Traffic information testing method, device and system
A traffic information testing technology, applied in the field of information security, that addresses the problems that keys are easily stolen, that unified security control is inconvenient and that security is insufficient; its aims are to reduce passive transformation of the application end, facilitate security control and improve security performance.
Pending Publication Date: 2021-11-02
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
0 Cites 0 Cited by
AI-Extracted Technical Summary
Problems solved by technology
[0003] 1. Insufficient security: the key is easily stolen
[0004] 2. If complex desensitization logic is involved, the application needs to de...
Method used
(1) Use an asymmetric encryption method of higher security to transfer data, realising traffic information desensitization without intrusion and reducing passive transformation of the application end;
Asymmetric encryption: consists of a public key and a private key; the public key encrypts and the private key decrypts, which avoids the key information being stolen by an attacker during key synchronisation and gives higher security. Workflow example: A sends information to B; A and B each have their own public/private key pair; A encrypts the plaintext with B's public key and sends it to B, and B decrypts it with B's private key.
Traffic recording platform: supports recording production-environment transaction traffic and replaying it in the test environment for program logic verification, solving the problem of incomplete coverage of boundary scenarios in conventional testing, revealing the risk of a system upgrade in advance and improving system robustness.
In summary, the computer device of the embodiment of the present invention first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate the traffic information; traffic information desensitization is thus achieved without intrusion, passive transformation of the application end is reduced, unified security management and control is facilitated, and the security performance of the traffic recording platform is improved.
In summary, the computer-readable storage medium of the embodiment of the present invention first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate the traffic information; traffic information desensitization is thus achieved without intrusion, passive transformation of the application end is reduced, unified security management and control is facilitated, and the traffic recordi...
Abstract
The invention provides a traffic information testing method, device and system, belongs to the technical field of information security, and can be applied to the financial field or other fields. The traffic information testing method comprises the following steps: receiving a forward index and a key label from an application end, and pulling a file block from the application end according to the forward index; decrypting the detail information corresponding to the key label in the file block according to a private key; and analyzing the decrypted file block to obtain traffic information, and sending the traffic information to the application end to enable the application end to perform simulation test on the traffic information. According to the invention, traffic information desensitization can be realized without invasion, passive transformation of the application end is reduced, unified security control is facilitated, and the security performance of a traffic recording platform is improved.
Application Domain
Data switching networks
Technology Topic
Computer network; Data mining; +4
Examples
Example Embodiment
[0029] The technical solutions in the embodiments of the present invention will be described below in connection with the drawings of the embodiments; it should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative labour fall within the scope of protection of the present invention.
[0030] Those skilled in the art will appreciate that embodiments of the present invention may be implemented as a system, apparatus, device, method or computer program product. Therefore, the present disclosure may be embodied in the form of entirely hardware, entirely software (including firmware, resident software, microcode, etc.), or a combination of hardware and software.
[0031] In view of the insufficient security of the prior art and the inconvenience of performing unified security control, the embodiment of the present invention provides a traffic information testing method, device and system. The purpose is to record traffic information in the production environment and simulate it in the test environment, so that investigation and root-cause location of fault information can be carried out without disturbing the production environment. The invention is described in detail below with reference to the accompanying drawings.
[0032] The key terms referred to in the present invention are defined as follows:
[0033] Traffic recording platform: supports recording of production-environment transaction traffic and program logic verification by replaying it in the test environment, solving the problem of boundary scenario coverage in conventional testing, revealing the risk of system upgrades in advance and enhancing system robustness.
[0034] Key tag: uses the Key/Value form, for example "EncryptKey": "HZ5-BMS-SM4-2"; when "EncryptKey" is not empty, processing is performed, otherwise processing is considered not required.
[0035] Encrypted keyword: keyword information that needs to be encrypted; for example, the customer number is an encrypted keyword.
[0036] Index: a mapping relationship, like the table of contents of a document, which points to a given content on a given page.
[0037] Forward index: finds the Value via the Key, where the Key is the file block name; the feature information of the associated file block can be looked up by the file block name.
[0038] Inverted index: finds the Value via the Key, where the Key is the feature information of the file block; for example, looking up in which file blocks the records whose key tag is TRUE and whose service name is A are stored.
[0039] Key management device: a device used uniformly in order to achieve unified and secure key management.
[0040] Asymmetric encryption: consists of a public key and a private key; the public key encrypts and the private key decrypts, which avoids the key information being stolen during key synchronisation and gives higher security. Workflow example: A sends information to B; A and B each have their own public/private key pair; A encrypts the plaintext with B's public key and sends it to B, and B decrypts it with B's private key.
[0041] Key information: information related to the key, such as the application name, key name, key and key algorithm type name; the unique public key information can be looked up according to the key information.
[0042] Figure 1 is a flow chart of the traffic information testing method in the embodiment of the present invention. Figure 2 is a flow chart of the traffic information testing method in another embodiment of the present invention. As shown in Figures 1 and 2, the traffic information testing method includes:
[0043] S101: Receive the forward index and the key tag from the application end, and pull the file block from the application end according to the forward index.
[0044] In a distributed scenario, each application may be just one microservice, and completing a full transaction requires calls between multiple microservices. To record traffic information over the full link, an Agent must be installed in each microservice, so the application end consists of multiple Apps (applications) and multiple Agents; each App has the Agent embedded to collect and encrypt the traffic information, ensuring security while collecting.
[0045] Before S101 is executed, the method includes: calling the key management device to generate a public key and a private key based on the key information entered in advance at the application end. The key information includes the application name, key name, key and key algorithm type name. The private key is stored locally on the server of the traffic recording platform.
[0046] The key tag is obtained by the application end through a pre-packaged public method, which is in essence a distributed interceptor (such as a Dubbo interceptor) that can intercept the traffic information of service calls, including time, IP, input parameters, output parameters, service name and server name. RpcContext.getRecordTag intercepts the called service to obtain the actual value of the key tag. The application end and the traffic recording platform agree on an interface, and the application end calls the traffic recording platform interface to send the key tag to the traffic recording platform.
[0047] Figure 3 is a schematic diagram of passing the key tag in the embodiment of the present invention. As shown in Figure 3, the tag information is passed layer by layer through the multiple microservices on the full link, and Dubbo's RpcContext can keep it on the link. For example, service A creates a key tag; when service A calls service B, service A uses RpcContext.setRecordTag to initialise the key tag, and service B uses RpcContext.getRecordTag to intercept the call from service A and obtain the actual value of the key tag. When service B calls service C, the key tag is still kept, so the value of the key tag can be obtained and determined across the full link.
[0048] In an embodiment, pulling the file block from the application end according to the forward index includes:
[0049] generating an inverted index according to the forward index, and pulling the file block from the application end according to the inverted index.
[0050] In specific implementation, the forward index is stored in a mapping relation table, and the inverted index is derived from it according to information such as the encrypted keywords. The inverted index records, for a certain period of time, which file blocks associated with a service name are located on which servers; the file blocks are subsequently pulled in batch from the application end using the automated operation and maintenance tool Ansible or another batch operation tool.
[0051] The forward index is generated by the application end: the application end scans all files, loops over them, records file names, location information and occurrences, and stores this mapping relation table or file as the index. The index may be reported at the frequency of one report each time a file block is finished and the next file block is started.
[0052] Indexes include forward indexes and inverted indexes. For example, a folder contains 5 files named 1.txt, 2.txt, 3.txt, 4.txt and 5.txt; 1.txt contains "I love to learn" and 2.txt contains "I don't want to work". As shown in Table 1, the forward index is keyed by file ID and records, for each file, the words it contains together with their number of occurrences and positions.
[0053] Table 1
[0054] 1.txt: I: 1 time, position 1; love: 2 times, position 2; ... 2.txt: I: 1 time, position 1; no: 2 times, position 2; ...
[0055] As shown in Table 2, the inverted index is keyed by word and records in which files the word appears, with its count and position.
[0056] Table 2
[0057] I: 1.txt: 1 time, position 1; 2.txt: 1 time, position 1; ... love: 1.txt: 1 time, position 2; ...
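The forward-to-inverted index construction that Tables 1 and 2 describe, written out as an added Go example (not code from the patent or its assignee): the application end builds the forward index by scanning files, and the platform side derives the inverted index from it and queries it by keyword. Whitespace tokenisation and 1-based word positions are assumptions of this example; the sample files are constructed after the 1.txt / 2.txt example above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Posting records how often a term occurs in one file and at which 1-based
// word positions, matching the "count, position" cells of Tables 1 and 2.
type Posting struct {
	Count     int
	Positions []int
}

// ForwardIndex is keyed by file name, then term (Table 1: file ID -> words).
type ForwardIndex map[string]map[string]*Posting

// InvertedIndex is keyed by term, then file name (Table 2: word -> files).
type InvertedIndex map[string]map[string]*Posting

// BuildForwardIndex does the application-end work: scan every file once and
// record each term's count and positions. Tokenising on whitespace is an
// assumption made for this example.
func BuildForwardIndex(files map[string]string) ForwardIndex {
	fwd := make(ForwardIndex)
	for name, text := range files {
		terms := make(map[string]*Posting)
		for i, tok := range strings.Fields(text) {
			p, ok := terms[tok]
			if !ok {
				p = &Posting{}
				terms[tok] = p
			}
			p.Count++
			p.Positions = append(p.Positions, i+1)
		}
		fwd[name] = terms
	}
	return fwd
}

// InvertIndex does the platform-side work: re-key the same postings by term
// so that "which files contain X" becomes a single map lookup.
func InvertIndex(fwd ForwardIndex) InvertedIndex {
	inv := make(InvertedIndex)
	for name, terms := range fwd {
		for term, p := range terms {
			if inv[term] == nil {
				inv[term] = make(map[string]*Posting)
			}
			inv[term][name] = p
		}
	}
	return inv
}

// FilesContaining answers the lookup the text describes for the inverted
// index (which file blocks hold a given keyword), in sorted order.
func FilesContaining(inv InvertedIndex, term string) []string {
	out := []string{}
	for name := range inv[term] {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample following the 1.txt / 2.txt example in the text.
	files := map[string]string{
		"1.txt": "I love to learn",
		"2.txt": "I don't want to work",
	}
	fwd := BuildForwardIndex(files)
	inv := InvertIndex(fwd)

	p := fwd["1.txt"]["love"]
	fmt.Printf("forward: 1.txt love -> %d time(s) at positions %v\n", p.Count, p.Positions)
	for _, term := range []string{"I", "to", "love"} {
		fmt.Printf("inverted: %q -> %v\n", term, FilesContaining(inv, term))
	}
}
```

The postings are shared between the two maps rather than copied, which is what makes deriving the inverted index from a reported forward index cheap; the lookup side only ever needs the term-keyed view.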
[0058] S102: Decrypt the detail information corresponding to the key tag in the file block according to the private key.
[0059] The detail information is encrypted by the application end using the public key obtained by calling the interface of the key management device. In specific implementation, when the application end obtains the actual value of the key tag, the corresponding traffic information is encrypted according to the key tag: when the key tag is not empty, the traffic information is encrypted to generate the detail information, which is written to the file block; when the key tag is empty, the traffic information is not encrypted and is written to the file block directly as the detail information. File blocks may be generated at a frequency of one file block per hour, and a single file block does not exceed 10,000 lines, so as to control the size and number of file blocks.
[0060] When S102 is executed, whether to decrypt the detail information in the file block is determined according to the key tag: when the key tag is not empty, the detail information is decrypted to obtain the traffic information; when the key tag is empty, the detail information is not decrypted and is used directly as the traffic information.
[0061] S103: Parse the decrypted file block to obtain the traffic information, and send the traffic information to the application end so that the application end can simulate the traffic information.
[0062] In specific implementation, parsing the decrypted file block yields the unencrypted traffic information in the file block, which is displayed through the front end, including time, IP, service name, input parameters, output parameters and server name. The application end simulates the traffic information in the test environment according to the input and output parameters and reproduces the fault scene. Based on the simulation results the application end investigates the specific cause; multiple replays are supported so that important information is not missed, which helps locate and analyse the root cause.
[0063] The execution body of the traffic information testing method in Figure 1 may be the traffic recording platform. As shown in Figure 1, the traffic information testing method of the embodiment first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate it; traffic information desensitization is thus achieved without intrusion, passive transformation of the application end is reduced, security control is facilitated, and the security performance of the traffic recording platform is improved.
[0064] Based on the same inventive concept, the embodiment of the present invention also provides a traffic information testing apparatus. Since the principle by which the apparatus solves the problem is similar to that of the traffic information testing method, the implementation of the apparatus can refer to the implementation of the method and is not repeated here.
[0065] Figure 4 is a block diagram of the traffic information testing apparatus in the embodiment of the present invention. As shown in Figure 4, the traffic information testing apparatus includes:
[0066] a pulling module, used to receive the forward index and the key tag from the application end and pull the file block from the application end according to the forward index;
[0067] a decryption module, used to decrypt the detail information corresponding to the key tag in the file block according to the private key;
[0068] a parsing module, used to parse the decrypted file block to obtain the traffic information and send the traffic information to the application end so that the application end can simulate it.
[0069] In summary, the traffic information testing apparatus of the embodiment first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate it; traffic information desensitization is thus achieved without intrusion, passive transformation of the application end is reduced, unified security control is facilitated, and the security performance of the traffic recording platform is improved.
[0070] The embodiment of the present invention further provides a specific embodiment of a computer device capable of implementing all the steps of the traffic information testing method in the above embodiment. Figure 5 is a block diagram of the computer device in the embodiment of the present invention; as shown in Figure 5, the computer device includes:
[0071] a processor 501 and a memory 502.
[0072] The processor 501 is configured to invoke the computer program in the memory 502 and, when executing the computer program, to perform all the steps of the traffic information testing method in the above embodiment, for example the following steps:
[0073] receive the forward index and the key tag from the application end, and pull the file block from the application end according to the forward index;
[0074] decrypt the detail information corresponding to the key tag in the file block according to the private key;
[0075] parse the decrypted file block to obtain the traffic information, and send the traffic information to the application end so that the application end can simulate it.
[0076] In summary, the computer device of the embodiment first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate it; traffic information desensitization is thus achieved without intrusion, passive transformation of the application end is reduced, unified security control is facilitated, and the security performance of the traffic recording platform is improved.
[0077] The embodiment of the present invention further provides a computer-readable storage medium capable of implementing all the steps of the traffic information testing method in the above embodiment. The computer-readable storage medium stores a computer program which, when executed by a processor, implements all the steps of the traffic information testing method in the above embodiment, for example the following steps:
[0078] receive the forward index and the key tag from the application end, and pull the file block from the application end according to the forward index;
[0079] decrypt the detail information corresponding to the key tag in the file block according to the private key;
[0080] parse the decrypted file block to obtain the traffic information, and send the traffic information to the application end so that the application end can simulate it.
[0081] In summary, the computer-readable storage medium of the embodiment first pulls the file block from the application end according to the forward index, then decrypts the detail information corresponding to the key tag in the file block according to the private key, and finally parses the decrypted file block to obtain the traffic information and sends it to the application end so that the application end can simulate it; traffic information desensitization is thus achieved, passive transformation of the application end is reduced, unified security control is facilitated, and the security performance of the traffic recording platform is improved.
[0082] Based on the same inventive concept, the embodiment of the present invention also provides a traffic information testing system. Since the principle by which the system solves the problem is similar to that of the traffic information testing method, the implementation of the system can refer to the implementation of the method and is not repeated here.
[0083] Figure 6 is a schematic diagram of the interaction in the traffic information testing system of the embodiment of the present invention. Figure 7 is a schematic diagram of the asymmetric encryption and decryption in the traffic information testing system of the embodiment. As shown in Figures 6 and 7, the traffic information testing system includes:
[0084] a key management device;
[0085] an application end, used to call the key management device to enter the key information; intercept the called service to obtain the key tag and the traffic information; encrypt the traffic information corresponding to the key tag according to the public key obtained by calling the key management device, producing detail information; write the detail information to a file block; generate a forward index according to the file block; send the forward index and the key tag to the traffic recording platform; and simulate the traffic information received from the traffic recording platform;
[0086] a traffic information testing device, deployed on the traffic recording platform, used to call the key management device to generate a public key and a private key from the key information; pull the file block from the application end according to the forward index; decrypt the detail information corresponding to the key tag in the file block according to the private key; and parse the decrypted file block to obtain the traffic information and send it to the application end.
[0087] As shown in Figure 6, the application end reports the forward index and the key tag to the traffic recording platform; the traffic recording platform pulls the file block from the application end and decrypts it with the key. The core of the traffic recording platform side is a mapping table and a display, which mainly implement the following functions: 1. saving the reported forward index in the mapping table and computing the inverted index; 2. pulling file blocks from the application end according to the inverted index; 3. decrypting and parsing the acquired file blocks and finally displaying them at the front end.
[0088] As shown in Figure 7, the key management device mainly provides the following functions: 1. entry of key information; 2. key creation, randomly generating different keys for different environments; 3. exposing the stored public key of the traffic recording platform through the _pub interface, which provides an API for third parties to call and obtain it.
[0089] The present invention uses an asymmetric encryption and decryption algorithm; asymmetric encryption uses a public/private key pair for encryption and decryption respectively, which increases security. The traffic recording platform keeps the private key for decryption, and the application end keeps the public key for encryption.
[0090] Key information entry 41: the application end calls the key management device to enter the key information, including the application name, key name, key, key algorithm type name and the like.
[0091] Key generation 42: the traffic recording platform calls the key management device to generate the public and private keys. The public key is stored in the key management device and can be queried by the application end through an interface call; the private key is kept locally on the server of the traffic recording platform.
[0092] Sending the key tag 43: the application end sends the key tag to the traffic recording platform, so that the traffic recording platform can judge according to the key tag whether the detail information needs to be decrypted.
[0093] Obtaining the public key from the key management device 44: the application end calls the key management device to obtain the public key and encrypts the traffic information with it (encrypting the traffic information with the public key, see 45).
[0094] Pulling file blocks 46: the traffic recording platform pulls the file blocks according to the inverted index.
[0095] Decrypting the file block with the private key 47: when the key tag is not empty, the traffic recording platform decrypts the file block with the private key.
[0096] Playback 48: the application end replays the traffic information in the test environment.
[0097] A specific embodiment of the process of the present invention is as follows:
[0098] 1. The application end calls the key management device to enter the key information.
[0099] 2. The traffic information testing device calls the key management device to generate the public and private keys from the key information; the public key is stored in the key management device and the private key is stored on the traffic recording platform.
[0100] 3. The application end calls the key management device to obtain the public key, intercepts the called service to obtain the traffic information and the key tag, and encrypts the traffic information corresponding to the key tag with the public key to generate the detail information.
[0101] 4. The application end writes the detail information to a file block, generates a forward index according to the file block, and sends the forward index and the key tag to the traffic recording platform.
[0102] 5. The traffic recording platform pulls the file block from the application end according to the forward index, decrypts the detail information corresponding to the key tag in the file block according to the private key, parses the decrypted file block to obtain the traffic information, and sends the traffic information to the application end.
[0103] 6. The application end simulates and tests the traffic information.
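Steps 1 to 6 above, together with S101 to S103, reduced to the key-tag decision and the asymmetric encrypt/decrypt pair, as an added Go example that is not code from the patent or its assignee. Key-pair generation stands in for the key management device, index handling and file-block I/O are left out, and the following are assumptions made for this example: the hybrid construction (a fresh AES-256-GCM data key per record, wrapped with RSA-OAEP, so records larger than one RSA block can be handled), the OAEP label, the sample record, and the use of the "EncryptKey" tag name from the key-tag definition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel is a constructed label for this example; both sides must use the same one.
var oaepLabel = []byte("traffic-data-key")

// KeyTag is the Key/Value tag carried along the call chain, e.g.
// {"EncryptKey": "HZ5-BMS-SM4-2"}. An empty EncryptKey means "do not encrypt".
type KeyTag map[string]string

func (t KeyTag) NeedsEncryption() bool { return t["EncryptKey"] != "" }

// Detail is one record as written into a file block: the plaintext traffic
// information when the tag is empty, otherwise its ciphertext.
type Detail struct {
	Tag        KeyTag
	Encrypted  bool
	WrappedKey []byte // AES data key wrapped under the platform's RSA public key
	Nonce      []byte
	Payload    []byte // AES-GCM ciphertext, or the plaintext record when Encrypted is false
}

// GenerateKeyPair stands in for the key management device: the public key goes
// to the application end, the private key stays on the traffic recording platform.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds an AES-GCM AEAD from a raw data key (32 bytes here, so AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptTraffic is the application-end step (steps 3 and 4 above): encrypt
// only when the key tag is not empty, otherwise store the record as-is.
func EncryptTraffic(pub *rsa.PublicKey, tag KeyTag, record []byte) (*Detail, error) {
	if !tag.NeedsEncryption() {
		return &Detail{Tag: tag, Payload: record}, nil
	}
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Bind the tag value as associated data: a detail whose tag was altered
	// after writing fails authentication instead of decrypting silently.
	payload := gcm.Seal(nil, nonce, record, []byte(tag["EncryptKey"]))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Detail{Tag: tag, Encrypted: true, WrappedKey: wrapped, Nonce: nonce, Payload: payload}, nil
}

// DecryptDetail is the platform-side step S102 (step 5 above): decrypt only
// when the key tag is not empty; otherwise use the detail directly as traffic information.
func DecryptDetail(priv *rsa.PrivateKey, d *Detail) ([]byte, error) {
	if !d.Tag.NeedsEncryption() {
		return d.Payload, nil
	}
	if !d.Encrypted {
		return nil, errors.New("key tag set but detail was stored unencrypted")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, d.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, d.Nonce, d.Payload, []byte(d.Tag["EncryptKey"]))
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed traffic record in the shape the text lists (time, IP, service, parameters).
	record := []byte(`{"time":"2021-01-01T10:00:00Z","ip":"10.0.0.1","service":"A","input":{"custNo":"C123"},"output":{"ok":true}}`)
	for _, tag := range []KeyTag{{"EncryptKey": "HZ5-BMS-SM4-2"}, {"EncryptKey": ""}} {
		d, err := EncryptTraffic(&priv.PublicKey, tag, record)
		if err != nil {
			panic(err)
		}
		out, err := DecryptDetail(priv, d)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tag=%q encrypted=%v roundtrip_ok=%v\n", tag["EncryptKey"], d.Encrypted, string(out) == string(record))
	}
}
```

Two checks on the platform side go beyond what the text spells out and are worth keeping: a detail whose tag says "encrypt" but which arrives as plaintext is rejected rather than displayed, and because the tag value is authenticated along with the ciphertext, a tag that was changed between the application end and the platform makes decryption fail instead of quietly producing traffic information under the wrong label.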
[0104] In summary, the traffic information testing system provided by the embodiment of the present invention has the following advantages:
[0105] (1) it transfers data using asymmetric encryption of higher security, achieving traffic information desensitization without intrusion and reducing passive transformation of the application end;
[0106] (2) it provides a unified scheme for traffic information desensitization, so the application end does not need to develop custom desensitization code and can share common logic, which facilitates unified security control;
[0107] (3) the recording of traffic information data is, on the whole, completely transparent to the user with no perceptible effect; the security of user data is fully considered and there is no data leakage problem, which improves the security performance of the traffic recording platform.
[0108] The specific embodiments described above further describe the purposes, technical solutions and beneficial effects of the present invention in detail; it should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention should be included within its scope of protection.
[0109] Those skilled in the art will appreciate that the various illustrative logical blocks, units and steps listed in the embodiments of the present invention may be implemented by electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the various illustrative components, units and steps above have been described in terms of their function. Whether such function is implemented in hardware or in software depends on the particular application and the design requirements of the overall system. Those skilled in the art may implement the described functionality in various ways for each particular application, but such implementation should not be construed as going beyond the scope of protection of the present invention.
[0110] The various illustrative logical blocks described in the embodiment of the present invention, or cells, or a device may be a general purpose processor, a digital signal processor, application specific integrated circuit (ASIC), field programmable gate arrays or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to implement functions or operations described. A general purpose processor may be a microprocessor, optionally, the general-purpose processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors combined a digital signal processor core, or any other similar configuration accomplish.
[0111] Examples are steps of a method or algorithm described in the embodiment of the present invention can be embedded directly in hardware, in a software module executed by a processor, or a combination of both. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, CD-ROM, or any other form of storage medium in the art. Illustratively, the storage medium may be coupled to the processor such that the processor can read information from the storage medium, and may be stored writing information to the storage medium. Alternatively, the storage medium may be integral to the processor. Processor and the storage medium may be provided in an ASIC, ASIC may be provided in a user terminal. Alternatively, the processor and the storage medium may be provided in a user terminal different components.
[0112] In one or more exemplary designs, the functions of the above-described embodiment of the present invention described embodiments may be implemented in hardware, software, firmware or any combination of the three. If implemented in software, the functions may be stored on computer-readable media, or transmitted as one or more instructions or code on a computer-readable form of the medium. Computer-readable media include computer storage media and so allow the computer to facilitate program from one place to the other parts of the communication medium. Storage medium may be any available media that can be accessed general purpose or special computer access. For example, such computer-readable media can include but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other may be used to carry or store instructions or data structures and It may be other general purpose or special computer, or media program codes read a general purpose or special form of processor. Also, any connection may be suitably defined as a computer-readable medium, e.g., if software is transmitted from a website site, server, or other remote source through a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or to transmit infrared, radio, and microwave wireless manner, for example, is also included in the computer readable medium as defined. The disc (Disk) and disk (Disc) comprises a compact disc, laser disc, optical disc, DVD, floppy disk and blu-ray disc disks usually reproduce data magnetically, while discs usually reproduce data optically with a laser. Combinations of the above may also be included in the computer readable medium.