CN-122027372-A - Two-layer network security defense method and device and electronic equipment
Abstract
The application discloses a two-layer network security defense method, a device and electronic equipment, which relate to the technical field of computer networks and information security. The method comprises the steps of: receiving a first data packet reported by a virtual switch; judging, according to the network topology information of the virtual switch, whether the first data packet is two-layer abnormal traffic; under the condition that two-layer abnormal traffic exists, generating an interception suggestion and sending it to the virtual switch to request confirmation; and, in response to receiving the confirmation response of the virtual switch, triggering an external physical switch to intercept the subsequent data flow matched with the first data packet at the entrance of the two-layer network. This solves the technical problem that existing two-layer network security defense schemes cannot intercept abnormal traffic before it enters the host machine, so that the traffic impacts the network.
Inventors
- WANG CHUANLEI
- WANG PEIHUI
Assignees
- 济南浪潮数据技术有限公司
- 郑州浪潮数据技术有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260415
Claims (20)
- 1. The two-layer network security defense method is characterized by being applied to an intelligent analysis platform and comprising the following steps: receiving a first data packet reported by a virtual switch; according to the network topology information of the virtual switch, carrying out abnormal traffic judgment on the first data packet so as to identify whether the first data packet is two-layer abnormal traffic; under the condition that two-layer abnormal traffic is judged to exist, generating an interception suggestion and sending the interception suggestion to the virtual switch to request confirmation; and, in response to receiving the confirmation response of the virtual switch, triggering an external physical switch to intercept a subsequent data flow matched with the first data packet at the two-layer network entrance.
- 2. The two-layer network security defense method of claim 1 wherein the network topology information comprises a port Medium Access Control (MAC) address mapping table maintained by the virtual switch.
- 3. The two-layer network security defense method according to claim 2, wherein the abnormal traffic includes unknown unicast attack traffic and abnormal multicast traffic, and the performing abnormal traffic determination on the first packet according to network topology information of the virtual switch includes: judging that the first data packet is the unknown unicast attack flow under the condition that the first data packet is a unicast message and the destination MAC address of the first data packet is not in the port medium access control MAC address mapping table; and under the condition that the first data packet is a multicast message and the multicast message generates flooding on a plurality of physical interfaces, judging that the first data packet is the abnormal multicast flow.
- 4. The two-layer network security defense method of claim 3 wherein the interception suggestion comprises at least one of a destination MAC address of the first data packet, a message type of the first data packet, and a recommended interception policy.
- 5. The two-layer network security defense method of claim 1 wherein the first data packet is reported through a network link multicast communication mode and is simultaneously reported to the intelligent analysis platform and the control process of the virtual switch.
- 6. The two-layer network security defense method according to claim 5, wherein the network link multicast communication mode is configured such that the kernel mode data path of the virtual switch sends the first data packet to a predefined multicast group, and receiving the first data packet reported by the virtual switch comprises: receiving the first data packet by monitoring the predefined multicast group.
- 7. The two-tier network security defense method of claim 5, wherein generating and sending an interception suggestion to the virtual switch to request confirmation in the event that two-tier abnormal traffic is determined to exist comprises: sending the interception suggestion to a control process of the virtual switch; and receiving a confirmation response returned by the control process.
- 8. The two-layer network security defense method of claim 7, wherein the acknowledgement response returned by the control process is the result of verifying the interception suggestion against a local flow table rule of the control process.
- 9. The two-tier network security defense method of claim 1, further comprising: under the condition that the confirmation response is a confirmation of interception, writing the destination MAC address, the source address, the timestamp and the interception result of the first data packet into a training set as training samples; and periodically performing incremental training on the intelligent analysis platform based on the training set.
- 10. A two-layer network security defense method, applied to a virtual switch, comprising: reporting the acquired first data packet to an intelligent analysis platform; receiving an interception suggestion sent by the intelligent analysis platform, wherein the interception suggestion is generated by judging abnormal traffic of the first data packet according to network topology information of the virtual switch; and checking the interception suggestion, and sending a confirmation response to the intelligent analysis platform under the condition that the checking result is that traffic interception needs to be carried out, so that the intelligent analysis platform responds to the confirmation response by triggering an external physical switch to intercept a subsequent data stream matched with the first data packet at the two-layer network entrance.
- 11. The two-tier network security defense method of claim 10 wherein the abnormal traffic comprises unknown unicast attack traffic and abnormal multicast traffic.
- 12. The two-layer network security defense method of claim 10, wherein reporting the acquired first data packet to the intelligent analysis platform comprises: acquiring the first data packet from the network card through a kernel mode data path; and simultaneously reporting the first data packet to the intelligent analysis platform and the control process of the virtual switch in a network link multicast communication mode.
- 13. The two-layer network security defense method according to claim 12, wherein verifying the interception suggestion and sending a confirmation response to the intelligent analysis platform if the verification result is that traffic interception is required comprises: receiving the interception suggestion through the control process, and checking the interception suggestion; and under the condition that traffic interception is required, sending a confirmation response to the intelligent analysis platform through the control process.
- 14. The two-layer network security defense method of claim 13 wherein the interception suggestion comprises at least one of a destination MAC address of the first data packet, a message type of the first data packet, and a recommended interception policy.
- 15. The two-tier network security defense method of claim 14 wherein verifying the interception suggestion comprises: inquiring a local flow table rule of the control process; and under the condition that no flow table item matched with the destination MAC address of the first data packet exists, determining the verification result as flow interception.
- 16. A two-layer network security defense device, characterized in that it is located on an intelligent analysis platform, comprising: a first receiving module, used for receiving a first data packet reported by the virtual switch; a judging module, used for judging the abnormal traffic of the first data packet according to the network topology information of the virtual switch so as to identify whether the first data packet is two-layer abnormal traffic or not; a generation module, used for generating an interception suggestion and sending the interception suggestion to a control process of the virtual switch to request confirmation under the condition that two-layer abnormal traffic is judged to exist; and an interception module, used for triggering the external physical switch to intercept the subsequent data flow matched with the first data packet at the entrance of the two-layer network in response to receiving the confirmation response of the control process.
- 17. A two-layer network security defense device located at a virtual switch, comprising: a reporting module, used for reporting the acquired first data packet to the intelligent analysis platform; a second receiving module, used for receiving interception suggestions sent by the intelligent analysis platform, wherein the interception suggestions are generated by judging abnormal traffic of the first data packet according to network topology information of the virtual switch; and a verification module, used for verifying the interception suggestion, and sending a confirmation response to the intelligent analysis platform under the condition that the verification result is that traffic interception needs to be carried out, so that the intelligent analysis platform responds to the confirmation response by triggering an external physical switch to intercept the subsequent data flow matched with the first data packet at the entrance of the two-layer network.
- 18. An electronic device, comprising: a memory for storing a computer program; and a processor for implementing the steps of the two-tier network security defense method according to any one of claims 1 to 9 or the steps of the two-tier network security defense method according to any one of claims 10 to 15 when executing the computer program.
- 19. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program when executed by a processor implements the steps of the two-tier network security defense method according to any one of claims 1 to 9 or the steps of the two-tier network security defense method according to any one of claims 10 to 15.
- 20. A computer program product comprising a computer program, characterized in that the computer program when executed by a processor implements the steps of the two-tier network security defense method according to any one of claims 1 to 9 or the steps of the two-tier network security defense method according to any one of claims 10 to 15.
Description
Two-layer network security defense method and device and electronic equipment
Technical Field
The present application relates to the field of computer networks and information security technologies, and in particular to a two-layer network security defense method, device and electronic equipment.
Background
In a cloud computing environment, data center network security is critical. The current mainstream security mechanisms focus on IP-level protection of the three-layer network, while protection against security threats to the two-layer network is insufficient. In two-layer networks, typical security risks include broadcast loops; in addition, there is a more covert threat: the flooding of large numbers of unknown unicast frames. In existing data centers or cloud computing data centers, the existing two-layer network security defense schemes mostly configure security rules on the data center or cloud host, and cannot intercept abnormal traffic before it enters the host, so that the traffic impacts the network and the affected traffic or data suffers severely.
Disclosure of Invention
The application provides a two-layer network security defense method, a device and electronic equipment, which at least solve the problem that the two-layer network security defense schemes in the related technology cannot intercept abnormal traffic before it enters a host machine, so that the traffic impacts the network.
The application provides a two-layer network security defense method which is applied to an intelligent analysis platform and comprises the steps of: receiving a first data packet reported by a virtual switch; judging abnormal traffic of the first data packet according to network topology information of the virtual switch to identify whether the first data packet is two-layer abnormal traffic; generating an interception suggestion and sending it to a control process of the virtual switch to request confirmation under the condition that two-layer abnormal traffic exists; and triggering an external physical switch to intercept a subsequent data stream matched with the first data packet at the entrance of the two-layer network in response to receiving a confirmation response of the control process.

The application also provides a two-layer network security defense method which is applied to the virtual switch and comprises the steps of: reporting an acquired first data packet to an intelligent analysis platform; receiving an interception suggestion sent by the intelligent analysis platform, wherein the interception suggestion is generated by judging abnormal traffic of the first data packet according to network topology information of the virtual switch; and checking the interception suggestion, and sending a confirmation response to the intelligent analysis platform under the condition that the checking result is that traffic interception needs to be carried out, so that the intelligent analysis platform responds to the confirmation response by triggering an external physical switch to intercept a subsequent data stream matched with the first data packet at the two-layer network entrance.
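The detection rules of claim 3 (unknown unicast when the destination MAC is absent from the virtual switch's port/MAC table; abnormal multicast when a group frame is flooded onto more than one physical interface), the flow-table check of claim 15 and the ingress interception of claim 1 are shown below as an added simulation. This is example code written for this page, not the patent's or the assignee's implementation; the netlink multicast reporting path is left out, and the class names, the `drop-at-ingress` policy string, the MAC addresses and port names are all constructed for the example. Broadcast frames fall into neither claimed category and are treated as normal here, which is an assumption.

```python
"""Constructed simulation of the two-layer defense flow (not the patent's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs carry the I/G bit (LSB of the first octet)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    timestamp: float
    # Physical interfaces the kernel datapath flooded this frame onto (constructed).
    flood_ports: Set[str] = field(default_factory=set)


@dataclass
class Suggestion:
    dst_mac: str      # claim 4: destination MAC of the first packet
    msg_type: str     # claim 4: message type ("unknown_unicast" / "abnormal_multicast")
    policy: str       # claim 4: recommended interception policy (constructed string)


class VirtualSwitchControl:
    """Virtual switch control process: owns the port/MAC table and a local flow table."""

    def __init__(self, port_mac_table: Dict[str, str], flow_table: Set[str]):
        self.port_mac_table = port_mac_table   # MAC -> port, the topology information
        self.flow_table = flow_table           # destination MACs that have a flow entry

    def verify(self, s: Suggestion) -> bool:
        # Claim 15: confirm interception only if no flow entry matches the destination MAC.
        return s.dst_mac not in self.flow_table


class PhysicalSwitch:
    """External physical switch at the two-layer entrance; drops blocked frames on ingress."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def admit(self, pkt: Packet) -> bool:
        return pkt.dst_mac not in self.blocked


class AnalysisPlatform:
    def __init__(self, vsw: VirtualSwitchControl, psw: PhysicalSwitch) -> None:
        self.vsw, self.psw = vsw, psw
        self.training_set: List[Tuple[str, str, float, str]] = []   # claim 9 samples

    def classify(self, pkt: Packet) -> Optional[str]:
        """Claim 3 rules; returns the abnormal-traffic type or None for normal traffic."""
        if pkt.dst_mac == BROADCAST:           # assumption: broadcast is not a claimed category
            return None
        if is_group_address(pkt.dst_mac):
            return "abnormal_multicast" if len(pkt.flood_ports) > 1 else None
        return "unknown_unicast" if pkt.dst_mac not in self.vsw.port_mac_table else None

    def handle(self, pkt: Packet) -> str:
        kind = self.classify(pkt)
        if kind is None:
            return "normal"
        suggestion = Suggestion(pkt.dst_mac, kind, "drop-at-ingress")
        if not self.vsw.verify(suggestion):    # control process rejected the suggestion
            return "suggestion-rejected"
        self.psw.blocked.add(pkt.dst_mac)      # trigger interception at the L2 entrance
        self.training_set.append((pkt.dst_mac, pkt.src_mac, pkt.timestamp, "intercepted"))
        return "intercepted"


def demo() -> Dict[str, object]:
    """Runs constructed packets through the pipeline and returns the outcomes."""
    vsw = VirtualSwitchControl(
        port_mac_table={"02:00:00:00:00:01": "vnet0", "02:00:00:00:00:02": "vnet1"},
        flow_table={"02:00:00:00:00:01", "02:00:00:00:00:02", "01:00:5e:00:00:fb"},
    )
    psw = PhysicalSwitch()
    platform = AnalysisPlatform(vsw, psw)
    src = "02:00:00:00:00:01"
    out: Dict[str, object] = {}
    out["known_unicast"] = platform.handle(Packet(src, "02:00:00:00:00:02", 1.0))
    out["unknown_unicast"] = platform.handle(Packet(src, "02:00:00:00:00:99", 2.0))
    out["multicast_flooded"] = platform.handle(
        Packet(src, "01:00:5e:01:02:03", 3.0, {"eth0", "eth1"}))
    out["multicast_with_flow_entry"] = platform.handle(
        Packet(src, "01:00:5e:00:00:fb", 4.0, {"eth0", "eth1"}))
    out["broadcast"] = platform.handle(Packet(src, BROADCAST, 5.0, {"eth0", "eth1"}))
    # A later frame to the intercepted destination is now dropped by the physical switch.
    out["later_frame_admitted"] = psw.admit(Packet(src, "02:00:00:00:00:99", 6.0))
    out["training_samples"] = len(platform.training_set)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fourth packet shows why the confirmation round-trip matters: the platform flags the multicast flood, but the control process holds a flow entry for that group address and rejects the suggestion, so nothing is blocked at the physical switch.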
The application also provides a two-layer network security defense device which is positioned on an intelligent analysis platform and comprises a first receiving module, a judging module, a generating module and an intercepting module, wherein the first receiving module is used for receiving a first data packet reported by a virtual switch; the judging module is used for judging the abnormal traffic of the first data packet according to the network topology information of the virtual switch so as to identify whether the first data packet is two-layer abnormal traffic; the generating module is used for generating an intercepting suggestion and sending it to a control process of the virtual switch to request confirmation under the condition that two-layer abnormal traffic exists; and the intercepting module is used for triggering an external physical switch to intercept a subsequent data flow matched with the first data packet at the entrance of the two-layer network in response to receiving the confirmation response of the control process.

The application also provides a two-layer network security defense device which is positioned in the virtual switch and comprises a reporting module, a second receiving module and a checking module, wherein the reporting module is used for reporting the acquired first data packet to an intelligent analysis platform; the second receiving module is used for receiving an interception suggestion sent by the intelligent analysis platform, the interception suggestion being generated by judging abnormal traffic of the first data packet according to network topology information of the virtual switch; and the checking module is used for checking the interception suggestion and sending a confirmation response to the intelligent analysis platform under the condit