CN114553583B - Network security analysis system, method, equipment and storage medium - Google Patents


Info

Publication number
CN114553583B
Authority
CN
China
Prior art keywords
nta
equipment
network data
target
resource pool
Prior art date
Legal status
Active
Application number
CN202210206190.7A
Other languages
Chinese (zh)
Other versions
CN114553583A (en)
Inventor
季斌
尚程
王杰
杨满智
蔡琳
傅强
梁彧
田野
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security analysis system, method, device and storage medium. The system comprises an aggregation and distribution device subsystem made up of a plurality of aggregation and distribution devices, an NTA resource pool made up of a plurality of NTA devices (devices based on network traffic analysis technology), and a control server. The control server is connected to both the aggregation and distribution device subsystem and the NTA resource pool, and the aggregation and distribution device subsystem is connected to the NTA resource pool. The system addresses the problems of the existing point-to-point direct-connection network security analysis system, namely poor scalability, inability to multiplex NTA device resources and the high investment cost caused by unbalanced resource use. By having the control server uniformly control the aggregation and distribution devices and the devices of the NTA resource pool, it provides a network security analysis system in which policy control can be flexibly allocated, thereby reducing investment cost.

Description

Network security analysis system, method, equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network security analysis system, method, device, and storage medium.
Background
As intrusion techniques continue to develop, intrusion detection systems can no longer effectively discover network threats in some network scenarios. Devices based on network traffic analysis (Network Traffic Analysis, NTA) are therefore deployed in large numbers in network systems. In today's internet and communication networks, NTA devices are specialized devices widely used for identifying and processing network traffic.
The existing network security analysis system consists of two parts, an aggregation and distribution device and an NTA device, deployed as shown in FIG. 1: the aggregation and distribution device and the NTA device are connected point-to-point, that is, the network data stream output by the aggregation and distribution device goes directly to the NTA device. This conventional deployment has the following disadvantages: the point-to-point direct connection scales poorly and cannot effectively cope with overload of some of the NTA devices, and as the service system expands, the NTA devices must be continually expanded as well, at high investment cost; moreover, NTA device resources at different locations and in different systems cannot be multiplexed, so resource use is unbalanced.
Disclosure of Invention
The invention provides a network security analysis system, method, device and storage medium to solve the problems of poor scalability, inability to multiplex NTA device resources and the high investment cost caused by unbalanced resource use in the conventional point-to-point direct-connection network security analysis system.
According to one aspect of the present invention, a network security analysis system is provided, comprising: an aggregation and distribution device subsystem made up of a plurality of aggregation and distribution devices, an NTA resource pool made up of a plurality of NTA devices based on network traffic analysis technology, and a control server; the control server is connected to both the aggregation and distribution device subsystem and the NTA resource pool, and the aggregation and distribution device subsystem is connected to the NTA resource pool;
the aggregation and distribution device is used to generate an NTA resource pool address request message from the collected network data stream and send it to the control server, and to encapsulate the network data stream according to the response message fed back by the control server and transmit it to the target NTA device, where the response message contains the target NTA device address of the target NTA device in the NTA resource pool;
the control server is used to determine a response message from the NTA resource pool address request message received from the aggregation and distribution device, and to feed the response message back to the aggregation and distribution device that collected the network data stream;
the target NTA device is used to receive the encapsulated network data stream, parse it and perform security analysis on it.
According to another aspect of the present invention, a network security analysis method is provided, applied to an aggregation and distribution device in a network security analysis system, the method comprising:
collecting a network data stream and generating an NTA resource pool address request message based on the network data stream;
sending the NTA resource pool address request message to a control server;
receiving a response message fed back by the control server, the response message containing a target NTA device address determined from the NTA resource pool address request message;
and encapsulating the network data stream according to the response message and transmitting it to the target NTA device in the NTA resource pool.
According to another aspect of the present invention, a network security analysis method is provided, applied to a control server in a network security analysis system, the method comprising:
receiving an NTA resource pool address request message sent by an aggregation and distribution device that collects network data streams;
determining a response message from the NTA resource pool address request message, the response message containing a target NTA device address;
and feeding the response message back to the aggregation and distribution device that collected the network data stream.
According to another aspect of the present invention, an electronic device is provided, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor,
wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the network security analysis method of any embodiment of the present invention.
According to another aspect of the present invention, a computer-readable storage medium is provided, storing computer instructions which, when executed, cause a processor to implement the network security analysis method of any embodiment of the present invention.
The technical solution of the embodiments of the present invention provides a network security analysis system comprising an aggregation and distribution device subsystem made up of a plurality of aggregation and distribution devices, an NTA resource pool made up of a plurality of NTA devices based on network traffic analysis technology, and a control server, where the control server is connected to both the aggregation and distribution device subsystem and the NTA resource pool, and the aggregation and distribution device subsystem is connected to the NTA resource pool. It solves the problem of high investment cost caused by the existing point-to-point direct-connection network security analysis system, namely its poor scalability, inability to multiplex NTA device resources and unbalanced resource use, and, by having the control server uniformly control the aggregation and distribution devices and the devices of the NTA resource pool, achieves flexible allocation of the NTA devices in the NTA resource pool and a reduction in investment cost.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a prior art network security analysis system;
FIG. 2 is a schematic structural diagram of a network security analysis system according to a first embodiment of the present invention;
FIG. 3 is a flowchart of a network security analysis method according to a second embodiment of the present invention;
FIG. 4 is a flowchart of a network security analysis method according to a third embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device implementing a network security analysis method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It is noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and in the foregoing figures, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
Embodiment 1
FIG. 2 is a schematic structural diagram of a network security analysis system according to an embodiment of the present invention. The embodiment is applicable to performing security analysis on network data streams generated by a service system. The security analysis system includes: an aggregation and distribution device subsystem 10 including a plurality of aggregation and distribution devices, an NTA resource pool 20 including a plurality of NTA devices based on network traffic analysis technology, and a control server 30; the control server 30 is connected to both the aggregation and distribution device subsystem 10 and the NTA resource pool 20, and the aggregation and distribution device subsystem 10 is connected to the NTA resource pool 20;
the aggregation and distribution device is used to generate an NTA resource pool address request message from the collected network data stream and send it to the control server, and to encapsulate the network data stream according to the response message fed back by the control server and transmit it to the target NTA device, where the response message contains the target NTA device address of the target NTA device in the NTA resource pool;
the control server is used to receive the request message sent by the aggregation and distribution device and to feed back to it the response message determined from that request message;
the target NTA device is used to receive the encapsulated network data stream sent by the aggregation and distribution device, parse it and perform security analysis on it.
The aggregation and distribution device subsystem is a subsystem comprising a plurality of aggregation and distribution devices; an aggregation and distribution device can perform functions such as network data stream access, aggregation, replication, distribution and inner- and outer-layer rule filtering. Network data streams may be collected at routing devices or other transmission device nodes in the network system.
The NTA resource pool is a container holding all available NTA device resources; the term "resource pool" is used figuratively, with each available NTA device treated as a resource object. NTA devices are typically configured in various service systems for security analysis. The control server invokes and controls the NTA devices in the NTA resource pool through a formulated policy and instructs the aggregation and distribution devices how to transmit network data streams, so as to achieve load balancing, resource quantity control, blocking control and fault repair of the NTA devices. The aggregation and distribution device subsystem is connected to the NTA resource pool in a many-to-many fashion, that is, each aggregation and distribution device in the subsystem is connected to a plurality of NTA devices in the NTA resource pool.
By way of example, load balancing may be achieved by controlling the NTA devices in the NTA resource pool through weight control or domain control. Resource quantity control may mean controlling the number of NTA devices in use in the NTA resource pool, for example by setting a lowest and a highest threshold on the number of NTA devices that may be used and adding or removing usable NTA devices according to those thresholds. Blocking control may mean returning an available NTA device to the NTA resource pool after a defined period of time or under defined conditions. Fault repair may mean using a monitoring thread to detect faulty NTA devices, for example devices under high load or devices that are unavailable, so as to avoid the blocking that such faults could cause.
Specifically, the aggregation and distribution device is configured to collect a network data stream, generate an NTA resource pool address request message from it, and send that message to the control server. On receiving the NTA resource pool address request message, the control server determines a response message from it; the response message contains the target NTA device address, that is, the address of the NTA device that is to receive the network data stream. The control server feeds the response message back to the aggregation and distribution device that collected the network data stream. On receiving the response message, that aggregation and distribution device encapsulates the network data stream according to the response message and sends the encapsulated stream to the target NTA device corresponding to the target NTA device address contained in the response message. The target NTA device receives the encapsulated network data stream sent by the aggregation and distribution device, decapsulates it to recover the network data stream, and performs security analysis on the network data stream.
It should be noted that the control server serves only as a control center and does not act as a forwarding device for the network data streams. Because the collected network data streams carry a large volume of data, forwarding them through the control server would impose high hardware requirements on it and increase the capacity-expansion investment in the intermediate server. Therefore, in this embodiment of the present invention the control server acts as a control center that instructs the aggregation and distribution device to transmit the network data stream to the target NTA device, while the actual transmission of the network data stream takes place over the many-to-many connection between the aggregation and distribution device subsystem and the NTA resource pool.
The aggregation and distribution device subsystem and the NTA resources may be connected many-to-many through an IP bearer network. An IP bearer network is a private network that an operator builds with IP technology to carry services with high transmission-quality requirements; it has the low cost, good scalability and flexible service carriage of an IP network while also offering the high reliability and security of a transport system. Adding a control server that instructs the aggregation and distribution devices to transmit network data streams to the target NTA devices over the IP bearer network connection between the aggregation and distribution device subsystem and the NTA resources further enables flexible scheduling of the NTA devices in the NTA resource pool and reduces investment cost.
The network security analysis system provided in this embodiment comprises an aggregation and distribution device subsystem made up of a plurality of aggregation and distribution devices, an NTA resource pool made up of a plurality of NTA devices based on network traffic analysis technology, and a control server; the control server is connected to both the aggregation and distribution device subsystem and the NTA resource pool, and the aggregation and distribution device subsystem is connected to the NTA resource pool. The aggregation and distribution device generates an NTA resource pool address request message from the collected network data stream, sends it to the control server, encapsulates the network data stream according to the response message fed back by the control server and transmits it to the target NTA device, the response message containing the target NTA device address of the target NTA device in the NTA resource pool; the control server receives the request message sent by the aggregation and distribution device and feeds back to it the response message determined from that request; the target NTA device receives the encapsulated network data stream sent by the aggregation and distribution device, parses it and performs security analysis on it. This solves the problem of high investment cost caused by the poor scalability, inability to multiplex NTA device resources and unbalanced resource use of the conventional point-to-point direct-connection network security analysis system: by having the control server uniformly control the aggregation and distribution devices and the NTA resource pool devices, it provides a network security analysis system in which policy control can be flexibly allocated, thereby reducing the investment cost.
Optionally, the aggregation and distribution device includes a request message generation module;
the request message generation module is used to determine service data identification information based on the network data stream, and to generate an NTA resource pool address request message containing the service data identification information.
The service data identification information is identification information obtained by the aggregation and distribution device defining the system attribute information of the collected network data stream.
Specifically, after collecting the network data stream from the network system, the aggregation and distribution device determines the service data identification information corresponding to the network data stream according to a predefined format for that information, and generates an NTA resource pool address request message containing it, the request message being in a message format that the control server can recognize.
Optionally, the service data identification information includes: the network data stream number, the aggregation and distribution device name, the service system name and the geographic location information of the service system;
the network data stream number is determined from the five-tuple of the network data stream, that is, its source IP address, source port, destination IP address, destination port and transport layer protocol, and may represent the transmission path of the original data of the network data stream. Illustratively, the network data stream number range may be A0000-Z9999.
The aggregation and distribution device name may be composed of the device attribute, the device number and the device manufacturer, for example FL0001HAJX, where FL denotes an aggregation and distribution device, 0001 is the device number and HAJX denotes the device manufacturer. The service system name is the name of the service system to which the NTA device belongs and may be expressed as an abbreviation of that name, for example EYCX for a mobile internet malicious program monitoring system, JMU for a Trojan, virus and botnet monitoring system, IDC for an internet data center and TYDPI for unified DPI. The geographic location information of the service system may be represented by custom province and city numbers.
The service data identification information may be in the format network data stream number . aggregation and distribution device name . service system identification . service system city number . service system province number, for example A0001.FL0001HAJX.EYCX.01.531, that is, stream A0001, aggregation and distribution device 0001 of manufacturer HAJX, malicious program monitoring system, Jinan, Shandong.
Optionally, the control server includes:
a verification module, used to verify the aggregation and distribution device name contained in the NTA resource pool address request message;
a device identification information determination module, used to query the NTA control policy according to the network data stream number in the verified NTA resource pool address request message, so as to determine the target NTA device identification information;
a device address determination module, used to determine the target NTA device address from the target NTA device identification information;
and a response message generation module, used to generate a response message containing the target NTA device address.
The NTA control policy may be set according to actual requirements; for example, a control policy may be formulated from the priority, weight and current running state of each NTA device in the NTA resource pool, which the embodiment of the present invention does not limit. The NTA control policy can also arrange for network data streams of the same session that are collected by different aggregation and distribution devices to be sent, over different transmission paths, to the same target NTA device, so that a session's traffic has the same source and the same destination for analysis.
Specifically, the control server includes a verification module, a device identification information determination module, a device address determination module and a response message generation module.
After an NTA resource pool address request message is received, the verification module verifies the aggregation and distribution device name it contains. If verification passes, the device identification information determination module queries a preset NTA control policy according to the network data stream number in the request message to determine the target NTA device identification information of the target NTA device corresponding to that stream number. The device address determination module obtains the target NTA device address from the target NTA device identification information, and the response message generation module generates a response message containing the target NTA device address in a format that the aggregation and distribution device can recognize.
Optionally, the target NTA device identification information includes: the target NTA device address, the target NTA device name, the target service system name and the geographic location information of the target service system.
Illustratively, the target NTA device identification information is edited, modified and saved in the control policy of the control server. The target NTA device address is the port IP address of the target NTA device. The target NTA device name may be NTA device attribute + NTA device number + NTA device manufacturer, e.g. NTA0001HAJX, where NTA denotes an NTA device, 0001 is the NTA device number and HAJX denotes the NTA device manufacturer. The service system name is the name of the service system to which the target NTA device belongs and may be represented by an abbreviation of the target service system name, for example EYCX for a mobile internet malicious program monitoring system, JMU for a Trojan, virus and botnet monitoring system, IDC for an internet data center and TYDPI for unified DPI. The geographic location information of the target service system may be represented by custom province and city numbers.
The NTA device identification information may, for example, be in the format target NTA device address . target NTA device name . target service system identification . target service system city number . target service system province number, for example 172.168.0.10.NTA0001HAJX.EYCX.01.531, that is, address 172.168.0.10, target NTA device 0001 of manufacturer HAJX, malicious program monitoring system, Jinan, Shandong.
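The request and response exchange described in this and the preceding section, as an added illustration that is not part of the patent: an aggregation and distribution device derives the A0000-Z9999 stream number from the five-tuple and builds the dotted service data identification, and a control server verifies the device name, applies a weighted NTA control policy that skips faulty devices, and answers with the target NTA device identification. The five-tuple-to-number mapping, the pool entries, the weights and the hash-based selection are assumptions; only the message formats come from the text.

```python
import hashlib
import ipaddress
import re

# Constructed sample NTA resource pool (not from the patent). Each entry uses the
# target NTA device identification format of the text:
# address . device name . service system id . city number . province number
NTA_POOL = [
    "172.168.0.10.NTA0001HAJX.EYCX.01.531",
    "172.168.0.11.NTA0002HAJX.EYCX.01.531",
    "172.168.0.12.NTA0003HAJX.EYCX.01.531",
]
# Constructed NTA control policy: weight and running state per NTA device name.
NTA_POLICY = {
    "NTA0001HAJX": {"weight": 2, "available": True},
    "NTA0002HAJX": {"weight": 1, "available": True},
    "NTA0003HAJX": {"weight": 1, "available": False},  # flagged faulty by the monitoring thread
}

DEVICE_NAME_RE = re.compile(r"FL\d{4}[A-Z]+")  # FL + device number + manufacturer code
FLOW_NUMBER_RE = re.compile(r"[A-Z]\d{4}")     # A0000 .. Z9999


def _h(data: str) -> int:
    """Stable 64-bit hash (hashlib rather than hash(), so values survive restarts)."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


def flow_number(src_ip, src_port, dst_ip, dst_port, proto):
    """Derive the A0000-Z9999 stream number from the five-tuple (assumed mapping).

    Endpoints are sorted so both directions of one session map to the same number,
    which is what lets two aggregation devices that each see one direction of a
    session be steered to the same NTA device.
    """
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted([a, b])
    h = _h(f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}")
    return f"{chr(ord('A') + h % 26)}{(h // 26) % 10000:04d}"


def build_request(flow_no, device_name, system_id, city_no, province_no):
    """Aggregation device side: the NTA resource pool address request message."""
    return ".".join((flow_no, device_name, system_id, city_no, province_no))


def parse_nta_identification(ident):
    """Split 'a.b.c.d.NAME.SYS.CITY.PROV' into (address, name, system, city, province)."""
    address, name, system_id, city_no, province_no = ident.rsplit(".", 4)
    ipaddress.ip_address(address)  # raises ValueError if the address part is malformed
    return address, name, system_id, city_no, province_no


def handle_request(message, pool=NTA_POOL, policy=NTA_POLICY):
    """Control server side: verify, consult the policy, return the response or None."""
    parts = message.split(".")
    if len(parts) != 5:
        return None
    flow_no, device_name, system_id, _city, _province = parts
    # Verification module: reject requests whose fields are not well-formed.
    if not DEVICE_NAME_RE.fullmatch(device_name) or not FLOW_NUMBER_RE.fullmatch(flow_no):
        return None
    # Device identification module: available NTA devices of the requested service
    # system, repeated according to their weight (weight control).
    candidates = []
    for ident in pool:
        _addr, name, nta_system, _c, _p = parse_nta_identification(ident)
        state = policy.get(name)
        if nta_system != system_id or not state or not state["available"]:
            continue
        candidates.extend([ident] * state["weight"])
    if not candidates:
        return None  # no usable NTA device for this service system
    # Hash the stream number so every request for one session lands on one device.
    target = candidates[_h(flow_no) % len(candidates)]
    # Device address module and response message generation module.
    address = parse_nta_identification(target)[0]
    return {"target_nta_address": address, "target_nta_identification": target}
```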
Optionally, the convergence splitting device includes: the network data stream transmission module specifically comprises:
the acquisition unit is used for acquiring an output port address of the network data flow output by the convergence and distribution equipment;
the packaging unit is used for taking the output port address of the convergence and distribution device as a source address and taking the target NTA device address in the response message as a target address; based on a preset protocol, carrying out data encapsulation on the network data stream according to the source address and the target address to obtain an encapsulated network data stream;
and the transmission unit is used for transmitting the encapsulated network data stream to the target NTA equipment.
Specifically, the convergence and offloading device includes a network data stream transmission module, where the network data stream transmission module includes: the device comprises an acquisition unit, a packaging unit and a transmission unit. The acquisition unit acquires an output port address of the network data flow acquired by the convergence and distribution equipment and output from the convergence and distribution equipment. The encapsulation unit takes the output port address as a source address, takes a target NTA device address contained in the response message received by the convergence and distribution device as a target address, and encapsulates the network data stream according to the source address and the target address based on a preset protocol to obtain an encapsulated network data stream.
By way of example, the preset protocol may be an Ethernet protocol or a GTP protocol.
Example II
Fig. 3 is a flowchart of a network security analysis method according to a second embodiment of the present invention. This embodiment is applicable to performing security analysis on a network data stream generated by a service system, and the method may be performed by a convergence and distribution device in the network security analysis system. As shown in fig. 3, the method includes:
S210, collecting a network data stream, and generating an NTA resource pool address request message based on the network data stream.
Specifically, the convergence and distribution device collects network data streams generated by a service system accessed into the network security analysis system, and generates NTA resource pool address request information according to attribute information of the network data streams, service system information for generating the network data streams and information of the convergence and distribution device for collecting the network data streams.
S220, sending an NTA resource pool address request message to the control server.
The NTA resource pool address request message is used for requesting from the control server the target NTA device address for the received network data stream.
Specifically, the convergence and distribution device sends the generated NTA resource pool address request message to the control server, so as to request that the control server feed back the target NTA device address.
S230, receiving a response message fed back by the control server, wherein the response message comprises a target NTA equipment address determined according to the NTA resource pool address request message.
Specifically, after receiving the NTA resource pool address request message sent by the convergence and distribution device, the control server determines the target NTA device address according to the request message, generates a response message containing the target NTA device address, and feeds the response message back to the convergence and distribution device. Thus, after receiving the response message fed back by the control server, the convergence and distribution device can determine the target NTA device address for the received network data stream.
S240, encapsulating the network data stream according to the response message and transmitting it to the target NTA device in the NTA resource pool.
Specifically, the network data stream is encapsulated according to the target NTA device address in the response message and the output port address of the network data stream on the convergence and distribution device, and the encapsulated network data stream can then be transmitted to the target NTA device in the NTA resource pool according to the target NTA device address.
In this embodiment, the convergence and distribution device collects the network data stream and generates an NTA resource pool address request message based on it; sends the request message to the control server; receives a response message fed back by the control server, the response message comprising a target NTA device address determined according to the request message; and encapsulates the network data stream according to the response message before transmitting it to the target NTA device in the NTA resource pool. This addresses the problems of the conventional point-to-point direct connection mode of a network security analysis system, namely poor expandability, inability to multiplex NTA device resources, and high investment cost caused by unbalanced resource use. The convergence and distribution devices are controlled uniformly by the control server and transmit network data streams to the target NTA devices, so that NTA devices are multiplexed, resource use is balanced, and investment cost is reduced.
Example III
Fig. 4 is a flowchart of a network security analysis method according to a third embodiment of the present invention. This embodiment is applicable to performing security analysis on a network data stream generated by a service system, and the method may be performed by a control server in the network security analysis system. As shown in fig. 4, the method includes:
S310, receiving an NTA resource pool address request message sent by the convergence and distribution device that collects the network data stream.
Specifically, the control server receives an NTA resource pool address request message sent by the convergence and distribution device that collects the network data stream. The NTA resource pool address request message may include attribute information of the collected network data stream, information on the service system that generates the network data stream, and information on the convergence and distribution device that collects the network data stream.
S320, determining a response message according to the NTA resource pool address request message, wherein the response message contains the address of the target NTA device.
Specifically, when the control server receives the NTA resource pool address request message sent by the convergence and distribution device, according to the network data flow information contained in the NTA resource pool address request message, the control server queries the NTA control policy to determine the target NTA device address, and generates a response message containing the target NTA device address.
The NTA control policy may be set according to actual requirements, for example, a control policy may be formulated according to priority, weight and current running state of each NTA device in the NTA resource pool, which is not limited in the embodiment of the present invention. The NTA control policies are pre-stored in the control server and may be edited, modified and saved.
S330, feeding back the response message to the convergence and distribution device that collects the network data stream.
Specifically, the control server feeds back the response message containing the target NTA device address to the convergence and distribution device that collects the network data stream, so that, following the indication in the response message, that device can transmit the network data stream to the target NTA device over the network connecting the convergence and distribution device and the target NTA device.
In this embodiment, the control server receives the request message sent by the convergence and distribution device; determines a response message according to the request message, the response message containing the target NTA device address; and feeds the response message back to the convergence and distribution device. The convergence and distribution device can thus be flexibly directed to transmit the network data stream to the target NTA device in the NTA resource pool, so that NTA devices are multiplexed, resource use is balanced, and investment cost is reduced.
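The request/response exchange of Examples II and III, together with the encapsulation step of the network data stream transmission module, as an added illustration that is not the patent's own code. It assumes constructed field names, a concrete selection rule for the NTA control policy (priority tier first, then the lowest assigned/weight ratio among running devices), a sticky per-flow table, and a textual stand-in for the Ethernet/GTP carrier; none of these specifics are given by the patent.

```python
"""Added illustration of the NTA resource pool control-plane exchange.

Constructed model, not the patent's code: the convergence and distribution
device derives a flow number from the 5-tuple and sends an NTA resource pool
address request; the control server verifies the device name, consults an
NTA control policy (priority, weight, running state) and returns the target
NTA device address; the device then encapsulates the stream toward it.
Field names, the selection rule and the sticky flow table are assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class NtaDevice:
    """One NTA device in the resource pool (constructed policy fields)."""
    name: str
    address: str
    priority: int          # lower value is preferred
    weight: int            # relative share among devices of equal priority
    running: bool = True   # current running state known to the control server
    assigned: int = 0      # flows currently assigned (constructed load counter)


def flow_number(src_ip, src_port, dst_ip, dst_port, proto):
    """Derive a stable network data stream number from the 5-tuple (claim 2)."""
    key = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{proto}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def build_request(five_tuple, device_name, service_system, province, city):
    """Convergence and distribution device side (S210): the request message."""
    return {
        "flow_number": flow_number(*five_tuple),
        "device_name": device_name,          # verified by the control server
        "service_system": service_system,
        "province": province,
        "city": city,
    }


class ControlServer:
    """Control server side (S310 to S330)."""

    def __init__(self, registered_devices, pool):
        self.registered = set(registered_devices)  # known collector names
        self.pool = pool
        self.flow_table = {}  # flow_number -> target address (assumed sticky)

    def select(self):
        """NTA control policy: running devices only, best priority tier first,
        then the device with the lowest assigned/weight ratio in that tier."""
        candidates = [d for d in self.pool if d.running]
        if not candidates:
            return None
        best = min(d.priority for d in candidates)
        tier = [d for d in candidates if d.priority == best]
        return min(tier, key=lambda d: d.assigned / max(d.weight, 1))

    def handle(self, request):
        """Verify the device name, then resolve the target NTA device address."""
        if request["device_name"] not in self.registered:
            return {"status": "rejected", "reason": "unknown device name"}
        fn = request["flow_number"]
        if fn in self.flow_table:          # keep a flow on one NTA device
            return {"status": "ok", "target_nta_address": self.flow_table[fn]}
        dev = self.select()
        if dev is None:
            return {"status": "rejected", "reason": "no running NTA device"}
        dev.assigned += 1
        self.flow_table[fn] = dev.address
        return {"status": "ok", "target_nta_address": dev.address,
                "target_nta_name": dev.name}


def encapsulate(payload: bytes, out_port_addr: str, target_addr: str) -> bytes:
    """Device side (S240): wrap the stream with source = output port address and
    destination = target NTA address. The patent names Ethernet or GTP as the
    carrier; this textual header is a constructed stand-in for either."""
    return f"{out_port_addr}->{target_addr}|".encode() + payload


if __name__ == "__main__":
    pool = [NtaDevice("nta-a", "10.0.0.1", 1, 2),
            NtaDevice("nta-b", "10.0.0.2", 1, 1),
            NtaDevice("nta-c", "10.0.0.3", 2, 1)]
    server = ControlServer(["cd-01"], pool)
    for i in range(3):  # constructed flows from one collector
        req = build_request(("192.0.2.%d" % i, 40000 + i, "198.51.100.9", 443, "tcp"),
                            "cd-01", "svc-web", "01", "531")
        resp = server.handle(req)
        print(req["flow_number"], resp)
        if resp["status"] == "ok":
            print(encapsulate(b"<stream bytes>", "172.16.0.5", resp["target_nta_address"]))
```

With two priority-1 devices of weights 2 and 1, three new flows land on the first, the second, then the first again; a request from an unregistered collector name is rejected before any policy lookup.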
Example IV
Fig. 5 shows a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may be a convergence and distribution device or a control server in the network security analysis system. The components shown herein, their connections and relationships, and their functions are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 40 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 40 can also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 40 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be any of a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the network security analysis method.
In some embodiments, the network security analysis method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 12 and/or the communication unit 19. One or more of the steps of the network security analysis method described above may be performed when the computer program is loaded into RAM 13 and executed by processor 11. Alternatively, in other embodiments, the processor 11 may be configured to perform the network security analysis method in any other suitable way (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor; the programmable processor may be a special purpose or general-purpose programmable processor that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that the various forms of flow shown above may be used with steps reordered, added, or deleted. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved; the present invention is not limited in this respect.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (8)

1. A network security analysis system, comprising: a convergence and distribution device subsystem comprising a plurality of convergence and distribution devices, an NTA resource pool comprising a plurality of NTA devices based on network traffic analysis technology, and a control server; the control server is connected to the convergence and distribution device subsystem and to the NTA resource pool respectively; the convergence and distribution device subsystem is connected to the NTA resource pool;
the convergence and distribution device is used for generating an NTA resource pool address request message according to the collected network data stream and sending the NTA resource pool address request message to the control server; and for encapsulating the network data stream according to a response message fed back by the control server and transmitting it to a target NTA device, wherein the response message comprises the target NTA device address corresponding to the target NTA device in the NTA resource pool; wherein the convergence and distribution device comprises a request message generation module; the request message generation module is used for determining service data identification information based on the network data stream and generating an NTA resource pool address request message containing the service data identification information; the service data identification information includes: network data stream number, convergence and distribution device name, service system name and service system geographic location information;
the control server is used for determining a response message according to the received NTA resource pool address request message sent by the convergence and distribution device, and feeding the response message back to the convergence and distribution device that collects the network data stream; wherein the control server includes: a verification module, used for verifying the convergence and distribution device name contained in the NTA resource pool address request message; a device identification information determining module, used for querying the NTA control policy according to the network data stream number in the verified NTA resource pool address request message to determine target NTA device identification information; a device address determining module, used for determining the target NTA device address for the target NTA device identification information; and a response message generation module, used for generating a response message containing the target NTA device address; the NTA resource pool address request message comprises attribute information of the collected network data stream, information on the service system that generates the network data stream, and information on the convergence and distribution device that collects the network data stream;
the target NTA device is used for receiving the encapsulated network data stream, parsing it and performing security analysis on it.
2. The system of claim 1, wherein the network data flow number is determined by five tuple information of the network data flow, the five tuple information comprising: a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.
3. The system of claim 1, wherein the target NTA device identification information includes: target NTA device address, target NTA device name, target service system identification, and target service system geographical location information.
4. The system of claim 3, wherein the convergence and distribution device further comprises a network data stream transmission module, which comprises:
an acquisition unit, used for acquiring the output port address through which the convergence and distribution device outputs the network data stream;
an encapsulation unit, used for taking the output port address of the convergence and distribution device as the source address and the target NTA device address in the response message as the target address, and, based on a preset protocol, encapsulating the network data stream according to the source address and the target address to obtain an encapsulated network data stream;
and a transmission unit, used for transmitting the encapsulated network data stream to the target NTA device.
5. A network security analysis method, applied to the convergence and distribution device in the network security analysis system as set forth in any one of claims 1 to 4, the method comprising:
collecting a network data stream, and generating an NTA resource pool address request message according to attribute information of the network data stream, information on the service system that generates the network data stream, and information on the convergence and distribution device that collects the network data stream;
sending the NTA resource pool address request message to a control server;
receiving a response message fed back by the control server, wherein the response message comprises a target NTA equipment address determined according to the NTA resource pool address request message;
and encapsulating the network data stream according to the response message and transmitting it to the target NTA device in the NTA resource pool.
6. A network security analysis method, applied to the control server in the network security analysis system of any one of claims 1 to 4, comprising:
receiving an NTA resource pool address request message sent by the convergence and distribution device that collects the network data stream;
verifying the convergence and distribution device name contained in the NTA resource pool address request message;
querying an NTA control policy according to the network data stream number in the verified NTA resource pool address request message to determine target NTA device identification information;
determining the target NTA device address for the target NTA device identification information, and generating a response message containing the target NTA device address;
and feeding the response message back to the convergence and distribution device that collects the network data stream.
7. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the network security analysis method of any one of claims 5-6.
8. A computer readable storage medium storing computer instructions for causing a processor to implement the network security analysis method of any one of claims 5-6 when executed.
CN202210206190.7A 2022-03-01 2022-03-01 Network security analysis system, method, equipment and storage medium Active CN114553583B (en)


Publications (2)

Publication Number Publication Date
CN114553583A CN114553583A (en) 2022-05-27
CN114553583B true CN114553583B (en) 2024-01-30

Family

ID=81661086




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant