An SD-WAN risk control routing adaptation method, device, medium and product
By employing a closed-loop risk control routing system—comprising multi-dimensional risk control feature extraction on the CPE side, dynamic label generation on the Orch side, and adaptation feedback on the PoP side—the problem of insufficient risk control identification in SD-WAN routing is solved, enabling efficient access to risk-sensitive services and improving stability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING QINGWANG TECH CORP
- Filing Date
- 2025-12-23
- Publication Date
- 2026-06-16
AI Technical Summary
Existing SD-WAN routing technology has failed to effectively integrate into risk control, resulting in insufficient identification of tenant behavior compliance, high IP blocking rates, low access success rates, inability to adapt to real-time anti-protection rules for various risk-sensitive services, and low routing accuracy.
By extracting and reporting multi-dimensional risk control feature vectors on the CPE side, generating dynamic risk control labels on the Orch side, and adapting and providing feedback on the PoP side, a closed-loop risk control routing system is constructed. This system synchronizes anti-protection features in real time, generates dynamic risk control labels, and selects the optimal exit node using a multi-dimensional scoring model to ensure reliable data transmission.
It significantly reduced the false positive rate of anti-protection measures for risk-sensitive services, improved access success rate and stability, reduced IP blocking rate, and improved network performance and service access success rate.
Smart Images

Figure CN121567459B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of traffic scheduling, and in particular to an SD-WAN risk control routing adaptation method, device, medium, and product. Background Technology
[0002] As enterprises accelerate their digital transformation, multinational offices, cross-border e-commerce businesses, SaaS applications, and financial cloud services are placing higher demands on network connectivity quality and access compliance. Against this backdrop, Software-Defined Wide Area Network (SD-WAN), with its flexible path scheduling, bandwidth aggregation, and centralized management capabilities, has become the mainstream choice for multi-tenant enterprise network architectures. SD-WAN utilizes software for network resource scheduling, with a core architecture consisting of "Customer Premises Equipment (CPE) + Orchestrator + Points of Presence (PoP) / egress nodes." The Orchestrator (controller) is the core hub of SD-WAN, pre-storing tenant information, deploying risk control models, and responsible for tag generation and PoP matching. The CPE possesses capabilities for traffic risk control feature extraction, behavior classification, and encrypted reporting. The PoP has IP reputation management and anti-protection adaptation capabilities, receiving risk control scheduling instructions from the Orchestrator. In the SD-WAN multi-tenant architecture, when tenants access various risk-sensitive services via "CPE→PoP," the anti-protection mechanisms (anti-automation, anti-fraud) of these services primarily target "abnormal behavior," "suspicious IPs," and "homogeneous characteristics" for restrictions (such as blocking IPs, triggering CAPTCHAs, and limiting access frequency). However, current SD-WAN deployments face an increasingly prominent challenge: the success rate of tenant access to "risk-sensitive services" continues to decline. Risk-sensitive services are those that are sensitive to access behavior, IP reputation, and request characteristics, and have strict anti-automation / anti-fraud protection mechanisms (such as Google, cross-border e-commerce platforms, enterprise cloud services, financial risk control systems, etc.).
[0003] To address the aforementioned issues, existing SD-WAN routing technologies include static routing schemes based on bandwidth / latency and PoP mapping schemes based on static labels. The bandwidth / latency-based static routing scheme assigns a fixed exit PoP based on the tenant's preset bandwidth requirements and PoP network latency. The CPE does not process traffic characteristics and simply forwards traffic to the designated PoP. PoPs are statically assigned IPs without distinguishing between tenant risks. However, high-risk tenants (such as those using automated tools) share the same PoP IP with low-risk tenants, leading to cross-contamination and IP blocking by risk-sensitive services. Furthermore, it fails to adapt to anti-protection rules for various services, resulting in a disconnect between routing decisions and risk control requirements. The static label-based PoP mapping scheme, on the other hand, pre-configures a "tenant industry label → PoP" mapping table in Orch (e.g., "foreign trade tenant → PoP A"), with fixed labels. PoPs are assigned IP pools based on labels, without considering IP reputation or anti-protection pass rates. However, the tags lack risk control dimensions (such as "compliance" and "risk level") and cannot respond to changes in tenant dynamic behavior (such as a normal tenant suddenly making high-frequency requests); Orch does not synchronize the anti-protection features of various risk control sensitive services in real time, and the accuracy of PoP matching is low (mismatch rate > 50%).
[0004] It is evident that existing SD-WAN routing technologies have key flaws:
[0005] (1) The routing only focuses on "connectivity" (bandwidth, latency) and does not incorporate risk control dimensions, making it impossible to identify the compliance of tenant behavior (such as whether high-frequency requests conform to normal user logic).
[0006] (2) Orch relies on static tags to allocate PoPs and does not combine real-time anti-protection rules for various risk control sensitive services (e.g., a PoP IP was recently frequently blocked by cross-border e-commerce platforms but was still allocated).
[0007] (3) CPE only forwards traffic and does not extract risk control related features, which makes Orch unable to accurately determine the tenant's risk level, resulting in a high IP blocking rate (industry average >40%) and a low access success rate (<60%).
[0008] Therefore, based on the above problems, there is an urgent need to provide an SD-WAN routing method that can improve the success rate and stability of access to risk-sensitive services while ensuring network performance. Summary of the Invention
[0009] The purpose of this application is to provide an SD-WAN risk control routing adaptation method, device, medium, and product that can improve the success rate and stability of access to risk-sensitive services while ensuring network performance.
[0010] To achieve the above objectives, this application provides the following solution:
[0011] In the first aspect, this application provides an SD-WAN risk control routing adaptation method, which includes: CPE-side risk control detection and reporting, Orch-side risk control routing, and PoP-side adaptation and feedback.
[0012] The CPE-side risk control detection and reporting specifically includes:
[0013] Multidimensional risk control feature vectors are extracted from the raw traffic of tenants accessing risk-sensitive services and associated with the target risk-sensitive service type; the raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool features, access frequency, target service type, and request content summary;
[0014] Based on the multidimensional risk control feature vector and the target risk control sensitive service type, the tenant's risk level is initially determined;
[0015] The multidimensional risk control feature vector, the risk level, and the target risk control sensitive service type are encrypted and then reported to Orch in a triggered manner.
[0016] The Orch-side risk control routing specifically includes:
[0017] Real-time synchronization of anti-automation rules for various risk control-sensitive services to build an anti-protection feature database;
[0018] Based on the encrypted reported data, the anti-protection feature library, and the global data pre-stored in Orch, a compliance score is determined and a dynamic risk control label is generated. The global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate. The dynamic risk control label includes risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk-sensitive services.
[0019] Based on the dynamic risk control tags and the real-time status of each exit node, the optimal exit node is determined through a multi-dimensional scoring model.
[0020] Based on the information of the optimal exit node and the adaptation requirements of the dynamic risk control tag, a scheduling instruction is generated and sent to the CPE device and the optimal exit node; the scheduling instruction includes: forwarding target, IP pool type and feature adaptation requirements;
[0021] The export node-side adaptation and feedback specifically includes:
[0022] High-reputation IPs are allocated according to the scheduling instructions, and differentiated request characteristics are generated;
[0023] The high-reputation IP is bound to the differentiated request characteristics and forwarded to the target risk-sensitive service;
[0024] The access results of the target risk control sensitive services and the real-time status of the exit node are fed back to Orch.
[0025] Optionally, the step of extracting multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk-sensitive services and associating them with the target risk-sensitive service type specifically includes:
[0026] Based on the packet structure of the original traffic, structured data is extracted; the structured data includes: request headers, timestamps, and target URLs;
[0027] Tool features for matching raw traffic using regular expressions;
[0028] Use a trie to identify the type of target service;
[0029] Use a sliding window to determine the average access interval and peak periods;
[0030] Verify the completeness and format compliance of the fields in the HTTP / HTTPS request header to determine the compliance of the request header;
[0031] Normalize structured data, tool characteristics, target service type, average access interval and peak period, and request header compliance.
[0032] The normalized features are assembled in a preset order to generate an initial multidimensional risk control feature vector.
[0033] The initial multidimensional risk control feature vector is deduplicated and compressed to obtain the multidimensional risk control feature vector.
[0034] Optionally, the step of encrypting the multi-dimensional risk control feature vector, the risk level, and the target risk control sensitive service type and then triggering the reporting to Orch specifically includes:
[0035] The multi-dimensional risk control feature vector, the risk level, and the target risk control sensitive service type are encrypted using the AES encryption algorithm and CPE digital signature.
[0036] Report immediately when the risk level changes or the target risk control sensitive service type is switched.
[0037] Optionally, the step of determining a compliance score and generating a dynamic risk control label based on the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records specifically includes:
[0038] Based on the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records, a compliance score is determined based on the risk control model; the risk control model is a model that integrates logistic regression and random forest algorithms.
[0039] Dynamic risk control tags are generated based on compliance scores, encrypted reported data, the anti-protection feature library, and tenant historical compliance records.
[0040] Optionally, the multi-dimensional scoring model is used to determine the score of the egress node based on the score of IP reputation matching, the score of anti-protection pass rate, the score of load rate, and the score of network latency.
