
CN114257416B - Black and white list adjustment method and device (Google Patents)

Info

Publication number: CN114257416B
Authority: CN (China)
Prior art keywords: network, source address, data log, request type, network data
Legal status: Active
Application number: CN202111418073.9A
Other languages: Chinese (zh)
Other versions: CN114257416A
Inventors: 丁勇, 张方辉
Current assignee: ThunderSoft Co Ltd
Original assignee: ThunderSoft Co Ltd
Application filed by ThunderSoft Co Ltd; published as CN114257416A and granted as CN114257416B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a black-and-white list adjustment method and device, an electronic device and a computer-readable storage medium. The method comprises the following steps: acquiring a network data log packet and extracting a network message from it, wherein the network message comprises a source address; when the request type of the network message is included in neither the white list nor the black list, sending the source address so that a detection server returns a detection result after detecting the security of the source address; and, based on the security of the source address in the detection result, adding the request type of the network message to the corresponding blacklist or whitelist. This achieves the purpose of dynamically adjusting the content of the black and white lists and improves the flexibility of the central control system in accessing network services.

Description

Black and white list adjustment method and device
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a black and white list adjustment method and device, electronic equipment and a computer readable storage medium.
Background
With the continuous development of automobile technology and network technology, most vehicle central control systems now have network access, so as to provide convenient network services for driving the vehicle.
At present, the central control system may also be linked to each logic control unit inside the vehicle, so that network communication security for the whole vehicle becomes more important. Currently, a fixed white list is often used to filter network data packets: a number of Internet Protocol (IP) addresses that are allowed access are set in the fixed white list, and only hosts with these IP addresses are allowed to access the central control system of the vehicle.
However, in the current scheme the fixed white list greatly limits the flexibility of the central control system of the vehicle in accessing network services, so that the network services of the central control system have a narrow application range and the user experience of the central control system is reduced.
Disclosure of Invention
The embodiment of the application provides a black-and-white list adjustment method, a black-and-white list adjustment device, electronic equipment and a computer readable storage medium, which can solve the problems that the network service application range of a central control system in the related art is narrow and the user experience of the central control system is reduced. The technical scheme is as follows:
In a first aspect, a method for adjusting a black-and-white list is provided, and the method is applied to a central control system of a vehicle, and includes:
acquiring a network data log packet, and extracting a network message in the network data log packet, wherein the network message comprises a source address;
based on the request type of the network message being included in neither the white list nor the black list, sending the source address so that a detection server returns a detection result after performing security detection on the source address;
and adding the request type of the network message in the corresponding blacklist or whitelist based on the security of the source address in the detection result.
In a second aspect, there is provided a black-and-white list adjustment device for a central control system of a vehicle, the device comprising:
The collecting module is used for obtaining a network data log packet and extracting a network message in the network data log packet, wherein the network message comprises a source address;
The processing module is used for sending the source address based on the request type of the network message which is not included in the white list and the black list, so that the detection server returns a detection result after the security of the source address is detected;
And the policy generation module is used for adding the request type of the network message in the corresponding blacklist or the whitelist based on the security of the source address in the detection result.
In a third aspect, an electronic device is provided that includes a processor and a memory; the memory stores at least one instruction for execution by the processor to implement the method of black and white list adjustment as described in the first aspect.
In a fourth aspect, there is provided a computer readable storage medium storing at least one instruction for execution by a processor to implement the method of adjusting a black-and-white list according to the first aspect.
According to the method for adjusting the black-and-white list provided by the embodiment of the application, a network data log packet whose request type is included in neither the white list nor the black list can be sent to the detection server for detection, and the request type of the network data log packet is dynamically added to the white list or the black list according to the detection result. This achieves the purpose of dynamically adjusting the content of the black-and-white list, improves its ability to change over time and therefore its timeliness, improves the flexibility of the central control system in accessing network services, allows newly added secure network services to be accessed continuously over time, and improves the user experience.
Drawings
Fig. 1 is a system architecture diagram of a black-and-white list adjustment method according to an embodiment of the present application;
fig. 2 is a flow chart of a method for adjusting a black-and-white list according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a black-and-white list adjustment device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
References herein to "a plurality" mean two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship.
Referring to fig. 1, a system architecture diagram of a black-and-white list adjustment method according to an embodiment of the present application is shown. The central control system of the embodiment of the application may be a system based on a Linux kernel or a system with another form of kernel; the embodiment of the application is not limited in this respect. The network data log packet is a log-form data packet sent by an external host providing a network service, and can be used by the central control system for providing vehicle-mounted services, upgrading the vehicle machine, and the like.
A network protocol stack is a specific software implementation of a network protocol suite. One protocol in a suite is typically designed for one purpose only, which makes its design easier. Because each protocol module typically communicates with two other protocol modules, one above and one below, the modules are usually thought of as layers in the network protocol stack. The lowest layer always describes the physical interaction with the hardware, each higher layer adds more features, and the user application only deals with the uppermost protocol.
The netfilter module is a firewall subsystem in kernel space introduced by Linux 2.4.X, and may consist of packet filtering tables containing a rule set used by the kernel to control packet filtering. The netfilter module serves as a generic, abstract framework that provides a complete set of hook function management mechanisms that enable, for example, packet filtering, network address translation, and protocol type based connection tracking. The netfilter architecture places some detection points at several positions of the whole network flow, and registers some processing functions at each detection point for processing, because the netfilter provides a framework of the whole firewall, each protocol realizes its own functions based on the netfilter framework, each protocol has an independent table to store its own configuration information, and they are configured and run completely independently.
The iptables module is understood to be a client agent, in particular a tool of the user space (userspace), for inserting, modifying and removing rules in the packet filtering table, through which the user can execute the user's security settings into the corresponding netfilter framework.
The Linux kernel module is an operating system kernel of the central control system and is used for providing a basic operating system kernel framework.
In the embodiment of the application, before an external network data log packet passes in turn through the network protocol stack and the firewall netfilter module and reaches the Linux kernel module of the central control system of the vehicle, all network data log packets reaching the central control system can be collected by the collecting module. The collecting module then sends the network data log packet to the processing module, which performs basic filtering of the network data log packet through a white list and a black list in the netfilter module. The white list comprises a fixed number of IP addresses of access hosts that the central control system considers safe, for example the IP of the host used to send an Over-the-Air (OTA) upgrade request. The blacklist comprises a fixed number of IP addresses of access hosts that the central control system considers unsafe, for example the IP of hosts that have been verified to send malicious interference requests. The processing module filters network data log packets through this black-and-white list: for example, network data log packets sent by a host IP in the white list are allowed through the firewall into the Linux kernel, while network data log packets sent by a host IP in the black list are prevented from entering the Linux kernel through the firewall.
However, in practical applications, if the fixed white list and the fixed black list are adopted, the flexibility of the central control system of the vehicle in accessing the network service is greatly limited, so that the application range of the network service of the central control system is narrower, for example, after a period of time, the timeliness of data in the white list and the blacklist is poor, and some new hosts cannot provide services for the central control system because the new hosts are not in the black and white list.
In the embodiment of the present application, in order to solve the above problem, the processing module may send the host source IP address of a network data log packet that is in neither the white list nor the black list to the detection server, which is configured to provide a malicious IP address detection service. For example, in one case the detection server may check whether the IP address is requesting access to a network card or port of the central control system that is not open to the outside; if so, the address is a malicious address, and if not, it is a normal address. In another case, whether the IP address is malicious may be determined by collecting feedback opinions about the IP address: if a large number of feedback opinions indicate that the IP address is malicious, it is treated as a malicious address. After detection, the detection server returns a detection result for the source address to the processing module.
Further, the processing module may send a detection result of the source address to the policy generation module, and in the case that the detection result is that the source address is a secure address, the policy generation module may write, through the iptables module, an identifier of the source address and a corresponding access destination port as a request type into the white list, so that the processing module executes a policy that allows receiving a network data log packet having the request type; and under the condition that the detection result is that the source address is a malicious address, the policy generation module can write the source address and the identification of the target port which is accessed correspondingly into a blacklist through the iptables module as the request type, so that the processing module executes the policy for intercepting the network data log packet with the request type.
In the embodiment of the application, the network data log packet corresponding to the request types which are not included in the white list and the black list can be sent to the detection server for detection, and the request type of the network data log packet is dynamically added into the white list or the black list according to the detection result, so that the purpose of dynamically adjusting the content of the black list is achieved, the dynamic change capacity of the black list along with time is improved, the timeliness of the black list is improved, the flexibility of the central control system for accessing the network service is improved, the central control system can continuously access the newly added security network service along with time, and the user experience is improved.
Referring to fig. 2, a flowchart of a method for adjusting a black-and-white list according to an embodiment of the present application is shown. The method is applied to a central control system of a vehicle and comprises the following steps:
Step 101, acquiring a network data log packet, and extracting a network message in the network data log packet, wherein the network message comprises a source address.
The embodiment of the application can be applied to a central control system of a vehicle. The network data log packet is a log-form data packet sent by an external network service, and can be used by the central control system to provide vehicle-mounted services, upgrade the vehicle machine, and the like.
Specifically, the description of the specific implementation process of the embodiment of the present application may be performed based on the system architecture of the black-and-white list adjustment method provided in fig. 1, where before the external network data log packet sequentially passes through the network protocol stack and the firewall netfilter module to reach the Linux kernel module of the central control system of the vehicle, all the network data log packets that reach the central control system through the network protocol stack may be obtained through the collection module.
Further, in order to perform subsequent screening and filtering on the network data log packet, parameters related to the sending of the network data log packet by the external host, such as a source address, a protocol type, a destination port, etc. of the external host, are required to be acquired first, and these parameters are all present in a network packet of the network data log packet, so that these parameters may be acquired by extracting the network packet in the network data log packet.
Specifically, when the external host sends data to the central control system, each layer from top to bottom adds the protocol header and trailer information of that layer to the data. In the data link layer the data is transmitted in the form of frames; when a frame is received and handed to the second layer for processing, the frame header and trailer are stripped to obtain a data packet. The packet is then handed to the third layer, which obtains the information in the packet by identifying the packet header; after the third layer has finished, the data with the header removed is handed to the fourth layer, where it is a message. Correspondingly, when the central control system receives data sent by an external host, each layer from bottom to top removes the protocol header and trailer encapsulated by the previous layer, so the information contained in the message header can be obtained by decapsulating the network data log packet. The format is as follows:
Source—Destination—Protocol—Source Port—Destination Port—Interface—Counts;
Source: source address;
Destination: destination address;
Protocol: protocol type;
Source Port: source port;
Destination Port: destination port;
Interface: the vehicle network card accessed;
Counts: number of times the same IP has accessed the vehicle.
Step 102, based on the request types of the network messages not included in the white list and the black list, the source address is sent so that the detection server returns a detection result after the security detection of the source address.
In the embodiment of the present application, referring to fig. 1, the central control system may perform basic filtering of the network data log packet through the processing module, based on a white list and a black list in netfilter. The white list comprises a fixed number of IP addresses of access hosts that the central control system considers safe, and the blacklist comprises a fixed number of IP addresses of access hosts that the central control system considers unsafe. Basic filtering of network data log packets is then performed: for example, network data log packets sent by a host IP in the whitelist are allowed through the firewall into the Linux kernel, and network data log packets sent by a host IP in the blacklist are prevented from entering the Linux kernel through the firewall.
Further, with respect to fig. 1, in the embodiment of the present application, the host source IP address of the network data log packet that is not on the white list and is not on the black list may be sent to the detection server by the processing module, where the detection server is used to provide a detection service of a malicious IP address, for example, in one case, by detecting whether the IP address is an IP address of a network card or a port that is not open to the outside in the access central control system, if yes, the IP address is a malicious address; if not, the address is a normal address. In another case, whether the IP address is a malicious address may be determined by collecting feedback opinions about the IP address, and if a large number of feedback opinions indicate that the IP address is a malicious address, the IP address is a malicious address. After detection, the detection server can return a detection result of a source address to the processing module.
Step 103, adding the request type of the network message in the corresponding blacklist or the whitelist based on the security of the source address in the detection result.
In the embodiment of the present application, referring to fig. 1, after detecting the security of the source address the detection server may return a detection result to the processing module of the central control system. The detection result includes the security of the source address, and different detection results correspond to different lists. For example, the detection result may be that the source address is a secure address or that the source address is a malicious address; the blacklist is the list that stores malicious addresses and the whitelist is the list that stores secure addresses, so the result "secure address" corresponds to the whitelist and the result "malicious address" corresponds to the blacklist. The policy generation module can therefore add the request type of the network message to the corresponding list based on the security of the source address in the detection result, and the processing module then executes the processing policy for network data log packets containing a request type in that list, namely communicating with, or disconnecting from, the external host that sent the network data log packet.
Optionally, step 103 may specifically include:
Step 1031, adding the request type of the network message to the white list based on the detection result that the source address is a secure address.
Referring to fig. 1, in case that the detected result is that the source address is a secure address, the policy generation module may write the source address and the identification of the destination port to be accessed correspondingly as a request type into a white list through the iptables module, so that the processing module executes a policy that allows receiving a network data log packet having the request type.
Step 1032, adding the request type of the network message to the blacklist based on the detection result that the source address is a malicious address.
Referring to fig. 1, in case that the detected result is that the source address is a malicious address, the policy generation module may write the source address and the identifier of the destination port to be accessed correspondingly into the blacklist as a request type through the iptables module, so that the processing module executes a policy of intercepting the network data log packet having the request type.
Optionally, a secure address is an address requesting access to a network card and/or port that is open to the outside, and a malicious address is an address requesting access to a network card and/or port that is not open to the outside.
In the embodiment of the application, because the central control system can be linked to each logic control unit in the vehicle, the network communication security of the whole vehicle becomes more important. Various network cards or ports related to network communication security are arranged in the central control system, and for security reasons these network cards or ports may not be opened to the outside (for example, the in-vehicle camera port or the user data transmission network card). If the external host corresponding to a source address requests access to network cards and/or ports that are not open to the outside, the access can be considered to affect the network communication security of the whole vehicle, and the source address of that external host can be determined to be a malicious address. If the external host corresponding to a source address requests access to network cards and/or ports of the central control system that are open to the outside, the access can be considered not to affect the network communication security of the whole vehicle, and the source address can be determined to be a secure address.
Optionally, after step 101 and before step 102, the following may further be performed: determining that the white list does not include the request type of the network message, based on the white list not including the source address; and determining that the blacklist does not include the request type of the network message, based on the blacklist not including the source address.
In the embodiment of the present application, the format of the information contained in the header of the network packet is as follows:
Source—Destination—Protocol—Source Port—Destination Port—Interface—Counts;
where Source is the source address, Destination the destination address, Protocol the protocol type, Source Port the source port, Destination Port the destination port, Interface the vehicle network card accessed, and Counts the number of times the same IP has accessed the vehicle machine. The request type of the network message comprises the source address of the external host and the destination port of the vehicle central control system that the external host requests to access.
It can be seen that, referring to fig. 1, if the processing module determines that the white list includes the source address, it may consider the network data log packet that the external host of that source address requests to send to the vehicle central control system to be currently trusted; if the processing module determines that the white list does not include the source address, it may consider that packet not to be currently trusted. Therefore, based on the white list not including the source address, the request type of the network message in the network data log packet sent by the external host is determined when step 102 is executed.
If the processing module determines that the blacklist includes the source address, the network data log packet sent by the external host of that source address to the vehicle central control system can be considered to require interception currently; if the processing module determines that the blacklist does not include the source address, that packet can be considered not to require interception currently. Therefore, based on the blacklist not including the source address, the request type of the network message in the network data log packet sent by the external host is determined when step 102 is executed.
Further, in a preferred embodiment, since the Destination Port in the network message is a Destination Port of the central control system of the vehicle that the external host requests to access, the determination of whether the black-and-white list includes the request type of the network message may also be performed in combination with the security of the source address of the external host and the security of the Destination Port that the external host requests to access. If the processing module judges that the white list includes the source address and the identifier of the target port, the processing module can consider that the network data log packet sent by the external host request of the source address to the target port of the central control system is currently trusted, if the processing module judges that the white list does not include the source address and the identifier of the target port, the processing module can consider that the network data log packet sent by the external host request of the source address to the target port of the central control system is not currently trusted, so that based on the white list not including the source address and the identifier of the target port, the request type of the network message in the network data log packet sent by the external host is also determined when the step 102 is executed.
If the processing module judges that the blacklist comprises the source address and the identifier of the target port, the processing module can consider that the network data log packet of the external host request of the source address sent to the target port of the central control system is required to be intercepted currently, if the processing module judges that the blacklist does not comprise the source address and the identifier of the target port, the processing module can consider that the network data log packet of the external host request of the source address sent to the target port of the central control system is not required to be intercepted currently, for example, the blacklist comprises the source address of the external host, which indicates that the external host is a host corresponding to a malicious address, and the sent data is required to be intercepted; the blacklist includes the identifier of the target port, which indicates that the target port is a sensitive port (such as a camera interface) that the central control system does not open to the outside, so, based on the blacklist does not include the identifier of the source address and the target port, the request type of the network message in the network data log packet sent by the external host may also be determined when the step 102 is executed.
According to the embodiment of the application, under the scheme of black-and-white list management that combines the source address with the identifier of the target port, the network data log packet can be filtered by further taking into account the security of the target port accessed by an external host on top of the analysis of the security of the source address. Security management of the sensitive ports of the central control system is thereby effectively realized, and the communication security of the central control system is further improved.
Optionally, after step 101 and before step 102, the following may also be performed: executing a policy that allows receiving the network data log packet with the request type, based on the white list including the request type of the network message; and executing a policy that intercepts the network data log packet with the request type, based on the blacklist including the request type of the network message.
Referring to fig. 1, if the processing module determines that the white list includes the source address and the identifier of the destination port, the white list can be regarded as including the request type of the network message in the network data log packet sent by the external host, that is, the behavior of the external host at that source address requesting access to the destination port of the central control system of the vehicle is currently trusted. The firewall netfilter may then execute a policy that allows receiving the network data log packet with that request type, so that the packet can enter the Linux kernel of the central control system.
If the processing module determines that the blacklist includes the source address and the identifier of the target port, the blacklist can be regarded as including the request type of the network message in the network data log packet sent by the external host, that is, the behavior of the external host at that source address requesting access to the target port of the central control system of the vehicle must currently be intercepted. The firewall netfilter may then execute a policy that intercepts the network data log packet with that request type, so that the packet is prevented from entering the Linux kernel of the central control system.
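The decision flow described above (local whitelist and blacklist lookup on the source address and destination port, escalation to the detection server only for request types found in neither list, and dynamic insertion of the request type into the matching list, which is also what the summary at the end of the method section refers to) is shown below as an added Python example; it is not code from the patent. ListManager, Verdict, handle_packet and RecordingDetector are names chosen here, the detection server is replaced by a constructed stand-in that treats a source address as safe only when it asks for one of the open ports 443 or 8443, and the blacklist is assumed to match on either a blacklisted source address or a blacklisted port, following the malicious-address and sensitive-port cases given in the description.

```python
"""Black/white list decision with escalation to a detection server.

Added example (not code from the patent). ListManager, Verdict,
handle_packet and RecordingDetector are names chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set, Tuple

# A request type is the (source address, destination port) pair an external
# host uses when it talks to the vehicle's central control system.
RequestType = Tuple[str, int]


class Verdict(Enum):
    ALLOW = "allow"          # whitelist hit: netfilter accepts the packet
    INTERCEPT = "intercept"  # blacklist hit: netfilter drops the packet
    UNKNOWN = "unknown"      # in neither list: ask the detection server


@dataclass
class ListManager:
    whitelist: Set[RequestType] = field(default_factory=set)
    blacklist: Set[RequestType] = field(default_factory=set)

    def classify(self, source: str, dest_port: int) -> Verdict:
        # Assumed matching rule: a blacklist entry applies if either its source
        # (malicious host) or its port (sensitive port) matches; deny wins.
        if any(s == source or p == dest_port for s, p in self.blacklist):
            return Verdict.INTERCEPT
        # The whitelist needs both the source address and the port identifier.
        if (source, dest_port) in self.whitelist:
            return Verdict.ALLOW
        return Verdict.UNKNOWN

    def apply_detection(self, source: str, dest_port: int, is_safe: bool) -> Verdict:
        """Add the request type to the list that matches the detection result."""
        if is_safe:
            self.whitelist.add((source, dest_port))
            return Verdict.ALLOW
        self.blacklist.add((source, dest_port))
        return Verdict.INTERCEPT


def handle_packet(mgr: ListManager, source: str, dest_port: int,
                  detect: Callable[[str, int], bool]) -> Verdict:
    """Local lookup first; the detection server is consulted only for unknowns."""
    verdict = mgr.classify(source, dest_port)
    if verdict is Verdict.UNKNOWN:
        verdict = mgr.apply_detection(source, dest_port, detect(source, dest_port))
    return verdict


class RecordingDetector:
    """Constructed stand-in for the detection server: a source address is
    'safe' when it asks for a port the system opens to the outside."""
    OPEN_PORTS = {443, 8443}

    def __init__(self) -> None:
        self.calls: List[RequestType] = []

    def __call__(self, source: str, dest_port: int) -> bool:
        self.calls.append((source, dest_port))
        return dest_port in self.OPEN_PORTS


def demo():
    """Four constructed packets; returns verdicts, detector calls and both lists."""
    mgr = ListManager()
    detector = RecordingDetector()
    packets = [("10.0.0.5", 443),    # unknown -> detected safe -> whitelisted
               ("10.0.0.5", 443),    # whitelist hit, no detection call
               ("10.0.0.9", 5000),   # unknown -> detected malicious -> blacklisted
               ("10.0.0.5", 5000)]   # sensitive port 5000 now intercepts any host
    verdicts = [handle_packet(mgr, s, p, detector) for s, p in packets]
    return verdicts, len(detector.calls), sorted(mgr.whitelist), sorted(mgr.blacklist)


if __name__ == "__main__":
    print(demo())
```

The blacklist is checked before the whitelist so that a port later marked sensitive is intercepted even for a host that was previously trusted; the description does not fix this precedence, so it is a design choice of this example. The recorded detector calls show that the second and fourth packets are decided locally without a round trip to the detection server, which is the timeliness gain the description attributes to keeping the lists up to date.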
Optionally, the network message further includes the number of accesses by the source address; after step 101, steps 104 and 105 may also be performed in sequence:
Step 104: counting the network resource occupation amount of the network data log packet within a preset time period according to the number of accesses by the source address included in the network message.
In the embodiment of the present application, the format of the information contained in the header of the network message is as follows:
Source—Destination—Protocol—Source Port—Destination Port—Interface—Counts;
where Counts is the number of times the same IP has accessed the vehicle head unit, that is, the number of times the external host at the source address included in the network message has accessed the central control system. Based on this parameter, the network resource occupation amount of the network data log packet within the preset time period can be counted; this amount represents the network bandwidth currently occupied by the external host.
Step 105: executing a policy for intercepting the network data log packet, or a policy for limiting the speed of the process that receives the network data log packet, based on the network resource occupation amount being greater than or equal to a preset threshold.
In the embodiment of the application, the network bandwidth of the central control system has a fixed upper limit, so if the network resource occupation amount of one external host is too large, the bandwidth left for the other external hosts is insufficient or too small. Therefore, when the network resource occupation amount of an external host is greater than or equal to the preset threshold, the policy of intercepting the network data log packet, or the policy of limiting the speed of the process that receives the network data log packet, can be executed. The external host with excessive network resource occupation is thus intercepted or rate-limited, the other external hosts are guaranteed a sufficient share of the network bandwidth, and the overall network performance of the central control system is improved.
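Steps 104 and 105, as an added Python example that is not the patent's code: it parses the header format given above, keeps a sliding-window sum of Counts per source address as the network resource occupation amount, and chooses between interception and rate limiting once the preset threshold is reached. Header, parse_header, ResourceMonitor, run_log and the timestamped log lines are constructed for this illustration, and Counts is assumed to be the number of accesses reported by each individual log packet rather than a running total.

```python
"""Per-source network resource accounting for network data log packets.

Added example (not code from the patent). Header, parse_header,
ResourceMonitor, run_log and SAMPLE_LOG are constructed for illustration;
Counts is assumed to be the accesses reported by each individual packet.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Header layout given in the description:
# Source—Destination—Protocol—Source Port—Destination Port—Interface—Counts
SEPARATOR = "—"


@dataclass(frozen=True)
class Header:
    source: str
    destination: str
    protocol: str
    source_port: int
    destination_port: int
    interface: str
    counts: int


def parse_header(line: str) -> Header:
    """Split one header line into its seven fields; malformed lines are rejected."""
    parts = [p.strip() for p in line.split(SEPARATOR)]
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    return Header(parts[0], parts[1], parts[2], int(parts[3]),
                  int(parts[4]), parts[5], int(parts[6]))


class ResourceMonitor:
    """Sliding-window sum of Counts per source address (the occupation amount)."""

    def __init__(self, window_seconds: float, threshold: int, rate_limit: bool = False):
        self.window = window_seconds      # the preset time period
        self.threshold = threshold        # the preset threshold
        self.rate_limit = rate_limit      # speed-limit the receiving process instead of intercepting
        self._samples: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def occupancy(self, hdr: Header, now: float) -> int:
        """Record this packet and return the source's occupation within the window."""
        q = self._samples[hdr.source]
        q.append((now, hdr.counts))
        while q and now - q[0][0] > self.window:   # drop samples older than the period
            q.popleft()
        return sum(c for _, c in q)

    def decide(self, hdr: Header, now: float) -> Tuple[int, str]:
        """Step 105: intercept or rate-limit once the threshold is reached."""
        occ = self.occupancy(hdr, now)
        if occ >= self.threshold:
            return occ, ("rate_limit" if self.rate_limit else "intercept")
        return occ, "accept"


# Constructed sample log: (timestamp in seconds, header line)
SAMPLE_LOG = [
    (0.0, "10.0.0.5—192.168.1.1—TCP—51234—443—eth0—3"),
    (1.0, "10.0.0.5—192.168.1.1—TCP—51235—443—eth0—4"),
    (2.0, "10.0.0.7—192.168.1.1—TCP—40000—8443—eth0—1"),
    (3.0, "10.0.0.5—192.168.1.1—TCP—51236—443—eth0—5"),   # 3+4+5 = 12 >= threshold
    (70.0, "10.0.0.5—192.168.1.1—TCP—51237—443—eth0—2"),  # earlier samples expired
]


def run_log(log=SAMPLE_LOG, window: float = 60.0, threshold: int = 10,
            rate_limit: bool = False) -> List[Tuple[str, int, str]]:
    """Feed a log through the monitor; returns (source, occupancy, action) per packet."""
    mon = ResourceMonitor(window, threshold, rate_limit)
    out = []
    for ts, line in log:
        hdr = parse_header(line)
        occ, action = mon.decide(hdr, ts)
        out.append((hdr.source, occ, action))
    return out


if __name__ == "__main__":
    for row in run_log():
        print(row)
```

With a 60-second window and a threshold of 10, the fourth packet from 10.0.0.5 pushes its occupation to 12 and is intercepted (or rate-limited when the monitor is built with rate_limit=True), while 10.0.0.7 is unaffected; the packet at 70 seconds starts a fresh count because the earlier samples have left the window, so a host is not penalised indefinitely for a past burst.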
In summary, in the method for adjusting the black-and-white list provided by the embodiment of the application, the network data log packet whose request type is included in neither the white list nor the black list can be sent to the detection server for detection, and the request type of that packet is dynamically added to the white list or the black list according to the detection result. The content of the black-and-white list is thereby adjusted dynamically, its ability to change over time and its timeliness are improved, and the flexibility with which the central control system accesses network services is increased, so that the central control system can keep accessing newly added secure network services over time and the user experience is improved.
Referring to fig. 3, a block diagram of a black-and-white list adjustment device according to an embodiment of the present application is shown. The device of this embodiment is applied to a central control system of a vehicle and comprises:
A collecting module 201, configured to obtain a network data log packet and extract the network message in the network data log packet, where the network message includes a source address; the specific implementation of the collection module 201 may refer to the description of the collection module in fig. 1.
A processing module 202, configured to send the source address to the detection server when neither the white list nor the black list includes the request type of the network message, so that the detection server returns a detection result after detecting the security of the source address; the specific implementation of the processing module 202 may refer to the description of the processing module in fig. 1.
And a policy generation module 203, configured to add the request type of the network message to the corresponding blacklist or whitelist based on the security of the source address in the detection result. The specific implementation of the policy generation module 203 may refer to the description of the policy generation module in fig. 1.
Optionally, the policy generation module 203 includes:
a first policy generation sub-module, configured to add a request type of the network packet to the whitelist based on the detection result that the source address is a security address;
and the second policy generation sub-module is used for adding the request type of the network message in the blacklist based on the detection result that the source address is a malicious address.
Optionally, the network packet further includes: identification of the target port;
The apparatus further comprises:
A first determining module, configured to determine that the whitelist does not include the request type of the network message, based on the whitelist not including the source address and the identifier of the destination port;
and a second determining module, configured to determine that the blacklist does not include the request type of the network message, based on the blacklist not including the source address or the identifier of the target port. The first determining module and the second determining module may be modules embedded in the processing module in fig. 1 to implement part of its functions.
Optionally, the apparatus further includes:
A first execution module, configured to execute a policy that allows receiving the network data log packet with the request type, based on the whitelist including the request type of the network message;
and a second execution module, configured to execute a policy that intercepts the network data log packet with the request type, based on the blacklist including the request type of the network message. The first execution module and the second execution module may be modules embedded in the processing module in fig. 1 to implement part of its functions.
Optionally, the security address is an address that requests access to a network card and/or port that is open to the outside; the malicious address is an address that requests access to a network card and/or port that is not open to the outside.
Optionally, the network packet further includes: the number of accesses to the source address;
The apparatus further comprises:
A statistics module, configured to count the network resource occupation amount of the network data log packet within a preset time period according to the number of accesses by the source address included in the network message;
and an interception module, configured to execute a policy that intercepts the network data log packet, or a policy that limits the speed of the process receiving the network data log packet, based on the network resource occupation amount being greater than or equal to a preset threshold.
In summary, in the black-and-white list adjustment device provided by the embodiment of the application, the network data log packet whose request type is included in neither the white list nor the black list can be sent to the detection server for detection, and the request type of that packet is dynamically added to the white list or the black list according to the detection result. The content of the black-and-white list is thereby adjusted dynamically, its ability to change over time and its timeliness are improved, and the flexibility with which the central control system accesses network services is increased, so that the central control system can keep accessing newly added secure network services over time and the user experience is improved.
Embodiments of the present application also provide a computer-readable medium storing at least one instruction, where the at least one instruction is loaded and executed by a processor to implement the method for adjusting a black-and-white list according to the foregoing embodiments.
Embodiments of the present application also provide a computer program product storing at least one instruction that is loaded and executed by a processor to implement the method for adjusting a black-and-white list according to the above embodiments.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the embodiments of the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed; any modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.

Claims (8)

1. A method for adjusting a black-and-white list, which is applied to a central control system of a vehicle, the method comprising:
acquiring a network data log packet, and extracting a network message in the network data log packet, wherein the network message comprises a source address;
Based on the request type that neither the white list nor the black list includes the network message, the source address is sent to enable the detection server to return a detection result after the security detection of the source address;
Based on the security of the source address in the detection result, adding the request type of the network message in the corresponding blacklist or whitelist;
the network message further includes: the number of accesses to the source address;
After the obtaining the network data log packet and extracting the network message in the network data log packet, the method further includes:
According to the access times of the source address included in the network message, counting the network resource occupation amount of the network data log packet in a preset time period;
Executing a strategy for intercepting the network data log packet or executing a strategy for limiting the speed of the process of receiving the network data log packet based on the network resource occupation amount being greater than or equal to a preset threshold value;
After the network data log packet is obtained and the network message in the network data log packet is extracted, before the source address is sent based on the request type that neither the white list nor the black list includes the network message, the method further includes:
Determining a request type of the white list excluding the network message based on the white list excluding the source address;
And determining the request type of the blacklist which does not comprise the network message based on the blacklist which does not comprise the source address.
2. The method according to claim 1, wherein adding the request type of the network packet in the corresponding blacklist or whitelist based on the security of the source address in the detection result to execute a processing policy for the network data log packet having the request type includes:
Based on the detection result that the source address is a safety address, adding the request type of the network message in the white list;
And adding the request type of the network message in the blacklist based on the detection result that the source address is a malicious address.
3. The method according to claim 1, wherein the method further comprises:
Executing a strategy for allowing to receive a network data log packet with the request type based on the request type comprising the network message in the white list;
And executing a strategy for intercepting the network data log packet with the request type based on the request type including the network message in the blacklist.
4. The method according to claim 2, wherein the secure address is an address requesting access to a network card and/or port that is open to the outside; the malicious address is an address for requesting to access a network card and/or a port which are not open to the outside.
5. A black-and-white list adjustment device applied to a central control system of a vehicle, the device comprising:
The collecting module is used for obtaining a network data log packet and extracting a network message in the network data log packet, wherein the network message comprises a source address;
The processing module is used for sending the source address based on the request type of the network message which is not included in the white list and the black list, so that the detection server returns a detection result after the security of the source address is detected;
The policy generation module is used for adding the request type of the network message in the corresponding blacklist or whitelist based on the security of the source address in the detection result so as to execute a processing policy of the network data log packet with the request type;
The apparatus further comprises:
The statistics module is used for counting the network resource occupation amount of the network data log packet in a preset time period according to the access times of the source address included in the network message;
The interception module is used for executing a strategy for intercepting the network data log packet or executing a strategy for limiting the speed of a process of receiving the network data log packet based on the fact that the network resource occupation amount is larger than or equal to a preset threshold value;
The apparatus further comprises:
A first determining module, configured to determine, based on an identifier of the whitelist that does not include the source address and the destination port, a request type of the whitelist that does not include the network packet;
and the second determining module is used for determining the request type of the network message which is not included in the blacklist based on the identification of the source address and the target port which are not included in the blacklist.
6. The apparatus of claim 5, wherein the policy generation module comprises:
A first policy generation sub-module, configured to add a request type of the network packet to the whitelist based on the detection result that the source address is a security address, so as to execute a policy that allows receiving a network data log packet with the request type;
And the second policy generation sub-module is used for adding the request type of the network message in the blacklist based on the detection result that the source address is a malicious address so as to execute a policy for intercepting the network data log packet with the request type.
7. An electronic device comprising a processor and a memory; the memory stores at least one instruction for execution by the processor to implement the black-and-white list adjustment method of any one of claims 1 to 4.
8. A computer readable storage medium storing at least one instruction for execution by a processor to implement the method of black and white list adjustment of any one of claims 1 to 4.
CN202111418073.9A 2021-11-25 2021-11-25 Black and white list adjustment method and device Active CN114257416B (en)


Publications (2)

Publication Number Publication Date
CN114257416A CN114257416A (en) 2022-03-29
CN114257416B true CN114257416B (en) 2024-07-12

Family

ID=80793371


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118740410A (en) * 2023-03-29 2024-10-01 华为技术有限公司 Source address verification list acquisition method, device, electronic device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428185A (en) * 2012-05-24 2013-12-04 百度在线网络技术(北京)有限公司 Message filtering/speed limit method, system and device
CN109474625A (en) * 2018-12-25 2019-03-15 北京知道创宇信息技术有限公司 Network safety protection method, device and embedded system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269B (en) * 2009-06-29 2012-05-02 成都市华为赛门铁克科技有限公司 Method, device and gateway device for detecting abnormal connection
US9817987B2 (en) * 2013-12-23 2017-11-14 Dropbox, Inc. Restricting access to content
CN104901971B (en) * 2015-06-23 2019-03-15 北京东方棱镜科技有限公司 The method and apparatus that safety analysis is carried out to network behavior
US11397801B2 (en) * 2015-09-25 2022-07-26 Argus Cyber Security Ltd. System and method for controlling access to an in-vehicle communication network
WO2019116973A1 (en) * 2017-12-15 2019-06-20 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Fraud detection device, in-vehicle network system, and fraud detection method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant