Data access method and device, storage medium and electronic equipment
By acquiring raw message data and utilizing protocol fingerprinting models and Bayesian inference algorithms, non-standard ports and private protocols are identified and accessed, solving the problem of insufficient support for non-standard protocols in existing technologies and achieving efficient data access in complex network environments.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING BOTONG CHUANGXIN TECH CO LTD
- Filing Date
- 2026-03-30
- Publication Date
- 2026-06-09
AI Technical Summary
Existing data access methods have limited support for non-standard and proprietary protocols, making it difficult to meet access needs in diverse scenarios. In particular, in dynamic Internet protocol environments, connection failures are easily caused by human configuration errors.
By acquiring raw message data, a pre-built protocol fingerprinting model is used to identify the protocol type of the target data source based on a Bayesian inference algorithm. Combined with active probing and dynamic probability update mechanisms, non-standard ports and private protocols are identified and accessed.
It enables rapid and accurate identification and access to target data sources in complex network environments, improves adaptability to private protocols and non-standard deployment environments, and meets access needs in diverse data integration, disaster recovery replication, and security audit scenarios.
Smart Images

Figure CN122179348A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer network technology, and more specifically to a data access method, a data access device, a machine-readable storage medium, and an electronic device. Background Technology
[0002] As enterprises continue to deepen their digital transformation, data source types are becoming increasingly diversified. Currently, data integration involves not only traditional relational databases such as Oracle Database, MySQL, and Microsoft SQL Server, but also non-relational databases like MongoDB and Redis, big data components such as Hive and Kafka, and numerous legacy systems using proprietary protocols. Against this backdrop, how to efficiently and securely access various heterogeneous data sources has become a critical issue that urgently needs to be addressed in data integration, disaster recovery replication, and security auditing applications.
[0003] Traditional data source access methods rely on manual verification of protocol type, Internet Protocol Address (IP address), port number, and authentication parameters. In large-scale clusters or dynamic Internet Protocol (IP) environments, this method is not only costly to maintain but also highly susceptible to connection failures due to human configuration errors. Existing tools are mostly based on static rule bases (such as default port matching). Once the target system uses a non-standard port (e.g., Oracle running on a port other than 1521) or undergoes NAT translation, the static rules become invalid, leading to access interruption.
[0004] In summary, existing data access methods have limited support for non-standard and proprietary protocols, making it difficult to meet access needs in diverse scenarios. Summary of the Invention
[0005] The purpose of this invention is to provide a data access method, a data access device, a machine-readable storage medium, and an electronic device. This method can effectively identify private protocols running on non-standard ports, those that have undergone network address translation, or even those that have been partially obfuscated or modified. It overcomes the limitation of traditional static rule bases, which can only identify standard ports and public protocols, and significantly improves adaptability to private protocols and non-standard deployment environments.
[0006] To achieve the above objectives, the first aspect of this application provides a data access method, comprising: Obtain raw message data, which is the message data during the handshake phase between the business end and the target data source; Based on the original message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. Based on the initial confidence probability of each candidate protocol, determine whether the protocol type corresponding to the target data source is a candidate protocol; If the protocol type corresponding to the target data source is determined to be a non-candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, the probe results are obtained, and the predicted protocol type is determined based on the probe results and the initial confidence probability of each candidate protocol. Based on the prediction protocol type, access the target data source.
[0007] In this embodiment of the application, the step of identifying the protocol type corresponding to the target data source based on the original message data using a preset protocol fingerprinting model to obtain the initial confidence probability of each candidate protocol includes: Based on the original message data, the feature vector is determined; Based on the feature vector, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. The pre-set protocol fingerprinting model is constructed based on the Bayesian inference algorithm.
[0008] In this embodiment of the application, determining the feature vector based on the original message data includes: Multiple bytes are extracted from the original message data to obtain an analysis sample; The probability distribution of each byte in the analyzed sample is calculated; Based on the probability distribution of each byte in the analysis sample, the Shannon entropy value of the analysis sample is calculated to obtain the feature vector, wherein different Shannon entropy values have corresponding standard protocols.
[0009] In this embodiment of the application, determining whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol includes: Based on the initial confidence probability of each candidate protocol, the maximum confidence probability value is obtained; Determine whether the maximum confidence probability value is lower than a preset confidence threshold; If the maximum confidence probability value is determined to be lower than the preset confidence threshold, the protocol type corresponding to the target data source is determined to be a non-candidate protocol.
[0010] In this embodiment of the application, the step of detecting the protocol type of the target data source with the goal of identifying the protocol type and obtaining the detection result includes: With the goal of identifying protocol types, corresponding probe packets are constructed based on the feature codes of each candidate protocol, and the probe packets are sent to the target data source. Obtain the response packets corresponding to each probe packet to get the probe results.
[0011] In this embodiment of the application, determining the predicted protocol type based on the detection results and the initial confidence probabilities of each candidate protocol includes: Based on the initial confidence probability of the response packet and candidate protocol corresponding to each probe packet, update the confidence probability of the candidate protocol corresponding to each probe packet; Based on the confidence probability of each candidate protocol, the predicted protocol type is determined.
[0012] In this embodiment of the application, updating the confidence probability of the candidate protocol corresponding to each probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to each probe packet includes: A1: Update the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to the probe packet; A2: Determine whether the confidence probability of each candidate protocol meets the preset convergence condition, wherein the preset convergence condition is that there is only one confidence probability among the candidate protocols that meets the preset threshold. A3: If it is determined that the confidence probability of each candidate protocol does not meet the preset convergence condition, select the next probe packet and jump to execute A1 until the confidence probability of each candidate protocol meets the preset convergence condition.
[0013] In this embodiment of the application, updating the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet corresponding to the probe packet and the candidate protocol includes: The likelihood value is calculated based on the response packet corresponding to the probe packet and the preset likelihood function; Based on the likelihood value and the initial confidence probability of the candidate protocol corresponding to the probe packet, the posterior confidence probability of the candidate protocol corresponding to the probe packet is calculated to update the confidence probability of the candidate protocol corresponding to the probe packet.
[0014] In this embodiment of the application, determining the predicted protocol type based on the confidence probability of each candidate protocol includes: Among the candidate protocols, the candidate protocols whose confidence probability satisfies the preset threshold are determined to obtain the target protocol; Based on the probe packets corresponding to the target protocol, the predicted protocol type is determined.
[0015] In this embodiment of the application, accessing the target data source based on the prediction protocol type includes: Based on the predicted protocol type, construct the access channel and access parameters; Based on the access channel and the access parameters, access the target data source.
[0016] In this embodiment of the application, access parameters are constructed based on the predicted protocol type, including: Get the set of open ports; Based on the predicted protocol type, candidate ports are determined from the set of open ports; Based on the preset variable parameters and the candidate ports, multiple sets of parameter combinations are generated; Based on the combination of the multiple sets of parameters, multiple access instructions are generated and the multiple access instructions are sent to the target data source; Obtain the access response data corresponding to each access command; Based on the access response data corresponding to each access command, the access parameters are determined from the multiple sets of parameter combinations.
[0017] A second aspect of this application provides a data access device, comprising: The acquisition module is used to acquire raw message data, which is the message data during the handshake phase between the business end and the target data source; The prediction module is used to identify the protocol type corresponding to the target data source based on the original message data using a preset protocol fingerprinting model, and obtain the initial confidence probability of each candidate protocol. The judgment module is used to determine whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol; The determination module is used to detect the protocol type of the target data source when it is determined that the protocol type corresponding to the target data source is a non-candidate protocol, with the goal of identifying the protocol type, to obtain the detection result, and to determine the predicted protocol type based on the detection result and the initial confidence probability of each candidate protocol. The access module is used to access the target data source based on the prediction protocol type.
[0018] A third aspect of this application provides an electronic device, the electronic device comprising: At least one processor; A memory connected to the at least one processor; The memory stores instructions that can be executed by the at least one processor, and the at least one processor implements the above-described data access method by executing the instructions stored in the memory.
[0019] A fourth aspect of this application provides a machine-readable storage medium storing instructions that, when executed by a processor, configure the processor to perform the aforementioned data access method.
[0020] The above technical solution involves acquiring raw message data, specifically the message data from the handshake phase between the service end and the target data source. Based on this raw message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, obtaining the initial confidence probability of each candidate protocol. Based on the initial confidence probabilities of each candidate protocol, it is determined whether the protocol type corresponding to the target data source is a candidate protocol. If the protocol type corresponding to the target data source is determined to be a non-candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, obtaining the probe results. Based on the probe results and the initial confidence probabilities of each candidate protocol, a predicted protocol type is determined. Based on the predicted protocol type, the target data source is accessed. The protocol fingerprinting model enables a rapid and accurate preliminary judgment of the communication protocol of the target data source, especially when the target runs a standard protocol and is configured correctly, efficiently completing protocol matching and access preparation. For targets not falling within the scope of pre-defined candidate protocols or operating in complex environments, this solution effectively identifies private protocols running on non-standard ports, those undergoing network address translation, or even partial obfuscation or modification by probing the protocol type of the target data source. This mechanism overcomes the limitations of traditional static rule bases, which can only identify standard ports and public protocols, significantly improving adaptability to private protocols and non-standard deployment environments. Based on this, this solution is widely applicable to various complex real-world production environments, including legacy system access, cross-network domain data synchronization, and protocol penetration in security isolation scenarios. It fully meets the access needs of diverse data integration, disaster recovery replication, and security auditing scenarios, demonstrating excellent universality and scalability.
[0021] Other features and advantages of the embodiments of the present invention will be described in detail in the following detailed description section. Attached Figure Description
[0022] The accompanying drawings are provided to further illustrate embodiments of the present invention and form part of the specification. They are used together with the following detailed description to explain the embodiments of the present invention, but do not constitute a limitation thereof. In the drawings: Figure 1 The illustration shows a flowchart of a data access method according to an embodiment of this application; Figure 2 This illustration schematically shows an overall process diagram according to an embodiment of the present application; Figure 3 This illustration schematically shows a protocol fingerprint inference logic diagram based on multi-dimensional feature vectors (including entropy calculation) and active probes according to an embodiment of this application; Figure 4 A flowchart illustrating the parameter space dynamic optimization and optimal parameter selection algorithm according to an embodiment of this application is shown. Figure 5 This illustration schematically shows the architecture and byte stream semantic mapping principle of a memory-level virtualization protocol proxy container according to an embodiment of this application; Figure 6 The schematic diagram illustrates a structural schematic of a data access device according to an embodiment of this application; Figure 7 The diagram illustrates the internal structure of a computer device according to an embodiment of this application.
[0023] Explanation of reference numerals in the attached figures 410 - Acquisition module; 420 - Prediction module; 430 - Judgment module; 440 - Determination module; 450 - Access module; A01 - Processor; A02 - Network interface; A03 - Internal memory; A04 - Display screen; A05 - Input device; A06 - Non-volatile storage medium; B01 - Operating system; B02 - Computer program. Detailed Implementation
[0024] The specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for illustration and explanation only and are not intended to limit the scope of the present invention.
[0025] It should be noted that the acquisition, transmission, storage, use, and processing of data in the technical solution of this application all comply with relevant laws and regulations. In the embodiments of this application, certain existing industry solutions such as software, components, and models may be mentioned. These should be considered exemplary, intended only to illustrate the feasibility of implementing the technical solution of this application, and do not imply that the applicant has already used or necessarily used such solutions.
[0026] It should be noted that if the embodiments of this application involve directional indicators (such as up, down, left, right, front, back, etc.), the directional indicators are only used to explain the relative positional relationship and movement of each component in a certain specific posture (as shown in the figure). If the specific posture changes, the directional indicators will also change accordingly.
[0027] Furthermore, if the embodiments of this application involve descriptions such as "first" or "second," these descriptions are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated. Therefore, features defined with "first" or "second" may explicitly or implicitly include at least one of those features. Additionally, the technical solutions of various embodiments can be combined with each other, but this must be based on the ability of those skilled in the art to implement them. If the combination of technical solutions is contradictory or impossible to implement, it should be considered that such a combination of technical solutions does not exist and is not within the scope of protection claimed in this application.
[0028] Please refer to Figure 1 and Figure 2 , Figure 1 The illustration shows a flowchart of a data access method according to an embodiment of this application; Figure 2 The schematic diagram illustrates the overall process according to an embodiment of this application. This embodiment provides a data access method, including the following steps: Step 210: Obtain the original message data, which is the message data during the handshake phase between the business end and the target data source; In this embodiment, after obtaining the access entry information of the target data source, a lightweight network scan is first performed to detect live hosts and their open port sets in the network, thereby accurately locating available communication endpoints. Based on this, the raw message data exchanged between the service end and the target data source during the handshake phase (i.e., the initial interaction phase) is further captured. This raw message data typically contains key information such as protocol feature fields, authentication negotiation information, or connection parameters, which can accurately reflect the protocol type and communication behavior of the target system, providing a reliable data foundation for subsequent protocol feature extraction, dynamic adaptation, and connection establishment. The aforementioned access entry information refers to the basic network positioning parameters required to establish a connection with the target data source, including IP address and domain name.
[0029] Step 220: Based on the original message data, a preset protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. In this embodiment, after acquiring the original message data, a pre-built protocol fingerprinting model can be used to intelligently predict the protocol type used by the data source. This model can be a pre-trained model obtained through offline training. Its core algorithm is based on Bayesian inference principles, capable of calculating the initial confidence probability of each candidate protocol type by statistically analyzing the protocol features (such as specific fields, byte sequences, message formats, etc.) carried in the message data. Specifically, the model can be a pre-stored feature fingerprint database of various standard and proprietary protocols. During actual identification, the current message features are compared with the fingerprint database, and the posterior probability of each protocol is updated according to the Bayesian formula, thereby outputting the prediction result of the protocol type with the highest confidence. This probabilistic identification mechanism can effectively handle the protocol ambiguity problem in non-standard ports and dynamic environments, and can also provide a reliable decision basis for dynamically adapted connections.
[0030] Please refer to Figure 3 , Figure 3 The diagram illustrates a protocol fingerprint inference logic based on multidimensional feature vectors (including entropy calculation) and active probes according to an embodiment of this application.
[0031] In some embodiments, the step of identifying the protocol type corresponding to the target data source using a pre-set protocol fingerprinting model based on the original message data to obtain the initial confidence probability of each candidate protocol includes: First, based on the original message data, the feature vector is determined; In this embodiment, multi-dimensional feature vectors can be extracted from the original message data to characterize the protocol behavior features of the target data source. Specifically, the extracted features include: Port activity can be based on capturing network packets and continuously monitoring the data stream of a target port. It can count the number of data packets received and sent by the port, the number of connection attempts, and the duration of connection maintenance within a preset time window. This can reflect the communication frequency and connection stability of the target port within a unit of time, and help determine the service type and operating status. The byte sequence characteristics of TCP handshake packets can be used by the protocol parsing module to extract the raw byte payload from the three-way handshake packets of a TCP connection. The focus is on the value distribution and byte order of specific fields (such as window size, option fields, sequence number, etc.) during the handshake phase, forming a fixed-length sequence vector to reveal the unique identifier of the underlying protocol stack. Based on the randomness of the payload calculated by Shannon entropy, the byte frequency of the payload part of the application layer protocol data unit can be statistically analyzed, the probability of each byte appearing can be calculated, and the randomness measure of the payload can be obtained according to the Shannon entropy formula, thereby distinguishing between structured protocols (such as database protocols) and randomized data (such as encrypted traffic). First packet response timing jitter is recorded using a high-precision timestamp to record the time interval between sending a request data packet and receiving the first response data packet. Multiple times are continuously collected to calculate the mean, variance, and standard deviation to reflect the processing logic and network latency characteristics of the target system.
[0032] In some embodiments, determining the feature vector based on the original message data includes: The first step is to extract multiple bytes from the original message data to obtain an analysis sample; In this embodiment, the first N bytes (e.g., N=256) of the target port handshake phase can be extracted from the original message data as an analysis sample. The analysis sample can be represented as S = {b1, b2, ..., bN}.
[0033] The second step is to calculate the probability distribution of each byte in the analyzed sample; In this embodiment, the frequency n_k of each byte k (k ∈ {0, 1, …, 255}) in the sample is first counted, and its probability distribution P(k) is calculated: P(k) = n_k / N.
[0034] The third step is to calculate the Shannon entropy value of the analysis sample based on the probability distribution of each byte in the analysis sample, and obtain the feature vector. Different Shannon entropy values have corresponding standard protocols.
[0035] In this embodiment, the Shannon entropy value H(S) of each target port in the analysis sample can be calculated using the following formula: H(S) = -Σ [P(k) · log2(P(k)] (k is summed from 0 to 255) (this term is defined as 0 when P(k) = 0). For example, in the above example, the system calculates that the H(S) of the initial packet of port 20088 is 6.85 bits. If H(S) < 4.5: it is usually a text protocol (such as HTTP), with a concentrated character distribution. If 4.5 ≤ H(S) < 7.0: it is usually a structured binary protocol (such as Oracle TNS). If H(S) ≥ 7.0: it is usually a strongly encrypted or compressed stream. Since 6.85 falls in the medium-high energy range, the system initially judges that the port is running a binary database protocol rather than a normal web service, thus excluding HTTP / HTTPS options and narrowing the identification range.
[0036] It should be noted that, to further eliminate local fluctuations, the normalized entropy value H_norm of the sliding window can also be calculated as a component of the final feature vector: H_norm = (1 / W) · Σ [H(S_j) / 8.0] (j is summed from 1 to W), where W is the number of sliding windows and 8.0 is the theoretical maximum entropy value of 8 bits. This value can be used as a feature vector input into subsequent models.
[0037] By calculating the randomness of the payload based on Shannon entropy, the degree of disorder in the byte distribution of the message payload can be quantified by information entropy, thereby distinguishing between structured protocols (such as database protocols) and randomized data (such as encrypted traffic).
[0038] Then, based on the feature vector, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. The pre-set protocol fingerprinting model is constructed based on the Bayesian inference algorithm.
[0039] In this embodiment, by inputting the aforementioned feature vectors into a preset protocol fingerprinting model, the initial confidence probability of each candidate protocol can be accurately obtained.
[0040] Step 230: Based on the initial confidence probability of each candidate protocol, determine whether the protocol type corresponding to the target data source is a candidate protocol; In this embodiment, the above judgment can be made by setting a confidence threshold according to actual needs, and by comparing the initial confidence probability of each candidate protocol with the confidence threshold to determine whether it is a candidate protocol.
[0041] In some embodiments, to quickly determine whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol, the following steps are included: First, based on the initial confidence probability of each candidate protocol, the maximum confidence probability value is obtained; Then, it is determined whether the maximum confidence probability value is lower than a preset confidence threshold; Then, if the maximum confidence probability value is determined to be lower than the preset confidence threshold, the protocol type corresponding to the target data source is determined to be a non-candidate protocol. Then, if the maximum confidence probability value is not lower than the preset confidence threshold, the protocol type corresponding to the target data source is determined as a candidate protocol.
[0042] In this embodiment, the maximum value can be selected from the initial confidence probabilities of each candidate protocol, thus obtaining the maximum confidence probability value. Then, this maximum value is compared with a preset confidence threshold. If the maximum value is lower than the preset confidence threshold, it is considered a non-candidate protocol; otherwise, it is considered a candidate protocol.
[0043] If the protocol type corresponding to the target data source is determined to be a candidate protocol, the predicted protocol type is determined based on the initial confidence probability of each candidate protocol. In this embodiment, if the protocol type corresponding to the target data source is determined to be a candidate protocol, the candidate protocol with the highest initial confidence probability among all candidate protocols can be used as the predicted protocol type.
[0044] Step 240: If the protocol type corresponding to the target data source is determined to be a non-candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, the probe results are obtained, and the predicted protocol type is determined based on the probe results and the initial confidence probability of each candidate protocol. In this embodiment, if the protocol type corresponding to the target data source is a non-candidate protocol, an active probe sequence mechanism can be further triggered. This mechanism can induce a response from the target data source in a non-intrusive manner by sending a set of carefully arranged instruction packets with a clear sequence and specific probing intent. Based on the content, format, timing characteristics, and protocol behavior patterns of the response, the true protocol type is gradually inferred. This process is similar to "protocol fingerprinting" of unknown communication entities, which can effectively identify private protocols, services on non-standard ports, obfuscated traffic, or back-to-back connections that have undergone protocol conversion, thereby providing accurate basic information for subsequent connection adaptation, data parsing, or security analysis.
[0045] In some embodiments, the step of probing the protocol type of the target data source with the goal of identifying the protocol type and obtaining the probing results includes: First, with the goal of identifying the protocol type, corresponding probe packets are constructed based on the feature codes of each candidate protocol, and the probe packets are sent to the target data source. Then, the response packets corresponding to each probe packet are obtained to get the probe results.
[0046] In this embodiment, for each candidate protocol, a probe data packet containing the protocol's unique feature code can be constructed according to its protocol specifications (such as specific command words in the handshake request, fixed magic number in the protocol header, feature fields in the authentication interaction, etc.). By aggregating probe packets designed for all candidate protocols, a probe packet set covering the feature codes of multiple standard protocols is formed. During probe implementation, probe packets are injected into the target port one by one according to a preset strategy (such as concurrent sending), and a response monitoring time window is opened after sending to capture various response information fed back by the target system, thus obtaining the probe results. The monitored indicators include: return codes (such as response flags in the TCP / IP protocol, error codes or acknowledgment codes defined by the application layer protocol), and the degree of matching between the return codes and expected values is used to determine protocol compatibility; connection reset behavior (such as the phenomenon of the target port actively sending an RST packet to close the connection), which usually indicates that the probe packet is incompatible with the target protocol and can quickly eliminate candidate protocols; and data packet length distribution (i.e., the length range and fluctuation of the target response packet), as different protocols often have unique patterns in the response length to specific requests, which can help distinguish protocol types. By comprehensively analyzing the above multi-dimensional response characteristics, the range of candidate protocols can be effectively narrowed down, and the actual protocol and version running on the target port can be determined, providing a reliable basis for subsequent dynamic connection adaptation.
[0047] In some embodiments, determining the predicted protocol type based on the detection results and the initial confidence probabilities of each candidate protocol includes: First, based on the initial confidence probability of the response packet and candidate protocol corresponding to each probe packet, the confidence probability of the candidate protocol corresponding to each probe packet is updated. Then, based on the confidence probability of each candidate protocol, the predicted protocol type is determined.
[0048] In this embodiment, during the active probing process, Bayes' theorem can be used to dynamically update the confidence levels of candidate protocols, achieving gradual convergence and accurate identification of protocol types. Specifically, the initial confidence probability of a candidate protocol can be used as a prior probability. After sending a probe packet designed for a specific candidate protocol and receiving a response from the target port, the likelihood of each candidate protocol appearing under the current response characteristics is calculated based on the features presented by the response (such as the degree of return code matching, whether a connection reset is triggered, and the data packet length distribution). Subsequently, based on Bayes' theorem, the prior probability and likelihood are combined to calculate the updated posterior probability, i.e., the new confidence level of each candidate protocol. As multiple probe packets are sent sequentially and corresponding response features are continuously added, the confidence level of each candidate protocol will be continuously adjusted according to the actual response feedback: the confidence level of candidate protocols with high matching degree with response features gradually increases, while the confidence level of candidate protocols with low matching degree or no matching degree gradually decreases. After multiple rounds of probing and updating, the confidence levels of each candidate protocol will gradually converge until the confidence level of a certain candidate protocol exceeds a preset threshold or remains unique, thereby determining the target access protocol actually running on the target port.
[0049] This dynamic probability update mechanism makes the protocol identification process adaptive and robust, effectively dealing with non-standard configurations, dynamic environments, and ambiguous responses, and providing accurate and reliable protocol basis for subsequent data source access.
[0050] In some embodiments, updating the confidence probability of the candidate protocol corresponding to each probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to each probe packet includes: A1: Update the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to the probe packet; A2: Determine whether the confidence probability of each candidate protocol meets the preset convergence condition, wherein the preset convergence condition is that there is only one confidence probability among the candidate protocols that meets the preset threshold. A3: If it is determined that the confidence probability of each candidate protocol does not meet the preset convergence condition, select the next probe packet and jump to execute A1 until the confidence probability of each candidate protocol meets the preset convergence condition.
[0051] In this embodiment, to accurately determine the actual protocol type running in the target data source, an iterative probing and confidence update mechanism based on Bayesian inference can be used. Specifically, firstly, the initial confidence probability of each candidate protocol is obtained as prior information based on previous passive identification or multi-dimensional feature analysis. Then, an active probing round is initiated, selecting a probe packet from a pre-built probe packet set and sending it to the target port, capturing the corresponding response packet. Based on the features presented by the response packet, combined with the prior confidence probabilities of each candidate protocol, the posterior probability of each candidate protocol appearing under the given response features is calculated using the Bayesian formula, thereby updating the confidence probability of the corresponding candidate protocol. After completing one update, it is then determined whether the confidence probabilities of each candidate protocol meet the preset convergence condition. The convergence condition is specifically set as follows: among all candidate protocols, only one candidate protocol has a confidence probability that reaches or exceeds a preset threshold (e.g., 95%), indicating that the protocol identification result has sufficient determinism and can uniquely lock the target access protocol. If the convergence condition is not met, the next probe packet is selected according to the preset probe strategy (such as sorting by confidence or by protocol feature distinguishability), and the above sending, response capture and confidence update steps are repeated until the confidence probability of each candidate protocol finally meets the convergence condition, that is, converges to the unique target protocol.
[0052] Through this iterative process of active detection and dynamic probability correction, this scheme can adaptively eliminate protocol ambiguity and significantly improve the accuracy and robustness of protocol identification in complex network environments and non-standard configurations.
[0053] In some embodiments, updating the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet corresponding to the probe packet and the candidate protocol includes: The first step is to calculate the likelihood value based on the response packet corresponding to the probe packet and the preset likelihood function; The second step is to calculate the posterior confidence probability of the candidate protocol corresponding to the probe packet based on the likelihood value and the initial confidence probability of the candidate protocol corresponding to the probe packet, so as to update the confidence probability of the candidate protocol corresponding to the probe packet.
[0054] In this embodiment, during active probing, each time a probe packet is sent to the target port and a corresponding response packet is received, the likelihood value is calculated based on the characteristics of the response packet (such as return code, connection reset flag, packet length, etc.) and a preset likelihood function. Then, this likelihood value is fused with the initial confidence probability (i.e., prior probability) of the current candidate protocol using Bayes' theorem to calculate the posterior confidence probability of the candidate protocol, thus dynamically updating the confidence level of the candidate protocol. Through this mechanism, the response information obtained in each round of probing is used to correct the belief in the protocol type, gradually bringing the confidence level closer to the actual protocol and providing an accurate basis for subsequent convergence judgments.
[0055] For example, an initial prior confidence probability of P(π_i) was output for each candidate protocol (Oracle, MySQL, PostgreSQL). Assume that the probability for Oracle is 0.45 and for MySQL is 0.35, indicating high uncertainty. An active probe sequence is then triggered. The system sends an Oracle-specific TNS connection request frame (Probe1) and detects that the target returns a response packet (R1) conforming to the TNS specification.
[0056] At this point, the system updates the confidence level using Bayes' theorem. Let the likelihood function be defined as L(R1|π_i), then: For Oracle (π_ora): The response is as expected, with L(R1|π_ora) = 0.95.
[0057] For MySQL (π_mys): MySQL will usually disconnect or return an error when it receives a TNS packet. Set L(R1|π_mys) = 0.02.
[0058] Calculate the posterior probability P(π_i | R1) using Bayes' theorem: P(π_i | R1) = [L(R1|π_i)·P(π_i)] / Σ[L(R1|π_k) · P(π_k)] (k sum) Substituting the values into the calculation: Numerator (Oracle): 0.95 × 0.45 = 0.4275; Numerator (MySQL): 0.02 × 0.35 = 0.007; Denominator (normalization coefficient): ≈ 0.4275 + 0.007 + ... ≈ 0.44 The updated probabilities are: P(Oracle | R1) ≈ 0.4275 / 0.44 ≈ 0.97 • P(MySQL | R1) ≈ 0.007 / 0.44 ≈ 0.016.
[0059] After one probe test, Oracle's confidence level surged from 45% to 97%. The system determined that the termination condition was met (P>0.95), immediately stopped subsequent probes, locked the target protocol to Oracle, and avoided excessive network interaction from interfering with the target system.
[0060] In some embodiments, determining the predicted protocol type based on the confidence probabilities of each candidate protocol includes: First, among the candidate protocols, the candidate protocols whose confidence probability satisfies a preset threshold are determined to obtain the target protocol; Then, based on the probe packets corresponding to the target protocol, the predicted protocol type is determined.
[0061] In this embodiment, all candidate protocols can be traversed, and their confidence probabilities can be determined one by one to see if they reach or exceed a preset threshold (e.g., 95%). If there is only one candidate protocol whose confidence probability meets the threshold condition, while the confidence probabilities of the remaining candidate protocols are significantly lower than the threshold, then the candidate protocol is determined as the target protocol. Based on this, according to the feature patterns presented by the probe packet corresponding to the target protocol (i.e., the feature code probe packet designed for the protocol in the previous probe process) and its response packet, the prediction protocol type of the target data source is finally determined.
[0062] This process ensures the uniqueness and reliability of the protocol identification results, laying a solid foundation for subsequent data source access based on precise protocol types.
[0063] Step 250: Based on the prediction protocol type, access the target data source.
[0064] In this embodiment, based on the predicted protocol type, an adapted connection request can be dynamically assembled, carrying necessary authentication parameters (such as username, password, or token) and network address information (such as IP address and port number), to initiate a formal connection establishment process to the target data source. Since the adopted protocol type has undergone bidirectional verification through multiple rounds of active probing and actual response characteristics, the accuracy of protocol matching is ensured, effectively avoiding connection failures or data parsing errors caused by protocol misjudgment. This adaptive access mechanism is not only compatible with standard protocols but also handles non-standard ports, proprietary protocol variants, and dynamic network environments, significantly improving access success rates and operational efficiency in scenarios such as data integration, disaster recovery replication, and security auditing.
[0065] In some embodiments, accessing the target data source based on the prediction protocol type includes: First, based on the predicted protocol type, an access channel and access parameters are constructed; Then, based on the access channel and the access parameters, the target data source is accessed.
[0066] In this embodiment, firstly, based on the determined predicted protocol type, an access channel adapted to that protocol is dynamically constructed. This involves establishing a network communication link with the target data source according to protocol specifications (such as transport layer protocol type, message format, handshake process, etc.), and simultaneously generating corresponding access parameters, including target address information (IP address and port number), authentication credentials (such as username, password, or token), protocol version identifier, and necessary connection timeout and retry policies. Subsequently, using the constructed access channel and complete access parameters, a formal connection request is initiated to the target data source, completing the protocol handshake, authentication, and session establishment processes, ultimately achieving stable access to the target data source.
[0067] Please refer to Figure 4 , Figure 4 The flowchart of the parameter space dynamic optimization and optimal parameter selection algorithm according to an embodiment of this application is illustrated.
[0068] In some embodiments, access parameters are constructed based on the predicted protocol type, including: First, obtain the set of open ports; In this embodiment, the aforementioned set of open ports can be obtained by network scanning during the initial interaction phase.
[0069] Then, based on the predicted protocol type, candidate ports are determined from the set of open ports; In this embodiment, based on the set of open ports obtained from previous network scanning, and according to the protocol fingerprint features (such as default port range, handshake packet feature code, etc.) corresponding to the determined predicted protocol type, a list of potential ports that meet the target protocol features can be selected as candidate ports.
[0070] Then, based on the preset variable parameters and the candidate ports, multiple sets of parameter combinations are generated; In this embodiment, multiple sets of parameter combinations can be generated in combination with the candidate ports for the variable parameters that may be involved in the data source access process (including but not limited to authentication mode, character set encoding, connection timeout threshold, data transmission buffer size, etc.). Each set of parameter combinations represents a possible access configuration scheme.
[0071] Then, based on the multiple sets of parameter combinations, multiple access instructions are generated and sent to the target data source; In this embodiment, these parameter combinations can be encapsulated into access commands and sent to the target data source in a parallel or high-concurrency manner in an isolated sandbox environment to simulate real access scenarios and test the connection effect under different configurations.
[0072] Then, obtain the access response data corresponding to each access command; In this embodiment, access response data corresponding to each set of parameters can be captured and recorded in real time, including key performance data such as connection establishment latency, handshake success rate, and link stability indicators (such as packet loss rate and retransmission count) during connection maintenance.
[0073] Finally, based on the access response data corresponding to each access command, the access parameters are determined from the multiple sets of parameter combinations.
[0074] In this embodiment, based on all the access response data obtained, a heuristic search algorithm (such as genetic algorithm, simulated annealing or particle swarm optimization algorithm) is used to comprehensively evaluate and sort the parameter combinations of each group, and automatically locate the access parameter set that can achieve the best connection performance and stability, which is used as the standard configuration for the final access target data source.
[0075] Through this adaptive parameter optimization mechanism, this solution can ensure a high success rate and high reliability of data source access in complex network environments and under non-standard configuration conditions.
[0076] For example, in the above scenario, after locking the Oracle connection, the system attempts multiple combinations in the background, such as (SID: ORCL) and (ServiceName: ORCLPDB). Monitoring reveals that the connection with ServiceName=ORCLPDB takes the shortest time (12ms), so this parameter is automatically selected.
[0077] Please refer to Figure 5 , Figure 5This illustration schematically depicts the architecture and byte stream semantic mapping principle of a memory-level virtualized protocol proxy container according to an embodiment of this application. In one embodiment, for the access channel, a memory-level virtualized protocol semantic mapping channel can be constructed to achieve efficient and transparent access with the target data source. Specifically, this channel is implemented by launching a dynamic protocol proxy container, which can run on the access gateway side without deploying any proxy components or modifying the original business logic on the source system, thus possessing the significant advantage of zero-intrusion access. This channel has a bidirectional semantic translation mechanism. Specifically, when an application layer request (such as a standard structured query language statement or a descriptive state transfer application interface call) is intercepted from the business side, the proxy container uses its built-in byte stream semantic mapping engine to convert the above standard request into a binary instruction stream required by the source private protocol in real time, thereby achieving low-level adaptation to heterogeneous protocols. Conversely, when the source system returns response data, the engine decodes the binary stream of the private protocol format into a standard data format (such as a relational data table or a JavaScript object representation structure) in real time and sends it back to the business side, thereby shielding the heterogeneity of the underlying protocol at the business layer. This channel also features state maintenance and anomaly self-healing mechanisms. Specifically, the proxy container continuously maintains the session state machine, recording context information such as the current connection's protocol version, session identifier, and sequence number. When protocol feature drift is detected (e.g., changes in handshake characteristics due to target system upgrades, address rebinding in a network address translation environment, or changes in private protocol versions), the system automatically determines that the current mapped channel has failed and triggers a fallback mechanism, re-executing the aforementioned step S220 to dynamically re-infer the target protocol type and version. Once the new protocol features are confirmed, the semantic mapping channel is rebuilt, thereby achieving automatic recovery and continuous availability of the access link. Through this mechanism, this solution can ensure high availability, low latency, and strong consistency of data access in complex network environments and private protocol scenarios. Through a scalable protocol fingerprinting model and mapping engine, it can quickly adapt to new databases or unknown private protocols.
[0078] For example, in the above example, a memory-level proxy container is started. When the business system sends a standard JDBC query `SELECT * FROM users`, the proxy container does not rely on the native driver. Instead, it directly constructs a binary data packet conforming to the Oracle TNS protocol specification (including private fields such as checksum and sequence number) in memory and sends it to the target. The binary stream returned by the target database is parsed by the proxy container in real time and converted into JSON format before being returned to the business system. Throughout the entire process, no software is installed on the source Oracle database, and no configuration is modified, achieving complete zero intrusion.
[0079] It should be noted that the above method can be implemented entirely within the proxy container to achieve zero intrusion.
[0080] In the above implementation process, raw message data is acquired, which is the message data during the handshake phase between the business end and the target data source. Based on the raw message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, obtaining the initial confidence probability of each candidate protocol. Based on the initial confidence probability of each candidate protocol, it is determined whether the protocol type corresponding to the target data source is a candidate protocol. If it is determined that the protocol type corresponding to the target data source is not a candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, and the probe result is obtained. Based on the probe result and the initial confidence probability of each candidate protocol, the predicted protocol type is determined. Based on the predicted protocol type, the target data source is accessed. Through the protocol fingerprinting model, the communication protocol of the target data source can be quickly and accurately preliminarily judged, especially when the target runs a standard protocol and is configured in a standardized manner, it can efficiently complete protocol matching and access preparation. For targets not falling within the scope of pre-defined candidate protocols or operating in complex environments, this solution effectively identifies private protocols running on non-standard ports, those undergoing network address translation, or even partial obfuscation or modification by probing the protocol type of the target data source. This mechanism overcomes the limitations of traditional static rule bases, which can only identify standard ports and public protocols, significantly improving adaptability to private protocols and non-standard deployment environments. Based on this, this solution is widely applicable to various complex real-world production environments, including legacy system access, cross-network domain data synchronization, and protocol penetration in security isolation scenarios. It fully meets the access needs of diverse data integration, disaster recovery replication, and security auditing scenarios, demonstrating excellent universality and scalability.
[0081] Please refer to Figure 6 , Figure 6 The schematic diagram illustrates a structural schematic of a data access device according to an embodiment of this application. This embodiment provides a data access device including an acquisition module 410, a prediction module 420, a judgment module 430, a determination module 440, and an access module 450, wherein: The acquisition module 410 is used to acquire raw message data, which is the message data during the handshake phase between the business end and the target data source. The prediction module 420 is used to identify the protocol type corresponding to the target data source based on the original message data using a preset protocol fingerprint recognition model, and obtain the initial confidence probability of each candidate protocol. The judgment module 430 is used to determine whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol; The determination module 440 is used to detect the protocol type of the target data source with the goal of identifying the protocol type when the protocol type corresponding to the target data source is determined to be a non-candidate protocol, obtain the detection result, and determine the predicted protocol type based on the detection result and the initial confidence probability of each candidate protocol. Access module 450 is used to access the target data source based on the prediction protocol type.
[0082] The data access device includes a processor and a memory. The acquisition module 410, prediction module 420, judgment module 430, determination module 440 and access module 450 are all stored as program units in the memory. The processor executes the program units stored in the memory to realize the corresponding functions.
[0083] The processor contains a kernel, which retrieves the corresponding program units from memory. One or more kernels can be configured, and data access is achieved by adjusting kernel parameters.
[0084] The memory may include non-permanent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM, and the memory includes at least one memory chip.
[0085] This invention provides a machine-readable storage medium storing a program that, when executed by a processor, implements the data access method.
[0086] This invention provides a processor for running a program, wherein the program executes the data access method during runtime.
[0087] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as follows: Figure 7As shown, the computer device includes a processor A01, a network interface A02, a display screen A04, an input device A05, and a memory (not shown) connected via a system bus. The processor A01 provides computing and control capabilities. The memory includes internal memory A03 and a non-volatile storage medium A06. The non-volatile storage medium A06 stores an operating system B01 and a computer program B02. The internal memory A03 provides an environment for the operation of the operating system B01 and the computer program B02 stored in the non-volatile storage medium A06. The network interface A02 is used for communication with external terminals via a network connection. When the computer program is executed by the processor A01, it implements a data access method. The display screen A04 can be a liquid crystal display (LCD) or an e-ink display. The input device A05 can be a touch layer covering the display screen, buttons, a trackball, or a touchpad mounted on the computer device casing, or an external keyboard, touchpad, or mouse.
[0088] Those skilled in the art will understand that Figure 7 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0089] In one embodiment, the data access device provided in this application can be implemented as a computer program, and the computer program can be implemented as follows: Figure 7 It runs on the computer device shown. The computer device's memory can store the various program modules that make up the data access device, for example, Figure 6 The diagram shows an acquisition module 410, a prediction module 420, a judgment module 430, a determination module 440, and an access module 450. The computer program comprised of these modules causes the processor to execute the steps of the data access methods in the various embodiments of this application described in this specification.
[0090] Figure 7 The computer equipment shown can be used as follows Figure 6 The acquisition module 410 in the data access device shown executes step 210. The computer device can execute step 220 through the prediction module 420. The computer device can execute step 230 through the judgment module 430. The computer device can execute step 240 through the determination module 440. The computer device can execute step 250 through the access module 450.
[0091] This application provides an electronic device, comprising: at least one processor; and a memory connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the at least one processor implements the aforementioned data access method by executing the instructions stored in the memory. When the processor executes the instructions, it performs the following steps: Obtain raw message data, which is the message data during the handshake phase between the business end and the target data source; Based on the original message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. Based on the initial confidence probability of each candidate protocol, determine whether the protocol type corresponding to the target data source is a candidate protocol; If the protocol type corresponding to the target data source is determined to be a non-candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, the probe results are obtained, and the predicted protocol type is determined based on the probe results and the initial confidence probability of each candidate protocol. Based on the prediction protocol type, access the target data source.
[0092] In one embodiment, the step of identifying the protocol type corresponding to the target data source using a pre-set protocol fingerprinting model based on the original message data to obtain the initial confidence probability of each candidate protocol includes: Based on the original message data, the feature vector is determined; Based on the feature vector, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. The pre-set protocol fingerprinting model is constructed based on the Bayesian inference algorithm.
[0093] In one embodiment, determining the feature vector based on the original message data includes: Multiple bytes are extracted from the original message data to obtain an analysis sample; The probability distribution of each byte in the analyzed sample is calculated; Based on the probability distribution of each byte in the analysis sample, the Shannon entropy value of the analysis sample is calculated to obtain the feature vector, wherein different Shannon entropy values have corresponding standard protocols.
[0094] In one embodiment, determining whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol includes: Based on the initial confidence probability of each candidate protocol, the maximum confidence probability value is obtained; Determine whether the maximum confidence probability value is lower than a preset confidence threshold; If the maximum confidence probability value is determined to be lower than the preset confidence threshold, the protocol type corresponding to the target data source is determined to be a non-candidate protocol.
[0095] In one embodiment, the step of probing the protocol type of the target data source with the goal of identifying the protocol type and obtaining the probing results includes: With the goal of identifying protocol types, corresponding probe packets are constructed based on the feature codes of each candidate protocol, and the probe packets are sent to the target data source. Obtain the response packets corresponding to each probe packet to get the probe results.
[0096] In one embodiment, determining the predicted protocol type based on the detection results and the initial confidence probabilities of each candidate protocol includes: Based on the initial confidence probability of the response packet and candidate protocol corresponding to each probe packet, update the confidence probability of the candidate protocol corresponding to each probe packet; Based on the confidence probability of each candidate protocol, the predicted protocol type is determined.
[0097] In one embodiment, updating the confidence probability of the candidate protocol corresponding to each probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to each probe packet includes: A1: Update the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to the probe packet; A2: Determine whether the confidence probability of each candidate protocol meets the preset convergence condition, wherein the preset convergence condition is that there is only one confidence probability among the candidate protocols that meets the preset threshold. A3: If it is determined that the confidence probability of each candidate protocol does not meet the preset convergence condition, select the next probe packet and jump to execute A1 until the confidence probability of each candidate protocol meets the preset convergence condition.
[0098] In one embodiment, updating the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet corresponding to the probe packet and the candidate protocol includes: The likelihood value is calculated based on the response packet corresponding to the probe packet and the preset likelihood function; Based on the likelihood value and the initial confidence probability of the candidate protocol corresponding to the probe packet, the posterior confidence probability of the candidate protocol corresponding to the probe packet is calculated to update the confidence probability of the candidate protocol corresponding to the probe packet.
[0099] In one embodiment, determining the predicted protocol type based on the confidence probabilities of each candidate protocol includes: Among the candidate protocols, the candidate protocols whose confidence probability satisfies the preset threshold are determined to obtain the target protocol; Based on the probe packets corresponding to the target protocol, the predicted protocol type is determined.
[0100] In one embodiment, accessing the target data source based on the prediction protocol type includes: Based on the predicted protocol type, construct the access channel and access parameters; Based on the access channel and the access parameters, access the target data source.
[0101] In one embodiment, based on the predicted protocol type, access parameters are constructed, including: Get the set of open ports; Based on the predicted protocol type, candidate ports are determined from the set of open ports; Based on the preset variable parameters and the candidate ports, multiple sets of parameter combinations are generated; Based on the combination of the multiple sets of parameters, multiple access instructions are generated and the multiple access instructions are sent to the target data source; Obtain the access response data corresponding to each access command; Based on the access response data corresponding to each access command, the access parameters are determined from the multiple sets of parameter combinations.
[0102] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0103] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0104] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0105] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0106] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0107] Memory may include non-persistent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0108] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0109] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0110] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
Claims
1. A data access method, characterized in that, include: Obtain raw message data, which is the message data during the handshake phase between the business end and the target data source; Based on the original message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. Based on the initial confidence probability of each candidate protocol, determine whether the protocol type corresponding to the target data source is a candidate protocol; If the protocol type corresponding to the target data source is determined to be a non-candidate protocol, the protocol type of the target data source is probed with the goal of identifying the protocol type, the probe results are obtained, and the predicted protocol type is determined based on the probe results and the initial confidence probability of each candidate protocol. Based on the prediction protocol type, access the target data source.
2. The data access method according to claim 1, characterized in that, Based on the original message data, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, obtaining the initial confidence probability of each candidate protocol, including: Based on the original message data, the feature vector is determined; Based on the feature vector, a pre-set protocol fingerprinting model is used to identify the protocol type corresponding to the target data source, and the initial confidence probability of each candidate protocol is obtained. The pre-set protocol fingerprinting model is constructed based on the Bayesian inference algorithm.
3. The data access method according to claim 2, characterized in that, The step of determining the feature vector based on the original message data includes: Multiple bytes are extracted from the original message data to obtain an analysis sample; The probability distribution of each byte in the analyzed sample is calculated; Based on the probability distribution of each byte in the analysis sample, the Shannon entropy value of the analysis sample is calculated to obtain the feature vector, wherein different Shannon entropy values have corresponding standard protocols.
4. The data access method according to claim 1, characterized in that, The step of determining whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol includes: Based on the initial confidence probability of each candidate protocol, the maximum confidence probability value is obtained; Determine whether the maximum confidence probability value is lower than a preset confidence threshold; If the maximum confidence probability value is determined to be lower than the preset confidence threshold, the protocol type corresponding to the target data source is determined to be a non-candidate protocol.
5. The data access method according to claim 1, characterized in that, The step of detecting the protocol type of the target data source with the goal of identifying the protocol type, and obtaining the detection results, includes: With the goal of identifying protocol types, corresponding probe packets are constructed based on the feature codes of each candidate protocol, and the probe packets are sent to the target data source. Obtain the response packets corresponding to each probe packet to get the probe results.
6. The data access method according to claim 5, characterized in that, The process of determining the predicted protocol type based on the detection results and the initial confidence probabilities of each candidate protocol includes: Based on the initial confidence probability of the response packet and candidate protocol corresponding to each probe packet, update the confidence probability of the candidate protocol corresponding to each probe packet; Based on the confidence probability of each candidate protocol, the predicted protocol type is determined.
7. The data access method according to claim 6, characterized in that, The step of updating the confidence probability of the candidate protocol corresponding to each probe packet based on the initial confidence probability of the response packet and candidate protocol corresponding to each probe packet includes: A1: Update the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to the probe packet; A2: Determine whether the confidence probability of each candidate protocol meets the preset convergence condition, wherein the preset convergence condition is that there is only one confidence probability among the candidate protocols that meets the preset threshold. A3: If it is determined that the confidence probability of each candidate protocol does not meet the preset convergence condition, select the next probe packet and jump to execute A1 until the confidence probability of each candidate protocol meets the preset convergence condition.
8. The data access method according to claim 6, characterized in that, The step of updating the confidence probability of the candidate protocol corresponding to the probe packet based on the initial confidence probability of the response packet and the candidate protocol corresponding to the probe packet includes: The likelihood value is calculated based on the response packet corresponding to the probe packet and the preset likelihood function; Based on the likelihood value and the initial confidence probability of the candidate protocol corresponding to the probe packet, the posterior confidence probability of the candidate protocol corresponding to the probe packet is calculated to update the confidence probability of the candidate protocol corresponding to the probe packet.
9. The data access method according to claim 7, characterized in that, The process of determining the predicted protocol type based on the confidence probabilities of each candidate protocol includes: Among the candidate protocols, the candidate protocols whose confidence probability satisfies the preset threshold are determined to obtain the target protocol; Based on the probe packets corresponding to the target protocol, the predicted protocol type is determined.
10. The data access method according to claim 1, characterized in that, The step of accessing the target data source based on the prediction protocol type includes: Based on the predicted protocol type, construct the access channel and access parameters; Based on the access channel and the access parameters, access the target data source.
11. The data access method according to claim 10, characterized in that, Based on the predicted protocol type, access parameters are constructed, including: Get the set of open ports; Based on the predicted protocol type, candidate ports are determined from the set of open ports; Based on the preset variable parameters and the candidate ports, multiple sets of parameter combinations are generated; Based on the combination of the multiple sets of parameters, multiple access instructions are generated and the multiple access instructions are sent to the target data source; Obtain the access response data corresponding to each access command; Based on the access response data corresponding to each access command, the access parameters are determined from the multiple sets of parameter combinations.
12. A data access device, characterized in that, include: The acquisition module is used to acquire raw message data, which is the message data during the handshake phase between the business end and the target data source; The prediction module is used to identify the protocol type corresponding to the target data source based on the original message data using a preset protocol fingerprinting model, and obtain the initial confidence probability of each candidate protocol. The judgment module is used to determine whether the protocol type corresponding to the target data source is a candidate protocol based on the initial confidence probability of each candidate protocol; The determination module is used to detect the protocol type of the target data source when it is determined that the protocol type corresponding to the target data source is a non-candidate protocol, with the goal of identifying the protocol type, to obtain the detection result, and to determine the predicted protocol type based on the detection result and the initial confidence probability of each candidate protocol. The access module is used to access the target data source based on the prediction protocol type.
13. An electronic device, characterized in that, The electronic device includes: At least one processor; A memory connected to the at least one processor; The memory stores instructions executable by the at least one processor, which implements the data access method according to any one of claims 1 to 11 by executing the instructions stored in the memory.
14. A machine-readable storage medium storing instructions thereon, characterized in that, When executed by a processor, this instruction causes the processor to be configured to perform the data access method according to any one of claims 1 to 11.