
CN118509268A - Network security protection method, device, equipment and medium based on network port lock - Google Patents

Info

Publication number
CN118509268A
Authority
CN
China
Prior art keywords
data
flow
access
traffic
chain
Prior art date
Legal status
Granted
Application number
CN202410978679.5A
Other languages
Chinese (zh)
Other versions
CN118509268B (en)
Inventor
钱锦
李勇军
殷嘉鹏
陈超
孙智卿
张晖
高隽
郑芷逸
倪夏冰
罗俊
赵增良
王奇锋
黄迪
何岳昊
Current Assignee
Hangzhou Ruishengbo Technology Co ltd
Xian Jiaotong University
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Hangzhou Ruishengbo Technology Co ltd
Xian Jiaotong University
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Ruishengbo Technology Co ltd, Xian Jiaotong University, Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202410978679.5A
Publication of CN118509268A
Application granted
Publication of CN118509268B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of network security and discloses a network security protection method, device, equipment and medium based on a network port lock, comprising the following steps: establishing a communication connection; acquiring uplink and downlink traffic data of a target server through the network port lock, and identifying a plurality of traffic access data chains according to a traffic attribution identifier; for any traffic access data chain, determining an access breakpoint in the chain and generating chain features of the chain based on the position of the access breakpoint in it; determining evaluation information for the chain features of each traffic access data chain, and summarizing the evaluation information to generate evaluation features of the uplink and downlink traffic data; and judging, according to the evaluation features, whether the uplink and downlink traffic data are marked as abnormal data, and if so, issuing a traffic cut-off instruction to the target server through a network interface. The application achieves more intelligent and active network security protection.

Description

Network security protection method, device, equipment and medium based on network port lock
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network security protection method, device, equipment, and medium based on a network port lock.
Background
As networks grow in popularity and traffic, network traffic becomes increasingly complex. This complex traffic may contain malicious behavior such as DDoS attacks, phishing, malware, and data leakage, not only affecting the user's normal use of various network devices, but also potentially resulting in economic loss. Conventional network security technologies such as software firewalls, IDS, and antivirus software have problems of inadequate defenses and lack of active countermeasures in the face of these complex network attacks.
For this reason, there is a need to track and manage network traffic in combination with more intelligent and proactive defensive measures to enhance network security.
Disclosure of Invention
The application provides a network security protection method, device, equipment and medium based on a network port lock, which solve the technical problem of how to strengthen network security protection and achieve the technical effect of more intelligent network security protection.
In order to achieve the above purpose, the main technical scheme adopted by the application comprises the following:
In a first aspect, an embodiment of the present application provides a network security protection method based on a network port lock, where the method includes:
initializing a network interface of the network port lock, wherein the network port lock establishes a communication connection with a target server through the network interface;
acquiring uplink and downlink traffic data of the target server through the network port lock, and identifying a plurality of traffic access data chains from the uplink and downlink traffic data according to a traffic attribution identifier;
for any traffic access data chain, determining an access breakpoint in the traffic access data chain, and generating chain features of the traffic access data chain based on the position of the access breakpoint in the traffic access data chain;
determining evaluation information for the chain features of each traffic access data chain, and summarizing the evaluation information to generate evaluation features of the uplink and downlink traffic data;
and judging, according to the evaluation features, whether the uplink and downlink traffic data are marked as abnormal data, and if so, issuing a traffic cut-off instruction to the target server through the network interface.
According to the network security protection method based on the network port lock, the network interface of the network port lock is first initialized, ensuring that the network port lock connects successfully to the target server and establishes stable communication. The uplink and downlink traffic data are then analyzed, the traffic attribution identifiers are extracted, and the data are classified and sorted according to these identifiers to form a plurality of traffic access data chains, so that the data interaction between each device and the target server, including the source and destination of the uplink and downlink traffic, can be accurately identified. Next, the access breakpoints and their positions in the traffic access data chain are analyzed to generate chain features describing the characteristics of the data transmission, which helps to identify network anomalies or attack behaviour. The chain features are then evaluated, the evaluation information indicating normal or abnormal traffic is identified and summarized, and the evaluation features of the uplink and downlink traffic data are generated from the summarized information. Finally, when an uplink and downlink traffic anomaly is detected, a traffic cut-off instruction is sent to the target server through the network port lock, so that the network is protected from possible attacks or abnormal traffic and its security and stability are ensured. In this implementation the network port lock has a more intelligent and active network security protection capability: it monitors, identifies and evaluates uplink and downlink traffic data in real time, takes corresponding measures according to the evaluation result, and effectively protects the network from various network attacks and the threats of abnormal traffic.
Optionally, the traffic attribution identifier characterizes the device number of a device performing data interaction with the target server;
identifying a plurality of traffic access data chains from the uplink and downlink traffic data according to the traffic attribution identifier comprises:
for any device number, extracting from the uplink and downlink traffic data the target data carrying that device number, acquiring the timestamps of all data messages in the target data, and identifying the uplink or downlink identifier corresponding to each timestamp;
and sorting the uplink and downlink identifiers in timestamp order, and constructing the traffic access data chain of the target data from the sorted result.
In this embodiment, the target data carrying the corresponding device number is screened out by analyzing the uplink and downlink traffic data. The timestamp of each data message in the target data is then extracted, and the uplink or downlink identifier corresponding to each timestamp is identified. The timestamp records when the data message was transmitted in the network, and the uplink and downlink identifiers reflect the direction of transmission. Such information is useful for understanding the time-series characteristics of the data transmission, such as the interval between requests and responses and the transmission delay. The acquired data messages are then sorted in timestamp order and a traffic access data chain is constructed from the sorted messages. The ordered traffic access data chain not only accurately represents the sequence of data transmission, but can also be used for security troubleshooting and for further accurate analysis of uplink and downlink network data.
Optionally, determining an access breakpoint in the traffic access data chain includes:
identifying the timestamp corresponding to each uplink or downlink identifier in the traffic access data chain, and calculating the time difference between each pair of adjacent timestamps;
selecting, among the calculated time differences, the target time differences greater than or equal to a preset duration, and recording in sequence the start and stop timestamps corresponding to each target time difference;
and generating the access breakpoints in the traffic access data chain based on each recorded group of start and stop timestamps.
In this embodiment, the traffic pattern of the data packet transmission can be identified by calculating the time difference between adjacent timestamps. Normally these time differences are continuous and uniform, reflecting stable transmission behaviour; in abnormal situations they show irregular patterns, possibly indicating network problems or potential attacks. In the time-difference analysis, the target time differences greater than or equal to the preset duration and their corresponding start and stop timestamps are screened out, and each group of start and stop timestamps is converted into an access breakpoint. The traffic access data chain is thus segmented and managed, and analyzing the access breakpoints in it improves the monitoring of network traffic and effectively ensures the security and stability of the network.
Optionally, generating the access breakpoints in the traffic access data chain based on each recorded group of start and stop timestamps comprises:
calculating the total access duration of the traffic access data chain from the start timestamp and the end timestamp of the traffic access data chain;
generating, for each recorded group of start and stop timestamps, distribution information of the time period formed by those timestamps within the total access duration;
and summarizing each piece of distribution information to generate the access breakpoints in the traffic access data chain.
According to the method and the device, the total access duration is calculated by comparing the timestamp of the first data message with that of the last data message in the traffic access data chain, so that the time span of the whole chain is known accurately; the percentage of the total access duration occupied by each time period is then calculated from the timestamps. This shows in detail how the different time periods are distributed over the whole access duration, so that specific access breakpoints in the traffic access data chain can be identified. Finally, the distribution information of each time period is summarized to form the complete set of access breakpoints, giving a comprehensive view of the time-sequence distribution of access breakpoints in the traffic access data chain for further network traffic analysis and management.
Optionally, generating the chain features of the traffic access data chain based on the position of the access breakpoint in the traffic access data chain comprises:
identifying the starting node and the terminating node of the access breakpoint, and calculating a first weight of the starting node and a second weight of the terminating node;
calculating a representative node of the access breakpoint from the first weight and the second weight;
and determining the node position of the representative node within the total access duration of the traffic access data chain, and taking the node positions as feature elements to form the chain features of the traffic access data chain.
According to the method and the device, the starting node and the terminating node of the access breakpoint are determined by analyzing the timestamps of the data messages, the first weight of the starting node and the second weight of the terminating node are calculated, and the representative node of the access breakpoint is calculated from these weights, so that the position of the access breakpoint in the traffic access data chain can be determined more accurately. Further, determining the node position of the representative node within the total access duration of the chain makes traffic access data chains of different total access durations comparable. The node positions are then taken as feature elements to form the chain features of the traffic access data chain, which are used to predict traffic anomalies and improve intelligent network security protection.
Optionally, calculating the first weight of the starting node and the second weight of the terminating node includes:
determining the first access data segment to which the starting node belongs in the traffic access data chain, and determining the second access data segment to which the terminating node belongs;
identifying a first data volume characteristic of the first access data segment and generating the first weight from it, and identifying a second data volume characteristic of the second access data segment and generating the second weight from it.
By identifying the starting node and the terminating node in the traffic access data chain, this embodiment accurately divides the data message segments before and after the access breakpoint, thereby determining the extent of the first access data segment and the second access data segment. The first weight and the second weight are generated from the characteristics of the respective data segments; for example, they may be generated from data volume characteristics such as message length and timestamps. This ensures that access breakpoints are accurately identified and positioned in the traffic access data chain, so that network traffic is analyzed and processed more accurately.
Optionally, summarizing the evaluation information to generate the evaluation features of the uplink and downlink traffic data includes:
identifying the evaluation value characterized by each piece of evaluation information, and taking each evaluation value as a vector element to form a feature vector characterizing the evaluation features of the uplink and downlink traffic data.
This embodiment gathers the evaluation information of all traffic access data chains into a comprehensive feature vector that characterizes the evaluation features of the uplink and downlink traffic data. A comprehensive risk assessment is performed on this vector, so that the state of the network traffic is understood more completely and potential security threats can be found and responded to in time through this multi-level, multi-dimensional assessment.
Optionally, after issuing the traffic cut-off instruction to the target server through the network interface, the method further comprises:
continuously acquiring, within a preset monitoring period, the traffic to be verified that is sent to the target server, and identifying each data chain to be verified in the traffic to be verified;
splicing each data chain to be verified onto the corresponding traffic access data chain according to the traffic attribution identifier to form a comprehensive data chain;
and generating the information to be verified that is jointly characterized by the comprehensive data chains, and if the information to be verified characterizes normal data, issuing a traffic recovery instruction to the target server through the network interface.
According to the network security protection method based on the network port lock, the traffic to be verified that is sent to the target server is continuously acquired within the preset monitoring period and the data chains to be verified are identified in real time, so that data flowing to the target server is captured and analyzed immediately and the network traffic state of the target server is effectively monitored. By identifying the data chains to be verified and splicing them onto the traffic access data chains, the complete data transmission path can be reconstructed and analyzed, so that the data flow to the target server is accurately tracked and understood, while each data chain to be verified is matched to its traffic attribution identifier for the subsequent analysis and judgment. The identified data chains to be verified are spliced into comprehensive data chains according to the traffic attribution identifier, and the information to be verified that they characterize is generated; this information reflects the nature of the comprehensive data chains and supports the subsequent decision and response. When the information to be verified is confirmed to be normal data, the network port lock automatically sends a traffic recovery instruction to the target server through the network interface. This automatic response mechanism quickly recovers the cut-off network service, reduces service interruption time, and improves reliability and user experience. Through real-time monitoring, data chain reorganization and automatic response, service can be restored quickly while abnormal traffic and possible security threats are handled effectively. The method remarkably improves the security of the network and reduces the risk of impact from attacks or abnormal traffic.
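The following is an added illustration, not the patent's own code, of the method steps above: building traffic access data chains per device number, detecting access breakpoints as gaps of at least a preset duration, turning each breakpoint into a normalised chain feature via a weighted representative node, gathering evaluation values into a feature vector, and re-checking spliced traffic after a cut-off. The byte-count weighting, the idle-fraction evaluation value, the 30 s preset duration, the 0.5 threshold and all packet records are constructed assumptions, since the patent leaves these open.

```python
# Added example (not the patent's own code): traffic access data chains per device number,
# access breakpoints as gaps >= a preset duration, weighted representative nodes as chain
# features, evaluation values gathered into a feature vector, and post-cut-off verification.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Breakpoint = Tuple[float, float]  # (start timestamp, stop timestamp) of one access breakpoint


@dataclass(frozen=True)
class Packet:
    device_id: str  # traffic attribution identifier: number of the device talking to the server
    ts: float       # timestamp in seconds
    direction: str  # uplink/downlink identifier: "UP" (device -> server) or "DOWN"
    length: int     # message length in bytes, used here as the data volume characteristic (assumed)


def build_chains(packets: List[Packet]) -> Dict[str, List[Packet]]:
    """Select the target data per device number and order it by timestamp: one chain per device."""
    chains: Dict[str, List[Packet]] = {}
    for p in packets:
        chains.setdefault(p.device_id, []).append(p)
    return {dev: sorted(ps, key=lambda p: p.ts) for dev, ps in chains.items()}

def find_breakpoints(chain: List[Packet], preset_gap: float) -> List[Breakpoint]:
    """Time difference of each adjacent timestamp pair; differences >= preset_gap are breakpoints."""
    return [(a.ts, b.ts) for a, b in zip(chain, chain[1:]) if b.ts - a.ts >= preset_gap]

def total_duration(chain: List[Packet]) -> float:
    """Total access duration: timestamp of the last message minus that of the first."""
    return chain[-1].ts - chain[0].ts

def gap_distribution(chain: List[Packet], bps: List[Breakpoint]) -> List[float]:
    """Share of the total access duration occupied by each breakpoint's time period."""
    total = total_duration(chain)
    return [(stop - start) / total for start, stop in bps] if total > 0 else []

def _segment_bytes(chain: List[Packet], lo: float, hi: float) -> int:
    return sum(p.length for p in chain if lo <= p.ts <= hi)

def chain_features(chain: List[Packet], bps: List[Breakpoint]) -> List[float]:
    """One feature element per breakpoint: its representative node normalised to [0, 1] over the
    total access duration, so chains of different length stay comparable. The starting node is
    weighted by the bytes of the access data segment before the gap, the terminating node by the
    bytes of the segment after it (assumed weighting)."""
    total = total_duration(chain)
    if total <= 0 or not bps:
        return []
    seg_starts = [chain[0].ts] + [stop for _, stop in bps]   # each access data segment begins here
    seg_ends = [start for start, _ in bps] + [chain[-1].ts]  # ... and ends here
    features = []
    for k, (start_ts, stop_ts) in enumerate(bps):
        w1 = _segment_bytes(chain, seg_starts[k], seg_ends[k])          # first access data segment
        w2 = _segment_bytes(chain, seg_starts[k + 1], seg_ends[k + 1])  # second access data segment
        rep = (w1 * start_ts + w2 * stop_ts) / (w1 + w2)               # representative node
        features.append((rep - chain[0].ts) / total)
    return features

def evaluate_chain(chain: List[Packet], bps: List[Breakpoint]) -> float:
    """Evaluation value of one chain (assumed): fraction of its duration spent inside breakpoints."""
    return float(sum(gap_distribution(chain, bps)))

def analyse(packets: List[Packet], preset_gap: float):
    """Run the pipeline; the feature vector holds one evaluation value per device, sorted by id."""
    report = {}
    for dev, chain in sorted(build_chains(packets).items()):
        bps = find_breakpoints(chain, preset_gap)
        report[dev] = {"breakpoints": bps, "gap_distribution": gap_distribution(chain, bps),
                       "chain_feature": chain_features(chain, bps),
                       "evaluation": evaluate_chain(chain, bps)}
    return report, [r["evaluation"] for r in report.values()]

def decide(vector: List[float], threshold: float) -> str:
    """Instruction the port lock issues: cut traffic off if any evaluation value reaches threshold."""
    return "CUT_OFF" if any(v >= threshold for v in vector) else "PASS"

def verify_after_cutoff(baseline: List[Packet], to_verify: List[Packet],
                        preset_gap: float, threshold: float) -> str:
    """Splice the traffic seen in the monitoring period onto the existing chains (by device number),
    re-evaluate the comprehensive chains, and restore traffic only if they now look normal."""
    _, vector = analyse(list(baseline) + list(to_verify), preset_gap)
    return "RESTORE" if decide(vector, threshold) == "PASS" else "KEEP_CUT_OFF"


PRESET_GAP = 30.0  # preset duration that turns a silence into a breakpoint (constructed)
THRESHOLD = 0.5    # evaluation value at which the data are marked abnormal (constructed)

# Constructed sample: dev-A exchanges messages steadily, dev-B falls silent twice.
SAMPLE_PACKETS = [
    Packet("dev-A", 0.0, "UP", 100), Packet("dev-A", 1.0, "DOWN", 500),
    Packet("dev-A", 2.0, "UP", 100), Packet("dev-A", 3.0, "DOWN", 500),
    Packet("dev-B", 0.0, "UP", 100), Packet("dev-B", 1.0, "DOWN", 400),
    Packet("dev-B", 2.0, "UP", 100), Packet("dev-B", 62.0, "UP", 100),
    Packet("dev-B", 63.0, "DOWN", 300), Packet("dev-B", 100.0, "UP", 200),
]
# Constructed monitoring-period traffic: dev-B resumes one message per second for 100 s.
VERIFY_PACKETS = [Packet("dev-B", float(t), "UP" if t % 2 else "DOWN", 100) for t in range(101, 201)]

if __name__ == "__main__":
    report, vector = analyse(SAMPLE_PACKETS, PRESET_GAP)
    print(report, vector, decide(vector, THRESHOLD))
    print(verify_after_cutoff(SAMPLE_PACKETS, VERIFY_PACKETS, PRESET_GAP, THRESHOLD))
```

For dev-B the two silences become breakpoints (2, 62) and (63, 100), occupying 0.6 and 0.37 of the 100 s total duration, and their representative nodes land at 0.26 and about 0.753 of the chain; the steady traffic in the monitoring period dilutes the idle fraction below the threshold, so the example issues a restore.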
In a second aspect, an embodiment of the present application provides a network security protection apparatus based on a network port lock, where the apparatus includes:
an initialization unit, configured to initialize a network interface of the network port lock, through which the network port lock establishes a communication connection with the target server;
a traffic identification unit, configured to acquire uplink and downlink traffic data of the target server through the network port lock and to identify a plurality of traffic access data chains from the uplink and downlink traffic data according to the traffic attribution identifier;
a chain feature generation unit, configured to determine, for any traffic access data chain, an access breakpoint in the chain and to generate chain features of the chain based on the position of the access breakpoint in it;
an evaluation feature generation unit, configured to determine evaluation information for the chain features of each traffic access data chain and to summarize the evaluation information to generate evaluation features of the uplink and downlink traffic data;
and an exception processing unit, configured to judge, according to the evaluation features, whether the uplink and downlink traffic data are marked as abnormal data, and if so, to issue a traffic cut-off instruction to the target server through the network interface.
The network security protection apparatus based on the network port lock first initializes the network interface of the network port lock, ensuring that the apparatus connects successfully to the target server and establishes stable communication. The uplink and downlink traffic data are then analyzed, the traffic attribution identifiers are extracted, and the data are classified and sorted according to these identifiers to form a plurality of traffic access data chains, so that the data interaction between each device and the target server, including the source and destination of the uplink and downlink traffic, can be accurately identified. Next, the access breakpoints and their positions in the traffic access data chain are analyzed to generate chain features describing the characteristics of the data transmission, which helps to identify network anomalies or attack behaviour. The chain features are then evaluated, the evaluation information indicating normal or abnormal traffic is identified and summarized, and the evaluation features of the uplink and downlink traffic data are generated from the summarized information. Finally, when an uplink and downlink traffic anomaly is detected, a traffic cut-off instruction is sent to the target server through the network port lock, so that the network is protected from possible attacks or abnormal traffic and its security and stability are ensured. In this implementation the network port lock has a more intelligent and active network security protection capability: it monitors, identifies and evaluates uplink and downlink traffic data in real time, takes corresponding measures according to the evaluation result, and effectively protects the network from various network attacks and the threats of abnormal traffic.
Optionally, the traffic attribution identifier characterizes the device number of a device performing data interaction with the target server;
the traffic identification unit performs the following operations:
for any device number, extracting from the uplink and downlink traffic data the target data carrying that device number, acquiring the timestamps of all data messages in the target data, and identifying the uplink or downlink identifier corresponding to each timestamp;
and sorting the uplink and downlink identifiers in timestamp order, and constructing the traffic access data chain of the target data from the sorted result.
In this embodiment, the target data carrying the corresponding device number is screened out by analyzing the uplink and downlink traffic data. The timestamp of each data message in the target data is then extracted, and the uplink or downlink identifier corresponding to each timestamp is identified. The timestamp records when the data message was transmitted in the network, and the uplink and downlink identifiers reflect the direction of transmission. Such information is useful for understanding the time-series characteristics of the data transmission, such as the interval between requests and responses and the transmission delay. The acquired data messages are then sorted in timestamp order and a traffic access data chain is constructed from the sorted messages. The ordered traffic access data chain not only accurately represents the sequence of data transmission, but can also be used for security troubleshooting and for further accurate analysis of uplink and downlink network data.
Optionally, determining an access breakpoint in the traffic access data chain in the chain feature generation unit includes:
identifying the timestamp corresponding to each uplink or downlink identifier in the traffic access data chain, and calculating the time difference between each pair of adjacent timestamps;
selecting, among the calculated time differences, the target time differences greater than or equal to a preset duration, and recording in sequence the start and stop timestamps corresponding to each target time difference;
and generating the access breakpoints in the traffic access data chain based on each recorded group of start and stop timestamps.
In this embodiment, the traffic pattern of the data packet transmission can be identified by calculating the time difference between adjacent timestamps. Normally these time differences are continuous and uniform, reflecting stable transmission behaviour; in abnormal situations they show irregular patterns, possibly indicating network problems or potential attacks. In the time-difference analysis, the target time differences greater than or equal to the preset duration and their corresponding start and stop timestamps are screened out, and each group of start and stop timestamps is converted into an access breakpoint. The traffic access data chain is thus segmented and managed, and analyzing the access breakpoints in it improves the monitoring of network traffic and effectively ensures the security and stability of the network.
Optionally, generating the access breakpoints in the traffic access data chain based on each recorded group of start and stop timestamps comprises:
calculating the total access duration of the traffic access data chain from the start timestamp and the end timestamp of the traffic access data chain;
generating, for each recorded group of start and stop timestamps, distribution information of the time period formed by those timestamps within the total access duration;
and summarizing each piece of distribution information to generate the access breakpoints in the traffic access data chain.
According to the method and the device, the total access duration is calculated by comparing the timestamp of the first data message with that of the last data message in the traffic access data chain, so that the time span of the whole chain is known accurately; the percentage of the total access duration occupied by each time period is then calculated from the timestamps. This shows in detail how the different time periods are distributed over the whole access duration, so that specific access breakpoints in the traffic access data chain can be identified. Finally, the distribution information of each time period is summarized to form the complete set of access breakpoints, giving a comprehensive view of the time-sequence distribution of access breakpoints in the traffic access data chain for further network traffic analysis and management.
Optionally, in the chain feature generation unit, generating the chain features of the traffic access data chain based on the position of the access breakpoint in the traffic access data chain includes:
identifying the starting node and the terminating node of the access breakpoint, and calculating a first weight of the starting node and a second weight of the terminating node;
calculating a representative node of the access breakpoint from the first weight and the second weight;
and determining the node position of the representative node within the total access duration of the traffic access data chain, and taking the node positions as feature elements to form the chain features of the traffic access data chain.
According to the method and the device, the starting node and the terminating node of the access breakpoint are determined by analyzing the timestamps of the data messages, the first weight of the starting node and the second weight of the terminating node are calculated, and the representative node of the access breakpoint is calculated from these weights, so that the position of the access breakpoint in the traffic access data chain can be determined more accurately. Further, determining the node position of the representative node within the total access duration of the chain makes traffic access data chains of different total access durations comparable. The node positions are then taken as feature elements to form the chain features of the traffic access data chain, which are used to predict traffic anomalies and improve intelligent network security protection.
Optionally, calculating the first weight of the start node and the second weight of the end node includes:
determining a first access data segment to which the starting node belongs in the traffic access data chain, and determining a second access data segment to which the terminating node belongs;
identifying a first data volume characteristic of the first access data segment and generating the first weight according to the first data volume characteristic; and identifying a second data volume characteristic of the second access data segment and generating the second weight according to the second data volume characteristic.
By identifying the starting node and the ending node in the traffic access data chain, this embodiment can accurately divide the data message segments before and after the access breakpoint, thereby determining the range of the first access data segment and the second access data segment. The first weight and the second weight are generated from characteristics of the respective data segments; for example, the weights may be generated from data volume characteristics such as message length and time stamp. This ensures that the access breakpoints are accurately identified and positioned in the traffic access data chain, so that the network traffic is analyzed and processed more accurately.
Optionally, the step of summarizing each piece of evaluation information in the evaluation feature generating unit to generate the evaluation feature of the uplink and downlink traffic data includes:
identifying the evaluation value represented by each piece of evaluation information, and taking each evaluation value as a vector element to form a feature vector that represents the evaluation feature of the uplink and downlink traffic data.
This embodiment summarizes the evaluation information to generate the evaluation feature of the uplink and downlink traffic data: the evaluation information of all traffic access data chains is gathered into a comprehensive feature vector on which a comprehensive risk assessment is carried out. Through this multi-level, multi-dimensional assessment, the state of the network traffic can be understood more comprehensively, and potential security threats can be found and responded to in time.
Optionally, after the exception handling unit, the apparatus further comprises:
a to-be-verified data chain generation unit, configured to continuously acquire to-be-verified traffic sent to the target server within a preset monitoring period and to identify each to-be-verified data chain in the to-be-verified traffic;
a comprehensive data chain generation unit, configured to splice each to-be-verified data chain into the corresponding traffic access data chain according to the traffic attribution identifier to form a comprehensive data chain;
and a recovery instruction unit, configured to generate the to-be-verified information jointly represented by the comprehensive data chains, and to issue a traffic recovery instruction to the target server through the network interface if the to-be-verified information represents normal data.
According to the method and the device of the present application, the to-be-verified traffic sent to the target server is continuously acquired within the preset monitoring period and the to-be-verified data chains in that traffic are identified in real time, so that data flowing to the target server can be captured and analyzed immediately and the network traffic state of the target server is monitored effectively. By identifying the to-be-verified data chains and splicing them into the traffic access data chains, the complete data transmission path can be reconstructed and analyzed, so that the data flow to the target server is tracked and understood accurately; at the same time, each to-be-verified data chain is matched to its own traffic attribution identifier, which makes the subsequent analysis and judgment possible. The identified to-be-verified data chains are then spliced into comprehensive data chains according to the traffic attribution identifier, and the to-be-verified information they represent is generated. The to-be-verified information reflects the nature of the comprehensive data chains and supports the subsequent decisions and responses. When the to-be-verified information is confirmed to be normal data, the network port lock automatically sends a traffic recovery instruction to the target server through the network interface. This automatic response mechanism can quickly restore the cut-off network service, reduce service interruption time, and improve reliability and user experience. Through real-time monitoring, data chain reorganization and automatic response, service can be restored quickly and abnormal traffic and possible security threats can be handled effectively. The method significantly improves the security of the network and reduces the risk of being affected by attacks or abnormal traffic.
In a third aspect, an embodiment of the present application provides a computer apparatus, including:
a memory and a processor, wherein the memory and the processor are communicatively connected, the memory stores computer instructions, and the processor executes the computer instructions so as to perform the method described above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method described above.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network security protection method based on a network port lock according to an embodiment of the present application;
Fig. 2 is a flowchart of step S3 provided in an embodiment of the present application;
Fig. 3 is a flowchart of determining an access breakpoint in the traffic access data chain according to an embodiment of the present application;
Fig. 4 is a flowchart of step S515 provided in an embodiment of the present application;
Fig. 5 is a flowchart of generating a chained feature of the traffic access data chain according to an embodiment of the present application;
Fig. 6 is a flowchart of step S531 provided in an embodiment of the present application;
Fig. 7 is a flowchart of another network security protection method based on a network port lock according to an embodiment of the present application;
Fig. 8 is a diagram of a network security protection device based on a network port lock according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
Traditional network security technologies such as software firewalls, anti-virus software, and IDS present some limitations and challenges in facing complex network attacks:
For software firewalls and anti-virus software, an attacker may bypass the software firewall or anti-virus software with known or unknown vulnerabilities. Such software typically relies on features and signatures to detect malicious behavior, and thus may not be effectively defensive against new attacks or unknown vulnerabilities.
For IDS, false positives (misinterpreting legitimate traffic as an attack) and false negatives (failing to detect an actual attack) are often faced, which make it difficult for an administrator to accurately judge and respond to a real security event. A high false positive rate may cause an administrator to ignore a genuine security threat, while a high false negative rate means that the attack may have been active within the system for some time.
Furthermore, conventional security techniques tend to be passive, relying primarily on post-hoc detection and response. This means that an attack may have already inflicted some damage to be discovered and handled. The lack of active countermeasures makes the system more susceptible to persistent attacks and advanced threats.
The network security protection method based on the network port lock can be applied to enterprise network security, where the network port lock monitors the network access behavior of internal staff to prevent unauthorized access and data leakage; to cloud service providers, where network port locks monitor traffic among virtual machines to prevent the spread of malicious software and network attacks; to the financial service industry, where the network port lock monitors transaction traffic to prevent fraudulent activity and ensure transaction security; and to telecom operators, where network port locks monitor network traffic to prevent DDoS attacks and other forms of network abuse.
According to an embodiment of the present application, an embodiment of a network security protection method based on a network port lock is provided. It should be noted that the steps illustrated in the flowcharts of the drawings may be performed in a computer system as a set of computer-executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from that given herein.
In this embodiment, a network security protection method based on a portal lock is provided, and fig. 1 is a flowchart of a network security protection method based on a portal lock provided in an embodiment of the present application, as shown in fig. 1, where the flowchart includes the following steps:
Step S1, initializing a network interface of a network port lock, wherein the network port lock establishes communication connection with a target server through the network interface.
Specifically, the network interface of the network port lock is initialized, and parameters of the network interface including an IP address, a subnet mask, a default gateway and the like are configured in the initialization process so as to ensure that the network port lock can establish communication with the target server through the network interface. After the network interface of the network port lock successfully establishes communication connection with the target server, the task of network security protection of the network port lock is started to be executed.
And S3, acquiring uplink and downlink flow data of the target server through the network port lock, and identifying a plurality of flow access data chains from the uplink and downlink flow data according to the flow attribution identification.
Specifically, the uplink and downlink traffic data refers to the data a device uploads to the target server through the network port lock (uplink traffic data) and the data the device downloads from the target server through the network port lock (downlink traffic data). The traffic attribution identifier, typically a unique device number, is used to distinguish the data interactions between different devices and the target server, so that the source or destination of the traffic data can be located accurately. After the uplink and downlink traffic data of the target server are acquired through the network port lock, they are parsed and the traffic attribution identifier is extracted. The uplink and downlink traffic data are then separated according to the identifiers and sorted into the traffic access data chain of the corresponding device. Through this process, a plurality of traffic access data chains for different devices is obtained.
And S5, determining an access breakpoint in the traffic access data chain for any traffic access data chain, and generating chain characteristics of the traffic access data chain based on the position of the access breakpoint in the traffic access data chain.
Specifically, an access breakpoint is a delay or interruption in data transmission; normal data transmission is generally continuous and regular, and a breakpoint may appear when transmission is abnormal, for example on a network interruption or packet loss. For each traffic access data chain, a chained feature is generated by determining the access breakpoints in it and their positions. These features describe the continuity or discontinuity of the data transmission and any possible anomalies.
And S7, determining evaluation information of chained features of each flow access data chain, and summarizing each evaluation information to generate evaluation features of the uplink and downlink flow data.
Specifically, the chained feature of each traffic access data chain is evaluated to generate evaluation information, which may be a risk probability value. If the access breakpoints in the chained feature are abnormally frequent, a DDoS attack may be indicated; if the access breakpoints in the chained feature are irregular, network congestion or other problems may be indicated; if the access breakpoints in the chained feature are low in frequency and relatively far apart, network congestion or service problems may be indicated. The corresponding evaluation information is obtained by evaluating the chained feature. The evaluation may be based on historical data, preset rules, or a machine learning model. For example, the chained feature of the current traffic access data chain is compared with historical data to determine whether there is a significant deviation, and the evaluation information is obtained from that. Alternatively, preset rules are formulated to identify normal or abnormal traffic patterns, and the evaluation information is obtained from those rules, which can be based on frequently occurring breakpoint conditions. Or a machine learning algorithm, supervised or unsupervised, is used to train a model that identifies normal and abnormal traffic patterns and yields the evaluation information; this approach classifies traffic behavior automatically based on existing labelled data (normal and abnormal data samples).
The evaluation information of all traffic access data chains is then summarized and fed into a pre-trained neural network model, which may be a supervised or an unsupervised learning model. The neural network model outputs an evaluation feature that integrates the uplink and downlink traffic data; this may be a risk score, and different risk score values are marked as data of different states, such as normal data and abnormal data.
For example, suppose there are three traffic access data chains whose evaluation information is 0.6, 0.3 and 0.8, respectively. This evaluation information is summarized into the feature vector (0.6, 0.3, 0.8) and input into the neural network. The neural network processes the data and outputs a risk score for the overall network; for example, if the risk score is greater than 0.5 the uplink and downlink traffic data are marked as abnormal data, and if the risk score is less than or equal to 0.5 they are marked as normal data. Note that the neural network is pre-trained with normal data samples and abnormal data samples to obtain the trained model, which is not described further here.
And S9, judging whether the uplink and downlink flow data are marked as abnormal data according to the evaluation characteristics, and if so, issuing a flow cutting instruction to the target server through the network interface.
Specifically, when the uplink and downlink traffic data are marked as abnormal data, a traffic cut-off instruction is sent to the target server through the network port lock. The traffic cut-off instruction is executed promptly and efficiently so as to minimize the potential impact and loss. In this way the system tracks and manages the uplink and downlink traffic data more intelligently and proactively, strengthening network security protection.
According to the network security protection method based on the network port lock, firstly, by initializing a network interface of the network port lock, the network port lock is ensured to be successfully connected to a target server and stable communication is established. And then analyzing the uplink and downlink flow data, extracting the flow attribution identification, classifying and sorting the data according to the identification, and forming a plurality of flow access data chains. The data interaction between each device and the target server, including the source and the destination of the uplink and downlink traffic, can be accurately identified. And then, analyzing the access breakpoint and the position thereof in the traffic access data chain to generate chain characteristics describing the data transmission characteristics, thereby being beneficial to identifying network abnormality or attack behavior. In addition, the chained features are evaluated, the evaluation information of normal flow or abnormal flow is identified and summarized, and the evaluation features of the uplink and downlink flow data are generated based on the summarized information. And finally, when the uplink and downlink traffic abnormality is detected, a traffic cutting instruction is sent to the target server through the network port lock, so that the network is protected from possible attack or abnormal traffic, and the safety and stability of the network are ensured. By the implementation mode, the network port lock has more intelligent and active network safety protection capability, monitors, identifies and evaluates uplink and downlink flow data in real time, takes corresponding measures according to the evaluation result, and effectively protects the network from various network attacks or threats of abnormal flow.
In some embodiments, aggregating the respective evaluation information to generate the evaluation features of the upstream and downstream traffic data comprises: and identifying evaluation values of the evaluation information characterization, and taking each evaluation value as a vector element to form a feature vector for characterizing evaluation features of the uplink and downlink flow data.
Specifically, for each flow access data chain, identifying an evaluation value represented by evaluation information, and constructing a feature vector representing the evaluation feature of the uplink and downlink flow data by taking each evaluation value as an element of the feature vector, wherein each element represents the risk level of the different flow access data chains.
Compared with the embodiment shown in fig. 1, the method for evaluating the network traffic in the embodiment summarizes all evaluation information to generate the evaluation characteristics of uplink and downlink traffic data, can summarize the evaluation information of all traffic access data chains to form a comprehensive feature vector to comprehensively evaluate risks, and can more comprehensively understand the state of the network traffic and timely discover and respond to potential security threats by the multi-level and multi-dimensional evaluation method.
Fig. 2 is a flowchart of step S3 provided in the embodiment of the present application, where the traffic attribution identifier is used to characterize a device number that performs data interaction with the target server; the method may comprise the steps of:
Step S31, for any equipment number, extracting target data carrying the equipment number from the uplink and downlink flow data, acquiring time stamps of all data messages in the target data, and identifying uplink and downlink identifications corresponding to the time stamps.
Specifically, for each device number, the target data carrying the device number is screened from the uplink and downlink traffic data, the time stamp of each data message is extracted from the target data, whether the data message corresponding to each time stamp is an uplink identifier (sent from the device to the target server) or a downlink identifier (downloaded from the target server to the device) is identified, and the time stamp records the transmission time of the data message in the network. For example, the timestamp of the data packet A in the target data is 10:00:00, and is marked as uplink; the time stamp of the data message B is 10:01:30, and the data message B is marked as downlink; the time stamp of the data message C is 10:02:45, and the data message C is marked as uplink; the time stamp of the data message D is 10:03:15, and the data message D is marked as downlink.
And step S33, sorting the uplink and downlink identifiers according to the sequence of the time stamps, and constructing a flow access data chain of the target data based on the sorted result.
Specifically, the obtained data messages are ordered according to the sequence of their time stamps, which ensures that the order of the data messages reflects their actual order of transmission in the network, and the traffic access data chain is constructed from the ordered data messages. For example, ordering the data messages by time stamp gives: data message A, uplink - data message B, downlink - data message C, uplink - data message D, downlink. By constructing the traffic access data chain, the communication mode and behavior between the device and the target server, including the request and response flows of data, can be analyzed more clearly.
Compared with the embodiment shown in Fig. 1, this embodiment effectively screens out the target data carrying the corresponding device number by parsing the uplink and downlink traffic data. It then extracts the time stamp of each data message in the target data and identifies the uplink or downlink identifier corresponding to each time stamp. The time stamp records the transmission time of the data message in the network, and the uplink and downlink identifiers reflect the direction of data transmission. Such information is useful for understanding the time-series characteristics of the data transmission, such as the time interval between requests and responses and the delay of the data transmission. The acquired data messages are then sorted by time stamp and the traffic access data chain is constructed from the sorted messages. The ordered traffic access data chain not only represents the sequence of data transmission accurately, but can also be used for security troubleshooting and for more accurate analysis of the uplink and downlink network data.
Fig. 3 is a flowchart of determining an access breakpoint in the traffic access data chain according to an embodiment of the present application, where the method may include the following steps:
In step S511, the time stamp corresponding to each uplink and downlink identifier is identified in the traffic access data chain, and the time difference between any two adjacent time stamps is calculated.
Specifically, for the ordered list of time stamps, the time difference between each pair of adjacent time stamps is calculated, i.e. the earlier time stamp is subtracted from the later one, and these time differences are analyzed to determine the interval pattern of the data message transmission. For example, consecutive and uniform intervals may indicate a steady traffic pattern, while irregular intervals may indicate network delay or congestion. Significant deviations or outliers in the time differences are identified, since they may indicate network problems or attack behavior such as DDoS attacks or data exfiltration attempts.
Suppose the traffic access data chain is: data message A, uplink - data message B, downlink - data message C, uplink - data message D, downlink. Calculating the time difference between each pair of adjacent time stamps gives:
time difference (AB) = timestamp B - timestamp A = 10:01:30 - 10:00:00 = 1 minute 30 seconds = 90 seconds;
time difference (BC) = timestamp C - timestamp B = 10:02:45 - 10:01:30 = 1 minute 15 seconds = 75 seconds;
time difference (CD) = timestamp D - timestamp C = 10:03:15 - 10:02:45 = 30 seconds.
In step S513, a target time difference greater than or equal to a preset duration is counted in each calculated time difference, and start and stop time stamps corresponding to each target time difference are sequentially recorded.
Specifically, from all the calculated time differences, the target time differences that are greater than or equal to the preset duration are screened out. The preset duration can be determined by analyzing historical traffic data: the range and distribution of the normal interval between data messages is determined, a standard is established from the statistical characteristics of the normal time difference (such as its mean and standard deviation), and the preset duration is set as a threshold based on the result of that analysis. For each screened-out target time difference, the corresponding start and stop time stamps are recorded: the start time stamp is that of the data message immediately before the target time difference, and the stop time stamp is that of the data message immediately after it.
Step S515, generating an access breakpoint in the traffic access data chain based on the recorded start-stop time stamps of each group.
Specifically, for each start-stop time stamp, the start-stop time stamp is converted into an access breakpoint, so that all access breakpoints in the traffic access data chain are generated, and each access breakpoint comprises a target time difference and a corresponding start-stop time stamp.
Compared with the embodiment shown in Fig. 1, this embodiment can identify the traffic pattern of data message transmission by calculating the time difference between adjacent time stamps. Normally these time differences are continuous and uniform, reflecting stable data transmission behavior; in abnormal situations they show an irregular pattern, possibly indicating network problems or potential attack behavior. In the time difference analysis, the target time differences greater than or equal to the preset duration and their corresponding start-stop time stamps are screened out, and each recorded group of start-stop time stamps is converted into an access breakpoint. The traffic access data chain is thus organized and managed, and the access breakpoints in it are analyzed, which improves the monitoring capability for network traffic and effectively ensures the security and stability of the network.
Fig. 4 is a flowchart of step S515 provided in an embodiment of the present application, where the method may include the following steps:
Step S5151, calculating the total access duration of the traffic access data chain according to the start time stamp and the end time stamp of the traffic access data chain.
Step S5153, generating distribution information of the time period formed by the start-stop time stamps in the total access duration according to the recorded start-stop time stamps of each group.
Step S5155, summarizing each piece of the distribution information to generate an access breakpoint in the traffic access data chain.
Specifically, the total access duration of the traffic access data chain is determined as the difference between the time stamp of the first data message and the time stamp of the last data message in the chain, which gives the total time span of the traffic access data chain. Taking the traffic access data chain of the previous example (data message A, uplink - data message B, downlink - data message C, uplink - data message D, downlink): total access duration = timestamp (last data message D) - timestamp (first data message A) = 10:03:15 - 10:00:00 = 3 minutes 15 seconds = 195 seconds. The total access duration of the traffic access data chain is therefore 195 seconds. Then, for each group of start-stop time stamps, the length of the time period is calculated:
the first time period: 10:00:00 to 10:01:30, 1 minute 30 seconds = 90 seconds;
the second time period: 10:01:30 to 10:02:45, 1 minute 15 seconds = 75 seconds;
the third time period: 10:02:45 to 10:03:15, 30 seconds.
Because the total access durations of different data chains differ, the time period lengths must be normalized so that different traffic access data chains can be compared. The time periods are arranged in chronological order and marked on a time axis, and the intervals between them are analyzed: the length of each time period is compared with the total access duration to determine the percentage of the total access duration it occupies. The distribution information of the time periods in the total access duration is then:
the first time period occupies 90 seconds / 195 seconds ≈ 46.15% of the time;
the second time period occupies 75 seconds / 195 seconds ≈ 38.46% of the time;
the third time period occupies 30 seconds / 195 seconds ≈ 15.38% of the time.
Finally, the distribution information of all the time periods is summarized to form the access breakpoints of the complete traffic access data chain.
Compared with the embodiment shown in fig. 3, in this embodiment, the total access duration is calculated by comparing the timestamp of the first data packet with the timestamp of the last data packet in the traffic access data chain, so as to ensure that the time span of the entire traffic access data chain can be accurately known, and then the percentage of each period in the total access duration is calculated according to the timestamps. The distribution condition of different time periods in the whole access time length can be known in detail, so that specific access breakpoints in the traffic access data chain can be identified. And finally, summarizing the distribution information of each time period to form a complete access breakpoint. The time sequence distribution of access breakpoints in the traffic access data chain can be comprehensively displayed so as to further analyze network traffic management.
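The procedure of steps S31 to S33 and S511 to S5155 above, carried through on the page's four-message example, as an added illustration that is not part of the patent's own implementation. The device numbers, byte-free message records and the historical interval list are constructed sample data; the preset duration is derived from the mean and standard deviation of historical intervals, which the text names as one option, with a constructed multiplier.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the page's messages A-D for one device number, deliberately
# listed out of order, plus a second constructed device with a steady short interval.
SAMPLE_MESSAGES = [
    {"device": "DEV-01", "name": "A", "ts": "10:00:00", "direction": "uplink"},
    {"device": "DEV-01", "name": "C", "ts": "10:02:45", "direction": "uplink"},
    {"device": "DEV-01", "name": "B", "ts": "10:01:30", "direction": "downlink"},
    {"device": "DEV-01", "name": "D", "ts": "10:03:15", "direction": "downlink"},
    {"device": "DEV-02", "name": "E", "ts": "10:00:10", "direction": "uplink"},
    {"device": "DEV-02", "name": "F", "ts": "10:00:12", "direction": "downlink"},
]


def _parse(ts):
    """Parse an HH:MM:SS time stamp (the format used in the page's example)."""
    return datetime.strptime(ts, "%H:%M:%S")


def build_chains(messages):
    """Steps S31/S33: group messages by traffic attribution identifier (device
    number) and sort each group by time stamp to form a traffic access data chain."""
    chains = {}
    for m in messages:
        chains.setdefault(m["device"], []).append(m)
    for dev in chains:
        chains[dev].sort(key=lambda m: _parse(m["ts"]))
    return chains


def adjacent_time_differences(chain):
    """Step S511: seconds between each pair of adjacent time stamps,
    returned as (earlier message, later message, seconds)."""
    diffs = []
    for prev, nxt in zip(chain, chain[1:]):
        secs = (_parse(nxt["ts"]) - _parse(prev["ts"])).total_seconds()
        diffs.append((prev["name"], nxt["name"], secs))
    return diffs


def preset_duration_from_history(historical_intervals, k=2.0):
    """Threshold for step S513 derived from historical traffic statistics:
    mean + k * standard deviation of normal intervals (k is a constructed choice)."""
    return mean(historical_intervals) + k * pstdev(historical_intervals)


def find_access_breakpoints(chain, preset_seconds):
    """Steps S513-S515 with the Fig. 4 distribution: every adjacent gap of at least
    preset_seconds becomes an access breakpoint holding its start/stop messages, the
    target time difference, and its share of the chain's total access duration."""
    if len(chain) < 2:
        return {"total_seconds": 0.0, "breakpoints": []}
    total = (_parse(chain[-1]["ts"]) - _parse(chain[0]["ts"])).total_seconds()
    breakpoints = []
    for start, stop, secs in adjacent_time_differences(chain):
        if secs >= preset_seconds:
            breakpoints.append({
                "start": start,          # message before the gap (start time stamp)
                "stop": stop,            # message after the gap (stop time stamp)
                "seconds": secs,         # target time difference
                "share": secs / total,   # fraction of the total access duration
            })
    return {"total_seconds": total, "breakpoints": breakpoints}


if __name__ == "__main__":
    chains = build_chains(SAMPLE_MESSAGES)
    for dev, chain in chains.items():
        result = find_access_breakpoints(chain, preset_seconds=60)
        print(dev, "total", result["total_seconds"], "s")
        for bp in result["breakpoints"]:
            print("  breakpoint", bp["start"], "->", bp["stop"],
                  f'{bp["seconds"]:.0f} s, {bp["share"] * 100:.2f}%')
```

With a 60-second preset duration only the A-B and B-C gaps of DEV-01 qualify; with a preset of 0 all three gaps are reported with the 46.15%, 38.46% and 15.38% shares computed in the text.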
Fig. 5 is a flowchart of generating a chained feature of the traffic access data chain according to an embodiment of the present application, where the method may include the following steps:
Step S531, identifying the start node and the end node of the access breakpoint, and calculating the first weight of the start node and the second weight of the end node.
Step S533, calculating the representative node of the access breakpoint according to the first weight and the second weight.
Step S535, determining node positions of the representative nodes in the total access duration of the traffic access data chain, and using each node position as a feature element to form a chained feature of the traffic access data chain.
Specifically, to ensure that the position of an access breakpoint accurately reflects the actual condition of the traffic, especially when the data messages before and after the access breakpoint differ significantly, the start node and the end node corresponding to the access breakpoint are identified in the traffic access data chain, and a first weight for the start node and a second weight for the end node are calculated. The two weights are determined from characteristics of the data messages before and after the breakpoint, so that the position of the access breakpoint in the traffic access data chain is determined more accurately.
To allow traffic access data chains of different total access durations to be compared on the same scale, the node position of the representative node within the total access duration of the traffic access data chain is determined. The node position may be expressed in normalized form, for example as a percentage, with the total access duration normalized to 100%: if the representative node lies at 75% of the total access duration, its position is recorded as 75%. Finally, the positions of all representative nodes in the traffic access data chain are taken as feature elements to form the chained feature of the traffic access data chain.
Compared with the embodiment shown in fig. 1, this embodiment determines the start node and the end node of the access breakpoint by analyzing the timestamps of the data messages, calculates the first weight of the start node and the second weight of the end node, and calculates the representative node of the access breakpoint from the two weights, so that the position of the access breakpoint in the traffic access data chain is determined more accurately. Further, by determining the node position of the representative node within the total access duration of the traffic access data chain, traffic access data chains of different total access durations can be compared. The node positions are then taken as feature elements to form the chained feature of the traffic access data chain, and the chained feature is used to predict traffic anomalies and improve the effect of intelligent network security protection.
Fig. 6 is a flowchart of step S531 provided in an embodiment of the present application, where the method may include the following steps:
Step S5311, determining a first access data segment to which the start node belongs and a second access data segment to which the end node belongs in the traffic access data chain.
Step S5313, identifying a first data volume characteristic of the first access data segment, generating a first weight according to the first data volume characteristic, identifying a second data volume characteristic of the second access data segment, and generating a second weight according to the second data volume characteristic.
Specifically, to ensure that the position of the access breakpoint accurately reflects the actual condition of the traffic, the start node and the end node corresponding to the access breakpoint are identified in the traffic access data chain. The start node is the end position of the data packets before the access breakpoint, and the first access data segment is determined from the data packets to which the start node belongs; the end node is the start position of the data packets after the access breakpoint, and the second access data segment is determined from the data packets to which the end node belongs. A first data volume characteristic of the first access data segment and a second data volume characteristic of the second access data segment are then identified; these characteristics may include message length, message timestamp, and the like.
Taking the message timestamp as an example, when the first weight is generated from the first data volume characteristic and the second weight from the second data volume characteristic, the weights are assigned according to the timestamp difference: if the timestamp span of the first access data segment is longer, a larger first weight is assigned to the start node; if the timestamp span of the second access data segment is shorter, a smaller second weight is assigned to the end node. For example, if the first weight is 0.8 and the second weight is 0.2, the representative node lies closer to the end of the first access data segment, because that side carries more weight.
Compared with the embodiment shown in fig. 5, this embodiment accurately divides the data packet segments before and after the access breakpoint by identifying the start node and the end node in the traffic access data chain, thereby determining the ranges of the first access data segment and the second access data segment. The first weight and the second weight are generated from characteristics of the respective data segments, for example data volume characteristics such as message length and timestamp. The embodiment thus ensures that access breakpoints are accurately identified and positioned in the traffic access data chain, so that network traffic is analyzed and processed more accurately.
Fig. 7 is a flowchart of another network security protection method based on a network port lock according to an embodiment of the present application. After step S9, the method may further include the following steps:
Step S101, continuously acquiring the flow to be verified sent to the target server in a preset monitoring period, and identifying each data link to be verified in the flow to be verified.
And step S103, splicing the data link to be verified to a corresponding flow access data link according to the flow attribution identifier to form a comprehensive data link.
Step S105, generating information to be verified, which is commonly represented by each comprehensive data chain, and if the information to be verified represents normal data, issuing a traffic recovery instruction to the target server through the network interface.
Specifically, once the network port lock has issued a traffic cutoff instruction to the target server, the device can no longer download data from the target server; it can only keep sending traffic to be verified to the target server in the hope of re-establishing data interaction. This traffic to be verified is acquired continuously within a preset monitoring period, and each data chain to be verified in it is identified in the manner of step S3, which gives real-time traffic monitoring of the target server. Each identified data chain to be verified is spliced onto the corresponding traffic access data chain according to the traffic attribution identifier to form a comprehensive data chain. For the comprehensive data chains, the information to be verified that they jointly represent is generated in the manner of steps S5 to S7, and if that information is identified as normal data, the network port lock automatically issues a traffic recovery instruction to the target server through the network interface. This automatic response mechanism restores network service quickly, reduces service interruption caused by traffic problems, improves the network's ability to defend against abnormal traffic, and strengthens overall network security.
According to this network security protection method based on a network port lock, the traffic to be verified that is sent to the target server is acquired continuously within the preset monitoring period and the data chains to be verified are identified in real time, so that data flowing to the target server is captured and analyzed immediately and the traffic state of the target server is monitored effectively. Splicing each data chain to be verified onto the traffic access data chain with the matching traffic attribution identifier reconstructs the complete data transmission path, so that the data flow to the target server can be tracked and understood accurately and the subsequent analysis and judgment rest on correctly matched chains. The information to be verified generated from the comprehensive data chains reflects their nature and supports the subsequent decision and response: when it is confirmed to be normal data, the network port lock automatically sends a traffic recovery instruction to the target server through the network interface. This automatic response restores the cut-off network service quickly, shortens the interruption, and improves reliability and user experience. Through real-time monitoring, data chain reconstruction and automatic response, service is restored quickly while abnormal traffic and possible security threats are handled effectively, which noticeably improves network security and reduces the risk posed by attacks or abnormal traffic.
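The following is an added example, not code from the patent or its applicants. It walks through the pipeline described above in one pass: traffic access data chains are built per device number (the traffic attribution identifier), access breakpoints are the adjacent timestamp gaps that reach the preset duration, each breakpoint gets a representative node from the first and second weights of its start and end nodes, the normalized positions of those nodes form the chained feature, and a small port-lock model shows the cutoff and recovery cycle on spliced to-be-verified traffic. Everything not stated on the page is an assumption and is marked as such: the Packet record, the choice of a segment's timestamp span as its data volume characteristic, and the verdict rule that a chain is abnormal when its breakpoint periods exceed half of the total access duration. The sample traffic is constructed: device A has two 10 s gaps in a 30 s chain, so the lock cuts traffic; the to-be-verified traffic extends the chain to 60 s at a steady 3 s cadence, the gap share falls to one third, and a recovery instruction follows.

```python
"""Added example (not the patent's own code): traffic access data chains,
access breakpoints, weighted representative nodes, chained features and the
port-lock cutoff/recovery cycle. Assumptions: Packet record, span-as-weight
rule, MAX_GAP_SHARE verdict rule."""
from dataclasses import dataclass

GAP_THRESHOLD = 5.0   # preset duration (s): an adjacent gap >= this is a breakpoint
MAX_GAP_SHARE = 0.5   # assumed verdict rule: abnormal if gaps exceed this share


@dataclass(frozen=True)
class Packet:            # assumed record for one data message
    ts: float            # message timestamp, seconds
    device: str          # traffic attribution identifier (device number)
    direction: str       # "up" = device -> server, "down" = server -> device
    length: int          # message length, bytes


def build_chains(packets):
    """Group messages by device number and order each group by timestamp."""
    chains = {}
    for p in packets:
        chains.setdefault(p.device, []).append(p)
    return {dev: sorted(c, key=lambda p: p.ts) for dev, c in chains.items()}


def find_breakpoints(chain, gap=GAP_THRESHOLD):
    """(start index, end index) of every adjacent pair whose gap >= preset duration."""
    return [(i, i + 1) for i in range(len(chain) - 1)
            if chain[i + 1].ts - chain[i].ts >= gap]


def total_duration(chain):
    return chain[-1].ts - chain[0].ts


def breakpoint_distribution(chain, gap=GAP_THRESHOLD):
    """Share of the total access duration occupied by each breakpoint period."""
    total = total_duration(chain)
    return [(chain[e].ts - chain[s].ts) / total for s, e in find_breakpoints(chain, gap)]


def segment_bounds(chain, idx, gap=GAP_THRESHOLD):
    """Indices (lo, hi) of the access data segment holding idx: the maximal run
    around idx in which no adjacent gap reaches the preset duration."""
    lo = hi = idx
    while lo > 0 and chain[lo].ts - chain[lo - 1].ts < gap:
        lo -= 1
    while hi < len(chain) - 1 and chain[hi + 1].ts - chain[hi].ts < gap:
        hi += 1
    return lo, hi


def representative_nodes(chain, gap=GAP_THRESHOLD):
    """Per breakpoint: (first weight, second weight, representative timestamp).
    Assumed characteristic: each segment's timestamp span; the spans are
    normalized to sum to 1, so the longer segment pulls the node toward itself."""
    out = []
    for s, e in find_breakpoints(chain, gap):
        lo1, hi1 = segment_bounds(chain, s, gap)
        lo2, hi2 = segment_bounds(chain, e, gap)
        c1, c2 = chain[hi1].ts - chain[lo1].ts, chain[hi2].ts - chain[lo2].ts
        w1, w2 = (0.5, 0.5) if c1 + c2 == 0 else (c1 / (c1 + c2), c2 / (c1 + c2))
        out.append((w1, w2, w1 * chain[s].ts + w2 * chain[e].ts))
    return out


def chained_feature(chain, gap=GAP_THRESHOLD):
    """Normalized position (0..1) of each representative node in the total duration."""
    t0, total = chain[0].ts, total_duration(chain)
    return [(rep - t0) / total for _, _, rep in representative_nodes(chain, gap)]


def evaluation_feature(chains, gap=GAP_THRESHOLD):
    """One evaluation value per chain (here the total breakpoint share), keyed by device."""
    return {dev: sum(breakpoint_distribution(c, gap)) for dev, c in chains.items()}


class PortLock:
    """Issues a cutoff on an abnormal evaluation and a recovery once the spliced
    to-be-verified traffic evaluates as normal."""
    def __init__(self, chains):
        self.chains, self.traffic_cut, self.instructions = chains, False, []

    def evaluate(self):
        abnormal = any(v > MAX_GAP_SHARE for v in evaluation_feature(self.chains).values())
        if abnormal and not self.traffic_cut:
            self.traffic_cut = True
            self.instructions.append("cutoff")
        return abnormal

    def verify(self, to_be_verified):
        """Splice to-be-verified chains onto the stored chains by device number,
        re-evaluate, and issue a recovery instruction if the result is normal."""
        for dev, chain in build_chains(to_be_verified).items():
            self.chains[dev] = sorted(self.chains.get(dev, []) + chain, key=lambda p: p.ts)
        if self.traffic_cut and not self.evaluate():
            self.traffic_cut = False
            self.instructions.append("recover")
        return self.traffic_cut


# Constructed sample traffic (not captured data): device A has two 10 s gaps.
SAMPLE = [Packet(t, "dev-A", d, 100) for t, d in
          [(0, "up"), (3, "down"), (6, "up"), (16, "down"), (18, "up"), (28, "down"), (30, "up")]]
SAMPLE += [Packet(t, "dev-B", "up", 64) for t in (1, 2, 3, 4)]
# Constructed to-be-verified traffic from device A after the cutoff: steady 3 s cadence.
VERIFY = [Packet(t, "dev-A", "up", 100) for t in range(33, 61, 3)]

if __name__ == "__main__":
    lock = PortLock(build_chains(SAMPLE))
    print("chained feature dev-A:", chained_feature(lock.chains["dev-A"]))
    print("abnormal:", lock.evaluate(), "| still cut after verify:", lock.verify(VERIFY))
    print("instructions issued:", lock.instructions)
```

With the constructed traffic, device A's first breakpoint sits between a 6 s segment and a 2 s segment, so its weights are 0.75 and 0.25 and the representative node lands at 8.5 s (position 8.5/30); the second breakpoint separates two 2 s segments, so the node is the midpoint at 23 s. The verdict rule is the one place where a real deployment would substitute the evaluation described in the page's earlier steps; the chain construction, breakpoint detection and positioning do not depend on it.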
Accordingly, referring to fig. 8, an embodiment of the present application provides a network security protection device based on a network port lock, where the device includes:
An initializing unit 201, configured to initialize a network interface of a network port lock, where the network port lock establishes a communication connection with a target server through the network interface;
The flow identification unit 203 is configured to obtain uplink and downlink flow data of the target server through the network port lock, and identify a plurality of flow access data chains from the uplink and downlink flow data according to a flow attribution identifier;
A chained feature generating unit 205, configured to determine, for any one traffic access data chain, an access breakpoint in the traffic access data chain, and generate chained features of the traffic access data chain based on a position of the access breakpoint in the traffic access data chain;
An evaluation feature generating unit 207 configured to determine evaluation information of chained features of each flow access data chain, and aggregate each of the evaluation information to generate evaluation features of the uplink and downlink flow data;
And an exception handling unit 209, configured to determine whether the uplink and downlink traffic data is marked as exception data according to the evaluation feature, and if so, issue a traffic cutoff instruction to the target server through the network interface.
Optionally, the traffic attribution identifier is used for characterizing a device number for data interaction with the target server;
the flow identification unit 203 performs the following operations:
for any equipment number, extracting target data carrying the equipment number from the uplink and downlink flow data, acquiring time stamps of all data messages in the target data, and identifying uplink and downlink identifications corresponding to the time stamps;
And sequencing the uplink and downlink identifiers according to the sequence of the time stamps, and constructing a flow access data chain of the target data based on the sequenced result.
Optionally, determining an access breakpoint in the traffic access data chain in the chained feature generation unit 205 includes:
identifying time stamps corresponding to each uplink and downlink identification in the flow access data chain, and calculating the time difference between any two adjacent time stamps;
Counting target time differences which are larger than or equal to a preset duration in each calculated time difference, and sequentially recording start and stop time stamps corresponding to each target time difference;
and generating an access breakpoint in the traffic access data chain based on the recorded start-stop time stamps of each group.
Optionally, generating the access breakpoint in the traffic access data chain based on the recorded start-stop timestamps of the respective groups comprises:
calculating the total access time length of the flow access data chain according to the start time stamp and the end time stamp of the flow access data chain;
Generating the distribution information of the time period formed by the start-stop time stamps in the total access duration according to the recorded start-stop time stamps of each group;
and summarizing each piece of distribution information to generate an access breakpoint in the traffic access data chain.
Optionally, the generating, in the chained feature generating unit 205, the chained feature of the traffic access data chain based on the location of the access breakpoint in the traffic access data chain includes:
identifying a starting node and a terminating node of the access breakpoint, and calculating a first weight of the starting node and a second weight of the terminating node;
calculating a representative node of the access breakpoint according to the first weight and the second weight;
And determining the node positions of the representative nodes in the total access time length of the flow access data chain, and taking the node positions as characteristic elements to form chain characteristics of the flow access data chain.
Optionally, calculating the first weight of the start node and the second weight of the end node includes:
Determining a first access data segment to which the starting node belongs in the traffic access data chain, and determining a second access data segment to which the terminating node belongs;
Identifying a first data volume characteristic of the first access data segment, generating a first weight according to the first data volume characteristic, identifying a second data volume characteristic of the second access data segment, and generating a second weight according to the second data volume characteristic.
Optionally, the step of summarizing each piece of evaluation information in the evaluation feature generating unit 207 to generate the evaluation feature of the uplink and downlink traffic data includes:
And identifying evaluation values of the evaluation information characterization, and taking each evaluation value as a vector element to form a feature vector for characterizing evaluation features of the uplink and downlink flow data.
Optionally, after the exception handling unit, the apparatus further comprises:
The to-be-verified data chain generation unit is used for continuously acquiring to-be-verified flow sent to the target server in a preset monitoring period and identifying each to-be-verified data chain in the to-be-verified flow;
The comprehensive data chain generation unit is used for splicing the data chain to be verified into the corresponding flow access data chain according to the flow attribution identifier to form a comprehensive data chain;
And the recovery instruction unit is used for generating information to be verified, which is commonly represented by each comprehensive data chain, and issuing a flow recovery instruction to the target server through the network interface if the information to be verified represents normal data.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The network security protection apparatus based on the network port lock in this embodiment is presented as functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and a memory that execute one or more software or fixed programs, and/or other devices that can provide the above functions.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 9, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The components are communicatively coupled to each other by different buses and may be mounted on a common motherboard or in other ways as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 9.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present application also provide a computer readable storage medium. The method of the embodiments described above may be implemented in hardware or firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine readable storage medium and downloaded through a network into a local storage medium, so that the method described here may be executed from the storage medium by a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk, or the like, or a combination of these. It will be appreciated that a computer, processor, microprocessor, controller or programmable hardware includes a storage element that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
The method, apparatus or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having some function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or device. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and devices according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.
Although embodiments of the present application have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the application, and such modifications and variations are within the scope of the application as defined by the appended claims.

Claims (11)

1. A network security protection method based on a network port lock, the method comprising:
Initializing a network interface of a network port lock, wherein the network port lock establishes communication connection with a target server through the network interface;
acquiring uplink and downlink flow data of the target server through the network port lock, and identifying a plurality of flow access data chains from the uplink and downlink flow data according to a flow attribution identifier;
determining an access breakpoint in a traffic access data chain according to any traffic access data chain, and generating chain characteristics of the traffic access data chain based on the position of the access breakpoint in the traffic access data chain;
determining evaluation information of chained features of each flow access data chain, and summarizing each evaluation information to generate evaluation features of the uplink and downlink flow data;
and judging whether the uplink and downlink flow data are marked as abnormal data or not according to the evaluation characteristics, and if so, issuing a flow cutting instruction to the target server through the network interface.
2. The method of claim 1, wherein the traffic home identifier is used to characterize a device number for data interaction with the target server;
Identifying a plurality of traffic access data chains from the uplink and downlink traffic data according to the traffic attribution identifier comprises:
for any equipment number, extracting target data carrying the equipment number from the uplink and downlink flow data, acquiring time stamps of all data messages in the target data, and identifying uplink and downlink identifications corresponding to the time stamps;
And sequencing the uplink and downlink identifiers according to the sequence of the time stamps, and constructing a flow access data chain of the target data based on the sequenced result.
3. The method of claim 1 or 2, wherein determining an access breakpoint in the traffic access data chain comprises:
identifying time stamps corresponding to each uplink and downlink identification in the flow access data chain, and calculating the time difference between any two adjacent time stamps;
Counting target time differences which are larger than or equal to a preset duration in each calculated time difference, and sequentially recording start and stop time stamps corresponding to each target time difference;
and generating an access breakpoint in the traffic access data chain based on the recorded start-stop time stamps of each group.
4. The method of claim 3, wherein generating an access breakpoint in the traffic access data chain based on the recorded sets of start-stop timestamps comprises:
calculating the total access time length of the flow access data chain according to the start time stamp and the end time stamp of the flow access data chain;
Generating the distribution information of the time period formed by the start-stop time stamps in the total access duration according to the recorded start-stop time stamps of each group;
and summarizing each piece of distribution information to generate an access breakpoint in the traffic access data chain.
5. The method of claim 1, wherein generating a chained feature of the traffic access data chain based on where the access breakpoint is located in the traffic access data chain comprises:
identifying a starting node and a terminating node of the access breakpoint, and calculating a first weight of the starting node and a second weight of the terminating node;
calculating a representative node of the access breakpoint according to the first weight and the second weight;
And determining the node positions of the representative nodes in the total access time length of the flow access data chain, and taking the node positions as characteristic elements to form chain characteristics of the flow access data chain.
6. The method of claim 5, wherein calculating the first weight of the originating node and the second weight of the terminating node comprises:
Determining a first access data segment to which the starting node belongs in the traffic access data chain, and determining a second access data segment to which the terminating node belongs;
Identifying a first data volume characteristic of the first access data segment, generating a first weight according to the first data volume characteristic, identifying a second data volume characteristic of the second access data segment, and generating a second weight according to the second data volume characteristic.
7. The method of claim 1, wherein aggregating the respective evaluation information to generate an evaluation feature of the upstream and downstream traffic data comprises:
And identifying evaluation values of the evaluation information characterization, and taking each evaluation value as a vector element to form a feature vector for characterizing evaluation features of the uplink and downlink flow data.
8. The method of claim 1, wherein after issuing a traffic-cutoff instruction to the target server through the network interface, the method further comprises:
Continuously acquiring flow to be verified sent to the target server in a preset monitoring period, and identifying each data link to be verified in the flow to be verified;
splicing the data link to be verified into a corresponding flow access data link according to the flow attribution identifier to form a comprehensive data link;
And generating information to be verified, which is commonly represented by each comprehensive data chain, and if the information to be verified represents normal data, issuing a flow recovery instruction to the target server through the network interface.
9. A network security protection device based on a network port lock, the device comprising:
The initialization unit is used for initializing a network interface of the network port lock, and the network port lock establishes communication connection with the target server through the network interface;
the flow identification unit is used for acquiring uplink and downlink flow data of the target server through the network port lock and identifying a plurality of flow access data chains from the uplink and downlink flow data according to the flow attribution identification;
the chained feature generation unit is used for determining an access breakpoint in the flow access data chain aiming at any flow access data chain and generating chained features of the flow access data chain based on the position of the access breakpoint in the flow access data chain;
The evaluation feature generation unit is used for determining evaluation information of chained features of each flow access data chain and summarizing each evaluation information to generate evaluation features of the uplink and downlink flow data;
And the exception processing unit is used for judging whether the uplink and downlink flow data are marked as exception data according to the evaluation characteristics, and if so, issuing a flow cut-off instruction to the target server through the network interface.
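The pipeline of claims 7 to 9, written out as a small Python model. This is an added illustration, not code from the patent or its applicants, and it fills in details the claims leave open with labelled assumptions: the traffic attribution identifier is a "client:session" string; a traffic access data chain is the set of records sharing one identifier, ordered by a sequence number; the access breakpoint is the first record whose sequence number does not follow its predecessor; the chained feature is the breakpoint position scaled into [0, 1]; the evaluation value of each chain is that feature, and the traffic is marked abnormal when the largest element of the feature vector reaches an assumed threshold. For the post-cutoff verification of claim 8, a break already present in a stored chain would otherwise keep the lock closed forever, so the model counts only breaks at or after the splice seam; that, too, is an assumption. All sample traffic is constructed.

```python
"""Toy model of the port-lock pipeline in claims 7 to 9 (added illustration, not the
patent's code). Assumed: "client:session" attribution ids; breakpoint = first seq that is
not predecessor + 1; feature = 1 - index/len; abnormal when max(feature vector) >= THRESHOLD;
during verification only breaks at or after the splice seam are counted."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD = 0.3  # assumed decision threshold on the evaluation feature


@dataclass(frozen=True)
class Record:
    attribution_id: str  # traffic attribution identifier, e.g. "10.0.0.5:s1" (assumed form)
    seq: int             # position in the client's access sequence
    direction: str       # "up" (to the target server) or "down" (from it)


Chain = List[Record]


def identify_chains(records: List[Record]) -> Dict[str, Chain]:
    """Split one batch of up/down traffic into access data chains by attribution id."""
    chains: Dict[str, Chain] = {}
    for rec in records:
        chains.setdefault(rec.attribution_id, []).append(rec)
    for chain in chains.values():
        chain.sort(key=lambda r: r.seq)
    return chains


def access_breakpoint(chain: Chain, start: int = 1) -> Optional[int]:
    """Index of the first record at or after `start` whose seq is not predecessor + 1."""
    for i in range(max(start, 1), len(chain)):
        if chain[i].seq != chain[i - 1].seq + 1:
            return i
    return None


def chained_feature(chain: Chain, start: int = 1) -> float:
    """Breakpoint position scaled to [0, 1]: an early break scores high, no break scores 0."""
    bp = access_breakpoint(chain, start)
    return 0.0 if bp is None else 1.0 - bp / len(chain)


def evaluation_feature(chains: Dict[str, Tuple[Chain, int]]) -> List[float]:
    """Claim 7: one evaluation value per chain, taken as the elements of a feature vector."""
    return [round(chained_feature(chain, start), 4) for chain, start in chains.values()]


def is_abnormal(vector: List[float]) -> bool:
    return bool(vector) and max(vector) >= THRESHOLD


def splice(existing: Dict[str, Chain], to_verify: Dict[str, Chain]) -> Dict[str, Tuple[Chain, int]]:
    """Claim 8: append each chain to be verified onto the stored chain with the same id,
    returning the comprehensive chain and the seam index where the new segment starts."""
    return {aid: (existing.get(aid, []) + new, len(existing.get(aid, [])))
            for aid, new in to_verify.items()}


class PortLock:
    """Claim 9 units as one state machine: pass traffic until the evaluation feature
    marks it abnormal, then stay cut off until a monitoring period verifies clean."""

    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}
        self.cut_off = False
        self.instructions: List[str] = []  # what the lock sent over its network interface

    def inspect(self, records: List[Record]) -> str:
        """Traffic identification, chained feature, evaluation feature, exception handling."""
        self.chains = identify_chains(records)
        vector = evaluation_feature({aid: (c, 1) for aid, c in self.chains.items()})
        if is_abnormal(vector):
            self.cut_off = True
            self.instructions.append("cutoff")
            return "cutoff"
        return "pass"

    def verify(self, records: List[Record]) -> str:
        """One monitoring period after a cutoff: 'hold' keeps the cutoff, 'recover' lifts it."""
        if not self.cut_off:
            return "pass"
        comprehensive = splice(self.chains, identify_chains(records))
        vector = evaluation_feature(comprehensive)
        self.chains.update({aid: chain for aid, (chain, _) in comprehensive.items()})
        if is_abnormal(vector):
            return "hold"
        self.cut_off = False
        self.instructions.append("recover")
        return "recover"


def rec(aid: str, *seqs: int) -> List[Record]:
    return [Record(aid, s, "up" if s % 2 else "down") for s in seqs]


# Constructed sample traffic (not captured data): one clean chain and two broken ones,
# then two monitoring periods; the second brings a fresh session with no stored chain.
SAMPLE_TRAFFIC = (rec("10.0.0.5:s1", 1, 2, 3, 4, 5) + rec("10.0.0.9:s7", 1, 2, 7, 8)
                  + rec("10.0.0.23:s3", 1, 5, 6, 7, 8, 9))
PERIOD_1 = rec("10.0.0.5:s1", 6, 7) + rec("10.0.0.9:s7", 12, 13) + rec("10.0.0.23:s3", 10, 11)
PERIOD_2 = rec("10.0.0.5:s1", 8, 9) + rec("10.0.0.9:s7", 14, 15) + rec("10.0.0.40:s2", 1, 2, 3)


def run_demo() -> List[str]:
    lock = PortLock()
    return [lock.inspect(SAMPLE_TRAFFIC), lock.verify(PERIOD_1), lock.verify(PERIOD_2)]


if __name__ == "__main__":
    print(run_demo())  # ['cutoff', 'hold', 'recover']
```

The first batch is cut off because session s3 breaks at its second record (feature 0.8333). The first monitoring period holds the cutoff: session s7 jumps from 8 to 12 right at the seam, which the model scores as a fresh break. The second period is clean, including the new session s2 that has no stored chain to splice onto, so the lock issues the recovery instruction. A real deployment would also need to bound the stored chain length and decide how long a monitoring period lasts; the claims leave both open.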
10. A computer device, comprising:
a memory and a processor in communication with each other, the memory having stored therein computer instructions which, upon execution, cause the processor to perform the method of any of claims 1 to 8.
11. A computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410978679.5A CN118509268B (en) 2024-07-22 2024-07-22 Network security protection method, device, equipment and medium based on network port lock

Publications (2)

Publication Number Publication Date
CN118509268A true CN118509268A (en) 2024-08-16
CN118509268B CN118509268B (en) 2024-09-27

Family

ID=92241948

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410978679.5A Active CN118509268B (en) 2024-07-22 2024-07-22 Network security protection method, device, equipment and medium based on network port lock

Country Status (1)

Country Link
CN (1) CN118509268B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119180498A (en) * 2024-09-05 2024-12-24 苏州瑞盈智算科技有限公司 Enterprise safety risk evaluation system based on big data

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5706436A (en) * 1995-02-01 1998-01-06 Cabletron Systems, Inc. Apparatus and method for evaluation network traffic performance
CN102187641A (en) * 2011-01-14 2011-09-14 华为技术有限公司 A method for delivering visit content and a device thereof
CN102750484A (en) * 2012-06-28 2012-10-24 腾讯科技(深圳)有限公司 Method and device for preventing virus sample self-checking
US9130846B1 (en) * 2008-08-27 2015-09-08 F5 Networks, Inc. Exposed control components for customizable load balancing and persistence
CN105095763A (en) * 2015-08-10 2015-11-25 北京金山安全软件有限公司 vulnerability defense method and device and electronic equipment
CN112714107A (en) * 2020-12-18 2021-04-27 玉溪市电子政务内网信息技术中心 Terminal single-path intelligent port lock and system and control method thereof
CN113836120A (en) * 2021-11-29 2021-12-24 江苏金恒信息科技股份有限公司 Breakpoint resume method and system based on data acquisition engine to data application
CN115189936A (en) * 2022-07-07 2022-10-14 东南大学 Tor hidden service flow identification method based on feature selection
CN117082099A (en) * 2023-08-31 2023-11-17 杭州瑞晟博科技有限公司 Intranet link safety protection system and method based on cloud edge cooperation
CN118018333A (en) * 2024-04-10 2024-05-10 国网浙江省电力有限公司杭州市富阳区供电公司 A network port lock unlocking control method, system, device and storage medium
CN118041687A (en) * 2024-04-08 2024-05-14 国网浙江省电力有限公司杭州供电公司 A perception safety protection system and method based on network port blocking equipment
CN118054973A (en) * 2024-04-11 2024-05-17 国网浙江省电力有限公司桐庐县供电公司 Active defense method, system, device and medium based on network port lock

Also Published As

Publication number Publication date
CN118509268B (en) 2024-09-27

Similar Documents

Publication Publication Date Title
US9401924B2 (en) Monitoring operational activities in networks and detecting potential network intrusions and misuses
US7594270B2 (en) Threat scoring system and method for intrusion detection security networks
Li et al. Distinguishing DDoS attacks from flash crowds using probability metrics
Feng et al. Feature selection for machine learning-based early detection of distributed cyber attacks
CN108616529B (en) Anomaly detection method and system based on business flow
CN113438249B (en) Attack tracing method based on strategy
JP2010539574A (en) Intrusion detection method and system
CN111049827A (en) Network system safety protection method, device and related equipment
WO2024159901A1 (en) Network attack defense method, network element device and computer-readable storage medium
CN118473826B (en) Multi-network port protection method and device, electronic equipment and storage medium
CN117527412A (en) Data security monitoring methods and devices
CN118509268B (en) Network security protection method, device, equipment and medium based on network port lock
CN117294517A (en) Network security protection method and system for solving abnormal traffic
Wu et al. DDoS detection and traceback with decision tree and grey relational analysis
Shamsolmoali et al. C2DF: High rate DDOS filtering method in cloud computing
KR20110028106A (en) Access history based distributed service attack traffic control device and method
CN115766235A (en) Network security early warning system and early warning method
CN120110710A (en) A method and system for dynamic monitoring and tracking of active sources for DDoS attack defense
CN118590314B (en) Artificial intelligence-based network threat detection method, system and medium
Kumar et al. Statistical based intrusion detection framework using six sigma technique
CN119849314A (en) Secure deduction method and device based on trusted computing
CN119232440A (en) A network attack prevention method, device, terminal equipment and storage medium
JP2006115129A (en) Network anomaly detection system
CN114186232B (en) A network attack team identification method, device, electronic device and storage medium
CN117692188A (en) Power security event correlation analysis method and device for attack monitoring scenarios

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant