CN117336068A - Gateway equipment-based data message processing method, device and equipment - Google Patents


Info

Publication number
CN117336068A
Authority
CN
China
Prior art keywords
behavior
data message
identified
abnormal
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311337108.5A
Other languages
Chinese (zh)
Inventor
臧家璇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Abt Networks Co ltd
Original Assignee
Beijing Abt Networks Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a gateway equipment-based data message processing method, device and equipment. The method comprises the following steps: acquiring a data message to be identified; obtaining target behavior characteristics based on the target behavior model and the data message to be identified; determining whether the target behavior characteristics are abnormal based on the behavior characteristics in the local behavior library; when the target behavior characteristics are not abnormal, performing situation awareness on the data message to be identified through the target behavior model to obtain a situation awareness result; and, based on the behavior characteristics in the local behavior library and the situation awareness result, blocking the data message to be identified according to an intrusion prevention strategy or releasing it. In this way, whether the data message to be identified is abnormal is first determined through the target behavior model, and situation awareness is then performed on the message to further determine whether it is abnormal; the method therefore does not depend on manual intervention or on precisely defined characteristics, and can improve protection strength and network security.

Description

Gateway equipment-based data message processing method, device and equipment
Technical Field
The present invention relates to the field of network data security technologies, and in particular, to a method, an apparatus, and a device for processing a data packet based on a gateway device.
Background
The rapid development of the Internet has brought convenience to people's lives, but it has also provided a favorable environment for network attackers. Network security problems concern not only people's daily lives but also national security, and have therefore become one of the most important development and research directions in the Internet field.
Current intrusion prevention systems (Intrusion Prevention System, IPS) rely primarily on passive responses: attack characteristics are distilled by each security team and then entered into the gateway, so attack prevention depends on manual intervention.
Disclosure of Invention
The application provides a gateway equipment-based data message processing method, device and equipment, which can determine whether a data message to be identified is abnormal through a target behavior model and further determine whether it is abnormal by performing situation awareness on it; protection strength and network security can therefore be improved without relying on manual intervention or on the definition of behavior characteristics.
In a first aspect of the present application, a method for processing a data packet based on a gateway device is provided, including:
acquiring a data message to be identified;
obtaining target behavior characteristics based on the target behavior model and the data message to be identified;
determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library;
under the condition that the target behavior characteristics are not abnormal, carrying out situation awareness based on the data message to be identified through the target behavior model to obtain situation awareness results;
based on the behavior characteristics and the situation awareness results in the local behavior library, blocking the data message to be identified based on an intrusion prevention strategy, or releasing the data message to be identified.
In some embodiments, the determining whether there is an anomaly in the target behavioral feature based on the target behavioral feature and the behavioral features in the local behavioral library includes:
comparing the target behavior characteristics with the behavior characteristics in the local behavior library to obtain a comparison result;
and determining whether the target behavior feature is abnormal according to the comparison result.
In some embodiments, the situational awareness results include traffic characteristics of a next stage;
based on the behavior characteristics and the situation awareness result in the local behavior library, blocking the data message to be identified based on an intrusion prevention policy, or releasing the data message to be identified, including:
determining whether the flow of the next stage is abnormal flow or not based on the behavior characteristics in the local behavior library and the characteristics of the flow of the next stage;
and blocking the data message to be identified based on the intrusion prevention policy when the next-stage traffic is abnormal traffic, or releasing the data message to be identified when the next-stage traffic is non-abnormal traffic.
In some embodiments, the method further comprises:
and under the condition that the flow in the next stage is abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics corresponding to the data message to be identified, and uploading the target behavior characteristics corresponding to the data message to be identified to a cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
In some embodiments, the method further comprises:
under the condition that the target behavior characteristics are abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics, and uploading the target behavior characteristics to a cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
In some embodiments, the method further comprises:
acquiring behavior characteristics in the cloud behavior library;
and updating the behavior characteristics in the local behavior library based on the behavior characteristics in the cloud behavior library.
In some embodiments, the method further comprises:
acquiring a normal data message sent by a client simulator and an abnormal data message sent by an attack simulator;
training an initial behavior model based on the normal data message and the abnormal data message to obtain the target behavior model;
determining normal behavior characteristics based on the normal data message through the target behavior model;
determining abnormal behavior characteristics based on the abnormal data message through the target behavior model;
and determining at least one behavior characteristic based on the normal behavior characteristic and the abnormal behavior characteristic, and uploading the at least one behavior characteristic to the cloud behavior library.
In a second aspect of the embodiments of the present application, a data packet processing apparatus based on a gateway device is provided, including:
the acquisition module is used for acquiring the data message to be identified;
the processing module is used for obtaining target behavior characteristics based on the target behavior model and the data message to be identified; determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library;
the situation awareness module is used for carrying out situation awareness based on the data message to be identified through the target behavior model under the condition that the target behavior feature is not abnormal, so as to obtain a situation awareness result; based on the behavior characteristics and the situation awareness results in the local behavior library, blocking the data message to be identified based on an intrusion prevention strategy, or releasing the data message to be identified.
In a third aspect of the embodiments of the present application, there is provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the method steps according to any of the embodiments described above when the program is executed by the processor.
In a fourth aspect of embodiments of the present application, there is provided a non-transitory computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor implements the method steps of any of the embodiments described above.
The embodiment of the application provides a data message processing method based on gateway equipment, which comprises the following steps: acquiring a data message to be identified; obtaining target behavior characteristics based on the target behavior model and the data message to be identified; determining whether the target behavior characteristics are abnormal based on the behavior characteristics in the local behavior library; when the target behavior characteristics are not abnormal, performing situation awareness on the data message to be identified through the target behavior model to obtain a situation awareness result; and, based on the behavior characteristics in the local behavior library and the situation awareness result, blocking the data message to be identified according to an intrusion prevention strategy or releasing it. Whether the data message to be identified is abnormal is thus determined through the target behavior model, and situation awareness is then performed on the message to further determine whether it is abnormal; the method therefore does not depend on manual intervention or on precisely defined characteristics, and can improve protection strength and network security.
Drawings
Fig. 1 is a flow chart of a data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 2 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 3 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 4 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 5 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 6 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 7 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 8 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 9 is a flow chart of another data message processing method based on a gateway device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a data message processing device based on gateway equipment according to an embodiment of the present application;
Fig. 11 is a schematic entity structure diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application.
The rapid development of the Internet has brought convenience to people's lives, but it has also provided a favorable environment for network attackers. Network security problems concern not only people's daily lives but also national security, and have therefore become one of the most important development and research directions in the Internet field.
Current intrusion prevention systems (Intrusion Prevention System, IPS) rely primarily on passive responses: attack characteristics are distilled by each security team and then entered into the gateway, so attack prevention depends on manual intervention, which leads to delayed responses and strained resources. Moreover, because attack characteristics vary, current feature extraction relies mainly on precisely defined characteristics; for example, only a single attack characteristic is entered, and an attack whose characteristic has not been entered cannot be handled in time.
In order to solve these problems, the application provides a gateway equipment-based data message processing method, which can determine whether a data message to be identified is abnormal through a target behavior model and further determine whether it is abnormal by performing situation awareness on it; protection strength and network security can therefore be improved without depending on the definition of behavior characteristics.
Referring to fig. 1, an embodiment of the present application provides a method for processing a data packet based on a gateway device, including:
S101, acquiring a data message to be identified.
In some embodiments, the gateway device obtains the data message to be identified. The data message to be identified may be a Transmission Control Protocol (TCP) message.
S102, obtaining target behavior characteristics based on the target behavior model and the data message to be identified.
In some embodiments, the gateway device obtains the target behavior feature based on the target behavior model and the data packet to be identified obtained by executing S101.
In some embodiments, the data message to be identified is input into a target behavior model, and the data message to be identified is processed through the target behavior model to obtain target behavior characteristics corresponding to the data message to be identified.
S103, determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library.
In some embodiments, the gateway device determines whether there is an anomaly in the target behavior feature based on the target behavior feature obtained by executing S102 and the behavior feature in the local behavior library.
The target behavior feature is compared with the behavior feature in the local behavior library, and if the similarity between the target behavior feature and the behavior feature in the local behavior library is greater than or equal to a first preset threshold, it is determined that the target behavior feature is abnormal. If the similarity between the target behavior feature and the behavior feature in the local behavior library is smaller than a first preset threshold, determining that the target behavior feature is not abnormal.
As depicted in fig. 2, in some embodiments, S103 includes S1031-S1032.
S1031, comparing the target behavior characteristics with the behavior characteristics in the local behavior library to obtain a comparison result.
In some embodiments, the gateway device compares the target behavior feature obtained in S102 with the behavior features in the local behavior library to obtain a comparison result.
The comparison result may be a similarity between the target behavior feature and the behavior feature in the local behavior library, or may be a match or a mismatch between the target behavior feature and the behavior feature in the local behavior library. The embodiments of the present application are not limited in this regard.
S1032, determining whether the target behavior feature is abnormal according to the comparison result.
In some embodiments, the gateway device determines whether the target behavior feature is abnormal based on the comparison.
Illustratively, if the target behavioral characteristics match behavioral characteristics in the local behavioral library, it is determined that there is an anomaly in the target behavioral characteristics. If the target behavior characteristics are not matched with the behavior characteristics in the local behavior library, determining that no abnormality exists in the target behavior characteristics.
S104, under the condition that the target behavior characteristics are not abnormal, situation awareness is conducted on the basis of the data message to be identified through the target behavior model, and a situation awareness result is obtained.
In some embodiments, under the condition that the target behavior feature is not abnormal, the gateway device performs situation awareness based on the data message to be identified through the target behavior model, and a situation awareness result is obtained.
In some embodiments, the situational awareness results include the flow characteristics of the next stage.
Illustratively, the flow characteristic of the next stage may include a flow value of the next stage.
S105, blocking the data message to be identified based on the intrusion prevention policy or releasing the data message to be identified based on the behavior characteristics and situation awareness results in the local behavior library.
In some embodiments, the gateway device blocks the data message to be identified based on the intrusion prevention policy or passes the data message to be identified based on the behavior characteristics and situation awareness results in the local behavior library.
If the similarity between the flow characteristics of the next stage in the situation awareness result and the behavior characteristics in the local behavior library is greater than or equal to a second preset threshold, determining that the data message to be identified is abnormal; at this time, the data message to be identified is blocked based on an intrusion prevention policy. If the similarity between the flow characteristics of the next stage in the situation awareness result and the behavior characteristics in the local behavior library is smaller than a second preset threshold value, determining that the data message to be identified is not abnormal; at this time, the data message to be identified is released. It should be noted that the first preset threshold value and the second preset threshold value may be equal or unequal. The embodiments of the present application are not limited in this regard.
As shown in FIG. 3, in some embodiments, S105 includes S1051-S1052.
S1051, determining whether the flow of the next stage is abnormal flow or not based on the behavior characteristics in the local behavior library and the characteristics of the flow of the next stage.
In some embodiments, if it is determined, based on the characteristics of the next-stage traffic, that the traffic value of the next-stage traffic is greater than the traffic value corresponding to the behavior characteristics in the local behavior library, then the next-stage traffic is determined to be an abnormal traffic. If the flow value of the flow of the next stage is smaller than or equal to the flow value corresponding to the behavior characteristic in the local behavior library based on the characteristic of the flow of the next stage, the flow of the next stage is determined to be non-abnormal.
S1052, blocking the data message to be identified based on the intrusion protection policy when the traffic of the next stage is abnormal traffic, or releasing the data message to be identified when the traffic of the next stage is non-abnormal traffic.
If the flow value of the flow of the next stage is determined to be greater than the flow value corresponding to the behavior feature in the local behavior library based on the feature of the flow of the next stage, the flow of the next stage is determined to be abnormal flow, and the data message to be identified is blocked based on the intrusion prevention policy. If the flow value of the flow of the next stage is smaller than or equal to the flow value corresponding to the behavior feature in the local behavior library based on the feature of the flow of the next stage, the flow of the next stage is determined to be non-abnormal flow, and the data message to be identified is released.
It can be understood that performing situation awareness on the data message to be identified makes it possible to further determine whether the next-stage traffic corresponding to the message is abnormal, and to process the message according to that determination; protection strength and network security can therefore be improved without depending on precisely defined characteristics.
In some embodiments, the method for processing a data message based on a gateway device provided in the embodiments of the present application further includes:
and under the condition that the flow at the next stage is abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics corresponding to the data message to be identified, and uploading the target behavior characteristics corresponding to the data message to be identified to the cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
For example, in the case that the traffic of the next stage is abnormal, it means that there is an attack in the data packet to be identified; at this time, the gateway equipment inputs the target behavior characteristics corresponding to the data message to be identified into the behavior characteristics in the local behavior library so as to update the behavior characteristics in the local behavior library; and uploading target behavior characteristics corresponding to the data message to be identified into a cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
It should be noted that the gateway device may upload the target behavior feature corresponding to the data packet to be identified to the cloud behavior library either periodically or in real time; the embodiments of the present application are not limited in this regard. In the following embodiments, real-time upload is used for illustration.
In some embodiments, the method for processing a data message based on a gateway device provided in the embodiments of the present application further includes:
under the condition that the target behavior characteristics are abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics, and uploading the target behavior characteristics to the cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
For example, in the case that the target behavior feature is abnormal, it means that there is an attack behavior in the data packet to be identified; at this time, the gateway equipment inputs the target behavior characteristics into the behavior characteristics in the local behavior library so as to update the behavior characteristics in the local behavior library; and uploading the target behavior characteristics to a cloud behavior library to update the behavior characteristics in the cloud behavior library.
In order to further improve network security and ensure comprehensiveness of the behavior features in the local behavior library, the gateway device may update the behavior features in the local behavior library periodically or in real time based on the behavior features in the cloud behavior library.
As shown in fig. 4, in some embodiments, the method for processing a data packet based on a gateway device according to the embodiments of the present application further includes:
S401, acquiring behavior characteristics in a cloud behavior library.
S402, updating the behavior characteristics in the local behavior library based on the behavior characteristics in the cloud behavior library.
In some embodiments, the gateway device performs S401 to obtain the behavior features in the cloud behavior library, and then updates the behavior features in the local behavior library based on the behavior features in the cloud behavior library.
Illustratively, the gateway device may perform S401-S402 periodically (e.g., once per week), in real time, or before each execution of S101. In this way, the timeliness and comprehensiveness of the behavior features in the local behavior library can be guaranteed.
In some embodiments, as shown in fig. 5, when the gateway device determines that an attack behavior exists in the data packet to be identified, that is, when it determines that the target behavior feature corresponding to the packet is abnormal and/or that the next-stage traffic corresponding to the packet is abnormal traffic, the gateway device blocks the packet based on the intrusion prevention policy and uploads the corresponding target behavior feature to the cloud behavior library so as to update the behavior features there; other gateway devices can then acquire the behavior features in the cloud behavior library to update their own local behavior libraries. In this way, all gateway devices in the network achieve threat sharing and joint threat protection, further improving network security.
As shown in fig. 6, in some embodiments, the method for processing a data packet based on a gateway device according to the embodiments of the present application further includes:
S601, acquiring a normal data message sent by a client simulator and an abnormal data message sent by an attack simulator.
In some embodiments, the gateway device obtains a normal data packet sent by the client simulator and an abnormal data packet sent by the attack simulator, respectively.
In some embodiments, the gateway device may be deployed at the intranet server side.
Illustratively, as shown in fig. 7, the gateway device acquires a normal data packet (a normal TCP packet) sent by the client simulator to the intranet server; at this time, the gateway device applies no protection. The gateway device monitors the traffic of the normal TCP packets on the server side and determines the normal access traffic corresponding to them. As shown in fig. 8, the gateway device acquires an abnormal data packet (an abnormal request containing an attack behavior) sent by the attack simulator to the intranet server; again, the gateway device applies no protection. The gateway device monitors the traffic of the abnormal requests on the server side and determines the abnormal access traffic corresponding to them.
S602, training an initial behavior model based on the normal data message sent by the client simulator and the abnormal data message sent by the attack simulator to obtain a target behavior model.
In some embodiments, the gateway device trains the initial behavior model based on the normal and abnormal data messages to obtain the target behavior model. That is, the normal data messages and the abnormal data messages are input to the initial behavior model, and the initial behavior model is trained iteratively until training is complete, so that the target behavior model is obtained. The training method of the initial behavior model is prior art and is not described here.
S603, determining normal behavior characteristics based on normal data messages sent by the client simulator through the target behavior model.
In some embodiments, the gateway device determines the normal behavior characteristics based on normal data messages sent by the client simulator through the target behavior model.
The gateway device illustratively inputs the normal data message into a target behavior model, processes the normal data message through the target behavior model, and determines normal behavior characteristics (e.g., normal access traffic characteristics).
S604, determining abnormal behavior characteristics based on the abnormal data message through the target behavior model.
In some embodiments, the gateway device determines the abnormal behavior feature based on the abnormal data message through the target behavior model.
Illustratively, the gateway device inputs the abnormal data message into the target behavior model, processes the abnormal data message through the target behavior model, and determines abnormal behavior characteristics (e.g., abnormal access traffic characteristics).
S605, determining at least one behavior characteristic based on the normal behavior characteristic and the abnormal behavior characteristic, and uploading the at least one behavior characteristic to a cloud behavior library to obtain the behavior characteristic in the cloud behavior library.
In some embodiments, the gateway device determines at least one behavioral characteristic based on the normal behavioral characteristic and the abnormal behavioral characteristic and uploads to the cloud behavior library.
As shown in fig. 9, in some embodiments, the embodiments of the present application further provide a method for processing a data packet based on a gateway device, including:
S901, acquiring the flow (the data message to be identified).
S902, determining the characteristics (target behavior characteristics) of the flow through the target behavior model.
S903, determining whether the characteristics of the flow are matched with local behavior rules (behavior characteristics in a local behavior library); if yes, executing S904; if not, then S905 is performed.
S904, blocking the flow.
S905, performing situation awareness on the flow through a target behavior model, and determining the characteristics of the flow in the next stage of the flow.
S906, determining whether the characteristics of the flow in the next stage are matched with local behavior rules; if yes, executing S907; if not, then S909 is executed.
S907, blocking the flow and recording the characteristics of the flow into a local behavior rule.
S908, uploading the characteristics of the flow to the cloud to update the behavior rules of the cloud.
In some embodiments, this enables other gateway devices to obtain cloud behavior rules (behavior features of the cloud behavior library), and update local behavior rules (behavior features in the local behavior library) based on the cloud behavior rules.
S909, letting pass the flow.
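The training steps S601-S605 and the decision pipeline S901-S909 above, carried through as a small runnable model. This is an added example, not the patent's code: the feature definition, the successor-table "target behavior model", the MIN_SUPPORT threshold and the client/attack simulator traffic are all constructed assumptions.

```python
"""Toy version of the patent's training step (S601-S605) and decision pipeline
(S901-S909). Added example; features, support threshold and traffic are assumptions."""
from collections import Counter, defaultdict, namedtuple

MIN_SUPPORT = 2  # assumed: evidence needed before a feature enters the behavior library
Msg = namedtuple("Msg", "dst_port payload")  # constructed stand-in for a data message

def feature(m: Msg) -> tuple:
    """Target behavior feature (assumed): port, request verb, presence of metacharacters."""
    verb = m.payload.split()[0] if m.payload else ""
    return (m.dst_port, verb, any(c in m.payload for c in "';<>"))


class BehaviorModel:  # stand-in for the 'target behavior model': a successor table
    def __init__(self):
        self.successors = defaultdict(Counter)

    def train(self, traces):  # S602: learn which feature follows which in each trace
        for trace in traces:
            for cur, nxt in zip(trace, trace[1:]):
                self.successors[feature(cur)][feature(nxt)] += 1
        return self

    def next_stage(self, m: Msg):  # S905: predict the feature of the flow's next stage
        c = self.successors.get(feature(m))
        return c.most_common(1)[0][0] if c else None


def build_library(normal_traces, abnormal_traces):  # S603-S605: cloud behavior library
    normal = {feature(m) for t in normal_traces for m in t}
    abnormal = Counter(feature(m) for t in abnormal_traces for m in t)
    return {f for f, n in abnormal.items() if n >= MIN_SUPPORT and f not in normal}


class Gateway:
    def __init__(self, model, cloud_library):
        self.model, self.cloud = model, cloud_library
        self.local = set(cloud_library)  # local library seeded from the cloud one

    def handle(self, m: Msg):  # S901-S909; returns (verdict, reason)
        f = feature(m)
        if f in self.local:  # S903 -> S904
            return "block", "matches local rule"
        nxt = self.model.next_stage(m)
        if nxt is not None and nxt in self.local:  # S906 -> S907, S908
            self.local.add(f)  # record the early-stage feature locally ...
            self.cloud.add(f)  # ... and upload it so other gateways can use it
            return "block", "predicted next stage is abnormal"
        return "pass", "no match"  # S909

# Constructed traffic: two client-simulator sessions and one attack-simulator session.
NORMAL_TRACES = [
    [Msg(443, "GET /index"), Msg(443, "POST /login"), Msg(443, "GET /account")],
    [Msg(443, "GET /index"), Msg(443, "GET /help")],
]
ABNORMAL_TRACES = [[
    Msg(443, "OPTIONS /"),    # seen once: stays below MIN_SUPPORT, so not in the library
    Msg(443, "GET /admin'"),  # seen twice: enters the library
    Msg(443, "GET /admin'"),
]]


def demo():
    model = BehaviorModel().train(NORMAL_TRACES + ABNORMAL_TRACES)
    cloud = build_library(NORMAL_TRACES, ABNORMAL_TRACES)
    gw1, gw2 = Gateway(model, cloud), Gateway(model, cloud)
    results = {
        "normal": gw1.handle(Msg(443, "GET /index")),
        "known_bad": gw1.handle(Msg(443, "GET /admin'")),
        "early_stage": gw1.handle(Msg(443, "OPTIONS /")),  # caught via its next stage
    }
    gw2.local |= cloud  # the other gateway pulls the cloud library (claim 6)
    results["shared"] = gw2.handle(Msg(443, "OPTIONS /"))
    return results
```

The "early_stage" case is the point of S905-S908: a message whose own feature has too little evidence to be in the library is still blocked because its predicted next stage matches a rule, and the feature is then promoted into the local and cloud libraries for every gateway.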
Referring to fig. 10, an embodiment of the present application provides a data packet processing apparatus based on a gateway device, including:
an obtaining module 1001, configured to obtain a data packet to be identified;
the processing module 1002 is configured to obtain a target behavior feature based on the target behavior model and the data packet to be identified; determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library;
the situation awareness module 1003 is configured to perform situation awareness based on the data packet to be identified through the target behavior model, and obtain a situation awareness result when the target behavior feature is not abnormal; based on behavior characteristics and situation awareness results in the local behavior library, blocking the data message to be identified based on an intrusion prevention strategy, or releasing the data message to be identified.
In some embodiments of the present application, the processing module 1002 is further configured to compare the target behavior feature with a behavior feature in a local behavior library to obtain a comparison result; and determining whether the target behavior feature is abnormal according to the comparison result.
In some embodiments of the present application, the situation awareness result includes a flow characteristic of a next stage;
the situation awareness module 1003 is further configured to determine whether the next-stage traffic is abnormal traffic based on the behavior feature in the local behavior library and the feature of the next-stage traffic; and blocking the data message to be identified based on an intrusion prevention policy when the traffic of the next stage is abnormal traffic, or releasing the data message to be identified when the traffic of the next stage is non-abnormal traffic.
In some embodiments of the present application, the data packet processing apparatus based on a gateway device further includes an upload-and-update module;
the upload-and-update module is configured to update the behavior features in the local behavior library based on the target behavior feature corresponding to the data message to be identified when the next-stage flow is abnormal, and to upload the target behavior feature corresponding to the data message to be identified to the cloud behavior library so as to update the behavior features in the cloud behavior library.
In some embodiments of the present application, the upload-and-update module is further configured to update the behavior features in the local behavior library based on the target behavior feature when the target behavior feature is abnormal, and to upload the target behavior feature to the cloud behavior library to update the behavior features in the cloud behavior library.
In some embodiments of the present application, the obtaining module 1001 is further configured to obtain behavior features from the cloud behavior library;
the upload-and-update module is further configured to update the behavior features in the local behavior library based on the behavior features in the cloud behavior library.
In some embodiments of the present application, the obtaining module 1001 is further configured to obtain a normal data packet sent by the client simulator and an abnormal data packet sent by the attack simulator;
the processing module 1002 is further configured to train the initial behavior model based on the normal data packet and the abnormal data packet to obtain the target behavior model; determine normal behavior characteristics based on the normal data packet through the target behavior model; determine abnormal behavior characteristics based on the abnormal data packet through the target behavior model; and determine at least one behavior characteristic based on the normal behavior characteristic and the abnormal behavior characteristic;
and the upload-and-update module is further configured to upload the at least one behavior characteristic to the cloud behavior library.
As shown in fig. 11, an electronic device provided in an embodiment of the present application may include: a processor 1110, a communication interface 1120, a memory 1130 and a communication bus 1140, wherein the processor 1110, the communication interface 1120 and the memory 1130 communicate with each other via the communication bus 1140. The processor 1110 may invoke logic instructions in the memory 1130 to perform the methods described above.
Further, the logic instructions in the memory 1130 described above may be implemented in the form of software functional units and, when sold or used as a stand-alone product, stored on a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method for monitoring the mechanical state of a switching device according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the above methods.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A gateway device-based data message processing method, characterized by comprising the following steps:
acquiring a data message to be identified;
obtaining target behavior characteristics based on the target behavior model and the data message to be identified;
determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library;
under the condition that the target behavior characteristics are not abnormal, carrying out situation awareness based on the data message to be identified through the target behavior model to obtain situation awareness results;
based on the behavior characteristics and the situation awareness results in the local behavior library, blocking the data message to be identified based on an intrusion prevention strategy, or releasing the data message to be identified.
2. The method of claim 1, wherein the determining whether the target behavioral feature is abnormal based on the target behavioral feature and behavioral features in a local behavioral library comprises:
comparing the target behavior characteristics with the behavior characteristics in the local behavior library to obtain a comparison result;
and determining whether the target behavior feature is abnormal according to the comparison result.
3. The method of claim 1, wherein the situational awareness results include characteristics of next stage traffic;
based on the behavior characteristics and the situation awareness result in the local behavior library, blocking the data message to be identified based on an intrusion prevention policy, or releasing the data message to be identified, including:
determining whether the flow of the next stage is abnormal flow or not based on the behavior characteristics in the local behavior library and the characteristics of the flow of the next stage;
and blocking the data message to be identified based on the intrusion prevention policy when the next-stage traffic is abnormal traffic, or releasing the data message to be identified when the next-stage traffic is non-abnormal traffic.
4. A method according to claim 3, characterized in that the method further comprises:
and under the condition that the flow in the next stage is abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics corresponding to the data message to be identified, and uploading the target behavior characteristics corresponding to the data message to be identified to a cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
5. The method according to any one of claims 1-4, further comprising:
under the condition that the target behavior characteristics are abnormal, updating the behavior characteristics in the local behavior library based on the target behavior characteristics, and uploading the target behavior characteristics to a cloud behavior library so as to update the behavior characteristics in the cloud behavior library.
6. The method of claim 5, wherein the method further comprises:
acquiring behavior characteristics in the cloud behavior library;
and updating the behavior characteristics in the local behavior library based on the behavior characteristics in the cloud behavior library.
7. The method according to claim 1, wherein the method further comprises:
acquiring a normal data message sent by a client simulator and an abnormal data message sent by an attack simulator;
training an initial behavior model based on the normal data message and the abnormal data message to obtain the target behavior model;
determining normal behavior characteristics based on the normal data message through the target behavior model;
determining abnormal behavior characteristics based on the abnormal data message through the target behavior model;
and determining at least one behavior characteristic based on the normal behavior characteristic and the abnormal behavior characteristic, and uploading the at least one behavior characteristic to a cloud behavior library.
8. A gateway device-based data message processing apparatus, comprising:
the acquisition module is used for acquiring the data message to be identified;
the processing module is used for obtaining target behavior characteristics based on the target behavior model and the data message to be identified; determining whether the target behavior feature is abnormal or not based on the target behavior feature and the behavior feature in the local behavior library;
the situation awareness module is used for carrying out situation awareness based on the data message to be identified through the target behavior model under the condition that the target behavior feature is not abnormal, so as to obtain a situation awareness result; based on the behavior characteristics and the situation awareness results in the local behavior library, blocking the data message to be identified based on an intrusion prevention strategy, or releasing the data message to be identified.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 7 when the program is executed by the processor.
10. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311337108.5A CN117336068A (en) 2023-10-16 2023-10-16 Gateway equipment-based data message processing method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311337108.5A CN117336068A (en) 2023-10-16 2023-10-16 Gateway equipment-based data message processing method, device and equipment

Publications (1)

Publication Number Publication Date
CN117336068A true CN117336068A (en) 2024-01-02

Family

ID=89279003

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311337108.5A Pending CN117336068A (en) 2023-10-16 2023-10-16 Gateway equipment-based data message processing method, device and equipment

Country Status (1)

Country Link
CN (1) CN117336068A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718310A (en) * 2018-05-18 2018-10-30 安徽继远软件有限公司 Multi-level attack signatures generation based on deep learning and malicious act recognition methods
CN112261033A (en) * 2020-10-19 2021-01-22 北京京航计算通讯研究所 Network security protection method based on enterprise intranet
CN112671807A (en) * 2021-03-15 2021-04-16 中国电子信息产业集团有限公司第六研究所 Threat processing method, threat processing device, electronic equipment and computer readable storage medium
CN113079167A (en) * 2021-04-12 2021-07-06 西北工业大学 Internet of vehicles intrusion detection method and system based on deep reinforcement learning
US20220342988A1 (en) * 2021-04-21 2022-10-27 Sonalysts, Inc. System and method of situation awareness in industrial control systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination