
CN-122001604-A - Traffic safety processing method, system, device, equipment, storage medium and product


Abstract

The application provides a traffic security processing method, and a corresponding system, apparatus, device, storage medium and computer program product. The method acquires, from the access network, network traffic sent from a user terminal to the Internet and matches it against a custom security policy. If the match succeeds, the target traffic classification identifier for the traffic is determined from the custom security policy; if it fails, the traffic is matched against a service-scenario security policy and the target traffic classification identifier is determined from that. The target security policy is then matched according to the target traffic classification identifier, and security processing is performed on the traffic by the security capability node(s) corresponding to the target security policy.

Inventors

  • YE RONGWEI
  • CHANG JIAYUE
  • ZHANG FENG
  • DONG HANG
  • JIANG YIJIAO
  • HUANG YIMING
  • GAO LIANG

Assignees

  • 中移(杭州)信息技术有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
2026-05-08
Application Date
2024-11-08

Claims (14)

  1. A traffic security processing method, applied to an edge cloud node, the method comprising: acquiring, from an access network, network traffic sent from a user terminal to the Internet; matching the network traffic against a custom security policy; if the match succeeds, determining the target traffic classification identifier for the network traffic according to the custom security policy; if the match fails, matching the network traffic against a service-scenario security policy and determining the target traffic classification identifier for the network traffic; matching a corresponding target security policy according to the target traffic classification identifier; and performing security processing on the network traffic according to the security capability node(s) corresponding to the target security policy.
  2. The traffic security processing method according to claim 1, wherein matching the network traffic against a custom security policy comprises: acquiring user identity information from the network traffic; and matching the user identity information against the custom security policy.
  3. The traffic security processing method according to claim 1, wherein matching the network traffic against a service-scenario security policy and determining the target traffic classification identifier for the network traffic comprises: acquiring network characteristic information from the network traffic, the network characteristic information comprising network protocol information in a network data packet; and matching the network protocol information against the service-scenario security policy to determine the traffic classification identifier for the network traffic.
  4. The traffic security processing method according to claim 3, wherein, after matching the network protocol information against the service-scenario security policy and determining the traffic classification identifier for the network traffic, the method further comprises: if matching the network characteristic information against the service-scenario security policy fails, updating the service-scenario security policy according to security service change information; and matching the network characteristic information against the updated service-scenario security policy to determine the traffic classification identifier for the network traffic.
  5. The traffic security processing method according to claim 1, wherein the security policy comprises security service information and processing flow information related to a service scenario, and performing security processing on the network traffic according to the security capability node corresponding to the target security policy comprises: determining the corresponding security capability node(s) according to the security service information; and forwarding the network traffic through the security capability node(s) in the order given by the processing flow information, and performing the security processing.
  6. The traffic security processing method according to claim 5, wherein forwarding the network traffic through the security capability node(s) in the order given by the processing flow information and performing the security processing comprises: taking the first security capability node in the processing flow information as the target node; forwarding the network traffic to the target node and performing security processing on the network traffic at the target node; and removing the target node from the processing flow information and returning to the step of taking the first security capability node in the processing flow information as the target node, until the network traffic has passed through all security capability nodes in the processing flow information.
  7. The traffic security processing method according to claim 1, wherein, before matching the network traffic against a custom security policy, the method further comprises: receiving a security service request from a user; checking whether a traffic classification identifier and a security policy corresponding to the security service request already exist; if they exist, updating the traffic classification identifier and/or the security policy according to the security service request; and if they do not exist, building corresponding user security service information, together with the traffic classification identifier and the security policy corresponding to that user security service information, according to the security service request.
  8. The traffic security processing method according to any one of claims 1 to 7, further comprising: upon receiving user security service update information, determining the corresponding security capability node(s) according to the user security service update information; updating the user security service information based on those security capability nodes according to the processing flow information corresponding to the user security service update information; decomposing the updated user security service information into a plurality of security capability service units; and forwarding the network traffic through the security capability nodes according to the forwarding logic corresponding to each security capability service unit.
  9. A traffic security processing system, comprising a traffic diversion device, a traffic classification module, a security control module, a traffic forwarding module and a security capability pool, the security capability pool comprising a plurality of security capability nodes, wherein: the traffic diversion device is configured to acquire, from an access network, network traffic sent from a user terminal to the Internet; the traffic classification module is configured to match the network traffic against a custom security policy, to determine the target traffic classification identifier for the network traffic according to the custom security policy if the match succeeds, and, if the match fails, to match the network traffic against a service-scenario security policy and determine the target traffic classification identifier for the network traffic; the security control module is configured to match a corresponding target security policy according to the target traffic classification identifier; and the traffic forwarding module is configured to perform security processing on the network traffic according to the security capability node(s) corresponding to the target security policy.
  10. The traffic security processing system according to claim 9, wherein the security policy comprises security service information and processing flow information related to a service scenario; the security control module is further configured to determine the corresponding security capability node(s) according to the security service information; and the traffic forwarding module is further configured to forward the network traffic through the security capability node(s) in the order given by the processing flow information and to perform the security processing.
  11. A traffic security processing apparatus, comprising: an acquisition module configured to acquire, from an access network, network traffic sent from a user terminal to the Internet; a matching module configured to match the network traffic against a custom security policy; a determining module configured to determine the target traffic classification identifier for the network traffic according to the custom security policy if the match succeeds; the matching module being further configured, if the match fails, to match the network traffic against a service-scenario security policy and determine the target traffic classification identifier for the network traffic, and to match a corresponding target security policy according to the target traffic classification identifier; and a processing module configured to perform security processing on the network traffic according to the security capability node(s) corresponding to the target security policy.
  12. A traffic security processing device, comprising a processor and a memory storing computer program instructions which, when read and executed by the processor, implement the traffic security processing method according to any one of claims 1 to 8.
  13. A computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the traffic security processing method according to any one of claims 1 to 8.
  14. A computer program product comprising instructions which, when executed by a processor of an electronic device, cause the electronic device to perform the traffic security processing method according to any one of claims 1 to 8.
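The two-stage classification of claims 1 to 4 (user identity first, protocol-based scenario policy second, with a policy update and retry on failure), the ordered capability chain of claims 5 and 6 (take the first node in the processing flow, forward, remove it, repeat) and the create-or-update handling of a security service request in claim 7 are easier to follow as a small simulation. The Python below is an added example written for this page; it is not the applicant's code and not a real SASE product. The packet fields, the classification identifiers `vip-web` and `generic-http`, the policy tables and the three capability nodes `url_filter`, `dlp` and `ids` are all constructed for the illustration. Where the claims are silent (a flow that matches neither policy, a node named in a policy but absent from the capability pool), the example fails closed; that choice is the editor's assumption, not something the patent specifies.

```python
# Added example: simulates the edge-node method of claims 1-7. Not the
# applicant's code; every identifier, policy and packet below is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Stand-in for a packet seen at the edge cloud node (constructed)."""
    user_id: str        # user identity information carried in the traffic (claim 2)
    protocol: str       # network protocol information in the packet (claim 3)
    dst: str            # destination host
    payload: bytes = b""


@dataclass(frozen=True)
class SecurityPolicy:
    """Security service information plus ordered processing flow (claim 5)."""
    services: Tuple[str, ...]   # which security services the policy requires
    flow: Tuple[str, ...]       # order in which capability nodes handle the traffic


# A capability node receives a packet and returns (packet or None, verdict).
Node = Callable[[Packet], Tuple[Optional[Packet], str]]


def url_filter(pkt: Packet):
    blocked = {"malware.example"}                      # constructed blocklist
    return (None, "drop") if pkt.dst in blocked else (pkt, "allow")


def dlp(pkt: Packet):
    return (None, "drop") if b"CONFIDENTIAL" in pkt.payload else (pkt, "allow")


def ids(pkt: Packet):
    return (pkt, "allow")                              # inspect only, never blocks here


class EdgeNode:
    def __init__(self, custom, scenario, policies, pool):
        self.custom: Dict[str, str] = dict(custom)      # user_id -> classification id
        self.scenario: Dict[str, str] = dict(scenario)  # protocol -> classification id
        self.policies: Dict[str, SecurityPolicy] = dict(policies)
        self.pool: Dict[str, Node] = dict(pool)         # security capability pool

    def classify(self, pkt: Packet):
        """Claims 1-3: custom policy by user identity first, scenario policy second."""
        if pkt.user_id in self.custom:
            return self.custom[pkt.user_id], "custom"
        if pkt.protocol in self.scenario:
            return self.scenario[pkt.protocol], "scenario"
        return None, "unmatched"

    def update_scenario(self, change: Dict[str, str]):
        """Claim 4: fold security service change information into the scenario policy."""
        self.scenario.update(change)

    def register_request(self, user_id: str, cid: str, policy: SecurityPolicy):
        """Claim 7: update an existing identifier/policy pair or build a new one."""
        outcome = "updated" if cid in self.policies else "created"
        self.custom[user_id] = cid
        self.policies[cid] = policy
        return outcome

    def process(self, pkt: Packet, change: Optional[Dict[str, str]] = None):
        """Classify, resolve the target policy, then chain through the nodes (claim 6)."""
        cid, source = self.classify(pkt)
        if cid is None and change:
            self.update_scenario(change)        # claim 4: update policy, then retry
            cid, source = self.classify(pkt)
        if cid is None:
            # The claims do not say what happens with no match; fail closed (assumption).
            return {"cid": None, "source": source, "trace": [], "verdict": "drop"}
        remaining: List[str] = list(self.policies[cid].flow)
        trace, current, verdict = [], pkt, "allow"
        while remaining and current is not None:
            target = remaining.pop(0)           # first node in the flow becomes the target
            node = self.pool.get(target)
            if node is None:
                # A node missing from the pool must not let traffic through (assumption).
                return {"cid": cid, "source": source, "trace": trace, "verdict": "error"}
            current, verdict = node(current)
            trace.append((target, verdict))
        return {"cid": cid, "source": source, "trace": trace, "verdict": verdict}


def build_demo_node() -> EdgeNode:
    """Constructed policy tables: one custom policy, one scenario policy."""
    policies = {
        "vip-web": SecurityPolicy(("url_filter", "dlp", "ids"), ("url_filter", "dlp", "ids")),
        "generic-http": SecurityPolicy(("url_filter", "ids"), ("url_filter", "ids")),
    }
    return EdgeNode(custom={"alice": "vip-web"},
                    scenario={"http": "generic-http"},
                    policies=policies,
                    pool={"url_filter": url_filter, "dlp": dlp, "ids": ids})


if __name__ == "__main__":
    node = build_demo_node()
    for pkt in (Packet("alice", "http", "intranet.example", b"CONFIDENTIAL report"),
                Packet("bob", "http", "malware.example"),
                Packet("bob", "dns", "resolver.example")):
        print(pkt.user_id, pkt.protocol, node.process(pkt))
```

Two points a practitioner would check in a real deployment are visible in the trace the example returns. First, the chain in claim 6 is described as running until every node in the processing flow has been traversed; the example stops as soon as a node drops the packet, since there is nothing left to forward, and records which node did so. Second, claim 4's update-and-retry path is only as safe as the change information it trusts: in the example a change that maps a previously unmatched protocol to an existing classification identifier immediately changes the verdict for that traffic, so the source of that change information needs the same authentication as a policy edit.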

Description

Traffic security processing method, system, apparatus, device, storage medium and product

Technical Field

The present application relates to the field of network engineering, and in particular to a traffic security processing method, system, apparatus, device, storage medium and product.

Background

With the acceleration of digital transformation and the continued development of emerging technologies such as the Internet of Things and edge computing, network services cover ever more scenarios and are deployed in ever more flexible environments, which greatly challenges traditional network security defence schemes. Faced with ubiquitous service access boundaries and the corresponding security requirements, conventional security approaches built on a fixed perimeter and centralised control, with locally deployed security products, can no longer cope. In recent years more and more security vendors and cloud vendors have tried to solve the experience and security problems of centralised access by delivering security capabilities as cloud services; near-source security monitoring and protection, combined with unified scheduling of network and security functions, is now the main protective approach. Secure Access Service Edge (SASE) is an emerging secure service model that combines wide area network access with network security, delivering services by dynamically orchestrating security across the whole of a network access activity on the basis of entity identity, real-time context and security compliance policies. SASE offers a rich set of network and security functions: it can monitor, protect and forward traffic, and it realises threat detection and control of network access behaviour at edge network nodes.

However, security capability orchestration built on the SASE architecture can only provide a fixed set of built-in security policies. As services diversify, this existing approach cannot adapt to different service scenarios; the user side is required to submit its own information and to retain some local security capability, otherwise security is hard to guarantee, and the differentiated security requirements of users cannot be met.

Disclosure of Invention

Embodiments of the present application provide a traffic security processing method, system, apparatus, device, storage medium and product that improve security protection capability and meet users' differentiated security requirements.

In a first aspect, the present application provides a traffic security processing method, applied to an edge cloud node, the method comprising: acquiring, from an access network, network traffic sent from a user terminal to the Internet; matching the network traffic against a custom security policy; if the match succeeds, determining the target traffic classification identifier for the network traffic according to the custom security policy; if the match fails, matching the network characteristic information against a service-scenario security policy and determining the target traffic classification identifier for the network traffic; matching a corresponding target security policy according to the target traffic classification identifier; and performing security processing on the network traffic according to the security capability node(s) corresponding to the target security policy.

In some possible implementations, matching the network traffic against a custom security policy comprises: acquiring user identity information from the network traffic; and matching the user identity information against the custom security policy.
In some possible implementations, matching the network characteristic information against a service-scenario security policy and determining the target traffic classification identifier for the network traffic comprises: acquiring network characteristic information from the network traffic, the network characteristic information comprising network protocol information in a network data packet; and matching the network protocol information against the service-scenario security policy to determine the traffic classification identifier for the network traffic.

In some possible implementations, after matching the network protocol information against the service-scenario security policy and determining the traffic classification identifier for the network traffic, the method further comprises: if matching the network characteristic information against the service-scenario security policy fails, updating the service-scenario security policy according to the security service change i