DoS 检测支持vsys id

src/main/java/com/zdjizhi/etl/DosDetection.java

@@ -7,9 +7,10 @@ import inet.ipaddr.IPAddressString;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.text.StrBuilder;
 import org.apache.commons.lang3.concurrent.BasicThreadFactory;
-import org.apache.flink.api.common.functions.RichMapFunction;
 import org.apache.flink.configuration.Configuration;
 import org.apache.flink.shaded.guava18.com.google.common.collect.TreeRangeMap;
+import org.apache.flink.streaming.api.functions.ProcessFunction;
+import org.apache.flink.util.Collector;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -23,12 +24,12 @@ import java.util.concurrent.TimeUnit;
 /**
  * @author wlh
  */
-public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
+public class DosDetection extends ProcessFunction<DosSketchLog, DosEventLog> {
 
     private static final Logger logger = LoggerFactory.getLogger(DosDetection.class);
     private static Map<String, Map<String, DosBaselineThreshold>> baselineMap = new HashMap<>();
     private final static NumberFormat PERCENT_INSTANCE = NumberFormat.getPercentInstance();
-    private HashMap<String, TreeRangeMap<IPAddress, DosDetectionThreshold>> thresholdRangeMap;
+    private HashMap<Integer,HashMap<String, TreeRangeMap<IPAddress, DosDetectionThreshold>>> thresholdRangeMap;
 
     private final static int BASELINE_SIZE = 144;
     private final static int STATIC_CONDITION_TYPE = 1;
@@ -58,28 +59,40 @@ public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
     }
 
     @Override
-    public DosEventLog map(DosSketchLog value) {
-        DosEventLog finalResult = null;
+    public void processElement(DosSketchLog value, Context ctx, Collector<DosEventLog> out) {
+        ArrayList<DosEventLog> finalResults = new ArrayList<>();
         try {
             String destinationIp = value.getDestination_ip();
+            int vsysId = value.getVsys_id();
+            String key = destinationIp + "-" + vsysId;
             String attackType = value.getAttack_type();
             IPAddress destinationIpAddress = new IPAddressString(destinationIp).getAddress();
-            DosDetectionThreshold threshold = thresholdRangeMap.getOrDefault(attackType, TreeRangeMap.create()).get(destinationIpAddress);
-            logger.debug("当前判断IP：{}, 类型: {}", destinationIp, attackType);
-            if (threshold == null && baselineMap.containsKey(destinationIp)) {
-                finalResult = getDosEventLogByBaseline(value);
-            } else if (threshold == null && !baselineMap.containsKey(destinationIp)) {
-                finalResult = getDosEventLogBySensitivityThreshold(value);
+
+            DosDetectionThreshold threshold = null;
+            if (thresholdRangeMap.containsKey(vsysId)){
+                threshold = thresholdRangeMap.get(vsysId).getOrDefault(attackType, TreeRangeMap.create()).get(destinationIpAddress);
+            }
+
+            logger.debug("当前判断IP：{}, 类型: {}", key, attackType);
+            if (threshold == null && baselineMap.containsKey(key)) {
+                DosEventLog finalResult = getDosEventLogByBaseline(value,key);
+                finalResults.add(finalResult);
+            } else if (threshold == null && !baselineMap.containsKey(key)) {
+                DosEventLog finalResult = getDosEventLogBySensitivityThreshold(value);
+                finalResults.add(finalResult);
             } else if (threshold != null) {
-                finalResult = getDosEventLogByStaticThreshold(value, threshold);
+                finalResults = getDosEventLogByStaticThreshold(value, threshold);
             } else {
-                logger.debug("未获取到当前server IP：{} 类型 {} 静态阈值 和 baseline", destinationIp, attackType);
+                logger.debug("未获取到当前server IP：{} 类型 {} 静态阈值 和 baseline", key, attackType);
             }
 
         } catch (Exception e) {
             logger.error("判定失败\n {} \n{}", value, e);
         }
-        return finalResult;
+
+        for (DosEventLog dosEventLog:finalResults){
+            out.collect(dosEventLog);
+        }
     }
 
     private DosEventLog getDosEventLogBySensitivityThreshold(DosSketchLog value) {
@@ -93,13 +106,12 @@ public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
         return result;
     }
 
-    private DosEventLog getDosEventLogByBaseline(DosSketchLog value) {
+    private DosEventLog getDosEventLogByBaseline(DosSketchLog value,String key) {
         DosEventLog result = null;
-        String destinationIp = value.getDestination_ip();
         String attackType = value.getAttack_type();
         long sketchSessions = value.getSketch_sessions();
         if (sketchSessions > NacosUtils.getIntProperty("static.sensitivity.threshold")) {
-            DosBaselineThreshold dosBaselineThreshold = baselineMap.get(destinationIp).get(attackType);
+            DosBaselineThreshold dosBaselineThreshold = baselineMap.get(key).get(attackType);
             Integer base = getBaseValue(dosBaselineThreshold, value);
             long diff = sketchSessions - base;
             result = getDosEventLog(value, base, diff, BASELINE_CONDITION_TYPE, SESSIONS_TAG);
@@ -107,7 +119,7 @@ public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
         return result;
     }
 
-    private DosEventLog getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) {
+    private ArrayList<DosEventLog> getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) throws CloneNotSupportedException {
         long base = threshold.getSessionsPerSec();
         long diff = value.getSketch_sessions() - base;
         DosEventLog result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, SESSIONS_TAG);
@@ -121,7 +133,18 @@ public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
                 result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, BITS_TAG);
             }
         }
-        return result;
+        ArrayList<DosEventLog> dosEventLogs = new ArrayList<>();
+        dosEventLogs.add(result);
+        Integer[] superiorIds = threshold.getSuperiorIds();
+        if (superiorIds != null && superiorIds.length > 0){
+            for (Integer integer:superiorIds){
+                DosEventLog clone = (DosEventLog) result.clone();
+                clone.setVsys_id(integer);
+                clone.setLog_id(SnowflakeId.generateId());
+                dosEventLogs.add(clone);
+            }
+        }
+        return dosEventLogs;
     }
 
     private DosEventLog getDosEventLog(DosSketchLog value, long base, long diff, int type, String tag) {
@@ -148,7 +171,7 @@ public class DosDetection extends RichMapFunction<DosSketchLog, DosEventLog> {
     private DosEventLog getResult(DosSketchLog value, long base, Severity severity, double percent, int type, String tag) {
         DosEventLog dosEventLog = new DosEventLog();
         dosEventLog.setLog_id(SnowflakeId.generateId());
-        dosEventLog.setCommon_vsys_id(1);
+        dosEventLog.setVsys_id(value.getVsys_id());
         dosEventLog.setStart_time(value.getSketch_start_time());
         dosEventLog.setEnd_time(value.getSketch_start_time() + value.getSketch_duration());
         dosEventLog.setAttack_type(value.getAttack_type());