CN115955423A - Domain name-based network traffic processing method, device and processing equipment - Google Patents
Publication number: CN115955423A (application CN202211626406.1A)
Authority: CN (China)
Prior art keywords: network traffic, domain name, processed, target object, session
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- Y02D30/50: Reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D: climate change mitigation technologies in information and communication technologies)
Abstract
The present application provides a domain name-based network traffic processing method, apparatus and processing device, used to obtain specific network traffic more concisely and achieve precise network traffic capture. The domain name-based network traffic processing method provided by the present application includes: obtaining network traffic to be processed, where the network traffic to be processed is analyzed to determine whether it belongs to a preset target object; extracting, at the application layer, the receiver's domain name and the sender's domain name of the network traffic to be processed; determining, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rule of the target object; and, if it matches, determining that the network traffic to be processed belongs to the network traffic of the target object.
Description
Technical field
The present application relates to the Internet field, and specifically to a domain name-based network traffic processing method, apparatus and processing device.
Background
The Domain Name System (DNS) protocol is an important protocol in computer networks: it performs the translation between domain names and Internet Protocol (IP) addresses. For that reason, at the DNS devices in a network architecture, DNS traffic is the traffic that network traffic monitoring tends to focus on.
The inventors of the present application found that, because the volume of DNS traffic in a network is large, prior-art traffic monitoring systems often capture and display all of it indiscriminately. This means that large amounts of storage resources, such as hard disks or databases, must be consumed to store it, which clearly leads to high application cost or inconvenience in use.
Summary of the invention
The present application provides a domain name-based network traffic processing method, apparatus and processing device, used to obtain specific network traffic more concisely and achieve precise network traffic capture.
In a first aspect, the present application provides a domain name-based network traffic processing method, the method comprising:
obtaining network traffic to be processed, where the network traffic to be processed is analyzed to determine whether it belongs to a preset target object;
extracting, at the application layer, the receiver's domain name and the sender's domain name of the network traffic to be processed;
determining, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rule of the target object;
if it matches, determining that the network traffic to be processed belongs to the network traffic of the target object.
With reference to the first aspect, in a first possible implementation of the first aspect, if the network traffic to be processed is of the request message type and the target object is a target session, then after determining that the network traffic to be processed belongs to the network traffic of the target object, the method further includes:
creating a log for the target object;
writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the first aspect, in a second possible implementation of the first aspect, if the network traffic to be processed is of the response message type and the target object is a target session, then after determining that the network traffic to be processed belongs to the network traffic of the target object, the method further includes:
writing the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:
extracting the five-tuple information of the network traffic to be processed, where the five-tuple information specifically includes source IP, destination IP, source port, destination port and protocol type;
determining, according to the five-tuple information, whether the network traffic to be processed belongs to the target session.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, if no related query message or response message exists for the network traffic to be processed, and the target object is a target session, the method further includes:
in the log of the network traffic to be processed for the target session, adding a missing identifier for the network traffic to be processed, where the missing identifier indicates that no related query message or response message exists for the network traffic to be processed.
With reference to the first aspect, in a fifth possible implementation of the first aspect, determining, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rule of the target object includes:
on the basis of the receiver's domain name and the sender's domain name, determining by means of a hyperscan engine whether the network traffic to be processed matches the preset domain name matching rule of the target object, where the hyperscan engine has been loaded with domain name keywords and their corresponding ID numbers for use in matching.
With reference to the first aspect, in a sixth possible implementation of the first aspect, the traffic to be processed is specifically DNS traffic passing through a DNS device.
In a second aspect, the present application provides a domain name-based network traffic processing apparatus, the apparatus comprising:
an obtaining unit, configured to obtain network traffic to be processed, where the network traffic to be processed is analyzed to determine whether it belongs to a preset target object;
an extraction unit, configured to extract, at the application layer, the receiver's domain name and the sender's domain name of the network traffic to be processed;
a determining unit, configured to determine, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rule of the target object, and, if it matches, to determine that the network traffic to be processed belongs to the network traffic of the target object.
With reference to the second aspect, in a first possible implementation of the second aspect, the apparatus further includes a log processing unit which, if the network traffic to be processed is of the request message type and the target object is a target session, is configured to:
create a log for the target object;
write the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the second aspect, in a second possible implementation of the second aspect, the apparatus further includes a log processing unit which, if the network traffic to be processed is of the response message type and the target object is a target session, is configured to:
write the relevant session characteristics of the network traffic to be processed into the log of the target session for storage.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the determining unit is further configured to:
extract the five-tuple information of the network traffic to be processed, where the five-tuple information specifically includes source IP, destination IP, source port, destination port and protocol type;
determine, according to the five-tuple information, whether the network traffic to be processed belongs to the target session.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the apparatus further includes a log processing unit which, if no related query message or response message exists for the network traffic to be processed and the target object is a target session, is configured to:
in the log of the network traffic to be processed for the target session, add a missing identifier for the network traffic to be processed, where the missing identifier indicates that no related query message or response message exists for the network traffic to be processed.
With reference to the second aspect, in a fifth possible implementation of the second aspect, the determining unit is specifically configured to:
on the basis of the receiver's domain name and the sender's domain name, determine by means of a hyperscan engine whether the network traffic to be processed matches the preset domain name matching rule of the target object, where the hyperscan engine has been loaded with domain name keywords and their corresponding ID numbers for use in matching.
With reference to the second aspect, in a sixth possible implementation of the second aspect, the traffic to be processed is specifically DNS traffic passing through a DNS device.
In a third aspect, the present application provides a processing device comprising a processor and a memory, the memory storing a computer program; when the processor invokes the computer program in the memory, it performs the method provided by the first aspect or by any possible implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing a plurality of instructions, the instructions being suitable for loading by a processor in order to perform the method provided by the first aspect or by any possible implementation of the first aspect.
From the above, the present application has the following beneficial effects:
For the need to capture specific network traffic, the present application starts from the application layer of the network traffic to be processed, determines the receiver's domain name and the sender's domain name, and then combines them with the domain name matching rule of the target object to determine the matching relationship between the network traffic to be processed and the target object. Under this convenient processing architecture there is no need to attend to or analyze the specific traffic content, so specific network traffic (the network traffic of the target object) is obtained more concisely and precise network traffic capture is achieved.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the domain name-based network traffic processing method of the present application;
Fig. 2 is a workflow diagram of the domain name matching processing of the present application;
Fig. 3 is a schematic structural diagram of the domain name-based network traffic processing apparatus of the present application;
Fig. 4 is a schematic structural diagram of the processing device of the present application.
具体实施方式Detailed ways
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the application with reference to the drawings in the embodiments of the application. Apparently, the described embodiments are only some of the embodiments of the application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without making creative efforts belong to the scope of protection of this application.
本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的实施例能够以除了在这里图示或描述的内容以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或模块的过程、方法、系统、产品或设备不必限于清楚地列出的那些步骤或模块,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或模块。在本申请中出现的对步骤进行的命名或者编号,并不意味着必须按照命名或者编号所指示的时间/逻辑先后顺序执行方法流程中的步骤,已经命名或者编号的流程步骤可以根据要实现的技术目的变更执行次序,只要能达到相同或者相类似的技术效果即可。The terms "first", "second" and the like in the specification and claims of the present application and the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific sequence or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", as well as any variations thereof, are intended to cover a non-exclusive inclusion, for example, a process, method, system, product or device comprising a series of steps or modules is not necessarily limited to the expressly listed Instead, other steps or modules not explicitly listed or inherent to the process, method, product or apparatus may be included. The naming or numbering of the steps in this application does not mean that the steps in the method flow must be executed in the time/logic sequence indicated by the naming or numbering. The execution order of the technical purpose is changed, as long as the same or similar technical effect can be achieved.
本申请中所出现的模块的划分,是一种逻辑上的划分,实际应用中实现时可以有另外的划分方式,例如多个模块可以结合成或集成在另一个系统中,或一些特征可以忽略,或不执行,另外,所显示的或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,模块之间的间接耦合或通信连接可以是电性或其他类似的形式,本申请中均不作限定。并且,作为分离部件说明的模块或子模块可以是也可以不是物理上的分离,可以是也可以不是物理模块,或者可以分布到多个电路模块中,可以根据实际的需要选择其中的部分或全部模块来实现本申请方案的目的。The division of modules presented in this application is a logical division. In actual applications, there may be other division methods. For example, multiple modules can be combined or integrated into another system, or some features can be ignored. , or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, and the indirect coupling or communication connection between modules may be electrical or other similar forms. Applications are not limited. Moreover, the modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed into multiple circuit modules, and some or all of them may be selected according to actual needs module to achieve the purpose of this application scheme.
在介绍本申请提供的基于域名的网络流量处理方法之前,首先介绍本申请所涉及的背景内容。Before introducing the domain name-based network traffic processing method provided by this application, first introduce the background content involved in this application.
本申请提供的基于域名的网络流量处理方法、装置以及计算机可读存储介质,可应用于处理设备,用于更为简洁地进行特定网络流量的获取,实现精确的网络流量捕捉效果。The domain name-based network traffic processing method, device, and computer-readable storage medium provided by the present application can be applied to processing equipment to obtain specific network traffic more concisely and achieve accurate network traffic capture effects.
本申请提及的基于域名的网络流量处理方法,其执行主体可以为基于域名的网络流量处理装置,或者集成了该基于域名的网络流量处理装置的服务器、物理主机或者用户设备(User Equipment,UE)等不同类型的处理设备。其中,基于域名的网络流量处理装置可以采用硬件或者软件的方式实现,UE具体可以为智能手机、平板电脑、笔记本电脑、台式电脑或者个人数字助理(Personal Digital Assistant,PDA)等终端设备,处理设备可以通过设备集群的方式设置。The domain name-based network traffic processing method mentioned in this application can be executed by a domain name-based network traffic processing device, or a server, physical host or user equipment (User Equipment, UE) that integrates the domain name-based network traffic processing device. ) and other different types of processing equipment. Among them, the network traffic processing device based on the domain name can be implemented in the form of hardware or software, and the UE can specifically be a terminal device such as a smart phone, a tablet computer, a notebook computer, a desktop computer or a personal digital assistant (Personal Digital Assistant, PDA), and the processing device It can be set by device cluster.
应当理解,该处理设备,拥有执行本申请基于域名的网络流量处理方法所涉及的功能服务的执行能力即可,因此在设备形式及其所处设备架构上可以根据实际需要进行适配性地调整,而回到网络架构场景中,显然,处理设备则可以直接为网络架构中需要进行流量捕捉、流量监控的特定网络设备节点,从而网络设备节点自身既可以通过本身基于域名的网络流量处理方法来实现便捷且精确的流量捕捉效果。It should be understood that the processing device only needs to have the ability to execute the functional services involved in the domain name-based network traffic processing method of this application, so the form of the device and the structure of the device where it is located can be adaptively adjusted according to actual needs , and back to the network architecture scenario, obviously, the processing device can directly be a specific network device node that needs to capture and monitor traffic in the network architecture, so that the network device node itself can use its own domain name-based network traffic processing method to Realize convenient and accurate traffic capture effect.
下面,开始介绍本申请提供的基于域名的网络流量处理方法。Next, start to introduce the domain name-based network traffic processing method provided by this application.
首先,参阅图1,图1示出了本申请基于域名的网络流量处理方法的一种流程示意图,本申请提供的基于域名的网络流量处理方法,具体可包括如下步骤S101至步骤S105:First, referring to FIG. 1, FIG. 1 shows a schematic flowchart of the domain name-based network traffic processing method of the present application. The domain name-based network traffic processing method provided by the present application may specifically include the following steps S101 to S105:
步骤S101,获取待处理网络流量,其中,待处理网络流量用来分析是否属于预设的目标对象的网络流量;Step S101, acquiring network traffic to be processed, wherein the network traffic to be processed is used to analyze whether the network traffic belongs to a preset target object;
可以理解,对应于本申请所涉及的网络流量分析场景,首先要做的,就是要确定当前或者说本次需要进行处理的网络流量,为方便进行说明,将其记为待处理网络流量。It can be understood that, corresponding to the network traffic analysis scenario involved in this application, the first thing to do is to determine the current or current network traffic that needs to be processed. For the convenience of description, it is recorded as the network traffic to be processed.
其中,对于该待处理网络流量,其既可以是实时监测到的流量,也可以是历史监测到流量,此外,对于该待处理网络流量的获取处理,既可以是处理设备自身发起的获取处理,也可以是接收其他设备针对本申请所涉及的网络流量分析场景传输过来供处理的流量,显然,在实际应用中具有较高的灵活性,可以随实际需要调整。Wherein, the network traffic to be processed may be real-time monitored traffic or historically monitored traffic. In addition, the acquisition processing of the network traffic to be processed may be the acquisition process initiated by the processing device itself, It can also be to receive the traffic transmitted by other devices for processing according to the network traffic analysis scenario involved in this application. Obviously, it has high flexibility in practical application and can be adjusted according to actual needs.
此外,本申请是基于现有技术中涉及的DNS流量所存在的缺陷而提出的,因此,该待处理网络流量具体可以为DNS流量,当然,在实际应用中,考虑到除了DNS流量,本申请也可以对其他类型的网络流量实现简便且精准的捕捉效果,因此也可以应用于其他类型的或者其他设备节点处的网络流量。In addition, this application is proposed based on the defects of the DNS traffic involved in the prior art. Therefore, the network traffic to be processed can be specifically DNS traffic. Of course, in practical applications, considering that in addition to DNS traffic, this application It can also achieve simple and accurate capture effects on other types of network traffic, so it can also be applied to other types of network traffic or other device nodes.
而对于本申请主要针对的DNS流量本身,作为一种具体的实现方式,该待处理流量具体就可以为经过DNS设备的DNS流量,从而,本申请可以聚焦于NDS设备处,从其经过的DNS流量中简便且精准捕捉出特定的网络流量,供相关的数据应用使用。As for the DNS traffic itself that this application is mainly aimed at, as a specific implementation, the traffic to be processed can specifically be the DNS traffic passing through the DNS device. Therefore, this application can focus on the NDS device, and the DNS traffic passing through it can be The specific network traffic is easily and accurately captured in the traffic, which can be used by related data applications.
为方便说明,下面的内容则以DNS流量为例进行介绍。For the convenience of description, the following content uses DNS traffic as an example for introduction.
步骤S102,在应用层面提取待处理网络流量的接收方的域名和发送方的域名;Step S102, extracting the domain name of the receiver and the domain name of the sender of the network traffic to be processed at the application level;
可以理解,本申请对于网络流量的捕捉,并不聚焦于其实质要传输的内容,而是以其域名来进行网络流量的区分。It can be understood that the capture of network traffic in this application does not focus on the actual content to be transmitted, but distinguishes network traffic by its domain name.
如此,可以从应用层出发来进行域名的提取处理,具体来说,就是在待处理网络流量的应用层数据中从域名的特定位置处,提取出相关的接收方的域名和发送方的域名,为后续的域名识别打下基础。In this way, domain name extraction can be performed starting from the application layer. Specifically, the domain name of the receiver and the domain name of the sender are extracted from the specific position of the domain name in the application layer data of the network traffic to be processed. Lay the foundation for subsequent domain name identification.
步骤S103,根据接收方的域名和发送方的域名,确定待处理网络流量是否与预设的目标对象的域名匹配规则匹配,若匹配,则触发步骤S104;Step S103, according to the domain name of the recipient and the domain name of the sender, determine whether the network traffic to be processed matches the preset domain name matching rule of the target object, and if so, trigger step S104;
可以理解,本申请所做的网络流量分析,其精准捕捉的实现就是基于域名来展开的,也因此,可以预先配置域名匹配规则,如此可以在后续应用中适配出对应的域名,从而即可确定特定的网络流量。It can be understood that the accurate capture of the network traffic analysis done in this application is based on the domain name. Therefore, domain name matching rules can be pre-configured, so that the corresponding domain name can be adapted in subsequent applications, so that Identify specific network traffic.
其中,该域名匹配规则,是以对应的对象进行配置的,在该设置下,每一个域名匹配规则背后对应的是一个对象,如此,确定出的特定网络流量对应了一个特定对象,达到以域名为基础,与特定对象为目标的网络流量捕捉效果。Among them, the domain name matching rule is configured based on the corresponding object. Under this setting, each domain name matching rule corresponds to an object. In this way, the determined specific network traffic corresponds to a specific object. Based on the effect of capturing network traffic with specific object targets.
对应的,在确定了当前待处理网络流量的接收方的域名和发送方的域名后,则可以将其与预设的目标对象的域名匹配规则进行匹配,若存在匹配的情况,显然,则可以确定为与目标对象相关的网络流量。Correspondingly, after determining the domain name of the receiver and the domain name of the sender of the current network traffic to be processed, it can be matched with the preset domain name matching rules of the target object. If there is a match, obviously, it can be Network traffic identified as being relevant to the target object.
值得补充的是,对于该目标对象,既可以是一个对象,也可以是多个对象,每个对象可以配置有自身对应的域名匹配规则。It is worth adding that the target object can be one object or multiple objects, and each object can be configured with its own corresponding domain name matching rule.
步骤S104,确定待处理网络流量属于目标对象的网络流量。Step S104, determining that the network traffic to be processed belongs to the network traffic of the target object.
而在确定了存在匹配的情况后,则可以根据具体的结果确定机制,将当前的待处理网络流量确定为属于目标对象的网络流量。After it is determined that there is a matching situation, the current network traffic to be processed can be determined as the network traffic belonging to the target object according to a specific result determination mechanism.
其中,该确定处理显然是可以随实际需求进行具体怎么进行确定的处理内容的,一般是随后面针对特定捕捉到的网络流量的相关数据应用进行调整。Wherein, the determination process can obviously be performed according to actual needs, and generally it is adjusted for the application of relevant data of specific captured network traffic later.
从图1所示实施例可看出,对于特定网络流量的捕捉需求,本申请从待处理网络流量的应用层出发,确定接收方的域名和发送方的域名,再结合目标对象的域名匹配规则,确定待处理网络流量与目标对象之间的匹配关系,在该便捷的处理架构下,不用去关注、分析具体的流量内容,更为简洁地进行特定网络流量(目标对象的网络流量)的获取,实现精确的网络流量捕捉效果。As can be seen from the embodiment shown in Figure 1, for the capture requirements of specific network traffic, this application starts from the application layer of the network traffic to be processed, determines the domain name of the receiver and the domain name of the sender, and then combines the domain name matching rules of the target object , to determine the matching relationship between the network traffic to be processed and the target object. Under this convenient processing framework, it is unnecessary to pay attention to and analyze the specific traffic content, and obtain specific network traffic (network traffic of the target object) more concisely , to achieve accurate network traffic capture effect.
The individual steps of the embodiment shown in Figure 1, and their possible implementations in practical applications, are now described in more detail.
It will be understood that the execution unit for capturing network traffic in this application, i.e. the specific object referred to above, may specifically be a session. In other words, this application can accurately capture the network traffic corresponding to a specific session (one with specific session characteristics, such as a particular session party or a particular point in time). In network operations this is relevant both to operational business considerations and to network security considerations, and so clearly has considerable practical value.
For example, network request packets can be separated into sessions according to their five-tuple information: packets whose five-tuples are identical, or that differ only in that the source IP and destination IP are swapped, can directly be regarded as belonging to the same session.
As one instance, a hash can be computed over the five-tuple information and a hash table generated as the session table, which makes it convenient to look up quickly which session a packet belongs to.
The session table data structure can, for example, be configured as follows:
Correspondingly, for the determination here and later of whether traffic belongs to the target session, the method of this application may also include the following:
extracting the five-tuple information of the network traffic to be processed, where the five-tuple information specifically comprises the source IP, destination IP, source port, destination port and protocol type;
determining, according to the five-tuple information, whether the network traffic to be processed belongs to the target session.
Here, between the five-tuple information of the network traffic to be processed and the five-tuple information specific to the target session, the source IP and destination IP may be set to be in either the identical relationship or the swapped relationship.
Furthermore, where the network traffic is presented in the form of packets, this application can also divide them into two types, request and response, i.e. the request packet type and the response packet type, so as to carry out network traffic analysis at a finer granularity.
During this network traffic analysis, a logging element can also be introduced to provide more detailed feature annotation for the per-session traffic capture processing, so that the subsequent analysis of the captured network traffic has a concise yet rich set of features to refer to.
Specifically, as yet another specific implementation, if the network traffic to be processed is of the request packet type and the target object is a target session, then after step S104 determines that the network traffic to be processed belongs to the network traffic of the target object, the method of this application may further include:
creating a log for the target object;
writing the relevant session features of the network traffic to be processed into the log of the target session for storage.
It will be understood that every session is triggered by a request packet, and if the session proceeds normally a corresponding response packet will follow. Thus, when a request packet corresponding to the target session is identified, the corresponding log can first be created and the relevant session features of the current packet (the network traffic currently being processed) written into it, storing those features for later use.
Once the log of the target session has been created from the request packet, the session features of subsequent packets belonging to the same target session can continue to be extracted and written into that log, building up a complete record of the target session's session features.
Correspondingly, there is another case in which the packet currently being processed is already of the response packet type. That is, if the network traffic to be processed is of the response packet type and the target object is a target session, then after step S104 determines that the network traffic to be processed belongs to the network traffic of the target object, the method of this application may further include:
writing the relevant session features of the network traffic to be processed into the log of the target session for storage.
It will be understood that the log written to here is the one whose creation was previously triggered by the corresponding request packet.
As for the session features of a response packet, in addition to the basic session features that can also be extracted from a request packet, such as the domain name and the corresponding IP, they may include response-related session features such as the query return code and the response time.
In addition, this application takes into account that in practice abnormal factors such as network fluctuation, packet reordering or packet loss may interfere, so that a session is missing its request packet or its response packet: for example, a DNS response packet is received first, or only a DNS query packet is received with no corresponding response. In the network-traffic log, the absence of the request obviously also means that no session features of the related request are recorded. For this situation, this application can additionally mark the condition, so as to record the session more accurately and in finer detail and further complete the recorded content.
Specifically, if no related query packet or response packet exists for the network traffic to be processed, as yet another specific implementation the method of this application may further include:
adding, in the log of the network traffic to be processed, a missing flag for the network traffic to be processed, where the missing flag indicates that no related query packet or response packet exists for that network traffic.
It is easy to see that, by configuring this missing flag, the fact that the corresponding packet of the same session is missing is marked clearly and concisely.
Moreover, in keeping with this application's design of capturing network traffic per session and configuring a log for each session, the missing flag can be configured directly in the log, further completing the content recorded in the session's log.
Correspondingly, in yet another specific implementation, the target object is a target session, and adding a missing flag for the network traffic to be processed in its log may specifically include:
adding, in the log of the network traffic to be processed for the target session, a missing flag for the network traffic to be processed, where the missing flag indicates that no related query packet or response packet exists for that network traffic.
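The five-tuple session table, the request-triggered log, the response features and the missing flag described above, as one added Python example that is not the patent's own code. It assumes packets arrive as dicts carrying the five-tuple fields, a "type" of "request" or "response", the queried "domain", a timestamp "ts" and, for responses, "rcode" and "answers"; the flag values "no_request" and "no_response", the timeout and all sample packets are constructed. The session key swaps the (IP, port) endpoints together, a slight generalization of the swapped-IP case in the text that also covers replies whose ports are mirrored along with the addresses.

```python
"""Per-session tracking and logging of domain-matched DNS traffic (added example, not the patent's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SessionKey = Tuple[str, str, int, int, str]


def session_key(src_ip: str, dst_ip: str, src_port: int, dst_port: int, proto: str) -> SessionKey:
    """Direction-independent key: a packet and its reply (endpoints swapped) map to one session."""
    if (src_ip, src_port) <= (dst_ip, dst_port):
        return (src_ip, dst_ip, src_port, dst_port, proto)
    return (dst_ip, src_ip, dst_port, src_port, proto)


@dataclass
class SessionLog:
    """Log created for one target session; one feature record is appended per packet."""
    key: SessionKey
    first_seen: float
    features: List[dict] = field(default_factory=list)
    missing: Optional[str] = None  # constructed flag values: "no_request" / "no_response"

    def complete(self) -> bool:
        kinds = {f["type"] for f in self.features}
        return "request" in kinds and "response" in kinds


class SessionTracker:
    """Session table (a dict keyed by the canonical five-tuple) plus the per-session logs."""

    def __init__(self, watched_domains: Set[str], timeout: float = 5.0) -> None:
        self.watched = {d.lower().rstrip(".") for d in watched_domains}
        self.timeout = timeout  # seconds a request-only session may wait for its response
        self.table: Dict[SessionKey, SessionLog] = {}

    def handle(self, pkt: dict) -> Optional[SessionLog]:
        """Write the packet's session features to its session log; None if the domain is not watched."""
        if pkt["domain"].lower().rstrip(".") not in self.watched:
            return None
        key = session_key(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["proto"])
        log = self.table.get(key)
        if log is None:
            log = SessionLog(key=key, first_seen=pkt["ts"])
            if pkt["type"] == "response":
                # Reply seen before (or without) its request: keep it, but flag the gap.
                log.missing = "no_request"
            self.table[key] = log
        feature = {"ts": pkt["ts"], "type": pkt["type"], "domain": pkt["domain"]}
        if pkt["type"] == "response":
            feature["rcode"] = pkt.get("rcode")
            feature["answers"] = pkt.get("answers", [])
            # Response time is only meaningful when the request was actually observed.
            feature["rtt"] = None if log.missing == "no_request" else pkt["ts"] - log.first_seen
        log.features.append(feature)
        return log

    def expire(self, now: float) -> List[SessionLog]:
        """Release sessions older than the timeout; request-only ones get the no_response flag."""
        released = []
        for key in [k for k, v in self.table.items() if now - v.first_seen >= self.timeout]:
            log = self.table.pop(key)
            if not log.complete() and log.missing is None:
                log.missing = "no_response"
            released.append(log)
        return released


SAMPLE_PACKETS = [  # constructed traffic; 10.0.0.53 plays the resolver
    {"ts": 1.0, "type": "request", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.53",
     "src_port": 40001, "dst_port": 53, "proto": "udp", "domain": "xxx.com"},
    {"ts": 1.02, "type": "response", "src_ip": "10.0.0.53", "dst_ip": "10.0.0.5",
     "src_port": 53, "dst_port": 40001, "proto": "udp", "domain": "xxx.com",
     "rcode": 0, "answers": ["203.0.113.7"]},
    # Response whose request was never seen (reordering or loss).
    {"ts": 2.0, "type": "response", "src_ip": "10.0.0.53", "dst_ip": "10.0.0.9",
     "src_port": 53, "dst_port": 40002, "proto": "udp", "domain": "yyy.com", "rcode": 3},
    # Request that never receives a response.
    {"ts": 3.0, "type": "request", "src_ip": "10.0.0.7", "dst_ip": "10.0.0.53",
     "src_port": 40003, "dst_port": 53, "proto": "udp", "domain": "xxx.com"},
    # Not a watched domain: ignored entirely.
    {"ts": 3.5, "type": "request", "src_ip": "10.0.0.7", "dst_ip": "10.0.0.53",
     "src_port": 40004, "dst_port": 53, "proto": "udp", "domain": "other.example"},
]


def run_sample(now: float = 10.0) -> Tuple[int, Dict[SessionKey, Tuple[Optional[str], int]]]:
    """Feed the constructed packets through the tracker; return (ignored count, key -> (flag, feature count))."""
    tracker = SessionTracker({"xxx.com", "yyy.com"})
    ignored = sum(1 for p in SAMPLE_PACKETS if tracker.handle(p) is None)
    summary = {log.key: (log.missing, len(log.features)) for log in tracker.expire(now)}
    return ignored, summary


if __name__ == "__main__":
    for key, (flag, n) in run_sample()[1].items():
        print(key, "features:", n, "missing:", flag)
```

`expire` doubles as the release step mentioned later in the text: a finished or timed-out log is handed back to whatever consumes it and its slot in the session table is freed.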
In addition, regarding the matching processing involved in this application, i.e. the matching carried out on the basis of the pre-configured domain name matching rules of the target object, it will be understood that operators can set the domain name matching rules in advance, and each rule can contain several domain names; these rules represent the domain names of the DNS traffic that the operators wish to monitor. The system then parses each received DNS packet, obtains its domain name information, and matches it against the user's preset rule list to see whether it is traffic of interest.
Furthermore, an update mechanism can be introduced for the use of the logs: once a log has served its subsequent purposes (such as query and display in a front-end interface, or other uses), its data can be cleared and the space of the log data structure released, providing a more favourable processing environment for the capture of other network traffic still to be processed and benefiting the overall data processing.
In the course of this work, this application found that if the conventional practice is followed, in which domain name matching is performed by string comparison against the domain name rules one by one, this is likely to become a system bottleneck when DNS traffic is heavy and/or the domain name matching rules are numerous, since it cannot sustain a massive volume of matching per unit time.
Therefore, as yet another specific implementation, this application introduces the hyperscan matching engine to perform the matching. That is, step S103, determining according to the receiver's domain name and the sender's domain name whether the network traffic to be processed matches the preset domain name matching rules of the target object, may specifically include:
determining, on the basis of the receiver's domain name and the sender's domain name, by means of the hyperscan engine, whether the network traffic to be processed matches the preset domain name matching rules of the target object, where the domain name keywords and their corresponding ID numbers have been written into the hyperscan engine for use in matching.
The hyperscan engine is a regular expression engine focused on high-performance multi-pattern and streaming matching; it can complete domain name matching quickly and efficiently and return the match result directly, greatly improving matching efficiency.
To illustrate with an example: if the administrator on the DNS device side wants to monitor the DNS traffic within the network that queries the domain names XXX.com and YYY.com, the corresponding domain name rule 1 and domain name rule 2 can be configured, containing those two domain names respectively.
During configuration of the hyperscan engine, two corresponding rule_ids are generated (a rule_id is locally unique and serves to distinguish different rules), and the two domain names XXX.com and YYY.com are added as keywords to the keyword array (here the keyword information can be formed according to regular expression syntax as needed, to achieve exact or fuzzy matching);
at the same time, each rule_id is added as the keyword's number to the ID number array, to be returned later as the match result.
The hyperscan compile API is then called to compile; this API requires the keyword array and the ID number array to be passed in, so that the keyword information involved in the domain name matching rules for XXX.com and YYY.com, together with their rule_ids, are all added to the hyperscan engine database, from which the hyperscan engine can carry out its domain name matching.
In the domain name matching itself, the hyperscan match API is called to perform the matching. This API requires a user-defined callback function that performs the post-match action; that function can simply return the rule_id of the rule that matched, so that it is possible to identify which rule was hit.
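The compile-and-callback workflow described above, as an added Python example that is neither the patent's code nor hyperscan itself: Python's re module and a hash lookup stand in for the hyperscan engine, while the interface shape follows the text (a compile step taking a keyword array plus a parallel id array, and a scan step that hands each matching rule's id to a callback). The rule ids, the rule-3 suffix pattern, the DomainRuleDB class and the query names are constructed. It also shows the caveat a practitioner wants when the text says keywords are regular expressions: a raw `XXX.com` dropped into a regex engine treats the dot as a wildcard and is unanchored, so the example escapes and anchors its pattern rules.

```python
"""Rule database with parallel keyword/id arrays and a match callback (added example, not the patent's code)."""
import re
from typing import Callable, Dict, List, Sequence, Tuple


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().lower().rstrip(".")


def suffix_pattern(domain: str) -> str:
    """Regex for a domain and its subdomains: dots escaped, end anchored, label boundary enforced."""
    return r"(^|\.)" + re.escape(normalize_name(domain)) + r"$"


def unanchored_keyword_matches(keyword: str, name: str) -> bool:
    """What a raw keyword dropped into the regex engine matches: '.' is a wildcard and nothing is anchored."""
    return re.search(keyword, normalize_name(name), re.IGNORECASE) is not None


class DomainRuleDB:
    """Compiled rule set: literal rules in a hash map, pattern rules as compiled regexes."""

    def __init__(self) -> None:
        self.exact: Dict[str, List[int]] = {}
        self.patterns: List[Tuple[re.Pattern, int]] = []

    def compile(self, keywords: Sequence[str], ids: Sequence[int], literal: Sequence[bool]) -> None:
        """Parallel arrays, as in a compile-multi call; ids must be locally unique."""
        if not (len(keywords) == len(ids) == len(literal)):
            raise ValueError("keyword, id and literal arrays must be the same length")
        if len(set(ids)) != len(ids):
            raise ValueError("rule ids must be locally unique")
        for kw, rule_id, is_literal in zip(keywords, ids, literal):
            if is_literal:
                self.exact.setdefault(normalize_name(kw), []).append(rule_id)
            else:
                self.patterns.append((re.compile(kw, re.IGNORECASE), rule_id))

    def scan(self, name: str, on_match: Callable[[int, str], None]) -> int:
        """Invoke on_match(rule_id, name) for every rule that hits; return the hit count."""
        name = normalize_name(name)
        hits = 0
        for rule_id in self.exact.get(name, ()):  # O(1) path for exact-domain rules
            on_match(rule_id, name)
            hits += 1
        for pattern, rule_id in self.patterns:  # hyperscan would run these as one automaton
            if pattern.search(name):
                on_match(rule_id, name)
                hits += 1
        return hits


def match_ids(db: DomainRuleDB, name: str) -> List[int]:
    """Collect the rule ids reported through the callback for one query name."""
    found: List[int] = []
    db.scan(name, lambda rule_id, _name: found.append(rule_id))
    return sorted(found)


def build_sample_db() -> DomainRuleDB:
    """Rules 1 and 2 are the exact domains from the text; constructed rule 3 covers YYY.com and its subdomains."""
    db = DomainRuleDB()
    db.compile(keywords=["XXX.com", "YYY.com", suffix_pattern("YYY.com")],
               ids=[1, 2, 3], literal=[True, True, False])
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for q in ["xxx.com.", "api.yyy.com", "xxx.com.evil.example", "notyyy.com"]:
        print(q, "->", match_ids(db, q))
```

The exact-match map is the cheap path for the common case of plain domain rules; only rules that genuinely need regex semantics pay for pattern evaluation, which is the work hyperscan accelerates in the text's design.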
For ease of understanding the above, reference may also be made to Figure 2, which shows a workflow diagram of the domain name matching processing of this application.
After the domain-name-based capture of network traffic is complete, as mentioned above, the corresponding data applications can be carried out, so that those applications operate on a precisely scoped set of network traffic, such as the log application discussed above.
Other types of data application can also be carried out according to system characteristics or application requirements, for example displaying the logs, computing the proportion of DNS traffic that matched, or drawing a domain-name-to-IP relationship graph; these can be adjusted flexibly to the actual situation. Because the processing object, namely the network traffic captured on the basis of domain names, is captured with high precision, the data applications built on it are correspondingly precise.
The above is the description of the domain-name-based network traffic processing method provided by this application. To facilitate better implementation of that method, this application also provides, from the perspective of functional modules, a domain-name-based network traffic processing apparatus.
Referring to Figure 3, which is a schematic structural diagram of the domain-name-based network traffic processing apparatus of this application, the domain-name-based network traffic processing apparatus 300 may specifically include the following structure:
an obtaining unit 301, configured to obtain the network traffic to be processed, where the network traffic to be processed is used to analyse whether it belongs to the network traffic of a preset target object;
an extraction unit 302, configured to extract, at the application layer, the receiver's domain name and the sender's domain name of the network traffic to be processed;
a determining unit 303, configured to determine, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rules of the target object, and if so, to determine that the network traffic to be processed belongs to the network traffic of the target object.
In an exemplary implementation, the apparatus further includes a log processing unit 304 which, if the network traffic to be processed is of the request packet type and the target object is a target session, is configured to:
create a log for the target object;
write the relevant session features of the network traffic to be processed into the log of the target session for storage.
In yet another exemplary implementation, the apparatus further includes a log processing unit 304 which, if the network traffic to be processed is of the response packet type and the target object is a target session, is configured to:
write the relevant session features of the network traffic to be processed into the log of the target session for storage.
In yet another exemplary implementation, the determining unit 303 is further configured to:
extract the five-tuple information of the network traffic to be processed, where the five-tuple information specifically comprises the source IP, destination IP, source port, destination port and protocol type;
determine, according to the five-tuple information, whether the network traffic to be processed belongs to the target session.
In yet another exemplary implementation, the apparatus further includes a log processing unit 304 which, if no related query packet or response packet exists for the network traffic to be processed and the target object is a target session, is configured to:
add, in the log of the network traffic to be processed for the target session, a missing flag for the network traffic to be processed, where the missing flag indicates that no related query packet or response packet exists for that network traffic.
In yet another exemplary implementation, the determining unit 303 is specifically configured to:
determine, on the basis of the receiver's domain name and the sender's domain name, by means of the hyperscan engine, whether the network traffic to be processed matches the preset domain name matching rules of the target object, where the domain name keywords and their corresponding ID numbers have been written into the hyperscan engine for use in matching.
In yet another exemplary implementation, the traffic to be processed is specifically DNS traffic passing through a DNS device.
This application also provides a processing device from the perspective of hardware structure. Referring to Figure 4, which is a schematic structural diagram of the processing device of this application, the processing device may include a processor 401, a memory 402 and an input/output device 403. When executing the computer program stored in the memory 402, the processor 401 implements the steps of the domain-name-based network traffic processing method in the embodiment corresponding to Figure 1, or alternatively implements the functions of the units in the embodiment corresponding to Figure 3; the memory 402 is used to store the computer program that the processor 401 needs in order to execute the domain-name-based network traffic processing method in the embodiment corresponding to Figure 1.
By way of example, the computer program may be divided into one or more modules/units, which are stored in the memory 402 and executed by the processor 401 to carry out this application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, the instruction segments describing the execution of the computer program in the computer apparatus.
The processing device may include, but is not limited to, the processor 401, the memory 402 and the input/output device 403. Those skilled in the art will understand that the illustration is merely an example of a processing device and does not limit it; the processing device may include more or fewer components than shown, combine certain components, or have different components. For example, the processing device may further include network access equipment, a bus, and so on, with the processor 401, memory 402, input/output device 403 and the like connected via the bus.
The processor 401 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control centre of the processing device and connects the various parts of the whole device via various interfaces and lines.
The memory 402 may be used to store computer programs and/or modules; the processor 401 implements the various functions of the computer apparatus by running or executing the computer programs and/or modules stored in the memory 402 and by invoking the data stored in it. The memory 402 may mainly comprise a program storage area and a data storage area, where the program storage area may store the operating system and the application programs required for at least one function, and the data storage area may store data created through use of the processing device. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, Flash Card, at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
When the processor 401 executes the computer program stored in the memory 402, it can specifically implement the following functions:
obtaining the network traffic to be processed, where the network traffic to be processed is used to analyse whether it belongs to the network traffic of a preset target object;
extracting, at the application layer, the receiver's domain name and the sender's domain name of the network traffic to be processed;
determining, according to the receiver's domain name and the sender's domain name, whether the network traffic to be processed matches the preset domain name matching rules of the target object;
if so, determining that the network traffic to be processed belongs to the network traffic of the target object.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the domain-name-based network traffic processing apparatus, the processing device and their respective units described above may be understood by reference to the description of the domain-name-based network traffic processing method in the embodiment corresponding to Figure 1, and are not repeated here.
Those of ordinary skill in the art will understand that all or some of the steps in the various methods of the above embodiments may be carried out by instructions, or by instructions controlling the relevant hardware; the instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, this application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the steps of the domain-name-based network traffic processing method in the embodiment corresponding to Figure 1 of this application. For the specific operations, reference may be made to the description of that method in the embodiment corresponding to Figure 1, which is not repeated here.
The computer-readable storage medium may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.
Because the instructions stored in the computer-readable storage medium can execute the steps of the domain-name-based network traffic processing method in the embodiment corresponding to Figure 1 of this application, they can achieve the beneficial effects that that method achieves; see the preceding description for details, which are not repeated here.
The domain-name-based network traffic processing method, apparatus, processing device and computer-readable storage medium provided by this application have been described in detail above. Specific examples have been used herein to explain the principles and implementations of this application, and the description of the above embodiments is intended only to help in understanding the method of this application and its core idea. At the same time, those skilled in the art will, in accordance with the idea of this application, make changes in its specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting this application.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211626406.1A CN115955423B (en) | 2022-12-16 | 2022-12-16 | A network traffic processing method, device and processing equipment based on domain name |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115955423A true CN115955423A (en) | 2023-04-11 |
| CN115955423B CN115955423B (en) | 2025-02-11 |
Family
ID=87296480
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211626406.1A Active CN115955423B (en) | 2022-12-16 | 2022-12-16 | A network traffic processing method, device and processing equipment based on domain name |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115955423B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180139229A1 (en) * | 2016-11-11 | 2018-05-17 | Verisign, Inc. | Profiling domain name system (dns) traffic |
| CN108632202A (en) * | 2017-03-16 | 2018-10-09 | 哈尔滨英赛克信息技术有限公司 | A kind of mass data is made a block booking the DNS deception measures under scape |
| CN115333765A (en) * | 2022-06-24 | 2022-11-11 | 国家工业信息安全发展研究中心 | Network traffic screening method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20241226. Address after: 200333, 5th floor, No. 3, Lane 556, Daduhe Road, Putuo District, Shanghai; Applicant after: Shanghai Anbotong Technology Co.,Ltd.; Country or region after: China. Address before: 200062 floors 2, 3, 21 and 22, No. 89, Yunling East Road, Putuo District, Shanghai; Applicant before: Shanghai Ambiton Information Technology Co.,Ltd.; Country or region before: China |
| | GR01 | Patent grant | |