CN-122027285-A - Data processing method and device based on network security, gateway equipment and storage medium
Abstract
The embodiments of the application provide a data processing method and device based on network security, a gateway device, and a storage medium. In the method, the gateway device uses different analysis sub-modules to perform security detection on different types of messages to be detected, according to the detection task identifiers of those messages, and obtains a message detection result. It then judges, according to the message detection result, whether the first message data can be sent directly. The number of analysis sub-modules can be adjusted, and the analysis sub-modules can scale elastically, so that different types of detection tasks are sent to a plurality of analysis sub-modules and executed in an asynchronous feedback mode, which saves processing time. A fault-tolerance strategy is determined according to the execution result, which improves the efficiency of message security detection.
Inventors
- LEI YONGCHENG
Assignees
- 成都西加云杉科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260212
Claims (10)
- 1. A data processing method based on network security, the method comprising: judging whether the message data to be detected needs to be subjected to depth detection or not through a main control process, wherein the message data to be detected at least comprises messages of different protocol types or messages of different risk grades; under the condition that depth detection is needed, sending the message data to be detected to each analysis sub-module, so that each analysis sub-module detects the message data to be detected, wherein each analysis sub-module is used for executing different tasks, and the number of the analysis sub-modules is adjusted according to the number of detection tasks and the resource load information; receiving detection results fed back by each analysis sub-module in an asynchronous feedback mode, and triggering a fault-tolerant strategy under the condition that the detection results fed back by each analysis sub-module are not received, wherein the fault-tolerant strategy at least comprises speed limitation or bypass; determining an execution strategy corresponding to the message data to be detected according to the detection result and the fault tolerance strategy, wherein the execution strategy at least comprises the steps of directly sending the message data to be detected or carrying out deep detection on the message data to be detected.
- 2. The network security-based data processing method according to claim 1, wherein the determining, by the master control process, whether the to-be-detected message data needs to be deeply detected, where the to-be-detected message data includes at least messages of different protocol types or messages of different risk levels includes: classifying the message data to be detected according to detection task identifiers of the message data to be detected through a main control process to obtain different types of message data, wherein the detection task identifiers are used for identifying the message data of different detection tasks; under the condition that depth detection is needed, sending the message data to be detected to each analysis sub-module so that each analysis sub-module detects the message data to be detected, including: dynamically adjusting the number of preset analysis sub-modules according to the number of the detection task identifiers and the resource load information; the analysis submodule is used for respectively detecting and processing the message data of different types to obtain a message detection result, wherein the message detection result at least comprises a security type and a processing strategy corresponding to the detection task identifier, and the analysis submodule is deployed in a containerized form and supports elastic expansion; the triggering fault-tolerant strategy under the condition that the detection result fed back by each analysis sub-module is not received comprises the following steps: under the condition that the analysis submodule is unnecessary or the detection time is longer than a preset value, determining a fault-tolerant strategy corresponding to the message data to be detected, wherein the fault-tolerant strategy at least comprises modifying the detection task identifier to obtain a task identifier to be detected, and the task identifier to be detected comprises one of needing to be observed, temporarily bypassing depth detection or adopting a security strategy.
- 3. The network security based data processing method of claim 2, wherein the method further comprises: performing preliminary filtering on the first message data according to a basic detection strategy to obtain a first detection result, wherein the basic detection strategy at least comprises five-tuple information, protocol category, preset white list and preset black list; detecting the first detection result again by adopting a rapid path detection strategy, and judging whether the first message data is directly forwarded or not; and determining the first message data to be detected as the message data to be detected.
- 4. The network security-based data processing method according to claim 2, wherein the classifying the to-be-detected message data according to the detection task identifier of the to-be-detected message data to obtain different types of message data includes: obtaining message parameters corresponding to the message data to be detected, wherein the message parameters at least comprise a data flow identifier, a time stamp and a classification category; and classifying the message data to be detected corresponding to the detection task identifier, and respectively storing the message data to be detected in different queues, wherein the queues at least comprise a message queue, a memory database, a distributed event stream platform, a working pool or a container dispatcher.
- 5. The network security-based data processing method according to claim 2, wherein the classifying the message data to be detected according to the detection task identifier of the message data to be detected by the master control process to obtain different types of message data comprises: determining priority information of the different types of message data according to the flow types of the different types of message data, the risk level of the detection task identification of the message data and the resource load information; according to the priority information of the message data of different types, sending the message data of different types to the corresponding analysis sub-modules according to the high-low order of the priority information; and detecting the message data of different types through the analysis submodule to obtain a message detection result.
- 6. The network security-based data processing method according to claim 5, wherein the detecting, by the analysis submodule, the different types of message data to obtain a message detection result includes: carrying out one or more of the following detection operations on the message data of different types through the analysis submodule to obtain the message detection result, wherein the detection operation at least comprises one of uniform resource locator (URL) filtering, content filtering, virus scanning, behavior analysis or threat information query, the message detection result comprises a security type and a processing strategy corresponding to the detection task identifier, the security type comprises one of malicious, suspicious or safe, and the processing strategy comprises one of discarding, bypassing, speed limiting, sending or isolating.
- 7. A network security based data processing method according to claim 3, wherein the method further comprises: and updating the basic detection strategy and the rapid path detection strategy according to the message detection result.
- 8. A network security based data processing apparatus, the apparatus comprising: a classification module, used for judging whether the message data to be detected needs to be subjected to depth detection or not through a main control process, wherein the message data to be detected at least comprises messages of different protocol types or messages of different risk grades; a determining module, used for sending the message data to be detected to each analyzing sub-module under the condition that the depth detection is required, so that each analyzing sub-module detects the message data to be detected, wherein each analyzing sub-module is used for executing different tasks, and the number of the analyzing sub-modules is adjusted according to the number of the detecting tasks and the resource load information; a detection module, used for receiving the detection results fed back by the analysis sub-modules in an asynchronous feedback mode, and triggering a fault-tolerant strategy under the condition that the detection results fed back by the analysis sub-modules are not received, wherein the fault-tolerant strategy at least comprises speed limitation or bypass; and an adjusting module, used for determining an execution strategy corresponding to the message data to be detected according to the detection result and the fault tolerance strategy, wherein the execution strategy at least comprises the steps of directly sending the message data to be detected or carrying out deep detection on the message data to be detected.
- 9. A gateway device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor is operable to implement the network security based data processing method of any of claims 1 to 7 when the program is executed by the processor.
- 10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the network security based data processing method of any of claims 1-7.
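The flow in claims 1, 2 and 6 (fan-out to analysis sub-modules, asynchronous feedback, fault tolerance when a result does not arrive) can be sketched as follows. This is an added example, not code from the patent: the three analyzers, the timeout value, the sample payloads and the mapping from security type to processing strategy are all assumptions made for illustration.

```python
import asyncio

TIMEOUT_S = 0.2  # assumed "preset value" for the allowed detection time

# Hypothetical analysis sub-modules; each one executes a different detection task.
async def url_filter(pkt):
    return "malicious" if "evil.example" in pkt["payload"] else "safe"

async def content_filter(pkt):
    return "suspicious" if "<script>" in pkt["payload"] else "safe"

async def virus_scan(pkt):
    # Constructed delay that simulates a stalled or overloaded sub-module.
    await asyncio.sleep(pkt.get("scan_delay", 0))
    return "safe"

ANALYZERS = {"url": url_filter, "content": content_filter, "virus": virus_scan}

async def inspect(pkt, high_risk=False):
    """Fan out, collect verdicts asynchronously, apply fault tolerance on timeout."""
    tasks = {n: asyncio.create_task(fn(pkt)) for n, fn in ANALYZERS.items()}
    done, pending = await asyncio.wait(tasks.values(), timeout=TIMEOUT_S)
    for t in pending:
        t.cancel()
    # A sub-module that crashed is treated like one that never answered.
    verdicts = {n: t.result() for n, t in tasks.items()
                if t in done and t.exception() is None}
    missing = sorted(n for n in tasks if n not in verdicts)
    if "malicious" in verdicts.values():
        action = "discard"
    elif "suspicious" in verdicts.values():
        action = "isolate"
    elif missing:
        # Fault-tolerant strategy: speed limit for high-risk traffic, else bypass.
        action = "rate_limit" if high_risk else "bypass"
    else:
        action = "send"
    return {"action": action, "verdicts": verdicts, "missing": missing}

def run(pkt, **kw):
    """Synchronous entry point for one packet."""
    return asyncio.run(inspect(pkt, **kw))
```

In this sketch a verdict that did arrive always outranks the timeout fallback. The bypass branch is fail-open, so traffic that stalls a sub-module is forwarded uninspected, which is why the sketch restricts it to traffic not marked high risk.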
Description
Data processing method and device based on network security, gateway equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a data processing method and apparatus based on network security, a gateway device, and a storage medium.
Background
As network bandwidth increases, the gateway device receives message data packets sent by each terminal. These packets may be sent using different application protocols, for example HTTPS (Hypertext Transfer Protocol Secure), QUIC (Quick UDP Internet Connections) and IoT (Internet of Things) protocols, and may relate to different threat types, for example zero trust, malicious scripts, and APT (Advanced Persistent Threat). The gateway device uses a synchronous serial detection flow to perform security detection on each message data packet, so detection of one packet starts only after detection of the previous packet has finished. This takes more time, and detection efficiency is lower.
Disclosure of Invention
The application aims to provide a data processing method and device based on network security, a gateway device and a storage medium. In the technical scheme of the embodiments of the application, a master control process judges whether the message data to be detected needs to be subjected to deep detection, where the message data to be detected at least comprises messages of different protocol types or messages of different risk levels. Where deep detection is needed, the message data to be detected is sent to each analysis sub-module so that each analysis sub-module detects it, and the number of analysis sub-modules is adjusted according to the number of detection tasks and the resource load information. Detection results fed back by each analysis sub-module are received in an asynchronous feedback mode, and a fault-tolerant strategy, which at least comprises speed limitation or bypass, is triggered when the detection results fed back by each analysis sub-module are not received. An execution strategy corresponding to the message data to be detected is determined according to the detection result and the fault-tolerant strategy; the execution strategy at least comprises directly sending the message data to be detected or carrying out deep detection on it. The gateway device can thus use different analysis sub-modules to perform security detection on different types of message data to be detected, judge according to the detection result whether the message data can be sent directly, and adjust the number of analysis sub-modules. By combining the asynchronous feedback closed loop with the dynamic strategy updating mechanism, different types of detection tasks are sent to a plurality of analysis sub-modules for execution, so that processing time is saved, the fault-tolerant strategy can be determined according to the execution result, and message security detection efficiency is improved.
In a first aspect, some embodiments of the present application provide a data processing method based on network security, including: judging whether the message data to be detected needs to be subjected to depth detection or not through a main control process, wherein the message data to be detected at least comprises messages of different protocol types or messages of different risk grades; under the condition that depth detection is needed, sending the message data to be detected to each analysis sub-module, so that each analysis sub-module detects the message data to be detected, wherein each analysis sub-module is used for executing different tasks, and the number of the analysis sub-modules is adjusted according to the number of detection tasks and the resource load information; receiving detection results fed back by each analysis sub-module in an asynchronous feedback mode, and triggering a fault-tolerant strategy under the condition that the detection results fed b