阅读说明：本技术 Arp欺骗攻击检测方法、装置、计算机设备和存储介质 (ARP spoofing attack detection method, device, computer equipment and storage medium ) 是由 王金贺 梁志宏 陈海光 彭伯庄 邱荣发 胡朝辉 赖宇阳 吴佩泽 张丽娟 邓建峰 于 2020-11-30 设计创作，主要内容包括：本申请涉及一种ARP欺骗检测方法、装置、计算机设备和存储介质。方法包括：获取待分析局域网中各主机的镜像流量；从所述镜像流量中提取ARP回复报文；根据所述ARP回复报文携带的MAC地址和IP地址,通过构建MAC地址和IP地址的映射表,对所述ARP回复报文进行初步检测；当所述初步检测的结果存在异常时,根据所述ARP回复报文信息,生成与主机对应的目标特征向量；基于预设的基准参考库,对所述目标特征向量进行二次检测,确定是否存在ARP欺骗攻击。采用本方法能够精准的捕获ARP欺骗攻击,达到了局域网内各主机的ARP欺骗检测,实现了精准全面的ARP欺骗检测。(The application relates to an ARP spoofing detection method, an ARP spoofing detection device, computer equipment and a storage medium. The method comprises the following steps: acquiring mirror image flow of each host in a local area network to be analyzed; extracting an ARP reply message from the mirror image flow; according to the MAC address and the IP address carried by the ARP reply message, constructing a mapping table of the MAC address and the IP address, and carrying out preliminary detection on the ARP reply message; when the result of the preliminary detection is abnormal, generating a target characteristic vector corresponding to the host according to the ARP reply message information; and carrying out secondary detection on the target characteristic vector based on a preset reference library to determine whether ARP spoofing attack exists or not. By adopting the method, the ARP spoofing attack can be accurately captured, the ARP spoofing detection of each host in the local area network is achieved, and the accurate and comprehensive ARP spoofing detection is realized.)

1. An ARP spoofing attack detection method, the method comprising:

acquiring mirror image flow of each host in a local area network to be analyzed, and extracting an ARP reply message from the mirror image flow;

according to the MAC address and the IP address carried by the ARP reply message, constructing a mapping table of the MAC address and the IP address, and carrying out preliminary detection on the ARP reply message;

when the result of the preliminary detection is abnormal, generating a target characteristic vector corresponding to the host according to the ARP reply message;

and carrying out secondary detection on the target characteristic vector based on a preset reference library to determine whether ARP spoofing attack exists or not.

2. The method according to claim 1, wherein before performing secondary detection on the target feature vector based on a preset reference library and determining whether there is an ARP spoofing attack, further comprising:

acquiring historical network flow data corresponding to a host;

performing data modeling according to the historical network traffic data to obtain the corresponding feature vector;

carrying out standardization processing on the feature vector to obtain a standardized feature vector;

and clustering the standardized feature vectors, and constructing a reference library according to a clustering result.

3. The method of claim 2, wherein the modeling data based on the historical network traffic data to obtain the corresponding feature vector comprises:

acquiring attribute information corresponding to a host from the historical network flow data based on a preset time interval;

and generating a feature vector corresponding to the host according to the attribute information.

4. The method of claim 2, wherein the clustering the normalized feature vectors and constructing a benchmark reference library according to the clustering result comprises:

clustering the standardized feature vectors to obtain clustering results, wherein the clustering results comprise abnormal classes and normal classes;

and when the clustering result does not accord with the preset clustering requirement, discarding the standardized feature vector corresponding to the abnormal class, and performing clustering again until the obtained clustering result accords with the preset clustering requirement, wherein the preset clustering requirement comprises that the number difference value of the abnormal class and the normal class meets the preset difference value requirement or the ratio of the intra-class distance to the inter-class distance of the abnormal class and the normal class is greater than a preset value.

5. The method according to claim 1, wherein the preliminary detection of the ARP reply packet by constructing a mapping table of MAC addresses and IP addresses according to the MAC address and IP address carried by the ARP reply packet comprises:

constructing a mapping table according to a message sequence formed by ARP reply messages to be detected, wherein the mapping table comprises an MAC address and an IP address carried by a first message in the message sequence;

when the MAC address carried by the message to be detected in the message sequence exists in the mapping table, extracting the mapping IP address of the MAC address from the mapping table;

and when the mapping IP address is inconsistent with the IP address carried by the message to be detected, judging that the primary detection result of the ARP reply message is abnormal.

6. The method according to claim 5, wherein after constructing a mapping table according to a message sequence formed by the ARP reply message to be detected, the method further comprises:

and when the MAC address carried by the message to be detected in the message sequence does not exist in the mapping table, updating the MAC address and the IP address carried by the message to be processed to the mapping table.

7. The method of claim 4, wherein the secondary detection of the target feature vector is performed based on a preset reference library, and the determining whether the ARP spoofing attack exists comprises:

acquiring a central point of a normal class in a preset reference library;

calculating the distance between the target feature vector and the central point;

when the distance is smaller than the intra-class distance of the normal class, judging that ARP spoofing attack does not exist;

and when the distance is not smaller than the intra-class distance of the normal class, judging that ARP spoofing attack exists.

8. An ARP spoofing attack detection apparatus, the apparatus comprising:

the data acquisition module is used for acquiring the mirror image flow of each host in the local area network to be analyzed;

the data extraction module is used for extracting an ARP reply message from the mirror image flow;

the preliminary detection module is used for preliminarily detecting the ARP reply message by constructing a mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply message;

the vector generation module is used for generating a target characteristic vector corresponding to the host according to the ARP reply message information when the result of the primary detection is abnormal;

and the secondary detection module is used for carrying out secondary detection on the target characteristic vector based on a preset reference library and determining whether ARP spoofing attack exists or not.

9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.

Technical Field

The present application relates to the field of power monitoring technologies, and in particular, to a method and an apparatus for detecting ARP spoofing attack, a computer device, and a storage medium.

Background

In an industrial control system for power monitoring, when communication is needed between hosts in a local area network (or between a host and a gateway), an Address Resolution Protocol (ARP) Protocol is used to obtain a MAC Address corresponding to a target IP Address, however, an ARP spoofing attack occurs during the communication process, and the ARP spoofing attack causes an ARP cache entry of an ARP target to be maliciously replaced by sending a malicious ARP reply message to the target host in the local area network.

The existing detection method and detection tool for ARP speofs attack know the current mapping situation of IP (Internet Protocol Address) and MAC (Media Access Control) addresses in a local area network by reading the ARP cache table of a local host, monitor the network card flow of the local host, capture ARP reply messages, judge that ARP speofs attack occurs once finding that the ARP reply messages of the ARP cache table are attempted to be modified, and form an alarm.

However, the existing detection method and detection tool can only find the situation that the local host is attacked by the ARP speofs, and cannot find the ARP speofs among other hosts in the local area network, and usually, the detection method and detection tool only take whether the ARP cache table is modified as a unique judgment logic, which lacks a reference, has many misjudgments, and has small analysis flow, does not support a system to detect and monitor a plurality of local area networks, cannot analyze and monitor uniformly, and has the problem of detection limitation.

Disclosure of Invention

In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for detecting ARP spoofing that can be performed accurately and comprehensively.

An ARP spoofing attack detection method, the method comprising:

acquiring mirror image flow of each host in a local area network to be analyzed, and extracting an ARP reply message from the image flow;

according to the MAC address and the IP address carried by the ARP reply message, the ARP reply message is preliminarily detected by constructing a mapping table of the MAC address and the IP address;

when the result of the initial detection is abnormal, replying message information according to the ARP to generate a target characteristic vector corresponding to the host;

and carrying out secondary detection on the target characteristic vector based on a preset reference library to determine whether ARP spoofing attack exists or not.

In one embodiment, based on a preset reference library, performing secondary detection on a target feature vector, and before determining whether an ARP spoofing attack exists, the method further includes:

acquiring historical network flow data corresponding to a host;

performing data modeling according to historical network flow data to obtain a feature vector corresponding to the host;

carrying out standardization processing on the feature vector to obtain a standardized feature vector;

and clustering the standardized feature vectors, and constructing a reference library according to a clustering result.

In one embodiment, the data modeling according to the historical network traffic data, and obtaining the feature vector corresponding to the host computer includes:

acquiring attribute information corresponding to a host from historical network flow data based on a preset time interval;

and generating a feature vector corresponding to the host according to the attribute information.

In one embodiment, clustering the normalized feature vectors, and constructing the reference library according to the clustering result includes:

clustering the standardized feature vectors to obtain clustering results, wherein the clustering results comprise abnormal classes and normal classes;

and when the clustering result does not accord with the preset clustering requirement, discarding the standardized feature vectors corresponding to the abnormal classes, and performing clustering again until the obtained clustering result accords with the preset clustering requirement, wherein the preset clustering requirement comprises that the number difference value of the abnormal classes and the normal classes meets the preset difference value requirement or the ratio of the intra-class distance and the inter-class distance of the abnormal classes and the normal classes is greater than a preset value.

In one embodiment, the preliminary detection of the ARP reply message by constructing a mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply message includes:

constructing a mapping table according to a message sequence formed by the ARP reply messages to be detected, wherein the mapping table comprises an MAC address and an IP address carried by a first message in the message sequence;

when the MAC address carried by the message to be detected in the message sequence exists in the mapping table, extracting the mapping IP address of the MAC address from the mapping table;

and when the mapping IP address is inconsistent with the IP address carried by the message to be detected, judging that the preliminary detection result of the ARP reply message is abnormal.

In one embodiment, after constructing the mapping table according to the message sequence formed by the ARP reply message to be detected, the method further includes:

and when the MAC address carried by the message to be detected in the message sequence does not exist in the mapping table, updating the MAC address and the IP address carried by the message to be processed to the mapping table.

In one embodiment, the secondary detection of the target feature vector is performed based on a preset reference library, and the determining whether the ARP spoofing attack exists includes:

acquiring a central point of a normal class in a preset reference library;

calculating the distance between the target characteristic vector and the central point;

when the distance is smaller than the intra-class distance of the normal class, judging that ARP spoofing attack does not exist;

and when the distance is not less than the intra-class distance of the normal class, judging that the ARP spoofing attack exists.

An ARP spoofing attack detection apparatus, the apparatus comprising:

the data acquisition module is used for acquiring the mirror image flow of each host in the local area network to be analyzed and extracting the ARP reply message from the mirror image flow;

the primary detection module is used for carrying out primary detection on the ARP reply message by constructing a mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply message;

the vector generation module is used for generating a target characteristic vector corresponding to the host according to the ARP reply message information when the initial detection result is abnormal;

and the secondary detection module is used for carrying out secondary detection on the target characteristic vector based on a preset reference library and determining whether the ARP spoofing attack exists or not.

A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:

acquiring the mirror image flow of each host in the local area network to be analyzed, and extracting an ARP reply message from the mirror image flow;

according to the MAC address and the IP address carried by the ARP reply message, the ARP reply message is preliminarily detected by constructing a mapping table of the MAC address and the IP address;

when the result of the initial detection is abnormal, replying message information according to the ARP to generate a target characteristic vector corresponding to the host;

and carrying out secondary detection on the target characteristic vector based on a preset reference library to determine whether ARP spoofing attack exists or not.

A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:

acquiring the mirror image flow of each host in the local area network to be analyzed, and extracting an ARP reply message from the mirror image flow;

according to the MAC address and the IP address carried by the ARP reply message, the ARP reply message is preliminarily detected by constructing a mapping table of the MAC address and the IP address;

when the result of the initial detection is abnormal, replying message information according to the ARP to generate a target characteristic vector corresponding to the host;

and carrying out secondary detection on the target characteristic vector based on a preset reference library to determine whether ARP spoofing attack exists or not.

According to the ARP spoofing detection method, the device, the computer equipment and the storage medium, the ARP reply message is extracted from the mirror image flow by acquiring the mirror image flow of each host in the local area network to be analyzed; the detection range can be enlarged, massive global detection is realized, the ARP reply message is extracted from the mirror image flow, the accuracy of obtaining the ARP reply message is ensured, and the ARP reply message is preliminarily detected by constructing a mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply message; the mapping table is the mapping relation between the MAC address and the IP address, the abnormal condition of the ARP reply message can be effectively captured, and when the result of the initial detection is abnormal, a target characteristic vector corresponding to the host is generated according to the ARP reply message information; the method can accurately capture the ARP spoofing attack, achieves the ARP spoofing detection of each host in the local area network, and realizes accurate and comprehensive ARP spoofing detection.

Drawings

FIG. 1 is a diagram of an exemplary embodiment of an ARP spoofing attack detection method;

FIG. 2 is a flow diagram illustrating a method for detecting ARP spoofing attacks in one embodiment;

FIG. 3 is a flowchart illustrating steps of constructing a reference library in an ARP spoofing attack detection method according to an embodiment;

FIG. 4 is a flowchart illustrating steps of constructing a benchmark reference library in the ARP spoofing attack detection method in another embodiment;

FIG. 5 is a flowchart illustrating steps of constructing a benchmark reference library in an ARP spoofing attack detection method in yet another embodiment;

FIG. 6 is a flowchart illustrating a method for detecting ARP spoofing attacks in another embodiment;

FIG. 7 is a flowchart illustrating a method for detecting ARP spoofing attacks in yet another embodiment;

FIG. 8 is a flowchart illustrating a method for detecting ARP spoofing attacks in yet another embodiment;

FIG. 9 is a flowchart illustrating a method for detecting ARP spoofing attacks in yet another embodiment;

FIG. 10 is a flowchart illustrating a method for ARP spoofing attack detection in one embodiment;

FIG. 11 is a flowchart illustrating steps of a process for constructing a reference library in an ARP spoofing attack detection method according to an embodiment;

FIG. 12 is a flowchart illustrating steps of an ARP spooff attack detection process in the ARP spoofing attack detection method in one embodiment;

FIG. 13 is a block diagram showing the structure of an ARP spoofing attack detecting apparatus according to an embodiment;

FIG. 14 is a diagram illustrating an internal structure of a computer device according to an embodiment.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

The ARP spoofing attack detection method can be applied to the application environment shown in FIG. 1. Wherein the terminal 102 communicates with the server 104 via a network. The terminal 102 acquires the mirror image flow of each host in the local area network to be analyzed from the server; and extracting an ARP reply message from the mirror image flow; according to the MAC address and the IP address carried by the ARP reply message, the terminal 102 performs preliminary detection on the ARP reply message by constructing a mapping table of the MAC address and the IP address; when the initial detection result is abnormal, the terminal 102 replies message information according to the ARP to generate a target characteristic vector corresponding to the host; based on a preset reference library, the terminal 102 performs secondary detection on the target feature vector to determine whether an ARP spoofing attack exists. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, the server 104 may be implemented by an independent server or a server cluster composed of a plurality of servers, and the method may be applied to a system including a terminal and a server, and implemented by interaction between the terminal and the server.

In an embodiment, as shown in fig. 2, an ARP spoofing attack detection method is provided, which is described by taking the method as an example applied to the terminal in fig. 1, where the terminal may be a local host, and the method includes the following steps:

step 202, obtaining the mirror image flow of each host in the local area network to be analyzed, and extracting the ARP reply message from the mirror image flow.

The mirror flow is acquired through a tool after the switch is configured, the switch can be configured to enable the mirror flow of each host in the local area network to be accessed into a system of the local host, the mirror flow is captured in the local area network through a DPDK (Data Plane Development Kit) tool, and the mirror flow is network flow Data of each host in the local area network acquired through the mirror. The ARP reply message is data carried after mirror image flow analysis, and comprises an MAC address and an IP address.

Specifically, the local host acquires the mirror image traffic of each host in the local area network to be analyzed from the server side through a DPDK (Data Plane Development Kit) tool, and stores the analyzed mirror image traffic in a server memory corresponding to the local host, so that the influence of network card I/O (INPUT/OUTPUT) on the system traffic processing rate is reduced, the traffic analysis speed is increased, and the local host extracts the ARP reply message and the corresponding ARP reply information in the ARP reply message from the mirror image traffic.

And step 204, according to the MAC address and the IP address carried by the ARP reply message, performing preliminary detection on the ARP reply message by constructing a mapping table of the MAC address and the IP address.

The ARP reply message carries an MAC address and an IP address, the MAC address corresponds to the IP address, the mapping table is a table for constructing the mapping relation between the MAC and the IP address, and the mapping table has data records of the corresponding MAC address.

Specifically, the local host searches whether a data record corresponding to the MAC address carried by the ARP reply message exists in a mapping table by constructing the mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply message, determines whether a corresponding MAC address exists in the mapping table according to the data record of the MAC address, and performs preliminary detection on the ARP reply message.

And step 206, when the result of the initial detection is abnormal, generating a target characteristic vector corresponding to the host according to the ARP reply message information.

The condition that the result of the preliminary detection is abnormal means that the data record of the MAC address in the mapping table has the MAC address carried by the corresponding ARP reply message, but the IP address corresponding to the MAC address in the mapping table is not consistent with the IP address carried by the ARP reply message. The ARP reply message information is carried by the ARP reply message, the target characteristic vector is generated according to the attribute value in the ARP reply message information, the target characteristic vector is obtained according to each attribute value, and the target characteristic vector comprises a target P_src(target asset MAC is the destination packet for the source addressNumber), target P_dst(target asset MAC is the target packet number of the destination address), target RR_Dup(the same target number of ARP replies detected two times before and after), target RR_Diff(the target number of ARP replies detected twice before and after different), the target MI (the target IP information number corresponding to the target asset MAC), and the target IM (the asset MAC number corresponding to the target IP information).

Specifically, when the initial detection result is abnormal, the local host extracts attribute information corresponding to the asset MAC from the ARP reply message information based on a preset time interval, generates a target feature vector corresponding to the asset MAC according to the attribute information, standardizes the target feature vector to obtain a standardized target feature vector, and updates the standardized target feature vector to the target feature vector.

And step 208, carrying out secondary detection on the target characteristic vector based on a preset reference library, and determining whether ARP spoofing attack exists or not.

The method comprises the steps that a reference library is preset, the reference library comprises a normal-class standardized asset vector set, standardized asset vectors are obtained by standardizing feature vectors, normal classes and abnormal classes can be obtained by clustering the standardized asset vectors, clustering processing is based on a clustering method, secondary detection is used for detecting whether target feature vectors are normal classes, whether ARP spoofing attacks exist can be detected through the secondary detection, the ARP spoofing attacks are ARP speofs, and malicious ARP reply messages are sent to a target host in a local area network to cause the class of malicious attack behaviors of the ARP cache table entries of ARP targets to be replaced maliciously.

Specifically, based on a preset reference library, the local host performs secondary detection on the target feature vector, calculates whether the current target feature vector falls into a normal class, and if the current target feature vector falls into the normal class, the current target feature vector is regarded as a normal behavior, and if the current target feature vector does not fall into the normal class, an ARP spoofing attack behavior exists, and alarm information is sent and displayed on a system of the local host.

In the ARP spoofing attack detection method, the mirror flow of each host in the local area network to be analyzed is obtained; extracting an ARP reply message from the mirror image flow; the detection range can be enlarged, the massive global detection range is reached, the data are acquired in a one-to-one correspondence mode, the accuracy of information acquisition is guaranteed, and according to the MAC address and the IP address carried by the ARP reply message, the ARP reply message is subjected to preliminary detection by constructing a mapping table of the MAC address and the IP address; mapping relations between the MAC addresses and the IP addresses are in one-to-one correspondence in the mapping tables, abnormal conditions can be effectively captured, and when the result of initial detection is abnormal, message information is replied according to the ARP to generate target feature vectors corresponding to the host; the method has the advantages that the target characteristic vector is secondarily detected based on the preset reference library, whether ARP spoofing attack exists or not is determined, the target characteristic vector is detected based on the reference library, the detection accuracy is improved, the method widens the abnormal analysis range of the system by accessing the flow of the mirror image port of the switch, breaks through the limitation of only detecting a local host, and realizes the ARP spoofs attack behavior of other assets in the local area network. And the asset reference library is used as a judgment condition for ARP spooff attack, so that the detection accuracy can be effectively improved, and the invalid alarm amount processed by the operation and maintenance attendant on duty every day can be reduced. The method can accurately capture ARP spoofing attack, achieves ARP spoofing detection of each host in the local area network, and achieves accurate and comprehensive ARP spoofing detection.

In one embodiment, as shown in fig. 3, performing secondary detection on the target feature vector based on a preset reference library, before determining whether there is an ARP spoofing attack, that is, before step 208, further includes:

step 302, obtaining historical network traffic data corresponding to the host.

The historical network traffic data refers to historical network communication traffic data, and the host refers to all hosts in the local area network. The local host acquires historical network flow data corresponding to each host in the local area network, and the acquired historical network flow data is not less than one week.

And 304, performing data modeling according to the historical network traffic data to obtain a feature vector corresponding to the host.

Extracting a MAC address corresponding to each asset from historical network flow data, extracting corresponding attribute information according to the MAC address corresponding to each asset based on a preset time interval, wherein the attribute information comprises attribute values, and taking all the attribute values in the attribute information as corresponding feature vectors of the asset within the change time, and the feature vectors are asset vectors, wherein one asset can be a host.

Step 306, the feature vector is normalized to obtain a normalized feature vector.

The local host normalizes the feature vector, and normalizes each attribute value, for example, sets one of the attribute value sets a, removes the maximum value and the minimum value of a, and obtains the average value of the attribute as the reference value B of the attribute_AAnd dividing all the attribute values in the asset vector by the reference values of the corresponding attribute value sets respectively to obtain a standardized asset vector, namely the standardized feature vector.

And 308, clustering the standardized feature vectors, and constructing a reference library according to a clustering result.

In one embodiment, the local host forms the standardized feature vectors into a standardized feature vector set, clustering processing is performed on the standardized feature vectors by a clustering method, the result of clustering processing is to divide the standardized feature vector set into a normal class and an abnormal class, the standardized feature vectors corresponding to the abnormal classes are discarded according to a preset clustering requirement, clustering processing is performed again until the obtained clustering result meets the preset clustering requirement, a final standardized feature vector is obtained, and a corresponding reference library is constructed.

In the embodiment, historical network flow data corresponding to a host is obtained, data modeling is performed according to the historical network flow data to obtain characteristic vectors corresponding to the host, the data are obtained in a one-to-one correspondence mode, accuracy of obtained information is guaranteed, the characteristic vectors are subjected to standardization processing to obtain standardized characteristic vectors, the standardized characteristic vectors are clustered, a benchmark reference library is built according to clustering results, the benchmark reference library built according to the characteristic vectors is used as a judgment condition for subsequent ARP spoofs attacks, detection accuracy can be effectively improved, and invalid alarm amount processed by operation and maintenance staff on duty every day is reduced.

In one embodiment, as shown in fig. 4, data modeling is performed according to the historical network traffic data to obtain a feature vector corresponding to the host, that is, step 304 includes:

step 402, acquiring attribute information corresponding to the host from historical network traffic data based on a preset time interval.

In one embodiment, the time interval may be set according to actual needs. Taking the setting of the time interval to 5 seconds as an example, the local host acquires the MAC address corresponding to each asset from the historical network traffic data every 5 seconds, extracts corresponding attribute information according to the MAC address corresponding to each host, wherein the attribute information comprises P_src(number of packets with asset MAC as source address), P_dst(packet number with asset MAC as destination Address), RR_Dup(the same number of ARP replies detected two times before and after), RR_DiffAttribute value sets of (the number of ARP replies detected two times before and after different), MI (the number of IP information corresponding to asset MAC), IM, and (the number of asset MAC corresponding to IP information).

Step 404, generating a feature vector corresponding to the host according to the attribute information.

In one embodiment, P contained in the attribute information is converted into P according to the attribute information_src、P_dst、RR_Dup、RR_DiffAll attribute values in MI and IM are used as the corresponding feature vector of the asset in the time, where the feature vector set may be represented as V ═ V<P_src，P_dst，RR_Dup，RR_Diff，MI，IM>。

In this embodiment, the attribute information corresponding to the host is acquired from the historical network traffic data based on the preset time interval, and the feature vector corresponding to the host is generated according to the plurality of attribute information acquired at the time interval, so that the accuracy of the acquired information is ensured.

In one embodiment, as shown in fig. 5, the normalized feature vectors are clustered, and a reference library is constructed according to the clustering result, i.e. step 308 includes:

step 502, performing clustering processing on the normalized feature vectors to obtain clustering results, wherein the clustering results comprise an abnormal class and a normal class.

In one embodiment, the normalized feature vectors form a normalized feature vector set SV, the local host performs clustering processing on the SV by a clustering method, and the result of the clustering processing is to divide the SV into a normal class and an abnormal class, where the normal class is a class with a larger cluster obtained by the clustering processing, and the abnormal class is a class with a smaller cluster obtained by the clustering processing.

And 504, when the clustering result does not meet the preset clustering requirement, discarding the standardized feature vectors corresponding to the abnormal classes, and performing clustering again until the obtained clustering result meets the preset clustering requirement, wherein the preset clustering requirement comprises that the number difference value of the abnormal classes and the normal classes meets the preset difference value requirement or the ratio of the intra-class distance to the inter-class distance of the abnormal classes and the normal classes is greater than a preset value.

In one embodiment, when the clustering result does not meet the preset clustering requirement, discarding the normalized feature vector corresponding to the abnormal class, and performing clustering again until the obtained clustering result meets the preset clustering requirement, specifically, comparing the normal class with the abnormal class, where meeting the preset clustering requirement includes two cases, where when the number difference between the abnormal class and the normal class meets the preset difference requirement, the first case is when the preset difference requirement is greater than zero, that is, when the number of the normal class is greater than the number of the abnormal class, and the ratio of SV is greater than 50%, at this time, a corresponding reference library is constructed according to the normalized feature vector of the normal class. And in the second case, the preset difference value is required to be zero when the normal class minus the abnormal class is equal to the preset value, the ratio of the intra-class distance to the inter-class distance is calculated, taking the preset value as 25% as an example, and when the ratio of the intra-class distance to the inter-class distance of the normal class to the abnormal class is greater than 25%, constructing a corresponding reference library according to the standardized feature vector of the normal class, wherein the inter-class distance is the central distance of the two classes.

In this embodiment, a clustering result is obtained by clustering the standardized feature vectors, where the clustering result includes an abnormal class and a normal class, and when the clustering result does not meet a preset clustering requirement, discarding the standardized feature vectors corresponding to the abnormal class, and performing clustering again until the obtained clustering result meets the preset clustering requirement, where the preset clustering requirement includes that a number difference between the abnormal class and the normal class meets a preset difference requirement or a ratio of an intra-class distance to an inter-class distance between the abnormal class and the normal class is greater than a preset value. By taking the reference library as a judgment condition for ARP spooff attack, the detection accuracy can be effectively improved, and the invalid alarm amount processed by the operation and maintenance attendant on duty every day is reduced. The method can accurately capture ARP spoofing attack, achieves ARP spoofing detection of each host in the local area network, and achieves accurate and comprehensive ARP spoofing detection.

In an embodiment, as shown in fig. 6, according to the MAC address and the IP address carried in the ARP reply packet, a mapping table of the MAC address and the IP address is constructed to perform preliminary detection on the ARP reply packet, that is, step 204 includes:

step 602, according to a message sequence formed by the ARP reply message to be detected, a mapping table is constructed, wherein the mapping table includes the MAC address and the IP address carried by the first message in the message sequence.

In one embodiment, according to a message sequence formed by an ARP reply message to be detected, extracting corresponding ARP reply information from the ARP reply message to be detected, and analyzing MAC information and IP information in the ARP reply information, where the MAC information refers to an MAC address and the IP information refers to an IP address, that is, an ARP reply message carries an MAC address and an IP address, the MAC address corresponds to the IP address, and a mapping table tmi (table of MAC to IP address) is constructed, where the mapping table includes the MAC address and the IP address carried by a first message in the message sequence. The mapping table is a table for constructing the mapping relationship between the MAC and the IP address, the mapping table has corresponding data records of the MAC, and the corresponding mapping IP address is obtained according to the data records of the MAC address.

And step 604, when the MAC address carried by the message to be detected in the message sequence exists in the mapping table, extracting the mapping IP address of the MAC address from the mapping table.

In one embodiment, when the MAC address carried by the to-be-detected ARP reply message in the message sequence has a corresponding MAC record in the mapping table TMI, the mapping IP address is compared with the IP address carried by the to-be-detected ARP reply message in the message sequence according to the mapping IP address corresponding to the MAC address in the MAC record, so as to obtain a comparison result, where the message sequence is formed according to the to-be-detected ARP reply message, the to-be-detected message is one to-be-detected ARP reply message waiting for detection in the message sequence, and the detection is performed on all ARP reply messages in the message sequence one by one.

And 606, judging that the preliminary detection result of the ARP reply message is abnormal when the mapping IP address is inconsistent with the IP address carried by the message to be detected.

In one embodiment, when the comparison result is that the mapping IP address is inconsistent with the IP address carried by the message to be detected, it is determined that the preliminary detection result of the ARP reply message is abnormal, where the mapping IP address is the corresponding mapping IP address obtained according to the data record of the MAC address in the mapping table TMI, the preliminary detection result is the detection processing performed on the ARP reply message based on the mapping table, and the preliminary detection is performed on all ARP reply messages in the message sequence one by one.

In the embodiment, a mapping table is constructed according to a message sequence formed by ARP reply messages to be detected, wherein the mapping table comprises an MAC address and an IP address carried by a first message in the message sequence, when the MAC address carried by the messages to be detected in the message sequence exists in the mapping table, a mapping IP address of the MAC address is extracted from the mapping table, and when the mapping IP address is inconsistent with the IP address carried by the messages to be detected, the condition that an initial detection result of the ARP reply messages is abnormal can be achieved, and the initial detection of the ARP reply messages can be carried out by constructing the mapping table of the MAC address and the IP address; the mapping relation between the MAC address and the IP address is one-to-one corresponding to the mapping table, so that the abnormal condition of the ARP reply message can be effectively captured, and the ARP spooff attack can be preliminarily detected.

In an embodiment, as shown in fig. 7, after constructing the mapping table according to the message sequence formed by the ARP reply message to be detected, that is, after step 602, the method further includes:

step 702, when the MAC address carried by the message to be detected in the message sequence does not exist in the mapping table, the MAC address and the IP address carried by the message to be processed are updated to the mapping table.

In one embodiment, when the MAC address carried by the to-be-detected message in the message sequence does not exist in the mapping table TMI, it is determined that the preliminary detection result of the ARP reply message is not abnormal, and at this time, when the mapping table TMI does not have a corresponding MAC record, the MAC address and the IP address carried by the to-be-processed message are updated to the mapping table TMI, and are added to the mapping table TMI as a new MAC record.

In the embodiment, when the MAC address carried by the to-be-detected message in the message sequence does not exist in the mapping table, the MAC address and the IP address carried by the to-be-processed message are updated to the mapping table, so that the mapping table TMI can be updated in real time, the detection range is effectively expanded by updating the mapping table TMI in real time, the abnormal condition of the ARP reply message can be captured more effectively, and the ARP speof attack is preliminarily detected.

In one embodiment, as shown in fig. 8, the target feature vector is secondarily detected based on a preset reference library to determine whether there is an ARP spoofing attack, that is, step 208 includes:

step 802, obtaining a central point of a normal class in a preset reference library.

In one embodiment, the local host obtains a central point of a normal class in a preset reference library, wherein the preset reference library is constructed according to a normal class standardized feature vector set, and the central point is a central point of a standardized feature vector in the normal class.

And step 804, calculating the distance between the target characteristic vector and the central point.

In one embodiment, the local host computes a target feature vector target P_srcTarget P_dstTarget RR_DupTarget RR_DiffTarget MI and distance of target IM from the center point.

And step 806, when the distance is smaller than the intra-class distance of the normal class, judging that the ARP spoofing attack does not exist.

In one embodiment, when the distance between the target feature vector and the central point is smaller than the intra-class distance of the normal class, that is, the target feature vector falls in the normal class, it is determined that there is no ARP spoofing attack.

And 808, judging that the ARP spoofing attack exists when the distance is not less than the intra-class distance of the normal class.

In one embodiment, when the distance between the target feature vector and the central point is not less than the intra-class distance of the normal class, that is, the target feature vector does not have the normal class, an abnormality exists at the time, and it is determined that an ARP spoofing attack exists.

In the embodiment, the distance between the target characteristic vector and the central point is calculated by acquiring the central point of a normal class in a preset reference library, when the distance is smaller than the intra-class distance of the normal class, it is determined that the ARP spoofing attack does not exist, when the distance is not smaller than the intra-class distance of the normal class, it is determined that the ARP spoofing attack exists, through secondary detection, it is determined whether the ARP spoofing attack exists, the reference library is used as a reference, and through detection of the target characteristic vector, the detection accuracy is improved.

In one embodiment, as shown in fig. 9, there is provided an ARP spoofing attack detection method including the following steps 902 to 932.

Step 902, obtaining the mirror flow of each host in the local area network to be analyzed, and extracting the ARP reply message from the mirror flow.

And 904, constructing a mapping table according to a message sequence formed by the ARP reply message to be detected, wherein the mapping table comprises the MAC address and the IP address carried by the first message in the message sequence.

Step 906, when the MAC address carried by the message to be detected in the message sequence does not exist in the mapping table, the MAC address and the IP address carried by the message to be processed are updated to the mapping table.

And 908, when the MAC address carried by the message to be detected in the message sequence exists in the mapping table, extracting the mapping IP address of the MAC address from the mapping table.

And step 910, when the mapping IP address is inconsistent with the IP address carried by the message to be detected, judging that the primary detection result of the ARP reply message is abnormal.

And 912, when the result of the initial detection is abnormal, generating a target characteristic vector corresponding to the host according to the ARP reply message information.

Step 914, obtain the historical network traffic data corresponding to the host.

Step 916, acquiring the attribute information corresponding to the host from the historical network traffic data based on the preset time interval.

Step 918, generating a feature vector corresponding to the host according to the attribute information.

Step 920, standardizing the feature vector to obtain a standardized feature vector.

Step 922, clustering the standardized feature vectors to obtain clustering results, wherein the clustering results comprise abnormal classes and normal classes;

and 924, when the clustering result does not meet the preset clustering requirement, discarding the standardized feature vectors corresponding to the abnormal classes, performing clustering again until the obtained clustering result meets the preset clustering requirement, and constructing a reference library according to the clustering result meeting the preset clustering requirement.

In step 926, the center point of the normal class in the preset reference library is obtained.

Step 928, calculating the distance between the target feature vector and the central point.

In step 930, when the distance is smaller than the intra-class distance of the normal class, it is determined that there is no ARP spoofing attack.

Step 932, when the distance is not less than the intra-class distance of the normal class, determining that an ARP spoofing attack exists.

In an application example, the present application further provides an application scenario, as shown in fig. 10, where the application scenario applies the ARP spoofing attack detection method described above. Specifically, the application of the ARP spoofing attack detection method in the application scenario is as follows:

in one embodiment, historical traffic is read and an asset vector is constructed. The historical flow refers to historical network flow data corresponding to a host, the asset vector is a vector used for describing a certain time state of an asset, the asset vector is a feature vector, and one asset in the asset vector can be understood as a host. Specifically, a local host acquires historical traffic corresponding to each host in a local area network, acquires historical traffic with time not less than one week, extracts a MAC address corresponding to each asset from the historical traffic, wherein the MAC may also be referred to as an asset, extracts corresponding attribute information according to the MAC address corresponding to each asset based on a preset time interval, the attribute information includes attribute values, and uses all the attribute values in the attribute information as asset vectors corresponding to the asset within the time.

Taking the time interval which can be set to 5 seconds as an example, the local host acquires the MAC address corresponding to each asset from the historical network flow data every 5 seconds, extracts corresponding attribute information according to the MAC address corresponding to each asset, and the attribute information comprises P_src(number of packets with asset MAC as source address), P_dst(packet number with asset MAC as destination Address), RR_Dup(the same number of ARP replies detected two times before and after), RR_Diff(the number of ARP replies detected in two consecutive times, which are different from each other), MI (the number of IP information corresponding to asset MAC) and IM (the number of asset MAC corresponding to IP information) attribute value sets, and P contained in the attribute information is assigned to each attribute value set according to the attribute information_src、P_dst、RR_Dup、RR_DiffAll attribute values in MI and IM are used as the corresponding asset vector of the asset in the time, and the set of asset vectors thereof can be represented as V ═ V<P_src，P_dst，RR_Dup，RR_Diff，MI，IM>。

In one embodiment, asset vectors are normalizedAnd (5) carrying out chemical treatment and constructing a benchmark reference library by a clustering method. The local host normalizes the feature vector, and normalizes each attribute value, for example, sets one of the attribute value sets a, removes the maximum value and the minimum value of a, and obtains the average value of the attribute as the reference value B of the attribute_AAll the attribute values in the asset vector are divided by the reference values of the corresponding attribute value sets to obtain a normalized asset vector, for example, the normalized asset vector may be represented as:

all of the standardized asset vectors described above are formed into a set SV. The local host carries out clustering processing on the SV through a clustering method, and the result of the clustering processing is to divide the SV into a normal class and an abnormal class, wherein the normal class is a class with larger clustering obtained through the clustering processing, and the abnormal class is a class with smaller clustering obtained through the clustering processing. The process of constructing the reference library can refer to fig. 11.

In one embodiment, the DPDK is used for capturing and analyzing the mirror port traffic of the local area network to be analyzed. The DPDK is a data plane development kit, and is a tool capable of acquiring a mirror image flow, where the mirror image port flow is a mirror image flow, and specifically, a local host acquires the mirror image flow of each host in a local area network to be analyzed from a server through the DPDK tool, and stores the analyzed mirror image flow in a server memory corresponding to the local host, so as to reduce the influence of network card I/O (INPUT/OUTPUT) on the system flow processing rate, improve the flow analysis speed, and extract an ARP reply message and corresponding ARP reply information in the ARP reply message from the mirror image flow.

In one embodiment, the ARP reply message is extracted, and an IP MAC mapping table is constructed and maintained. Specifically, according to a message sequence formed by the ARP reply message to be detected, the ARP reply message to be detected carries the MAC address and the IP address, the MAC address corresponds to the IP address, and a mapping table TMI is constructed, wherein the mapping table TMI comprises the MAC address and the IP address carried by the first message in the message sequence. The mapping table is a table for constructing a mapping relation between the MAC and the IP address, the mapping table has data records of the corresponding MAC address, and the corresponding mapped IP address can be obtained according to the data records of the MAC address.

In one embodiment, the current ARP reply message is detected and analyzed by integrating the reference library and the IP MAC mapping table, and whether the ARP reply message is an ARP speofs attack or not is judged.

Firstly, performing preliminary detection according to a mapping table TMI, when an MAC address carried by an ARP reply message to be detected in a message sequence has a data record of a corresponding MAC address in the mapping table TMI, comparing the mapped IP address with an IP address carried by the ARP reply message to be detected in the message sequence according to a mapped IP address corresponding to the MAC address in the data record to obtain a comparison result, wherein the message sequence is formed according to the ARP reply message to be detected, the message to be detected is one ARP reply message waiting for detection in the message sequence, and the detection is to detect all the ARP reply messages in the message sequence one by one. When the MAC address carried by the message to be detected in the message sequence does not exist in the mapping table TMI, judging that the primary detection result of the ARP reply message is not abnormal, and at the moment, updating the MAC address and the IP address carried by the message to be processed to the mapping table TMI when the mapping table TMI does not have corresponding MAC record, and adding the MAC address and the IP address carried by the message to be processed into the mapping table TMI as a new MAC record. And when the comparison result is that the mapping IP address is inconsistent with the IP address carried by the message to be detected, judging that the primary detection result of the ARP reply message is abnormal, wherein the mapping IP address is the mapping IP address which is obtained according to the MAC record in the mapping table TMI and corresponds to the MAC address, the primary detection result is the detection processing of the ARP reply message based on the mapping table, and the primary detection is the detection of all ARP reply messages in the message sequence one by one.

Then, when the result of the primary detection is abnormal, secondary detection is carried out according to the reference library, and the local host recovers message information from the ARP and provides the message information based on a preset time intervalTaking attribute information corresponding to the asset MAC, and generating a target feature vector corresponding to the asset MAC according to the attribute information, wherein the target feature vector is a target asset vector, and the target asset vector comprises a target P_src(target asset MAC is the target packet number for the source address), target P_dst(target asset MAC is the target packet number of the destination address), target RR_Dup(the same target number of ARP replies detected two times before and after), target RR_Diff(the target quantity of ARP replies detected in the two previous and next times is different), the target MI (the target IP information quantity corresponding to the target asset MAC) and the target IM (the quantity of the asset MAC corresponding to the target IP information), standardizing the target asset vector to obtain a standardized target asset vector, and updating the standardized target asset vector into a target special asset vector. The method comprises the steps that a local host acquires a central point of a normal class in a preset reference library, wherein the preset reference library is constructed according to a normal class standardized asset vector set, and the central point is the central point of a standardized asset vector in the normal class. Local host computing target asset vector target P_srcTarget P_dstTarget RR_DupTarget RR_DiffTarget MI and distance of target IM from the center point. And when the distance between the target characteristic vector and the central point is smaller than the intra-class distance of the normal class, namely the target asset vector falls in the normal class, judging that the ARP spoofing attack does not exist. And when the distance between the target asset vector and the central point is not less than the intra-class distance of the normal class, namely the target asset vector does not have the normal class, judging that the ARP spoofing attack exists if the target asset vector is abnormal. And if the detection result is ARP spoof attack, forming an alarm and displaying the alarm in the system. Fig. 12 is a diagram for constructing the detection of the ARP speofs attack.

In the embodiment, the mirror flow of each host in the local area network to be analyzed is obtained; extracting an ARP reply message from the mirror image flow; the detection range can be enlarged, the massive global detection range is reached, the data are acquired in a one-to-one correspondence mode, the accuracy of information acquisition is guaranteed, and according to the MAC address and the IP address carried by the ARP reply message, the ARP reply message is preliminarily detected by constructing a mapping table of the MAC address and the IP address; mapping relations between MAC addresses and IP addresses are in one-to-one correspondence in the mapping tables, ARP reply message abnormal conditions can be effectively captured, and when the initial detection result is abnormal, message information is replied according to ARP, and target feature vectors corresponding to the host are generated; the method has the advantages that the target characteristic vector is secondarily detected based on the preset reference library, whether ARP spoof attack exists or not is determined, the target characteristic vector is detected based on the reference library, the detection accuracy is improved, the method expands the abnormal analysis range of the system by accessing the flow of the mirror image port of the switch, the limitation of only detecting a local host is broken, and the ARP spoof attack behaviors of other assets in the local area network are discovered. And the asset reference library is used as a judgment condition for ARP spooff attack, so that the detection accuracy can be effectively improved, and the invalid alarm amount processed by the operation and maintenance attendant on duty every day can be reduced. The method can accurately capture ARP spoof attacks, achieves ARP spoof all hosts in the local area network to detect, and achieves accurate and comprehensive ARP spoof detection.

It should be understood that, although the steps in the flowcharts in the above embodiments are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in each flowchart may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed alternately or alternately with other steps or at least a part of the steps or stages in other steps.

In one embodiment, as shown in fig. 13, there is provided an ARP spoofing attack detecting apparatus including: a data acquisition module 1302, a preliminary detection module 1304, a vector generation module 1306, and a secondary detection module 1308, wherein:

a data obtaining module 1302, configured to obtain mirror image traffic of each host in the local area network to be analyzed, and extract an ARP reply packet from the mirror image traffic;

a preliminary detection module 1304, configured to perform preliminary detection on the ARP reply packet by constructing a mapping table of the MAC address and the IP address according to the MAC address and the IP address carried by the ARP reply packet;

a vector generation module 1306, configured to generate a target feature vector corresponding to the host according to the ARP reply message information when the result of the initial detection is abnormal;

a secondary detection module 1308, configured to perform secondary detection on the target feature vector based on a preset reference library, and determine whether an ARP spoofing attack exists.

In one embodiment, the ARP spoofing attack detection device further includes a reference library construction module, where the reference library construction module is used to obtain historical network traffic data corresponding to the host; performing data modeling according to historical network flow data to obtain a feature vector corresponding to the host; carrying out standardization processing on the feature vector to obtain a standardized feature vector; and clustering the standardized feature vectors, and constructing a reference library according to a clustering result.

In one embodiment, the reference library construction module is further configured to obtain attribute information corresponding to the host from historical network traffic data based on a preset time interval; and generating a feature vector corresponding to the host according to the attribute information.

In one embodiment, the reference library construction module is further configured to perform clustering processing on the normalized feature vectors to obtain a clustering result, where the clustering result includes an abnormal class and a normal class; and when the clustering result does not accord with the preset clustering requirement, discarding the standardized feature vectors corresponding to the abnormal classes, and performing clustering again until the obtained clustering result accords with the preset clustering requirement, wherein the preset clustering requirement comprises that the number difference value of the abnormal classes and the normal classes meets the preset difference value requirement or the ratio of the intra-class distance and the inter-class distance of the abnormal classes and the normal classes is greater than a preset value.

In one embodiment, the preliminary detection module is further configured to construct a mapping table according to a message sequence formed by the to-be-detected ARP reply message, where the mapping table includes an MAC address and an IP address carried by a first message in the message sequence; when the MAC address carried by the message to be detected in the message sequence exists in the mapping table, extracting the mapping IP address of the MAC address from the mapping table; and when the mapping IP address is inconsistent with the IP address carried by the message to be detected, judging that the preliminary detection result of the ARP reply message is abnormal.

In one embodiment, the preliminary detection module is further configured to update the MAC address and the IP address carried by the to-be-processed packet to the mapping table when the MAC address carried by the to-be-detected packet in the packet sequence does not exist in the mapping table.

In one embodiment, the secondary detection module is further configured to obtain a central point of a normal class in a preset reference library; calculating the distance between the target characteristic vector and the central point; when the distance is smaller than the intra-class distance of the normal class, judging that ARP spoofing attack does not exist; and when the distance is not less than the intra-class distance of the normal class, judging that the ARP spoofing attack exists.

For specific limitations of the ARP spoofing attack detection apparatus, reference may be made to the above limitations of the ARP spoofing attack detection method, which are not described herein again. The modules in the ARP spoofing attack detection device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.

In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 14. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the running of computer programs in the non-volatile storage medium, and the database of the computer device is used for storing network traffic data. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an ARP spoofing attack detection method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.

Those skilled in the art will appreciate that the architecture shown in fig. 14 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.

In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.

The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.