Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the technical solution of the present application and are not intended to limit the present application.
For a better understanding of the technical solution of the present application, the following detailed description will be given with reference to the drawings and the specific embodiments.
The main solution of the embodiment of the application is that a target data packet is acquired, a safety parameter is determined through data processing based on the target data packet, parameter weight calculation is performed based on the safety parameter to obtain a data packet safety value, and if the data packet safety value is larger than a preset threshold value, the target data packet is sent to the target virtual switch.
At present, information security control is usually realized by arranging micro-isolation virtual machines in the industry, but the current data packet security evaluation method related to the micro-isolation virtual machines lacks comprehensive and perfect security evaluation strategies, and the accuracy of security performance evaluation of the data packets is not high.
The target data packet is firstly routed to the micro-isolation virtual machine corresponding to the target virtual switch to obtain the target data packet, then the micro-isolation virtual machine is used for carrying out double security verification on the target data packet based on the access control strategy and the data packet security value, and the verified target data packet can be sent to the target virtual switch. Therefore, the accuracy of the security performance evaluation of the data packet in the micro-isolated virtual machine can be improved.
It should be noted that, the execution body of the embodiment may be a computing service device with functions of data processing, network communication and program running, such as a tablet computer, a personal computer, a mobile phone, etc., or an electronic device, a data packet security evaluation system, etc. capable of implementing the above functions. This embodiment and the following embodiments will be described below with reference to a packet security evaluation system.
Based on this, an embodiment of the present application provides a method for evaluating security of a data packet, and referring to fig. 1, fig. 1 is a schematic flow chart of a first embodiment of the method for evaluating security of a data packet according to the present application.
In this embodiment, the data packet security evaluation method includes steps S10 to S30:
step S10, obtaining a target data packet;
It should be noted that, the data packet security evaluation method provided by the application is applied to a scenario of performing security performance evaluation on a large amount of data in a virtual data environment. The data packet is sent by the sender and received by an object to be sent by the data packet, where the sending object may be a target virtual switch in the virtual data environment related service, and thus, the destination IP address of the target data packet is the IP address of the target virtual switch corresponding to the micro isolation virtual machine. In the embodiment, the micro-isolated virtual switch is arranged between the sender and the sending object, each virtual switch corresponds to one micro-isolated virtual machine, the data packet sent to the target virtual switch needs to be routed to the micro-isolated virtual machine, the data is sent to the virtual machine only after the data packet meets an access control strategy and the data security is determined based on the security value of the data packet, and otherwise, the data is not sent, so that the embodiment realizes the data security protection of the virtual machine.
Step S20, determining safety parameters through data processing based on the target data packet;
Before the security parameters are determined, access rights verification needs to be performed on the target data packet based on a preset access control policy, and the security parameters can be determined through data processing based on the target data packet only when the access rights pass. The access control strategy can be set according to user requirements or actual service requirements, and is configured in the micro-isolated virtual machine. In addition, the access control policy is used to limit what data may access the virtual switch. Specifically, the application compares the target data packet with a preset access control strategy to verify whether the data packet has access rights. The access control policy may be a set of rules that specify which types of packets may pass and which need to be intercepted or inspected.
For example, the access control policy may include a white list that includes IP addresses for which virtual switches may be accessed. Also included in the access control policy are, for example, black lists, access rules (e.g., network protocols), etc.
After the access right passes, the embodiment determines the security parameters through data processing based on the target data packet. Wherein the security parameter may characterize the degree of data security of the data packet as it passes through the respective node or link.
Step S30, parameter weight calculation is carried out based on the security parameters, and a data packet security value is obtained;
And under the condition that the access authority verification is passed, the micro-isolation virtual machine carries out safety processing on the data packet, if the processing result is safe, the data packet is sent to the virtual machine, and if the processing result is unsafe, the data packet is discarded and an abnormal early warning is sent. The basis of the security processing of the data packet by the micro-isolation virtual machine is the data packet security value, and the data packet security value is generated after the micro-isolation virtual machine evaluates the security value of the data packet according to the equipment security degree of all nodes on the data packet transmission link, the condition that each node processes the data packet sent by the source IP and the condition that the transmission link processes the data packet. Specifically, after the micro-isolated virtual machine performs security assessment, a packet security value is obtained, where the value may be a fraction indicating the security level of the packet. It can be understood that the security evaluation is performed on the data packet, so that the counterfeiting and the falsification of the data packet can be effectively detected and prevented, and the reliability of network communication is improved. In this embodiment, a preset security value calculation formula needs to be formulated, and the security value calculation formula can be combined with a plurality of security parameters to perform parameter weight calculation, so as to obtain a security value of the data packet. The security value calculation formula may relate to security degree weight assignment, rule matching, anomaly detection, and the like.
And step S40, if the data packet security value is greater than a preset threshold value, the target data packet is sent to the target virtual switch.
It should be noted that, if the packet security value is greater than the preset threshold, that is, it is considered to be secure, the target packet is sent to the target virtual switch. The target data packet may continue to be transmitted in the network or passed to the target virtual switch. Only secure data packets will be sent to the target virtual switch, whereby network congestion and bandwidth consumption can be reduced, thereby optimizing network performance.
In the embodiment, a target data packet is acquired, a safety parameter is determined through data processing based on the target data packet, parameter weight calculation is performed based on the safety parameter to obtain a data packet safety value, and if the data packet safety value is greater than a preset threshold value, the target data packet is sent to the target virtual switch. The method comprises the steps of firstly routing a target data packet to a micro-isolation virtual machine corresponding to a target virtual switch to obtain the target data packet, then carrying out double security verification on the target data packet by the micro-isolation virtual machine based on an access control strategy and a data packet security value, and transmitting the verified target data packet to the target virtual switch. Therefore, the accuracy of the security performance evaluation of the data packet in the micro-isolated virtual machine can be improved.
In the second embodiment of the present application, the same or similar content as in the first embodiment of the present application may be referred to the above description, and will not be repeated. On this basis, please refer to fig. 2, fig. 2 is a flow chart of a second embodiment of the data packet security evaluation method of the present application, and as shown in fig. 2, the step of determining the security parameters through data processing based on the target data packet may include steps S201 to S204:
Step S201, acquiring attribute information of the target data packet based on a preset access control strategy;
It should be noted that, in this embodiment, the access control policy ensures that the access of the data packet is legal, that is, the preset access control policy is used to check whether the target data packet has the appropriate authority to be accessed. The attribute information of the destination packet may include attribute information such as a source IP address, a destination IP address, a port number, a protocol type, a user identity, and the like. The step of obtaining the attribute information of the target data packet may include extracting the attribute information of a source IP address, a network protocol, a source port, and the like in the target data packet through tools such as a Wireshark (network packet grabbing).
Step S202, performing access right verification based on the attribute information, and if the access right verification is passed, analyzing the target data packet to obtain analysis data;
It should be noted that, in this embodiment, the access right verification is performed on the target data packet by using the obtained attribute information. If validated, this packet may continue to be processed, otherwise it will be rejected or blocked. After passing the access right verification, the embodiment further analyzes the target data packet. The parsed data may include specific content of the data packet, such as header information, payloads, and the like.
Step S203, based on the analysis data, determining the safety parameters through information statistics.
It should be noted that the security parameters may include content characteristics of the data packet, behavior patterns, embedded commands or scripts, and whether malicious code is contained. Methods for determining security parameters based on analytical data through information statistics generally include in-depth analysis of the analytical data to understand patterns and statistical distribution rules thereof.
In the embodiment, the attribute information of the target data packet is acquired specifically through a preset access control strategy, access right verification is performed based on the attribute information, if the access right verification is passed, the target data packet is analyzed to obtain analysis data, safety parameters are determined through information statistics based on the analysis data, and the data packet safety value is obtained through evaluation based on the safety parameters and a preset safety value calculation formula. Through the scheme, the validity and the safety of the data packet are ensured through multiple verification and analysis processes, so that malicious attacks, data leakage or other security threats are prevented.
In the third embodiment of the present application, the same or similar contents as those of the above embodiment can be referred to the above description, and the description thereof will not be repeated. On the basis, referring to fig. 3, fig. 3 is a flow chart of a third embodiment of the packet security evaluation method according to the present application, as shown in fig. 3,
The step of determining the security parameter through information statistics based on the analysis data may include steps S2031 to S2034:
Step S2031, determining a target link and a target node corresponding to the target data packet based on the parsing data, where the target node includes a source IP node;
In this embodiment, after the analysis data is obtained, a target link and a target node corresponding to the target data packet need to be determined, where the target node includes a source IP node, and the target link is a link of the target data packet transmitted to the target virtual switch, and the target node is all nodes except the target virtual switch on the target link. The destination node may be determined by a program such as traceroute (route trace). The source IP node is the node corresponding to the device that sends the data packet.
Step S2032, determining, based on the target nodes, respective device security parameters corresponding to the target nodes through information statistics;
It should be noted that the device security parameters are obtained by comprehensively evaluating the device based on security protection software of the device. For example, the current safety degree of the equipment is detected through the safety protection software such as a firewall running on the equipment, or the safety condition of the equipment is detected periodically through the safety protection software such as the firewall running on the equipment, and the latest detected value is obtained through information statistics and is used as the equipment safety parameter. The method for acquiring the equipment security parameters corresponding to the target node comprises a first method for transmitting a security degree acquisition request to the target node through the micro-isolation virtual machine, wherein the target node returns the node equipment security parameters based on the request, and a second method for periodically reporting the equipment security parameters to a preset summary node through the target node and reporting the equipment security parameters to the micro-isolation virtual machine through the summary node.
Step S2033, determining, based on the source IP node, a source IP security parameter corresponding to the source IP node through information statistics;
the source IP security parameter characterizes the security degree of the device (source IP node) of the sender of the data packet.
Step S2034, determining, by information statistics, link security parameters corresponding to the target link based on the source IP node and the target link.
It should be noted that the link security parameter characterizes the security degree of the target link.
In this embodiment, the security parameters may be divided on the data layer transmitted from the source IP node to the target virtual switch, that is, the security parameters may include a device security parameter, a source IP security parameter, and a link security parameter. The device security parameter characterizes the security degree of the related device itself in the transmission process of the data packet, the source IP security parameter characterizes the security degree of the device (source IP node) of the sender of the target data packet, and the link security parameter characterizes the security degree of the target link. According to the embodiment, the safety parameters are determined, the safety of the data is evaluated from the two layers of data generation and data transmission, the data is transmitted only under the condition that the safety of the data is finally evaluated, and the safety risk caused by the condition that the data packet meets an access control strategy but is not safe is avoided, so that the accuracy of the safety performance evaluation of the data packet in the micro-isolation virtual machine is improved.
It should be noted that, the execution sequence of the steps S2032 to S2034 is not specifically limited in this embodiment, that is, the order of determining the device security parameter, the source IP security parameter, and the link security parameter is not limited, and taking the step S2032 as an example, the step S2032 may be executed before the step S2033 and the step S2034, may be executed between the step S2033 and the step S2034, or may be executed after the step S2033 and the step S2034. In addition, the security parameters may include only any one or more of the device security parameters, the source IP security parameters and the link security parameters, and in the implementation process, the appropriate security parameters may be selected according to the actual requirements.
In a possible implementation manner, the step S2033 may include steps A1 to A5 of determining, based on the source IP node, a source IP security parameter corresponding to the source IP node through information statistics:
step A1, accessing a flow log obtained in advance to obtain historical data packet log data;
It should be noted that, the traffic log is a log file for recording the network data transmission condition, and specifically includes various information of the network traffic, such as a source IP address, a destination IP address, a port number, a transmission protocol, a data packet size, a timestamp, and the like. According to the embodiment, the historical data packet log data is obtained by accessing the content of the relevant statistical downlink data packet of the flow log, wherein the historical data packet log data contains the relevant information of all data packets received by the micro-isolation virtual machine.
Step A2, based on the historical data packet log data, counting the total received data packet in a preset time interval to obtain total received data packet;
Specifically, the embodiment counts the number of all data packets received in a preset time interval based on the historical data packet log, so as to obtain the total received data packet. The number of the data packets may be the number of times or the data amount. The time interval may be set according to the actual situation in the implementation process, which is not limited in this embodiment.
Step A3, based on the historical data packet log data and the source IP node, counting the number of data packets sent by the source IP node and received in a preset time interval to obtain the total sending amount of the source IP data packets;
Specifically, the embodiment counts the number of data packets sent by the source IP node to the micro-isolated virtual machine in the same time interval based on the historical data packet log, to obtain the total sending amount of the source IP data packets.
Step A4, based on the historical data packet log data and the source IP node, counting the number of forwarding data packets in the data packets sent by the source IP node and received in a preset time interval to obtain the total forwarding amount of the source IP data packets;
It should be noted that, if the destination IP address of the data packet sent by the source IP node is not the destination node, the destination node forwards the data packet according to a preset routing policy, so that the embodiment can determine, through the micro-isolation virtual machine, the forwarding data packet to be forwarded on each destination node, and count the number of forwarding data packets to obtain the total forwarding amount of the source IP data packet;
and step A5, calculating based on the total data packet receiving amount, the total source IP data packet sending amount and the total source IP data packet forwarding amount to obtain the source IP security parameters.
It should be noted that, in this embodiment, based on the total packet reception amount, the total source IP packet transmission amount, and the total source IP packet forwarding amount, the security degree of the device (source IP node) of the sender of the target packet is evaluated, and the specific calculation manner may be determined by itself according to the actual requirement, and in addition, the execution sequence of steps A2 to A4 is not limited in this embodiment, and the steps A2 to A4 may be combined by itself in the specific implementation process.
In another possible implementation manner, the determining, by information statistics, the link security parameter corresponding to the target link based on the source IP node and the target link, step S2034 may include steps B1 to B7:
step B1, accessing a link log obtained in advance to obtain historical data packet link data;
it should be noted that the link log describes link data in the packets received by the micro-isolated virtual machine, that is, historical packet link data, where the historical packet link data includes all network nodes from the transmitting node to the receiving node, and a link direction.
Step B2, determining a first same-link data packet characteristic, a second same-link data packet characteristic and a third same-link data packet characteristic based on the target link data packet, wherein a link corresponding to the first same-link data packet characteristic is the target link, a link corresponding to the second same-link data packet characteristic is an extended link constructed based on the target link, and a link corresponding to the third target link data packet characteristic is a reorganized link constructed based on each node and the link direction in the target link;
Since the links are directional, the links a and a link are identical only if the directions are identical and the nodes are identical. For example, link A, IP1 (node 1) - > IP2 (node 2) - > virtual switch, and link B, IP2- > IP1- > virtual switch, are identical but in different directions and are not considered identical. Therefore, the embodiment determines the first co-link packet feature, the second co-link packet feature and the third co-link packet feature based on the rule, where the link corresponding to the first co-link packet feature is a target link, the link corresponding to the first co-link packet feature can only be an IP1- > IP2- > virtual switch, the link corresponding to the second co-link packet feature is an extended link constructed based on the target link, for example, the target link is an IP1- > IP2- > virtual switch, the link corresponding to the second co-link packet feature can be an IP0 (node 0) - > IP1- > IP2- > virtual switch, and the link corresponding to the third target link packet feature is a recombined link constructed based on each node and the link direction in the target link, for example, the target link is an IP1- > IP2- > virtual switch, and the link corresponding to the third co-link packet feature can be an IP1- > IP2- > IP3- > virtual switch.
Step B3, based on the historical data packet link data, the source IP node and the target link, counting the number of data packets which are received in a preset time interval and are transmitted by the source IP node and accord with the first co-link data packet characteristics, and obtaining the total amount of the source IP co-link data packets;
It should be noted that, in this embodiment, link comparison is performed according to the historical packet link data, the source IP node, and the target link, so as to count the number of packets which are received in a preset time interval and are sent by the source IP node and conform to the characteristics of the first co-link packet, and the counted number of packets is used as the total amount of the source IP co-link packets.
Step B4, based on the historical data packet link data and the target link, counting the number of data packets which are received in a preset time interval and accord with the characteristics of the second co-link data packets, and obtaining the total amount of the complete co-link data packets;
It should be noted that, in this embodiment, link comparison is performed based on the historical packet link data and the target link, so as to count the number of packets received in a preset time interval, which conform to the characteristics of the second co-link packet, and take the counted number of packets as the total amount of complete co-link packets.
Step B5, based on the historical data packet link data and the target link, counting the number of data packets which are received in a preset time interval and accord with the third co-link data packet characteristics, and obtaining the total amount of partial co-link data packets;
It should be noted that, in this embodiment, link comparison is performed based on the historical data packet link data and the target link, so as to count the number of data packets received in a preset time interval, which conform to the third co-link data packet feature, and take the counted number of data packets as the total amount of partial co-link data packets;
Step B6, based on the historical data packet link data and the target link, generating a quantity attribute value of the data packets which are received in a preset time interval and accord with the third same-link data packet characteristic;
It should be noted that, the number attribute value is the number of nodes, where the links of the data packet which is received by the micro-isolated virtual machine and conforms to the third co-link data packet feature in the preset time interval are the same as the target links. For example, the target link is an IP1- > IP2- > virtual switch, the link of the data packet received by the micro-isolation virtual machine in the preset time interval and conforming to the data packet characteristic of the third same link is an IP1- > IP2- > IP3- > virtual switch, and then the number of the same nodes in the two links is 3, that is, the number attribute value is 3.
And B7, calculating based on the total amount of the source IP and link data packets, the total amount of the complete and link data packets, the total amount of the partial and link data packets and the quantity attribute value to obtain the link security parameter.
It should be noted that, in this embodiment, the security degree of the transmission link is evaluated based on the total amount of the source IP co-link data packet, the total amount of the complete co-link data packet, the total amount of part of the co-link data packet, and the attribute value of the number, and a specific calculation manner may be determined by itself according to actual needs, and in addition, the execution sequence of steps B3 to B8 is not limited in this embodiment, and the above steps B3 to B8 may be combined by itself in a specific implementation process.
The above are merely two possible implementations provided by the present embodiment, and the specific implementation of step S2033 and step S2034 in the present embodiment is not specifically limited.
For example, in order to facilitate understanding the implementation flow of the packet security evaluation method obtained by combining the present embodiment with the second embodiment, as another possible implementation manner, the step of obtaining the packet security value by performing parameter weight calculation based on the security parameter in the present embodiment may include:
and calculating parameter weights based on the equipment security parameters, the source IP security parameters, the link security parameters and a preset security value calculation formula to obtain the data packet security value.
In addition, according to the steps S2031 to S2034, steps A1 to A5 and steps B1 to B7, the equipment security parameter is S1, the source IP security parameter is S2, the link security parameter is S3, the total amount of received packets is nall, and the total amount of transmitted source IP packets is nallThe total forwarding amount of the source IP data packet is recorded asThe total amount of the source IP and the link data packets is recorded asThe total amount of the complete same-link data packets is recorded asThe total amount of partial co-link data packets is recorded asThe value of the number attribute is denoted as x.
The device security parameter S1 is obtained by calculating the node device security parameter SIP of each target node, and the calculation formula is as follows:
Wherein max { SIP } in the formula (1) is the maximum value of the node equipment security parameters corresponding to all the target nodes, min { SIP } in the formula (1) is the minimum value of the node equipment security parameters corresponding to all the target nodes, and avg { SIP } in the formula (1) is the average value of the node equipment security parameters corresponding to all the target nodes. S1 represents the average security level of all target nodes in the link, the larger the value the safer.
The formula for calculating the source IP security parameter S2 is as follows:
Wherein nall is the total amount of data packet reception,The total amount is sent for the source IP data packet,Forwarding the total amount for the source IP packet.
The formula for calculating the link security parameter as S3 is as follows:
Wherein,For the total amount of source IP and link packets,For the total amount of complete on-link packets,For the total amount of partial co-link data packets, x is the value of the number attribute.
Thus, the formulas for calculating the packet security value x are as follows, by integrating the formulas (1), (2) and (3):
S=S1+S2+S3 (4)
It should be noted that the above examples are only for aiding in understanding the present application, and do not limit the method for evaluating the security of the data packet of the present application, and it is within the scope of the present application to make more simple changes based on the technical concept.
According to the scheme, the target link and the target node corresponding to the target data packet are determined specifically based on the analysis data, wherein the target node comprises a source IP node, equipment security parameters corresponding to the target node are determined based on the target node, source IP security parameters corresponding to the source IP node are determined based on the source IP node, and link security parameters corresponding to the target link are determined based on the source IP node and the target link. According to the method and the device, the safety value of the data packet is evaluated according to the equipment safety degree of all nodes on the data packet transmission link, the condition that each node processes the data packet sent by the source IP and the condition that the transmission link processes the data packet, so that the safety of the data is evaluated from two layers of data generation and data transmission, and the accurate evaluation of the safety degree of the data packet is ensured.
In the fourth embodiment of the present application, the same or similar content as the first embodiment of the present application can be referred to the above description, and the description thereof will not be repeated. On this basis, please refer to fig. 4, fig. 4 is a flowchart of a fourth embodiment of the packet security evaluation method of the present application, and as shown in fig. 4, after the step of calculating the parameter weight based on the security parameter to obtain the packet security value, the step S50 may include:
Step S50, if the packet security value is less than or equal to the preset threshold, the target packet is sent to the target virtual switch under the condition that a packet security confirmation instruction input by the user is received.
Specifically, the present embodiment first compares the security value of the target data packet with a preset security threshold. If the security value is less than or equal to the preset threshold value, it is indicated that the packet is considered risky. In the case that the security value is lower than the preset threshold, the system will generate a piece of suspected risk early warning information, which may include information about the source, content, risk type, etc. of the data packet. Finally, the embodiment sends the generated suspected risk early warning information to the client so that the client can timely receive and make corresponding reactions.
It should be noted that the preset threshold may be an empirical value, or may be a value obtained by analyzing sample data, for example, by performing large data analysis by using a large amount of sample data marked with safety and unsafe, to obtain a threshold suitable for the network environment.
Specifically, if the security value of the data packet is not greater than the preset threshold, the risk is considered to exist, but because the security value of the data packet meets the access control policy, the data packet is kept in the micro-isolated virtual machine, a secondary security confirmation instruction sent by the client based on the risk early warning information under the preset response time condition is waited, the user is requested to confirm whether the data packet is forwarded to the virtual switch, and if the user does not agree or does not confirm within a period of time, the data packet is not forwarded.
In this embodiment, a packet security assessment method based on micro-isolation is provided, where each virtual switch corresponds to one micro-isolated virtual machine, a packet of the virtual machine is routed to the micro-isolated virtual machine first, and the packet is sent to the virtual machine only after the packet meets an access control policy and determines that the packet is secure based on a security value of the packet, otherwise, the packet is not sent, so that data security protection in a virtual data environment can be achieved, and accuracy of packet security performance assessment by the micro-isolated virtual machine is improved.
It should be noted that, the foregoing embodiments may be implemented in a reasonable combination according to actual situations, which is not described in detail in this embodiment.
The present application also provides a data packet security evaluation device, which is applied to a micro-isolated virtual machine, please refer to fig. 5, and the data packet security evaluation device includes:
A data receiving module 10, configured to obtain a target data packet;
a data processing module 20 for determining a security parameter by data processing based on the target data packet;
a parameter calculation module 30, configured to perform parameter weight calculation based on the security parameter, so as to obtain a data packet security value;
and the packet forwarding module 40 is configured to send the target packet to the target virtual switch if the packet security value is greater than a preset threshold.
Optionally, the data processing module 20 is further configured to:
acquiring attribute information of the target data packet based on a preset access control strategy;
Performing access right verification based on the attribute information, and if the access right verification is passed, analyzing the target data packet to obtain analysis data;
based on the analysis data, determining safety parameters through information statistics
Optionally, the data processing module 20 is further configured to:
Determining a target link and a target node corresponding to the target data packet based on the analysis data, wherein the target node comprises a source IP node;
Based on the target nodes, determining the equipment security parameters corresponding to the target nodes through information statistics;
based on the source IP node, determining a source IP security parameter corresponding to the source IP node through information statistics;
And determining link security parameters corresponding to the target link through information statistics based on the source IP node and the target link.
Optionally, the data processing module 20 is further configured to:
accessing a pre-acquired flow log to obtain historical data packet log data;
Based on the historical data packet log data, counting the total received data packet in a preset time interval to obtain total received data packet;
based on the historical data packet log data and the source IP node, counting the number of data packets sent by the source IP node and received in a preset time interval to obtain the total sending amount of the source IP data packets;
Based on the historical data packet log data and the source IP node, counting the number of forwarding data packets in the data packets received in a preset time interval and sent by the source IP node to obtain the total forwarding amount of the source IP data packets;
And calculating based on the total data packet receiving amount, the total source IP data packet sending amount and the total source IP data packet forwarding amount to obtain the source IP security parameters.
Optionally, the data processing module 20 is further configured to:
accessing a pre-acquired link log to obtain historical data packet link data;
Determining a first same-link data packet characteristic, a second same-link data packet characteristic and a third same-link data packet characteristic based on the target link data packet, wherein a link corresponding to the first same-link data packet characteristic is the target link, a link corresponding to the second same-link data packet characteristic is an extended link constructed based on the target link, and a link corresponding to the third target link data packet characteristic is a reorganized link constructed based on each node and the link direction in the target link;
Based on the historical data packet link data, the source IP node and the target link, counting the number of data packets which are received in a preset time interval and are transmitted by the source IP node and accord with the first co-link data packet characteristics, and obtaining the total amount of the source IP co-link data packets;
Based on the historical data packet link data and the target link, counting the number of data packets which are received in a preset time interval and accord with the characteristics of the second co-link data packets, and obtaining the total amount of the complete co-link data packets;
based on the historical data packet link data and the target link, counting the number of data packets which are received in a preset time interval and accord with the third on-link data packet characteristics, and obtaining the total amount of partial on-link data packets;
generating a quantity attribute value of the data packets which are received in a preset time interval and accord with the third same-link data packet characteristic based on the historical data packet link data and the target link;
and calculating based on the total amount of the source IP and link data packets, the total amount of the complete and link data packets, the total amount of the partial and link data packets and the quantity attribute value to obtain the link security parameter.
Optionally, the packet forwarding module 40 is further configured to:
and if the data packet safety value is smaller than or equal to a preset threshold value, the target data packet is sent to the target virtual switch under the condition that a data packet safety confirmation instruction input by a user is received.
The data packet security assessment device provided by the application can solve the technical problem of how to improve the accuracy of security performance assessment of the data packet in the micro-isolated virtual machine by adopting the data packet security assessment method in the embodiment. Compared with the prior art, the beneficial effects of the data packet security assessment device provided by the application are the same as those of the data packet security assessment method provided by the embodiment, and other technical features in the data packet security assessment device are the same as those disclosed by the method of the embodiment, so that details are not repeated.
The application provides a data packet security assessment device which comprises at least one processor and a memory in communication connection with the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the data packet security assessment method in the first embodiment.
Referring now to fig. 6, a schematic diagram of a packet security assessment apparatus suitable for use in implementing embodiments of the present application is shown. The packet security evaluation apparatus in the embodiment of the present application may include, but is not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (Personal DIGITAL ASSISTANT: personal digital assistants), PADs (Portable Application Description: tablet computers), PMPs (Portable MEDIA PLAYER: portable multimedia players), vehicle-mounted terminals (e.g., vehicle-mounted navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. The packet security assessment apparatus shown in fig. 6 is only an example, and should not impose any limitation on the functionality and scope of use of the embodiments of the present application.
