CN102223368B - System and method capable of realizing operation identification during monitoring of remote desktop protocol (RDP) - Google Patents
- Publication number: CN102223368B
- Application number: CN201110158731.5A
- Authority: CN (China)
- Prior art keywords: rdp, module, virtual, data, server end
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a system and method for identifying operations while the Remote Desktop Protocol (RDP) is being monitored. The system comprises an RDP virtual server-side module and an RDP virtual client-side module, between which a protocol data flow-dividing processing module is established; this module passes clear-text data to an RDP protocol data-flow formatting module, which processes RDP client-side data and RDP server-side data respectively; a virtual screen operation identification module analyses the valid operation and its returned result, and operation identification is completed while RDP is being monitored. The invention overcomes the defect that conventional RDP technology cannot achieve both monitoring and operation identification: on the premise that RDP operations are monitored, the operations can also be identified, and the whole system is simple and easy to operate.
Description
Technical field
The invention belongs to the technical field of the Remote Desktop Protocol, and specifically relates to a system and method for identifying operations while the Remote Desktop Protocol is being monitored.
Background technology
The Remote Desktop Protocol (RDP) is a standard protocol formulated by Microsoft for remote desktop access over a network; it belongs to the application layer of the network protocol suite. The main function of RDP is to allow a user, through an RDP client, to connect to a remote Windows server on which the Terminal Services service has been started. A client that has established an RDP connection to the remote server obtains the server's complete desktop and can operate the server on that desktop; the whole operating process has the same effect as operating directly on the remote server, which greatly eases the work of server maintenance personnel.
RDP is a graphical operating protocol, and because it is a protocol for maintaining servers it is also an interactive protocol: when the client submits information, the server end returns information in response. To remain smoothly usable where bandwidth is limited, RDP transmits data in compressed form (the compression means include transmitting only the changed parts of the graphics and applying MPPC compression to the transmitted packets); to ensure the safety of remote operation, RDP also encrypts the transmitted data. Consequently, when remote access operations based on RDP need to be monitored, the conventional method of capturing packets from a bypass (mirror) port cannot recover valid data from them; the monitoring system must instead perform a secondary login to RDP or act as an RDP proxy, since otherwise the maintenance personnel's operations cannot be restored and recorded from the encrypted data.
In the so-called RDP secondary login, the operator first logs into the monitoring system via RDP; the monitoring system, using the characteristics of the RDP transport protocol, presents a visual menu interface to the authorised operator by means of bitmaps, and the operator selects the server to be logged into from that menu and logs in directly. In the so-called RDP proxy, the operator designates the monitoring system as the RDP proxy server, and all RDP accesses reach the destination server with the monitoring system acting as the proxy.
In summary, by the principle of secondary login or proxying, the RDP connection initiated by the operator terminates in the monitoring system, and all connections to the destination servers being maintained are initiated by the monitoring system. The monitoring system is thus the server with respect to the client and the client with respect to the server end; by this method the encrypted and compressed data flow can be fully decrypted and decompressed, and the RDP access process can then be monitored.
Summary of the invention
The present invention solves the technical problem existing in the above prior art and provides a system and method for identifying operations while the Remote Desktop Protocol is being monitored.
The above technical problem of the present invention is mainly solved by the following technical proposal: a system for identifying operations while the Remote Desktop Protocol is being monitored comprises an RDP virtual server-side module and an RDP virtual client-side module. The RDP virtual server-side module exchanges encrypted, compressed data with the RDP client module, and the RDP virtual client-side module exchanges encrypted, compressed data with the RDP server-side module. A protocol data flow-dividing processing module is established between the RDP virtual server-side module and the RDP virtual client-side module; it processes the encrypted, compressed data of the RDP client module and of the RDP server-side module into clear-text data, forwards that data on to the RDP virtual server-side module and the RDP virtual client-side module, and copies the clear-text data to the RDP protocol data-flow formatting module for further processing. When the RDP protocol data-flow formatting module processes RDP client-side data, it extracts the virtual key code information contained therein and hands it to the virtual screen operation identification module for processing. When the RDP protocol data-flow formatting module processes RDP server-side data, it parses the graphical information contained therein and draws it onto an in-memory virtual screen opened for this remote virtual desktop session; three copies are made at the same time, one transferred to the real-time monitoring video stream output module, another stored in the retrospective playback database, and the third submitted to the virtual screen operation identification module.
The implementation method of the system for identifying operations while the Remote Desktop Protocol is being monitored is as follows. The RDP virtual server-side module decrypts and decompresses the encrypted, compressed data coming from the RDP client and sends it to the protocol data flow-dividing processing module, and the RDP virtual client-side module decrypts and decompresses the encrypted, compressed data coming from the RDP server end and sends it to the protocol data flow-dividing processing module. The protocol data flow-dividing processing module acts as a data bridge: it forwards the decrypted, decompressed RDP client clear-text data to the RDP virtual client-side module and the decrypted, decompressed RDP server-side clear-text data to the RDP virtual server-side module, and at the same time copies both the RDP client clear-text data and the RDP server-side clear-text data to the RDP protocol data-flow formatting module. When processing RDP client data, the RDP protocol data-flow formatting module extracts the virtual key code information contained therein and hands it to the virtual screen operation identification module for processing. When processing RDP server-side data, it parses the graphical information contained therein and draws it onto an in-memory virtual screen opened for this remote virtual desktop session; three copies are made at the same time, one transferred to the real-time monitoring video stream output module, another stored in the retrospective playback database, and the third submitted to the virtual screen operation identification module. When the virtual screen operation identification module receives the graphical information returned by the RDP server end, it compares the in-memory virtual screen with the one obtained the previous time, analyses the part of the screen that has changed, extracts the text segments from the change, and then finds in the preceding mouse and keyboard input queue the input node corresponding to the returned graphical information; in this way the valid operation and its returned result can be analysed, and operation identification is completed while the Remote Desktop Protocol is being monitored.
The present invention overcomes the defect that existing Remote Desktop Protocol technology cannot achieve monitoring together with operation identification: on the premise that remote desktop protocol operations are monitored by the technical means of the present invention, the operations can also be identified, and the whole system is simple to operate.
Description of the drawings
Fig. 1 is a schematic diagram of the principle structure of the present invention.
Embodiment
The technical scheme of the present invention is described in further detail below through an embodiment and with reference to the accompanying drawing.
Embodiment: referring to Fig. 1, the present invention comprises an RDP virtual server-side module and an RDP virtual client-side module. The RDP virtual server-side module exchanges encrypted, compressed data with the RDP client module, and the RDP virtual client-side module exchanges encrypted, compressed data with the RDP server-side module. A protocol data flow-dividing processing module is established between the RDP virtual server-side module and the RDP virtual client-side module and acts as a data bridge: it forwards the decrypted, decompressed RDP client clear-text data to the RDP virtual client-side module and the decrypted, decompressed RDP server-side clear-text data to the RDP virtual server-side module, and at the same time copies both the RDP client clear-text data and the RDP server-side clear-text data to the RDP protocol data-flow formatting module. When processing RDP client data, the RDP protocol data-flow formatting module extracts the virtual key code information contained therein and hands it to the virtual screen operation identification module for processing. When processing RDP server-side data, it parses the graphical information contained therein and draws it onto an in-memory virtual screen opened for this remote virtual desktop session; three copies are made at the same time, one transferred to the real-time monitoring video stream output module, another stored in the retrospective playback database, and the third submitted to the virtual screen operation identification module. When the virtual screen operation identification module receives the graphical information returned by the RDP server end, it compares the in-memory virtual screen with the one obtained the previous time, analyses the part of the screen that has changed, extracts the text segments from the change, and then finds in the preceding mouse and keyboard input queue the input node corresponding to the returned graphical information; in this way the valid operation and its returned result can be analysed, and operation identification is completed while the Remote Desktop Protocol is being monitored.
The main significance of operation identification for the Remote Desktop Protocol is the following: although the whole operating process of each session is divided by session and preserved as video, for review work it is very difficult to locate a point to be reviewed afterwards among a large number of video files. It is therefore necessary and effective to provide a means of retrieval according to the concrete operations performed.
The identification work mainly comprises two aspects: first, identifying and recording the remote maintenance personnel's keyboard and mouse actions; second, extracting, from the screen changes, the situation of the various programs run on the maintained server. Both are completed in the virtual screen operation identification module. In general, mouse movement and clicks do not by themselves produce a specific operation, and for this kind of interactive operation between client and server end, the mouse and keyboard input and the response returned by the server stand in a linear relationship in time. Therefore, when identifying operations, the keyboard or mouse actions of the server user are first recorded in a buffer queue, and further processing is done only when the server end returns its response. When the server end returns graphical information, the virtual screen operation identification module has obtained an in-memory virtual screen directly from the RDP protocol data-flow formatting module, so it can compare that screen with the one obtained the previous time, analyse the changed part of the screen, extract the text segments from the change, and then find in the preceding mouse and keyboard input queue the input node corresponding to the returned graphical information (searching according to the linear distribution in time and picking the node closest in time); at that point the valid operation and its returned result can easily be analysed. The key points in obtaining text segments from the in-memory virtual screen are: 1. the in-memory virtual screen is a dot-matrix memory image whose basis is the resolution negotiated between client and server at the start of the access, so finding the changed part between two virtual screens means finding the memory image of the changed part within the dot-matrix memory image; 2. the memory image of the changed part is also a dot-matrix memory image, and finding text segments within it means finding the dot matrices of the characters according to the characteristics of the RDP protocol, and then recognising the characters against the character dot-matrix library that the system has learned in advance; 3. the process of learning the dot-matrix library is very simple and is not described further.
Finally, it should be pointed out that the above embodiment is only a representative example of the present invention. Obviously, the technical scheme of the present invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or associate from the content disclosed by the invention should be considered to fall within the protection scope of the present invention.
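The identification procedure described in the summary, the embodiment and the paragraph above, as an added model that is not part of the patent: each server update is drawn onto the per-session in-memory screen, the changed region is diffed out and read against a glyph library, and the recognised text is paired with the keyboard input queued since the previous server response. The 0/1 bitmap screen, the two-glyph 3x3 library standing in for the pre-learned character library, the key names (real RDP input carries key codes that would first be mapped) and the timestamps are all constructed assumptions.

```python
"""Added model of the patent's virtual-screen operation identification: draw each
server update onto the in-memory screen, diff it against the previous frame, read
the changed region against a glyph library, and pair the text with the keyboard
input queued since the previous server response (the input node nearest in time)."""
from dataclasses import dataclass, field

# Constructed 3x3 glyph library standing in for the character dot-matrix library
# the patent says the system learns in advance. Rows are strings of 0/1 pixels.
GLYPHS = {
    "O": ("111", "101", "111"),
    "K": ("101", "110", "101"),
}
GLYPH_W, GLYPH_H, GAP = 3, 3, 1             # fixed-pitch text assumed (constructed)
LOOKUP = {rows: ch for ch, rows in GLYPHS.items()}

@dataclass
class Session:
    width: int                               # resolution negotiated at connect time
    height: int
    frame: list = field(init=False)          # in-memory virtual screen, 0/1 pixels
    inputs: list = field(default_factory=list)   # (time, key) queue, oldest first
    last_update: float = 0.0                 # time of the previous server response

    def __post_init__(self):
        self.frame = [[0] * self.width for _ in range(self.height)]

def changed_region(prev, cur):
    """Bounding box (x0, y0, x1, y1) of differing pixels, or None if identical."""
    xs, ys = [], []
    for y, (rp, rc) in enumerate(zip(prev, cur)):
        for x, (a, b) in enumerate(zip(rp, rc)):
            if a != b:
                xs.append(x)
                ys.append(y)
    if not xs:
        return None
    return min(xs), min(ys), max(xs) + 1, max(ys) + 1

def recognize_text(frame, box):
    """Read one line of fixed-pitch glyphs in the changed region; '?' if unknown."""
    x0, y0, x1, _ = box
    rows = range(y0, min(y0 + GLYPH_H, len(frame)))
    text = ""
    for x in range(x0, x1, GLYPH_W + GAP):
        cell = tuple("".join(str(b) for b in frame[y][x:x + GLYPH_W]) for y in rows)
        text += LOOKUP.get(cell, "?")
    return text

def on_key(sess, t, key):
    """Client-side input: queue the key (already mapped from its virtual key code)."""
    sess.inputs.append((t, key))

def on_screen_update(sess, t, rects):
    """Server-side graphics update; rects are (x, y, rows) bitmaps with 0/1 string
    rows. Returns an operation record, or None if nothing can be attributed."""
    prev = [row[:] for row in sess.frame]
    for x, y, rows in rects:                 # draw the update onto the virtual screen
        for dy, row in enumerate(rows):
            for dx, bit in enumerate(row):
                sess.frame[y + dy][x + dx] = int(bit)
    box = changed_region(prev, sess.frame)
    if box is None:                          # nothing visible changed: keep inputs queued
        return None
    # Inputs after the previous response and up to this one are, in the patent's
    # linear-in-time ordering, the input node nearest this response.
    pending = [k for k_t, k in sess.inputs if sess.last_update < k_t <= t]
    sess.inputs = [(k_t, k) for k_t, k in sess.inputs if k_t > t]
    sess.last_update = t
    if not pending:                          # unsolicited repaint (cursor blink, clock)
        return None
    return {"time": t, "input": "".join(pending), "region": box,
            "result": recognize_text(sess.frame, box)}

def demo():
    """Constructed session: the operator types 'dir' + Enter, the server paints 'OK'."""
    sess = Session(width=16, height=4)
    for t, key in [(1.0, "d"), (1.2, "i"), (1.4, "r"), (1.6, "\n")]:
        on_key(sess, t, key)
    line = [GLYPHS["O"][i] + "0" + GLYPHS["K"][i] for i in range(GLYPH_H)]
    return on_screen_update(sess, 1.9, [(2, 0, line)])
```

A repaint that changes no pixels leaves the input queue untouched, and a changed screen with no queued input yields no record, so only input/response pairs reach the audit trail.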
Claims (2)
1. A system for identifying operations while the Remote Desktop Protocol is being monitored, characterised in that the system comprises an RDP virtual server-side module and an RDP virtual client-side module; the RDP virtual server-side module exchanges encrypted, compressed data with the RDP client module, and the RDP virtual client-side module exchanges encrypted, compressed data with the RDP server-side module; a protocol data flow-dividing processing module is established between the RDP virtual server-side module and the RDP virtual client-side module, which processes the encrypted, compressed data of the RDP client module and of the RDP server-side module into clear-text data, forwards that data on to the RDP virtual client-side module and the RDP virtual server-side module respectively, and copies the clear-text data to the RDP protocol data-flow formatting module for further processing; when the RDP protocol data-flow formatting module processes RDP client module data, it extracts the virtual key code information contained therein and hands it to the virtual screen operation identification module for processing; when the RDP protocol data-flow formatting module processes RDP server-side module data, it parses the graphical information contained therein, draws the graphical information onto an in-memory virtual screen opened for the remote virtual desktop session, and makes three copies at the same time, one transferred to the real-time monitoring video stream output module, another stored in the retrospective playback database, and the third submitted to the virtual screen operation identification module; when the virtual screen operation identification module receives the graphical information returned by the RDP server-side module, it compares the in-memory virtual screen with the one obtained the previous time, analyses the part of the screen that has changed, extracts the text segments from the change, and then finds in the mouse and keyboard input queue the input node corresponding to the returned graphical information, whereby the valid operation and its returned result can be analysed and operation identification is completed while the Remote Desktop Protocol is being monitored.
2. An implementation method of the system for identifying operations while the Remote Desktop Protocol is being monitored according to claim 1, characterised in that the method is as follows: the RDP virtual server-side module decrypts and decompresses the encrypted, compressed data coming from the RDP client module and sends it to the protocol data flow-dividing processing module, and the RDP virtual client-side module decrypts and decompresses the encrypted, compressed data coming from the RDP server-side module and sends it to the protocol data flow-dividing processing module; the protocol data flow-dividing processing module acts as a data bridge, forwarding the decrypted, decompressed RDP client module clear-text data to the RDP virtual client-side module and the decrypted, decompressed RDP server-side module clear-text data to the RDP virtual server-side module, and at the same time copying both the RDP client module clear-text data and the RDP server-side module clear-text data to the RDP protocol data-flow formatting module; when processing RDP client module data, the RDP protocol data-flow formatting module extracts the virtual key code information contained therein and hands it to the virtual screen operation identification module for processing; when processing RDP server-side module data, the RDP protocol data-flow formatting module parses the graphical information contained therein, draws the graphical information onto an in-memory virtual screen opened for the remote virtual desktop session, and makes three copies at the same time, one transferred to the real-time monitoring video stream output module, another stored in the retrospective playback database, and the third submitted to the virtual screen operation identification module; when the virtual screen operation identification module receives the graphical information returned by the RDP server-side module, it compares the in-memory virtual screen with the one obtained the previous time, analyses the part of the screen that has changed, extracts the text segments from the change, and then finds in the mouse and keyboard input queue the input node corresponding to the returned graphical information, whereby the valid operation and its returned result can be analysed and operation identification is completed while the Remote Desktop Protocol is being monitored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110158731.5A CN102223368B (en) | 2011-06-14 | 2011-06-14 | System and method capable of realizing operation identification during monitoring of remote desktop protocol (RDP) |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102223368A CN102223368A (en) | 2011-10-19 |
CN102223368B true CN102223368B (en) | 2014-05-21 |
Family ID: 44779797
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110158731.5A Active CN102223368B (en) | 2011-06-14 | 2011-06-14 | System and method capable of realizing operation identification during monitoring of remote desktop protocol (RDP) |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102223368B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105592121B (en) * | 2014-10-31 | 2018-10-02 | 中国科学院声学研究所 | A kind of RDP data acquisition devices and method |
CN105847307B (en) * | 2015-01-12 | 2019-03-08 | 北京神州泰岳信息安全技术有限公司 | Integrated O&M method and system |
CN106161496B (en) * | 2015-03-25 | 2019-07-23 | 阿里巴巴集团控股有限公司 | The remote assistance method and device of terminal, system |
CN107194394A (en) * | 2016-09-29 | 2017-09-22 | 北京神州泰岳信息安全技术有限公司 | Remotely access monitoring method and relevant apparatus |
CN106506639B (en) * | 2016-11-03 | 2019-05-07 | 珠海智城信息技术有限公司 | The reverse analytic method of data, device, system and data collection terminal |
CN106713494B (en) * | 2017-01-23 | 2020-05-08 | 上海上讯信息技术股份有限公司 | Intelligent auditing method and device |
CN108234627A (en) * | 2017-12-29 | 2018-06-29 | 上海上讯信息技术股份有限公司 | A kind of method of the remote desktop proxy video video recording based on RDP agreements |
CN110602118B (en) * | 2019-09-20 | 2022-04-22 | 南京信易达计算技术有限公司 | Virtualization data remote encryption security system and method |
FR3133685A1 (en) * | 2022-03-15 | 2023-09-22 | Serenicity | SYSTEM FOR AUTOMATED ANALYSIS OF USER ACTIONS CONNECTED REMOTELY TO A SERVER |
CN114697407A (en) * | 2022-03-28 | 2022-07-01 | 杭州安恒信息技术股份有限公司 | Data processing method and device based on RDP (remote desktop protocol), electronic device and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101426027A (en) * | 2008-10-28 | 2009-05-06 | 北京航空航天大学 | Bottom layer communication method for distributed virtual machine monitor |
CN101707622A (en) * | 2009-10-30 | 2010-05-12 | 深圳市深视音电子技术有限公司 | Method for realizing remote data monitoring |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2264956B1 (en) * | 2004-07-23 | 2017-06-14 | Citrix Systems, Inc. | Method for securing remote access to private networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |