a query request for the full-path network access relationship of a network boundary and to display the full-path network access relationship;
the data visualization server is connected to the data processing server and is configured to respond to the query request and obtain the data corresponding to the full-path network access relationship;
the data processing server is configured to obtain a plurality of logs of a plurality of NAT devices, convert them into a structured session log corresponding to each NAT device, extract from the structured session log of each NAT device the local network access relationship of a network session at that NAT device, concatenate the local network access relationships at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, store the data corresponding to the full-path network access relationship and deliver it to the data visualization server, wherein the network session is a session between a device inside the network boundary and a device outside it; extracting the local network access relationship of the network session at each NAT device comprises generating a log aggregation table from the structured session log, determining the access direction of the network session through the NAT device from the ingress/egress path table of the NAT device and the log aggregation table, and extracting the local network access relationship of the network session at the NAT device according to that access direction, the ingress/egress path table storing the path of the network session through the NAT device; and concatenating the local network access relationships at each NAT device to obtain the full-path network access relationship comprises determining, from the ingress/egress path table of the NAT device, the number of NAT devices in the network boundary to which the NAT device belongs, concatenating, if the number is greater than one, the local network access relationships of the several NAT devices within the same network boundary according to a concatenation rule to obtain the full-path network access relationship, and determining, if the number equals one, the local network access relationship of the NAT device as the full-path network access relationship.

10. An apparatus for obtaining a full-path network access relationship, comprising:
an acquiring module configured to obtain a structured session log corresponding to each NAT device of a plurality of NAT devices;
an extracting module configured to extract, from the structured session log corresponding to each NAT device, the local network access relationship of a network session at that NAT device, comprising: generating a log aggregation table from the structured session log, determining the access direction of the network session through the NAT device from the ingress/egress path table of the NAT device and the log aggregation table, and extracting the local network access relationship of the network session at the NAT device according to that access direction, the ingress/egress path table storing the path of the network session through the NAT device, wherein the network session is a session between a device inside the network boundary to which each NAT device belongs and a device outside that network boundary;
a processing module configured to concatenate the local network access relationships of the network session at each NAT device to obtain the full-path network access relationship of the network boundary to which each NAT device belongs, comprising: determining, from the ingress/egress path table of the NAT device, the number of NAT devices in the network boundary to which the NAT device belongs; if the number is greater than one, concatenating the local network access relationships of the several NAT devices within the same network boundary according to a concatenation rule to obtain the full-path network access relationship; and if the number equals one, determining the local network access relationship of the NAT device as the full-path network access relationship.
device; if the number is greater than one, concatenate multiple local network access relationships of multiple NAT devices within the same network boundary according to the concatenation rule to obtain the full-path network access relationship; if the number is equal to one, determine the local network access relationship of the NAT device as the full-path network access relationship. 11.一种非易失性存储介质,其特征在于,所述非易失性存储介质中存储有计算机程序,其中,所述非易失性存储介质所在设备通过运行所述计算机程序执行权利要求1至8中任意一项所述的全路径网络访问关系的方法。11. A non-volatile storage medium, characterized in that a computer program is stored in the non-volatile storage medium, wherein the device where the non-volatile storage medium is located executes the method of full-path network access relationship described in any one of claims 1 to 8 by running the computer program. 12.一种电子装置,包括存储器和处理器,其特征在于,所述存储器中存储有计算机程序,所述处理器被设置为通过所述计算机程序执行权利要求1至8中任意一项所述的全路径网络访问关系的方法。12. An electronic device comprising a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to execute the method of full-path network access relationship described in any one of claims 1 to 8 through the computer program.
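The pipeline the claims describe (structured NAT session logs, an ingress/egress path table that fixes the access direction, a per-NAT local relationship, and concatenation of the NATs within one boundary into a start-NATs-end path plus the directed edges of claim 8), as an added illustration that is not the patent's own code. The record fields, the path-table layout and the concatenation rule (the post-NAT tuple at one hop equals the pre-NAT tuple at the next) are assumptions, and the sample logs are constructed; the chaining loop covers both the single-NAT and the multi-NAT boundary cases.

```python
from collections import defaultdict

# Constructed structured session logs: one record per NAT device and session.
# pre/post are (src, dst, dst_port) before and after translation (assumed layout).
SESSION_LOGS = [
    {"nat": "NAT1", "in_if": "eth0", "pre": ("10.0.0.5", "203.0.113.10", 443),
     "post": ("172.16.0.5", "203.0.113.10", 443)},
    {"nat": "NAT2", "in_if": "ge0", "pre": ("172.16.0.5", "203.0.113.10", 443),
     "post": ("198.51.100.7", "203.0.113.10", 443)},
    {"nat": "NAT3", "in_if": "wan", "pre": ("192.0.2.9", "198.51.100.80", 22),
     "post": ("192.0.2.9", "10.20.0.80", 22)},
]
# Constructed ingress/egress path table: boundary membership and inside-facing interface.
PATH_TABLE = {
    "NAT1": {"boundary": "dmz", "inside_if": "eth0"},
    "NAT2": {"boundary": "dmz", "inside_if": "ge0"},
    "NAT3": {"boundary": "branch", "inside_if": "lan"},
}

def access_direction(rec):
    """A session entering on the inside-facing interface is leaving the boundary."""
    return "outbound" if rec["in_if"] == PATH_TABLE[rec["nat"]]["inside_if"] else "inbound"

def local_relations(logs):
    """Log aggregation table keyed by boundary: (direction, pre, nat, post) per record."""
    agg = defaultdict(list)
    for rec in logs:
        boundary = PATH_TABLE[rec["nat"]]["boundary"]
        agg[boundary].append((access_direction(rec), rec["pre"], rec["nat"], rec["post"]))
    return agg

def full_path_relations(logs):
    """Chain the local relations of every NAT in a boundary into start -> NATs -> end."""
    paths = []
    for boundary, rels in local_relations(logs).items():
        by_pre = {r[1]: r for r in rels}
        # Heads are relations whose pre-NAT tuple is not produced by another NAT's post tuple.
        heads = [r for r in rels if not any(o[3] == r[1] for o in rels)]
        for direction, pre, nat, post in heads:
            hops, cur = [nat], post
            while cur in by_pre and by_pre[cur][2] not in hops:  # follow post == pre links
                hops.append(by_pre[cur][2])
                cur = by_pre[cur][3]
            paths.append({"boundary": boundary, "direction": direction,
                          "start": pre[0], "hops": hops, "end": cur[1]})
    return paths

def graph_edges(path):
    """Directed edges of the visual graph, ordered along the access direction."""
    nodes = [path["start"], *path["hops"], path["end"]]
    return list(zip(nodes, nodes[1:]))
```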

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310454802.9A CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310454802.9A CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Publications (2)

Publication Number Publication Date
CN116455801A CN116455801A (en) 2023-07-18
CN116455801B true CN116455801B (en) 2025-09-05

Family

ID=87120125

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310454802.9A Active CN116455801B (en) 2023-04-24 2023-04-24 Method and device for obtaining full-path network access relationship

Country Status (1)

Country Link
CN (1) CN116455801B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117112689B (en) * 2023-09-20 2025-09-12 建信金融科技有限责任公司 Method, device and electronic device for discovering application association relationships

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227408A (en) * 2008-02-02 2008-07-23 中兴通讯股份有限公司 Method and Router for IPv4 Internal Private Network to Access IPv6 Network
CN110062046A (en) * 2019-04-24 2019-07-26 全知科技(杭州)有限责任公司 A kind of data access complete trails related auditing method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2774005C (en) * 2009-11-02 2015-10-27 Lg Electronics Inc. Nat traversal for local ip access
CN110120947A (en) * 2019-04-30 2019-08-13 日海通信服务有限公司 A kind of digital network access method based on security boundary
US11271974B2 (en) * 2020-04-30 2022-03-08 Rockwell Automation Technologies, Inc. Securely deploying security policy and configuration through network address translation systems


Also Published As

Publication number Publication date
CN116455801A (en) 2023-07-18

Similar Documents

Publication Publication Date Title
KR102183897B1 (en) An apparatus for anomaly detecting of network based on artificial intelligent and method thereof, and system
CN111935172B (en) Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
TW476204B (en) Information security analysis system
US5787253A (en) Apparatus and method of analyzing internet activity
US20040133672A1 (en) Network security monitoring system
Chi et al. Cyclops: the AS-level connectivity observatory
US20190007292A1 (en) Apparatus and method for monitoring network performance of virtualized resources
CN109995582A (en) Asset equipment management system and method based on real-time status
EP3905597B1 (en) Data stream classification method and message forwarding device
CN116455801B (en) Method and device for obtaining full-path network access relationship
Layeghy et al. Benchmarking the Benchmark--Analysis of Synthetic NIDS Datasets
CN118631916A (en) Data protocol parsing method and device based on hierarchical sequence structure reasoning
CN114422337A (en) Network packet capture method and related device for locating faults
Boeira et al. Traffic centralization and digital sovereignty: an analysis under the lens of DNS servers
CN113037542A (en) Cloud network topology construction method based on software defined network
CN112187720B (en) Method, device, electronic device and storage medium for generating a secondary attack chain
CN118550792B (en) Methods, devices, and storage media for locating abnormal servers in business systems
CN111177281A (en) An access control method, device, device and storage medium
CN111144504B (en) Software mirror image flow identification and classification method based on PCA algorithm
Ten et al. Study on advanced visualization tools in network monitoring platform
CN111343008B (en) Comprehensive measurement method and system for discovering IPv6 accelerated deployment state
CN115866101A (en) Method, device, and medium for asset attribution identification with multi-protocol linkage between internal and external networks
CN114244727A (en) Instant generation method and system for power Internet of things communication panorama
CN114374838A (en) A network camera monitoring method, device, equipment and medium
KR101345095B1 (en) Method and system for bgp routing data processing based on cluster

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant