CN102082728B - Dynamic loading method for filtering rules of network audit system - Google Patents


Info

Publication number: CN102082728B
Authority: CN (China)
Prior art keywords: filtering rule, order, filtering, packet, modification
Legal status: Active
Application number: CN2010106116817A
Other languages: Chinese (zh)
Other versions: CN102082728A (en)
Inventor: 杜欣
Current assignee: Beijing Ruian Technology Co Ltd
Original assignee: Beijing Ruian Technology Co Ltd
Priority date and filing date: 2010-12-28 (priority to CN2010106116817A)
Publication dates: CN102082728A published 2011-06-01; CN102082728B granted 2012-07-25

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dynamic loading method for the filtering rules of a network audit system, which belongs to the field of network auditing. The method comprises the following steps: 1) establishing a filtering sub-module for each decoding module of the system, and storing a filtering rule file into the filter rule table of each filtering sub-module; 2) comparing the filtering rule file newly loaded while the system is running with the filtering rule file currently stored locally, and generating filtering rule modification commands; 3) having the system package the filtering rule modification commands into a modification command packet and send that packet to the input module; 4) having the input module recognize the modification command packet and send it to each decoding module; 5) having the decoding modules send the parsed filtering rule modification commands to their filtering sub-modules; and 6) having each filtering sub-module modify its filter rule table according to the filtering rule modification commands. With this method the update is performed directly on the filter rule tables, the safety of system operation is greatly improved, and the coupling strength of the system is increased at the same time.

Description

Dynamic loading method for the filtering rules of a network audit system
Technical field
The present invention relates to a dynamic loading method for the filtering rules of a network audit system. It belongs to the field of network auditing and can be used to improve the performance with which a network audit system loads filtering rules.
Background art
With the rapid growth of Internet bandwidth and applications, the volume of data handled by a network audit system keeps increasing. Finding the data we care about within this mass of data requires a set of our own filtering rules. The essence of a filtering rule is the critical data we need to watch for, such as an IP address, a user name, an application protocol or a keyword. Through these filtering rules the network audit system can filter the data it intercepts and output the data we want.
Filtering rules are not fixed, however: rules must be deleted and added according to our needs. A network audit system is also a system with very high performance and real-time requirements, so we need to modify the filtering rules while the system is running and keep the impact on the system to a minimum.
For performance reasons the filtering rules of a network audit system are generally stored in an in-memory database built into the system, which we call the filter rule table. When the system obtains new rules it modifies the filter rule table by adding or deleting entries; the modification process can be decomposed into two steps, deleting first and then adding.
In existing network audit systems, modifying the filter rule table often requires the system to stop working and to resume only after the modification is finished, which can cause the loss of some critical data. It also increases the coupling strength between modules.
Summary of the invention
To address the deficiencies of the dynamic loading methods for filtering rules in existing network audit systems, the object of the present invention is to provide a dynamic loading method for the filtering rules of a network audit system.
The technical scheme of the present invention is as follows:
A dynamic loading method for the filtering rules of a network audit system, comprising the steps of:
1) the network audit system establishes one filtering sub-module for each decoder module of the system, scans the filtering rule file in local storage and stores it into the filter rule table of each filtering sub-module;
2) while the system is running, the network audit system compares a newly loaded filtering rule file with the filtering rule file currently stored locally and generates filtering rule modification commands;
3) the network audit system packages the generated filtering rule modification commands into a modification command packet and sends it to the input module of the system; the modification command packet is a general network packet whose header carries identification information and whose payload section stores the rule modification commands;
4) the input module recognizes the modification command packet by its identification information and sends it to each decoder module;
5) the decoder module parses the modification command packet, obtains the filtering rule modification commands and sends them to the filtering sub-module corresponding to the current decoder module;
6) the filtering sub-module modifies its own filter rule table according to the filtering rule modification commands.
Further, the network audit system uses a separate thread to scan the filtering rule file in local storage.
Further, the MAC address of the Ethernet header in the general network packet header is set to the identification information, the rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
Further, the payload protocol field in the general network packet header is set to the identification information, the rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
Further, the IP header or the UDP header in the general network packet header is set to the identification information, the rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
Further, the identification information is a set numerical value.
Further, the method of comparing the newly loaded filtering rule file with the filtering rule file currently stored locally and generating filtering rule modification commands is: compare the newly loaded filtering rule file with the currently stored filtering rule file; a filtering rule command that exists in the newly loaded file but not in the current file is generated as an add command; a filtering rule command that does not exist in the newly loaded file but exists in the current file is generated as a delete command; a filtering rule command that exists in both files but differs between them is generated as a modify command.
The system structure of the present invention is shown in Figure 1. The work of a typical network audit system requires the following main modules:
Input module: its main function is to obtain packets, decode the underlying protocols and distribute the packets to the decoder modules through a load-balancing algorithm.
Decoder module: its main function is to decode and analyse the application-layer payload of the packet and pass the decoded data to the output module; current network audit systems generally have several decoder modules.
Output module: its main function is to output the decoded data to the location we specify.
Each decoder module also needs a filtering sub-module. Each filtering sub-module manages one filter rule table, and the data stored in the filter rule tables of all filtering sub-modules is identical. During decoding, the decoder module filters the data it has decoded through the filtering rules in the filter table, and if the data should be output it passes it to the output module.
Since we need to modify the filtering rules while the system is running, we also need a filtering rule management module. It can be an independently running thread whose input is the new filtering rules; it compares them with the old rules and generates commands that modify the filtering rules, packages these commands into an ordinary network packet and passes it to the input module.
The input module then delivers this packet to each decoder module; the decoder module extracts the modification commands from the packet and passes them to the filtering sub-module, which modifies the corresponding data in the filter rule table according to the commands.
Compared with the prior art, the advantages and positive effects of the present invention are:
With the method of the present invention the system does not need to stop running while the filter rule table is modified; the filter rule table is updated directly, which greatly improves the safety of system operation, and at the same time the method increases the coupling strength between system modules.
Description of the drawings
Fig. 1, system structure diagram of the present invention;
Fig. 2, flow chart of the method of the present invention.
Embodiment
The present invention involves an input module, decoder modules, an output module, filtering sub-modules and a filtering rule management module. The flow of the method is shown in Figure 2; the concrete operating steps are:
At system start-up, after the input module, decoder modules and output module have started, a worker thread for modifying filtering rules is started. This thread scans the filtering rule file stored on the local disk and then establishes a filtering sub-module and a filter rule table for each decoder module.
While the system is running, if we need to issue new filtering rules, we only need to put the new filtering rule file into the directory designated by the system. The filtering rule management module then loads the new filtering rule file, compares it with the old filtering rules and generates modification commands. Command generation follows three principles: a rule present in the new file but absent from the old one yields an add command; a rule present in the old file but absent from the new one yields a delete command; a rule present in both files but different is treated as a modify command, and a modify command is decomposed into a delete command followed by an add command.
These commands are packaged into a modification command packet. The format of this packet is identical to that of an ordinary network packet, except that its application-layer data consists of modification commands; the packet is then passed to the input module. The format of the modification command packet is shown in Table 1. To make it easy for the input module to recognize this packet, we make some special settings in the packet header, for example setting the MAC address and the payload protocol field of the Ethernet header to special values.
Table 1. Format of the modification command packet
  Forged underlying protocol headers (Ethernet header, IP header, UDP header)
  Data section, storing the rule modification commands:
    command 1
    command 2
    command 3
    command 4
    command 5
The input module judges by the special values in the packet header that this is a rule modification command packet and then sends it to all decoder modules.
After a decoder module receives this packet, it extracts the modification commands and passes them to its filtering sub-module. The filtering sub-module modifies the filter rule table according to the modification commands.
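The following is an added example, not code from the patent or its assignee: it implements the three comparison principles of the embodiment above (add, delete, modify decomposed into delete plus add), packages the commands behind forged Ethernet/IPv4/UDP headers in the Table 1 layout, has the input module recognize the packet by its special MAC address and protocol field, and lets each decoder's filtering sub-module update its table in place. The magic MAC, EtherType, UDP port and command encoding are assumptions chosen for the example; the patent only says these fields hold special values.

```python
import struct

# Constructed identification values (assumed, not taken from the patent, which only says
# the MAC address and protocol field of the forged header are set to special values).
MAGIC_DST_MAC = bytes.fromhex("020000524C44")  # locally administered MAC, no real device
MAGIC_ETHERTYPE = 0x88B5                       # EtherType reserved for local experiments
HDR_LEN = 14 + 20 + 8                          # Ethernet + IPv4 + UDP headers (Table 1)

def diff_rules(old, new):
    """Management thread: compare the current rule file ({id: rule}) with the new one.
    A rule present in both but changed becomes DEL then ADD, as the embodiment says."""
    cmds = []
    for rid in sorted(set(old) | set(new)):
        if rid not in old:
            cmds.append(("ADD", rid, new[rid]))
        elif rid not in new:
            cmds.append(("DEL", rid, ""))
        elif old[rid] != new[rid]:
            cmds.append(("DEL", rid, ""))
            cmds.append(("ADD", rid, new[rid]))
    return cmds

def build_command_packet(cmds):
    """Package the commands behind forged Ethernet/IPv4/UDP headers (Table 1 layout)."""
    payload = b"".join(struct.pack("!3sHH", op.encode(), rid, len(val)) + val.encode()
                       for op, rid, val in cmds)
    eth = MAGIC_DST_MAC + bytes(6) + struct.pack("!H", MAGIC_ETHERTYPE)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01")   # IPv4, protocol 17 = UDP
    udp = struct.pack("!HHHH", 47474, 47474, 8 + len(payload), 0)  # constructed port
    return eth + ip + udp + payload

def is_command_packet(frame):
    """Input module: recognize the packet by the special MAC and protocol field."""
    return (len(frame) >= HDR_LEN and frame[:6] == MAGIC_DST_MAC
            and struct.unpack("!H", frame[12:14])[0] == MAGIC_ETHERTYPE)

def parse_commands(frame):
    """Decoder module: extract the command list from the packet payload."""
    payload, off, cmds = frame[HDR_LEN:], 0, []
    while off + 7 <= len(payload):
        op, rid, vlen = struct.unpack("!3sHH", payload[off:off + 7])
        cmds.append((op.decode(), rid, payload[off + 7:off + 7 + vlen].decode()))
        off += 7 + vlen
    return cmds

def apply_commands(table, cmds):
    """Filtering sub-module: update its own filter rule table in place, no restart."""
    for op, rid, val in cmds:
        if op == "ADD":
            table[rid] = val
        elif op == "DEL":
            table.pop(rid, None)
    return table

def reload_rules(decoder_tables, old_file, new_file):
    """Whole path: management thread -> input module -> each decoder's sub-module."""
    frame = build_command_packet(diff_rules(old_file, new_file))
    if is_command_packet(frame):          # input module recognizes it and fans it out
        for table in decoder_tables:
            apply_commands(table, parse_commands(frame))
    return decoder_tables

# Constructed sample rule files: rule 1 changed, rule 2 deleted, rule 4 added.
OLD = {1: "ip=10.0.0.1", 2: "user=alice", 3: "proto=http"}
NEW = {1: "ip=10.0.0.2", 3: "proto=http", 4: "keyword=confidential"}
```

Because the command packet is indistinguishable from a captured frame by format alone, a deployment should accept it only from the management thread's internal path and never from the monitored link, otherwise a frame on the wire carrying the same special values could rewrite the filter tables.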

Claims (7)

1. A dynamic loading method for the filtering rules of a network audit system, comprising the steps of:
1) the network audit system establishes one filtering sub-module for each decoder module of the system, scans the filtering rule file in local storage and stores it into the filter rule table of each filtering sub-module;
2) while the system is running, the network audit system compares a newly loaded filtering rule file with the filtering rule file currently stored locally and generates filtering rule modification commands;
3) the network audit system packages the generated filtering rule modification commands into a modification command packet and sends it to the input module of the system; the modification command packet is a general network packet whose header carries identification information and whose payload section stores the filtering rule modification commands;
4) the input module recognizes the modification command packet by its identification information and sends it to each decoder module;
5) the decoder module parses the modification command packet, obtains the filtering rule modification commands and sends them to the filtering sub-module corresponding to the current decoder module;
6) the filtering sub-module modifies its own filter rule table according to the filtering rule modification commands.
2. The method of claim 1, characterized in that the network audit system uses a separate thread to scan the filtering rule file in local storage.
3. The method of claim 2, characterized in that the MAC address of the Ethernet header in the general network packet header is set to the identification information, the filtering rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
4. The method of claim 2, characterized in that the payload protocol field in the general network packet header is set to the identification information, the filtering rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
5. The method of claim 2, characterized in that the IP header or the UDP header in the general network packet header is set to the identification information, the filtering rule modification commands are stored in the payload section, and the modification command packet is thereby generated.
6. The method of claim 3, 4 or 5, characterized in that the identification information is a set numerical value.
7. The method of claim 1, 2, 3, 4 or 5, characterized in that the method of comparing the newly loaded filtering rule file with the filtering rule file currently stored locally and generating filtering rule modification commands is: compare the newly loaded filtering rule file with the currently stored filtering rule file; a filtering rule command that exists in the newly loaded file but not in the current file is generated as an add command; a filtering rule command that does not exist in the newly loaded file but exists in the current file is generated as a delete command; a filtering rule command that exists in both files but differs between them is generated as a modify command.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010106116817A CN102082728B (en) 2010-12-28 2010-12-28 Dynamic loading method for filtering rules of network audit system

Publications (2)

Publication Number Publication Date
CN102082728A CN102082728A (en) 2011-06-01
CN102082728B true CN102082728B (en) 2012-07-25

Family

ID=44088484

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780460B (en) * 2014-01-15 2017-06-30 珠海市佳讯实业有限公司 A system implementing TAP device hardware filtering by FPGA
CN107038161B (en) * 2015-07-13 2021-03-26 阿里巴巴集团控股有限公司 Equipment and method for filtering data
CN105681317A (en) * 2016-02-03 2016-06-15 国网智能电网研究院 Novel business and database auditing engine
CN107888584A (en) * 2017-11-07 2018-04-06 北京亿赛通网络安全技术有限公司 A network audit system and its data processing method
CN110401642A (en) * 2019-07-10 2019-11-01 浙江中烟工业有限责任公司 An industrial control traffic acquisition and protocol analysis method
CN113242150B (en) * 2021-06-03 2022-11-22 上海天旦网络科技发展有限公司 Data packet capturing method and system in K8s based on the Calico network plug-in

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567827A (en) * 2003-06-25 2005-01-19 上海电信住宅宽频网络有限公司 Intelligent monitoring control platform for broadband telecommunication network
CN101383710A (en) * 2008-10-14 2009-03-11 沈阳海正科技有限公司 Dynamic packet detecting technique based on two-dimensional PATRIE algorithm
CN101771569A (en) * 2010-01-15 2010-07-07 莱克斯科技(北京)有限公司 High-speed parallel network protocol and application analysis method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5038887B2 (en) * 2004-04-15 2012-10-03 クリアパス・ネットワークス・インコーポレーテッド System and method for managing a network

Also Published As

Publication number Publication date
CN102082728A (en) 2011-06-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: Dynamic loading method for filtering rules of network audit system
  Effective date of registration: 20140623
  Granted publication date: 20120725
  Pledgee: China Construction Bank Corp Beijing Zhongguancun branch
  Pledgor: Rui-an Science and Technology Co., Ltd., Beijing
  Registration number: 2014990000497
PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20180327
  Granted publication date: 20120725
  Pledgee: China Construction Bank Corp Beijing Zhongguancun branch
  Pledgor: Rui-an Science and Technology Co., Ltd., Beijing
  Registration number: 2014990000497
PE01 Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: Dynamic loading method for filtering rules of network audit system
  Effective date of registration: 20180627
  Granted publication date: 20120725
  Pledgee: China Construction Bank Corp Beijing Zhongguancun branch
  Pledgor: Rui-an Science and Technology Co., Ltd., Beijing
  Registration number: 2018110000015
PC01 Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20210128
  Granted publication date: 20120725
  Pledgee: China Construction Bank Corp Beijing Zhongguancun branch
  Pledgor: Run Technologies Co.,Ltd. Beijing
  Registration number: 2018110000015