Network traffic processing method and apparatus, electronic device, and storage medium

By mounting a network traffic detection tool in the operating system, generating tuple information and performing policy parsing, the security and universality issues caused by hardware changes in network traffic processing are resolved, achieving flexible and accurate network traffic processing and enhanced security.

CN116527309BActive Publication Date: 2026-07-14INDUSTRIAL AND COMMERCIAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
Filing Date
2023-03-10
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, whitelists and other related rules in the network traffic processing process become invalid due to changes in operating system and server hardware, resulting in low network security and poor universality.

Method used

By mounting network traffic detection tools in the operating system, tuple information is generated and policy parsing is performed based on the target port to generate target processing policies. These policies are then combined with custom policies to process network traffic, including intercepting or loading network traffic.

Benefits of technology

It improves the versatility and network security of network traffic detection tools, ensuring accurate and flexible handling of network traffic even with changes in operating system hardware, and reducing viruses and unauthorized access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116527309B_ABST
    Figure CN116527309B_ABST
Patent Text Reader

Abstract

The present disclosure provides a network traffic processing method and device, electronic equipment and storage medium, which can be applied to the technical field of network security. The method comprises: in response to receiving network data, using a network traffic detection tool mounted in an operating system to perform packet analysis on network traffic of the network data to generate multivariate information; based on a target port in the multivariate information, performing policy analysis on the network traffic to generate a target processing policy; and based on the target processing policy and a custom policy written by a user based on a detection requirement of the operating system, processing the network traffic.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of network security technology, and more specifically, to a network traffic processing method, apparatus, electronic device, storage medium, and program product. Background Technology

[0002] With the development of technology, network security is receiving increasing attention from various enterprise platforms. Various types of network traffic can enter business systems and upper-layer applications through network interface cards (NICs), potentially causing damage to these systems. To prevent malicious network access from damaging, altering, or leaking data within the network system and to ensure its secure and reliable operation, security detection of network access is necessary. Related technologies include using antivirus software to check local files or processes and employing whitelists and domain names for coarse-grained processing of network traffic packets.

[0003] In the process of realizing the present invention, the inventors discovered that the related technology has at least the following problems: in the process of processing network traffic, whitelists and other related rules may become invalid due to changes in the server hardware running the operating system, resulting in poor universality and low network security. Summary of the Invention

[0004] In view of the above, embodiments of this disclosure provide a network traffic processing method, apparatus, electronic device, storage medium, and program product.

[0005] One aspect of this disclosure provides a network traffic processing method, comprising: in response to receiving network data, performing packet analysis on the network traffic of the network data using a network traffic detection tool mounted in the operating system to generate tuple information; performing policy parsing on the network traffic based on the target port in the tuple information to generate a target processing policy; and processing the network traffic based on the target processing policy and a custom policy written by the user based on the detection requirements of the operating system.

[0006] According to embodiments of this disclosure, the above-mentioned strategy parsing of network traffic based on the target port in the tuple information to generate a target processing strategy includes: determining the dataset corresponding to the network traffic packet in a clustering information table based on the target port, wherein the clustering information table includes multiple datasets obtained by clustering analysis of multiple sample packets; matching the tuple information with multiple data packets in the dataset to generate a matching result; and generating a target processing strategy for the packet based on the matching result.

[0007] According to embodiments of this disclosure, the target processing strategy for generating the message based on the matching result includes: when the tuple information does not belong to any category of data packet in the dataset, determining that the target processing strategy is to intercept the message based on a preset interception rule; and when the tuple information belongs to any category of data packet in the dataset, determining that the target processing strategy is to load the message using the kernel processing function in the operating system.

[0008] According to embodiments of this disclosure, before performing packet analysis on the network traffic of the network data using a network traffic detection tool mounted in the operating system, the method further includes: using the network traffic detection tool to call a soft interrupt handling function in the kernel of the operating system to interrupt the transmission of the network data.

[0009] According to an embodiment of this disclosure, the method further includes: responding to an access request to the clustering information table, identifying the access request based on a preset access rule to obtain an identification result; and displaying the clustering information table if the identification result is successful.

[0010] According to embodiments of this disclosure, the processing of network traffic based on the target processing strategy and the user-defined strategy based on the detection requirements of the operating system includes: processing the network traffic based on the target processing strategy to obtain a processing result; and, if the processing result is to block the network traffic, processing the network traffic based on the defined strategy, wherein the defined strategy includes user-defined whitelist rules.

[0011] According to an embodiment of this disclosure, before responding to receiving network data, the method further includes: receiving the network traffic detection tool from the development end, wherein the network traffic detection tool is logic code written based on traffic monitoring business requirements; and dynamically mounting the network traffic detection tool to the operating system.

[0012] According to embodiments of this disclosure, different target ports correspond to different processes, and the method further includes: sending the loaded network traffic to the process corresponding to the target port when the network traffic is not intercepted.

[0013] Another aspect of this disclosure provides a network traffic processing apparatus, comprising: a packet analysis module, configured to, in response to receiving network data, perform packet analysis on the network traffic of the network data using a network traffic detection tool mounted in the operating system, and generate tuple information; a policy parsing module, configured to perform policy parsing on the network traffic based on the target port in the tuple information, and generate a target processing policy; and a processing module, configured to process the network traffic based on the target processing policy and a custom policy written by a user based on the detection requirements of the operating system.

[0014] Another aspect of this disclosure provides an electronic device, including: one or more processors; and a memory for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to perform the methods described above.

[0015] Another aspect of this disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, implement the method described above.

[0016] Another aspect of this disclosure provides a computer program product including computer-executable instructions that, when executed, implement the method described above.

[0017] According to embodiments of this disclosure, when the operating system receives network data, it uses a network traffic detection tool mounted on the operating system to perform packet analysis on the network traffic. The network traffic is then processed based on target processing strategies and user-defined strategies written according to the operating system's detection requirements. Processing network data before it enters the server reduces the risk of various viruses, Trojans, and unauthorized access from the source. Based on the target port in the tuple information, policy parsing is performed on the network traffic; different target ports have corresponding target processing strategies, making network traffic processing more flexible and accurate. Because the technique of mounting the network traffic detection tool on the operating system is adopted, it at least partially overcomes the technical problem of processing strategies becoming ineffective due to changes in server hardware, improving the versatility of the network traffic detection tool and effectively enhancing network security. Attached Figure Description

[0018] The above and other objects, features and advantages of this disclosure will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0019] Figure 1 This illustration schematically shows an exemplary system architecture to which network traffic processing methods and apparatus can be applied according to embodiments of the present disclosure;

[0020] Figure 2 A flowchart illustrating a network traffic processing method according to an embodiment of the present disclosure is shown schematically.

[0021] Figure 3 A flowchart illustrating a network traffic processing method according to another embodiment of the present disclosure is shown schematically;

[0022] Figure 4 A flowchart illustrating a network traffic processing method according to an embodiment of the present disclosure is shown.

[0023] Figure 5 A block diagram of a network traffic processing apparatus according to an embodiment of the present disclosure is shown schematically.

[0024] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a network traffic processing method according to an embodiment of the present disclosure. Detailed Implementation

[0025] The embodiments of the present disclosure will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of the disclosure. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of the present disclosure for ease of explanation. However, it will be apparent that one or more embodiments may be practiced without these specific details. Furthermore, descriptions of well-known structures and techniques are omitted in the following description to avoid unnecessarily obscuring the concepts of the present disclosure.

[0026] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit this disclosure. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0027] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0028] When using expressions such as "at least one of A, B, and C," the expression should generally be interpreted in accordance with the meaning commonly understood by a person skilled in the art (e.g., "a system having at least one of A, B, and C" should include, but is not limited to, systems having A alone, having B alone, having C alone, having A and B, having A and C, having B and C, and / or having A, B, and C, etc.). Similarly, when using expressions such as "at least one of A, B, or C," the expression should generally be interpreted in accordance with the meaning commonly understood by a person skilled in the art (e.g., "a system having at least one of A, B, or C" should include, but is not limited to, systems having A alone, having B alone, having C alone, having A and B, having A and C, having B and C, and / or having A, B, and C, etc.).

[0029] In the technical solutions disclosed herein, the collection, storage, use, processing, transmission, provision, disclosure, and application of data (including but not limited to user personal information) comply with the provisions of relevant laws and regulations, necessary confidentiality measures have been taken, and they do not violate public order and good morals.

[0030] In related technologies, when a network interface card (NIC) receives a data packet, it triggers a hardware interrupt. This hardware interrupt then triggers the NIC driver to initiate a software interrupt. The kernel's software interrupt handler (ksofttirqd) is responsible for handling the software interrupt logic, and the kernel software interrupt process calls the handler function (net_rx_action) to process the received network data. After network traffic enters various business systems and upper-layer applications, it utilizes the preset whitelists in various antivirus software and coarse-grained traffic control based on domain names to detect and kill static files and running processes on the server.

[0031] Processing network traffic after it enters various business systems and upper-layer applications leads to lower server security. Furthermore, during the network traffic processing, whitelists and other related rules may become invalid due to changes in the server hardware running the operating system, resulting in poor versatility.