[0041] Optionally, the step of feeding back the access results of the target risk-sensitive service and the real-time status of the exit node to the Orch specifically includes:
[0042] If a ban occurs, immediately mark the corresponding high-reputation IP as temporarily disabled and trigger Orch to re-perform risk control routing.
[0043] Secondly, this application provides an SD-WAN risk control routing adaptation device, which includes: a CPE-side risk control detection system, an Orch-side risk control routing system, and a PoP-side risk control adaptation system;
[0044] The CPE-side risk control and detection system specifically includes:
[0045] The risk control feature extraction module is used to extract multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk control sensitive services and associate them with the target risk control sensitive service type; the raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool features, access frequency, target service type, and request content summary;
[0046] The behavioral risk classification module is used to initially determine the risk level of a tenant based on the multidimensional risk control feature vector and the target risk control sensitive service type.
[0047] The encrypted reporting module is used to encrypt the multidimensional risk control feature vector, the risk level, and the target risk control sensitive service type and then report them to Orch in a triggered manner.
[0048] The Orch-side risk control and routing system specifically includes:
[0049] The anti-protection feature synchronization module is used to synchronize the anti-automation rules of various risk control sensitive services in real time and build an anti-protection feature library.
[0050] The risk control model calculation module is used to determine the compliance score and generate dynamic risk control tags based on the encrypted reported data, the anti-protection feature library, and the global data pre-stored in Orch. The global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate. The dynamic risk control tags include risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk control sensitive services.
[0051] The PoP risk control adaptability calculation module is used to determine the optimal exit node based on the dynamic risk control tags and the real-time status of each exit node through a multi-dimensional scoring model.
[0052] The scheduling instruction generation module is used to generate scheduling instructions and send them to the CPE device and the optimal exit node based on the information of the optimal exit node and the adaptation requirements of the dynamic risk control label. The scheduling instructions include: forwarding target, IP pool type and feature adaptation requirements.
[0053] The PoP-side risk control adaptation system specifically includes:
[0054] The IP reputation management module allocates high-reputation IPs according to the scheduling instructions and generates differentiated request characteristics;
[0055] The tenant-IP-feature binding module is used to bind the high-reputation IP with the differentiated request features and forward it to the target risk control sensitive service;
[0056] The status feedback module is used to feed back the access results of the target risk control sensitive service and the real-time status of the exit node to the Orch.
[0057] Thirdly, this application provides a computer device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the SD-WAN risk control routing adaptation method.
[0058] Fourthly, this application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the SD-WAN risk control routing adaptation method.
[0059] Fifthly, this application provides a computer program product, including a computer program that, when executed by a processor, implements the SD-WAN risk control routing adaptation method.
[0060] According to the specific embodiments provided in this application, this application has the following technical effects:
[0061] This application provides an SD-WAN risk control routing adaptation method, device, medium, and product. It extracts multi-dimensional risk control feature vectors and triggers reporting on the CPE side. For various risk-sensitive services, it extracts multi-dimensional risk control feature vectors such as request frequency and tool identifiers, and performs preliminary classification based on target service types. Encrypted triggering reporting ensures data reliability, addressing the deficiency of existing CPEs lacking risk control awareness capabilities. On the Orch side, it generates dynamic risk control tags based on multi-service anti-protection rules, synchronizing anti-protection features of various risk-sensitive services in real time. It integrates global data to calculate compliance scores, generating dynamic risk control tags with service adaptation requirements, overcoming the limitation of static tags in adapting to multi-service risk control needs. It quantifies the PoP risk control adaptability score and closed-loop routing, establishing a multi-dimensional scoring model including IP reputation, anti-protection pass rate, and load rate to match the optimal PoP. It dynamically adjusts strategies based on access status feedback, solving the problem of existing routing focusing only on connectivity and having low adaptation accuracy. This application achieves a closed loop of "risk control detection → tag generation → PoP adaptation → status feedback," reducing the false positive rate of anti-protection measures for risk-sensitive services from the source and improving the access success rate. This, in turn, enhances the access success rate and stability of risk-sensitive services while ensuring network performance. Attached Figure Description
[0062] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0063] Figure 1 This is a schematic diagram of an SD-WAN risk control routing adaptation method in one embodiment of this application;
[0064] Figure 2 This is a schematic diagram of the structure of an SD-WAN risk control routing adaptation device in one embodiment of this application. Detailed Implementation
[0065] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0066] To make the above-mentioned objectives, features and advantages of this application more apparent and understandable, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0067] In one exemplary embodiment, such as Figure 1 As shown, an SD-WAN risk control routing adaptation method is provided, which includes:
[0068] S1, CPE-side risk control detection and reporting;
[0069] S1 specifically includes:
[0070] S11: Extract multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk-sensitive services and associate them with the target risk-sensitive service type; CPE pre-stores 7-day historical baseline data of tenants;
[0071] The raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool characteristics, access frequency, target service type, and request content summary;
[0072] S11 specifically includes:
[0073] S111 utilizes the embedded DPDK protocol parsing system to capture raw traffic at line speed, parse the packet structure, and extract structured data; the structured data includes: request headers (User-Agent, Accept-Language), timestamps, and target URLs;
[0074] S112, start the intelligent rule matching engine and use regular expressions to match the tool features of the raw traffic (such as webdriver=true).