As shown in fig. 6, the packet security evaluation apparatus may include a processing device 1001 (e.g., a central processor, a graphics processor, etc.), which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access Memory (RAM: random Access Memory) 1004. In the RAM1004, various programs and data required for the operation of the packet security evaluation apparatus are also stored. The processing device 1001, the ROM1002, and the RAM1004 are connected to each other by a bus 1005. An input/output (I/O) interface 1006 is also connected to the bus. In general, a system including an input device 1007 such as a touch screen, a touch pad, a keyboard, a mouse, an image sensor, a microphone, an accelerometer, a gyroscope, etc., an output device 1008 including a Liquid crystal display (LCD: liquid CRYSTAL DISPLAY), a speaker, a vibrator, etc., a storage device 1003 including a magnetic tape, a hard disk, etc., and a communication device 1009 may be connected to the I/O interface 1006. The communication means 1009 may allow the packet security assessment device to communicate wirelessly or by wire with other devices to exchange data. While the figures illustrate packet security assessment devices having various systems, it should be understood that not all illustrated systems are required to be implemented or provided. More or fewer systems may alternatively be implemented or provided.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through a communication device, or installed from the storage device 1003, or installed from the ROM 1002. The above-described functions defined in the method of the disclosed embodiment of the application are performed when the computer program is executed by the processing device 1001.
The data packet security assessment equipment provided by the application can solve the technical problem of how to improve the accuracy of security performance assessment of the data packet in the micro-isolated virtual machine by adopting the data packet security assessment method in the embodiment. Compared with the prior art, the beneficial effects of the data packet security assessment device provided by the application are the same as those of the data packet security assessment method provided by the embodiment, and other technical features of the data packet security assessment device are the same as those disclosed by the method of the previous embodiment, and are not repeated herein.
It is to be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the description of the above embodiments, particular features, structures, materials, or characteristics may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
The present application provides a computer readable storage medium having computer readable program instructions (i.e., a computer program) stored thereon for performing the packet security assessment method of the above-described embodiments.
The computer readable storage medium provided by the present application may be, for example, a U disk, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, or device, or a combination of any of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access Memory (RAM: random Access Memory), a Read-Only Memory (ROM), an erasable programmable Read-Only Memory (EPROM: erasable Programmable Read Only Memory or flash Memory), an optical fiber, a portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this embodiment, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (Radio Frequency) and the like, or any suitable combination of the foregoing.
The computer readable storage medium may be included in the packet security assessment apparatus or may exist alone without being incorporated in the packet security assessment apparatus.
The computer-readable storage medium carries one or more programs that, when executed by the packet security assessment device, cause the packet security assessment device to:
Acquiring a target data packet;
determining a security parameter through data processing based on the target data packet;
calculating parameter weight based on the security parameters to obtain a data packet security value;
And if the data packet security value is greater than a preset threshold value, the target data packet is sent to the target virtual switch.
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of remote computers, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN: local Area Network) or a wide area network (WAN: wide Area Network), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present application may be implemented in software or in hardware. Wherein the name of the module does not constitute a limitation of the unit itself in some cases.
The readable storage medium provided by the application is a computer readable storage medium, and the computer readable storage medium stores computer readable program instructions (namely computer programs) for executing the data packet security assessment method, so that the technical problem of how to improve the accuracy of security performance assessment of the data packet in the micro-isolated virtual machine can be solved. Compared with the prior art, the beneficial effects of the computer readable storage medium provided by the application are the same as those of the data packet security evaluation method provided by the above embodiment, and are not described in detail herein.
The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of a data packet security assessment method as described above.
The computer program product provided by the application can solve the technical problem of how to improve the accuracy of the security performance evaluation of the data packet in the micro-isolated virtual machine. Compared with the prior art, the beneficial effects of the computer program product provided by the application are the same as those of the data packet security evaluation method provided by the above embodiment, and are not described herein.
The foregoing description is only a partial embodiment of the present application, and is not intended to limit the scope of the present application, and all the equivalent structural changes made by the description and the accompanying drawings under the technical concept of the present application, or the direct/indirect application in other related technical fields are included in the scope of the present application.