[0032] In view of the above, embodiments of this disclosure provide a network traffic processing method, a network traffic processing apparatus, an electronic device, a readable storage medium, and a computer program product. The network traffic processing method includes, in response to receiving network data, performing packet analysis on the network traffic of the network data using a network traffic detection tool mounted in the operating system to generate tuple information; performing policy parsing on the network traffic based on the target port in the tuple information to generate a target processing policy; and processing the network traffic based on the target processing policy and a custom policy written by the user based on the detection requirements of the operating system.

[0033] Figure 1This illustration schematically depicts an exemplary system architecture to which network traffic processing methods and apparatus can be applied according to embodiments of this disclosure. It should be noted that... Figure 1 The examples shown are merely examples of system architectures that can be applied to the embodiments of this disclosure, in order to help those skilled in the art understand the technical content of this disclosure, but do not mean that the embodiments of this disclosure cannot be used in other devices, systems, environments or scenarios.

[0034] like Figure 1 As shown, the system architecture 100 according to this embodiment may include terminal devices 101, 102, and 103, a network 104, and a server 105. The network 104 serves as a medium for providing a communication link between the terminal devices 101, 102, and 103 and the server 105. The network 104 may include various connection types, such as wired and / or wireless communication links.

[0035] Users can use terminal devices 101, 102, and 103 to interact with server 105 via network 104 to receive or send messages, etc. Various communication client applications can be installed on terminal devices 101, 102, and 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, and / or social platform software, etc. (for example only).

[0036] Terminal devices 101, 102, and 103 can be various electronic devices with displays and web browsing capabilities, including but not limited to smartphones, tablets, laptops, and desktop computers.

[0037] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using terminal devices 101, 102, and 103 (for example only). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.

[0038] It should be noted that the network traffic processing method provided in this embodiment can generally be executed by server 105. Correspondingly, the network traffic processing device provided in this embodiment can generally be located in server 105. The network traffic processing method provided in this embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105. Correspondingly, the network traffic processing device provided in this embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105. Alternatively, the network traffic processing method provided in this embodiment can also be executed by terminal devices 101, 102, or 103, or by other terminal devices different from terminal devices 101, 102, or 103. Accordingly, the network traffic processing device provided in this embodiment may also be disposed in terminal devices 101, 102, or 103, or in other terminal devices different from terminal devices 101, 102, or 103.

[0039] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.

[0040] Figure 2 A flowchart illustrating a network traffic processing method according to an embodiment of the present disclosure is shown schematically.

[0041] like Figure 2 As shown, the method includes operations S201 to S203.

[0042] In operation S201, in response to receiving network data, the network traffic analysis tool mounted in the operating system is used to perform packet analysis on the network traffic of the network data and generate tuple information.

[0043] In operation S202, based on the target port in the tuple information, the network traffic is parsed to generate the target processing policy.

[0044] In operation S203, network traffic is processed based on target processing strategies and user-defined strategies written based on operating system detection requirements.

[0045] According to embodiments of this disclosure, network data enters the server via a network interface card (NIC). When the NIC receives network data, it uses a network traffic analysis tool mounted on the operating system to analyze the network traffic, obtaining information elements such as the source IP address, protocol type, character encoding, source port, and destination port of the data packets. This information is then saved into a tuple to generate tuple information. For example, a 5-tuple might be: 192.168.0.1, TCP, UTF-8, 10000, 80.

[0046] According to embodiments of this disclosure, the policy parsing module in a network traffic detection tool determines the target processing policy corresponding to a packet by matching the target port of the source packet being forwarded in the network traffic against a classification information table in a database, based on the target port. The classification information table can be obtained through clustering or statistical methods.

[0047] According to embodiments of this disclosure, the network traffic detection tool receives user-defined policies remotely sent in real time via a user policy customization module. These custom policies can be logic code written by the user based on the operating system's detection requirements, or user-defined whitelist rules. The custom policies include various levels of traffic processing strategies, such as server-level, process-level, and user-level policies. For example, a custom policy might allow any UDP packets from 192.32.0.* to be processed without verification.

[0048] According to embodiments of this disclosure, network traffic is processed based on target processing policies and custom policies. If the network traffic is not blocked by any of the policies after processing, the packet is forwarded to the kernel's `net_rx_action` function, which loads the packet into memory for use by the corresponding process. If the network traffic is blocked by a policy after processing, it is processed according to preset blocking rules, such as discarding the packet.

[0049] According to embodiments of this disclosure, when the operating system receives network data, it uses a network traffic detection tool mounted on the operating system to perform packet analysis on the network traffic. The network traffic is then processed based on target processing strategies and user-defined strategies written according to the operating system's detection requirements. Processing network data before it enters the server reduces the risk of various viruses, Trojans, and unauthorized access from the source. Based on the target port in the tuple information, policy parsing is performed on the network traffic; different target ports have corresponding target processing strategies, making network traffic processing more flexible and accurate. Because the technique of mounting the network traffic detection tool on the operating system is adopted, it at least partially overcomes the technical problem of processing strategies becoming ineffective due to changes in server hardware, improving the versatility of the network traffic detection tool and effectively enhancing network security.

[0050] Figure 3 A flowchart illustrating a network traffic processing method according to another embodiment of the present disclosure is shown.

[0051] According to embodiments of this disclosure, such as Figure 3 As shown, when network data arrives at the operating system, the operating system kernel's soft interrupt handler (ksofttirqd) is responsible for handling the soft interrupt logic. Network traffic is processed using a network traffic detection tool. The processed network traffic can then be forwarded to the relevant processes running on the server for business processing after the receiving network data is processed by calling the processing function (net_rx_action). The processed network traffic can also be intercepted according to preset interception rules.

[0052] According to embodiments of this disclosure, generating a target processing policy by parsing network traffic based on the target port in the tuple information may include the following operations:

[0053] Based on the target port, the data set corresponding to the network traffic packets is determined in the clustering information table, which includes multiple data sets obtained by clustering analysis of multiple sample packets; the tuple information is matched with multiple data packets in the data set to generate matching results; and the target processing strategy for the packets is generated based on the matching results.

[0054] According to embodiments of this disclosure, the clustering information table treats tuple information from multiple sample packets targeting the same port as a single dataset. Each dataset includes multiple data packets. Then, a clustering algorithm (such as K-means) is applied to each dataset to obtain multiple clustering results. Each cluster represents a data packet type. For example, the clustering information table includes clustering analysis of the dataset targeting port 80, resulting in 6 data packet types.

[0055] The first category includes:

[0056] 192.168.0.*, TCP, ASCII, 50000, 80;

[0057] 192.168.0.*, TCP, ASCII, 110000, 80.

[0058] The second category includes:

[0059] 192.168.0.*, TCP, UTF-8, 10000, 80;

[0060] 192.168.0.*, TCP, UTF-8, 70000, 80.

[0061] The third category includes:

[0062] 192.168.0.*,TCP,GBK,90000,80;

[0063] 192.168.0.*,TCP,GBK,30000,80.

[0064] The fourth category includes;

[0065] 192.168.0.*, UDP, ASCII, 20000, 80;

[0066] 192.168.0.*, UDP, ASCII, 80000, 80.

[0067] The fifth category includes:

[0068] 192.168.0.*, UDP, UTF-8, 40000, 80;

[0069] 192.168.0.*, UDP, UTF-8, 100000, 80.

[0070] Category 6 includes:

[0071] 192.168.0.*, UDP, GBK, 60000, 80;

[0072] 192.168.0.*, UDP, GBK, 20000, 80.

[0073] According to embodiments of this disclosure, after determining the dataset corresponding to the target port in the clustering information table, the tuple information is matched with multiple data packets in the dataset to determine whether the tuple information belongs to any category of data packets in the clustering information table, thereby generating a matching result. For example, if a message 192.168.0.32, UDP, UTF-8, 40000, 80 is received, this message belongs to the fifth category of data packets, and the matching result is that the tuple information belongs to any category of data packets in the dataset. If another message 192.32.0.32, UDP, UTF-8, 43000, 80 is received, it is determined that this message does not belong to any category of port 80, and the matching result is that the tuple information does not belong to any category of data packets in the dataset. Based on the matching result, a target processing strategy for the message is generated. Since different target ports correspond to different processes, different target processing strategies are applied to different processes in the server, making the processing of network traffic more flexible and accurate.

[0074] According to embodiments of this disclosure, a target processing strategy for generating messages based on matching results may include the following steps:

[0075] If the data packet whose tuple information does not belong to any category in the dataset, the target processing strategy is to intercept the packet based on the preset interception rules; if the data packet whose tuple information belongs to any category in the dataset, the target processing strategy is to load the packet using the kernel processing function in the operating system.

[0076] According to embodiments of this disclosure, if a data packet whose tuple information does not belong to any category in the dataset, it indicates that the packet belongs to an unknown category and may contain viruses or be inconsistent with the business of this server. Therefore, the target processing strategy is to intercept it. The preset interception rule can be to directly discard the packet or to alert the administrator for manual judgment.

[0077] According to embodiments of this disclosure, if a packet whose tuple information does not belong to any category in the dataset indicates that the packet conforms to the service corresponding to this server, the packet is forwarded to the kernel's net_rx_action function, which will load the packet into memory for use by the corresponding process.

[0078] According to embodiments of this disclosure, before performing packet analysis on network traffic of network data using a network traffic detection tool mounted in the operating system, the method may further include the following operations:

[0079] By using network traffic detection tools, the software interrupt handling function in the kernel of the operating system is called to interrupt the transmission of network data.

[0080] According to embodiments of this disclosure, the kernel interaction module of the network traffic detection tool interacts with the kernel's ksofttirqd soft interrupt handling function to interrupt the transmission of network traffic, and introduce the network traffic into the network traffic detection tool for processing. If the processing is successful, the transmission continues, effectively improving network security from the source.

[0081] According to embodiments of this disclosure, the method may further include the following operations:

[0082] In response to an access request to the clustering information table, the access request is identified based on preset access rules to obtain the identification result; if the identification result is successful, the clustering information table is displayed.

[0083] According to embodiments of this disclosure, when accessing a clustering information table, an access request is sent, and the request is responded to by identifying the user based on preset access rules. These preset access rules can be the identity information of specified industry personnel. If the identification is successful, the clustering information table is displayed. If the access fails, the message "Access denied" is displayed as a warning. By setting preset access rules, malicious actors are prevented from modifying network traffic based on the clustering results in the clustering information table, causing network traffic detection tools to fail to intercept them, thus effectively improving network security.

[0084] Figure 4 A schematic flowchart of a network traffic processing method according to an embodiment of the present disclosure is shown.

[0085] like Figure 4 As shown, network traffic is processed based on the target processing strategy and the user's custom strategy written based on the operating system's detection requirements, which may include operations S401 to S404.

[0086] In operation S401, network traffic is processed based on the target processing strategy to obtain the processing results.

[0087] In operation S402, the network traffic is determined to be blocked based on the processing result of the target processing policy.

[0088] When operating S403, if the processing result is to block network traffic, the network traffic is processed based on a custom policy to obtain the processing result.

[0089] When operating S404, the system determines whether network traffic has been blocked based on the processing results of a custom policy.

[0090] When operating S405, if the processing result is not to block network traffic, the network traffic is forwarded to the process running on the server for business processing.

[0091] According to embodiments of this disclosure, the target processing policy has a higher priority than the custom policy. If the processing result obtained through the target processing policy is no network traffic interception, the packet is directly loaded into memory for use by the corresponding process, without further processing through the custom policy. If the processing result obtained through the target processing policy is network traffic interception, then the custom policy is used for processing. For example: If a packet with the following headers is received: 192.32.0.32, UDP, UTF-8, 43000, 80, it is determined that the packet does not belong to any category of port 80. However, if the whitelist rule states that any UDP protocol data packet from 192.32.0.* does not require verification, it is forwarded to net_rx_action for further processing. If another packet with the same headers: 192.32.0.32, TCP, UTF-8, 43000, 80, also does not belong to any category of port 80, but is not in the whitelist rule, it is intercepted according to the preset interception rule. By processing network traffic using different policies, more flexible and accurate network traffic detection is achieved. The target processing strategy takes higher priority than the custom strategy. In the process of network traffic detection, it is closer to the operating system and reduces the risk to the operating system.

[0092] According to embodiments of this disclosure, different target ports correspond to different processes, and the method may further include the following operations:

[0093] If the network traffic is not intercepted, the loaded network traffic will be sent to the process corresponding to the target port.

[0094] According to embodiments of this disclosure, different target ports correspond to different processes, and different target processing strategies are applied to different processes within the server, resulting in more flexible and precise handling of network traffic. If network traffic is not intercepted, it indicates that the current network traffic poses no risk to the server's operating system, and the network traffic, after being loaded into the storage unit, is sent to the corresponding process for use.

[0095] According to embodiments of this disclosure, before receiving network data, the method may further include the following operations:

[0096] Receive network traffic detection tools from the development team, where the network traffic detection tools are logic code written based on traffic monitoring business requirements; dynamically mount the network traffic detection tools into the operating system.

[0097] According to embodiments of this disclosure, by mounting a network traffic detection tool in the server operating system, compared to the traditional method of checking local files or processes with antivirus software, network traffic can be detected and filtered before it enters the server for storage or execution, effectively improving server security. Furthermore, it does not become ineffective due to changes in server hardware running the operating system, demonstrating good versatility.

[0098] According to embodiments of this disclosure, when network data arrives in the operating system, the operating system kernel's soft interrupt handler (ksofttirqd) is responsible for handling the soft interrupt logic. A network traffic detection tool is used to process the network traffic; the implementation steps of the network traffic detection tool are as follows:

[0099] Step 1: Use the kernel interaction module of the network traffic detection tool to interact with the kernel's ksofttirqd soft interrupt handling function to interrupt the transmission of network traffic and introduce the network traffic into the network traffic detection tool for processing.

[0100] Step 2: After receiving the network traffic received by the network card, the network traffic detection tool calls the network traffic analysis module of the network traffic detection tool to analyze the packets, obtain information elements such as the source IP address, protocol type, character encoding, source port, and destination port of the data packets in the network data, and save them into a tuple to generate tuple information.

[0101] Step 3: Using the policy parsing module in the network traffic detection tool, based on the target port of the source packet being forwarded in the network traffic, match it with the clustering information table in the database, thereby determining the target processing policy corresponding to the packet. The network traffic detection tool will receive user-defined policies remotely issued in real time according to the user policy customization module.

[0102] Step 4: Process network traffic based on the target processing policy and the custom policy. If the processing result obtained by the target processing policy is not to intercept network traffic, the packet is forwarded to the kernel's net_rx_action function. The function will load the packet into memory for use by the corresponding process, and will not process it again through the custom policy.

[0103] If the processing result of the target processing strategy is to intercept network traffic, then the traffic is processed using a custom strategy. If the processing result of the custom strategy is not to intercept network traffic, the packet is forwarded to the kernel's `net_rx_action` function, which loads the packet into memory for use by the appropriate process. If the processing result of the custom strategy is to intercept network traffic, then data is intercepted according to preset interception rules.

[0104] Figure 5 A block diagram of a network traffic processing apparatus according to an embodiment of the present disclosure is shown schematically.

[0105] like Figure 5 As shown, the network traffic processing device 500 includes a packet analysis module 510, a policy parsing module 520, and a processing module 530.

[0106] The packet analysis module 510 is used to respond to received network data by using a network traffic detection tool mounted on the operating system to perform packet analysis on the network traffic of the network data and generate tuple information.

[0107] The policy parsing module 520 is used to parse network traffic based on the target port in the tuple information and generate the target processing policy.

[0108] The processing module 530 is used to process network traffic based on the target processing strategy and the user's custom strategy written based on the operating system detection requirements.

[0109] According to embodiments of this disclosure, when the operating system receives network data, it uses a network traffic detection tool mounted on the operating system to perform packet analysis on the network traffic. The network traffic is then processed based on target processing strategies and user-defined strategies written according to the operating system's detection requirements. Processing network data before it enters the server reduces the risk of various viruses, Trojans, and unauthorized access from the source. Based on the target port in the tuple information, policy parsing is performed on the network traffic; different target ports have corresponding target processing strategies, making network traffic processing more flexible and accurate. Because the technique of mounting the network traffic detection tool on the operating system is adopted, it at least partially overcomes the technical problem of processing strategies becoming ineffective due to changes in server hardware, improving the versatility of the network traffic detection tool and effectively enhancing network security.

[0110] According to embodiments of this disclosure, the policy parsing module 520 includes a dataset determination submodule, a matching submodule, and a policy generation submodule.

[0111] The dataset determination submodule is used to determine the dataset corresponding to the network traffic packets based on the target port in the clustering information table. The clustering information table includes multiple datasets obtained by clustering analysis of multiple sample packets.

[0112] The matching submodule is used to match tuple information with multiple data packets in the dataset to generate matching results.

[0113] The strategy generation submodule is used to generate target processing strategies for messages based on the matching results.

[0114] According to embodiments of this disclosure, the policy generation submodule includes an interception unit and a loading unit.

[0115] The interception unit is used to determine the target processing strategy for packets that do not belong to any category in the dataset when the tuple information does not belong to any category in the dataset. The strategy is to intercept the packets based on the preset interception rules.

[0116] The loading unit is used to determine the target processing strategy for packets that belong to any category in the dataset, such that the tuple information belongs to any category of the data packet, and to load the packet using the kernel processing function in the operating system.

[0117] According to embodiments of this disclosure, the network traffic processing device 500 further includes an interrupt module.

[0118] The interrupt module is used to interrupt network data transmission by calling the kernel's software interrupt handling function in the operating system using network traffic detection tools.

[0119] According to embodiments of this disclosure, the network traffic processing device 500 further includes an identification module and a display module.

[0120] The identification module is used to respond to access requests to the clustering information table, identify the access requests based on preset access rules, and obtain the identification results.

[0121] The display module is used to display the clustering information table when the recognition result is successful.

[0122] According to embodiments of this disclosure, the processing module 530 includes a first processing submodule and a second processing submodule.

[0123] The first processing submodule is used to process network traffic based on the target processing strategy and obtain the processing result.

[0124] The second processing submodule is used to process network traffic based on a custom strategy when the processing result is network traffic interception. The custom strategy includes user-defined whitelist rules.

[0125] According to embodiments of this disclosure, the network traffic processing device 500 further includes a receiving module and a mounting module.

