CN115865670B - Method and device for adjusting concurrency performance of WEB security gateway based on kernel tuning - Google Patents


Info

Publication number
CN115865670B
Authority
CN
China
Prior art keywords
gateway
kernel
target
classification
security gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310168264.7A
Other languages
Chinese (zh)
Other versions
CN115865670A (en)
Inventor
苑志超
董朝阳
铁智慧
刘奎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Primate Intelligent Technology Hangzhou Co ltd
Original Assignee
Primate Intelligent Technology Hangzhou Co ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a method and a device for adjusting the concurrency performance of a WEB security gateway based on kernel tuning. The method comprises: establishing a connection with a service server based on the TCP (transmission control protocol) fast open mechanism; acquiring gateway characteristic data corresponding to clients accessing the service server and normalizing it to obtain normalized gateway characteristics; inputting the normalized gateway characteristics into a classification model to obtain a gateway characteristic classification label; matching, among the classification labels stored for a plurality of kernel parameters, the target classification labels whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the corresponding target kernel parameters, and reconfiguring the local kernel parameters and making them take effect based on the target kernel parameters and the proxy middleware. The embodiment optimizes TCP network transmission without changing the system architecture or the kernel of the security gateway, which both improves the overall concurrency performance of the security gateway and reduces the implementation cost.

Description

Method and device for adjusting concurrency performance of WEB security gateway based on kernel tuning
Technical Field
The application relates to the technical field of concurrency performance tuning, in particular to a method and a device for adjusting the concurrency performance of a WEB security gateway based on kernel tuning.
Background
With the emergence of a series of internet products such as Web 3.0, WeChat applets and mobile apps, Web-based internet applications are used ever more widely. The rapid development of Web services has also drawn strong attention from hackers, who exploit system vulnerabilities to gain control of the server, tamper with website content and steal user data, seriously threatening users' personal privacy and property security.
The Web security gateway is a gateway-type security product created for Web service security. It is deployed between the client and the real server, and all client requests pass through it. Its defence is implemented not by packet filtering but by proxying: the client interacts directly with the security gateway, and only after the security gateway has checked that the client's request is clean does it initiate the request to the server, obtain the response and forward it to the client. Detection and processing are completed at the application layer.
The Web security gateway sits between the client and the server and is connected in series with the whole network, so its concurrency performance directly affects the concurrency performance of the entire network. The main reason for the low concurrency performance of current Web security gateways is that hardware such as the CPU and memory is poorly utilized, so the hardware performance of the security gateway cannot be greatly improved.
To address the low concurrency performance of Web security gateways, two approaches are mainly adopted at present:
The first approach uses virtual IP technology to deploy a plurality of virtual machines on a single security gateway, improving hardware utilization and thereby the overall concurrency performance of the system; the related physical clustering method uses a plurality of physical gateway devices and distributes data streams to different gateways through load balancing, so as to improve the overall concurrency performance of the system.
The first approach has the following disadvantages: 1) deploying a plurality of proxy programs on a single security gateway modifies the system architecture, the proxy information on the security gateway must be reconfigured, and the plurality of proxy programs are inconvenient to maintain and manage; 2) the physical clustering method is costly and energy-intensive.
The second approach is to customize the operating system kernel so that it can provide network information and hardware resource usage information, and then adjust kernel parameters dynamically according to that information.
The second approach has the following disadvantages: 1) the customized kernel has not undergone long-term public testing and may contain latent vulnerabilities that affect the normal operation of the security gateway service; 2) only the kernel parameters are modified, and the proxy middleware of the security gateway is not optimized.
Disclosure of Invention
The embodiment of the application provides a method and a device for adjusting the concurrency performance of a WEB security gateway based on kernel tuning, aiming to solve the problems in the prior art that, when a security gateway adopts a virtual IP or a customized kernel, the cost rises because the system architecture changes greatly, and the gateway operates abnormally because the kernel is unstable.
In a first aspect, an embodiment of the present application provides a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning, including:
establishing connection with a service server based on a TCP protocol quick opening mechanism;
acquiring gateway characteristic data corresponding to clients accessing the service server and normalizing it to obtain normalized gateway characteristics; the gateway characteristic data is characteristic data generated when clients access the service server through the security gateway, and at least comprises TCP connection behavior information, connection quality information and gateway resource usage information;
acquiring a pre-trained classification model, and inputting the normalized gateway characteristics into the classification model for classification to obtain a gateway characteristic classification label;
and matching, among the stored classification labels of the plurality of kernel parameters, the target classification labels whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification labels, and reconfiguring the local kernel parameters and making them take effect based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway.
In a second aspect, an embodiment of the present application provides a device for adjusting concurrency performance of a WEB security gateway based on kernel tuning, including:
the connection establishment unit is used for establishing connection with the service server based on a TCP protocol quick opening mechanism;
the feature data acquisition unit is used for acquiring gateway feature data corresponding to clients accessing the service server and normalizing it to obtain normalized gateway features; the gateway feature data is feature data generated when clients access the service server through the security gateway, and at least comprises TCP connection behavior information, connection quality information and gateway resource usage information;
the feature data learning unit is used for acquiring a pre-trained classification model, inputting the normalized gateway features into the classification model for classification, and obtaining a gateway feature classification label;
and the system tuning unit is used for matching, among the stored classification labels of the plurality of kernel parameters, the target classification labels whose similarity to the gateway feature classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification labels, and reconfiguring the local kernel parameters and making them take effect based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway.
In a third aspect, an embodiment of the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to the first aspect when the processor executes the computer program.
In a fourth aspect, an embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program when executed by a processor causes the processor to perform the method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to the first aspect.
The embodiment of the application provides a method and a device for adjusting the concurrency performance of a WEB security gateway based on kernel tuning, where the method comprises the following steps: establishing a connection with a service server based on the TCP fast open mechanism; acquiring gateway characteristic data corresponding to clients accessing the service server and normalizing it to obtain normalized gateway characteristics; acquiring a pre-trained classification model, and inputting the normalized gateway characteristics into the classification model for classification to obtain a gateway characteristic classification label; and matching, among the stored classification labels of the plurality of kernel parameters, the target classification labels whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification labels, and reconfiguring the local kernel parameters and making them take effect based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway. The embodiment optimizes the TCP network transmission mode without changing the system architecture or the kernel of the security gateway, which both improves the overall concurrency performance of the security gateway and reduces the implementation cost.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present invention;
fig. 3 is a schematic sub-flowchart of a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present application;
FIG. 4 is a schematic block diagram of a distributed system and a kernel tuning-based concurrent performance adjusting device for a WEB security gateway according to an embodiment of the present application;
fig. 5 is a schematic block diagram of a computer device provided in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic application scenario diagram of a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of a method for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present invention. The WEB security gateway concurrency performance adjusting method based on kernel tuning is applied to the security gateway 20.
As shown in FIG. 2, the method includes steps S101-S104.
S101, establishing connection with a service server based on a TCP protocol quick opening mechanism.
In this embodiment, the technical scheme is described with the security gateway as the executing body. In the prior art, an ordinary connection based on the transmission control protocol is established with the service server; the difference in the present application is that the communication connection between the security gateway and the service server is established based on the TCP fast open mechanism, i.e. TCP Fast Open (abbreviated TFO).
Once the TCP fast open mechanism is enabled on both the security gateway and the service server, the delay of a client access request (such as an HTTP request) from the security gateway to the service server can be reduced.
In one embodiment, step S101 includes:
acquiring a pre-stored TCP fast open function enabling instruction;
and starting the local container and the proxy middleware, and executing the TCP fast open function enabling instruction to establish a communication connection with the service server.
In this embodiment, when the communication connection between the security gateway and the service server is established based on the TCP fast open mechanism, a pre-stored TCP fast open enabling instruction (for example, the command sysctl -w net.ipv4.tcp_fastopen=1) is first acquired on the security gateway; the local container and the proxy middleware of the security gateway are then started and their TFO functions enabled based on that instruction, so that TFO is finally enabled on the security gateway.
For the security gateway to connect to the service server using TFO, TFO must also be enabled on the service server. Specifically, the service server executes the command sysctl -w net.ipv4.tcp_fastopen=2, which enables TFO for the service server in its role as a server.
In one embodiment, after step S101, the method further includes:
if the number of connections with the service server is determined to be greater than 1 and an access request from a client is detected, carrying the access request in the first handshake of each connection with the service server and sending it to the service server.
In this embodiment, if the security gateway and the service server are connecting for the first time, that is, the number of connections between them equals 1, they still perform the ordinary TCP three-way handshake, after which an access request from the client can be sent to the service server. The security gateway obtains the client's access request in the third handshake of the client's TCP three-way handshake, and likewise, in its first TCP three-way handshake with the service server, the security gateway sends the access request to the service server in the third handshake. When the security gateway and the service server first establish the initial connection via the three-way handshake, the service server generates an encrypted small text file (an encrypted cookie) during the second handshake and sends it to the security gateway in the SYN-ACK packet of that second handshake; the security gateway caches the encrypted cookie locally for use in subsequent (non-first) handshakes with the service server.
When the number of connections between the security gateway and the service server is greater than 1, the initial connection has already been established and the interaction is a non-first interaction. If the security gateway then detects a client access request that it needs to send to the service server, a three-way handshake is still performed, but the first handshake of each interaction carries the access request together with the encrypted cookie, so the client's access request reaches the service server in the first handshake and the delay of the access request from the security gateway to the service server is reduced by 1 RTT (RTT is the round trip time; for example, the total duration of the first and second handshakes of the three-way handshake between the security gateway and the service server is regarded as 1 RTT). In this way the interaction delay between the security gateway and the service server is effectively reduced while the transmitted data volume is maintained.
In addition, the method and device do not need a plurality of physical gateways to raise the concurrency of the whole system; instead they raise the concurrency of a single physical gateway by optimizing the form of TCP network transmission, which reduces cost. Specifically, enabling TFO between the security gateway and the service server reduces the delay of the TCP connection handshake, lowers the response delay of the whole system and increases the concurrency of the security gateway. Compared with improving concurrency by deploying a plurality of virtual machines on a single gateway, the method does not change the original system architecture of the security gateway and does not increase maintenance cost.
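The first-connection and repeat-connection exchanges described above, as an added illustration that is not code from the patent: a simulated service server issues a keyed cookie in the SYN-ACK of the first handshake, and the simulated security gateway then sends the request together with the cached cookie in the first handshake of later connections, so the request reaches the server application two handshakes earlier. The cookie derivation, the server secret and the addresses are constructed assumptions, and no real sockets or sysctl settings are touched.

```python
"""Simulated TCP Fast Open (TFO) exchange between a security gateway (client
side, net.ipv4.tcp_fastopen=1) and a service server (server side,
net.ipv4.tcp_fastopen=2).  Added illustration, not the patent's code; the
cookie derivation, secret, addresses and handshake accounting are assumptions.
No real sockets are used, so it runs offline."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COOKIE_LEN = 8  # assumed length; the real cookie format is up to the server kernel


@dataclass
class ServiceServer:
    """Server side: issues a per-client cookie on first contact and only accepts
    data riding on a SYN when that cookie validates for the source address."""
    secret: bytes = b"constructed-server-secret"
    received: List[bytes] = field(default_factory=list)

    def cookie_for(self, client_ip: str) -> bytes:
        # Keyed over the client address: a peer must complete a real handshake
        # from that address to obtain it, so a spoofed SYN cannot inject data.
        return hmac.new(self.secret, client_ip.encode(), hashlib.sha256).digest()[:COOKIE_LEN]

    def on_syn(self, client_ip: str, cookie: Optional[bytes], data: Optional[bytes]) -> dict:
        """Handle the first handshake (SYN).  Returns what the SYN-ACK carries."""
        if cookie is not None and hmac.compare_digest(cookie, self.cookie_for(client_ip)):
            # Valid cookie: the request on the SYN reaches the application now.
            if data:
                self.received.append(data)
            return {"new_cookie": None, "data_accepted": bool(data)}
        # No or invalid cookie: ordinary three-way handshake; any data on the
        # SYN is dropped and a fresh cookie is issued in the SYN-ACK.
        return {"new_cookie": self.cookie_for(client_ip), "data_accepted": False}

    def on_ack(self, data: Optional[bytes]) -> None:
        """Third handshake (ACK) carrying the request the ordinary way."""
        if data:
            self.received.append(data)


@dataclass
class SecurityGateway:
    """Client side: caches the cookie per service server address."""
    ip: str
    cookie_cache: Dict[str, bytes] = field(default_factory=dict)
    connections: int = 0

    def send_request(self, server: ServiceServer, server_ip: str, request: bytes) -> int:
        """Forward one client request over a new connection.  Returns the
        handshake number in which the server application receives the request:
        3 for a first (ordinary) connection, 1 once a cookie is cached, i.e.
        the 1 RTT saving the text describes."""
        self.connections += 1
        cookie = self.cookie_cache.get(server_ip)
        # Handshake 1: SYN, plus cookie and request when a cookie is cached.
        reply = server.on_syn(self.ip, cookie, request if cookie else None)
        # Handshake 2: SYN-ACK, carrying a new cookie on first contact.
        if reply["new_cookie"] is not None:
            self.cookie_cache[server_ip] = reply["new_cookie"]
        if reply["data_accepted"]:
            return 1
        # Handshake 3: ACK with the request, as in the first connection.
        server.on_ack(request)
        return 3


def demo() -> List[int]:
    """Three consecutive client requests from the same gateway to one server."""
    server = ServiceServer()
    gateway = SecurityGateway(ip="10.0.0.2")  # constructed addresses
    return [gateway.send_request(server, "10.0.0.3", req)
            for req in (b"GET /a", b"GET /b", b"GET /c")]  # returns [3, 1, 1]


if __name__ == "__main__":
    print(demo())
```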
S102, acquiring gateway characteristic data corresponding to the client access service server and carrying out normalization processing to obtain normalized gateway characteristics.
The gateway characteristic data is characteristic data generated when clients access the service server through the security gateway, and at least comprises TCP connection behavior information, connection quality information and gateway resource usage information.
In this embodiment, as shown in fig. 1, once the client 10 (in implementation not limited to the single client shown in fig. 1 but a plurality of clients 10), the security gateway 20 and the service server 30 have successfully established communication connections, each access request of the client 10 is sent first to the security gateway 20. After a plurality of clients 10 have sent access requests to the security gateway 20 and finally accessed the service server 30, gateway characteristic data can be computed statistically on the security gateway 20 from those client accesses.
In a specific implementation, the security gateway 20 captures data packets in real time and calculates from them the TCP connection behavior information, the connection quality information and the gateway resource usage information on the security gateway 20, obtaining key data that reflects the network condition and resource usage on the security gateway; this information can then be used to further analyze the gateway characteristics of the security gateway 20 at the current moment. More specifically, a gateway characteristic data analysis period may be preset in the security gateway (the period is not limited to any particular length and may be set by the user according to actual requirements), and when the interval between the current system time and the previous gateway characteristic data analysis time equals the analysis period, the security gateway 20 analyzes the gateway characteristics based on the data packets at the current system time.
In one embodiment, as shown in fig. 3, step S102 includes:
s1021, acquiring the number of long connections and the number of short connections to form TCP connection behavior information;
s1022, acquiring network connection delay, packet loss rate and network bandwidth to form connection quality information;
s1023, acquiring CPU utilization rate, memory utilization rate and disk utilization rate to form gateway resource utilization information;
s1024, normalizing the TCP connection behavior information, the connection quality information and the gateway resource usage information, and concatenating the normalized results to form the normalized gateway characteristic.
In this embodiment, information such as the number of long connections and the number of short connections, obtained by parsing the data packets in the security gateway, forms the TCP connection behavior information (which in implementation is not limited to the information listed and may include further TCP connection related information); information such as network connection delay, packet loss rate and network bandwidth, likewise obtained from the data packets, forms the connection quality information (again not limited to the information listed and may include further TCP connection quality related information); and information such as CPU usage, memory usage and disk usage forms the gateway resource usage information (not limited to the information listed and may include further system resource usage related information). Because the TCP connection behavior information and, for example, the CPU usage differ in magnitude, which would affect the accuracy of the subsequent analysis, the TCP connection behavior information, the connection quality information and the gateway resource usage information are each normalized by mapping them to the interval [0, 1], and the normalized values are then concatenated to form the normalized gateway characteristic. Once the normalized gateway characteristic is obtained, its class can be further determined by the analysis model local to the security gateway.
S103, acquiring a pre-trained classification model, and inputting the normalized gateway characteristics into the classification model for classification to obtain a gateway characteristic classification label.
In this embodiment, a KNN model may be pre-trained locally on the security gateway as the classification model, where KNN is the K nearest neighbour classification algorithm. Its main idea is that, when predicting a new value x, the class of x is decided by the classes of the K points nearest to it. When the KNN model is trained, the characteristic data in the training set serves as the training samples, optimal kernel parameter information is collected according to gradient changes, and each sample is marked with an appropriate classification label. The most important part of the KNN algorithm is the choice of K, which determines the accuracy of the characteristic label obtained for an input characteristic; therefore during training K is increased step by step starting from a small value, the variance on a validation set is calculated each time, and finally a suitable K is found, completing the training of the KNN model. After the gateway characteristic classification label is determined from the normalized gateway characteristic and the classification model, it can be used to further analyze and determine the kernel parameter tuning of the security gateway.
S104, matching, among the stored classification labels, the target classification labels whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification labels, and reconfiguring the local kernel parameters and making them take effect based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway.
In this embodiment, once the security gateway knows the gateway characteristic classification label, and since it has prestored a plurality of classification labels and the kernel parameters corresponding to each, it determines the target classification label whose similarity to the gateway characteristic classification label exceeds the preset similarity threshold and obtains the corresponding target kernel parameter; this target kernel parameter is what adjusts the concurrency performance of the security gateway.
In an embodiment, matching, among the classification labels corresponding to the stored plurality of kernel parameters, the target classification label whose similarity to the gateway characteristic classification label exceeds the preset similarity threshold, and obtaining the target kernel parameter corresponding to the target classification label, includes:
Acquiring classification labels corresponding to each kernel parameter in the stored multiple kernel parameters and word vectors corresponding to each classification label;
acquiring a current word vector corresponding to the gateway characteristic classification tag;
acquiring cosine similarity between the current word vector and the word vector corresponding to each classification label, and taking the cosine similarity as the similarity between the gateway characteristic classification label and each classification label;
if the cosine similarity between the word vector corresponding to the classification label and the current word vector corresponding to the gateway characteristic classification label exceeds the preset similarity threshold, acquiring the corresponding classification label as a target classification label;
and acquiring kernel parameters corresponding to the target classification labels as the target kernel parameters.
In this embodiment, when the security gateway determines the target classification label similar to the gateway characteristic classification label, it may calculate the cosine similarity (Euclidean distance or the like may also be used) between the current word vector corresponding to the gateway characteristic classification label and the word vector of the classification label corresponding to each kernel parameter, determine the target word vectors whose cosine similarity to the current word vector exceeds the preset similarity threshold, and thereby obtain the target classification labels corresponding to those target word vectors. After the target classification labels are determined, the corresponding kernel parameters are obtained as the target kernel parameters, which serve as the parameter basis for the concurrency performance of the security gateway.
In an embodiment, before the obtaining, as the target kernel parameter, the kernel parameter corresponding to the target classification label, the method further includes:
if the number of the target classification labels is determined to be greater than 1, selecting, among the word vectors corresponding to the target classification labels, the word vector with the maximum cosine similarity to the current word vector, and taking its corresponding classification label to update the target classification label;
and if the number of the target classification labels is equal to 1, reserving the target classification labels.
In this embodiment, in order to obtain the target classification label more accurately, it is further necessary to determine whether the number of target classification labels is greater than 1. If the number of target classification labels is greater than 1, the cosine similarity between the word vectors of several classification labels and the current word vector exceeds the preset similarity threshold; in this case, the word vector with the maximum cosine similarity to the current word vector is selected among the word vectors corresponding to the target classification labels, and its classification label is used to update the target classification label. Of course, it is also possible to randomly choose one of the several target classification labels as the final target classification label.
If the number of target classification labels is equal to 1, the cosine similarity between the word vector of only one classification label and the current word vector exceeds the preset similarity threshold, and that target classification label is directly used as the final target classification label.
If the number of target classification labels is less than 1, no classification label similar to the gateway feature classification label has been stored in the security gateway in advance, and the adjustment of the security gateway concurrency performance can be assisted at least in the following way. The security gateway sends notification information prompting the maintainer to add a new classification label and its corresponding kernel parameters to the service server, and the service server forwards the notification information to the receiving terminal of the corresponding maintainer (that is, a smart terminal such as the smartphone used by the maintainer). The maintainer then adds, in time, a classification label meeting the new requirement and its corresponding kernel parameters to the security gateway.
In an embodiment, performing local kernel parameter reconfiguration based on the target kernel parameters and the proxy middleware, and making it take effect, includes:
based on the target kernel parameters, updating the /proc virtual file system by a data write operation and updating the configuration file in the proxy middleware accordingly;
restarting the proxy middleware so that the local kernel parameter reconfiguration takes effect.
In this embodiment, the determined target kernel parameters can bring the security gateway to the state with the best concurrency performance in the current environment. The target kernel parameters are written back to the /proc virtual file system of the security gateway, and the configuration file of the proxy middleware is automatically updated to be consistent with the target kernel parameters. Thereafter, the proxy middleware is restarted so that the configuration file takes effect.
Here, a kernel parameter may be modified by writing the parameter value into the corresponding file of the /proc virtual file system; for example, when the security gateway detects that a large number of TCP connections are established in a short time, modifying the kernel parameters includes changing the sizes of the TCP half-open (SYN) queue and the full-connection (accept) queue:
echo "1024" > /proc/sys/net/core/somaxconn
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
The kernel parameters may also be modified with the sysctl command, for example:
sysctl -w net.ipv4.tcp_syncookies=1
The sysctl command checks the validity of the parameter value when modifying kernel parameters.
The configuration of the kernel parameters and the proxy middleware is optimized dynamically, so that concurrency is increased by improving the utilization of gateway resources, without implementing a customized kernel. In this application, the security gateway does not modify the kernel itself but only its related parameters, so system stability is ensured. Moreover, the feature information of the gateway is extracted dynamically, and the configuration of the kernel parameters and the proxy middleware is modified according to these parameters, which removes the complexity and inaccuracy of manual modification.
The method realizes the optimization of TCP network transmission on the premise of not changing the system architecture and the kernel of the security gateway, thereby not only improving the overall concurrency performance of the system of the security gateway, but also reducing the realization cost.
The embodiment of the application also provides a WEB security gateway concurrency performance adjusting device based on kernel tuning, which is used for executing any embodiment of the WEB security gateway concurrency performance adjusting method based on kernel tuning. Specifically, referring to fig. 4, fig. 4 is a schematic block diagram of a device for adjusting concurrency performance of a WEB security gateway based on kernel tuning according to an embodiment of the present application. As shown in fig. 4, the WEB security gateway concurrency performance adjusting device 100 includes a connection establishment unit 110, a feature data acquisition unit 120, a feature data learning unit 130, and a system tuning unit 140.
The connection establishment unit 110 is configured to establish a connection with a service server based on a TCP fast open mechanism.
In this embodiment, the technical scheme is described with the security gateway as the execution body. In the prior art, a communication connection based on the transmission control protocol is established between a security gateway and a service server; the difference between this application and the prior art is that the communication connection between the security gateway and the service server is established based on the TCP fast open mechanism, namely TCP Fast Open (abbreviated TFO).
After the TCP protocol quick opening mechanism of the security gateway and the service server is opened, the time delay from the security gateway to the service server of an access request (such as an HTTP request) of a client can be optimized.
In one embodiment, the connection establishment unit 110 is specifically configured to:
acquiring a pre-stored TCP quick-opening function starting instruction;
and starting the local container and the proxy middleware, and executing the TCP quick opening function starting instruction to establish communication connection with the service server.
In this embodiment, when the communication connection between the security gateway and the service server is established based on the TCP fast open mechanism, a pre-stored TCP fast open function start instruction (for example, the command sysctl -w net.ipv4.tcp_fastopen=1) is first acquired in the security gateway; then the local container and the proxy middleware of the security gateway are started and their TFO functions are enabled according to that instruction, so that the TFO function of the security gateway is finally enabled.
To realize the connection between the security gateway and the service server based on the TFO function, the TFO function must also be enabled on the service server. Specifically, the service server executes the command sysctl -w net.ipv4.tcp_fastopen=2, which enables the TFO function on the service server acting as the server side.
In an embodiment, the WEB security gateway concurrency performance adjustment apparatus 100 further includes:
a request forwarding control unit, configured to, if the number of connections with the service server is greater than 1 and an access request from a client is detected, carry the access request in the first handshake of each interaction with the service server and send it to the service server.
In this embodiment, if the security gateway and the service server are connecting for the first time, that is, when the number of connections between the security gateway and the service server is determined to be equal to 1, the security gateway and the service server still perform the three-way handshake of the transmission control protocol, after which an access request sent by the client to the service server can be forwarded to the service server. The security gateway obtains the access request in the third handshake of the client's three-way handshake, and likewise, when the security gateway performs its first three-way handshake with the service server, it sends the access request to the service server in the third handshake. When the security gateway and the service server first establish the initial connection through the three-way handshake, the service server generates an encrypted small text file (an encrypted Cookie) during the second handshake and sends it to the security gateway in the SYN+ACK packet of the second handshake; the encrypted Cookie is cached locally on the security gateway for use in the subsequent (non-initial) handshakes between the security gateway and the service server.
When the number of connections between the security gateway and the service server is determined to be greater than 1, the security gateway and the service server have already established the initial connection, and the current connection is a non-initial interaction between them. If the security gateway then detects an access request from a client that must be sent to the service server, three handshakes are still needed when the security gateway interacts with the service server, but the first handshake of each interaction carries the access request and the encrypted Cookie, so the client's access request reaches the service server in the first handshake and the delay of the access request from the security gateway to the service server is reduced (specifically by 1 RTT, where RTT is the round-trip time; for example, the total duration of the first and second handshakes of the three-way handshake between the security gateway and the service server is regarded as 1 RTT). In this way, the interaction delay between the security gateway and the service server is effectively reduced while the amount of transmitted data is maintained.
In addition, the method and the device do not need several physical gateways to improve the overall concurrency of the system; instead, the concurrency of a single physical gateway is improved by optimizing the form of TCP network transmission, so the cost is reduced. Specifically, TFO is enabled between the security gateway and the service server, which reduces the delay caused by TCP handshake establishment, reduces the response delay of the whole system and increases the concurrency of the security gateway. Compared with the approach of deploying several virtual machines on a single gateway to improve concurrency, this method does not change the original system architecture of the security gateway and does not increase maintenance cost.
The feature data collection unit 120 is configured to obtain gateway feature data corresponding to the client access service server, and perform normalization processing to obtain normalized gateway features.
The gateway characteristic data is characteristic data generated by a client based on a security gateway access service server, and at least comprises TCP connection behavior information, connection quality information and gateway resource use information.
In this embodiment, as shown in fig. 1, when the client 10 (in the implementation, not limited to 1 client shown in fig. 1, but a plurality of clients 10), the security gateway 20 and the service server 30 successfully establish a communication connection, each access request of the client 10 is sent to the security gateway 20 first. After a plurality of clients 10 send access requests to the security gateway 20 and finally successfully access the service server 30, gateway characteristic data may be statistically calculated at the security gateway 20 based on the accesses of the clients 10.
In specific implementation, the security gateway 20 captures the data packet in real time, calculates the TCP connection behavior information, the connection quality information and the gateway resource usage information on the security gateway 20 based on the data packet, so as to obtain important data reflecting the network condition and the resource usage condition on the security gateway, and the obtained TCP connection behavior information, connection quality information and gateway resource usage information can be used for further analyzing the gateway characteristics of the security gateway 20 at the current moment. More specifically, a gateway characteristic data analysis period may be preset in the security gateway (for example, the gateway characteristic data analysis period is not limited to the foregoing periods of time, and may be set by user definition based on the actual requirement of the user when the specific implementation is performed) and when the time interval between the current system time and the previous gateway characteristic data analysis time is satisfied to be equal to the gateway characteristic data analysis period, the security gateway 20 performs the analysis processing of the gateway characteristic based on the data packet of the current system time.
In an embodiment, the feature data acquisition unit 120 is configured to:
acquiring the number of long connections and the number of short connections to form TCP connection behavior information;
acquiring network connection delay, packet loss rate and network bandwidth to form connection quality information;
acquiring CPU utilization rate, memory utilization rate and disk utilization rate to form gateway resource utilization information;
and normalizing the TCP connection behavior information, the connection quality information and the gateway resource usage information, and concatenating the normalized results to obtain the normalized gateway feature.
In this embodiment, information such as the number of long connections and the number of short connections obtained by parsing the data packets in the security gateway is used to form the TCP connection behavior information (in implementation, the TCP connection behavior information is not limited to the information listed and may include further TCP connection related information); the data packets in the security gateway can also be analyzed to obtain information such as network connection delay, packet loss rate and network bandwidth, forming the connection quality information (likewise not limited to the information listed, and may include further TCP connection quality related information); and the data packets in the security gateway can also be parsed to obtain information such as CPU usage rate, memory usage rate and disk usage rate, forming the gateway resource usage information (likewise not limited to the information listed, and may include further gateway system resource usage related information). Because the magnitude of the TCP connection behavior information differs from that of, for example, the CPU usage rate, which can affect the accuracy of the subsequent analysis, the TCP connection behavior information, the connection quality information and the gateway resource usage information are normalized so as to be mapped to the interval [0, 1], and the normalized TCP connection behavior information, normalized connection quality information and normalized gateway resource usage information are then concatenated to form the normalized gateway feature. After the normalized gateway feature is obtained, its classification label may be further determined based on the analysis model local to the security gateway.
The feature data learning unit 130 is configured to obtain a pre-trained classification model, input the normalized gateway feature to the classification model for classification, and obtain a gateway feature classification tag.
In this embodiment, a KNN model may be pre-trained locally on the security gateway as the classification model, where KNN is the K nearest neighbor classification algorithm. The main idea of the K nearest neighbor algorithm is that, when predicting a new value x, the class of x is determined by the classes of the K points nearest to it. When the KNN model is trained, the feature data in the training set are used as training samples, the optimal kernel parameter information is collected according to the gradient change, and each sample is marked with a suitable classification label. The most important part of the KNN algorithm is the choice of K, which determines the accuracy of the feature label obtained for input feature information; therefore, during training of the KNN model, K is increased step by step starting from a small value, the variance on the validation set is calculated for each K, and finally a suitable K is found, which completes the training of the KNN model. Once the gateway feature classification label has been determined from the normalized gateway feature and the classification model, it can be used to further analyze and determine the kernel parameter tuning of the security gateway.
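The following is an added example, not code from the patent, that carries the feature pipeline of units 120 and 130 through end to end: min-max normalization of the three feature groups to [0, 1], concatenation in a fixed order, a hand-written KNN classifier, and the K selection loop. The feature names, the (min, max) bounds, the sample statistics and the two label names are all constructed for the example; the patent gives none of them. One deliberate substitution: the block uses the misclassification rate on the validation set as the criterion for choosing K, where the text speaks of the variance on the validation set.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Order of the concatenated normalized gateway feature vector: TCP connection
# behaviour, then connection quality, then gateway resource usage. The (min, max)
# bounds are constructed for this example; a real gateway would derive them from
# its own observed ranges.
FEATURE_BOUNDS: List[Tuple[str, float, float]] = [
    ("long_connections", 0.0, 20000.0),   # TCP connection behaviour
    ("short_connections", 0.0, 50000.0),
    ("latency_ms", 0.0, 500.0),           # connection quality
    ("packet_loss", 0.0, 1.0),
    ("bandwidth_mbps", 0.0, 10000.0),
    ("cpu_pct", 0.0, 100.0),              # gateway resource usage
    ("mem_pct", 0.0, 100.0),
    ("disk_pct", 0.0, 100.0),
]
KEYS = [name for name, _, _ in FEATURE_BOUNDS]


def normalize(sample: Dict[str, float]) -> List[float]:
    """Min-max map each raw statistic to [0, 1] and concatenate in FEATURE_BOUNDS order."""
    vec = []
    for name, lo, hi in FEATURE_BOUNDS:
        v = (float(sample[name]) - lo) / (hi - lo)
        vec.append(min(1.0, max(0.0, v)))  # clamp values outside the assumed range
    return vec


def _euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train: List[Tuple[List[float], str]], x: List[float], k: int) -> str:
    """Majority vote among the k nearest training samples (ties broken by label name)."""
    nearest = sorted(train, key=lambda t: _euclid(t[0], x))[:k]
    votes: Dict[str, int] = {}
    for _, label in nearest:
        votes[label] = votes.get(label, 0) + 1
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


def validation_error(train, val, k: int) -> float:
    """Fraction of validation samples the k-NN vote gets wrong."""
    wrong = sum(1 for f, label in val if knn_predict(train, f, k) != label)
    return wrong / len(val)


def select_k(train, val) -> int:
    """Increase K from 1 and keep the smallest odd K with the lowest validation error."""
    best_k, best_err = 1, float("inf")
    for k in range(1, len(train) + 1, 2):
        err = validation_error(train, val, k)
        if err < best_err:
            best_k, best_err = k, err
    return best_k


def _sample(*values: float) -> Dict[str, float]:
    return dict(zip(KEYS, values))


# Constructed sample statistics: two operating regimes, each labelled with the
# classification label whose kernel parameters would be looked up afterwards.
RAW_TRAIN = [
    (_sample(500, 40000, 120, 0.02, 800, 85, 60, 30), "short_connection_burst"),
    (_sample(300, 35000, 150, 0.05, 700, 90, 55, 25), "short_connection_burst"),
    (_sample(800, 45000, 100, 0.01, 900, 80, 65, 35), "short_connection_burst"),
    (_sample(15000, 2000, 30, 0.0, 2000, 40, 70, 40), "long_connection_steady"),
    (_sample(18000, 1500, 25, 0.001, 2500, 35, 75, 45), "long_connection_steady"),
    (_sample(12000, 3000, 40, 0.0, 1800, 45, 65, 50), "long_connection_steady"),
]
RAW_VAL = [
    (_sample(400, 38000, 130, 0.03, 750, 88, 58, 28), "short_connection_burst"),
    (_sample(16000, 2500, 35, 0.0, 2200, 42, 72, 42), "long_connection_steady"),
]
TRAIN = [(normalize(s), label) for s, label in RAW_TRAIN]
VAL = [(normalize(s), label) for s, label in RAW_VAL]

if __name__ == "__main__":
    k = select_k(TRAIN, VAL)
    print("chosen K:", k)
    for vec, expected in VAL:
        print(knn_predict(TRAIN, vec, k), "expected", expected)
```

Clamping in `normalize` matters for a gateway that learns bounds from a quiet period: a burst that exceeds the assumed maximum still maps to 1.0 rather than pushing the feature outside the range the classifier was trained on.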
The system tuning unit 140 is configured to match, among the classification labels corresponding to the stored kernel parameters, a target classification label whose similarity with the gateway feature classification label exceeds a preset similarity threshold, obtain the target kernel parameters corresponding to the target classification label, and perform local kernel parameter reconfiguration based on the target kernel parameters and the proxy middleware and make it take effect, so as to adjust the concurrency performance of the security gateway.
In this embodiment, after the security gateway obtains the gateway feature classification tag, since the security gateway has pre-stored a plurality of classification tags and the kernel parameters corresponding to each, it determines a target classification tag whose similarity with the gateway feature classification tag exceeds a preset similarity threshold and obtains the target kernel parameters corresponding to that target classification tag; these target kernel parameters can then adjust the concurrency performance of the security gateway.
In an embodiment, matching, among the classification labels corresponding to the plurality of stored kernel parameters, a target classification label whose similarity with the gateway feature classification label exceeds a preset similarity threshold, and obtaining the target kernel parameters corresponding to the target classification label, includes:
Acquiring classification labels corresponding to each kernel parameter in the stored multiple kernel parameters and word vectors corresponding to each classification label;
acquiring a current word vector corresponding to the gateway characteristic classification tag;
acquiring cosine similarity between the current word vector and the word vector corresponding to each classification label, and taking the cosine similarity as the similarity between the gateway characteristic classification label and each classification label;
if the cosine similarity between the word vector corresponding to the classification label and the current word vector corresponding to the gateway characteristic classification label exceeds the preset similarity threshold, acquiring the corresponding classification label as a target classification label;
and acquiring kernel parameters corresponding to the target classification labels as the target kernel parameters.
In this embodiment, when the security gateway determines the target classification label similar to the gateway feature classification label, it may calculate the cosine similarity (Euclidean distance or another metric may also be used) between the current word vector corresponding to the gateway feature classification label and the word vector of the classification label corresponding to each kernel parameter, determine the target word vector whose cosine similarity with the current word vector exceeds the preset similarity threshold, and so obtain the target classification label corresponding to the target word vector. After the target classification label is determined, the corresponding kernel parameters can be obtained as the target kernel parameters, which serve as the parameter basis for the concurrency performance of the security gateway.
In an embodiment, the system tuning unit 140 is further configured to:
if the number of the target classification labels is determined to be greater than 1, selecting, among the word vectors corresponding to the target classification labels, the word vector with the maximum cosine similarity to the current word vector, and taking its corresponding classification label to update the target classification label;
and if the number of the target classification labels is equal to 1, reserving the target classification labels.
In this embodiment, in order to obtain the target classification label more accurately, it is further necessary to determine whether the number of target classification labels is greater than 1. If the number of target classification labels is greater than 1, the cosine similarity between the word vectors of several classification labels and the current word vector exceeds the preset similarity threshold; in this case, the word vector with the maximum cosine similarity to the current word vector is selected among the word vectors corresponding to the target classification labels, and its classification label is used to update the target classification label. Of course, it is also possible to randomly choose one of the several target classification labels as the final target classification label.
If the number of target classification labels is equal to 1, the cosine similarity between the word vector of only one classification label and the current word vector exceeds the preset similarity threshold, and that target classification label is directly used as the final target classification label.
If the number of target classification labels is less than 1, no classification label similar to the gateway feature classification label has been stored in the security gateway in advance, and the adjustment of the security gateway concurrency performance can be assisted at least in the following way. The security gateway sends notification information prompting the maintainer to add a new classification label and its corresponding kernel parameters to the service server, and the service server forwards the notification information to the receiving terminal of the corresponding maintainer (that is, a smart terminal such as the smartphone used by the maintainer). The maintainer then adds, in time, a classification label meeting the new requirement and its corresponding kernel parameters to the security gateway.
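The label-matching logic described in the method embodiment above and again for the system tuning unit 140 (cosine similarity against every stored label, threshold, and the three cases for more than one, exactly one, or no candidate) is shown below as an added example. It is not code from the patent: the label names, the four-dimensional word vectors and the kernel parameter sets attached to each label are constructed for the example, and a real gateway would obtain the vectors from whatever embedding it stores alongside its labels.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed word vectors for the classification labels stored on the gateway,
# and the kernel parameter set each label maps to. Both tables are invented for
# this example; the patent gives no concrete vectors or label names.
STORED_LABEL_VECTORS: Dict[str, List[float]] = {
    "short_connection_burst": [0.9, 0.1, 0.3, 0.0],
    "long_connection_steady": [0.1, 0.9, 0.2, 0.1],
    "bandwidth_limited":      [0.2, 0.2, 0.9, 0.3],
}
KERNEL_PARAMS_BY_LABEL: Dict[str, Dict[str, int]] = {
    "short_connection_burst": {"net.core.somaxconn": 1024,
                               "net.ipv4.tcp_max_syn_backlog": 1024,
                               "net.ipv4.tcp_syncookies": 1},
    "long_connection_steady": {"net.ipv4.tcp_keepalive_time": 600},
    "bandwidth_limited": {"net.core.rmem_max": 4194304},
}


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0  # a zero vector is similar to nothing
    return dot / (na * nb)


def candidate_labels(current_vec: Sequence[float],
                     stored: Dict[str, List[float]],
                     threshold: float) -> List[Tuple[str, float]]:
    """Every stored label whose cosine similarity with the current vector exceeds the threshold."""
    scored = ((label, cosine_similarity(current_vec, vec)) for label, vec in stored.items())
    return [(label, s) for label, s in scored if s > threshold]


def match_target_label(current_vec: Sequence[float],
                       stored: Dict[str, List[float]] = STORED_LABEL_VECTORS,
                       threshold: float = 0.8) -> Optional[str]:
    """The three cases from the text: more than one candidate -> keep the most
    similar; exactly one -> keep it; none -> None, so the caller can raise the
    maintainer notification instead of guessing a parameter set."""
    above = candidate_labels(current_vec, stored, threshold)
    if not above:
        return None
    if len(above) == 1:
        return above[0][0]
    return max(above, key=lambda t: t[1])[0]


def select_kernel_params(current_vec: Sequence[float],
                         threshold: float = 0.8) -> Tuple[Optional[Dict[str, int]], str]:
    label = match_target_label(current_vec, threshold=threshold)
    if label is None:
        return None, "notify maintainer: no stored label within similarity threshold"
    return KERNEL_PARAMS_BY_LABEL[label], label


if __name__ == "__main__":
    # Constructed current word vector for the freshly classified gateway feature.
    print(select_kernel_params([0.8, 0.2, 0.2, 0.0]))
    print(select_kernel_params([0.0, 0.0, 0.0, 1.0]))
```

Returning `None` for the no-candidate case, rather than silently falling back to the nearest label, keeps the automated path from applying a parameter set that was never validated for the observed traffic regime.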
In an embodiment, the system tuning unit 140 is further configured to:
based on the target kernel parameters, updating the /proc virtual file system by a data write operation and updating the configuration file in the proxy middleware accordingly;
restarting the proxy middleware so that the local kernel parameter reconfiguration takes effect.
In this embodiment, the determined target kernel parameters can bring the security gateway to the state with the best concurrency performance in the current environment. The target kernel parameters are written back to the /proc virtual file system of the security gateway, and the configuration file of the proxy middleware is automatically updated to be consistent with the target kernel parameters. Thereafter, the proxy middleware is restarted so that the configuration file takes effect.
Here, a kernel parameter may be modified by writing the parameter value into the corresponding file of the /proc virtual file system; for example, when the security gateway detects that a large number of TCP connections are established in a short time, modifying the kernel parameters includes changing the sizes of the TCP half-open (SYN) queue and the full-connection (accept) queue:
echo "1024" > /proc/sys/net/core/somaxconn
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
The kernel parameters may also be modified with the sysctl command, for example:
sysctl -w net.ipv4.tcp_syncookies=1
The sysctl command checks the validity of the parameter value when modifying kernel parameters.
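The reconfiguration step above (and the same step in the method embodiment earlier) writes target kernel parameters into /proc/sys; a shell redirection performs no check of its own, and the text notes that sysctl does. The added example below, which is not code from the patent, shows how an automated tuner can do the validity check itself before any write: the tunable names are restricted to an allowlist, values must be integers within a range, and the writes are rendered in sysctl -w form for a dry run or performed against /proc/sys only when explicitly requested. The allowlist and its ranges are assumptions chosen for the example; a deployment would fill them from the tunables its stored parameter table is allowed to touch.

```python
from typing import Dict, List, Tuple

# Allowlist of tunables the automatic reconfiguration is permitted to write, with
# the integer range accepted for each. These ranges are conservative bounds
# chosen for this example, not values taken from the patent.
ALLOWED_TUNABLES: Dict[str, Tuple[int, int]] = {
    "net.core.somaxconn": (128, 65535),
    "net.ipv4.tcp_max_syn_backlog": (128, 262144),
    "net.ipv4.tcp_syncookies": (0, 2),
    "net.ipv4.tcp_fastopen": (0, 3),
}


def proc_path(key: str) -> str:
    """Map a dotted sysctl key to the /proc/sys file the text writes with echo."""
    return "/proc/sys/" + key.replace(".", "/")


def validate_params(params: Dict[str, object]) -> Tuple[Dict[str, int], List[str]]:
    """Reject unknown keys, non-integers and out-of-range values instead of
    writing them blindly; returns (accepted, reasons for each rejection)."""
    accepted: Dict[str, int] = {}
    rejected: List[str] = []
    for key, value in params.items():
        if key not in ALLOWED_TUNABLES:
            rejected.append(f"{key}: not an allowlisted tunable")
            continue
        if isinstance(value, bool) or not isinstance(value, int):
            rejected.append(f"{key}: value {value!r} is not an integer")
            continue
        lo, hi = ALLOWED_TUNABLES[key]
        if not lo <= value <= hi:
            rejected.append(f"{key}: {value} outside [{lo}, {hi}]")
            continue
        accepted[key] = value
    return accepted, rejected


def render_sysctl_commands(accepted: Dict[str, int]) -> List[str]:
    """The sysctl -w form of each accepted write, in deterministic order."""
    return [f"sysctl -w {key}={value}" for key, value in sorted(accepted.items())]


def read_current(key: str) -> str:
    with open(proc_path(key)) as f:
        return f.read().strip()


def apply_kernel_params(params: Dict[str, object], dry_run: bool = True):
    """Validate, then either render the writes (dry run) or perform them.
    Live writes need root on a Linux host; returns (performed, rejected)."""
    accepted, rejected = validate_params(params)
    if dry_run:
        return render_sysctl_commands(accepted), rejected
    performed: List[str] = []
    for key, value in sorted(accepted.items()):
        if read_current(key) == str(value):
            continue  # already consistent with the target; skip the redundant write
        with open(proc_path(key), "w") as f:
            f.write(str(value))
        performed.append(f"{proc_path(key)}={value}")
    return performed, rejected


if __name__ == "__main__":
    # The three writes from the text, as the target parameter set of one label.
    target = {"net.core.somaxconn": 1024,
              "net.ipv4.tcp_max_syn_backlog": 1024,
              "net.ipv4.tcp_syncookies": 1}
    commands, problems = apply_kernel_params(target, dry_run=True)
    print("\n".join(commands))
    print("rejected:", problems)
```

Keeping the rejected list alongside the performed writes gives the maintainer notification described earlier something concrete to report when a stored parameter set is stale or malformed, and the dry-run output is what a change record for the restart of the proxy middleware should contain.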
The configuration of the kernel parameters and the proxy middleware is optimized dynamically, so that concurrency is increased by improving the utilization of gateway resources, without implementing a customized kernel. In this application, the security gateway does not modify the kernel itself but only its related parameters, so system stability is ensured. Moreover, the feature information of the gateway is extracted dynamically, and the configuration of the kernel parameters and the proxy middleware is modified according to these parameters, which removes the complexity and inaccuracy of manual modification.
The device optimizes TCP network transmission on the premise of not changing the system architecture and the kernel of the security gateway, thereby not only improving the overall concurrency performance of the system of the security gateway, but also reducing the realization cost.
The above kernel-tuning-based WEB security gateway concurrency performance adjusting apparatus of the distributed system may be implemented in the form of a computer program that can run on a computer device as shown in fig. 5.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 is a server, or a cluster of servers. The server may be an independent server, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
With reference to fig. 5, the computer device 500 includes a processor 502, a memory, and a network interface 505, which are connected by a device bus 501, where the memory may include a storage medium 503 and an internal memory 504.
The storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032, when executed, may cause the processor 502 to perform a kernel tuning based WEB security gateway concurrency performance tuning method for a distributed system.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the storage medium 503; the computer program 5032, when executed by the processor 502, causes the processor 502 to execute the kernel tuning based WEB security gateway concurrency performance adjustment method of the distributed system.
The network interface 505 is used for network communication, such as providing for transmission of data information, etc. Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of a portion of the architecture in connection with the present application and is not intended to limit the computer device 500 to which the present application is applied, and that a particular computer device 500 may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
The processor 502 is configured to run a computer program 5032 stored in a memory, so as to implement a method for adjusting concurrent performance of a WEB security gateway based on kernel tuning of a distributed system disclosed in an embodiment of the present application.
Those skilled in the art will appreciate that the embodiment of the computer device shown in fig. 5 is not limiting of the specific construction of the computer device, and in other embodiments, the computer device may include more or less components than those shown, or certain components may be combined, or a different arrangement of components. For example, in some embodiments, the computer device may include only a memory and a processor, and in such embodiments, the structure and function of the memory and the processor are consistent with the embodiment shown in fig. 5, and will not be described again.
It should be appreciated that in embodiments of the present application, the processor 502 may be a central processing unit (Central Processing Unit, CPU), the processor 502 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSPs), application specific integrated circuits (Application Specific Integrated Circuit, ASICs), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In another embodiment of the present application, a computer-readable storage medium is provided. The computer readable storage medium may be a nonvolatile computer readable storage medium or a volatile computer readable storage medium. The computer readable storage medium stores a computer program, wherein the computer program when executed by a processor realizes the WEB security gateway concurrency performance adjustment method based on kernel tuning of the distributed system disclosed by the embodiment of the application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus, device and unit described above may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein. Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division of the units is merely a logical function division, and another division may be used in actual implementation; units having the same function may be integrated into one unit; multiple units or components may be combined or integrated into another apparatus; and some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection via interfaces, devices or elements, and may be electrical, mechanical or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purposes of the embodiments of the present application.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
If the integrated units are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in a storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a background server, a network device, or the like) to perform all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or other media capable of storing program code.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A WEB security gateway concurrency performance adjusting method based on kernel tuning is applied to a security gateway and is characterized by comprising the following steps:
establishing connection with a service server based on a TCP protocol quick opening mechanism;
acquiring gateway characteristic data corresponding to a client access service server and carrying out normalization processing to obtain normalized gateway characteristics; the gateway characteristic data is characteristic data generated by a client based on a security gateway access service server, and at least comprises TCP connection behavior information, connection quality information and gateway resource use information;
acquiring a pre-trained classification model, and inputting the normalized gateway characteristics into the classification model for classification to obtain a gateway characteristic classification label;
and matching, among the stored classification labels corresponding to the plurality of kernel parameters, a target classification label whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification label, and performing and activating a local kernel parameter reconfiguration based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway.
2. The method of claim 1, wherein the obtaining gateway characteristic data corresponding to the client access service server and performing normalization processing to obtain normalized gateway characteristics includes:
acquiring the number of long connections and the number of short connections to form TCP connection behavior information;
acquiring network connection delay, packet loss rate and network bandwidth to form connection quality information;
acquiring CPU utilization rate, memory utilization rate and disk utilization rate to form gateway resource utilization information;
and performing normalization processing on the TCP connection behavior information, the connection quality information and the gateway resource use information respectively, and concatenating the normalized results to obtain the normalized gateway characteristics.
3. The method of claim 1, wherein the matching, among the stored classification labels corresponding to the plurality of kernel parameters, a target classification label whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, and acquiring the target kernel parameter corresponding to the target classification label, includes:
acquiring the classification label corresponding to each of the stored plurality of kernel parameters and the word vector corresponding to each classification label;
acquiring a current word vector corresponding to the gateway characteristic classification tag;
acquiring cosine similarity between the current word vector and the word vector corresponding to each classification label, and taking the cosine similarity as the similarity between the gateway characteristic classification label and each classification label;
if the cosine similarity between the word vector corresponding to the classification label and the current word vector corresponding to the gateway characteristic classification label exceeds the preset similarity threshold, acquiring the corresponding classification label as a target classification label;
and acquiring kernel parameters corresponding to the target classification labels as the target kernel parameters.
4. The method of claim 3, wherein prior to the obtaining the kernel parameter corresponding to the target class label as the target kernel parameter, the method further comprises:
if the number of target classification labels is determined to be greater than 1, selecting, among the word vectors corresponding to the target classification labels, the word vector with the maximum cosine similarity to the current word vector, and its corresponding classification label, to update the target classification label;
and if the number of target classification labels is equal to 1, retaining the target classification label.
5. The method according to claim 3 or 4, wherein said performing and activating a local kernel parameter reconfiguration based on said target kernel parameters and proxy middleware comprises:
updating and configuring a configuration file in the proxy middleware by a write data operation based on the target kernel parameters and/or the proc virtual file system;
and restarting the proxy middleware so that the local kernel parameter reconfiguration takes effect.
6. The method of claim 1, wherein establishing a connection with the traffic server based on a TCP protocol quick open mechanism comprises:
acquiring a pre-stored TCP quick-opening function starting instruction;
and starting the local container and the proxy middleware, and executing the TCP quick opening function starting instruction to establish communication connection with the service server.
7. The method of claim 6, wherein after said starting the local container and the proxy middleware and executing said TCP quick opening function starting instruction to establish a communication connection with said service server, the method further comprises:
if the number of connections with the service server is determined to be more than 1 and an access request of the client is detected, carrying the access request in each first handshake with the service server and sending it to the service server.
8. A WEB security gateway concurrency performance adjusting device based on kernel tuning, configured in a security gateway, characterized in that the device comprises:
the connection establishment unit is used for establishing connection with the service server based on a TCP protocol quick opening mechanism;
the feature data acquisition unit is used for acquiring gateway feature data corresponding to the client access service server and carrying out normalization processing to obtain normalized gateway features; the gateway characteristic data is characteristic data generated by a client based on a security gateway access service server, and at least comprises TCP connection behavior information, connection quality information and gateway resource use information;
the feature data learning unit is used for acquiring a pre-trained classification model, inputting the normalized gateway features into the classification model for classification, and obtaining a gateway feature classification label;
and a system tuning unit, used for matching, among the stored classification labels corresponding to the plurality of kernel parameters, a target classification label whose similarity to the gateway characteristic classification label exceeds a preset similarity threshold, acquiring the target kernel parameters corresponding to the target classification label, and performing and activating a local kernel parameter reconfiguration based on the target kernel parameters and the proxy middleware, so as to adjust the concurrency performance of the security gateway.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the WEB security gateway concurrency performance adjusting method based on kernel tuning of any one of claims 1 to 7.
10. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the WEB security gateway concurrency performance adjusting method based on kernel tuning of any one of claims 1 to 7.
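As an added example (not the patent's own code, and not a reproduction of the claimed classification model), the following Python carries claims 2 to 5 through on constructed data: min-max normalization and concatenation of the eight gateway features, cosine-similarity matching of the gateway label's word vector against the stored labels with the claim 4 tie rule, and the sysctl lines and /proc/sys paths the reconfiguration step would write. The feature bounds, label word vectors, similarity threshold and kernel parameter values are all assumed.

```python
from math import sqrt

# Constructed min/max bounds for the eight features of claim 2, in concatenation order.
FEATURE_BOUNDS = [
    ("long_connections", 0, 10000), ("short_connections", 0, 50000),          # TCP behaviour
    ("latency_ms", 0, 500), ("packet_loss", 0.0, 1.0), ("bandwidth_mbps", 0, 10000),  # quality
    ("cpu_pct", 0, 100), ("mem_pct", 0, 100), ("disk_pct", 0, 100),            # resource use
]

# Constructed: stored kernel parameter sets keyed by classification label. The sysctl
# keys are real Linux keys; the values are illustrative, not tuned recommendations.
KERNEL_PARAMS = {
    "high_concurrency_short_conn": {"net.ipv4.tcp_fastopen": "3",
                                    "net.ipv4.tcp_tw_reuse": "1",
                                    "net.core.somaxconn": "65535"},
    "long_conn_low_latency": {"net.ipv4.tcp_fastopen": "3",
                              "net.ipv4.tcp_keepalive_time": "600"},
    "resource_pressure": {"net.ipv4.tcp_max_syn_backlog": "8192"},
}

# Constructed 4-d word vectors standing in for a real embedding of each label.
LABEL_VECTORS = {
    "high_concurrency_short_conn": [0.9, 0.1, 0.2, 0.0],
    "long_conn_low_latency": [0.1, 0.9, 0.1, 0.0],
    "resource_pressure": [0.0, 0.1, 0.2, 0.9],
}


def normalize_features(raw):
    """Claim 2: min-max normalize each feature and concatenate into one vector."""
    out = []
    for name, lo, hi in FEATURE_BOUNDS:
        x = (raw[name] - lo) / (hi - lo)
        out.append(min(1.0, max(0.0, x)))  # clip out-of-range readings to [0, 1]
    return out


def cosine(a, b):
    """Cosine similarity between two equal-length vectors (claim 3)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))


def match_target(current_vec, threshold):
    """Claims 3 and 4: labels whose similarity exceeds the threshold are candidates;
    if several qualify, keep the most similar. Returns (label, params) or (None, None)."""
    scored = [(cosine(current_vec, v), label) for label, v in LABEL_VECTORS.items()]
    above = [(s, label) for s, label in scored if s > threshold]
    if not above:
        return None, None
    _, label = max(above)  # claim 4: more than one target -> keep the maximum similarity
    return label, KERNEL_PARAMS[label]


def proc_path(sysctl_key):
    """Claim 5: the proc virtual file system path that a sysctl key is written to."""
    return "/proc/sys/" + sysctl_key.replace(".", "/")


def render_sysctl(params):
    """Lines for a sysctl.d drop-in; the write and the proxy restart are left out."""
    return [f"{k} = {v}" for k, v in sorted(params.items())]
```

The block stops at rendering: actually writing to /proc/sys and restarting the proxy middleware require root on the gateway and are deliberately not performed here.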
CN202310168264.7A 2023-02-27 2023-02-27 Method and device for adjusting concurrency performance of WEB security gateway based on kernel tuning Active CN115865670B (en)

Publications (2)

Publication Number Publication Date
CN115865670A CN115865670A (en) 2023-03-28
CN115865670B true CN115865670B (en) 2023-06-16

Family

ID=85659047

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant