A network protection system, method and storage medium

By using Kubernetes containerization technology, an independent protection instance is deployed for each tenant of the cloud WAF system. This removes the failure mode in which a single shared protection system takes down protection for many tenants at once, and achieves security isolation between tenants together with improved business continuity.

CN116800451B · Active · Publication Date: 2026-06-19 · CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD
Filing Date: 2022-10-11
Publication Date: 2026-06-19


Abstract

This application discloses a network protection system, deployment method, and storage medium. The system includes: a management node and a data processing node; the management node includes a service activation module and a configuration management module; the service activation module is used to receive service activation requests and activate the corresponding service based on the service activation requests; record service information and user information corresponding to the service; and send the service information to the data processing node; the configuration management module is used to create a security protection source station corresponding to the user information; configure the security protection source station with the corresponding protection information; and send the protection information to the data processing node; the data processing node is used to create a protection instance corresponding to the user information based on the service information and protection information, and forward the access traffic corresponding to the security protection source station to the protection instance, so that the protection instance can detect and clean the access traffic.

Description

Technical Field

[0001] This application relates to the field of network security protection, and in particular to a network protection system, method and storage medium.

Background Technology

[0002] In the existing technology, cloud service providers and security service providers have built cloud-based Web Application Firewall (WAF) systems that deliver web application protection as a service (SaaS) to tenants both on and off the cloud. A user selects, according to the protection needs of their origin server, the appropriate policy from the basic protection policies the cloud WAF provides, and the cloud WAF protects the origin server with it.

[0003] Currently, cloud WAF is mainly implemented with high-defense proxy technology and security resource pools. In both implementations, however, all tenants still share a single security protection system while their access traffic is processed; a separate protection instance cannot be deployed per tenant. If the shared security protection system fails, the security protection of every tenant is affected, so the protection each tenant receives is poor.

Summary of the Invention

[0004] In view of this, the embodiments of this application aim to provide a network protection system, method and storage medium that can deploy a separate protection instance for each tenant, realize the isolation of business security protection functions between different tenants, and improve the business security protection function of each tenant.

[0005] To achieve the above objectives, the technical solution of this application is implemented as follows:

[0006] In a first aspect, embodiments of this application provide a network protection system, comprising: a management node and a data processing node; the management node includes a service activation module and a configuration management module; the service activation module is used to receive a service activation request and activate the corresponding service based on the service activation request; record service information and user information corresponding to the service; and send the service information to the data processing node; the configuration management module is used to create a security protection source station corresponding to the user information; configure the security protection source station with the corresponding protection information; and send the protection information to the data processing node; the data processing node is used to create a protection instance corresponding to the user information based on the service information and the protection information, and forward the access traffic corresponding to the security protection source station to the protection instance, so that the protection instance can detect and clean the access traffic.

[0007] In a second aspect, embodiments of this application provide a network protection method applied to a network protection system, the method comprising:

[0008] Upon receiving a service activation request, the service activation module activates the corresponding service based on the request; records the service information and user information corresponding to the service; and sends the service information to the data processing node.

[0009] The configuration management module creates a security protection source station corresponding to the user information; configures the corresponding protection information on the security protection source station; and sends the protection information to the data processing node.

[0010] Based on the service information and the protection information, the data processing node creates a protection instance corresponding to the user information and forwards the access traffic corresponding to the security protection source station to the protection instance, so that the protection instance can detect and clean the access traffic.

[0011] In a third aspect, embodiments of this application provide a storage medium on which a computer program is stored, which, when executed, implements the aforementioned network protection method.

[0012] This application provides a network protection system, method, and storage medium. The network protection system includes: a management node and a data processing node. The management node includes a service activation module and a configuration management module. The service activation module is used to receive service activation requests and activate corresponding services based on the service activation requests; record service information and user information corresponding to the services; and send the service information to the data processing node. The configuration management module is used to create a security protection source station corresponding to the user information; configure the security protection source station with the corresponding protection information; and send the protection information to the data processing node. The data processing node is used to create a protection instance corresponding to the user information based on the service information and protection information, and forward the access traffic corresponding to the security protection source station to the protection instance so that the protection instance can detect and clean the access traffic. With this network protection system, a tenant activates the corresponding service through the service activation module in the management node. Each tenant creates its own security protection source station within the activated service and sets its own security protection information on that source station. The data processing node creates a protection instance for each tenant's protection source station according to the security protection information set on it. Because a protection instance is deployed per tenant, when access traffic arrives, each tenant's traffic is forwarded to the corresponding protection instance for detection and cleaning according to the corresponding forwarding policy. Tenants do not interfere with one another while their source stations are protected, and if one tenant's protection instance fails, the protection of the source stations served by other tenants' protection instances is unaffected. This isolates the security protection functions of different tenants from one another and improves the business security protection each tenant receives.

Description of the Figures

[0013] Figure 1 is a first schematic diagram of a network protection system provided in an embodiment of this application;

[0014] Figure 2 is a schematic diagram of an exemplary protection instance upgrade process provided in an embodiment of this application;

[0015] Figure 3 is a second schematic diagram of a network protection system provided in an embodiment of this application;

[0016] Figure 4 is a flowchart of a network protection method provided in an embodiment of this application.

Detailed Implementation

[0017] To gain a more detailed understanding of the features and technical content of the embodiments of this application, the technical solution of this application will be further described in detail below with reference to the accompanying drawings and specific embodiments. The accompanying drawings are for reference only and are not intended to limit the embodiments of this application.

[0018] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of this application only and is not intended to be limiting of this application.

[0019] In the following description, references to "some embodiments" refer to a subset of all possible embodiments. It is understood that "some embodiments" may be the same or different subsets of all possible embodiments and may be combined with each other without conflict. It should also be noted that the terms "first / second / third" used in the embodiments of this application are merely for distinguishing similar objects and do not represent a specific ordering of objects. It is understood that "first / second / third" may be interchanged in a specific order or sequence where permitted, so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein.

[0020] In existing technologies, the following technical problems arise when a cloud WAF is used for network protection. Multi-tenant isolation only isolates the storage of each tenant's security protection configuration data; the underlying security protection capability is still shared, so a separate security protection instance cannot be deployed per tenant, and once the shared capability fails, the security protection service of every tenant fails with it. In addition, the shared security protection instance cannot self-heal after a failure and must be recovered manually, and it does not support canary releases, which harms business continuity and user experience. Finally, new vulnerability protection rules take effect globally when updated; it is impossible to provide specific templates for specific tenants, or to perform one-click upgrade and rollback of a specific template.

[0021] To address these technical problems in the prior art, this application provides a network protection system 1. As shown in Figure 1, network protection system 1 includes:

[0022] The system comprises a management node 10 and a data processing node 11. The management node 10 includes a service activation module 100 and a configuration management module 101. The service activation module 100 receives service activation requests and activates the corresponding service based on these requests; records service information and user information corresponding to the service; and sends the service information to the data processing node. The configuration management module 101 creates a security protection source station corresponding to the user information; configures the corresponding protection information on the security protection source station; and sends the protection information to the data processing node 11. The data processing node 11 creates a protection instance corresponding to the user information based on the service information and protection information, and forwards the access traffic corresponding to the security protection source station to the protection instance for detection and cleaning of the access traffic.

[0023] In this application embodiment, cloud WAF is the cloud mode of web application firewall. It is a protection product specifically designed for website web application attacks. Cloud WAF is developed based on the cloud. Users do not need to install software products. They only need to register an account on the webpage, add relevant information such as domain name, IP address, and ICP filing number, and resolve the domain name to the WAF protection node to achieve website protection.

[0024] In this embodiment of the application, when deploying the cloud WAF protection system, the cloud WAF protection system of different tenants is first instantiated, and then the instantiated cloud WAF protection system is deployed using Kubernetes containerization technology.

[0025] In this application embodiment, Kubernetes, also known as K8s or Kube, is the industry's most popular container orchestration tool launched by Google. It is an open-source container orchestrator technology used to automate the deployment, scaling, and management of containerized applications. K8s simplifies the deployment and management of microservice architecture applications. It achieves this by forming an abstraction layer on top of the cluster, allowing development teams to smoothly deploy applications. K8s is primarily used to control and manage application resource usage; automatically load balance requests between multiple instances of an application; monitor resource usage and resource limits; migrate application instances from one host to another when host resources are exhausted or a host crashes; and automatically utilize newly added resources when a new host joins the cluster.

[0026] In this embodiment of the application, the cloud WAF security protection system includes a management node 10 and a data processing node 11. Both the management node 10 and the data processing node 11 can be deployed in a K8s cluster. The management node 10 can manage the entire cluster, while the data processing node 11 is the node that actually processes the business.

[0027] In this embodiment of the application, in the K8s cluster, the management node 10 of the cloud WAF security protection system includes a service activation module 100. Tenants can initiate a service activation request message in the service activation module 100 according to their own needs. The service activation module 100 processes the tenant's request message to activate the WAF service and can activate the corresponding WAF service for the tenant who initiated the request.

[0028] In this embodiment of the application, when enabling a tenant's WAF service, the tenant information corresponding to the enabled WAF service and the enabled service information are recorded. The tenant information may be a specific operating company, a specific individual's information, etc.; the service information may be the protection bandwidth, the service bandwidth, the number of queries per second (QPS), etc.

[0029] In this embodiment of the application, after the service activation module records the tenant information and service information corresponding to the activated WAF service, it can also send the recorded service information to the data processing node, and the data processing node can use the received service information to process the corresponding business.

[0030] In this embodiment of the application, the management node 10 also includes a configuration management module 101, which can be used to configure corresponding protection information for the WAF service opened by the tenant.

[0031] In the application embodiment, after the WAF service corresponding to the tenant is activated, the tenant can create a security protection source station corresponding to the tenant information through the configuration management module 101 in the management node 10.

[0032] For example, tenant A can activate a WAF service and create a security protection source site 1 for tenant A, while tenant B can activate a WAF service and create a security protection source site 2 for tenant B.

[0033] In this embodiment of the application, after the configuration management module 101 creates the security protection source station corresponding to the tenant information, it uses the configuration management module 101 to configure the protection information corresponding to the tenant information on the security protection source station. The protection information may be the protection source station IP, source station port number, and security protocol channel SSL certificate information, etc.

[0034] It should be noted that the protective information can be selected according to the actual situation, and no specific restrictions are made in this application.

[0035] In this embodiment of the application, the cloud WAF security protection system in the K8s cluster also includes a data processing node 11. When the configuration management module 101 configures the source IP, source port number, and SSL certificate information of the security protocol channel, it also sends an instruction message to the data processing node 11 to create a protection instance vWAF pod corresponding to the WAF service opened by the tenant.

[0036] It should be noted that the instruction messages sent by the configuration management module 101 carry the protection source IP, source port number, and SSL certificate information of the security protocol channel corresponding to the protection information.

[0037] In this embodiment of the application, when creating the protection instance vWAF pod corresponding to a WAF service opened by a tenant, the data processing node can create it based on the service information sent by the service activation module, which includes the protection bandwidth, QPS information, etc.

[0038] It should be noted that one tenant can correspond to multiple vWAF pods.

[0039] It should be noted that the specific process for creating a protection instance vWAF pod is not limited to the method described in this application. It can be selected according to the actual situation, and no specific limitation is made in this application.

[0040] In this embodiment of the application, after the protection instance vWAF pod corresponding to the tenant has been created successfully, the protection information and service information carried in the creation instruction are set in the protection instance vWAF pod. Specifically, the origin IP, origin port number, protection bandwidth and QPS information can be set in the protection instance vWAF pod.

[0041] In this embodiment, after the configuration management module 101 sets the corresponding protection information and service information in the protection instance vWAF pod, the data processing node 11 can process the protection information and service information to obtain the protection instance tag corresponding to the protection instance. The protection instance tag is used to determine the protection instance corresponding to the access traffic, and the access traffic corresponding to the security protection source station is forwarded to the corresponding protection instance.

[0042] In this embodiment, specific rules can be used to generate vWAF pod tags corresponding to the protection instance based on the protection information and service information set in the protection instance. Specifically, the method for generating vWAF pod tags can be selected according to the actual situation, and no specific limitation is made in this application.

[0043] In this embodiment of the application, there is a one-to-one correspondence between the vWAF pod tag and the protection instance vWAF pod. The vWAF pod tag can be used to identify a unique protection instance vWAF pod. When there is access traffic to the origin server that the tenant wants to protect, the vWAF pod tag can be used to identify the protection instance vWAF pod corresponding to the origin server that the tenant wants to protect.

[0044] It should be noted that this application achieves mutual isolation of protection capabilities between different tenants in the data processing node by creating different protection instances (vWAF pods) for different tenants.

[0045] In this embodiment of the application, the management node 10 also includes an object creation module. The object creation module can be used to create traffic forwarding objects for the data processing node 11 and associate the traffic forwarding objects with the protection instances, so as to forward the access traffic corresponding to the security protection source station to the corresponding protection instance through the traffic forwarding objects, thereby realizing the detection and cleaning of access traffic.

[0046] In this embodiment of the application, after the data processing node 11 completes the creation of the protection instance vWAF pod, the user can create an object service in the data processing node 11 for traffic forwarding through the object creation module in the management node 10.

[0047] In this embodiment of the application, when creating a traffic forwarding object service, the created traffic forwarding object service can be associated with the generated vWAF pod tag through fields set in the data table. The access traffic can be forwarded to different vWAF pod tags through the object service. The corresponding protection instance vWAF pod is determined through the vWAF pod tag, and the access traffic corresponding to the protection instance of that tenant is detected and cleaned.

[0048] In this embodiment of the application, for access traffic to be forwarded through the object service, an Ingress entry object must also be created through which the object service receives that traffic.

[0049] In this embodiment, the Ingress object can be created based on the service information or protection information configured in the protection source station.

[0050] It should be noted that Ingress objects can be created using methods other than those described in this application. Specifically, the choice can be made according to the actual situation, and no specific limitations are made in this application.

[0051] In this embodiment, after the Ingress object is created, the domain names of the different protected origins are bound in the Ingress object to their corresponding forwarding object services. Through this relationship between the Ingress object and the forwarding object services, access traffic for different protected origins entering through the Ingress object is forwarded to different forwarding object services. Then, through the relationship between the forwarding object service and the vWAF pod tag, the protection instance vWAF pod that protects that access traffic is determined, so that vWAF pods protect multiple user sites.

[0052] In this embodiment, the data processing node 11 can use the ingress object to determine the vWAF pod tag to be forwarded by the access traffic corresponding to the security protection source station through the associated forwarding object service. It can then use the vWAF pod tag to determine the protection instance corresponding to the security protection source station and use the determined security protection instance to detect and clean the access traffic.

[0053] It should be noted that, after the security protection instance has detected and cleaned the access traffic, the cleaned traffic is proxied back to the tenant's origin server, achieving security protection for the tenant's origin server.

[0054] Optionally, in this embodiment, the management node 10 further includes a log center. When the protection instance detects attack information corresponding to attack traffic in the access traffic, it outputs the attack information and transmits it to the log center.

[0055] In this embodiment, when traffic accessing the tenant's origin server is forwarded to the tenant's corresponding protection instance vWAF pod, the protection instance vWAF pod in data processing node 11 detects the access traffic. When the protection instance vWAF pod in data processing node 11 detects attack traffic in the access traffic, the Agent log reporting module deployed in the sidecar mode in the protection instance vWAF pod collects detailed information of the attack traffic and transmits the detailed information of the attack traffic to the log center in management node 10. The tenant can view the detailed information of the attack information through the log center in management node 10.

[0056] It's important to note that traditional log collection methods require pre-deploying the log collection module (Agent) to the protection instance, and configuring collection rules only after the protection instance is configured. However, the Sidecar-based Agent log reporting module used in this application packages the log collection module (Agent) with the protection instance's vWAF Pod, automatically creating and configuring it as user services are created. This improves efficiency and, in the event of a failure, does not affect the normal collection and presentation of logs from other users, enabling fault isolation between different tenant protection origin servers.

[0057] Optionally, in this embodiment, the management node 10 further includes a policy management module, which is used to configure security protection policies for the protection instance so that the protection instance can use the security protection policies to detect and clean access traffic.

[0058] In this embodiment, after creating the protection instance and using it to protect the tenant's origin server, the tenant can also set custom security protection policies. Specifically, the tenant can customize security protection policy configuration information in the policy management module of the management node according to the needs of the protected origin server in the business. The custom security protection policy configuration can be a custom policy such as IP blacklist / whitelist, URL blacklist / whitelist, or traffic tagging.

[0059] In this embodiment, the tenant can set custom security protection policies in the protection instance corresponding to the protection source station through the management node according to the current needs of the protection source station. The protection instance can provide more secure protection for the protection source station according to the set security protection policies, thus improving the security of the protection source station.

[0060] Optionally, the management node 10 also includes an image center module, which processes the security protection policy and generates an image file corresponding to the security protection policy, so as to use the image file to realize the templated configuration of the security protection policy.

[0061] In this embodiment of the application, when a tenant modifies the created protection instance vWAF Pod according to the current needs of the protection source station, a tenant-customized protection instance vWAF Pod is obtained.

[0062] In this embodiment, tenants can customize security protection policies in the protection instance. The image center module can generate a security protection configuration template for the protection instance vWAF Pod with the tenant's customized security protection policy and store the security protection configuration template in the database corresponding to the image center module in the form of an image.

[0063] It should be noted that different security protection policies can generate different security protection configuration templates for the vWAF Pods, and different security protection configuration templates correspond to different versions of the vWAF Pods.

[0064] In this embodiment of the application, when configuring security protection instances, different security protection instances can be configured using templates by directly obtaining the corresponding version of the security protection instance.

[0065] In this embodiment, when a tenant needs to add a security protection instance, the image file of the corresponding security protection instance can be obtained through the image center module. The tenant can directly use the obtained image file of the protection instance to implement custom security protection policy settings for the newly added protection instance without having to perform custom configuration for the newly added protection instance.

[0066] It should be noted that by using image version control, templated version control of different WAF protection strategies can be achieved, thereby allowing the selection of different image versions for WAF instance deployment based on different protection requirements.

[0067] Optionally, in this embodiment of the application, the image center module is also used to process each version of the protection instance to obtain image files for multiple protection instance versions, to determine the target version image file from among them using a preset rolling upgrade strategy, and to change the current protection instance version based on the target version image file.

[0068] In this embodiment, when upgrading the protection function of the protection instance vWAF Pod corresponding to a tenant, during the release of the development software for each completed version of the protection instance, different versions of the protection instance vWAF Pod can be processed to generate image files corresponding to different versions of the protection instance. The generated image files are then transmitted to the image center module. The tenant selects the new image file corresponding to the protection instance from the image center module in the management node 10 and associates the new image file with the protection source station. Kubernetes uses a rolling upgrade strategy to gradually replace the old version of the protection instance vWAF Pod with the new version of the protection instance vWAF Pod, thus completing the version upgrade process of the protection instance vWAF Pod.

[0069] For example, as shown in Figure 2, multiple protection instance vWAF Pods can be associated under one Replication Controller (RC) in Kubernetes. When upgrading a protection instance vWAF Pod from version v1 to version v2, a rolling upgrade strategy can be used. First, select the first version v1 protection instance vWAF Pod, select a version v2 protection instance vWAF Pod from the image center, and replace the first v1 Pod with the v2 Pod. This completes the upgrade of one protection instance vWAF Pod in the protection instance corresponding to the tenant. Similarly, select the second version v1 protection instance vWAF Pod, select a version v2 protection instance vWAF Pod from the image center, and replace the second v1 Pod with the v2 Pod, completing the upgrade of the second protection instance vWAF Pod. This continues until all version v1 protection instance vWAF Pods corresponding to the tenant have been replaced with version v2 protection instance vWAF Pods.

[0070] It should be noted that when one or more of the protection instance vWAF Pods associated with the RC fail, the data processing node creates new protection instance vWAF Pods so that the number of running vWAF Pods again reaches the expected number.

[0071] In another embodiment of this application, when the protection policy corresponding to the protection instance needs to be upgraded (for example, to a policy that protects against 0-day vulnerabilities), this is achieved by creating an image file of the protection instance corresponding to the updated protection policy, uploading the image file to the image center, and having the tenant select the new image file corresponding to the protection instance from the image center module in the management node and associate it with the protection source station. Kubernetes then uses a rolling upgrade strategy to gradually replace the old version of the protection instance vWAF Pod with the new version, completing the version upgrade of the protection instance vWAF Pod.

[0072] It should be noted that the rolling upgrade method used when upgrading the protection policy of a protection instance is the same as the process used when upgrading the protection function of the vWAF Pod corresponding to a tenant. For details, refer to the implementation process of the example in Figure 2; it is not described again here.

[0073] It should be noted that after completing the upgrade of the protection policy corresponding to the protection instance, if the protection policy in the upgraded protection instance is not effective in protecting the source site, the upgraded version can be rolled back. When rolling back the version of the protection instance, select the image file version corresponding to the protection instance to be rolled back from the image center module, and replace the image file version corresponding to the upgraded protection instance with the selected image file version.

[0074] It should be noted that the method for rolling back the protection instance version is the same as the method for upgrading the protection instance version. Both are handled by replacing one instance at a time. For details, please refer to the implementation process of the protection instance version upgrade, which will not be repeated here.

[0075] It should be noted that the protection system in this embodiment is implemented through containerization, which enables the canary release and self-healing of the protection system.

[0076] Optionally, the management node 10 also includes a monitoring center module. The monitoring center module is used to monitor the memory space used by the protection instance during operation. When the memory space used is greater than a preset memory space threshold, it sends an instance increase instruction to the data processing node. When the memory space used is less than the preset memory threshold, it sends an instance decrease instruction to the data processing node. The data processing node increases the protection instance corresponding to the security protection source station according to the instance increase instruction, and decreases the protection instance corresponding to the security protection source station according to the instance decrease instruction.

[0077] In this embodiment, when the monitoring center module detects during operation that the processing capacity of the entire cluster is insufficient, the capacity of the cluster can be improved by dynamically adding new K8s nodes. Specifically, when the CPU usage of the protection instance vWAF Pod corresponding to a tenant exceeds a set threshold during operation, the data processing node automatically creates a new protection instance vWAF Pod to relieve the load on the tenant's current vWAF Pods in the cluster. When the CPU usage falls back below the threshold, the number of vWAF Pods is dynamically reduced to avoid wasting cluster resources.

[0078] It should be noted that the memory threshold can be selected according to the actual situation, and no specific limitation is made in this application.

[0079] It should be noted that the network protection system provided in this application containerizes WAF protection instances and deploys multiple containerized protection instances using Kubernetes technology, so that each tenant corresponds to its own WAF protection instance. Furthermore, the upper-layer management node 10 establishes the association between the tenant's protection source station and its WAF protection instance, and the protection functions of different tenants are isolated from one another on the data processing node 11. At the same time, the RC in Kubernetes can detect whether a running protection instance is abnormal; when an abnormality occurs, a new WAF instance is automatically created to achieve fault self-healing. In addition, a rolling upgrade strategy can be used to realize the canary release of protection instances, improving business continuity and user experience.

[0080] It is understood that the network protection system provided in this application embodiment allows tenants to activate corresponding services through the service activation module in the management node during network protection. Different tenants create corresponding security protection source stations in the activated services and set security protection information for their own source stations. The data processing node creates protection instances corresponding to the protection source stations of different tenants based on the security protection information set in those source stations. Because a protection instance is deployed for each tenant, when access traffic arrives, the access traffic of different tenants is forwarded to the corresponding protection instance for detection and cleaning according to the corresponding forwarding policy. During the protection of the source stations, the tenants do not interfere with each other, and if the protection instance of one tenant fails, the protection of other tenants' source stations by their own protection instances is not affected. This realizes the isolation of security protection functions between different tenants and improves the business security protection of each tenant.

[0081] Based on the above embodiments, by designing a core data object model, the association of different WAF instances for different tenants and multi-tenant isolation are realized. In this application, the core data object model and some fields corresponding to the network protection system can be represented by the following correspondence:

[0082] (1) The tenant object data model is shown in Table 1:

[0083] Table 1

[0084]
Tenant ID | Protected source station | Bandwidth
User 1    | www.xxx.com              | 5M

[0085] (2) The data model of the vWAF Pod object for protection instances is shown in Table 2:

[0086] Table 2

[0087]
Protection Instance Identifier   | Protection Instance Name   | Protection Instance Version
Protection Instance Identifier 1 | Protection Instance Name 1 | Protection Instance Version 1
Protection Instance Identifier 2 | Protection Instance Name 2 | Protection Instance Version 2

[0088] (3) The data model of the access traffic forwarding object service is shown in Table 3:

[0089] Table 3

[0090]
Traffic forwarding object identifier   | Traffic forwarding object name   | Traffic forwarding object version
Traffic forwarding object identifier 1 | Traffic forwarding object name 1 | Version 1

[0091] (4) The Ingress object data model for access traffic entry is shown in Table 4:

[0092] Table 4

[0093]
Access traffic entry object identifier   | Access traffic entry object name   | Access traffic entry object version
Access traffic entry object identifier 1 | Access traffic entry object name 1 | Version 1

[0094] (5) The correspondence between tenant objects and access traffic entry identifiers is shown in Table 5:

[0095] Table 5

[0096]
Tenant ID | Access traffic entry identifier
Tenant 1  | Access traffic entry point 1

[0097] In this process, the user identifier and the access traffic entry identifier are associated.

[0098] (6) The correspondence between access traffic entry points and access traffic forwarding objects is shown in Table 6:

[0099] Table 6

[0100]
Access traffic entry identifier | Traffic forwarding object identifier
Access traffic entry point 1    | Traffic forwarding object identifier 1

[0101] The access traffic entry identifier is associated with the identifier of the traffic forwarding object service.

[0102] (7) The correspondence between access traffic forwarding objects and protection instances is shown in Table 7:

[0103] Table 7

[0104]
Traffic forwarding object identifier   | Protection Instance Identifier
Traffic forwarding object identifier 1 | Protection Instance Identifier 1
Traffic forwarding object identifier 2 | Protection Instance Identifier 2

[0105] In this process, the identification information of the traffic forwarding object service is associated with the protection instance identifier.

[0106] Based on the above embodiments, this application provides a network protection system as shown in Figure 3. The network protection system includes a management node, a data processing node, and a database. The management node includes a service activation module, a configuration management module, a policy management module, a monitoring center module, an object creation module, a log center, and an image center. The data processing node is mainly responsible for detecting and cleaning attack traffic destined for the tenant's origin server, and then proxying the cleaned traffic back to the tenant's origin server to achieve security protection for the origin server. The data processing node is equipped with an Ingress object, a forwarding object service, a protection instance vWAF Pod, and a log collection module that runs as a sidecar.

[0107] The service activation module is used to receive service activation requests, activate the corresponding services based on the service activation requests, record the service information and user information corresponding to the services, and send the service information to the data processing node.

[0108] The configuration management module is used to create security protection source stations corresponding to user information; configure the corresponding protection information on the security protection source stations; and send the protection information to the data processing nodes.

[0109] The policy management module is used to configure security protection policies for protection instances, so that the protection instances can use the security protection policies to detect and clean up access traffic.

[0110] The monitoring center module is used to monitor the memory space used by the protection instance during operation. When the memory space used is greater than the preset memory space threshold, it sends an instance increase instruction to the data processing node, and when the memory space used is less than the preset memory threshold, it sends an instance decrease instruction to the data processing node.

[0111] The object creation module is used to create traffic forwarding objects for data processing nodes and associate the traffic forwarding objects with protection instances, so as to forward the access traffic corresponding to the security protection site to the corresponding protection instance through the traffic forwarding objects, thereby realizing the detection and cleaning of access traffic.

[0112] The log center is used to output attack information when the protection instance detects attack information corresponding to attack traffic in the access traffic and transmits the attack information to the log center.

[0113] The image center module is used to process security protection policies and generate image files corresponding to the security protection policies, so as to realize the templated configuration of security protection policies using image files.

[0114] The image center module is also used to process each version of the protection instance and generate the corresponding version of the protection instance image file, thereby obtaining multiple versions of the protection instance image file; to determine the target version of the protection instance image file from these versions using a preset rolling upgrade strategy; and to change the current protection instance version based on the target version of the protection instance image file.

[0115] The data processing node is used to create protection instances corresponding to user information based on service information and protection information, and to forward access traffic corresponding to the security protection source station to the protection instance so that the protection instance can detect and clean the access traffic.

[0116] The data processing node is also used to add protection instances corresponding to the security protection source station based on the instance add command, and to reduce the protection instances corresponding to the security protection source station based on the instance reduce command.

[0117] The data processing node is also used to process protection information and service information to obtain protection instance tags corresponding to the protection instances. The protection instance tags are used to determine the protection instance corresponding to the access traffic, and the access traffic corresponding to the security protection source station is forwarded to the corresponding protection instance.

[0118] The protection instance vWAF Pod is used to collect attack information corresponding to the attack traffic when attack traffic is detected in the access traffic, and transmit the attack information to the log center.

[0119] The Ingress object is used as the entry point for access traffic to enter the protection instance. The service object to be forwarded is determined through the Ingress object.

[0120] The forwarding object service is used to forward access traffic to the corresponding protection instance when performing access traffic forwarding.

[0121] The log collection module, which operates in a sidecar mode, is used to collect attack information corresponding to attack traffic and transmit the attack information to the log center.

[0122] This application provides a network protection method applied to a network protection system. As shown in Figure 4, the method includes:

[0123] S101. Upon receiving a service activation request, the service activation module activates the corresponding service based on the request; records the service information and user information corresponding to the service; and sends the service information to the data processing node.

[0124] In this embodiment of the application, the cloud WAF security protection system includes a management node and a data processing node. Both the management node and the data processing node can be deployed in a K8s cluster. The management node can manage the entire cluster, while the data processing node is the node that actually processes the business.

[0125] In this embodiment of the application, the management node of the cloud WAF security protection system in the K8s cluster includes a service activation module. Tenants can initiate a service activation request message in the service activation module according to their own needs. The service activation module processes the tenant's request message to activate the WAF service and activates the corresponding WAF service for the tenant.

[0126] In this embodiment of the application, during the process of activating the tenant's WAF service, the tenant information corresponding to the WAF service and the activated service information are recorded. The tenant information may be a specific operating company or a specific individual, etc.; the service information may be the protection bandwidth, business bandwidth, number of transactions per second (QPS), etc.

[0127] In this embodiment of the application, after the service activation module records the tenant information and service information corresponding to the activated WAF service, it can also send the recorded service information to the data processing node, and the data processing node can use the received service information to process the corresponding business.

[0128] S102. The configuration management module creates a security protection source station corresponding to the user information; configures the corresponding protection information on the security protection source station; and sends the protection information to the data processing node.

[0129] In the application embodiment, after the WAF service corresponding to the tenant is activated, the tenant can create a security protection source station corresponding to the tenant information through the configuration management module in the management node.

[0130] For example, tenant A can activate a WAF service and create a security protection source site 1 for tenant A, while tenant B can activate a WAF service and create a security protection source site 2 for tenant B.

[0131] In this embodiment of the application, after creating a security protection source station corresponding to the tenant information through the configuration management module, the protection information corresponding to the tenant is configured on the created security protection source station. The protection information may be the protection source station IP, source station port number, and security protocol channel SSL certificate information, etc.

[0132] In this embodiment of the application, the configuration management module can also carry protection information in the instruction message and send the protection information to the data processing node through the sent instruction message.

[0133] S103. The data processing node creates a protection instance corresponding to the user information based on the service information and protection information, and forwards the access traffic corresponding to the security protection source station to the protection instance so that the protection instance can detect and clean the access traffic.

[0134] In this embodiment of the application, once the source station IP, source station port number, and SSL certificate information of the security protocol channel have been configured, an instruction message is sent to the data processing node to create a protection instance vWAF pod corresponding to the WAF service activated by the tenant.

[0135] It should be noted that the sent command message carries the corresponding protection information, such as the source IP address, source port number, and SSL certificate information for the security protocol channel.

[0136] In this embodiment of the application, when creating a protection instance vWAF pod corresponding to a WAF service opened by a tenant, the protection instance vWAF pod corresponding to the WAF service opened by the tenant is created according to the protection bandwidth and QPS information in the service information carried in the instruction.

[0137] It should be noted that one tenant can correspond to multiple vWAF pods.

[0138] It should be noted that the specific implementation process for creating a protection instance vWAF pod is not limited to the method described in this application; it can be selected according to the actual situation, and no specific limitation is made in this application.

[0139] In this embodiment of the application, after successfully creating a corresponding protection instance vWAF pod for a tenant, the protection information and service information corresponding to the protection instance vWAF pod are set in the protection instance vWAF pod. This can be done by setting the origin IP, origin port number, and QPS information in the protection instance vWAF pod.

[0140] In this embodiment, after the corresponding protection information and service information are set in the protection instance vWAF pod, the data processing node can process the protection information and service information to obtain the protection instance tag corresponding to the protection instance; the protection instance corresponding to the access traffic is determined by the protection instance tag, and the access traffic corresponding to the security protection source station is forwarded to the corresponding protection instance.

[0141] In this embodiment, specific rules can be used to generate vWAF pod tags corresponding to the protection instance based on the protection information and service information set in the protection instance. Specifically, the method for generating vWAF pod tags can be selected according to the actual situation, and no specific limitation is made in this application.

[0142] In this embodiment of the application, there is a one-to-one correspondence between the vWAF pod tag and the protection instance vWAF pod. The vWAF pod tag can be used to identify a unique protection instance vWAF pod. When there is access traffic to the origin server that the tenant wants to protect, the vWAF pod tag can be used to identify the protection instance vWAF pod corresponding to the origin server that the tenant wants to protect.

[0143] It should be noted that this application achieves mutual isolation of protection capabilities between different tenants in the data processing node by creating different protection instances (vWAF pods) for different tenants.

[0144] In this embodiment, the management node also includes an object creation module, which can be used to create traffic forwarding objects for the data processing node; and associate the traffic forwarding objects with the protection instances to realize the process of forwarding the access traffic corresponding to the security protection source station to the corresponding protection instance, and detecting and cleaning the access traffic.

[0145] In this embodiment of the application, after the data processing node completes the creation of the protection instance vWAF pod, the user can create an object service in the data processing node for traffic forwarding through the object creation module in the management node.

[0146] In this embodiment of the application, when creating a traffic forwarding object service, the created traffic forwarding object service can be associated with the generated vWAF pod tag through fields set in the data table. The access traffic can be forwarded to different vWAF pod tags through the object service. The corresponding protection instance vWAF pod is determined through the vWAF pod tag, and the access traffic corresponding to the protection instance of that tenant is detected and cleaned.

[0147] In this embodiment of the application, during the process of accessing traffic forwarding through the object service, it is also necessary to create an entry Ingress object for traffic forwarding through the object service.

[0148] In this embodiment, the Ingress object can be created based on the service information or protection information configured in the protection source station.

[0149] It should be noted that Ingress objects can be created using methods other than those described in this application. Specifically, the choice can be made according to the actual situation, and no specific limitations are made in this application.

[0150] In this embodiment, after the Ingress object is created, different protected origin domain names are bound to corresponding forwarding service objects in the Ingress object. Through the relationship between the Ingress object and the forwarding service object, access traffic corresponding to different protected origin sites can be forwarded to different forwarding service objects through the entry Ingress object. Then, through the relationship between the forwarding service object and the vWAF pod tag, the protection instance vWAF pod that protects the access traffic is determined, so that the vWAF pod can protect multiple user sites.

[0151] In this embodiment, the data processing node can use the Ingress object to determine the vWAF pod tag to be forwarded from the access traffic corresponding to the security protection origin station through the associated forwarding object service. It can then use the vWAF pod tag to determine the protection instance corresponding to the security protection origin station and use the determined security protection instance to detect and clean the access traffic.

[0152] It should be noted that, after the security protection instance has detected and cleaned the access traffic, the cleaned traffic is proxied back to the tenant's origin server to achieve security protection for the tenant's origin server.
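The tenant-to-pod association of Tables 1-7 and the Ingress to forwarding Service to vWAF pod lookup of [0144]-[0152], as an added Python illustration that is not part of the patent; the tag derivation rule, the class and field names and the two sample tenants are assumptions.

```python
"""Per-tenant routing model of Tables 1-7 and [0144]-[0152]; added illustration, not the
patent's code. A tenant owns one Ingress, one forwarding Service and its vWAF pod(s); the
Service selects pods by a tag unique to the tenant. Tag rule, names, sample data: assumed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Tenant:                      # Table 1 plus the protection information of [0131]
    tenant_id: str
    host: str                      # protected source station (domain name)
    bandwidth_mbps: int
    origin_ip: str
    origin_port: int


@dataclass
class VwafPod:                     # Table 2
    pod_id: str
    name: str
    version: str
    tag: str                       # vWAF pod tag ([0142]); the Service selector key
    healthy: bool = True


@dataclass
class ForwardingService:           # Table 3; bound to pods by tag (Table 7)
    svc_id: str
    name: str
    version: str
    selector_tag: str


@dataclass
class Ingress:                     # Table 4; host rule -> Service id (Table 6)
    ingress_id: str
    name: str
    version: str
    host_to_svc: Dict[str, str] = field(default_factory=dict)


def make_pod_tag(t: Tenant) -> str:
    """Assumed tag rule ([0141] leaves it open): hash of protection + service information."""
    raw = f"{t.tenant_id}|{t.host}|{t.origin_ip}:{t.origin_port}|{t.bandwidth_mbps}"
    return "vwaf-" + hashlib.sha256(raw.encode()).hexdigest()[:12]


class ProtectionModel:
    def __init__(self) -> None:
        self.tenant_to_ingress: Dict[str, Ingress] = {}   # Table 5
        self.services: Dict[str, ForwardingService] = {}
        self.pods: List[VwafPod] = []

    def onboard(self, t: Tenant, replicas: int = 1, version: str = "v1") -> str:
        """S101-S103: create the tenant's Ingress, Service and vWAF pod(s); returns the tag."""
        tag = make_pod_tag(t)
        svc = ForwardingService(f"svc-{t.tenant_id}", f"{t.tenant_id}-fwd", version, tag)
        self.services[svc.svc_id] = svc
        self.tenant_to_ingress[t.tenant_id] = Ingress(
            f"ing-{t.tenant_id}", f"{t.tenant_id}-entry", version, {t.host: svc.svc_id})
        for i in range(replicas):
            self.pods.append(VwafPod(f"{tag}-{i}", f"{t.tenant_id}-vwaf-{i}", version, tag))
        return tag

    def resolve(self, host: str) -> List[VwafPod]:
        """Ingress host rule -> forwarding Service -> healthy pods carrying the selector tag."""
        for ing in self.tenant_to_ingress.values():
            svc_id = ing.host_to_svc.get(host)
            if svc_id is not None:
                tag = self.services[svc_id].selector_tag
                return [p for p in self.pods if p.tag == tag and p.healthy]
        return []                  # unknown host: no protection instance, nothing is forwarded

    def isolated(self) -> bool:
        """No selector tag is shared between tenants, and every pod is selected by one tenant."""
        tags = [self.services[s].selector_tag
                for ing in self.tenant_to_ingress.values() for s in ing.host_to_svc.values()]
        return len(tags) == len(set(tags)) and all(p.tag in tags for p in self.pods)


# Constructed sample tenants (not from the patent).
TENANT_A = Tenant("tenant-1", "www.example-a.test", 5, "10.0.0.10", 443)
TENANT_B = Tenant("tenant-2", "www.example-b.test", 10, "10.0.0.20", 8443)


def demo() -> dict:
    """Onboard two tenants, fail one pod of tenant A, and show tenant B is unaffected."""
    m = ProtectionModel()
    tag_a, tag_b = m.onboard(TENANT_A, replicas=2), m.onboard(TENANT_B)
    m.pods[0].healthy = False      # tenant A's first pod fails ([0080]: B must not notice)
    return {
        "tags_differ": tag_a != tag_b,
        "isolated": m.isolated(),
        "a_pods": [p.pod_id for p in m.resolve(TENANT_A.host)],
        "b_pods": [p.pod_id for p in m.resolve(TENANT_B.host)],
        "unknown_host": m.resolve("www.unknown.test"),
    }
```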

[0153] Optionally, in this embodiment of the application, when the protection instance detects attack information corresponding to attack traffic in the access traffic and transmits the attack information to the log center in the management node, the attack information is output through the log center.

[0154] In this embodiment, when traffic accessing the tenant's origin server is forwarded to the tenant's corresponding protection instance vWAF pod, the protection instance vWAF pod in the data processing node inspects the access traffic. When the protection instance vWAF pod detects attack traffic in the access traffic, the Agent log reporting module running in sidecar mode in the protection instance vWAF pod collects detailed information about the attack traffic and transmits it to the log center in the management node. The tenant can view the detailed attack information through the log center in the management node.

[0155] It's important to note that traditional log collection methods require pre-deploying the log collection module (Agent) to the protection instance, and configuring collection rules only after the protection instance is configured. However, the Sidecar-based Agent log reporting module used in this application packages the log collection module (Agent) with the protection instance's vWAF Pod, automatically creating and configuring it as user services are created. This improves efficiency and, in the event of a failure, does not affect the normal collection and presentation of logs from other users, enabling fault isolation between different tenant protection origin servers.

[0156] Optionally, in this embodiment, the policy management module in the management node can configure security protection policies for the protection instance, so that the protection instance can use the security protection policies to detect and clean access traffic.

[0157] In this embodiment, after creating the protection instance and using it to protect the tenant's origin server, the tenant can also set custom security protection policies. Specifically, the tenant can customize security protection policy configuration information in the policy management module of the management node according to the needs of the protected origin server in the business. The custom security protection policy configuration can be a custom policy such as IP blacklist / whitelist, URL blacklist / whitelist, or traffic tagging.

[0158] In this embodiment, the tenant can set a custom security protection policy in the protection instance corresponding to the protection source station through the management node, based on the current protection requirements of the protection source station. The protection instance can provide more secure protection for the protection source station according to the set security protection policy, thus improving the security of the protection source station.

[0159] Optionally, the image center module in the management node can also process security protection policies and generate image files corresponding to the security protection policies, so as to use the image files to realize the templated configuration of security protection policies.

[0160] In this embodiment of the application, when a tenant modifies the created protection instance vWAF Pod according to the current needs of the protection source station, a tenant-customized protection instance vWAF Pod is obtained.

[0161] In this embodiment, tenants can customize security protection policies in the protection instance. The image center module can generate a security protection configuration template for the protection instance vWAF Pod with the tenant's customized security protection policy and store the security protection configuration template in the database corresponding to the image center module in the form of an image.

[0162] It should be noted that different security protection policies can generate different security protection configuration templates for the vWAF Pods, and different security protection configuration templates correspond to different versions of the vWAF Pods.

[0163] In this embodiment of the application, when configuring security protection instances, different security protection instances can be configured using templates by directly obtaining the corresponding version of the security protection instance.

[0164] In this embodiment, when a tenant needs to add a security protection instance, the image file of the corresponding security protection instance can be obtained through the image center module. The tenant can directly use the obtained image file of the protection instance to implement custom security protection policy settings for the newly added protection instance without having to perform custom configuration for the newly added protection instance.

[0165] Optionally, in this embodiment of the application, the image center module can be used to process each version of the protection instance to obtain multiple versions of protection instance image files. A target version of the protection instance image file is determined from these versions using a preset rolling upgrade strategy, and the current protection instance version is changed based on the target version of the protection instance image file.

[0166] In this embodiment, when the protection function of the protection instance vWAF Pod corresponding to a tenant is upgraded, the protection instance software of each completed version is released: the different versions of the protection instance vWAF Pod are processed to generate image files corresponding to those versions, and the generated image files are transmitted to the image center module. The tenant selects the new image file corresponding to the protection instance from the image center module in the management node and associates the new image file with the protection source station. Kubernetes then uses a rolling upgrade strategy to gradually replace the old version of the protection instance vWAF Pod with the new version, completing the version upgrade of the protection instance vWAF Pod.

[0167] For example, as shown in Figure 2, multiple protection instance vWAF Pods can be associated under one Replication Controller (RC) in Kubernetes. When upgrading the protection instance vWAF Pods from version v1 to version v2, a rolling upgrade strategy can be used. First, the first version v1 vWAF Pod is selected, a version v2 vWAF Pod is selected from the image center, and the first v1 vWAF Pod is replaced with the v2 vWAF Pod; this completes the upgrade of one vWAF Pod in the protection instance corresponding to the tenant. Similarly, the second version v1 vWAF Pod is selected and replaced with a version v2 vWAF Pod selected from the image center, completing the upgrade of the second vWAF Pod, and so on until all version v1 vWAF Pods corresponding to the tenant have been replaced with version v2 vWAF Pods.

[0168] It should be noted that when one or more protection instance vWAF Pods associated with the RC fail, the data processing node creates new protection instance vWAF Pods so that the number of running protection instance vWAF Pods again reaches the expected number.

[0169] In another embodiment of this application, the protection policy corresponding to a protection instance may need to be upgraded, for example to add a policy for protecting against a 0-day vulnerability. This is achieved by creating an image file of the protection instance that carries the updated protection policy, uploading the image file to the image center, and having the tenant select the new image file corresponding to the protection instance from the image center module in the management node and associate the new image file with the protection source station. Kubernetes then uses a rolling upgrade strategy to gradually replace the old-version protection instance vWAF Pods with new-version protection instance vWAF Pods, which completes the version upgrade of the protection instance vWAF Pod.

[0170] It should be noted that the rolling upgrade method used when upgrading the protection policy in a protection instance is the same as the process used when upgrading the protection function of the vWAF Pod corresponding to a tenant. For details, refer to the implementation process of the example in Figure 2; it is not described again here.

[0171] It should be noted that after the upgrade of the protection policy corresponding to the protection instance is completed, if the protection policy in the upgraded protection instance does not protect the source station as intended, the upgraded version can be rolled back. When rolling back the version of the protection instance, the image file version to roll back to is selected from the image center module, and the image file version of the upgraded protection instance is replaced with the selected image file version.

[0172] It should be noted that the method for rolling back the protection instance version is the same as the method for upgrading the protection instance version. Both are handled by replacing one instance at a time. For details, please refer to the implementation process of the protection instance version upgrade, which will not be repeated here.
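As an added illustration, not code from the patent or its assignee, the following Python models the three behaviours described in [0166] to [0172]: keeping a tenant's vWAF Pod count at the expected number when Pods fail, replacing v1 Pods with v2 Pods one at a time, and rolling back by re-applying the earlier image through the same procedure. The image center is a dict of published tags, and TenantProtection, Pod, deployment_manifest and the readiness-probe callback are assumed names. One caveat the text leaves out: in current Kubernetes a ReplicationController by itself only maintains the replica count; the one-at-a-time replacement is what a Deployment with a RollingUpdate strategy (maxSurge 1, maxUnavailable 0) performs, and `kubectl rollout undo deployment/<name>` performs the rollback, so the manifest helper shows that declarative form. The example also halts a rollout when a new Pod fails its readiness probe, leaving the old Pod serving, which is the check that makes the rollback path safe to rely on.

```python
"""Per-tenant vWAF Pod reconciliation: self-healing, one-at-a-time rolling upgrade and
rollback by re-applying an earlier image. Added illustration, not the patent's code: the
image center is a dict of tags; TenantProtection, Pod, deployment_manifest are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

IMAGE_CENTER: Dict[str, str] = {"vwaf:v1": "sha256:1111", "vwaf:v2": "sha256:2222"}  # constructed
Probe = Callable[[str], bool]  # readiness probe for a Pod running the given image tag

@dataclass
class Pod:
    name: str
    image: str
    ready: bool = True

@dataclass
class TenantProtection:
    tenant: str
    replicas: int
    image: str
    pods: List[Pod] = field(default_factory=list)
    history: List[str] = field(default_factory=list)  # earlier images, newest last
    seq: int = 0

    def _spawn(self, probe: Probe) -> Pod:
        self.seq += 1
        pod = Pod(f"{self.tenant}-vwaf-{self.seq}", self.image, ready=probe(self.image))
        self.pods.append(pod)
        return pod

    def self_heal(self, probe: Probe) -> int:
        """Drop failed Pods and create replacements until the expected number runs."""
        self.pods = [p for p in self.pods if p.ready]
        missing = self.replicas - len(self.pods)
        for _ in range(missing):
            self._spawn(probe)
        return missing

    def set_image(self, image: str) -> None:
        """Associate a published image with this tenant's protection source station."""
        if image not in IMAGE_CENTER:
            raise ValueError(f"{image} is not published in the image center")
        if image != self.image:
            self.history.append(self.image)
            self.image = image

    def rolling_step(self, probe: Probe) -> bool:
        """Replace one Pod still running an old image; False when none is left."""
        old = next((p for p in self.pods if p.image != self.image), None)
        if old is None:
            return False
        new = self._spawn(probe)  # surge first: the old Pod keeps serving meanwhile
        if not new.ready:
            self.pods.remove(new)  # halt here; no old Pod has been removed yet
            raise RuntimeError(f"{new.name} failed readiness; rollout of {self.image} halted")
        self.pods.remove(old)
        return True

    def rollout(self, probe: Probe) -> int:
        steps = 0
        while self.rolling_step(probe):
            steps += 1
        return steps

    def rollback(self, probe: Probe) -> int:  # same procedure, previous image
        if not self.history:
            raise RuntimeError("no earlier revision to roll back to")
        self.set_image(self.history.pop())
        return self.rollout(probe)

    def images(self) -> List[str]:
        return sorted({p.image for p in self.pods})

def deployment_manifest(tenant: str, image: str, replicas: int) -> dict:
    """Declarative form: a Deployment whose RollingUpdate strategy swaps one Pod at a time."""
    labels = {"app": "vwaf", "tenant": tenant}
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": f"vwaf-{tenant}", "labels": labels},
            "spec": {"replicas": replicas, "selector": {"matchLabels": labels},
                     "strategy": {"type": "RollingUpdate", "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 0}},
                     "template": {"metadata": {"labels": labels}, "spec": {"containers": [{"name": "vwaf", "image": image}]}}}}

def demo() -> dict:
    ok: Probe = lambda image: True
    t = TenantProtection("tenant-a", replicas=3, image="vwaf:v1")
    t.self_heal(ok)
    t.pods[0].ready = False  # one vWAF Pod crashes; the next pass replaces it
    r = {"healed": t.self_heal(ok)}
    t.set_image("vwaf:v2")
    try:  # a v2 Pod that fails its readiness probe halts the rollout; v1 keeps serving
        t.rollout(lambda image: image == "vwaf:v1")
    except RuntimeError:
        r["halted_on"] = t.images()
    r["upgrade_steps"] = t.rollout(ok)  # with a passing probe: three one-at-a-time replacements
    r["after_upgrade"] = t.images()
    r["rollback_steps"] = t.rollback(ok)  # v2 policy judged ineffective: back to v1 the same way
    r.update(after_rollback=t.images(), history=list(t.history))
    return r
```

demo() returns the replacement counts and the image set after each phase; "halted_on" shows that a failed readiness probe leaves every v1 Pod in place. The history here keeps only image tags; in a real manifest pin the image by digest (the IMAGE_CENTER values) so that a re-tagged image in the image center cannot silently change what a rollback restores.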

[0173] It should be noted that the protection system in this embodiment is implemented through containerization, which enables the canary release and self-healing of the protection system.

[0174] Optionally, the management node also includes a monitoring center module. The monitoring center module is used to monitor the memory space used by the protection instance during operation. When the memory space used is greater than a preset memory space threshold, it sends an instance increase instruction to the data processing node. When the memory space used is less than the preset memory threshold, it sends an instance decrease instruction to the data processing node. The data processing node increases the protection instance corresponding to the security protection source station according to the instance increase instruction, and decreases the protection instance corresponding to the security protection source station according to the instance decrease instruction.

[0175] In this embodiment, when the monitoring center module detects during operation that the processing capacity of the entire cluster is insufficient, the processing capacity of the cluster can be improved by dynamically adding new K8s nodes. Specifically, when the CPU usage of a tenant's protection instance vWAF Pod exceeds a set threshold during operation, the data processing node automatically creates a new protection instance vWAF Pod to relieve the load on the current protection instance vWAF Pods in the cluster. When the CPU usage falls back below the threshold, the number of vWAF Pods is dynamically reduced to avoid wasting cluster resources, achieving dynamic scaling.

[0176] It should be noted that the memory threshold can be selected according to the actual situation, and no specific limitation is made in this application.
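The scaling rule in [0174] and [0175] compares the usage of a tenant's protection instance against one preset threshold and issues an instance increase instruction above it and an instance decrease instruction below it. With a single threshold the Pod count oscillates whenever the load sits near it: adding a Pod drops per-Pod usage below the threshold, which triggers a decrease, which pushes usage back above it. The following added Python, not the patent's code, plays the described single-threshold rule beside a variant with a separate, lower scale-down threshold, a cooldown and replica bounds, on constructed load series. Load is expressed in units of one Pod's capacity, so utilisation is load divided by replicas; ScalePolicy, TenantScaler and the load series are assumptions.

```python
"""Scaling decisions for a tenant's vWAF Pods from a utilisation sample. Added illustration,
not the patent's code: load is in units of one Pod's capacity (utilisation = load / replicas);
ScalePolicy, TenantScaler and the sample load series are assumptions."""
from dataclasses import dataclass
from typing import List

@dataclass
class ScalePolicy:
    up_threshold: float    # mean utilisation above this -> "increase" instruction
    down_threshold: float  # mean utilisation below this -> "decrease" instruction
    min_replicas: int = 1
    max_replicas: int = 8
    cooldown: int = 0      # ticks to hold after any change

class TenantScaler:
    """Monitoring-center logic for one tenant: emits the instruction sent to the data processing node."""

    def __init__(self, tenant: str, replicas: int, policy: ScalePolicy):
        self.tenant = tenant
        self.replicas = replicas
        self.policy = policy
        self._hold = 0  # remaining cooldown ticks

    def observe(self, load: float) -> str:
        p = self.policy
        util = load / self.replicas
        if self._hold > 0:
            self._hold -= 1
            return "hold"
        if util > p.up_threshold and self.replicas < p.max_replicas:
            self.replicas += 1
            self._hold = p.cooldown
            return "increase"
        if util < p.down_threshold and self.replicas > p.min_replicas:
            self.replicas -= 1
            self._hold = p.cooldown
            return "decrease"
        return "hold"

def simulate(scaler: TenantScaler, loads: List[float]) -> List[str]:
    return [scaler.observe(x) for x in loads]

def flaps(instructions: List[str]) -> int:
    """Count direction reversals: an increase directly followed by a decrease or vice versa."""
    changes = [i for i in instructions if i != "hold"]
    return sum(1 for a, b in zip(changes, changes[1:]) if a != b)

# Constructed load series (Pod-equivalents): steady demand, then a burst followed by a lull.
STEADY = [2.0] * 6
BURST = [2.0, 2.0, 5.0, 5.0, 5.0, 5.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0]
# The text's rule: one threshold, increase above it and decrease below it.
SINGLE_THRESHOLD = ScalePolicy(up_threshold=0.8, down_threshold=0.8)
# Hysteresis band plus a one-tick cooldown so a just-added Pod is measured before acting again.
HYSTERESIS = ScalePolicy(up_threshold=0.8, down_threshold=0.4, cooldown=1)

def demo() -> dict:
    naive = simulate(TenantScaler("tenant-a", 2, SINGLE_THRESHOLD), STEADY)
    banded = simulate(TenantScaler("tenant-a", 2, HYSTERESIS), STEADY)
    burst = TenantScaler("tenant-a", 2, HYSTERESIS)
    burst_log = simulate(burst, BURST)
    return {"naive": naive, "naive_flaps": flaps(naive), "banded": banded,
            "banded_flaps": flaps(banded), "burst": burst_log, "burst_flaps": flaps(burst_log),
            "final_replicas": burst.replicas}
```

demo() returns the instruction streams: on a steady load the single-threshold scaler flips between increase and decrease on every tick, while the banded scaler scales up once and holds; over the burst it steps up and then back down with a single reversal. The Kubernetes HorizontalPodAutoscaler applies the same idea with a tolerance around the target and a scale-down stabilization window, and the memory or CPU threshold from the text maps onto the target utilisation here.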

[0177] It should be noted that the data model used in the network protection method can be set with reference to the data object model and some fields involved in the network protection system, which will not be elaborated here.

[0178] It is understood that, in the network protection method provided in this application embodiment, tenants activate the corresponding services through the service activation module in the management node. Different tenants create corresponding security protection source stations in the activated services and set security protection information for those source stations. The data processing node creates a protection instance corresponding to each tenant's protection source station based on the security protection information set on that source station. Because a protection instance is deployed for each tenant, when access traffic arrives, the access traffic of each tenant is forwarded to the corresponding protection instance for detection and cleaning according to the corresponding forwarding policy. During protection of the source stations the tenants do not interfere with each other, and if the protection instance of one tenant fails, the protection of the source stations of other tenants' protection instances is not affected. This isolates the security protection functions of different tenants and improves the business security protection of each tenant.

[0179] This application provides a storage medium storing a computer program thereon. The computer-readable storage medium stores one or more programs, which can be executed by one or more processors and applied in a network protection system 1. The computer program implements the network protection method described above. The processor can be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a CPU, a controller, a microcontroller, or a microprocessor. It is understood that for different devices, the electronic device used to implement the above-described processor function can also be other types; this embodiment does not specifically limit the specific devices used.

[0180] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.

[0181] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the related technology, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk), and includes several instructions to cause an image display device (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in the various embodiments of this disclosure.

[0182] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A network protection system, characterized in that the system includes a management node and a data processing node; the management node includes a service activation module, a configuration management module, and an object creation module. The service activation module is used to receive a service activation request and activate the corresponding service based on the service activation request; record the service information and user information corresponding to the service; and send the service information to the data processing node, wherein the service information includes protection bandwidth, business bandwidth and requests per second (QPS). The configuration management module is used to create a security protection source station corresponding to the user information; configure the protection information corresponding to the security protection source station on the security protection source station; and send the protection information to the data processing node. The protection information includes the protection source station IP, the source station port number, and the SSL certificate information of the secure protocol channel.
The data processing node is configured to create a protection instance corresponding to the user information based on the service information and the protection information, and to forward the access traffic corresponding to the security protection source station to the protection instance so that the protection instance detects and cleans the access traffic; and to process the protection information and the service information to obtain a protection instance tag corresponding to the protection instance, determine the protection instance corresponding to the access traffic through the protection instance tag, and forward the access traffic corresponding to the security protection source station to the corresponding protection instance. The object creation module is used to create a traffic forwarding object for the data processing node and associate the traffic forwarding object with the protection instance, so as to forward the access traffic corresponding to the security protection source station to the corresponding protection instance through the traffic forwarding object, thereby realizing the detection and cleaning of the access traffic.

2. The system according to claim 1, characterized in that the management node also includes a monitoring center module. The monitoring center module is used to monitor the memory space used by the protection instance during operation; when the memory space used is greater than a preset memory space threshold, it sends an instance increase instruction to the data processing node, and when the memory space used is less than the preset memory space threshold, it sends an instance decrease instruction to the data processing node. The data processing node is configured to add a protection instance corresponding to the security protection source station based on the instance increase instruction, and to reduce the protection instance corresponding to the security protection source station based on the instance decrease instruction.

3. The system according to claim 1, characterized in that the management node also includes a policy management module. The policy management module is used to configure security protection policies for the protection instance, so that the protection instance can use the security protection policies to detect and clean the access traffic.

4. The system according to claim 3, characterized in that the management node also includes an image center module. The image center module is used to process the security protection policy and generate an image file corresponding to the security protection policy, so as to use the image file to realize templated configuration of the security protection policy.

5. The system according to claim 4, characterized in that the image center module is also used to process each version of the protection instance to obtain multiple versions of protection instance image files, to determine the target version of the protection instance image file from the multiple versions using a preset rolling upgrade strategy, and to change the current protection instance version based on the target version of the protection instance image file.

6. The system according to claim 1, characterized in that the management node also includes a log center. When the protection instance detects attack information corresponding to attack traffic in the access traffic and transmits the attack information to the log center, the log center is used to output the attack information.

7. A network protection method, characterized in that it is applied to the network protection system according to any one of claims 1 to 6, and the method comprises: upon receiving a service activation request, the service activation module activates the corresponding service based on the request, records the service information and user information corresponding to the service, and sends the service information to the data processing node, the service information including protection bandwidth, business bandwidth, and requests per second (QPS); the configuration management module creates a security protection source station corresponding to the user information, configures the corresponding protection information on the security protection source station, and sends the protection information to the data processing node, the protection information including the protection source station IP, the source station port number, and the SSL certificate information of the secure protocol channel; based on the service information and the protection information, the data processing node creates a protection instance corresponding to the user information and forwards the access traffic corresponding to the security protection source station to the protection instance so that the protection instance detects and cleans the access traffic, and processes the protection information and the service information to obtain a protection instance tag corresponding to the protection instance, determines the protection instance corresponding to the access traffic through the protection instance tag, and forwards the access traffic corresponding to the security protection source station to the corresponding protection instance; and the object creation module creates a traffic forwarding object for the data processing node and associates the traffic forwarding object with the protection instance, so as to forward the access traffic corresponding to the security protection source station to the corresponding protection instance through the traffic forwarding object, thereby realizing the detection and cleaning of the access traffic.

8. A storage medium having a computer program stored thereon, characterized in that when the computer program is executed, it implements the method according to claim 7.