[0075] S113, use a trie to identify the target service type (such as the cross-border e-commerce product query path).
[0076] S114, Use a sliding window to determine the average access interval and peak period; Specifically, run a 10-minute sliding window time-series statistics system to accumulate the request frequency within the window, calculate the average access interval, and identify the peak period.
[0077] S115, invoke the RFC 7230 compliance verification system to verify the integrity and format specifications of the HTTP / HTTPS request header fields, and obtain the request header compliance (0-1 compliance score).
[0078] S116 normalizes structured data, tool characteristics, target service type, average access interval and peak period, and request header compliance.
[0079] Specifically, the feature type conversion system is activated to convert Boolean features (tool exists = 1 / does not exist = 0) and enumerated features (financial services = 1.0 / cross-border e-commerce = 0.8) into quantized values; the Min-Max normalization system is run to map time-series features such as request frequency and access interval to the [0,1] range (e.g., 50 times / 10 minutes → quantized value 0.5); and the outlier correction system is triggered to quantize extreme values that exceed the reasonable range (e.g., >1000 times / 10 minutes) according to the upper limit threshold (1.0).
[0080] S117: Assemble the normalized features in a preset order to generate an initial multidimensional risk control feature vector.
[0081] Specifically, the configuration is done through a feature-based configuration system (which supports remote adjustment via Orch), and the components are assembled in a preset order (request frequency → average interval → tool identifier → compliance score → service type → time period compliance).
[0082] Start the automated vector assembly system to generate multidimensional risk control feature vectors (e.g., [0.5, 0.47, 1, 0.9, 0.8, 1]).
[0083] Run the vector quality verification system to verify dimensional integrity and quantization range ([0,1]).
[0084] S118, the initial multidimensional risk control feature vector is deduplicated and compressed to obtain the multidimensional risk control feature vector.
[0085] Feature deduplication and compression specifically include:
[0086] (1) Deduplication: Deploy an MD5 hash cache management system to calculate the hash value of the feature field and store it in a memory cache table (valid for 10 minutes). Duplicate hash values are discarded directly.
[0087] (2) Compression: Core features with a contribution of ≥0.1 are selected by information gain algorithm, and after PCA dimension reduction (cumulative variance contribution rate ≥90%), lossless compression is performed using LZ77 algorithm (compression ratio 3:1), and CRC32 check code is added.
[0088] S12, Based on the multi-dimensional risk control feature vector and the target risk control sensitive service type, the risk level of the tenant is initially determined;
[0089] Based on the multi-dimensional risk control feature vector, the target risk-sensitive service type, and the tenant basic information (registered industry, SLA level) pre-stored in the CPE, the local rule engine is started, and the configurable threshold rule set synchronized by Orch is loaded, as shown in Table 1. The local baseline data is called to calculate the request frequency deviation (deviation = (current window frequency - baseline frequency) / baseline frequency), and the basic level is determined according to the threshold (low ≤ 30% / medium 30%-50% / high > 50%). If the tool identifier quantification value = 1, the current risk level is automatically increased by one level (low → medium / medium → high). If the target service is financial services (quantification value = 1.0), all risk thresholds are reduced by 20% (medium risk 30% → 24%). If the access time period does not match (quantification value = 0), the threshold is relaxed by 10% (medium risk 30% → 33%). If the request header compliance score is ≤ 0.6, it is directly determined as medium risk, and subsequent dimension verification is skipped. Based on the above determination results, a preliminary low / medium / high risk level is generated.
[0090] Table 1
[0091]
[0092] Specifically, the feature vector [0.5, 0.47, 1, 0.9, 0.8, 1] → deviation 50% (medium risk) → tool identifier = 1 (upgraded to high risk) → cross-border e-commerce service (threshold unchanged) → compliance score 0.9 (passed) → final judgment of high risk.
[0093] S13, after encrypting the multidimensional risk control feature vector, the risk level and the target risk control sensitive service type, the report is sent to Orch in a triggered manner;
[0094] S13 specifically includes:
[0095] S131, AES encryption algorithm and CPE digital signature are used to encrypt the multi-dimensional risk control feature vector, the risk level and the target risk control sensitive service type to prevent tampering and forgery;
[0096] S132, when the risk level changes or the target risk control sensitive service type is switched, report immediately; when there is no change, report in batches every 1 minute.
[0097] S2, Orch-side risk control route selection;
[0098] S2 specifically includes:
[0099] S21, real-time synchronization of anti-automation rules for various risk control sensitive services, and construction of an anti-protection feature library;
[0100] Based on publicly available anti-protection rules for various risk-sensitive services, IP reputation data from third-party security platforms, and historical access failure records, the anti-protection feature database is updated in real time and stored in categories according to service type (such as Google's request frequency threshold, IP geographical restrictions for cross-border e-commerce, and device fingerprint detection rules for financial services); high-risk PoPs are marked with warnings (e.g., if a PoP has had ≥5 IPs blocked by 3 types of services in the past hour → marked as "warning status").
[0101] S22. Based on the encrypted reported data (after decryption and verification), the anti-protection feature library, and the global data pre-stored in Orch, determine the compliance score and generate a dynamic risk control label; the global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate; the dynamic risk control label includes risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk control sensitive services;
[0102] S22 specifically includes:
[0103] S221. Based on the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records, a compliance score is determined based on the risk control model. The risk control model is a model that integrates logistic regression and random forest algorithms (e.g., medium risk + good historical compliance record + lenient target service rules → compliance score of 82 points).
[0104] S222, Based on the compliance score, the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records, a dynamic risk control label is generated.
[0105] The format for generating dynamic risk control tags that integrate compliance scores, risk levels, and target service adaptation requirements is as follows:
[0106] risk=medium&compliance=82&service_type=cross_border&ip_credit=high&avoid_fingerprint=true (Requires high-reputation IP, avoids fingerprint homogenization);
[0107] As a specific implementation, an AI real-time prediction model (LSTM neural network model) is introduced on the Orch side. Based on the tenant's historical behavior and the trend of anti-protection rule changes, it predicts the access risk in the next 10 minutes and adjusts the PoP allocation strategy in advance. This further improves the accuracy of routing and is expected to reduce the blocking rate to below 3%. However, this requires Orch to have stronger computing power, and the development cost increases by 15%. It is suitable for large SD-WAN service providers.
[0108] S23, Based on the dynamic risk control tags and the real-time status of each exit node, the optimal exit node is determined through a multi-dimensional scoring model;
[0109] Establish a multi-dimensional scoring model for fit (out of 100 points), and allocate scores according to tag weights:
[0110] (1) IP reputation matching (40 points): High reputation IPs > 80% → 40 points, 50%-80% → 20 points, < 50% → 0 points;
[0111] (2) Anti-protection pass rate (30 points): The access success rate of the corresponding service type in the past 24 hours >90% → 30 points, 70%-90% → 15 points, <70% → 0 points;
[0112] (3) Load rate (20 points): Load < 50% → 20 points, 50%-80% → 10 points, > 80% → 0 points;
[0113] (4) Network latency (10 points): latency < 50ms → 10 points, 50-100ms → 5 points, > 100ms → 0 points;
[0114] Calculate the scores for each PoP: PoPX (90% high-reputation IPs + 92% pass rate + 35% load + 40ms latency → score 95 points) is the optimal PoP;
[0115] S24. Based on the information of the optimal egress node (ID, IP pool type, adaptation strategy) and the adaptation requirements of the dynamic risk control tag, a scheduling instruction is generated and sent to the CPE device and the optimal egress node; the scheduling instruction includes: forwarding target, IP pool type and feature adaptation requirements;
[0116] Generate standardized scheduling instructions, with explicit requirements: forward_to=PoP X&ip_pool=high_credit&fingerprint_differentiation=true&monitor_interval=30s (forward to PoP X, use high-credit IP pool, enable fingerprint differentiation, and monitor status every 30 seconds);
[0117] Synchronize instructions to the optimal PoP and reserve suitable IP resources and feature configurations in advance;
[0118] S3, PoP-side adaptation and feedback;
[0119] S3 specifically includes:
[0120] S31, allocate high-reputation IPs according to the scheduling instructions and generate differentiated request characteristics;
[0121] Assign high-reputation IPs (such as regional IPs suitable for cross-border e-commerce services) according to instructions.
[0122] If the instruction requires "fingerprint differentiation", then a unique request feature will be generated (based on tenant ID hash + IP region, ensuring that the similarity of features among different tenants under the same PoP is <50%).
[0123] S32, bind the high-reputation IP with the differentiated request characteristics, and forward it to the target risk control sensitive service;
[0124] Assemble requests that comply with anti-protection rules (replace IP, supplement differential characteristics, adjust request intervals); forward them to the target risk-sensitive service according to scheduling instructions; and send the adapted requests to the target service.
[0125] S33, feed back the access results (normal response / block / verification code and anti-protection status code) of the target risk-sensitive service and the real-time status of the egress node (current load and IP status) to the Orch.
[0126] If a ban occurs, the corresponding high-reputation IP will be immediately marked as temporarily disabled (24 hours), and Orch will be triggered to re-perform risk control routing.
[0127] As a specific implementation, after deploying a local risk control engine on the PoP side to receive dynamic risk control tags from Orch, the local IP and feature configurations are adjusted in real time without relying on secondary scheduling by Orch. This reduces cross-node communication latency and improves access response speed by 20%, but increases the hardware cost of the PoP node by 10%. This approach is suitable for latency-sensitive risk control services (such as high-frequency trading platforms).
[0128] The validity of this application is verified through specific embodiments below:
[0129] Foreign trade tenant "T001" accessed a cross-border e-commerce platform (a risk-sensitive service) via SD-WAN and suddenly used automated tools to query product information in batches (50 requests in 10 minutes).
[0130] Execution on the CPE side:
[0131] Extract risk control feature vector: [Frequency=50, Interval=2.8, Tool Identifier=1, Request Header Compliance=0.9, Service Type=Cross-border E-commerce]; initially determined to be "medium risk", and reported to Orch with encryption.
[0132] Orch-side execution:
[0133] Synchronize with the anti-protection rules of the cross-border e-commerce platform (allow reasonable high-frequency queries, prohibit the same fingerprint + high frequency); calculate a compliance score of 82, and generate the tag risk=medium&compliance=82&service_type=cross_border&ip_credit=high&avoid_fingerprint=true; calculate the PoP suitability: PoPX score of 95 (high-reputation IP + 92% pass rate), determined as the optimal PoP; issue instructions: forward to PoP X, use high-reputation IP, enable fingerprint differentiation.
[0134] Execution on the PoP side:
[0135] Assign a high-reputation US IP address (2.3.4.5) suitable for cross-border e-commerce; generate differentiated characteristics (UA = Chrome 124 + en-US language); after binding, forward the request, and the cross-border e-commerce platform returns a normal response.
[0136] Tenant access success rate increased from 55% with existing technology to 93%, and PoPX's IP blocking rate decreased from 40% to below 5%.
[0137] Technical effects:
[0138] (1) Wide adaptability: It covers various risk control sensitive services such as Google, cross-border e-commerce, and financial services, without the need for customization for a single service;
[0139] (2) The false judgment rate has been significantly reduced: Through the risk control routing closed loop, the IP blocking rate of various risk control sensitive services has been reduced from 40%+ to below 5%, and the CAPTCHA trigger rate has been reduced from 30% to 8%;
[0140] (3) Improved resource utilization: PoP risk control adaptation increases IP resource utilization from 50% to 85%, and reduces the usage of high-cost, high-reputation IPs by 60%.
[0141] (4) Reduced operating costs: IP procurement costs decreased by 30%, and the after-sales complaint rate (due to access failures) decreased by 80%;
[0142] (5) Value-added service capabilities: Differentiated packages can be launched based on compliance scores and risk control labels (such as priority routing rights for highly compliant tenants), which is expected to increase revenue by 20%;
[0143] (6) Improved customer stickiness: The success rate of accessing various risk-sensitive services remained stable at 90%+, and the tenant retention rate increased by 35%.
[0144] Based on the same inventive concept, this application also provides an SD-WAN risk control routing adaptation device for implementing the SD-WAN risk control routing adaptation method described above. The solution provided by this device is similar to the implementation described in the above method. Therefore, the specific limitations of one or more SD-WAN risk control routing adaptation device embodiments provided below can be found in the limitations of the SD-WAN risk control routing adaptation method described above, and will not be repeated here.
[0145] In one exemplary embodiment, such as Figure 2 As shown, an SD-WAN risk control routing adapter device is provided, including: a CPE-side risk control detection system, an Orch-side risk control routing system, and a PoP-side risk control adapter system;
[0146] The CPE-side risk control and detection system specifically includes:
[0147] The risk control feature extraction module is used to extract multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk control sensitive services and associate them with the target risk control sensitive service type; the raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool features, access frequency, target service type, and request content summary;
[0148] The behavioral risk classification module is used to initially determine the risk level of a tenant based on the multidimensional risk control feature vector and the target risk control sensitive service type.
[0149] The encrypted reporting module is used to encrypt the multidimensional risk control feature vector, the risk level, and the target risk control sensitive service type and then report them to Orch in a triggered manner.
[0150] The Orch-side risk control and routing system specifically includes:
[0151] The anti-protection feature synchronization module is used to synchronize the anti-automation rules of various risk control sensitive services in real time and build an anti-protection feature library.
[0152] The risk control model calculation module is used to determine the compliance score and generate dynamic risk control tags based on the encrypted reported data, the anti-protection feature library, and the global data pre-stored in Orch. The global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate. The dynamic risk control tags include risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk control sensitive services.
[0153] The PoP risk control adaptability calculation module is used to determine the optimal exit node based on the dynamic risk control label and the real-time status of each exit node through a multi-dimensional scoring model.
[0154] The scheduling instruction generation module is used to generate scheduling instructions and send them to the CPE device and the optimal exit node based on the information of the optimal exit node and the adaptation requirements of the dynamic risk control label. The scheduling instructions include: forwarding target, IP pool type and feature adaptation requirements.
[0155] The PoP-side risk control adaptation system specifically includes:
[0156] The IP reputation management module allocates high-reputation IPs according to the scheduling instructions and generates differentiated request characteristics;
[0157] The tenant-IP-feature binding module is used to bind the high-reputation IP with the differentiated request features and forward it to the target risk control sensitive service;
[0158] The status feedback module is used to feed back the access results of the target risk control sensitive service and the real-time status of the exit node to the Orch.
[0159] In one exemplary embodiment, a computer device is provided, which may be a server or a terminal. The computer device includes a processor, memory, input / output interfaces (I / O), and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is connected to the system bus via the I / O interfaces. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes non-volatile storage media and internal memory. The non-volatile storage media stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The I / O interfaces of the computer device are used for exchanging information between the processor and external devices. The communication interface of the computer device is used for communication with external terminals via a network connection. When the computer program is executed by the processor, it implements an SD-WAN risk control routing adaptation method.
[0160] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above-described method embodiments.
[0161] In one exemplary embodiment, a computer-readable storage medium is provided storing a computer program that, when executed by a processor, implements the steps in the above-described method embodiments.
[0162] In one exemplary embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above-described method embodiments.
[0163] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0164] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium. When executed, the computer program can include the processes of the embodiments described above. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM).
[0165] The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0166] In this application, all actions to acquire signals, information, or data are carried out in compliance with the relevant data protection laws and policies of the country where the location is situated, and with the authorization granted by the owner of the relevant device.
[0167] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0168] This document uses specific examples to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the methods and core ideas of this application. Furthermore, those skilled in the art will recognize that, based on the ideas of this application, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. An SD-WAN risk control routing adaptation method, characterized in that, The SD-WAN risk control routing adaptation method includes: CPE-side risk control detection and reporting, Orch-side risk control routing, and PoP-side adaptation and feedback. The CPE-side risk control detection and reporting specifically includes: Multidimensional risk control feature vectors are extracted from the raw traffic of tenants accessing risk-sensitive services and associated with the target risk-sensitive service type; the raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool features, access frequency, target service type, and request content summary; Based on the multidimensional risk control feature vector and the target risk control sensitive service type, the tenant's risk level is initially determined; The multidimensional risk control feature vector, the risk level, and the target risk control sensitive service type are encrypted and then reported to Orch in a triggered manner. The Orch-side risk control routing specifically includes: Real-time synchronization of anti-automation rules for various risk control-sensitive services to build an anti-protection feature database; Based on the encrypted reported data, the anti-protection feature library, and the global data pre-stored in Orch, a compliance score is determined and a dynamic risk control label is generated. The global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate. The dynamic risk control label includes risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk-sensitive services. Based on the dynamic risk control tags and the real-time status of each exit node, the optimal exit node is determined through a multi-dimensional scoring model. Based on the information of the optimal exit node and the adaptation requirements of the dynamic risk control tag, a scheduling instruction is generated and sent to the CPE device and the optimal exit node; the scheduling instruction includes: forwarding target, IP pool type and feature adaptation requirements; The PoP-side adaptation and feedback specifically include: High-reputation IPs are allocated according to the scheduling instructions, and differentiated request characteristics are generated; The high-reputation IP is bound to the differentiated request characteristics and forwarded to the target risk-sensitive service; The access results of the target risk control sensitive services and the real-time status of the exit node are fed back to Orch.
2. The SD-WAN risk control routing adaptation method according to claim 1, characterized in that, The process of extracting multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk-sensitive services and associating them with the target risk-sensitive service type specifically includes: Based on the packet structure of the original traffic, structured data is extracted; the structured data includes: request headers, timestamps, and target URLs; Tool features for matching raw traffic using regular expressions; Use a trie to identify the type of target service; Use a sliding window to determine the average access interval and peak periods; Verify the completeness and format compliance of the fields in the HTTP / HTTPS request header to determine the compliance of the request header; Normalize structured data, tool characteristics, target service type, average access interval and peak period, and request header compliance. The normalized features are assembled in a preset order to generate an initial multidimensional risk control feature vector. The initial multidimensional risk control feature vector is deduplicated and compressed to obtain the multidimensional risk control feature vector.
3. The SD-WAN risk control routing adaptation method according to claim 1, characterized in that, The step of encrypting the multi-dimensional risk control feature vector, the risk level, and the target risk control sensitive service type and then triggering the reporting to Orch specifically includes: The multi-dimensional risk control feature vector, the risk level, and the target risk control sensitive service type are encrypted using the AES encryption algorithm and CPE digital signature. Report immediately when the risk level changes or the target risk control sensitive service type is switched.
4. The SD-WAN risk control routing adaptation method according to claim 1, characterized in that, The process of determining a compliance score and generating a dynamic risk control label based on the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records specifically includes: Based on the encrypted reported data, the anti-protection feature library, and the tenant's historical compliance records, a compliance score is determined based on the risk control model; the risk control model is a model that integrates logistic regression and random forest algorithms. Dynamic risk control tags are generated based on compliance scores, encrypted reported data, the anti-protection feature library, and tenant historical compliance records.
5. The SD-WAN risk control routing adaptation method according to claim 1, characterized in that, The multi-dimensional scoring model is used to determine the score of the egress node based on the score of IP reputation matching, the score of anti-protection pass rate, the score of load rate, and the score of network latency.
6. The SD-WAN risk control routing adaptation method according to claim 1, characterized in that, The step of feeding back the access results of the target risk-sensitive service and the real-time status of the exit node to the Orch specifically includes: If a ban occurs, immediately mark the corresponding high-reputation IP as temporarily disabled and trigger Orch to re-perform risk control routing.
7. An SD-WAN risk control and routing adaptation device, characterized in that, The SD-WAN risk control and routing adaptation equipment includes: a CPE-side risk control detection system, an Orch-side risk control and routing system, and a PoP-side risk control adaptation system. The CPE-side risk control and detection system specifically includes: The risk control feature extraction module is used to extract multi-dimensional risk control feature vectors from the raw traffic of tenants accessing risk control sensitive services and associate them with the target risk control sensitive service type; the raw traffic includes: HTTP / HTTPS request headers, request timestamps, tool features, access frequency, target service type, and request content summary; The behavioral risk classification module is used to initially determine the risk level of a tenant based on the multidimensional risk control feature vector and the target risk control sensitive service type. The encrypted reporting module is used to encrypt the multidimensional risk control feature vector, the risk level, and the target risk control sensitive service type and then report them to Orch in a triggered manner. The Orch-side risk control and routing system specifically includes: The anti-protection feature synchronization module is used to synchronize the anti-automation rules of various risk control sensitive services in real time and build an anti-protection feature library. The risk control model calculation module is used to determine the compliance score and generate dynamic risk control tags based on the encrypted reported data, the anti-protection feature library, and the global data pre-stored in Orch. The global data pre-stored in Orch includes: tenant historical compliance records and PoP adaptation success rate. The dynamic risk control tags include risk level, compliance score, service type, IP reputation requirements of third-party security platforms, feature adaptation requirements, and anti-protection rules adapted to various risk control sensitive services. The PoP risk control adaptability calculation module is used to determine the optimal exit node based on the dynamic risk control tags and the real-time status of each exit node through a multi-dimensional scoring model. The scheduling instruction generation module is used to generate scheduling instructions and send them to the CPE device and the optimal exit node based on the information of the optimal exit node and the adaptation requirements of the dynamic risk control label. The scheduling instructions include: forwarding target, IP pool type and feature adaptation requirements. The PoP-side risk control adaptation system specifically includes: The IP reputation management module allocates high-reputation IPs according to the scheduling instructions and generates differentiated request characteristics; The tenant-IP-feature binding module is used to bind the high-reputation IP with the differentiated request features and forward it to the target risk control sensitive service; The status feedback module is used to feed back the access results of the target risk control sensitive service and the real-time status of the exit node to the Orch.
8. A computer device, comprising: A memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor executes the computer program to implement the SD-WAN risk control routing adaptation method according to any one of claims 1-6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the SD-WAN risk control routing adaptation method as described in any one of claims 1-6.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by the processor, it implements the SD-WAN risk control routing adaptation method as described in any one of claims 1-6.