
CN111031004B - Service flow processing method, service flow learning method, device and system - Google Patents


Info

Publication number: CN111031004B
Authority: CN (China)
Prior art keywords: protocol number, address, target, data packets, protected
Legal status: Active
Application number: CN201911151007.2A
Other languages: Chinese (zh)
Other versions: CN111031004A (en)
Inventors: 陈国�, 彭晨晨
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events:
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201911151007.2A
Publication of CN111031004A
Application granted
Publication of CN111031004B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method for processing service traffic, a method for learning service traffic, a device and a system, which can be applied to the field of data security in data transmission. They efficiently intercept service traffic that meets an abnormal traffic processing condition while releasing service traffic under an available protocol number, so that normal services are not blocked by mistake. The method comprises the following steps: when a target Internet Protocol (IP) address of a server is attacked, a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address are obtained; if the target protocol number is inconsistent with the available protocol numbers in the protocol number baseline, a load characteristic statistical result of P data packets is obtained from the service traffic corresponding to the target protocol number; if the load characteristic statistical result meets the abnormal traffic processing condition, Q data packets are determined from the P data packets, and the Q data packets are intercepted.

Description

Service flow processing method, service flow learning method, device and system
Technical Field
The present application relates to the field of network security, and in particular to a method for processing service traffic, a method for learning service traffic, an apparatus, and a system.
Background
In fields such as medical care, finance, credit investigation, banking, government affairs, games and education, business services are commonly provided to users through servers, and attack techniques against those servers have developed alongside them. A distributed denial of service (DDoS) attack refers to an attacker controlling many machines distributed in various places to send a large volume of abnormal traffic to a server, so that the server is kept busy processing the abnormal traffic and cannot process normal user requests. With the continued development of attack technology, a newer attack method, the protocol flooding attack, has appeared: an attacker controls compromised hosts (zombies) that forge source Internet Protocol (IP) addresses and send large volumes of traffic under randomly forged protocol numbers to the attacked server, so that the bandwidth of the attacked server is congested.
At present, protection against protocol flooding attacks rate-limits the traffic of protocols that are not in use, and traffic of unused protocols exceeding the rate limit is discarded, which achieves a protective effect.
However, if the protected server carries traffic that uses an uncommon protocol, rate limiting evidently causes normal traffic to be blocked by mistake. This is because rate limiting can only discard packets indiscriminately until the traffic falls below the threshold: when a protocol flooding attack occurs, normal traffic and attack traffic are discarded indiscriminately and at random, so the normal traffic fails.
Disclosure of Invention
The embodiment of the application provides a method for processing service traffic, a method for learning service traffic, a device and a system, which can identify protocol flooding attack traffic in real time, analyze only the service traffic under non-available protocol numbers, efficiently intercept service traffic that meets the abnormal traffic processing condition, and release service traffic under the available protocol numbers, so that normal services are not blocked by mistake.
In view of the above, a first aspect of the present application provides a method for processing service traffic, including:
when a target Internet Protocol (IP) address of a server is attacked, acquiring a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and an available protocol number;
if the target protocol number is not consistent with the available protocol number in the protocol number baseline, acquiring a load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, wherein the load characteristic statistical result is a statistical result of the target load characteristic in the P data packets, and P is an integer greater than or equal to 1;
if the load characteristic statistical result meets the abnormal flow processing condition, determining Q data packets from the P data packets, wherein the load characteristics of the Q data packets are target load characteristics, and Q is an integer which is greater than or equal to 1 and less than or equal to P;
and intercepting the Q data packets.
A second aspect of the present application provides a method for learning service traffic, including:
acquiring mirror image service flow corresponding to the protected IP address through the optical splitter;
acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow;
generating a protocol number baseline according to the protected IP address and an available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and the available protocol number;
when a target Internet Protocol (IP) address of a server is attacked, sending the protocol number baseline of the server to the protective equipment, so that the protective equipment determines, according to the protocol number baseline of the server, that a target protocol number is inconsistent with the available protocol numbers in the protocol number baseline, obtains a load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and, if the load characteristic statistical result meets the abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets; wherein the load characteristic statistical result is a statistical result of the target load characteristic in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are the target load characteristic, and Q is an integer greater than or equal to 1 and less than or equal to P.
In one possible design, in a first implementation manner of the second aspect of the embodiment of the present application, the method further includes:
acquiring a user identifier corresponding to a protected IP address;
generating a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises the following steps:
if the user identification is the first user identification, generating a protocol number baseline according to the first user identification, the protected IP address and an available protocol number corresponding to the protected IP address;
and if the user identifier is a second user identifier, generating a protocol number baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address.
In one possible design, in a second implementation manner of the second aspect of the embodiment of the present application, the method further includes:
acquiring user grade information corresponding to a protected IP address;
obtaining an available protocol number corresponding to the protected IP address according to the mirror image service flow, comprising:
if the user grade information is a first grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in a first time length;
and if the user grade information is a second grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in a second time length, wherein the second grade is lower than the first grade, and the second time length is less than the first time length.
A third aspect of the present application provides a service traffic processing apparatus, including:
an acquisition module and a processing module, wherein the acquisition module is used for acquiring a protocol number baseline of a server and a target protocol number corresponding to an attacked target IP address when the target Internet Protocol (IP) address of the server is attacked, and the protocol number baseline comprises a corresponding relation between the IP address and an available protocol number;
the acquisition module is further used for acquiring a load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number under the condition that the target protocol number acquired by the acquisition module is inconsistent with the available protocol number in the protocol number baseline acquired by the acquisition module, wherein the load characteristic statistical result is a statistical result of the target load characteristic in the P data packets, and P is an integer greater than or equal to 1;
the processing module is used for determining Q data packets from the P data packets under the condition that the load characteristic statistical result obtained by the obtaining module meets the abnormal flow processing condition, wherein the load characteristics of the Q data packets are target load characteristics, and Q is an integer which is greater than or equal to 1 and less than or equal to P;
and the processing module is also used for intercepting the Q data packets determined by the processing module.
In one possible design, in a first implementation of the third aspect of an embodiment of the present application,
the acquisition module is also used for acquiring an available protocol number corresponding to the target IP address according to the protocol number baseline acquired by the acquisition module;
the processing module is also used for comparing the target protocol number acquired by the acquisition module with the available protocol number corresponding to the target IP address acquired by the acquisition module to obtain a comparison result;
the processing module is further used for determining that the target protocol number is inconsistent with the available protocol number in the protocol number baseline under the condition that the comparison result obtained by the processing module is the first result;
and the processing module is also used for determining that the target protocol number is consistent with the available protocol number in the protocol number baseline under the condition that the comparison result obtained by the processing module is a second result.
In a possible design, in a second implementation manner of the third aspect of the embodiment of the present application, the service traffic processing apparatus further includes a sending module, used for sending the P data packets corresponding to the target protocol number acquired by the acquisition module to the server.
In one possible design, in a third implementation of the third aspect of the embodiments of the present application,
an acquisition module specifically configured to:
acquiring a service flow corresponding to a target protocol number;
acquiring load data of P data packets according to the service flow corresponding to the target protocol number;
acquiring load characteristics in unit time according to load data of P data packets, wherein the load characteristics comprise at least one of first N bytes and last M bytes of the load data, N is an integer greater than or equal to 1, and M is an integer greater than or equal to 1;
and generating a load characteristic statistical result according to the load characteristics in unit time.
In one possible design, in a fourth implementation of the third aspect of the embodiments of the present application,
an acquisition module specifically configured to: acquiring the occurrence times of the same byte in the first N bytes in unit time according to the load data of the P data packets to generate a load characteristic statistical result;
and the processing module is further used for determining that the statistical result of the load characteristics meets the abnormal flow processing condition under the condition that the occurrence frequency of the same byte in the first N bytes acquired by the acquisition module in unit time is greater than or equal to the occurrence frequency threshold.
In one possible design, in a fifth implementation form of the third aspect of the embodiments of the present application,
an acquisition module specifically configured to: generating a load characteristic statistical result according to the occurrence times of the same byte in the later M bytes in unit time;
and the processing module is further used for determining that the load characteristic statistical result meets the abnormal flow processing condition if the occurrence frequency of the same byte in the last M bytes acquired by the acquisition module in unit time is greater than or equal to the occurrence frequency threshold.
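The baseline learning step (second aspect) and the per-protocol payload-feature filter (first aspect, with the first-N-bytes / last-M-bytes counting of the third, fourth and fifth implementations above) as an added, self-contained model; this is illustrative code, not the patent's or Tencent's implementation. It assumes the load characteristic is the pair (first N bytes, last M bytes) of the payload, that any characteristic recurring at least `threshold` times in the window counts as the target load characteristic, and uses constructed sample packets rather than captured traffic.

```python
"""Added example, not the patent's own code: a minimal model of the
protocol-number baseline and the payload-feature filter described above."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: int      # IP-header protocol number, e.g. 6 = TCP, 17 = UDP, 47 = GRE
    payload: bytes


def learn_baseline(mirror_packets):
    """Learning method (second aspect): from mirrored traffic, record which
    protocol numbers each protected IP is actually seen using.
    Returns the baseline as {ip: set(protocol numbers)}."""
    baseline = {}
    for pkt in mirror_packets:
        baseline.setdefault(pkt.dst_ip, set()).add(pkt.proto)
    return baseline


def load_feature(pkt, n, m):
    """Load characteristic: the first N and last M payload bytes (assumed
    combination of the 'at least one of' in the third implementation).
    N, M >= 1 as in the text; short payloads simply yield what they have."""
    return (pkt.payload[:n], pkt.payload[-m:])


def feature_stats(packets, n, m):
    """Count how many of the P packets in the window share each load
    characteristic (the fourth/fifth implementations count recurrences of
    the same bytes in the first N / last M positions)."""
    return Counter(load_feature(p, n, m) for p in packets)


def process_traffic(baseline, target_ip, packets, n=4, m=4, threshold=5):
    """Processing method (first aspect). Packets under a protocol number the
    baseline lists as available for target_ip are released untouched. For
    every other protocol number the P packets are analysed: if some load
    characteristic recurs at least `threshold` times, the Q packets carrying
    it are intercepted and the remaining P - Q are forwarded.
    Returns (forwarded, intercepted)."""
    available = baseline.get(target_ip, set())
    forwarded, intercepted = [], []
    by_proto = {}
    for pkt in packets:
        by_proto.setdefault(pkt.proto, []).append(pkt)
    for proto, group in by_proto.items():
        if proto in available:
            forwarded.extend(group)          # normal business protocol: release
            continue
        stats = feature_stats(group, n, m)
        abnormal = {f for f, c in stats.items() if c >= threshold}
        for pkt in group:
            if load_feature(pkt, n, m) in abnormal:
                intercepted.append(pkt)      # one of the Q packets
            else:
                forwarded.append(pkt)        # not matching: pass to the server
    return forwarded, intercepted


def demo():
    """Constructed sample traffic (not captured data): the protected IP only
    ever uses TCP and UDP; a burst of identical GRE payloads arrives alongside
    one unique GRE packet and normal TCP requests."""
    ip = "203.0.113.10"
    mirror = [Packet(ip, 6, b"GET / HTTP/1.1\r\n"), Packet(ip, 17, b"\x12\x34dns?")]
    baseline = learn_baseline(mirror)
    flood = [Packet(ip, 47, b"\x00\x00\x08\x00" + b"A" * 60) for _ in range(6)]
    odd_gre = [Packet(ip, 47, b"\x00\x00\x08\x00" + bytes(range(60)))]
    normal = [Packet(ip, 6, b"GET /api HTTP/1.1\r\n") for _ in range(3)]
    return baseline, process_traffic(baseline, ip, flood + odd_gre + normal)


if __name__ == "__main__":
    baseline, (forwarded, intercepted) = demo()
    print("baseline:", baseline)
    print("forwarded:", len(forwarded), "intercepted:", len(intercepted))
```

The unique GRE packet is forwarded even though GRE is outside the baseline, which is the point of the scheme: only repeated payload characteristics under an unavailable protocol are dropped, not the whole protocol.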
In one possible design, in a sixth implementation form of the third aspect of the embodiments of the present application,
the acquisition module is also used for acquiring the mirror image service flow corresponding to the protected IP address through the optical splitter;
the acquisition module is also used for acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow acquired by the acquisition module;
and the processing module is also used for generating a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address.
In one possible design, in a seventh implementation form of the third aspect of the embodiments of the present application,
the obtaining module is also used for obtaining the user identification corresponding to the protected IP address;
the processing module is specifically configured to:
if the user identifier acquired by the acquisition module is the first user identifier, generating a protocol number baseline according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address;
and if the user identifier acquired by the acquisition module is a second user identifier, generating a protocol number baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address.
In one possible design, in an eighth implementation form of the third aspect of the embodiments of the present application,
the acquisition module is also used for acquiring the user grade information corresponding to the protected IP address;
an acquisition module specifically configured to:
if the user grade information acquired by the acquisition module is a first grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in the first time length;
and if the user grade information acquired by the acquisition module is a second grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in a second time length, wherein the second grade is lower than the first grade, and the second time length is shorter than the first time length.
A fourth aspect of the present application provides a service traffic learning apparatus, including:
the acquisition module is used for acquiring the mirror image service flow corresponding to the protected IP address through the optical splitter;
the acquisition module is also used for acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow acquired by the acquisition module;
the processing module is used for generating a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises the corresponding relation between the IP address and the available protocol number;
a sending module, configured to send the protocol number baseline of the server generated by the processing module to the protective equipment when the target Internet Protocol (IP) address of the server is attacked, so that when the protective equipment determines, according to the protocol number baseline of the server, that the target protocol number is inconsistent with the available protocol numbers in the protocol number baseline, it acquires the load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and, if the load characteristic statistical result meets the abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets; wherein the load characteristic statistical result is a statistical result of the target load characteristic in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are the target load characteristic, and Q is an integer greater than or equal to 1 and less than or equal to P.
In one possible design, in a first implementation of the fourth aspect of the embodiments of the present application,
the obtaining module is also used for obtaining the user identification corresponding to the protected IP address;
the processing module is specifically configured to:
if the user identifier acquired by the acquisition module is the first user identifier, generating a protocol number baseline according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address;
and if the user identifier acquired by the acquisition module is a second user identifier, generating a protocol number baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address.
In one possible design, in a second implementation of the fourth aspect of the embodiments of the present application,
the acquisition module is also used for acquiring the user grade information corresponding to the protected IP address;
an acquisition module specifically configured to:
if the user grade information acquired by the acquisition module is a first grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in the first time length;
and if the user grade information acquired by the acquisition module is a second grade, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow in a second time length, wherein the second grade is lower than the first grade, and the second time length is shorter than the first time length.
A fifth aspect of the present application provides a protective apparatus, comprising: a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is configured to execute the program in the memory, including performing any one of the implementations of the first aspect;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
A sixth aspect of the present application provides a detection apparatus, comprising: a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is configured to execute the program in the memory, including performing any one of the implementations of the second aspect;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
A seventh aspect of the present application provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the above-described aspects.
According to the technical scheme, the embodiment of the application has the following advantages:
when a target Internet Protocol (IP) address of a server is attacked, a protocol number base line of the server and a target protocol number corresponding to the attacked target IP address are obtained, wherein the protocol number base line comprises a corresponding relation between the IP address and an available protocol number, if the target protocol number is inconsistent with the available protocol number in the protocol number base line, a load characteristic statistical result of P data packets is obtained according to service flow corresponding to the target protocol number, the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, and if the load characteristic statistical result meets an abnormal flow processing condition, Q data packets with load characteristics as the target load characteristics are determined from the P data packets, and the Q data packets are intercepted. By the method, the attack traffic of the protocol flooding can be identified in real time, only the service traffic under the unavailable protocol number is analyzed, the service traffic meeting the abnormal traffic processing condition is efficiently intercepted, and the service traffic under the available protocol number is released, so that the normal service is prevented from being killed by mistake.
Drawings
Fig. 1 is a schematic diagram of a network architecture of a service traffic processing method in an embodiment of the present application;
fig. 2 is a schematic diagram of an embodiment of a method for processing service traffic in an embodiment of the present application;
fig. 3 is a schematic diagram illustrating data packet information in a method for processing service traffic in an embodiment of the present application;
FIG. 4 is a schematic diagram of an embodiment of a method for learning traffic flow in an embodiment of the present application;
fig. 5 is a schematic diagram of an embodiment of a service traffic processing apparatus in an embodiment of the present application;
fig. 6 is a schematic diagram of another embodiment of a service traffic processing apparatus in an embodiment of the present application;
fig. 7 is a schematic diagram of an embodiment of a service traffic learning apparatus in an embodiment of the present application;
fig. 8 is a schematic structural diagram of a terminal device in an embodiment of the present application;
fig. 9 is a schematic structural diagram of a server in an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method for processing service traffic, a method for learning service traffic, a device and a system, which can identify protocol flooding attack traffic in real time, analyze only the service traffic under non-available protocol numbers, efficiently intercept service traffic that meets the abnormal traffic processing condition, and release service traffic under the available protocol numbers, so that normal services are not blocked by mistake.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "corresponding" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that the embodiments of the present application may be applied to a scenario of protecting a server attacked by DDoS, for example, when a background server of a game application is attacked by DDoS, the background server may be busy processing abnormal traffic and may not process a normal user request; for background servers of financial applications, background servers of instant messaging applications, background servers of video applications and the like, normal services cannot be performed when DDoS attacks are suffered.
To solve the above problem, the present application provides a method for processing service traffic, applied to the network architecture shown in Fig. 1. Fig. 1 is a schematic diagram of the network architecture of a service traffic processing method in an embodiment of the present application. As shown in the figure, the network architecture may include a service traffic processing system 100, an optical splitter 110, a core router 120, an access router 130 and a server 140; the service traffic processing system includes a detection device 1001, a control device 1002 and a protection device 1003; and the optical splitter 110 is connected to an Internet Service Provider (ISP) network.
The optical splitter 110 may be embodied as an optical fiber optical splitter, where the optical fiber optical splitter is an optical fiber tandem device for coupling, branching, and distributing optical signals in an optical network system, and has a plurality of input ends and a plurality of output ends, and the optical splitter 110 is configured to generate mirror image traffic after obtaining service traffic from an internet service provider network, send the mirror image traffic to a detection device 1001 in the service traffic processing system 100, and send the service traffic to the core router 120.
The core router 120 is connected with an access router 130, the access router 130 is connected with a server 140, so as to realize the communication between the server 140 and other network devices in the internet service provider network, and each core router 120 can be connected with a plurality of access routers 130. Each access router 130 may be connected to one or more servers 140, where the servers 140 may be independent physical servers, may also be a server cluster or distributed system formed by a plurality of physical servers, and may also be cloud servers providing basic cloud computing services such as cloud services, a cloud database, cloud computing, cloud functions, cloud storage, Network services, cloud communications, middleware services, domain name services, security services, a Content Delivery Network (CDN), and a big data and artificial intelligence platform.
The detection device 1001, the control device 1002, and the protection device 1003 included in the service traffic processing system 100 may be implemented by separate devices (such as servers), or two or three of them may be integrated on one device. The detection device 1001 in the traffic processing system 100 may learn the available protocol number of the server 140 according to the mirror traffic, generate and store a protocol number baseline, and when the detection device 1001 finds that the target IP address of the server 140 is attacked, the detection device 1001 may send the protocol number baseline to the protection device 1003 in the traffic processing system 100 through the control device 1002 in the traffic processing system 100.
The protective device 1003 acquires a target protocol number corresponding to an attacked target IP address, if the target protocol number is not consistent with an available protocol number in a protocol number baseline, the protective device 1003 acquires a load characteristic statistical result of P data packets according to service traffic corresponding to the target protocol number, where the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, and if the load characteristic statistical result satisfies an abnormal traffic processing condition, Q data packets whose load characteristics are the target load characteristics are determined from the P data packets, Q data packets are intercepted, and data packets except the Q data packets in the P data packets are transmitted to the core router 120 and then transmitted to the server 140, so that abnormal traffic is intercepted, and the server can process normal traffic.
It should be noted that fig. 1 is only a schematic network architecture diagram of the service traffic processing method in the embodiment of the present application. In an actual situation, the control device 1002 may be absent from the service traffic processing system 100, in which case the detection device 1001 and the protection device 1003 communicate with each other directly; the access router may also be replaced by an access switch, and correspondingly the switch may be connected to one or more servers. The example in fig. 1 is only for convenience of understanding the present solution and is not intended to limit it.
Since the data mentioned in the embodiments of the present application may be stored by Cloud Technology, some basic concepts of cloud technology are introduced before the method for processing service traffic provided in the embodiments of the present application is described. Cloud technology is a hosting technology that unifies a series of resources such as hardware, software and network in a wide area network or a local area network to realize the calculation, storage, processing and sharing of data.
Further, Cloud Security is a generic term for security software, hardware, users, organizations, and secure cloud platforms for cloud-based computing business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment: abnormal software behavior in the network is monitored through a large number of meshed clients, the latest information on trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and the virus and trojan solution is then distributed to each client.
The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computing system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. cloud-based security infrastructure, which mainly studies how to use cloud computing to newly build and integrate security infrastructure resources and optimize security protection mechanisms, including constructing a very large scale security event and information acquisition and processing platform through cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling control capability and the risk control capability for security events across the whole network; 3. cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
With reference to fig. 2, a method for processing service traffic in the present application will be described below, where an embodiment of the method for processing service traffic in the present application includes:
101. when a target Internet Protocol (IP) address of a server is attacked, a protective device of a service flow processing system acquires a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and an available protocol number;
In this embodiment, the detection device of the service traffic processing system may monitor one or more protected IP addresses of the server in real time to detect whether any protected IP address has become an attacked target IP address. Specifically, the detection device can obtain, in real time, the number of data packets accessing each protected IP address per unit time; when the number of data packets accessing a target IP address per unit time is greater than or equal to a first threshold value, the target IP address is determined to be attacked. The unit time can be 1 second, 2 seconds, 5 seconds or another value, and the value of the first threshold depends on the length of the unit time: the longer the unit time, the larger the first threshold. As an example, with a unit time of 1 second the first threshold may be 2000; it should be understood that this is only an example and is not used to limit the present solution. When one or more target IP addresses among the protected IP addresses are detected to be attacked, the detection device sends the protocol number baseline and the one or more attacked target IP addresses to the protection device of the service traffic processing system.
Since the guard device of the service traffic processing system establishes a neighbor relationship in advance with the core router connected to the server through Border Gateway Protocol (BGP), after the guard device obtains one or more target IP addresses, it may send, for each target IP address, a 32-bit host route corresponding to that target IP address to the core router. The core router selects the service traffic destined to the target IP address from the service traffic it receives according to the 32-bit host route and pulls that service traffic onto the protection device. The protection device can then acquire, from the service traffic of the target IP address, a plurality of data packets whose destination IP address is the target IP address, and further obtain the target protocol number corresponding to each data packet; that is, at least one target protocol number corresponding to the target IP address can be obtained.
The protected IP address refers to at least one IP address among the IP addresses of the server; since the server in the embodiment of the present application may be a server cluster formed by a plurality of servers, the server may have a plurality of IP addresses, and at least one of them may be designated as a protected IP address. The target IP address refers to one or more of the protected IP addresses that are attacked. BGP is an inter-autonomous-system routing protocol that exchanges routing information between a plurality of autonomous systems. The service traffic of the target IP address carries a plurality of data packets; each data packet carries its source IP address, its destination IP address and the packet protocol it uses. The target protocol number refers to the protocol number corresponding to the packet protocol used by a data packet whose destination IP address is the target IP address. A data packet may specifically take the form of a message, and the target protocol number may specifically be a message protocol number; for example, the protocol number corresponding to the Encapsulating Security Payload (ESP) protocol is 50, and the protocol number corresponding to the Authentication Header (AH) protocol is 51.
To further understand the present solution, please refer to fig. 3, which is a schematic diagram of packet information in the service traffic processing method of an embodiment of the present application. In fig. 3, A1 refers to a plurality of data packets in the service traffic, A2 to the timestamp at which a data packet was received, A3 to the source IP address of the data packet, A4 to the destination IP address of the data packet, and A5 to the protocol used by the data packet; the guard device of the service traffic processing system can obtain the target protocol number corresponding to the target IP address from the protocol field of the data packet. A6 refers to the load data that the guard device obtains from a data packet in the service traffic; fig. 3 shows a data packet carrying 24 bytes of payload data. It should be understood that the example in fig. 3 is only for convenience of understanding the scheme and is not intended to limit it.
The protocol number baseline includes the corresponding relationship between protected IP addresses and available protocol numbers, and the protective device may store the protocol number baseline as a table, an array, an index, or in another form. Taking storage in table form as an example, please refer to table 1 below.
TABLE 1
Protected IP address    Available protocol number
1.1.1.1                 1, 6, 50, 51
1.1.1.2                 17, 50
1.1.1.3                 6, 17, 51
Referring to table 1 above, table 1 shows the corresponding relationship between 3 IP addresses and their available protocol numbers, where protocol number 1 is the Internet Control Message Protocol (ICMP) and protocol number 6 is the Transmission Control Protocol (TCP). It should be understood that table 1 is only an example of a protocol number baseline; in an actual situation, the protocol number baseline may include more or fewer corresponding relationships between protected IP addresses and available protocol numbers, or may include other information, such as the level of the protected IP address, which is not limited herein.
102. If the target protocol number is not consistent with the available protocol number in the protocol number baseline, the protective equipment of the service flow processing system acquires the load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, wherein the load characteristic statistical result is the statistical result of the target load characteristic in the P data packets, and P is an integer greater than or equal to 1;
In this embodiment, after the protective device of the service traffic processing system obtains the protocol number baseline, it may obtain all available protocol numbers corresponding to the target IP address from the baseline. After the protective device obtains one or more target protocol numbers corresponding to the target IP address from the service traffic of the target IP address, it may determine, for each target protocol number, whether that target protocol number is consistent with the available protocol numbers in the baseline. For each target protocol number that is inconsistent with the available protocol numbers, the protective device may obtain the load characteristic statistical result of P data packets from the service traffic corresponding to that target protocol number; that is, the protocol number of every one of the P data packets is inconsistent with the available protocol numbers. The load characteristic may be obtained by performing statistics on all load data of a data packet, or on a preset number of bytes of load data at a preset position in the data packet, for example the first M bytes, the last N bytes, or the middle L bytes of the load data, which is not limited herein. Load data (payload data) refers to the data in a data packet other than the protocol header fields: the protocol header can be understood as an envelope and the load data as the content of the message, and it can be specifically expressed as bytes.
The load characteristic statistical result is a statistical result of the target load characteristics in the P data packets, that is, a result obtained by performing statistics on the data packets of which the load characteristics are the target load characteristics in the P data packets, and the target load characteristics refer to that bytes with a preset number at a preset position of the load data are target content.
103. If the load characteristic statistical result meets the abnormal flow processing condition, the protection equipment of the service flow processing system determines Q data packets from P data packets, wherein the load characteristics of the Q data packets are target load characteristics, Q is an integer which is greater than or equal to 1 and less than or equal to P;
In this embodiment, the protection device of the service traffic processing system may determine whether the load characteristic statistical result meets the abnormal traffic processing condition. If it does, the protection device may determine, from the load characteristic of each of the P data packets, the Q data packets whose load characteristics are the target load characteristics; that is, the Q data packets are the data packets performing an abnormal attack on the target IP address. The abnormal traffic processing condition may be that the number of data packets whose load characteristics are the target load characteristics in a unit time is greater than or equal to an occurrence frequency threshold. The unit time may be 1 second, 2 seconds, 5 seconds or another value; the occurrence frequency threshold depends on the length of the unit time (the longer the unit time, the larger the threshold) and is smaller than the first threshold. For example, with a unit time of 1 second the occurrence frequency threshold may be 1000, and with a unit time of 2 seconds it may be 1800, which is not limited herein.
104. And the protective equipment of the service flow processing system intercepts the Q data packets.
In this embodiment, after determining Q data packets for performing an abnormal attack on a target IP address, the protection device of the service traffic processing system performs interception processing on the Q data packets, and returns service traffic corresponding to data packets, except the Q data packets, of the P data packets to the core router.
In the embodiment of the application, when a target Internet Protocol (IP) address of a server is attacked, the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address are obtained, where the protocol number baseline comprises the corresponding relationship between IP addresses and available protocol numbers. If the target protocol number is inconsistent with the available protocol numbers in the baseline, the load characteristic statistical result of P data packets is obtained from the service traffic corresponding to the target protocol number, the statistical result being that of the target load characteristics in the P data packets. If the statistical result meets the abnormal traffic processing condition, Q data packets whose load characteristics are the target load characteristics are determined from the P data packets and intercepted. In this way, protocol flooding attack traffic can be identified in real time: only the service traffic under unavailable protocol numbers is analyzed, the service traffic meeting the abnormal traffic processing condition is efficiently intercepted, and the service traffic under available protocol numbers is released, so that normal service is not mistakenly blocked.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, after the guard device of the service traffic processing system obtains the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, the method further includes:
the protection equipment of the service flow processing system acquires an available protocol number corresponding to the target IP address according to the protocol number baseline;
the protection equipment of the service flow processing system compares the target protocol number with the available protocol number corresponding to the target IP address to obtain a comparison result;
if the comparison result is the first result, the protective equipment of the service flow processing system determines that the target protocol number is inconsistent with the available protocol number in the protocol number baseline;
and if the comparison result is a second result, the protective equipment of the service flow processing system determines that the target protocol number is consistent with the available protocol number in the protocol number baseline.
In this embodiment, after acquiring the protocol number baseline of the server and at least one target protocol number corresponding to the attacked target IP address, the protection device of the traffic processing system may traverse the baseline to find the attacked target IP address among the protected IP addresses it contains, and thereby obtain all available protocol numbers corresponding to the target IP address. For each target protocol number corresponding to the target IP address, the protection device compares the target protocol number with the at least one available protocol number corresponding to the target IP address to obtain a comparison result. If the comparison result is the first result, the protection device determines that the target protocol number is not consistent with the available protocol numbers in the baseline; if it is the second result, the protection device determines that the target protocol number is consistent with them. The first result is that the target protocol number does not exist among the available protocol numbers corresponding to the target IP address, and the second result is that it does. As an example, with reference to table 1 above: if the target IP address is 1.1.1.1, the available protocol numbers obtained are 1, 6, 50, and 51, and if the target protocol number is 62, it is determined that the target protocol number is not consistent with the available protocol numbers in the baseline.
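The detection trigger of step 101 (packets per protected IP address per unit time against the first threshold), the protocol number baseline of table 1, and the comparison of target protocol numbers against the available protocol numbers just described can be put together in a few functions. The following is an added example written for this page, not code from the patent or from the applicant; the packet record, the baseline dictionary and the sample traffic are constructed here, with the thresholds (1 second, 2000 packets) and the protocol number counts (800/200/600/400) taken from the text's own examples.

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    """One data packet as the guard device sees it (cf. fig. 3, fields A2 to A6). Constructed representation."""
    ts: float       # receive timestamp, seconds
    src: str        # source IP address
    dst: str        # destination IP address
    proto: int      # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP, 50 = ESP, 51 = AH
    payload: bytes  # load data (everything after the protocol header)


# Protocol number baseline in the form of table 1: protected IP address -> available protocol numbers.
BASELINE: Dict[str, Set[int]] = {
    "1.1.1.1": {1, 6, 50, 51},
    "1.1.1.2": {17, 50},
    "1.1.1.3": {6, 17, 51},
}

UNIT_TIME = 1.0         # seconds; the text's example uses 1 second
FIRST_THRESHOLD = 2000  # packets per unit time at which a protected IP address counts as attacked


def detect_attacked_ips(packets: Iterable[Packet], baseline=BASELINE,
                        unit_time=UNIT_TIME, threshold=FIRST_THRESHOLD) -> List[str]:
    """Detection device: count packets per protected IP address in each unit-time window
    and report the addresses whose count reaches the first threshold."""
    counts: Counter = Counter()
    for p in packets:
        if p.dst in baseline:  # only protected IP addresses are monitored
            counts[(p.dst, int(p.ts // unit_time))] += 1
    return sorted({ip for (ip, _window), n in counts.items() if n >= threshold})


def compare_protocol_numbers(target_ip: str, packets: Iterable[Packet],
                             baseline=BASELINE) -> Tuple[Set[int], Set[int]]:
    """Guard device: compare every target protocol number seen for target_ip with the available
    protocol numbers in the baseline. Returns (consistent, inconsistent); a protocol number in
    the second set corresponds to the 'first result' of the text."""
    available = baseline.get(target_ip, set())
    targets = {p.proto for p in packets if p.dst == target_ip}
    return targets & available, targets - available


def select_p_packets(target_ip: str, packets: Iterable[Packet], baseline=BASELINE) -> List[Packet]:
    """The P data packets: packets addressed to target_ip whose protocol number is not in the baseline."""
    packets = list(packets)
    _, inconsistent = compare_protocol_numbers(target_ip, packets, baseline)
    return [p for p in packets if p.dst == target_ip and p.proto in inconsistent]


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic (not captured data) mirroring the text's example: within one
    second, 1.1.1.1 receives 800 packets of protocol 1, 200 of protocol 50, 600 of protocol 33
    and 400 of protocol 26; 1.1.1.2 receives a handful of ordinary UDP packets."""
    pkts: List[Packet] = []
    plan = [(1, 800), (50, 200), (33, 600), (26, 400)]
    i = 0
    for proto, n in plan:
        for _ in range(n):
            pkts.append(Packet(ts=i / 2000.0, src="203.0.113.%d" % (i % 250 + 1), dst="1.1.1.1",
                               proto=proto, payload=b"\x02\x1d\xee\xee" + b"\x00" * 20))
            i += 1
    for j in range(10):
        pkts.append(Packet(ts=0.5 + j / 100.0, src="198.51.100.7", dst="1.1.1.2",
                           proto=17, payload=b"normal payload %d" % j))
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for ip in detect_attacked_ips(traffic):
        consistent, inconsistent = compare_protocol_numbers(ip, traffic)
        print(ip, "attacked; consistent:", sorted(consistent), "inconsistent:", sorted(inconsistent),
              "P =", len(select_p_packets(ip, traffic)))
```

With the constructed traffic, only 1.1.1.1 reaches the first threshold; protocol numbers 1 and 50 are consistent with its baseline row, 33 and 26 are not, and the P data packets are the 1000 packets under those two protocol numbers. Traffic under the consistent protocol numbers is not analysed further, which is the behaviour the text relies on to keep normal service flowing.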
In the embodiment of the application, after a protocol number baseline of a server and a target protocol number corresponding to an attacked target IP address are obtained, an available protocol number corresponding to the target IP address is obtained according to the protocol number baseline, the target protocol number is compared with the available protocol number corresponding to the target IP address to obtain a comparison result, if the comparison result is a first result, the target protocol number is determined to be inconsistent with the available protocol number in the protocol number baseline, and if the comparison result is a second result, the target protocol number is determined to be consistent with the available protocol number in the protocol number baseline. By the method, the specific implementation process of the consistency judgment of the target protocol number and the available protocol number in the protocol number base line is provided, and the realizability of the scheme is improved.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, after the guard device of the service traffic processing system determines that the target protocol number is consistent with the available protocol number in the protocol number baseline, the method further includes:
and the protection equipment of the service flow processing system sends P data packets corresponding to the target protocol number to the server.
In this embodiment, after obtaining the protocol number baseline and the target protocol number corresponding to the attacked target IP address, for each target protocol number, the protective device of the service traffic processing system may determine whether the target protocol number is consistent with at least one available protocol number corresponding to the target IP address in the protocol number baseline, and when the target protocol number is consistent with the available protocol number, that is, all available protocol numbers corresponding to the target IP address include the target protocol number, the protective device may send P data packets corresponding to the target protocol number to the server.
In the embodiment of the application, after the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address are obtained, if the target protocol number is consistent with the available protocol numbers in the baseline, the P data packets corresponding to the target protocol number are sent to the server. In this way, service traffic that is not attack traffic is preliminarily identified by its protocol number, the service traffic under available protocol numbers can be released in time, and normal service can proceed normally.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the obtaining, by the guard device of the service traffic processing system, the load feature statistical result of the P data packets according to the service traffic corresponding to the target protocol number includes:
the method comprises the steps that protective equipment of a service flow processing system obtains service flow corresponding to a target protocol number;
the protection equipment of the service flow processing system acquires load data of P data packets according to the service flow corresponding to the target protocol number;
the protection equipment of the service flow processing system acquires load characteristics in unit time according to load data of P data packets, wherein the load characteristics comprise at least one of first N bytes and last M bytes of the load data, N is an integer greater than or equal to 1, and M is an integer greater than or equal to 1;
and the protective equipment of the service flow processing system generates a load characteristic statistical result according to the load characteristic in unit time.
In this embodiment, after performing consistency judgment on at least one target protocol number corresponding to a target IP address and all available protocol numbers corresponding to the target IP address, the protection device of the service traffic processing system may obtain one or more target protocol numbers that are inconsistent with the available protocol numbers from the at least one target protocol number corresponding to the target IP address, and after determining the one or more target protocol numbers that are inconsistent with the available protocol numbers, the protection device needs to obtain P data packets according to service traffic corresponding to the target protocol numbers, and obtain load characteristics in a unit time according to load data of the P data packets, where the load characteristics include at least one of first N bytes and last M bytes of the load data.
Specifically, in one case, after acquiring the service traffic corresponding to all the target protocol numbers, the protection device of the service traffic processing system may determine the target protocol number used by each data packet in that traffic, then determine which data packets use a target protocol number that is not consistent with the available protocol numbers, and so select the load data of the P data packets, where the P data packets are all data packets using any target protocol number that is inconsistent with the available protocol numbers. As an example, with reference to table 1: the target IP address is 1.1.1.1, the available protocol numbers are 1, 6, 50, and 51, and 2000 data packets are obtained from the service traffic corresponding to all target protocol numbers of the target IP address, of which 800 use target protocol number 1, 200 use target protocol number 50, 600 use target protocol number 33, and 400 use target protocol number 26. The P data packets are then the 600 data packets with target protocol number 33 and the 400 data packets with target protocol number 26. It should be understood that this is only an example and does not limit the present solution.
In another case, after determining one or more target protocol numbers that are inconsistent with the available protocol number, the guard device of the service traffic processing system may process each target protocol number that is inconsistent with the available protocol number, and obtain service traffic corresponding to one target protocol number that is inconsistent with the available protocol number, and further obtain P data packets from the service traffic corresponding to one target protocol number that is inconsistent with the available protocol number.
After obtaining the P data packets, the protection device of the service traffic processing system obtains the load characteristics in unit time from the load data of the P data packets, where the load characteristics include at least one of the first N bytes and the last M bytes of the load data. The values of M and N may be the same or different; N may be 3, 4, 5 or another value, and M may be 3, 4, 5 or another value. Both M and N should be chosen according to the computing power of the protection device: the higher the computing power, the larger the value of M or N may be.
After obtaining the occurrence frequency of each load characteristic in unit time, the protective device may determine the target load characteristic with the largest occurrence frequency; optionally, the load characteristics may be sorted from largest to smallest occurrence frequency and at least two target load characteristics selected from the top. After the target load characteristics are determined, the protective device may generate the load characteristic statistical result, which is the occurrence frequency of the target load characteristic in unit time and is used to determine whether the abnormal traffic processing condition is satisfied.
In the embodiment of the application, the service traffic corresponding to the target protocol number is obtained, the load data of the P data packets is obtained from that service traffic, the load characteristics in unit time are obtained from the load data of the P data packets, where the load characteristics include at least one of the first N bytes and the last M bytes of the load data, and the load characteristic statistical result is generated from the load characteristics in unit time. In this way a specific implementation for obtaining the load characteristic statistical result is provided, improving the realizability of the scheme; selecting the first N bytes and/or the last M bytes as the load characteristic keeps the statistics simple, which further improves the realizability of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the obtaining, by a guard device of a service traffic processing system, a load characteristic in a unit time according to load data of P data packets includes:
the protection equipment of the service flow processing system acquires the occurrence times of the same byte in the first N bytes in unit time according to the load data of the P data packets to generate a load characteristic statistical result;
after the protective device of the service traffic processing system generates a load characteristic statistical result according to the load characteristic in unit time, the method further includes:
if the occurrence frequency of the same byte in the first N bytes in the unit time is greater than or equal to the occurrence frequency threshold, the protection device of the service flow processing system determines that the load characteristic statistical result meets the abnormal flow processing condition.
In this embodiment, after acquiring the load data of the P data packets, the protection device of the service traffic processing system may count the byte content of the first N bytes of each data packet in unit time, so as to obtain the number of occurrences of the same bytes in the first N bytes in unit time, and generate the load characteristic statistical result from these counts; the statistical result thus includes the number of occurrences of the same bytes in the first N bytes. As an example, the load characteristic statistical result may record that the byte content 0x02, 0x1d, 0xee, 0xee occurs 1300 times, the byte content 0002, 0000, 0xee, 0xee occurs 100 times, and the byte content 00yh, yywy, ff00, 0xee occurs 50 times. It should be understood that the example is only for convenience of understanding the present solution and is not used to limit it.
If the number of repeated occurrences of the same bytes in the first N bytes in unit time is greater than or equal to the occurrence frequency threshold, that is, the occurrence frequency of the target load characteristic in the first N bytes is greater than or equal to the occurrence frequency threshold, the protection device of the service traffic processing system determines that the load characteristic statistical result meets the abnormal traffic processing condition. For example, the occurrences of the same bytes in the first 4 bytes within 1 second are counted over the P data packets to generate the load characteristic statistical result, which shows that the byte content 0x02, 0x1d, 0xee, 0xee occurs 1300 times; with an occurrence frequency threshold of 1000, it is determined that the load characteristic statistical result satisfies the abnormal traffic processing condition.
In the embodiment of the application, the number of occurrences of the same bytes in the first N bytes in unit time is obtained from the load data of the P data packets to generate the load characteristic statistical result, and if that number is greater than or equal to the occurrence frequency threshold, the load characteristic statistical result is determined to meet the abnormal traffic processing condition. In this way, a specific implementation of the abnormality judgment is provided for the case where the load characteristic is the first N bytes, improving the realizability of the scheme. An attacker fills bytes into the load to make the attack traffic larger and does not consider the meaning of the load while filling, so the filled bytes repeat frequently, whereas normal service traffic generally does not show such high repetition because its load data has actual meaning.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the generating, by a guard device of a service traffic processing system, a load feature statistical result according to a load feature in a unit time includes:
the protection equipment of the service flow processing system generates a load characteristic statistical result according to the occurrence times of the same byte in the later M bytes in unit time;
after the protection device of the service traffic processing system determines the statistical result of the load characteristics according to the load data of the message, the method further comprises the following steps:
and if the same byte appears in the M bytes within the unit time, the protection equipment of the service flow processing system determines that the load characteristic statistical result meets the abnormal flow processing condition.
In this embodiment, after acquiring the load data of P data packets, the protection device of the service traffic processing system may count the byte content of the last M bytes of each data packet in unit time, so as to acquire the occurrence frequency of the same byte in the last M bytes in unit time, and generate a load characteristic statistical result according to the occurrence frequency of the same byte in the last M bytes in unit time acquired by the load data of the P data packets, where the load characteristic statistical result includes the occurrence frequency of the same byte in the last M bytes. If the repeated occurrence frequency of the same byte in the last M bytes in the unit time is greater than or equal to the occurrence frequency threshold, that is, the occurrence frequency of the target load characteristic in the last M bytes is greater than or equal to the occurrence frequency threshold, the protection device of the service flow processing system determines that the load characteristic statistical result meets the abnormal flow processing condition.
In the embodiment of the application, the occurrence frequency of the same byte in the last M bytes in unit time is acquired according to the load data of the P data packets to generate the load characteristic statistical result, and if the occurrence frequency of the same byte in the last M bytes in unit time is greater than or equal to the occurrence frequency threshold, the load characteristic statistical result is determined to meet the abnormal flow processing condition. Through the method, the specific implementation mode of carrying out abnormity judgment when the load characteristic is the last M bytes is provided, and the implementation flexibility of the scheme is improved.
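As an added example that is not part of the patent text, the following Python sketch implements the first-N-bytes / last-M-bytes statistic described in the two embodiments above: it counts how often the same payload feature recurs among the P packets within each unit time, treats a feature whose count reaches the occurrence threshold as the target payload feature, and separates the Q matching packets from the packets to be released. The packet representation, function names, sample traffic and threshold are constructed assumptions, not values or code from the patent.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# One captured packet: (arrival time in seconds, payload bytes). Constructed format.
Packet = Tuple[float, bytes]


def payload_feature(payload: bytes, first_n: int = 0, last_m: int = 0) -> bytes:
    """Payload feature of a packet: its first N bytes, its last M bytes, or both joined."""
    head = payload[:first_n] if first_n > 0 else b""
    tail = payload[-last_m:] if last_m > 0 else b""
    return head + tail


def feature_statistics(packets: List[Packet], first_n: int, last_m: int,
                       unit_time: float = 1.0) -> Dict[int, Counter]:
    """Count, per unit-time window, how many of the P packets carry each identical feature.

    Returns {window index: Counter{feature bytes: occurrences}}."""
    stats: Dict[int, Counter] = defaultdict(Counter)
    for arrival, payload in packets:
        window = int(arrival // unit_time)
        stats[window][payload_feature(payload, first_n, last_m)] += 1
    return dict(stats)


def target_features(stats: Dict[int, Counter], threshold: int) -> set:
    """Features whose repeat count in some unit-time window reaches the occurrence threshold.

    A non-empty result means the statistical result meets the abnormal traffic condition."""
    return {feature for window in stats.values()
            for feature, count in window.items() if count >= threshold}


def split_traffic(packets: List[Packet], first_n: int, last_m: int, threshold: int,
                  unit_time: float = 1.0) -> Tuple[List[Packet], List[Packet]]:
    """Return (Q packets to intercept, packets to release).

    The Q packets are those whose feature is a target feature; the remaining P - Q
    packets are forwarded on as before."""
    stats = feature_statistics(packets, first_n, last_m, unit_time)
    targets = target_features(stats, threshold)
    intercepted = [p for p in packets if payload_feature(p[1], first_n, last_m) in targets]
    released = [p for p in packets if payload_feature(p[1], first_n, last_m) not in targets]
    return intercepted, released


def constructed_sample() -> List[Packet]:
    """Constructed one-second traffic mix, loosely modelled on the counts in the text:
    1300 padded flood packets sharing one prefix and an all-zero tail, 100 normal packets
    whose first bytes are a sequence number, and 50 normal packets with another varying
    prefix and tail. Every normal feature occurs at most once."""
    flood = [(i / 1300, b"\x02\x1d\xee\xee" + b"\x00" * 60) for i in range(1300)]
    normal_a = [(i / 100, i.to_bytes(4, "big") + b"request-body-" + bytes([i % 256]))
                for i in range(100)]
    normal_b = [(i / 50, b"\x00\x00\x00" + bytes([i]) + b"\xff\x00" * 3 + bytes([i, i]))
                for i in range(50)]
    return flood + normal_a + normal_b


if __name__ == "__main__":
    sample = constructed_sample()
    q, ok = split_traffic(sample, first_n=4, last_m=0, threshold=1000)
    print(f"intercepted {len(q)} packets, released {len(ok)} packets")
```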
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the method further includes:
a detection device of the service traffic processing system acquires, through the optical splitter, mirrored service traffic corresponding to the protected IP address;
the detection device of the service traffic processing system acquires an available protocol number corresponding to the protected IP address according to the mirrored service traffic;
and the detection device of the service traffic processing system generates a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address.
In this embodiment, while the protected IP address of the server is not under attack, specifically before or after the protected IP address is attacked, the detection device of the service traffic processing system may further learn the available protocol numbers of one or more protected IP addresses. In one implementation, the optical splitter generates mirrored copies of the service traffic of all IP addresses of the server and sends them to the detection device; the detection device thereby obtains the mirrored service traffic of all IP addresses of the server and extracts from it the mirrored service traffic corresponding to the protected IP addresses. In another implementation, the optical splitter mirrors only the service traffic of the protected IP addresses of the server and sends that mirrored traffic to the detection device, which thus directly obtains the mirrored service traffic corresponding to the protected IP addresses.
Because the mirrored service traffic corresponding to a protected IP address consists of data packets whose destination IP address is that protected IP address, and the header of each data packet carries a protocol number field, the detection device of the service traffic processing system may, while the protected IP address of the server is not under attack, obtain the available protocol numbers corresponding to each protected IP address from its mirrored service traffic, and may further generate a protocol number baseline from the protected IP address and its available protocol numbers, where the protocol number baseline includes the correspondence between the protected IP address and the available protocol number. The specific presentation form of the protocol number baseline has been exemplified in the above embodiments and is not repeated here.
In the embodiment of the present application, the mirrored service traffic corresponding to the protected IP address is obtained through the optical splitter, the available protocol number corresponding to the protected IP address is obtained from the mirrored service traffic, and the protocol number baseline is generated from the protected IP address and its available protocol number. In this way the protocol number baseline is generated using the optical splitter, and the baseline can be updated dynamically as new mirrored service traffic is acquired, which keeps the baseline current and improves the accuracy of the abnormal traffic judgment in this solution.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the method further includes:
a detection device of the service traffic processing system acquires a user identifier corresponding to the protected IP address;
and the generating, by the detection device of the service traffic processing system, a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address includes:
if the user identifier is a first user identifier, generating, by the detection device of the service traffic processing system, the protocol number baseline according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address;
and if the user identifier is a second user identifier, generating, by the detection device of the service traffic processing system, the protocol number baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address.
In this embodiment, because the data packets whose destination IP address is a protected IP address in the mirrored service traffic may carry information such as a source IP address, a destination IP address, the user's account identifier and a protocol number, the detection device of the service traffic processing system may, after obtaining the mirrored service traffic corresponding to the protected IP addresses, further obtain the user identifier of each data packet, so as to obtain the user identifier corresponding to each data packet destined for a protected IP address. The user identifier may specifically be a source IP address, the user's account identifier, or another user identifier, for example "183.13.205.68", "183.58.47.158", "0000000001", "TY 0000001" or other identifiers.
If the user identifier is the first user identifier, the detection device of the service traffic processing system generates the protocol number baseline according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address; if the user identifier is the second user identifier, it generates the baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address. In other words, the protocol number baseline includes the correspondence among the protected IP address, the user identifier and the protocol number. The detection device may store the protocol number baseline as a table, an array, an index or in another form; an example of storing it as a table is given in table 2 below.
TABLE 2
Protected IP address | User identification | Available protocol number
1.1.1.1              | 0000000001          | 1, 50, 51
1.1.1.1              | 0000000002          | 6, 50
1.1.1.1              | 0000000003          | 1, 51
Table 2 above shows the correspondence between one protected IP address, its user identifiers and their available protocol numbers, taking the user's account identifier as the user identifier: the one protected IP address corresponds to three user identifiers, and each user identifier has its own available protocol numbers. The protocols denoted by protocol numbers 1, 6, 50 and 51 are described in the above embodiments and are not repeated here. It should be understood that table 2 is only an example of a protocol number baseline; in practice the baseline may include many more correspondences between protected IP addresses, user identifiers and available protocol numbers, and no limitation is intended here.
In the embodiment of the present application, the user identifier corresponding to the protected IP address is obtained; if it is the first user identifier, the protocol number baseline is generated according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address, and if it is the second user identifier, the baseline is generated according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address. In this way the protocol number baseline includes the correspondence among the protected IP address, the user identifier and the protocol number, that is, the baseline records the protocol numbers used by each user identifier, so the available protocol numbers of a protected IP address are managed at a finer granularity and the accuracy of the abnormal traffic judgment is improved.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the method for processing service traffic provided in the embodiment of the present application, the method further includes:
a detection device of the service traffic processing system acquires user level information corresponding to the protected IP address;
and the acquiring, by the detection device of the service traffic processing system, the available protocol number corresponding to the protected IP address according to the mirrored service traffic includes:
if the user level information is a first level, acquiring, by the detection device of the service traffic processing system, the available protocol number corresponding to the protected IP address according to the mirrored service traffic within a first duration;
and if the user level information is a second level, acquiring, by the detection device of the service traffic processing system, the available protocol number corresponding to the protected IP address according to the mirrored service traffic within a second duration, where the second level is lower than the first level and the second duration is shorter than the first duration.
In this embodiment, the detection device of the service traffic processing system may store in advance the user level information corresponding to each protected IP address. When the available protocol numbers of a protected IP address need to be learned, the user level information corresponding to that address is obtained first: if it is the first level, the detection device obtains the available protocol numbers corresponding to the protected IP address from the mirrored service traffic within a first duration, and if it is the second level, from the mirrored service traffic within a second duration, where the second level is lower than the first level and the second duration is shorter than the first duration. A protected IP address of a higher level may be one with a higher real-time requirement or a higher importance, which may be decided according to factors such as the type of service the protected IP address provides. The second duration may be one day, one week or another length, and the first duration may be one week, half a month or another length. For example, if protected IP address 1 is of the first level and protected IP address 2 is of the second level, one week of mirrored service traffic of protected IP address 1 may be obtained to learn its available protocol numbers, while one day of mirrored service traffic of protected IP address 2 may be obtained to learn its available protocol numbers.
In the embodiment of the present application, the user level information corresponding to the protected IP address is obtained; if it is the first level, the available protocol number corresponding to the protected IP address is obtained from the mirrored service traffic within a first duration, and if it is the second level, from the mirrored service traffic within a second duration, where the second level is lower than the first level and the second duration is shorter than the first duration. In this way the protected IP addresses are classified by level, and the higher the level of a protected IP address, the longer the period of mirrored service traffic on which the learning of its available protocol numbers is based, so that the available protocol numbers in the protocol number baseline of a higher-level protected IP address are more accurate; in other words, more computing resources are allocated to protected IP addresses of higher level.
An embodiment of the present application further provides a method for learning service traffic. Referring to fig. 4, an embodiment of the method for learning service traffic in the embodiment of the present application includes:
201. a detection device of the service traffic processing system acquires, through the optical splitter, mirrored service traffic corresponding to the protected IP address;
In this embodiment, the detection device of the service traffic processing system may learn the available protocol numbers of one or more protected IP addresses. Specifically, a communication connection is established in advance between the detection device and the optical splitter, and the optical splitter can obtain the service traffic of all IP addresses of the server from the ISP network. In one implementation, the optical splitter generates mirrored copies of the service traffic of all IP addresses of the server and sends them to the detection device; the detection device thereby obtains the mirrored service traffic of all IP addresses of the server and extracts from it the mirrored service traffic corresponding to the protected IP addresses.
In another implementation, the optical splitter mirrors only the service traffic of the protected IP addresses of the server and sends that mirrored traffic to the detection device, which thus directly obtains the mirrored service traffic corresponding to the protected IP addresses.
202. The detection device of the service traffic processing system acquires an available protocol number corresponding to the protected IP address according to the mirrored service traffic;
In this embodiment, because the mirrored service traffic corresponding to a protected IP address consists of data packets whose destination IP address is that protected IP address, and the header of each data packet carries a protocol number field, the detection device of the service traffic processing system may, while the protected IP address of the server is not under attack, obtain the available protocol numbers corresponding to each protected IP address from its mirrored service traffic.
203. The detection device of the service traffic processing system generates a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, where the protocol number baseline includes a correspondence between the IP address and the available protocol number;
In this embodiment, the detection device of the service traffic processing system may generate a protocol number baseline from the protected IP address and its corresponding available protocol number, where the baseline includes the correspondence between the protected IP address and the available protocol number. The specific presentation form of the protocol number baseline has been exemplified in the above embodiments and is not repeated here.
The specific implementation of steps 201 to 203 in the embodiment of the present application is already described in the above embodiment, and is not described herein again.
204. When a target Internet Protocol (IP) address of the server is attacked, the detection device of the service traffic processing system sends the protocol number baseline of the server to the protection device, so that, when the protection device determines from the protocol number baseline of the server that a target protocol number is inconsistent with the available protocol numbers in the baseline, it obtains a payload feature statistical result of P data packets from the service traffic corresponding to the target protocol number and, if the payload feature statistical result meets the abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts them; the payload feature statistical result is a statistical result of a target payload feature in the P data packets, P is an integer greater than or equal to 1, the payload feature of each of the Q data packets is the target payload feature, and Q is an integer greater than or equal to 1 and less than or equal to P.
In this embodiment, when the detection device of the service traffic processing system detects that one or more target IP addresses among the protected IP addresses are under attack, it sends the protocol number baseline and the one or more attacked target IP addresses to the protection device of the service traffic processing system. Specifically, the detection device may obtain in real time the number of data packets accessing each protected IP address per unit time, and when the number of data packets accessing a target IP address per unit time is greater than or equal to a first threshold, it determines that the target IP address is under attack.
After the protection device of the service traffic processing system obtains the protocol number baseline, it can obtain from it all available protocol numbers corresponding to the target IP address. After obtaining one or more target protocol numbers corresponding to the target IP address from the service traffic of that address, the protection device can judge, for each target protocol number, whether it is consistent with the available protocol numbers in the baseline. For each target protocol number that is inconsistent, the protection device obtains the payload feature statistical result of P data packets from the service traffic corresponding to that protocol number; that is, the protocol number of each of the P data packets is not one of the usual protocol numbers. The payload feature may be obtained by statistics over all payload data of a data packet, or over a preset number of payload bytes at preset positions in the data packet. When the abnormal traffic processing condition is met, the protection device determines, from the payload feature of each of the P data packets, the Q data packets whose payload feature is the target payload feature, that is, the Q data packets that carry the abnormal attack on the target IP address.
After determining the Q data packets that carry the abnormal attack on the target IP address, the protection device of the service traffic processing system intercepts the Q data packets and returns the service traffic corresponding to the remaining data packets among the P data packets to the core router.
In the embodiment of the present application, the detection device of the service traffic processing system obtains the mirrored service traffic corresponding to the protected IP address through the optical splitter, obtains the available protocol number corresponding to the protected IP address from the mirrored service traffic, and generates a protocol number baseline from the protected IP address and its available protocol number, where the baseline includes the correspondence between the IP address and the available protocol number. When a target Internet Protocol (IP) address of the server is attacked, the protocol number baseline of the server is sent to the protection device, so that when the protection device determines from the baseline that a target protocol number is inconsistent with the available protocol numbers in the baseline, it obtains the payload feature statistical result of P data packets from the service traffic corresponding to the target protocol number and, if that result meets the abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts them. In this way, protocol flooding attack traffic can be identified in real time: only the service traffic under unavailable protocol numbers is analysed, the service traffic meeting the abnormal traffic processing condition is intercepted efficiently, and the service traffic under available protocol numbers is released, so that normal services are not mistakenly blocked.
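The learning side (steps 201 to 203, together with the user-identifier and user-level variants described in the embodiments above) and the protection-side consistency check of step 204, as an added Python example that is not the patent's code: the baseline is keyed by (protected IP address, user identifier) as in table 2, packets older than the learning duration for the address's level are ignored, and the check returns whether a target protocol number is consistent with the baseline. The packet fields, the level-to-duration mapping (one week for the first level, one day for the second, as in the text's example), the attack trigger and the sample traffic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DAY = 86_400
# Learning duration per user level. The text's example uses one week for the first
# (higher) level and one day for the second level; the mapping itself is constructed.
LEARNING_DURATION = {1: 7 * DAY, 2: 1 * DAY}


@dataclass(frozen=True)
class MirroredPacket:
    """Fields of one packet in the mirrored service traffic (constructed representation)."""
    time: float      # capture time, seconds
    dst_ip: str      # destination IP address
    user_id: str     # user identifier carried by the packet, e.g. an account id
    protocol: int    # IP header protocol number: 1 ICMP, 6 TCP, 17 UDP, 50 ESP, 51 AH


# (protected IP address, user identifier) -> available protocol numbers (table 2 layout)
Baseline = Dict[Tuple[str, str], Set[int]]


def learn_baseline(mirror: List[MirroredPacket], user_levels: Dict[str, int],
                   now: float) -> Baseline:
    """Detection-device learning: build the protocol number baseline from mirrored traffic.

    Only packets destined for a protected IP address (a key of user_levels) count, and
    only those captured within the learning duration for that address's user level."""
    baseline: Baseline = defaultdict(set)
    for pkt in mirror:
        level = user_levels.get(pkt.dst_ip)
        if level is None:
            continue                              # not a protected address
        if now - pkt.time > LEARNING_DURATION[level]:
            continue                              # outside this level's learning window
        baseline[(pkt.dst_ip, pkt.user_id)].add(pkt.protocol)
    return dict(baseline)


def available_protocols(baseline: Baseline, ip: str,
                        user_id: Optional[str] = None) -> Set[int]:
    """Available protocol numbers of an IP, for one user identifier or across all of them."""
    if user_id is not None:
        return set(baseline.get((ip, user_id), set()))
    return {p for (bip, _), protos in baseline.items() if bip == ip for p in protos}


def protocol_consistent(baseline: Baseline, ip: str, protocol: int,
                        user_id: Optional[str] = None) -> bool:
    """Protection-device check: True (second result) means the target protocol number is
    one of the available numbers and its packets are released; False (first result) means
    the traffic under that protocol number goes on to payload feature statistics."""
    return protocol in available_protocols(baseline, ip, user_id)


def attacked_addresses(counts_per_unit_time: Dict[str, int], first_threshold: int) -> Set[str]:
    """Detection-device trigger: addresses receiving at least first_threshold packets per unit time."""
    return {ip for ip, n in counts_per_unit_time.items() if n >= first_threshold}


def constructed_mirror(now: float) -> List[MirroredPacket]:
    """Constructed mirrored traffic: 1.1.1.1 (level 1) sees ICMP, ESP and a five-day-old AH
    packet from one account plus TCP from another; 2.2.2.2 (level 2) sees TCP recently and
    UDP three days ago, which falls outside its one-day window; 9.9.9.9 is not protected."""
    return [
        MirroredPacket(now - 60,      "1.1.1.1", "0000000001", 1),
        MirroredPacket(now - 3600,    "1.1.1.1", "0000000001", 50),
        MirroredPacket(now - 5 * DAY, "1.1.1.1", "0000000001", 51),
        MirroredPacket(now - 120,     "1.1.1.1", "0000000002", 6),
        MirroredPacket(now - 30,      "2.2.2.2", "0000000003", 6),
        MirroredPacket(now - 3 * DAY, "2.2.2.2", "0000000003", 17),
        MirroredPacket(now - 10,      "9.9.9.9", "0000000004", 17),
    ]


if __name__ == "__main__":
    now = 10.0 * DAY
    levels = {"1.1.1.1": 1, "2.2.2.2": 2}
    baseline = learn_baseline(constructed_mirror(now), levels, now)
    for key, protos in sorted(baseline.items()):
        print(key, sorted(protos))
    print("UDP (17) to 1.1.1.1 consistent:", protocol_consistent(baseline, "1.1.1.1", 17))
```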
Referring to fig. 5, fig. 5 is a schematic view of an embodiment of a service traffic processing device in an embodiment of the present application, where the service traffic processing device 30 includes:
an obtaining module 301, configured to obtain, when a target Internet Protocol (IP) address of the server is attacked, a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, where the protocol number baseline includes a correspondence between an IP address and an available protocol number;
the obtaining module 301 is further configured to obtain, when the target protocol number obtained by the obtaining module 301 is inconsistent with the available protocol number in the protocol number baseline obtained by the obtaining module 301, a payload feature statistical result of P data packets according to the service traffic corresponding to the target protocol number, where the payload feature statistical result is a statistical result of a target payload feature in the P data packets, and P is an integer greater than or equal to 1;
a processing module 302, configured to determine Q data packets from the P data packets when the payload feature statistical result obtained by the obtaining module 301 meets an abnormal traffic processing condition, where the payload feature of each of the Q data packets is the target payload feature, and Q is an integer greater than or equal to 1 and less than or equal to P;
the processing module 302 is further configured to intercept the Q data packets determined by the processing module 302.
In this embodiment, when a target Internet Protocol (IP) address of the server is attacked, the obtaining module 301 obtains the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, where the baseline includes the correspondence between an IP address and an available protocol number. When the target protocol number obtained by the obtaining module 301 is inconsistent with the available protocol number in the baseline, the obtaining module 301 obtains the payload feature statistical result of P data packets according to the service traffic corresponding to the target protocol number, where the payload feature statistical result is a statistical result of the target payload feature in the P data packets and P is an integer greater than or equal to 1. When that statistical result meets the abnormal traffic processing condition, the processing module 302 determines Q data packets from the P data packets, where the payload feature of each of the Q data packets is the target payload feature and Q is an integer greater than or equal to 1 and less than or equal to P, and the processing module 302 then intercepts the Q data packets it determined.
In the embodiment of the present application, when a target Internet Protocol (IP) address of the server is attacked, the obtaining module 301 obtains the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, where the baseline includes the correspondence between an IP address and an available protocol number; if the target protocol number is inconsistent with the available protocol number in the baseline, the obtaining module 301 obtains the payload feature statistical result of P data packets according to the service traffic corresponding to the target protocol number, where the payload feature statistical result is a statistical result of the target payload feature in the P data packets; and if that result satisfies the abnormal traffic processing condition, the processing module 302 determines from the P data packets the Q data packets whose payload feature is the target payload feature and intercepts them. In this way, protocol flooding attack traffic can be identified in real time: only the service traffic under unavailable protocol numbers is analysed, the service traffic meeting the abnormal traffic processing condition is intercepted efficiently, and the service traffic under available protocol numbers is released, so that normal services are not mistakenly blocked.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is further configured to obtain an available protocol number corresponding to the target IP address according to the protocol number baseline obtained by the obtaining module 301;
the processing module 302 is further configured to compare the target protocol number obtained by the obtaining module 301 with the available protocol number corresponding to the target IP address obtained by the obtaining module 301, so as to obtain a comparison result;
the processing module 302 is further configured to determine that the target protocol number is inconsistent with the available protocol number in the protocol number baseline if the comparison result obtained by the processing module 302 is the first result;
the processing module 302 is further configured to determine that the target protocol number is consistent with the available protocol number in the protocol number baseline if the comparison result obtained by the processing module 302 is the second result.
In this embodiment of the application, after the obtaining module 301 obtains the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, the available protocol number corresponding to the target IP address is obtained according to the protocol number baseline, the processing module 302 compares the target protocol number with the available protocol number corresponding to the target IP address to obtain a comparison result, if the comparison result is a first result, it is determined that the target protocol number is not consistent with the available protocol number in the protocol number baseline, and if the comparison result is a second result, it is determined that the target protocol number is consistent with the available protocol number in the protocol number baseline. By the method, the specific implementation process of the consistency judgment of the target protocol number and the available protocol number in the protocol number base line is provided, and the realizability of the scheme is improved.
Optionally, on the basis of the embodiment corresponding to fig. 5, please refer to fig. 6, where fig. 6 is a schematic diagram of an embodiment of a traffic processing device in the embodiment of the present application, and in another embodiment of a service traffic processing device 30 provided in the embodiment of the present application, the service traffic processing device further includes: a sending module 303, configured to send, to the server, the P data packets corresponding to the target protocol number acquired by the acquiring module 301.
In this embodiment of the present application, after the obtaining module 301 obtains the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, if the target protocol number is consistent with the available protocol number in the protocol number baseline, the sending module 303 sends the P data packets corresponding to the target protocol number to the server. In this way, service traffic that is not attack traffic is preliminarily identified by its protocol number, the service traffic under an available protocol number is released promptly, and normal service is kept running.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is specifically configured to:
acquiring a service flow corresponding to a target protocol number;
acquiring load data of P data packets according to the service flow corresponding to the target protocol number;
acquiring load characteristics in unit time according to load data of P data packets, wherein the load characteristics comprise at least one of first N bytes and last M bytes of the load data, N is an integer greater than or equal to 1, and M is an integer greater than or equal to 1;
and generating a load characteristic statistical result according to the load characteristics in unit time.
In this embodiment of the application, the obtaining module 301 obtains a service flow corresponding to a target protocol number, obtains load data of P data packets according to the service flow corresponding to the target protocol number, obtains load characteristics in unit time according to the load data of the P data packets, where the load characteristics include at least one of the first N bytes and the last M bytes of the load data, and generates a load characteristic statistical result according to the load characteristics in unit time. This provides a concrete way of obtaining the load characteristic statistical result and improves the feasibility of the scheme; choosing the first N bytes and/or the last M bytes as the load characteristics keeps the statistics simple, which further improves feasibility.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is specifically configured to: acquiring the occurrence times of the same byte in the first N bytes in unit time according to the load data of the P data packets to generate a load characteristic statistical result;
the processing module 302 is further configured to determine that the statistical result of the load characteristic satisfies the abnormal traffic processing condition when the occurrence frequency of the same byte in the first N bytes acquired by the acquiring module 301 in unit time is greater than or equal to the occurrence frequency threshold.
In this embodiment of the application, the obtaining module 301 obtains, according to the load data of the P data packets, the occurrence number of the same byte in the first N bytes in unit time to generate a load characteristic statistical result, and if the occurrence number of the same byte in the first N bytes in unit time is greater than or equal to the occurrence number threshold, the processing module 302 determines that the load characteristic statistical result meets the abnormal flow processing condition. This provides a concrete way of judging abnormality when the load characteristic is the first N bytes, and improves the feasibility of the scheme. The rationale is that an attacker pads the load with filler bytes to inflate the attack traffic and pays no attention to the meaning of the load while padding, so the padded bytes repeat frequently; normal service traffic carries load data with real meaning and therefore does not generally show such high repetition.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is specifically configured to: generating a load characteristic statistical result according to the occurrence times of the same byte in the later M bytes in unit time;
the processing module 302 is further configured to determine that the statistical result of the load characteristics satisfies the abnormal traffic processing condition if the occurrence frequency of the same byte in the last M bytes acquired by the acquiring module 301 in unit time is greater than or equal to the occurrence frequency threshold.
In this embodiment of the application, the obtaining module 301 obtains, according to the load data of the P data packets, the occurrence frequency of the same byte in the last M bytes in unit time to generate a load characteristic statistical result, and if the occurrence frequency of the same byte in the last M bytes in unit time is greater than or equal to the occurrence frequency threshold, the processing module 302 determines that the load characteristic statistical result meets the abnormal flow processing condition. This provides a concrete way of judging abnormality when the load characteristic is the last M bytes, and improves the flexibility of implementing the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is further configured to obtain, by using an optical splitter, a mirror image service traffic corresponding to the protected IP address;
the obtaining module 301 is further configured to obtain an available protocol number corresponding to the protected IP address according to the mirror image service traffic obtained by the obtaining module 301;
the processing module 302 is further configured to generate a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address.
In this embodiment, the obtaining module 301 obtains the mirror image service traffic corresponding to the protected IP address through the optical splitter and obtains the available protocol number corresponding to the protected IP address according to the mirror image service traffic, and the processing module 302 generates the protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address. In this way the protocol number baseline is generated from traffic mirrored by the optical splitter, and it can be updated dynamically as new mirror image service traffic is obtained, which keeps the baseline current and improves the accuracy of the abnormal traffic judgment in the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is further configured to obtain a user identifier corresponding to the protected IP address;
the processing module 302 is specifically configured to:
if the user identifier acquired by the acquisition module 301 is the first user identifier, generating a protocol number baseline according to the first user identifier, the protected IP address and the available protocol number corresponding to the protected IP address;
if the user identifier obtained by the obtaining module 301 is the second user identifier, a protocol number baseline is generated according to the second user identifier, the protected IP address, and the available protocol number corresponding to the protected IP address.
In this embodiment of the application, the obtaining module 301 obtains a user identifier corresponding to a protected IP address; if the user identifier is a first user identifier, the processing module 302 generates a protocol number baseline according to the first user identifier, the protected IP address, and the available protocol number corresponding to the protected IP address, and if the user identifier is a second user identifier, the processing module 302 generates the protocol number baseline according to the second user identifier, the protected IP address, and the available protocol number corresponding to the protected IP address. In this way the protocol number baseline records the correspondence among the protected IP address, the user identifier and the protocol numbers, that is, the protocol numbers used by each user identifier are recorded separately in the baseline, so the available protocol numbers of the protected IP address are managed at a finer granularity and the accuracy of the abnormal traffic judgment is improved.
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the service traffic processing apparatus 30 provided in this embodiment of the present application, the obtaining module 301 is further configured to obtain user level information corresponding to a protected IP address;
the obtaining module 301 is specifically configured to:
if the user level information acquired by the acquisition module 301 is a first level, acquiring an available protocol number corresponding to the protected IP address according to the mirror image service traffic within a first duration;
if the user level information acquired by the acquisition module 301 is a second level, the available protocol number corresponding to the protected IP address is acquired according to the mirror image service traffic in a second duration, where the second level is lower than the first level, and the second duration is shorter than the first duration.
In this embodiment of the present application, the obtaining module 301 obtains user level information corresponding to a protected IP address; if the user level information is a first level, the obtaining module 301 obtains the available protocol number corresponding to the protected IP address according to mirror image service traffic within a first duration, and if the user level information is a second level, the obtaining module 301 obtains the available protocol number corresponding to the protected IP address according to mirror image service traffic within a second duration, where the second level is lower than the first level and the second duration is shorter than the first duration. In this way the protected IP addresses are graded: the higher the grade of a protected IP address, the longer the period of mirror image service traffic from which its available protocol numbers are learned, so the available protocol numbers in its protocol number baseline are more accurate; that is, more computing resources are allocated to protected IP addresses of higher grade.
Referring to fig. 7, fig. 7 is a schematic view of an embodiment of a service traffic learning apparatus in an embodiment of the present application, in which a service traffic learning apparatus 40 includes:
an obtaining module 401, configured to obtain, through an optical splitter, a mirror image service traffic corresponding to a protected IP address;
the obtaining module 401 is further configured to obtain an available protocol number corresponding to the protected IP address according to the mirror image service traffic obtained by the obtaining module 401;
a processing module 402, configured to generate a protocol number baseline according to the protected IP address and an available protocol number corresponding to the protected IP address, where the protocol number baseline includes a correspondence between the IP address and the available protocol number;
a sending module 403, configured to send, to the protection device, the protocol number baseline of the server generated by the processing module 402 when the target Internet Protocol (IP) address of the server is attacked, so that when the protection device determines, according to the protocol number baseline of the server, that the target protocol number is inconsistent with the available protocol number in the protocol number baseline, it acquires the load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, and if the load characteristic statistical result meets the abnormal flow processing condition, determines Q data packets from the P data packets and intercepts the Q data packets, where the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are the target load characteristics, and Q is an integer greater than or equal to 1 and less than or equal to P.
In this embodiment, the obtaining module 401 obtains the mirror image traffic corresponding to the protected IP address through the optical splitter, the obtaining module 401 obtains the available protocol number corresponding to the protected IP address according to the mirror image traffic obtained by the obtaining module 401, the processing module 402 generates a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, where the protocol number baseline includes a corresponding relationship between the IP address and the available protocol number, and the sending module 403 sends the protocol number baseline of the server generated by the processing module 402 to the protection device when the target internet protocol IP address of the server is attacked, so that the protection device obtains the load characteristic statistics result of P data packets according to the traffic corresponding to the target protocol number when determining that the target protocol number is inconsistent with the available protocol number in the protocol number baseline according to the protocol number baseline of the server, if the load characteristic statistical result meets the abnormal flow processing condition, determining Q data packets from the P data packets, and intercepting the Q data packets, wherein the load characteristic statistical result is the statistical result of the target load characteristic in the P data packets, P is an integer greater than or equal to 1, the load characteristic of the Q data packets is the target load characteristic, and Q is an integer greater than or equal to 1 and less than or equal to P.
In this embodiment, the obtaining module 401 obtains a mirror image service traffic corresponding to a protected IP address through an optical splitter and obtains an available protocol number corresponding to the protected IP address according to the mirror image service traffic; the processing module 402 generates a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, where the protocol number baseline includes a corresponding relationship between the IP address and the available protocol number; and when a target Internet Protocol (IP) address of a server is attacked, the sending module 403 sends the protocol number baseline of the server to the protection device, so that when the protection device determines, according to the protocol number baseline of the server, that the target protocol number is inconsistent with the available protocol number in the protocol number baseline, it obtains a load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and if the load characteristic statistical result satisfies an abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets. In this way protocol flooding attack traffic can be identified in real time: only the service traffic under an unavailable protocol number is analyzed, the traffic that meets the abnormal traffic processing condition is intercepted efficiently, and the service traffic under an available protocol number is released, so normal service is not blocked by mistake.
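As an added illustration of two parts of the scheme described above, the learning of a protocol number baseline from mirrored traffic with a level-dependent learning duration (the user level passage and the learning apparatus of fig. 7) and the first-N/last-M byte load characteristic check with an occurrence threshold, the following Python is example code written for this page, not the patent's own implementation. The packet records, IP addresses, window lengths and threshold are constructed assumptions, and "occurrence count" is read as the number of packets in one unit-time batch whose first N (or last M) load bytes are identical.

```python
"""Protocol-number baseline learning plus load-feature flood filtering.

Added example for this page, not the patent's code. All packets, addresses,
learning windows and thresholds below are constructed assumptions.
"""
from collections import Counter, namedtuple

# Constructed packet record: capture time (s), destination IP, IP protocol
# number, payload (load) bytes.
Packet = namedtuple("Packet", "ts dst_ip proto payload")

# Assumed learning windows: a level-1 (higher) address learns its available
# protocol numbers from a longer stretch of mirrored traffic than a level-2 one.
LEVEL_WINDOW_S = {1: 600.0, 2: 60.0}


def learn_baseline(mirror_packets, level_by_ip, now):
    """Return {protected_ip: set(available protocol numbers)}.

    Mirrored packets older than the address's level-dependent window are
    ignored, so the baseline can be refreshed as new mirror traffic arrives.
    """
    baseline = {}
    for pkt in mirror_packets:
        window = LEVEL_WINDOW_S[level_by_ip.get(pkt.dst_ip, 2)]
        if now - pkt.ts <= window:
            baseline.setdefault(pkt.dst_ip, set()).add(pkt.proto)
    return baseline


def protocol_allowed(baseline, target_ip, target_proto):
    """True when the target protocol number is an available one for target_ip."""
    return target_proto in baseline.get(target_ip, set())


def payload_features(packets, n, m):
    """Count recurrences of each first-N and each last-M payload byte string."""
    head = Counter(p.payload[:n] for p in packets)
    tail = Counter(p.payload[-m:] for p in packets)
    return head, tail


def select_intercept(packets, n, m, threshold):
    """Split a unit-time batch of P packets into (intercepted Q, released).

    A first-N or last-M byte string recurring at least `threshold` times is
    taken as the target load characteristic; every packet carrying it is
    intercepted and the remaining packets are released.
    """
    head, tail = payload_features(packets, n, m)
    bad_heads = {k for k, c in head.items() if c >= threshold}
    bad_tails = {k for k, c in tail.items() if c >= threshold}
    intercepted, released = [], []
    for p in packets:
        if p.payload[:n] in bad_heads or p.payload[-m:] in bad_tails:
            intercepted.append(p)
        else:
            released.append(p)
    return intercepted, released


def process_attack(baseline, target_ip, target_proto, packets,
                   n=4, m=4, threshold=3):
    """Decision flow for one batch of P packets aimed at an attacked target IP."""
    if protocol_allowed(baseline, target_ip, target_proto):
        return [], list(packets)  # available protocol number: release everything
    return select_intercept(packets, n, m, threshold)


# ---- constructed sample data -------------------------------------------------
NOW = 1000.0
LEVELS = {"198.51.100.10": 1, "198.51.100.20": 2}
MIRROR = [
    Packet(500.0, "198.51.100.10", 6, b"GET / HTTP/1.1\r\n"),
    Packet(800.0, "198.51.100.10", 17, b"\x12\x34\x01\x00dns"),
    Packet(100.0, "198.51.100.20", 1, b"\x08\x00ping"),  # outside the 60 s window
    Packet(990.0, "198.51.100.20", 6, b"SSH-2.0-client\r\n"),
]
# Batch toward 198.51.100.10 on protocol 47, which its baseline does not hold:
# four padded packets share the same first four bytes, two carry distinct data.
ATTACK_BATCH = [
    Packet(NOW, "198.51.100.10", 47, b"\x00\x00\x00\x00" + b"A" * 60),
    Packet(NOW, "198.51.100.10", 47, b"\x00\x00\x00\x00" + b"B" * 60),
    Packet(NOW, "198.51.100.10", 47, b"\x00\x00\x00\x00" + b"C" * 60),
    Packet(NOW, "198.51.100.10", 47, b"\x00\x00\x00\x00" + b"D" * 60),
    Packet(NOW, "198.51.100.10", 47, b"\x10\x00\x88\x0etunnel-1"),
    Packet(NOW, "198.51.100.10", 47, b"\x20\x00\x88\x0etunnel-2"),
]


def demo():
    """Learn the baseline, then filter the attack batch; returns (Q, released)."""
    baseline = learn_baseline(MIRROR, LEVELS, NOW)
    return process_attack(baseline, "198.51.100.10", 47, ATTACK_BATCH)


if __name__ == "__main__":
    q, ok = demo()
    print(f"intercepted {len(q)} of {len(ATTACK_BATCH)}, released {len(ok)}")
```

Only the padded packets are dropped; the two distinct-payload packets under the same unavailable protocol number are still released, which is the scheme's point about not blocking normal service by mistake.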
Next, an embodiment of the present application further provides a terminal device, where the terminal device may be a protection device or a detection device. The service traffic processing apparatus provided in the embodiment corresponding to fig. 5 or fig. 6 may be deployed on the protection device, and is configured to execute the steps executed by the protection device of the service traffic processing system in the embodiments corresponding to fig. 2 to fig. 3. The service traffic learning apparatus provided in the embodiment corresponding to fig. 7 may be deployed on the detection device, and is configured to execute the steps executed by the detection device of the service traffic processing system in the embodiment corresponding to fig. 4. As shown in fig. 8, for convenience of explanation, only the parts related to the embodiments of the present application are shown; for technical details not disclosed here, please refer to the method part of the embodiments of the present application. The terminal device may be any terminal device including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a Point of Sales (POS) terminal, a vehicle-mounted computer, and the like; the following takes a PC as an example:
fig. 8 is a block diagram showing a partial structure of a PC related to the attribute information presentation apparatus provided in the embodiment of the present application. Referring to fig. 8, the PC includes: radio Frequency (RF) circuit 510, memory 520, input unit 530, display unit 540, sensor 550, audio circuit 560, wireless fidelity (WiFi) module 570, processor 580, and power supply 590. Those skilled in the art will appreciate that the PC architecture shown in fig. 8 does not constitute a limitation of a PC and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the PC in detail with reference to fig. 8:
RF circuit 510 may be used for receiving and transmitting signals during information transmission and reception or during a call; in particular, after receiving downlink information from a base station it passes that information to processor 580 for processing, and it transmits uplink data to the base station. In general, RF circuit 510 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, RF circuit 510 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Messaging Service (SMS), etc.
The memory 520 may be used to store software programs and modules, and the processor 580 executes various functional applications of the PC and performs data processing by running the software programs and modules stored in the memory 520. The memory 520 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like, and the data storage area may store data (such as audio data, a phonebook, etc.) created during use of the PC, and the like. Further, the memory 520 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The input unit 530 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the PC. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532. The touch panel 531, also called a touch screen, can collect touch operations of a user on or near the touch panel 531 (for example, operations of the user on or near the touch panel 531 by using any suitable object or accessory such as a finger or a stylus pen), and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 531 may include two parts of a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, and sends the touch point coordinates to the processor 580, and can receive and execute commands sent by the processor 580. In addition, the touch panel 531 may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 530 may include other input devices 532 in addition to the touch panel 531. In particular, other input devices 532 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 540 may be used to display information input by the user or information provided to the user and various menus of the PC. The display unit 540 may include a display panel 541, and optionally, the display panel 541 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like. Further, the touch panel 531 may cover the display panel 541; when the touch panel 531 detects a touch operation on or near it, the touch operation is transmitted to the processor 580 to determine the type of the touch event, and the processor 580 then provides a corresponding visual output on the display panel 541 according to the type of the touch event. Although the touch panel 531 and the display panel 541 are shown in fig. 8 as two separate components implementing the input and output functions of the PC, in some embodiments the touch panel 531 and the display panel 541 may be integrated to implement the input and output functions of the PC.
The PC may also include at least one sensor 550, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 541 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 541 and/or the backlight when the PC is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), detect the magnitude and direction of gravity when stationary, and can be used for applications of identifying PC gestures (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration identification related functions (such as pedometer, tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured by the PC, the description thereof is omitted.
Audio circuitry 560, speaker 561 and microphone 562 may provide an audio interface between the user and the PC. The audio circuit 560 may transmit the electrical signal converted from received audio data to the speaker 561, which converts the electrical signal into a sound signal for output; conversely, the microphone 562 converts a collected sound signal into an electrical signal, which the audio circuit 560 receives and converts into audio data; after the audio data is output to the processor 580 for processing, it is sent, for example, to another PC via the RF circuit 510, or output to the memory 520 for further processing.
WiFi belongs to short-range wireless transmission technology, and the PC can help the user send and receive e-mails, browse web pages, access streaming media, etc. through the WiFi module 570, which provides wireless broadband internet access for the user. Although fig. 8 shows the WiFi module 570, it is understood that it does not belong to the essential constitution of the PC, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 580 is a control center of the PC, connects various parts of the entire PC using various interfaces and lines, and performs various functions of the PC and processes data by running or executing software programs and/or modules stored in the memory 520 and calling data stored in the memory 520, thereby monitoring the PC as a whole. Alternatively, processor 580 may include one or more processing units; alternatively, processor 580 may integrate an application processor, which handles primarily the operating system, user interface, applications, etc., and a modem processor, which handles primarily the wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 580.
The PC also includes a power supply 590 (e.g., a battery) for powering the various components, which may optionally be logically connected to the processor 580 via a power management system to manage charging, discharging, and power consumption via the power management system.
Although not shown, the PC may further include a camera module, a bluetooth module, etc., which will not be described herein.
In this embodiment of the present application, when the service traffic processing apparatus provided in the embodiment corresponding to fig. 5 or fig. 6 is deployed on the protection device, the processor 580 is further configured to perform the following steps:
when a target Internet Protocol (IP) address of a server is attacked, acquiring a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between a protected IP address and an available protocol number;
if the target protocol number is not consistent with the available protocol number in the protocol number baseline, acquiring a load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, wherein the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, and P is an integer greater than or equal to 1;
if the load characteristic statistical result meets an abnormal flow processing condition, determining Q data packets from the P data packets, wherein the load characteristics of the Q data packets are target load characteristics, and Q is an integer which is greater than or equal to 1 and less than or equal to P;
and intercepting the Q data packets.
In this embodiment of the present application, when the service traffic learning apparatus provided in the embodiment corresponding to fig. 7 is deployed on the detection device, the processor 580 is further configured to perform the following steps:
acquiring mirror image service flow corresponding to the protected IP address through the optical splitter;
acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow;
generating a protocol number baseline according to the protected IP address and an available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and the available protocol number;
when a target Internet Protocol (IP) address of a server is attacked, sending a protocol number baseline of the server to the protection device, so that when the protection device determines, according to the protocol number baseline of the server, that a target protocol number is inconsistent with an available protocol number in the protocol number baseline, it obtains a load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and if the load characteristic statistical result meets an abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets, where the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are the target load characteristics, and Q is an integer greater than or equal to 1 and less than or equal to P.
Next, an embodiment of the present application further provides a server, where the server may be a protection device or a detection device. The service traffic processing apparatus provided in the embodiment corresponding to fig. 5 or fig. 6 may be deployed on the protective device, and is configured to execute steps executed by the protective device of the service traffic processing system in the embodiments corresponding to fig. 2 to fig. 3. The detection device may be deployed with the service traffic learning apparatus provided in the embodiment corresponding to fig. 7, and is configured to execute the steps executed by the detection device of the service traffic processing system in the embodiment corresponding to fig. 4. As shown in fig. 9, fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application, and the server 600 may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 622 (e.g., one or more processors) and a memory 632, and one or more storage media 630 (e.g., one or more mass storage devices) for storing applications 642 or data 644. Memory 632 and storage medium 630 may be, among other things, transient or persistent storage. The program stored in the storage medium 630 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, the central processor 622 may be configured to communicate with the storage medium 630 and execute a series of instruction operations in the storage medium 630 on the server 600.
The server 600 may also include one or more power supplies 626, one or more wired or wireless network interfaces 650, one or more input-output interfaces 658, and/or one or more operating systems 641, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so forth.
The steps performed by the server in the above embodiments may be based on the server structure shown in fig. 9.
In this embodiment of the application, when the service traffic processing apparatus provided in the embodiment corresponding to fig. 5 or fig. 6 is deployed on the protection device, the CPU 622 is further configured to execute the following steps:
when a target Internet Protocol (IP) address of a server is attacked, acquiring a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between a protected IP address and an available protocol number;
if the target protocol number is not consistent with the available protocol number in the protocol number baseline, acquiring a load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, wherein the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, and P is an integer greater than or equal to 1;
if the load characteristic statistical result meets an abnormal flow processing condition, determining Q data packets from the P data packets, wherein the load characteristics of the Q data packets are target load characteristics, and Q is an integer which is greater than or equal to 1 and less than or equal to P;
and intercepting the Q data packets.
In this embodiment of the application, when the service traffic learning apparatus provided in the embodiment corresponding to fig. 7 is deployed on the detection device, the CPU 622 is further configured to execute the following steps:
acquiring mirror image service flow corresponding to the protected IP address through the optical splitter;
acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow;
generating a protocol number baseline according to the protected IP address and an available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and the available protocol number;
when a target Internet Protocol (IP) address of a server is attacked, sending a protocol number baseline of the server to the protective device, so that when the protective device determines, according to the protocol number baseline of the server, that a target protocol number is inconsistent with the available protocol number in the protocol number baseline, it obtains a load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and, if the load characteristic statistical result meets an abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets, wherein the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are target load characteristics, and Q is an integer greater than or equal to 1 and less than or equal to P.
Also provided in the embodiments of the present application is a computer-readable storage medium, which stores a computer program, and when the computer program runs on a computer, the computer is caused to execute the steps executed by the service traffic processing system in the method described in the foregoing embodiments shown in fig. 2 to 3, or the computer is caused to execute the steps executed by the detection device of the service traffic processing system in the method described in the foregoing embodiment shown in fig. 4.
Also provided in the embodiments of the present application is a computer program product including a program, which when run on a computer, causes the computer to execute the steps executed by the service traffic processing system in the method described in the foregoing embodiments shown in fig. 2 to 3, or causes the computer to execute the steps executed by the detection device of the service traffic processing system in the method described in the foregoing embodiment shown in fig. 4.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (15)

1. A method for traffic processing, comprising:
when a target Internet Protocol (IP) address of a server is attacked, acquiring a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between a protected IP address and an available protocol number;
if the target protocol number is not consistent with the available protocol number in the protocol number baseline, acquiring a load characteristic statistical result of P data packets according to the service flow corresponding to the target protocol number, wherein the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, and P is an integer greater than or equal to 1;
if the load characteristic statistical result meets an abnormal flow processing condition, determining Q data packets from the P data packets, wherein the load characteristics of the Q data packets are target load characteristics, Q is an integer which is greater than or equal to 1 and less than or equal to P, and the Q data packets are data packets for performing abnormal attack on the target IP address;
and intercepting the Q data packets.
2. The method of claim 1, wherein after obtaining the protocol number baseline of the server and the target protocol number corresponding to the attacked target IP address, the method further comprises:
acquiring an available protocol number corresponding to the target IP address according to the protocol number baseline;
comparing the target protocol number with an available protocol number corresponding to the target IP address to obtain a comparison result;
if the comparison result is a first result, determining that the target protocol number is inconsistent with the available protocol number in the protocol number baseline;
and if the comparison result is a second result, determining that the target protocol number is consistent with the available protocol number in the protocol number baseline.
3. The method of claim 2, wherein after determining that the target protocol number is consistent with an available protocol number in the protocol number baseline, the method further comprises:
and sending the P data packets corresponding to the target protocol number to the server.
4. The method according to claim 1, wherein the obtaining the statistical result of the load characteristics of P data packets according to the service traffic corresponding to the target protocol number includes:
acquiring the service flow corresponding to the target protocol number;
acquiring load data of the P data packets according to the service flow corresponding to the target protocol number;
acquiring load characteristics in unit time according to the load data of the P data packets, wherein the load characteristics comprise at least one of the first N bytes and the last M bytes of the load data, N is an integer greater than or equal to 1, and M is an integer greater than or equal to 1;
and generating the load characteristic statistical result according to the load characteristics in the unit time.
5. The method according to claim 4, wherein the acquiring the load characteristics in the unit time according to the load data of the P data packets comprises:
acquiring the number of occurrences of the same bytes in the first N bytes in the unit time according to the load data of the P data packets, to generate the load characteristic statistical result;
after the load characteristic statistical result is generated according to the load characteristics in the unit time, the method further comprises:
and if the number of occurrences of the same bytes in the first N bytes in the unit time is greater than or equal to an occurrence frequency threshold, determining that the load characteristic statistical result meets the abnormal flow processing condition.
6. The method according to claim 4, wherein the generating the load characteristic statistical result according to the load characteristics in the unit time comprises:
generating the load characteristic statistical result according to the number of occurrences of the same bytes in the last M bytes in the unit time;
after the load characteristic statistical result is determined according to the load data of the data packets, the method further comprises:
and if the number of occurrences of the same bytes in the last M bytes in the unit time is greater than or equal to an occurrence frequency threshold, determining that the load characteristic statistical result meets the abnormal flow processing condition.
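The protective-device side of claims 1 to 6 (and of the CPU 622 steps above), as an added Python simulation that is not code from the patent: traffic to the attacked IP is grouped by IP protocol number, protocol numbers present in the baseline are forwarded to the server (claim 3), and for any other protocol number the first N / last M bytes of each payload form the load characteristic, whose repeat count over the P packets of one unit time decides whether the matching Q packets are intercepted (claims 4 to 6). The names parse_ipv4, process_traffic, build_ipv4, the baseline contents and the sample traffic are assumptions of this example, not identifiers from the patent.

```python
# Added example, not code from the patent: the protection-device steps of claims 1-6
# as a small Python simulation. parse_ipv4, process_traffic and build_ipv4 are
# hypothetical names; the packet data is constructed inline for the demo.
import struct
from collections import Counter
from typing import Dict, List, Set, Tuple

# Protocol number baseline: protected IP address -> available IP protocol numbers.
ProtocolBaseline = Dict[str, Set[int]]
# Target load characteristic: (first N bytes, last M bytes) of the load data (claim 4).
LoadFeature = Tuple[bytes, bytes]


def parse_ipv4(packet: bytes) -> Tuple[str, int, bytes]:
    """Return (destination IP, protocol number, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    header_len = (packet[0] & 0x0F) * 4      # IHL field, in 32-bit words
    protocol = packet[9]                     # IP protocol number, e.g. 6 = TCP, 17 = UDP
    dst_ip = ".".join(str(b) for b in packet[16:20])
    return dst_ip, protocol, packet[header_len:]


def load_feature(payload: bytes, n: int, m: int) -> LoadFeature:
    """First N and last M bytes of the payload (N, M >= 1 as in claim 4)."""
    return payload[:n], payload[-m:]


def load_feature_statistics(payloads: List[bytes], n: int, m: int) -> Counter:
    """Claims 5/6: how many of the P packets in the unit time share each feature."""
    return Counter(load_feature(p, n, m) for p in payloads)


def process_traffic(target_ip: str, baseline: ProtocolBaseline, raw_packets: List[bytes],
                    n: int = 4, m: int = 4, threshold: int = 3) -> Tuple[List[bytes], List[bytes]]:
    """Protective-device flow for an attacked target IP; returns (forwarded, intercepted).

    A protocol number listed in the baseline is consistent and its packets go to the
    server (claim 3). For any other protocol number, the load feature statistics of its
    P packets are computed and the Q packets whose feature repeats at least `threshold`
    times in the unit time are intercepted (abnormal flow processing condition).
    """
    available = baseline.get(target_ip, set())
    forwarded: List[bytes] = []
    intercepted: List[bytes] = []
    by_protocol: Dict[int, List[bytes]] = {}

    for raw in raw_packets:
        dst_ip, protocol, _ = parse_ipv4(raw)
        if dst_ip != target_ip:               # only the attacked address is examined
            forwarded.append(raw)
            continue
        by_protocol.setdefault(protocol, []).append(raw)

    for protocol, packets in by_protocol.items():
        if protocol in available:             # consistent with the protocol number baseline
            forwarded.extend(packets)
            continue
        payloads = [parse_ipv4(raw)[2] for raw in packets]
        stats = load_feature_statistics(payloads, n, m)
        abnormal = {feat for feat, count in stats.items() if count >= threshold}
        for raw, payload in zip(packets, payloads):
            if load_feature(payload, n, m) in abnormal:
                intercepted.append(raw)       # one of the Q packets carrying the target feature
            else:
                forwarded.append(raw)         # design choice here: non-matching packets pass
    return forwarded, intercepted


def build_ipv4(dst_ip: str, protocol: int, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header, no options, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         protocol, 0, bytes([10, 0, 0, 1]),
                         bytes(int(x) for x in dst_ip.split(".")))
    return header + payload


def demo() -> Tuple[List[bytes], List[bytes]]:
    """Constructed scenario: the baseline for the target allows only TCP (6) and UDP (17)."""
    target = "192.0.2.10"
    baseline: ProtocolBaseline = {target: {6, 17}}
    traffic = [build_ipv4(target, 6, b"GET / HTTP/1.1\r\n"),
               build_ipv4(target, 17, b"\x00\x01dns-query")]
    # Four ICMP (protocol 1) packets sharing the same first and last 4 bytes ...
    traffic += [build_ipv4(target, 1, b"AAAA" + bytes([i]) * 8 + b"ZZZZ") for i in range(4)]
    # ... and one ICMP packet with a distinct payload, which is left alone.
    traffic.append(build_ipv4(target, 1, b"echo request from a real host"))
    return process_traffic(target, baseline, traffic)
```

Running demo() intercepts the four repeated ICMP packets and forwards the other three. The threshold, N and M are tuning knobs in this example; the patent only fixes that they are integers greater than or equal to 1.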
7. The method according to any one of claims 1 to 6, further comprising:
acquiring mirror image service flow corresponding to the protected IP address through the optical splitter;
acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow;
and generating the protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address.
8. The method of claim 7, further comprising:
acquiring a user identifier corresponding to the protected IP address;
generating the protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, including:
if the user identifier is a first user identifier, generating a protocol number baseline according to the first user identifier, the protected IP address and an available protocol number corresponding to the protected IP address;
and if the user identifier is a second user identifier, generating the protocol number baseline according to the second user identifier, the protected IP address and the available protocol number corresponding to the protected IP address.
9. The method of claim 7, further comprising:
acquiring user grade information corresponding to the protected IP address;
the obtaining the available protocol number corresponding to the protected IP address according to the mirror image service traffic includes:
if the user level information is a first level, acquiring an available protocol number corresponding to the protected IP address according to mirror image service flow in a first time length;
and if the user level information is of a second level, acquiring an available protocol number corresponding to the protected IP address according to mirror image service flow in a second time length, wherein the second level is lower than the first level, and the second time length is shorter than the first time length.
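The detection-device side of claims 7 to 9 (and the CPU 622 learning steps above), as an added Python example that is not code from the patent: each packet on the mirrored feed from the optical splitter contributes its protocol number to the baseline entry of the protected IP it is addressed to, the entry is keyed by user identifier and IP (claim 8), and only packets inside the learning window that the user's level allows are counted (claim 9). MirroredPacket, LEARNING_DURATION, the user records and the mirror feed are assumptions of this example; the patent only requires that the second-level duration be shorter than the first-level one.

```python
# Added example, not code from the patent: baseline learning of claims 7-9 on
# already-decoded mirrored packets. MirroredPacket, LEARNING_DURATION and the user
# records are hypothetical; the mirror feed below is constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class MirroredPacket:
    """One packet from the mirror feed of the optical splitter (already decoded)."""
    ts: float        # capture time, seconds since the start of learning
    dst_ip: str      # destination (possibly protected) IP address
    protocol: int    # IP protocol number


# Learning window per user level, in seconds (constructed values: level 2 is lower
# than level 1 and gets the shorter window, as claim 9 requires).
LEARNING_DURATION = {1: 7 * 86400, 2: 1 * 86400}

# Baseline key: (user identifier, protected IP address) -> available protocol numbers.
Baseline = Dict[Tuple[str, str], Set[int]]


def learn_baseline(mirror: Iterable[MirroredPacket], users: Dict[str, dict],
                   learning_start: float = 0.0) -> Baseline:
    """Collect the protocol numbers seen for each protected IP during the learning
    window its user level entitles it to; users maps IP -> {"user_id", "level"}."""
    baseline: Baseline = {}
    for pkt in mirror:
        info = users.get(pkt.dst_ip)
        if info is None:
            continue                      # not a protected IP address
        window = LEARNING_DURATION[info["level"]]
        if not (learning_start <= pkt.ts < learning_start + window):
            continue                      # outside this user's learning duration
        key = (info["user_id"], pkt.dst_ip)
        baseline.setdefault(key, set()).add(pkt.protocol)
    return baseline


def baseline_for_attacked_ip(baseline: Baseline, target_ip: str) -> Baseline:
    """The entries the detection device hands to the protective device once
    target_ip is reported as attacked (claim 10)."""
    return {key: protos for key, protos in baseline.items() if key[1] == target_ip}


def demo() -> Baseline:
    """Constructed mirror feed: two protected IPs belonging to users of different levels."""
    users = {"198.51.100.5": {"user_id": "tenant-a", "level": 1},
             "198.51.100.9": {"user_id": "tenant-b", "level": 2}}
    day = 86400
    mirror = [
        MirroredPacket(0, "198.51.100.5", 6),          # TCP on day 0
        MirroredPacket(3 * day, "198.51.100.5", 17),   # UDP on day 3
        MirroredPacket(6 * day, "198.51.100.5", 47),   # GRE on day 6, inside the 7-day window
        MirroredPacket(0, "198.51.100.9", 6),
        MirroredPacket(0.5 * day, "198.51.100.9", 17),
        MirroredPacket(2 * day, "198.51.100.9", 1),    # ICMP after the 1-day window: ignored
        MirroredPacket(0, "203.0.113.1", 6),           # not a protected address: ignored
    ]
    return learn_baseline(mirror, users)
```

In demo() the level-1 tenant ends up with {6, 17, 47} while the level-2 tenant, whose window closed after one day, only learns {6, 17}; the ICMP packet that arrived later would therefore be treated as an inconsistent protocol number by the protective device.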
10. A method for learning traffic flow, comprising:
acquiring mirror image service flow corresponding to the protected IP address through the optical splitter;
acquiring an available protocol number corresponding to the protected IP address according to the mirror image service flow;
generating a protocol number baseline according to the protected IP address and an available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and the available protocol number;
when a target Internet Protocol (IP) address of a server is attacked, sending a protocol number baseline of the server to the protective device, so that when the protective device determines, according to the protocol number baseline of the server, that a target protocol number is inconsistent with the available protocol number in the protocol number baseline, it obtains a load characteristic statistical result of P data packets according to the service traffic corresponding to the target protocol number, and, if the load characteristic statistical result meets an abnormal traffic processing condition, determines Q data packets from the P data packets and intercepts the Q data packets, wherein the load characteristic statistical result is a statistical result of target load characteristics in the P data packets, P is an integer greater than or equal to 1, the load characteristics of the Q data packets are target load characteristics, Q is an integer greater than or equal to 1 and less than or equal to P, and the Q data packets are data packets for carrying out an abnormal attack on the target IP address.
11. A traffic processing apparatus, comprising:
an obtaining module, configured to obtain, when a target Internet Protocol (IP) address of a server is attacked, a protocol number baseline of the server and a target protocol number corresponding to the attacked target IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and an available protocol number;
the obtaining module is further configured to obtain a statistical result of load characteristics of P data packets according to service traffic corresponding to a target protocol number when the target protocol number obtained by the obtaining module is inconsistent with an available protocol number in a protocol number baseline obtained by the obtaining module, where the statistical result of load characteristics is a statistical result of target load characteristics in the P data packets, and P is an integer greater than or equal to 1;
a processing module, configured to determine Q data packets from the P data packets when the load feature statistical result obtained by the obtaining module meets an abnormal traffic processing condition, where the load feature of the Q data packets is a target load feature, Q is an integer greater than or equal to 1 and less than or equal to P, and the Q data packets are data packets that perform an abnormal attack on the target IP address;
the processing module is further configured to intercept the Q data packets determined by the processing module.
12. A traffic learning apparatus, comprising:
an obtaining module, configured to obtain mirror image service traffic corresponding to a protected IP address through the optical splitter;
the obtaining module is further configured to obtain an available protocol number corresponding to the protected IP address according to the mirror image service traffic obtained by the obtaining module;
a processing module, configured to generate a protocol number baseline according to the protected IP address and the available protocol number corresponding to the protected IP address, wherein the protocol number baseline comprises a corresponding relation between the IP address and the available protocol number;
a sending module, configured to send, to a protective device, a protocol number baseline of a server generated by the processing module when a target internet protocol IP address of the server is attacked, so that when the protective device determines, according to the protocol number baseline of the server, that a target protocol number is not consistent with an available protocol number in the protocol number baseline, a load feature statistical result of P data packets is obtained according to traffic corresponding to the target protocol number, and if the load feature statistical result satisfies an abnormal traffic processing condition, Q data packets are determined from the P data packets, and the Q data packets are intercepted, where the load feature statistical result is a statistical result of target load features in the P data packets, P is an integer greater than or equal to 1, and a load feature of the Q data packets is a target load feature, and Q is an integer which is greater than or equal to 1 and less than or equal to P, and the Q data packets are data packets for performing abnormal attack on the target IP address.
13. A protective apparatus, comprising: a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is configured to execute a program in the memory, including performing the method of any of claims 1 to 9;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
14. A detection apparatus, comprising: a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is configured to execute the program in the memory to perform the method of claim 10;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
15. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 9 or perform the method of claim 10.
CN201911151007.2A 2019-11-21 2019-11-21 Service flow processing method, service flow learning method, device and system Active CN111031004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911151007.2A CN111031004B (en) 2019-11-21 2019-11-21 Service flow processing method, service flow learning method, device and system

Publications (2)

Publication Number Publication Date
CN111031004A CN111031004A (en) 2020-04-17
CN111031004B true CN111031004B (en) 2021-11-26

Family

ID=70201906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911151007.2A Active CN111031004B (en) 2019-11-21 2019-11-21 Service flow processing method, service flow learning method, device and system

Country Status (1)

Country Link
CN (1) CN111031004B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111556068B (en) * 2020-05-12 2020-12-22 上海有孚智数云创数字科技有限公司 Distributed Denial of Service Monitoring and Prevention Method Based on Traffic Feature Recognition
EP4203393A1 (en) * 2021-12-22 2023-06-28 Juniper Networks, Inc. Systems and methods for avoiding offloading traffic flows associated with malicious data
CN115983260A (en) * 2022-12-19 2023-04-18 深信服科技股份有限公司 Feature extraction, detection and training method, device, equipment and medium

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030009887A (en) * 2001-07-24 2003-02-05 주식회사 케이티 A system and method for intercepting DoS attack
US7609625B2 (en) * 2005-07-06 2009-10-27 Fortinet, Inc. Systems and methods for detecting and preventing flooding attacks in a network environment
CN101834864B (en) * 2010-04-30 2015-06-10 中兴通讯股份有限公司 Method and device for preventing attack in three-layer virtual private network
CN102130800B (en) * 2011-04-01 2013-08-28 苏州赛特斯网络科技有限公司 Device and method for detecting network access abnormality based on data stream behavior analysis
CN103701824B (en) * 2013-12-31 2017-06-06 大连环宇移动科技有限公司 A kind of security isolation managing and control system
CN103763309B (en) * 2013-12-31 2018-03-30 曙光云计算集团有限公司 Safety domain control method and system based on virtual network
CN103746996A (en) * 2014-01-03 2014-04-23 汉柏科技有限公司 Packet filtering method for firewall
CN105991587B (en) * 2015-02-13 2019-10-15 中国移动通信集团山西有限公司 An intrusion detection method and system
CN105871930A (en) * 2016-06-21 2016-08-17 上海携程商务有限公司 Self-adaptive firewall security policy configuration method and system based on applications
CN107612905A (en) * 2017-09-15 2018-01-19 广西电网有限责任公司电力科学研究院 The malicious code monitoring method of equipment oriented monitoring distributed system main website
US10320839B2 (en) * 2017-09-19 2019-06-11 Forcepoint, LLC Automatic anti-spoof for multicast routing
CN110035041B (en) * 2018-01-12 2020-11-17 华为技术有限公司 Method and equipment for identifying application attack source
CN108737447B (en) * 2018-06-22 2020-07-17 腾讯科技(深圳)有限公司 User datagram protocol flow filtering method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40021737
Country of ref document: HK
GR01 Patent grant