[0126] The receiving module is used to receive network traffic detection tools from the development side. These network traffic detection tools are logic codes written based on traffic monitoring business requirements.

[0127] The mounting module is used to dynamically mount network traffic detection tools to the operating system.

[0128] According to embodiments of this disclosure, the network traffic processing apparatus 500 further includes a sending module.

[0129] The sending module is used to send the loaded network traffic to the process corresponding to the target port when the network traffic is not intercepted.

[0130] Any one or more of the modules, submodules, and units according to embodiments of this disclosure, or at least part of the functions of any one or more of them, can be implemented in one module. Any one or more of the modules, submodules, and units according to embodiments of this disclosure can be implemented by dividing them into multiple modules. Any one or more of the modules, submodules, and units according to embodiments of this disclosure can be at least partially implemented as hardware circuits, such as Field Programmable Gate Arrays (FPGAs), Programmable Logic Arrays (PLAs), Systems-on-Chip, Systems-on-Substrate, Systems-on-Package, Application-Specific Integrated Circuits (ASICs), or implemented in hardware or firmware by any other reasonable means of integrating or packaging circuits, or implemented in software, hardware, or firmware, or in a suitable combination of any of these three implementation methods. Alternatively, one or more of the modules, submodules, and units according to embodiments of this disclosure can be at least partially implemented as computer program modules, which, when run, can perform corresponding functions.

[0131] For example, any plurality of the message analysis module 510, policy parsing module 520, and processing module 530 may be combined into one module / unit / subunit, or any one of these modules / units / subunits may be split into multiple modules / units / subunits. Alternatively, at least part of the functionality of one or more of these modules / units / subunits may be combined with at least part of the functionality of other modules / units / subunits and implemented in one module / unit / subunit. According to embodiments of this disclosure, at least one of the message analysis module 510, policy parsing module 520, and processing module 530 may be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), a programmable logic array (PLA), a system-on-a-chip, a system-on-a-substrate, a system-on-package, an application-specific integrated circuit (ASIC), or any other reasonable means of integrating or packaging circuitry, or implemented in software, hardware, or firmware, or in any suitable combination of any of these three implementation methods. Alternatively, at least one of the message analysis module 510, the policy parsing module 520, and the processing module 530 may be implemented at least partially as a computer program module, which can perform corresponding functions when the computer program module is run.

[0132] It should be noted that the network traffic processing device part in the embodiments of this disclosure corresponds to the network traffic processing method part in the embodiments of this disclosure. For a detailed description of the network traffic processing device part, please refer to the network traffic processing method part, which will not be repeated here.

[0133] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a network traffic processing method according to an embodiment of the present disclosure. Figure 6 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.

[0134] like Figure 6As shown, an electronic device 600 according to an embodiment of this disclosure includes a processor 601, which can perform various appropriate actions and processes based on a program stored in read-only memory (ROM) 602 or a program loaded from storage portion 608 into random access memory (RAM) 603. The processor 601 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this disclosure.

[0135] RAM 603 stores various programs and data required for the operation of electronic device 600. Processor 601, ROM 602, and RAM 603 are interconnected via bus 604. Processor 601 performs various operations of the method flow according to embodiments of the present disclosure by executing programs in ROM 602 and / or RAM 603. It should be noted that the programs may also be stored in one or more memories other than ROM 602 and RAM 603. Processor 601 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in said one or more memories.

[0136] According to embodiments of this disclosure, the electronic device 600 may further include an input / output (I / O) interface 605, which is also connected to a bus 604. The system 600 may also include one or more of the following components connected to the I / O interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I / O interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.

[0137] According to embodiments of this disclosure, the method flow according to embodiments of this disclosure can be implemented as a computer software program. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for performing the methods shown in the flowchart. In such embodiments, the computer program can be downloaded and installed from a network via communication section 609, and / or installed from removable medium 611. When the computer program is executed by processor 601, it performs the functions defined in the system of embodiments of this disclosure. According to embodiments of this disclosure, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0138] This disclosure also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs that, when executed, implement the method according to the embodiments of this disclosure.

[0139] According to embodiments of this disclosure, the computer-readable storage medium can be a non-volatile computer-readable storage medium. Examples include, but are not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this disclosure, the computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.

[0140] For example, according to embodiments of this disclosure, a computer-readable storage medium may include the ROM 602 and / or RAM 603 described above and / or one or more memories other than ROM 602 and RAM 603.

[0141] Embodiments of this disclosure also include a computer program product comprising a computer program containing program code for performing the methods provided in the embodiments of this disclosure. When the computer program product is run on an electronic device, the program code is used to enable the electronic device to implement the network traffic processing methods provided in the embodiments of this disclosure.

[0142] When the computer program is executed by the processor 601, it performs the functions defined in the system / apparatus of this disclosure embodiments. According to embodiments of this disclosure, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0143] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0144] According to embodiments of this disclosure, program code for executing the computer programs provided in embodiments of this disclosure can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages ​​include, but are not limited to, languages ​​such as Java, C++, Python, "C", or similar programming languages. The program code can execute entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0145] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions. Those skilled in the art will understand that the features recited in the various embodiments and / or claims of this disclosure can be combined and / or combined in various ways, even if such combinations or combinations are not expressly described in this disclosure. In particular, the features described in the various embodiments and / or claims of this disclosure may be combined and / or combined in various ways without departing from the spirit and teachings of this disclosure. All such combinations and / or combinations fall within the scope of this disclosure.

[0146] The embodiments of this disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of this disclosure. Although various embodiments have been described above, this does not mean that the measures in the various embodiments cannot be used advantageously in combination. The scope of this disclosure is defined by the appended claims and their equivalents. Various substitutions and modifications can be made by those skilled in the art without departing from the scope of this disclosure, and all such substitutions and modifications should fall within the scope of this disclosure.

Claims

1. A method for processing network traffic, comprising: In response to receiving network data, the network traffic of the network data is analyzed using a network traffic detection tool mounted in the operating system to generate tuple information. Based on the target port in the tuple information, the network traffic is parsed to generate a target processing policy; The network traffic is processed based on the target processing strategy and the user-defined strategy written based on the detection requirements of the operating system. The method further includes, prior to performing packet analysis on the network traffic of the network data using a network traffic detection tool mounted in the operating system: Using the network traffic detection tool, the software interrupt handling function in the kernel of the operating system is invoked to interrupt the transmission of network data; The processing of network traffic based on the target processing strategy and the user-defined strategy written based on the operating system's detection requirements includes: The network traffic is processed based on the target processing strategy to obtain the processing result; If the processing result is to block the network traffic, the network traffic is processed based on the custom policy, which includes user-defined whitelist rules. If the processing result is that the network traffic is not intercepted, the loaded network traffic is sent to the process corresponding to the target port. Different target ports correspond to different processes, and different target processing strategies are applied to different processes in the server.

2. The method according to claim 1, wherein, The step of parsing the network traffic based on the target port in the tuple information to generate a target processing policy includes: Based on the target port, the dataset corresponding to the network traffic packets is determined in the clustering information table, which includes multiple datasets obtained by clustering analysis of multiple sample packets; The tuple information is matched with multiple data packets in the dataset to generate matching results; The target processing strategy for the message is generated based on the matching results.

3. The method according to claim 2, wherein, The target processing strategy for generating the message based on the matching result includes: If the data packet whose tuple information does not belong to any category in the dataset, the target processing strategy is determined to be to intercept the packet based on a preset interception rule; If the data packet whose tuple information belongs to any category in the dataset, the target processing strategy is determined to be to load the packet using the kernel processing function in the operating system.

4. The method according to claim 2, further comprising: In response to an access request to the clustering information table, the access request is identified based on preset access rules to obtain an identification result; If the identification result is successful, the clustering information table is displayed.

5. The method according to claim 1, wherein, Prior to receiving network data, the method further includes: Receive the network traffic detection tool from the development end, wherein the network traffic detection tool is logic code written based on traffic monitoring business requirements; The network traffic detection tool is dynamically mounted to the operating system.

6. A network traffic processing device, comprising: The packet analysis module is used to respond to received network data by using a network traffic detection tool mounted in the operating system to perform packet analysis on the network traffic of the network data and generate tuple information. The policy parsing module is used to parse the network traffic based on the target port in the tuple information and generate a target processing policy. The processing module is used to process the network traffic based on the target processing strategy and the user-defined strategy written based on the detection requirements of the operating system. The network traffic processing device further includes: The interrupt module is used to use the network traffic detection tool to call the soft interrupt handling function in the kernel of the operating system to interrupt the transmission of network data; The processing module is used for: The network traffic is processed based on the target processing strategy to obtain the processing result; If the processing result is to block the network traffic, the network traffic is processed based on the custom policy, which includes user-defined whitelist rules. If the processing result is that the network traffic is not intercepted, the loaded network traffic is sent to the process corresponding to the target port. Different target ports correspond to different processes, and different target processing strategies are applied to different processes in the server.

7. An electronic device, comprising: One or more processors; Memory, used to store one or more programs. Wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method of any one of claims 1 to 5.

8. A computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.

9. A computer program product comprising a computer program, which, when executed by a processor, is used to implement the method of any one of claims 1 to 5.