
WO2019237813A1 - Service resource scheduling method and apparatus - Google Patents

Service resource scheduling method and apparatus

Info

Publication number
WO2019237813A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
address
domain name
virtual
reputation value
Prior art date
Application number
PCT/CN2019/082472
Other languages
English (en)
French (fr)
Inventor
王照旗
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2019237813A1
Priority to US17/119,720 (US11671402B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5061 Pools of addresses

Definitions

  • the embodiments of the present application relate to the field of information security technologies, and in particular, to a method and an apparatus for scheduling service resources.
  • In cloud-based services, network service providers rent server clusters provided by network infrastructure providers, and these servers use virtual IP addresses to provide services to users.
  • a network service provider can be considered a "tenant" of network infrastructure. When a user accesses a domain name of a network service provider, the domain name is first resolved into a virtual IP address, and the user then enjoys network services by accessing the virtual IP address.
  • cloud-based distributed denial of service (DDoS) attack defense services and cloud firewall products are proposed.
  • Cloud-based DDoS attack defense services or cloud firewall products use multiple network security devices to perform security detection on traffic to the protected server.
  • When a network security device fails or is attacked, traffic can be switched to other network security devices.
  • Performing security inspection in this way guarantees the security of the protected server on the one hand, and service availability for users on the other.
  • Each network security device has a virtual IP address, and the domain name of the tenant is resolved to the virtual IP address of one of the network security devices.
  • Threat-based scheduling analysis means that in the cloud-based DDoS attack defense service and cloud firewall, the tenant domain name can be randomly scheduled and resolved to other available virtual IPs based on the state of the tenant's business being attacked.
  • the cloud-based DDoS attack defense service and cloud firewall stop resolving the tenant domain name to the attacked virtual IP address and resolve the domain name to another available virtual IP address.
  • DNS: domain name system
  • HTTPDNS: HTTP-based DNS
  • the domain name of a tenant is www.abc.com
  • the IP address resource pool corresponding to the domain name www.abc.com includes VIP1 and VIP2
  • VIP1 is the IP address of network security device 1
  • VIP2 is the IP address of network security device 2.
  • As shown in FIG. 1, when a user initiates an access request to a domain name (www.abc.com), the DNS server queries the virtual IP address corresponding to the domain name www.abc.com, which is VIP1.
  • the domain name resolution result VIP1 is returned to the user, and the user accesses VIP1 to obtain services such as the web page provided by www.abc.com.
  • When an attack is detected, network security device 1 may report the attack information to the scheduling module.
  • The scheduling module updates the status of VIP1 to unavailable or under attack, looks up the tenant's domain name through VIP1, and looks up an available VIP in the IP address resource pool according to the tenant's domain name, which is VIP2; it then notifies the DNS to update the resolved address of www.abc.com to VIP2, diverting the attack traffic to network security device 2 corresponding to VIP2.
  • The method of scheduling according to the attack information reported by the network security device switches the traffic accessing the tenant's service to another network security device after the attack.
  • This traffic includes both traffic from hackers and traffic from normal users.
  • Switching it may affect the service quality of normal users, causing normal users to be unable to use the tenant's services or to experience slow access.
  • The embodiments of the present application provide a method and device for scheduling service resources, which can alleviate the problem that, when a traditional cloud DDoS attack defense service or cloud firewall product is scheduled in response to an attack, existing normal users cannot use the tenant's services normally or experience slow access.
  • a method for scheduling service resources is provided, which is applied to a network including a terminal, a business server, a domain name system server, and at least one network security device.
  • Each of the at least one network security device has a virtual IP address, and in the domain name system server the domain name of the service provided by the service server is mapped to an IP address resource pool that includes at least two virtual IP addresses. The method includes: the domain name system server receives a domain name resolution request sent by the first terminal, where the domain name resolution request includes the domain name; and selects a virtual IP address from the IP address resource pool according to the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address in the IP address resource pool.
  • A terminal reputation value of a terminal is used to indicate the security degree of the terminal, and an IP reputation value of a virtual IP address is used to indicate the security degree of the virtual IP address.
  • the domain name system server selects a virtual IP address for the terminal based on the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, so that the terminal accesses the selected virtual IP address to enjoy network services.
  • In this way, only a small amount of terminal traffic is dispatched to other network security devices, instead of also switching the access traffic of normal users, which ensures that most normal users can use the tenant's services normally without affecting the quality of service.
  • Selecting a virtual IP address includes: if the terminal reputation value of the first terminal is greater than or equal to the first user threshold, determining a first virtual IP address set from the IP address resource pool, where the IP reputation value of each virtual IP address in the first virtual IP address set is greater than or equal to the first service threshold; and selecting a virtual IP address from the first virtual IP address set.
  • the domain name system server can select a higher security virtual IP address for a terminal with higher security, thereby ensuring that a terminal with higher security can enjoy higher quality services, thereby improving network performance and user experience.
  • The method further includes: the domain name system server receives a domain name resolution request sent by the second terminal, and the domain name resolution request sent by the second terminal includes the domain name; if the terminal reputation value of the second terminal is less than the second user threshold, a second virtual IP address set is determined from the IP address resource pool, where the IP reputation value of each virtual IP address in the second virtual IP address set is less than the second service threshold, the first user threshold is greater than or equal to the second user threshold, and the first service threshold is greater than or equal to the second service threshold; a virtual IP address is selected from the second virtual IP address set; and a domain name resolution response is sent to the second terminal, carrying the virtual IP address selected from the second virtual IP address set.
  • The domain name system server can thus select a less secure virtual IP address for a less secure terminal, ensuring that a less secure terminal receives a lower quality service, so that the access of a less secure terminal does not affect the network performance of other terminals.
  • the method further includes: obtaining a terminal reputation value of the first terminal and an IP reputation value of each virtual IP address.
  • Acquiring the terminal reputation value of the first terminal includes: receiving the terminal reputation value of the first terminal sent by the first terminal; or receiving terminal device parameters sent by the first terminal and determining the terminal reputation value of the first terminal according to the terminal device parameters.
  • several methods are provided for the domain name system server to obtain the terminal reputation value, which improves the diversity of obtaining the terminal reputation value.
  • When the domain name system server determines the terminal reputation value, the power consumption of the terminal can be reduced.
  • The terminal reputation value of the first terminal is carried in a domain name resolution request sent by the first terminal, or the terminal device parameters of the first terminal are carried in a domain name resolution request sent by the first terminal.
  • the number of signaling interactions between the DNS server and the terminal is reduced.
  • the terminal device parameters include at least one hardware fingerprint
  • Determining the terminal reputation value of the first terminal according to the terminal device parameters includes: querying a preset reputation score corresponding to each hardware fingerprint in the at least one hardware fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each hardware fingerprint.
  • The at least one hardware fingerprint includes one or more of the following: GPS fingerprint, Bluetooth fingerprint, battery fingerprint, camera fingerprint, WiFi module fingerprint, temperature sensor fingerprint, microphone module fingerprint.
  • The terminal device parameters further include at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: querying a preset reputation score corresponding to each software fingerprint in the at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each software fingerprint; where the at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, power characteristics, mobile phone model, SIM card serial number, mobile phone number.
  • IMEI: international mobile equipment identity
  • UUID: universally unique identifier
  • the terminal device parameters further include at least one piece of malicious information
  • Determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: querying a preset reputation score corresponding to each piece of malicious information in the at least one piece of malicious information, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each piece of malicious information; where the at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to a file stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, abnormal process information.
  • The terminal device parameters further include the number of connections and transmission traffic, and determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: when the number of connections and/or the transmission traffic is in an abnormal state, updating the terminal reputation value of the first terminal.
  • Acquiring the IP reputation value of each virtual IP address includes: receiving attack information sent by one network security device among the at least one network security device, where the attack information includes the attacked IP address; and determining the IP reputation value of each virtual IP address based on the attacked IP address.
  • the attack information further includes an IP address of the attack source
  • The method further includes: if the IP address of the attack source is the IP address of the first terminal, updating the terminal reputation value of the first terminal.
  • By determining or updating the terminal reputation value and the IP reputation value of each virtual IP address, the domain name system server can ensure the validity of these values, ensuring that an appropriate virtual IP address is selected from the IP address resource pool according to them and thereby improving the accuracy of virtual IP address selection.
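  • The following is an added worked example, not code from the patent or from the assignee: it models the DNS-side selection described above (first/second user and service thresholds, attack reports lowering the IP reputation of the attacked VIP and of a known attack-source terminal) together with the terminal-side derivation of a reputation value from device parameters described later. All preset scores, thresholds, pool contents, terminal addresses and the rule for terminals between the two user thresholds are constructed assumptions.

```python
"""Reputation-driven virtual IP selection, modelled on the method described above.
Added illustration, not the patent's own code; every score, threshold and
sample value is a constructed assumption."""
from dataclasses import dataclass, field

# Constructed preset reputation scores for terminal device parameters.
BASE_SCORE = 50
HARDWARE_FINGERPRINT_SCORE = 10   # per recognised hardware fingerprint
MALICIOUS_INFO_PENALTY = 25       # per piece of malicious information
ABNORMAL_TRAFFIC_PENALTY = 20     # number of connections or transmission traffic abnormal
MAX_CONNECTIONS = 1000            # assumed "abnormal" boundaries
MAX_TRAFFIC_BYTES = 50_000_000


def terminal_reputation(params: dict) -> int:
    """Derive a terminal reputation value (0..100) from terminal device parameters.

    Hardware fingerprints raise the score, each piece of malicious information
    lowers it, and an abnormal number of connections or transmission traffic
    lowers it again (the update step the description mentions).
    """
    score = BASE_SCORE
    score += HARDWARE_FINGERPRINT_SCORE * len(params.get("hardware_fingerprints", ()))
    score -= MALICIOUS_INFO_PENALTY * len(params.get("malicious_info", ()))
    if (params.get("connections", 0) > MAX_CONNECTIONS
            or params.get("traffic_bytes", 0) > MAX_TRAFFIC_BYTES):
        score -= ABNORMAL_TRAFFIC_PENALTY
    return max(0, min(100, score))


@dataclass
class DnsScheduler:
    """Domain name system server side: each domain maps to an IP address resource pool.

    pools: domain -> {virtual IP -> IP reputation value}.
    The description requires first_user >= second_user and first_service >= second_service.
    """
    pools: dict
    first_user: int = 70
    first_service: int = 70
    second_user: int = 40
    second_service: int = 40
    attack_penalty: int = 50                          # assumed reputation drop per attack report
    terminals: dict = field(default_factory=dict)     # terminal IP -> last known reputation value

    def __post_init__(self):
        if self.first_user < self.second_user or self.first_service < self.second_service:
            raise ValueError("first thresholds must be >= second thresholds")

    def resolve(self, domain: str, terminal_ip: str, terminal_rep: int) -> str:
        """Select a virtual IP for the terminal and remember the terminal's reputation."""
        self.terminals[terminal_ip] = terminal_rep
        pool = self.pools[domain]
        if terminal_rep >= self.first_user:
            # First set: VIPs whose IP reputation is at least the first service threshold.
            candidates = [v for v, r in pool.items() if r >= self.first_service]
        elif terminal_rep < self.second_user:
            # Second set: VIPs whose IP reputation is below the second service threshold.
            candidates = [v for v, r in pool.items() if r < self.second_service]
        else:
            # Terminals between the two user thresholds: the description fixes no rule;
            # assumption here is that any VIP in the pool may be selected.
            candidates = list(pool)
        if not candidates:
            # Assumption: fall back to the whole pool rather than refuse resolution.
            candidates = list(pool)
        # Deterministic choice: highest IP reputation first, then lexical order.
        return sorted(candidates, key=lambda v: (-pool[v], v))[0]

    def report_attack(self, domain: str, attacked_vip: str, source_ip: str = None) -> None:
        """Attack information from a network security device: lower the attacked VIP's
        IP reputation and, if the attack source is a known terminal, its reputation too."""
        pool = self.pools[domain]
        if attacked_vip in pool:
            pool[attacked_vip] = max(0, pool[attacked_vip] - self.attack_penalty)
        if source_ip in self.terminals:
            self.terminals[source_ip] = max(0, self.terminals[source_ip] - self.attack_penalty)


def demo() -> tuple:
    """Walk through the www.abc.com pool from the description with constructed values."""
    sched = DnsScheduler(pools={"www.abc.com": {"VIP1": 90, "VIP2": 80, "VIP3": 30}})
    good = terminal_reputation({"hardware_fingerprints": ["gps", "bluetooth", "battery"]})
    bad = terminal_reputation({"hardware_fingerprints": ["gps"],
                               "malicious_info": ["abnormal_port"], "connections": 5000})
    first = sched.resolve("www.abc.com", "192.0.2.10", good)    # high-reputation terminal
    second = sched.resolve("www.abc.com", "192.0.2.20", bad)    # low-reputation terminal
    # A network security device reports VIP1 attacked, with the low-reputation terminal as source.
    sched.report_attack("www.abc.com", first, source_ip="192.0.2.20")
    after = sched.resolve("www.abc.com", "192.0.2.10", good)    # only VIP2 still qualifies
    return good, bad, first, second, after, sched.terminals["192.0.2.20"]


if __name__ == "__main__":
    print(demo())
```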
  • a method for scheduling service resources is provided, which is applied to a network including a terminal, a business server, a domain name system server, and at least one network security device.
  • Each of the at least one network security device has a virtual IP address, and in the domain name system server the domain name of the service provided by the service server is mapped to an IP address resource pool that includes at least two virtual IP addresses.
  • The method includes: the terminal obtains terminal device parameters, where the terminal device parameters are used to determine the terminal reputation value and the terminal reputation value is used to indicate the security level of the terminal; sends a domain name resolution request to the domain name system server, where the domain name resolution request includes the domain name; and receives a domain name resolution response sent by the domain name system server.
  • the domain name resolution response carries a virtual IP address in the IP address resource pool.
  • The virtual IP address carried in the domain name resolution response is selected by the domain name system server from the IP address resource pool according to the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, where the IP reputation value of a virtual IP address is used to indicate the security level of the virtual IP address.
  • The terminal obtains the terminal device parameters so that the domain name system server can select a virtual IP address for the terminal according to the IP reputation value of each virtual IP address in the IP address resource pool and the terminal reputation value determined from the terminal device parameters, and the terminal can then access the network security device corresponding to the selected virtual IP address, ensuring the security of the terminal while it uses network services. In this way, when a hacker attack occurs, the probability of service quality degradation for the terminal is reduced.
  • Before sending the domain name resolution request to the domain name system server, the method includes: sending the terminal device parameters to the domain name system server; or determining the terminal reputation value according to the terminal device parameters and sending the terminal reputation value to the domain name system server.
  • Several methods are provided for obtaining the terminal reputation value, which improves the diversity of obtaining it; at the same time, when the terminal sends the terminal device parameters to the domain name system server so that the domain name system server determines the terminal reputation value from them, the power consumption of the terminal can be reduced.
  • the terminal device parameters or the terminal reputation value are carried in the domain name resolution request.
  • the signaling interaction between the DNS server and the terminal is reduced.
  • Determining the terminal reputation value according to the terminal device parameters includes: querying a preset reputation score corresponding to each hardware fingerprint in the at least one hardware fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each hardware fingerprint; where the at least one hardware fingerprint includes one or more of the following: GPS fingerprint, Bluetooth fingerprint, battery fingerprint, camera fingerprint, WiFi module fingerprint, temperature sensor fingerprint, microphone module fingerprint.
  • the terminal device parameters further include at least one software fingerprint
  • Determining the terminal reputation value according to the terminal device parameters further includes: querying a preset reputation score corresponding to each software fingerprint in the at least one software fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each software fingerprint; where the at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, power characteristics, SIM card serial number, mobile phone number.
  • The terminal device parameters further include at least one piece of malicious information.
  • Determining the terminal reputation value according to the terminal device parameters further includes: querying a preset reputation score corresponding to each piece of malicious information in the at least one piece of malicious information, and determining the terminal reputation value according to the preset reputation score corresponding to each piece of malicious information; where the at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to a file stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, abnormal process information.
  • The terminal device parameters further include the number of connections and transmission traffic.
  • Determining the terminal reputation value according to the terminal device parameters further includes: when the number of connections and/or the transmission traffic is in an abnormal state, updating the terminal reputation value.
  • The terminal can thus ensure the validity of the terminal reputation value, ensuring that a suitable virtual IP address is selected from the IP address resource pool according to the terminal reputation value and the IP reputation value of each virtual IP address, thereby improving the accuracy of virtual IP address selection.
  • A domain name system server may implement the functions of the method for scheduling service resources provided by the first aspect or any possible implementation manner of the first aspect.
  • the functions may be implemented by hardware, and may also be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above functions.
  • The domain name system server includes a processor, a memory, a communication interface, and a bus, and the processor, the memory, and the communication interface are connected through the bus; the memory is used to store program code, and the communication interface is used to support communication by the DNS server.
  • When the program code is executed by the processor, it causes the DNS server to execute the steps of the service resource scheduling method provided in the first aspect or any possible implementation manner of the first aspect.
  • A terminal may implement the functions of the method for scheduling service resources provided by the second aspect or any possible implementation manner of the second aspect.
  • the functions may be implemented by hardware, and may also be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above functions.
  • The terminal includes a processor, a memory, a communication interface, and a bus, and the processor, the memory, and the communication interface are connected through the bus; the memory is used to store program code, and the communication interface is used to support communication between the terminal and the domain name system server.
  • When the program code is executed by the processor, it causes the terminal to execute the steps of the method for scheduling service resources provided by the second aspect or any possible implementation manner of the second aspect.
  • a system includes a terminal, a service server, a domain name system server, and at least one network security device.
  • The domain name system server is the domain name system server provided by the third aspect or any possible implementation manner of the third aspect, and/or the terminal is the terminal provided by the fourth aspect or any possible implementation manner of the fourth aspect.
  • A computer-readable storage medium stores instructions that, when run on a computer, cause the computer to execute the method for scheduling service resources provided by the first aspect or any possible implementation manner of the first aspect.
  • A computer-readable storage medium stores instructions that, when run on a computer, cause the computer to execute the method for scheduling service resources provided by the second aspect or any possible implementation manner of the second aspect.
  • A computer program product containing instructions is provided; when the computer program product is run on a computer, the computer executes the method for scheduling service resources provided by the first aspect or any possible implementation manner of the first aspect.
  • A computer program product containing instructions, when run on a computer, causes the computer to execute the method for scheduling service resources provided by the second aspect or any possible implementation manner of the second aspect.
  • a chip system in another aspect of the present application, includes a memory, a processor, a bus, and a communication interface.
  • the memory stores codes and data.
  • the processor and the memory are connected through the bus, and the processor runs the code in the memory.
  • the chip system is caused to execute the method for scheduling service resources provided by the first aspect or any possible implementation manner of the first aspect.
  • a chip system in another aspect of the present application, includes a memory, a processor, a bus, and a communication interface.
  • the memory stores codes and data.
  • the processor and the memory are connected through the bus, and the processor runs the code in the memory.
  • the chip system is caused to execute the method for scheduling service resources provided by the second aspect or any possible implementation manner of the second aspect.
  • The apparatus, computer storage medium, or computer program product for any method for scheduling service resources provided above is used to execute the corresponding method provided above; therefore, for the beneficial effects it can achieve, refer to the beneficial effects of the corresponding methods provided above, which are not repeated here.
  • FIG. 1 is a schematic diagram of a scheduling service resource in the prior art
  • FIG. 2 is a schematic structural diagram of a network system according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a method for scheduling service resources according to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of another method for scheduling service resources according to an embodiment of the present application.
  • FIG. 5 is a first schematic structural diagram of a device according to an embodiment of the present application.
  • FIG. 6 is a second schematic structural diagram of a device according to an embodiment of the present application.
  • FIG. 7 is a third structural schematic diagram of a device according to an embodiment of the present application.
  • FIG. 8 is a fourth structural schematic diagram of a device according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a device according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a structure of a device according to an embodiment of the present application.
  • "At least one" means one or more, and "multiple" means two or more.
  • "And/or" describes the association relationship between related objects and indicates that three kinds of relationship can exist; for example, A and/or B can mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural.
  • The character "/" generally indicates that the related objects are in an "or" relationship.
  • "At least one of the following" or similar expressions refers to any combination of these items, including any combination of single or plural items.
  • For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may be single or multiple.
  • FIG. 2 is a schematic diagram of a network system architecture according to an embodiment of the present application.
  • the network system architecture includes a terminal 201, at least one network security device 202, a domain name system server 203, and a service server 204.
  • the terminal 201 may include one or more terminals, and the terminal 201 may include a handheld device (for example, a mobile phone, a tablet computer, etc.), a computer, a vehicle-mounted device, and a smart wearable device.
  • the terminal 201 may be installed with client software provided by a network service provider, such as a game client, a mobile shopping client, an instant chat client, and a browser.
  • the client software may be used to initiate a service.
  • the business server 204 is a server that provides various business services for the terminal 201.
  • the business server 204 may be a Web server, a file transfer protocol (FTP) application server, a game application server, an e-commerce application server, and so on.
  • FTP: file transfer protocol
  • the domain name system server 203 may be used to provide a domain name resolution function for the terminal 201 and manage the relationship between the domain names of different network service providers and their leased virtual IP addresses.
  • the domain name is first resolved into a virtual IP address, and the user then enjoys the network service provided by the business server 204 by accessing the virtual IP address.
  • The domain name system server 203 may be a DNS server, an HTTPDNS server, or a server in which a DNS server and an HTTPDNS server are co-located.
  • the at least one network security device 202 may be a network security device in the cloud and includes one or more network security devices.
  • the at least one network security device 202 is configured to provide security protection for the service server 204.
  • Each network security device may monitor and perform security detection on the traffic sent to the business server 204, and intercept and filter threatening traffic, thereby protecting the security of the business server 204.
  • Each network security device in the at least one network security device 202 may correspond to a virtual IP address.
  • The domain name is first resolved to a virtual IP address by the domain name system server 203, the resolved virtual IP address is sent to the user, and the user then accesses the virtual IP address through the corresponding network security device to enjoy the network services provided by the business server 204.
  • The network security device monitors and detects the security of the traffic sent by the user. If the traffic sent by the user is not threatening, it can be forwarded to the business server 204 to provide the user with the corresponding network service; by monitoring and detecting the security of the traffic sent by the user, the security of the business server 204 is ensured.
  • FIG. 3 is a schematic flowchart of a service resource scheduling method according to an embodiment of the present application.
  • the method is applied to a network including a terminal, a service server, a domain name system server, and at least one network security device.
  • Each network security device has a virtual IP address.
  • the domain name of the service provided by the service server in the DNS server is mapped to an IP address resource pool.
  • the IP address resource pool includes at least two virtual IP addresses. See Figure 3.
  • the method includes the following steps.
  • S301 The terminal sends a domain name resolution request to a domain name system server, where the domain name resolution request includes the domain name.
  • S302 The domain name system server receives a domain name resolution request sent by the terminal.
  • the domain name resolution request is the same as that in S301.
  • the domain name is the domain name of the service provided by the service server.
  • the domain name system server can be used to provide the domain name resolution function for the terminal.
  • the terminal may send a domain name resolution request to the domain name system server, and carry the domain name in the domain name resolution request.
  • the domain name resolution request can be used to request the domain name system server to perform domain name resolution on the domain name, so that the domain name system server can receive a domain name resolution request including the domain name.
  • the domain name of the service provided by the service server is www.abc.com.
  • when the terminal needs to access the service provided by the service server, the terminal sends a domain name resolution request carrying the domain name www.abc.com to the domain name system server, so that the domain name system server receives a domain name resolution request that includes the domain name (www.abc.com).
  • S303 The domain name system server selects a virtual IP address from the at least two virtual IP addresses included in the IP address resource pool according to the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool.
  • the terminal reputation value of the terminal is used to indicate the security degree of the terminal, that is, the terminal reputation value of the terminal is related to the security degree of the terminal, and the specific calculation method can be flexibly set according to the actual situation and the working habits of the administrator.
  • the terminal reputation value of the terminal may be positively related to the security level of the terminal.
  • for example, when the terminal reputation value of the terminal is larger, the terminal is more secure, and when the terminal reputation value of the terminal is smaller, the security level of the terminal is lower. Alternatively, the terminal reputation value of the terminal can be inversely related to the security level of the terminal, that is, the smaller the terminal reputation value of the terminal, the higher the security level of the terminal, and the larger the terminal reputation value of the terminal, the lower the security level of the terminal.
  • the embodiment of the present application does not specifically limit the relationship between the terminal reputation value of the terminal and the security degree of the terminal.
  • the IP resource pool includes at least two virtual IP addresses. Each virtual IP address in the at least two virtual IP addresses will have an IP reputation value.
  • the IP reputation value of a virtual IP address is used to indicate the degree of security of the virtual IP address. When the IP reputation value of a virtual IP address is greater, the virtual IP address is more secure, so when a terminal accesses a service provided by the service server through that virtual IP address, the quality of service enjoyed by the terminal may be higher. The smaller the IP reputation value of a virtual IP address, the lower the security level of the virtual IP address, so when a terminal accesses the service provided by the service server through that virtual IP address, the quality of service enjoyed by the terminal may be lower.
  • the domain name system server may select a virtual IP address from the at least two virtual IP addresses included in the IP address resource pool according to the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool in the following way: when the terminal reputation value is greater than or equal to the first user threshold, a first virtual IP address set is determined from the IP address resource pool, where the IP reputation value of each virtual IP address in the first virtual IP address set is greater than or equal to the first service threshold, and a virtual IP address is selected from the first virtual IP address set; or, when the terminal reputation value is less than the second user threshold, a second virtual IP address set is determined from the IP address resource pool, where the IP reputation value of each virtual IP address in the second virtual IP address set is less than the second service threshold, and a virtual IP address is selected from the second virtual IP address set.
  • the following example illustrates the process by which the domain name system server selects a virtual IP address from the IP address resource pool according to the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the pool.
  • the domain name of the service provided by the service server is www.abc.com.
  • the IP address resource pool mapped to the domain name www.abc.com in the domain name system server includes VIP1, VIP2, VIP3, and VIP4.
  • VIP1, VIP2, VIP3 and VIP4 are the virtual IP addresses of four different network security devices.
  • Terminal a and terminal b respectively request the domain name system server for domain name resolution of the domain name www.abc.com.
  • the terminal reputation values of terminals a and b are 7 and 2, respectively, the IP reputation values of VIP1 to VIP4 are 3, 5, 7, and 9, respectively, the first user threshold and the second user threshold are 6 and 3, respectively, and the first service threshold and the second service threshold are 7 and 4, respectively.
  • the domain name system server can select as follows: the terminal reputation value 7 of terminal a is greater than the first user threshold 6, so the first virtual IP address set determined from VIP1 to VIP4 includes VIP3 and VIP4 (that is, the IP reputation values of VIP3 and VIP4 are greater than or equal to the first service threshold 7), and VIP4 is selected for terminal a from VIP3 and VIP4; the terminal reputation value 2 of terminal b is less than the second user threshold 3, so the second virtual IP address set determined from VIP1 to VIP4 includes VIP1 (the IP reputation value 3 of VIP1 is smaller than the second service threshold 4), and VIP1 is selected for terminal b.
  • the first user threshold and the second user threshold may be preset thresholds of the terminal reputation value, the first user threshold is greater than or equal to the second user threshold, and the first user threshold and the second user threshold may be non-negative numbers.
  • the first user threshold may be 6 and the second user threshold may be 3.
  • the first service threshold and the second service threshold may also be pre-set thresholds of the IP reputation value.
  • the first service threshold is greater than or equal to the second service threshold.
  • the first service threshold and the second service threshold may also be non-negative numbers.
  • the first service threshold may be 7 and the second service threshold may be 4.
  • the first virtual IP address set may include at least one virtual IP address, and the second virtual IP address set may also include at least one virtual IP address; the first virtual IP address set and the second virtual IP address set are the virtual IP address sets determined from the IP address resource pool based on the first service threshold and the second service threshold, respectively.
  • if a virtual IP address set contains only one virtual IP address, the domain name system server may directly use that virtual IP address as the selected virtual IP address.
  • when the domain name system server selects a virtual IP address from the first virtual IP address set, the selected IP address may be any one of the first virtual IP address set, or the virtual IP address with the highest IP reputation value, or the virtual IP address with the lowest IP reputation value, which is not specifically limited in this embodiment of the present application.
  • S304 The domain name system server sends a domain name resolution response to the terminal, and the domain name resolution response carries the selected virtual IP address.
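The selection rule of S303 carried through with the worked values above, as an added example that is not code from the patent. The thresholds are the ones in the example; the tie-break policies and the handling of a terminal whose reputation lies between the two user thresholds (which the text leaves open, assumed here to keep the whole pool eligible) are assumptions.

```python
from typing import Dict, Optional

# Thresholds as configured on the domain name system server; the values are
# the ones used in the worked example (first/second user threshold 6 and 3,
# first/second service threshold 7 and 4).
FIRST_USER_THRESHOLD = 6
SECOND_USER_THRESHOLD = 3
FIRST_SERVICE_THRESHOLD = 7
SECOND_SERVICE_THRESHOLD = 4

# Constructed IP address resource pool mapped to the domain www.abc.com:
# virtual IP address -> IP reputation value.
POOL: Dict[str, float] = {"VIP1": 3, "VIP2": 5, "VIP3": 7, "VIP4": 9}


def candidate_set(terminal_reputation: float, pool: Dict[str, float]) -> Dict[str, float]:
    """Return the virtual IP address set the terminal may be scheduled to.

    A terminal at or above the first user threshold gets the first set (IP
    reputation >= first service threshold); a terminal below the second user
    threshold gets the second set (IP reputation < second service threshold).
    """
    if terminal_reputation >= FIRST_USER_THRESHOLD:
        return {vip: rep for vip, rep in pool.items() if rep >= FIRST_SERVICE_THRESHOLD}
    if terminal_reputation < SECOND_USER_THRESHOLD:
        return {vip: rep for vip, rep in pool.items() if rep < SECOND_SERVICE_THRESHOLD}
    # Assumption: the text does not say how a terminal between the two user
    # thresholds is handled; here the whole pool stays eligible.
    return dict(pool)


def select_virtual_ip(terminal_reputation: float, pool: Dict[str, float],
                      policy: str = "highest") -> Optional[str]:
    """Pick one virtual IP address from the candidate set.

    policy is "highest" (best IP reputation), "lowest" (worst IP reputation)
    or "any" (the first member in pool order). Returns None when no address
    in the pool satisfies the service threshold, so the caller can fall back
    explicitly instead of answering with an address outside the intended set.
    """
    candidates = candidate_set(terminal_reputation, pool)
    if not candidates:
        return None
    if policy == "highest":
        return max(candidates, key=candidates.__getitem__)
    if policy == "lowest":
        return min(candidates, key=candidates.__getitem__)
    return next(iter(candidates))


def resolve(domain: str, terminal_reputation: float,
            mapping: Dict[str, Dict[str, float]]) -> Optional[str]:
    """Steps S302 to S304 in one call: look up the pool mapped to the domain
    and answer with one virtual IP address chosen by terminal and IP reputation."""
    pool = mapping.get(domain)
    if pool is None:
        return None
    return select_virtual_ip(terminal_reputation, pool)


if __name__ == "__main__":
    mapping = {"www.abc.com": POOL}
    # Terminal a (reputation 7) is answered with VIP4, terminal b (reputation 2) with VIP1.
    print("terminal a ->", resolve("www.abc.com", 7, mapping))
    print("terminal b ->", resolve("www.abc.com", 2, mapping))
```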
  • S305 The terminal receives a domain name resolution response sent by the domain name system server.
  • the domain name resolution response is the same as that in S304.
  • the domain name system server may carry the selected virtual IP address in the domain name resolution response and send it to the terminal.
  • the terminal may use the virtual IP address carried in the domain name resolution response for service access.
  • the terminal may use the terminal IP address as the source address and the virtual IP address as the destination address to send a message to the network security device corresponding to the virtual IP address.
  • the message can be redirected to the business server to provide business services to the terminal.
  • terminal a can use VIP4 for service access. That is, terminal a uses the IP address of terminal a as the source address and VIP4 as the destination address, and sends a message to the network security device corresponding to VIP4, so that the network security device, after determining that the message is not threatening, redirects the message to the business server to provide business services for terminal a.
  • the domain name system server selects a virtual IP address for the terminal based on the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, so that different terminals are scheduled to different network security devices to enjoy network services; when a hacker attack occurs, the access traffic of normal users will not be switched, thereby ensuring that normal users can use the tenant's services normally without affecting the quality of service.
  • the DNS server can select virtual IP addresses with different security levels for terminals with different security levels, thereby ensuring that terminals with higher security levels can enjoy higher quality services and improve user experience.
  • the method may further include S306: the domain name system server obtains the terminal reputation value and the IP reputation value of each virtual IP address.
  • the manner in which the domain name system server obtains the terminal reputation value may include: the domain name system server receives the terminal reputation value sent by the terminal; or the domain name system server receives the terminal device parameters sent by the terminal, and determines the terminal reputation value according to the terminal device parameters.
  • the domain name system server receives the terminal reputation value sent by the terminal
  • the domain name system server receives the terminal device parameters sent by the terminal, and determines the terminal reputation value according to the terminal device parameters.
  • the terminal may carry the terminal reputation value in the domain name resolution request in S301 and send the terminal reputation value to the domain name system server through the domain name resolution request, which reduces the power the domain name system server spends determining the terminal reputation value and also reduces the number of signaling interactions between the terminal and the domain name system server.
  • the terminal may also send the terminal reputation value to the domain name system server through other signaling, which is not limited in this embodiment of the present application.
  • before the terminal sends a domain name resolution request to the domain name system server, the terminal can detect its own device parameters to obtain the terminal device parameters, and determine the terminal reputation value according to the terminal device parameters.
  • the terminal device parameter may include at least one hardware fingerprint
  • determining the terminal reputation value according to the terminal device parameter includes: querying a preset reputation score corresponding to each hardware fingerprint in the at least one hardware fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each hardware fingerprint.
  • the at least one hardware fingerprint includes one or more of the following: a global positioning system (GPS) fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a wireless fidelity (wifi) module fingerprint, a temperature sensor fingerprint, and a microphone module fingerprint.
  • the parameter of the terminal device includes a hardware fingerprint, which may mean that the terminal includes hardware corresponding to the hardware fingerprint. If the terminal does not include a temperature sensor, the temperature sensor fingerprint will not be included in the terminal device parameters. For example, if the terminal only includes a Bluetooth module and a battery, the terminal device parameters include a Bluetooth fingerprint and a battery fingerprint.
  • each hardware fingerprint can be assigned a preset reputation score in advance, and the preset reputation value corresponding to each hardware fingerprint may be the same or different.
  • the terminal device parameter includes at least one hardware fingerprint
  • the terminal may query the preset reputation score corresponding to each hardware fingerprint in the at least one hardware fingerprint, and sum the preset reputation scores corresponding to each hardware fingerprint (referred to as the sum of the hardware reputation points hereinafter); the sum of the hardware reputation points is determined as the reputation value of the terminal.
  • for example, if the at least one hardware fingerprint includes a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, and a camera fingerprint, each with a corresponding preset reputation score of 0.6, the sum of the hardware reputation points obtained is 2.4, so that the terminal reputation value is 2.4.
  • the battery fingerprint refers to the fact that when a hardware component such as a battery exists in the terminal device, the processor of the terminal device obtains the battery type, charging, discharging, and power consumption information. Optionally, the processor obtains the foregoing information through a power management system.
  • the terminal device parameter may further include at least one software fingerprint
  • determining the terminal reputation value according to the terminal device parameter further includes: querying a preset reputation score corresponding to each software fingerprint in the at least one software fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each software fingerprint.
  • the at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, power characteristics, SIM card serial number, and mobile phone number.
  • battery temperature and remaining power characteristics are obtained using an interface provided by an operating system of the terminal device.
  • the network type can be wifi, 3G, or 4G, etc.
  • the terminal type can refer to different manufacturers (for example, company A or company B), or an emulator, etc.
  • the operating system type can be the Android system or the iOS system.
  • the network mode can be China Telecom, China Mobile, or China Unicom.
  • the battery temperature can be 0 or non-zero, or a specific temperature, etc.
  • the power characteristics can be characteristics of how the power level changes, for example, whether it does not stay at a constant 50%.
  • the IMEI, UUID, SIM card serial number, and mobile phone number can each be a specific numeric sequence or an identifier indicating whether the item exists.
  • each software fingerprint may also be assigned a preset reputation score in advance, and the preset reputation value corresponding to each software fingerprint may be the same or different.
  • the terminal device parameter further includes at least one software fingerprint
  • the terminal may query the preset reputation score corresponding to each software fingerprint in the at least one software fingerprint, and sum the preset reputation scores corresponding to each software fingerprint (referred to as the sum of the software reputation points hereinafter); the sum of the hardware reputation points and the software reputation points is determined as the terminal reputation value.
  • for example, if the sum of the hardware reputation points is 2.4, and the at least one software fingerprint includes the IMEI, the UUID, the network type (3G), and the network mode (mobile), each with a corresponding preset reputation score of 0.3, the sum of the software reputation points is 1.2, so that the terminal reputation value is 3.6.
  • the terminal device parameter may further include at least one malicious information
  • determining the terminal reputation value according to the terminal device parameter further includes: querying a preset reputation score corresponding to each piece of malicious information in the at least one piece of malicious information, and determining the terminal reputation value according to the preset reputation score corresponding to each piece of malicious information.
  • the at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to files stored in the memory, application programming interface (API) DEMOS malicious information, developer tools (DevTools) malicious information, malicious application permission information, abnormal port information, and abnormal process information.
  • the API DEMOS here refers to the description document used to describe the API, for example, the description document used to describe the API's classes and usage methods.
  • DevTools is an open debugging tool that is usually hidden in the Android emulator. It provides developers with powerful debugging support and can be used to help developers analyze the performance of current software.
  • the detection result corresponding to the malicious information may be non-existent or safe, that is, the corresponding malicious file is not detected or the inherent file is detected.
  • the detection result corresponding to the malicious information may be present or unsafe, that is, a corresponding malicious file is detected or the inherent file is not detected.
  • the CPU malicious information may be used to indicate that no goldfish malicious file, Intel file, or AMD file is detected in the CPU;
  • the files stored in the memory may include photo albums, text messages, communication records, malicious logs, and temperature files.
  • the malicious information corresponding to the file stored in the memory may be used to indicate that no malicious information is detected in the above file;
  • the API DEMOS malicious information is used to indicate that no malicious information has been detected in the application programming interface described by the API DEMOS document; the DevTools malicious information is used to indicate that no malicious information has been detected in the tool indicated by DevTools; the application permission malicious information can be used to indicate that permissions affecting the security of the application or the terminal are not open; the abnormal port information can be used to indicate that no abnormal port has been detected; and the abnormal process information can be used to indicate that no abnormal process has been detected.
  • the method for determining the terminal reputation value according to the preset reputation score corresponding to each malicious information is similar to the above-mentioned method for determining the terminal reputation value according to the preset reputation score corresponding to each software fingerprint. For details, refer to the above description. This is not repeated in the embodiment of the present application.
  • the terminal device parameters further include the number of connections and transmission traffic
  • the terminal reputation value is determined according to the terminal device parameters, and further includes: updating the terminal reputation value when the number of connections and / or transmission traffic is in an abnormal state.
  • when the number of connections and/or the transmission traffic is in an abnormal state, the terminal may update the terminal reputation value determined in the foregoing manner according to the preset reputation score corresponding to the number of connections and/or the transmission traffic; when the number of connections and/or the transmission traffic is in a normal state, the terminal may leave the terminal reputation value unchanged and only record the number of connections and/or the transmission traffic.
  • for example, if the preset reputation scores corresponding to the number of connections and the transmission traffic are both 1, the terminal subtracts 1 from the terminal reputation value determined from the at least one hardware fingerprint, the at least one software fingerprint, and the at least one piece of malicious information in the manner above, so as to update the terminal reputation value.
  • the terminal may determine whether the number of connections and/or the transmission traffic is in an abnormal state in the following ways: when the number of connections or the increment in the number of connections is greater than or equal to the respective preset number threshold, it can be determined that the number of connections is in an abnormal state; when the transmission traffic or the increment in the transmission traffic is greater than or equal to the respective preset traffic threshold, it can be determined that the transmission traffic is in an abnormal state.
  • when the terminal obtains the terminal device parameters, this can be implemented by a software development kit (SDK) in the terminal.
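The terminal-side reputation computation described above (hardware fingerprints, software fingerprints, malicious-information checks, and the connection/traffic adjustment), as an added example that is not the patent's own code. The score values 0.6, 0.3 and 1 and the example fingerprints are the text's; the fingerprint names, the scores for malicious-information checks (a "safe" result earning its preset score, an "unsafe" result earning nothing), the connection and traffic thresholds, and subtracting the preset score once per abnormal indicator are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Preset reputation scores per fingerprint. Names are assumptions; the values
# 0.6 (hardware) and 0.3 (software) are the ones used in the text's examples.
HARDWARE_SCORES: Dict[str, float] = {
    "gps": 0.6, "bluetooth": 0.6, "battery": 0.6, "camera": 0.6,
    "wifi": 0.6, "temperature_sensor": 0.6, "microphone": 0.6,
}
SOFTWARE_SCORES: Dict[str, float] = {
    "imei": 0.3, "uuid": 0.3, "network_type": 0.3, "terminal_type": 0.3,
    "os_type": 0.3, "network_mode": 0.3, "battery_temperature": 0.3,
    "power_characteristics": 0.3, "sim_serial": 0.3, "phone_number": 0.3,
}
# Assumption: a malicious-information check whose result is "safe" (nothing
# malicious detected) earns its preset score; an "unsafe" result earns 0.
MALICIOUS_SCORES: Dict[str, float] = {
    "cpu": 0.5, "storage_files": 0.5, "api_demos": 0.5, "devtools": 0.5,
    "app_permissions": 0.5, "ports": 0.5, "processes": 0.5,
}
# Preset score (1) for the connection-count and transmission-traffic indicators.
CONNECTION_PENALTY = 1.0
TRAFFIC_PENALTY = 1.0
# Assumed thresholds for the "abnormal state" test on connections and traffic.
CONNECTION_THRESHOLD = 200
CONNECTION_INCREMENT_THRESHOLD = 100
TRAFFIC_THRESHOLD = 50_000_000            # bytes
TRAFFIC_INCREMENT_THRESHOLD = 20_000_000  # bytes


@dataclass
class TerminalDeviceParameters:
    """Terminal device parameters as an SDK on the terminal would report them."""
    hardware_fingerprints: List[str] = field(default_factory=list)
    software_fingerprints: List[str] = field(default_factory=list)
    malicious_checks: Dict[str, bool] = field(default_factory=dict)  # name -> True if "safe"
    connections: int = 0
    connection_increment: int = 0
    traffic: int = 0
    traffic_increment: int = 0


def score_sum(names: Iterable[str], table: Dict[str, float]) -> float:
    """Sum the preset scores of the listed items. Unknown names contribute
    nothing, so a fingerprint type the table does not know cannot raise the
    score; rounding keeps sums of 0.6 and 0.3 free of float noise."""
    return round(sum(table.get(name, 0.0) for name in names), 3)


def hardware_reputation_sum(p: TerminalDeviceParameters) -> float:
    return score_sum(p.hardware_fingerprints, HARDWARE_SCORES)


def software_reputation_sum(p: TerminalDeviceParameters) -> float:
    return score_sum(p.software_fingerprints, SOFTWARE_SCORES)


def malicious_reputation_sum(p: TerminalDeviceParameters) -> float:
    safe_checks = (name for name, ok in p.malicious_checks.items() if ok)
    return score_sum(safe_checks, MALICIOUS_SCORES)


def connections_abnormal(p: TerminalDeviceParameters) -> bool:
    return (p.connections >= CONNECTION_THRESHOLD
            or p.connection_increment >= CONNECTION_INCREMENT_THRESHOLD)


def traffic_abnormal(p: TerminalDeviceParameters) -> bool:
    return (p.traffic >= TRAFFIC_THRESHOLD
            or p.traffic_increment >= TRAFFIC_INCREMENT_THRESHOLD)


def terminal_reputation(p: TerminalDeviceParameters) -> float:
    """Hardware + software + malicious-information sums, minus the preset
    score for each indicator (connections, traffic) found in an abnormal state."""
    value = (hardware_reputation_sum(p) + software_reputation_sum(p)
             + malicious_reputation_sum(p))
    if connections_abnormal(p):
        value -= CONNECTION_PENALTY
    if traffic_abnormal(p):
        value -= TRAFFIC_PENALTY
    return round(value, 3)


# Constructed parameters matching the text's example: four hardware
# fingerprints at 0.6 (sum 2.4) and four software fingerprints at 0.3 (sum 1.2).
EXAMPLE_PARAMS = TerminalDeviceParameters(
    hardware_fingerprints=["gps", "bluetooth", "battery", "camera"],
    software_fingerprints=["imei", "uuid", "network_type", "network_mode"],
)

if __name__ == "__main__":
    print("terminal reputation:", terminal_reputation(EXAMPLE_PARAMS))  # 3.6
```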
  • the SDK can detect hardware fingerprints, software fingerprints, malicious information, etc.
  • the domain name system server receives the terminal device parameters sent by the terminal, and determines the terminal reputation value according to the terminal device parameters.
  • the terminal may carry the terminal device parameters in the domain name resolution request in S301, and send the terminal device parameters to the domain name system server through the domain name resolution request, thereby reducing the signaling interaction between the terminal and the domain name system server.
  • the terminal may also send the terminal device parameters to the domain name system server through other signaling, which is not limited in this embodiment of the present application.
  • the manner in which the domain name system server obtains the IP reputation value of each virtual IP address may include: the domain name system server receives attack information sent by one of the at least two network security devices, where the attack information includes the attacked IP address; and determines the IP reputation value of each virtual IP address based on the attacked IP address.
  • the network security device that detects the attack information may send the attack information to the domain name system server so that the domain name system server receives the attack information.
  • the attack information includes the attacked IP address. If the attacked IP address is the virtual IP address of one of the at least one network security device, that is, the attacked IP address belongs to the virtual IP addresses in the IP address resource pool, the domain name system server can determine the IP reputation value of each virtual IP address based on the attacked IP address.
  • the DNS server can count the number of attacks corresponding to the attacked IP address, and determine the IP reputation value of each virtual IP address according to the number of attacks.
  • the IP reputation value of the virtual IP address with a larger number of attacks is lower, and the IP reputation value of the virtual IP address with a smaller number of attacks is higher.
  • the attack information may further include information such as an IP address of an attack source, an attack initiation time, an attack duration, and an attack traffic size.
  • based on the attack information, the DNS server can determine the attack interval corresponding to the attacked IP address (that is, the interval between two adjacent attacks), the attack frequency (that is, the number of attacks per unit time), and the terminal access increment of the attacked IP address (that is, the difference between the terminal access volumes corresponding to the attacked IP address in two adjacent attacks), and determine the IP reputation value of each virtual IP address based on one or more of these pieces of information.
  • if the IP address of the attack source in the attack information is the IP address of the terminal, the domain name system server may also update the reputation value of the terminal. For example, the terminal reputation value can be updated to a preset minimum reputation value, such as the minimum reputation value 2.
  • the domain name system server may also determine information such as the attack interval, the attack frequency, and the attack traffic size corresponding to the IP address of the attack source, and update the terminal reputation value based on one or more of these. When the attack interval is shorter, the attack frequency is higher, and the attack traffic is larger, the terminal reputation value can be reduced; when the attack interval is longer, the attack frequency is lower, and the attack traffic is smaller, the terminal reputation value can be increased.
  • the terminal or the domain name system server may determine terminal status information of the terminal.
  • the terminal may determine terminal status information according to terminal device parameters, and send the terminal status information to a domain name system server.
  • the terminal status information is carried in a domain name resolution request, or the terminal sends the terminal status information to a domain name system server through other signaling.
  • the domain name system server determines terminal status information according to the terminal device parameters sent by the terminal.
  • when the terminal status information indicates an abnormal state, the domain name system server may select the virtual IP address with the lowest or a lower IP reputation value from the IP address resource pool, and then send it to the terminal through step S305.
  • the process by which the terminal or the domain name system server determines the terminal status information according to the terminal device parameters may be: if the sum of the hardware reputation points determined according to the terminal device parameters is less than the third user threshold, or if the sum of the hardware reputation points and the software reputation points determined according to the terminal device parameters is less than the fourth user threshold, it can be determined that the terminal status is abnormal, where the third user threshold is less than or equal to the fourth user threshold; or, if the terminal device parameters do not include the battery fingerprint, or the power level in the power characteristics does not change, or the terminal type is a fixed type such as an emulator, it can be determined that the terminal status information is an abnormal state.
  • the domain name system server can ensure the validity of the terminal reputation value and the IP reputation value of each virtual IP address by obtaining or updating the terminal reputation value and the IP reputation value of each virtual IP address. It can ensure that an appropriate virtual IP address is selected from the IP address resource pool according to the terminal reputation value and the IP reputation value of each virtual IP address, thereby improving the accuracy of the virtual IP address selection.
  • different network security devices are selected to provide security protection for different terminals accessing the same network service. In this way, when a hacker attack occurs, only a small amount of terminal traffic is dispatched to other network security devices, and the access traffic of most normal users is not switched, ensuring that most normal users can use the tenant's services without affecting the service quality.
  • each network element such as a domain name system server and a terminal, includes a hardware structure and / or a software module corresponding to each function.
  • the present application can be implemented in the form of hardware, software, or a combination of hardware and computer software. Whether a certain function is performed by hardware or computer software-driven hardware depends on the specific application and design constraints of the technical solution. A professional technician can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of this application.
  • the function modules of the domain name system server and the terminal may be divided according to the foregoing method examples.
  • each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above integrated modules can be implemented in the form of hardware or software functional modules. It should be noted that the division of the modules in the embodiments of the present application is schematic, and is only a logical function division. In actual implementation, there may be another division manner. The following description is made by taking each function module corresponding to each function as an example.
  • FIG. 5 shows a schematic structural diagram of a device involved in the foregoing embodiment, and the device can implement the function of a domain name system server in the method provided in the embodiment of the present application.
  • the device may be a DNS server or a device that can support the DNS server to implement the functions of the DNS server in the embodiments of the present application.
  • the device is a chip system applied to the DNS server.
  • the device includes a receiving unit 501, a processing unit 502, and a sending unit 503.
  • the receiving unit 501 may be configured to support the device shown in FIG. 5 to perform step S302 in the foregoing method embodiment;
  • the processing unit 502 may be configured to support the device shown in FIG. 5 to perform step S303 in the above method embodiment; the sending unit 503 is used to support the device shown in FIG. 5 to execute step S304 in the foregoing method embodiment. All relevant content of each step involved in the above method embodiment can be referred to the functional description of the corresponding functional module, and will not be repeated here.
  • the chip system may be composed of a chip, and may also include a chip and other discrete devices.
  • the receiving unit 501 and the sending unit 503 in the embodiment of the present application may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
  • the receiving unit 501 and the sending unit 503 may be a communication interface of a domain name system server or a chip system applied to the domain name system server.
  • the communication interface may be a transceiver circuit
  • the processing unit 502 may be a processor integrated in the domain name system server or in a chip system applied to the domain name system server.
  • FIG. 6 shows a schematic diagram of a possible logical structure of the device involved in the foregoing embodiment, and the device can implement the function of the domain name system server in the method provided in the embodiment of the present application.
  • the device may be a domain name system server or a chip system applied to the domain name system server.
  • the device includes a processing module 512 and a communication module 513.
  • the processing module 512 is configured to control and manage the actions of the device shown in FIG. 6.
  • the processing module 512 is configured to perform steps of performing message or data processing on the device shown in FIG. 6.
  • for example, the processing module 512 supports the apparatus shown in FIG. 6 to execute step S303 in the above method embodiment, and / or other processes used for the technology described herein.
  • the communication module 513 is configured to support the apparatus shown in FIG. 6 to perform S302 and S304 in the foregoing method embodiment.
  • the device shown in FIG. 6 may further include a storage module 511 for storing program code and data of the device.
  • the processing module 512 may be a processor or a controller, for example, it may be a central processing unit, a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute various exemplary logical blocks, modules, and circuits described in connection with the disclosure of the embodiments of the present application.
  • a processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a digital signal processor and a microprocessor, and so on.
  • the communication module 513 may be a transceiver, a transceiver circuit, a communication interface, or the like.
  • the storage module 511 may be a memory.
  • when the processing module 512 is a processor 522, the communication module 513 is a communication interface 523 or a transceiver, and the storage module 511 is a memory 521, the device involved in this embodiment of the present application may be the device shown in FIG. 7.
  • the communication interface 523, the processor 522, and the memory 521 are connected to each other through a bus 524.
  • the bus 524 may be a PCI bus or an EISA bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
  • the memory 521 is configured to store program code and data of the device.
  • the communication interface 523 is used to support the device to communicate with other devices, and the processor 522 is used to support the device to execute the program code stored in the memory 521 to implement the steps in the method provided in the embodiment of the present application.
  • the memory 521 may be included in the processor 522.
  • FIG. 8 shows a schematic structural diagram of a device involved in the foregoing embodiment, and the device can implement the functions of the terminal in the method provided in the embodiment of the present application.
  • the device may be a terminal or a device that can support the terminal to implement the functions of the terminal in the embodiments of the present application.
  • the device is a chip system applied to the terminal.
  • the device includes a processing unit 601, a sending unit 602, and a receiving unit 603.
  • the processing unit 601 may be configured to support the device shown in FIG. 8 to perform the step of determining the terminal reputation value of the terminal in the foregoing method embodiment; the sending unit 602 may be configured to support the device shown in FIG. 8 to perform step S301 in the foregoing method embodiment;
  • the receiving unit 603 is configured to support the device shown in FIG. 8 to execute step S305 in the foregoing method embodiment. All relevant content of each step involved in the above method embodiment can be referred to the functional description of the corresponding functional module, and will not be repeated here.
  • an application program may be run in the processing unit 601, and a software development kit (SDK) is integrated in the application program.
  • the application program in the processing unit 601 may obtain terminal device parameters based on the SDK. That is, the SDK can directly detect and obtain at least one hardware fingerprint, at least one software fingerprint, and at least one malicious information. After that, the application can determine the terminal reputation value of the terminal according to the terminal device parameters obtained by the SDK.
  • the chip system may be composed of a chip, and may also include a chip and other discrete devices.
  • the sending unit 602 and the receiving unit 603 in the embodiment of the present application may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
  • the sending unit 602 and the receiving unit 603 may be a communication interface of the terminal or of a chip system applied to the terminal.
  • the communication interface may be a transceiver circuit
  • the processing unit 601 may be a processor integrated in the terminal or in a chip system applied to the terminal.
  • FIG. 9 shows a schematic diagram of a possible logical structure of the device involved in the foregoing embodiment, and the device can implement the functions of the terminal in the method provided in the embodiment of the present application.
  • the device may be a terminal or a chip system applied in the terminal.
  • the device includes a processing module 612 and a communication module 613.
  • the processing module 612 is configured to control and manage the actions of the device shown in FIG. 9.
  • the processing module 612 is configured to perform steps of performing message or data processing on the device shown in FIG. 9.
  • the processing module 612 supports the apparatus shown in FIG. 9 to perform the steps of determining the terminal reputation value of the terminal in the foregoing method embodiment, and / or other processes used in the technology described herein to specifically determine the terminal reputation value of the terminal.
  • the process may be consistent with the process of the processing unit 601 described above.
  • the communication module 613 is configured to support the apparatus shown in FIG. 9 to perform S301 and S305 in the foregoing method embodiment.
  • the device shown in FIG. 9 may further include a storage module 611 for storing program code and data of the device.
  • the processing module 612 may be a processor or a controller.
  • the processing module 612 may be a central processing unit, a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute various exemplary logical blocks, modules, and circuits described in connection with the disclosure of the embodiments of the present application.
  • a processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a digital signal processor and a microprocessor, and so on.
  • the communication module 613 may be a transceiver, a transceiver circuit, or a communication interface.
  • the storage module 611 may be a memory.
  • when the processing module 612 is a processor 622, the communication module 613 is a communication interface 623 or a transceiver, and the storage module 611 is a memory 621, the device involved in this embodiment of the present application may be the device shown in FIG. 10.
  • the communication interface 623, the processor 622, and the memory 621 are connected to each other through a bus 624.
  • the bus 624 may be a PCI bus or an EISA bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only a thick line is used in FIG. 10, but it does not mean that there is only one bus or one type of bus.
  • the memory 621 is configured to store program code and data of the device.
  • the communication interface 623 is used to support the device to communicate with other devices, and the processor 622 is used to support the device to execute the program code stored in the memory 621 to implement the steps in the method provided in the embodiment of the present application.
  • the memory 621 may be included in the processor 622.
  • An embodiment of the present application further provides a system, which includes a terminal, a service server, a domain name system server, and at least one network security device; wherein the domain name system server may be the apparatus provided in any one of FIG. 5 to FIG. 7, configured to execute the steps of the domain name system server in the foregoing method embodiment; and / or the terminal is the apparatus provided in any one of FIG. 8 to FIG. 10, configured to execute the steps of the terminal in the foregoing method embodiment.
  • the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, the methods may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the present application are wholly or partially generated.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from a website, a computer, a server, or a data center to another website, computer, server, or data center by wire (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or a data center that integrates one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, an SSD).
  • the embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium stores instructions, and when the instructions are run on a computer, the computer is caused to execute one or more steps of the domain name system server in the foregoing method embodiment.
  • An embodiment of the present application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores instructions, and when the instructions are run on a computer, the computer is caused to execute one or more steps of the terminal in the foregoing method embodiments.
  • An embodiment of the present application further provides a computer program product containing instructions, which when executed on a computer, causes the computer to perform one or more steps of the domain name system server in the foregoing method embodiment.
  • the embodiment of the present application further provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute one or more steps of the terminal in the foregoing method embodiments.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a service resource scheduling method and apparatus, relating to the field of information security technologies, and used to solve the problem that, when a hacker attack occurs, normal users whose traffic is mixed into the attack traffic cannot use the tenant's service normally or experience slower access. The method includes: a domain name system server receives a domain name resolution request sent by a first terminal, the domain name resolution request including a domain name; according to a terminal reputation value of the first terminal and an IP reputation value of each virtual IP address in an IP address resource pool, selects one virtual IP address from at least two virtual IP addresses included in the IP address resource pool; and sends a domain name resolution response to the first terminal, the domain name resolution response carrying the selected virtual IP address.

Description

Service resource scheduling method and apparatus
This application claims priority to Chinese Patent Application No. 201810619416.X, filed with the China National Intellectual Property Administration on June 15, 2018 and entitled "Service resource scheduling method and apparatus", which is incorporated herein by reference in its entirety.
Technical field
Embodiments of the present application relate to the field of information security technologies, and in particular to a service resource scheduling method and apparatus.
Background
One way of implementing a cloud-based service is for a network service provider to rent a server cluster from a network infrastructure provider; these servers provide services to users through virtual IP addresses. The network service provider can be regarded as a "tenant" of the network infrastructure. When a user accesses the network service provider's domain name, the domain name is first resolved to a virtual IP address, and the user then obtains the network service by accessing that virtual IP address.
To guarantee the security of cloud-based services, cloud-based distributed denial of service (DDoS) attack defense services and cloud firewall products have been proposed. A cloud-based DDoS attack defense service or cloud firewall product performs security detection on the traffic destined for the protected server by means of multiple network security devices; when one network security device fails or comes under attack, a switchover can be performed so that another network security device carries out the security detection function. This guarantees the security of the protected server on the one hand and service availability for users on the other.
An important feature of cloud-based DDoS attack defense services and cloud firewall products is threat-based scheduling resolution. Each network security device has one virtual IP address, and the tenant's domain name is resolved to the virtual IP address of one of these network security devices. When a user accesses the virtual IP address, the network security device corresponding to that virtual IP address performs threat detection on the packets from the user; if a packet carries no threat, it is redirected to the real protected server. Threat-based scheduling resolution means that, in a cloud-based DDoS attack defense service or cloud firewall, the tenant's domain name can be randomly scheduled and resolved to another available virtual IP according to the attack state of the tenant's service. For example, when the virtual IP address currently used by the tenant's service is attacked, the cloud-based DDoS attack defense service or cloud firewall stops resolving the tenant's domain name to the attacked virtual IP address and resolves it to another available virtual IP address, through which service is provided to users. In other words, by combining attack detection with domain name system (DNS) resolution, or with HTTP-based DNS (HTTPDNS) resolution, attacks of different magnitudes are effectively diverted to attack-resistant network security devices of different bandwidths, which mitigates the attack, scrubs abnormal traffic, and keeps the service from being interrupted.
For example, a tenant's domain name is www.abc.com, and the IP address resource pool corresponding to www.abc.com includes VIP1 and VIP2, where VIP1 is the IP address of network security device 1 and VIP2 is the IP address of network security device 2. As shown in FIG. 1, when a user initiates an access request to the domain name (www.abc.com), the DNS server looks up the virtual IP address corresponding to www.abc.com, which is VIP1. The resolution result VIP1 is returned to the user, and the user obtains the web pages and other services provided under www.abc.com by accessing VIP1. If a hacker attacks VIP1 and network security device 1, corresponding to VIP1, determines that the attack traffic exceeds a threshold, network security device 1 may report attack information to a scheduling module. The scheduling module updates the state of VIP1 to unavailable or under attack, looks up the tenant's domain name by VIP1, finds from the tenant's domain name that the available VIP in the IP address resource pool is VIP2, and accordingly notifies the DNS to update the resolution address of www.abc.com to VIP2, so that the attack traffic is shifted to network security device 2 corresponding to VIP2.
In the above method of scheduling according to the attack information reported by a network security device, after an attack occurs, the traffic accessing the tenant's service is switched to another network security device. This traffic contains both traffic from the hacker and traffic from normal users, which may affect the quality of service of normal users, so that normal users cannot use the tenant's service normally or experience slower access.
Summary
Embodiments of the present application provide a service resource scheduling method and apparatus, which can alleviate the problem that, when a conventional cloud-based DDoS attack defense service or cloud firewall product performs scheduling in response to an attack, normal users cannot use the tenant's service normally or experience slower access.
According to a first aspect, a service resource scheduling method is provided, applied to a network including a terminal, a service server, a domain name system server and at least one network security device, where each of the at least one network security device has one virtual IP address, and in the domain name system server the domain name of the service provided by the service server is mapped to an IP address resource pool that includes at least two of the virtual IP addresses. The method includes: the domain name system server receives a domain name resolution request sent by a first terminal, the domain name resolution request including the domain name; selects one virtual IP address from the at least two virtual IP addresses included in the IP address resource pool according to a terminal reputation value of the first terminal and an IP reputation value of each virtual IP address in the IP address resource pool, where the terminal reputation value of a terminal indicates the security level of that terminal and the IP reputation value of a virtual IP address indicates the security level of that virtual IP address; and sends a domain name resolution response to the first terminal, the domain name resolution response carrying the selected virtual IP address.
In the above technical solution, the domain name system server selects a virtual IP address for the terminal by means of the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, so that the terminal obtains the network service by accessing the selected virtual IP address. In other words, different network security devices are selected to protect different terminals accessing the same network service. In this way, when a hacker attack occurs, only the traffic of a small number of terminals is scheduled to other network security devices, and the access traffic of the majority of normal users is not switched, which ensures that most normal users can use the tenant's service normally without any impact on quality of service.
In a possible implementation of the first aspect, selecting one virtual IP address from the at least two virtual IP addresses included in the IP address resource pool according to the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address in the IP address resource pool includes: if the terminal reputation value of the first terminal is greater than or equal to a first user threshold, determining a first virtual IP address set from the IP address resource pool, where the IP reputation value of each virtual IP address in the first virtual IP address set is greater than or equal to a first service threshold; and selecting one virtual IP address from the first virtual IP address set. In this possible implementation, the domain name system server can select a virtual IP address of a higher security level for a terminal of a higher security level, ensuring that a terminal of a higher security level can enjoy a higher quality of service, which improves network performance and user experience.
In a possible implementation of the first aspect, the method further includes: the domain name system server receives a domain name resolution request sent by a second terminal, the request including the domain name; if the terminal reputation value of the second terminal is less than a second user threshold, determines a second virtual IP address set from the IP address resource pool, where the IP reputation value of each virtual IP address in the second virtual IP address set is less than a second service threshold, the first user threshold being greater than or equal to the second user threshold and the first service threshold being greater than or equal to the second service threshold; selects one virtual IP address from the second virtual IP address set; and sends a domain name resolution response to the second terminal, the response carrying the virtual IP address selected from the second virtual IP address set. In this possible implementation, the domain name system server can select a virtual IP address of a lower security level for a terminal of a lower security level, so that a terminal of a lower security level receives a lower quality of service and does not affect the access of other terminals, which improves network performance.
In a possible implementation of the first aspect, the method further includes: obtaining the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address.
In a possible implementation of the first aspect, obtaining the terminal reputation value of the first terminal includes: receiving the terminal reputation value of the first terminal sent by the first terminal; or receiving terminal device parameters sent by the first terminal and determining the terminal reputation value of the first terminal according to the terminal device parameters. This possible implementation provides several ways for the domain name system server to obtain the terminal reputation value, increasing the diversity of ways of obtaining it; when the terminal reputation value sent by the terminal is received, the power the domain name system server consumes to obtain the terminal reputation value can be reduced.
In a possible implementation of the first aspect, the terminal reputation value of the first terminal is carried in the domain name resolution request sent by the first terminal, or the terminal device parameters of the first terminal are carried in the domain name resolution request sent by the first terminal. This possible implementation reduces the number of signaling interactions between the domain name system server and the terminal.
In a possible implementation of the first aspect, the terminal device parameters include at least one hardware fingerprint, and determining the terminal reputation value of the first terminal according to the terminal device parameters includes: looking up a preset reputation score corresponding to each of the at least one hardware fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each hardware fingerprint; where the at least one hardware fingerprint includes one or more of the following: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a wifi module fingerprint, a temperature sensor fingerprint and a microphone module fingerprint.
In a possible implementation of the first aspect, the terminal device parameters further include at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: looking up a preset reputation score corresponding to each of the at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each software fingerprint; where the at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, battery level characteristic, mobile phone model, SIM card serial number and mobile phone number.
In a possible implementation of the first aspect, the terminal device parameters further include at least one piece of malicious information, and determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: looking up a preset reputation score corresponding to each of the at least one piece of malicious information, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each piece of malicious information; where the at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information and abnormal process information.
In a possible implementation of the first aspect, the terminal device parameters further include a connection count and a transmission traffic volume, and determining the terminal reputation value of the first terminal according to the terminal device parameters further includes: updating the terminal reputation value of the first terminal when the connection count and/or the transmission traffic volume is in an abnormal state.
In a possible implementation of the first aspect, obtaining the IP reputation value of each virtual IP address includes: receiving attack information sent by one of the at least one network security device, the attack information including an attacked IP address; and determining the IP reputation value of each virtual IP address according to the attacked IP address.
In a possible implementation of the first aspect, the attack information further includes an IP address of an attack source, and the method further includes: if the IP address of the attack source is the IP address of the first terminal, updating the terminal reputation value of the first terminal.
In the above possible implementations, by determining or updating the terminal reputation value and the IP reputation value of each virtual IP address, the domain name system server can ensure that the terminal reputation value and the IP reputation value of each virtual IP address are valid, so that a suitable virtual IP address is selected from the IP address resource pool according to them, which improves the accuracy of virtual IP address selection.
According to a second aspect, a service resource scheduling method is provided, applied to a network including a terminal, a service server, a domain name system server and at least one network security device, where each of the at least one network security device has one virtual IP address, and in the domain name system server the domain name of the service provided by the service server is mapped to an IP address resource pool that includes at least two of the virtual IP addresses. The method includes: the terminal obtains terminal device parameters, which are used to determine a terminal reputation value of the terminal, the terminal reputation value indicating the security level of the terminal; sends a domain name resolution request including the domain name to the domain name system server; and receives a domain name resolution response sent by the domain name system server, the response carrying one virtual IP address from the IP address resource pool, which the domain name system server selected from the pool according to the reputation value of the terminal and the IP reputation value of each virtual IP address in the pool, where the IP reputation value of a virtual IP address indicates the security level of that virtual IP address.
In the above technical solution, the terminal obtains its terminal device parameters so that the domain name system server can select a virtual IP address for the terminal according to the IP reputation value of each virtual IP address in the IP address resource pool and the terminal reputation value determined from the terminal device parameters, so that the network security device corresponding to the selected virtual IP address protects the terminal while it uses the network service. This reduces the probability that the terminal's quality of service degrades when a hacker attack occurs.
In a possible implementation of the second aspect, before sending the domain name resolution request to the domain name system server, the method includes: sending the terminal device parameters to the domain name system server; or determining the terminal reputation value according to the terminal device parameters and sending the terminal reputation value to the domain name system server. This possible implementation provides several ways of obtaining the terminal reputation value, increasing their diversity; when the terminal device parameters are sent to the domain name system server so that it determines the terminal reputation value from them, the power consumption of the terminal can be reduced.
In a possible implementation of the second aspect, the terminal device parameters or the terminal reputation value are carried in the domain name resolution request. This possible implementation reduces the signaling interaction between the domain name system server and the terminal.
In a possible implementation of the second aspect, the terminal device parameters include at least one hardware fingerprint, and determining the terminal reputation value according to the terminal device parameters includes: looking up a preset reputation score corresponding to each of the at least one hardware fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each hardware fingerprint; where the at least one hardware fingerprint includes one or more of the following: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a wifi module fingerprint, a temperature sensor fingerprint and a microphone module fingerprint.
In a possible implementation of the second aspect, the terminal device parameters further include at least one software fingerprint, and determining the terminal reputation value according to the terminal device parameters further includes: looking up a preset reputation score corresponding to each of the at least one software fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each software fingerprint; where the at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, battery level characteristic, SIM card serial number and mobile phone number.
In a possible implementation of the second aspect, the terminal device parameters further include at least one piece of malicious information, and determining the terminal reputation value according to the terminal device parameters further includes: looking up a preset reputation score corresponding to each of the at least one piece of malicious information, and determining the terminal reputation value according to the preset reputation score corresponding to each piece of malicious information; where the at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information and abnormal process information.
In a possible implementation of the second aspect, the terminal device parameters further include a connection count and a transmission traffic volume, and determining the terminal reputation value according to the terminal device parameters further includes: updating the terminal reputation value when the connection count and/or the transmission traffic volume is in an abnormal state.
In the above possible implementations, by determining or updating the terminal reputation value, the terminal can ensure that the terminal reputation value is valid, so that a suitable virtual IP address is selected from the IP address resource pool according to the terminal reputation value and the IP reputation value of each virtual IP address, which improves the accuracy of virtual IP address selection.
According to a third aspect, a domain name system server is provided, which can implement the functions of the service resource scheduling method provided by the first aspect or any possible implementation of the first aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions.
In a possible implementation of the third aspect, the domain name system server includes a processor, a memory, a communication interface and a bus, the processor, the memory and the communication interface being connected by the bus; the memory is configured to store program code, the communication interface is configured to support the domain name system server in communicating, and when the program code is executed by the processor, the domain name system server performs the steps of the service resource scheduling method provided by the first aspect or any possible implementation of the first aspect.
According to a fourth aspect, a terminal is provided, which can implement the functions of the service resource scheduling method provided by the second aspect or any possible implementation of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions.
In a possible implementation of the fourth aspect, the terminal includes a processor, a memory, a communication interface and a bus, the processor, the memory and the communication interface being connected by the bus; the memory is configured to store program code, the communication interface is configured to support the terminal in communicating, and when the program code is executed by the processor, the terminal performs the steps of the service resource scheduling method provided by the second aspect or any possible implementation of the second aspect.
According to a fifth aspect, a system is provided, which includes a terminal, a service server, a domain name system server and at least one network security device, where the domain name system server is the domain name system server provided by the third aspect or any possible implementation of the third aspect, and/or the terminal is the terminal provided by the fourth aspect or any possible implementation of the fourth aspect.
According to a further aspect of the present application, a computer-readable storage medium is provided, which stores instructions that, when run on a computer, cause the computer to perform the service resource scheduling method provided by the first aspect or any possible implementation of the first aspect.
According to a further aspect of the present application, a computer-readable storage medium is provided, which stores instructions that, when run on a computer, cause the computer to perform the service resource scheduling method provided by the second aspect or any possible implementation of the second aspect.
According to a further aspect of the present application, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to perform the service resource scheduling method provided by the first aspect or any possible implementation of the first aspect.
According to a further aspect of the present application, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to perform the service resource scheduling method provided by the second aspect or any possible implementation of the second aspect.
According to a further aspect of the present application, a chip system is provided, which includes a memory, a processor, a bus and a communication interface; the memory stores code and data, the processor is connected to the memory by the bus, and the processor runs the code in the memory so that the chip system performs the service resource scheduling method provided by the first aspect or any possible implementation of the first aspect.
According to a further aspect of the present application, a chip system is provided, which includes a memory, a processor, a bus and a communication interface; the memory stores code and data, the processor is connected to the memory by the bus, and the processor runs the code in the memory so that the chip system performs the service resource scheduling method provided by the second aspect or any possible implementation of the second aspect.
It can be understood that the apparatus, computer storage medium or computer program product for any of the service resource scheduling methods provided above is used to perform the corresponding method provided above; therefore, for the beneficial effects it can achieve, refer to the beneficial effects of the corresponding method provided above, which are not repeated here.
Brief description of the drawings
FIG. 1 is a schematic diagram of service resource scheduling in the prior art;
FIG. 2 is a schematic architecture diagram of a network system provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of a service resource scheduling method provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of another service resource scheduling method provided by an embodiment of the present application;
FIG. 5 is a first schematic structural diagram of an apparatus provided by an embodiment of the present application;
FIG. 6 is a second schematic structural diagram of an apparatus provided by an embodiment of the present application;
FIG. 7 is a third schematic structural diagram of an apparatus provided by an embodiment of the present application;
FIG. 8 is a fourth schematic structural diagram of an apparatus provided by an embodiment of the present application;
FIG. 9 is a fifth schematic structural diagram of an apparatus provided by an embodiment of the present application;
FIG. 10 is a sixth schematic structural diagram of an apparatus provided by an embodiment of the present application.
Detailed description
In the present application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or of plural items. For example, at least one of a, b or c may mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be single or multiple.
It should be noted that in the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the present application should not be construed as preferred or more advantageous than other embodiments or designs. Rather, such words are intended to present the relevant concepts in a concrete manner.
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
The service resource scheduling method provided by the present application is applicable to a variety of network system architectures. FIG. 2 is a schematic diagram of a network system architecture provided by an embodiment of the present application. As shown in FIG. 2, the network system architecture includes: a terminal 201, at least one network security device 202, a domain name system server 203 and a service server 204.
The terminal 201 may include one or more terminals, such as handheld devices (for example, mobile phones and tablets), computers, in-vehicle devices and smart wearables. Client software provided by a network service provider, such as a game client, a mobile shopping client, an instant messaging client or a browser, may be installed on the terminal 201 and can be used to initiate services.
The service server 204 provides various services to the terminal 201; for example, it may be a web server, a file transfer protocol (FTP) application server, a game application server, an e-commerce application server, and so on.
The domain name system server 203 can provide domain name resolution for the terminal 201 and manage the relationship between the domain names of different network service providers and the virtual IP addresses they rent. When a user accesses a network service provider's domain name, the domain name is first resolved to a virtual IP address, and the user then obtains the network service provided by the service server 204 by accessing that virtual IP address. Exemplarily, the domain name system server 203 may be a DNS server, an HTTPDNS server, or a server combining a DNS server and an HTTPDNS server.
The at least one network security device 202 may be one or more cloud network security devices used to protect the service server 204: for example, each network security device can monitor and perform security detection on the traffic sent to the service server 204, and intercept and filter threatening traffic, thereby protecting the service server 204. Each of the at least one network security device 202 may correspond to one virtual IP address.
Specifically, when a user accesses a network service provider's domain name, the domain name is first resolved to a virtual IP address by the domain name system server 203, which sends the resolved virtual IP address to the user; the user then obtains the network service provided by the service server 204 by accessing the network security device corresponding to that virtual IP address. While the virtual IP address is being accessed, the network security device monitors and performs security detection on the traffic sent by the user; if the traffic carries no threat, it can be redirected to the service server 204 so that the corresponding network service is provided to the user. Monitoring and performing security detection on the user's traffic guarantees the security of the service server 204.
FIG. 3 is a schematic flowchart of a service resource scheduling method provided by an embodiment of the present application. The method is applied to a network including a terminal, a service server, a domain name system server and at least one network security device, where each of the at least one network security device has one virtual IP address, and in the domain name system server the domain name of the service provided by the service server is mapped to an IP address resource pool that includes at least two virtual IP addresses. Referring to FIG. 3, the method includes the following steps.
S301: The terminal sends a domain name resolution request, including the domain name, to the domain name system server.
S302: The domain name system server receives the domain name resolution request sent by the terminal, that is, the request of S301.
The domain name is the domain name of the service provided by the service server, and the domain name system server can provide domain name resolution for the terminal. When the terminal needs to access the service provided by the service server, it may send a domain name resolution request carrying the domain name to the domain name system server. The request asks the domain name system server to resolve the domain name, so the domain name system server receives a domain name resolution request that includes the domain name.
For example, the domain name of the service provided by the service server is www.abc.com. When the terminal needs to access that service, it sends a domain name resolution request carrying www.abc.com to the domain name system server, which thus receives a domain name resolution request including the domain name (www.abc.com).
S303: The domain name system server selects one virtual IP address from the at least two virtual IP addresses included in the IP address resource pool according to the terminal reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool.
The terminal reputation value of the terminal indicates the security level of the terminal, that is, it is related to the terminal's security level; the specific way of calculating it can be set flexibly according to the actual situation and the administrator's working habits. For example, the terminal reputation value may be positively correlated with the security level: a larger terminal reputation value indicates a higher security level and a smaller one a lower security level. Alternatively, it may be negatively correlated: a smaller terminal reputation value indicates a higher security level and a larger one a lower security level. The embodiments of the present application do not specifically limit the relationship between the terminal reputation value and the security level of the terminal.
The IP resource pool includes at least two virtual IP addresses, each of which has an IP reputation value indicating the security level of that virtual IP address. The larger the IP reputation value of a virtual IP address, the higher its security level, so that a terminal accessing the service server's service through that virtual IP address is likely to receive a higher quality of service. The smaller the IP reputation value, the lower the security level, so that a terminal accessing the service through that virtual IP address is likely to receive a lower quality of service.
Specifically, when the domain name system server selects one virtual IP address from the at least two virtual IP addresses in the IP address resource pool according to the terminal reputation value and the IP reputation value of each virtual IP address, it may do so as follows: when the terminal reputation value is greater than or equal to a first user threshold, determine a first virtual IP address set from the IP address resource pool, in which the IP reputation value of each virtual IP address is greater than or equal to a first service threshold, and select one virtual IP address from the first virtual IP address set; or, when the terminal reputation value is less than a second user threshold, determine a second virtual IP address set from the IP address resource pool, in which the IP reputation value of each virtual IP address is less than a second service threshold, and select one virtual IP address from the second virtual IP address set.
For ease of understanding, the following example assumes that the terminal reputation value is positively correlated with the terminal's security level and illustrates how the domain name system server selects a virtual IP address from the IP address resource pool according to the terminal reputation value and the IP reputation value of each virtual IP address.
Exemplarily, the domain name of the service provided by the service server is www.abc.com, and in the domain name system server the IP address resource pool mapped to www.abc.com includes VIP1, VIP2, VIP3 and VIP4, which are the virtual IP addresses of four different network security devices. Terminal a and terminal b each request resolution of www.abc.com from the domain name system server. Assume that the terminal reputation values of terminal a and terminal b are 7 and 2 respectively, the IP reputation values of VIP1 to VIP4 are 3, 5, 7 and 9 respectively, the first and second user thresholds are 6 and 3 respectively, and the first and second service thresholds are 7 and 4 respectively. The domain name system server may then select as follows: the terminal reputation value 7 of terminal a is greater than the first user threshold 6, and the first virtual IP address set determined from VIP1 to VIP4 includes VIP3 and VIP4 (their IP reputation values are greater than or equal to the first service threshold 7), so VIP4 is selected for terminal a from VIP3 and VIP4; the terminal reputation value 2 of terminal b is less than the second user threshold 3, and the second virtual IP address set determined from VIP1 to VIP4 includes VIP1 (its IP reputation value 3 is less than the second service threshold 4), so VIP1 is selected for terminal b.
It should be noted that the first and second user thresholds may be preset limits on the terminal reputation value, the first user threshold being greater than or equal to the second, and both may be non-negative; for example, the first user threshold may be 6 and the second user threshold 3. The first and second service thresholds may likewise be preset limits on the IP reputation value, the first service threshold being greater than or equal to the second, and both may be non-negative; for example, the first service threshold may be 7 and the second service threshold 4.
In addition, the first virtual IP address set may include at least one virtual IP address, as may the second virtual IP address set; the first and second virtual IP address sets may be determined in advance from the IP address resource pool according to the first and second service thresholds respectively.
When the determined first virtual IP address set includes only one virtual IP address, the domain name system server may directly take that address as the selected virtual IP address. When the first virtual IP address set includes multiple virtual IP addresses, the domain name system server selects one of them; the selected address may be any address in the first set, the one with the largest IP reputation value, the one with the smallest IP reputation value, and so on, which the embodiments of the present application do not specifically limit.
It should be noted that the way the domain name system server selects one virtual IP address from the second virtual IP address set is similar to the way it selects from the first virtual IP address set described above; refer to the description above, which is not repeated here.
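The S303 selection as an added example in Python; this is not the patent's own code. It uses the worked values from the description (terminal reputation values 7 and 2, VIP reputation values 3, 5, 7 and 9, user thresholds 6 and 3, service thresholds 7 and 4) and adds a `policy` parameter for the three ways of picking from a set that the description allows; how a terminal whose reputation value lies between the two user thresholds is served is left open by the description, so the middle-band rule here is an assumption.

```python
"""Reputation-based virtual IP selection for a DNS server (added example, not the
patent's own code). Terminal reputation is taken to be positively correlated with
security, as in the description's worked example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Thresholds:
    first_user: float      # terminal reputation >= this: high-reputation terminal
    second_user: float     # terminal reputation <  this: low-reputation terminal
    first_service: float   # VIP reputation >= this: member of the first VIP set
    second_service: float  # VIP reputation <  this: member of the second VIP set

    def __post_init__(self) -> None:
        # The description requires first >= second for both pairs of thresholds.
        if self.first_user < self.second_user or self.first_service < self.second_service:
            raise ValueError("first thresholds must be >= second thresholds")


def first_vip_set(pool: Dict[str, float], th: Thresholds) -> Dict[str, float]:
    """VIPs whose IP reputation value is >= the first service threshold."""
    return {vip: rep for vip, rep in pool.items() if rep >= th.first_service}


def second_vip_set(pool: Dict[str, float], th: Thresholds) -> Dict[str, float]:
    """VIPs whose IP reputation value is < the second service threshold."""
    return {vip: rep for vip, rep in pool.items() if rep < th.second_service}


def select_vip(terminal_rep: float, pool: Dict[str, float], th: Thresholds,
               policy: str = "max") -> Optional[str]:
    """Select one VIP for a terminal, or return None if no candidate exists.

    policy picks one VIP from the candidate set: "max" (highest IP reputation),
    "min" (lowest) or "any" (first in pool order); the description allows all three.
    """
    if terminal_rep >= th.first_user:
        candidates = first_vip_set(pool, th)
    elif terminal_rep < th.second_user:
        candidates = second_vip_set(pool, th)
    else:
        # Assumption: a terminal between the two user thresholds is served from the
        # VIPs between the two service thresholds, falling back to the whole pool.
        candidates = {vip: rep for vip, rep in pool.items()
                      if th.second_service <= rep < th.first_service} or dict(pool)
    if not candidates:
        return None
    if policy == "max":
        return max(candidates, key=lambda vip: (candidates[vip], vip))
    if policy == "min":
        return min(candidates, key=lambda vip: (candidates[vip], vip))
    if policy == "any":
        return next(iter(candidates))
    raise ValueError(f"unknown policy {policy!r}")


# Constructed data: the pool that www.abc.com maps to in the description's example.
POOLS: Dict[str, Dict[str, float]] = {
    "www.abc.com": {"VIP1": 3, "VIP2": 5, "VIP3": 7, "VIP4": 9},
}
THRESHOLDS = Thresholds(first_user=6, second_user=3, first_service=7, second_service=4)


def resolve(domain: str, terminal_rep: float, th: Thresholds = THRESHOLDS,
            pools: Dict[str, Dict[str, float]] = POOLS) -> Optional[str]:
    """The S303 decision for one resolution request: domain -> pool -> one VIP."""
    pool = pools.get(domain)
    if pool is None:
        return None  # unknown domain; a real server would answer NXDOMAIN
    return select_vip(terminal_rep, pool, th)


if __name__ == "__main__":
    print("terminal a (7):", resolve("www.abc.com", 7))  # VIP4
    print("terminal b (2):", resolve("www.abc.com", 2))  # VIP1
```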
S304: The domain name system server sends a domain name resolution response carrying the selected virtual IP address to the terminal.
S305: The terminal receives the domain name resolution response sent by the domain name system server, that is, the response of S304.
The domain name system server may carry the selected virtual IP address in the domain name resolution response sent to the terminal; on receiving the response, the terminal may use the virtual IP address carried in it to access the service. Specifically, the terminal may send packets with its own IP address as the source address and the virtual IP address as the destination address to the network security device corresponding to that virtual IP address; after determining that a packet carries no threat, the network security device may redirect the packet to the service server so that the service is provided to the terminal.
For example, if the terminal is terminal a of the above example and the domain name resolution response received by terminal a carries VIP4, terminal a may access the service through VIP4: terminal a sends packets with its own IP address as the source address and VIP4 as the destination address to the network security device corresponding to VIP4, so that the network security device, after determining that a packet carries no threat, redirects it to the service server, which provides the service to terminal a.
In this embodiment of the present application, the domain name system server selects a virtual IP address for the terminal by means of the terminal reputation value and the IP reputation value of each virtual IP address in the IP address resource pool, so that the terminal obtains the network service by accessing the selected virtual IP address. In this way, when a hacker attack occurs, the access traffic of normal users is not switched as well, ensuring that normal users can use the tenant's service normally without any impact on quality of service. At the same time, the domain name system server can select virtual IP addresses of different security levels for terminals of different security levels, ensuring that terminals of a higher security level can enjoy a higher quality of service, which improves user experience.
Further, with reference to FIG. 3 and referring to FIG. 4, before step S303 the method may further include S306.
S306: The domain name system server obtains the terminal reputation value and the IP reputation value of each virtual IP address.
First, the ways in which the domain name system server obtains the terminal reputation value may include: the domain name system server receives the terminal reputation value sent by the terminal; or the domain name system server receives the terminal device parameters sent by the terminal and determines the terminal reputation value from them. These are described separately below.
(a) When the terminal reputation value is sent by the terminal to the domain name system server, the terminal may carry the terminal reputation value in the domain name resolution request of S301 and send it to the domain name system server in that request, which reduces the power the domain name system server consumes to determine the terminal reputation value and also reduces the number of signaling interactions between the terminal and the domain name system server. Of course, in practice the terminal may also send the terminal reputation value to the domain name system server in other signaling, which the embodiments of the present application do not limit.
Correspondingly, before sending the domain name resolution request to the domain name system server, the terminal may detect its own device parameters to obtain the terminal device parameters, and determine the terminal reputation value from them.
Specifically, the terminal device parameters may include at least one hardware fingerprint, in which case determining the terminal reputation value from the terminal device parameters includes: looking up the preset reputation score corresponding to each of the at least one hardware fingerprint, and determining the terminal reputation value from the preset reputation score of each hardware fingerprint. The at least one hardware fingerprint includes one or more of the following: a global positioning system (GPS) fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a wireless fidelity (wifi) module fingerprint, a temperature sensor fingerprint and a microphone module fingerprint. That the terminal device parameters include a certain hardware fingerprint may mean that the terminal includes the hardware corresponding to that fingerprint; if the terminal has no temperature sensor, the terminal device parameters will not include a temperature sensor fingerprint. For example, if the terminal includes only a Bluetooth module and a battery, the terminal device parameters will include a Bluetooth fingerprint and a battery fingerprint.
Exemplarily, each hardware fingerprint may be assigned a preset reputation score in advance, and the preset reputation scores of different hardware fingerprints may be the same or different. When the terminal device parameters include at least one hardware fingerprint, the terminal may look up the preset reputation score of each hardware fingerprint and sum them (hereinafter the hardware reputation score sum), and take the hardware reputation score sum as the terminal reputation value. For example, if the at least one hardware fingerprint includes a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint and a camera fingerprint, each with a preset reputation score of 0.6, the hardware reputation score sum is 2.4, and the terminal reputation value is 2.4. The battery fingerprint means that, when the terminal device contains a battery as a hardware component, the processor of the terminal device obtains information such as the battery type, charging, discharging and power consumption. Optionally, the processor obtains this information through the power management system.
Optionally, the terminal device parameters may further include at least one software fingerprint, in which case determining the terminal reputation value from the terminal device parameters further includes: looking up the preset reputation score corresponding to each of the at least one software fingerprint, and determining the terminal reputation value from the preset reputation score of each software fingerprint. The at least one software fingerprint includes one or more of the following: international mobile equipment identity (IMEI), universally unique identifier (UUID), network type, terminal type, operating system type, network mode, battery temperature, battery level characteristic, SIM card serial number and mobile phone number. The battery temperature and the remaining battery level characteristic are obtained through interfaces provided by the operating system of the terminal device.
The network type may be wifi, 3G, 4G, etc.; the terminal type may indicate the manufacturer of the terminal (for example, company A or company B) or an emulator; the operating system type may be Android or iOS; the network mode may be China Telecom, China Mobile or China Unicom; the battery temperature may be 0 or non-0, or a specific temperature; the battery level characteristic may be a characteristic of how the battery level changes, such as not staying constantly at 50%; the IMEI, UUID, SIM card serial number and mobile phone number may be specific numeric sequences or flags indicating whether they exist.
Exemplarily, each software fingerprint may also be assigned a preset reputation score in advance, which may be the same or different for different software fingerprints. When the terminal device parameters further include at least one software fingerprint, the terminal may look up the preset reputation score of each software fingerprint and sum them (hereinafter the software reputation score sum), and take the total of the hardware reputation score sum and the software reputation score sum as the terminal reputation value. For example, if the hardware reputation score sum is 2.4 and the at least one software fingerprint includes the IMEI, the UUID, a network type of 3G and a network mode of China Mobile, each with a preset reputation score of 0.3, the software reputation score sum is 1.2 and the terminal reputation value is 3.6.
Optionally, the terminal device parameters may further include at least one piece of malicious information, in which case determining the terminal reputation value from the terminal device parameters further includes: looking up the preset reputation score corresponding to each of the at least one piece of malicious information, and determining the terminal reputation value from the preset reputation score of each piece of malicious information. The at least one piece of malicious information includes one or more of the following: CPU malicious information, malicious information corresponding to files stored in memory, application programming interface demos (API DEMOS) malicious information, developer tools (DevTools) malicious information, application permission malicious information, abnormal port information and abnormal process information.
API DEMOS here refers to documentation describing an API, for example documentation describing the classes and usage of the API; when an API is installed or used, it is accompanied by such documentation. DevTools is an open debugging tool, usually hidden in the Android emulator, that gives developers powerful debugging support and can be used, for example, to analyze the performance of the current software.
When the at least one piece of malicious information includes a certain item, this may mean that the detection result for that item is "absent" or "safe", that is, no corresponding malicious file was detected or the expected built-in file was detected; when a certain item is not included, this may mean that the detection result for that item is "present" or "unsafe", that is, the corresponding malicious file was detected or the file to be checked for that item does not exist.
Exemplarily, the CPU malicious information may indicate that no goldfish malicious file was detected in the CPU, or that an Intel or amd file was detected; the files stored in memory may include one or more of photo albums, short messages, call records, malicious logs and temperature files, and the malicious information corresponding to the stored files may indicate that no malicious information was detected in those files; the API DEMOS malicious information indicates that no malicious information was detected in the application programming interfaces indicated by the API DEMOS documentation; the DevTools malicious information indicates that no malicious information was detected in the tools indicated by DevTools; the application permission malicious information may indicate that no permissions affecting the security of the application or the terminal are open; the abnormal port information may indicate that no abnormal port was detected; and the abnormal process information may indicate that no abnormal process was detected.
It should be noted that the way the terminal reputation value is determined from the preset reputation score of each piece of malicious information is similar to the way it is determined from the preset reputation score of each software fingerprint described above; refer to the description above, which is not repeated here.
Optionally, the terminal device parameters further include a connection count and a transmission traffic volume, in which case determining the terminal reputation value from the terminal device parameters further includes: updating the terminal reputation value when the connection count and/or the transmission traffic volume is in an abnormal state. Specifically, when the connection count and/or the transmission traffic volume is in an abnormal state, the terminal may update the terminal reputation value determined as described above according to the preset reputation score corresponding to the connection count and/or the transmission traffic volume; when they are in a normal state, the terminal need not update the terminal reputation value and only records the connection count and/or the transmission traffic volume.
For example, if the preset reputation scores of the connection count and the transmission traffic volume are both 1, and the connection count is abnormal while the transmission traffic volume is normal, the terminal may subtract 1 from the terminal reputation value determined from the at least one hardware fingerprint, the at least one software fingerprint and the at least one piece of malicious information, thereby updating the terminal reputation value.
Exemplarily, the terminal may determine whether the connection count and/or the transmission traffic volume is abnormal as follows: when the connection count or its increment is greater than or equal to the respective preset count limit, the connection count is determined to be abnormal; when the transmission traffic volume or its increment is greater than or equal to the respective preset traffic limit, the transmission traffic volume is determined to be abnormal.
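How a terminal (or, under (b) below, the domain name system server) would turn the device parameters into a terminal reputation value, as an added example written for this page rather than code from the patent. The per-fingerprint scores of 0.6 and 0.3 and the anomaly penalty of 1 are the description's own example values; the 0.5 score per clean malicious-information check, the anomaly limits and the sample device are assumptions.

```python
"""Terminal reputation value from terminal device parameters (added example, not
the patent's code). Fingerprint scores are the description's example values; the
malicious-information score and the anomaly limits are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Dict, List

# Preset reputation scores looked up per fingerprint. 0.6 per hardware fingerprint
# and 0.3 per software fingerprint are the values in the description's example.
HARDWARE_SCORES: Dict[str, float] = {
    "gps": 0.6, "bluetooth": 0.6, "battery": 0.6, "camera": 0.6,
    "wifi": 0.6, "temperature_sensor": 0.6, "microphone": 0.6,
}
SOFTWARE_SCORES: Dict[str, float] = {
    "imei": 0.3, "uuid": 0.3, "network_type": 0.3, "terminal_type": 0.3,
    "os_type": 0.3, "network_mode": 0.3, "battery_temperature": 0.3,
    "battery_level": 0.3, "sim_serial": 0.3, "phone_number": 0.3,
}
# A malicious-information item is present when the corresponding check came back
# clean (no malicious file found); an absent item earns nothing. 0.5 is an assumed
# score, the description gives none.
MALICIOUS_INFO_SCORES: Dict[str, float] = {
    "cpu": 0.5, "stored_files": 0.5, "api_demos": 0.5, "devtools": 0.5,
    "app_permissions": 0.5, "ports": 0.5, "processes": 0.5,
}
ANOMALY_PENALTY = 1.0  # preset score for connection count / traffic, per the example


@dataclass
class DeviceParameters:
    hardware_fingerprints: List[str] = field(default_factory=list)
    software_fingerprints: List[str] = field(default_factory=list)
    malicious_info: List[str] = field(default_factory=list)  # checks that were clean
    connection_count: int = 0
    connection_increment: int = 0   # new connections since the last sample
    traffic_bytes: int = 0
    traffic_increment: int = 0      # bytes since the last sample


@dataclass(frozen=True)
class AnomalyLimits:
    """Preset limits: a value or its increment at or above the limit is abnormal."""
    connection_count: int
    connection_increment: int
    traffic_bytes: int
    traffic_increment: int


def _lookup_sum(items: List[str], table: Dict[str, float]) -> float:
    unknown = sorted(set(items) - table.keys())
    if unknown:
        raise ValueError(f"no preset reputation score for {unknown}")
    return round(sum(table[i] for i in set(items)), 6)  # each fingerprint counts once


def hardware_sum(p: DeviceParameters) -> float:
    return _lookup_sum(p.hardware_fingerprints, HARDWARE_SCORES)


def software_sum(p: DeviceParameters) -> float:
    return _lookup_sum(p.software_fingerprints, SOFTWARE_SCORES)


def malicious_info_sum(p: DeviceParameters) -> float:
    return _lookup_sum(p.malicious_info, MALICIOUS_INFO_SCORES)


def connections_abnormal(p: DeviceParameters, lim: AnomalyLimits) -> bool:
    return (p.connection_count >= lim.connection_count
            or p.connection_increment >= lim.connection_increment)


def traffic_abnormal(p: DeviceParameters, lim: AnomalyLimits) -> bool:
    return (p.traffic_bytes >= lim.traffic_bytes
            or p.traffic_increment >= lim.traffic_increment)


def terminal_reputation(p: DeviceParameters, lim: AnomalyLimits) -> float:
    """Hardware + software + malicious-information sums, then the anomaly update."""
    rep = hardware_sum(p) + software_sum(p) + malicious_info_sum(p)
    if connections_abnormal(p, lim):
        rep -= ANOMALY_PENALTY
    if traffic_abnormal(p, lim):
        rep -= ANOMALY_PENALTY
    return round(rep, 6)


# Constructed sample matching the description: four hardware fingerprints (2.4),
# four software fingerprints (1.2), no malicious-information checks reported.
LIMITS = AnomalyLimits(connection_count=1000, connection_increment=200,
                       traffic_bytes=10_000_000, traffic_increment=2_000_000)
SAMPLE = DeviceParameters(
    hardware_fingerprints=["gps", "bluetooth", "battery", "camera"],
    software_fingerprints=["imei", "uuid", "network_type", "network_mode"],
)
# Same device after a burst of new connections: connection count abnormal, traffic normal.
SAMPLE_BURST = replace(SAMPLE, connection_increment=250)

if __name__ == "__main__":
    print(terminal_reputation(SAMPLE, LIMITS))        # 3.6
    print(terminal_reputation(SAMPLE_BURST, LIMITS))  # 2.6
```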
It should be noted that the terminal may obtain the terminal device parameters through a software development kit (SDK) in the terminal, for example using the SDK to detect the hardware fingerprints, software fingerprints, malicious information and so on.
(b) The domain name system server receives the terminal device parameters sent by the terminal and determines the terminal reputation value from them.
The terminal may carry the terminal device parameters in the domain name resolution request of S301 and send them to the domain name system server in that request, which reduces the signaling interaction between the terminal and the domain name system server. Of course, in practice the terminal may also send the terminal device parameters to the domain name system server in other signaling, which the embodiments of the present application do not limit.
It should be noted that the specific process by which the domain name system server determines the terminal reputation value from the terminal device parameters is similar to the process in (a) above by which the terminal determines it; refer to the description above, which is not repeated here.
Second, the ways in which the domain name system server obtains the IP reputation value of each virtual IP address may include: the domain name system server receives attack information sent by one of the at least two network security devices, the attack information including the attacked IP address, and determines the IP reputation value of each virtual IP address according to the attacked IP address.
When one of the at least one network security device detects attack information, it may send the attack information, including the attacked IP address, to the domain name system server, which receives it. If the attacked IP address is a virtual IP address of one of the at least one network security device, that is, it belongs to the virtual IP addresses in the IP address resource pool, the domain name system server may determine the IP reputation value of each virtual IP address according to the attacked IP address.
Exemplarily, the domain name system server may count the number of attacks on each attacked IP address and determine the IP reputation value of each virtual IP address from that count: the more often a virtual IP address has been attacked, the lower its IP reputation value, and the less often, the higher.
Optionally, the attack information may further include the IP address of the attack source, the attack start time, the attack duration, the attack traffic volume and other information. Correspondingly, the domain name system server may determine from the attack information the attack interval of the attacked IP address (the time between two consecutive attacks), the attack frequency (the number of attacks per unit time), the terminal access increment of the attacked IP address (the difference in the number of terminal accesses to the attacked IP address between two consecutive attacks) and so on, and determine the IP reputation value of each virtual IP address from one or more of these. A virtual IP address with a shorter attack interval, a higher attack frequency, a larger attack traffic volume (for example, attack traffic exceeding a traffic threshold) and a larger terminal access increment has a lower IP reputation value; one with a longer attack interval, a lower attack frequency, a smaller attack traffic volume and a smaller terminal access increment has a higher IP reputation value.
Further, when the attack information also includes the IP address of the attack source and that address is the IP address of the terminal, the domain name system server may also update the terminal reputation value.
Exemplarily, if the IP address of the attack source is the IP address of the terminal and belongs to a blacklist, the terminal reputation value may be updated to a preset lowest reputation value; for example, if the lowest reputation value is 2, the terminal reputation value may be updated to 2. Alternatively, the domain name system server may determine the attack interval, attack frequency, attack traffic volume and other information for the IP address of the attack source and update the terminal reputation value from one or more of them: the shorter the attack interval, the higher the attack frequency and the larger the attack traffic volume, the more the terminal reputation value may be reduced; the longer the attack interval, the lower the attack frequency and the smaller the attack traffic volume, the more it may be increased.
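A server-side reputation store that consumes the attack information reported by the network security devices and derives both the IP reputation value of each VIP and the terminal-reputation update for a reported attack source, as an added example that is not taken from the patent. The description fixes only the direction of each factor (more attacks, a shorter interval, heavier traffic lower the value) and the lowest terminal reputation value of 2; the base value of 10, the penalty weights, the time window, the traffic threshold and the sample reports are assumptions.

```python
"""IP reputation values of VIPs from attack reports, and the terminal reputation
update for a reported attack source (added example, not the patent's code).
Base value, penalty weights, window, traffic threshold and samples are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

BASE_REPUTATION = 10.0            # assumed value of a VIP with no attacks in the window
LOWEST_TERMINAL_REPUTATION = 2.0  # the preset lowest value in the description's example
WINDOW_SECONDS = 3600.0           # attack frequency is counted over this window (assumed)
MIN_INTERVAL_SECONDS = 60.0       # attacks closer than this cost an extra point (assumed)
TRAFFIC_THRESHOLD_MBPS = 1000.0   # "attack traffic exceeding a traffic threshold" (assumed)


@dataclass(frozen=True)
class AttackReport:
    """Attack information as sent by a network security device."""
    attacked_ip: str     # VIPs are referred to by label, as in the description
    source_ip: str
    start: float         # attack start time, seconds
    duration: float      # seconds
    traffic_mbps: float


class ReputationStore:
    def __init__(self, vips: List[str]) -> None:
        self.reports: Dict[str, List[AttackReport]] = {vip: [] for vip in vips}
        self.terminal_rep: Dict[str, float] = {}   # terminal IP -> reputation value
        self.blacklist: Set[str] = set()

    def set_terminal_reputation(self, ip: str, value: float) -> None:
        self.terminal_rep[ip] = value

    def report(self, r: AttackReport) -> bool:
        """Accept a report only if the attacked address is a VIP of the pool."""
        if r.attacked_ip not in self.reports:
            return False
        self.reports[r.attacked_ip].append(r)
        self._update_terminal(r)
        return True

    def _update_terminal(self, r: AttackReport) -> None:
        # Blacklisted source: drop straight to the preset lowest reputation value.
        if r.source_ip in self.blacklist:
            self.terminal_rep[r.source_ip] = LOWEST_TERMINAL_REPUTATION
            return
        if r.source_ip not in self.terminal_rep:
            return  # not a terminal the server holds a reputation value for
        # Assumed weights: one point per reported attack, one more for heavy traffic.
        penalty = 1.0 + (1.0 if r.traffic_mbps > TRAFFIC_THRESHOLD_MBPS else 0.0)
        self.terminal_rep[r.source_ip] = max(
            LOWEST_TERMINAL_REPUTATION, self.terminal_rep[r.source_ip] - penalty)

    def vip_reputation(self, vip: str, now: float) -> float:
        recent = sorted((r for r in self.reports[vip] if r.start >= now - WINDOW_SECONDS),
                        key=lambda r: r.start)
        if not recent:
            return BASE_REPUTATION
        penalty = float(len(recent))  # attack frequency: one point per attack in window
        intervals = [b.start - a.start for a, b in zip(recent, recent[1:])]
        if intervals and min(intervals) < MIN_INTERVAL_SECONDS:
            penalty += 1.0            # short attack interval
        if any(r.traffic_mbps > TRAFFIC_THRESHOLD_MBPS for r in recent):
            penalty += 3.0            # attack traffic over the threshold
        return max(0.0, BASE_REPUTATION - penalty)

    def vip_reputations(self, now: float) -> Dict[str, float]:
        """The per-VIP values that S303 consumes for the IP address resource pool."""
        return {vip: self.vip_reputation(vip, now) for vip in self.reports}


def build_sample_store() -> ReputationStore:
    """Constructed sample: two attacks on VIP1 30 s apart, one heavy attack on VIP2."""
    store = ReputationStore(["VIP1", "VIP2", "VIP3", "VIP4"])
    store.set_terminal_reputation("203.0.113.7", 7.0)   # a terminal previously scored 7
    store.blacklist.add("198.51.100.9")
    store.report(AttackReport("VIP1", "203.0.113.7", start=100.0, duration=20.0, traffic_mbps=500.0))
    store.report(AttackReport("VIP1", "203.0.113.7", start=130.0, duration=15.0, traffic_mbps=500.0))
    store.report(AttackReport("VIP2", "198.51.100.9", start=500.0, duration=60.0, traffic_mbps=2000.0))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.vip_reputations(now=1000.0))  # {'VIP1': 7.0, 'VIP2': 6.0, 'VIP3': 10.0, 'VIP4': 10.0}
    print(s.terminal_rep)                 # {'203.0.113.7': 5.0, '198.51.100.9': 2.0}
```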
Further, the terminal or the dom​ain name system server may also determine terminal state information of the terminal. The terminal may determine the terminal state information from the terminal device parameters and send it to the domain name system server; optionally, the terminal state information is carried in the domain name resolution request, or the terminal sends it to the domain name system server in other signaling. Alternatively, the domain name system server determines the terminal state information from the terminal device parameters sent by the terminal.
Correspondingly, when the terminal state information indicates an abnormal state, the domain name system server may select the virtual IP address with the lowest or a lower IP reputation value from the IP address resource pool and send it to the terminal through step S305.
Exemplarily, the process by which the terminal or the domain name system server determines the terminal state information from the terminal device parameters may be: if the hardware reputation score sum determined from the terminal device parameters is less than a third user threshold, or the total of the hardware reputation score sum and the software reputation score sum is less than a fourth user threshold, the terminal state may be determined to be abnormal, the third user threshold being less than or equal to the fourth user threshold. Alternatively, if the terminal device parameters include no battery fingerprint, or the battery level characteristic shows no change in battery level, or the terminal type is a fixed type such as an emulator, the terminal state information may be determined to be abnormal.
In this embodiment of the present application, by obtaining or updating the terminal reputation value and the IP reputation value of each virtual IP address, the domain name system server can ensure that these values are valid, so that a suitable virtual IP address is selected from the IP address resource pool according to them, which improves the accuracy of virtual IP address selection. In other words, different network security devices are selected to protect different terminals accessing the same network service, so that when a hacker attack occurs only the traffic of a small number of terminals is scheduled to other network security devices, the access traffic of the majority of normal users is not switched, and most normal users can use the tenant's service normally without any impact on quality of service.
The foregoing mainly describes the solutions provided in the embodiments of this application from the perspective of interaction between the network elements. It can be understood that, to implement the foregoing functions, each network element, such as the DNS server or the terminal, includes corresponding hardware structures and/or software modules for performing each function. A person skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware, by software, or by a combination of hardware and software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of this application.
In the embodiments of this application, the DNS server and the terminal may be divided into functional modules according to the foregoing method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of this application is illustrative and is merely a division of logical functions; other divisions are possible in actual implementation. The following description takes the division of one functional module per function as an example.
FIG. 5 is a schematic structural diagram of an apparatus involved in the foregoing embodiments, which can implement the functions of the DNS server in the methods provided in the embodiments of this application. The apparatus may be the DNS server, or an apparatus that supports the DNS server in implementing the functions of the DNS server in the embodiments of this application, for example a chip system applied in the DNS server. The apparatus includes a receiving unit 501, a processing unit 502 and a sending unit 503. The receiving unit 501 may be used to support the apparatus shown in FIG. 5 in performing step S302 of the foregoing method embodiments; the processing unit 502 may be used to support the apparatus shown in FIG. 5 in performing step S303 of the foregoing method embodiments; and the sending unit 503 is used to support the apparatus shown in FIG. 5 in performing step S304 of the foregoing method embodiments. All relevant content of the steps involved in the foregoing method embodiments may be cited in the functional description of the corresponding functional module and is not repeated here.
Optionally, in the embodiments of this application, the chip system may consist of chips, or may include chips and other discrete components.
Optionally, the receiving unit 501 and the sending unit 503 in the embodiments of this application may be circuits, components, interfaces, buses, software modules, transceivers, or any other apparatus capable of communication.
Optionally, the receiving unit 501 and the sending unit 503 may be a communication interface of the DNS server or of a chip system applied in the DNS server, for example a transceiver circuit, and the processing unit 502 may be integrated on a processor of the DNS server or of the chip system applied in the DNS server.
FIG. 6 is a schematic diagram of a possible logical structure of the apparatus involved in the foregoing embodiments, which can implement the functions of the DNS server in the methods provided in the embodiments of this application. The apparatus may be the DNS server or a chip system applied in the DNS server, and includes a processing module 512 and a communication module 513. The processing module 512 is used to control and manage the actions of the apparatus shown in FIG. 6; for example, the processing module 512 performs the message or data processing steps on the side of the apparatus shown in FIG. 6, such as supporting the apparatus shown in FIG. 6 in performing step S303 of the foregoing method embodiments and/or other processes of the techniques described herein. The communication module 513 is used to support the apparatus shown in FIG. 6 in performing S302 and S304 of the foregoing method embodiments. Optionally, the apparatus shown in FIG. 6 may further include a storage module 511 for storing the program code and data of the apparatus.
The processing module 512 may be a processor or a controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication module 513 may be a transceiver, a transceiver circuit, a communication interface, or the like. The storage module 511 may be a memory.
When the processing module 512 is a processor 522, the communication module 513 is a communication interface 523 or a transceiver, and the storage module 511 is a memory 521, the apparatus involved in the embodiments of this application may be the apparatus shown in FIG. 7.
The communication interface 523, the processor 522 and the memory 521 are connected to one another through a bus 524; the bus 524 may be a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 7, but this does not mean that there is only one bus or only one type of bus. The memory 521 is used to store the program code and data of the apparatus. The communication interface 523 is used to support communication between the apparatus and other devices, and the processor 522 is used to support the apparatus in executing the program code stored in the memory 521 so as to implement the steps of the methods provided in the embodiments of this application.
Optionally, the memory 521 may be included in the processor 522.
FIG. 8 is a schematic structural diagram of an apparatus involved in the foregoing embodiments, which can implement the functions of the terminal in the methods provided in the embodiments of this application. The apparatus may be the terminal, or an apparatus that supports the terminal in implementing the functions of the terminal in the embodiments of this application, for example a chip system applied in the terminal. The apparatus includes a processing unit 601, a sending unit 602 and a receiving unit 603. The processing unit 601 may be used to support the apparatus shown in FIG. 8 in performing the step of determining the terminal reputation value of the terminal in the foregoing method embodiments; the sending unit 602 may be used to support the apparatus shown in FIG. 8 in performing step S301 of the foregoing method embodiments; and the receiving unit 603 is used to support the apparatus shown in FIG. 8 in performing step S305 of the foregoing method embodiments. All relevant content of the steps involved in the foregoing method embodiments may be cited in the functional description of the corresponding functional module and is not repeated here.
Optionally, an application program may run in the processing unit 601, with a software development kit (SDK) integrated into the application. The application in the processing unit 601 may obtain the terminal device parameter based on the SDK, that is, the SDK may directly detect and obtain at least one hardware fingerprint, at least one software fingerprint, at least one piece of malicious information, and so on; the application may then determine the terminal reputation value of the terminal according to the terminal device parameter obtained by the SDK.
Optionally, in the embodiments of this application, the chip system may consist of chips, or may include chips and other discrete components.
Optionally, the sending unit 602 and the receiving unit 603 in the embodiments of this application may be circuits, components, interfaces, buses, software modules, transceivers, or any other apparatus capable of communication.
Optionally, the sending unit 602 and the receiving unit 603 may be a communication interface of the terminal or of a chip system applied in the terminal, for example a transceiver circuit, and the processing unit 601 may be integrated on a processor of the terminal or of the chip system applied in the terminal.
FIG. 9 is a schematic diagram of a possible logical structure of the apparatus involved in the foregoing embodiments, which can implement the functions of the terminal in the methods provided in the embodiments of this application. The apparatus may be the terminal or a chip system applied in the terminal, and includes a processing module 612 and a communication module 613. The processing module 612 is used to control and manage the actions of the apparatus shown in FIG. 9; for example, the processing module 612 performs the message or data processing steps on the side of the apparatus shown in FIG. 9, such as supporting the apparatus shown in FIG. 9 in performing the step of determining the terminal reputation value of the terminal in the foregoing method embodiments and/or other processes of the techniques described herein; the specific process of determining the terminal reputation value of the terminal may be the same as that of the processing unit 601 above. The communication module 613 is used to support the apparatus shown in FIG. 9 in performing S301 and S305 of the foregoing method embodiments. Optionally, the apparatus shown in FIG. 9 may further include a storage module 611 for storing the program code and data of the apparatus.
The processing module 612 may be a processor or a controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication module 613 may be a transceiver, a transceiver circuit, a communication interface, or the like. The storage module 611 may be a memory.
When the processing module 612 is a processor 622, the communication module 613 is a communication interface 623 or a transceiver, and the storage module 611 is a memory 621, the apparatus involved in the embodiments of this application may be the apparatus shown in FIG. 10.
The communication interface 623, the processor 622 and the memory 621 are connected to one another through a bus 624; the bus 624 may be a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 10, but this does not mean that there is only one bus or only one type of bus. The memory 621 is used to store the program code and data of the apparatus. The communication interface 623 is used to support communication between the apparatus and other devices, and the processor 622 is used to support the apparatus in executing the program code stored in the memory 621 so as to implement the steps of the methods provided in the embodiments of this application.
Optionally, the memory 621 may be included in the processor 622.
The embodiments of this application further provide a system including a terminal, a service server, a DNS server and at least one network security device, where the DNS server may be the apparatus provided in any one of FIG. 5 to FIG. 7 and is used to perform the steps of the DNS server in the foregoing method embodiments, and/or the terminal is the apparatus provided in any one of FIG. 8 to FIG. 10 and is used to perform the steps of the terminal in the foregoing method embodiments.
The methods provided in the embodiments of this application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fibre, or digital subscriber line (DSL)) or by wireless means (for example infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, a hard disk, or magnetic tape), an optical medium (for example a digital video disc (DVD)), or a semiconductor medium (for example an SSD).
Based on this understanding, the embodiments of this application further provide a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform one or more of the steps of the DNS server in the foregoing method embodiments.
The embodiments of this application further provide a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform one or more of the steps of the terminal in the foregoing method embodiments.
The embodiments of this application further provide a computer program product containing instructions which, when run on a computer, cause the computer to perform one or more of the steps of the DNS server in the foregoing method embodiments.
The embodiments of this application further provide a computer program product containing instructions which, when run on a computer, cause the computer to perform one or more of the steps of the terminal in the foregoing method embodiments.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or by software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The foregoing are merely specific implementations of this application, but the protection scope of this application is not limited to them; any variation or replacement that a person familiar with the technical field can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (39)

  1. A service resource scheduling method, characterized in that it is applied in a network comprising a terminal, a service server, a domain name system (DNS) server and at least one network security device, each of the at least one network security device having a respective virtual IP address, and in the DNS server the domain name of the service provided by the service server being mapped to an IP address resource pool comprising at least two of the virtual IP addresses, the method comprising:
    receiving, by the DNS server, a domain name resolution request sent by a first terminal, the domain name resolution request comprising the domain name;
    selecting one virtual IP address from the at least two virtual IP addresses comprised in the IP address resource pool according to a terminal reputation value of the first terminal and an IP reputation value of each virtual IP address in the IP address resource pool, where the terminal reputation value of a terminal indicates the security level of that terminal and the IP reputation value of a virtual IP address indicates the security level of that virtual IP address; and
    sending a domain name resolution response to the first terminal, the domain name resolution response carrying the selected virtual IP address.
  2. The service resource scheduling method according to claim 1, characterized in that selecting one virtual IP address from the at least two virtual IP addresses comprised in the IP address resource pool according to the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address in the IP address resource pool comprises:
    if the terminal reputation value of the first terminal is greater than or equal to a first user threshold, determining a first virtual IP address set from the IP address resource pool, the IP reputation value of each virtual IP address in the first virtual IP address set being greater than or equal to a first service threshold; and
    selecting one virtual IP address from the first virtual IP address set.
  3. The service resource scheduling method according to claim 1 or 2, characterized in that the method further comprises:
    receiving, by the DNS server, a domain name resolution request sent by a second terminal, the domain name resolution request sent by the second terminal comprising the domain name;
    if the terminal reputation value of the second terminal is less than a second user threshold, determining a second virtual IP address set from the IP address resource pool, the IP reputation value of each virtual IP address in the second virtual IP address set being less than a second service threshold, where the first user threshold is greater than or equal to the second user threshold and the first service threshold is greater than or equal to the second service threshold;
    selecting one virtual IP address from the second virtual IP address set; and
    sending a domain name resolution response to the second terminal, the domain name resolution response carrying the virtual IP address selected from the second virtual IP address set.
  4. The service resource scheduling method according to any one of claims 1 to 3, characterized in that the method further comprises:
    obtaining the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address.
  5. The service resource scheduling method according to claim 4, characterized in that obtaining the terminal reputation value of the first terminal comprises:
    receiving the terminal reputation value of the first terminal sent by the first terminal; or
    receiving a terminal device parameter sent by the first terminal, and determining the terminal reputation value of the first terminal according to the terminal device parameter.
  6. The service resource scheduling method according to claim 5, characterized in that the terminal reputation value of the first terminal is carried in the domain name resolution request sent by the first terminal, or the terminal device parameter of the first terminal is carried in the domain name resolution request sent by the first terminal.
  7. The service resource scheduling method according to claim 5 or 6, characterized in that the terminal device parameter comprises at least one hardware fingerprint, and determining the terminal reputation value of the first terminal according to the terminal device parameter comprises:
    querying a preset reputation score corresponding to each hardware fingerprint of the at least one hardware fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each hardware fingerprint;
    where the at least one hardware fingerprint comprises one or more of: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a Wi-Fi module fingerprint, a temperature sensor fingerprint, and a microphone module fingerprint.
  8. The service resource scheduling method according to claim 7, characterized in that the terminal device parameter further comprises at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the terminal device parameter further comprises:
    querying a preset reputation score corresponding to each software fingerprint of the at least one software fingerprint, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each software fingerprint;
    where the at least one software fingerprint comprises one or more of: an international mobile equipment identity (IMEI), a universally unique identifier (UUID), a network type, a terminal type, an operating system type, a network mode, a battery temperature, a battery-level characteristic, a SIM card serial number, and a phone number.
  9. The service resource scheduling method according to claim 8, characterized in that the terminal device parameter further comprises at least one piece of malicious information, and determining the terminal reputation value of the first terminal according to the terminal device parameter further comprises:
    querying a preset reputation score corresponding to each piece of malicious information of the at least one piece of malicious information, and determining the terminal reputation value of the first terminal according to the preset reputation score corresponding to each piece of malicious information;
    where the at least one piece of malicious information comprises one or more of: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, and abnormal process information.
  10. The service resource scheduling method according to claim 9, characterized in that the terminal device parameter further comprises a connection count and a transmission traffic volume, and determining the terminal reputation value of the first terminal according to the terminal device parameter further comprises:
    when the connection count and/or the transmission traffic volume is in an abnormal state, updating the terminal reputation value of the first terminal.
  11. The service resource scheduling method according to claim 4, characterized in that obtaining the IP reputation value of each virtual IP address comprises:
    receiving attack information sent by one network security device of the at least one network security device, the attack information comprising an attacked IP address; and
    determining the IP reputation value of each virtual IP address according to the attacked IP address.
  12. The service resource scheduling method according to claim 11, characterized in that the attack information further comprises an IP address of an attack source, and the method further comprises:
    if the IP address of the attack source is the IP address of the first terminal, updating the terminal reputation value of the first terminal.
  13. A service resource scheduling method, characterized in that it is applied in a network comprising a terminal, a service server, a domain name system (DNS) server and at least one network security device, each of the at least one network security device having a respective virtual IP address, and in the DNS server the domain name of the service provided by the service server being mapped to an IP address resource pool comprising at least two of the virtual IP addresses, the method comprising:
    obtaining, by the terminal, a terminal device parameter, the terminal device parameter being used to determine a terminal reputation value of the terminal, and the terminal reputation value indicating the security level of the terminal;
    sending a domain name resolution request to the DNS server, the domain name resolution request comprising the domain name; and
    receiving a domain name resolution response sent by the DNS server, the domain name resolution response carrying one virtual IP address of the IP address resource pool, the virtual IP address carried in the domain name resolution response being selected by the DNS server from the IP address resource pool according to the reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, where the IP reputation value of a virtual IP address indicates the security level of that virtual IP address.
  14. The service resource scheduling method according to claim 13, characterized in that, before sending the domain name resolution request to the DNS server, the method comprises:
    sending the terminal device parameter to the DNS server; or
    determining the terminal reputation value according to the terminal device parameter, and sending the terminal reputation value to the DNS server.
  15. The service resource scheduling method according to claim 14, characterized in that the terminal device parameter or the terminal reputation value is carried in the domain name resolution request.
  16. The service resource scheduling method according to claim 14 or 15, characterized in that the terminal device parameter comprises at least one hardware fingerprint, and determining the terminal reputation value according to the terminal device parameter comprises:
    querying a preset reputation score corresponding to each hardware fingerprint of the at least one hardware fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each hardware fingerprint;
    where the at least one hardware fingerprint comprises one or more of: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a Wi-Fi module fingerprint, a temperature sensor fingerprint, and a microphone module fingerprint.
  17. The service resource scheduling method according to claim 16, characterized in that the terminal device parameter further comprises at least one software fingerprint, and determining the terminal reputation value according to the terminal device parameter further comprises:
    querying a preset reputation score corresponding to each software fingerprint of the at least one software fingerprint, and determining the terminal reputation value according to the preset reputation score corresponding to each software fingerprint;
    where the at least one software fingerprint comprises one or more of: an international mobile equipment identity (IMEI), a universally unique identifier (UUID), a network type, a terminal type, an operating system type, a network mode, a battery temperature, a battery-level characteristic, a SIM card serial number, and a phone number.
  18. The service resource scheduling method according to claim 17, characterized in that the terminal device parameter further comprises at least one piece of malicious information, and determining the terminal reputation value according to the terminal device parameter further comprises:
    querying a preset reputation score corresponding to each piece of malicious information of the at least one piece of malicious information, and determining the terminal reputation value according to the preset reputation score corresponding to each piece of malicious information;
    where the at least one piece of malicious information comprises one or more of: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, and abnormal process information.
  19. The service resource scheduling method according to claim 18, characterized in that the terminal device parameter further comprises a connection count and a transmission traffic volume, and determining the terminal reputation value according to the terminal device parameter further comprises:
    when the connection count and/or the transmission traffic volume is in an abnormal state, updating the terminal reputation value.
  20. A domain name system (DNS) server, characterized in that it is applied in a network comprising a terminal, a service server, the DNS server and at least one network security device, each of the at least one network security device having a respective virtual IP address, and in the DNS server the domain name of the service provided by the service server being mapped to an IP address resource pool comprising at least two of the virtual IP addresses, the DNS server comprising:
    a receiving unit, configured to receive a domain name resolution request sent by a first terminal, the domain name resolution request comprising the domain name;
    a processing unit, configured to select one virtual IP address from the at least two virtual IP addresses comprised in the IP address resource pool according to a terminal reputation value of the first terminal and an IP reputation value of each virtual IP address in the IP address resource pool, where the terminal reputation value of a terminal indicates the security level of that terminal and the IP reputation value of a virtual IP address indicates the security level of that virtual IP address; and
    a sending unit, configured to send a domain name resolution response to the first terminal, the domain name resolution response carrying the selected virtual IP address.
  21. The DNS server according to claim 20, characterized in that the processing unit is further configured to:
    if the terminal reputation value of the first terminal is greater than or equal to a first user threshold, determine a first virtual IP address set from the IP address resource pool, the IP reputation value of each virtual IP address in the first virtual IP address set being greater than or equal to a first service threshold; and
    select one virtual IP address from the first virtual IP address set.
  22. The DNS server according to claim 20 or 21, characterized in that:
    the receiving unit is further configured to receive a domain name resolution request sent by a second terminal, the domain name resolution request sent by the second terminal comprising the domain name;
    the processing unit is further configured to, if the terminal reputation value of the second terminal is less than a second user threshold, determine a second virtual IP address set from the IP address resource pool and select one virtual IP address from the second virtual IP address set, the IP reputation value of each virtual IP address in the second virtual IP address set being less than a second service threshold, where the first user threshold is greater than or equal to the second user threshold and the first service threshold is greater than or equal to the second service threshold; and
    the sending unit is further configured to send a domain name resolution response to the second terminal, the domain name resolution response carrying the virtual IP address selected from the second virtual IP address set.
  23. The DNS server according to any one of claims 20 to 22, characterized in that the receiving unit is further configured to:
    obtain the terminal reputation value of the first terminal and the IP reputation value of each virtual IP address.
  24. The DNS server according to claim 23, characterized in that:
    the receiving unit is further configured to receive the terminal reputation value of the first terminal sent by the first terminal; or
    the receiving unit is further configured to receive a terminal device parameter sent by the first terminal, and the processing unit is further configured to determine the terminal reputation value of the first terminal according to the terminal device parameter.
  25. The DNS server according to claim 24, characterized in that the terminal reputation value of the first terminal is carried in the domain name resolution request sent by the first terminal, or the terminal device parameter of the first terminal is carried in the domain name resolution request sent by the first terminal.
  26. The DNS server according to claim 24 or 25, characterized in that the terminal device parameter comprises at least one hardware fingerprint, and the processing unit is further configured to:
    query a preset reputation score corresponding to each hardware fingerprint of the at least one hardware fingerprint, and determine the terminal reputation value of the first terminal according to the preset reputation score corresponding to each hardware fingerprint;
    where the at least one hardware fingerprint comprises one or more of: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a Wi-Fi module fingerprint, a temperature sensor fingerprint, and a microphone module fingerprint.
  27. The DNS server according to claim 26, characterized in that the terminal device parameter further comprises at least one software fingerprint, and the processing unit is further configured to:
    query a preset reputation score corresponding to each software fingerprint of the at least one software fingerprint, and determine the terminal reputation value of the first terminal according to the preset reputation score corresponding to each software fingerprint;
    where the at least one software fingerprint comprises one or more of: an international mobile equipment identity (IMEI), a universally unique identifier (UUID), a network type, a terminal type, an operating system type, a network mode, a battery temperature, a battery-level characteristic, a phone model, a SIM card serial number, and a phone number.
  28. The DNS server according to claim 27, characterized in that the terminal device parameter further comprises at least one piece of malicious information, and the processing unit is further configured to:
    query a preset reputation score corresponding to each piece of malicious information of the at least one piece of malicious information, and determine the terminal reputation value of the first terminal according to the preset reputation score corresponding to each piece of malicious information;
    where the at least one piece of malicious information comprises one or more of: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, and abnormal process information.
  29. The DNS server according to claim 28, characterized in that the terminal device parameter further comprises a connection count and a transmission traffic volume, and the processing unit is further configured to:
    when the connection count and/or the transmission traffic volume is in an abnormal state, update the terminal reputation value of the first terminal.
  30. The DNS server according to claim 23, characterized in that:
    the receiving unit is further configured to receive attack information sent by one network security device of the at least one network security device, the attack information comprising an attacked IP address; and
    the processing unit is further configured to determine the IP reputation value of each virtual IP address according to the attacked IP address.
  31. The DNS server according to claim 30, characterized in that the attack information further comprises an IP address of an attack source, and the processing unit is further configured to:
    if the IP address of the attack source is the IP address of the first terminal, update the terminal reputation value of the first terminal.
  32. A terminal, characterized in that it is applied in a network comprising the terminal, a service server, a domain name system (DNS) server and at least one network security device, each of the at least one network security device having a respective virtual IP address, and in the DNS server the domain name of the service provided by the service server being mapped to an IP address resource pool comprising at least two of the virtual IP addresses, the terminal comprising:
    a processing unit, configured to obtain a terminal device parameter, the terminal device parameter being used to determine a terminal reputation value of the terminal, and the terminal reputation value indicating the security level of the terminal;
    a sending unit, configured to send a domain name resolution request to the DNS server, the domain name resolution request comprising the domain name; and
    a receiving unit, configured to receive a domain name resolution response sent by the DNS server, the domain name resolution response carrying one virtual IP address of the IP address resource pool, the virtual IP address carried in the domain name resolution response being selected by the DNS server from the IP address resource pool according to the reputation value of the terminal and the IP reputation value of each virtual IP address in the IP address resource pool, where the IP reputation value of a virtual IP address indicates the security level of that virtual IP address.
  33. The terminal according to claim 32, characterized in that:
    the sending unit is further configured to send the terminal device parameter to the DNS server; or
    the processing unit is further configured to determine the terminal reputation value according to the terminal device parameter, and the sending unit is further configured to send the terminal reputation value to the DNS server.
  34. The terminal according to claim 33, characterized in that the terminal device parameter or the terminal reputation value is carried in the domain name resolution request.
  35. The terminal according to claim 33 or 34, characterized in that the terminal device parameter comprises at least one hardware fingerprint, and the processing unit is further configured to:
    query a preset reputation score corresponding to each hardware fingerprint of the at least one hardware fingerprint, and determine the terminal reputation value according to the preset reputation score corresponding to each hardware fingerprint;
    where the at least one hardware fingerprint comprises one or more of: a GPS fingerprint, a Bluetooth fingerprint, a battery fingerprint, a camera fingerprint, a Wi-Fi module fingerprint, a temperature sensor fingerprint, and a microphone module fingerprint.
  36. The terminal according to claim 35, characterized in that the terminal device parameter further comprises at least one software fingerprint, and the processing unit is further configured to:
    query a preset reputation score corresponding to each software fingerprint of the at least one software fingerprint, and determine the terminal reputation value according to the preset reputation score corresponding to each software fingerprint;
    where the at least one software fingerprint comprises one or more of: an international mobile equipment identity (IMEI), a universally unique identifier (UUID), a network type, a terminal type, an operating system type, a network mode, a battery temperature, a battery-level characteristic, a phone model, a SIM card serial number, and a phone number.
  37. The terminal according to claim 36, characterized in that the terminal device parameter further comprises at least one piece of malicious information, and the processing unit is further configured to:
    query a preset reputation score corresponding to each piece of malicious information of the at least one piece of malicious information, and determine the terminal reputation value according to the preset reputation score corresponding to each piece of malicious information;
    where the at least one piece of malicious information comprises one or more of: CPU malicious information, malicious information corresponding to files stored in memory, API DEMOS malicious information, DevTools malicious information, application permission malicious information, abnormal port information, and abnormal process information.
  38. The terminal according to claim 37, characterized in that the terminal device parameter further comprises a connection count and a transmission traffic volume, and the processing unit is further configured to:
    when the connection count and/or the transmission traffic volume is in an abnormal state, update the terminal reputation value.
  39. A network device, characterized in that the network device comprises a memory, a processor, a bus and a communication interface, the memory stores code and data, the processor is connected to the memory through the bus, and the processor runs the code in the memory so that the network device performs the service resource scheduling method according to any one of claims 1 to 12, or performs the service resource scheduling method according to any one of claims 13 to 19.
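Claims 2, 3 and 10 together describe the DNS server side of the scheme: a terminal whose reputation value reaches the first user threshold is answered only from virtual IP addresses at or above the first service threshold, a terminal below the second user threshold only from those below the second service threshold, and an abnormal connection count or traffic volume lowers the terminal reputation value before that choice is made. The following Python is an added worked example of that selection (written for this page; not the patent's or the applicant's code). The threshold values, the abnormality limits, the penalty amount, the request and response schemas, the handling of terminals between the two user thresholds, the fallback when a set is empty and the deterministic pick within a set are all assumptions, since the claims only fix the ordering of the thresholds; the domain, addresses and reputation values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed thresholds; the claims only require first >= second for both pairs.
FIRST_USER_THRESHOLD = 60
SECOND_USER_THRESHOLD = 30
FIRST_SERVICE_THRESHOLD = 70
SECOND_SERVICE_THRESHOLD = 50
MAX_CONNECTIONS = 200          # assumed limits for the claim 10 "abnormal state" check
MAX_TRAFFIC_MB = 1000.0
ABNORMAL_PENALTY = 30          # assumed amount by which the terminal reputation is lowered


@dataclass
class ResolutionRequest:
    """Domain name resolution request carrying the terminal reputation value (claim 6)."""
    domain: str
    terminal_ip: str
    terminal_reputation: int
    connection_count: int = 0
    transmitted_mb: float = 0.0


@dataclass
class ResolutionResponse:
    domain: str
    vip: Optional[str]      # None when the domain is not mapped to a pool
    tier: str               # which virtual IP address set the answer came from


class DnsScheduler:
    def __init__(self, pools: Dict[str, List[str]], ip_reputation: Dict[str, int]):
        self.pools = pools                   # domain -> IP address resource pool (>= 2 VIPs)
        self.ip_reputation = ip_reputation   # VIP -> IP reputation value

    def effective_terminal_reputation(self, req: ResolutionRequest) -> int:
        """Claim 10: lower the terminal reputation when connections or traffic are abnormal."""
        rep = req.terminal_reputation
        if req.connection_count > MAX_CONNECTIONS or req.transmitted_mb > MAX_TRAFFIC_MB:
            rep = max(0, rep - ABNORMAL_PENALTY)
        return rep

    def candidate_set(self, domain: str, rep: int) -> Tuple[str, List[str]]:
        """Claims 2 and 3: build the first or the second virtual IP address set."""
        pool = self.pools[domain]
        if rep >= FIRST_USER_THRESHOLD:
            return "first", [v for v in pool if self.ip_reputation.get(v, 0) >= FIRST_SERVICE_THRESHOLD]
        if rep < SECOND_USER_THRESHOLD:
            return "second", [v for v in pool if self.ip_reputation.get(v, 0) < SECOND_SERVICE_THRESHOLD]
        # Between the two user thresholds the claims prescribe no set; assumption: whole pool.
        return "middle", list(pool)

    def resolve(self, req: ResolutionRequest) -> ResolutionResponse:
        if req.domain not in self.pools:
            return ResolutionResponse(req.domain, None, "unmapped")
        rep = self.effective_terminal_reputation(req)
        tier, candidates = self.candidate_set(req.domain, rep)
        if not candidates:                   # empty set: fall back to the whole pool
            tier, candidates = tier + "-fallback", list(self.pools[req.domain])
        # Deterministic pick within the set (the claims leave the pick unspecified):
        # low-reputation terminals share the lowest-reputation VIP, the rest get the best one.
        score = lambda v: self.ip_reputation.get(v, 0)
        vip = min(candidates, key=score) if tier.startswith("second") else max(candidates, key=score)
        return ResolutionResponse(req.domain, vip, tier)


def build_sample_scheduler() -> DnsScheduler:
    """Constructed pool of four VIPs with their IP reputation values."""
    return DnsScheduler(
        pools={"svc.example.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]},
        ip_reputation={"10.0.0.1": 30, "10.0.0.2": 90, "10.0.0.3": 100, "10.0.0.4": 60},
    )


if __name__ == "__main__":
    s = build_sample_scheduler()
    for rep, conns in ((85, 0), (20, 0), (45, 0), (50, 500)):
        r = s.resolve(ResolutionRequest("svc.example.com", "198.51.100.7", rep, conns))
        print(rep, conns, r.vip, r.tier)
```

Because the two sets are disjoint whenever the first service threshold is at least the second one, a trusted terminal and a low-reputation terminal never share a network security device, which is what limits an attack on one virtual IP address to the small group of terminals scheduled there.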
PCT/CN2019/082472 2018-06-15 2019-04-12 Service resource scheduling method and apparatus WO2019237813A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/119,720 US11671402B2 (en) 2018-06-15 2020-12-11 Service resource scheduling method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810619416.X 2018-06-15
CN201810619416.XA CN110611723B (zh) 2018-06-15 2018-06-15 Service resource scheduling method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/119,720 Continuation US11671402B2 (en) 2018-06-15 2020-12-11 Service resource scheduling method and apparatus

Publications (1)

Publication Number Publication Date
WO2019237813A1 true WO2019237813A1 (zh) 2019-12-19

Family

ID=68842776

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/082472 WO2019237813A1 (zh) 2018-06-15 2019-04-12 Service resource scheduling method and apparatus

Country Status (3)

Country Link
US (1) US11671402B2 (zh)
CN (1) CN110611723B (zh)
WO (1) WO2019237813A1 (zh)


Also Published As

Publication number Publication date
US20210144120A1 (en) 2021-05-13
CN110611723B (zh) 2021-05-11
CN110611723A (zh) 2019-12-24
US11671402B2 (en) 2023-06-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19820255

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19820255

Country of ref document: EP

Kind code of ref document: A1