CN101667935A - Method for monitoring network border security - Google Patents
- Publication number
- CN101667935A
- Authority
- CN
- China
- Prior art keywords
- flow
- user
- application system
- monitoring
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The invention discloses a method for monitoring network border security, which monitors the traffic, users and application systems of a network border respectively through a monitoring module. The traffic, user and application system information of the network border acquired by the monitoring module is subjected to association analysis, so that the other monitoring information of the network border can be reached from the information of the traffic, the users or the application systems. Associated monitoring among the traffic, the users and the application systems of the network border forms a relatively complete monitoring system, and by associating the relationships among them, more complete monitoring information can be acquired starting from the traffic, the users or the application systems. The method is particularly helpful for handling and locating security events, thereby achieving the aims of the invention.
Description
Technical field
The present invention relates to a security monitoring method, and in particular to a method for monitoring network border security that is applicable to the field of computer information security.
Background technology
At present, traditional network management systems are concerned only with network hardware and traffic information, and each application system is concerned only with its own business. However, as the demand for interconnection between network systems grows stronger, network information security must be guaranteed while interconnection and intercommunication are achieved. The security of the network border is therefore particularly important to network interconnection: it must ensure that external networks cannot intrude and must also prevent the leakage of internal information; and, while guaranteeing that business interaction proceeds normally, it must provide tight monitoring.
The security of the network border is extremely important to network interconnection, and monitoring the network border is an effective way of ensuring it. Existing network border monitoring methods monitor users, application systems and traffic separately, so the monitoring information of users, application systems or traffic can only be viewed in isolation, and security events cannot be handled and located accurately.
Therefore, a method for monitoring network border security is particularly needed that effectively combines user, application system and traffic monitoring to strengthen the effect of monitoring.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for monitoring network border security that performs associated monitoring of the traffic, users and application systems of the network border, forming a more complete monitoring method. Starting from any one of them, more complete monitoring information can be obtained, which is especially helpful for handling and locating security events.
The technical problem to be solved by the present invention can be solved by the following technical solution:
A method for monitoring network border security, characterized in that the method monitors the traffic, users and application systems of the network border respectively through a monitoring module; the monitoring module performs association analysis on the traffic, user and application system information of the network border obtained by monitoring, so that the information of any one of the traffic, the user or the application system can be linked to the other monitoring information of the network border.
In one embodiment of the invention, the association between traffic and application systems is made by comparing the traffic with the network information of the registered application systems; the traffic is assigned to the individual application systems, so that the traffic information of each application system is known.
In one embodiment of the invention, traffic that is not assigned to any application system is uniformly classified as unregistered traffic.
In one embodiment of the invention, the association between traffic and users is made by associating the source address of the traffic with the user, which locates the user who caused the traffic.
In one embodiment of the invention, if the traffic is unregistered service traffic, attack traffic or traffic with worm characteristics, the associated user can be found through the source address.
In one embodiment of the invention, the association between users and application systems is made by associating the resource information a user accesses with the network resource information registered by the application systems, so that it is known exactly which application system the user is accessing; this facilitates auditing the user's access to application systems and indirectly monitors the permission restrictions on user access.
The method for monitoring network border security of the present invention performs associated monitoring among the traffic, users and application systems at the network border, forming a more complete monitoring system. By associating the relationships among traffic, users and application systems, more complete monitoring information can be obtained starting from the traffic, the users or the application systems, which is especially helpful for handling and locating security events, thereby achieving the purpose of the present invention.
Description of drawings
Fig. 1 is a system application block diagram of the method for monitoring network border security of the present invention;
Fig. 2 is a structure diagram of the security monitoring system of the present invention;
Fig. 3 is a schematic diagram of the association among the application system, traffic and user of the present invention;
Fig. 4 is a flowchart of the association between traffic and application system of the present invention;
Fig. 5 is a flowchart of the association between traffic and user of the present invention;
Fig. 6 is a flowchart of the association between user and application system of the present invention.
Embodiment
To make the technical means, inventive features, objectives and effects of the present invention easy to understand, the invention is further described below with reference to the specific figures.
As shown in Fig. 1, in a method for monitoring network border security, a security monitoring system is arranged at the network border between networks. The security monitoring system comprises monitoring modules that monitor the traffic, users and application systems of the network border respectively. Association analysis is performed on the traffic, user and application system information of the network border obtained by the monitoring modules, so that the complete monitoring information of the traffic, users and application systems of the network border can be obtained from the information of any one of them.
As shown in Fig. 2, in one embodiment of the invention, the security monitoring system comprises an application registration management module, a network traffic detection module and an authorized access control module, which monitor the application systems, traffic and users of the network border respectively, as follows:
The application registration management module monitors the application systems; it registers, for each application system, application system information such as the resource addresses that need to be accessed, the port range and the protocol.
The network traffic detection module monitors the traffic; it collects traffic information on the network, including source address, destination address, source port, destination port, protocol, byte count and packet count.
The authorized access control module monitors the users; it controls the information that terminal users access, and records each user's source address, accessed address and port.
The user is the subject that accesses the application system, and the application system is the object being accessed. At the same time, a user's access to an application system generates network traffic, which can be regarded as the objective result of user behaviour. Associations therefore arise among the application system, the traffic and the user.
From the user's perspective, we can know which application systems a user accessed and which traffic was caused. From the application system's perspective, we can tell which traffic was caused by access to the application system and which users accessed it. From the traffic's perspective, we can know which user and which application system the traffic relates to. Once a security event occurs, related information can be linked more quickly to provide more clues, which shortens the time needed to locate the event and makes it easier to handle the security event quickly.
As shown in Fig. 3, the associations among the application system, traffic and user are as follows:
Association between traffic and application system
In one embodiment of the invention, the association between traffic and application systems is made by comparing the traffic with the network information of the registered application systems; the traffic is assigned to the individual application systems, so that the traffic information of each application system is known.
Traffic that is not assigned to any application system is uniformly classified as unregistered traffic.
Network administrators can focus on the information of unregistered traffic and on whether it is related to network anomalies, attacks, or viruses and worms. (See Fig. 4.)
Association between traffic and user
In one embodiment of the invention, the association between traffic and users is made by associating the source address of the traffic with the user, which locates the user who caused the traffic.
In one embodiment of the invention, if the traffic is unregistered service traffic, attack traffic or traffic with worm characteristics, the associated user can be found through the source address, and the security event can be handled at its source. (See Fig. 5.)
Association between user and application system
In one embodiment of the invention, the association between users and application systems is made by associating the resource information a user accesses with the network resource information registered by the application systems, so that it is known exactly which application system the user is accessing; this facilitates auditing the user's access to application systems and indirectly monitors the permission restrictions on user access. (See Fig. 6.)
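The three associations described above can be sketched as a join over the record types the three modules collect. The following Python is an added illustration, not code from the patent; the record field names, the `correlate` and `match_app` helpers, and the sample addresses are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Record layouts mirror the fields each module is said to collect;
# the field names themselves are hypothetical.
App = namedtuple("App", "name network ports protocol")        # registration
Flow = namedtuple("Flow", "src dst sport dport protocol nbytes packets")
Access = namedtuple("Access", "user src dst port")            # access control
UNREGISTERED = "unregistered"

def match_app(apps, dst, port, protocol=None):
    """Return the name of the registered application owning dst:port."""
    addr = ipaddress.ip_address(dst)
    for app in apps:
        if (addr in ipaddress.ip_network(app.network)
                and port in app.ports
                and protocol in (None, app.protocol)):
            return app.name
    return UNREGISTERED

def correlate(apps, accesses, flows):
    """Join the three record types into per-flow rows and two summaries."""
    user_by_src = {a.src: a.user for a in accesses}
    rows, bytes_per_app, apps_per_user = [], defaultdict(int), defaultdict(set)
    for f in flows:
        app = match_app(apps, f.dst, f.dport, f.protocol)   # traffic -> app
        user = user_by_src.get(f.src, "unknown")            # traffic -> user
        rows.append({"flow": f, "app": app, "user": user})
        bytes_per_app[app] += f.nbytes
    for a in accesses:                                      # user -> app
        apps_per_user[a.user].add(match_app(apps, a.dst, a.port))
    return rows, dict(bytes_per_app), dict(apps_per_user)

def unregistered_sources(rows):
    """Users behind unregistered traffic: where triage would start."""
    return sorted({r["user"] for r in rows if r["app"] == UNREGISTERED})

# Constructed sample records (RFC 5737 documentation addresses).
APPS = [App("hr-portal", "192.0.2.10/32", range(443, 444), "tcp"),
        App("mail", "192.0.2.20/32", range(25, 26), "tcp")]
ACCESSES = [Access("alice", "198.51.100.5", "192.0.2.10", 443),
            Access("bob", "198.51.100.9", "192.0.2.20", 25)]
FLOWS = [Flow("198.51.100.5", "192.0.2.10", 50000, 443, "tcp", 1200, 10),
         Flow("198.51.100.9", "192.0.2.20", 50001, 25, "tcp", 800, 6),
         Flow("198.51.100.9", "192.0.2.77", 50002, 445, "tcp", 40000, 300)]

if __name__ == "__main__":
    rows, per_app, per_user = correlate(APPS, ACCESSES, FLOWS)
    print(per_app, per_user, unregistered_sources(rows))
```

Attribution by source address holds only while that address is bound to one user; behind NAT or with short DHCP leases the access record's timestamp would also have to match the flow's.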
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the embodiments and the specification merely illustrate the principles of the invention. Various changes and improvements may be made without departing from the spirit and scope of the invention, and all such changes and improvements fall within the scope of the claimed invention. The claimed scope of the invention is defined by the appended claims and their equivalents.
Claims (6)
1. A method for monitoring network border security, characterized in that the method monitors the traffic, users and application systems of the network border respectively through a monitoring module; the monitoring module performs association analysis on the traffic, user and application system information of the network border obtained by monitoring, so that the information of any one of the traffic, the user or the application system can be linked to the other monitoring information of the network border.
2. The method for monitoring network border security as claimed in claim 1, characterized in that the association between traffic and application systems is made by comparing the traffic with the network information of the registered application systems; the traffic is assigned to the individual application systems, so that the traffic information of each application system is known.
3. The method for monitoring network border security as claimed in claim 2, characterized in that traffic that is not assigned to any application system is uniformly classified as unregistered traffic.
4. The method for monitoring network border security as claimed in claim 1, characterized in that the association between traffic and users is made by associating the source address of the traffic with the user, which locates the user who caused the traffic.
5. The method for monitoring network border security as claimed in claim 4, characterized in that, if the traffic is unregistered service traffic, attack traffic or traffic with worm characteristics, the associated user can be found through the source address.
6. The method for monitoring network border security as claimed in claim 1, characterized in that the association between users and application systems is made by associating the resource information a user accesses with the network resource information registered by the application systems, so that it is known exactly which application system the user is accessing; this facilitates auditing the user's access to application systems and indirectly monitors the permission restrictions on user access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810042561A CN101667935A (en) | 2008-09-05 | 2008-09-05 | Method for monitoring network border security |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101667935A (en) | 2010-03-10 |
Family
ID=41804388
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810042561A Pending CN101667935A (en) | 2008-09-05 | 2008-09-05 | Method for monitoring network border security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101667935A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication | Open date: 20100310 |